Re: [Freeipa-users] Freeipa-users Digest, Vol 79, Issue 57
: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://linux126.example.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 483
* upload completely sent off: 483 out of 483 bytes
HTTP/1.1 401 Authorization Required
Date: Sun, 15 Feb 2015 12:54:54 GMT
Server: Apache/2.2.15
Last-Modified: Wed, 30 Jan 2013 15:34:41 GMT
ETag: e24d7-55a-4d4833fadc640
Accept-Ranges: bytes
Content-Length: 1370
Connection: close
Content-Type: text/html; charset=UTF-8
* Closing connection #0
HTTP response code is 401, not 200
Installation failed. Rolling back changes.
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
args=ipa-client-automount --uninstall --debug
stdout=Restoring configuration

------------------------------

Message: 2
Date: Mon, 16 Feb 2015 05:37:36 -0500 (EST)
From: Nicolas Zin nicolas@savoirfairelinux.com
To: Alexander Bokovoy aboko...@redhat.com
Cc: Francois Cami fc...@redhat.com, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] resolving subdomain AD in a trust relationship
Message-ID: 1746325772.2636258.1424083056821.javamail.r...@savoirfairelinux.com
Content-Type: text/plain; charset=utf-8

OK seems promising but it still fails.
I used
ipa idrange-mod COMPANY.COM_id_range --range-size=1000
ipa idrange-mod CORP.COMPANY.COM_id_range --range-size=1000
restarted sssd (and IPA in case of) but still get the same error.

Isn't it in sssd.conf that I should set ldap_idmap_range_size? and if yes, in which section?
:-(

thank you

----- Original Message -----
From: Alexander Bokovoy aboko...@redhat.com
To: Nicolas Zin nicolas@savoirfairelinux.com
Cc: freeipa-users@redhat.com, Francois Cami fc...@redhat.com
Sent: Monday 16 February 2015 13:50:38
Subject: Re: [Freeipa-users] resolving subdomain AD in a trust relationship

On Mon, 16 Feb 2015, Nicolas Zin wrote:
> Hi,
>
> we created a trust relationship with an AD, and we get this result:
>
> # ipa trust-domainfind company.com
>   Domain name: corp.company.com
>   Domain NetBIOS name: COMPANY
>   Domain Security Identifier: S-1-5-21-blabla-blabla-blabla
>   Domain enabled: True
>
>   Domain name: company.com
>   Domain NetBIOS name: ROOT
>   Domain Security Identifier: S-1-5-21-blabla2-blabla2-blabla2
>   Domain enabled: True
>
> We manage to see the user from the root domain: id au...@company.com
> But cannot see a user from the child: id anotheru...@corp.company.com
>
> In the logs we see:
> Could not convert objectSID S-1-5-21-blabla-blabla-blabla-496378] to a UNIX ID
RID (496378) is larger than the size of the idrange given for this domain (20 ids by default). You need to extend idrange for corp.company.com.

In Windows world RIDs grow monotonically -- if you delete user, its RID is not reused. When there is large churn of users created/removed, RIDs may go up quickly. For most mid-range companies defaults like IPA has (20 ids) are fine but if your situation is different, increase the range.

Note that idranges for trusted AD domains are not used by DNA plugin as nothing is allocating in this space on the LDAP server side, rather SSSD does allocation on its own, it just needs the idrange reserved.

For example, 'ipa idrange-mod range-name --size=100' to set the idrange size to one million. Range name for the trusted domain can be seen with 'ipa idrange-find'.
--
/ Alexander Bokovoy

------------------------------

Message: 3
Date: Mon, 16 Feb 2015 12:48:37 +0200
From: Alexander Bokovoy aboko...@redhat.com
To: Nicolas Zin nicolas@savoirfairelinux.com
Cc: Francois Cami fc...@redhat.com, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] resolving subdomain AD in a trust relationship
Message-ID: 20150216104837.gk26...@redhat.com
Content-Type: text/plain; charset=us-ascii; Format=flowed

On Mon, 16 Feb 2015, Nicolas Zin wrote:
> OK seems promising but it still fails.
> I used
> ipa idrange-mod COMPANY.COM_id_range --range-size=1000
> ipa idrange-mod CORP.COMPANY.COM_id_range --range-size=1000
> restarted sssd (and IPA in case of) but still get the same error.
SSSD logs would be more helpful (debug_level = 9).

> Isn't it in sssd.conf that I should set ldap_idmap_range_size? and if yes, in which section? :-(
These options should not be touched at all.

--
/ Alexander Bokovoy

------------------------------

Message: 4
Date: Mon, 16 Feb 2015 12:05:07 +0100
From: Martin Basti mba...@redhat.com
To: mohammad sereshki mohammadseres...@yahoo.com, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] join error
Message-ID: 54e1cee3.5070...@redhat.com
Content-Type: text/plain; charset=windows-1252; format=flowed

On 16/02/15 11:02, mohammad sereshki wrote:
> * Server auth using Basic
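The mapping Alexander describes in the idrange thread above (SSSD allocates a trusted-domain user's POSIX id inside the reserved idrange, so the RID must be smaller than the range size) as an added Python example; this is not code from the thread or from FreeIPA/SSSD. It uses a simplified base-plus-RID model, and the SIDs, range names, base ids and log line are constructed; real SSSD idmap handles more cases than shown here.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Object SID of a domain account = domain SID (S-1-5-21-a-b-c) + "-" + RID.
OBJECT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
# The SSSD message quoted in the thread ("Could not convert objectSID ... to a UNIX ID").
CONVERT_FAIL_RE = re.compile(r"Could not convert objectSID \[?(S-1-5-21-\d+-\d+-\d+-\d+)")


@dataclass(frozen=True)
class IdRange:
    """Constructed model of one 'ipa idrange-*' entry for a trusted AD domain."""
    name: str        # e.g. CORP.COMPANY.COM_id_range
    domain_sid: str  # Domain Security Identifier shown by the trust domain listing
    base_id: int     # first POSIX id reserved for this domain
    size: int        # --range-size: number of ids reserved


def split_sid(object_sid: str):
    """Split an object SID into (domain_sid, rid)."""
    m = OBJECT_SID_RE.match(object_sid)
    if not m:
        raise ValueError(f"not an object SID of a domain account: {object_sid}")
    return m.group(1), int(m.group(2))


def sid_to_posix_id(object_sid: str, ranges: Iterable[IdRange]) -> int:
    """Simplified SSSD trust mapping: posix id = range base + RID.
    Raises LookupError for the two failure modes seen in practice:
    no idrange reserved for the domain, or a RID beyond the range size."""
    domain_sid, rid = split_sid(object_sid)
    for r in ranges:
        if r.domain_sid != domain_sid:
            continue
        if rid >= r.size:
            raise LookupError(
                f"RID {rid} is larger than the size ({r.size}) of idrange {r.name}; "
                f"grow it: ipa idrange-mod {r.name} --range-size=<at least {rid + 1}>"
            )
        return r.base_id + rid
    raise LookupError(f"no idrange reserved for domain SID {domain_sid}")


def check_sid(object_sid: str, ranges: Iterable[IdRange]) -> Optional[str]:
    """None when the SID maps, otherwise the reason it does not."""
    try:
        sid_to_posix_id(object_sid, ranges)
        return None
    except LookupError as exc:
        return str(exc)


def required_range_sizes(log_lines: Iterable[str], ranges: Iterable[IdRange]) -> Dict[str, int]:
    """Scan SSSD domain-log lines for failed SID conversions and report, per
    idrange name, the smallest --range-size that would have mapped every
    offending RID. RIDs only grow, so size the real range with headroom."""
    highest_rid: Dict[str, int] = {}
    for line in log_lines:
        m = CONVERT_FAIL_RE.search(line)
        if not m:
            continue
        domain_sid, rid = split_sid(m.group(1))
        highest_rid[domain_sid] = max(rid, highest_rid.get(domain_sid, 0))
    return {r.name: highest_rid[r.domain_sid] + 1
            for r in ranges if r.domain_sid in highest_rid}


# Constructed ranges mirroring the thread: both were set to --range-size=1000.
RANGES: List[IdRange] = [
    IdRange("COMPANY.COM_id_range", "S-1-5-21-11-22-33", 200000000, 1000),
    IdRange("CORP.COMPANY.COM_id_range", "S-1-5-21-44-55-66", 400000000, 1000),
]

# Constructed log line in the shape of the message quoted in the thread.
SAMPLE_LOG = [
    "(Mon Feb 16 10:00:00 2015) [sssd[be[company.com]]] [sdap_idmap_sid_to_unix] "
    "(0x0080): Could not convert objectSID [S-1-5-21-44-55-66-496378] to a UNIX ID",
]

if __name__ == "__main__":
    print(check_sid("S-1-5-21-44-55-66-496378", RANGES))   # too small a range
    print(required_range_sizes(SAMPLE_LOG, RANGES))         # size that would fit it
```

With a range of 1000 ids, RID 496378 still cannot map, which is why re-sizing to 1000 does not clear the error; the range must be larger than the highest RID in use.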
Re: [Freeipa-users] join error [solved]
On 16/02/15 15:51, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 02/16/2015 08:19 AM, mohammad sereshki wrote:
>>> dear
>>> I use the admin user, at the same time I added another server with this permission.
>>
>> Then the problem is probably with this client. Is everything fine with its host name and DNS lookups?
>
> I don't think this has anything to do with DNS, the hostname or enrollment privileges. As Martin pointed out, it's odd that Basic auth is being used in this case. The empty value isn't so surprising since with negotiate auth in curl we purposely set it to :.
>
> I think we need to see the full ipaclient-install.log.
>
> rob

For the record: Mohammad had his own compiled curl, which doesn't work with IPA. It works with the original one.

Martin^2

>>> *From:* Martin Basti mba...@redhat.com
>>> *To:* mohammad sereshki mohammadseres...@yahoo.com; freeipa-users@redhat.com
>>> *Sent:* Monday, February 16, 2015 2:35 PM
>>> *Subject:* Re: [Freeipa-users] join error
>>>
>>> On 16/02/15 11:02, mohammad sereshki wrote:
>>>> * Server auth using Basic with user ''
>>> Hello,
>>> It looks like an anonymous user.
>>> Which version of IPA do you use?
>>> Did you specify the right user with ability to enroll client?
>>>
>>> Martin^2
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.

--
Martin Basti

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
[Freeipa-users] Typo on Troubleshooting page
Hi there,

There's a typo here - http://www.freeipa.org/page/Troubleshooting

The word error is spelled incorrectly in this sentence:
"If changes done on one FreeIPA master are not replicated to another master, always verify errros log on both master and replica."

Thanks,
Dave
Re: [Freeipa-users] Typo on Troubleshooting page
On 16/02/15 17:32, David Little wrote:
> Hi there,
>
> There's a typo here - http://www.freeipa.org/page/Troubleshooting
>
> The word error is spelled incorrectly in this sentence:
> "If changes done on one FreeIPA master are not replicated to another master, always verify errros log on both master and replica."
>
> Thanks,
> Dave

Thank you, fixed.

--
Martin Basti
Re: [Freeipa-users] Help with debugging HBACs
Thank you for the reply Sumit - I will look into updating the version of sssd. If that doesn't work, I will also try adding the 'sourceHostCategory' attribute to rules. Though, I would imagine I would have to do this for *all* rules if I want them to work as intended. I'll report back my findings tomorrow.

Thanks,
-Andrew

On Mon, Feb 16, 2015 at 12:40 AM, Sumit Bose sb...@redhat.com wrote:
> On Sat, Feb 14, 2015 at 12:52:10PM -0800, Andrew Egelhofer wrote:
>> Hi FreeIPA Users-
>>
>> I've deployed a FreeIPA instance in my Lab, and enrolled a single host, and a single user ('testuser'). The only HBAC rule I currently have is the stock allow_all. Yet, when I attempt to log into the host via ssh, it closes the connection.
>>
>> $ ssh testuser@host
>> Warning: Permanently added 'host,host-ip' (RSA) to the list of known hosts.
>> testuser@host's password:
>> Connection closed by host-ip
>>
>> The host I'm attempting to login to can correctly look up the user using getent:
>>
>> # getent passwd testuser
>> testuser:*:16843:16843:Test User:/home/testuser:/bin/bash
>>
>> Scanning /var/log/secure, I see these entries:
>>
>> Feb 14 12:01:50 host sshd[6528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
>> Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
>> Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
>>
>> That tells me (from reading online) the user / password was correctly authenticated, but failed authorization due to HBAC rules. I've tested the rule using the 'hbactest' utility and it passes:
>>
>> [root@Master ~]# ipa hbactest --user=testuser --host=host --service=sshd
>> Access granted: True
>>   Matched rules: allow_all
>>
>> I'm at a loss here, because if I comment out the line:
>>
>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>>
>> in /etc/pam.d/system-auth, the user is able to login. So what am I missing here?
>>
>> Is there a way I can debug HBAC rules? I've already set debug_level = 10 in /etc/sssd/sssd.conf, and I see it's able to access the HBAC 'allow_all' rule in the log /var/log/sssd/sssd_domain.dc.log:
>>
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [sdap_get_generic_done] (7): Total count [0]
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_attrs_to_rule] (7): Processing rule [allow_all]
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category] (5): Category is set to 'all'.
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_service_attrs_to_rule] (7): Processing PAM services for rule [allow_all]
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category] (5): Category is set to 'all'.
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_thost_attrs_to_rule] (7): Processing target hosts for rule [allow_all]
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category] (5): Category is set to 'all'.
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (7): [12] groups for [admin]
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (7): Added group [admins] for user [admin]
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=replication administrators,cn=privileges,cn=pbac,dc=domain,dc=dc]
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=modify replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=remove replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=host enrollment,cn=privileges,cn=pbac,dc=domain,dc=dc]
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage host keytab,cn=permissions,cn=pbac,dc=domain,dc=dc]
>> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=enroll a
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
Steven Jones wrote:
> Hi,
>
> I have no idea how.

$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX

It should have an attribute cACertificate;binary likely beginning with MII. If it begins with TU then it is likely double-encoded.

And remember, this may be a red herring.

rob

> regards
>
> Steven
>
> From: Rob Crittenden rcrit...@redhat.com
> Sent: Tuesday, 17 February 2015 10:40 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
>
> Steven Jones wrote:
>> While attempting to initialise the new server I am getting,
>>
>> [root@xx replica-files]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg --skip-conncheck --debug
>> =8 packages/ipaserver/install/plugins/update_uniqueness.py'
>> ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
>> ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
>> ipa.ipaserver.install.installutils: DEBUG group dirsrv exists
>> ipa.ipaserver.install.installutils: DEBUG user dirsrv exists
>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_59928528
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing ldaps://vuwunicoipam002.ods.vuw.ac.nz from SchemaCache
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldaps://vuwunicoipam002.ods.vuw.ac.nz conn=ldap.ldapobject.SimpleLDAPObject instance at 0x39d9ef0
>> error copying files: failed to decode certificate: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_59928528
>> ipa : DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 646, in run_script
>>     return_value = main_function()
>>   File /sbin/ipa-replica-install, line 658, in main
>>     install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
>>   File /sbin/ipa-replica-install, line 227, in install_ca_cert
>>     sys.exit(1)
>> ipa : DEBUG The ipa-replica-install command failed, exception: SystemExit: 1
>>
>> Any idea what is wrong please?
>
> What a strange error. My initial thought was that it couldn't read or parse the CA cert from the 3.0 master, but this security library error is unexpected.
>
> I might be sending you on a wild goose chase but take a look at the CA cert in cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>
> There was a bug quite a while back where the cert value was double-base64-encoded. I wouldn't expect this error from this problem but who knows.
>
> rob
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
?

[root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
SASL/GSSAPI authentication started
SASL username:
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=CAcert,cn=ipa,cn=etc, with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 32 No such object

# numResponses: 1

regards

Steven

From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 17 February 2015 10:59 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

Steven Jones wrote:
> Hi,
>
> I have no idea how.

$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX

It should have an attribute cACertificate;binary likely beginning with MII. If it begins with TU then it is likely double-encoded.

And remember, this may be a red herring.

rob

> regards
>
> Steven
>
> From: Rob Crittenden rcrit...@redhat.com
> Sent: Tuesday, 17 February 2015 10:40 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
>
> Steven Jones wrote:
>> While attempting to initialise the new server I am getting,
>>
>> [root@xx replica-files]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg --skip-conncheck --debug
>> =8 packages/ipaserver/install/plugins/update_uniqueness.py'
>> ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
>> ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
>> ipa.ipaserver.install.installutils: DEBUG group dirsrv exists
>> ipa.ipaserver.install.installutils: DEBUG user dirsrv exists
>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_59928528
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing ldaps://vuwunicoipam002.ods.vuw.ac.nz from SchemaCache
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldaps://vuwunicoipam002.ods.vuw.ac.nz conn=ldap.ldapobject.SimpleLDAPObject instance at 0x39d9ef0
>> error copying files: failed to decode certificate: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_59928528
>> ipa : DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 646, in run_script
>>     return_value = main_function()
>>   File /sbin/ipa-replica-install, line 658, in main
>>     install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
>>   File /sbin/ipa-replica-install, line 227, in install_ca_cert
>>     sys.exit(1)
>> ipa : DEBUG The ipa-replica-install command failed, exception: SystemExit: 1
>>
>> Any idea what is wrong please?
>
> What a strange error. My initial thought was that it couldn't read or parse the CA cert from the 3.0 master, but this security library error is unexpected.
>
> I might be sending you on a wild goose chase but take a look at the CA cert in cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>
> There was a bug quite a while back where the cert value was double-base64-encoded. I wouldn't expect this error from this problem but who knows.
>
> rob
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
Hi,

I have no idea how.

regards

Steven

From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 17 February 2015 10:40 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

Steven Jones wrote:
> While attempting to initialise the new server I am getting,
>
> [root@xx replica-files]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg --skip-conncheck --debug
> =8 packages/ipaserver/install/plugins/update_uniqueness.py'
> ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
> ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
> ipa.ipaserver.install.installutils: DEBUG group dirsrv exists
> ipa.ipaserver.install.installutils: DEBUG user dirsrv exists
> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_59928528
> ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing ldaps://vuwunicoipam002.ods.vuw.ac.nz from SchemaCache
> ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldaps://vuwunicoipam002.ods.vuw.ac.nz conn=ldap.ldapobject.SimpleLDAPObject instance at 0x39d9ef0
> error copying files: failed to decode certificate: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_59928528
> ipa : DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 646, in run_script
>     return_value = main_function()
>   File /sbin/ipa-replica-install, line 658, in main
>     install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
>   File /sbin/ipa-replica-install, line 227, in install_ca_cert
>     sys.exit(1)
> ipa : DEBUG The ipa-replica-install command failed, exception: SystemExit: 1
>
> Any idea what is wrong please?

What a strange error. My initial thought was that it couldn't read or parse the CA cert from the 3.0 master, but this security library error is unexpected.

I might be sending you on a wild goose chase but take a look at the CA cert in cn=CAcert,cn=ipa,cn=etc,$SUFFIX

There was a bug quite a while back where the cert value was double-base64-encoded. I wouldn't expect this error from this problem but who knows.

rob
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
Steven Jones wrote:
> ?
>
> [root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
> SASL/GSSAPI authentication started
> SASL username:
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base cn=CAcert,cn=ipa,cn=etc, with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 32 No such object
>
> # numResponses: 1

Did you literally use $SUFFIX? You need to use dc=example,dc=com, whatever is appropriate for your install.

rob

> regards
>
> Steven
>
> From: Rob Crittenden rcrit...@redhat.com
> Sent: Tuesday, 17 February 2015 10:59 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
>
> Steven Jones wrote:
>> Hi,
>>
>> I have no idea how.
>
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>
> It should have an attribute cACertificate;binary likely beginning with MII. If it begins with TU then it is likely double-encoded.
>
> And remember, this may be a red herring.
>
> rob
>
>> regards
>>
>> Steven
>>
>> From: Rob Crittenden rcrit...@redhat.com
>> Sent: Tuesday, 17 February 2015 10:40 a.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
>>
>> Steven Jones wrote:
>>> While attempting to initialise the new server I am getting,
>>>
>>> [root@xx replica-files]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg --skip-conncheck --debug
>>> =8 packages/ipaserver/install/plugins/update_uniqueness.py'
>>> ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
>>> ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
>>> ipa.ipaserver.install.installutils: DEBUG group dirsrv exists
>>> ipa.ipaserver.install.installutils: DEBUG user dirsrv exists
>>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_59928528
>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing ldaps://vuwunicoipam002.ods.vuw.ac.nz from SchemaCache
>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldaps://vuwunicoipam002.ods.vuw.ac.nz conn=ldap.ldapobject.SimpleLDAPObject instance at 0x39d9ef0
>>> error copying files: failed to decode certificate: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_59928528
>>> ipa : DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 646, in run_script
>>>     return_value = main_function()
>>>   File /sbin/ipa-replica-install, line 658, in main
>>>     install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
>>>   File /sbin/ipa-replica-install, line 227, in install_ca_cert
>>>     sys.exit(1)
>>> ipa : DEBUG The ipa-replica-install command failed, exception: SystemExit: 1
>>>
>>> Any idea what is wrong please?
>>
>> What a strange error. My initial thought was that it couldn't read or parse the CA cert from the 3.0 master, but this security library error is unexpected.
>>
>> I might be sending you on a wild goose chase but take a look at the CA cert in cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>>
>> There was a bug quite a while back where the cert value was double-base64-encoded. I wouldn't expect this error from this problem but who knows.
>>
>> rob
[Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
While attempting to initialise the new server I am getting,

[root@xx replica-files]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg --skip-conncheck --debug
=8 packages/ipaserver/install/plugins/update_uniqueness.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
ipa.ipaserver.install.installutils: DEBUG group dirsrv exists
ipa.ipaserver.install.installutils: DEBUG user dirsrv exists
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_59928528
ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing ldaps://vuwunicoipam002.ods.vuw.ac.nz from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldaps://vuwunicoipam002.ods.vuw.ac.nz conn=ldap.ldapobject.SimpleLDAPObject instance at 0x39d9ef0
error copying files: failed to decode certificate: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_59928528
ipa : DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 646, in run_script
    return_value = main_function()
  File /sbin/ipa-replica-install, line 658, in main
    install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
  File /sbin/ipa-replica-install, line 227, in install_ca_cert
    sys.exit(1)
ipa : DEBUG The ipa-replica-install command failed, exception: SystemExit: 1

Any idea what is wrong please?

regards

Steven J
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
yep this is all double dutch to me.

regards

Steven

From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 17 February 2015 12:08 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

Steven Jones wrote:
> ?
>
> [root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
> SASL/GSSAPI authentication started
> SASL username:
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base cn=CAcert,cn=ipa,cn=etc, with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 32 No such object
>
> # numResponses: 1

Did you literally use $SUFFIX? You need to use dc=example,dc=com, whatever is appropriate for your install.

rob

> regards
>
> Steven
>
> From: Rob Crittenden rcrit...@redhat.com
> Sent: Tuesday, 17 February 2015 10:59 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
>
> Steven Jones wrote:
>> Hi,
>>
>> I have no idea how.
>
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>
> It should have an attribute cACertificate;binary likely beginning with MII. If it begins with TU then it is likely double-encoded.
>
> And remember, this may be a red herring.
>
> rob
>
>> regards
>>
>> Steven
>>
>> From: Rob Crittenden rcrit...@redhat.com
>> Sent: Tuesday, 17 February 2015 10:40 a.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
>>
>> Steven Jones wrote:
>>> While attempting to initialise the new server I am getting,
>>>
>>> [root@xx replica-files]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg --skip-conncheck --debug
>>> =8 packages/ipaserver/install/plugins/update_uniqueness.py'
>>> ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
>>> ipa : DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
>>> ipa.ipaserver.install.installutils: DEBUG group dirsrv exists
>>> ipa.ipaserver.install.installutils: DEBUG user dirsrv exists
>>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_59928528
>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing ldaps://vuwunicoipam002.ods.vuw.ac.nz from SchemaCache
>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldaps://vuwunicoipam002.ods.vuw.ac.nz conn=ldap.ldapobject.SimpleLDAPObject instance at 0x39d9ef0
>>> error copying files: failed to decode certificate: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection context.ldap2_59928528
>>> ipa : DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 646, in run_script
>>>     return_value = main_function()
>>>   File /sbin/ipa-replica-install, line 658, in main
>>>     install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
>>>   File /sbin/ipa-replica-install, line 227, in install_ca_cert
>>>     sys.exit(1)
>>> ipa : DEBUG The ipa-replica-install command failed, exception: SystemExit: 1
>>>
>>> Any idea what is wrong please?
>>
>> What a strange error. My initial thought was that it couldn't read or parse the CA cert from the 3.0 master, but this security library error is unexpected.
>>
>> I might be sending you on a wild goose chase but take a look at the CA cert in cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>>
>> There was a bug quite a while back where the cert value was double-base64-encoded. I wouldn't expect this error from this problem but who knows.
>>
>> rob
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
= cACertificate;binary:: TUlJQ0NUQ0NBWEtnQX8--- = :( So now what? regards Steven From: Rob Crittenden rcrit...@redhat.com Sent: Tuesday, 17 February 2015 12:08 p.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade. Steven Jones wrote: ? [root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX SASL/GSSAPI authentication started SASL username: SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base cn=CAcert,cn=ipa,cn=etc, with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 4 result: 32 No such object # numResponses: 1 Did you literally use $SUFFIX? You need to use dc=example,dc=com, whatever is appropriate for your install. rob regards Steven From: Rob Crittenden rcrit...@redhat.com Sent: Tuesday, 17 February 2015 10:59 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade. Steven Jones wrote: Hi, I have no idea how. $ kinit admin $ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX It should have an attribuete cACertificate;binary likely beginning with MII. If it begins with TU then it is likely double-encoded. And remember, this may be a red herring. rob regards Steven From: Rob Crittenden rcrit...@redhat.com Sent: Tuesday, 17 February 2015 10:40 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade. 
Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
Steven Jones wrote:
> cACertificate;binary:: TUlJQ0NUQ0NBWEtnQX8---

Now you need to replace the contents of this double-encoded value with an actual binary value.

First create the necessary file:

$ openssl x509 -inform pem -outform der -in /etc/ipa/ca.crt -out /tmp/ca.der

Now replace what is there with the contents of the file, replacing dc=example,dc=com with your basedn:

$ kinit admin
$ ldapmodify -Y GSSAPI
dn: cn=CACert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacertificate;binary
cacertificate;binary:< file:///tmp/ca.der
(hit return to signal you are done)
modifying entry "cn=CACert,cn=ipa,cn=etc,dc=example,dc=com"
(ctrl-D to quit)

This is assuming that you have a single CA certificate in /etc/ipa/ca.crt. This is *not* the best assumption to make. Be careful.

rob

> :(
>
> So now what?
>
> regards
> Steven
>
> From: Rob Crittenden rcrit...@redhat.com
> Sent: Tuesday, 17 February 2015 12:08 p.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
>
> Steven Jones wrote:
>> [root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>> SASL/GSSAPI authentication started
>> SASL username:
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=CAcert,cn=ipa,cn=etc,> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 4
>> result: 32 No such object
>>
>> # numResponses: 1
>
> Did you literally use $SUFFIX? You need to use dc=example,dc=com, whatever is appropriate for your install.
>
> rob
>
> regards
> Steven
>
> From: Rob Crittenden rcrit...@redhat.com
> Sent: Tuesday, 17 February 2015 10:59 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.
>
> Steven Jones wrote:
>> Hi,
>> I have no idea how.
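Rob's two checks in this thread (an ldapsearch value that starts with TU instead of MII, and the ldapmodify replacement with a DER file) can be scripted so the diagnosis does not rest on eyeballing a prefix. The following is an added example, not code from the thread or from FreeIPA: it constructs a stand-in for a DER certificate, renders the correctly stored and the double-encoded `cACertificate;binary` value the way ldapsearch prints them, unwraps the extra base64 layer while verifying the result is a DER SEQUENCE of the right length, and emits Rob's ldapmodify input for a given base DN.

```python
import base64
import binascii


def build_sample_der(payload: bytes) -> bytes:
    """Constructed stand-in for a DER certificate: an outer SEQUENCE (0x30)
    with a two-byte long-form length (0x82). Real certificates share this
    header, which is why their base64 form begins with "MII"."""
    if not 256 <= len(payload) <= 0xFFFF:
        raise ValueError("payload must need a two-byte length field")
    return b"\x30\x82" + len(payload).to_bytes(2, "big") + payload


def looks_like_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE with a two-byte length."""
    if len(data) < 4 or data[0] != 0x30 or data[1] != 0x82:
        return False
    return int.from_bytes(data[2:4], "big") + 4 == len(data)


def make_ldif_line(der: bytes, double_encode: bool = False) -> str:
    """Render the attribute as ldapsearch prints it: LDIF '::' means the
    stored value is shown base64-encoded once for transport. A healthy
    entry stores DER bytes; a double-encoded one stores base64 text."""
    stored = base64.b64encode(der) if double_encode else der
    return "cACertificate;binary:: " + base64.b64encode(stored).decode("ascii")


def prefix_check(ldif_line: str) -> str:
    """Rob's quick heuristic: MII means DER, TU means base64("MI...")."""
    value = ldif_line.split("::", 1)[1].strip()
    if value.startswith("MII"):
        return "binary DER (as expected)"
    if value.startswith("TU"):
        return "double-encoded (base64 text stored as the value)"
    return "unrecognised"


def unwrap_cacert_value(ldif_line: str, max_layers: int = 3):
    """Strip the LDIF transport layer, then any extra base64 layers, until
    the bytes are a DER SEQUENCE. Returns (der_bytes, extra_layers)."""
    attr, sep, value = ldif_line.partition("::")
    if not sep or attr.strip().lower() != "cacertificate;binary":
        raise ValueError("not a base64 cACertificate;binary LDIF line")
    data = base64.b64decode(value.strip(), validate=True)
    extra = 0
    while not looks_like_der_sequence(data):
        if extra >= max_layers:
            raise ValueError("no DER certificate found within %d layers" % max_layers)
        try:
            data = base64.b64decode(data, validate=True)
        except binascii.Error as exc:
            raise ValueError("value is neither DER nor base64 text") from exc
        extra += 1
    return data, extra


def ldapmodify_fix(basedn: str, der_path: str = "/tmp/ca.der") -> str:
    """Rob's ldapmodify input, rendered for a given base DN. ':<' tells
    ldapmodify to read the attribute value from the URL."""
    return (
        "dn: cn=CACert,cn=ipa,cn=etc,%s\n"
        "changetype: modify\n"
        "replace: cacertificate;binary\n"
        "cacertificate;binary:< file://%s\n" % (basedn, der_path)
    )


if __name__ == "__main__":
    der = build_sample_der(bytes(range(256)))
    for line in (make_ldif_line(der), make_ldif_line(der, double_encode=True)):
        print(prefix_check(line), "->", unwrap_cacert_value(line)[1], "extra layer(s)")
    print(ldapmodify_fix("dc=example,dc=com"))
```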
Re: [Freeipa-users] join error
On 02/16/2015 08:19 AM, mohammad sereshki wrote:
> dear
> I use the admin user, at the same time I added another server with this permission.

Then the problem is probably with this client. Is everything fine with its host name and DNS lookups?

> From: Martin Basti mba...@redhat.com
> To: mohammad sereshki mohammadseres...@yahoo.com; freeipa-users@redhat.com
> Sent: Monday, February 16, 2015 2:35 PM
> Subject: Re: [Freeipa-users] join error
>
> On 16/02/15 11:02, mohammad sereshki wrote:
>> * Server auth using Basic with user ''
>
> Hello,
> It looks like an anonymous user.
> Which version of IPA do you use?
> Did you specify the right user with the ability to enroll a client?
>
> Martin^2

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] join error
dear
I use ipa-client-3.0.0-42 and I added it with ipa-client-install, so it asks to enter the admin user and password.

From: Martin Basti mba...@redhat.com
To: mohammad sereshki mohammadseres...@yahoo.com; freeipa-users@redhat.com
Sent: Monday, February 16, 2015 2:35 PM
Subject: Re: [Freeipa-users] join error

On 16/02/15 11:02, mohammad sereshki wrote:
> * Server auth using Basic with user ''

Hello,
It looks like an anonymous user.
Which version of IPA do you use?
Did you specify the right user with the ability to enroll a client?

Martin^2
Re: [Freeipa-users] join error
On 02/16/2015 07:51 AM, mohammad sereshki wrote:
> dear
> I use ipa-client-3.0.0-42 and I added it with ipa-client-install, so it asks to enter the admin user and password.

Did you change admin user privileges inside IPA? Are you using the admin user from IPA or some other local admin account?

> From: Martin Basti mba...@redhat.com
> To: mohammad sereshki mohammadseres...@yahoo.com; freeipa-users@redhat.com
> Sent: Monday, February 16, 2015 2:35 PM
> Subject: Re: [Freeipa-users] join error
>
> On 16/02/15 11:02, mohammad sereshki wrote:
>> * Server auth using Basic with user ''
>
> Hello,
> It looks like an anonymous user.
> Which version of IPA do you use?
> Did you specify the right user with the ability to enroll a client?
>
> Martin^2

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] join error
dear
I use the admin user; at the same time I added another server with this permission.

From: Martin Basti mba...@redhat.com
To: mohammad sereshki mohammadseres...@yahoo.com; freeipa-users@redhat.com
Sent: Monday, February 16, 2015 2:35 PM
Subject: Re: [Freeipa-users] join error

On 16/02/15 11:02, mohammad sereshki wrote:
> * Server auth using Basic with user ''

Hello,
It looks like an anonymous user.
Which version of IPA do you use?
Did you specify the right user with the ability to enroll a client?

Martin^2
Re: [Freeipa-users] join error
Dmitri Pal wrote:
> On 02/16/2015 08:19 AM, mohammad sereshki wrote:
>> dear
>> I use the admin user, at the same time I added another server with this permission.
>
> Then the problem is probably with this client. Is everything fine with its host name and DNS lookups?

I don't think this has anything to do with DNS, the hostname or enrollment privileges. As Martin pointed out, it's odd that Basic auth is being used in this case. The empty value isn't so surprising since with negotiate auth in curl we purposely set it to :.

I think we need to see the full ipaclient-install.log.

rob

>> From: Martin Basti mba...@redhat.com
>> To: mohammad sereshki mohammadseres...@yahoo.com; freeipa-users@redhat.com
>> Sent: Monday, February 16, 2015 2:35 PM
>> Subject: Re: [Freeipa-users] join error
>>
>> On 16/02/15 11:02, mohammad sereshki wrote:
>>> * Server auth using Basic with user ''
>>
>> Hello,
>> It looks like an anonymous user.
>> Which version of IPA do you use?
>> Did you specify the right user with the ability to enroll a client?
>>
>> Martin^2
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] resolving subdomain AD in a trust relationship
OK, seems promising but it still fails.

I used
  ipa idrange-mod COMPANY.COM_id_range --range-size=1000
  ipa idrange-mod CORP.COMPANY.COM_id_range --range-size=1000
restarted sssd (and IPA just in case) but still get the same error.

Isn't it in sssd.conf that I should set ldap_idmap_range_size? And if yes, in which section?

:-(

thank you

----- Original Message -----
From: Alexander Bokovoy aboko...@redhat.com
To: Nicolas Zin nicolas@savoirfairelinux.com
Cc: freeipa-users@redhat.com, Francois Cami fc...@redhat.com
Sent: Monday, 16 February 2015 13:50:38
Subject: Re: [Freeipa-users] resolving subdomain AD in a trust relationship

On Mon, 16 Feb 2015, Nicolas Zin wrote:
> Hi,
>
> we created a trust relationship with an AD, and we get this result:
>
> # ipa trust-domainfind company.com
>   Domain name: corp.company.com
>   Domain NetBIOS name: COMPANY
>   Domain Security Identifier: S-1-5-21-blabla-blabla-blabla
>   Domain enabled: True
>
>   Domain name: company.com
>   Domain NetBIOS name: ROOT
>   Domain Security Identifier: S-1-5-21-blabla2-blabla2-blabla2
>   Domain enabled: True
>
> We manage to see the user from the root domain:
>   id au...@company.com
> But cannot see a user from the child:
>   id anotheru...@corp.company.com
>
> In the logs we see:
>   Could not convert objectSID S-1-5-21-blabla-blabla-blabla-496378] to a UNIX ID

RID (496378) is larger than the size of the idrange given for this domain (20 ids by default). You need to extend idrange for corp.company.com.

In Windows world RIDs grow monotonically -- if you delete user, its RID is not reused. When there is large churn of users created/removed, RIDs may go up quickly. For most mid-range companies defaults like IPA has (20 ids) are fine but if your situation is different, increase the range.

Note that idranges for trusted AD domains are not used by DNA plugin as nothing is allocating in this space on the LDAP server side, rather SSSD does allocation on its own, it just needs the idrange reserved.

For example, 'ipa idrange-mod range-name --size=100' to set the idrange size to one million. Range name for the trusted domain can be seen with 'ipa idrange-find'.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] resolving subdomain AD in a trust relationship
On Mon, 16 Feb 2015, Nicolas Zin wrote:
> OK seems promising but it stills fail.
>
> I used
>   ipa idrange-mod COMPANY.COM_id_range --range-size=1000
>   ipa idrange-mod CORP.COMPANY.COM_id_range --range-size=1000
> restarted sssd (and IPA in case of) but still get the same error.

SSSD logs would be more helpful (debug_level = 9).

> Isn't it in sssd.conf that I should set ldap_idmap_range_size? and if yes, in which section?
> :-(

These options should not be touched at all.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] join error
On 16/02/15 11:02, mohammad sereshki wrote:
> * Server auth using Basic with user ''

Hello,
It looks like an anonymous user.
Which version of IPA do you use?
Did you specify the right user with the ability to enroll a client?

Martin^2
Re: [Freeipa-users] dirsrv hangs, 0% CPU util
On Mon, Feb 16, 2015 at 8:44 AM, Alexander Bokovoy aboko...@redhat.com wrote:
> I wonder if amending your slapi-nis config to avoid triggering internal searches on cn=changelog would be enough.

I can try, but would need some more details, if possible.

> If you have RHEL subscription, please open a case with Red Hat's support.

Ahh, it's been on my todo list for quite some time now (performing fresh installs of all those CentOS servers isn't something I look forward to). But an order has now been sent, and we'll start with IPA :-)

Best regards,
Thomas
Re: [Freeipa-users] Help with debugging HBACs
On Sat, Feb 14, 2015 at 12:52:10PM -0800, Andrew Egelhofer wrote:
> Hi FreeIPA Users-
>
> I've deployed a FreeIPA instance in my Lab, and enrolled a single host, and a single user ('testuser'). The only HBAC rule I currently have is the stock allow_all. Yet, when I attempt to log into the host via ssh, it closes the connection.
>
> $ ssh testuser@host
> Warning: Permanently added 'host,host-ip' (RSA) to the list of known hosts.
> testuser@host's password:
> Connection closed by host-ip
>
> The host I'm attempting to login to can correctly look up the user using getent:
>
> # getent passwd testuser
> testuser:*:16843:16843:Test User:/home/testuser:/bin/bash
>
> Scanning /var/log/secure, I see these entries:
>
> Feb 14 12:01:50 host sshd[6528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
> Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
> Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
>
> That tells me (from reading online) the user / password was correctly authenticated, but failed authorization due to HBAC rules. I've tested the rule using the 'hbactest' utility and it passes:
>
> [root@Master ~]# ipa hbactest --user=testuser --host=host --service=sshd
> Access granted: True
>   Matched rules: allow_all
>
> I'm at a loss here, because if I comment out the line:
>
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>
> in /etc/pam.d/system-auth, the user is able to login. So what am I missing here? Is there a way I can debug HBAC rules?
>
> I've already set debug_level = 10 in /etc/sssd/sssd.conf, and I see it's able to access the HBAC 'allow_all' rule in the log /var/log/sssd/sssd_domain.dc.log:
>
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [sdap_get_generic_done] (7): Total count [0]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_attrs_to_rule] (7): Processing rule [allow_all]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category] (5): Category is set to 'all'.
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_service_attrs_to_rule] (7): Processing PAM services for rule [allow_all]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category] (5): Category is set to 'all'.
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_thost_attrs_to_rule] (7): Processing target hosts for rule [allow_all]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category] (5): Category is set to 'all'.
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (7): [12] groups for [admin]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (7): Added group [admins] for user [admin]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=replication administrators,cn=privileges,cn=pbac,dc=domain,dc=dc]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=modify replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=remove replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=host enrollment,cn=privileges,cn=pbac,dc=domain,dc=dc]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage host keytab,cn=permissions,cn=pbac,dc=domain,dc=dc]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=enroll a host,cn=permissions,cn=pbac,dc=domain,dc=dc]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=domain,dc=dc]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=unlock user accounts,cn=permissions,cn=pbac,dc=domain,dc=dc]
> (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (8): Skipping non-group memberOf
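With debug_level raised, the HBAC trace above buries a single level-4 line ("rule will never apply") among dozens of level-7 and level-8 trace lines. As an added example that is not from the question or from SSSD, the following parses the sssd_domain.dc.log line layout shown above, groups the HBAC lines by rule, records which rule sections were resolved to the 'all' category, and collects the failure-class messages per rule; the sample log is constructed from the lines quoted in the question.

```python
import re

# SSSD debug line layout seen in the question:
# (timestamp) [sssd[be[domain]]] [function] (level): message
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[(?P<proc>.*?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>\d+)\): (?P<msg>.*)$"
)
RULE_RE = re.compile(r"^Processing rule \[(?P<rule>[^\]]+)\]")
SECTION_RE = re.compile(
    r"^Processing (?P<section>users|PAM services|target hosts|source hosts) "
    r"for rule \[(?P<rule>[^\]]+)\]"
)
CATEGORY_RE = re.compile(r"^Category is set to '(?P<cat>[^']+)'\.")

# Level 4 and below are SSSD's failure classes (minor failure and worse);
# 5-9 are configuration and trace output.
FAILURE_LEVEL = 4

# Constructed sample, modelled on the excerpt in the question.
SAMPLE_LOG = """\
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [sdap_get_generic_done] (7): Total count [0]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_attrs_to_rule] (7): Processing rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category] (5): Category is set to 'all'.
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_service_attrs_to_rule] (7): Processing PAM services for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category] (5): Category is set to 'all'.
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_thost_attrs_to_rule] (7): Processing target hosts for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category] (5): Category is set to 'all'.
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_eval_user_element] (7): [12] groups for [admin]
"""


def parse_line(line: str):
    """Split one SSSD debug line into its fields; None if it is not one."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    return rec


def summarize_hbac(log_text: str) -> dict:
    """Per rule: which sections resolved to a category, and any
    failure-class messages emitted by hbac_* code while it was current."""
    rules = {}
    current_rule = current_section = None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        m = RULE_RE.match(msg)
        if m:
            current_rule, current_section = m["rule"], None
            rules.setdefault(current_rule, {"categories": {}, "warnings": []})
            continue
        m = SECTION_RE.match(msg)
        if m:
            current_rule, current_section = m["rule"], m["section"]
            rules.setdefault(current_rule, {"categories": {}, "warnings": []})
            continue
        m = CATEGORY_RE.match(msg)
        if m and current_rule and current_section:
            rules[current_rule]["categories"][current_section] = m["cat"]
            continue
        if rec["level"] <= FAILURE_LEVEL and rec["func"].startswith("hbac_") and current_rule:
            rules[current_rule]["warnings"].append("%s: %s" % (rec["func"], msg))
    return rules


def rules_that_never_apply(rules: dict) -> list:
    """Names of rules for which SSSD itself said the rule cannot match."""
    return sorted(name for name, info in rules.items()
                  if any("rule will never apply" in w for w in info["warnings"]))


if __name__ == "__main__":
    summary = summarize_hbac(SAMPLE_LOG)
    for name, info in summary.items():
        print(name, info["categories"])
        for warning in info["warnings"]:
            print("  WARN", warning)
    print("never apply:", rules_that_never_apply(summary))
```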
[Freeipa-users] resolving subdomain AD in a trust relationship
Hi,

we created a trust relationship with an AD, and we get this result:

# ipa trust-domainfind company.com
  Domain name: corp.company.com
  Domain NetBIOS name: COMPANY
  Domain Security Identifier: S-1-5-21-blabla-blabla-blabla
  Domain enabled: True

  Domain name: company.com
  Domain NetBIOS name: ROOT
  Domain Security Identifier: S-1-5-21-blabla2-blabla2-blabla2
  Domain enabled: True

We manage to see the user from the root domain:
  id au...@company.com
But cannot see a user from the child:
  id anotheru...@corp.company.com

In the logs we see:
  Could not convert objectSID S-1-5-21-blabla-blabla-blabla-496378] to a UNIX ID

I have to add:
- it is on a Windows 2008R2
- it is a functional Windows 2003 level AD

Any idea?

Nicolas Zin
nicolas@savoirfairelinux.com
Direct line: 514-276-5468 ext. 135
Fax: 514-276-5465
7275 Saint Urbain, Bureau 200
Montréal, QC, H2R 2Y5
[Freeipa-users] ipa replication not working
I installed IPA on CentOS 6.5 with replication. When I configure any role in IPA, the role is copied to the replica, but the reverse does not work (roles from the replica are not copied to IPA).

I do the following:

on server IPA:
# ipa-replica-manage list
ipa... master
ipareplica... master
# ipa-replica-manage list ipa...
ipareplica... replica
# ipa-replica-manage list ipareplica...
ipa... replica

on server ipareplica:
# ipa-replica-manage list
ipa... master
ipareplica... master
# ipa-replica-manage list ipa...
Failed get data from ipa... Can not Contact LDAP Server
Re: [Freeipa-users] resolving subdomain AD in a trust relationship
On Mon, 16 Feb 2015, Nicolas Zin wrote:
> Hi,
>
> we created a trust relationship with an AD, and we get this result:
>
> # ipa trust-domainfind company.com
>   Domain name: corp.company.com
>   Domain NetBIOS name: COMPANY
>   Domain Security Identifier: S-1-5-21-blabla-blabla-blabla
>   Domain enabled: True
>
>   Domain name: company.com
>   Domain NetBIOS name: ROOT
>   Domain Security Identifier: S-1-5-21-blabla2-blabla2-blabla2
>   Domain enabled: True
>
> We manage to see the user from the root domain:
>   id au...@company.com
> But cannot see a user from the child:
>   id anotheru...@corp.company.com
>
> In the logs we see:
>   Could not convert objectSID S-1-5-21-blabla-blabla-blabla-496378] to a UNIX ID

RID (496378) is larger than the size of the idrange given for this domain (20 ids by default). You need to extend idrange for corp.company.com.

In Windows world RIDs grow monotonically -- if you delete user, its RID is not reused. When there is large churn of users created/removed, RIDs may go up quickly. For most mid-range companies defaults like IPA has (20 ids) are fine but if your situation is different, increase the range.

Note that idranges for trusted AD domains are not used by DNA plugin as nothing is allocating in this space on the LDAP server side, rather SSSD does allocation on its own, it just needs the idrange reserved.

For example, 'ipa idrange-mod range-name --size=100' to set the idrange size to one million. Range name for the trusted domain can be seen with 'ipa idrange-find'.

-- 
/ Alexander Bokovoy
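Alexander's explanation here, and the idrange-mod exchange with Nicolas earlier in this digest, come down to one arithmetic check: the RID (the last sub-authority of the objectSID in the log) must fall inside the RID span that the trusted domain's idrange reserves, otherwise SSSD has no POSIX id to hand out. As an added example, not code from the thread or from FreeIPA/SSSD, the following parses an `ipa idrange-find` style entry (constructed sample; the SID, base id and size are placeholders), runs the check for the SID from the log with base_id + (RID - first RID) as the mapping, and prints the idrange-mod call that would cover it.

```python
import re

# Constructed sample, laid out like the trusted-domain range that
# `ipa idrange-find` prints; the SID, base id and size are placeholders.
SAMPLE_IDRANGE = """\
  Range name: CORP.COMPANY.COM_id_range
  First Posix ID of the range: 1400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1111111111-2222222222-3333333333
  Range type: Active Directory domain range
"""

# label in idrange-find output -> (field name, converter)
FIELDS = {
    "Range name": ("name", str),
    "First Posix ID of the range": ("base_id", int),
    "Number of IDs in the range": ("size", int),
    "First RID of the corresponding RID range": ("base_rid", int),
    "Domain SID of the trusted domain": ("domain_sid", str),
}

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def parse_idrange(text: str) -> dict:
    """Pick the fields this check needs out of one idrange-find entry."""
    rng = {}
    for line in text.splitlines():
        label, sep, value = line.strip().partition(":")
        if sep and label in FIELDS:
            name, conv = FIELDS[label]
            rng[name] = conv(value.strip())
    missing = {name for name, _ in FIELDS.values()} - set(rng)
    if missing:
        raise ValueError("idrange entry lacks: " + ", ".join(sorted(missing)))
    return rng


def split_sid(object_sid: str):
    """'S-1-5-21-a-b-c-RID' -> ('S-1-5-21-a-b-c', RID). The RID is the last
    sub-authority and is what has to fit inside the range."""
    if not SID_RE.fullmatch(object_sid):
        raise ValueError("not a SID: %r" % object_sid)
    domain_sid, _, rid = object_sid.rpartition("-")
    return domain_sid, int(rid)


def map_rid(rng: dict, object_sid: str):
    """Return (posix_id, 'ok') using base_id + (RID - first RID), or
    (None, reason) when the SID cannot be mapped through this range."""
    domain_sid, rid = split_sid(object_sid)
    if domain_sid != rng["domain_sid"]:
        return None, "SID is from another domain than range %s" % rng["name"]
    offset = rid - rng["base_rid"]
    if not 0 <= offset < rng["size"]:
        return None, "RID %d is outside [%d, %d) covered by %s" % (
            rid, rng["base_rid"], rng["base_rid"] + rng["size"], rng["name"])
    return rng["base_id"] + offset, "ok"


def minimum_range_size(rng: dict, object_sid: str) -> int:
    """Smallest range size that would make this RID mappable."""
    _, rid = split_sid(object_sid)
    return rid - rng["base_rid"] + 1


def suggest_fix(rng: dict, object_sid: str, headroom: int = 1000000) -> str:
    """The idrange-mod call that widens the range, rounded up to a multiple
    of `headroom` (assumed convenience; the option is the one Nicolas used)."""
    need = minimum_range_size(rng, object_sid)
    size = -(-need // headroom) * headroom
    return "ipa idrange-mod %s --range-size=%d" % (rng["name"], size)


if __name__ == "__main__":
    # Constructed SID: the domain part matches the sample range, the RID is
    # the one from the log line in the thread.
    sid = "S-1-5-21-1111111111-2222222222-3333333333-496378"
    rng = parse_idrange(SAMPLE_IDRANGE)
    posix_id, why = map_rid(rng, sid)
    print(posix_id, why)
    if posix_id is None:
        print("needs at least %d ids:" % minimum_range_size(rng, sid), suggest_fix(rng, sid))
```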
[Freeipa-users] join error
hi
when I want to add a host to IPA I get the error below. My server is CentOS; is there anyone who can help me?

HTTP response code is 401, not 200
stderr=
trying to retrieve CA cert via LDAP from ldap://linux126.example.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s linux126.example.com -b dc=mtnirancell,dc=ir -d -h temsdp-smsc1.example.com
stdout=
stderr=XML-RPC CALL:
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>temsdp-smsc1.example.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-358.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to linux126.example.com port 443 (#0)
*   Trying 192.168.65.187...
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using AES256-SHA
* Server certificate:
*   subject: O=example.com; CN=linux126.example.com
*   start date: 2014-12-10 12:38:10 GMT
*   expire date: 2016-12-10 12:38:10 GMT
*   common name: linux126.example.com (matched)
*   issuer: O=example.com; CN=Certificate Authority
* SSL certificate verify ok.
* Server auth using Basic with user ''
POST /ipa/xml HTTP/1.1
Authorization: Basic Ojo=
Host: linux126.example.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://linux126.example.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 483

* upload completely sent off: 483 out of 483 bytes
HTTP/1.1 401 Authorization Required
Date: Sun, 15 Feb 2015 12:54:54 GMT
Server: Apache/2.2.15
Last-Modified: Wed, 30 Jan 2013 15:34:41 GMT
ETag: e24d7-55a-4d4833fadc640
Accept-Ranges: bytes
Content-Length: 1370
Connection: close
Content-Type: text/html; charset=UTF-8

* Closing connection #0
HTTP response code is 401, not 200
Joining realm failed: XML-RPC CALL:
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>temsdp-smsc1.example.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-358.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to linux126.example.com port 443 (#0)
*   Trying 192.168.65.187...
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using AES256-SHA
* Server certificate:
*   subject: O=example.com; CN=linux126.example.com
*   start date: 2014-12-10 12:38:10 GMT
*   expire date: 2016-12-10 12:38:10 GMT
*   common name: linux126.example.com (matched)
*   issuer: O=example.com; CN=Certificate Authority
* SSL certificate verify ok.
* Server auth using Basic with user ''
POST /ipa/xml HTTP/1.1
Authorization: Basic Ojo=
Host: linux126.example.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://linux126.example.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 483

* upload completely sent off: 483 out of 483 bytes
HTTP/1.1 401 Authorization Required
Date: Sun, 15 Feb 2015 12:54:54 GMT
Server: Apache/2.2.15
Last-Modified: Wed, 30 Jan 2013 15:34:41 GMT
ETag: e24d7-55a-4d4833fadc640
Accept-Ranges: bytes
Content-Length: 1370
Connection: close
Content-Type: text/html; charset=UTF-8

* Closing connection #0
HTTP response code is 401, not 200

Installation failed. Rolling back changes.
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
args=ipa-client-automount --uninstall --debug
stdout=Restoring configuration