Re: [Freeipa-users] EXTERNAL: Re: Multiple CA certificates (for PassSync)
Yeah I knew that the passsync utility would only communicate with 1 server. I'm not too worried about password sync for our new IdM server until it actually replaces the old server. I just didn't know how Windows would handle having multiple CA certs and if it would get cranky because of it. Last thing I want to do is have users coming to complain about the passwords not syncing. Thanks for the input guys, I'll give it a shot to see how it goes.

Matt

-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Thursday, July 09, 2015 10:37 AM
To: Rob Crittenden; Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Multiple CA certificates (for PassSync)

On 07/09/2015 07:23 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> We are currently in the process of replacing our IdM 3.x server with 4.x. There are going to be some major directory changes during the upgrade so I need to keep both the old and new IdM servers up and running separately. Part of our configuration is using the password sync between IdM and Active Directory. I can't find any information on this so I figured I'd ask you guys to see if anyone has done this before.
>>
>> Can I have two CA certificates from 2 IdM servers installed on the Active Directory server? And will this cause any issues with our password sync?
>
> I'm not sure if you can do this. The CA is probably the least of your problems. I don't believe the AD passsync service can be aware of multiple consumers like this.

Right. passsync can talk to only 1 IdM server. To use multiple CA certs, just use the certutil tool to install an additional CA cert as per the docs.

> Rich may know.
>
> rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migrating from custom auth system
If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present in LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just supplied password).

Nicola

On 09/07/15 15:20, Alexander Bokovoy wrote:
> On Thu, 09 Jul 2015, Nicola Canepa wrote:
>> Thank you Alexander.
>> If the previous password is not used, I could set an impossible-hash password (such as {crypt}*) and let users login authenticating through PAM?
>
> How would you authenticate then? Remember that it is the hash in userPassword attribute that is used for actual authentication. If password-handling plugin cannot calculate to the same hash based on the plain-text password it was supplied via LDAP bind, how would user successfully authenticate?
>
> If you migrate this way, you need password hashes, at least. If you are going to issue users with new passwords, just create all of them in IPA with these new passwords and ask them to login, at least once, to IPA self-service.
>
>> Or I could put the user-add in the pam_exec script (but only if the user does not already exist).
>
> I don't think it is sufficiently good, at least I wouldn't do it this way.

--
Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it

---
The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties.
Re: [Freeipa-users] Migrating from custom auth system
On Thu, 09 Jul 2015, Nicola Canepa wrote:
> If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present in LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just supplied password).

I have a feeling you are overcomplicating things for yourself. You don't need PAM plugin of 389-ds to be enabled or used with FreeIPA. All you need is to create your users in IPA, assign them some temporary passwords, let them visit https://ipa.example.com/ipa/ui/reset_password.html, set up your web app to authenticate via PAM like http://www.freeipa.org/page/Web_App_Authentication explains, and you are done.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Migrating from custom auth system
On 07/09/2015 08:36 AM, Nicola Canepa wrote:
> If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present in LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just supplied password).

The 389-ds PAM passthrough auth plugin can't add users. You would have to add some additional functionality to either PAM, or another 389-ds plugin.

> Nicola
>
> On 09/07/15 15:20, Alexander Bokovoy wrote:
>> On Thu, 09 Jul 2015, Nicola Canepa wrote:
>>> Thank you Alexander.
>>> If the previous password is not used, I could set an impossible-hash password (such as {crypt}*) and let users login authenticating through PAM?
>>
>> How would you authenticate then? Remember that it is the hash in userPassword attribute that is used for actual authentication. If password-handling plugin cannot calculate to the same hash based on the plain-text password it was supplied via LDAP bind, how would user successfully authenticate?
>>
>> If you migrate this way, you need password hashes, at least. If you are going to issue users with new passwords, just create all of them in IPA with these new passwords and ask them to login, at least once, to IPA self-service.
>>
>>> Or I could put the user-add in the pam_exec script (but only if the user does not already exist).
>>
>> I don't think it is sufficiently good, at least I wouldn't do it this way.
Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
Hi Martin

I have taken the plunge, and created a detailed HOWTO at http://www.freeipa.org/page/HowTos/LDAP_authentication_for_Atlassian_JIRA_using_FreeIPA

@Petr, for the moment I have left your HOWTO / link in place, but have also linked to that thread from my HOWTO.

I hope it helps

Chris

From: Martin Kosek mko...@redhat.com
To: Brian Topping brian.topp...@gmail.com, Sandor Juhasz sjuh...@chemaxon.com
Cc: freeipa-users@redhat.com
Date: 10.06.2015 12:13
Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
Sent by: freeipa-users-boun...@redhat.com

Cool, I am glad you made this working. BTW, would any of you mind volunteering and helping the FreeIPA community with contributing a HOWTO article on how to configure FreeIPA and Jira? It is still missing in FreeIPA.org wiki. All we have right now is the link to this discussion, that Petr Spacek added to http://www.freeipa.org/page/HowTos#Web_Services

It would be really nice to also have a real page that others can follow and use.

Thank you!
Martin

On 06/10/2015 11:29 AM, Brian Topping wrote:
> FYI, that mirrors my configuration. Not sure if this was covered previously, but for my setup, only JIRA connects to IPA. All the other Atlassian products contact JIRA for their information.
>
> Cheers, Brian
>
> On Jun 10, 2015, at 12:47 AM, Sandor Juhasz sjuh...@chemaxon.com wrote:
>> Hi,
>>
>> here are our working configurations. Might be useful.
>> We use compat tree for auth.
>> We use user in group matching.
>> We use group filter for login authorization.
>> We use FedoraDS as ldap connector on JIRA's side.
>> We don't use pw change or user create in IPA from JIRA side.
>> Watch out not to have matching local users/groups or you will suffer bigtime.
>> Initially it was setup not to use ldap groups, but was changed afterwards by creating all new groups in ldap for this purpose and re-adding the users.
>> We use ldap service user for binding - https://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA .
>>
>> Attributes:
>> autoAddGroups:
>> com.atlassian.crowd.directory.sync.currentstartsynctime: null
>> com.atlassian.crowd.directory.sync.issynchronising: false
>> com.atlassian.crowd.directory.sync.lastdurationms: 373
>> com.atlassian.crowd.directory.sync.laststartsynctime: 1433920165776
>> crowd.sync.incremental.enabled: false
>> directory.cache.synchronise.interval: 3600
>> ldap.basedn: dc=OURDOMAIN
>> ldap.connection.timeout: 0
>> ldap.external.id:
>> ldap.group.description: description
>> ldap.group.dn: cn=groups,cn=compat
>> ldap.group.filter: (&(objectClass=posixgroup)(|(cn=COMPANYGROUP)(cn=TEAMGROUPS)(cn=JIRAGROUP)))
>> ldap.group.name: cn
>> ldap.group.objectclass: groupOfUniqueNames
>> ldap.group.usernames: memberUid
>> ldap.local.groups: false
>> ldap.nestedgroups.disabled: true
>> ldap.pagedresults: false
>> ldap.pagedresults.size: 1000
>> ldap.password:
>> ldap.pool.initsize: null
>> ldap.pool.maxsize: null
>> ldap.pool.prefsize: null
>> ldap.pool.timeout: 0
>> ldap.propogate.changes: false
>> ldap.read.timeout: 12
>> ldap.referral: false
>> ldap.relaxed.dn.standardisation: true
>> ldap.roles.disabled: true
>> ldap.search.timelimit: 6
>> ldap.secure: false
>> ldap.url: ldap://IPAURL
>> ldap.user.displayname: cn
>> ldap.user.dn: cn=users,cn=accounts
>> ldap.user.email: mail
>> ldap.user.encryption: sha
>> ldap.user.filter: (&(objectclass=posixAccount)(memberOf=cn=JIRAGROUP,cn=groups,cn=accounts,dc=OURDOMAIN))
>> ldap.user.firstname: givenName
>> ldap.user.group: memberOf
>> ldap.user.lastname: sn
>> ldap.user.objectclass: person
>> ldap.user.password: userPassword
>> ldap.user.username: uid
>> ldap.user.username.rdn:
>> ldap.userdn: uid=OURSERVICEUSER,cn=sysaccounts,cn=etc,dc=OURDOMAIN
>> ldap.usermembership.use: false
>> ldap.usermembership.use.for.groups: false
>> localUserStatusEnabled: false
>>
>> Sándor Juhász
>> System Administrator
>> ChemAxon Ltd.
>> Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
>> Cell: +36704258964
>>
>> From: Martin Kosek mko...@redhat.com
>> To: Christopher Lamb christopher.l...@ch.ibm.com, freeipa-users@redhat.com
>> Sent: Wednesday, June 10, 2015 9:22:03 AM
>> Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
>>
>> On 06/08/2015 06:44 PM, Christopher Lamb wrote:
>>> Hi All
>>>
>>> we are interested to know if anybody has succeeded (or for that matter failed) in using FreeIPA to provide user authentication for Atlassian products such as JIRA or Confluence? Somewhere in an Atlassian ticket I saw that FreeIPA is not officially supported, so I guess that should set our expectations. If anyone has succeeded, then of course any tips on how best to do so would be fantastic!
>>
>> I saw reply in the threads, so it should be covered. BTW, please add +1s to respective Jira tickets to add proper FreeIPA support. It would be really cool if Jira would know FreeIPA out of the box and could connect to it natively!
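The attribute dump Sandor posted is the kind of thing a reviewer checks before wiring JIRA to an identity provider: are the two LDAP filters well formed, which attributes do they test, and does the bind travel over TLS? The script below is an added example for this thread (it is not code from the thread, from JIRA/Crowd or from FreeIPA): it parses the "key: value" dump format, parses the search filters with a small RFC 4515 parser, and reports the findings. The sample configuration is constructed from the posted values, keeping the placeholders OURDOMAIN, JIRAGROUP, IPAURL and OURSERVICEUSER; the `ldap.secure` check reflects the general fact that an LDAP simple bind sends the password in clear unless TLS is used.

```python
"""Validate a JIRA/Crowd LDAP directory configuration that points at FreeIPA.

Added example (not from the thread, JIRA or FreeIPA): parses the "key: value"
attribute dump format shown in the post, parses the two LDAP search filters in
it, and reports the settings a reviewer would question.  The sample values are
constructed and keep the placeholders used in the post (OURDOMAIN, JIRAGROUP,
IPAURL, OURSERVICEUSER).
"""
import re

SAMPLE_CONFIG = """\
ldap.basedn: dc=OURDOMAIN
ldap.group.dn: cn=groups,cn=compat
ldap.group.filter: (&(objectClass=posixgroup)(|(cn=COMPANYGROUP)(cn=TEAMGROUPS)(cn=JIRAGROUP)))
ldap.group.usernames: memberUid
ldap.secure: false
ldap.url: ldap://IPAURL
ldap.user.dn: cn=users,cn=accounts
ldap.user.filter: (&(objectclass=posixAccount)(memberOf=cn=JIRAGROUP,cn=groups,cn=accounts,dc=OURDOMAIN))
ldap.user.password: userPassword
ldap.userdn: uid=OURSERVICEUSER,cn=sysaccounts,cn=etc,dc=OURDOMAIN
"""

# RFC 4515 item: attribute description, comparison operator, assertion value
ITEM_RE = re.compile(r"([A-Za-z][\w.;-]*)(>=|<=|~=|=)(.*)$", re.S)


def parse_config(text):
    """Turn 'key: value' lines into a dict; a key with nothing after the colon maps to ''."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip()
    return cfg


def parse_filter(text):
    """Parse an RFC 4515 search filter into a tree.

    Nodes are ('&' | '|', [children]), ('!', [child]) or (op, attr, value)
    with op one of '=', '>=', '<=', '~='.  Malformed input raises ValueError,
    in particular two components inside one pair of parentheses with no '&'
    or '|' in front of them.  Escape sequences (\\2a, \\29, ...) are kept as
    written, so a literal ')' never occurs inside a value.
    """
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("unterminated filter")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if not children:
                raise ValueError("%r without components at offset %d" % (op, pos))
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", [child])
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("missing ')' for item at offset %d" % pos)
        m = ITEM_RE.match(text[pos:end])
        if not m:
            raise ValueError("bad filter item %r" % text[pos:end])
        pos = end + 1
        return (m.group(2), m.group(1), m.group(3))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return tree


def filter_attributes(tree):
    """Set of attribute names a parsed filter tests."""
    if tree[0] in ("&", "|", "!"):
        names = set()
        for child in tree[1]:
            names |= filter_attributes(child)
        return names
    return {tree[1]}


def review(cfg):
    """Return (severity, message) findings for the directory settings."""
    findings = []
    for key in ("ldap.user.filter", "ldap.group.filter"):
        try:
            parse_filter(cfg.get(key, ""))
        except ValueError as exc:
            findings.append(("error", "%s is not a valid LDAP filter: %s" % (key, exc)))
    url = cfg.get("ldap.url", "")
    secure = cfg.get("ldap.secure", "false").lower() == "true"
    if not secure and not url.startswith("ldaps://"):
        # Simple binds (the service account's and each logging-in user's)
        # carry the password in clear text unless the connection uses TLS.
        findings.append(("warning",
                         "ldap.secure is false and %s is not ldaps://: the service account "
                         "password and every user's password are sent in clear text"
                         % (url or "ldap.url")))
    return findings


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    for key in ("ldap.user.filter", "ldap.group.filter"):
        print(key, "tests", sorted(filter_attributes(parse_filter(config[key]))))
    for severity, message in review(config):
        print(severity.upper(), message)
```

Running it on the sample prints the attributes each filter tests and one warning about the clear-text bind; feeding it the filter as it appears in the archived post, with the `&` missing, produces an "error" finding instead, which is the quickest way to catch a filter mangled by copy-and-paste before JIRA starts rejecting every login.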
[Freeipa-users] KRA? 4.2?
Hello,

I see 4.2 is released today with lots of cool new features. I think I understand the new Vault, but am not familiar with KRA? Wondering if there might be some information on what this is?

~Janelle
Re: [Freeipa-users] UPN suffixes in AD trust
On 06/29/2015 03:11 PM, Sumit Bose wrote:
On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
On 06/29/2015 10:30 AM, Sumit Bose wrote:
On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
On 06/26/2015 08:06 PM, Sumit Bose wrote:
On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
On 06/26/2015 02:38 PM, Sumit Bose wrote:
On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
On 06/25/2015 05:44 PM, Sumit Bose wrote:
On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
On 06/25/2015 02:10 PM, Sumit Bose wrote:
On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
On 06/25/2015 12:56 PM, Sumit Bose wrote:
On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
On 06/24/2015 06:45 PM, Sumit Bose wrote:
On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:

Hi everybody,

I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. Everything is working fine, and I'm able to authenticate and logon on a linux host joined to IPA server using AD credentials (username@mydomain.local). But active directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot logon with credentials using alternative UPN (example: john@otherdomain.com).

How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?

Have you tried to login to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' before to invalidate all cached entries so that the logs will contain all needed calls to AD.

Using UPN suffixes were added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.

bye,
Sumit

First of all let me say that I feel like I'm missing some config somewhere.. Changes tried in krb5.conf to support UPN suffixes didn't help. I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.

Bye and thanks for your help

It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain. Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.

bye,
Sumit

Hi,

I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test. Here's the packages version for sssd:

sssd-common-1.12.2-58.el7_1.6.x86_64
sssd-krb5-1.12.2-58.el7_1.6.x86_64
python-sssdconfig-1.12.2-58.el7_1.6.noarch
sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
sssd-1.12.2-58.el7_1.6.x86_64
sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
sssd-ad-1.12.2-58.el7_1.6.x86_64
sssd-ldap-1.12.2-58.el7_1.6.x86_64
sssd-common-pac-1.12.2-58.el7_1.6.x86_64
sssd-proxy-1.12.2-58.el7_1.6.x86_64
sssd-client-1.12.2-58.el7_1.6.x86_64

Please try the packages at http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .

bye,
Sumit

Hi,

I've installed the new RPMs, now if I run on the server:

id account1@mydomain.local
id accou...@otherdomain.com
id accou...@sub.otherdomain.com

all the users are found but I'm still unable to log in via ssh with the accounts @otherdomain.com and @sub.otherdomain.com. In attachment the logs for unsuccessful login for user accou...@otherdomain.com.

Bother, I forgot to add the fix to the pam responder as well, please try new packages from http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .

bye,
Sumit

Hi,

I've updated all the packages but still no login. Logs follow.

I found another issue in the logs which should be fixed by the build from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 . Please send the sssd_pam log file as well, it might contain more details about what goes wrong during authentication.

bye,
Sumit

Hi,

packages updated, sssd and kerberos services restarted, cache flushed but still no login on the IPA server. As before, logs attached. I've also included the logs generated by the restart of sssd service because there were no logs in sssd_pam.log when trying to authenticate.

Debug level is set to 6 in the sections:

[domain/ipa.mydomain.local]
[sssd]
[nss]
[pam]

of /etc/sssd/sssd.conf, please tell me if this is enough or if I have to increase it.

so far it is sufficient. I have another build for you to try at
Re: [Freeipa-users] UPN suffixes in AD trust
On Thu, Jul 09, 2015 at 12:36:53PM +0200, Giorgio Biacchi wrote:
On 06/29/2015 03:11 PM, Sumit Bose wrote:
On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
On 06/29/2015 10:30 AM, Sumit Bose wrote:
On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
On 06/26/2015 08:06 PM, Sumit Bose wrote:
On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
On 06/26/2015 02:38 PM, Sumit Bose wrote:
On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
On 06/25/2015 05:44 PM, Sumit Bose wrote:
On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
On 06/25/2015 02:10 PM, Sumit Bose wrote:
On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
On 06/25/2015 12:56 PM, Sumit Bose wrote:
On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
On 06/24/2015 06:45 PM, Sumit Bose wrote:
On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:

Hi everybody,

I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. Everything is working fine, and I'm able to authenticate and logon on a linux host joined to IPA server using AD credentials (username@mydomain.local). But active directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot logon with credentials using alternative UPN (example: john@otherdomain.com).

How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?

Have you tried to login to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' before to invalidate all cached entries so that the logs will contain all needed calls to AD.

Using UPN suffixes were added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.

bye,
Sumit

First of all let me say that I feel like I'm missing some config somewhere.. Changes tried in krb5.conf to support UPN suffixes didn't help. I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.

Bye and thanks for your help

It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain. Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.

bye,
Sumit

Hi,

I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test. Here's the packages version for sssd:

sssd-common-1.12.2-58.el7_1.6.x86_64
sssd-krb5-1.12.2-58.el7_1.6.x86_64
python-sssdconfig-1.12.2-58.el7_1.6.noarch
sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
sssd-1.12.2-58.el7_1.6.x86_64
sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
sssd-ad-1.12.2-58.el7_1.6.x86_64
sssd-ldap-1.12.2-58.el7_1.6.x86_64
sssd-common-pac-1.12.2-58.el7_1.6.x86_64
sssd-proxy-1.12.2-58.el7_1.6.x86_64
sssd-client-1.12.2-58.el7_1.6.x86_64

Please try the packages at http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .

bye,
Sumit

Hi,

I've installed the new RPMs, now if I run on the server:

id account1@mydomain.local
id accou...@otherdomain.com
id accou...@sub.otherdomain.com

all the users are found but I'm still unable to log in via ssh with the accounts @otherdomain.com and @sub.otherdomain.com. In attachment the logs for unsuccessful login for user accou...@otherdomain.com.

Bother, I forgot to add the fix to the pam responder as well, please try new packages from http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .

bye,
Sumit

Hi,

I've updated all the packages but still no login. Logs follow.

I found another issue in the logs which should be fixed by the build from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 . Please send the sssd_pam log file as well, it might contain more details about what goes wrong during authentication.

bye,
Sumit

Hi,

packages updated, sssd and kerberos services restarted, cache flushed but still no login on the IPA server. As before, logs attached. I've also included the logs generated by the restart of sssd service because there were no logs in sssd_pam.log when trying to authenticate.

Debug level is set to 6 in the sections:
[Freeipa-users] Multiple CA certificates
Hello,

We are currently in the process of replacing our IdM 3.x server with 4.x. There are going to be some major directory changes during the upgrade so I need to keep both the old and new IdM servers up and running separately. Part of our configuration is using the password sync between IdM and Active Directory. I can't find any information on this so I figured I'd ask you guys to see if anyone has done this before.

Can I have two CA certificates from 2 IdM servers installed on the Active Directory server? And will this cause any issues with our password sync?

Thanks,
Matt
Re: [Freeipa-users] Migrating from custom auth system
On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
> Hello.
> I was trying Freeipa as an addition and (maybe) future replacement for the current SSO solution (custom and only for web apps). I was able to authenticate (via pam_exec) LDAP users on the legacy system. My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA. I enabled migration mode in Freeipa, so that authenticated users should get Kerberos hash created upon first login, but I don't know how to make users login without creating them in advance.
> Is there a (suggested) way to let users authenticate via Kerberos and create users authenticated by PAM upon first login?

Create user where -- in the Web application or in FreeIPA?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
[Freeipa-users] sendmail.schema
Hi,

we are dealing with a huge number of mail aliases which are not purely user aliases but distribution-lists, actions on distribution-list and so on (mailman). There was a former sendmail.schema in fedora-ds (we are using fds 21 at the moment), which is gone (at least I didn't find it). Is there now a different approach for freeipa to deal with this problem.

Regards,
Rudi Gabler
Re: [Freeipa-users] Failed to start pki-tomcatd Service
2015-06-29 19:37 GMT+02:00 Alexandre Ellert aell...@numeezy.com:
> Hello,
>
> I have a problem on a replica server running Centos 7.1 and ipa 4.1.0-18.el7.centos.3.x86_64 (last version)
> Ipa server doesn't restart correctly (using systemctl restart ipa or reboot the whole server) :
>
> # ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other services
> ipa: INFO: The ipactl command was successful
>
> and I have to force the start process :
>
> # ipactl start -f
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting pki-tomcatd Service
> Failed to start pki-tomcatd Service
> Forced start, ignoring pki-tomcatd Service, continuing normal operation
> Starting ipa-otpd Service
> ipa: INFO: The ipactl command was successful
>
> But, as you see the pki-tomcatd is unable to start.
> I started looking at /var/log/pki/pki-tomcat/localhost.2015-06-29.log and found this error :
>
> Jun 29, 2015 7:33:12 PM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet [caProfileSubmit] in context with path [/ca] threw exception
> java.io.IOException: CS server is not ready to serve.
>         at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>         at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>         at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
Re: [Freeipa-users] nsslapd-maxbersize and cachememsize
-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Andy Thompson
Sent: Monday, July 6, 2015 2:28 PM
To: Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] nsslapd-maxbersize and cachememsize

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rich Megginson
Sent: Monday, July 6, 2015 2:05 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] nsslapd-maxbersize and cachememsize

On 07/06/2015 11:49 AM, Andy Thompson wrote:

I've got a couple warnings in different IPA installs that I'm not sure how to find what values I should increase each config setting to.

In one install I'm seeing the following

[03/Jul/2015:22:03:02 -0400] connection - conn=16143 fd=122 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.

This ended up being a security scanner on the network causing the problem and nothing related to system functionality in any way.

Second installation I'm seeing this on startup

WARNING: changelog: entry cache size 858992B is less than db size 2293760B; We recommend to increase the entry cache size nsslapd-cachememsize.

How can I determine what to increase each config setting to?

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html-single/Configuration_and_Command-Line_Tool_Reference/index.html#cnconfig-nsslapd_maxbersize_Maximum_Message_Size

-andy
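Both warnings in this thread carry the numbers an administrator needs, and the first one is best answered by finding out who sent the oversized element rather than by raising the limit (here it turned out to be a security scanner). The script below is an added example for this thread, not code from the thread, from 389-ds or from FreeIPA: it pulls the values out of the two messages in a 389-ds errors log, looks up the client address for the offending connection id in the access log, and computes a starting value for nsslapd-cachememsize. The log lines are constructed for the example, the addresses are documentation-range placeholders and the headroom factor is an assumption rather than a 389-ds rule.

```python
"""Triage the two 389-ds warnings quoted in this thread.

Added example (not from the thread, 389-ds or FreeIPA): scans an errors log
for "Incoming BER Element was too long" and "entry cache size ... is less
than db size", pulls the numbers out of each message, looks up in the access
log which client opened the connection that sent the oversized element, and
computes a starting point for nsslapd-cachememsize.  Log lines are
constructed for the example; the addresses are documentation-range
placeholders and the headroom factor is an assumption, not a 389-ds rule.
"""
import re

SAMPLE_ERRORS_LOG = """\
[03/Jul/2015:22:03:02 -0400] connection - conn=16143 fd=122 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[06/Jul/2015:11:49:30 -0400] - WARNING: changelog: entry cache size 858992B is less than db size 2293760B; We recommend to increase the entry cache size nsslapd-cachememsize.
"""

# The access log records the client address for every new connection by conn id.
SAMPLE_ACCESS_LOG = """\
[03/Jul/2015:22:03:01 -0400] conn=16143 fd=122 slot=122 connection from 192.0.2.77 to 192.0.2.10
[03/Jul/2015:22:03:04 -0400] conn=16144 fd=123 slot=123 connection from 192.0.2.20 to 192.0.2.10
"""

BER_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ Incoming BER Element was too long, "
                    r"max allowable is (?P<max>\d+) bytes")
CACHE_RE = re.compile(r"WARNING: (?P<backend>[\w-]+): entry cache size (?P<cache>\d+)B "
                      r"is less than db size (?P<db>\d+)B")
CONN_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ slot=\d+ connection from (?P<src>[\w.:]+) to ")


def connection_sources(access_log):
    """Map conn id -> client address from the access log's 'connection from' lines."""
    sources = {}
    for line in access_log.splitlines():
        m = CONN_RE.search(line)
        if m:
            sources[int(m["conn"])] = m["src"]
    return sources


def suggest_cachememsize(db_bytes, headroom=2.0):
    """Entry cache that holds the whole backend plus room to grow (factor is an assumption)."""
    return int(db_bytes * headroom)


def triage(errors_log, access_log):
    """Return one finding dict per recognised warning, in log order."""
    sources = connection_sources(access_log)
    findings = []
    for line in errors_log.splitlines():
        m = BER_RE.search(line)
        if m:
            conn = int(m["conn"])
            src = sources.get(conn, "unknown client")
            limit = int(m["max"])
            findings.append({
                "kind": "oversized_ber",
                "conn": conn,
                "source": src,
                "max_bytes": limit,
                # One element above the cap is usually a non-LDAP or malformed
                # client rather than a real need; a higher cap lets every client
                # make the server buffer that much more per element.
                "advice": "Identify %s (conn=%d) before raising nsslapd-maxbersize above %d MiB"
                          % (src, conn, limit // (1024 * 1024)),
            })
            continue
        m = CACHE_RE.search(line)
        if m:
            db = int(m["db"])
            findings.append({
                "kind": "entry_cache_too_small",
                "backend": m["backend"],
                "cache_bytes": int(m["cache"]),
                "db_bytes": db,
                "suggested_cachememsize": suggest_cachememsize(db),
                "advice": "Set nsslapd-cachememsize to at least %d on the %s backend entry "
                          "under cn=ldbm database,cn=plugins,cn=config"
                          % (suggest_cachememsize(db), m["backend"]),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ERRORS_LOG, SAMPLE_ACCESS_LOG):
        print(finding["kind"], "-", finding["advice"])
```

Pointed at the real files (`/var/log/dirsrv/slapd-INSTANCE/errors` and `access`, with the access log covering the same time window), the conn id correlation tells you whether the oversized element came from a known application or from something like the scanner Andy found, which decides whether the limit needs changing at all.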
Re: [Freeipa-users] Migrating from custom auth system
Nicola,

perhaps it would help if you explain what you meant by saying below

> My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA.

When you enabled migration mode and actually migrated users with 'ipa migrate-ds' command, you will have those users in IPA and they will be able to authenticate via LDAP with their old passwords. If your server (where your web app would be running) is enrolled into IPA, then it would be already running SSSD and set up for using it via pam_sss. Then configuring your web app to authenticate via PAM stack (for example, like we explain on http://www.freeipa.org/page/Web_App_Authentication) takes care of properly logging in and updating passwords. SSSD knows about migration mode and has support for it.

On Thu, 09 Jul 2015, Nicola Canepa wrote:
> I don't understand the question: aren't users created by IPA command line the same as if they are created via the web GUI?
>
> Nicola
>
> On 09/07/15 13:05, Jan Pazdziora wrote:
>> On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
>>> Hello.
>>> I was trying Freeipa as an addition and (maybe) future replacement for the current SSO solution (custom and only for web apps). I was able to authenticate (via pam_exec) LDAP users on the legacy system. My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA. I enabled migration mode in Freeipa, so that authenticated users should get Kerberos hash created upon first login, but I don't know how to make users login without creating them in advance.
>>> Is there a (suggested) way to let users authenticate via Kerberos and create users authenticated by PAM upon first login?
>>
>> Create user where -- in the Web application or in FreeIPA?
>
> --
> Nicola Canepa
> Tel: +39-0522-399-3474
> canep...@mmfg.it

--
/ Alexander Bokovoy
Re: [Freeipa-users] Migrating from custom auth system
OK, I'm sorry for the little information provided:
I can't do migrate-ds, since I'm not coming from a DS (which can only be another LDAP server, I guess).
The only thing I can expect is that users will login to one of the applications which I put under FreeIPA authentication.
So I mixed the NIS migration documentation (maintaining passwords) with the migration mode, hoping it was what I was looking for.

Is there a way so that users are created in FreeIPA once they login in this way?
From what you said, I need to use SSSD (I'm going to read the docs ASAP).
Is migration mode only used when I also use ipa migrate-ds?

Thank you very much.

Nicola

On 09/07/15 14:08, Alexander Bokovoy wrote:
> Nicola,
>
> perhaps it would help if you explain what you meant by saying below
>
> > My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA.
>
> When you enabled migration mode and actually migrated users with 'ipa migrate-ds' command, you will have those users in IPA and they will be able to authenticate via LDAP with their old passwords.
>
> If your server (where your web app would be running) is enrolled into IPA, then it would be already running SSSD and set up for using it via pam_sss. Then configuring your web app to authenticate via PAM stack (for example, like we explain on http://www.freeipa.org/page/Web_App_Authentication) takes care of properly logging in and updating passwords. SSSD knows about migration mode and has support for it.
>
> On Thu, 09 Jul 2015, Nicola Canepa wrote:
> > I don't understand the question: aren't users created by IPA command line the same as if they are created via the web GUI?
> >
> > Nicola
> >
> > On 09/07/15 13:05, Jan Pazdziora wrote:
> > > On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
> > > > Hello.
> > > > I was trying Freeipa as an addition and (maybe) future replacement for the current SSO solution (custom and only for web apps).
> > > > I was able to authenticate (via pam_exec) LDAP users on the legacy system.
> > > > My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA.
> > > > I enabled migration mode in Freeipa, so that authenticated users should get Kerberos hash created upon first login, but I don't know how to make users login without creating them in advance.
> > > > Is there a (suggested) way to let users authenticate via Kerberos and create users authenticated by PAM upon first login?
> > >
> > > Create user where -- in the Web application or in FreeIPA?
> >
> > --
> > Nicola Canepa
> > Tel: +39-0522-399-3474
> > canep...@mmfg.it

--
Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
[Freeipa-users] Migrating from custom auth system
Hello.
I was trying Freeipa as an addition and (maybe) future replacement for the current SSO solution (custom and only for web apps).
I was able to authenticate (via pam_exec) LDAP users on the legacy system.
My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA.
I enabled migration mode in Freeipa, so that authenticated users should get Kerberos hash created upon first login, but I don't know how to make users login without creating them in advance.
Is there a (suggested) way to let users authenticate via Kerberos and create users authenticated by PAM upon first login?
My workaround is to create user in the pam_exec-uted script, but I don't think this is a clean way of doing it, and I have to use LDAP as first login method.

Thank you in advance for any link, suggestion or solution.

Nicola
[Freeipa-users] CANT LOGIN INTO centos 6.6 2.6.32-504.23.4.el6.i686
I have the following configuration below and I'm able to login via SSH into a 32 bit server. With the same username I'm able to login on other servers.

[root@alvin ~]# cat /etc/sssd/sssd.conf
[domain/xx.co.zw]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xx.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = alvin.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, .ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = xx.co.zw
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[root@alvin ~]#
Re: [Freeipa-users] Migrating from custom auth system
Thank you Alexander.
If the previous password is not used, I could set an impossible-hash password (such as {crypt}*) and let users login authenticating through PAM?
Or I could put the user-add in the pam_exec script (but only if the user does not already exist).
I'll test both ways.

Nicola

On 09/07/15 14:44, Alexander Bokovoy wrote:
> On Thu, 09 Jul 2015, Nicola Canepa wrote:
> > OK, I'm sorry for the little information provided:
> > I can't do migrate-ds, since I'm not coming from a DS (which can only be another LDAP server, I guess).
> > The only thing I can expect is that users will login to one of the applications which I put under FreeIPA authentication.
> > So I mixed the NIS migration documentation (maintaining passwords) with the migration mode, hoping it was what I was looking for.
>
> If you did create your users the same way as proposed with NIS migration, then they wouldn't be different from what would have happened with 'ipa migrate-ds'. End result, you have user entries in LDAP with passwords set to their hashes in the previous system and no Kerberos attributes.
>
> > Is there a way so that users are created in FreeIPA once they login in this way?
>
> *You* need to create them. http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords walks you through that:
>
> ---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---
> From your export file, import the users into IPA using the admin tools and set the original hashed password:
>
>     # ipa user-add [username] --setattr userpassword={crypt}yourencryptedpass
> ---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---

--
Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
Re: [Freeipa-users] Apache not starting because of cert password issue ?
Matt . wrote:
> I now get:
>
> [Thu Jul 09 02:50:18.815219 2015] [:error] [pid 16615] Certificate not found: 'Server-Cert'
>
> So, it's no good at all :)

I think you need to take a step back and tell us what you've done to get into this situation.

The error messages are fairly clear. The first one was you had a bad password for the database. This current error is that the certificate referenced by the NSSNickname directive in nss.conf does not exist in the Apache NSS database.

These aren't the kinds of errors that pop up out of the blue. What, specifically, are you trying to do and what have you done to get to this point?

rob

> 2015-07-09 3:27 GMT+02:00 Nigel Sollars nsoll...@gmail.com:
> > Fair enough :)
> >
> > On Wed, Jul 8, 2015 at 9:25 PM, Matt . yamakasi@gmail.com wrote:
> > > Hi,
> > >
> > > No I'm testing some recovering strategies for the docs, so I need to have that checked.
> > > I have emailed Martin Kosek if he can enable the older repos again, would be great!
> > >
> > > Thanks,
> > >
> > > Matt
> > >
> > > 2015-07-09 3:23 GMT+02:00 Nigel Sollars nsoll...@gmail.com:
> > > > Would it not be wise to keep with current? There does seem to be a lot of threads with issues regarding older versions. That being said there is a thread also with regards to LDAP which could be related also.
> > > >
> > > > Regards
> > > >
> > > > On Wed, Jul 8, 2015 at 9:19 PM, Matt . yamakasi@gmail.com wrote:
> > > > > Hi
> > > > >
> > > > > I found that but it didn't fix it, thanks btw.
> > > > > Now I'm looking for a way to install 4.1.2 on CentOS 7.x as it seems that the maintainer empties the repo after every release... so older versions are not there anymore.
> > > > >
> > > > > 2015-07-09 3:17 GMT+02:00 Nigel Sollars nsoll...@gmail.com:
> > > > > > Looks similar to a TLS/SSL issue in this thread, http://www.linuxquestions.org/questions/linux-server-73/centos-5-5-5-6-ssl-problem-874090/
> > > > > >
> > > > > > Hope this helps,
> > > > > >
> > > > > > Regards
> > > > > >
> > > > > > On Wed, Jul 8, 2015 at 5:04 PM, Matt . yamakasi@gmail.com wrote:
> > > > > > > I'm facing a httpd server which won't start with ipa, so IPA fails to start.
> > > > > > > As I'm really not able to find anything about it on the internet I wonder if someone knows why it's logging this and how I can fix it.
> > > > > > >
> > > > > > > [Wed Jul 08 22:55:11.728828 2015] [:error] [pid 9243] Password for slot internal is incorrect.
> > > > > > > [Wed Jul 08 22:55:11.742301 2015] [:error] [pid 9243] NSS initialization failed. Certificate database: /etc/httpd/alias.
> > > > > > > [Wed Jul 08 22:55:11.742350 2015] [:error] [pid 9243] SSL Library Error: -8177 The security password entered is incorrect
> > > > > > >
> > > > > > > Cheers,
> > > > > > >
> > > > > > > Matt
>
> --
> “Science is a differential equation. Religion is a boundary condition.” Alan Turing
Re: [Freeipa-users] Migrating from custom auth system
On Thu, 09 Jul 2015, Nicola Canepa wrote:
> Thank you Alexander.
> If the previous password is not used, I could set an impossible-hash password (such as {crypt}*) and let users login authenticating through PAM?

How would you authenticate then? Remember that it is the hash in userPassword attribute that is used for actual authentication. If password-handling plugin cannot calculate to the same hash based on the plain-text password it was supplied via LDAP bind, how would user successfully authenticate?

If you migrate this way, you need password hashes, at least.

If you are going to issue users with new passwords, just create all of them in IPA with these new passwords and ask them to login, at least once, to IPA self-service.

> Or I could put the user-add in the pam_exec script (but only if the user does not already exist).

I don't think it is sufficiently good, at least I wouldn't do it this way.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Migrating from custom auth system
On Thu, 09 Jul 2015, Nicola Canepa wrote:
> OK, I'm sorry for the little information provided:
> I can't do migrate-ds, since I'm not coming from a DS (which can only be another LDAP server, I guess).
> The only thing I can expect is that users will login to one of the applications which I put under FreeIPA authentication.
> So I mixed the NIS migration documentation (maintaining passwords) with the migration mode, hoping it was what I was looking for.

If you did create your users the same way as proposed with NIS migration, then they wouldn't be different from what would have happened with 'ipa migrate-ds'. End result, you have user entries in LDAP with passwords set to their hashes in the previous system and no Kerberos attributes.

> Is there a way so that users are created in FreeIPA once they login in this way?

*You* need to create them. http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords walks you through that:

---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---
From your export file, import the users into IPA using the admin tools and set the original hashed password:

    # ipa user-add [username] --setattr userpassword={crypt}yourencryptedpass
---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---

--
/ Alexander Bokovoy
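The ipa user-add line quoted from the NIS migration page is per user; Alexander's other point in this thread is that a placeholder hash such as {crypt}* can never match a bind password, so such accounts must not be imported as-is. The following Python is an added example (not from the thread, the wiki page, or FreeIPA itself) that turns a passwd-style export into the user-add commands, skips entries whose hash could never authenticate, and shell-quotes the hash so its $ characters survive. The export lines are constructed, and the GECOS-to-name mapping is an assumption.

```python
import shlex
from dataclasses import dataclass
from typing import List, Tuple

# Constructed export, one user per line in passwd-like form, with the
# crypt(3) hash in the second field as a NIS/shadow dump would give it.
EXPORT = """\
alice:$6$Qw8sV1Lk$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstu:1001:1001:Alice Rossi:/home/alice:/bin/bash
bob:*:1002:1002:Bob Bianchi:/home/bob:/bin/bash
carol:!$6$locked$hash:1003:1003:Carol Verdi:/home/carol:/bin/bash
dave:$1$salt$OldMd5HashValue:1004:1004:Dave:/home/dave:/bin/sh
"""

# Values that are not hashes at all: disabled accounts or "password elsewhere".
UNUSABLE = {"", "*", "!", "!!", "x"}


def usable_hash(h: str) -> bool:
    """True if the password plugin could ever match a bind password against h.
    A '*', '!' or locked '!...' value would leave the user unable to bind,
    which is exactly the problem raised in the thread."""
    return h not in UNUSABLE and not h.startswith("!")


@dataclass
class Account:
    login: str
    crypt_hash: str
    uid: int
    gid: int
    first: str
    last: str
    home: str
    shell: str


def parse_export(text: str) -> Tuple[List[Account], List[str]]:
    """Split the export into importable accounts and skipped logins."""
    accounts: List[Account] = []
    skipped: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        login, h, uid, gid, gecos, home, shell = line.split(":", 6)
        if not usable_hash(h):
            skipped.append(login)
            continue
        # Assumption: the first GECOS sub-field is "First Last"; ipa user-add
        # requires both names, so fall back to the login when one is missing.
        names = gecos.split(",")[0].split()
        first = names[0] if names else login
        last = names[-1] if len(names) > 1 else login
        accounts.append(Account(login, h, int(uid), int(gid), first, last, home, shell))
    return accounts, skipped


def user_add_command(a: Account) -> str:
    """Render the ipa user-add call from the NIS migration page, plus the
    numeric ids, home and shell. shlex.quote wraps the hash in single quotes
    so the shell does not expand the $6$... fields."""
    args = [
        "ipa", "user-add", a.login,
        "--first", a.first, "--last", a.last,
        "--uid", str(a.uid), "--gidnumber", str(a.gid),
        "--homedir", a.home, "--shell", a.shell,
        "--setattr", "userpassword={crypt}" + a.crypt_hash,
    ]
    return " ".join(shlex.quote(x) for x in args)


def render(text: str) -> Tuple[List[str], List[str]]:
    """Return (commands to run, logins skipped because their hash is unusable)."""
    accounts, skipped = parse_export(text)
    return [user_add_command(a) for a in accounts], skipped


if __name__ == "__main__":
    cmds, skipped = render(EXPORT)
    print("\n".join(cmds))
    print("# skipped (no usable hash):", ", ".join(skipped))
```

Users skipped here need a new password set in IPA instead, as the thread suggests for accounts without a usable hash.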
Re: [Freeipa-users] CANT LOGIN INTO centos 6.6 2.6.32-504.23.4.el6.i686
Martin Chamambo wrote:
> I have the following configuration below and I'm able to login via SSH into a 32 bit server. With the same username I'm able to login on other servers

Please see https://fedorahosted.org/sssd/wiki/Troubleshooting for the information necessary to assist.

rob
Re: [Freeipa-users] Multiple CA certificates (for PassSync)
Joseph, Matthew (EXP) wrote:
> Hello,
>
> We are currently in the process of replacing our IdM 3.x server with 4.x. There are going to be some major directory changes during the upgrade so I need to keep both the old and new IdM servers up and running separately.
>
> Part of our configuration is using the password sync between IdM and Active Directory. I can’t find any information on this so I figured I’d ask you guys to see if anyone has done this before.
>
> Can I have two CA certificates from 2 IdM servers installed on the Active Directory server? And will this cause any issues with our password sync?

I'm not sure if you can do this. The CA is probably the least of your problems. I don't believe the AD passsync service can be aware of multiple consumers like this.

Rich may know.

rob
Re: [Freeipa-users] Apache htaccess replacement
On Fri, Jun 26, 2015 at 09:19:51PM -0400, Dmitri Pal wrote:
> On 05/19/2015 05:29 AM, thewebbie wrote:
> > My requirements is to replace dozens of htaccess folders on one server. Each folder requiring a user group. So Host based will not work in this case
>
> Was this resolved in some way?

I don't think it was.

I believe the OP is following http://www.freeipa.org/page/Apache_Group_Based_Authorization which looks a bit outdated.

What we probably should decide is, what group-based access control do we want to suggest to people who cannot use HBAC and want to get the groups.

> > On Mon, May 18, 2015 at 12:38:47PM -0400, thewebbie wrote:
> > > I have been attempting to use my 4.1.4 FreeIPA server to authenticate folders on a web server as a replacement for the normal htaccess feature. I do require group authentication. I have tried just about every online example and have only been able to get basic LDAP and basic Kerberos authentication. How do I go about getting group based authentication working.
> > >
> > > I have tried to add the following to either example below and no luck. I added the httpbind user from an ldif file from examples. I created a user group named htaccess and added the users to it.
> > >
> > > AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=test,dc=com
> > > AuthLDAPBindPassword XX
> > > AuthLDAPGroupAttributeIsDN off
> > > AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?uid
> > >
> > > []
> > > [Mon May 18 14:31:19 2015] [debug] mod_authnz_ldap.c(739): [client xxx.xxx.xxx.xxx] auth_ldap authorise: User DN not found, LDAP: ldap_simple_bind_s() failed

Are you able to bind with that DN and password using for example ldapsearch?

> > > I have this working.
> > >
> > > <Location /private>
> > >     SSLRequireSSL
> > >     AuthName "LDAP Authentication"
> > >     AuthType Basic
> > >     AuthzLDAPMethod ldap
> > >     AuthzLDAPServer ipa.test.com
> > >     AuthzLDAPUserBase cn=users,cn=compat,dc=test,dc=com
> > >     AuthzLDAPUserKey uid
> > >     AuthzLDAPUserScope base
> > >     require valid-user
> > > </Location>
> > >
> > > And this is working
> > >
> > > <Location /private>
> > >     SSLRequireSSL
> > >     AuthName "KERBEROS Authentication"
> > >     AuthType Kerberos
> > >     KrbServiceName HTTP
> > >     KrbMethodK5Passwd On
> > >     KrbSaveCredentials On
> > >     KrbMethodNegotiate On
> > >     KrbAuthRealms TEST.COM
> > >     Krb5KeyTab /etc/httpd/conf.d/keytab
> > >     AuthLDAPUrl ldap://ipa.test.com/dc=test,dc=com?krbPrincipalName
> > >     Require valid-user
> > > </Location>

I wonder -- with SSSD configured on the machine -- doesn't "require group the-group-name" actually work?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Multiple CA certificates (for PassSync)
On 07/09/2015 07:23 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
> > Hello,
> >
> > We are currently in the process of replacing our IdM 3.x server with 4.x. There are going to be some major directory changes during the upgrade so I need to keep both the old and new IdM servers up and running separately.
> >
> > Part of our configuration is using the password sync between IdM and Active Directory. I can’t find any information on this so I figured I’d ask you guys to see if anyone has done this before.
> >
> > Can I have two CA certificates from 2 IdM servers installed on the Active Directory server? And will this cause any issues with our password sync?
>
> I'm not sure if you can do this. The CA is probably the least of your problems. I don't believe the AD passsync service can be aware of multiple consumers like this.

Right. passsync can talk to only 1 IdM server. To use multiple CA certs, just use the certutil tool to install an additional CA cert as per the docs.

> Rich may know.
>
> rob
[Freeipa-users] adding freeipa client fails
(Not sure if this message went through initially, this is a resend.)

I'm trying to add a freeIPA client on a Ubuntu 14.04.02 Version and it's failing. Here is some background information.

We lost (RIP) our main IPA server ipa.mydomain.com a while ago, but we were able to fail over to a replica called ipa2. Since then we've built a redundant ipa3.mydomain.com replica. Since then all the systems that were there previously work fine. But adding new IPA hosts fail.

The main error below (I believe) is:

Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'

Any idea how to fix? Thanks in advance!

root@myhost:~# ipa-client-install -N --hostname myhost.mydomain.com --mkhomedir
DNS domain 'COM' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: myhost.mydomain.com
Realm: COM
DNS Domain: mydomain.com
IPA Server: ipa.mydomain.com
BaseDN: dc=COM

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin@COM:
Unable to download CA cert from LDAP.
Do you want to download the CA cert from http://ipa.mydomain.com/ipa/config/ca.crt?
(this is INSECURE) [no]: yes
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=COM
    Issuer:      CN=Certificate Authority,O=COM
    Valid From:  Thu Apr 04 23:20:27 2013 UTC
    Valid Until: Mon Apr 04 23:20:27 2033 UTC

Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'
Installation failed. Rolling back changes.
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
/etc/ipa/default.conf could not be removed: [Errno 2] No such file or directory: '/etc/ipa/default.conf'
Please remove /etc/ipa/default.conf manually, as it can cause subsequent installation to fail.
Client uninstall complete.
Re: [Freeipa-users] adding freeipa client fails
On Thu, 2015-07-09 at 19:14 +, John Williams wrote:
> I'm trying to add a freeIPA client on a Ubuntu 14.04.02 Version and it's failing. Here is some background information.
>
> We lost (RIP) our main IPA server ipa.mydomain.com a while ago, but we were able to fail over to a replica called ipa2. Since then we've built a redundant ipa3.mydomain.com replica. Since then all the systems that were there previously work fine. But adding new IPA hosts fail.
>
> The main error below (I believe) is:
>
> Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'
>
> Any idea how to fix?

You probably added a cname pointing ipa -> ipa2, that won't work, drop the cname or force the client to use the ipa2 with the --server option.

Simo.

> Thanks in advance!
>
> root@myhost:~# ipa-client-install -N --hostname myhost.mydomain.com --mkhomedir
> DNS domain 'COM' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
> Discovery was successful!
> Hostname: myhost.mydomain.com
> Realm: COM
> DNS Domain: mydomain.com
> IPA Server: ipa.mydomain.com
> BaseDN: dc=COM
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
> Password for admin@COM:
> Unable to download CA cert from LDAP.
> Do you want to download the CA cert from http://ipa.mydomain.com/ipa/config/ca.crt?
> (this is INSECURE) [no]: yes
> Downloading the CA certificate via HTTP, this is INSECURE
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=COM
>     Issuer:      CN=Certificate Authority,O=COM
>     Valid From:  Thu Apr 04 23:20:27 2013 UTC
>     Valid Until: Mon Apr 04 23:20:27 2033 UTC
>
> Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'
> Installation failed. Rolling back changes.
> certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
> certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
> SSSD service could not be stopped
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> /etc/ipa/default.conf could not be removed: [Errno 2] No such file or directory: '/etc/ipa/default.conf'
> Please remove /etc/ipa/default.conf manually, as it can cause subsequent installation to fail.
> Client uninstall complete.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Import DNS records from another system
Ah! Perfect! Thank you, Craig!

On 7/9/15, 4:33 PM, Craig White cwh...@skytouchtechnology.com wrote:

> Should be relatively easy enough using ipa-admintools cli
>
> ipa help dnsrecord-add
>
> Craig White
> System Administrator
> O 623-201-8179 M 602-377-9752
> SkyTouch Technology
> 4225 E. Windrose Dr.
> Phoenix, AZ 85032
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Bendl, Kurt
> Sent: Thursday, July 09, 2015 3:16 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Import DNS records from another system
>
>> Hello,
>>
>> I've been given a list of DNS info [ipaddress, FQDN] to import into FreeIPA. The current DNS setup doesn't allow me to do a zone transfer, so the zone2dyndb-ldif tool won't help me at the moment. I'm hoping there is another method I can leverage to do the import. Some kind of API call would be awesome. Pointers on what I can try would be greatly appreciated.
>>
>> Thanks,
>> Kurt
>>
>> PS: I'm running this against a test environment, currently: ipa-server-4.1.0-18
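The dnsrecord-add route Craig points to, driven by the [ipaddress, FQDN] list Kurt describes, as an added example that is neither code from the thread nor from FreeIPA: it validates each pair, derives the record name relative to the zone, and prints the commands for review before anything is written. The zone name, the sample addresses and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: turn "ipaddress FQDN" pairs into
# ipa dnsrecord-add calls. Assumes the zone in $ZONE already exists in FreeIPA
# and that an admin Kerberos ticket (kinit admin) is held before a real run.
ZONE=${ZONE:-mydomain.com}   # constructed zone name

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Print the record name relative to $ZONE ("@" for the apex); fail if the FQDN is outside it.
record_name() {
  fqdn=${1%.}
  case "$fqdn" in
    "$ZONE")   printf '@\n' ;;
    *."$ZONE") printf '%s\n' "${fqdn%.$ZONE}" ;;
    *)         return 1 ;;
  esac
}

# Read "ip fqdn" lines on stdin; with DRY_RUN=1 (the default) print each command
# instead of running it, so the plan can be reviewed before touching the zone.
import_records() {
  while read -r ip fqdn rest; do
    case "$ip" in ''|'#'*) continue ;; esac
    valid_ipv4 "$ip" || { printf 'skip: bad address %s\n' "$ip" >&2; continue; }
    name=$(record_name "$fqdn") || { printf 'skip: %s not in %s\n' "$fqdn" "$ZONE" >&2; continue; }
    if [ "${DRY_RUN:-1}" = 1 ]; then
      printf 'ipa dnsrecord-add %s %s --a-rec=%s\n' "$ZONE" "$name" "$ip"
    else
      ipa dnsrecord-add "$ZONE" "$name" --a-rec="$ip"
    fi
  done
}

# Constructed sample input; run with DRY_RUN=0 to create the records for real.
import_records <<'EOF'
192.0.2.10 web1.mydomain.com
300.1.1.1 broken.mydomain.com
192.0.2.12 other.example.org
EOF
```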
[Freeipa-users] Import DNS records from another system
Hello,

I've been given a list of DNS info [ipaddress, FQDN] to import into FreeIPA. The current DNS setup doesn't allow me to do a zone transfer, so the zone2dyndb-ldif tool won't help me at the moment. I'm hoping there is another method I can leverage to do the import. Some kind of API call would be awesome. Pointers on what I can try would be greatly appreciated.

Thanks,
Kurt

PS: I'm running this against a test environment, currently: ipa-server-4.1.0-18
