[Freeipa-users] forcing ldaps and https
Hi all,

how can I force ipa-client to prefer LDAPS and HTTPS over LDAP and HTTP? I've googled before, but with no results.

I know that the server discovery is based upon SRV records in the DNS and these point to 389, not 636. I don't know how to change from 389 to 636, nor whether this would automatically enable LDAPS on port 636. Then, I have to get rid of HTTP and use HTTPS only.

Regards,
Danilo

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Replacing the "master"
Martin Kosek wrote:
> On 09/04/2015 12:00 AM, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I
>>> try and remove the last one the master? it says,
>>>
>>> "[root@vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.
>>> Directory Manager password:
>>>
>>> Deleting a master is irreversible.
>>> To reconnect to the remote master you will need to prepare a new replica file
>>> and re-install.
>>> Continue to delete? [no]: yes
>>> Deleting this server will orphan 'vuwunicoipam001x and vuwunicoipam003.x
>>> You will need to reconfigure your replication topology to delete this server.
>>> [root@vuwunicoipam001 thing]# ipa-replica-manage list
>>> Directory Manager password:
>>>
>>> vuwunicoipam002. master
>>> vuwunicoipam003. master
>>> vuwunicoipam001. master
>>> [root@vuwunicoipam001 thing]#"
>>>
>>> So how do I re-configure?
>>
>> Every server is a master. The only differences may be the services running
>> (CA and/or DNS) and only one generates the CRL and manages certificate
>> renewal. Otherwise they are all equal masters.
>>
>> This doesn't show the topology. Were I to guess it looks like:
>>
>>      001
>>     /   \
>>   002   003
>>
>> So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003
>>
>> Then you should be able to delete 0001. Just be sure at least one of those
>> other masters has a CA, if not both of them. You may need
>> ipa-csreplica-manage connect to connect that topology.
>>
>> Also be aware of the DNA config. A master doesn't automatically get one. It
>> only gets it when it creates an entry that needs a range.
>
> However, in this case this should not be a problem AFAIK, given that
> ipa-replica-manage tries to preserve the DNA range, from FreeIPA 3.2:
> https://fedorahosted.org/freeipa/ticket/3321

Well, Steven didn't mention his version so I assumed 3.0. It doesn't hurt to
double-check the ranges in advance.

It can still be an issue if one of the masters lacks a DNA range. My patch
harvests the DNA range but IIRC doesn't reset the DNA master server on all
other masters. So one may still be pointing to nowhere and fail to get a
range when needed.

rob
[Freeipa-users] Faulty LDAP record
Hi All,

how can I delete a faulty user in IPA 4.1? The record in LDAP looks like this:

nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso

It is not possible to delete it over the WebUI and with LDAP Browser I get this error:

Deleting is not possible, the following error appears:
Error while deleting entry
LDAP: error code 32 - No Such Object

Greetz
Christoph Kaminski
Re: [Freeipa-users] Upgrading IPA to dogtag? CA?
Steven Jones wrote:
> It seems I built IPA with self signed certs so I need to upgrade? is this
> possible? and if so how on existing servers?

I think it depends heavily on what version of IPA you are running and what
you mean by self-signed.

rob
Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Hi,

Does everyone have this working or given up on it ?

Cheers,

Matt

2015-08-26 20:07 GMT+02:00 Matt .:
> Chris,
>
> How far are you on this ? I'm stuck atm :(
>
> I hope you have some reference notes to follow and check out.
>
> Thanks!
>
> Matt
>
> 2015-08-20 22:15 GMT+02:00 Matt . :
>> Hi Chris,
>>
>> Would be great to see!
>>
>> If I have it working and we have 2-3 testcases I think we can add it
>> to the IPA docs!
>>
>> Keep me updated!
>>
>> Thanks
>>
>> Matt
>>
>> 2015-08-20 8:49 GMT+02:00 Christopher Lamb :
>>> Matt
>>>
>>> Once I got Samba and FreeIPA integrated (by the "good old extensions"
>>> path), I always use FreeIPA to administer users. I have never tried the
>>> samba tools like smbpasswd.
>>>
>>> I still have a wiki how-to in the works, but I had to focus on some other
>>> issues for a while.
>>>
>>> Chris
>>>
>>>
>>> From: "Matt ."
>>> To: Youenn PIOLET
>>> Cc: Christopher Lamb/Switzerland/IBM@IBMCH, "freeipa-users@redhat.com"
>>> Date: 20.08.2015 08:12
>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>
>>> HI Guys,
>>>
>>> Anyone still a working clue/test here ?
>>>
>>> I didn't come further as it seems there needs to be some domain join /
>>> match following the freeipa devs.
>>>
>>> Thanks!
>>>
>>> Matt
>>>
>>> 2015-08-13 13:09 GMT+02:00 Matt . :
>>>> Hi,
>>>>
>>>> I might have found something which I already saw in the logs.
>>>>
>>>> I did a smbpasswd my username on the samba server, it connects to ldap
>>>> very well. I give my new password and get the following:
>>>>
>>>> smbldap_search_ext: base => [dc=my,dc=domain], filter => [(&(objectClass=ipaNTGroupAttrs)(|(ipaNTSecurityIdentifier=S-1my--sid---)))], scope => [2]
>>>> Attribute [displayName] not found.
>>>> Could not retrieve 'displayName' attribute from cn=Default SMB Group,cn=groups,cn=accounts,dc=my,dc=domain
>>>> Sid S-1my--sid--- -> MYDOMAIN\Default SMB Group(2)
>>>>
>>>> So something is missing!
>>>>
>>>> Thanks so far guys!
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-08-13 12:02 GMT+02:00 Matt . :
>>>>> Hi Youenn,
>>>>>
>>>>> OK thanks! this takes me a little bit further now and I see some good
>>>>> stuff in my logging.
>>>>>
>>>>> I'm testing on a Windows 10 Machine which is not member of an AD or
>>>>> so, so that might be my issue for now ?
>>>>>
>>>>> When testing on the samba box itself as my user I get:
>>>>>
>>>>> [myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares
>>>>> ...
>>>>> Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
>>>>> ...
>>>>> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
>>>>>
>>>>> Maybe I have an issue with encrypted passwords ?
>>>>>
>>>>> When we have this all working, I think we have a howto :D
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-08-13 10:53 GMT+02:00 Youenn PIOLET :
>>>>>> Hi Matt
>>>>>>
>>>>>> - CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
>>>>>>   sambaSamAccount is not needed anymore that way.
>>>>>> - Default IPA Way : won't work if your Windows is not part of a domain
>>>>>>   controller. DOMAIN\username may work for some users using Windows 7 -
>>>>>>   not 8 nor 10 (it did for me but I was the only one at the office...
>>>>>>   quite useless)
>>>>>>
>>>>>> This config may work on your CentOS (for the ipasam way):
>>>>>>
>>>>>> workgroup = TEST
>>>>>> realm = TEST.NET
>>>>>> kerberos method = dedicated keytab
>>>>>> dedicated keytab file = FILE:/<.>/samba.keytab
>>>>>> create krb5 conf = no
>>>>>> security = user
>>>>>> encrypt passwords = true
>>>>>> passdb backend = ipasam:ldaps://youripa.test.net
>>>>>> ldapsam:trusted = yes
>>>>>> ldapsuffix = test.net
>>>>>> ldap user suffix = cn=users,cn=accounts
>>>>>> ldap group suffix = cn=groups,cn=accounts
>>>>>>
>>>>>> --
>>>>>> Youenn Piolet
>>>>>> piole...@gmail.com
>>>>>>
>>>>>> 2015-08-12 22:15 GMT+02:00 Matt . :
>>>>>>> Hi,
>>>>>>>
>>>>>>> OK the default IPA way works great actually when testing it as
>>>>>>> described here:
>>>>>>>
>>>>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>>>
>>>>>>> On the samba server I can auth and see my share where I want to
>>>>>>> connect to.
>>>>>>>
>>>>>>> The issue is, on Windows I cannot auth, even when I do DOMAIN\username
>>>>>>> as username
>>>>>>>
>>>>>>> So, the IPA way should work.
>>>>>>>
>>>>>>> Any comments here ?
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2015-08-12 19:00 GMT+02:00 Matt . :
>>>>>>>> HI GUys,
>>>>>>>>
>>>>>>>> I'm testing this out and I think I almost setup, this on a CentOS samba
>>>>>>>> server.
>>>>>>>>
Re: [Freeipa-users] forcing ldaps and https
On Fri, 04 Sep 2015, Danilo Aghemo wrote:
> Hi all,
>
> how can I force ipa-client to prefer LDAPS and HTTPS over LDAP and HTTP?
> I've googled before, but with no results.
>
> I know that the server discovery is based upon SRV records in the DNS and
> these point to 389, not 636. I don't know how to change from 389 to 636,
> nor whether this would automatically enable LDAPS on port 636. Then, I
> have to get rid of HTTP and use HTTPS only.

LDAPS is deprecated in favor of StartTLS and not recommended. The client
actually uses STARTTLS on port 389, not a plain LDAP.

--
/ Alexander Bokovoy
[Freeipa-users] Problem with replication?
Hi

we have a lot of these messages in the error log of dirsrv... What can be the problem and how can we fix it?

our (first) master (ipa-1.mgmt.biotronik-homemonitoring.int):

[04/Sep/2015:16:06:41 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:08:00 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:08:00 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:11:41 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:11:41 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:13:00 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:13:00 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:16:40 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:16:40 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:18:00 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:18:00 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32

one of our other ipa's (ipa-1.mgmt.datacenter-homemonitoring.int):

[04/Sep/2015:16:21:41 +0200] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)

Greetz
Christoph Kaminski
Re: [Freeipa-users] Failed to start pki-tomcatd Service
On 08/28/2015 05:46 PM, Alexandre Ellert wrote:
> On 28 Aug 2015 at 17:41, Alexander Bokovoy wrote:
>> On Fri, 28 Aug 2015, Alexandre Ellert wrote:
>>> On 28 Aug 2015 at 17:09, Alexander Bokovoy wrote:
>>>> On Wed, 26 Aug 2015, Alexandre Ellert wrote:
>>>>> On 28 Jul 2015 at 05:59, Alexander Bokovoy wrote:
>>>>>>> If the problem is too hard to solve, maybe I should try to deploy
>>>>>>> another replica ?
>>>>>> You may try that. Sorry for not responding, I have some other tasks
>>>>>> that occupy my time right now.
>>>>> Can you please tell me the procedure to decommission and re-create a
>>>>> new replica ? Are "ipa-server-install --uninstall" then
>>>>> "ipa-server-install" the only things to do ?
>>>> No, you need also to remove the server from the replication topology.
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html
>>>> --
>>>> / Alexander Bokovoy
>>> I can't remove the node on which I have problem with pki-tomcatd :
>>>
>>> # ipa-replica-manage del .example.com
>>> Deleting a master is irreversible.
>>> To reconnect to the remote master you will need to prepare a new replica file and re-install.
>>> Continue to delete? [no]: yes
>>> Deleting this server is not allowed as it would leave your installation without a CA
>>>
>>> It seems that it's the only node where CA is installed. What should I do now ?
>> Add a replica with CA using ipa-ca-install on existing replica. Read the
>> guide, it has detailed coverage of these situations.
>> --
>> / Alexander Bokovoy
> On the first node (which is working and without pki-tomcatd service)
>
> # ipa-ca-install
> Directory Manager (existing master) password:
> CA is already installed.
>
> How is it possible ?

You must provide a replica file as an argument to ipa-ca-install if you
want to setup CA on another replica.

--
Martin^3 Babinsky
Re: [Freeipa-users] Problem with replication?
On 09/04/2015 04:37 PM, Christoph Kaminski wrote:
> Hi
>
> we have a lot of these messages in the error log of dirsrv... What can be the problem and how can we fix it?
>
> our (first) master (ipa-1.mgmt.biotronik-homemonitoring.int):
>
> [04/Sep/2015:16:06:41 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
> [04/Sep/2015:16:08:00 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
> [04/Sep/2015:16:08:00 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
> [04/Sep/2015:16:11:41 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
> [04/Sep/2015:16:11:41 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
> [04/Sep/2015:16:13:00 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
> [04/Sep/2015:16:13:00 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
> [04/Sep/2015:16:16:40 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
> [04/Sep/2015:16:16:40 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
> [04/Sep/2015:16:18:00 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
> [04/Sep/2015:16:18:00 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
>
> one of our other ipa's (ipa-1.mgmt.datacenter-homemonitoring.int):
>
> [04/Sep/2015:16:21:41 +0200] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)

This means you somehow lost the user for authentication in replication. You could try to add it back; as a template, use one existing user in ou=csusers,cn=config.

> Greetz
> Christoph Kaminski
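To triage this kind of log flood before touching ou=csusers, the script below pulls every "result 32" event for a replication manager bind DN out of the dirsrv errors log and groups them by the missing DN and the peer named in the agreement. This is an added example, not code from the thread or from FreeIPA; the sample lines are taken from the message above plus one constructed noise line, so it runs offline.

```python
"""Group 389-ds errors-log lines that report a missing replication manager
bind DN (LDAP result 32, No such object) by DN and by the agreement peer.
Added example; SAMPLE_LOG copies lines from the thread plus one constructed
noise line, so nothing here needs a live server."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[04/Sep/2015:16:06:41 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:08:00 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config":32
[04/Sep/2015:16:21:41 +0200] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[04/Sep/2015:16:22:00 +0200] - slapd started (constructed noise line, must be ignored)
"""

# ipa_lockout plugin could not read the binding identity's entry; the
# trailing ": 32" (sometimes pasted as ":32") is the LDAP result code.
RETRIEVE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<source>ipalockout_\w+) - .*'
    r'Failed to retrieve entry "(?P<dn>[^"]+)":\s*(?P<code>\d+)\s*$')
# Outgoing replication bind refused because the peer has no such entry.
BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<source>slapi_ldap_bind) - Error: could not '
    r'bind id \[(?P<dn>[^\]]+)\] authentication mechanism \[[^\]]+\]: '
    r'error (?P<code>\d+)')
# FreeIPA names the Dogtag (pki-tomcat) CS replication identity after the
# agreement, which embeds the peer hostname.
AGMT_RE = re.compile(
    r'^cn=Replication Manager (?P<agmt>masterAgreement\d+-(?P<peer>.+)-pki-tomcat),'
    r'ou=csusers,cn=config$')


def parse_line(line):
    """Return {ts, source, dn} for a missing-bind-DN event, else None."""
    for rx in (RETRIEVE_RE, BIND_RE):
        m = rx.match(line)
        if m and m.group("code") == "32":
            return {"ts": m.group("ts"), "source": m.group("source"),
                    "dn": m.group("dn")}
    return None


def summarize(log_text):
    """One row per missing DN (sorted by DN) with hit count, the plugins
    that reported it, and the agreement/peer parsed from the DN."""
    buckets = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            buckets[ev["dn"]]["count"] += 1
            buckets[ev["dn"]]["sources"].add(ev["source"])
    rows = []
    for dn in sorted(buckets):
        m = AGMT_RE.match(dn)
        rows.append({"dn": dn,
                     "agreement": m.group("agmt") if m else None,
                     "peer": m.group("peer") if m else None,
                     **buckets[dn]})
    return rows


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print("%d hit(s) from %s for peer %s: %s" % (
            r["count"], ",".join(sorted(r["sources"])), r["peer"], r["dn"]))
```

Seeing the same DN both in ipalockout_* (local lookup) and in slapi_ldap_bind (remote bind) confirms the identity is gone on the receiving side rather than merely mistyped in one agreement.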
Re: [Freeipa-users] Faulty LDAP record
On 09/04/2015 04:49 PM, Christoph Kaminski wrote:
> Hi All,
>
> how can I delete a faulty user in IPA 4.1? The record in LDAP looks like this:
>
> nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso

this is a replication conflict entry, the user uid=zimt was added in parallel on two servers. you should be able to delete it with ldapmodify

ldapmodify .
dn: nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso
changetype: delete

> It is not possible to delete it over the WebUI and with LDAP Browser I get this error:
>
> Deleting is not possible, the following error appears:
> Error while deleting entry
> LDAP: error code 32 - No Such Object
>
> Greetz
> Christoph Kaminski
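The reply above identifies the entry by the shape of its DN: 389-ds renames the loser of a concurrent add to nsuniqueid=<id>+<original RDN> so it stops colliding with the surviving entry. The following added example (not code from the thread or from FreeIPA) recognises that shape, recovers the DN of the surviving entry, and builds the ldapmodify delete LDIF, refusing to emit one for a DN that is not a conflict entry.

```python
"""Recognise a 389-ds replication conflict entry by its DN and produce the
LDIF that deletes it. Added example using the DN quoted in the thread; it
only builds text for ldapmodify and never contacts a server."""
import re

CONFLICT_DN = ("nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,"
               "cn=users,cn=accounts,dc=hso")

# Conflict RDN: multi-valued RDN whose first component is the nsuniqueid
# (four 8-hex-digit groups) and whose second component is the original RDN.
CONFLICT_RDN_RE = re.compile(
    r"^nsuniqueid=(?P<id>[0-9a-f]{8}-[0-9a-f]{8}-[0-9a-f]{8}-[0-9a-f]{8})"
    r"\+(?P<rdn>[^,]+)$", re.IGNORECASE)


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas
    (e.g. cn=Doe\\, John) so they are not treated as separators."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def parse_conflict_dn(dn):
    """Return (nsuniqueid, surviving_entry_dn) if dn names a conflict entry,
    otherwise None. The surviving entry is the same RDN without the prefix."""
    rdns = split_dn(dn)
    m = CONFLICT_RDN_RE.match(rdns[0])
    if not m:
        return None
    return m.group("id"), ",".join([m.group("rdn")] + rdns[1:])


def delete_ldif(dn):
    """LDIF for 'ldapmodify' that removes the conflict entry. Raises for any
    other DN so a pasted live-user DN cannot be deleted by accident."""
    if parse_conflict_dn(dn) is None:
        raise ValueError("not a replication conflict entry: %s" % dn)
    # '+' and '=' are LDIF-safe characters, so the DN needs no base64.
    return "dn: %s\nchangetype: delete\n" % dn


if __name__ == "__main__":
    uid, survivor = parse_conflict_dn(CONFLICT_DN)
    print("conflict id %s shadows %s" % (uid, survivor))
    print(delete_ldif(CONFLICT_DN), end="")
```

Before deleting, compare the conflict entry with the surviving one (the second value returned by parse_conflict_dn) to decide which copy should live.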
Re: [Freeipa-users] Replacing the "master"
On 09/04/2015 12:00 AM, Rob Crittenden wrote:
> Steven Jones wrote:
>> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I
>> try and remove the last one the master? it says,
>>
>> "[root@vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.
>> Directory Manager password:
>>
>> Deleting a master is irreversible.
>> To reconnect to the remote master you will need to prepare a new replica file
>> and re-install.
>> Continue to delete? [no]: yes
>> Deleting this server will orphan 'vuwunicoipam001x and vuwunicoipam003.x
>> You will need to reconfigure your replication topology to delete this server.
>> [root@vuwunicoipam001 thing]# ipa-replica-manage list
>> Directory Manager password:
>>
>> vuwunicoipam002. master
>> vuwunicoipam003. master
>> vuwunicoipam001. master
>> [root@vuwunicoipam001 thing]#"
>>
>> So how do I re-configure?
>
> Every server is a master. The only differences may be the services running (CA
> and/or DNS) and only one generates the CRL and manages certificate renewal.
> Otherwise they are all equal masters.
>
> This doesn't show the topology. Were I to guess it looks like:
>
>      001
>     /   \
>   002   003
>
> So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003
>
> Then you should be able to delete 0001. Just be sure at least one of those
> other masters has a CA, if not both of them. You may need ipa-csreplica-manage
> connect to connect that topology.
>
> Also be aware of the DNA config. A master doesn't automatically get one. It
> only gets it when it creates an entry that needs a range.

However, in this case this should not be a problem AFAIK, given that
ipa-replica-manage tries to preserve the DNA range, from FreeIPA 3.2:
https://fedorahosted.org/freeipa/ticket/3321

Martin
Re: [Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)
Janelle,

On 03.09.15 at 21:38, Janelle wrote:
> As soon as I get another failed replica in this state (about once every
> 2-3 weeks) I will post the logs and open a ticket. On one server, I
> simply did a reboot, and when it came back, the keytab was wrong and the
> replica now claimed that it was no longer a member of the replica list.
> Let me get more information and logs to open a ticket.

May I ask you to post a link to the ticket here once it's open? I am really
interested to follow this issue.

Besides only two people having the password here, we have a two-factor
authentication on ssh, so there shouldn't be login failures via ssh to valid
accounts. I posted my "ipa user-show" output earlier.

But we run IPA to authenticate users to a compute cluster of about 3000 job
slots, so there are in fact a lot of ssh connections to be handled. And if a
flood of jobs is started more or less at the same time, these ssh connections
will spread out in parallel. So that could match what Rob was saying.

Hope we can find out at the end what is really causing this..

Best regards

Torsten

--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>                                                              <>
<> Dr. Torsten Harenberg     harenb...@physik.uni-wuppertal.de  <>
<> Bergische Universitaet                                       <>
<> FB C - Physik             Tel.: +49 (0)202 439-3521          <>
<> Gaussstr. 20              Fax : +49 (0)202 439-2811          <>
<> 42097 Wuppertal                                              <>
<>                                                              <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>