Re: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question

2015-10-13 Thread Jan Pazdziora
On Mon, Oct 12, 2015 at 08:13:29PM +, Andy Thompson wrote:
> 
> > The company I work for  uses AD 2008R2 DC to resolve requests for
> > Unix/Linux servers in various environments, under one domain
> > example.com, with the Realm EXAMPLE.COM ?
> > 
> > Is it possible to use Freeipa 4.1.0, with an AD trust with only itself as a
> > name server and forwarding all DNS requests to the windows DC's and still
> > keep everything in the example.com domain without creating a child domain
> > like  ipa.example.com ?
> > 
> > http://www.freeipa.org/page/Active_Directory_trust_setup
> > 
> > Add for RedHat 7, use hostnamectl set-hostname ipa.example.com
> > 
> > and
> > change the install IPA server  command to
> > 
> > ipa-server-install -a mypassword1 -p mypassword2 --domain=example.com --realm=example.com --setup-dns --forwarder=AD_ipaddress
> 
> No.  The IPA domain has to be different than the AD domain.

However, if the concern is more about users not wanting to see the
ipa.example.com in servers' hostnames than the underlying technology,
CNAMEs pointing to that IPA-managed domain can be used to present
flat structure to users:

server.example.com -> server.ipa.example.com

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question

2015-10-13 Thread Alexander Bokovoy

On Tue, 13 Oct 2015, Petr Spacek wrote:
> On 12.10.2015 22:20, Alexander Bokovoy wrote:
>> On Mon, 12 Oct 2015, Andy Thompson wrote:
>>>> -Original Message-
>>>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
>>>> boun...@redhat.com] On Behalf Of Hoffmaster, John
>>>> Sent: Monday, October 12, 2015 3:46 PM
>>>> To: freeipa-users@redhat.com
>>>> Subject: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question
>>>>
>>>> Hi,
>>>>
>>>> The company I work for uses AD 2008R2 DC to resolve requests for
>>>> Unix/Linux servers in various environments, under one domain
>>>> example.com, with the Realm EXAMPLE.COM ?
>>>>
>>>> Is it possible to use Freeipa 4.1.0, with an AD trust with only itself as a
>>>> name server and forwarding all DNS requests to the windows DC's and still
>>>> keep everything in the example.com domain without creating a child domain
>>>> like ipa.example.com ?
>>>>
>>>> http://www.freeipa.org/page/Active_Directory_trust_setup
>>>>
>>>> Add for RedHat 7, use hostnamectl set-hostname ipa.example.com
>>>>
>>>> and
>>>> change the install IPA server command to
>>>>
>>>> ipa-server-install -a mypassword1 -p mypassword2 --domain=example.com --realm=example.com --setup-dns --forwarder=AD_ipaddress
>>>>
>>>> Thanks,
>>>>
>>> No.  The IPA domain has to be different than the AD domain.
>> This is true for any two separate Active Directory forests, and as IPA
>> represents itself as a separate AD forest for the trust relationship, it
>> is forced to follow Active Directory requirements.
>
> In other words, IPA itself needs one separate domain for SRV records and other
> stuff.
>
> Client machines may have hostnames in different domains as long as there is
> 1:1 mapping between domain->REALM (AD/IPA).

Yep. Let's say explicitly:
- IPA machines cannot belong to any domain of AD forest -- in terms of
  DNS this means they cannot have A/AAAA records in any AD domain's DNS
  zone;
- IPA machines may have CNAMEs in an AD domain's DNS zone that point to
  A/AAAA records in IPA DNS zones.

If you follow these two rules, you'll have single sign-on working
between IPA and AD through the cross-forest trust.
--
/ Alexander Bokovoy

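
The two DNS rules above (plus Jan's CNAME trick from earlier in the thread) are easy to get wrong once an AD admin "helpfully" adds an A record for a Linux box in the AD zone. The script below is an added example, not from this thread or from the FreeIPA project: it checks an exported set of records against both rules. Zone names, host names and addresses in it are constructed; point it at a dump of your own AD and IPA zones before running `ipa trust-add`.

```python
"""Sanity-check DNS record placement before establishing an IPA <-> AD trust.

Added example (not from the thread or the FreeIPA project). It encodes the two
rules stated above: (1) IPA-enrolled hosts keep their A/AAAA records in an
IPA-managed zone, never in an AD zone; (2) an AD zone may carry CNAMEs that
point at those IPA names. Zone names, host names and addresses below are
constructed for illustration.
"""
from collections import namedtuple

Record = namedtuple("Record", "name rtype rdata")


def _norm(name):
    """Lower-case a DNS name and drop the trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def zone_of(name, zones):
    """Return the most specific zone in `zones` that contains `name`, or None."""
    name = _norm(name)
    best = None
    for zone in map(_norm, zones):
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def check_trust_dns(records, ipa_hosts, ad_zones, ipa_zones):
    """Return a list of human-readable problems; an empty list means the layout is fine."""
    ad_zones = [_norm(z) for z in ad_zones]
    ipa_zones = [_norm(z) for z in ipa_zones]
    all_zones = ad_zones + ipa_zones
    addr_records = [r for r in records if r.rtype in ("A", "AAAA")]
    problems = []

    # Canonical names of IPA hosts must live inside an IPA zone and have an address there.
    ipa_addrs = {}  # address -> IPA host that legitimately owns it
    for host in map(_norm, ipa_hosts):
        if zone_of(host, all_zones) not in ipa_zones:
            problems.append(f"{host}: IPA host name is not inside an IPA-managed zone")
            continue
        addrs = [r.rdata for r in addr_records if _norm(r.name) == host]
        if not addrs:
            problems.append(f"{host}: no A/AAAA record in its IPA zone")
        for addr in addrs:
            ipa_addrs[addr] = host

    # Rule 1: an A/AAAA in an AD zone that repeats an IPA host's address gives that host
    # a second canonical name inside AD, which breaks the 1:1 domain->realm mapping.
    for r in addr_records:
        name = _norm(r.name)
        if zone_of(name, all_zones) in ad_zones and r.rdata in ipa_addrs:
            problems.append(
                f"{name}: A/AAAA in AD zone duplicates IPA host {ipa_addrs[r.rdata]}; use a CNAME instead")

    # Rule 2: a CNAME in an AD zone may point into an IPA zone, but the target must exist.
    for r in records:
        if r.rtype != "CNAME":
            continue
        name, target = _norm(r.name), _norm(r.rdata)
        if zone_of(name, all_zones) in ad_zones and zone_of(target, all_zones) in ipa_zones:
            if not any(_norm(a.name) == target for a in addr_records):
                problems.append(f"{name}: CNAME target {target} has no A/AAAA record")
    return problems


# Constructed sample: example.com is the AD forest root, ipa.example.com the IPA domain.
AD_ZONES = ["example.com"]
IPA_ZONES = ["ipa.example.com"]
IPA_HOSTS = ["server.ipa.example.com", "db1.ipa.example.com"]
SAMPLE_RECORDS = [
    Record("server.ipa.example.com.", "A", "192.0.2.10"),
    Record("server.example.com.", "CNAME", "server.ipa.example.com."),  # allowed: flat name via CNAME
    Record("db1.ipa.example.com.", "A", "192.0.2.11"),
    Record("db1.example.com.", "A", "192.0.2.11"),  # violation: IPA host duplicated as A in AD zone
    Record("web.example.com.", "CNAME", "web.ipa.example.com."),  # dangling: no web.ipa.example.com A record
]


def check_sample():
    return check_trust_dns(SAMPLE_RECORDS, IPA_HOSTS, AD_ZONES, IPA_ZONES)


if __name__ == "__main__":
    for line in check_sample() or ["OK: record placement satisfies both rules"]:
        print(line)
```

The duplicate-address heuristic in rule 1 is deliberate: the record that breaks a trust is rarely labelled "IPA host", it is just an A record an AD admin created for the same box, so matching on the address catches it without needing a host list from AD.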


Re: [Freeipa-users] SUDO does not always works on first try

2015-10-13 Thread Zoske, Fabian
Hi Jakub,

thanks for looking through the data.

I cannot access the bug you mentioned. I already created an account for 
Bugzilla, but so far nothing.

In the second query there is a group which isn't present in the first one 
((sudoUser=%ug_freeipa-administrators_int)). This is the IPA equivalent of the 
AD group (ug_freeipa-administrators).
AD -> IPA_EXT -> IPA_INT

The second command you mentioned works and returns the correct passwd entry for 
my user. The first command is not found on the client.

Best regards,
Fabian

From: Jakub Hrozek [jhro...@redhat.com]
Sent: Monday, October 12, 2015 11:47
To: Zoske, Fabian
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SUDO does not always works on first try

On Fri, Oct 09, 2015 at 11:04:15AM +, Zoske, Fabian wrote:
> Hi Jakub,
>
> I increased the log level in every SSSD section to 6 and got following 
> output, hope that helps.
>
> KRB5_CHILD.LOG: https://s.mit42.de/IR6tu

All is OK here.

>
> SSSD_SUDO.LOG (two tries are logged in it): https://s.mit42.de/WF1Jl

So the interesting part is that the first try doesn't match any rules
for the user:
(Fri Oct  9 12:24:09 2015) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Fri Oct  9 12:24:09 2015) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with

[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=f.zo...@de.eu.local)(sudoUser=#1948403038)(sudoUser=%ug_freeipa-administrat...@de.eu.local)(sudoUser=%domänen-benut...@de.eu.local)(sudoUser=+*)))]
(Fri Oct  9 12:24:09 2015) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
[f.zo...@de.eu.local]

While the second does:
(Fri Oct  9 12:24:14 2015) [sssd[sudo]]
[sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with

[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=f.zo...@de.eu.local)(sudoUser=#1948403038)(sudoUser=%ug_freeipa-administrat...@de.eu.local)(sudoUser=%domänen-benut...@de.eu.local)(sudoUser=%admins)(sudoUser=%ug_freeipa-administrators_int)(sudoUser=+*)))]
(Fri Oct  9 12:24:14 2015) [sssd[sudo]]
[sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for
[f.zo...@de.eu.local]

It would be interesting to see the dump of the cache from when 0 rules
are returned. I suspect the user's membership wouldn't be correct, which
might be because of the bug I linked earlier.

>
> SSSD_IPA-LX.COM: https://s.mit42.de/frBvx

There are some failures here:
(Fri Oct  9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [ipa_s2n_exop_send]
(0x0400): Executing extended operation
(Fri Oct  9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [ipa_s2n_exop_done]
(0x0400): ldap_extended_operation result: No such object(32), (null)
(Fri Oct  9 12:24:19 2015) [sssd[be[ipa-lx.com]]]
[ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Fri Oct  9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [acctinfo_callback]
(0x0100): Request processed. Returned 3,1432158221,Account info lookup
failed
(Fri Oct  9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [be_get_account_info]
(0x0100): Got request for [4097][1][name=*]
(Fri Oct  9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [be_req_set_domain]
(0x0400): Changing request domain from [ipa-lx.com] to [de.eu.local]
(Fri Oct  9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [ipa_s2n_exop_send]
(0x0400): Executing extended operation
(Fri Oct  9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [ipa_s2n_exop_done]
(0x0400): ldap_extended_operation result: No such object(32), (null)

But I think this is a really minor bug we fixed later where we marked
requests as failed if they simply didn't find anything. If this works
without issues:
$ sss_cache -u f.zo...@de.eu.local
$ getent passwd f.zo...@de.eu.local

Then you can ignore those.

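
The comparison Jakub makes by eye above (the second sysdb filter carries two extra group terms and matches two rules, the first carries none and matches zero) can be automated. The script below is an added example, not part of this thread or of SSSD: it parses the sudo responder's "Searching sysdb with [...]" and "Returning N rules" lines and reports which identities appeared between attempts. The log lines in it are constructed to mirror the shape of sssd_sudo.log at debug_level 6 (user, uid and group names are placeholders); in a real log each entry is on a single line, the wrapping seen above is the mail client's.

```python
"""Compare the identity lists SSSD's sudo responder used on successive sudo attempts.

Added example, not part of the thread or of SSSD. Every (sudoUser=...) term in
the logged sysdb filter is one identity the user was believed to hold at that
moment (name, #uid, %group, +netgroup); diffing consecutive filters shows which
group memberships were missing on the attempt that returned 0 rules.
"""
import re

FILTER_RE = re.compile(r"\[sudosrv_get_sudorules_query_cache\].*Searching sysdb with \[(?P<filter>.+)\]\s*$")
RULES_RE = re.compile(r"Returning (?P<n>\d+) rules for \[(?P<user>[^\]]+)\]")
SUDOUSER_RE = re.compile(r"\(sudoUser=([^()]+)\)")

# Constructed sample log (placeholders, not the poster's data).
SAMPLE_LOG = """\
(Fri Oct  9 12:24:09 2015) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Fri Oct  9 12:24:09 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jdoe@ad.example.test)(sudoUser=#1000001)(sudoUser=%linux-admins@ad.example.test)(sudoUser=+*)))]
(Fri Oct  9 12:24:09 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [jdoe@ad.example.test]
(Fri Oct  9 12:24:14 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=jdoe@ad.example.test)(sudoUser=#1000001)(sudoUser=%linux-admins@ad.example.test)(sudoUser=%admins)(sudoUser=%linux-admins_int)(sudoUser=+*)))]
(Fri Oct  9 12:24:14 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [jdoe@ad.example.test]
"""


def parse_sudo_queries(lines):
    """Return one dict per sysdb query: {'identities': [...], 'rules': int|None, 'user': str|None}."""
    queries = []
    current = None
    for line in lines:
        m = FILTER_RE.search(line)
        if m:
            current = {"identities": SUDOUSER_RE.findall(m.group("filter")), "rules": None, "user": None}
            queries.append(current)
            continue
        m = RULES_RE.search(line)
        if m and current is not None and current["rules"] is None:
            current["rules"] = int(m.group("n"))
            current["user"] = m.group("user")
    return queries


def membership_diff(earlier, later):
    """Identities present in `later` but not `earlier`, and vice versa (sorted lists)."""
    a, b = set(earlier["identities"]), set(later["identities"])
    return sorted(b - a), sorted(a - b)


def analyze(log_text):
    """Summarise each attempt and what changed between the first and the last one."""
    queries = parse_sudo_queries(log_text.splitlines())
    gained, lost = membership_diff(queries[0], queries[-1]) if len(queries) > 1 else ([], [])
    return {
        "attempts": [(q["user"], q["rules"], len(q["identities"])) for q in queries],
        "gained_between_attempts": gained,
        "lost_between_attempts": lost,
        # Only %group and +netgroup terms can explain a rule-count change for the same user.
        "missing_groups_on_first_try": [g for g in gained if g[0] in "%+"],
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for user, rules, n in result["attempts"]:
        print(f"{user}: {rules} rules matched using {n} identities")
    print("groups missing on first try:", ", ".join(result["missing_groups_on_first_try"]) or "none")
```

Run it over a real sssd_sudo.log after `sss_cache -E` and two sudo attempts; if the missing terms are IPA-side groups that contain the AD external group (the AD -> IPA_EXT -> IPA_INT chain Fabian describes), the first attempt ran before the user's external group membership was resolved into the cache.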


Re: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question

2015-10-13 Thread Petr Spacek
On 12.10.2015 22:20, Alexander Bokovoy wrote:
> On Mon, 12 Oct 2015, Andy Thompson wrote:
>>
>>
>>> -Original Message-
>>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
>>> boun...@redhat.com] On Behalf Of Hoffmaster, John
>>> Sent: Monday, October 12, 2015 3:46 PM
>>> To: freeipa-users@redhat.com
>>> Subject: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question
>>>
>>> Hi,
>>>
>>> The company I work for  uses AD 2008R2 DC to resolve requests for
>>> Unix/Linux servers in various environments, under one domain
>>> example.com, with the Realm EXAMPLE.COM ?
>>>
>>> Is it possible to use Freeipa 4.1.0, with an AD trust with only itself as a
>>> name server and forwarding all DNS requests to the windows DC's and still
>>> keep everything in the example.com domain without creating a child domain
>>> like  ipa.example.com ?
>>>
>>> http://www.freeipa.org/page/Active_Directory_trust_setup
>>>
>>> Add for RedHat 7, use hostnamectl set-hostname ipa.example.com
>>>
>>> and
>>> change the install IPA server  command to
>>>
>>> ipa-server-install -a mypassword1 -p mypassword2 --domain=example.com --realm=example.com --setup-dns --forwarder=AD_ipaddress
>>>
>>> Thanks,
>>>
>>
>> No.  The IPA domain has to be different than the AD domain.
> This is true for any two separate Active Directory forests, and as IPA
> represents itself as a separate AD forest for the trust relationship, it
> is forced to follow Active Directory requirements.

In other words, IPA itself needs one separate domain for SRV records and other
stuff.

Client machines may have hostnames in different domains as long as there is
1:1 mapping between domain->REALM (AD/IPA).

-- 
Petr^2 Spacek



[Freeipa-users] ipa-server-install fails at last leg?

2015-10-13 Thread lejeczek

dear all,

my first try at ipa server, I get this when install fails:

  [15/16]: restarting httpd
  [error] CalledProcessError: Command ''/bin/systemctl' 
'restart' 'httpd.service'' returned non-zero exit status 1
Unexpected error - see /var/log/ipaserver-install.log for 
details:
CalledProcessError: Command ''/bin/systemctl' 'restart' 
'httpd.service'' returned non-zero exit status 1


then I can see that httpd fails to restart for:

Starting The Apache HTTP Server...
(98)Address already in use: AH00072: make_sock: could not 
bind to address [::]:8443
(98)Address already in use: AH00072: make_sock: could not 
bind to address 0.0.0.0:8443

no listening sockets available, shutting down

and port is bound by:

UID        PID  PPID  C      SZ    RSS PSR STIME TTY          TIME CMD
pkiuser   5330     1  1 2128224 494604   5 11:00 ?        00:00:16 java 
-agentpath:/usr/lib64/libabrt-java-connector.so=abrt=on 
-DRESTEASY_LIB=/usr/share/java/resteasy-base -classpath 
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar 
-Dcatalina.base=/var/lib/pki/pki-tomcat 
-Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= 
-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp 
-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djava.security.manager 
-Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy 
org.apache.catalina.startup.Bootstrap start


and this process is, as you can see, the result of the 
ipa-server-install itself.

Any suggestions as to what the problem is there?

many thanks.



Re: [Freeipa-users] import debian (salted SHA-512) password

2015-10-13 Thread Martin Kosek
On 10/13/2015 02:35 AM, Simo Sorce wrote:
> On 11/10/15 21:39, Benjamin Reed wrote:
>> On 10/11/15 12:59 PM, Benjamin Reed wrote:
>>> ...but I'm not sure exactly what format to use to import a
>>> "$6$salt$hash" style password from an existing debian system.
>>
>> Just a note for future folks trying to do this, I was able to do it by
>> enabling adding users with {CRYPT}:
>>
>> ipa config-mod --enable-migration=1
>> ipa user-add \
>>  --first=John --last=Doe \
>>  --setattr userPassword='{CRYPT}$6$salt$hash' john_doe
>>
>> Now I just need them to ssh in once to initialize kerberos passwords, right?
> 
> That's all you need if you are in migration mode and the server they log in 
> to is configured with SSSD.
> 
> Simo.

... or use the Web service:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Migrating_from_a_Directory_Server_to_IPA.html#webpage-pwd-migr

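
Doing this for more than one account is where mistakes creep in: locked accounts (`!` prefix in /etc/shadow), password-less system accounts (`*`) and old MD5-crypt hashes should not be carried over. The script below is an added example, not from this thread or the FreeIPA project; it turns shadow entries into the `ipa config-mod` / `ipa user-add` sequence Benjamin describes and refuses anything that is not a SHA-512 crypt hash. The shadow lines and names in it are constructed, and the hash values are placeholders with the right shape, not real digests.

```python
"""Turn /etc/shadow entries into IPA migration commands, refusing anything that
must not be carried over.

Added example, not from the thread or the FreeIPA project. Procedure: enable
migration mode once, then create each user with the existing SHA-512 crypt hash
as userPassword={CRYPT}...; Kerberos keys are generated the first time the user
authenticates through SSSD (or the migration web page). Sample data is constructed.
"""
import re
import shlex

# $6$[rounds=N$]salt$hash  (glibc sha512crypt: salt up to 16 chars, 86-char digest)
SHA512_CRYPT_RE = re.compile(r"^\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")

# Placeholder digest of the correct length; not the output of any real hash.
_DIGEST = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./abcdefghijklmnopqrstuv"

SAMPLE_SHADOW = "\n".join([
    f"jdoe:$6$saltsalt${_DIGEST}:16720:0:99999:7:::",                 # migratable
    f"asmith:!$6$saltsalt${_DIGEST}:16720:0:99999:7:::",              # locked with passwd -l: skip
    "legacy:$1$abcdefgh$0123456789abcdefghijkl:15000:0:99999:7:::",   # MD5-crypt: skip, too weak to carry over
    "sshd:*:16720:0:99999:7:::",                                      # no password: skip
])

SAMPLE_NAMES = {"jdoe": ("John", "Doe"), "asmith": ("Anne", "Smith"), "legacy": ("Old", "Account")}


def parse_shadow(text):
    """Yield (user, hash_field) for every well-formed line in a shadow file."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            yield fields[0], fields[1]


def migration_command(user, hash_field, first, last):
    """Return (argv, None) for one account, or (None, reason) when it must be skipped."""
    if hash_field in ("", "*", "!!") or hash_field.startswith("!"):
        return None, "locked or password-less account"
    if not SHA512_CRYPT_RE.match(hash_field):
        return None, "not a SHA-512 crypt hash; have the user set a new password instead"
    argv = ["ipa", "user-add", user, f"--first={first}", f"--last={last}",
            f"--setattr=userPassword={{CRYPT}}{hash_field}"]
    return argv, None


def build_plan(shadow_text, names):
    """Return (commands, skipped): argv lists to run in order, and (user, reason) pairs left out."""
    commands = [["ipa", "config-mod", "--enable-migration=TRUE"]]
    skipped = []
    for user, hash_field in parse_shadow(shadow_text):
        if user not in names:
            skipped.append((user, "no given/family name supplied"))
            continue
        argv, reason = migration_command(user, hash_field, *names[user])
        if argv is None:
            skipped.append((user, reason))
        else:
            commands.append(argv)
    return commands, skipped


if __name__ == "__main__":
    commands, skipped = build_plan(SAMPLE_SHADOW, SAMPLE_NAMES)
    for argv in commands:
        print(shlex.join(argv))  # quoting keeps the $ signs literal when pasted into a shell
    for user, reason in skipped:
        print(f"# skipped {user}: {reason}")
```

Two caveats worth keeping in mind: the `{CRYPT}` value only works while migration mode is on, and it stays in the directory until the user's first SSSD or migration-page login replaces it with Kerberos keys, so turn migration mode back off (`ipa config-mod --enable-migration=FALSE`) once that has happened for everyone.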


[Freeipa-users] OAuth2

2015-10-13 Thread Ben Francis
Is it supported?

Ben

Re: [Freeipa-users] OAuth2

2015-10-13 Thread Rob Crittenden
Ben Francis wrote:
> Is it supported?

No, but you should be able to use IPA as an identity backend for an
OAuth2 (or other federation) provider.

rob



Re: [Freeipa-users] Looking to test one-way trust

2015-10-13 Thread Alexander Bokovoy

On Tue, 13 Oct 2015, Michael Barkdoll wrote:
> Hello, I've successfully setup a two-way trust between FreeIPA and AD.  My
> understanding is that FreeIPA is currently or planning to support Global
> Cataloging.  I'm looking to implement a one-way trust between AD and
> FreeIPA to remove security concerns with my AD administrators in my
> organization.
You didn't specify what FreeIPA version you are talking about. One-way
trust is implemented in FreeIPA 4.2 (4.2.2 right now, RHEL 7.2 beta has
it under 'ipa-server-4.2.0-*' package).

> My questions are as follows:
> 1) Is there a guide/post that I can follow for setting up a one-way trust
> between FreeIPA and AD?
In FreeIPA 4.2+ one-way trust is the default. So if you want to
establish trust and don't specify --bi-directional flag, you are
establishing one-way trust.

For earlier-established trust relationship, you need to re-run 'ipa
trust-add' again to convert to one-way.

> 2) What type of trust is being created on the AD side, is it a cross-forest
> outgoing trust to the FreeIPA server from the AD server?
Yes. Instead of creating both legs of the trust, only one of them is
created.
--
/ Alexander Bokovoy



[Freeipa-users] Looking to test one-way trust

2015-10-13 Thread Michael Barkdoll
Hello, I've successfully setup a two-way trust between FreeIPA and AD.  My
understanding is that FreeIPA is currently or planning to support Global
Cataloging.  I'm looking to implement a one-way trust between AD and
FreeIPA to remove security concerns with my AD administrators in my
organization.

My questions are as follows:
1) Is there a guide/post that I can follow for setting up a one-way trust
between FreeIPA and AD?
2) What type of trust is being created on the AD side, is it a cross-forest
outgoing trust to the FreeIPA server from the AD server?

Thanks for your kind time,

Michael Barkdoll

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-13 Thread Gronde, Christopher (Contractor)
Still having issues...if I can still have assistance with this

getcert list
Number of certificates and requests being tracked: 3.
Request ID '20150922143354':
status: NEED_TO_SUBMIT
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,O=ITMODEV.GOV
subject: CN=IPA RA,O=ITMODEV.GOV
expires: 2013-10-09 11:45:01 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20151007150853':
status: CA_UNREACHABLE
ca-error: Error setting up ccache for "host" service on client using 
default keytab: Cannot contact any KDC for realm 'ITMODEV.GOV'.
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=ITMODEV.GOV
subject: CN=comipa02.itmodev.gov,O=ITMODEV.GOV
expires: 2015-09-23 17:46:26 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20150921154714':
status: NEED_CA
stuck: yes
key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-ITMODEV-GOV',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-ITMODEV-GOV/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-ITMODEV-GOV',nickname='Server-Cert',token='NSS
 Certificate DB'
issuer: CN=Certificate Authority,O=ITMODEV.GOV
subject: CN=comipa02.itmodev.gov,O=ITMODEV.GOV
expires: 2015-09-23 17:46:26 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ITMODEV-GOV
track: yes
auto-renew: yes

-Original Message-
From: Gronde, Christopher (Contractor) 
Sent: Thursday, October 08, 2015 2:06 PM
To: 'Rob Crittenden' 
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Certmonger and dogtag not workingissues 
manually renewing Server-Cert

# ldapsearch -x -b cn=ca_renewal,cn=ipa,cn=etc,dc=itmodev,dc=gov
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ipa service was not running...I attempted to start it.

# service ipa start
Starting Directory Service
Starting dirsrv:
ITMODEV-GOV...[08/Oct/2015:14:03:08 -0400] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of 
family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - 
Peer's Certificate has expired.)
   [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:[  OK  ]
Starting HTTP Service
Starting httpd:[FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:   [  OK  ]
Stopping Kerberos 5 Admin Server:  [  OK  ]
Stopping ipa_memcached:[  OK  ]
Stopping httpd:[FAILED]
Shutting down dirsrv:
ITMODEV-GOV... [  OK  ]
Aborting ipactl

Ntpd is still stopped but date was back to today so I changed the date back to 
9/21 and started ipa services

# service ipa start
Starting Directory Service
Starting dirsrv:
ITMODEV-GOV... [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:[  OK  ]
Starting HTTP Service
Starting httpd:[  OK  ]

# service ipa start
Starting Directory Service
Starting dirsrv:

Re: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0

2015-10-13 Thread Andrey Ptashnik
I usually try not to. On the other hand, I see that many important fixes are 
coming with major/minor releases, and I am trying to figure out my course of 
action until the fixes and/or the release become available. 

Regards,

Andrey Ptashnik

On 10/12/15, 7:46 PM, "freeipa-users-boun...@redhat.com on behalf of Steven 
Jones"  
wrote:

>Hi,
>
>IPA is a complex beast, you would be brave/foolish to upgrade it outside of 
>the Redhat support matrix.
>
>Also I would / will wait 1~2 months before upgrading to 7.2 so any serious 
>bugs/issues are found by someone else.
>
>regards
>
>Steven 
>
>
>From: freeipa-users-boun...@redhat.com  on 
>behalf of Andrey Ptashnik 
>Sent: Tuesday, 13 October 2015 8:43 a.m.
>To: Alexander Bokovoy
>Cc: freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0
>
>I see, so your best advice is to wait for official release of 7.2 and upgrade 
>all at once even if I need just a few simple fixes like “search for non-admin 
>users” and etc…?
>
>Is there any approximate timeline for the 7.2 release?
>
>Regards,
>
>Andrey Ptashnik
>
>
>On 10/12/15, 2:10 PM, "Alexander Bokovoy"  wrote:
>
>>On Mon, 12 Oct 2015, Andrey Ptashnik wrote:
>>>If we have a production environment, is it a safe move to upgrade to 7.2 Beta?
>>Beta is for testing new features, not for production yet.
>>
>>>And then still question remains what are correct steps to go from 4.1.0 to 
>>>4.2.0?
>>As Rob said, you do package updates and as part of that process an
>>upgrade will be done. There is no specific upgrade path instructions
>>between 4.1 and 4.2, unlike between 3.0 and 3.3+.
>>
>>--
>>/ Alexander Bokovoy
>

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-13 Thread Gronde, Christopher (Contractor)
So over the weekend time on the server changed back to normal so I set the time 
back again and tried to restart the ipa service and I get the following

#service ipa start
Starting Directory Service
Starting dirsrv:
ITMODEV-GOV... [FAILED]
  *** Error: 1 instance(s) failed to start
Failed to start Directory Service: Command '/sbin/service dirsrv start ' 
returned non-zero exit status 1

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gronde, Christopher 
(Contractor)
Sent: Tuesday, October 13, 2015 10:50 AM
To: Rob Crittenden 
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Certmonger and dogtag not workingissues 
manually renewing Server-Cert

Still having issues...if I can still have assistance with this

getcert list
Number of certificates and requests being tracked: 3.
Request ID '20150922143354':
status: NEED_TO_SUBMIT
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,O=ITMODEV.GOV
subject: CN=IPA RA,O=ITMODEV.GOV
expires: 2013-10-09 11:45:01 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20151007150853':
status: CA_UNREACHABLE
ca-error: Error setting up ccache for "host" service on client using 
default keytab: Cannot contact any KDC for realm 'ITMODEV.GOV'.
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=ITMODEV.GOV
subject: CN=comipa02.itmodev.gov,O=ITMODEV.GOV
expires: 2015-09-23 17:46:26 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20150921154714':
status: NEED_CA
stuck: yes
key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-ITMODEV-GOV',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-ITMODEV-GOV/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-ITMODEV-GOV',nickname='Server-Cert',token='NSS
 Certificate DB'
issuer: CN=Certificate Authority,O=ITMODEV.GOV
subject: CN=comipa02.itmodev.gov,O=ITMODEV.GOV
expires: 2015-09-23 17:46:26 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ITMODEV-GOV
track: yes
auto-renew: yes

-Original Message-
From: Gronde, Christopher (Contractor)
Sent: Thursday, October 08, 2015 2:06 PM
To: 'Rob Crittenden' 
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Certmonger and dogtag not workingissues 
manually renewing Server-Cert

# ldapsearch -x -b cn=ca_renewal,cn=ipa,cn=etc,dc=itmodev,dc=gov
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ipa service was not running...I attempted to start it.

# service ipa start
Starting Directory Service
Starting dirsrv:
ITMODEV-GOV...[08/Oct/2015:14:03:08 -0400] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of 
family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - 
Peer's Certificate has expired.)
   [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:[  OK  ]
Starting HTTP Service
Starting httpd:[FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:   [  OK  ]
Stopping Kerberos 5 Admin Server:  [  OK  ]
Stopping ipa_memcached:[  OK  ]
Stopping httpd:[FAILED]
Shutting 
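
The `getcert list` output quoted twice in this thread contains everything needed to decide what to fix first: three expired certificates, one request stuck in NEED_CA, one CA_UNREACHABLE because the KDC is down, and a two-year-old ipaCert (the RA agent certificate every IPA-CA renewal depends on). Reading that by hand across several servers is error-prone, so the script below, an added example that is not from this thread or from certmonger/FreeIPA, parses the listing, flags expired and stuck entries, and computes how far back the clock has to go for every certificate to be valid again (the rollback Christopher is doing manually with `date`). The sample output is constructed to mirror the shape of the listing above with placeholder realm and host names; the rollback target is a heuristic (one day before the earliest expiry), not a certmonger feature.

```python
"""Triage `getcert list` output: expired certificates, stuck requests, and the
latest clock value at which every tracked certificate was still valid.

Added example, not from the thread or from certmonger/FreeIPA. The sample output
is constructed (placeholder realm/hosts). Rollback target is a heuristic: one day
before the earliest expiry, i.e. the latest point at which all certificates were
valid and certmonger could still have renewed them through the IPA CA.
"""
import re
from datetime import datetime, timedelta

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
NICK_RE = re.compile(r"nickname='([^']+)'")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"

SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20150922143354':
        status: NEED_TO_SUBMIT
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=IPA RA,O=EXAMPLE.TEST
        expires: 2013-10-09 11:45:01 UTC
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20151007150853':
        status: CA_UNREACHABLE
        ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'EXAMPLE.TEST'.
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa1.example.test,O=EXAMPLE.TEST
        expires: 2015-09-23 17:46:26 UTC
        track: yes
        auto-renew: yes
Request ID '20150921154714':
        status: NEED_CA
        stuck: yes
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=ipa1.example.test,O=EXAMPLE.TEST
        expires: 2015-09-23 17:46:26 UTC
        track: yes
        auto-renew: yes
"""

NOW = datetime(2015, 10, 13, 12, 0, 0)  # date of the thread, used as the reference clock


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names getcert prints."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)  # first colon only: timestamps and errors contain colons
            current[key.strip()] = value.strip()
    return requests


def label(req):
    """Request ID plus NSS nickname (falls back to the subject) for readable findings."""
    nick = NICK_RE.search(req.get("certificate", ""))
    return f"{req['id']} {nick.group(1) if nick else req.get('subject', '?')}"


def triage(requests, now=NOW):
    """Return (label, finding) pairs for everything that needs an operator's attention."""
    findings = []
    for req in requests:
        if "expires" in req:
            when = datetime.strptime(req["expires"], EXPIRES_FMT)
            if when <= now:
                findings.append((label(req), f"expired {(now - when).days} days ago"))
        if req.get("stuck") == "yes":
            findings.append((label(req), f"stuck in state {req.get('status')}"))
        if "ca-error" in req:
            findings.append((label(req), "ca-error: " + req["ca-error"]))
    return findings


def rollback_target(requests):
    """Heuristic: latest clock value at which every tracked certificate was still valid."""
    expiries = [datetime.strptime(r["expires"], EXPIRES_FMT) for r in requests if "expires" in r]
    return min(expiries) - timedelta(days=1)


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE_GETCERT)
    for who, what in triage(reqs):
        print(f"{who}: {what}")
    print("set the clock no later than", rollback_target(reqs), "before retrying renewals")
```

On the constructed data the rollback target lands in October 2013, because the RA certificate is the oldest expiry; on a real server that is the number to compare against the CA's own certificate validity before touching `date`, and ntpd must stay stopped for the whole renewal so it does not snap the clock forward mid-way.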

[Freeipa-users] shared ip space for iDM and AD

2015-10-13 Thread Craig White
Our environment is mostly Linux servers but we do have some Windows servers 
running MSSQL. A co-worker spun up Active Directory Domain Controllers without 
conferring with me and the Windows boxes are all on one of the VLAN private LAN 
networks used by FreeIPA. Thus we not only have reverse DNS servers in FreeIPA 
but also in Active Directory. Is it possible to have Active Directory use the 
reverse DNS servers on iDM/FreeIPA?

Craig White
System Administrator
O 623-201-8179   M 602-377-9752


SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
