[Freeipa-users] IPA vulnerability management SSL

2016-04-26 Thread Sean Hogan


Hello,

  We currently have 7 ipa servers in multi-master running:

ipa-server-3.0.0-47.el6_7.1.x86_64
389-ds-base-1.2.11.15-68.el6_7.x86_64

Tenable is showing the use of weak ciphers along with freak
vulnerabilities.  I have followed
https://access.redhat.com/solutions/675183 however issues remain in the
ciphers being used.

I have also modified dse.ldif with the following from
http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports

With ipa stopped I modified dse with the below:

modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: +all,-rsa_null_sha
allowWeakCipher: off
numSubordinates: 1

I turn on ipa and get
Starting Directory Service
Starting dirsrv:
PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry
"cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed

So I go back into the file and allowWeakCipher now shows allowweakcipher
(caps for W and C are now lower case)


nss.conf


# new config to stop using weak ciphers.
NSSCipherSuite
-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha
#   SSL Protocol:
#   Cryptographic protocols that provide communication security.
#   NSS handles the specified protocols as "ranges", and automatically
#   negotiates the use of the strongest protocol for a connection starting
#   with the maximum specified protocol and downgrading as necessary to the
#   minimum specified protocol that can be used between two processes.
#   Since all protocol ranges are completely inclusive, and no protocol in the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2


server.xml

   clientAuth="true"
   sslOptions="ssl2=off,ssl3=off,tls=true"

ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"

ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"

tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"





Is there a config for this version of IPA/DS somewhere that will pass
poodle, freak, null ciphers scanning or only allow strong ciphers?



Sean Hogan


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
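A way to check a cipher string like the dse.ldif one above before restarting dirsrv. This is an added example of mine, not code from the thread or from 389-ds: it parses the cn=encryption,cn=config entry out of a dse.ldif, expands the nsSSL3Ciphers spec in order (+all, then the -name exclusions) and lists the enabled suites that are weak. KNOWN_CIPHERS is a constructed subset of NSS suite names (the ones in the post plus rsa_aes_128_sha; a real server knows more), SAMPLE_DSE is a constructed excerpt, and the weak-marker list is my own classification.

```python
"""Audit the TLS cipher list in a 389-ds dse.ldif (added example)."""

# Constructed subset of NSS cipher-suite names understood by 389-ds.
KNOWN_CIPHERS = [
    "rsa_rc4_128_md5", "rsa_rc4_128_sha", "rsa_3des_sha", "rsa_des_sha",
    "rsa_rc4_40_md5", "rsa_rc2_40_md5", "rsa_null_md5", "rsa_null_sha",
    "fips_3des_sha", "fips_des_sha", "fortezza", "fortezza_rc4_128_sha",
    "fortezza_null", "rsa_des_56_sha", "rsa_rc4_56_sha",
    "rsa_aes_128_sha", "rsa_aes_256_sha",
]

# Substrings that mark a suite as weak: RC4/RC2, (3)DES, NULL encryption,
# MD5 MAC, Fortezza and the 40/56-bit export grades.
WEAK_MARKERS = ("rc4", "rc2", "des", "null", "md5", "fortezza", "_40_", "_56_")


def parse_ldif(text):
    """Return {dn(lowercase): {attr(lowercase): [values]}} for plain LDIF.

    Folded lines (leading space) and comments are handled; base64 (::)
    values are not decoded, which is enough for cn=config entries."""
    entries, block = {}, []

    def flush(lines):
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value.lower()
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries[dn] = attrs

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            flush(block)
            block = []
        elif raw.startswith(" ") and block:
            block[-1] += raw[1:]          # folded continuation line
        else:
            block.append(raw)
    flush(block)
    return entries


def expand_cipher_spec(spec, known=KNOWN_CIPHERS):
    """Apply a comma-separated +name/-name/+all/-all spec left to right."""
    enabled = []
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        sign, name = token[0], token[1:].lower()
        if sign not in "+-" or not name:
            raise ValueError("bad cipher token: %r" % token)
        targets = list(known) if name == "all" else [name]
        for cipher in targets:
            if sign == "+" and cipher not in enabled:
                enabled.append(cipher)
            elif sign == "-" and cipher in enabled:
                enabled.remove(cipher)
    return enabled


def is_weak(cipher):
    return any(marker in cipher for marker in WEAK_MARKERS)


def audit_encryption_entry(ldif_text):
    """Summarise the cipher posture of cn=encryption,cn=config."""
    enc = parse_ldif(ldif_text).get("cn=encryption,cn=config")
    if enc is None or "nsssl3ciphers" not in enc:
        raise ValueError("no explicit nsSSL3Ciphers; the server default applies")
    spec = enc["nsssl3ciphers"][0]
    enabled = expand_cipher_spec(spec)
    return {
        "spec": spec,
        "enabled": enabled,
        "weak_enabled": [c for c in enabled if is_weak(c)],
        # Only builds that know the attribute accept it; the 1.2.11 server in
        # the thread rejected it at startup, so its presence alone proves nothing.
        "allow_weak_cipher": enc.get("allowweakcipher", [None])[0],
    }


# Constructed dse.ldif excerpt modelled on the post's "+all,-rsa_null_sha".
SAMPLE_DSE = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3: off
nsTLS1: on
nsSSL3Ciphers: +all,-rsa_null_sha
allowWeakCipher: off
"""

# The explicit deny list from the post's nss.conf, for comparison.
DENY_LIST_SPEC = (
    "-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,"
    "-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,"
    "-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,"
    "-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha"
)

if __name__ == "__main__":
    report = audit_encryption_entry(SAMPLE_DSE)
    print("spec:", report["spec"])
    print("weak suites still enabled:", ", ".join(report["weak_enabled"]))
    print("deny-list spec enables:", expand_cipher_spec(DENY_LIST_SPEC))
```

The point the audit makes visible: "+all,-rsa_null_sha" still leaves every RC4, DES and MD5 suite enabled, whereas a spec that names only the suites you want (the nss.conf style ending in +rsa_aes_256_sha) is what a scanner will actually accept. Run it against a copy of the instance's dse.ldif while dirsrv is stopped.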

[Freeipa-users] migration user passwords from openldap to freeipa

2016-04-26 Thread siology.io
I'm having issues migrating from an openldap directory (which has gosa
schema) to freeipa.

To migrate I'm doing (and yes, I know):

ipa migrate-ds ldap://old.server.com:389 --bind-dn
"cn=my_user,ou=people,dc=domain,dc=com" --group-objectclass=posixGroup
--user-objectclass=inetOrgPerson --group-overwrite-gid
--user-ignore-objectclass=gosaAccount
--user-ignore-objectclass=gosaMailAccount
--user-ignore-attribute=gosaMailDeliveryMode
--user-ignore-attribute=gosaMailServer
--user-ignore-attribute=gosaSpamSortLevel
--user-ignore-attribute=gosaSpamMailbox
--user-ignore-objectclass=sshaccount --user-ignore-objectclass=gosaacl
--user-ignore-attribute=sshpublickey
--user-ignore-attribute=sambaLMPassword
--user-ignore-attribute=sambaBadPasswordTime
--user-ignore-attribute=gosaaclentry
--user-ignore-attribute=sambaBadPasswordCount
--user-ignore-attribute=sambaNTPassword
--user-ignore-attribute=sambaPwdLastSet

Which seems to work to import all those users which have posix settings
set; however I have two problems:

- Am I right in thinking there's no way to auto-assign a gid/uid/home dir
for the non-posix users at migration time? That's not a deal breaker per
se, but I'd need to spin up a new copy of the old ldap and then add those
attributes to every user, then migrate to ipa from that source, which is a
real pain.

- The migration seems to be successful for the users that do have posix
attributes, and ends with:

 Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.

...but I'm unable to login to that page as any of my migrated users, or
bind as them with ldapsearch. It seems like the passwords were not migrated?

Because 90% of my ~350 users are only going to be using freeipa insomuch as
using services which are making use of the ipa server's ldap, I was hoping
that I wouldn't need to make kerberos tickets for those users, and hence
avoid needing every user to login to the migration page. At the moment
however I'm not able to get any migrated users at all to be able to bind to
ldap or login to that page.

Any tips or gotchas i should know ? I've no idea how to begin debugging
this.
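One way to begin debugging the "passwords were not migrated?" question is to confirm what the userPassword values actually are on both sides. This is an added example of mine, not part of the thread or of FreeIPA: it verifies a cleartext test password against RFC 2307-style userPassword values ({SHA}, {SSHA}, {SSHA256}, {SSHA512}, or cleartext) so that "hash missing after migration", "hash present but does not verify" and "scheme IPA cannot check" are told apart. Reading the values out of the old directory and out of IPA (ldapsearch as a privileged DN) is assumed; SAMPLE_ENTRIES is constructed data.

```python
"""Verify LDAP userPassword hashes for migrated users (added example)."""
import base64
import hashlib
import hmac
import os

# scheme -> (hashlib name, digest length in bytes, salted?)
SCHEMES = {
    "SHA": ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
    "SSHA256": ("sha256", 32, True),
    "SSHA512": ("sha512", 64, True),
}


def password_scheme(stored):
    """Return the scheme prefix of a userPassword value ('' for cleartext)."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return ""


def make_hash(scheme, password, salt=None):
    """Produce a {SCHEME}base64(digest[+salt]) value, e.g. for test data."""
    algo, _, salted = SCHEMES[scheme.upper()]
    salt = (os.urandom(8) if salt is None else salt) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))


def verify_userpassword(stored, password):
    """True if `password` matches the stored userPassword value.

    Unknown schemes ({CRYPT}, {MD5}, ...) raise, so a caller cannot mistake
    "unsupported" for "wrong password"."""
    scheme = password_scheme(stored)
    if scheme == "":
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
    if scheme not in SCHEMES:
        raise ValueError("unsupported userPassword scheme {%s}" % scheme)
    algo, dlen, salted = SCHEMES[scheme]
    raw = base64.b64decode(stored[len(scheme) + 2:])
    if len(raw) < dlen:
        raise ValueError("truncated %s hash" % scheme)
    digest, salt = raw[:dlen], (raw[dlen:] if salted else b"")
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def check_migrated_entries(entries, test_password):
    """entries: {uid: userPassword value or None}.

    Returns {uid: 'missing' | 'ok' | 'mismatch' | 'unsupported:<SCHEME>'}."""
    result = {}
    for uid, stored in entries.items():
        if not stored:
            result[uid] = "missing"
            continue
        try:
            result[uid] = "ok" if verify_userpassword(stored, test_password) else "mismatch"
        except ValueError:
            result[uid] = "unsupported:" + password_scheme(stored)
    return result


# Constructed sample entries, not real directory data.
SAMPLE_ENTRIES = {
    "alice": make_hash("SSHA", "Passw0rd!", salt=b"saltsalt"),
    "bob": "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",   # sha1("password")
    "carol": None,                               # userPassword did not come across
    "dave": "{CRYPT}$6$notsupportedhere",         # scheme this checker does not cover
}

if __name__ == "__main__":
    for uid, state in sorted(check_migrated_entries(SAMPLE_ENTRIES, "Passw0rd!").items()):
        print(uid, state)
```

If an entry in IPA verifies here but the LDAP bind still fails, the hash itself is not the problem and the search moves to the bind path; if the attribute is simply absent in IPA but present in the source, the migration did not carry it over.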

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
HERE..



[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)

[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)

[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available))

[23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests

[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests

[23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests

[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed

[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)

[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2



Gady



-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

Gady Notrica wrote:
> Hey world,
>
> Any ideas?

What about the first part of Ludwig's question: Is there anything in the 389-ds
error log?

rob

>
> Gady
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
> Sent: April 26, 2016 10:10 AM
> To: Ludwig Krispenz; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> No, no changes. Lost connectivity with my VMs during the night
> (networking issues in datacenter)
>
> Reboot the server and oups, no IPA is coming up... The replica (secondary
> server) is fine though.
>
> Gady Notrica
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
> Sent: April 26, 2016 10:02 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
>
> On 04/26/2016 03:26 PM, Gady Notrica wrote:
>> Here...
>>
>> [root@cd-p-ipa1 log]# ipactl status
>> Directory Service: STOPPED
>> Directory Service must be running in order to obtain status of other
>> services
>> ipa: INFO: The ipactl command was successful
>>
>> [root@cd-p-ipa1 log]# systemctl status
>>
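Ludwig's question in this thread is where the errors start in /var/log/dirsrv/slapd-<INSTANCE>/errors. As an added example of mine (not from the thread or from 389-ds), here is a small parser for that log that joins wrapped lines, strips the journal prefix that systemd adds when ns-slapd output is read via journalctl, tags the messages seen in this thread, and returns the first record that is an error. The line format regex and the tag table are my assumptions; SAMPLE_LOG is constructed from lines quoted in the thread.

```python
"""Find where the errors start in a 389-ds errors log (added example)."""
import re
from datetime import datetime

# "[23/Apr/2016:11:39:51 -0400] component - message"; journal-wrapped lines
# carry a "Mon DD HH:MM:SS host ns-slapd[pid]: " prefix that is stripped.
LINE_RE = re.compile(
    r"^(?:\w{3} +\d+ [\d:]+ \S+ ns-slapd\[\d+\]: )?"
    r"\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] "
    r"(?:(?P<comp>[\w.-]+) )?- ?(?P<msg>.*)$"
)

# Message patterns from the thread, with a defender-facing tag (assumed).
KNOWN_CAUSES = [
    (re.compile(r"Cannot contact any KDC"), "kdc-unreachable"),
    (re.compile(r"No Kerberos credentials available"), "no-krb-creds"),
    (re.compile(r"Can't contact LDAP server"), "replica-unreachable"),
    (re.compile(r"Unknown attribute syntax OID"), "schema-syntax-plugin"),
    (re.compile(r"too much time skew"), "clock-skew"),
    (re.compile(r"GSSAPI auth resumed"), "recovered"),
]
ERROR_WORDS = re.compile(r"Error|failed|Could not|invalid|Unknown|Warning", re.I)


def parse_errors_log(text):
    """Return a list of {'ts', 'comp', 'msg', 'tag', 'is_error'} records.

    Lines that do not start a record (mail or terminal wrapping) are joined
    to the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append({
                "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
                "comp": m.group("comp") or "slapd",
                "msg": m.group("msg"),
            })
        elif records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    for rec in records:
        rec["tag"] = next((tag for pat, tag in KNOWN_CAUSES if pat.search(rec["msg"])), "other")
        rec["is_error"] = bool(ERROR_WORDS.search(rec["msg"])) and rec["tag"] != "recovered"
    return records


def first_error(records):
    """Earliest record flagged as an error, or None."""
    return min((r for r in records if r["is_error"]), key=lambda r: r["ts"], default=None)


def summarize(records):
    """Count records per tag, in first-seen order."""
    counts = {}
    for r in records:
        counts[r["tag"]] = counts.get(r["tag"], 0) + 1
    return counts


# Constructed sample built from lines quoted in the thread, wrapping included.
SAMPLE_LOG = """\
[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials
for principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested
realm)
[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (No Kerberos credentials available))
errno 0 (Success)
[23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All Interfaces port
389 for LDAP requests
[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin -
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with
GSSAPI auth resumed
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
"""

if __name__ == "__main__":
    recs = parse_errors_log(SAMPLE_LOG)
    first = first_error(recs)
    print("first error:", first["ts"], first["comp"], first["tag"])
    print("by tag:", summarize(recs))
```

Running it over a whole errors file (open the file, pass its contents) answers Ludwig's question directly: the timestamp and component of the first error, and whether the later GSSAPI noise is the startup chatter Rob describes (followed by "auth resumed") or a persistent failure.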

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Rob Crittenden

Gady Notrica wrote:

Hey world,

Any ideas?


What about the first part of Ludwig's question: Is there anything in the 
389-ds error log?


rob



Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 26, 2016 10:10 AM
To: Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

No, no changes. Lost connectivity with my VMs during the night (networking 
issues in datacenter)

Reboot the server and oups, no IPA is coming up... The replica (secondary 
server) is fine though.

Gady Notrica

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: April 26, 2016 10:02 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 03:26 PM, Gady Notrica wrote:

Here...

[root@cd-p-ipa1 log]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other
services
ipa: INFO: The ipactl command was successful

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
  Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.

this says the server doesn't know a syntax oid, but it is a known one.
It could be that the syntax plugins couldn't be loaded. There are more errors 
before, could you check where the errors start in 
/var/log/dirsrv/slapd-/errors ?

And, did you do any changes to the system before this problem started ?

[root@cd-p-ipa1 log]#

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 26, 2016 9:17 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 03:13 PM, Gady Notrica wrote:

Hello world,



I am having issues this morning with my primary IPA. See below the
details in the logs and command result. Basically, krb5kdc service
not starting - krb5kdc: Server error - while fetching master key.



DNS is functioning. See below dig result. I have a trust with Windows AD.



Please help…!



[root@cd-ipa1 log]# systemctl status krb5kdc.service -l

● krb5kdc.service - Kerberos 5 KDC

 Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;
disabled; vendor preset: disabled)

 Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52
EDT; 41min ago

Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
$KRB5KDC_ARGS (code=exited, status=1/FAILURE)



Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...

Apr 26 08:27:52 

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
Hey world,

Any ideas? 

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 26, 2016 10:10 AM
To: Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

No, no changes. Lost connectivity with my VMs during the night (networking 
issues in datacenter)

Reboot the server and oups, no IPA is coming up... The replica (secondary 
server) is fine though.

Gady Notrica 

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: April 26, 2016 10:02 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 03:26 PM, Gady Notrica wrote:
> Here...
>
> [root@cd-p-ipa1 log]# ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other 
> services
> ipa: INFO: The ipactl command was successful
>
> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
> ● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
>    Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
>   Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
this says the server doesn't know a syntax oid, but it is a known one. 
It could be that the syntax plugins couldn't be loaded. There are more errors 
before, could you check where the errors start in 
/var/log/dirsrv/slapd-/errors ?

And, did you do any changes to the system before this problem started ?
> [root@cd-p-ipa1 log]#
>
> Gady
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
> Sent: April 26, 2016 9:17 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>> Hello world,
>>
>>
>>
>> I am having issues this morning with my primary IPA. See below the 
>> details in the logs and command result. Basically, krb5kdc service 
>> not starting - krb5kdc: Server error - while fetching master key.
>>
>>
>>
>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>
>>
>>
>> Please help…!
>>
>>
>>
>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
>>
>> ● krb5kdc.service - Kerberos 5 KDC
>>
>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;
>> disabled; vendor preset: disabled)
>>
>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 
>> EDT; 41min ago
>>
>>Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid 
>> $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>
>>
>>
>> Apr 26 08:27:52 

Re: [Freeipa-users] IPA server having cert issues

2016-04-26 Thread Bret Wortman



On 04/26/2016 01:45 PM, Rob Crittenden wrote:

Bret Wortman wrote:

I think I've found a deeper problem, in that I can't update these
because IPA simply won't start at all now.

I mistyped one of these -- the 2016-03-11 is actually 2018-03-11, and
2016-04-01 is actually 2036-04-01.

As for the unknowns, the first says status: CA_REJECTED and the error
says "hostname in subject of request 'zw198.private.net' does not match
principal hostname 'private.net'", with stuck: yes.

The second is similar, but for a different host.


Is it really a different host and why? I think we'd need to see the 
full output to know what's going on.




Full output:

Number of certificates and requests being tracked: 10.
Request ID '20140428181940':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd-PRIVATE-NET/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=PRIVATE.NET
subject: CN=zsipa.private.net,O=PRIVATE.NET
expires: 2018-04-02 13:04:51 UTC
principal name: ldap/zsipa.private@private.net
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20140428182016':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=PRIVATE.NET
subject: CN=zsipa.private.net,O=PRIVATE.NET
expires: 2018-04-02 13:04:31 UTC
principal name: HTTP/zsipa.private@private.net
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150211141945':
status: CA_REJECTED
ca-error: Server at https://zsipa.private.net/ipa/xml denied our 
request, giving up: 2100 (RPC failed at server.  Insufficient access: 
hostname in subject of request 'zw198.private.net' does not match 
principal hostname 'private.net').

stuck: yes
key pair storage: 
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS 
Certificate DB'
certificate: 
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'

CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150816194107':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PRIVATE.NET
subject: CN=CA Audit,O=PRIVATE.NET
expires: 2016-04-17 18:19:19 UTC
key usage: digitalSignature,nonRepudiation
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150816194108':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS 
Certificate DB',pin='424151811070'
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS 
Certificate DB'

CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PRIVATE.NET
subject: CN=OCSP Subsystem,O=PRIVATE.NET
expires: 2016-04-17 18:19:18 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150816194109':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PRIVATE.NET
subject: CN=CA Subsystem,O=PRIVATE.NET
expires: 2016-04-17 18:19:19 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:

Re: [Freeipa-users] IPA server having cert issues

2016-04-26 Thread Rob Crittenden

Bret Wortman wrote:

I think I've found a deeper problem, in that I can't update these
because IPA simply won't start at all now.

I mistyped one of these -- the 2016-03-11 is actually 2018-03-11, and
2016-04-01 is actually 2036-04-01.

As for the unknowns, the first says status: CA_REJECTED and the error
says "hostname in subject of request 'zw198.private.net' does not match
principal hostname 'private.net'", with stuck: yes.

The second is similar, but for a different host.


Is it really a different host and why? I think we'd need to see the full 
output to know what's going on.


A given host can only get certificates for itself or those delegated to 
it. Hostnames are used for this enforcement so if they don't line up 
you'll see this type of rejection.




No idea what's wrong with the rest, or why nothing will start. Near as I
can tell, Kerberos is failing to start, which is causing everything else
to go toes up.

Early in the startup, in /var/log/messages, there's:

ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide
more information (No Kerberos credentials available)


Without more context it's hard to say. 389 is rather chatty about things 
and of course when it starts it has no ticket so it logs a bunch of 
stuff, eventually (hopefully) gets one, and then shuts up.




After that, I get a jar file read problem on log4j.jar, then a series of
property setting attempts that don't find matching properties. Then some
cipher errors, then it looks like named starts up okay, and everything
pauses for about 5 minutes before it all comes crashing back down.



I wouldn't get too hung up on particular services just yet. Without 
valid certs things will fail and those problems will cascade. I think we 
just need more details at this point.


rob



Bret

On 04/26/2016 12:40 PM, Petr Vobornik wrote:

On 04/26/2016 06:00 PM, Bret Wortman wrote:

# getcert list | grep expires
  expires: 2018-04-02 13:04:51 UTC
  expires: 2018-04-02 13:04:31 UTC
  expires: unknown
  expires: 2016-04-17 18:19:19 UTC
  expires: 2016-04-17 18:19:18 UTC
  expires: 2016-04-17 18:19:19 UTC
  expires: 2016-04-01 20:16:39 UTC
  expires: 2016-04-17 18:19:35 UTC
  expires: 2016-03-11 13:04:29 UTC
  expires: unknown
#

So some got updated and most didn't. Is there a recommended way to update these
all? The system is still backdated to 3 April (ntpd disabled) at this point.

It's usually good to start renewing (when it doesn't happen automatically
for some reason) with the cert which is about to expire first, i.e.
the one with "2016-03-11 13:04:29"

The process is:
- move date before the cert is about to expire
- leave it up to certmonger or manually force resubmit by `getcert
resubmit -i $REQUEST_ID`, where request ID is in `getcert list` output.

I'm a little worried about the fact that the CA cert was renewed at a date which
is after expiration of the other certs.

Also the `expires: unknown` doesn't look good. Check `getcert list`
output for errors related to the cert.




Bret


On 04/26/2016 11:46 AM, Petr Vobornik wrote:

On 04/26/2016 03:26 PM, Bret Wortman wrote:

On our non-CA IPA server, this is happening, in case it's related and 
illustrative:

# ipa host-del zw113.private.net
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.
#

I would start with checking on all IPA servers if and what certificates
are expired:
# getcert list
or short version to check if there are any:
# getcert list | grep expires

When the CA cert is renewed, it is not automatically transferred to clients.
There one must run:
# ipa-certupdate


On 04/26/2016 09:24 AM, Bret Wortman wrote:

I rolled the date on the IPA server in question back to April 1 and ran
"ipa-cacert-manage renew", which said it completed successfully. I rolled the
date back to current and tried restarting ipa using ipactl stop && ipactl
start, but no joy. No more ca renewal errors, but right after the pause I see
this in /var/log/messages:

systemd: kadmin.service: main process exited, code=exited,
status=2/INVALIDARGUMENT
systemd: Unit kadmin.service entered failed state.
systemd: kadmin.service failed.

I rebooted the server just in case, and it's still getting stuck at the same
place. ipa-otpd doesn't get around to starting.


Bret

After the several-minutes-long pause after ipactl start outputs "Starting
pki-tomcatd Service", I get the

On 04/26/2016 08:14 AM, Bret Wortman wrote:

I have an IPA server on a private network which has apparently run into
certificate issues this morning. It's been running without issue for quite a
while, and is on 4.1.4-1 on fedora 21.

This morning, the gui started giving:

IPA Error 907: NetworkError with description "cannot connect to
'https://zsipa.private.net:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your certificate as expired."

I dug into the logs and after trying 

Re: [Freeipa-users] IPA server having cert issues

2016-04-26 Thread Bret Wortman
I should also note that /var/log/dirsrv/slapd-PRIVATE-NET/errors ends 
with a series of "csngen_new_csn - Warning: too much time skew (-2153860 
secs). Current seqnum=1" errors.



On 04/26/2016 12:57 PM, Bret Wortman wrote:
I think I've found a deeper problem, in that I can't update these 
because IPA simply won't start at all now.


I mistyped one of these -- the 2016-03-11 is actually 2018-03-11, and 
2016-04-01 is actually 2036-04-01.


As for the unknowns, the first says status: CA_REJECTED and the error 
says "hostname in subject of request 'zw198.private.net' does not 
match principal hostname 'private.net'", with stuck: yes.


The second is similar, but for a different host.

No idea what's wrong with the rest, or why nothing will start. Near as 
I can tell, Kerberos is failing to start, which is causing everything 
else to go toes up.


Early in the startup, in /var/log/messages, there's:

ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may 
provide more information (No Kerberos credentials available)


After that, I get a jar file read problem on log4j.jar, then a series 
of property setting attempts that don't find matching properties. Then 
some cipher errors, then it looks like named starts up okay, and 
everything pauses for about 5 minutes before it all comes crashing 
back down.



Bret

On 04/26/2016 12:40 PM, Petr Vobornik wrote:

On 04/26/2016 06:00 PM, Bret Wortman wrote:

# getcert list | grep expires
  expires: 2018-04-02 13:04:51 UTC
  expires: 2018-04-02 13:04:31 UTC
  expires: unknown
  expires: 2016-04-17 18:19:19 UTC
  expires: 2016-04-17 18:19:18 UTC
  expires: 2016-04-17 18:19:19 UTC
  expires: 2016-04-01 20:16:39 UTC
  expires: 2016-04-17 18:19:35 UTC
  expires: 2016-03-11 13:04:29 UTC
  expires: unknown
#

So some got updated and most didn't. Is there a recommended way to update these
all? The system is still backdated to 3 April (ntpd disabled) at this point.

It's usually good to start renewing(when it doesn't happen automatically
from some reason) with the cert which is about to expired first, i.e.
the one with "2016-03-11 13:04:29"

The process is:
- move date before the cert is about to expired
- leave it up to certmonger or manually force resubmit by `getcert
resubmit -i $REQUEST_ID`, where request ID is in `getcert list` output.

I'm little worried about the fact that CA cert was renewed at date which
is after expiration of the other certs.

Also the `expires: unknown` doesn't look good. Check `getcert list`
output for errors related to the cert.



Bret


On 04/26/2016 11:46 AM, Petr Vobornik wrote:

On 04/26/2016 03:26 PM, Bret Wortman wrote:

On our non-CA IPA server, this is happening, in case it's related and 
illustrative:

# ipa host-del zw113.private.net
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.
#

I would start with checking on all IPA servers if and what certificates
are expired:
# getcert list
or short version to check if there are any:
# getcert list | grep expires

When CA cert is renewed, it is not automatically transfered to clients.
There one must run:
# ipa-certupdate


On 04/26/2016 09:24 AM, Bret Wortman wrote:

I rolled the date on the IPA server in question back to April 1 and ran
"ipa-cacert-manage renew", which said it completed successfully. I rolled the
date back to current and tried restarting ipa using ipactl stop && ipactl
start, but no joy. No more ca renewal errors, but right after the pause I see
this in /var/log/messages:

systemd: kadmin.service: main process exited, code=exited,
status=2/INVALIDARGUMENT
systemd: Unit kadmin.service entered failed state.
systemd: kadmin.service failed.

I rebooted the server just in case, and it's still getting stuck at the same
place. ipa-otpd doesn't get around to starting.


Bret

After the several-minutes-long pause after ipactl start outputs "Starting
pki-tomcatd Service", I get the

On 04/26/2016 08:14 AM, Bret Wortman wrote:

I have an IPA server on a private network which has apparently run into
certificate issues this morning. It's been running without issue for quite a
while, and is on 4.1.4-1 on fedora 21.

This morning, the gui started giving:

IPA Error 907: NetworkError with description "cannot connect to
'https://zsipa.private.net:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your certificate as expired."

I dug into the logs and after trying to restart ipa using ipactl, there was a
length pause, then:

dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in
database "/etc/httpd/alias" is no longer valid.
dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS
Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.

Re: [Freeipa-users] IPA server having cert issues

2016-04-26 Thread Bret Wortman
I think I've found a deeper problem, in that I can't update these 
because IPA simply won't start at all now.


I mistyped one of these -- the 2016-03-11 is actually 2018-03-11, and 
2016-04-01 is actually 2036-04-01.


As for the unknowns, the first says status: CA_REJECTED and the error 
says "hostname in subject of request 'zw198.private.net' does not match 
principal hostname 'private.net'", with stuck: yes.


The second is similar, but for a different host.

No idea what's wrong with the rest, or why nothing will start. Near as I 
can tell, Kerberos is failing to start, which is causing everything else 
to go toes up.


Early in the startup, in /var/log/messages, there's:

ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide 
more information (No Kerberos credentials available)


After that, I get a jar file read problem on log4j.jar, then a series of 
property setting attempts that don't find matching properties. Then some 
cipher errors, then it looks like named starts up okay, and everything 
pauses for about 5 minutes before it all comes crashing back down.



Bret


Re: [Freeipa-users] IPA server having cert issues

2016-04-26 Thread Petr Vobornik
On 04/26/2016 06:00 PM, Bret Wortman wrote:
> # getcert list | grep expires
>  expires: 2018-04-02 13:04:51 UTC
>  expires: 2018-04-02 13:04:31 UTC
>  expires: unknown
>  expires: 2016-04-17 18:19:19 UTC
>  expires: 2016-04-17 18:19:18 UTC
>  expires: 2016-04-17 18:19:19 UTC
>  expires: 2016-04-01 20:16:39 UTC
>  expires: 2016-04-17 18:19:35 UTC
>  expires: 2016-03-11 13:04:29 UTC
>  expires: unknown
> #
> 
> So some got updated and most didn't. Is there a recommended way to update 
> these 
> all? The system is still backdated to 3 April (ntpd disabled) at this point.

It's usually good to start renewing (when it doesn't happen automatically
for some reason) with the cert which is about to expire first, i.e.
the one with "2016-03-11 13:04:29"

The process is:
- move the date to before the cert is about to expire
- leave it up to certmonger or manually force a resubmit with `getcert
resubmit -i $REQUEST_ID`, where the request ID is in `getcert list` output.

I'm a little worried about the fact that the CA cert was renewed at a date which
is after the expiration of the other certs.

Also the `expires: unknown` doesn't look good. Check `getcert list`
output for errors related to the cert.


> 
> 
> Bret
> 
> 
> On 04/26/2016 11:46 AM, Petr Vobornik wrote:
>> On 04/26/2016 03:26 PM, Bret Wortman wrote:
>>> On our non-CA IPA server, this is happening, in case it's related and 
>>> illustrative:
>>>
>>> # ipa host-del zw113.private.net
>>> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
>>> certificate/key database is in an old, unsupported format.
>>> #
>> I would start with checking on all IPA servers if and what certificates
>> are expired:
>># getcert list
>> or short version to check if there are any:
>># getcert list | grep expires
>>
>> When the CA cert is renewed, it is not automatically transferred to clients.
>> There one must run:
>># ipa-certupdate
>>
>>> On 04/26/2016 09:24 AM, Bret Wortman wrote:
 I rolled the date on the IPA server in question back to April 1 and ran
 "ipa-cacert-manage renew", which said it completed successfully. I rolled 
 the
 date back to current and tried restarting ipa using ipactl stop && ipactl
 start, but no joy. No more ca renewal errors, but right after the pause I 
 see
 this in /var/log/messages:

 systemd: kadmin.service: main process exited, code=exited,
 status=2/INVALIDARGUMENT
 systemd: Unit kadmin.service entered failed state.
 systemd: kadmin.service failed.

 I rebooted the server just in case, and it's still getting stuck at the 
 same
 place. ipa-otpd doesn't get around to starting.


 Bret

 After the several-minutes-long pause after ipactl start outputs "Starting
 pki-tomcatd Service", I get the

 On 04/26/2016 08:14 AM, Bret Wortman wrote:
> I have an IPA server on a private network which has apparently run into
> certificate issues this morning. It's been running without issue for 
> quite a
> while, and is on 4.1.4-1 on fedora 21.
>
> This morning, the gui started giving:
>
> IPA Error 907: NetworkError with description "cannot connect to
> 'https://zsipa.private.net:443/ca/agent/ca/displayBySerial':
> (SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your certificate as 
> expired."
>
> I dug into the logs and after trying to restart ipa using ipactl, there 
> was a
> lengthy pause, then:
>
> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
> certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in
> database "/etc/httpd/alias" is no longer valid.
> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
> certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS
> Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer 
> valid.
> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available.
> named-pkcs11[3437]: client 192.168.208.205#57832: update
> '208.168.192.in-addr.arpa/IN' denied
>
> and then things start shutting down. I can't start ipa at all using 
> ipactl.
>
> So at present, our DNS is down. Authentication should work for a while, 
> but
> I'd like to get this working again as quickly as possible. Any ideas? I 
> deal
> with certificates so infrequently (like only when something like this
> happens) that I'm not sure where to start.
>
> Thanks!
>
>
> -- 
> *Bret Wortman*
> /Coming soon to Kickstarter.../
> 
> http://wrapbuddies.co/
>
> 


-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
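To make Petr's checklist above concrete (look at `getcert list` on every server, renew the soonest-expiring cert first, resubmit it by request ID, and treat `expires: unknown` as something to investigate), here is an added Python example that parses `getcert list` output and works out the renewal order. It is not code from the thread or from certmonger/FreeIPA. The sample output is constructed: the request IDs are placeholders, the nicknames and the CA_REJECTED error text follow what Bret posted, and the one-day margin used for the clock rollback is this example's own assumption.

```python
"""Triage `getcert list` output: which tracked certs are expired, which are
`unknown`, and in what order to `getcert resubmit -i` them.
Added example (not thread or FreeIPA/certmonger code); sample is constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed: placeholder request IDs in the real `getcert list` layout
# (tab-indented "key: value" lines under each "Request ID '...':" header).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 4.
Request ID 'REQ-PLACEHOLDER-1':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2018-04-02 13:04:51 UTC
Request ID 'REQ-PLACEHOLDER-2':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2016-04-17 18:19:19 UTC
Request ID 'REQ-PLACEHOLDER-3':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\texpires: 2016-03-11 13:04:29 UTC
Request ID 'REQ-PLACEHOLDER-4':
\tstatus: CA_REJECTED
\tca-error: hostname in subject of request 'zw198.private.net' does not match principal hostname 'private.net'
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: unknown
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"   # the format getcert prints after "expires:"


def parse_getcert_list(text):
    """One dict of "key: value" fields per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and line[:1] in ("\t", " ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests


def parse_utc(value):
    """'YYYY-MM-DD HH:MM:SS UTC' -> aware datetime; 'unknown' -> None."""
    if value == "unknown":
        return None
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def triage(text, now_utc):
    """Bucket certs relative to now_utc (a string in the `expires:` format).
    'expired' and 'valid' are sorted earliest expiry first (the renewal order
    recommended in the thread); 'unknown' needs status/ca-error, not a date."""
    now = parse_utc(now_utc)
    buckets = {"expired": [], "valid": [], "unknown": []}
    for req in parse_getcert_list(text):
        expires = parse_utc(req.get("expires", "unknown"))
        nick = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
        entry = {
            "request_id": req["request_id"],
            "nickname": nick.group(1) if nick else "",
            "expires": expires,
            "status": req.get("status", ""),
            "stuck": req.get("stuck") == "yes",
            "ca_error": req.get("ca-error", ""),
        }
        if expires is None:
            buckets["unknown"].append(entry)
        elif expires <= now:
            buckets["expired"].append(entry)
        else:
            buckets["valid"].append(entry)
    for key in ("expired", "valid"):
        buckets[key].sort(key=lambda e: e["expires"])
    return buckets


def resubmit_order(text, now_utc):
    """Request IDs in the order to pass to `getcert resubmit -i`."""
    b = triage(text, now_utc)
    return [e["request_id"] for e in b["expired"] + b["valid"]]


def rollback_date(text, now_utc):
    """Clock value at which every dated cert was still valid: one day (an
    assumption of this example) before the earliest expiry; None if none expired."""
    expired = triage(text, now_utc)["expired"]
    if not expired:
        return None
    return (expired[0]["expires"] - timedelta(days=1)).strftime(TIME_FMT)


if __name__ == "__main__":
    NOW = "2016-04-26 12:00:00 UTC"   # constructed "current time"
    for bucket, entries in triage(SAMPLE_GETCERT_LIST, NOW).items():
        for e in entries:
            flag = " STUCK: " + e["ca_error"] if e["stuck"] else ""
            print(f"{bucket:8} {e['request_id']:18} {e['nickname']:26} {e['expires']}{flag}")
    print("resubmit order:", resubmit_order(SAMPLE_GETCERT_LIST, NOW))
    print("roll clock back to:", rollback_date(SAMPLE_GETCERT_LIST, NOW))
```

On a real server, feed it the actual `getcert list` output and compare the suggested rollback date with the CA cert's own validity window before changing the clock; a CA cert whose `expires:` lies far beyond the other certs is exactly the situation Petr flags as worrying.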


Re: [Freeipa-users] IPA server having cert issues

2016-04-26 Thread Bret Wortman

# getcert list | grep expires
expires: 2018-04-02 13:04:51 UTC
expires: 2018-04-02 13:04:31 UTC
expires: unknown
expires: 2016-04-17 18:19:19 UTC
expires: 2016-04-17 18:19:18 UTC
expires: 2016-04-17 18:19:19 UTC
expires: 2016-04-01 20:16:39 UTC
expires: 2016-04-17 18:19:35 UTC
expires: 2016-03-11 13:04:29 UTC
expires: unknown
#

So some got updated and most didn't. Is there a recommended way to 
update these all? The system is still backdated to 3 April (ntpd 
disabled) at this point.



Bret


On 04/26/2016 11:46 AM, Petr Vobornik wrote:

On 04/26/2016 03:26 PM, Bret Wortman wrote:

On our non-CA IPA server, this is happening, in case it's related and 
illustrative:

# ipa host-del zw113.private.net
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.
#

I would start with checking on all IPA servers if and what certificates
are expired:
   # getcert list
or short version to check if there are any:
   # getcert list | grep expires

When the CA cert is renewed, it is not automatically transferred to clients.
There one must run:
   # ipa-certupdate


On 04/26/2016 09:24 AM, Bret Wortman wrote:

I rolled the date on the IPA server in question back to April 1 and ran
"ipa-cacert-manage renew", which said it completed successfully. I rolled the
date back to current and tried restarting ipa using ipactl stop && ipactl
start, but no joy. No more ca renewal errors, but right after the pause I see
this in /var/log/messages:

systemd: kadmin.service: main process exited, code=exited,
status=2/INVALIDARGUMENT
systemd: Unit kadmin.service entered failed state.
systemd: kadmin.service failed.

I rebooted the server just in case, and it's still getting stuck at the same
place. ipa-otpd doesn't get around to starting.


Bret

After the several-minutes-long pause after ipactl start outputs "Starting
pki-tomcatd Service", I get the

On 04/26/2016 08:14 AM, Bret Wortman wrote:

I have an IPA server on a private network which has apparently run into
certificate issues this morning. It's been running without issue for quite a
while, and is on 4.1.4-1 on fedora 21.

This morning, the gui started giving:

IPA Error 907: NetworkError with description "cannot connect to
'https://zsipa.private.net:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your certificate as expired."

I dug into the logs and after trying to restart ipa using ipactl, there was a
lengthy pause, then:

dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in
database "/etc/httpd/alias" is no longer valid.
dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS
Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
dogtag-ipa-ca-renew-agent-submit: Updated certificate not available.
named-pkcs11[3437]: client 192.168.208.205#57832: update
'208.168.192.in-addr.arpa/IN' denied

and then things start shutting down. I can't start ipa at all using ipactl.

So at present, our DNS is down. Authentication should work for a while, but
I'd like to get this working again as quickly as possible. Any ideas? I deal
with certificates so infrequently (like only when something like this
happens) that I'm not sure where to start.

Thanks!


--
*Bret Wortman*
/Coming soon to Kickstarter.../

http://wrapbuddies.co/




Re: [Freeipa-users] IPA server having cert issues

2016-04-26 Thread Petr Vobornik
On 04/26/2016 03:26 PM, Bret Wortman wrote:
> On our non-CA IPA server, this is happening, in case it's related and 
> illustrative:
> 
> # ipa host-del zw113.private.net
> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
> certificate/key database is in an old, unsupported format.
> #

I would start with checking on all IPA servers if and what certificates
are expired:
  # getcert list
or short version to check if there are any:
  # getcert list | grep expires

When the CA cert is renewed, it is not automatically transferred to clients.
There one must run:
  # ipa-certupdate

> 
> On 04/26/2016 09:24 AM, Bret Wortman wrote:
>> I rolled the date on the IPA server in question back to April 1 and ran 
>> "ipa-cacert-manage renew", which said it completed successfully. I rolled 
>> the 
>> date back to current and tried restarting ipa using ipactl stop && ipactl 
>> start, but no joy. No more ca renewal errors, but right after the pause I 
>> see 
>> this in /var/log/messages:
>>
>> systemd: kadmin.service: main process exited, code=exited, 
>> status=2/INVALIDARGUMENT
>> systemd: Unit kadmin.service entered failed state.
>> systemd: kadmin.service failed.
>>
>> I rebooted the server just in case, and it's still getting stuck at the same 
>> place. ipa-otpd doesn't get around to starting.
>>
>>
>> Bret
>>
>> After the several-minutes-long pause after ipactl start outputs "Starting 
>> pki-tomcatd Service", I get the
>>
>> On 04/26/2016 08:14 AM, Bret Wortman wrote:
>>> I have an IPA server on a private network which has apparently run into 
>>> certificate issues this morning. It's been running without issue for quite 
>>> a 
>>> while, and is on 4.1.4-1 on fedora 21.
>>>
>>> This morning, the gui started giving:
>>>
>>> IPA Error 907: NetworkError with description "cannot connect to 
>>> 'https://zsipa.private.net:443/ca/agent/ca/displayBySerial': 
>>> (SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your certificate as 
>>> expired."
>>>
>>> I dug into the logs and after trying to restart ipa using ipactl, there was 
>>> a 
>>> lengthy pause, then:
>>>
>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
>>> certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in 
>>> database "/etc/httpd/alias" is no longer valid.
>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
>>> certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS 
>>> Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available.
>>> named-pkcs11[3437]: client 192.168.208.205#57832: update 
>>> '208.168.192.in-addr.arpa/IN' denied
>>>
>>> and then things start shutting down. I can't start ipa at all using ipactl.
>>>
>>> So at present, our DNS is down. Authentication should work for a while, but 
>>> I'd like to get this working again as quickly as possible. Any ideas? I 
>>> deal 
>>> with certificates so infrequently (like only when something like this 
>>> happens) that I'm not sure where to start.
>>>
>>> Thanks!
>>>
>>>
>>> -- 
>>> *Bret Wortman*
>>> /Coming soon to Kickstarter.../
>>> 
>>> http://wrapbuddies.co/
>>>
-- 
Petr Vobornik



Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-26 Thread Timo Aaltonen
On 26.04.2016, 16:52, Harald Dunkel wrote:
> Hi Timo,
> 
> On 04/18/2016 02:08 PM, Timo Aaltonen wrote:
>>
>> The old package used to create /etc/pki/nssdb on postinst, but with 644
>> permissions so I'm not sure why they have 600 here. 4.1.4 in
>> experimental migrated to /etc/ipa/nssdb, and I'm about to upload 4.3.1
>> to unstable this week, which should fix this for good.
>>
> 
> AFAICS there are just a few pending dependencies for 4.3.1
> on Jessie. Would you recommend backporting? I already did
> it for sssd.

I guess 4.3.1 would need to be in sid first, and it just got rejected
because of the minified javascript (bug #787593). Don't know when
that'll get fixed.


-- 
t



Re: [Freeipa-users] SAN with IP address [Was: Re: How to remove bad cert renewal from certmonger?]

2016-04-26 Thread Alexander Bokovoy

On Tue, 26 Apr 2016, Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:

On 25.4.2016 18:05, EXT Alexander Bokovoy wrote:

On Mon, 25 Apr 2016, Rob Crittenden wrote:

-8<-8<-8<-8<-8<-8<-8<-8<-8<-

-8<-8<-8<-8<-8<-8<-8<-8<-8<-


It is denied by IPA, not certmonger.

IP addresses are frowned upon in certs in general and they are denied
by IPA because the access control would be really difficult. Today a
host must be granted access to issue certs with additional names in it.

You can open a RFE for this on the IPA trac if you really need it.

I'm not deeply familiar with the new profile support so perhaps it is
possible to do this using the latest version of IPA, I'm not sure.

Correct and no, it is not right now.
Certificate profile defines what CA considers possible to grant when
issuing a cert. CA doesn't have contextual logic -- that would be
provided by an agent approving the cert. IPA framework is sitting in
front of CA to put the context in place and could be considered such an
agent, so we have logic to cross-check the request for fields that would
be conflicting with IPA access controls.

As it happens now, the IPA framework disallows IP addresses. Adding support
for that would need proper logic in place to decide which
address spaces to allow being managed by a requesting party -- a host
in your case, as certmonger asks for the cert on behalf of the host. We
don't have any system in place for that.


Because I am not an expert on IPA / cert-business I might 
over-simplify the case.


To me, letting an IP address of a related FQDN be added to the SAN would be 
quite a simple case. When I am requesting a cert for ipa2.public.domain 
and ipa2.management.domain and also want to have their IPs in the SAN 
extension of the cert, the logic would be something like: the IPA 
framework checks that the related FQDNs and their DNS information are in 
place in IPA => allow

We don't have for a general case any means to rely on the IP address <->
host name mapping. For cases where there is DNS zone managed by IPA we
might add a logic, I agree, but not in general unless there is DNSSEC in
place -- because with DNSSEC we could at least be able to verify
signatures on the records to see if we could trust the data.

There probably are much more complicated cases though. I understand 
that creating a huge number of exceptions for all the possible cases 
would be mission impossible. Thus it would be nice if there were a 
possibility for the ipa admin to create this kind of rule to allow local 
exceptions -- even frowned-upon ones.


In my original email I promised not to go into details about why I'd need the 
feature, but here we go...


In our case the IP in SAN would be needed because our lab has its own 
DNS space that is not published to the intranet side. However, there are 
situations when a user needs / wants to connect to certain web services in 
the lab also from the intranet (to change his password on IPA, for example). In 
such cases he has to give a URL with an IP address, but browsers say that 
the certificate is invalid because the cert is only valid for the FQDN.


Naturally it is possible to create an exception in the browser or add an 
/etc/hosts entry for the FQDN on the intranet computer. However, to me an IP in 
the SAN would be a much more elegant and clean solution.

I understand your pain. You can file a ticket with a feature request for
that use case.
--
/ Alexander Bokovoy


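As an added illustration of the access-control question Alexander and Tuomo discuss (not FreeIPA code; IPA itself rejects IP SANs outright, as stated above), the following Python sketches the rule Tuomo proposes with Alexander's two conditions made explicit: the requesting host must be allowed to ask for each DNS name, and an IP address is accepted only when the forward record of one of those names and the reverse record agree inside an IPA-managed, DNSSEC-signed zone. All zones, host names, addresses and the `MANAGED_BY` grants are constructed placeholders.

```python
"""Hypothetical policy check for IP addresses in a CSR's Subject Alternative
Name, in the spirit of the rule proposed in the thread. Added example, not
FreeIPA code (IPA currently rejects IP SANs). All DNS data is constructed."""
import ipaddress

# Constructed stand-in for IPA-managed DNS: zone -> DNSSEC status.
MANAGED_ZONES = {
    "lab.example.test.": {"dnssec": True},
    "mgmt.example.test.": {"dnssec": False},
}
A_RECORDS = {
    "ipa2.lab.example.test.": {"192.0.2.10"},
    "ipa2.mgmt.example.test.": {"198.51.100.10"},
    "web.lab.example.test.": {"192.0.2.20"},   # forward record only, no PTR
    "ipa2.other.test.": {"203.0.113.7"},       # not in any managed zone
}
PTR_RECORDS = {
    "192.0.2.10": "ipa2.lab.example.test.",
    "198.51.100.10": "ipa2.mgmt.example.test.",
}
# Extra names each host has been granted the right to request certs for
# (the access control Alexander mentions). Constructed.
MANAGED_BY = {
    "ipa2.lab.example.test.": {"ipa2.mgmt.example.test.", "web.lab.example.test.",
                               "ipa2.other.test."},
}


def fqdn(name):
    """Normalise to a lower-case, dot-terminated name."""
    return name.rstrip(".").lower() + "."


def zone_of(name):
    """Longest IPA-managed zone containing `name`, or None."""
    labels = fqdn(name).rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in MANAGED_ZONES:
            return candidate
    return None


def check_san_request(principal_host, dns_sans, ip_sans, require_dnssec=True):
    """Decide each SAN entry of a CSR submitted on behalf of `principal_host`.
    DNS names: allowed if the host itself or granted via MANAGED_BY.
    IPs: allowed only if an allowed name in the request has that A record,
    the name is in a managed (and, if required, DNSSEC-signed) zone, and
    the PTR points back at the same name. Returns {entry: (allowed, reason)}."""
    host = fqdn(principal_host)
    decisions, allowed_names = {}, {host}
    for name in dns_sans:
        n = fqdn(name)
        if n == host or n in MANAGED_BY.get(host, set()):
            decisions[name] = (True, "principal host or managed-by grant")
            allowed_names.add(n)
        else:
            decisions[name] = (False, f"{host} is not allowed to request {n}")
    for ip in ip_sans:
        try:
            addr = str(ipaddress.ip_address(ip))
        except ValueError:
            decisions[ip] = (False, "not an IP address")
            continue
        owners = sorted(n for n in allowed_names if addr in A_RECORDS.get(n, set()))
        if not owners:
            decisions[ip] = (False, "no allowed name in the request resolves to it")
            continue
        name = owners[0]
        zone = zone_of(name)
        if zone is None:
            decisions[ip] = (False, f"{name} is not in an IPA-managed zone")
        elif require_dnssec and not MANAGED_ZONES[zone]["dnssec"]:
            decisions[ip] = (False, f"zone {zone} is not DNSSEC-signed")
        elif PTR_RECORDS.get(addr) != name:
            decisions[ip] = (False, f"PTR for {addr} does not point back at {name}")
        else:
            decisions[ip] = (True, f"A and PTR records for {name} agree")
    return decisions


if __name__ == "__main__":
    result = check_san_request(
        "ipa2.lab.example.test",
        ["ipa2.mgmt.example.test", "web.lab.example.test", "ipa2.other.test"],
        ["192.0.2.10", "198.51.100.10", "192.0.2.20", "203.0.113.7", "203.0.113.99"],
    )
    for entry, (ok, why) in result.items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {entry:26} {why}")
```

The point of the DNSSEC condition is the one Alexander makes: without signatures the IPA side has no way to know whether the address-to-name mapping it is about to certify is trustworthy, so an admin-defined exception rule of the kind Tuomo asks for would still want to be scoped to zones the CA can verify.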

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
No, no changes. Lost connectivity with my VMs during the night (networking 
issues in datacenter)

Reboot the server and oops, no IPA is coming up... The replica (secondary 
server) is fine though.

Gady Notrica 

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: April 26, 2016 10:02 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 03:26 PM, Gady Notrica wrote:
> Here...
>
> [root@cd-p-ipa1 log]# ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other 
> services
> ipa: INFO: The ipactl command was successful
>
> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service 
> -l ● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
> Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
> preset: disabled)
> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 
> 30min ago
>Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i 
> -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid 
> (code=exited, status=1/FAILURE)
>
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 
> 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 
> 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
> cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
> valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
> attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
> cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
> valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
> attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
> cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
> valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
> attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file 
> /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, 
> error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax 
> OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the 
> reported problems and then restart the server.
This says the server doesn't know a syntax OID, but it is a known one. 
It could be that the syntax plugins couldn't be loaded. There are more errors 
before; could you check where the errors start in 
/var/log/dirsrv/slapd-/errors ?

And, did you do any changes to the system before this problem started ?
> [root@cd-p-ipa1 log]#
>
> Gady
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
> Sent: April 26, 2016 9:17 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>> Hello world,
>>
>>
>>
>> I am having issues this morning with my primary IPA. See below the 
>> details in the logs and command result. Basically, krb5kdc service 
>> not starting - krb5kdc: Server error - while fetching master key.
>>
>>
>>
>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>
>>
>>
>> Please help…!
>>
>>
>>
>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
>>
>> ● krb5kdc.service - Kerberos 5 KDC
>>
>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; 
>> disabled; vendor preset: disabled)
>>
>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 
>> EDT; 41min ago
>>
>>Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid 
>> $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>
>>
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos
>> 5 KDC...
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: 
>> cannot initialize realm IPA.DOMAIN.LOCAL- see log file for details
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service:
>> control process exited, code=exited 

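To follow Ludwig's advice (find where the errors start rather than reading only the last one), here is an added Python example, not from the thread or from 389-ds, that parses the 389-ds errors log format, collapses repeated lines such as the run of valueset_value_syntax_cmp messages, and lists the earliest distinct problems. The log is constructed: it reuses the messages quoted in the thread and puts a hypothetical plugin-load failure ahead of them, matching Ludwig's suspicion that the syntax plugins did not load; the instance and version strings are placeholders.

```python
"""Locate where trouble starts in a 389-ds errors log: parse timestamped
records, merge consecutive repeats, and report the earliest distinct
problems. Added example, not from the thread or 389-ds; the log is constructed."""
import re

# Constructed log: thread messages plus a hypothetical plugin-load failure
# before them. Instance and version strings are placeholders.
SAMPLE_ERRORS_LOG = """\
[26/Apr/2016:08:50:20 -0400] - 389-Directory/VERSION-PLACEHOLDER starting up
[26/Apr/2016:08:50:20 -0400] - Could not open library "/usr/lib64/dirsrv/plugins/libsyntax-plugin.so" for plugin Integer Syntax
[26/Apr/2016:08:50:20 -0400] - Unable to load plugin "cn=Integer Syntax,cn=plugins,cn=config"
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-INSTANCE-PLACEHOLDER/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
[26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
"""

# "[dd/Mon/yyyy:HH:MM:SS[.ns] +zzzz] [- ][SEVERITY - ]message"; the optional
# severity field appears in newer 389-ds releases.
LINE_RE = re.compile(
    r"^\[(?P<time>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})(?:\.\d+)? [+-]\d{4}\] "
    r"(?:- )?(?:(?P<sev>EMERG|ALERT|CRIT|ERR|WARN|NOTICE|INFO|DEBUG) - )?(?P<msg>.*)$"
)
STARTUP_NOISE = ("starting up", "slapd started", "slapd stopped")


def parse_errors_log(text):
    """One dict per record; lines without a timestamp continue the previous one."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"time": m.group("time"), "severity": m.group("sev") or "",
                            "message": m.group("msg")})
        elif records and line.strip():
            records[-1]["message"] += " " + line.strip()
    return records


def collapse_repeats(records):
    """Merge consecutive identical messages into one record with a count."""
    out = []
    for rec in records:
        if out and out[-1]["message"] == rec["message"]:
            out[-1]["count"] += 1
            out[-1]["last_time"] = rec["time"]
        else:
            out.append(dict(rec, count=1, last_time=rec["time"]))
    return out


def first_problems(text, limit=3):
    """Earliest `limit` distinct messages that are not plain start/stop notices."""
    problems = [r for r in collapse_repeats(parse_errors_log(text))
                if not any(noise in r["message"] for noise in STARTUP_NOISE)]
    return problems[:limit]


if __name__ == "__main__":
    for r in first_problems(SAMPLE_ERRORS_LOG):
        span = r["time"] if r["count"] == 1 else f"{r['time']}..{r['last_time']} (x{r['count']})"
        print(f"{span}: {r['message'][:110]}")
```

Read against the thread: the "Unknown attribute syntax OID" complaint is the last message, but it is a consequence of whatever stopped the syntax plugins from loading, which is why the earliest distinct record is the one worth chasing.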
Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Ludwig Krispenz


On 04/26/2016 03:26 PM, Gady Notrica wrote:

Here...

[root@cd-p-ipa1 log]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
preset: disabled)
Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min 
ago
   Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i 
/var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, 
status=1/FAILURE)

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] 
dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 
(Invalid syntax) - attribute type aci: Unknown attribute syntax OID 
"1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.
This says the server doesn't know a syntax OID, but it is a known one. 
It could be that the syntax plugins couldn't be loaded. There are more 
errors before; could you check where the errors start in 
/var/log/dirsrv/slapd-/errors ?


And, did you do any changes to the system before this problem started ?

[root@cd-p-ipa1 log]#

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 26, 2016 9:17 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 03:13 PM, Gady Notrica wrote:

Hello world,



I am having issues this morning with my primary IPA. See below the
details in the logs and command result. Basically, krb5kdc service not
starting - krb5kdc: Server error - while fetching master key.



DNS is functioning. See below dig result. I have a trust with Windows AD.



Please help…!



[root@cd-ipa1 log]# systemctl status krb5kdc.service -l
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
  Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)

Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
[root@cd-ipa1 log]#

Errors in /var/log/krb5kdc.log

krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL

[root@cd-ipa1 log]# systemctl status httpd -l
● httpd.service - The Apache HTTP Server
   Loaded: loaded 

[Freeipa-users] /var/log/dirsrv/slapd-*/acces: SSL peer cannot verify your certificate

2016-04-26 Thread Bjarne Blichfeldt
Ipa server: rhel7.2,  ipa ping ="IPA server version 4.2.0. API version 2.156"

In order to use ldap through a load balancer, I added an alternative dns name to 
the ipa server certificate:
ipa-getcert resubmit -i   -D newname.differentdomaine.net

It all seemed well: the extra name was entered into the certificate, expiration 
day 2018-04-27 12:20:55 UTC, and I can access ldaps through the load balancer.

But in /var/log/dirsrv/slapd-*/acces I see a lot of "SSL peer cannot verify 
your certificate" and cert operations
are gone:

idm1:~$ ipa cert-find
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate 
with CMS (Internal Server Error)

Anybody have an idea of what I missed?





Kind regards

Bjarne Blichfeldt
Infrastructure Services
Direct +4563636119
Mobile +4521593270
b...@jndata.dk

JN Data A/S
Havsteensvej 4
4000 Roskilde
Telephone 63 63 63 63 / Fax 63 63 63 64
www.jndata.dk
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-26 Thread Harald Dunkel
Hi Timo,

On 04/18/2016 02:08 PM, Timo Aaltonen wrote:
> 
> The old package used to create /etc/pki/nssdb on postinst, but with 644
> permissions so I'm not sure why they have 600 here. 4.1.4 in
> experimental migrated to /etc/ipa/nssdb, and I'm about to upload 4.3.1
> to unstable this week, which should fix this for good.
> 

AFAICS there are just a few pending dependencies for 4.3.1
on Jessie. Would you recommend backporting? I already did
it for sssd.


Regards
Harri



Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
Here...

[root@cd-p-ipa1 log]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min 
ago
  Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i 
/var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, 
status=1/FAILURE)

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, 
error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax 
OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.
[root@cd-p-ipa1 log]#

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 26, 2016 9:17 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 03:13 PM, Gady Notrica wrote:
> Hello world,
>
>
>
> I am having issues this morning with my primary IPA. See below the 
> details in the logs and command result. Basically, krb5kdc service not 
> starting - krb5kdc: Server error - while fetching master key.
>
>
>
> DNS is functioning. See below dig result. I have a trust with Windows AD.
>
>
>
> Please help…!
>
>
>
> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
> ● krb5kdc.service - Kerberos 5 KDC
>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
>   Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>
> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
> Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
> [root@cd-ipa1 log]#
>
> Errors in /var/log/krb5kdc.log
>
> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>
> [root@cd-ipa1 log]# systemctl status httpd -l
> ● httpd.service - The Apache HTTP Server
>    Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
>      Docs: man:httpd(8)
>            man:apachectl(8)
>   Process: 3594 

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Martin Babinsky

On 04/26/2016 03:13 PM, Gady Notrica wrote:

Hello world,



I am having issues this morning with my primary IPA. See below the
details in the logs and command result. Basically, krb5kdc service not
starting - krb5kdc: Server error - while fetching master key.



DNS is functioning. See below dig result. I have a trust with Windows AD.



Please help…!



[root@cd-ipa1 log]# systemctl status krb5kdc.service -l
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
  Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)

Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
[root@cd-ipa1 log]#

Errors in /var/log/krb5kdc.log

krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL

[root@cd-ipa1 log]# systemctl status httpd -l
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)

Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa         : ERROR    Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
[root@cd-ipa1 log]#


DNS Result for dig redhat.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;redhat.com.IN  A

;; ANSWER SECTION:
redhat.com. 60  IN  A   209.132.183.105

;; AUTHORITY SECTION:
.   849 IN  NS  f.root-servers.net.
.   849 IN  NS  e.root-servers.net.
.   849 IN  NS  k.root-servers.net.
.   849 IN  NS  m.root-servers.net.
.   849 IN  NS  b.root-servers.net.
.   849 IN  NS  g.root-servers.net.
.   849 IN  NS  c.root-servers.net.
.   849 IN  NS  h.root-servers.net.
.   849 IN  NS  l.root-servers.net.
.   849 IN  NS  a.root-servers.net.
.   849 IN  NS  j.root-servers.net.
.   849 IN  NS  i.root-servers.net.
.   849 IN  NS  d.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net. 3246IN  A   192.58.128.30

;; Query time: 79 msec
;; SERVER: 10.20.10.41#53(10.20.10.41)
;; WHEN: Tue Apr 26 09:02:43 EDT 2016
;; MSG SIZE  rcvd: 282



Gady Notrica| IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell.
416.818.4797 | 

[Freeipa-users] SAN with IP address [Was: Re: How to remove bad cert renewal from certmonger?]

2016-04-26 Thread Tikkanen, Tuomo (Nokia - FI/Espoo)

On 25.4.2016 18:05, EXT Alexander Bokovoy wrote:

On Mon, 25 Apr 2016, Rob Crittenden wrote:

-8<-8<-8<-8<-8<-8<-8<-8<-8<-

-8<-8<-8<-8<-8<-8<-8<-8<-8<-


It is denied by IPA, not certmonger.

IP addresses are frowned upon in certs in general and they are denied
by IPA because the access control would be really difficult. Today a
host must be granted access to issue certs with additional names in it.

You can open a RFE for this on the IPA trac if you really need it.

I'm not deeply familiar with the new profile support so perhaps it is
possible to do this using the latest version of IPA, I'm not sure.

Correct and no, it is not right now.
Certificate profile defines what CA considers possible to grant when
issuing a cert. CA doesn't have contextual logic -- that would be
provided by an agent approving the cert. IPA framework is sitting in
front of CA to put the context in place and could be considered such an
agent, so we have logic to cross-check the request for fields that would
be conflicting with IPA access controls.

As it happens now, IPA framework disallows IP addresses. Adding support
for that would need to get proper logic in place to decide which
address spaces to allow to be managed by a requesting party -- a host
in your case, as certmonger asks for the cert on behalf of the host. We
don't have any system in place for that.


Because I am not an expert on IPA / cert-business I might over-simplify 
the case.

To me, allowing an IP address of a related FQDN to be added to the SAN 
would be quite a simple case. When I am requesting a cert for 
ipa2.public.domain and ipa2.management.domain, I want to have their IPs 
in the SAN extension of the cert as well. The logic would be something 
like: the IPA framework checks that the related FQDNs and their DNS 
information are in place in IPA => allow

There probably are much more complicated cases though. I understand that 
creating a huge number of exceptions for all the possible cases would be 
mission impossible. Thus it would be nice if there were a possibility 
for the ipa admin to create this kind of rule to allow local exceptions -- 
even frowned-upon ones.

In my original email I promised not to go into the details of why I'd 
need the feature, but here we go...

In our case the IP in the SAN would be needed because our lab has its own 
DNS space that is not published to the intranet side. However, there are 
situations when a user needs / wants to connect to certain web services in 
the lab also from the intranet (to change his password on IPA, for 
example). In such cases he has to give a URL with the IP address, but 
browsers say that the certificate is invalid because the cert is only 
valid for the FQDN.

Naturally it is possible to create an exception in the browser or add an 
/etc/hosts entry for the FQDN on the intranet computer. However, to me an 
IP in the SAN would be a much more elegant and clean solution.


--
tuomo.tikka...@nokia.com

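The allow-rule Tuomo sketches above (an IP address in the SAN only when IPA DNS publishes it for an FQDN the requesting host already owns) is small enough to show as code. What follows is an added illustration, not part of this thread and not IPA's own request-validation code; the host names, addresses and the `check_san` function are constructed for the example, and the rule itself is Tuomo's proposal implemented as an assumption, not a statement of what any IPA version does.

```python
import ipaddress

# Constructed sample data (not from a real deployment): the FQDNs the requesting
# host owns in IPA, and the A/AAAA records IPA DNS publishes for them.
HOST_FQDNS = {"ipa2.public.domain", "ipa2.management.domain"}
DNS_RECORDS = {
    "ipa2.public.domain": {"192.0.2.10"},
    "ipa2.management.domain": {"198.51.100.10", "2001:db8::10"},
}


def check_san(san_entries, host_fqdns, dns_records):
    """Decide whether a requested SAN list is acceptable for this host.

    san_entries is a list of (kind, value) pairs, kind being "DNS" or "IP".
    Rule (the proposal from the thread, implemented here as an assumption):
      - a DNS name is allowed only if the requesting host owns it;
      - an IP address is allowed only if IPA DNS publishes it for one of the
        owned names, so a host cannot claim addresses outside its own records;
      - any other SAN type is refused.
    Returns (allowed, reasons); reasons is empty when allowed is True.
    """
    owned = {h.rstrip(".").lower() for h in host_fqdns}
    allowed_ips = set()
    for fqdn in host_fqdns:
        for addr in dns_records.get(fqdn, ()):
            allowed_ips.add(ipaddress.ip_address(addr))

    reasons = []
    for kind, value in san_entries:
        if kind == "DNS":
            if value.rstrip(".").lower() not in owned:
                reasons.append("DNS name %r is not owned by the requesting host" % value)
        elif kind == "IP":
            try:
                # ip_address() accepts v4 and v6 and normalises textual form,
                # so "2001:DB8::10" and "2001:db8::10" compare equal.
                ip = ipaddress.ip_address(value)
            except ValueError:
                reasons.append("IP SAN %r is not a valid address" % value)
                continue
            if ip not in allowed_ips:
                reasons.append("IP %r is not published in IPA DNS for an owned name" % value)
        else:
            reasons.append("SAN type %r is not permitted" % kind)
    return (not reasons, reasons)


if __name__ == "__main__":
    request = [("DNS", "ipa2.public.domain"), ("IP", "192.0.2.10"), ("IP", "203.0.113.5")]
    allowed, why = check_san(request, HOST_FQDNS, DNS_RECORDS)
    print("allowed" if allowed else "refused: " + "; ".join(why))
```

The point of tying the IP check to the DNS records of names the host already owns is that it reuses the access control Rob describes (a host must be granted the right to request additional names) rather than adding a second, separate address policy.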


[Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
Hello world,

I am having issues this morning with my primary IPA. See below the details in 
the logs and command result. Basically, krb5kdc service not starting - krb5kdc: 
Server error - while fetching master key.

DNS is functioning. See below dig result. I have a trust with Windows AD.

Please help…!

[root@cd-ipa1 log]# systemctl status krb5kdc.service -l
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor 
preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min 
ago
  Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid 
$KRB5KDC_ARGS (code=exited, status=1/FAILURE)

Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
[root@cd-ipa1 log]#

Errors in /var/log/krb5kdc.log

krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL

[root@cd-ipa1 log]# systemctl status httpd -l
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: 
disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min 
ago
 Docs: man:httpd(8)
   man:apachectl(8)
  Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, 
status=1/FAILURE)

Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa         : ERROR    Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
[root@cd-ipa1 log]#


DNS Result for dig redhat.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;redhat.com.IN  A

;; ANSWER SECTION:
redhat.com. 60  IN  A   209.132.183.105

;; AUTHORITY SECTION:
.   849 IN  NS  f.root-servers.net.
.   849 IN  NS  e.root-servers.net.
.   849 IN  NS  k.root-servers.net.
.   849 IN  NS  m.root-servers.net.
.   849 IN  NS  b.root-servers.net.
.   849 IN  NS  g.root-servers.net.
.   849 IN  NS  c.root-servers.net.
.   849 IN  NS  h.root-servers.net.
.   849 IN  NS  l.root-servers.net.
.   849 IN  NS  a.root-servers.net.
.   849 IN  NS  j.root-servers.net.
.   849 IN  NS  i.root-servers.net.
.   849 IN  NS  d.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net. 3246IN  A   192.58.128.30

;; Query time: 79 msec
;; SERVER: 10.20.10.41#53(10.20.10.41)
;; WHEN: Tue Apr 26 09:02:43 EDT 2016
;; MSG SIZE  rcvd: 282

Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 
| gnotr...@candeal.com
CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | 

Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-04-26 Thread Bjarne Blichfeldt
This is a follow-up to 
https://www.redhat.com/archives/freeipa-users/2016-January/msg00023.html

From: Jan Cholasta 
   Peter Pakos , freeipa-users redhat com
My question is, what is the correct way of installing a 3rd party
certificate for HTTP/LDAP that will actually work?


1. Install the CA certificate chain of the issuer of the 3rd party certificate 
to IPA using "ipa-cacert-manage install"

2. Run "ipa-certupdate" to update CA certificate related IPA configuration.

3. Manually import the server certificate into the /etc/dirsrv/slapd-REALM NSS 
database, configure the correct nickname in LDAP in the nsSSLPersonalitySSL 
attribute of cn=RSA,cn=encryption,cn=config and restart DS.

4. Manually import the server certificate into the /etc/httpd/alias NSS 
database, configure the correct nickname in /etc/httpd/conf.d/nss.conf using 
the NSSNickname directive and restart httpd.


I am in a similar situation and have some follow-up questions:

ad1:  If I run ipa-cacert-manage install 
--external-cert-file=/path/to/external_ca_certificate-chain, does this simply 
add the chain as an extra root ca without destroying the existing ipa-ca?

ad3: I assume the import is: certutil -A -d /etc/dirsrv/slapd-REALM.  How do I 
configure the ldap attribute?
Is it just a matter of making the change in /etc/dirsrv/ldap*/dse.ldif and 
restarting?

Also:
Where is the private key in all this?  I generate a csr with openssl, send the csr 
to the ca, receive the certificate, but I don't see any option in certutil to specify 
the private key. I did find an instruction on importing pkcs12 into nssdb; is 
this what is meant here?


Our setup:
  4 ipa servers, rhel7.2,  ipa ping ="IPA server version 4.2.0. API version 
2.156"
  mix of rhel6 (ipa-client 3.0.xx) and rhel7.1 (ipa-client 4.1.xx),







Regards,
Bjarne Blichfeldt


JN Data A/S
Havsteensvej 4
4000 Roskilde
Telephone 63 63 63 63 / Fax 63 63 63 64
www.jndata.dk
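Bjarne's two open questions (how to point the directory server at the new certificate, and where the private key lives) both come down to what is in the NSS database. certutil marks a certificate with the trust flag `u` only when the database also holds its private key, so a nickname is usable in nsSSLPersonalitySSL or NSSNickname only if its SSL flags contain `u`; `pk12util -i` imports key and certificate together, whereas `certutil -A` imports the certificate alone. The script below is an added example, not part of this thread and not IPA's or NSS's own tooling: it parses a constructed sample of `certutil -L` output, lists the nicknames that have a private key, and builds the LDIF for the attribute Jan names. The nicknames and flags in the sample are made up.

```python
import re

# Constructed sample of `certutil -L -d /etc/dirsrv/slapd-REALM` output.
# Nicknames and trust flags are made up for the example; the column layout
# (nickname, padding, then SSL,S/MIME,JAR/XPI flags) is certutil's.
SAMPLE_CERTUTIL_LIST = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
External Root CA                                             CT,,
ldap.example.test (3rd party)                                u,u,u
"""

# A data row: a nickname (may contain single spaces), two or more spaces,
# then three comma-separated flag groups. The two header lines never match.
_ROW = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$"
)


def parse_certutil_list(text):
    """Map nickname -> (ssl_flags, smime_flags, jar_flags) from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("flags").split(","))
    return certs


def nicknames_with_private_key(certs):
    """Nicknames whose SSL flags contain 'u'.

    certutil sets 'u' when the matching private key is in the key database, so
    these are the only nicknames the server can actually present; a certificate
    imported with `certutil -A` on its own never gets it."""
    return sorted(nick for nick, (ssl, _smime, _jar) in certs.items() if "u" in ssl)


def ldif_set_server_cert(nickname, certs):
    """LDIF that switches 389-ds to `nickname`, refusing nicknames that cannot work."""
    if nickname not in certs:
        raise ValueError("nickname %r is not in the NSS database" % nickname)
    if "u" not in certs[nickname][0]:
        raise ValueError("nickname %r has no private key in the database" % nickname)
    return (
        "dn: cn=RSA,cn=encryption,cn=config\n"
        "changetype: modify\n"
        "replace: nsSSLPersonalitySSL\n"
        "nsSSLPersonalitySSL: %s\n" % nickname
    )


if __name__ == "__main__":
    certs = parse_certutil_list(SAMPLE_CERTUTIL_LIST)
    print("usable server nicknames:", nicknames_with_private_key(certs))
    print(ldif_set_server_cert("ldap.example.test (3rd party)", certs))
```

Apply the LDIF with ldapmodify while the server is running (as Directory Manager or over the ldapi socket) and then restart the instance; editing dse.ldif by hand is only safe with the server stopped, because a running ns-slapd rewrites that file. The same nickname goes into the NSSNickname directive in /etc/httpd/conf.d/nss.conf once the certificate has been imported into /etc/httpd/alias with its key.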

Re: [Freeipa-users] server 1 cannot syn update to server 2 after restart

2016-04-26 Thread barrykfl
server 2 can sync updates to server 1, but the reverse fails

Any idea? error below:

Can't contact LDAP server



[26/Apr/2016:18:40:13 +0800] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be
added before the CoS Definition.
[26/Apr/2016:18:40:19 +0800] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be
added before the CoS Definition.
[26/Apr/2016:18:40:19 +0800] set_krb5_creds - Could not get initial
credentials for principal [ldap/central.abc@abc.com] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
[26/Apr/2016:18:40:19 +0800] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_492' not found)) errno 0 (Success)
[26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=
meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth
failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure.  Minor code may provide more information
(Credentials cache file '/tmp/krb5cc_492' not found))
[26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket
for LDAPI requests
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=
meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth
resumed
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=
meTocentral02.ABC.com" (central02:389): Missing data encountered
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=
meTocentral02.ABC.com" (central02:389): Incremental update failed and
requires administrator action

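Ludwig's advice in the krb5kdc thread above is to find where the errors start in the 389-ds errors log rather than reading from the end, and the replication log in this post shows why: the GSSAPI bind fails at 18:40:19 while the KDC is unreachable during startup, the bind resumes at 18:40:23, and the "Incremental update failed and requires administrator action" line is the one that actually needs attention. The script below is an added example, not part of either thread and not 389-ds or IPA tooling: it parses the errors-log line format, reports the first error-looking entry, collapses repeated messages with a count, and derives the last known state of each replication agreement. The sample log lines are constructed after the ones quoted in both threads, with made-up host names, realm and agreement name.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/dirsrv/slapd-*/errors, modelled on the lines
# quoted in this thread and in the krb5kdc thread; names are made up.
SAMPLE_ERRORS_LOG = """\
[26/Apr/2016:08:50:20 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=test--no CoS Templates found, which should be added before the CoS Definition.
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-EXAMPLE-TEST/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax)
[26/Apr/2016:18:40:19 +0800] set_krb5_creds - Could not get initial credentials for principal [ldap/ds1.example.test@EXAMPLE.TEST] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meTods2.example.test" (ds2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
[26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTods2.example.test" (ds2:389): Replication bind with GSSAPI auth resumed
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTods2.example.test" (ds2:389): Incremental update failed and requires administrator action
"""

# "[timestamp] component - message" or "[timestamp] - message" when the
# component field is empty.
_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?:(?P<comp>\S+) )?- (?P<msg>.*)$")
# Replication plugin messages name the agreement and the peer.
_AGMT = re.compile(r'agmt="(?P<name>[^"]+)" \((?P<peer>[^)]+)\): (?P<status>.*)$')
_ERROR_WORDS = re.compile(r"\b(failed|invalid|error|could not|cannot)\b", re.I)


def parse_errors_log(text):
    """Parse errors-log lines into dicts with ts (aware datetime), component, msg."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # continuation or unparsable line: skip rather than guess
        entries.append({
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "component": m.group("comp") or "",
            "msg": m.group("msg"),
        })
    return entries


def first_error(entries):
    """The earliest entry that looks like an error, i.e. where to start reading."""
    for e in entries:
        if _ERROR_WORDS.search(e["msg"]):
            return e
    return None


def summarize(entries):
    """Collapse repeated messages: msg -> (count, first_seen)."""
    summary = {}
    for e in entries:
        count, first = summary.get(e["msg"], (0, e["ts"]))
        summary[e["msg"]] = (count + 1, first)
    return summary


def replication_status(entries):
    """Last known state per agreement: name -> (verdict, status text, ts)."""
    state = {}
    for e in entries:
        if e["component"] != "NSMMReplicationPlugin":
            continue
        m = _AGMT.search(e["msg"])
        if not m:
            continue
        status = m.group("status")
        if "requires administrator action" in status:
            verdict = "needs-admin"      # e.g. missing data: re-initialise the consumer
        elif "bind" in status and "failed" in status:
            verdict = "bind-failed"      # transient if the KDC comes up later
        elif "resumed" in status:
            verdict = "ok"
        else:
            verdict = "info"
        state[m.group("name")] = (verdict, status, e["ts"])
    return state


if __name__ == "__main__":
    entries = parse_errors_log(SAMPLE_ERRORS_LOG)
    first = first_error(entries)
    print("errors start at", first["ts"], "with:", first["msg"][:60])
    for msg, (count, seen) in summarize(entries).items():
        print("%3dx %s  %s" % (count, seen.strftime("%H:%M:%S"), msg[:70]))
    for name, (verdict, status, ts) in replication_status(entries).items():
        print(name, "=>", verdict, "(", status, ")")
```

Running it on a real errors log means reading the file instead of the constructed string; the rest is unchanged. The "needs-admin" verdict is what to alert on: "bind-failed" followed by "resumed" is the normal startup race between the directory server and the KDC on the same host, whereas an incremental update that the server itself says requires administrator action will not recover on its own.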

Re: [Freeipa-users] concurrent requests to ipalib app giving network error

2016-04-26 Thread Petr Vobornik
On 04/22/2016 08:44 AM, Martin Basti wrote:
> 
> 
> On 21.04.2016 18:46, Oğuz Yarımtepe wrote:
>> Hi,
>>
>> I have a REST API that is using the ipalib and written with Falcon.
>> Below is the code or you can check it online here: 
>> http://paste.ubuntu.com/15966308/
>>
>> from __future__ import print_function
>> from bson import json_util
>> import json
>> import falcon
>>
>> from ipalib import api as ipaapi
>> from api.utils.utils import parse_json, check_connection
>> from api import settings
>>
>> class Calls(object):
>>
>>     #@falcon.before(check_connection)
>>     def on_post(self, req, resp):
>>
>>         result_json = parse_json(req)
>>         command_name = result_json["command_name"]
>>         params = result_json["params"]
>>
>>         if not hasattr(ipaapi.env, "conf"):
>>             #TODO: add kinit oguz for exceptional case
>>             ipaapi.bootstrap_with_global_options(context='satcloud_api')
>>             ipaapi.finalize()
>>
>>             if ipaapi.env.in_server:
>>                 ipaapi.Backend.ldap2.connect()
>>             else:
>>                 ipaapi.Backend.rpcclient.connect()
>>
>>         #import ipdb
>>         #ipdb.set_trace()
>>
>>         command=ipaapi.Command
>>         command_result=getattr(command,command_name)
>>
>>         #resp.set_cookie('api_status_cookie', 'True')
>>         if not params:
>>             resp.body = json.dumps(command_result())
>>             resp.status = falcon.HTTP_200
>>         else:
>>             if type(params) == dict:
>>                 arguments = []
>>                 kwargs = dict()
>>                 for key, value in params.iteritems():
>>                     if "arg" in key:
>>                         arguments.append(value)
>>                     else:
>>                         kwargs[key]=value
>>                 try:
>>                     #for datetime serialization problems better to use bson
>>                     dump = command_result(*arguments, **kwargs)
>>                     resp.body = json.dumps(dump, default=json_util.default)
>>                     #resp.body = json.dumps(command_result(*arguments, **kwargs))
>>                     resp.status = falcon.HTTP_200
>>                 except UnicodeDecodeError:
>>                     resp.body = json.dumps(dump, default=json_util.default, encoding='latin1')
>>                     resp.status = falcon.HTTP_200
>>                 except Exception as e:
>>                     resp.status = falcon.HTTP_BAD_REQUEST
>>                     resp.body = json.dumps({"description": e.message, "title": "Dublicate entry"})
>>                     #raise falcon.HTTPBadRequest(title="Dublicate entry",
>>                     #                            description=e,
>>                     #                            href=settings.__docs__)
>>             else:
>>                 dump = command_result(params)
>>                 resp.body = json.dumps(dump, default=json_util.default)
>>                 #resp.body = json.dumps(command_result(params))
>>                 resp.status = falcon.HTTP_200
>>
>>
>> Basically i am making concurrent calls to this rest api and i am getting
>>
>> Network error: http://paste.ubuntu.com/15966347/
>>
>> ipa: INFO: Forwarding 'user_find' to json server 
>> 'https://ipa.foo.com/ipa/json'
>> ipa: INFO: Forwarding 'netgroup_find' to json server 
>> 'https://ipa.foo.com/ipa/json'
>> [pid: 5450|app: 0|req: 9/14] 10.102.235.77 () {34 vars in 463 bytes} [Thu 
>> Apr 
>> 21 17:43:22 2016] POST /v1/ipa/calls => generated 2324 bytes in 227 msecs 
>> (HTTP/1.1 200) 8 headers in 459 bytes (1 switches on core 0)
>> Traceback (most recent call last):
>>   File "falcon/api.py", line 213, in falcon.api.API.__call__ 
>> (falcon/api.c:2521)
>>   File "falcon/api.py", line 182, in falcon.api.API.__call__ 
>> (falcon/api.c:2118)
>>   File "./api/resources/ipa/calls.py", line 38, in on_post
>> resp.body = json.dumps(command_result())
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in 
>> __call__
>> ret = self.run(*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 761, in 
>> run
>> return self.forward(*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 782, in 
>> forward
>> return self.Backend.rpcclient.forward(self.name , 
>> *args, 
>> **kw)
>>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 935, in forward
>> raise NetworkError(uri=server, error=e.errmsg)
>> ipalib.errors.NetworkError: cannot connect to 
>> 'https://ipa.foo.com/ipa/json': Internal 
>> Server 
>> Error
>> [pid: 5451|app: 0|req: 3/15] 10.102.235.77 () {34 vars in 463 bytes} [Thu 
>> Apr 
>> 21 17:43:22 2016] POST /v1/ipa/calls => generated 0 bytes in 1421 msecs 
>> (HTTP/1.1 500) 0 headers in 0 bytes (0 switches 

Re: [Freeipa-users] Migrate FreeIPA data from v3.0. to v4.2.0

2016-04-26 Thread Petr Vobornik
On 04/25/2016 11:33 PM, Anthony Cheng wrote:
> So I went ahead and ran the migrate-ds command; ran into issue that was 
> described here: 
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00398.html when 
> trying to change password
> 
> I re-ran migrate-ds option; but I actually don't see the user accounts being 
> migrated at all when I run a "ipa user-show user_name --all"
> 
> I supposed manual option/script is the only option at this point?
> 
> Anthony
> 
> On Mon, Apr 25, 2016 at 1:06 PM Anthony Cheng  > wrote:
> 
> Hi list,
> 
> Currently in the midst of doing a migration of FreeIPA from v3.0.0 to
> v4.2.0; I have set up the new IPA instances and I am looking at migrating 
> the data.

I'd assume that by v3.0.0 you mean RHEL 6.7 and by v4.2.0 RHEL 7.2. For
such a migration you can use the method of creating a replica:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc

With IPA upgraded from version 2.x, make sure that the internal CA users have
correct certificates and that all certificates are valid. Details are in the
thread "7.x replica install from 6.x master fails", especially:
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00046.html
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html

> 
> Based on the section under 'Migrating from other FreeIPA to FreeIPA' here
> 
> (http://www.freeipa.org/page/Howto/Migration#Migrating_existing_FreeIPA_deployment),
> it is suggested to run the following sample command:
> 
> echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts
> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> 
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass=mepOriginEntry --with-compat
> ldap://migrated.freeipa.server.test

Migrate DS was designed to be used for migration from a general LDAP
server to IPA, but it can also be used for IPA-to-IPA migration, given that
IPA also has an LDAP server.

> 
> My questions are:
> 1) Will this work as my new domain has changed (so realm is different)

Yes

> 2) Will this work for migration from 3.0.0 to 4.2.0?

Yes, but see the link above - it is the recommended method if you want
to just "upgrade".

> 3) Is this command safe to run from a production box?

The command doesn't make any changes on the source machine. It's always better
to try it first in a testing environment.

> 4) If it fails or is not safe to run, what is the alternative/process?
> (details would be appreciated)

It depends on how it fails.

> 
> Also on the same link, it mentions that "other objects (SUDO, HBAC, DNS,
> ...) have to be migrated manually, by exporting the LDIF from old FreeIPA
> instance, selecting the records to be migrated, updating the attributes in
> batch (e.g. new realm) and adding the cleaned LDIF to new FreeIPA."

Yes, automatic migration of records other than users and groups has not
yet been implemented; we have an RFE for such migration:
https://fedorahosted.org/freeipa/ticket/3656

> 
> I have some idea how to do LDIF import/export but is this process 
> documented
> anywhere (on freeipa.org)?

I'm not aware of any such document.
-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
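The manual step Petr describes for the objects migrate-ds does not handle (HBAC, SUDO, ...) is "export LDIF, select the records, rewrite the attributes in batch, add the cleaned LDIF to the new instance". The script below is an added example of that step, not code from this thread or from the FreeIPA project. It parses an LDIF export (folded lines and base64 values included), keeps only the entries below the chosen containers, drops attributes the target server maintains itself, rewrites the base DN and Kerberos realm, and emits LDIF that can be reviewed and added to the new master. The container RDNs, base DNs, realm names, the DROP_ATTRS list and the sample export are all assumptions made for the example.

```python
import base64
import re

# Attributes the target 389-ds/IPA server generates or maintains itself (memberOf
# comes from the memberof plugin); importing them fails or leaves stale data.
# Assumed list for this example: extend it for your deployment.
DROP_ATTRS = {"creatorsname", "modifiersname", "createtimestamp",
              "modifytimestamp", "entryusn", "nsuniqueid", "memberof"}


def parse_ldif(text):
    """Parse LDIF text into [(dn, [(attr, value), ...]), ...]; handles folded
    continuation lines (leading space), '#' comments and 'attr:: base64'."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]           # continuation of previous line
        else:
            unfolded.append(line)

    entries, dn, attrs = [], None, []
    for line in unfolded + [""]:               # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):              # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return entries


def _ldif_line(name, value):
    """One attribute line; values RFC 2849 cannot carry raw are base64-encoded."""
    safe = (all(ord(c) < 128 for c in value) and "\n" not in value
            and "\r" not in value and "\0" not in value
            and not value.startswith((" ", ":", "<")))
    if safe:
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def to_ldif(entries):
    """Serialize entries back to LDIF with a blank line between entries."""
    return "\n\n".join(
        "\n".join([_ldif_line("dn", dn)] + [_ldif_line(a, v) for a, v in attrs])
        for dn, attrs in entries) + "\n"


def migrate_entries(entries, containers, old_base, new_base, old_realm, new_realm):
    """Keep only entries below `containers` (RDNs relative to the old base DN,
    e.g. "cn=hbac") and rewrite them for the new base DN and Kerberos realm.
    The containers themselves are skipped: the new IPA already has them."""
    suffix_re = re.compile(re.escape(old_base) + "$", re.IGNORECASE)
    realm_re = re.compile("@" + re.escape(old_realm) + "$", re.IGNORECASE)

    def rewrite(value):
        # Entry DNs and DN-valued members (memberUser, memberHost, ...) end in
        # the old base DN; principal names end in @OLD.REALM. Nothing else moves.
        return realm_re.sub("@" + new_realm, suffix_re.sub(new_base, value))

    wanted = tuple(("," + c + "," + old_base).lower() for c in containers)
    result = []
    for dn, attrs in entries:
        if not dn.lower().endswith(wanted):
            continue
        kept = [(a, rewrite(v)) for a, v in attrs if a.lower() not in DROP_ATTRS]
        result.append((rewrite(dn), kept))
    return result


# Constructed sample export (not real data): a user, an HBAC rule, a sudo rule.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=old,dc=example,dc=com
objectClass: person
uid: alice
krbPrincipalName: alice@OLD.EXAMPLE.COM

dn: ipaUniqueID=0a1b2c3d-1111-2222-3333-444455556666,cn=hbac,dc=old,dc=example,dc=com
objectClass: ipahbacrule
cn: allow_ssh
ipaEnabledFlag: TRUE
accessRuleType: allow
serviceCategory: all
memberUser: cn=admins,cn=groups,cn=accounts,dc=old,dc=example,dc=com
memberHost: fqdn=web01.example.com,cn=computers,cn=accounts,dc=old,dc=example,
 dc=com
description:: w6lsw6l2YXRpb24=
creatorsName: cn=directory manager
modifyTimestamp: 20160421174322Z

dn: ipaUniqueID=9f8e7d6c-aaaa-bbbb-cccc-ddddeeeeffff,cn=sudorules,cn=sudo,dc=old,dc=example,dc=com
objectClass: ipasudorule
cn: admins_all
ipaEnabledFlag: TRUE
memberUser: cn=admins,cn=groups,cn=accounts,dc=old,dc=example,dc=com
hostCategory: all
cmdCategory: all
entryusn: 1234
"""


def run_example():
    """Rewrite the HBAC and sudo rules in SAMPLE_LDIF for the new realm."""
    migrated = migrate_entries(
        parse_ldif(SAMPLE_LDIF), containers=("cn=hbac", "cn=sudorules,cn=sudo"),
        old_base="dc=old,dc=example,dc=com", new_base="dc=new,dc=example,dc=com",
        old_realm="OLD.EXAMPLE.COM", new_realm="NEW.EXAMPLE.COM")
    return to_ldif(migrated)
```

In practice the input would be an export of each container taken from the old master (for instance `ldapsearch -x -LLL -D "cn=Directory Manager" -W -b cn=hbac,dc=old,dc=example,dc=com`, assuming that base DN), and the reviewed output would go to `ldapadd` against the new master. The user entry in the sample is deliberately left alone: users and groups are migrate-ds's job, and the example only covers what migrate-ds does not.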