Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

2016-05-05 Thread David LeVene
Hi Petr,

Thanks for the response.

I didn't know about Samba 4, so that's worth some further investigation on my 
part - Thanks.

So from what you've said below it can't run as a standalone, but SSSD does 
allow caching (if a user has authenticated previously). Does IPA have the ability 
to cache credentials for ~1 hour, so if there is a short loss of network 
connectivity users still get the OK from the cache?

I'm still having a look at SyncRepl from slapd for replication, but not sure 
how this will work in the event that the Provider is uncontactable - as long as 
it caches credentials/details for ~ 1 hour that's acceptable.

Regards
David

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Thursday, May 05, 2016 18:17
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

On 5.5.2016 06:28, David LeVene wrote:
> Hey All,
>
> I'm looking for a bit of direction around the best way to
> configure/setup an on-site cache &/or replica from an AD Server which
> will be uni-directional (AD -> IPA/slapd)
>
> The masters are multiple AD servers located around the place, and we exist in 
> a place which is outside of the core network and that network link is a 
> single point of failure.
>
> What I want to achieve is in the event we lose connectivity with the world 
> users can still authenticate, but if someone is disabled/updated at the top 
> level it replicates down. I've got a test AD Server & have been reviewing 
> IPA, but have hit an issue in that I can't get software installed on the AD 
> Masters for the 389 dir sync software.
>
> Currently I've configured a synchronization based solution with one way 
> replication from the AD Masters -> IPA. This works fine and I can see all the 
> users being created in IPA - but as the passwords can't be synced without 
> installing software I can't use this method.

All methods which can work completely off-line will require access to keys on 
the AD server. This means either some additional software on the AD side OR having 
a proper AD server which is hosted locally. This could theoretically be a Samba 4 
AD server if you want to try that.

If your clients are sufficiently new you can try to use SSSD everywhere but it 
comes with its own limitations, e.g. users who never logged in before will not be 
able to log in when the network link is down.

I hope this helps.

Petr^2 Spacek


> Another nice thing would be to have a separate domain/tree available so we 
> can split up the staff that are from the master servers and some client 
> related user/passes that won't be in the Global Directory - but managed from 
> the same place.
>
> Are there any other setups that will achieve what I require? I have seen slapd 
> with proxy cache but I'm not sure on this option either, and configuring 
> slapd with all the ldif files manually seems a little daunting at first sight.
>
> Thanks in advance,
> David

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
This email and any attachments may contain confidential and proprietary 
information of Blackboard that is for the sole use of the intended recipient. 
If you are not the intended recipient, disclosure, copying, re-distribution or 
other use of any of this information is strictly prohibited. Please immediately 
notify the sender and delete this transmission if you received this email in 
error.

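Petr's point about SSSD deserves a concrete check. The script below is an added example written for this page; it is not code from the posters or from the SSSD project. It reads an sssd.conf and reports whether a domain will honour cached logins while the IPA servers are unreachable. It assumes the standard sssd.conf layout: cache_credentials lives in the [domain/NAME] section and must be true, and offline_credentials_expiration lives in [pam] and is measured in days since the last successful online login (0 meaning no limit), so the ~1 hour window David asks about is not expressible; 1 day is the shortest non-zero value. As Petr says, the cache only ever holds users who have authenticated online at least once; sss_seed from sssd-tools can pre-populate an entry for a user who has not. The two configuration files in the block are constructed samples.

```shell
#!/bin/sh
# Added example: check whether an sssd.conf allows offline (cached) logins.
# The two configuration files below are constructed samples, not from the thread.

# Print the value of "key" in "[section]" of an ini-style file; first match wins.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 ~ "^[ \t]*\\[" {
            line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
            in_sec = (line == sec); next
        }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Returns 0 when users of the given domain who have logged in online before can
# still authenticate with the servers unreachable; prints the reason otherwise.
sssd_offline_ready() {
    conf="$1"; dom="$2"
    cc=$(ini_get "$conf" "domain/$dom" cache_credentials)
    exp=$(ini_get "$conf" pam offline_credentials_expiration)
    case "$cc" in
        [Tt]rue) ;;
        *) echo "domain/$dom: cache_credentials=${cc:-unset}; nothing is cached, offline login impossible" >&2
           return 1 ;;
    esac
    # offline_credentials_expiration is in days; 0 (or unset) means never expire
    if [ "${exp:-0}" -eq 0 ]; then
        echo "domain/$dom: offline login allowed, cached credentials never expire"
    else
        echo "domain/$dom: offline login allowed for $exp day(s) after the last online login"
    fi
}

# Constructed sample 1: a domain that never caches credentials.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa1.example.com
EOF

# Constructed sample 2: cached logins enabled and honoured for 7 days.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[sssd]
domains = example.com
services = nss, pam

[pam]
offline_credentials_expiration = 7

[domain/example.com]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa1.example.com
cache_credentials = True
EOF

for f in "$WEAK_CONF" "$GOOD_CONF"; do
    if sssd_offline_ready "$f" example.com; then :; fi
done
```

Run it against a real file with `sssd_offline_ready /etc/sssd/sssd.conf example.com`; the constructed first sample is what an unmodified ipa-client-install often leaves in place, and it is rejected.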


Re: [Freeipa-users] Help needed with keytabs

2016-05-05 Thread Roderick Johnstone

Hi again

After further testing, it seems like my problems were caused by the use 
of the -F option on the kinit line.


Roderick

On 05/05/2016 22:31, Roderick Johnstone wrote:

Hi Mike

Thanks for sharing your setup. It looks pretty much like mine.

I just tried your kinit command syntax and then I can ipa ping
successfully. Then I tried my kinit syntax (after a kdestroy) and I can
still ipa ping successfully!

So, it does work now, but I don't know why it didn't work for me
earlier. It feels like some sort of caching problem but I think kdestroy
clears the cache.

Thanks again for your help.

Roderick

On 05/05/2016 19:47, Michael ORourke wrote:


Roderick,

Here's how we do it.
Create a service account user, for example "svc_useradm".
Then generate a keytab for the service account, and store it somewhere
secure.
ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k
/root/svc_useradm.keytab

Now we can leverage the keytab for that user principal.
Example:
[root@infrae2u01 ~]# kdestroy

[root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab
svc_user...@lnx.dr.LOCAL

[root@infrae2u01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc_user...@lnx.dr.LOCAL

Valid starting     Expires            Service principal
05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/lnx.dr.lo...@lnx.dr.LOCAL

[root@infrae2u01 ~]# ipa ping
--
IPA server version 3.0.0. API version 2.49
--

If you need to access the service account, then set up a sudo rule to
switch user to that account.
Example: "sudo su - svc_useradm"

-Mike

-Original Message-

From: Roderick Johnstone 
Sent: May 5, 2016 12:39 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Help needed with keytabs

Hi

I need to run some ipa commands in cron jobs.

The post here:
https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
suggests I need to use a keytab file to authenticate kerberos.

I've tried the prescription there, with variations, without success.

My current testing framework is to log into the ipa client (RHEL6.7,
ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab,
destroy the current tickets, re-establish a tgt for the user with kinit
using the keytab and try to run an ipa command. The ipa command fails
(just like in my cron jobs which use the same kinit command).

1) Log into ipa client as user test.

2) Get the keytab
$ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k
/home/test/test.keytab -P
New Principal Password:
Verify Principal Password:
Keytab successfully retrieved and stored in: /home/test/test.keytab

I seem to have to reset the password to what it was in this step,
otherwise it gets set to something random and the user test cannot log
into the ipa client any more.

3) Log into the ipa client as user test. Then
$ kdestroy
$ klist
klist: No credentials cache found (ticket cache
FILE:/tmp/krb5cc_3395_PWO4wH)

4) kinit from the keytab:
$ kinit -F t...@example.com -k -t /home/test/test.keytab

5) Check the tickets
$ klist
Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
Default principal: t...@example.com

Valid starting     Expires            Service principal
05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/example@example.com

6) Run an ipa command:
$ ipa ping
ipa: ERROR: cannot connect to Gettext('any of the configured servers',
domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml,
https://ipa2.example.com/ipa/xml

Can someone advise what I'm doing wrong in this procedure please (some
strings were changed to anonymize the setting)?

For completeness of information, the ipa servers are RHEL 7.2,
ipa-server-4.2.0-15.el7_2.6.1.x86_64.

Thanks

Roderick Johnstone





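The procedure Mike describes (ipa-getkeytab for a service account, kinit -k -t, then the ipa command) is what a cron job needs. The wrapper below is an added example written for this page, not code from any of the posters. It assumes a dedicated service account with a placeholder principal svc_useradm@EXAMPLE.COM and a keytab path of your choosing; the kinit, ipa and kdestroy command names can be overridden through the KINIT, IPA and KDESTROY variables. Two points from the thread are built in: the keytab is refused unless it is readable only by its owner (it holds the account's long-term key, and ipa-getkeytab regenerates that key, which is why Roderick had to reset the password with -P; a service account that nobody logs in with avoids that), and kinit is called without -F, the option Roderick found to be the cause of his failure, since -F requests a non-forwardable TGT. The ticket cache goes into a private file named through KRB5CCNAME rather than the shared /tmp/krb5cc_0 and is destroyed after the command runs.

```shell
#!/bin/sh
# Added example: cron wrapper that authenticates from a user keytab and runs
# one ipa command. Placeholder values: the keytab path and the principal name.

# A keytab holds the principal's long-term key, so refuse anything that is
# readable by group or others (mode must be 0600 or 0400).
keytab_perms_ok() {
    kt="$1"
    [ -f "$kt" ] || return 1
    # columns 5-10 of "ls -l" are the group and other permission bits
    rest=$(ls -l "$kt" | cut -c5-10)
    [ "$rest" = "------" ]
}

# Authenticate into a private credential cache, run the ipa command given as
# the remaining arguments, then destroy the cache so no TGT is left behind.
# Return codes: 2 = keytab permissions rejected, 3 = kinit failed, otherwise
# the exit status of the ipa command.
run_with_keytab() {
    kt="$1"; princ="$2"; shift 2
    keytab_perms_ok "$kt" || {
        echo "refusing $kt: keytab must be mode 0600 or 0400" >&2
        return 2
    }
    cc=$(mktemp /tmp/krb5cc_cron.XXXXXX) || return 3
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    # No -F: -F asks for a non-forwardable TGT, which Roderick found breaks
    # the ipa client; the default forwardable TGT is what it needs.
    if ! "${KINIT:-kinit}" -k -t "$kt" "$princ"; then
        rm -f "$cc"
        return 3
    fi
    "${IPA:-ipa}" "$@"
    rc=$?
    "${KDESTROY:-kdestroy}" >/dev/null 2>&1
    rm -f "$cc"
    return $rc
}

# Example crontab line (placeholder path and principal):
#   */15 * * * * /usr/local/sbin/ipa-cron.sh /root/svc_useradm.keytab \
#       svc_useradm@EXAMPLE.COM user-find --sizelimit=1 >/dev/null
if [ "$#" -ge 3 ]; then
    run_with_keytab "$@"
fi
```

Because the cache is private to the job, a long-running interactive session on the same host cannot pick up the service account's TGT from /tmp/krb5cc_0, and nothing survives on disk once the job exits.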


[Freeipa-users] Looking for documentation for Python API

2016-05-05 Thread Joshua J. Kugler
[This didn't show up in the archives or list after 12 hours, so resending. 
Sorry if it's a dupe.]

I've been googling and looking through the documentation, but I have yet to 
find official docs for the Python API for FreeIPA.

The first result for 'python' when doing a search on www.freeipa.org is 
http://www.freeipa.org/page/Python_Coding_Style On that page, there is a link 
to "freeIPA Python API documentation" which goes to

https://www.freeipa.org/page/Documentation#Developer_Documentation

That page, however, doesn't have one mention of Python, and only one mention 
of "API" and that is "How to migrate your code to the new LDAP API" which 
doesn't seem to be related.  I did manage to find 
https://github.com/encukou/freeipa/tree/master/doc/examples which has a couple 
(very convoluted) examples, but seems far from complete.

There is a freeipa-python RPM, but *WHERE* is the documentation for the Python 
API. Or should I just shell-out to the 'ipa' command from all my python 
scripts? :)

I found 
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ and 
https://git.fedorahosted.org/cgit/freeipa.git/tree/API.txt so 
I'm sure I could work up something with python and requests, but I'd prefer to 
use the official API if I could. :)

Any assistance would be great! 

j

-- 
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
jos...@azariah.com - Jabber: pedah...@gmail.com
PGP Key: http://pgp.mit.edu/  ID 0x73B13B6A



Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-05-05 Thread Rob Crittenden

Anthony Cheng wrote:

More updates; it turns out that there were some duplicate and expired
certificates as well as incorrect trust attributes (e.g. seeing 2
instances of Server-Cert from certutil -L -d /etc/httpd/alias). So I
deleted the duplicate cert, re-added the certificate with a valid date and
fixed the cert trust attributes along the way.


You're fixing the wrong place. Apache is up and serving which is how you 
are getting Not Found. It is dogtag that isn't starting for some reason. 
Maybe Endi has some ideas.


rob



So it went from this

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

Server-Cert u,u,u
ipaCert   u,u,u
sample.NET IPA CA  CT,C,C
ipaCert   u,u,u
Signing-Certu,u,u
Server-Cert u,u,u

to this

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

ipaCertu,u,u
Server-Cert u,u,u
sample.NET IPA CA  CT,C,C
Signing-Certu,u,u

And also re-try resubmit/restart processes but unfortunately error
persists ( ca-error: Server failed request, will retry: 4301 (RPC
failed at server.  Certificate operation cannot be completed : Unable
to communicate with CMS (Not Found)).)

Currently I am in the process of recreating this problem on RHEL 6 to
try to get RH support on this.

Thanks, Anthony


On Wed, May 4, 2016 at 10:34 AM, Anthony Cheng
 wrote:

On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden  wrote:

Anthony Cheng wrote:


Small update, I found an article on the RH solution library
(https://access.redhat.com/solutions/2020223) that has the same error
code that I am getting and I followed the steps with certutil to update
the cert attributes but it is still not working.  The article is listed
as "Solution in Progress".

[root@test ~]# getcert list | more

Number of certificates and requests being tracked: 7.

Request ID '20111214223243':

status: CA_UNREACHABLE

ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be completed: Unable to communicate
with CMS (Not Found)).



Not Found means the CA didn't start. You need to examine the debug and
selftest logs to determine why.

rob


selftests.log is empty; there are entries for other times but not for
the test when I set the clock to renew certs.

[root@test pki-ca]# clock
Fri 29 Jan 2016 08:19:54 AM UTC  -0.960583 seconds
[root@test pki-ca]#
[root@test pki-ca]#

[root@test pki-ca]# ll * | grep self
-rw-r-. 1 pkiuser pkiuser     0 Nov 23 14:11 selftests.log
-rw-r-. 1 pkiuser pkiuser  1206 Apr  7  2015 selftests.log.20150407143526
-rw-r-. 1 pkiuser pkiuser  3673 Jun 30  2015 selftests.log.20150630163924
-rw-r-. 1 pkiuser pkiuser  1217 Aug 31 20:07 selftests.log.20150831160735
-rw-r-. 1 pkiuser pkiuser  3798 Oct 24 14:12 selftests.log.20151024101159

 From debug log I see some error messages:

[28/Jan/2016:21:09:03][main]: SigningUnit init: debug
org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
 at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)

Full log:

[28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
[28/Jan/2016:21:09:02][main]: 
[28/Jan/2016:21:09:02][main]: =  DEBUG SUBSYSTEM INITIALIZED   ===
[28/Jan/2016:21:09:02][main]: 
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
AUDIT_LOG_STARTUP
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
AUDIT_LOG_SHUTDOWN
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CONFIG_CERT_POLICY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CONFIG_CERT_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CONFIG_CRL_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CONFIG_OCSP_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
[28/Jan/2016:21:09:02][main]: 

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-05-05 Thread Anthony Cheng
More updates; it turns out that there were some duplicate and expired
certificates as well as incorrect trust attributes (e.g. seeing 2
instances of Server-Cert from certutil -L -d /etc/httpd/alias). So I
deleted the duplicate cert, re-added the certificate with a valid date and
fixed the cert trust attributes along the way.

So it went from this

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

Server-Cert u,u,u
ipaCert   u,u,u
sample.NET IPA CA  CT,C,C
ipaCert   u,u,u
Signing-Certu,u,u
Server-Cert u,u,u

to this

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

ipaCertu,u,u
Server-Cert u,u,u
sample.NET IPA CA  CT,C,C
Signing-Certu,u,u

And also re-try resubmit/restart processes but unfortunately error
persists ( ca-error: Server failed request, will retry: 4301 (RPC
failed at server.  Certificate operation cannot be completed : Unable
to communicate with CMS (Not Found)).)

Currently I am in the process of recreating this problem on RHEL 6 to
try to get RH support on this.

Thanks, Anthony


On Wed, May 4, 2016 at 10:34 AM, Anthony Cheng
 wrote:
> On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden  wrote:
>> Anthony Cheng wrote:
>>>
>>> Small update, I found an article on the RH solution library
>>> (https://access.redhat.com/solutions/2020223) that has the same error
>>> code that I am getting and I followed the steps with certutil to update
>>> the cert attributes but it is still not working.  The article is listed
>>> as "Solution in Progress".
>>>
>>> [root@test ~]# getcert list | more
>>>
>>> Number of certificates and requests being tracked: 7.
>>>
>>> Request ID '20111214223243':
>>>
>>> status: CA_UNREACHABLE
>>>
>>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>>> server. Certificate operation cannot be completed: Unable to communicate
>>> with CMS (Not Found)).
>>
>>
>> Not Found means the CA didn't start. You need to examine the debug and
>> selftest logs to determine why.
>>
>> rob
>
> selftests.log is empty; there are entries for other times but not for
> the test when I set the clock to renew certs.
>
> [root@test pki-ca]# clock
> Fri 29 Jan 2016 08:19:54 AM UTC  -0.960583 seconds
> [root@test pki-ca]#
> [root@test pki-ca]#
>
> [root@test pki-ca]# ll * | grep self
> -rw-r-. 1 pkiuser pkiuser     0 Nov 23 14:11 selftests.log
> -rw-r-. 1 pkiuser pkiuser  1206 Apr  7  2015 selftests.log.20150407143526
> -rw-r-. 1 pkiuser pkiuser  3673 Jun 30  2015 selftests.log.20150630163924
> -rw-r-. 1 pkiuser pkiuser  1217 Aug 31 20:07 selftests.log.20150831160735
> -rw-r-. 1 pkiuser pkiuser  3798 Oct 24 14:12 selftests.log.20151024101159
>
> From debug log I see some error messages:
>
> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug
> org.mozilla.jss.crypto.ObjectNotFoundException
> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
> Certificate object not found
> at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>
> Full log:
>
> [28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
> [28/Jan/2016:21:09:02][main]: 
> [28/Jan/2016:21:09:02][main]: =  DEBUG SUBSYSTEM INITIALIZED   ===
> [28/Jan/2016:21:09:02][main]: 
> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> AUDIT_LOG_STARTUP
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> AUDIT_LOG_SHUTDOWN
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CONFIG_CERT_POLICY
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CONFIG_CERT_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CONFIG_CRL_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CONFIG_OCSP_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
> [28/Jan/2016:21:09:02][main]: LogFile: log event type 
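Rob's diagnosis is that the CA (Dogtag) is not starting, and the SigningUnit lines in the debug log say why in Dogtag's terms: at startup the CA could not find its signing certificate, under the nickname it is configured with, in its own NSS database. Anthony's cleanup was done on /etc/httpd/alias, which Apache uses, not the CA. The script below is an added example written for this page, not code from the thread or from FreeIPA. It reads a certutil -L listing and reports nicknames that occur more than once, which is the duplicate condition Anthony spotted by eye, and offers to run that check over the NSS databases of an IPA CA master. The database paths are assumptions for a RHEL 6-era install (/etc/httpd/alias for Apache, /var/lib/pki-ca/alias for the CA, the /etc/dirsrv/slapd-* directories for 389-ds); the listing embedded in the block is a constructed copy of Anthony's "before" output.

```shell
#!/bin/sh
# Added example: find duplicate nicknames in "certutil -L" output.
# Database paths are assumptions for a RHEL 6-era IPA CA master.

# Read a certutil -L listing on stdin and print each nickname that appears
# more than once, one per line. The last field of a body line is the trust
# string (u,u,u / CT,C,C / ,,); everything before it is the nickname, which
# may contain spaces.
nss_dup_nicknames() {
    awk '
        # the header ends with the line naming the trust columns
        !body { if ($0 ~ /SSL,S\/MIME,JAR\/XPI/) body = 1; next }
        NF < 2 { next }
        { nick = $0; sub(/[ \t]+[^ \t]+$/, "", nick); count[nick]++ }
        END { for (n in count) if (count[n] > 1) print n }
    ' | LC_ALL=C sort
}

# Run the check over every NSS database an IPA CA master keeps (assumed paths).
check_ipa_nss_dbs() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 1; }
    for db in /etc/httpd/alias /var/lib/pki-ca/alias /etc/dirsrv/slapd-*; do
        [ -d "$db" ] || continue
        dups=$(certutil -L -d "$db" | nss_dup_nicknames)
        if [ -n "$dups" ]; then
            printf '%s: duplicate nickname(s):\n%s\n' "$db" "$dups"
        else
            echo "$db: no duplicate nicknames"
        fi
    done
}

# Constructed sample: Anthony's "before" listing of /etc/httpd/alias.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
sample.NET IPA CA                                            CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u
'

# Duplicates in the constructed sample: Server-Cert and ipaCert.
sample_dups() {
    printf '%s\n' "$SAMPLE_LISTING" | nss_dup_nicknames
}

sample_dups
```

When the CA database itself is clean but the CA still logs "Certificate object not found", compare the signing nickname in the CA's CS.cfg with the nicknames certutil actually lists for that database; a listing that is merely free of duplicates does not guarantee the configured nickname is present.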

Re: [Freeipa-users] Help needed with keytabs

2016-05-05 Thread Roderick Johnstone

Hi Mike

Thanks for sharing your setup. It looks pretty much like mine.

I just tried your kinit command syntax and then I can ipa ping 
successfully. Then I tried my kinit syntax (after a kdestroy) and I can 
still ipa ping successfully!


So, it does work now, but I don't know why it didn't work for me 
earlier. It feels like some sort of caching problem but I think kdestroy 
clears the cache.


Thanks again for your help.

Roderick

On 05/05/2016 19:47, Michael ORourke wrote:


Roderick,

Here's how we do it.
Create a service account user, for example "svc_useradm".
Then generate a keytab for the service account, and store it somewhere secure.
ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k 
/root/svc_useradm.keytab

Now we can leverage the keytab for that user principal.
Example:
[root@infrae2u01 ~]# kdestroy

[root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab 
svc_user...@lnx.dr.LOCAL

[root@infrae2u01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc_user...@lnx.dr.LOCAL

Valid starting     Expires            Service principal
05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/lnx.dr.lo...@lnx.dr.LOCAL

[root@infrae2u01 ~]# ipa ping
--
IPA server version 3.0.0. API version 2.49
--

If you need to access the service account, then set up a sudo rule to switch 
user to that account.
Example: "sudo su - svc_useradm"

-Mike

-Original Message-

From: Roderick Johnstone 
Sent: May 5, 2016 12:39 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Help needed with keytabs

Hi

I need to run some ipa commands in cron jobs.

The post here:
https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
suggests I need to use a keytab file to authenticate kerberos.

I've tried the prescription there, with variations, without success.

My current testing framework is to log into the ipa client (RHEL6.7,
ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab,
destroy the current tickets, re-establish a tgt for the user with kinit
using the keytab and try to run an ipa command. The ipa command fails
(just like in my cron jobs which use the same kinit command).

1) Log into ipa client as user test.

2) Get the keytab
$ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k
/home/test/test.keytab -P
New Principal Password:
Verify Principal Password:
Keytab successfully retrieved and stored in: /home/test/test.keytab

I seem to have to reset the password to what it was in this step,
otherwise it gets set to something random and the user test cannot log
into the ipa client any more.

3) Log into the ipa client as user test. Then
$ kdestroy
$ klist
klist: No credentials cache found (ticket cache
FILE:/tmp/krb5cc_3395_PWO4wH)

4) kinit from the keytab:
$ kinit -F t...@example.com -k -t /home/test/test.keytab

5) Check the tickets
$ klist
Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
Default principal: t...@example.com

Valid starting     Expires            Service principal
05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/example@example.com

6) Run an ipa command:
$ ipa ping
ipa: ERROR: cannot connect to Gettext('any of the configured servers',
domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml,
https://ipa2.example.com/ipa/xml

Can someone advise what I'm doing wrong in this procedure please (some
strings were changed to anonymize the setting)?

For completeness of information, the ipa servers are RHEL 7.2,
ipa-server-4.2.0-15.el7_2.6.1.x86_64.

Thanks

Roderick Johnstone





Re: [Freeipa-users] Dogtag migration to FreeIPA

2016-05-05 Thread Fraser Tweedale
On Thu, May 05, 2016 at 12:46:48PM -0700, Ha T. Lam wrote:
> Hi Fraser,
> 
> Thank you very much for the immediate response. Our use-case for Dogtag is:
> our installation engineers request a signing CA cert through the Dogtag web
> interface, and our admin grants the request, anything following is not
> managed with Dogtag. So we only use Dogtag for managing the root cert and
> the signing CA certs (beside OCSP, audit certs, etc that come with the
> system).
> 
> I'm not sure how your solution would work in our case, if we import a
> signing cert into Dogtag and sign other certs that we give to our
> installation engineers using it, it would change our current cert chain.
> 
> Reading your reply, I realized I probably misunderstood how FreeIPA worked,
> I thought I only needed to import Dogtag's Root CA (which is our company
> Root CA) into FreeIPA's Dogtag for it to work. Just for checking, this
> would not work, would it?
> 
Correct; there isn't right now a way to "adopt" an existing CA into
an existing Dogtag instance.

In either case, because you are issuing admin-approved CA
certificates, I don't think FreeIPA fits your use case.  In the
future we will support sub-CA creation (it is what I am working on)
so you might want to evaluate FreeIPA once that feature has landed.

Cheers,
Fraser

> Thanks,
> Ha
> 
> On Wed, May 4, 2016 at 7:24 PM, Fraser Tweedale  wrote:
> 
> > On Wed, May 04, 2016 at 06:51:20PM -0700, Ha T. Lam wrote:
> > > Hi,
> > >
> > > We have an in-house CA system managed by a stand-alone Dogtag system, we
> > > would like to integrate it with our FreeIPA system which is already in
> > use
> > > and is setup with the company LDAP. I'm new to FreeIPA and I have some
> > > questions about this process:
> > >
> > > 1. Is it possible to add our current Dogtag on top of the FreeIPA system
> > > directly? If so, how would I achieve that?
> > >
> > This is not supported, though it's technically feasible (we just
> > don't have any code to do it).
> >
> > > 2. If it's not possible to do the above, what about setting up a clone of
> > > the current FreeIPA system and migrate Dogtag during the installation of
> > > the replica? Is this a better option?
> > >
> > Same as above... technically feasible but no way to do it right now.
> >
> > > 3. Any other alternative?
> > >
> > One alternative is to export your CA signing cert and key, and
> > install a new Dogtag instance in your FreeIPA environment.  The IPA
> > Dogtag instance would be "detached" from your existing Dogtag
> > instance but, cryptographically speaking, it would be the same CA.
> >
> > You would have to tweak serial number ranges to ensure the new
> > instance doesn't reuse serial numbers that were already used (a
> > simple procedure).
> >
> > How well this would work in your organisation would depend on what
> > sorts of things you use the existing Dogtag for, how clients expect
> > to renew certificates, etc.  I'm happy to answer questions you might
> > have in considering this approach.
> >
> > Cheers,
> > Fraser
> >



Re: [Freeipa-users] Dogtag migration to FreeIPA

2016-05-05 Thread Ha T. Lam
Hi Fraser,

Thank you very much for the immediate response. Our use-case for Dogtag is:
our installation engineers request a signing CA cert through the Dogtag web
interface, and our admin grants the request, anything following is not
managed with Dogtag. So we only use Dogtag for managing the root cert and
the signing CA certs (beside OCSP, audit certs, etc that come with the
system).

I'm not sure how your solution would work in our case, if we import a
signing cert into Dogtag and sign other certs that we give to our
installation engineers using it, it would change our current cert chain.

Reading your reply, I realized I probably misunderstood how FreeIPA worked,
I thought I only needed to import Dogtag's Root CA (which is our company
Root CA) into FreeIPA's Dogtag for it to work. Just for checking, this
would not work, would it?

Thanks,
Ha

On Wed, May 4, 2016 at 7:24 PM, Fraser Tweedale  wrote:

> On Wed, May 04, 2016 at 06:51:20PM -0700, Ha T. Lam wrote:
> > Hi,
> >
> > We have an in-house CA system managed by a stand-alone Dogtag system, we
> > would like to integrate it with our FreeIPA system which is already in
> use
> > and is setup with the company LDAP. I'm new to FreeIPA and I have some
> > questions about this process:
> >
> > 1. Is it possible to add our current Dogtag on top of the FreeIPA system
> > directly? If so, how would I achieve that?
> >
> This is not supported, though it's technically feasible (we just
> don't have any code to do it).
>
> > 2. If it's not possible to do the above, what about setting up a clone of
> > the current FreeIPA system and migrate Dogtag during the installation of
> > the replica? Is this a better option?
> >
> Same as above... technically feasible but no way to do it right now.
>
> > 3. Any other alternative?
> >
> One alternative is to export your CA signing cert and key, and
> install a new Dogtag instance in your FreeIPA environment.  The IPA
> Dogtag instance would be "detached" from your existing Dogtag
> instance but, cryptographically speaking, it would be the same CA.
>
> You would have to tweak serial number ranges to ensure the new
> instance doesn't reuse serial numbers that were already used (a
> simple procedure).
>
> How well this would work in your organisation would depend on what
> sorts of things you use the existing Dogtag for, how clients expect
> to renew certificates, etc.  I'm happy to answer questions you might
> have in considering this approach.
>
> Cheers,
> Fraser
>

Re: [Freeipa-users] Help needed with keytabs

2016-05-05 Thread Michael ORourke

Roderick,

Here's how we do it.  
Create a service account user, for example "svc_useradm".
Then generate a keytab for the service account, and store it somewhere secure.
ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k 
/root/svc_useradm.keytab

Now we can leverage the keytab for that user principal.
Example:
[root@infrae2u01 ~]# kdestroy

[root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab 
svc_user...@lnx.dr.LOCAL

[root@infrae2u01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc_user...@lnx.dr.LOCAL

Valid starting     Expires            Service principal
05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/lnx.dr.lo...@lnx.dr.LOCAL

[root@infrae2u01 ~]# ipa ping
--
IPA server version 3.0.0. API version 2.49
--

If you need to access the service account, then set up a sudo rule to switch 
user to that account.
Example: "sudo su - svc_useradm"

-Mike

-Original Message-
>From: Roderick Johnstone 
>Sent: May 5, 2016 12:39 PM
>To: freeipa-users@redhat.com
>Subject: [Freeipa-users] Help needed with keytabs
>
>Hi
>
>I need to run some ipa commands in cron jobs.
>
>The post here: 
>https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html 
>suggests I need to use a keytab file to authenticate kerberos.
>
>I've tried the prescription there, with variations, without success.
>
>My current testing framework is to log into the ipa client (RHEL6.7, 
>ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, 
>destroy the current tickets, re-establish a tgt for the user with kinit 
>using the keytab and try to run an ipa command. The ipa command fails 
>(just like in my cron jobs which use the same kinit command).
>
>1) Log into ipa client as user test.
>
>2) Get the keytab
>$ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k 
>/home/test/test.keytab -P
>New Principal Password:
>Verify Principal Password:
>Keytab successfully retrieved and stored in: /home/test/test.keytab
>
>I seem to have to reset the password to what it was in this step, 
>otherwise it gets set to something random and the user test cannot log 
>into the ipa client any more.
>
>3) Log into the ipa client as user test. Then
>$ kdestroy
>$ klist
>klist: No credentials cache found (ticket cache 
>FILE:/tmp/krb5cc_3395_PWO4wH)
>
>4) kinit from the keytab:
>$ kinit -F t...@example.com -k -t /home/test/test.keytab
>
>5) Check the tickets
>$ klist
>Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
>Default principal: t...@example.com
>
>Valid starting     Expires            Service principal
>05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/example@example.com
>
>6) Run an ipa command:
>$ ipa ping
>ipa: ERROR: cannot connect to Gettext('any of the configured servers', 
>domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, 
>https://ipa2.example.com/ipa/xml
>
>Can someone advise what I'm doing wrong in this procedure please (some 
>strings were changed to anonymize the setting)?
>
>For completeness of information, the ipa servers are RHEL 7.2, 
>ipa-server-4.2.0-15.el7_2.6.1.x86_64.
>
>Thanks
>
>Roderick Johnstone
>



Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-05 Thread Gary T. Giesen
As a control, I fired up a new VPS, did a new minimal CentOS 7.2 install and
I have the same problem.

These are the steps I took:

# yum update -y
# yum install -y nano net-tools wget
# yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# cd /etc/yum.repos.d/
# wget -N https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo
# yum install -y haveged
# systemctl start haveged
# systemctl enable haveged
# yum install -y ipa-server ipa-server-dns
# ipa-server-install -r EXAMPLE.COM -n example.com --mkhomedir --ip-address=192.0.2.10 --idstart=10 --idmax=19 --no-ui-redirect --ssh-trust-dns --setup-dns --no-forwarders --no-reverse
# ipa-dns-install --no-forwarders --no-reverse --dnssec-master
# ipa dnszone-mod example.com --dnssec=true


GTG

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gary T. Giesen
Sent: May-05-16 11:19 AM
To: 'Petr Spacek' ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

I'm not entirely sure if this is what you were asking for, but here's a
manual LDAP query and the associated logs, and then I restarted
ipa-dnskeysyncd and the logs associated with that as well:


[root@host /]# date
Thu May  5 10:52:12 EDT 2016
[root@host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' -s sub '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
SASL/GSSAPI authentication started
SASL username: u...@example.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base 

[Freeipa-users] Help needed with keytabs

2016-05-05 Thread Roderick Johnstone

Hi

I need to run some ipa commands in cron jobs.

The post here: 
https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html 
suggests I need to use a keytab file to authenticate kerberos.


I've tried the prescription there, with variations, without success.

My current testing framework is to log into the ipa client (RHEL6.7, 
ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, 
destroy the current tickets, re-establish a tgt for the user with kinit 
using the keytab and try to run an ipa command. The ipa command fails 
(just like in my cron jobs which use the same kinit command).


1) Log into ipa client as user test.

2) Get the keytab
$ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k 
/home/test/test.keytab -P

New Principal Password:
Verify Principal Password:
Keytab successfully retrieved and stored in: /home/test/test.keytab

I seem to have to reset the password to what it was in this step, 
otherwise it gets set to something random and the user test cannot log 
into the ipa client any more.


3) Log into the ipa client as user test. Then
$ kdestroy
$ klist
klist: No credentials cache found (ticket cache 
FILE:/tmp/krb5cc_3395_PWO4wH)


4) kinit from the keytab:
$ kinit -F t...@example.com -k -t /home/test/test.keytab

5) Check the tickets
$ klist
Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
Default principal: t...@example.com

Valid starting     Expires            Service principal
05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/example@example.com

6) Run an ipa command:
$ ipa ping
ipa: ERROR: cannot connect to Gettext('any of the configured servers', 
domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, 
https://ipa2.example.com/ipa/xml


Can someone advise what I'm doing wrong in this procedure please (some 
strings were changed to anonymize the setting)?


For completeness of information, the ipa servers are RHEL 7.2, 
ipa-server-4.2.0-15.el7_2.6.1.x86_64.


Thanks

Roderick Johnstone

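The same kinit-from-keytab steps, packaged the way a cron job would use them, as an added Python example that is not from the thread (the thread does not settle why `ipa ping` failed for Roderick; this only shows how to keep a scheduled job's ticket cache separate from the user's interactive one). The principal `test@EXAMPLE.COM` and the keytab path are assumed stand-ins for the anonymised values above.

```python
import os
import subprocess
import tempfile

# Assumed values: the thread anonymises its principal as "t...@example.com";
# the realm EXAMPLE.COM follows the other installs on this page.
PRINCIPAL = "test@EXAMPLE.COM"
KEYTAB = "/home/test/test.keytab"


def kinit_command(principal, keytab):
    """Non-interactive TGT acquisition: -k reads the key from a keytab, -t names the file."""
    return ["kinit", "-k", "-t", keytab, principal]


def run_with_keytab(principal, keytab, command, env=None):
    """Run `command` with a TGT obtained from `keytab` in a job-private credential cache.

    A fresh KRB5CCNAME means the cron job neither depends on nor overwrites the
    user's interactive cache (the /tmp/krb5cc_<uid>_XXXX files shown in the
    thread); the cache lives in a mode-0700 temporary directory and is destroyed
    once the command has finished.  Returns the CompletedProcess of `command`;
    raises RuntimeError if no ticket could be obtained.
    """
    env = dict(os.environ if env is None else env)
    with tempfile.TemporaryDirectory() as ccdir:
        env["KRB5CCNAME"] = "FILE:" + os.path.join(ccdir, "krb5cc")
        try:
            kinit = subprocess.run(kinit_command(principal, keytab), env=env,
                                   capture_output=True, text=True)
        except FileNotFoundError as exc:  # kinit is not installed / not on PATH
            raise RuntimeError(f"kinit unavailable: {exc}") from exc
        if kinit.returncode != 0:
            raise RuntimeError(f"kinit failed: {kinit.stderr.strip()}")
        try:
            return subprocess.run(command, env=env, capture_output=True, text=True)
        finally:
            # Drop the ticket as soon as the job is done.
            subprocess.run(["kdestroy", "-c", env["KRB5CCNAME"]], env=env,
                           capture_output=True)


if __name__ == "__main__":
    result = run_with_keytab(PRINCIPAL, KEYTAB, ["ipa", "ping"])
    print(result.stdout or result.stderr)
```

`kinit -k -t` replaces the interactive password prompt, and every `ipa` invocation inherits the job-private `KRB5CCNAME` through the environment. The `-F` (non-forwardable) flag from the thread's kinit line is omitted here; add it to `kinit_command` if the job's ticket must not be forwardable.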


Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-05 Thread Gary T. Giesen
I'm not entirely sure if this is what you were asking for, but here's a
manual LDAP query and the associated logs, and then I restarted
ipa-dnskeysyncd and the logs associated with that as well:


[root@host /]# date
Thu May  5 10:52:12 EDT 2016
[root@host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' -s sub '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
SASL/GSSAPI authentication started
SASL username: u...@example.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] freeipa permission denied for user

2016-05-05 Thread Jakub Hrozek
On Thu, May 05, 2016 at 08:13:00PM +0530, Rakesh Rajasekharan wrote:
> (Thu May  5 14:35:49 2016) [sssd[krb5_child[32281]]] [get_and_save_tgt]
> (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
> (Thu May  5 14:35:49 2016) [sssd[krb5_child[32281]]] [map_krb5_error]
> (0x0020): 1069: [-1765328353][Decrypt integrity check failed]

This seems like a wrong password..

Are you able to kinit with the same password using the user's principal?



Re: [Freeipa-users] Automatic consistency checking

2016-05-05 Thread Martin Basti
On 05.05.2016 15:54, Andrew Holway wrote:
> Hello,
>
> We've been using Freeipa on Centos for a while and found one day that the
> replication stuff was broken and that the LDAP database on our pair of IPA
> servers was inconsistent. We didn't know how long this had been broken for but
> we were not able to repair it either.
>
> We use AWS so we've now deployed RHEL AMIs and are now using IdM so we can get
> support when this is breaking but I am a bit stuck how to monitor that the
> replication is still working.
>
> So are there some monitoring mechanisms in FreeIPA?
>
> Cheers,
>
> Andrew

This is planned for the future; you can use
https://github.com/peterpakos/ipa_check_consistency (a community script without
any guarantee) to check your servers.

Martin



[Freeipa-users] Unable to create a new replica

2016-05-05 Thread Francoeur, Louis
I'm trying to create a new replica and I receive the following message:


Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [error] RuntimeError: One of the ldap service principals is missing. 
Replication agreement cannot be converted.
Replication error message: Can't acquire busy replica


I have done this multiple times:


ipa-replica-manage del new-ipa.domain.local --force --cleanup


I have validated that my ports are open:

nmap -Pn -p53,80,88,443,389,464,636 existing-ipa

Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-05 13:46 UTC
Nmap scan report for existing-ipa (xxx.xxx.xxx.xxx)
Host is up (0.29s latency).
rDNS record for xxx.xxx.xxx.xxx: existing-ipa.domain.local
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl

Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds


nmap -Pn -p53,80,88,443,389,464,636 xxx.xxx.xxx.xxx (this is after the failed 
install - closed means nothing is listening)

Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-05 13:50 UTC
Nmap scan report for new-ipa.domain.local (xxx.xxx.xxx.xxx)
Host is up (0.21s latency).
PORT    STATE  SERVICE
53/tcp  closed domain
80/tcp  closed http
88/tcp  closed kerberos-sec
389/tcp open   ldap
443/tcp closed https
464/tcp closed kpasswd5
636/tcp open   ldapssl

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds


I am running on Centos 7 with:


ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
sssd-ipa-1.13.0-40.el7_2.2.x86_64
libipa_hbac-1.13.0-40.el7_2.2.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64

The other strange thing i notice at the beginning of the install is:

ipa : ERROR    Could not resolve hostname new-ipa.domain.local using 
DNS. Clients may not function properly. Please check your DNS setup. (Note that 
this check queries IPA DNS directly and ignores /etc/hosts.)


But I can find it from the command line with dig/nslookup.


With more debug info, I find it is trying to reach another IPA server that it has no 
access to (geo is too far and ports are closed, instead of using resolv.conf).


What am I missing here?


BTW I have multiple replicas installed already.


Thanks

Louis


Re: [Freeipa-users] Automatic consistency checking

2016-05-05 Thread Martin Babinsky

On 05/05/2016 03:54 PM, Andrew Holway wrote:
> Hello,
>
> We've been using Freeipa on Centos for a while and found one day that
> the replication stuff was broken and that the LDAP database on our pair
> of IPA servers was inconsistent. We didn't know how long this had been
> broken for but we were not able to repair it either.
>
> We use AWS so we've now deployed RHEL AMIs and are now using IdM so we
> can get support when this is breaking but I am a bit stuck how to
> monitor that the replication is still working.
>
> So are there some monitoring mechanisms in FreeIPA?
>
> Cheers,
>
> Andrew

Hi Andrew,

to check the status of a replica you can use the following command:

"""
ipa-replica-manage list -v replica1.ipa.test
master1.ipa.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-05-05 14:29:01+00:00
"""

--
Martin^3 Babinsky

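Turning that `ipa-replica-manage list -v` output into a monitoring check, as an added Python example that is not from the thread or the FreeIPA project. The sample output is constructed in the format quoted above; `master2.ipa.test` and its failing status line are invented to show what a broken agreement looks like, and the `Error (N)` variant of the status code is handled as an assumption about newer 389-ds output.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of `ipa-replica-manage list -v` quoted in the
# thread; master2 is invented to show a failing agreement.
SAMPLE_STATUS = """\
master1.ipa.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-05-05 14:29:01+00:00
master2.ipa.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: -1 Unable to acquire replica: Can't acquire busy replica
  last update ended: 2016-05-05 10:02:11+00:00
"""

# Constructed "current time" matching the sample timestamps.
SAMPLE_NOW = datetime(2016, 5, 5, 14, 40, tzinfo=timezone.utc)

AGREEMENT_HEADER = re.compile(r"^(?P<host>\S+): (?P<kind>\S+)$")
# Leading numeric status code; assumed "Error (0) ..." wrapper for newer 389-ds.
STATUS_CODE = re.compile(r"^(?:Error \()?(?P<code>-?\d+)\)?")


def parse_replica_status(text):
    """Map each agreement's host name to a dict of its indented key/value lines."""
    agreements, current = {}, None
    for line in text.splitlines():
        header = AGREEMENT_HEADER.match(line)
        if header:
            current = agreements.setdefault(header["host"], {"kind": header["kind"]})
        elif current is not None and line.startswith(" ") and ": " in line:
            # Split on the first ": " only; the status text itself contains colons.
            key, _, value = line.strip().partition(": ")
            current[key] = value
    return agreements


def check_replication(text, now, max_age=timedelta(hours=1)):
    """Return a list of problems: non-zero status codes and stale last updates."""
    problems = []
    for host, info in parse_replica_status(text).items():
        status = info.get("last update status", "")
        code = STATUS_CODE.match(status)
        if code is None or int(code["code"]) != 0:
            problems.append(f"{host}: last update status not OK: {status!r}")
        ended = info.get("last update ended")
        if ended:
            age = now - datetime.fromisoformat(ended)
            if age > max_age:
                problems.append(f"{host}: last update ended {ended} ({age} ago)")
    return problems


if __name__ == "__main__":
    for problem in check_replication(SAMPLE_STATUS, SAMPLE_NOW):
        print(problem)
```

Both conditions matter: a status line can still read "0 Replica acquired successfully" while the last update timestamp stops moving, so the age check catches a supplier that has silently stopped sending updates. Run it with a timezone-aware `now` (the timestamps carry `+00:00`).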


[Freeipa-users] Automatic consistency checking

2016-05-05 Thread Andrew Holway
Hello,

We've been using Freeipa on Centos for a while and found one day that the
replication stuff was broken and that the LDAP database on our pair of IPA
servers was inconsistent. We didn't know how long this had been broken for
but we were not able to repair it either.

We use AWS so we've now deployed RHEL AMIs and are now using IdM so we can
get support when this is breaking but I am a bit stuck how to monitor that
the replication is still working.

So are there some monitoring mechanisms in FreeIPA?

Cheers,

Andrew

Re: [Freeipa-users] service cert to a host/member/service

2016-05-05 Thread Rob Crittenden

lejeczek wrote:
> On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi users, as one follows official docs and issues a certificate for a
>>> service/host, one wonders what is the correct way to move such a
>>> certificate to a host(which is domain member) ? I understand
>>> certificates issued with: $ ipa cert-request -add --principal are
>>> stored in ldap backend, (yet I don't quite get the difference between
>>> that tool and ipa-certget).
>>
>> The first uses the IPA command-line to get a cert directly. ipa-getcert
>> uses certmonger.
>>
>> If you are getting a certificate for another host, particularly if that
>> host isn't an IPA client, then the first form is the way to go.
>>
>>> How do I get such a certificate off the server and to a host-not-server?
>>
>> $ ipa cert-show  --out cert.pem
>>
>>> In my case I'm hoping to use this certificate in apache+nss. I
>>> realize I also will need CA certificate on that host, which I got
>>> hold of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if
>>> it's the right way?
>>
>> So in this case you'd want to generate the CSR on the host-not-server
>> using certutil. You'd take that CSR to the enrolled host and run ipa
>> cert-request ...
>>
>> Get a copy of the cert and get that and /etc/ipa/ca.crt to the
> Is this the only place where IPA' CA cert resides?
> I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
> $ certutil -d /etc/dirsrv/slapd-MY..
> gets me:
>
> MY-DOMAIN IPA CA   CT,C,C
> Server-Cert        u,u,u
>
> what is that IPA CA then?
> I also see the same with:
> $ certutil -d /etc/httpd/alias -L
> Is this the same one certificate? (including /etc/ipa/ca.crt)

Yes, these are all (or should be) the same (there is a copy in LDAP too).

> I get these with: ipa-getcert list
> I'm guessing these are set up by installer and to be managed by
> certmonger, for DS and web server for certificates auto management purposes?

Yes, certmonger manages automatic renewal.

rob

> many thanks.
>
>> host-not-server.
>>
>> Use certutil to add both to your NSS database.
>>
>> rob
>>




Re: [Freeipa-users] service cert to a host/member/service

2016-05-05 Thread Petr Vobornik
On 05/05/2016 11:44 AM, lejeczek wrote:
> On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi users, as one follows official docs and issues a certificate for a 
>>> service/host, one wonders what is the correct way to move such a 
>>> certificate 
>>> to a host(which is domain member) ? I understand certificates issued with: 
>>> $ 
>>> ipa cert-request -add --principal are stored in ldap backend, (yet I 
>>> don't 
>>> quite get the difference between that tool and ipa-certget). 
>>
>>
>> The first uses the IPA command-line to get a cert directly. ipa-getcert
>> uses certmonger.
>>
>> If you are getting a certificate for another host, particularly if that
>> host isn't an IPA client, then the first form is the way to go.
>>
>>> How do I get such a certificate off the server and to a host-not-server? 
>>
>>
>> $ ipa cert-show  --out cert.pem
>>
>>> In my case I'm hoping to use this certificate in apache+nss. I realize I 
>>> also 
>>> will need CA certificate on that host, which I got hold of with certutil 
>>> operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the right way? 
>>
>>
>> So in this case you'd want to generate the CSR on the host-not-server
>> using certutil. You'd take that CSR to the enrolled host and run ipa
>> cert-request ...
>>
>> Get a copy of the cert and get that and /etc/ipa/ca.crt to the
> Is this the only place where IPA' CA cert resides?
> I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
> $ certutil -d /etc/dirsrv/slapd-MY..
> gets me:
> 
> MY-DOMAIN IPA CA   CT,C,C
> Server-Cert        u,u,u
> 
> what is that IPA CA then?
> I also see the same with:
> $ certutil -d /etc/httpd/alias -L
> Is this the same one certificate? (including /etc/ipa/ca.crt)
> 
> I get these with: ipa-getcert list
> I'm guessing these are set up by installer and to be managed by certmonger, 
> for 
> DS and web server for certificates auto management purposes?

You can use generic `getcert` tool to get all certs managed by
certmonger and their location. It will show you also PKI internal certs.

  # getcert list

`ipa-getcert list` is equivalent to `getcert list -c IPA`

> 
> many thanks.
> 
>> host-not-server.
>>
>> Use certutil to add both to your NSS database.
>>
>> rob
>>
> 
-- 
Petr Vobornik



Re: [Freeipa-users] OTP token policies.

2016-05-05 Thread Prashant Bapat
+1 for enforcing OTP in the web UI.

When the user logs in for the first time he should be taken to a page to
create an OTP token. Users should be able to log in only using passwd+OTP.

Are there any ideas for ensuring that all users are using OTP tokens?

On 4 May 2016 at 05:12, Peter Bisroev  wrote:

> Dear Developers,
>
> Firstly, thank you for a fantastic product. I have a few questions
> relating to OTP that I could not find the answers to in the Red Hat IdM
> manual, http://www.freeipa.org/page/V4/OTP document, and on both user and
> devel mailing lists. Hopefully I have not missed anything obvious :)
>
> With FreeIPA version 4.2, is it possible to enforce policies on what
> administrators and/or users can do with OTP tokens? For example:
>
> 1) Is there a way to enforce how many tokens can be active for a user at
> the same time?
>
> 2) Is it possible to force the number of digits to be eight and a specific
> algorithm to be used?
>
> 3) Is it possible to force the user to create a new OTP token after the
> first password change?
>
> If there is such support, it can be used to overcome the soft OTP token
> enrollment bootstrap issue. For example, currently, if the administrator
> creates a new user and enables "Two factor authentication (password + OTP)"
> but does not assign an OTP token, the user is able to login, change the
> password and continue using the new password without enabling 2FA
> indefinitely.
>
> However, once the OTP token is created, either by administrator or the
> user, the systems forces the token's use from this point on. Maybe in the
> future, FreeIPA can force the user to enable OTP at first login into the
> FreeIPA console? But I guess then, the system must somehow stop the users
> from login in into any other service besides FreeIPA web console, until the
> OTP token is generated.
>
> A few more questions:
>
> Would it be possible to describe a use case when having multiple OTP
> tokens enabled at the same time is a requirement?
>
> How does TOTP token synchronization work? Can it be disabled?
>
> Thank you for your time and help!
>
> Regards,
> --peter
>
>
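Peter's question about forcing eight digits and a specific algorithm, and his question about how TOTP synchronisation works, are about generic RFC 6238 behaviour. The block below is an added Python illustration of that standard, not FreeIPA's code and not a statement of what FreeIPA's token policies allow: the digit count and HMAC hash are parameters, and the verifier's drift window is what "synchronisation" means in practice. The replay guard (`last_counter`) is a design choice of this example, and the test secrets are the ones published in RFC 6238 Appendix B.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo="sha1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret, code, at=None, window=1, step=30, digits=6, algo="sha1",
                last_counter=-1):
    """Accept `code` if it matches any step within +/- `window` of the current one.

    The window tolerates clock drift between token and server; that tolerance is
    what token "synchronisation" amounts to.  Steps at or below `last_counter`
    are refused so an observed code cannot be replayed inside the window (an
    example design choice).  Returns the accepted counter, which the caller
    stores as the new last_counter, or None.
    """
    at = time.time() if at is None else at
    current = int(at) // step
    for offset in range(-window, window + 1):
        counter = current + offset
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algo), code):
            return counter
    return None


# RFC 6238 Appendix B test secrets (ASCII "1234567890..." of the hash's block length).
RFC_SHA1_SECRET = b"12345678901234567890"
RFC_SHA256_SECRET = b"12345678901234567890123456789012"

if __name__ == "__main__":
    # At unix time 59 the RFC's expected 8-digit SHA-1 value is 94287082.
    print(totp(RFC_SHA1_SECRET, at=59, digits=8))
```

A wider window makes a drifting token usable for longer but also widens the set of codes an attacker could guess or replay, which is why the accepted counter is recorded and never accepted twice.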

[Freeipa-users] Error Server update not syn to Server02 but reverse ok

2016-05-05 Thread Barry
Hi all:

Original config server <> server02, either server can add a user and sync

Now server < server02, GSSAPI shows as below.. Any idea? THX

[05/May/2016:17:29:03 +0800] - 389-Directory/1.2.11.25 B2013.325.1951
starting up
[05/May/2016:17:29:03 +0800] - WARNING: userRoot: entry cache size
10485760B is less than db size 17113088B; We recommend to increase the
entry cache size nsslapd-cachememsize.
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_unwrap_key: failed to
unwrap key for cipher AES
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_cipher_init: symmetric
key failed to unwrap with the private key; Cert might have been renewed
since the key is wrapped.  To recover the encrypted contents, keep the
wrapped symmetric key value.
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_unwrap_key: failed to
unwrap key for cipher 3DES
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_cipher_init: symmetric
key failed to unwrap with the private key; Cert might have been renewed
since the key is wrapped.  To recover the encrypted contents, keep the
wrapped symmetric key value.
[05/May/2016:17:29:03 +0800] attrcrypt - All prepared ciphers are not
available. Please disable attribute encryption.
[05/May/2016:17:29:03 +0800] schema-compat-plugin - warning: no entries set
up under cn=computers, cn=compat,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] schema-compat-plugin - warning: no entries set
up under cn=ng, cn=compat,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] schema-compat-plugin - warning: no entries set
up under ou=sudoers,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be
added before the CoS Definition.
[05/May/2016:17:29:07 +0800] set_krb5_creds - Could not get initial
credentials for principal [ldap/server.abc@abc.com] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
[05/May/2016:17:29:07 +0800] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_492' not found)) errno 0 (Success)
[05/May/2016:17:29:07 +0800] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[05/May/2016:17:29:07 +0800] NSMMReplicationPlugin - agmt="cn=
meToserver02.ABC.com" (server02:389): Replication bind with GSSAPI auth
failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure.  Minor code may provide more information
(Credentials cache file '/tmp/krb5cc_492' not found))
[05/May/2016:17:29:07 +0800] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be
added before the CoS Definition.
[05/May/2016:17:29:07 +0800] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[05/May/2016:17:29:07 +0800] - Listening on All Interfaces port 636 for
LDAPS requests
[05/May/2016:17:29:07 +0800] - Listening on /var/run/slapd-ABC-COM.socket
for LDAPI requests
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=
meToserver02.ABC.com" (server02:389): Replication bind with GSSAPI auth
resumed
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=
meToserver02.ABC.com" (server02:389): Missing data encountered
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=
meToserver02.ABC.com" (server02:389): Incremental update failed and
requires administrator action
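A parser for the 389-ds errors log above that pulls out the replication-agreement state, as an added Python example that is not from the thread or the 389-ds project. The sample entries are the lines Barry posted, joined back onto one line per entry (the mail client wrapped them); the failure markers are the literal message prefixes that appear there, and which of them count as "failures" is this example's own classification.

```python
import re
from datetime import datetime

# Lines from the 389-ds errors log quoted in the message above, re-joined onto
# one line per entry.
SAMPLE_ERRORS_LOG = """\
[05/May/2016:17:29:03 +0800] - 389-Directory/1.2.11.25 B2013.325.1951 starting up
[05/May/2016:17:29:07 +0800] set_krb5_creds - Could not get initial credentials for principal [ldap/server.abc@abc.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[05/May/2016:17:29:07 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
[05/May/2016:17:29:07 +0800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Replication bind with GSSAPI auth resumed
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Missing data encountered
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Incremental update failed and requires administrator action
"""

# "[timestamp] <source> - <message>"; the source is absent on core-server lines.
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] (?:(?P<source>\S+) )?- (?P<msg>.*)$")
AGREEMENT = re.compile(r'^agmt="cn=(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): (?P<detail>.*)$')

# Message prefixes (as they appear in the log above) that mean an agreement is
# not replicating; the grouping is this example's choice.
FAILURE_MARKERS = (
    "Replication bind with GSSAPI auth failed",
    "Missing data encountered",
    "Incremental update failed",
)


def parse_errors_log(text):
    """Split each log line into a timezone-aware timestamp, the source component and the message."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({
                "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "source": m["source"] or "",
                "msg": m["msg"],
            })
    return entries


def summarize_replication(entries):
    """Per agreement: the peer, whether the last GSSAPI bind succeeded, and failure events in order."""
    summary = {}
    for e in entries:
        if e["source"] != "NSMMReplicationPlugin":
            continue
        m = AGREEMENT.match(e["msg"])
        if not m:
            continue
        state = summary.setdefault(m["agmt"], {"peer": m["peer"], "bind_ok": None, "failures": []})
        detail = m["detail"]
        if detail.startswith("Replication bind with GSSAPI auth resumed"):
            state["bind_ok"] = True
        for marker in FAILURE_MARKERS:
            if detail.startswith(marker):
                state["failures"].append((e["ts"], marker))
                if marker.startswith("Replication bind"):
                    state["bind_ok"] = False
                break
    return summary


def kdc_unreachable(entries):
    """Timestamps at which the server could not obtain its own ldap/ credentials from its keytab."""
    return [e["ts"] for e in entries
            if e["source"] == "set_krb5_creds" and "Could not get initial credentials" in e["msg"]]


def needs_admin_action(summary):
    """Agreements whose incremental update failed hard (the log's own "requires administrator action")."""
    return sorted(agmt for agmt, st in summary.items()
                  if any(marker == "Incremental update failed" for _, marker in st["failures"]))


if __name__ == "__main__":
    entries = parse_errors_log(SAMPLE_ERRORS_LOG)
    print("KDC unreachable at:", kdc_unreachable(entries))
    print("agreements needing admin action:", needs_admin_action(summarize_replication(entries)))
```

Reading the sample through this lens separates the two problems in Barry's log: the GSSAPI bind failure at startup is a consequence of `set_krb5_creds` not reaching a KDC and clears itself four seconds later ("resumed"), whereas "Missing data encountered" followed by "Incremental update failed and requires administrator action" persists after the bind is back and is the condition that actually stops server -> server02 replication.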

Re: [Freeipa-users] service cert to a host/member/service

2016-05-05 Thread lejeczek
On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
> lejeczek wrote:
> > hi users,
> > 
> > as one follows official docs and issues a certificate for a
> > service/host, one wonders what is the correct way to move such a
> > certificate to a host(which is domain member) ?
> > I understand certificates issued with:
> > 
> > $ ipa cert-request -add --principal
> > 
> > are stored in ldap backend, (yet I don't quite get the difference
> > between that tool and ipa-certget).
> 
> The first uses the IPA command-line to get a cert directly. ipa-
> getcert 
> uses certmonger.
> 
> If you are getting a certificate for another host, particularly if
> that 
> host isn't an IPA client, then the first form is the way to go.
> 
> > How do I get such a certificate off the server and to a host-not-
> > server?
> 
> $ ipa cert-show  --out cert.pem
> 
> > In my case I'm hoping to use this certificate in apache+nss.
> > I realize I also will need CA certificate on that host, which I got
> > hold
> > of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's
> > the
> > right way?
> 
> So in this case you'd want to generate the CSR on the host-not-
> server 
> using certutil. You'd take that CSR to the enrolled host and run ipa 
> cert-request ...
> 
> Get a copy of the cert and get that and /etc/ipa/ca.crt to the 
Is this the only place where IPA' CA cert resides?
I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
$ certutil -d /etc/dirsrv/slapd-MY.. 
gets me:
MY-DOMAIN IPA CA   CT,C,C
Server-Cert        u,u,u
what is that IPA CA then?
I also see the same with:
$ certutil -d /etc/httpd/alias -L
Is this the same one certificate? (including /etc/ipa/ca.crt)
I get these with: ipa-getcert list
I'm guessing these are set up by installer and to be managed by
certmonger, for DS and web server for certificates auto management
purposes?
many thanks.
> host-not-server.
> 
> Use certutil to add both to your NSS database.
> 
> rob
> 
> 

Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

2016-05-05 Thread Petr Spacek
On 5.5.2016 06:28, David LeVene wrote:
> Hey All,
> 
> I'm looking for a bit of direction around the best way to configure/setup an 
> on-site cache &/or replica from an AD Server which will be uni-directional 
> (AD -> IPA/slapd)
> 
> The master are multiple AD Servers located around the place, and we exist in 
> a place which is outside of the core network and that network link is a 
> single point of failure.
> 
> What I want to achieve is in the event we lose connectivity with the world 
> users can still authenticate, but if someone is disabled/updated at the top 
> level it replicates down. I've got a test AD Server & have been reviewing 
> IPA, but have hit an issue in that I can't get software installed on the AD 
> Masters for the 389 dir sync software.
> 
> Currently I've configured a synchronization based solution with one way 
> replication from the AD Masters -> IPA. This works fine and I can see all the 
> users being created in IPA - but as the passwords can't be synced without 
> installing software I can't use this method.

All methods which can work completely off-line will require access to keys on
the AD server. This means either some additional software on the AD side OR having
a proper AD server which is hosted locally. This could theoretically be a Samba 4
AD server if you want to try that.

If your clients are sufficiently new you can try to use SSSD everywhere, but it
comes with its own limitations, e.g. users who never logged in before will not be
able to log in when the network link is down.

I hope this helps.

Petr^2 Spacek


> Another nice thing would be to have a separate domain/tree available so we 
> can split up the staff that are from the master servers and some client 
> related user/passes that won't be in the Global Directory - but managed from 
> the same place.
> 
> Are there any other setup's that will achieve what I require? Have seen slapd 
> with proxy cache but I'm not sure on this options either and configuring 
> slapd with all the ldif files manually seems a little daunting at first sight.
> 
> Thanks in advance,
> David



Re: [Freeipa-users] Who uses FreeIPA?

2016-05-05 Thread Petr Spacek
On 4.5.2016 16:33, Jakub Hrozek wrote:
> On Wed, May 04, 2016 at 04:23:00PM +0200, Martin Kosek wrote:
>> On 05/04/2016 09:23 AM, Jakub Hrozek wrote:
>>> On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote:
>>>> On (03/05/16 15:09), Alexandre de Verteuil wrote:
>>>>> Hello all,
>>>>>
>>>>> I've deployed FreeIPA in my home lab and I'm happy to have single
>>>>> sign-on for all my Archlinux virtual machines and Fedora laptops :)
>>>>>
>>>>> It took me lots of research and conversations before hearing about
>>>>> FreeIPA for the first time while searching for a libre SSO solution. I
>>>>> think FreeIPA needs much more exposure. I am really impressed with it.
>>>>> Tomorrow I am giving a short presentation at my workplace to talk about
>>>>> it and invite other sysadmins to try it.
>>>>>
>>>>> I would like to make a slide showing the current adoption of FreeIPA. I
>>>>> read that Red Hat uses it internally, but do they actually deploy it in
>>>>> their client's infrastructures? Are there any big companies that use it?
>>>>> Even if I only have reports of schools and small businesses would be
>>>>> good enough to say it's production ready and it has traction.
>>>>>
>>>>> Whether you are reporting about your own use or you know where I can
>>>>> find out more would be greatly appreciated! I have not found a "Who uses
>>>>> FreeIPA" page on the Internet.
>>>>>
>>>> The GNOME Infrastructure is now powered by FreeIPA!
>>>> October 7, 2014
>>>>
>>>> https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/
>>>
>>> Would it make sense to add 'success stories' like this to the
>>> freeipa.org home page? Of course, we can't use Red Hat IDM customers,
>>> but those that use freeipa on Fedora/CentOS and hopefully soon on Ubuntu
>>> could be added there if they would agree..
>>
>> I think it would make sense. We already know at least about GNOME as Lukas
>> mentioned or about eBay's Hadoop clusters:
>>
>> https://hadoopsummit.uservoice.com/forums/344958-governance-and-security/suggestions/11664876-freeipa-for-securing-hadoop-fish
>>
>> I think we should start a new "References" page on the FreeIPA.org wiki and 
>> ask
>> for success stories from this list. Any takers? :-)
> 
> I think we should ask those projects for permission first..

Why is that? The information is public in both cases, right?

I really do not see a reason for ask-before-linking approach. (The next step
is "pay-before-linking" as seen in various proposals from European governments.)

-- 
Petr^2 Spacek



[Freeipa-users] Restore form full backup but some warns/error ok , BUT WORK OK service

2016-05-05 Thread barrykfl
Hi All:


I restored from backup but some lib / pki errors came up.
The package was ipa-server-3.0.0-26.el6_4.4.x86_64
but now it is ipa-server-3.0.0-47.el6.centos.2.x86_64; it seems no harm?

How to tune it?



Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:[  OK  ]
Starting HTTP Service
Starting httpd:[  OK  ]
Starting CA Service
Traceback (most recent call last):
  File "/usr/sbin/pki-server", line 88, in 
cli = PKIServerCLI()
  File "/usr/sbin/pki-server", line 34, in __init__
super(PKIServerCLI, self).__init__('pki-server', 'PKI server
command-line interface')
  File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in __init__
self.modules = collections.OrderedDict()
AttributeError: 'module' object has no attribute 'OrderedDict'
Starting pki-ca:   [  OK  ]

Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-05 Thread Jakub Hrozek
On Wed, May 04, 2016 at 10:51:37PM +0200, Rob Verduijn wrote:
> Hi,
> 
> I avoided the slow filling group by using the AD-Group with spaces
> (was a tad more challenging for scripting)
> 
> But here's the releases (some of them)
> 
> ipa 4.2 and sssd 1.13
> 
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

The IPA packages haven't been released yet (those will be
at least ipa-4.2.0-15.el7_2.15) but even with older packages, I would
have expected id to return the groups, "just" not getent group.

> sssd-common-1.13.0-40.el7_2.2.x86_64
> sssd-client-1.13.0-40.el7_2.2.x86_64
> sssd-ad-1.13.0-40.el7_2.2.x86_64
> 
> Cheers
> Rob Verduijn
> 
> 2016-05-04 18:06 GMT+02:00 Jakub Hrozek :
> > On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
> >> to make sure I did the following on the ipa host
> >>
> >> systemctl stop sssd.service
> >> rm -f /var/lib/sss/db/*
> >> systemctl start sssd.service
> >>
> >> now there is no cheating from cache
> >> getent passwd u...@ad-domain.com works and gives userid
> >> id u...@ad-domain.com works fine and shows all groups the user is a
> >> member of including ad_linux_administrators (ipa group) and 'linux
> >> administrat...@ad-domain.com'
> >> getent group ad_linux_administrators only shows the group ad, no
> >> members, these pop up after a very long time
> >> getent group 'linux administrat...@ad-domain.com' immediately shows all 
> >> members
> >
> > Please note that getent group only works with very recent versions of
> > ipa and sssd. What version are you running?
> >
> >>
> >> weird
> >>
> >> Rob Verduijn
> >>
> >> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek :
> >> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
> >> >> This goes especially for ad groups that are nested in ipa_groups
> >> >>
> >> >> ie :
> >> >> microsoft group is defined as an external group,
> >> >> and that external group is member of an ipa group
> >> >> and that ipa group takes forever.
> >> >>
> >> >> Regards
> >> >> Rob Verduijn
> >> >
> >> > All the work in this area is done by sssd on the server. The sssd there
> >> > runs a periodical task to re-fetch new external groups memberships every
> >> > 10 seconds. So I would expect the group memberships to turn up after 10
> >> > seconds at worst.
> >> >
> >> > Are you sure (from sssd logs) that maybe sssd is not going into offline
> >> > state and just consults its cache?
> >> >
> >> >>
> >> >>
> >> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
> >> >> > Hello,
> >> >> >
> >> >> > I'm using a trust to microsoft active directory to allow users access
> >> >> > to linux servers.
> >> >> >
> >> >> > But when a user is added it takes a very long time for ipa to 
> >> >> > register this.
> >> >> > And even more time for the ipa clients since they have to wait for the
> >> >> > ipa servers.
> >> >> >
> >> >> > Since I hate to tell the users to wait for a couple hours, and also I
> >> >> > do not like to clean up the sssd cache folder each time a new user
> >> >> > appears.
> >> >> >
> >> >> > Is there a way to tell ipa and all clients to refresh their cache ?
> >> >> >
> >> >> > Regards
> >> >> > Rob Verduijn
> >> >>

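The thread above boils down to one diagnostic: `id` already lists the IPA group (resolved through the external AD group) while `getent group` for that same IPA group shows no members until sssd's periodic refresh catches up, unless sssd has actually gone offline and is only serving its cache. The script below is an added example, not code from the thread or from the FreeIPA or SSSD projects. It parses the standard output formats of `id` and `getent group`, classifies the two views as consistent, stale on the getent side, or missing, and, when given a user and a group on a host running sssd, performs the same comparison live. The sample output strings are constructed for illustration; the user, group and GID values in them are made up. `sss_cache -E` is sssd's own cache invalidation tool and is named here as the alternative to deleting `/var/lib/sss/db/*` by hand; `sssctl domain-status` is the assumed way to confirm online state on newer sssd releases.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): compare how `id` and
# `getent group` see an AD user's membership in an IPA group that contains
# an external (AD) member group.  Parsing is separated from the live
# commands so the logic can be exercised without sssd present.

# Succeed if the `id` output names the group.  Assumes the coreutils format
# "uid=N(user) gid=N(group) groups=N(g1),N(g2),...".
id_lists_group() {
    id_output=$1
    group=$2
    printf '%s\n' "$id_output" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p' | grep -Fxq "$group"
}

# Succeed if the `getent group` line lists the user in its member field.
# Format: "name:passwd:gid:member1,member2" (member field may be empty).
getent_lists_user() {
    getent_line=$1
    user=$2
    printf '%s\n' "$getent_line" | cut -d: -f4 | tr ',' '\n' | grep -Fxq "$user"
}

# Classify the two views of one membership:
#   consistent    both `id` and `getent group` show the membership
#   stale-getent  `id` shows it, `getent group` has no members yet
#                 (the slow-filling nested external group from the thread)
#   missing       neither view shows it
diagnose() {
    id_output=$1; getent_line=$2; user=$3; group=$4
    if id_lists_group "$id_output" "$group"; then
        if getent_lists_user "$getent_line" "$user"; then
            echo consistent
        else
            echo stale-getent
        fi
    else
        echo missing
    fi
}

# Constructed sample output (not captured from a real system) reproducing
# the symptom: `id` lists ad_linux_administrators, getent has no members.
SAMPLE_USER='someuser@ad-domain.com'
SAMPLE_GROUP='ad_linux_administrators'
SAMPLE_ID='uid=1893600001(someuser@ad-domain.com) gid=1893600001(domain users@ad-domain.com) groups=1893600001(domain users@ad-domain.com),1893600005(linux administrators@ad-domain.com),1200000003(ad_linux_administrators)'
SAMPLE_GETENT_EMPTY='ad_linux_administrators:*:1200000003:'
SAMPLE_GETENT_FULL='ad_linux_administrators:*:1200000003:someuser@ad-domain.com,other@ad-domain.com'

# Live check on a host running sssd:  sh check-ad-group.sh USER GROUP
live_check() {
    state=$(diagnose "$(id "$1")" "$(getent group "$2")" "$1" "$2")
    echo "$1 in $2: $state"
    if [ "$state" = stale-getent ]; then
        # Before clearing anything, rule out sssd serving only its cache;
        # on sssd 1.14+ `sssctl domain-status <domain>` reports Online/Offline.
        # To force a refresh, `sss_cache -E` invalidates all cached entries
        # without removing the database files by hand.
        echo "membership visible via id only; check sssd online state, then sss_cache -E"
    fi
}

if [ "$#" -eq 2 ]; then
    live_check "$1" "$2"
else
    echo "sample (no members yet): $(diagnose "$SAMPLE_ID" "$SAMPLE_GETENT_EMPTY" "$SAMPLE_USER" "$SAMPLE_GROUP")"
    echo "sample (members filled):  $(diagnose "$SAMPLE_ID" "$SAMPLE_GETENT_FULL" "$SAMPLE_USER" "$SAMPLE_GROUP")"
fi
```

Run with no arguments to see the classification on the constructed samples; run with a user and group on an IPA client or server to compare the live `id` and `getent group` views. A `stale-getent` result that persists well beyond sssd's refresh interval, with sssd confirmed online, is the case where invalidating the cache is warranted.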