Re: [Freeipa-users] ipa-server-upgrade fails and CA cannot start

2016-05-10 Thread Andrew C. Dingman
On Tue, 2016-05-10 at 10:16 +0200, Petr Vobornik wrote:
> On 05/08/2016 09:49 PM, Andrew C. Dingman wrote:
> > 
> > "getcert list" successfully shows 8 certificate requests being
> > tracked.
> > Four are in "MONITORING" status, four in "NEED_CA". The NEED_CA
> > requests all indicate expiration back in February, and look like
> > crucial certificates: CN=CA Subsystem, CN=IPA RA, CN=CA Audit
> > and CN=OCSP Subsystem.
> > 
> > On the working replica, all eight are in "MONITORING" status and
> > have
> > expiration dates in 2017 or later. I have not attempted the package
> > update on that system. Should I consider promoting this one to CA
> > master, force-deleting the old one, and reinstalling it as a new
> > system?
> > 
> > Please let me know what other information would be helpful for
> > diagnostics. The current state of all packages on the broken master
> > is
> > up to earlier today from the official Red Hat content distribution
> > network.
> > 
> Hello Andrew,
> 
> Could you paste output of `ipactl start` ?

[andrew@ipa2 ~]$ sudo ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl
[andrew@ipa2 ~]$

There's a pause of several minutes between "Starting pki-tomcatd
Service" and "Failed". Full output from "sudo ipactl -d start" is at
https://paste.fedoraproject.org/364876/14629214/ but it mostly consists
of:

ipa: DEBUG: stderr=
ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
ipa: DEBUG: Waiting until the CA is running
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa2.acdingman.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=8
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-05-10 18:53:33--  https://ipa2.acdingman.com:8443/ca/admin/ca/getStatus
Resolving ipa2.acdingman.com (ipa2.acdingman.com)...
2001:19f0:300:2a63::64, 104.156.251.79
Connecting to ipa2.acdingman.com
(ipa2.acdingman.com)|2001:19f0:300:2a63::64|:8443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 500 Internal Server Error
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 2134
  Date: Tue, 10 May 2016 22:53:55 GMT
  Connection: close
2016-05-10 18:53:55 ERROR 500: Internal Server Error.

repeated once a second for nearly five minutes.

> Also, when the upgrader fails it tends to leave the directory server not
> accessible by changing the 389 and 636 ports.
> 
> It could be verified by:
> 
> $ ldapsearch -ZZ -h `hostname` -D "cn=Directory Manager" -W -s base
> -b
> "cn=config" | grep "nsslapd-security\|nsslapd-port"
> Enter LDAP Password:
> nsslapd-requiresrestart: cn=config:nsslapd-port
> nsslapd-port: 389
> nsslapd-security: on
> 
> If there are values other than '389' and 'on' (usually '0' and 'off')
> then it might be the reason why IPA doesn't start. Changing them back to
> 'on' and 389 might help.

Nope, my output looks just like your sample.

> But it won't say why the upgrader failed. Maybe it was a one-time
> glitch
> or it was related to the expired certs.
> 
> The error message you got is in code which creates connection to
> certmonger.
> 
> But if there are expired certificates, the usual recovery is to move
> back time a day or two before the first certificate expires and let
> certmonger renew the certs. Optionally the renewal can be forced by
> the `getcert resubmit -i $certid` command.

Do I risk hurting the functional replica if I do that? I presume with
time months off from each other they wouldn't even talk until I got the
time correct on the broken system, but that's based on the assumption
that they mostly use GSSAPI authentication. If anything is certificate-
based the time tolerances could be much larger.

-Andrew

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
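The diagnosis in this thread hinges on the `getcert list` output: which requests are still MONITORING, which have dropped to NEED_CA, and how far back the clock has to go for Petr's recovery to work. The following is an added example, not code from the thread, from FreeIPA or from certmonger. It parses the text `getcert list` prints (the sample is constructed; request IDs, dates and storage details are made up, the subjects mirror the ones Andrew names), groups requests by status, computes the date to wind the clock back to (two days before the earliest expiry) and emits the `getcert resubmit -i` commands for the broken requests. The `expires:` timestamp format is assumed to be the `YYYY-MM-DD HH:MM:SS UTC` form getcert prints.

```python
"""Summarise `getcert list` output and work out a renewal plan for expired certs.

Added example; not code from the thread or from FreeIPA/certmonger.  It reads the
text that `getcert list` prints, groups the tracked requests by status and, for
the ones no longer in MONITORING, computes the date to wind the clock back to
(two days before the earliest expiry, the window Petr suggests) plus the
`getcert resubmit -i` commands to force renewal.  It never talks to certmonger.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the layout `getcert list` prints (request IDs, dates and
# storage details are made up; subjects mirror the ones named in the thread).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20150101000001':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=ipa2.acdingman.com,O=ACDINGMAN.COM
\texpires: 2017-06-01 10:00:00 UTC
Request ID '20150101000002':
\tstatus: NEED_CA
\tstuck: yes
\tsubject: CN=CA Subsystem,O=ACDINGMAN.COM
\texpires: 2016-02-14 08:15:00 UTC
Request ID '20150101000003':
\tstatus: NEED_CA
\tstuck: yes
\tsubject: CN=IPA RA,O=ACDINGMAN.COM
\texpires: 2016-02-20 09:30:00 UTC
"""

REQ_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")
FIELD_RE = re.compile(r"^\t(?P<key>[^:]+): (?P<val>.*)$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"   # assumed: the timestamp format getcert prints


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names getcert prints."""
    requests, cur = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = {"id": m.group("id")}
            requests.append(cur)
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur[m.group("key")] = m.group("val")
    for r in requests:
        if "expires" in r:
            r["expires_dt"] = datetime.strptime(r["expires"], EXPIRES_FMT)
    return requests


def renewal_plan(requests, today, slack_days=2):
    """today is 'YYYY-MM-DD'.  Returns what is broken, what has expired and the clock date to use."""
    now = datetime.strptime(today, "%Y-%m-%d")
    broken = [r for r in requests if r.get("status") != "MONITORING"]
    expired = [r for r in requests if "expires_dt" in r and r["expires_dt"] <= now]
    earliest = min((r["expires_dt"] for r in expired), default=None)
    return {
        "broken_ids": [r["id"] for r in broken],
        "expired_subjects": [r.get("subject", "?") for r in expired],
        # Wind the clock back to just before the first expiry so every cert is still valid then.
        "set_clock_to": None if earliest is None else (earliest - timedelta(days=slack_days)).date(),
        "resubmit_cmds": ["getcert resubmit -i %s" % r["id"] for r in broken],
    }


if __name__ == "__main__":
    plan = renewal_plan(parse_getcert_list(SAMPLE), "2016-05-10")
    for key, value in plan.items():
        print("%s: %s" % (key, value))
```

On a real server, pipe `getcert list` into `parse_getcert_list` and pass today's date; the `set_clock_to` value is the date to set before restarting certmonger, and `resubmit_cmds` is what to run once the services are up again. The time change is a local operation on the broken host and the script does nothing to the replica.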

[Freeipa-users] DHCP plugin (don't get your hopes up)

2016-05-10 Thread Jeffery Harrell
As promised yesterday, here’s the link to my bespoke DHCP plugin. It’s really 
nothing, just a little thing I whipped up for my own use.

https://github.com/jefferyharrell/IPA-dhcp


[Freeipa-users] Determining the Renewal Master/First Master and backup restore strategies - Problems and Issues

2016-05-10 Thread opensauce .
Hi All,

I would like to get right into my current issues.

Operating system : CentOS Linux release 7.2.1511 (Core)
Kernel Version : 3.10.0-327.10.1.el7.x86_64
IPA server Version : ipa-server-4.2.0-15.el7_2.6.x86_64
VM platform : ProxMox Virtual Environment Version 3.4-9/4b51d87a


I have prepared, what I would call the "first" master, by preparing and
installing the machine via the following method  :

*Source*
http://www.freeipa.org/page/Quick_Start_Guide#Getting_started_with_IPA
https://www.certdepot.net/rhel7-configure-freeipa-server/

Standard FreeIPA version distributed with the OS

yum install freeipa-server
yum install ipa-server-dns

ipa-server-install --setup-dns --forwarder=x.x.x.x -a PASSWORD --hostname=ipatester1.x.com --realm IPATESTER..XXX -p PASSWORD -n .xxx -U

firewall-cmd --permanent --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd,dns}
firewall-cmd --reload

The first master is installed and now I will create a replica instance for
multi-master replication.

First, create the replica file from first master :

ipa-replica-prepare  ipahostname --ip-address x.x.x.x

Copy the replica master info file to the new replica master. Then run the
replica install script :

ipa-replica-install --setup-dns --setup-ca --forwarder=x.x.x.x /var/lib/ipa/replica-info-ipahostname.gpg

firewall-cmd --permanent --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd,dns}
firewall-cmd --reload

I now have 2 multi-masters with replication agreements.

ipatester1 - first master
ipatester2 - replica master

From master to replica :

 ipa-replica-conncheck --replica ipatester2
Check connection from master to remote replica 'ipatester2.macrolan.co.za':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

From replica to master :

ipa-replica-conncheck --master ipatester1
Check connection from replica to remote master 'ipatester1.macrolan.co.za':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

*QUESTION 1 : Determining the Renewal Master/First Master*

Source  :
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

According to the above source, identifying the Renewal Master/First Master
can be done with the following ldap search command :
ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=example,dc=com' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn

However, when I run this ldapsearch I get presented with both masters in
the results :

# extended LDIF
#
# LDAPv3
# base 
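The howto cited in Question 1 identifies the renewal master by the `caRenewalMaster` value of `ipaConfigString` on the `cn=CA` entry under each master, so the ldapsearch should return exactly one DN. The following is an added example, not code from the thread or from FreeIPA: it takes the LDIF that the ldapsearch prints, unfolds the wrapped `dn:` lines, pulls the master hostname out of each DN and reports whether the one-renewal-master invariant holds. The LDIF is constructed to mirror the situation described (both masters returned); the hostnames are the ones from the post and the base DN is the one from the howto.

```python
"""Check which CA masters are flagged caRenewalMaster from ldapsearch LDIF output.

Added example; not code from the thread or from FreeIPA.  Feed it the output of
the ldapsearch from Question 1 and it extracts the master hostname from every
matching DN and tells you whether exactly one master carries the flag.
"""
import re

# Constructed sample: what the ldapsearch from Question 1 prints when both
# masters are flagged.  Lines starting with a space are LDIF continuation lines.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=masters,cn=ipa,cn=etc,dc=example,dc=com> with scope subtree
# filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
# requesting: dn

# CA, ipatester1.macrolan.co.za, masters, ipa, etc, example.com
dn: cn=CA,cn=ipatester1.macrolan.co.za,cn=masters,cn=ipa,cn=etc,dc=example,dc=
 com

# CA, ipatester2.macrolan.co.za, masters, ipa, etc, example.com
dn: cn=CA,cn=ipatester2.macrolan.co.za,cn=masters,cn=ipa,cn=etc,dc=example,dc=
 com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

DN_RE = re.compile(r"^dn: cn=CA,cn=(?P<host>[^,]+),cn=masters,", re.IGNORECASE)


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def renewal_masters(ldif_text):
    """Hostnames of every cn=CA master entry in the search result, in output order."""
    hosts = []
    for line in unfold_ldif(ldif_text):
        m = DN_RE.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def check_single_renewal_master(ldif_text):
    """Return (ok, message).  Exactly one flagged master is the healthy state."""
    hosts = renewal_masters(ldif_text)
    if len(hosts) == 1:
        return True, "renewal master is %s" % hosts[0]
    if not hosts:
        return False, "no CA master carries caRenewalMaster; promote one"
    return False, "%d masters carry caRenewalMaster (%s); keep exactly one" % (
        len(hosts), ", ".join(hosts))


if __name__ == "__main__":
    ok, msg = check_single_renewal_master(SAMPLE_LDIF)
    print("OK" if ok else "PROBLEM", "-", msg)
```

Run the ldapsearch against each master separately and compare; if the two servers disagree, or both carry the flag as here, that is the inconsistency to resolve before relying on either one as the renewal master.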

[Freeipa-users] AD trust and UPN issue

2016-05-10 Thread Jan Karásek
Hi, 

thank you for the answer. I have already tried that workaround and still no 
luck. At the moment this is a showstopper for us on two different projects at two 
different customers. 
Any chance to get it patched before 7.3 arrives? 

Thanks, 
Jan 
-- 


Date: Tue, 10 May 2016 14:38:01 +0200 
From: Jakub Hrozek  
To: freeipa-users@redhat.com 
Subject: Re: [Freeipa-users] Fwd: AD trust and UPN issue 
Message-ID: <20160510123801.GE4011@hendrix> 
Content-Type: text/plain; charset=iso-8859-1 

On Tue, May 10, 2016 at 02:17:07PM +0200, Jan Karásek wrote: 
> Hi all, 
> I have lab environment with IPA server and trust to Active directory. 
> IPA server is in a.example.com. 
> AD DC is in example.com. 
> We have also child AD subdomain ext.example.com. 
> Everything is fine until the users in AD domain ext.example.com get the UPN 
> suffix of the root AD domain - example.com - which is a pretty common scenario. 
> Example: 
> user@ext.example.com is set in AD with UPN user@example.com 
> 
> In this situation I am not able to log in to my linux box with 
> user@example.com 
> I have seen some open tickets on this issue, 3559 and others, and they are 
> marked as fixed in IPA 4.2 ... but I'm not sure if it's already fixed in current 
> packages. 
> Currently I am testing on RHEL7 with ipa-server-4.2.0-15.el7_2.6.1.x86_64 and 
> the same situation is on Fedora 23 with freeipa-server-4.2.4-1.fc23.x86_64. 
> I have default settings - no changes in krb5.conf and sssd.conf after ipa 
> trust-add. 
> Also I have found the workaround to set in krb5.conf (see topic: Cannot find 
> KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues in RH archive ) - add 
> another realm just with EXT.EXAMPLE.COM = { kdc = ad.ext.example.com:88 } - 
> but no effect. 
> Could you please confirm that it's possible to use IPA with a different UPN 
> suffix for users in AD than the domain name in which they exist? Is 
> there any additional configuration needed to fix this scenario? 

In general no, not until 7.3. But it might work with a workaround. Can 
you try setting: 
ldap_user_principal = nosuchattr 
subdomain_inherit = ldap_user_principal 
in sssd.conf's domain section on the server? (Yes, server, not client..) 

This should work without the workaround starting with 7.3..

Jan Karásek

ELOS Technologies s.r.o.
U Kanálky 5
120 00  Praha 2

tel. +420 607 008 891
e-mail: jan.kara...@elostech.cz
www.elostech.cz

- Original Message -
From: "freeipa-users-request" 
To: freeipa-users@redhat.com
Sent: Tuesday, May 10, 2016 4:23:56 PM
Subject: Freeipa-users Digest, Vol 94, Issue 63


Re: [Freeipa-users] Restore from backup, start server will error but succeed

2016-05-10 Thread Rob Crittenden

barry...@gmail.com wrote:

> So now how can I restore the normal status?
>
> Can I export those acc out and restore to a new server if same schema?
>
> Manual backup restore I tested before should work.

This is a feature design page. The files there are notes, not a full 
list of things to backup, and definitely not meant as manual instructions.


What I'd recommend is to pause, restate what the problems are with as 
much detail as you can, what you've tried (again, details matter) and 
basically start this process over again so include the cert renewal 
problems, replication issues and now the startup problem. There are now 
something like three separate threads, all asking for similar 
information and none of which are really making any forward progress.


The python error is coming from dogtag so I've cc'd one of their 
developers to see what they think. That will need to be fixed eventually 
as well.


I've found these threads very difficult to follow but it seems like it 
started when cert renewal failed and moved onto replication issues which 
upgrading is probably not going to address and IMHO it is best to not 
add another variable to the mix. In order to migrate to RHEL 7/IPA 4.x 
you need a stable system to migrate from, and in that case the latest 
bits are necessary, as Petr pointed out.


rob



On May 10, 2016 at 8:16 PM, "Martin Basti" wrote:

There are no ipa-restore or ipa-backup commands even on RHEL 6.7 /
CentOS 6.7, so I have no idea how you got those commands there. If you
just copy files manually, it does not work, as you can see.

Martin


On 10.05.2016 14:12, Barry wrote:


The bottom manual file-based backup restore. I remember there's
one for 3.0.

And it worked when tested before.

On May 10, 2016 at 8:00 PM, "Petr Vobornik"
<pvobo...@redhat.com> wrote:

On 05/10/2016 01:49 PM, Martin Basti wrote:
> No there is not python 2.7 on centos 6.x, maybe there is
something wrong in the
> code, let me check first

How did you run the backup and restore? AFAIK it was introduced in
FreeIPA 3.2, then it was introduced in ipa 3.3 release on RHEL
7. It is
not on RHEL 6.

>
>
> On 10.05.2016 13:34, Barry wrote:
>>
>> Ipa 3.0 e47
>>
>> Centos 6.5 . Just update python?
>>
>> On May 10, 2016 at 6:58 PM, "Martin Basti"
>> <mba...@redhat.com> wrote:
>>
>>
>>
>> On 10.05.2016 12:41, barry...@gmail.com
 > wrote:
>>> Hi:
>>>
>>> Restore from backup following the procedure below:
>>> http://www.freeipa.org/page/V3/Backup_and_Restore
>>>
>>> Now the server web page launches but cannot be accessed:
>>> Sorry you are not allowed to access this service.
>>>
>>> Starting dirsrv:
>>> PKI-IPA... [  OK  ]
>>> WISERS-COM... [  OK  ]
>>> Starting KDC Service
>>> Starting Kerberos 5 KDC:  [  OK  ]
>>> Starting KPASSWD Service
>>> Starting Kerberos 5 Admin Server:   [  OK  ]
>>> Starting MEMCACHE Service
>>> Starting ipa_memcached:   [ OK  ]
>>> Starting HTTP Service
>>> Starting httpd:   [ OK  ]
>>> Starting CA Service
>>>
>>>
>>> Starting CA Service
>>> Traceback (most recent call last):
>>>   File "/usr/sbin/pki-server", line 88, in 
>>> cli = PKIServerCLI()
>>>   File "/usr/sbin/pki-server", line 34, in __init__
>>> super(PKIServerCLI, self).__init__('pki-server',
'PKI server
>>> command-line interface')
>>>   File "/usr/lib/python2.6/site-packages/pki/cli.py",
line 39, in __init__
>>> self.modules = collections.OrderedDict()
>>> AttributeError: 'module' object has no attribute
'OrderedDict'
>>> Starting pki-ca:  [ OK  ]
>>>
>>>
>>> Any idea above?
>>>
>>>
>>
>> You are using the old python, python 2.7 is required,
which version of OS
>> and IPA do you use?
>> Martin
>>
>
>
>


--
Petr Vobornik








Re: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates

2016-05-10 Thread Fraser Tweedale
On Tue, May 10, 2016 at 02:33:43PM +0200, Youenn PIOLET wrote:
> Hi Fraser, thanks a lot for your quick reply!
> 
> Could you confirm whether you are on RHEL / CentOS 7.2, and if so,
> > whether it was installed at 7.2 or an upgrade from 7.1 or an earlier
> > version?
> >
> 
> This is a replica that was previously installed in CentOS 7.1.
> I don't exactly remember but I think I used COPR repository to install
> FreeIPA 4.2 and then upgraded CentOS to 7.2.
> 
> Also, I remember my pki got broken after upgrading this replica in 7.2. I
> had to renew the replica's certificate and force-sync to successfully
> launch pki-tomcatd. Now this replica is my pki master.
> 
Thanks for the background.  Every piece of evidence can help find
the bug :)

> 
> > > ### certprofile
> > > $ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert
> > > ---
> > > Profile configuration stored in file 'caIPAserviceCert.cfg'
> > > ---
> > >   Profile ID: caIPAserviceCert
> > >   Profile description: Standard profile for network services
> > >   Store issued certificates: TRUE
> > >
> > You do not include the caIPAserviceCert.cfg in the diffs below,
> > however, I suspect you will find it to be identical to
> > /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg.  Could you
> > please confirm this?
> >
> 
> Ah true... I did not realise I was actually writing a new file!
> And you're right, the diff is the same (except 2 profileId/classId lines that
> don't exist in the template + enableBy that differs)
> 
> FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem
> > which stores profile configuration in LDAP.  The file output by the
> > ``ipa certprofile-show`` command will have come from LDAP; this is
> > the version that's actually in use in your IPA installation.
> >
> 
> Thanks a lot for your answers.
> 
> So now, what would you suggest me to do?
> Replace my /tmp/caIPAserviceCert.cfg with your suggested values and import
> to LDAP ?
> 
I'd recommend copying the IPA template from
/usr/share/ipa/profiles/caIPAserviceCert.cfg, then filling out the
params manually and updating the profile.  There are four config
params that require substitutions; fill them out like below:

- policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, o=YOUR-DOMAIN

  (note the SINGLE '$'s; they are double '$$' in the template)

- policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.YOUR-DOMAIN/ca/ocsp

- policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca

- policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.YOUR-DOMAIN/ipa/crl/MasterCRL.bin

Leave other values unchanged.  Import the updated profile by
running:

ipa certprofile-mod caIPAserviceCert --file new.cfg

Then certificates should be issued as expected.

Cheers,
Fraser


> Cheers,
> 
> 
> > > And a diff between them :
> > >
> > > $ diff /usr/share/ipa/profiles/caIPAserviceCert.cfg
> > > /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
> > > 1,2d0
> > > < profileId=caIPAserviceCert
> > > < classId=caEnrollImpl
> > > 15c13
> > > < policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
> > > ---
> > > > policyset.serverCertSet.list=1,2,3,4,5,6,7,8
> > > 22c20
> > > < policyset.serverCertSet.1.default.params.name=CN=$$
> > > request.req_subject_name.cn$$, $SUBJECT_DN_O
> > > ---
> > > > policyset.serverCertSet.1.default.params.name=CN=$
> > > request.req_subject_name.cn$, OU=pki-ipa, O=IPA
> > > 48c46
> > > <
> > >
> > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://
> > > $IPA_CA_RECORD.$DOMAIN/ca/ocsp
> > > ---
> > > > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
> > > 95,97c93,95
> > > <
> > >
> > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
> > > <
> > >
> > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
> > > <
> > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://
> > > $IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
> > > ---
> > > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=
> > > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=
> > > > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=
> > > https://ipa.example.com/ipa/crl/MasterCRL.bin
> > > 100,109d97
> > > < policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
> > > < policyset.serverCertSet.10.constraint.name=No Constraint
> > > <
> > >
> > policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
> > > < policyset.serverCertSet.10.default.name=Subject Key Identifier
> > Extension
> > > Default
> > > < policyset.serverCertSet.10.default.params.critical=false
> > > < policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
> > > < 
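Fraser's procedure above (copy the IPA template, fill in the four substitution variables, collapse `$$` to `$`, import with `ipa certprofile-mod`) and the diff it is based on, as an added example in Python; this is not FreeIPA's or Dogtag's own code. It renders the template and then checks the result two ways before import: no upper-case `$VARIABLE` is left unresolved, and the enabled policy set really contains the `userExtensionDefaultImpl` entry with OID 2.5.29.17 (subjectAltName), which is exactly what the Dogtag default found in use lacks and why the issued certificates had no DNS SAN. The template and default excerpts are constructed from the lines in the diff, not the full files; `example.com`, `O=EXAMPLE.COM` and the use of Python's `string.Template` (which treats `$$` as an escaped `$`) are assumptions.

```python
"""Render the IPA caIPAserviceCert profile template and check it before import.

Added example; not FreeIPA's or Dogtag's own code.  Given the template text
(/usr/share/ipa/profiles/caIPAserviceCert.cfg on a real server), it fills the
four substitution variables Fraser lists, collapses '$$' to '$', and verifies
that (a) no template variable is left behind and (b) the enabled policy set
includes the entry that copies the request's subjectAltName (OID 2.5.29.17),
which the Dogtag default profile found in use lacks.
"""
import re
from string import Template

# Constructed excerpt of the IPA template: the variable-bearing lines from the
# diff in the thread plus the SAN entry (policy 11).  Not the complete file.
TEMPLATE = """\
profileId=caIPAserviceCert
classId=caEnrollImpl
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
"""

# Constructed excerpt of the Dogtag default that was actually in use: the policy
# list stops at 8, so nothing copies the SAN from the request.
DOGTAG_DEFAULT = """\
policyset.serverCertSet.list=1,2,3,4,5,6,7,8
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA
"""


def render_profile(template_text, domain, subject_dn_o, ipa_ca_record="ipa-ca",
                   crl_issuer="CN=Certificate Authority,o=ipaca"):
    """Fill $DOMAIN, $SUBJECT_DN_O, $IPA_CA_RECORD and $CRL_ISSUER.

    string.Template turns '$$' into a single '$', which is why the template
    doubles the dollars around Dogtag's own $request.req_subject_name.cn$.
    An unknown variable raises KeyError instead of slipping through.
    """
    return Template(template_text).substitute(
        DOMAIN=domain, SUBJECT_DN_O=subject_dn_o,
        IPA_CA_RECORD=ipa_ca_record, CRL_ISSUER=crl_issuer)


def parse_profile(cfg_text):
    """key=value lines into a dict; values may themselves contain '='."""
    cfg = {}
    for line in cfg_text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            cfg[key.strip()] = val.strip()
    return cfg


def unresolved_vars(cfg_text):
    """Template variables still present (upper-case $NAME; Dogtag's $request...$ is lower-case)."""
    return sorted(set(re.findall(r"\$([A-Z][A-Z0-9_]*)", cfg_text)))


def san_enabled(cfg_text):
    """True if an enabled policy entry copies the request's SAN extension (2.5.29.17)."""
    cfg = parse_profile(cfg_text)
    for n in cfg.get("policyset.serverCertSet.list", "").split(","):
        if cfg.get("policyset.serverCertSet.%s.default.params.userExtOID" % n.strip()) == "2.5.29.17":
            return True
    return False


def check_profile(cfg_text):
    """Collect the problems that would make the imported profile misbehave."""
    problems = []
    leftover = unresolved_vars(cfg_text)
    if leftover:
        problems.append("unresolved template variables: %s" % ", ".join(leftover))
    if not san_enabled(cfg_text):
        problems.append("no enabled policy copies subjectAltName (userExtOID 2.5.29.17)")
    return problems


if __name__ == "__main__":
    new_cfg = render_profile(TEMPLATE, domain="example.com", subject_dn_o="O=EXAMPLE.COM")
    print(new_cfg)
    print("rendered profile problems:", check_profile(new_cfg) or "none")
    print("dogtag default problems:", check_profile(DOGTAG_DEFAULT))
```

Write the rendered text to `new.cfg` only when `check_profile` returns an empty list, then import it with `ipa certprofile-mod caIPAserviceCert --file new.cfg` as Fraser describes; running `ipa certprofile-show --out` afterwards and passing that file through `check_profile` confirms the LDAP copy is the one with the SAN entry.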

Re: [Freeipa-users] Fwd: AD trust and UPN issue

2016-05-10 Thread Jakub Hrozek
On Tue, May 10, 2016 at 02:17:07PM +0200, Jan Karásek wrote:
> Hi all, 
> I have lab environment with IPA server and trust to Active directory. 
> IPA server is in a.example.com. 
> AD DC is in example.com. 
> We have also child AD subdomain ext.example.com. 
> Everything is fine until the users in AD domain ext.example.com get the UPN 
> suffix of the root AD domain - example.com - which is a pretty common scenario. 
> Example: 
> user@ext.example.com is set in AD with UPN user@example.com 
> 
> In this situation I am not able to log in to my linux box with 
> user@example.com 
> I have seen some open tickets on this issue, 3559 and others, and they are 
> marked as fixed in IPA 4.2 ... but I'm not sure if it's already fixed in current 
> packages. 
> Currently I am testing on RHEL7 with ipa-server-4.2.0-15.el7_2.6.1.x86_64 and 
> the same situation is on Fedora 23 with freeipa-server-4.2.4-1.fc23.x86_64. 
> I have default settings - no changes in krb5.conf and sssd.conf after ipa 
> trust-add. 
> Also I have found the workaround to set in krb5.conf (see topic: Cannot find 
> KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues in RH archive ) - add 
> another realm just with EXT.EXAMPLE.COM = { kdc = ad.ext.example.com:88 } - 
> but no effect. 
> Could you please confirm that it's possible to use IPA with a different UPN 
> suffix for users in AD than the domain name in which they exist? Is 
> there any additional configuration needed to fix this scenario? 

In general no, not until 7.3. But it might work with a workaround. Can
you try setting:
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal
in sssd.conf's domain section on the server? (Yes, server, not client..)

This should work without the workaround starting with 7.3..



Re: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates

2016-05-10 Thread Youenn PIOLET
Hi Fraser, thanks a lot for your quick reply!

Could you confirm whether you are on RHEL / CentOS 7.2, and if so,
> whether it was installed at 7.2 or an upgrade from 7.1 or an earlier
> version?
>

This is a replica that was previously installed in CentOS 7.1.
I don't exactly remember but I think I used COPR repository to install
FreeIPA 4.2 and then upgraded CentOS to 7.2.

Also, I remember my pki got broken after upgrading this replica in 7.2. I
had to renew the replica's certificate and force-sync to successfully
launch pki-tomcatd. Now this replica is my pki master.


> > ### certprofile
> > $ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert
> > ---
> > Profile configuration stored in file 'caIPAserviceCert.cfg'
> > ---
> >   Profile ID: caIPAserviceCert
> >   Profile description: Standard profile for network services
> >   Store issued certificates: TRUE
> >
> You do not include the caIPAserviceCert.cfg in the diffs below,
> however, I suspect you will find it to be identical to
> /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg.  Could you
> please confirm this?
>

Ah true... I did not realise I was actually writing a new file!
And you're right, the diff is the same (except 2 profileId/classId lines that
don't exist in the template + enableBy that differs)

FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem
> which stores profile configuration in LDAP.  The file output by the
> ``ipa certprofile-show`` command will have come from LDAP; this is
> the version that's actually in use in your IPA installation.
>

Thanks a lot for your answers.

So now, what would you suggest me to do?
Replace my /tmp/caIPAserviceCert.cfg with your suggested values and import
to LDAP ?

Cheers,


> > And a diff between them :
> >
> > $ diff /usr/share/ipa/profiles/caIPAserviceCert.cfg
> > /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
> > 1,2d0
> > < profileId=caIPAserviceCert
> > < classId=caEnrollImpl
> > 15c13
> > < policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
> > ---
> > > policyset.serverCertSet.list=1,2,3,4,5,6,7,8
> > 22c20
> > < policyset.serverCertSet.1.default.params.name=CN=$$
> > request.req_subject_name.cn$$, $SUBJECT_DN_O
> > ---
> > > policyset.serverCertSet.1.default.params.name=CN=$
> > request.req_subject_name.cn$, OU=pki-ipa, O=IPA
> > 48c46
> > <
> >
> policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://
> > $IPA_CA_RECORD.$DOMAIN/ca/ocsp
> > ---
> > > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
> > 95,97c93,95
> > <
> >
> policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
> > <
> >
> policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
> > <
> policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://
> > $IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
> > ---
> > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=
> > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=
> > > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=
> > https://ipa.example.com/ipa/crl/MasterCRL.bin
> > 100,109d97
> > < policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
> > < policyset.serverCertSet.10.constraint.name=No Constraint
> > <
> >
> policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
> > < policyset.serverCertSet.10.default.name=Subject Key Identifier
> Extension
> > Default
> > < policyset.serverCertSet.10.default.params.critical=false
> > < policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
> > < policyset.serverCertSet.11.constraint.name=No Constraint
> > < policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
> > < policyset.serverCertSet.11.default.name=User Supplied Extension
> Default
> > < policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
> >
> > Thanks in advance for your support,
> > Regards
> >
> > --
> > Youenn Piolet
> > piole...@gmail.com
> >
> >
> > 2016-03-31 9:41 GMT+02:00 Fraser Tweedale :
> >
> > > On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin Štefany wrote:
> > > > Hello,
> > > >
> > > > I seem to be having some issues with IPA CA feature not generating
> > > > certificates with DNS SubjectAltNames.
> > > >
> > > > I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now
> under
> > > > CentOS 7.2 / IPA 4.2 something's different.
> > > >
> > > > Here are the original steps which worked fine for my first use case
> ::
> > > >
> > > > $ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25
> > > > $ ipa host-add mail.example.com
> > > > $ ipa service-add smtp/mail.example.com
> > > > $ ipa service-add smtp/mail1.example.com
> > > > $ ipa service-add-host smtp/mail.example.com --hosts=
> mail1.example.com
> > > > $ ipa-getcert request -k 

[Freeipa-users] Fwd: AD trust and UPN issue

2016-05-10 Thread Jan Karásek
Hi all, 
I have lab environment with IPA server and trust to Active directory. 
IPA server is in a.example.com. 
AD DC is in example.com. 
We have also child AD subdomain ext.example.com. 
Everything is fine until the users in AD domain ext.example.com get the UPN 
suffix of the root AD domain - example.com - which is a pretty common scenario. 
Example: 
user@ext.example.com is set in AD with UPN user@example.com 

In this situation I am not able to log in to my linux box with 
user@example.com 
I have seen some open tickets on this issue, 3559 and others, and they are 
marked as fixed in IPA 4.2 ... but I'm not sure if it's already fixed in current 
packages. 
Currently I am testing on RHEL7 with ipa-server-4.2.0-15.el7_2.6.1.x86_64 and 
the same situation is on Fedora 23 with freeipa-server-4.2.4-1.fc23.x86_64. 
I have default settings - no changes in krb5.conf and sssd.conf after ipa 
trust-add. 
Also I have found the workaround to set in krb5.conf (see topic: Cannot find 
KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues in RH archive ) - add 
another realm just with EXT.EXAMPLE.COM = { kdc = ad.ext.example.com:88 } - but 
no effect. 
Could you please confirm that it's possible to use IPA with a different UPN 
suffix for users in AD than the domain name in which they exist? Is there 
any additional configuration needed to fix this scenario? 

Regards, 
Jan



Re: [Freeipa-users] Restore from backup, start server will error but succeed

2016-05-10 Thread barrykfl
So now how can I restore the normal status?

Can I export those acc out and restore to a new server if same schema?

Manual backup restore I tested before should work.
On May 10, 2016 at 8:16 PM, "Martin Basti" wrote:

> There are no ipa-restore or ipa-backup commands even on RHEL 6.7 / CentOS 6.7,
> so I have no idea how you got those commands there. If you just copy files
> manually, it does not work, as you can see.
>
> Martin
>
> On 10.05.2016 14:12, Barry wrote:
>
> The bottom manual file-based backup restore. I remember there's one for
> 3.0.
>
> And it worked when tested before.
> On May 10, 2016 at 8:00 PM, "Petr Vobornik" wrote:
>
>> On 05/10/2016 01:49 PM, Martin Basti wrote:
>> > No there is not python 2.7 on centos 6.x, maybe there is something
>> wrong in the
>> > code, let me check first
>>
>> How did you run the backup and restore? AFAIK it was introduced in
>> FreeIPA 3.2, then it was introduced in ipa 3.3 release on RHEL 7. It is
>> not on RHEL 6.
>>
>> >
>> >
>> > On 10.05.2016 13:34, Barry wrote:
>> >>
>> >> Ipa 3.0 e47
>> >>
>> >> Centos 6.5 . Just update python?
>> >>
>> >> On May 10, 2016 at 6:58 PM, "Martin Basti"
>> >> <mba...@redhat.com> wrote:
>> >>
>> >>
>> >>
>> >> On 10.05.2016 12:41, barry...@gmail.com 
>> wrote:
>> >>> Hi:
>> >>>
>> >>> Restore from backup following the procedure below:
>> >>> http://www.freeipa.org/page/V3/Backup_and_Restore
>> >>>
>> >>> Now the server web page launches but cannot be accessed:
>> >>> Sorry you are not allowed to access this service.
>> >>>
>> >>> Starting dirsrv:
>> >>> PKI-IPA... [  OK  ]
>> >>> WISERS-COM... [  OK  ]
>> >>> Starting KDC Service
>> >>> Starting Kerberos 5 KDC:   [  OK
>> ]
>> >>> Starting KPASSWD Service
>> >>> Starting Kerberos 5 Admin Server:  [  OK
>> ]
>> >>> Starting MEMCACHE Service
>> >>> Starting ipa_memcached:[ OK  ]
>> >>> Starting HTTP Service
>> >>> Starting httpd:[ OK  ]
>> >>> Starting CA Service
>> >>>
>> >>>
>> >>> Starting CA Service
>> >>> Traceback (most recent call last):
>> >>>   File "/usr/sbin/pki-server", line 88, in 
>> >>> cli = PKIServerCLI()
>> >>>   File "/usr/sbin/pki-server", line 34, in __init__
>> >>> super(PKIServerCLI, self).__init__('pki-server', 'PKI server
>> >>> command-line interface')
>> >>>   File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in
>> __init__
>> >>> self.modules = collections.OrderedDict()
>> >>> AttributeError: 'module' object has no attribute 'OrderedDict'
>> >>> Starting pki-ca:   [ OK  ]
>> >>>
>> >>>
>> >>> Any idea above?
>> >>>
>> >>>
>> >>
>> >> You are using the old python, python 2.7 is required, which
>> version of OS
>> >> and IPA do you use?
>> >> Martin
>> >>
>> >
>> >
>> >
>>
>>
>> --
>> Petr Vobornik
>>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Restore from backup, start server will error but success

2016-05-10 Thread Martin Basti
There are no ipa-restore or ipa-backup commands even on RHEL 6.7 or 
CentOS 6.7, so I have no idea how you got those commands there. If you 
just copy files manually it does not work, as you can see.


Martin



Re: [Freeipa-users] Restore from backup, start server will error but success

2016-05-10 Thread Barry
The bottom one is the manual file-based backup restore. I remember there's one
for 3.0.

And it worked when I tested it before.

Re: [Freeipa-users] Restore from backup, start server will error but success

2016-05-10 Thread Petr Vobornik
On 05/10/2016 01:49 PM, Martin Basti wrote:
> No, there is no python 2.7 on CentOS 6.x; maybe there is something wrong in
> the code, let me check first

How did you run the backup and restore? AFAIK it was introduced in
FreeIPA 3.2, then it was introduced in the ipa 3.3 release on RHEL 7. It is
not on RHEL 6.



-- 
Petr Vobornik


Re: [Freeipa-users] Restore from backup, start server will error but success

2016-05-10 Thread Martin Basti
No, there is no python 2.7 on CentOS 6.x; maybe there is something wrong 
in the code, let me check first.




Re: [Freeipa-users] Restore from backup, start server will error but success

2016-05-10 Thread Barry
IPA 3.0 e47

CentOS 6.5. Just update python?

Re: [Freeipa-users] Restore from backup, start server will error but success

2016-05-10 Thread Martin Basti



You are using the old python; python 2.7 is required. Which version of 
OS and IPA do you use?

Martin

Re: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates

2016-05-10 Thread Fraser Tweedale
On Tue, May 10, 2016 at 11:51:26AM +0200, Youenn PIOLET wrote:
> Hi Fraser, Martin,
> 
> I've got exactly the same problem with no DNS AltName and OU=pki-ipa,O=IPA
> in the subject.
> 
Hi Youenn,

I'm currently investigating this issue; the state of the system
is clear but I'm still trying to work out how it gets there.

Could you confirm whether you are on RHEL / CentOS 7.2, and if so,
whether it was installed at 7.2 or an upgrade from 7.1 or an earlier
version?

Further commentary below.

> ### certprofile
> $ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert
> ---
> Profile configuration stored in file 'caIPAserviceCert.cfg'
> ---
>   Profile ID: caIPAserviceCert
>   Profile description: Standard profile for network services
>   Store issued certificates: TRUE
> 
You do not include the caIPAserviceCert.cfg in the diffs below,
however, I suspect you will find it to be identical to
/usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg.  Could you
please confirm this?

> 
> ### My /etc/pki/pki-tomcat/ca/CS.cfg :
> http://pastebin.com/wnVWH8bq
> 
Thanks for sharing; everything looks fine here.

> ### caIPAserviceCert
> I'd like to send you my caIPAserviceCert.cfg, two of them are present on my
> system:
> 
> - /usr/share/ipa/profiles/caIPAserviceCert.cfg :
> http://pastebin.com/byddqgSF
>
(The rest of my reply is just an FYI on where FreeIPA/Dogtag stores
profile configuration.)

Profile configurations in /usr/share/ipa/profiles/ are templates
owned by IPA, with placeholders that get filled out when IPA imports
the profile.

> - /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg :
> http://pastebin.com/FFUTytDq
> 
Profiles stored here are the default profiles added to a Dogtag
instance, however, the files at these locations are not used by
running instances.

But wait, there's more!  You should also find
/var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg.  This
one is used by Dogtag if the file-based ProfileSubsystem is used.

FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem
which stores profile configuration in LDAP.  The file output by the
``ipa certprofile-show`` command will have come from LDAP; this is
the version that's actually in use in your IPA installation.

Cheers,
Fraser


> And a diff between them :
> 
> $ diff /usr/share/ipa/profiles/caIPAserviceCert.cfg
> /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
> 1,2d0
> < profileId=caIPAserviceCert
> < classId=caEnrollImpl
> 15c13
> < policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
> ---
> > policyset.serverCertSet.list=1,2,3,4,5,6,7,8
> 22c20
> < policyset.serverCertSet.1.default.params.name=CN=$$
> request.req_subject_name.cn$$, $SUBJECT_DN_O
> ---
> > policyset.serverCertSet.1.default.params.name=CN=$
> request.req_subject_name.cn$, OU=pki-ipa, O=IPA
> 48c46
> <
> policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://
> $IPA_CA_RECORD.$DOMAIN/ca/ocsp
> ---
> > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
> 95,97c93,95
> <
> policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
> <
> policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
> < policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://
> $IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
> ---
> > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=
> > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=
> > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=
> https://ipa.example.com/ipa/crl/MasterCRL.bin
> 100,109d97
> < policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
> < policyset.serverCertSet.10.constraint.name=No Constraint
> <
> policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
> < policyset.serverCertSet.10.default.name=Subject Key Identifier Extension
> Default
> < policyset.serverCertSet.10.default.params.critical=false
> < policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
> < policyset.serverCertSet.11.constraint.name=No Constraint
> < policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
> < policyset.serverCertSet.11.default.name=User Supplied Extension Default
> < policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
> 
> Thanks by advance for your support,
> Regards
> 
> --
> Youenn Piolet
> piole...@gmail.com
> 
> 
> 2016-03-31 9:41 GMT+02:00 Fraser Tweedale :
> 
> > On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin Štefany wrote:
> > > Hello,
> > >
> > > I seem to be having some issues with IPA CA feature not generating
> > > certificates with DNS SubjectAltNames.
> > >
> > > I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under
> > > CentOS 7.2 / IPA 4.2 something's different.
> > >
> > > Here are the original steps which worked fine for my 

[Freeipa-users] Restore from backup, start server will error but success

2016-05-10 Thread barrykfl
Hi:

Restored from backup following the procedure below:
http://www.freeipa.org/page/V3/Backup_and_Restore

Now the server web page launches but cannot be accessed:
Sorry you are not allowed to access this service.

Starting dirsrv:
PKI-IPA... [  OK  ]
WISERS-COM...  [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:[  OK  ]
Starting HTTP Service
Starting httpd:[  OK  ]
Starting CA Service


Starting CA Service
Traceback (most recent call last):
  File "/usr/sbin/pki-server", line 88, in <module>
    cli = PKIServerCLI()
  File "/usr/sbin/pki-server", line 34, in __init__
    super(PKIServerCLI, self).__init__('pki-server', 'PKI server command-line interface')
  File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in __init__
    self.modules = collections.OrderedDict()
AttributeError: 'module' object has no attribute 'OrderedDict'
Starting pki-ca:   [  OK  ]


Any idea above?

[Freeipa-users] Upgrade to new IPA

2016-05-10 Thread barrykfl
Hi all:

I'm using FreeIPA 3.0... is there a fast way to export usernames / passwords
and migrate to a new 4.0 server, not an in-place upgrade?


Regards

Barry

Re: [Freeipa-users] Upgrade to new IPA

2016-05-10 Thread Petr Vobornik
On 05/10/2016 12:36 PM, barry...@gmail.com wrote:
> Hi all:
> 
> I'm using FreeIPA 3.0... is there a fast way to export usernames / passwords
> and migrate to a new 4.0 server, not an in-place upgrade?
> 

The recommended method is to do an in-place upgrade to the latest
RHEL/CentOS 6, then migrate to RHEL 7 by creating a new replica; see the
full process here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc
-- 
Petr Vobornik



Re: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates

2016-05-10 Thread Youenn PIOLET
Hi Fraser, Martin,

I've got exactly the same problem with no DNS AltName and OU=pki-ipa,O=IPA
in the subject.

### certprofile
$ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert
---
Profile configuration stored in file 'caIPAserviceCert.cfg'
---
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE


### My /etc/pki/pki-tomcat/ca/CS.cfg :
http://pastebin.com/wnVWH8bq

### caIPAserviceCert
I'd like to send you my caIPAserviceCert.cfg, two of them are present on my
system:

- /usr/share/ipa/profiles/caIPAserviceCert.cfg :
http://pastebin.com/byddqgSF
- /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg :
http://pastebin.com/FFUTytDq

And a diff between them :

$ diff /usr/share/ipa/profiles/caIPAserviceCert.cfg
/usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
1,2d0
< profileId=caIPAserviceCert
< classId=caEnrollImpl
15c13
< policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
---
> policyset.serverCertSet.list=1,2,3,4,5,6,7,8
22c20
< policyset.serverCertSet.1.default.params.name=CN=$$
request.req_subject_name.cn$$, $SUBJECT_DN_O
---
> policyset.serverCertSet.1.default.params.name=CN=$
request.req_subject_name.cn$, OU=pki-ipa, O=IPA
48c46
<
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://
$IPA_CA_RECORD.$DOMAIN/ca/ocsp
---
> policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
95,97c93,95
<
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
<
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
< policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://
$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
---
> policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=
> policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=
> policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=
https://ipa.example.com/ipa/crl/MasterCRL.bin
100,109d97
< policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
< policyset.serverCertSet.10.constraint.name=No Constraint
<
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
< policyset.serverCertSet.10.default.name=Subject Key Identifier Extension
Default
< policyset.serverCertSet.10.default.params.critical=false
< policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
< policyset.serverCertSet.11.constraint.name=No Constraint
< policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
< policyset.serverCertSet.11.default.name=User Supplied Extension Default
< policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17

Thanks in advance for your support,
Regards

--
Youenn Piolet
piole...@gmail.com


2016-03-31 9:41 GMT+02:00 Fraser Tweedale :

> On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin Štefany wrote:
> > Hello,
> >
> > I seem to be having some issues with IPA CA feature not generating
> > certificates with DNS SubjectAltNames.
> >
> > I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under
> > CentOS 7.2 / IPA 4.2 something's different.
> >
> > Here are the original steps which worked fine for my first use case ::
> >
> > $ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25
> > $ ipa host-add mail.example.com
> > $ ipa service-add smtp/mail.example.com
> > $ ipa service-add smtp/mail1.example.com
> > $ ipa service-add-host smtp/mail.example.com --hosts=mail1.example.com
> > $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \
> >   -f /etc/pki/tls/certs/postfix.pem   \
> >   -N CN=mail1.example.com,O=EXAMPLE.COM \
> >   -D mail1.example.com -D mail.example.com \
> >   -K smtp/mail1.example.com
> > (and repeat for every next member of the cluster...)
> >
> > After this, I would get certificate with something like ::
> > $ sudo ipa-getcert list
> > Number of certificates and requests being tracked: 3.
> > Request ID '20150419153933':
> >   status: MONITORING
> >   stuck: no
> >   key pair storage:
> > type=FILE,location='/etc/pki/tls/private/postfix.key'
> >   certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem'
> >   CA: IPA
> >   issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >   subject: CN=mail1.example.com,O=EXAMPLE.COM
> >   expires: 2017-04-19 15:39:35 UTC
> >   dns: mail1.example.com,mail.example.com
> >   principal name: smtp/mail1.example@example.com
> >   key usage:
> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >   eku: id-kp-serverAuth,id-kp-clientAuth
> >   pre-save command:
> >   post-save command:
> >   track: yes
> >   auto-renew: yes
> >
> > with Subject line in form of: 'CN=,O=EXAMPLE.COM' and 'dns'
> > info line present.
> >

Re: [Freeipa-users] ipa-server-upgrade fails and CA cannot start

2016-05-10 Thread Petr Vobornik
On 05/08/2016 09:49 PM, Andrew C. Dingman wrote:
> For those of you who recognize me from non-public lists and chats, this
> is a whole different setup from the one we've been discussing there.
> 
> This is on a RHEL 7 system, and unfortunately for me the CA master in
> my personal IPA realm. When I attempted to update using yum on April
> 15th, the ipa-server-update script failed with what seems to be a dbus
> error, and I have been unable to start the CA (and therefore ipa in
> general) since. As a result, my personal systems are running on one IPA
> server, which makes me more than a little nervous.
> 
> The relevant bit of the upgrade log seems to be:
> 
> 2016-05-08T19:03:08Z DEBUG stderr=
> 2016-05-08T19:03:08Z INFO [Upgrading CA schema]
> 2016-05-08T19:03:08Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-
> ACDINGMAN-COM.socket from SchemaCache
> 2016-05-08T19:03:08Z DEBUG retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-ACDINGMAN-COM.socket
> conn=
> 2016-05-08T19:03:08Z DEBUG Processing schema LDIF file
> /usr/share/pki/server/conf/schema-certProfile.ldif
> 2016-05-08T19:03:08Z DEBUG Not updating schema
> 2016-05-08T19:03:08Z INFO CA schema update complete (no changes)
> 2016-05-08T19:03:08Z INFO [Verifying that CA audit signing cert has 2
> year validity]
> 2016-05-08T19:03:08Z DEBUG caSignedLogCert.cfg profile validity range
> is 720
> 2016-05-08T19:03:08Z INFO [Update certmonger certificate renewal
> configuration to version 4]
> 2016-05-08T19:03:08Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2016-05-08T19:03:08Z ERROR Failed to get request: bus, object_path and
> dbus_interface must not be None.
> 2016-05-08T19:03:08Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2016-05-08T19:03:08Z DEBUG   File "/usr/lib/python2.7/site-
> packages/ipapython/admintool.py", line 171, in execute
> return_value = self.run()
>   File "/usr/lib/python2.7/site-
> packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run
> raise admintool.ScriptError(str(e))
> 
> 2016-05-08T19:03:08Z DEBUG The ipa-server-upgrade command failed,
> exception: ScriptError: bus, object_path and dbus_interface must not be
> None.
> 2016-05-08T19:03:08Z ERROR bus, object_path and dbus_interface must not
> be None.
> 
> There's a whole lot more, nearly 4MiB of log even when I reduce it to
> my most recent attempt to run the upgrade script.
> 
> "getcert list" successfully shows 8 certificate requests being tracked.
> Four are in "MONITORING" status, four in "NEED_CA". The NEED_CA
> requests all indicate expiration back in February, and look like
> crucial certificates: CN=CA Subsystem, CN=IPA RA, CN=CA Audit
> and CN=OCSP Subsystem.
> 
> On the working replica, all eight are in "MONITORING" status and have
> expiration dates in 2017 or later. I have not attempted the package
> update on that system. Should I consider promoting this one to CA
> master, force-deleting the old one, and reinstalling it as a new
> system?
> 
> Please let me know what other information would be helpful for
> diagnostics. The current state of all packages on the broken master is
> up to earlier today from the official Red Hat content distribution
> network.
> 

Hello Andrew,

Could you paste the output of `ipactl start`?

Also, when the upgrader fails it tends to leave the directory server not
accessible by changing the 389 and 636 ports.

It could be verified by:

$ ldapsearch -ZZ -h `hostname` -D "cn=Directory Manager" -W -s base -b
"cn=config" | grep "nsslapd-security\|nsslapd-port"
Enter LDAP Password:
nsslapd-requiresrestart: cn=config:nsslapd-port
nsslapd-port: 389
nsslapd-security: on

If there are values other than '389' and 'on' (usually '0' and 'off')
then it might be the reason why IPA doesn't start. Changing them back to
'on' and 389 might help.

But it won't say why the upgrader failed. Maybe it was a one-time glitch
or it was related to the expired certs.

The error message you got is in the code which creates the connection to
certmonger.

But if there are expired certificates, the usual recovery is to move the
time back to a day or two before the first certificate expires and let
certmonger renew the certs. Optionally the renewal can be forced by the
`getcert resubmit -i $certid` command.
-- 
Petr Vobornik
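To make the "move the time back to a day or two before the first certificate expires" step concrete, here is an added example (not code from the thread, FreeIPA or certmonger) that parses `getcert list` output of the shape Andrew and Martin Štefany pasted, lists the tracked requests that are expired or in NEED_CA, and computes the point in time to which the clock would have to be set back. The sample output, request IDs, subjects and dates are constructed.

```python
"""Find expired / NEED_CA certmonger requests in `getcert list` output and
compute the rollback date for the renewal procedure described in the thread.
Added example; not part of FreeIPA or certmonger."""
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of `getcert list` output as shown in this
# thread (Request ID / status / subject / expires lines). IDs, subjects and
# dates are made up and do not come from any real installation.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20160210093005':
\tstatus: NEED_CA
\tstuck: no
\tCA: IPA
\tsubject: CN=CA Subsystem,O=EXAMPLE.COM
\texpires: 2016-02-14 08:21:55 UTC
\tpre-save command:
\ttrack: yes
Request ID '20160210093006':
\tstatus: NEED_CA
\tsubject: CN=IPA RA,O=EXAMPLE.COM
\texpires: 2016-02-12 08:21:55 UTC
Request ID '20150419153933':
\tstatus: MONITORING
\tsubject: CN=mail1.example.com,O=EXAMPLE.COM
\texpires: 2017-04-19 15:39:35 UTC
"""

# The day this thread was written, used as "now" for the demonstration.
THREAD_DATE = datetime(2016, 5, 10, 12, 0, 0)

EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"
_REQ = re.compile(r"^Request ID '([^']+)':")
_FIELD = re.compile(r"^\s+([A-Za-z][\w -]*?):\s*(.*)$")


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block; keys are the indented field
    names ('status', 'subject', 'expires', ...) as printed by getcert."""
    requests = []
    current = None
    for line in text.splitlines():
        m = _REQ.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return requests


def needs_renewal(requests, now):
    """Requests whose certificate has expired as of `now`, or which certmonger
    already reports as NEED_CA (the state Andrew saw for the CA certs)."""
    out = []
    for req in requests:
        expires = req.get("expires")
        if not expires:
            continue  # request without an issued certificate; nothing to renew
        when = datetime.strptime(expires, EXPIRES_FMT)
        if when < now or req.get("status") == "NEED_CA":
            out.append(dict(req, expires_dt=when))
    return out


def rollback_target(requests, now, margin_days=2):
    """Point in time to set the clock to so every certificate reported by
    needs_renewal() is valid again, with `margin_days` of slack before the
    earliest expiry. Returns None when nothing needs renewing."""
    bad = needs_renewal(requests, now)
    if not bad:
        return None
    earliest = min(r["expires_dt"] for r in bad)
    return earliest - timedelta(days=margin_days)


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE_GETCERT_LIST)
    for r in needs_renewal(reqs, THREAD_DATE):
        print("%s  %-10s expired %s  %s"
              % (r["id"], r["status"], r["expires"], r["subject"]))
    print("set the clock to about:", rollback_target(reqs, THREAD_DATE))
```

After the clock is set back and certmonger has renewed the certificates (or `getcert resubmit -i <id>` has been run for each listed request), re-run the parser on fresh `getcert list` output to confirm that needs_renewal() returns an empty list before restoring the real time.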



Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-05-10 Thread barrykfl
Just wondering whether the FreeIPA package will have bugs if the OS is too old.
On 10 May 2016 at 3:09 PM, "Lukas Slebodnik" wrote:

> On (10/05/16 08:19), barry...@gmail.com wrote:
> >Do you mean the error is related to the OS?
> I mean that there are known bugs in FreeIPA components
> 389-ds, sssd
> CentOS 6.5 is quite an old version.
>
> I would really recommend upgrading to the latest CentOS.
> If there are still problems on the latest CentOS then
> we can try to continue with troubleshooting.
>
> It is not worth spending time analyzing already fixed bugs.
>
> LS
>

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-05-10 Thread Lukas Slebodnik
On (10/05/16 08:19), barry...@gmail.com wrote:
>Do you mean the error is related to the OS?
I mean that there are known bugs in FreeIPA components
389-ds, sssd
CentOS 6.5 is quite an old version.

I would really recommend upgrading to the latest CentOS.
If there are still problems on the latest CentOS then
we can try to continue with troubleshooting.

It is not worth spending time analyzing already fixed bugs.

LS
