Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Lachlan Musicman
It's worth noting that, in difference to the bug report:

1. We aren't making changes to the overrides. The overrides exist, they
just aren't propagating evenly or consistently.
2. We are seeing these errors in the various logs:


sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]]
[sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)


krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8929
[k5c_send_data] (0x0200): Received error code 0
krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8931
[k5c_send_data] (0x0200): Received error code 1432158214

sssd_nss.log:Error: 3, 0, Account info lookup failed
sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply]
(0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error
message: Account info lookup failed
sssd_nss.log:Error: 3, 22, Account info lookup failed
sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply]
(0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error
message: Account info lookup failed


cheers
L.



--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 18 May 2016 at 08:35, Lachlan Musicman  wrote:

> Hmmm, I also now see
>
> https://fedorahosted.org/sssd/ticket/2642
> and
> https://bugzilla.redhat.com/show_bug.cgi?id=1217127
>
> Versions being run:
>
> sssd-client-1.13.0-40.el7_2.4.x86_64
> sssd-ad-1.13.0-40.el7_2.4.x86_64
> sssd-proxy-1.13.0-40.el7_2.4.x86_64
> sssd-1.13.0-40.el7_2.4.x86_64
> sssd-common-1.13.0-40.el7_2.4.x86_64
> sssd-common-pac-1.13.0-40.el7_2.4.x86_64
> sssd-ipa-1.13.0-40.el7_2.4.x86_64
> sssd-ldap-1.13.0-40.el7_2.4.x86_64
> python-sssdconfig-1.13.0-40.el7_2.4.noarch
> sssd-krb5-common-1.13.0-40.el7_2.4.x86_64
> sssd-krb5-1.13.0-40.el7_2.4.x86_64
>
> ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
>
>
> On 17 May 2016 at 22:34, Jakub Hrozek  wrote:
>
>> On Tue, May 17, 2016 at 03:08:37PM +1000, Lachlan Musicman wrote:
>> > FWIW,
>> >
>> > We are seeing the issues that are described here:
>> >
>> >
>> https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html
>> >
>> > I was about to write when I found this, it explains exactly what I am
>> > seeing - right down to the "impossible to reproduce because it's so
>> > (seemingly) random".
>> >
>> >
>> > I am about to read up on the SSSD troubleshooting in order to up the
>> > logs, but here is some output I can share - note that this all happened
>> > in ~5 minutes. As you can see, clearing the cache has various unpredictable
>> > effects. Both users should return the same list of groups. This was
>> > performed on a FreeIPA client.
>>
>> There were some bugs related to external groups, what server and client
>> packages version are you running?
>>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Lachlan Musicman
Hmmm, I also now see

https://fedorahosted.org/sssd/ticket/2642
and
https://bugzilla.redhat.com/show_bug.cgi?id=1217127

Versions being run:

sssd-client-1.13.0-40.el7_2.4.x86_64
sssd-ad-1.13.0-40.el7_2.4.x86_64
sssd-proxy-1.13.0-40.el7_2.4.x86_64
sssd-1.13.0-40.el7_2.4.x86_64
sssd-common-1.13.0-40.el7_2.4.x86_64
sssd-common-pac-1.13.0-40.el7_2.4.x86_64
sssd-ipa-1.13.0-40.el7_2.4.x86_64
sssd-ldap-1.13.0-40.el7_2.4.x86_64
python-sssdconfig-1.13.0-40.el7_2.4.noarch
sssd-krb5-common-1.13.0-40.el7_2.4.x86_64
sssd-krb5-1.13.0-40.el7_2.4.x86_64

ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64



On 17 May 2016 at 22:34, Jakub Hrozek  wrote:

> On Tue, May 17, 2016 at 03:08:37PM +1000, Lachlan Musicman wrote:
> > FWIW,
> >
> > We are seeing the issues that are described here:
> >
> >
> https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html
> >
> > I was about to write when I found this, it explains exactly what I am
> > seeing - right down to the "impossible to reproduce because it's so
> > (seemingly) random".
> >
> >
> > I am about to read up on the SSSD troubleshooting in order to up the
> > logs, but here is some output I can share - note that this all happened
> > in ~5 minutes. As you can see, clearing the cache has various unpredictable
> > effects. Both users should return the same list of groups. This was
> > performed on a FreeIPA client.
>
> There were some bugs related to external groups, what server and client
> packages version are you running?
>

Re: [Freeipa-users] How to determine cause/source of user lockout?

2016-05-17 Thread Prasun Gera
If it's the admin account, there would be a pretty good likelihood of
brute-force attempts if your server is on the internet. One option is to
rename it to something else.
On 17 May 2016 11:36 a.m., "Rich Megginson"  wrote:

> On 05/17/2016 08:18 AM, Rob Crittenden wrote:
>
>> John Duino wrote:
>>
>>> Is there a (relatively easy) way to determine what is causing a user
>>> account to be locked out? The admin account on our 'primary' ipa host is
>>> locked out frequently, but somewhat randomly; sometimes it will be less
>>> than 5 minutes it is available, and other times several hours.
>>>
>>> ipa user-status admin will show something like:
>>> Failed logins: 6
>>> Last successful authentication: 20160516214142Z
>>> Last failed authentication: 20160516224718Z
>>> Time now: 2016-05-16T22:52:00Z
>>>
>>> ipa user-unlock admin  does unlock it.
>>>
>>> But parsing through the various logs on the affected host doesn't give
>>> me what I need to know, primarily, which host(s) are trying to access
>>> admin and causing it to lock.
>>>
>>> FreeIPA 4.2.0 on CentOS 7.2.1511
>>>
>>
>> I think you'd need to poke around in the KDC and 389-ds access log to
>> find the auth attempts. I guess I'd look for PREAUTH_FAILED in
>> /var/log/krb5kdc.log and look for err=49 in the 389-ds logs and then
>> correlate the conn value with a BIND to see who was authenticating.
>>
>
> For 389 you can use the logconv.pl tool
>
>
>> rob
>>
>>

Re: [Freeipa-users] Read-only permission with no authentication

2016-05-17 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Tue, 17 May 2016, Stephen Berg (Contractor) wrote:

I'm trying to set up an account that will only have read permissions
to FreeIPA's user and host info to get some automated documentation
tasks running.  Basically I want to set up a cron job on a FreeIPA
server that will read info using the ipa command line tools like "ipa
user-find", "ipa user-show --all" and some of the host commands. After
it reads that info I can handle it in perl to maintain some
documentation requirements.  But I don't want to be forced into saving
a password anywhere along the way if I can avoid it.

Is there a way to set an account so it will be able to run those ipa
commands in a read-only state but not have any authentication
requirement?

No, it is not possible. On IPA server side all connections to the
management framework are always authenticated.

You can use an approach described in
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
to obtain authentication token and get requests to the IPA server with
that token. However, this implies you still need to authenticate first.

Another approach would be to create a service, obtain a keytab with a
key for that service and run your 'ipa ...' calls with the Kerberos
authentication based on that keytab. On reasonably recent systems you
can use GSS-Proxy to make sure your script is not having direct access
to the keytab and that would also make possible re-acquiring the ticket
on your behalf by GSS-Proxy.


For users, depending on configuration, you can use an anonymous LDAP 
bind and skip the ipa tool. I'm pretty sure that hosts require an 
authenticated user to read the entries.


rob



Re: [Freeipa-users] Unable to enumerate IPA users from AD side of 2-way trust due to kerberos error

2016-05-17 Thread Alexander Bokovoy

On Tue, 17 May 2016, John Meyers wrote:

All,

I have established a 2-way forest trust between FreeIPA (4.2.4-1.fc23)
and AD (Windows 2012R2).  The IPA side works perfect and AD users can
authenticate against IPA resources.  However, when one tries to add an
IPA user or group to a Windows permission set (e.g. an NTFS ACL or user
right), Windows successfully obtains a Kerberos ticket for the IPA user
but then fails when trying to obtain the LDAP principal of the IPA
server.  KDC logs follows:

The other leg is not supported.

Read http://www.freeipa.org/page/V4/One-way_trust#Design for details.
--
/ Alexander Bokovoy



[Freeipa-users] Unable to enumerate IPA users from AD side of 2-way trust due to kerberos error

2016-05-17 Thread John Meyers
All,

I have established a 2-way forest trust between FreeIPA (4.2.4-1.fc23)
and AD (Windows 2012R2).  The IPA side works perfect and AD users can
authenticate against IPA resources.  However, when one tries to add an
IPA user or group to a Windows permission set (e.g. an NTFS ACL or user
right), Windows successfully obtains a Kerberos ticket for the IPA user
but then fails when trying to obtain the LDAP principal of the IPA
server.  KDC logs follows:

krb5kdc[19373](info): AS_REQ (6 etypes {18 17 23 24 -135 3})
adserver.addomain NEEDED_PREAUTH: admin@IPADOMAIN for
krbtgt/IPADOMAIN@IPADOMAIN, Additional pre-authentication required
krb5kdc[19373](info): closing down fd 12
krb5kdc[19373](info): AS_REQ (6 etypes {18 17 23 24 -135 3})
adserver.addomain: ISSUE: authtime 1463500682, etypes {rep=18 tkt=18
ses=18}, admin@IPADOMAIN for krbtgt/IPADOMAIN@IPADOMAIN
> Great!  We've successfully authenticated as our IPA admin user
from Windows.  But now the wheels come off the wagon.

krb5kdc[19373](info): closing down fd 12
krb5kdc[19373](info): TGS_REQ (5 etypes {18 17 23 24 -135})
adserver.addomain: LOOKING_UP_SERVER: authtime 0,  admin@IPADOMAIN for
ldap/ipaserver.ipadomain/ipadomain@IPADOMAIN, Server not found in
Kerberos database
krb5kdc[19373](info): closing down fd 12
--->  Oh oh!  For some odd reason Windows is appending the lowercase
'/ipadomain' the kerberos request.  ldap/ipaserver.ipadomain@IPADOMAIN
exists as a principal, ldap/ipaserver.ipadomain/ipadomain@IPADOMAIN does
not.  Since we can't authenticate to LDAP, we can't resolve a user.

Help would be appreciated.

John





Re: [Freeipa-users] Read-only permission with no authentication

2016-05-17 Thread Alexander Bokovoy

On Tue, 17 May 2016, Stephen Berg (Contractor) wrote:
I'm trying to set up an account that will only have read permissions 
to FreeIPA's user and host info to get some automated documentation 
tasks running.  Basically I want to set up a cron job on a FreeIPA 
server that will read info using the ipa command line tools like "ipa 
user-find", "ipa user-show --all" and some of the host commands.  
After it reads that info I can handle it in perl to maintain some 
documentation requirements.  But I don't want to be forced into saving 
a password anywhere along the way if I can avoid it.


Is there a way to set an account so it will be able to run those ipa 
commands in a read-only state but not have any authentication 
requirement?

No, it is not possible. On IPA server side all connections to the
management framework are always authenticated.

You can use an approach described in
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
to obtain authentication token and get requests to the IPA server with
that token. However, this implies you still need to authenticate first.

Another approach would be to create a service, obtain a keytab with a
key for that service and run your 'ipa ...' calls with the Kerberos
authentication based on that keytab. On reasonably recent systems you
can use GSS-Proxy to make sure your script is not having direct access
to the keytab and that would also make possible re-acquiring the ticket
on your behalf by GSS-Proxy.
--
/ Alexander Bokovoy



[Freeipa-users] Read-only permission with no authentication

2016-05-17 Thread Stephen Berg (Contractor)
I'm trying to set up an account that will only have read permissions to 
FreeIPA's user and host info to get some automated documentation tasks 
running.  Basically I want to set up a cron job on a FreeIPA server that 
will read info using the ipa command line tools like "ipa user-find", 
"ipa user-show --all" and some of the host commands.  After it reads 
that info I can handle it in perl to maintain some documentation 
requirements.  But I don't want to be forced into saving a password 
anywhere along the way if I can avoid it.


Is there a way to set an account so it will be able to run those ipa 
commands in a read-only state but not have any authentication requirement?



--
Stephen Berg
Systems Administrator
NRL Code: 7320
Office: 228-688-5738
stephen.berg@nrlssc.navy.mil


Re: [Freeipa-users] How to determine cause/source of user lockout?

2016-05-17 Thread Rich Megginson

On 05/17/2016 08:18 AM, Rob Crittenden wrote:

John Duino wrote:

Is there a (relatively easy) way to determine what is causing a user
account to be locked out? The admin account on our 'primary' ipa host is
locked out frequently, but somewhat randomly; sometimes it will be less
than 5 minutes it is available, and other times several hours.

ipa user-status admin will show something like:
Failed logins: 6
Last successful authentication: 20160516214142Z
Last failed authentication: 20160516224718Z
Time now: 2016-05-16T22:52:00Z

ipa user-unlock admin  does unlock it.

But parsing through the various logs on the affected host doesn't give
me what I need to know, primarily, which host(s) are trying to access
admin and causing it to lock.

FreeIPA 4.2.0 on CentOS 7.2.1511


I think you'd need to poke around in the KDC and 389-ds access log to 
find the auth attempts. I guess I'd look for PREAUTH_FAILED in 
/var/log/krb5kdc.log and look for err=49 in the 389-ds logs and then 
correlate the conn value with a BIND to see who was authenticating.


For 389 you can use the logconv.pl tool



rob





Re: [Freeipa-users] IPA vulnerability management SSL

2016-05-17 Thread Sean Hogan

Hello,

This is an older thread now but our mitigation guys found a solution in
fixing this that I think you all may want as the output has now changed
from the 13 ciphers that would not change to the below.  It's a rather easy
fix as well and possibly I missed it with assumptions.

You need to modify both the realm name dse and the pki dse ldifs.  I was
only modifying the realm dse.


/etc/dirsrv/slapd-PKI-IPA/dse.ldif
/etc/dirsrv/slapd-REALM-NAME/dse.ldif




[bob@dingle ~]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-05-17 10:59 EDT
Nmap scan report for dingle@bob.local (IP of dingle)
Host is up (0.00015s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (7)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
| Compressors (1)
|_  uncompressed





Sean Hogan





From:   Sean Hogan/Durham/IBM
To: Rob Crittenden 
Cc: freeipa-users@redhat.com, Noriko Hosoi 
Date:   04/29/2016 01:49 PM
Subject:Re: [Freeipa-users] IPA vulnerability management SSL


Thanks Rob... appreciate the help.. can you send me what you have in
nss.conf, server.xml as well?  If I start off playing with something you
see working without issue then maybe I can come up with something or am I
wrong thinking those might affect anything?

IE .. can you send me the entire cn=encryption, cn=config section like this
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1


Sean Hogan








From:   Rob Crittenden 
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users@redhat.com, Noriko Hosoi 
Date:   04/29/2016 01:36 PM
Subject:Re: [Freeipa-users] IPA vulnerability management SSL



Sean Hogan wrote:
> Apparently making it the master ca will not work at this point since the
> replica is removed. So still stuck with non-changing ciphers.

Other services running on the box have zero impact on the ciphers
available.

I'm not sure what is wrong because it took me just a minute to stop
dirsrv, modify dse.ldif with the list I provided, restart it and confirm
that the cipher list was better.

Entries in cn=config are not replicated.

rob

>
>
> Sean Hogan
>
>
>
>
>
>
> From: Sean Hogan/Durham/IBM
> To: Rob Crittenden 
> Cc: freeipa-users@redhat.com, Noriko Hosoi 
> Date: 04/29/2016 08:56 AM
> Subject: Re: [Freeipa-users] IPA vulnerability management SSL
>
> 
>
>
> Hi Rob,
>
> I stopped IPA, modified dse.ldif, restarted with the cipher list and it
> started without issue however Same 13 ciphers. You know.. thinking about
> this now.. I am going to try something. The box I am testing on is a
> replica master and not the first replica. I did not think this would
> make a difference since I removed the replica from the realm before
> testing but maybe it will not change anything thinking its stuck in the
> old realm?
>
> Starting Nmap 5.51 ( http://nmap.org  ) at 2016-04-29
> 11:51 EDT
> Nmap scan report for
> Host is up (0.82s latency).
> PORT STATE SERVICE
> 636/tcp open ldapssl
> | ssl-enum-ciphers:
> | TLSv1.2
> | Ciphers (13)
> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> | SSL_RSA_FIPS_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> | TLS_RSA_WITH_3DES_EDE_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA256
> | TLS_RSA_WITH_AES_128_GCM_SHA256
> | TLS_RSA_WITH_AES_256_CBC_SHA
> | TLS_RSA_WITH_AES_256_CBC_SHA256
> | TLS_RSA_WITH_DES_CBC_SHA
> | TLS_RSA_WITH_RC4_128_MD5
> | TLS_RSA_WITH_RC4_128_SHA
> | Compressors (1)
>
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> 
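An added check for the dse.ldif fix Sean describes (example code, not from this thread): it unfolds the cn=encryption entry, splits nsSSL3Ciphers into enabled and disabled ciphers, and flags any enabled cipher from the families the corrected list turns off (null, RC4, RC2, single DES, export, fortezza). Both entries below are constructed from the one quoted above; the "before" entry simply re-enables two of those ciphers.

```python
import re

# Constructed cn=encryption entry in the style of the dse.ldif quoted in this
# thread. LDIF folds long values onto continuation lines that begin with a space.
DSE_SAMPLE = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5
 ,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_
 sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r
 c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1
"""

# Constructed "before" entry: the same list, but with RC4-MD5 and single DES enabled.
WEAK_SAMPLE = DSE_SAMPLE.replace("-rsa_rc4_128_md5", "+rsa_rc4_128_md5") \
                        .replace("-rsa_des_sha", "+rsa_des_sha")

# Cipher families the corrected list on this page disables. "(?<!3)des" matches
# single DES (rsa_des_sha, ..._with_des_cbc_sha) but not 3DES (rsa_3des_sha).
WEAK_RE = re.compile(r"null|rc4|rc2|export|fortezza|(?<!3)des")


def parse_ldif_entry(text):
    """Unfold LDIF continuation lines and return {attribute: [values]}."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous value
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def cipher_policy(entry):
    """Split nsSSL3Ciphers into (enabled, disabled) cipher-name lists.

    Tokens are comma separated: '+name' enables a cipher, '-name' disables it.
    """
    raw = entry.get("nsSSL3Ciphers", [""])[0]
    enabled, disabled = [], []
    for token in filter(None, raw.split(",")):
        if token.startswith("+"):
            enabled.append(token[1:])
        elif token.startswith("-"):
            disabled.append(token[1:])
    return enabled, disabled


def weak_ciphers_enabled(entry):
    """Return enabled ciphers from a weak family; an empty list means the entry is clean."""
    enabled, _ = cipher_policy(entry)
    return [name for name in enabled if WEAK_RE.search(name)]


if __name__ == "__main__":
    for label, text in (("before", WEAK_SAMPLE), ("after", DSE_SAMPLE)):
        entry = parse_ldif_entry(text)
        print(label, "enabled:", cipher_policy(entry)[0])
        print(label, "weak still enabled:", weak_ciphers_enabled(entry))
```

Run it against both dse.ldif files (the realm instance and slapd-PKI-IPA) with dirsrv stopped, since a running instance rewrites dse.ldif.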

Re: [Freeipa-users] win2012 r2 and trust type = realm

2016-05-17 Thread lejeczek
On Tue, 2016-05-17 at 17:10 +0300, Alexander Bokovoy wrote:
> On Tue, 17 May 2016, lejeczek wrote:
> > hi users/devs
> > 
> > I've used wiki pages to set AD - IPA trust, and it always end up
> > being
> > realm type of trust (@ AD DC end) whereas wiki shows forest type.
> > What am I doing wrong?
> Probably because you are choosing wrong type of trust on AD side.
> 
> Remove any trust with the same name as IPA on AD side and try to
> create
> the trust using 'ipa trust-add' command, as described in the wiki or
> in
> the documentation.
> 
but ipa trust-add renders one-way type of trust, at least here for me,
is this correct?
I go to AD DC and see only one-way trust.
> > 
> > I think I must be doing something wrong for having that trust
> > established (or I least I think I have it) when @IPA end I do:
> > 
> > $ kinit Administrator@ad_dom
> > Password for Administrator@ad_dom: 
> > kinit: KDC reply did not match expectations while getting initial
> > credentials
> > 

> 
> This is unrelated. In Kerberos realm is supposed to be in UPPER CASE. If
> you specified it in lower case, AD DC would accept that and would issue
> a ticket with corrected principal name but 'kinit' utility would not
> accept the changed principal.
> 
> kinit Administrator@AD_DOM is what would you need to try. However, being
> able to kinit as AD user from IPA machine has nothing to do with IPA -
> AD trust.
> 
> 

Re: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN

2016-05-17 Thread Rob Crittenden

Adam Kaczka wrote:

I found from [root@host pki-ca]# tail -n 100 /var/log/pki-ca/system that
CA chain is missing; so I am thinking I may have to use
ipa-server-certinstall to reinstall the two certs.


I really doubt it. I'm not sure what can't be found, maybe one of the 
dogtag devs has an idea.





5135.main - [27/Jan/2016:14:10:14 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2003.main - [27/Jan/2016:14:35:33 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2003.TP-Processor3 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2003.TP-Processor2 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2000.main - [28/Jan/2016:07:43:00 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2000.TP-Processor2 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2000.TP-Processor3 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2085.main - [03/Feb/2016:08:57:05 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2085.TP-Processor2 - [27/Jan/2016:14:05:03 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.


On Mon, May 16, 2016 at 11:45 AM, Adam Kaczka > wrote:

Certmonger cannot communicate with CA; the result of getlist cert shows:

RPC failed at server.  Certificate operation cannot be completed:
Unable to communicate with CMS (Not Found)

After setting time back, from /var/log/pki-ca/debug I get:

[30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException
Certificate object not found
 at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
 at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1205)
 at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
 at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
 at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
 at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
 at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
 at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
 at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
 at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
 at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
 at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425)
 at org.apache.catalina.core.StandardContext.start(StandardContext.java:4738)
 at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
 at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
 at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
 at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
 at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
 at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
 at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
 at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
 at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
 at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
 at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
 at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
 at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
 at org.apache.catalina.core.StandardService.start(StandardService.java:516)
 at

Re: [Freeipa-users] How to determine cause/source of user lockout?

2016-05-17 Thread Rob Crittenden

John Duino wrote:

Is there a (relatively easy) way to determine what is causing a user
account to be locked out? The admin account on our 'primary' ipa host is
locked out frequently, but somewhat randomly; sometimes it will be less
than 5 minutes it is available, and other times several hours.

ipa user-status admin will show something like:
Failed logins: 6
Last successful authentication: 20160516214142Z
Last failed authentication: 20160516224718Z
Time now: 2016-05-16T22:52:00Z

ipa user-unlock admin  does unlock it.

But parsing through the various logs on the affected host doesn't give
me what I need to know, primarily, which host(s) are trying to access
admin and causing it to lock.

FreeIPA 4.2.0 on CentOS 7.2.1511


I think you'd need to poke around in the KDC and 389-ds access log to 
find the auth attempts. I guess I'd look for PREAUTH_FAILED in 
/var/log/krb5kdc.log and look for err=49 in the 389-ds logs and then 
correlate the conn value with a BIND to see who was authenticating.


rob

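Rob's approach above (PREAUTH_FAILED in krb5kdc.log, err=49 in the 389-ds access log correlated through the conn value back to the BIND and the client address) carried out as an added Python example; it is not code from this thread, and the log lines, addresses and the EXAMPLE.COM realm are constructed.

```python
import re
from collections import Counter

# Constructed sample of a 389-ds access log (/var/log/dirsrv/slapd-REALM/access):
# two connections from 10.0.0.5 fail a simple bind as admin (err=49), one from
# 10.0.0.9 succeeds (err=0). The 'connection from' line carries the client address;
# the BIND and its RESULT share the same conn= and op= values.
DIRSRV_ACCESS_SAMPLE = """\
[16/May/2016:22:47:10 +0000] conn=1234 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[16/May/2016:22:47:10 +0000] conn=1234 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:47:10 +0000] conn=1234 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[16/May/2016:22:47:11 +0000] conn=1234 op=1 UNBIND
[16/May/2016:22:47:15 +0000] conn=1235 fd=65 slot=65 connection from 10.0.0.9 to 10.0.0.1
[16/May/2016:22:47:15 +0000] conn=1235 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:47:15 +0000] conn=1235 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[16/May/2016:22:47:18 +0000] conn=1236 fd=66 slot=66 connection from 10.0.0.5 to 10.0.0.1
[16/May/2016:22:47:18 +0000] conn=1236 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:47:18 +0000] conn=1236 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

# Constructed sample of /var/log/krb5kdc.log; the client address sits between the
# etype list and the status word, as in the KDC lines quoted elsewhere on this page.
KDC_SAMPLE = """\
May 16 22:47:18 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
May 16 22:47:19 ipa.example.com krb5kdc[1234](info): closing down fd 12
May 16 22:47:20 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1463438840, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
May 16 22:47:21 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
"""

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to ")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")
KDC_RE = re.compile(r"AS_REQ \([^)]*\) (\S+): PREAUTH_FAILED: (\S+) for ")


def failed_binds(access_log):
    """Return {(client_ip, bind_dn): count} for every BIND whose RESULT is err=49."""
    conn_ip = {}      # conn id -> client address from the 'connection from' line
    pending = {}      # (conn, op) -> bind dn still waiting for its RESULT line
    hits = Counter()
    for line in access_log.splitlines():
        m = CONN_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None and m.group(3) == "49":
                hits[(conn_ip.get(m.group(1), "unknown"), dn)] += 1
    return dict(hits)


def kdc_preauth_failures(kdc_log):
    """Return {(client_addr, principal): count} for AS_REQs that ended in PREAUTH_FAILED."""
    hits = Counter()
    for line in kdc_log.splitlines():
        m = KDC_RE.search(line)
        if m:
            hits[(m.group(1), m.group(2))] += 1
    return dict(hits)


def lockout_sources(access_log, kdc_log, dn_prefix="uid=admin,", principal_prefix="admin@"):
    """Merge both logs into {client: failed authentications} for one account."""
    per_client = Counter()
    for (ip, dn), n in failed_binds(access_log).items():
        if dn.startswith(dn_prefix):
            per_client[ip] += n
    for (addr, princ), n in kdc_preauth_failures(kdc_log).items():
        if princ.startswith(principal_prefix):
            per_client[addr] += n
    return dict(per_client)


if __name__ == "__main__":
    for client, n in sorted(lockout_sources(DIRSRV_ACCESS_SAMPLE, KDC_SAMPLE).items()):
        print(f"{client}: {n} failed authentications as admin")
```

On a real server, feed it the access log of the realm instance and /var/log/krb5kdc.log; a client address that keeps appearing right before each lockout window is the host to look at.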


Re: [Freeipa-users] win2012 r2 and trust type = realm

2016-05-17 Thread Alexander Bokovoy

On Tue, 17 May 2016, lejeczek wrote:

hi users/devs

I've used wiki pages to set AD - IPA trust, and it always end up being
realm type of trust (@ AD DC end) whereas wiki shows forest type.
What am I doing wrong?

Probably because you are choosing wrong type of trust on AD side.

Remove any trust with the same name as IPA on AD side and try to create
the trust using 'ipa trust-add' command, as described in the wiki or in
the documentation.


I think I must be doing something wrong for having that trust
established (or I least I think I have it) when @IPA end I do:

$ kinit Administrator@ad_dom
Password for Administrator@ad_dom: 
kinit: KDC reply did not match expectations while getting initial
credentials

This is unrelated. In Kerberos realm is supposed to be in UPPER CASE. If
you specified it in lower case, AD DC would accept that and would issue
a ticket with corrected principal name but 'kinit' utility would not
accept the changed principal.

kinit Administrator@AD_DOM is what would you need to try. However, being
able to kinit as AD user from IPA machine has nothing to do with IPA -
AD trust.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Renable 7389 port on multimaster

2016-05-17 Thread Rob Crittenden

barry...@gmail.com wrote:

Hi :


2 servers configured as multi master but one of them cannot telnet  7389

how can I check and re-enable it ?

Server  cannot telnet 7389 should I reinstall CA service ...is it
related ?
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING


You'd need to see if a CA is configured on this master at all. If no CA 
is configured you can add using ipa-ca-install.


rob



[Freeipa-users] Changing spec.page_length?

2016-05-17 Thread Jeffery Harrell
Is there a “soft” way to change the number of rows in tables like the hosts and 
DNS records search facets? I think I’d happily trade a little interactivity 
when going from one facet to another for the ability to see four or five times 
as much information on a single screen at once. I get that I can write a 
JavaScript mod that pokes into the individual tables and modifies 
spec.page_length, but is there an easier way? A setting somewhere maybe? The 
source code suggests the answer is no but I figured it couldn’t hurt to ask.

Thanks,

Jeffery


Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Ludwig Krispenz


On 05/17/2016 12:49 PM, Ludwig Krispenz wrote:


On 05/16/2016 11:19 PM, Giuseppe Sarno wrote:


Hello,

I am new to freeIPA and I am recently working on a project to 
integrate freeIPA with some legacy application which uses LDAP for 
user management.


I have initially created our own ldap structure and I tried to run 
the code against freeIPA/389DS. While running this example I noticed 
that 389DS takes quite some time to load profile data from the 
different ldap nodes (~2000 entries). In a previous prototype using 
OpenDJ we had to increase the parameter ds-cfg-size-limit: to ~1000 
with good results. I am wondering now whether we can do the same for 
the freeIPA/389DS server. I found the following pages but I could not 
work out what the exact command should be to modify those parameters.


https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html

http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html

I attempted the following but received a ObjectClass violation:

[centos@ldap-389ds-ireland ~]$ ldapmodify  -h ldap-389ds-ip -D "cn=Directory Manager" -w '' -f slimit
modifying entry "dc=ldap,dc=adeptra,dc=com"
ldap_modify: Object class violation (65)
additional info: attribute "nsslapd-sizelimit" not allowed

slimit:
dn: dc=ldap,dc=example,dc=com
changetype: modify
add:nsslapd-sizelimit
nsslapd-sizelimit: 1000

I also attempted using a user dn but with the same result.

the example in the doc is unfortunately incorrect;
in the latest doc it is corrected:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Finding_Directory_Entries.html#Setting_Resource_Limits_Based_on_the_Bind_DN-Setting_Resource_Limits_Using_the_Command_Line
nsslapd-sizelimit is the general limit in cn=config, the attribute per
user is nsSizeLimit (as used in the text in the doc).

And you have to add it to a user used for binding.


Can anybody help ?

Thanks,

Giuseppe.


Fair Isaac Services Limited (Co. No. 01998476) and Fair Isaac 
(Adeptra) Limited (Co. No. 03295455) are registered in England and 
Wales and have a registered office address of Cottons Centre, 5th 
Floor, Hays Lane, London, SE1 2QP.


This email and any files transmitted with it are confidential, 
proprietary and intended solely for the individual or entity to whom 
they are addressed. If you have received this email in error please 
delete it immediately.





--
Red Hat GmbH,http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael 
O'Neill






[Freeipa-users] win2012 r2 and trust type = realm

2016-05-17 Thread lejeczek
hi users/devs

I've used wiki pages to set up AD - IPA trust, and it always ends up being a
realm type of trust (@ AD DC end) whereas the wiki shows forest type.
What am I doing wrong?
I think I must be doing something wrong for having that trust
established (or at least I think I have it) when @IPA end I do:

$ kinit Administrator@ad_dom
Password for Administrator@ad_dom: 
kinit: KDC reply did not match expectations while getting initial
credentials

regards
L.

Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-17 Thread Simo Sorce
On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
> > > hi everybody,
> > > I'm trying, and hoping it is possible to realm join an AD but is
> > > such a
> > > way so I tap my IPA into specific OU within that AD.
> > 
> > I'm not exactly sure what you mean here. Do you want to join a
> > computer
> > which is already a client in an IPA domain to AD as well? If this is
> > the
> > case I would recommend to consider the IPA trust feature. Joining 2
> > domains is in general possible with SSSD but has to be done with very
> > great care, e.g. by using different keytabs for each domain.
> Can IPA domain establish a trust between win AD if IPA admin only has
> admin control over an OU in win AD ?

No, you need to be a Domain Admin with full privileges.

> I know very little about AD and only started with IPA - I don't suppose
> control of OU delegated to a user makes that user AD admin.

It doesn't.

> I guess what I'm thinking, asking, is - what would be the correct
> possible way to plug in, connect IPA domain to win AD when one has
> admin control only over a OU in win AD?

Not sure you can even do sync, there isn't really much you can do with
those privileges, you are basically just allowed to administer a
"group".

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Jakub Hrozek
On Tue, May 17, 2016 at 03:08:37PM +1000, Lachlan Musicman wrote:
> FWIW,
> 
> We are seeing the issues that are described here:
> 
> https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html
> 
> I was about to write when I found this, it explains exactly what I am
> seeing - right down to the "impossible to reproduce because it's so
> (seemingly) random".
> 
> 
> I am about to read up on the SSSD trouble shooting in order to up the logs
> , but here is some output I can share - note that this all happened in
> ~5 minutes. As you can see, clearing the cache has various unpredictable
> effects. Both users should return the same list of groups. This was
> performed on a FreeIPA client.

There were some bugs related to external groups, what server and client
package versions are you running?



Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Ludwig Krispenz


On 05/16/2016 11:19 PM, Giuseppe Sarno wrote:


Hello,

I am new to freeIPA and I am recently working on a project to 
integrate freeIPA with some legacy application which uses LDAP for 
user management.


I have initially created our own ldap structure and I tried to run the 
code against freeIPA/389DS. While running this example I noticed that 
389DS takes quite some time to load profile data from the different 
ldap nodes (~2000 entries). In a previous prototype using OpenDJ we 
had to increase the parameter ds-cfg-size-limit: to ~1000 with good 
results. I am wondering now whether we can do the same for the 
freeIPA/389DS server. I found the following pages but I could not work 
out what the exact command should be to modify those parameters.


https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html

http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html

I attempted the following but received a ObjectClass violation:

[centos@ldap-389ds-ireland ~]$ ldapmodify  -h ldap-389ds-ip -D "cn=Directory Manager" -w '' -f slimit
modifying entry "dc=ldap,dc=adeptra,dc=com"
ldap_modify: Object class violation (65)
additional info: attribute "nsslapd-sizelimit" not allowed

slimit:
dn: dc=ldap,dc=example,dc=com
changetype: modify
add:nsslapd-sizelimit
nsslapd-sizelimit: 1000

I also attempted using a user dn but with the same result.

the example in the doc is unfortunately incorrect, nsslapd-sizelimit is 
the general limit in cn=config, the attribute per user is nsSizeLimit 
(as used in the text in the doc).

And you have to add it to a user used for binding.


Can anybody help ?

Thanks,

Giuseppe.







--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael 
O'Neill


Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Petr Spacek
On 16.5.2016 23:19, Giuseppe Sarno wrote:
> Hello,
> I am new to freeIPA and I am recently working on a project to integrate 
> freeIPA with some legacy application which uses LDAP for user management.
> I have initially created our own ldap structure and I tried to run the code 
> against freeIPA/389DS. While running this example I noticed that 389DS takes 
> quite some time to load profile data from the different ldap nodes (~2000 
> entries). In a previous prototype using OpenDJ we had to increase the 
> parameter ds-cfg-size-limit: to ~1000 with good results. I am wondering now 
> whether we can do the same for the freeIPA/389DS server. I found the 
> following pages but I could not work out what the exact command should be to 
> modify those parameters.
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
> 
> http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html
> 
> I attempted the following but received a ObjectClass violation:
> 
> [centos@ldap-389ds-ireland ~]$ ldapmodify  -h ldap-389ds-ip -D "cn=Directory 
> Manager" -w '' -f slimit
> modifying entry "dc=ldap,dc=adeptra,dc=com"
> ldap_modify: Object class violation (65)
> additional info: attribute "nsslapd-sizelimit" not allowed

System-wide config is stored in "cn=config".

For further details please see
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Finding_Directory_Entries.html#Setting_Resource_Limits_Based_on_the_Bind_DN-Setting_Resource_Limits_Using_the_Command_Line

Petr^2 Spacek


> slimit:
> dn: dc=ldap,dc=example,dc=com
> changetype: modify
> add:nsslapd-sizelimit
> nsslapd-sizelimit: 1000
> 
> I also attempted using a user dn but with the same result.



Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Martin Babinsky

On 05/16/2016 11:19 PM, Giuseppe Sarno wrote:

Hello,

I am new to freeIPA and I am recently working on a project to integrate
freeIPA with some legacy application which uses LDAP for user management.

I have initially created our own ldap structure and I tried to run the
code against freeIPA/389DS. While running this example I noticed that
389DS takes quite some time to load profile data from the different ldap
nodes (~2000 entries). In a previous prototype using OpenDJ we had to
increase the parameter ds-cfg-size-limit: to ~1000 with good results. I
am wondering now whether we can do the same for the freeIPA/389DS
server. I found the following pages but I could not work out what the
exact command should be to modify those parameters.



https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html



http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html



I attempted the following but received a ObjectClass violation:



[centos@ldap-389ds-ireland ~]$ ldapmodify  -h ldap-389ds-ip -D "cn=Directory Manager" -w '' -f slimit
modifying entry "dc=ldap,dc=adeptra,dc=com"
ldap_modify: Object class violation (65)
additional info: attribute "nsslapd-sizelimit" not allowed

slimit:
dn: dc=ldap,dc=example,dc=com
changetype: modify
add:nsslapd-sizelimit
nsslapd-sizelimit: 1000



I also attempted using a user dn but with the same result.



Can anybody help ?



Thanks,

Giuseppe.









Hi Giuseppe,

the best way to tweak directory server configuration is this:

1.) stop directory server (systemctl stop dirsrv@EXAMPLE-COM)

2.) edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif file:
locate the nsslapd-sizelimit entry and change the value

3.) start directory server (systemctl start dirsrv@EXAMPLE-COM)

You should see the new value if you search for it in the 'cn=config' 
subtree which hosts the configuration (not the dc=example,dc=com suffix 
you use).
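As an added example (not code from this thread, 389DS or FreeIPA), here is a small Python check that parses an LDIF modify request and flags the mistake the thread discusses, using only the rules given in the replies above: nsslapd-sizelimit belongs on cn=config, and the per-user limit is nsSizeLimit on the bind DN's own entry. The user DN in the per-user sample is a placeholder.

```python
"""Added example (not code from this thread, 389DS or FreeIPA): parse an LDIF
change record and flag the mistake discussed above before running ldapmodify.
Rules from the replies: nsslapd-sizelimit is server-wide and lives on cn=config
(on a suffix it gives "Object class violation"); per bind DN use nsSizeLimit."""
from typing import Any, Dict, List

Record = Dict[str, Any]


def _unfold(text: str) -> List[str]:
    """Join continuation lines (leading space) and drop blanks and comments."""
    lines: List[str] = []
    for raw in text.splitlines():
        raw = raw.rstrip("\r")
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_ldif_changes(text: str) -> List[Record]:
    """Parse change records into {dn, changetype, ops}; ops holds
    [operation, attribute, [values]] and accepts 'add: attr' or 'add:attr'."""
    records: List[Record] = []
    current: Record = {}
    op = None
    for line in _unfold(text):
        if line == "-":          # separator between modify operations
            op = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.lower() == "dn":
            if current:
                records.append(current)
            current = {"dn": value, "changetype": None, "ops": []}
            op = None
        elif not current:
            continue             # attribute lines before any dn: are ignored
        elif key.lower() == "changetype":
            current["changetype"] = value.lower()
        elif key.lower() in ("add", "replace", "delete"):
            op = [key.lower(), value, []]
            current["ops"].append(op)
        elif op is not None and key.lower() == op[1].lower():
            op[2].append(value)
    if current:
        records.append(current)
    return records


def check_size_limit_changes(records: List[Record]) -> List[str]:
    """Return one finding per misplaced or non-numeric limit attribute."""
    findings: List[str] = []
    for rec in records:
        dn = rec["dn"]
        on_config = dn.lower() == "cn=config"
        for _operation, attr, values in rec["ops"]:
            name = attr.lower()
            if name == "nsslapd-sizelimit" and not on_config:
                findings.append(f"{dn}: nsslapd-sizelimit belongs on cn=config; "
                                "the per-user limit is nsSizeLimit on the bind DN")
            elif name == "nssizelimit" and on_config:
                findings.append(f"{dn}: nsSizeLimit is per bind DN; use "
                                "nsslapd-sizelimit for the server-wide limit")
            if name in ("nsslapd-sizelimit", "nssizelimit"):
                findings.extend(f"{dn}: {attr} value {v!r} is not an integer"
                                for v in values if not v.isdigit())
    return findings


# The 'slimit' file from the thread (constructed copy): targets the suffix.
SLIMIT_AS_POSTED = """\
dn: dc=ldap,dc=example,dc=com
changetype: modify
add:nsslapd-sizelimit
nsslapd-sizelimit: 1000
"""
# Server-wide limit on cn=config, as the replies recommend.
SLIMIT_GLOBAL = """\
dn: cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: 1000
"""
# Per-bind-DN limit on the binding user's own entry; the uid is a placeholder.
SLIMIT_PER_USER = """\
dn: uid=legacy-app,cn=users,cn=accounts,dc=ldap,dc=example,dc=com
changetype: modify
add: nsSizeLimit
nsSizeLimit: 1000
"""

if __name__ == "__main__":
    for label, ldif in [("as posted", SLIMIT_AS_POSTED), ("cn=config", SLIMIT_GLOBAL),
                        ("per user", SLIMIT_PER_USER)]:
        print(label, check_size_limit_changes(parse_ldif_changes(ldif)) or "OK")
```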


--
Martin^3 Babinsky



Re: [Freeipa-users] IPA as subdomain, part of AD ?

2016-05-17 Thread Petr Spacek
On 16.5.2016 19:59, Simo Sorce wrote:
> On Mon, 2016-05-16 at 17:00 +0100, lejeczek wrote:
>> hi users/devel
>>
>> I'm trying to grasp the concepts - can IPA be plugged into AD domain,
>> be part of it as a subdomain?
> 
> No, the only trust type we handle is a Forest level trust, so FreeIPA
> needs to be its own forest in AD terms.
> 
>> I'm guessing it'd be quite common scenario, I see wiki describes
> >> opposite arrangement, but how to have IPA as
>> ipa.activedir.local whereas activedir.local is top domain of an
>> enterprise?
>> Would this still be - setting cross-domain trust?
> 
> It would still create a trust between 2 different forests, it's just so
> happen that one of them will be in a DNS subdomain.
> 
> For this to work, no other windows machine may have used the
> ipa.activedir.local domain before.

Please see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html

-- 
Petr^2 Spacek



Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-17 Thread lejeczek
On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > .. if possible, would you know?
> > hi everybody,
> > I'm trying, and hoping it is possible to realm join an AD but is
> > such a
> > way so I tap my IPA into specific OU within that AD.
> 
> I'm not exactly sure what you mean here. Do you want to join a
> computer
> which is already a client in an IPA domain to AD as well? If this is
> the
> case I would recommend to consider the IPA trust feature. Joining 2
> domains is in general possible with SSSD but has to be done with very
> great care, e.g. by using different keytabs for each domain.
Can IPA domain establish a trust between win AD if IPA admin only has
admin control over an OU in win AD ?
I know very little about AD and only started with IPA - I don't suppose
control of OU delegated to a user makes that user AD admin.
I guess what I'm thinking, asking, is - what would be the correct
possible way to plug in, connect IPA domain to win AD when one has
admin control only over a OU in win AD?
many thanks
L.
> > 
> > The thing is - I'm thinking it would make user access control ideal
> > from the start as I need only users from that OU, but also because I'm
> > only granted access to the user/group who has control over that OU.
> > I'm trying that but I see:
> > 
> > ! The computer account RIDER already exists, but is not in the desired
> > organizational unit.
> > adcli: joining domain ccc.bb.aa failed: The computer account RIDER
> > already exists,
> > 

> 
> 
> Computer account names in AD must be unique even if they are added to
> different OUs. So if there is already a computer called RIDER joined to
> AD and it is not your computer you have to rename your computer to join.
> If it is your computer and you want to create it in a different OU you
> have to delete to old computer object first and then do a fresh join.
> 
> HTH
> 
> bye,
> Sumit
> 
> 
> > 
> >  ! Failed to join the domain
> > 
> > I'm doing this:
> > $ realm join ccc.bb.aa --user=private-user --computer-ou=private
> > 
> > and computer is in OU=private of ccc.bb.aa
> > so is the user private-user
> > 
> > many thanks.
> > L

Re: [Freeipa-users] Mac OS 10.11.4 issue: Cannot change expired Kerberos passwords on GUI login

2016-05-17 Thread Răzvan Corneliu C.R. VILT

> I have some questions for the author himself or anyone who has replicated
> his work:
> 
>   - Which OS X versions has this been tested on?

10.6.7 through 10.10.4 (latest Snow Leopard through latest Yosemite in May 
2015). The client had two Snow Leopards, one or two Lions, 10 Mountain Lions 
and the rest were Mavericks slowly upgraded during the project to Yosemite.

>   - Does changing a expired password work on an OS X GUI login?


I don't recall testing it. I recall testing the password change with the 
Kerberos "Ticket Viewer.app" and from the Users and Groups applet of System 
Preferences.

>   - Does the LDIF file included in that thread only work for MIT Kerberos
>   or does it also work for Heimdal?


It should work for both. IIRC FreeIPA uses MIT while OS X uses Heimdal.

Let's start with a bit of background:
The project that I worked on was for an all Apple house (50+ of OS X 
installations, hundreds of iOS and only 2 Windows stations).
It took place between late November 2014 and February 2015 and I monitored it 
through May 2015.
I am reasonably sure that we haven't set password expiration.
One of the criteria for the project was to actually migrate the original 
passwords stored in almost clear-text in OpenDirectory to the FreeIPA server 
(80 lines of code and the /var/db/authdb file).
We've migrated the file sharing to Samba and NetATalk. Samba was a royal pain 
for LDAP+Kerberos in user mode.
We migrated L2TP/IPSec and PPTP using Winbind for authentication (again with 
LDAP+Kerberos).
We migrated mail and calendar to Postfix+Dovecot+SOGo.
And we've also migrated a few simple (static) websites.
Mostly unrelated to IPA we also migrated DHCP and DNS. DiscoveryD gave us major 
headaches.
The interesting part that we've accomplished was that we've managed to do the 
migration almost transparently because FreeIPA was seen as a Kerberized OD 
Server. As such, the clients were able to use Kerberized logins to each others 
services (local file shares and such).

[Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Lachlan Musicman
FWIW,

We are seeing the issues that are described here:

https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html

I was about to write when I found this, it explains exactly what I am
seeing - right down to the "impossible to reproduce because it's so
(seemingly) random".


I am about to read up on the SSSD troubleshooting in order to up the logs,
but here is some output I can share - note that this all happened in
~5 minutes. As you can see, clearing the cache has various unpredictable
effects. Both users should return the same list of groups. This was
performed on a FreeIPA client.

[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10004(bioinf-c...@unix.petermac.org.au)
10005(rcf-st...@unix.petermac.org.au)
10007(cluster-u...@unix.petermac.org.au)
10011(facs-comp...@unix.petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10007(cluster-u...@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl start sssd
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10004(bioinf-c...@unix.petermac.org.au)
10005(rcf-st...@unix.petermac.org.au)
10007(cluster-u...@unix.petermac.org.au)
10011(facs-comp...@unix.petermac.org.au)
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10011(facs-comp...@unix.petermac.org.au)
10004(bioinf-c...@unix.petermac.org.au)
10005(rcf-st...@unix.petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10004(bioinf-c...@unix.petermac.org.au)
10005(rcf-st...@unix.petermac.org.au)
10007(cluster-u...@unix.petermac.org.au)
10011(facs-comp...@unix.petermac.org.au)
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10011(facs-comp...@unix.petermac.org.au)
10004(bioinf-c...@unix.petermac.org.au)
10005(rcf-st...@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl start sssd
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10011(facs-comp...@unix.petermac.org.au)
10004(bioinf-c...@unix.petermac.org.au)
10005(rcf-st...@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd
[root@emts-facs ~]# rm -rf /var/lib/sss/db/*
[root@emts-facs ~]# systemctl start sssd
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10007(cluster-u...@unix.petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10007(cluster-u...@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl start sssd
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 us...@petermac.org.au)
10007(cluster-u...@unix.petermac.org.au)



Cheers
L.




--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
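As an added example (not from the thread), the following Python script does what the transcript above does by hand: it compares the group lists returned by repeated `id` calls for one user and reports groups that appear in only some runs, or whose GID resolves to different names, since those are exactly the memberships an HBAC rule cannot rely on. The sample runs, names and GIDs are constructed placeholders, and the HBAC rule's group list is an assumption.

```python
"""Added example, not code from the thread: compare the group lists that
repeated ``id`` calls return for one user and report the groups that come
and go. Membership that flaps like this makes HBAC rules evaluate
differently from one login to the next, so catching it on a client is
cheaper than waiting for "access denied" reports.

Input is the output of ``id <user>``, with or without the ``tr "," "\\n"``
used above. The sample runs, names and GIDs below are constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

_GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_groups(id_output: str) -> Dict[int, str]:
    """Return {gid: name} for everything after 'groups=' in one id output."""
    _, _, groups_part = id_output.partition("groups=")
    return {int(gid): name for gid, name in _GROUP_RE.findall(groups_part)}


def membership_report(runs: List[str]) -> Dict[str, object]:
    """Summarise several id outputs for one user.

    'stable'   - GIDs present in every run
    'flapping' - GIDs present in only some runs, with the run indexes
    'renamed'  - GIDs that resolved to more than one name across runs
    """
    seen_in: Dict[int, List[int]] = defaultdict(list)
    names: Dict[int, Set[str]] = defaultdict(set)
    for idx, output in enumerate(runs):
        for gid, name in parse_id_groups(output).items():
            seen_in[gid].append(idx)
            names[gid].add(name)
    total = len(runs)
    return {
        "stable": sorted(g for g, idxs in seen_in.items() if len(idxs) == total),
        "flapping": {g: idxs for g, idxs in seen_in.items() if len(idxs) != total},
        "renamed": {g: sorted(n) for g, n in names.items() if len(n) > 1},
    }


def hbac_groups_at_risk(report: Dict[str, object], rule_gids: Iterable[int]) -> List[int]:
    """GIDs an HBAC rule depends on that were missing from at least one run."""
    return sorted(g for g in rule_gids if g not in report["stable"])


# Constructed sample: four id runs for the same user, as in the transcript above.
_PREFIX = ("uid=1400000001(jdoe@ad.example.test) "
           "gid=1400000001(domain users@ad.example.test) groups=")
SAMPLE_RUNS = [
    _PREFIX + "1400000001(domain users@ad.example.test),10004(grp-a@unix.example.test),"
              "10005(grp-b@unix.example.test),10007(grp-c@unix.example.test)",
    _PREFIX + "1400000001(domain users@ad.example.test)",
    _PREFIX + "1400000001(domain users@ad.example.test),"
              "10005(grp-b-alias@unix.example.test),10007(grp-c@unix.example.test)",
    _PREFIX + "1400000001(domain users@ad.example.test),10004(grp-a@unix.example.test),"
              "10005(grp-b@unix.example.test),10007(grp-c@unix.example.test)",
]

if __name__ == "__main__":
    report = membership_report(SAMPLE_RUNS)
    for key in ("stable", "flapping", "renamed"):
        print(f"{key}: {report[key]}")
    # Assumed HBAC rule that grants access via groups 10004 and 10007.
    print("HBAC rule groups at risk:", hbac_groups_at_risk(report, [10004, 10007]))
```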

Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?

2016-05-17 Thread Simpson Lachlan
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Alexander Bokovoy
> Sent: Monday, 16 May 2016 11:46 PM
> To: Lachlan Musicman
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?
> 
> On Mon, 16 May 2016, Lachlan Musicman wrote:
> >Hola,
> >
> >We have an interesting scenario that is hard to find any information on.
> >
> >Due to permission restrictions, a NAS that is mounted and visible by
> >both AD and 'nix clients, every user belongs to a particular primary group.
> What scope do these primary groups have in AD?

They are a mix of Global and Universal.

> >When we try doing idoverride's on the groups, it fails with the Primary
> >Group. In some cases, the primary group doesn't even appear in a getent
> >or id request. Sometimes it appears with incorrect name or GID.
> >
> >We have found it hard to get repeatable "failures", but here are two:
> >
> >1. getent group  (where groupname is any group, but is a
> >primary group for a subset of members)
> >
> > - does not return any member that has groupname as a primary group in AD.
> >
> >2. Overriding a group
> >
> >if the user has that group as a primary group (in AD), it will override
> >the name, but not the GID.
> >else, the override works.
> >
> >There were a number of other unusual results that are hard to explain
> >how to reproduce because it was all so seemingly random.
> Primary groups in AD are a bit complex. SSSD needs to improve on their 
> handling as, for example, Samba only recognizes primary groups from AD, not 
> any others, and there should be some coherence to make things actually work 
> correctly.

Yep - for us it's a samba issue at the bottom (the last yak to shave is the 
samba straddling both windows and linux domains, which is a solved 
problem/fixed constraint).

>
> >I feel like it would be an obvious need - to translate or override AD
> >primary groups to FreeIPA groups, but this doesn't seem possible.
> There is only one primary group for a user. For Kerberos operations we 
> currently don't take ID overrides into account when constructing MS-PAC, so 
> if an AD user comes with GSSAPI to a FreeIPA client, its primary group SID 
> will stay pinned to AD's group, ignoring ID overrides.

What is MS-PAC?

> I'm not sure it would be possible to amend primary group SIDs with ID 
> overrides in general because a numeric value in the override for a gid does 
> not mean there is an actual group with a proper SID and name in FreeIPA for 
> that gid.


Not interested in changing the SID. I want to change the GID. When the AD 
groups are read in FreeIPA they are given a GID like 171880.

I want that GID to be the same as it is in AD - eg 10004. That way, when a user 
writes to the shared drive on the linux side, the file is given the group 
ownership 10004. Which, when read on the Windows side, correctly maps to a 
group of users (instead of an individual). This is working in the current 
non-IPA system, but that system is not integrated. We want to integrate, hence 
FreeIPA.

> There is another issue, though. If a user's primary group has a domain local
> scope, FreeIPA will not be able to use that group through the forest 
> boundary, at least, it should be ignored according to the AD specs.

Ah, hence the scope question. 

No, none are Domain Local to my knowledge. 

Cheers
L.
This email (including any attachments or links) may contain 
confidential and/or legally privileged information and is 
intended only to be read or used by the addressee.  If you 
are not the intended addressee, any use, distribution, 
disclosure or copying of this email is strictly 
prohibited.  
Confidentiality and legal privilege attached to this email 
(including any attachments) are not waived or lost by 
reason of its mistaken delivery to you.
If you have received this email in error, please delete it 
and notify us immediately by telephone or email.  Peter 
MacCallum Cancer Centre provides no guarantee that this 
transmission is free of virus or that it has not been 
intercepted or altered and will not be liable for any delay 
in its receipt.




Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?

2016-05-17 Thread Alexander Bokovoy

On Tue, 17 May 2016, Simpson Lachlan wrote:

>I feel like it would be an obvious need - to translate or override AD
>primary groups to FreeIPA groups, but this doesn't seem possible.
There is only one primary group for a user. For Kerberos operations we currently
don't take ID overrides into account when constructing MS-PAC, so if an AD user
comes with GSSAPI to a FreeIPA client, its primary group SID will stay pinned to
AD's group, ignoring ID overrides.


What is MS-PAC?

https://msdn.microsoft.com/en-us/library/cc237917.aspx




I'm not sure it would be possible to amend primary group SIDs with ID overrides in
general because a numeric value in the override for a gid does not mean there is
an actual group with a proper SID and name in FreeIPA for that gid.



Not interested in changing the SID. I want to change the GID. When the
AD groups are read in FreeIPA they are given a GID like 171880.

I want that GID to be the same as it is in AD - eg 10004. That way,
when a user writes to the shared drive on the linux side, the file is
given the group ownership 10004. Which, when read on the Windows side,
correctly maps to a group of users (instead of an individual). This is
working in the current non-IPA system, but that system is not
integrated. We want to integrate, hence FreeIPA.

So you have POSIX attributes defined in AD already? Why then are you
using POSIX attributes defined in IPA? You could have defined an ID
range type that forces SSSD to use POSIX attributes from Active
Directory.

--
/ Alexander Bokovoy



[Freeipa-users] Renable 7389 port on multimaster

2016-05-17 Thread barrykfl
Hi :


2 servers configured as multi master but one of them cannot telnet 7389

how can I check and re-enable it?

Server cannot telnet 7389; should I reinstall CA service ... is it
related?
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

thks

barry

Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?

2016-05-17 Thread Simpson Lachlan
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Martin Kosek
> Sent: Monday, 16 May 2016 11:28 PM
> To: Lachlan Musicman; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?
> 
> On 05/16/2016 05:28 AM, Lachlan Musicman wrote:
> > Hola,
> >
> > We have an interesting scenario that is hard to find any information on.
> >
> > Due to permission restrictions, a NAS that is mounted and visible by
> > both AD and 'nix clients, every user belongs to a particular primary group.
> >
> > When we try doing idoverride's on the groups, it fails with the Primary 
> > Group. In some cases, the primary group doesn't even appear in a getent or 
> > id request. Sometimes it appears with incorrect name or GID.
> >
> > We have found it hard to get repeatable "failures", but here are two:
> >
> > 1. getent group  (where groupname is any group, but is a
> > primary group for a subset of members)
> >
> >   - does not return any member that has groupname as a primary group in AD.
> >
> > 2. Overriding a group
> >
> > if the user has that group as a primary group (in AD), it will
> > override the name, but not the GID.
> > else, the override works.
> >
> > There were a number of other unusual results that are hard to explain
> > how to reproduce because it was all so seemingly random.
> >
> >
> > I feel like it would be an obvious need - to translate or override AD
> > primary groups to FreeIPA groups, but this doesn't seem possible.
> >
> > Have we set IPA  up incorrectly, or are we hitting on something else?
> >
> > I found this AD support problem for Win2003, but I feel like it's old
> > and would surely have been solved?
> > https://support.microsoft.com/en-us/kb/275523
> >
> > Also, their solution ("hack AD, then hack your other LDAP software")
> > is, for some reason, funny to me.
> 
> It seems you are looking for this extension:
> https://fedorahosted.org/sssd/ticket/1872
> 
> It is not done yet, there is a plenty of information in the ticket comments.
> Please let us know if this does not help.

Martin,

Thanks for your response. This doesn't quite fit our issues. This is explicitly 
about *private* groups in NIX (where adding a new user creates GID==UID and 
enrols that user).

Our problem is explicitly a *Primary Groups in AD* problem. Users that exist in 
AD have a primary group (traditionally "Domain Users") which we are using for 
other reasons (access control based on groups to files that are mounted on both 
AD and NIX servers).

In FreeIPA ( ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 on fully up to date 
Centos 7.2), after joining the AD (domain.org) in a one way trust as a 
subdomain (unix.domain.org), when we query AD, it explicitly ignores AD based 
Primary Groups - membership and overrides seem to fail.

Does that make sense?

I can see that it's vaguely related to the private group, but only in so much 
as it's the group that is assigned to the user (if you look in /etc/passwd on 
our pre-IPA system, our user data look like: 
lsimpson:x:1542:10007::/home/lsimpson:/bin/bash where 10007 is the id of the 
primary group in AD).

Obviously this data is no longer in /etc/passwd, but it doesn't seem to be able 
to be affected (via idoverrides).

Cheers
L.


</gr_replreplace>
<gr_insert after="1996" cat="add_content" lang="python" orig="Go to http://freeipa.org">
An added example, not from the thread and not FreeIPA or SSSD code, of the AD-side fact behind the symptoms Lachlan describes. AD records the primary-group relation only as the RID in the user's primaryGroupID attribute: the group's member attribute does not list such users, and the user's memberOf does not list the group. Anything that walks member/memberOf therefore sees only the group's explicit members, while the user's GID still has to be derived from primaryGroupID. The code decodes the binary objectSid AD returns, builds the primary group SID from it and merges it into the user's effective group set. All DNs, SIDs and entries are constructed for the example.

```python
"""Added example, not from the thread or the FreeIPA/SSSD projects.

Derive an AD user's primary group from primaryGroupID and show why a
member/memberOf walk alone misses it. Sample data below is constructed.
"""
import struct


def sid_to_str(sid: bytes) -> str:
    """Decode a binary SID: revision byte, sub-authority count, 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def str_to_sid(text: str) -> bytes:
    """Inverse of sid_to_str; used here to build the constructed sample."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def domain_sid(object_sid: str) -> str:
    """A domain account's SID is <domain SID>-<RID>; drop the RID."""
    return object_sid.rsplit("-", 1)[0]


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """primaryGroupID is a RID relative to the user's own domain
    (513 is the well-known RID of Domain Users)."""
    return "%s-%d" % (domain_sid(user_sid), primary_group_id)


def effective_group_sids(user, groups_by_dn):
    """Group SIDs the user really belongs to: memberOf plus the primary group."""
    user_sid = sid_to_str(user["objectSid"])
    sids = {sid_to_str(groups_by_dn[dn]["objectSid"]) for dn in user.get("memberOf", [])}
    sids.add(primary_group_sid(user_sid, user["primaryGroupID"]))
    return sids


def member_attr_only(group) -> list:
    """What a consumer that reads only the group's member attribute sees."""
    return list(group.get("member", []))


# Constructed sample: one domain, a user whose primary group is a custom group.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
USER_DN = "CN=lsimpson,OU=Users,DC=example,DC=org"
NAS_DN = "CN=nas-users,OU=Groups,DC=example,DC=org"
RESEARCH_DN = "CN=research,OU=Groups,DC=example,DC=org"

SAMPLE_GROUPS = {
    # Primary group of lsimpson: AD keeps no member value for that relation.
    NAS_DN: {"objectSid": str_to_sid(DOMAIN_SID + "-1107"), "member": []},
    # Ordinary membership: recorded in member and mirrored in memberOf.
    RESEARCH_DN: {"objectSid": str_to_sid(DOMAIN_SID + "-1108"), "member": [USER_DN]},
}
SAMPLE_USER = {
    "dn": USER_DN,
    "objectSid": str_to_sid(DOMAIN_SID + "-1542"),
    "primaryGroupID": 1107,
    "memberOf": [RESEARCH_DN],
}

if __name__ == "__main__":
    print("member attribute of nas-users:", member_attr_only(SAMPLE_GROUPS[NAS_DN]))
    print("effective groups of lsimpson:",
          sorted(effective_group_sids(SAMPLE_USER, SAMPLE_GROUPS)))
```

The empty member list for nas-users is the shape of the first "failure" in the post: a group that is only ever a primary group has nobody in member, so a member-based enumeration returns no one, even though every such user carries the group's RID in primaryGroupID.
<test>
assert sid_to_str(str_to_sid(DOMAIN_SID + "-1542")) == DOMAIN_SID + "-1542"
assert domain_sid(DOMAIN_SID + "-1542") == DOMAIN_SID
assert primary_group_sid(DOMAIN_SID + "-1542", 513) == DOMAIN_SID + "-513"
assert member_attr_only(SAMPLE_GROUPS[NAS_DN]) == []
assert member_attr_only(SAMPLE_GROUPS[RESEARCH_DN]) == [USER_DN]
assert effective_group_sids(SAMPLE_USER, SAMPLE_GROUPS) == {DOMAIN_SID + "-1107", DOMAIN_SID + "-1108"}
</test>
</gr_insert>
<gr_replace lines="2020-2023" cat="remove_boilerplate" orig="--">


[Freeipa-users] How to determine cause/source of user lockout?

2016-05-17 Thread John Duino
Is there a (relatively easy) way to determine what is causing a user
account to be locked out? The admin account on our 'primary' ipa host is
locked out frequently, but somewhat randomly; sometimes it will be less
than 5 minutes it is available, and other times several hours.

ipa user-status admin will show something like:
Failed logins: 6
Last successful authentication: 20160516214142Z
Last failed authentication: 20160516224718Z
Time now: 2016-05-16T22:52:00Z

ipa user-unlock admin  does unlock it.

But parsing through the various logs on the affected host doesn't give me
what I need to know, primarily, which host(s) are trying to access admin
and causing it to lock.

FreeIPA 4.2.0 on CentOS 7.2.1511
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
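An added example, not from the post and not FreeIPA code, of where the "which host" answer lives. Password authentications against IPA (kinit, sshd through SSSD, the Web UI and the ipa CLI) all end up as AS_REQ exchanges at the KDC, so every wrong password produces a PREAUTH_FAILED line in /var/log/krb5kdc.log with the client address. The script tallies those lines per client for one principal. The log lines are constructed in the MIT KDC's format; hostnames and addresses are made up.

```python
"""Added example, not from the post or the FreeIPA project.

Tally PREAUTH_FAILED lines in /var/log/krb5kdc.log per client address for
one principal. Two things to keep in mind when reading the result:
  - the counters shown by `ipa user-status` are kept per IPA server, so run
    this against every server's krb5kdc.log, not just the one that noticed;
  - for Web UI logins the KDC sees the IPA server itself as the client; the
    browser's address is in /var/log/httpd/access_log on that server.
Sample lines below are constructed.
"""
import re
import sys

PREAUTH_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \([^)]*\) (?P<client>[0-9A-Fa-f.:]+): PREAUTH_FAILED: "
    r"(?P<principal>[^\s,]+) for (?P<service>[^\s,]+)"
)


def failed_preauth_by_client(lines, principal):
    """Map client address -> (count, first timestamp, last timestamp)."""
    stats = {}
    for line in lines:
        m = PREAUTH_FAILED.match(line)
        if not m or m.group("principal") != principal:
            continue  # successes, NEEDED_PREAUTH and other principals are skipped
        client, ts = m.group("client"), m.group("ts")
        count, first, _ = stats.get(client, (0, ts, ts))
        stats[client] = (count + 1, first, ts)
    return stats


def ranked_clients(lines, principal):
    """(client, count, first, last) rows, busiest client first."""
    stats = failed_preauth_by_client(lines, principal)
    return sorted(((c, n, first, last) for c, (n, first, last) in stats.items()),
                  key=lambda row: (-row[1], row[0]))


def total_failures(lines, principal):
    """Sum of failures seen in this log; compare with 'Max failures' from ipa pwpolicy-show."""
    return sum(n for n, _, _ in failed_preauth_by_client(lines, principal).values())


# Constructed sample: one successful kinit, four failures from one host, one
# from another, and one failure for a different principal.
SAMPLE_LOG = """\
May 16 22:41:42 ipa1.example.org krb5kdc[2234](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.5: NEEDED_PREAUTH: admin@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
May 16 22:41:42 ipa1.example.org krb5kdc[2234](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.5: ISSUE: authtime 1463438502, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
May 16 22:45:03 ipa1.example.org krb5kdc[2234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.17: PREAUTH_FAILED: admin@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
May 16 22:45:33 ipa1.example.org krb5kdc[2234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.17: PREAUTH_FAILED: admin@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
May 16 22:46:03 ipa1.example.org krb5kdc[2234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.17: PREAUTH_FAILED: admin@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
May 16 22:46:40 ipa1.example.org krb5kdc[2234](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.8: PREAUTH_FAILED: jduino@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
May 16 22:47:18 ipa1.example.org krb5kdc[2234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.17: PREAUTH_FAILED: admin@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
May 16 22:47:18 ipa1.example.org krb5kdc[2234](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.8: PREAUTH_FAILED: admin@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
"""

if __name__ == "__main__":
    # Usage: python3 kdc_failures.py admin@EXAMPLE.ORG /var/log/krb5kdc.log
    principal = sys.argv[1] if len(sys.argv) > 1 else "admin@EXAMPLE.ORG"
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for client, n, first, last in ranked_clients(lines, principal):
        print("%-18s %3d failures  %s .. %s" % (client, n, first, last))
```

A host that shows up with a steady drip of failures a few minutes apart is typically a cron job, a monitoring check or a keytab-less service still holding an old admin password. LDAP simple binds that fail do not go through the KDC; those are in /var/log/dirsrv/slapd-*/access as BIND operations with err=49.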

Re: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN

2016-05-17 Thread Adam Kaczka
I found from [root@host pki-ca]# tail -n 100 /var/log/pki-ca/system that the CA
chain is missing, so I am thinking I may have to use ipa-server-certinstall
to reinstall the two certs.

5135.main - [27/Jan/2016:14:10:14 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2003.main - [27/Jan/2016:14:35:33 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2003.TP-Processor3 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2003.TP-Processor2 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2000.main - [28/Jan/2016:07:43:00 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2000.TP-Processor2 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2000.TP-Processor3 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2085.main - [03/Feb/2016:08:57:05 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2085.TP-Processor2 - [27/Jan/2016:14:05:03 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.


On Mon, May 16, 2016 at 11:45 AM, Adam Kaczka  wrote:

> Certmonger cannot communicate with CA; the result of getlist cert shows:
>
> RPC failed at server.  Certificate operation cannot be completed: Unable
> to communicate with CMS (Not Found)
>
> After setting time back, from /var/log/pki-ca/debug I get:
>
> [30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException
> Certificate object not found
> at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
> at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1205)
> at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
> at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
> at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
> at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
> at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
> at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
> at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
> at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425)
> at org.apache.catalina.core.StandardContext.start(StandardContext.java:4738)
> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
> at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
> at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
> at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
> at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
> at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
> at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
> at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
> at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
> at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
> at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
> at org.apache.catalina.core.StandardService.start(StandardService.java:516)
> at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
> at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at
> 

Re: [Freeipa-users] IPA and RSA

2016-05-17 Thread Sean Hogan

Forgot to mention this is for ipa-server-3.0.0-47.el6_7.1.x86_64

Thanks


Sean Hogan

From: Sean Hogan/Durham/IBM@IBMUS
To: freeipa-users 
Date: 05/16/2016 04:01 PM
Subject: [Freeipa-users] IPA and RSA
Sent by: freeipa-users-boun...@redhat.com

Hello all,

New req coming down the pipe which is RSA 2 factor auth and IPA
integration. Does anyone have a good source to start reading up on this? I
have been reading the freeipa docs and setting up the otp and what not..
but wondering if anyone has specific RSA integration docs/info?

Sean Hogan


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Giuseppe Sarno
Hello,
I am new to freeIPA and I have recently been working on a project to integrate freeIPA 
with some legacy application which uses LDAP for user management.
I initially created our own ldap structure and I tried to run the code 
against freeIPA/389DS. While running this example I noticed that 389DS takes 
quite some time to load profile data from the different ldap nodes (~2000 
entries). In a previous prototype using OpenDJ we had to increase the parameter 
ds-cfg-size-limit to ~1000 with good results. I am wondering now whether we 
can do the same for the freeIPA/389DS server. I found the following pages but I 
could not work out what the exact command should be to modify those parameters.

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html

http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html

I attempted the following but received a ObjectClass violation:

[centos@ldap-389ds-ireland ~]$ ldapmodify  -h ldap-389ds-ip -D "cn=Directory 
Manager" -w '' -f slimit
modifying entry "dc=ldap,dc=adeptra,dc=com"
ldap_modify: Object class violation (65)
additional info: attribute "nsslapd-sizelimit" not allowed

slimit:
dn: dc=ldap,dc=example,dc=com
changetype: modify
add: nsslapd-sizelimit
nsslapd-sizelimit: 1000

I also attempted using a user dn but with the same result.

Can anybody help ?

Thanks,
Giuseppe.



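An added example, not from the post above and not FreeIPA project code: nsslapd-sizelimit is an attribute of the server configuration entry cn=config, which is why adding it to the suffix entry is rejected as an object class violation. The LDIF below shows the global change and, as the safer alternative from the Red Hat page linked above, a per-bind-DN limit on the account the legacy application binds as. The hostname, the application's bind DN and the limit values are assumptions.

```ldif
# Added example, not from the post. Apply as Directory Manager, e.g.
#   ldapmodify -x -H ldap://ldap-389ds-ip -D "cn=Directory Manager" -W -f sizelimit.ldif
# Hostname, the application's bind DN and the limit values are assumptions.

# (a) Server-wide default: applies to every bind that has no limit of its own,
#     anonymous clients included on a default IPA install. This is the
#     counterpart of the OpenDJ ds-cfg-size-limit setting.
dn: cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: 1000

# (b) Preferred: raise the limit only for the account the legacy application
#     binds as and keep the global default for everyone else. nsLookThroughLimit
#     bounds how many candidate entries the server examines per search and has
#     to be at least as large as the result set you expect back.
dn: uid=legacyapp,cn=sysaccounts,cn=etc,dc=ldap,dc=example,dc=com
changetype: modify
replace: nsSizeLimit
nsSizeLimit: 1000
-
replace: nsLookThroughLimit
nsLookThroughLimit: 5000
```

Two caveats. A value of -1 for nsslapd-sizelimit means unlimited, so a client that can bind (anonymously, by default) could pull the whole tree; keep the global value modest and give the one application its own limit instead. And these 389 DS limits only govern direct LDAP clients; results returned by the ipa CLI and Web UI are capped separately by the IPA framework's search records limit (`ipa config-mod --searchrecordslimit`).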