Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-06-10 Thread Rob Crittenden

dan.finkelst...@high5games.com wrote:

And, from the 'ipactl -d --ignore-service-failures restart' we get this:

ipa: DEBUG: stderr=
ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
ipa: DEBUG: Waiting until the CA is running
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:38--  https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.

ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:43--  https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.

ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'

Which leads me to believe that tomcat doesn't have the right certificate(s).


I don't think that's the problem. I'd check the pki logs to see if it 
started and if not, why. Note that it is quite possible for tomcat to 
start and the CA to fail because tomcat is just a container.


In a previous e-mail you said something about a restore, what was that?

rob





Daniel Alex Finkelstein | Lead Dev Ops Engineer
dan.finkelst...@h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com

This message and any attachments may contain confidential or privileged
information and are only for the use of the intended recipient of this
message. If you are not the intended recipient, please notify the sender
by return email, and delete or destroy this and all copies of this
message and all attachments. Any unauthorized disclosure, use,
distribution, or reproduction of this message or any attachments is
prohibited and may be unlawful.

From:  on behalf of Daniel Finkelstein
Date: Friday, June 10, 2016 at 14:52
To: "freeipa-users@redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

That’s exactly right, and we got the files and links back to serviceable
order. Now we're (merely) facing issues with our restored certificate
store, which the pki-tomcatd process is not happy with. All IPA services
start normally except for tomcat, which spits out SSL errors (and we're
pretty sure must be related to bad certs… somewhere).

Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

Internal Database Error encountered: Could not connect to LDAP server
host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO
Error creating JSS SSL Socket (-1)
 at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
 at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
 at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
 at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
 at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
 at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
 at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
 at javax.servlet.GenericServlet.init(GenericServlet.java:158)
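A triage script for the two layers Rob separates in this thread (the Tomcat container answering on 8443 versus the CA subsystem actually starting), added here as an example; it is not FreeIPA's, ipactl's or Dogtag's code. It parses the `ipactl -d` excerpt and the pki-tomcat log lines quoted above (both embedded as constructed samples, with the wget arguments wrapped the way the mail shows them), maps the wget return code using the exit statuses documented in wget(1), and pulls the unreachable LDAP endpoint out of the Dogtag trace. The summary wording in `triage` is this example's own.

```python
import re
from typing import Dict, List, Optional

# Exit statuses documented in wget(1); the ones a TLS probe of getStatus can produce.
WGET_EXIT = {4: "network failure (TCP may connect, but no usable TLS session or response)",
             5: "SSL verification failure", 8: "server issued an error response"}
PREFIX = "ipa: DEBUG: "

# Constructed sample: the `ipactl -d` excerpt from the thread (two complete probes
# and the cut-off third one), wget arguments wrapped the way the mail shows them.
IPACTL_DEBUG = """\
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
'--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:38--  https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.

ipa: DEBUG: The CA status is: check interrupted due to error: Command
''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit
status 4
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
'--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:43--  https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.

ipa: DEBUG: The CA status is: check interrupted due to error: Command
''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit
status 4
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
'--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
"""

# Constructed sample: the first lines of the pki-tomcat (Dogtag) log quoted in the thread.
PKI_LOG = ("Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)\n"
           "Internal Database Error encountered: Could not connect to LDAP server host "
           "ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)\n")


def parse_ca_probes(debug_log: str) -> List[Dict]:
    """One record per getStatus probe. Mail-wrapped continuation lines are glued back onto
    the section last opened (cmd/stdout/stderr/status); a probe with no 'Process finished'
    line (the cut-off tail) is dropped."""
    probes: List[Dict] = []
    cur: Optional[Dict] = None
    section: Optional[str] = None
    for line in debug_log.splitlines():
        if line.startswith(PREFIX + "args="):
            if cur and cur["rc"] is not None:
                probes.append(cur)
            cur = {"cmd": line[len(PREFIX) + 5:], "rc": None, "stdout": "", "stderr": "", "status": ""}
            section = "cmd"
        elif cur is None:
            continue
        elif line.startswith(PREFIX + "Process finished, return code="):
            cur["rc"], section = int(line.rsplit("=", 1)[1]), None
        elif line.startswith(PREFIX + "stdout="):
            cur["stdout"], section = line[len(PREFIX) + 7:], "stdout"
        elif line.startswith(PREFIX + "stderr="):
            cur["stderr"], section = line[len(PREFIX) + 7:], "stderr"
        elif line.startswith(PREFIX + "The CA status is:"):
            cur["status"], section = line.split("The CA status is:", 1)[1].strip(), "status"
        elif line.startswith(PREFIX):
            section = None                     # any other ipactl line closes the open section
        elif section and line.strip():
            cur[section] = (cur[section] + " " + line.strip()).strip()
    if cur and cur["rc"] is not None:
        probes.append(cur)
    return probes


def classify_probe(probe: Dict) -> Dict:
    """Separate 'TCP never connected' from 'connected, TLS handshake failed' using wget's stderr."""
    err = probe["stderr"]
    return {"rc": probe["rc"], "meaning": WGET_EXIT.get(probe["rc"], "other wget failure"),
            "tcp_connected": " connected." in err,
            "tls_failed": "Unable to establish SSL connection" in err}


LDAP_FAIL_RE = re.compile(r"Could not connect to LDAP server host (?P<host>\S+) port (?P<port>\d+)")


def find_pki_ldap_failure(pki_log: str) -> Optional[Dict]:
    """The LDAP endpoint Dogtag could not reach, and whether JSS (the NSS/TLS layer) raised it."""
    m = LDAP_FAIL_RE.search(pki_log)
    if not m:
        return None
    return {"host": m["host"], "port": int(m["port"]),
            "jss_socket_error": "IO Error creating JSS SSL Socket" in pki_log}


def triage(debug_log: str, pki_log: str) -> Dict:
    """Combine both layers: what the container probe saw and what the CA itself logged."""
    probes = [classify_probe(p) for p in parse_ca_probes(debug_log)]
    ldap = find_pki_ldap_failure(pki_log)
    layer = "unknown"
    if probes and all(p["tcp_connected"] and p["tls_failed"] for p in probes):
        layer = "tomcat accepts TCP on 8443 but no TLS session completes"
    if ldap and ldap["jss_socket_error"]:
        layer = "CA subsystem failed at startup: JSS could not open TLS to LDAP %s:%d" % (ldap["host"], ldap["port"])
    return {"probes": len(probes), "ldap": ldap, "layer": layer}


if __name__ == "__main__":
    print(triage(IPACTL_DEBUG, PKI_LOG))
```

Run against the thread's own excerpts it reports two completed probes that connected on 8443 but never finished a handshake, and, from the pki log, that the CA died before serving because JSS could not open its TLS connection to LDAP on 636. That is the distinction Rob draws: the container is up, the subsystem behind it is not, so the pki logs, not the Tomcat connector, are the place to look first.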

 

Re: [Freeipa-users] Redhat Summit

2016-06-10 Thread Rob Crittenden

Randy Morgan wrote:

Do you know the vendor name on the booth, or will it be under Redhat?


I'm told there will be an Identity Management kiosk/demo area at the Red 
Hat booth.


rob



Randy

Randy Morgan
CSR
Department of Chemistry and Biochemistry
Brigham Young University
801-422-4100

On 6/10/2016 11:51 AM, Rob Crittenden wrote:

Randy Morgan wrote:

So I have a slightly different question. Redhat Summit is the end of
this month, and I was wondering why FreeIPA was not doing a presentation
at the summit?  This is a subject I would be very interested in at the
summit.

Randy



IPA will be there in at least these sessions:

Practical steps implementing Red Hat identity management solution
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45364


Red Hat identity and access management vision, solution, and roadmap
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=46061


and a lab:

Up and running with Red Hat identity management
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45128


There will also be folks in a booth showing demos and answering
questions.

rob




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Redhat Summit

2016-06-10 Thread Randy Morgan

Do you know the vendor name on the booth, or will it be under Redhat?

Randy

Randy Morgan
CSR
Department of Chemistry and Biochemistry
Brigham Young University
801-422-4100

On 6/10/2016 11:51 AM, Rob Crittenden wrote:

Randy Morgan wrote:

So I have a slightly different question. Redhat Summit is the end of
this month, and I was wondering why FreeIPA was not doing a presentation
at the summit?  This is a subject I would be very interested in at the
summit.

Randy



IPA will be there in at least these sessions:

Practical steps implementing Red Hat identity management solution 
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45364 



Red Hat identity and access management vision, solution, and roadmap 
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=46061


and a lab:

Up and running with Red Hat identity management 
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45128


There will also be folks in a booth showing demos and answering 
questions.


rob




Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-06-10 Thread Dan.Finkelstein
And, from the 'ipactl -d --ignore-service-failures restart' we get this:

ipa: DEBUG: stderr=
ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
ipa: DEBUG: Waiting until the CA is running
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:38--  https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.

ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:43--  https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.

ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'

Which leads me to believe that tomcat doesn't have the right certificate(s).

Daniel Alex Finkelstein | Lead Dev Ops Engineer
dan.finkelst...@h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com

From:  on behalf of Daniel Finkelstein
Date: Friday, June 10, 2016 at 14:52
To: "freeipa-users@redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

That’s exactly right, and we got the files and links back to serviceable order. 
Now we're (merely) facing issues with our restored certificate store, which the 
pki-tomcatd process is not happy with. All IPA services start normally except 
for tomcat, which spits out SSL errors (and we're pretty sure must be related 
to bad certs… somewhere).

Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
Internal Database Error encountered: Could not connect to LDAP server host 
ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating 
JSS SSL Socket (-1)
at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at 

Re: [Freeipa-users] Can't establish trust with 2008 AD

2016-06-10 Thread Alexander Bokovoy

On Fri, 10 Jun 2016, pgb205 wrote:

Alexander, here you go.
One thing that came to mind that might be a problem. My Active
Directory is adserver.addomain.com while IPA is ipax1.ipadomain; there
is no suffix. Not sure if that would matter. Anyway, here is the log as
requested.

So here is what we see:
ads_try_connect: sending CLDAP request to 172.19.1.10 (realm: (null))
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 172.19.1.10 failed.

You have real connectivity issues -- CLDAP is UDP port 389.
Check your firewall.
--
/ Alexander Bokovoy
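The Samba lines Alexander quotes (`ads_try_connect: sending CLDAP request` followed by `did not get a reply`) describe one UDP datagram to port 389 that never came back. The following is an added example, not Samba's or FreeIPA's code, that builds the same kind of datagram `net ads lookup` sends (a single LDAP searchRequest, carried bare over UDP, with the filter `(&(DnsDomain=<domain>)(NtVer=<flags>))` asking for the `Netlogon` attribute) so the UDP/389 path can be checked on its own, independent of the trust setup. The `NtVer` flag value 0x00000006 is an assumption about which NT version flags to request; for a reachability check any reply at all is the answer, whatever its contents. The small decoder exists only to sanity-check the encoding offline; `cldap_ping` needs a network and is not exercised by the test.

```python
import socket
import struct
from typing import Dict, Optional


def ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV with a definite-form length (short form below 128 bytes, long form above)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + payload


def octet(s: bytes) -> bytes:
    return ber(0x04, s)


def equality(attr: bytes, value: bytes) -> bytes:
    """Filter equalityMatch [3] AttributeValueAssertion (IMPLICIT context tag 0xA3)."""
    return ber(0xA3, octet(attr) + octet(value))


def build_netlogon_request(domain: str, message_id: int = 1, nt_version: int = 0x6) -> bytes:
    """LDAPMessage { messageID, searchRequest [APPLICATION 3] } as a CLDAP datagram.
    nt_version 0x6 (assumption: NT version 5 + 5EX flags) is packed little-endian."""
    if not 0 <= message_id < 128:
        raise ValueError("single-byte message id only")
    filt = ber(0xA0,                                            # and [0]
               equality(b"DnsDomain", domain.encode())
               + equality(b"NtVer", struct.pack("<I", nt_version)))
    search = ber(0x63,                                          # searchRequest
                 octet(b"")                                     # baseObject: root DSE
                 + ber(0x0A, b"\x00")                           # scope: baseObject
                 + ber(0x0A, b"\x00")                           # derefAliases: never
                 + ber(0x02, b"\x00")                           # sizeLimit 0
                 + ber(0x02, b"\x00")                           # timeLimit 0
                 + ber(0x01, b"\x00")                           # typesOnly FALSE
                 + filt
                 + ber(0x30, octet(b"Netlogon")))               # attributes to return
    return ber(0x30, ber(0x02, bytes([message_id])) + search)


def tlv(data: bytes, pos: int = 0):
    """Decode one TLV at pos -> (tag, payload, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    return tag, data[pos:pos + length], pos + length


def describe(datagram: bytes) -> Dict:
    """Sanity-decode a request we built: message id, operation tag, requested attribute."""
    tag, body, _ = tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, id_val, p = tlv(body)
    op_tag, op_body, _ = tlv(body, p)
    q, last = 0, None
    while q < len(op_body):                 # walk to the last element: the attribute list
        last = tlv(op_body, q)
        q = last[2]
    _, attr_val, _ = tlv(last[1])
    return {"message_id": int.from_bytes(id_val, "big"), "op_tag": op_tag,
            "attribute": attr_val.decode()}


def cldap_ping(dc: str, domain: str, timeout: float = 3.0) -> Optional[bytes]:
    """Send the request to dc:389/udp; None on timeout is Samba's 'did not get a reply'."""
    req = build_netlogon_request(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (dc, 389))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return reply


if __name__ == "__main__":
    dgram = build_netlogon_request("addomain.com")
    print(len(dgram), "bytes:", describe(dgram))
```

A `None` from `cldap_ping` against the DC's address, while TCP/389 or TCP/445 to the same host works, is exactly the "check your firewall" case: the trust code is not broken, the UDP path is.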



[Freeipa-users] Replication time and relation to cache size

2016-06-10 Thread Ash Alam
Hello

I have been going through the lists but I have not found the answer I am
looking for. I am seeing a few issues for which I am looking for some
clarification.

1. What is the relationship between replication time and cache size?

- I am noticing that it takes up to 5 minutes for some things to
replicate when a change is made on one node and there are two additional
masters. The IPA nodes are all virtual machines within the same cluster.

- WARNING: changelog: entry cache size 2097152B is less than db size
116154368B; We recommend to increase the entry cache size
nsslapd-cachememsize.

- I don't understand the cache size. Wouldn't increasing it cause the same
issue when we hit the new limit?

- connection - conn=3779 fd=175 Incoming BER Element was 3 bytes, max
allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in
cn=config to increase.


2. Is there a definitive solution to this error? This seems to pop up every
so often.

- NSMMReplicationPlugin - agmt="cn=meToipa009.pp" (ipa009:389): Warning:
Attempting to release replica, but unable to receive endReplication
extended operation response from the replica. Error -5 (Timed out)


Thank You
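The three messages in this question are all 389-ds errors-log lines, and each carries enough numbers to act on. The following is an added example, not 389-ds or FreeIPA code, that parses them from constructed log lines (the timestamps are made up; the message bodies are the ones quoted above) and turns the entry-cache warning into an `ldapmodify` change. Two things in it are assumptions, labelled in the code: that the backend named in the warning (`changelog`) lives at `cn=changelog,cn=ldbm database,cn=plugins,cn=config`, and that rounding the reported db size up to the next power of two is a sensible new `nsslapd-cachememsize`, since the server itself only says "increase it". The BER handling is plain arithmetic from the message: an element of 3 bytes against a limit of 209715200 was not rejected for size, so raising `nsslapd-maxbersize` cannot be the fix for that line.

```python
import re
from typing import Dict, List

# Constructed sample: errors-log style lines built from the three messages in the
# question; the timestamps are invented, the message text is as quoted.
ERRORS_LOG = [
    "[10/Jun/2016:10:00:01 +0000] - WARNING: changelog: entry cache size 2097152B is less than "
    "db size 116154368B; We recommend to increase the entry cache size nsslapd-cachememsize.",
    "[10/Jun/2016:10:00:02 +0000] connection - conn=3779 fd=175 Incoming BER Element was 3 bytes, "
    "max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.",
    '[10/Jun/2016:10:05:00 +0000] NSMMReplicationPlugin - agmt="cn=meToipa009.pp" (ipa009:389): Warning: '
    "Attempting to release replica, but unable to receive endReplication extended operation response "
    "from the replica. Error -5 (Timed out)",
]

CACHE_RE = re.compile(r"WARNING: (?P<backend>\w+): entry cache size (?P<cache>\d+)B is less than db size (?P<db>\d+)B")
BER_RE = re.compile(r"conn=(?P<conn>\d+) .*Incoming BER Element was (?P<got>\d+) bytes, max allowable is (?P<max>\d+) bytes")
REPL_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): .*Error (?P<code>-?\d+) \((?P<text>[^)]+)\)')


def next_power_of_two(n: int) -> int:
    return 1 << (n - 1).bit_length()


def parse_errors_log(lines: List[str]) -> Dict[str, List[Dict]]:
    """Group the three message kinds into structured findings."""
    found: Dict[str, List[Dict]] = {"cache": [], "ber": [], "replication": []}
    for line in lines:
        m = CACHE_RE.search(line)
        if m:
            found["cache"].append({"backend": m["backend"], "cache": int(m["cache"]), "db": int(m["db"])})
            continue
        m = BER_RE.search(line)
        if m:
            got, limit = int(m["got"]), int(m["max"])
            # Only an element that actually exceeded the limit is a size problem; a 3-byte
            # element under a 200 MB limit is not, so raising nsslapd-maxbersize cannot fix it.
            found["ber"].append({"conn": int(m["conn"]), "got": got, "max": limit,
                                 "raise_limit_helps": got > limit})
            continue
        m = REPL_RE.search(line)
        if m:
            found["replication"].append({"agmt": m["agmt"], "peer": m["peer"],
                                         "code": int(m["code"]), "text": m["text"]})
    return found


def cache_ldif(finding: Dict) -> str:
    """ldapmodify input raising the backend's entry cache above its db size.
    Assumptions: backend DN layout cn=<backend>,cn=ldbm database,cn=plugins,cn=config,
    and round-up-to-power-of-two sizing (the server only says 'increase it')."""
    size = next_power_of_two(finding["db"])
    return (f"dn: cn={finding['backend']},cn=ldbm database,cn=plugins,cn=config\n"
            "changetype: modify\n"
            "replace: nsslapd-cachememsize\n"
            f"nsslapd-cachememsize: {size}\n")


if __name__ == "__main__":
    findings = parse_errors_log(ERRORS_LOG)
    for f in findings["cache"]:
        print(cache_ldif(f))
    print(findings["ber"])
    print(findings["replication"])
```

For the warning quoted in the question the LDIF sets the changelog backend's cache to 134217728 bytes (the next power of two above 116154368). Whether the timed-out `endReplication` warning is related is not something the log line alone settles; the parser only extracts the agreement, peer and error code so they can be correlated with the replication timing being observed.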

Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-06-10 Thread Dan.Finkelstein
That’s exactly right, and we got the files and links back to serviceable order. 
Now we're (merely) facing issues with our restored certificate store, which the 
pki-tomcatd process is not happy with. All IPA services start normally except 
for tomcat, which spits out SSL errors (and we're pretty sure must be related 
to bad certs… somewhere).

Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
Internal Database Error encountered: Could not connect to LDAP server host 
ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating 
JSS SSL Socket (-1)
at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)

I think we might be willing to toss out the existing certificate store and 
start anew, which fortunately should preserve the DNS, user, group, etc., data 
already in LDAP. If we wanted to create a new trust and self-signed cert for 
the server, how are those steps different from promoting a replica to a 
cert-signing master?

Thanks,
Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer
dan.finkelst...@h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com

Re: [Freeipa-users] problem in sudo policy when target commands use local environment variables

2016-06-10 Thread Mitra Dehghan
Dear Paul,
Thanks for your suggestion. It worked.
By the way, using the -i option I had to change the sudocmd definition in the IPA
server to "/bin/bash -c /path/to/target_cmd"; after that, the -i option
worked successfully.
Thanks a lot.
On Jun 6, 2016 8:33 PM, "Brennan, Paul J" 
wrote:

> Hi Mitra,
> I'm not sure if '-H' is the best option for this. If I'm reading the
> documentation correctly, it sounds like that option only sets the value of
> $HOME to ~srvusr. You may want to try:
>
> $ sudo -u srvusr -i /path/to/target_cmd
>
> That should run the command using a login shell for
> srvusr, instantiating that user's variables.
>
> Good luck,
> Paul Brennan
>
> (Apologies if this ends up in the wrong thread or something, I just signed
> up to this list.)
>

Re: [Freeipa-users] Redhat Summit

2016-06-10 Thread Randy Morgan

Awesome, Thanks Rob, I am looking forward to it.

Randy

Randy Morgan
CSR
Department of Chemistry and Biochemistry
Brigham Young University
801-422-4100

On 6/10/2016 11:51 AM, Rob Crittenden wrote:

Randy Morgan wrote:

So I have a slightly different question. Redhat Summit is the end of
this month, and I was wondering why FreeIPA was not doing a presentation
at the summit?  This is a subject I would be very interested in at the
summit.

Randy



IPA will be there in at least these sessions:

Practical steps implementing Red Hat identity management solution 
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45364 



Red Hat identity and access management vision, solution, and roadmap 
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=46061


and a lab:

Up and running with Red Hat identity management 
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45128


There will also be folks in a booth showing demos and answering 
questions.


rob




Re: [Freeipa-users] Redhat Summit

2016-06-10 Thread Rob Crittenden

Randy Morgan wrote:

So I have a slightly different question.  Redhat Summit is the end of
this month, and I was wondering why FreeIPA was not doing a presentation
at the summit?  This is a subject I would be very interested in at the
summit.

Randy



IPA will be there in at least these sessions:

Practical steps implementing Red Hat identity management solution 
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45364


Red Hat identity and access management vision, solution, and roadmap 
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=46061


and a lab:

Up and running with Red Hat identity management 
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45128


There will also be folks in a booth showing demos and answering questions.

rob



[Freeipa-users] Redhat Summit

2016-06-10 Thread Randy Morgan
So I have a slightly different question.  Redhat Summit is the end of 
this month, and I was wondering why FreeIPA was not doing a presentation 
at the summit?  This is a subject I would be very interested in at the 
summit.


Randy

--

Randy Morgan
CSR
Department of Chemistry and Biochemistry
Brigham Young University
801-422-4100



Re: [Freeipa-users] Using LDAP directly - Password Expiry

2016-06-10 Thread Rob Crittenden

Prashant Bapat wrote:

Hi,

I'm using FreeIPA's LDAP component as user database in another
application. The binds happen using the user's credentials
(password+otp) and the search happens by a service account created under
cn=sysaccounts.

Things are working as expected except one small hitch. Password Expiry.
Binds are allowed even for users with expired passwords.

Are others using the LDAP directly? If yes, how are you handling the
password expiry?

Thanks.
--Prashant




There is a bit of a chicken and egg problem, see 
https://fedorahosted.org/freeipa/ticket/1539


rob



Re: [Freeipa-users] DNSSEC A, AAAA Records

2016-06-10 Thread Martin Basti



On 10.06.2016 18:14, Günther J. Niederwimmer wrote:

On Friday, 10 June 2016, 18:01:32 CEST, Martin Basti wrote:

On 10.06.2016 17:33, Günther J. Niederwimmer wrote:

On Friday, 10 June 2016, 15:26:39 CEST, Petr Spacek wrote:

On 10.6.2016 14:21, Günther J. Niederwimmer wrote:

Hello,

On Friday, 10 June 2016, 10:12:50 CEST, Martin Basti wrote:

On 10.06.2016 09:09, Günther J. Niederwimmer wrote:

Hello,

can anyone help me clear up a question about DNSSEC and NSEC3?

I have a domain created with bind and DNSSEC and NSEC3. I tested this
domain, and another one that is not mine, with

http://dnsviz.net/d/esslmaier.at/dnssec/

This site from Verisign tells me everything is secure and also shows the A,
AAAA records.

FreeIPA 4.3.1 CentOS 7.2

I mean with FreeIPA 4.2 I have A or AAAA records, but someone from the
list told me 4.3.1 is the better version for DNSSEC?


But when I test my IPA-created domain
http://dnsviz.net/d/4gjn.com/dnssec/

I miss the A, AAAA records.

Can this be correct?

Thanks for an answer

Hello,
do you have A and AAAA records configured in the zone apex of '4gjn.com'?

Yes, I have configured A and AAAA records, but something is wrong with the
zone file? When I look at my secondary DNS (a PDNS), I find totally
different entries for esslmaier.at and my 4gjn.com.


I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results, but for `dig
+dnssec 4gjn.com. A` it looks like there are no A/AAAA records.

Yes, I wrote this before but I have no answer; what can I do :-(.


Can you provide the output of `ipa dnsrecord-show 4gjn.com. @`?

This is all!!!

[root@ipa ~]# ipa dnsrecord-show 4gjn.com. @
  Datensatzname: @
  MX record: 10 smtp.4gjn.com.
  NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net., ns1.gratisdns.dk.
  TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223 ip6:2001:470:6f:8f1::/64 ?include:gjn.priv.at -all"

   ipa dnsrecord-show 4gjn.com. 

ipa: ERROR: : DNS resource record nicht gefunden

Is this an LDAP problem?

Apparently you do not have any A/AAAA records defined in IPA. Add some
and you will see :-)

NO ;-(  I have configured all my servers with A and AAAA records?

But your server name is not '4gjn.com', but 'ipa.4gjn.com'. The second
one contains A/AAAA records.

4gjn.com AFAIK is your IPA domain, so it should not contain A/AAAA
records by default, unless you manually added them there.

When I do an ipa dnsrecord-show,

I miss the RRSIG record?

ipa dnsrecord-show
Datensatzname: ipa
Zonenname: 4gjn.com
   Datensatzname: ipa
   A record: 89.26.XXX.6
   AAAA record: 2001:470:6f:XXX::204
   SSHFP record: 1 1 96CEB1FC971F7916A37D7327DEBD97FAE0B19CDE, 3 2 59ED122BF99D4B149A17B159EF18A277DC0001BE66C14BBDDBF108FB05763604, 1 2 537DEA114D6232F6698D3B8B940091AE8AE159146764B073B8B777558E8789A0, 3 1 02614298C6F2CCF1F2F9BF8FA8A3267589E1FE1B

RRSIG records are not stored in LDAP; they are dynamically generated on 
the named server for each record, so ipa commands cannot show them. You must use


dig +dnssec @ipaserveraddress ipa.4gjn.com. A

Martin




Speaking of IPA versions, yes, the latest IPA 4.3.2 is the best you can get
for DNSSEC. There are many bugs in older versions.

I have IPA 4.3.1. I mean, you told me this about the bugs, but I can't find
4.3.2.

I have this repo

group_freeipa-freeipa-4-3-centos-7-epel-7.repo
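Martin's point is that `ipa dnsrecord-show` reads LDAP, where no RRSIG ever lives, so the only way to check signatures is to ask named with `dig +dnssec`. The following is an added example, not FreeIPA's code, that reads a `dig +dnssec` answer section and reports, per owner name, which record types exist and which of them lack a covering RRSIG (in RRSIG presentation format the first rdata field is the type covered, per RFC 4034). The answer lines are constructed to mirror this thread: `ipa.4gjn.com` has signed A and AAAA records, the apex `4gjn.com` has no A/AAAA at all (so there is nothing to sign), and the NS signature at the apex is deliberately left out so the check has something to flag. Addresses, key tag and signature data are placeholders.

```python
from collections import defaultdict
from typing import Dict, List, Sequence

# Constructed sample answer section (placeholder addresses, key tag and signatures).
DIG_ANSWER = """\
ipa.4gjn.com.  3600  IN  A      192.0.2.6
ipa.4gjn.com.  3600  IN  RRSIG  A 8 3 3600 20160710000000 20160610000000 12345 4gjn.com. PLACEHOLDERSIG==
ipa.4gjn.com.  3600  IN  AAAA   2001:db8::204
ipa.4gjn.com.  3600  IN  RRSIG  AAAA 8 3 3600 20160710000000 20160610000000 12345 4gjn.com. PLACEHOLDERSIG==
4gjn.com.      3600  IN  MX     10 smtp.4gjn.com.
4gjn.com.      3600  IN  RRSIG  MX 8 2 3600 20160710000000 20160610000000 12345 4gjn.com. PLACEHOLDERSIG==
4gjn.com.      3600  IN  NS     ipa.4gjn.com.
"""


def parse_answer(text: str) -> Dict[str, Dict[str, set]]:
    """-> {owner: {"types": {...}, "signed": {...}}} from presentation-format RR lines.
    Comment lines (';') and anything too short to be an RR are skipped."""
    out: Dict[str, Dict[str, set]] = defaultdict(lambda: {"types": set(), "signed": set()})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        owner, rrtype, rdata = parts[0].lower(), parts[3].upper(), parts[4:]
        if rrtype == "RRSIG":
            out[owner]["signed"].add(rdata[0].upper())   # first rdata field: type covered
        else:
            out[owner]["types"].add(rrtype)
    return dict(out)


def coverage_report(text: str, owner: str, wanted: Sequence[str] = ("A", "AAAA")) -> Dict[str, List[str]]:
    """For one owner name: which wanted types are absent, which present types have no RRSIG."""
    recs = parse_answer(text).get(owner.lower(), {"types": set(), "signed": set()})
    return {
        "present": sorted(recs["types"]),
        "missing": [t for t in wanted if t not in recs["types"]],
        "unsigned": sorted(t for t in recs["types"] if t not in recs["signed"]),
    }


if __name__ == "__main__":
    for name in ("ipa.4gjn.com.", "4gjn.com."):
        print(name, coverage_report(DIG_ANSWER, name))
```

Feeding it the real output of `dig +dnssec @ipaserveraddress ipa.4gjn.com. A` (and the same query for `AAAA` and for the apex) separates the two things that got mixed up in the thread: a type that is absent at a name (the apex here has no A/AAAA, which is normal for an IPA domain unless records were added by hand) versus a type that is present but unsigned, which would point at the signing side.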







Re: [Freeipa-users] DNSSEC A, AAAA Records

2016-06-10 Thread Günther J . Niederwimmer
On Friday, 10 June 2016, 18:01:32 CEST, Martin Basti wrote:
> On 10.06.2016 17:33, Günther J. Niederwimmer wrote:
> > On Friday, 10 June 2016, 15:26:39 CEST, Petr Spacek wrote:
> >> On 10.6.2016 14:21, Günther J. Niederwimmer wrote:
> >>> Hello,
> >>> 
> >>> On Friday, 10 June 2016, 10:12:50 CEST, Martin Basti wrote:
> >>>> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
> >>>>> Hello,
> >>>>> 
> >>>>> can anyone help me clear up a question about DNSSEC and NSEC3?
> >>>>> 
> >>>>> I have a domain created with bind and DNSSEC and NSEC3. I tested this
> >>>>> domain, and another one that is not mine, with
> >>>>> 
> >>>>> http://dnsviz.net/d/esslmaier.at/dnssec/
> >>>>> 
> >>>>> This site from Verisign tells me everything is secure and also shows
> >>>>> the A, AAAA records.
> >>>>> 
> >>>>> FreeIPA 4.3.1 CentOS 7.2
> >>> 
> >>> I mean with FreeIPA 4.2 I have A or AAAA records, but someone from the
> >>> list told me 4.3.1 is the better version for DNSSEC?
> >>> 
> >>>>> But when I test my IPA-created domain
> >>>>> http://dnsviz.net/d/4gjn.com/dnssec/
> >>>>> 
> >>>>> I miss the A, AAAA records.
> >>>>> 
> >>>>> Can this be correct?
> >>>>> 
> >>>>> Thanks for an answer
> >>>> 
> >>>> Hello,
> >>>> do you have A and AAAA records configured in the zone apex of '4gjn.com'?
> >>> 
> >>> Yes, I have configured A and AAAA records, but something is wrong with the
> >>> zone file? When I look at my secondary DNS (a PDNS), I find totally
> >>> different entries for esslmaier.at and my 4gjn.com.
> >>> 
> >>>> I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results, but for `dig
> >>>> +dnssec 4gjn.com. A` it looks like there are no A/AAAA records.
> >>> 
> >>> Yes, I wrote this before but I have no answer; what can I do :-(.
> >>> 
> >>>> Can you provide the output of `ipa dnsrecord-show 4gjn.com. @`?
> >>> 
> >>> This is all!!!
> >>> 
> >>> [root@ipa ~]# ipa dnsrecord-show 4gjn.com. @
> >>>   Datensatzname: @
> >>>   MX record: 10 smtp.4gjn.com.
> >>>   NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net., ns1.gratisdns.dk.
> >>>   TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223 ip6:2001:470:6f:8f1::/64 ?include:gjn.priv.at -all"
> >>> 
> >>>   ipa dnsrecord-show 4gjn.com. 
> >>> 
> >>> ipa: ERROR: : DNS resource record nicht gefunden
> >>> 
> >>> Is this an LDAP problem?
> >> 
> >> Apparently you do not have any A/AAAA records defined in IPA. Add some
> >> and you will see :-)
> > 
> > NO ;-(  I have configured all my servers with A and AAAA records?
> 
> But your server name is not '4gjn.com', but 'ipa.4gjn.com'. The second
> one contains A/AAAA records.
> 
> 4gjn.com AFAIK is your IPA domain, so it should not contain A/AAAA
> records by default, unless you manually added them there.

When I do an ipa dnsrecord-show,

I miss the RRSIG record?

ipa dnsrecord-show
Datensatzname: ipa
Zonenname: 4gjn.com
  Datensatzname: ipa
  A record: 89.26.XXX.6
  AAAA record: 2001:470:6f:XXX::204
  SSHFP record: 1 1 96CEB1FC971F7916A37D7327DEBD97FAE0B19CDE, 3 2 59ED122BF99D4B149A17B159EF18A277DC0001BE66C14BBDDBF108FB05763604, 1 2 537DEA114D6232F6698D3B8B940091AE8AE159146764B073B8B777558E8789A0, 3 1 02614298C6F2CCF1F2F9BF8FA8A3267589E1FE1B



> >> Speaking of IPA versions, yes, the latest IPA 4.3.2 is the best you can get
> >> for DNSSEC. There are many bugs in older versions.
> > 
> > I have IPA 4.3.1. I mean, you told me this about the bugs, but I can't find
> > 4.3.2.
> > 
> > I have this repo
> > 
> > group_freeipa-freeipa-4-3-centos-7-epel-7.repo





Re: [Freeipa-users] DNSSEC A, AAAA Records

2016-06-10 Thread Martin Basti



On 10.06.2016 17:33, Günther J. Niederwimmer wrote:

Am Freitag, 10. Juni 2016, 15:26:39 CEST schrieb Petr Spacek:

On 10.6.2016 14:21, Günther J. Niederwimmer wrote:

Hello,

Am Freitag, 10. Juni 2016, 10:12:50 CEST schrieb Martin Basti:

On 10.06.2016 09:09, Günther J. Niederwimmer wrote:

Hello,

can any help me to clear a question for DNSSEC, NSEC3

I have a domain created with bind and DNSSEC and NSEC3 I test this
Domain
and other, not my Domain with

http://dnsviz.net/d/esslmaier.at/dnssec/

This site from Verisign tell me, I have all Secure and also the A, 
Records

FreeIPA 4.3.1 Centos 7.2

I mean with the FreeIPA 4.2 I have A or  Records but one from the list
tell me 4.3.1 is the better version for DNSSEC ?


But when I test my IPA created domain
http://dnsviz.net/d/4gjn.com/dnssec/

I miss the A,  Records

can this be correct ?

Thanks for a answer

Hello,
do you have configured A and  records in zone apex of '4gjn.com'?

Yes I have configured A  Records, but something is wrong with the Zone
File ? when I look on my secondary DNS this is a PDNS then I found total
different entry for esslmaier.at and my 4gjn.com.


I can `dig +dnssec ipa.4gjn.com. A`  with DNSSEC results but for `dig
+dnssec 4gjn.com. A` , it looks like there is no A/ records.

Yes I wrote this before but I have no answer, what I can do :-(.


Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?

this is all !!!

[root@ipa ~]# ipa dnsrecord-show 4gjn.com. @
  Datensatzname: @
  MX record: 10 smtp.4gjn.com.
  NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net., ns1.gratisdns.dk.
  TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223
  ip6:2001:470:6f:8f1::/64 ?include:gjn.priv.at -all"

ipa dnsrecord-show 4gjn.com. 
ipa: ERROR: : DNS resource record nicht gefunden

Is this an LDAP problem?

Apparently you do not have any A/AAAA records defined in IPA. Add some and
you will see :-)

NO ;-( I have configured all my servers with A and AAAA records?


But your server name is not '4gjn.com', but 'ipa.4gjn.com'. The second
one contains A/AAAA records.


4gjn.com AFAIK is your IPA domain, so it should not contain A/AAAA
records by default, unless you manually added them there.


Martin
  

Speaking of IPA versions, yes, latest IPA 4.3.2 is the best you can get for
DNSSEC. There are many bugs in older versions.

I have IPA 4.3.1, I mean you tell me this with the Bugs, but I can't find
4.3.2

I have this Repo

group_freeipa-freeipa-4-3-centos-7-epel-7.repo




Re: [Freeipa-users] Can't establish trust with 2008 AD

2016-06-10 Thread pgb205
Alexander, here you go.
One thing that came to mind that might be a problem: my Active Directory is
adserver.addomain.com while IPA is ipax1.ipadomain; there is no suffix. Not sure
if that would matter.
Anyway here is the log as requested. 
Thank you.

net ads lookup -d 10 -S dc.addomain.com

Re: [Freeipa-users] DNSSEC A, AAAA Records

2016-06-10 Thread Günther J . Niederwimmer
On Friday, 10 June 2016, 15:26:39 CEST, Petr Spacek wrote:
> On 10.6.2016 14:21, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > On Friday, 10 June 2016, 10:12:50 CEST, Martin Basti wrote:
> >> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
> >>> Hello,
> >>> 
> >>> can anyone help me clear a question about DNSSEC, NSEC3
> >>> 
> >>> I have a domain created with bind and DNSSEC and NSEC3. I test this domain
> >>> and another, not my domain, with
> >>> 
> >>> http://dnsviz.net/d/esslmaier.at/dnssec/
> >>> 
> >>> This site from Verisign tells me I have all secure and also the A, AAAA
> >>> records
> >>> 
> >>> FreeIPA 4.3.1 Centos 7.2
> > 
> > I mean with FreeIPA 4.2 I have A or AAAA records, but one from the list
> > tells me 4.3.1 is the better version for DNSSEC?
> > 
> >>> But when I test my IPA created domain
> >>> http://dnsviz.net/d/4gjn.com/dnssec/
> >>> 
> >>> I miss the A, AAAA records
> >>> 
> >>> can this be correct?
> >>> 
> >>> Thanks for an answer
> >> 
> >> Hello,
> >> do you have A and AAAA records configured in the zone apex of '4gjn.com'?
> > 
> > Yes, I have configured A and AAAA records, but something is wrong with the zone
> > file? When I look on my secondary DNS (this is a PDNS) I find totally
> > different entries for esslmaier.at and my 4gjn.com.
> > 
> >> I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results, but for `dig
> >> +dnssec 4gjn.com. A` it looks like there are no A/AAAA records.
> > 
> > Yes, I wrote this before but I have no answer; what can I do :-(.
> > 
> >> Can you provide the output of `ipa dnsrecord-show 4gjn.com. @`?
> > 
> > this is all!!!
> > 
> > [root@ipa ~]# ipa dnsrecord-show 4gjn.com. @
> > 
> >   Datensatzname: @
> >   MX record: 10 smtp.4gjn.com.
> >   NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net., ns1.gratisdns.dk.
> >   TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223
> >   ip6:2001:470:6f:8f1::/64 ?include:gjn.priv.at -all"
> > 
> >  ipa dnsrecord-show 4gjn.com. 
> > ipa: ERROR: : DNS resource record nicht gefunden
> > 
> > Is this an LDAP problem?
> 
> Apparently you do not have any A/AAAA records defined in IPA. Add some and
> you will see :-)

NO ;-( I have configured all my servers with A and AAAA records?
 
> Speaking of IPA versions, yes, latest IPA 4.3.2 is the best you can get for
> DNSSEC. There are many bugs in older versions.
I have IPA 4.3.1, I mean you tell me this with the Bugs, but I can't find
4.3.2

I have this Repo

group_freeipa-freeipa-4-3-centos-7-epel-7.repo
-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-06-10 Thread Dan.Finkelstein
An update: The journalctl command has some really interesting output:

Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/alias' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/ali
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/alias’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/alias'
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/logs' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat'
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/logs’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat'!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/bin' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin'
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/bin’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin'!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/conf' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat'
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/conf’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat'!
Jun 10 11:16:23 ipa.example.com systemd[1]: pki-tomcatd@pki-tomcat.service: control process exited, code=exited status=1
Jun 10 11:16:23 ipa.example.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.

Which makes me think all we have to do is create the right directory
structures/links and/or change the file permissions? But which ones, and to whom?

—Dan

Daniel Alex Finkelstein| Lead Dev Ops Engineer
dan.finkelst...@h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com

From:  on behalf of Daniel Finkestein 

Date: Wednesday, June 8, 2016 at 17:11
To: "freeipa-users@redhat.com" 
Subject: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: 
CertificateOperationError)

I have a promoted CA master/FreeIPA 4.2.0 instance on CentOS 7 that emits this 
error in the httpd logs whenever the WebUI tries to see the certificates page:

[Wed Jun 08 16:56:27.052106 2016] [:error] [pid 2863] ipa: ERROR: 
ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS ([Errno 111] 
Connection refused)
[Wed Jun 08 16:56:27.052401 2016] [:error] [pid 2863] ipa: INFO: 
[jsonserver_session] dfinkelst...@example.com: cert_find(version=u'2.156'): 
CertificateOperationError

The certificates appear as follows:

[root@ipa httpd]# certutil -L -d /etc/httpd/alias/

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

Server-Cert  u,u,u
auditSigningCert cert-pki-ca u,u,u
EXAMPLE.COM IPA CA CTu,u,Cu
ipaCert  u,u,u
ocspSigningCert cert-pki-ca  
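An added example, not code from this thread or from Dogtag/FreeIPA: a read-only audit of the four instance symlinks that pkidaemon failed to create in the journal output above (names, targets and the /var/lib/pki/pki-tomcat path are taken from those log lines), plus the owner and mode of the directory it was denied write access to. The demo layout at the bottom is constructed under a scratch directory, not a real server.

```shell
#!/bin/sh
# Added example, not from the thread and not Dogtag/FreeIPA code: audit the
# per-instance symlinks pkidaemon reported as missing, and show the owner and
# mode of the directory it needed to write into. Reports only, changes nothing.
# Link names, targets and the instance path come from the journal lines.

# name:target pairs, exactly as pkidaemon tried to create them
PKI_LINKS='alias:/etc/pki/pki-tomcat/alias
logs:/var/log/pki/pki-tomcat
bin:/usr/share/tomcat/bin
conf:/etc/pki/pki-tomcat'

# check_pki_links INSTANCE_DIR [LINK_SPEC]
# Prints one line per finding and returns the number of link problems
# (0 means every link exists, is a symlink, and points at an existing target).
check_pki_links() {
    inst="$1"
    spec="${2:-$PKI_LINKS}"
    problems=0
    if [ ! -d "$inst" ]; then
        echo "MISSING: instance directory $inst does not exist"
        return 1
    fi
    # The "ln: ... Permission denied" lines mean the service user could not
    # write here; show who owns it and with what mode so that can be compared
    # with the user pki-tomcatd actually runs as.
    echo "INFO: $(ls -ld "$inst")"
    for entry in $spec; do
        name=${entry%%:*}
        want=${entry#*:}
        link="$inst/$name"
        if [ ! -e "$link" ] && [ ! -L "$link" ]; then
            echo "MISSING: $link -> $want (pkidaemon recreates this at start)"
            problems=$((problems + 1))
        elif [ ! -L "$link" ]; then
            echo "NOTLINK: $link exists but is not a symlink"
            problems=$((problems + 1))
        else
            have=$(readlink "$link")
            if [ "$have" != "$want" ]; then
                echo "WRONG: $link -> $have (expected $want)"
                problems=$((problems + 1))
            elif [ ! -e "$want" ]; then
                echo "DANGLING: $link -> $want, but the target does not exist"
                problems=$((problems + 1))
            else
                echo "OK: $link -> $want"
            fi
        fi
    done
    return "$problems"
}

# Constructed demo layout under a scratch root (not a real server): one
# correct link, one link with the wrong target, a plain directory where a
# link should be, and one link missing altogether.
make_demo_instance() {
    root="$1"
    mkdir -p "$root/etc/pki/pki-tomcat/alias" "$root/var/log/pki/pki-tomcat" \
             "$root/usr/share/tomcat/bin" "$root/var/lib/pki/pki-tomcat"
    ln -s "$root/var/log/pki/pki-tomcat" "$root/var/lib/pki/pki-tomcat/logs"
    ln -s "$root/etc/pki/pki-tomcat" "$root/var/lib/pki/pki-tomcat/alias"
    mkdir "$root/var/lib/pki/pki-tomcat/conf"
}

# demo_spec ROOT: the same name:target list as PKI_LINKS, relocated under ROOT
demo_spec() {
    printf 'alias:%s/etc/pki/pki-tomcat/alias\n' "$1"
    printf 'logs:%s/var/log/pki/pki-tomcat\n' "$1"
    printf 'bin:%s/usr/share/tomcat/bin\n' "$1"
    printf 'conf:%s/etc/pki/pki-tomcat\n' "$1"
}

demo_root=$(mktemp -d)
make_demo_instance "$demo_root"
rc=0
check_pki_links "$demo_root/var/lib/pki/pki-tomcat" "$(demo_spec "$demo_root")" || rc=$?
echo "problems found: $rc"      # 3 in the constructed layout
rm -rf "$demo_root"
```

On a real server run it as `check_pki_links /var/lib/pki/pki-tomcat` with the default spec and compare the printed owner with the user the pki-tomcatd unit runs as.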

Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?

2016-06-10 Thread lejeczek
On Fri, 2016-06-10 at 11:08 +0200, Sumit Bose wrote:
> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > hi everyone
> > 
> > there is a master IPA which in some weird way puts AD users into
> > its ldap
> > catalog. I say weird cause there is no trust nor other sync
> > established,
> > there was a trust agreement, one way type, but now 'trust-find'
> > shows
> > nothing, that trust was removed.
> > 
> > but still when I create a user @AD DS a second later I see it in
> > IPA's ldap,
> > eg.
> > 
> > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > 
> > how to trace the culprit config responsible for this?
> > 
> > and funny(?) thing is that these users do not get replicated to IPA
> > replicas.
> 
> Did you remove the trust on the AD side as well? If not, SSSD running
> on the IPA server might still have valid credentials in a keytab in
> /var/lib/sss/db and is able to read the user data from AD.
nope, no agreements left @AD,
I tried: $ sss_cache -E -d ad.domain
but it segfaulted:
[1316003.857780] sss_cache[31028]: segfault at 0 ip 7fab730f434c sp
7fffbf576c10 error 4 in libsss_util.so[7fab730c8000+68000]
so that would be sssd actually pulling and inserting these entries in
IPA's ldap?
many thanks,
L
> HTH
> 
> bye,
> Sumit
> 
> 
> > 
> > 
> > many thanks,
> > 
> > L
> > 

Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?

2016-06-10 Thread lejeczek
On Fri, 2016-06-10 at 15:34 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, lejeczek wrote:
> > On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> > > On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > > > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > > > hi everyone
> > > > > 
> > > > > there is a master IPA which in some weird way puts AD users
> > > > > into
> > > > > its ldap
> > > > > catalog. I say weird cause there is no trust nor other sync
> > > > > established,
> > > > > there was a trust agreement, one way type, but now 'trust-
> > > > > find'
> > > > > shows
> > > > > nothing, that trust was removed.
> > > > > 
> > > > > but still when I create a user @AD DS a second later I see it
> > > > > in
> > > > > IPA's ldap,
> > > > > eg.
> > > > > 
> > > > > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > > > > 
> > > > > how to trace the culprit config responsible for this?
> > > > 
> > > > Check the DN, this is not the IPA tree (cn=account), but the
> > > > compat
> > > > tree
> > > > (cn=compat) populated by the slapi-nis plugin. The intent is to
> > > > make the
> > > > AD users available to non-SSSD clients that can only use LDAP
> > > > as an
> > > > interface.
> > > 
> > > Yes. If you enabled slapi-nis on IPA master but didn't establish
> > > actual
> > > trust to AD and instead added an SSSD configuration to lookup AD
> > > users
> > > directly, then slapi-nis will happily ask SSSD for whatever users
> > > with @
> > > in the name were requested by the LDAP clients and SSSD would
> > > look
> > > them
> > > up in AD.
> > but would entries from AD wind up in IPA's ldap?
> > I'm poking around and still am puzzled, I believe I've enabled nis
> > on a
> > replica but it's not doing it there, those AD users are not in IPA
> > replica ldap whereas they exist on the master.
> They wouldn't be in LDAP tree.
> 
> cn=compat is purely virtual and is not replicated. The tree is
> populated
> on demand and if your replica is configured differently to the master
> w.r.t. AD trust or SSSD, you'll get different results.
so it's square one then. I forget IPA replicas for now, only master,
while I'm looking at https://git.fedorahosted.org/cgit/slapi-nis.git/plain/doc/nis-getting-started.txt
before I use ipa-compat-manage (to disable, to test) - where in ldap
config (or anywhere) does it say this plugin is on & working so I can be
sure?
And flat configs for sssd & krb are virtually identical on both IPA
master & replica, I just copied those manually to be sure, replica
still has no AD users entries.

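An added example, not from the thread and not FreeIPA's own tooling, for the question of how to tell whether the Schema Compatibility (slapi-nis) plugin that populates cn=compat is enabled and which containers it serves: it parses an LDIF dump of the plugin's cn=config entries. It assumes the plugin entry is `cn=Schema Compatibility,cn=plugins,cn=config` (the entry ipa-compat-manage toggles) and that containers carry the slapi-nis attributes `schema-compat-container-group` and `schema-compat-search-base`; the sample LDIF and suffix are constructed.

```shell
#!/bin/sh
# Added example, not from the thread and not FreeIPA code: report whether the
# Schema Compatibility (slapi-nis) plugin is enabled and which compat
# containers it serves, from an LDIF dump of its cn=config entries.
# Assumptions (verify against your own directory): the plugin entry is
# cn=Schema Compatibility,cn=plugins,cn=config and containers use the
# slapi-nis attributes schema-compat-container-group / schema-compat-search-base.
#
# On a master the LDIF would come from something like (bind DN is a placeholder):
#   ldapsearch -LLL -x -D 'cn=Directory Manager' -W \
#     -b 'cn=Schema Compatibility,cn=plugins,cn=config' \
#     nsslapd-pluginEnabled schema-compat-container-group schema-compat-search-base

# compat_plugin_status LDIF_FILE
# Prints "container: <virtual DN> <- <search base>" for every compat subtree
# and "plugin: on|off" last; returns 0 if the plugin is enabled, 1 otherwise.
compat_plugin_status() {
    awk '
        # LDIF folds long values onto a following line that starts with a
        # space: glue continuations back onto the previous line first.
        /^ / { buf = buf substr($0, 2); next }
        {
            if (buf != "") handle(buf)
            buf = $0
            if ($0 == "") finish()      # blank line ends an entry
        }
        END {
            if (buf != "") handle(buf)
            finish()
            print "plugin: " (enabled == "" ? "off" : enabled)
            exit (enabled == "on" ? 0 : 1)
        }
        function handle(line,   k, v) {
            k = line; sub(/:.*/, "", k)          # attribute name
            v = line; sub(/^[^:]*: */, "", v)    # attribute value
            if (k == "dn") dn = v
            else if (k == "nsslapd-pluginEnabled" && dn == plugin) enabled = v
            else if (k == "schema-compat-container-group") group = v
            else if (k == "schema-compat-search-base") base = v
        }
        function finish() {
            if (group != "") print "container: " group " <- " base
            dn = ""; group = ""; base = ""
        }
    ' plugin="cn=Schema Compatibility,cn=plugins,cn=config" "$1"
}

# Constructed sample LDIF (not taken from a real server): plugin enabled, two
# containers, the second with a folded DN to exercise continuation handling.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn=Schema Compatibility,cn=plugins,cn=config
cn: Schema Compatibility
nsslapd-pluginEnabled: on

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
cn: users
schema-compat-container-group: cn=users,cn=compat,dc=example,dc=test
schema-compat-search-base: cn=users,cn=accounts,dc=example,dc=test

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
cn: groups
schema-compat-container-group: cn=groups,cn=compat,dc=example,dc=tes
 t
schema-compat-search-base: cn=groups,cn=accounts,dc=example,dc=test
EOF
}

sample=$(mktemp)
write_sample_ldif "$sample"
rc=0
compat_plugin_status "$sample" || rc=$?
echo "exit status: $rc"        # 0: plugin is on
rm -f "$sample"
```

Because cn=compat is virtual and not replicated, run the same query on the master and on each replica: a container that exists on one and not the other explains why the AD entries show up on only one server.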

Re: [Freeipa-users] DNSSEC A, AAAA Records

2016-06-10 Thread Petr Spacek
On 10.6.2016 14:21, Günther J. Niederwimmer wrote:
> Hello,
> 
> On Friday, 10 June 2016, 10:12:50 CEST, Martin Basti wrote:
>> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> can anyone help me clear a question about DNSSEC, NSEC3
>>>
>>> I have a domain created with bind and DNSSEC and NSEC3. I test this domain
>>> and another, not my domain, with
>>>
>>> http://dnsviz.net/d/esslmaier.at/dnssec/
>>>
>>> This site from Verisign tells me I have all secure and also the A, AAAA
>>> records
>>>
>>> FreeIPA 4.3.1 Centos 7.2
> 
> I mean with FreeIPA 4.2 I have A or AAAA records, but one from the list
> tells me 4.3.1 is the better version for DNSSEC?
>  
>>> But when I test my IPA created domain
>>> http://dnsviz.net/d/4gjn.com/dnssec/
>>>
>>> I miss the A, AAAA records
>>>
>>> can this be correct?
>>>
>>> Thanks for an answer
>>
>> Hello,
>> do you have A and AAAA records configured in the zone apex of '4gjn.com'?
> 
> Yes, I have configured A and AAAA records, but something is wrong with the zone
> file? When I look on my secondary DNS (this is a PDNS) I find totally
> different entries for esslmaier.at and my 4gjn.com.
> 
>  
>> I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results, but for `dig
>> +dnssec 4gjn.com. A` it looks like there are no A/AAAA records.
> Yes, I wrote this before but I have no answer; what can I do :-(.
>  
>> Can you provide the output of `ipa dnsrecord-show 4gjn.com. @`?
> 
> this is all!!!
> 
> [root@ipa ~]# ipa dnsrecord-show 4gjn.com. @
>   Datensatzname: @
>   MX record: 10 smtp.4gjn.com.
>   NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net., ns1.gratisdns.dk.
>   TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223
>   ip6:2001:470:6f:8f1::/64 ?include:gjn.priv.at -all"
> 
>  ipa dnsrecord-show 4gjn.com. 
> ipa: ERROR: : DNS resource record nicht gefunden
> 
> Is this an LDAP problem?

Apparently you do not have any A/AAAA records defined in IPA. Add some and you
will see :-)

Speaking of IPA versions, yes, latest IPA 4.3.2 is the best you can get for
DNSSEC. There are many bugs in older versions.

-- 
Petr^2 Spacek



Re: [Freeipa-users] IPA trust external DNS Default-First-Site-Name records

2016-06-10 Thread Alexander Bokovoy

On Fri, 10 Jun 2016, Jan Karásek wrote:

Hi,

I am trying to setup external DNS for IPA with AD trust.
I have set all records in DNS according to the doc, but in the internal IPA DNS I can
see 3 more DNS records which are not mentioned in the doc. They were set
automatically during the ipa trust-add command, I guess:

_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs

Could you please explain what they are good for and if they should be added
to the external DNS as well?

Active Directory uses them to discover default site of IPA. This is
standard behavior of Active Directory regarding any Active Directory.

--
/ Alexander Bokovoy



[Freeipa-users] IPA trust external DNS Default-First-Site-Name records

2016-06-10 Thread Jan Karásek
Hi, 

I am trying to setup external DNS for IPA with AD trust. 
I have set all records in DNS according to the doc, but in the internal IPA DNS I can
see 3 more DNS records which are not mentioned in the doc. They were set
automatically during the ipa trust-add command, I guess:

_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs 
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs 
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs 

Could you please explain what they are good for and if they should be added
to the external DNS as well?

Thanks, 
Jan 


Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?

2016-06-10 Thread Alexander Bokovoy

On Fri, 10 Jun 2016, lejeczek wrote:

On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:

On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > hi everyone
> >
> > there is a master IPA which in some weird way puts AD users into
> > its ldap
> > catalog. I say weird cause there is no trust nor other sync
> > established,
> > there was a trust agreement, one way type, but now 'trust-find'
> > shows
> > nothing, that trust was removed.
> >
> > but still when I create a user @AD DS a second later I see it in
> > IPA's ldap,
> > eg.
> >
> > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> >
> > how to trace the culprit config responsible for this?
>
> Check the DN, this is not the IPA tree (cn=account), but the compat
> tree
> (cn=compat) populated by the slapi-nis plugin. The intent is to
> make the
> AD users available to non-SSSD clients that can only use LDAP as an
> interface.

Yes. If you enabled slapi-nis on IPA master but didn't establish
actual
trust to AD and instead added an SSSD configuration to lookup AD
users
directly, then slapi-nis will happily ask SSSD for whatever users
with @
in the name were requested by the LDAP clients and SSSD would look
them
up in AD.

but would entries from AD wind up in IPA's ldap?
I'm poking around and still am puzzled, I believe I've enabled nis on a
replica but it's not doing it there, those AD users are not in IPA
replica ldap whereas they exist on the master.

They wouldn't be in LDAP tree.

cn=compat is purely virtual and is not replicated. The tree is populated
on demand and if your replica is configured differently to the master
w.r.t. AD trust or SSSD, you'll get different results.

--
/ Alexander Bokovoy



Re: [Freeipa-users] DNSSEC A, AAAA Records

2016-06-10 Thread Günther J . Niederwimmer
Hello,

On Friday, 10 June 2016, 10:12:50 CEST, Martin Basti wrote:
> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > can anyone help me clear a question about DNSSEC, NSEC3
> > 
> > I have a domain created with bind and DNSSEC and NSEC3. I test this domain
> > and another, not my domain, with
> > 
> > http://dnsviz.net/d/esslmaier.at/dnssec/
> > 
> > This site from Verisign tells me I have all secure and also the A, AAAA
> > records
> > 
> > FreeIPA 4.3.1 Centos 7.2

I mean with FreeIPA 4.2 I have A or AAAA records, but one from the list
tells me 4.3.1 is the better version for DNSSEC?
 
> > But when I test my IPA created domain
> > http://dnsviz.net/d/4gjn.com/dnssec/
> > 
> > I miss the A, AAAA records
> > 
> > can this be correct?
> > 
> > Thanks for an answer
> 
> Hello,
> do you have A and AAAA records configured in the zone apex of '4gjn.com'?

Yes, I have configured A and AAAA records, but something is wrong with the zone
file? When I look on my secondary DNS (this is a PDNS) I find totally
different entries for esslmaier.at and my 4gjn.com.

 
> I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results, but for `dig
> +dnssec 4gjn.com. A` it looks like there are no A/AAAA records.
Yes, I wrote this before but I have no answer; what can I do :-(.
 
> Can you provide the output of `ipa dnsrecord-show 4gjn.com. @`?

this is all!!!

[root@ipa ~]# ipa dnsrecord-show 4gjn.com. @
  Datensatzname: @
  MX record: 10 smtp.4gjn.com.
  NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net., ns1.gratisdns.dk.
  TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223
  ip6:2001:470:6f:8f1::/64 ?include:gjn.priv.at -all"

 ipa dnsrecord-show 4gjn.com. 
ipa: ERROR: : DNS resource record nicht gefunden

Is this an LDAP problem?

-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?

2016-06-10 Thread lejeczek
On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > hi everyone
> > > 
> > > there is a master IPA which in some weird way puts AD users into
> > > its ldap
> > > catalog. I say weird cause there is no trust nor other sync
> > > established,
> > > there was a trust agreement, one way type, but now 'trust-find'
> > > shows
> > > nothing, that trust was removed.
> > > 
> > > but still when I create a user @AD DS a second later I see it in
> > > IPA's ldap,
> > > eg.
> > > 
> > > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > > 
> > > how to trace the culprit config responsible for this?
> > 
> > Check the DN, this is not the IPA tree (cn=account), but the compat
> > tree
> > (cn=compat) populated by the slapi-nis plugin. The intent is to
> > make the
> > AD users available to non-SSSD clients that can only use LDAP as an
> > interface.
> 
> Yes. If you enabled slapi-nis on IPA master but didn't establish
> actual
> trust to AD and instead added an SSSD configuration to lookup AD
> users
> directly, then slapi-nis will happily ask SSSD for whatever users
> with @
> in the name were requested by the LDAP clients and SSSD would look
> them
> up in AD.
but would entries from AD wind up in IPA's ldap?
I'm poking around and still am puzzled, I believe I've enabled nis on a
replica but it's not doing it there, those AD users are not in IPA
replica ldap whereas they exist on the master.
> Not sure how useful is that at all but yes, this is a side-effect of
> slapi-nis features.
> 
> -- 
> / Alexander Bokovoy
> 
> 

Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?

2016-06-10 Thread lejeczek
On Fri, 2016-06-10 at 13:24 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, lejeczek wrote:
> > On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> > > On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > > > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > > > hi everyone
> > > > > 
> > > > > there is a master IPA which in some weird way puts AD users
> > > > > into
> > > > > its ldap
> > > > > catalog. I say weird cause there is no trust nor other sync
> > > > > established,
> > > > > there was a trust agreement, one way type, but now 'trust-
> > > > > find'
> > > > > shows
> > > > > nothing, that trust was removed.
> > > > > 
> > > > > but still when I create a user @AD DS a second later I see it
> > > > > in
> > > > > IPA's ldap,
> > > > > eg.
> > > > > 
> > > > > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > > > > 
> > > > > how to trace the culprit config responsible for this?
> > > > 
> > > > Check the DN, this is not the IPA tree (cn=account), but the
> > > > compat
> > > > tree
> > > > (cn=compat) populated by the slapi-nis plugin. The intent is to
> > > > make the
> > > > AD users available to non-SSSD clients that can only use LDAP
> > > > as an
> > > > interface.
> > > 
> > > Yes. If you enabled slapi-nis on IPA master but didn't establish
> > > actual
> > > trust to AD and instead added an SSSD configuration to lookup AD
> > > users
> > > directly, then slapi-nis will happily ask SSSD for whatever users
> > > with @
> > > in the name were requested by the LDAP clients and SSSD would
> > > look
> > > them
> > > up in AD.
> > > 
> > > Not sure how useful is that at all but yes, this is a side-effect 
> > > of
> > > slapi-nis features.
> > > 
> > this is very freaking useful :) I was wondering how to get my
> > radius
> > there... and, ups, just like that, it was there, so thanks!
> There are no passwords in that tree.
maybe it's not slapi-nis then? radius definitely works and
checks/validates passwords.
I'm looking at https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/migrating-from-nis.html
trying to have this working on a replica now, and I think it could not
have been the nis plugin. Having it enabled, first IPA fails to start
because 587 is already in use, and master IPA also uses that port; also
master does not show ypserv in rpcinfo.
How to be 100% sure it's slapi-nis ? And if it is not then what else
gets those AD users?
many thanks.

Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?

2016-06-10 Thread Alexander Bokovoy

On Fri, 10 Jun 2016, lejeczek wrote:

On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:

On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > hi everyone
> >
> > there is a master IPA which in some weird way puts AD users into
> > its ldap
> > catalog. I say weird cause there is no trust nor other sync
> > established,
> > there was a trust agreement, one way type, but now 'trust-find'
> > shows
> > nothing, that trust was removed.
> >
> > but still when I create a user @AD DS a second later I see it in
> > IPA's ldap,
> > eg.
> >
> > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=priva
> > te,dc=c
> >  cnr,dc=aaa,dc=private,dc=dom
> >
> > how to trace the culprit config responsible for this?
>
> Check the DN, this is not the IPA tree (cn=account), but the compat
> tree
> (cn=compat) populated by the slapi-nis plugin. The intent is to
> make the
> AD users available to non-SSSD clients that can only use LDAP as an
> interface.

Yes. If you enabled slapi-nis on IPA master but didn't establish
actual
trust to AD and instead added an SSSD configuration to lookup AD
users
directly, then slapi-nis will happily ask SSSD for whatever users
with @
in the name were requested by the LDAP clients and SSSD would look
them
up in AD.

Not sure how useful is that at all but yes, this is a side-effect of
slapi-nis features.


this is very freaking useful :) I was wondering how to get my radius
there... and, ups, just like that, it was there, so thanks!

There are no passwords in that tree.

--
/ Alexander Bokovoy



Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?

2016-06-10 Thread Alexander Bokovoy

On Fri, 10 Jun 2016, lejeczek wrote:

On Fri, 2016-06-10 at 11:01 +0200, Jakub Hrozek wrote:

On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> hi everyone
>
> there is a master IPA which in some weird way puts AD users into
> its ldap
> catalog. I say weird cause there is no trust nor other sync
> established,
> there was a trust agreement, one way type, but now 'trust-find'
> shows
> nothing, that trust was removed.
>
> but still when I create a user @AD DS a second later I see it in
> IPA's ldap,
> eg.
>
> dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private
> ,dc=c
>  cnr,dc=aaa,dc=private,dc=dom
>
> how to trace the culprit config responsible for this?

Check the DN, this is not the IPA tree (cn=account), but the compat
tree
(cn=compat) populated by the slapi-nis plugin. The intent is to make
the
AD users available to non-SSSD clients that can only use LDAP as an
interface.


any chance this plugin gets included without user/admin intention, eg.
during migrate-ds ?

The slapi-nis plugin is enabled by default when IPA is installed because
the ou=sudoers tree is emulated by slapi-nis.


is there an ipa tool, or do I have to go directly to ldap to de/activate
plugin(s)?

See ipa-compat-manage

--
/ Alexander Bokovoy



Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?

2016-06-10 Thread lejeczek
On Fri, 2016-06-10 at 11:01 +0200, Jakub Hrozek wrote:
> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > hi everyone
> > 
> > there is a master IPA which in some weird way puts AD users into
> > its ldap
> > catalog. I say weird cause there is no trust nor other sync
> > established,
> > there was a trust agreement, one way type, but now 'trust-find'
> > shows
> > nothing, that trust was removed.
> > 
> > but still when I create a user @AD DS a second later I see it in
> > IPA's ldap,
> > eg.
> > 
> > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private
> > ,dc=c
> >  cnr,dc=aaa,dc=private,dc=dom
> > 
> > how to trace the culprit config responsible for this?
> 
> Check the DN, this is not the IPA tree (cn=account), but the compat
> tree
> (cn=compat) populated by the slapi-nis plugin. The intent is to make
> the
> AD users available to non-SSSD clients that can only use LDAP as an
> interface.
> 
any chance this plugin gets included without user/admin intention, eg.
during migrate-ds ?
is there an ipa tool, or do I have to go directly to ldap to de/activate
plugin(s)?

Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?

2016-06-10 Thread Alexander Bokovoy

On Fri, 10 Jun 2016, Jakub Hrozek wrote:

On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:

hi everyone

there is a master IPA which in some weird way puts AD users into its ldap
catalog. I say weird cause there is no trust nor other sync established,
there was a trust agreement, one way type, but now 'trust-find' shows
nothing, that trust was removed.

but still when I create a user @AD DS a second later I see it in IPA's ldap,
eg.

dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=c
 cnr,dc=aaa,dc=private,dc=dom

how to trace the culprit config responsible for this?


Check the DN, this is not the IPA tree (cn=account), but the compat tree
(cn=compat) populated by the slapi-nis plugin. The intent is to make the
AD users available to non-SSSD clients that can only use LDAP as an
interface.


Yes. If you enabled slapi-nis on IPA master but didn't establish actual
trust to AD and instead added an SSSD configuration to lookup AD users
directly, then slapi-nis will happily ask SSSD for whatever users with @
in the name were requested by the LDAP clients and SSSD would look them
up in AD.

Not sure how useful is that at all but yes, this is a side-effect of
slapi-nis features.

--
/ Alexander Bokovoy



Re: [Freeipa-users] FreeOTP

2016-06-10 Thread Winfried de Heiden

Hi all,

I agree it looks like a 32-bit issue.
Trying to reproduce on Fedora 64 bit: no problems.

Trying to reproduce on Fedora 23 32 bit (x86):

[root@freeipa ~]# journalctl -l -u ipa-otpd@0-6397-0.service
-- Logs begin at vr 2016-06-10 09:23:33 CEST, end at vr 2016-06-10 10:53:28 CEST. --
jun 10 10:53:27 freeipa.local.lan systemd[1]: Started ipa-otpd service (PID 6397/UID 0).
jun 10 10:53:27 freeipa.local.lan systemd[1]: Starting ipa-otpd service (PID 6397/UID 0)...
jun 10 10:53:27 freeipa.local.lan ipa-otpd[7320]: LDAP: ldapi://%2fvar%2frun%2fslapd-LOCAL-LAN.socket
jun 10 10:53:28 freeipa.local.lan ipa-otpd[7320]: otpu...@local.lan: request received
jun 10 10:53:28 freeipa.local.lan ipa-otpd[7320]: otpu...@local.lan: user query start
jun 10 10:53:28 freeipa.local.lan ipa-otpd[7320]: otpu...@local.lan: user query end: uid=otpuser,cn=users,cn=accounts,dc=local,dc=lan
jun 10 10:53:28 freeipa.local.lan ipa-otpd[7320]: otpu...@local.lan: bind start: uid=otpuser,cn=users,cn=accounts,dc=local,dc=lan
jun 10 10:53:28 freeipa.local.lan ipa-otpd[7320]: otpu...@local.lan: bind end: success
jun 10 10:53:28 freeipa.local.lan ipa-otpd[7320]: otpu...@local.lan: response sent: Access-Accept
jun 10 10:53:28 freeipa.local.lan ipa-otpd[7320]: stdio.c:073: Connection reset by peer: Error receiving packet
jun 10 10:53:28 freeipa.local.lan systemd[1]: ipa-otpd@0-6397-0.service: Main process exited, code=exited, status=1/FAILURE
jun 10 10:53:28 freeipa.local.lan systemd[1]: ipa-otpd@0-6397-0.service: Unit entered failed state.
jun 10 10:53:28 freeipa.local.lan systemd[1]: ipa-otpd@0-6397-0.service: Failed with result 'exit-code'.


Same error as on Fedora ARM which is also 32 bit.
Removing libverto-tevent doesn't work.
Cheers you all!


Winny
On 09-06-16 at 18:51, Sumit Bose wrote:

On Thu, Jun 09, 2016 at 08:42:59AM -0400, Nathaniel McCallum wrote:

On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wrote:

On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote:

Hi all,

I can install libverto-libev but removing libverto-tevent will remove 123
dependencies also. (wget, tomcat and much more...)

Hence, I installed libverto-libev, but did not remove libverto-tevent to give
it a try. After ipactl restart still the same problem:

fyi, I think I can reproduce the issue on 32bit Fedora. I tried
libverto-libev as well but I removed libverto-tevent after installing
libverto-libev with 'rpm -e --nodeps ' to make sure libverto has no
other chance.

So it looks a bit like a libverto 32bit issue. I used
libverto-0.2.6-4.fc22. Since I knew that it was working before on 32bits
I tried libverto-0.2.5 and libverto-0.2.4 as well with no luck.

Nathaniel, do you have any suggestions what to check with gdb?



It may not be a libverto issue at all. Just to summarize, krb5kdc sends
the otp request to ipa-otpd using RADIUS-over-UNIX-socket.

It appears that ipa-otpd receives the request and sends the appropriate
response. However, krb5kdc never appears to receive the request and
times out. Once it times out, it closes the socket and ipa-otpd exits.

The question is: why?

This could be a bug in krb5kdc, libkrad or libverto. Does the event
actually fire from libverto? Does libkrad process it correctly? Does
krb5kdc process it correctly?

There are lots of places to attach gdb. I would probably start here:
https://github.com/krb5/krb5/blob/master/src/lib/krad/client.c#L193

It looks like the 3rd argument of recv(), the buffer length, becomes
negative aka very big in on_io_read()

i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
 pktlen - rr->buffer.length, 0);

because pktlen is 4 and rr->buffer.length is 16 on my 32bit system. I
wonder if pktlen isn't sufficient here because it already is the result
of 'len - buffer->length' which is calculated in
krad_packet_bytes_needed() ?

bye,
Sumit

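To make the arithmetic Sumit describes concrete, here is an added stand-alone model of the read-length bookkeeping, written for this thread and not taken from libkrad or krb5: the RADIUS header layout is from RFC 2865, the values 4 and 16 are the ones reported above, and model_bytes_needed(), model_recv_len_buggy() and model_recv_len_checked() are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libkrad's code. RADIUS header (RFC 2865):
 * Code(1) Identifier(1) Length(2, big-endian), so 4 bytes announce the total. */
#define RADIUS_HDR_LEN 4
#define RBUF_CAP 4096

struct rbuf {
    uint8_t data[RBUF_CAP];
    size_t length;              /* bytes received so far */
};

/* Hypothetical stand-in for krad_packet_bytes_needed(): how many more
 * bytes are required to complete the packet currently in the buffer. */
size_t model_bytes_needed(const struct rbuf *b)
{
    if (b->length < RADIUS_HDR_LEN)
        return RADIUS_HDR_LEN - b->length;            /* finish the header first */
    size_t total = ((size_t)b->data[2] << 8) | b->data[3];
    return total > b->length ? total - b->length : 0; /* complete already: 0 */
}

/* The suspected defect: pktlen is already "total - length", and the read
 * path subtracts length a second time. With pktlen == 4 and length == 16
 * the unsigned subtraction wraps to SIZE_MAX - 11, which is the size
 * recv() would then be asked to fill. */
size_t model_recv_len_buggy(const struct rbuf *b)
{
    size_t pktlen = model_bytes_needed(b);
    return pktlen - b->length;
}

/* Hardened variant: use the remaining count as-is, and refuse any declared
 * length that does not fit in the free space of the buffer. */
int model_recv_len_checked(const struct rbuf *b, size_t *out)
{
    if (b->length > RBUF_CAP)
        return -1;                                    /* corrupted bookkeeping */
    size_t remaining = model_bytes_needed(b);
    if (remaining > RBUF_CAP - b->length)
        return -1;                                    /* oversized packet: drop it */
    *out = remaining;
    return 0;
}

/* Constructed sample: `received` bytes buffered, header announces `declared_total`. */
void model_fill_sample(struct rbuf *b, uint16_t declared_total, size_t received)
{
    b->length = received;
    b->data[0] = 1;                                   /* Access-Request */
    b->data[1] = 0x2a;                                /* identifier */
    b->data[2] = (uint8_t)(declared_total >> 8);
    b->data[3] = (uint8_t)(declared_total & 0xff);
}

int main(void)
{
    struct rbuf b = {0};
    size_t n = 0;
    model_fill_sample(&b, 20, 16);                    /* 16 of 20 bytes in hand */
    printf("needed=%zu buggy=%zu\n", model_bytes_needed(&b), model_recv_len_buggy(&b));
    if (model_recv_len_checked(&b, &n) == 0)
        printf("checked recv length=%zu\n", n);
    return 0;
}
```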

Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?

2016-06-10 Thread Sumit Bose
On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> hi everyone
> 
> there is a master IPA which in some weird way puts AD users into its ldap
> catalog. I say weird cause there is no trust nor other sync established,
> there was a trust agreement, one way type, but now 'trust-find' shows
> nothing, that trust was removed.
> 
> but still when I create a user @AD DS a second later I see it in IPA's ldap,
> eg.
> 
> dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=c
>  cnr,dc=aaa,dc=private,dc=dom
> 
> how to trace the culprit config responsible for this?
> 
> and funny(?) thing is that these users do not get replicated to IPA
> replicas.

Did you remove the trust on the AD side as well? If not, SSSD running on
the IPA server might still have valid credentials in a keytab in
/var/lib/sss/db and be able to read the user data from AD.

HTH

bye,
Sumit

> 
> many thanks,
> 
> L
> 


Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?

2016-06-10 Thread Jakub Hrozek
On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> hi everyone
> 
> there is a master IPA which in some weird way puts AD users into its ldap
> catalog. I say weird cause there is no trust nor other sync established,
> there was a trust agreement, one way type, but now 'trust-find' shows
> nothing, that trust was removed.
> 
> but still when I create a user @AD DS a second later I see it in IPA's ldap,
> eg.
> 
> dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=c
>  cnr,dc=aaa,dc=private,dc=dom
> 
> how to trace the culprit config responsible for this?

Check the DN, this is not the IPA tree (cn=account), but the compat tree
(cn=compat) populated by the slapi-nis plugin. The intent is to make the
AD users available to non-SSSD clients that can only use LDAP as an
interface.



[Freeipa-users] it's a weird one - how AD users get into IPA ?

2016-06-10 Thread lejeczek

hi everyone

there is a master IPA which in some weird way puts AD users 
into its ldap catalog. I say weird cause there is no trust 
nor other sync established, there was a trust agreement, one 
way type, but now 'trust-find' shows nothing, that trust was 
removed.


but still when I create a user @AD DS a second later I see 
it in IPA's ldap, eg.


dn: 
uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=c

 cnr,dc=aaa,dc=private,dc=dom

how to trace the culprit config responsible for this?

and funny(?) thing is that these users do not get replicated 
to IPA replicas.


many thanks,

L



Re: [Freeipa-users] ipa-client-install

2016-06-10 Thread Martin Basti



On 09.06.2016 22:36, David Zabner wrote:

Occasionally in our system we will see a failure in the ipa-client-install script,
and the cleanup will leave the host around in ipa.
This means that all future client installs fail because the host already exists.
Is there any way to make sure that failures cause the host to be cleaned up?
Is there a command I can run that will delete the host that does not require
the client to be installed?

Thanks for the assistance,
David



Hello,

you can use ipa host-del  to remove a client that failed to do
cleanup properly.


or you can use ipa-client-install --force-join

Martin



Re: [Freeipa-users] DNSSEC A, AAAA Records

2016-06-10 Thread Martin Basti



On 10.06.2016 10:12, Martin Basti wrote:



On 10.06.2016 09:09, Günther J. Niederwimmer wrote:

Hello,

can anyone help me clear up a question about DNSSEC, NSEC3?

I have a domain created with bind and DNSSEC and NSEC3. I tested this domain and
another domain, not mine, with

http://dnsviz.net/d/esslmaier.at/dnssec/

This site from Verisign tells me everything is secure and also shows the A, AAAA
records.

FreeIPA 4.3.1 CentOS 7.2

But when I test my IPA-created domain
http://dnsviz.net/d/4gjn.com/dnssec/

I miss the A, AAAA records.

Can this be correct?

Thanks for an answer


Hello,
do you have A and AAAA records configured in the zone apex of '4gjn.com'?

I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results, but for
`dig +dnssec 4gjn.com. A` it looks like there are no A/AAAA records.


Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?

Martin



http://dnsviz.net/d/ipa.4gjn.com/dnssec/

Visualized here, thank you for page I didn't know about it before, I 
like it :) .


Martin



Re: [Freeipa-users] DNSSEC A, AAAA Records

2016-06-10 Thread Martin Basti



On 10.06.2016 09:09, Günther J. Niederwimmer wrote:

Hello,

can anyone help me clear up a question about DNSSEC, NSEC3?

I have a domain created with bind and DNSSEC and NSEC3. I tested this domain and
another domain, not mine, with

http://dnsviz.net/d/esslmaier.at/dnssec/

This site from Verisign tells me everything is secure and also shows the A, AAAA
records.

FreeIPA 4.3.1 CentOS 7.2

But when I test my IPA-created domain
http://dnsviz.net/d/4gjn.com/dnssec/

I miss the A, AAAA records.

Can this be correct?

Thanks for an answer


Hello,
do you have A and AAAA records configured in the zone apex of '4gjn.com'?

I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results, but for
`dig +dnssec 4gjn.com. A` it looks like there are no A/AAAA records.


Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?

Martin



[Freeipa-users] DNSSEC A, AAAA Records

2016-06-10 Thread Günther J . Niederwimmer
Hello,

can anyone help me clear up a question about DNSSEC, NSEC3?

I have a domain created with bind and DNSSEC and NSEC3. I tested this domain and
another domain, not mine, with

http://dnsviz.net/d/esslmaier.at/dnssec/

This site from Verisign tells me everything is secure and also shows the A, AAAA
records.

FreeIPA 4.3.1 CentOS 7.2

But when I test my IPA-created domain
http://dnsviz.net/d/4gjn.com/dnssec/

I miss the A, AAAA records.

Can this be correct?

Thanks for an answer
-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Can't establish trust with 2008 AD

2016-06-10 Thread Alexander Bokovoy

On Fri, 10 Jun 2016, pgb205 wrote:

The trust setup still results in
Shared secret for the trust:: ERROR: CIFS server communication error: code "None",
message "NT_STATUS_IO_TIMEOUT" (both may be "None")
If you want I can provide with logs.

Can you show output of

net ads lookup -d 10 -S dc.addomain.com

--
/ Alexander Bokovoy
