Re: [Freeipa-users] Periodic unable to authenticate

2016-07-07 Thread Troels Hansen
You mean the /var/log/dirsrv//error right?

Clean except for when I do ipa backup, which actually doesn't look like errors, 
but more like info..

However, sometimes, at 0:20 I have:

[07/Jul/2016:00:15:41 +0200] NSMMReplicationPlugin - replication keep alive 
entry 

[Freeipa-users] ipa-server-upgrade fails on PKI CentOS 7.2

2016-07-07 Thread Matt .
Hi,

I have some issue with the ipa-server-upgrade command where PKI fails.

This seems to be a known issue but I'm unsure where to report it as
it's fixed in FC

https://bugzilla.redhat.com/show_bug.cgi?id=1328522

Does someone have a clue how to get around this ?

Thanks!

Matt

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Problem with properly removing replica master from cluster

2016-07-07 Thread Christophe TREFOIS
Hi Petr,

The cleaning task worked. No more errors.

Thanks for that.

Kind regards,

—
Christophe

Dr Christophe Trefois, Dipl.-Ing.  
Technical Specialist / Post-Doc

UNIVERSITÉ DU LUXEMBOURG

LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | House of Biomedicine  
6, avenue du Swing 
L-4367 Belvaux  
T: +352 46 66 44 6124 
F: +352 46 66 44 6949  
http://www.uni.lu/lcsb




This message is confidential and may contain privileged information. 
It is intended for the named recipient only. 
If you receive it in error please notify me and permanently delete the original 
message and any copies. 


  

> On 07 Jul 2016, at 18:06, Petr Vobornik  wrote:
> 
> On 07/04/2016 05:54 PM, Christophe TREFOIS wrote:
>> Dear all,
>> 
>> First of all, thanks to mbasti for helping out so far.
>> 
>> We have a 3-node master cluster (--setup-ca) on 4.1 and setup a 4th using 
>> 4.2.0 as we want to migrate there.
>> 
>> First, we had some orphan entries in ipa-replica-manage list. We removed 
>> those by manually removing the LDAP node + children in 
>> cn=etc,cn=ipa,cn=masters.
>> Then, we saw that there is still an orphan entry here:
>> 
>> ldapsearch -xLLL -D "cn=directory manager" -W -b dc=uni,dc=lu 
>> '(&(nsuniqueid=---)(objectclass=nstombstone))'
>> 
>> In particular, there is one ghost entry for nsDS5ReplicaBindDN
>> 
>> This is the details of ldapsearch -x -D 'cn=directory manager' -W -b 
>> 'cn=Replication Manager 
>> masterAgreement1-lums3.uni.lu-pki-tomcat,ou=csusers,cn=config'
>> 
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base 

Re: [Freeipa-users] Periodic unable to authenticate

2016-07-07 Thread Rob Crittenden

Troels Hansen wrote:

Hi, we have 2 IPA servers setup in replication.
All works fine, except sometimes I see unable to authenticate.
It goes on for like 2-5 minutes, and then everything works again. When
looking at the logs I see nothing, except err=53 which means incorrect
password, but it's NOT!

[07/Jul/2016:19:38:19 +0200] conn=370373 TLS1.2 128-bit AES-GCM
[07/Jul/2016:19:38:19 +0200] conn=370373 op=0 BIND
dn="uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan" method=128 version=3
[07/Jul/2016:19:38:19 +0200] conn=370373 op=0 RESULT err=53 tag=97
nentries=0 etime=0
[07/Jul/2016:19:38:19 +0200] conn=370373 op=1 UNBIND
[07/Jul/2016:19:38:19 +0200] conn=370373 op=1 fd=118 closed - U1

Anyone having any clues about where to look?


53 is not bad password, it is unwilling to perform. The error log might 
have additional details.


rob

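Rob's point that err=53 is unwillingToPerform rather than a bad password is easy to get wrong in alerting, so here is an added example (mine, not from the thread or the FreeIPA project) that pairs each BIND with its RESULT line in a 389-ds access log, names the result code, and lists users who were refused with err=53 but bound successfully a few minutes later. The log lines are constructed, modelled on the ones Troels posted; the uid=alice entry and the later timestamps are invented.

```python
"""Triage bind failures in a 389-ds / FreeIPA access log.

Added example, not from the thread. It pairs each BIND with its RESULT
line and names the numeric LDAP result code, so that err=53
(unwillingToPerform, the server refusing the bind) is never reported as
err=49 (invalidCredentials, a genuinely wrong password).
"""
import re
from collections import Counter
from datetime import datetime

# LDAP result codes that show up in bind triage (RFC 4511 names).
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Constructed sample, modelled on the lines quoted in the thread: one bind
# refused with err=53, one genuine bad password (uid=alice, invented), then
# the first user binding again successfully a few minutes later.
SAMPLE_ACCESS_LOG = """\
[07/Jul/2016:19:38:19 +0200] conn=370373 TLS1.2 128-bit AES-GCM
[07/Jul/2016:19:38:19 +0200] conn=370373 op=0 BIND dn="uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan" method=128 version=3
[07/Jul/2016:19:38:19 +0200] conn=370373 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[07/Jul/2016:19:38:19 +0200] conn=370373 op=1 UNBIND
[07/Jul/2016:19:38:19 +0200] conn=370373 op=1 fd=118 closed - U1
[07/Jul/2016:19:40:02 +0200] conn=370390 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=casalogic,dc=lan" method=128 version=3
[07/Jul/2016:19:40:02 +0200] conn=370390 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[07/Jul/2016:19:43:30 +0200] conn=370412 op=0 BIND dn="uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan" method=128 version=3
[07/Jul/2016:19:43:30 +0200] conn=370412 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+)")


def parse_access_log(lines):
    """Return [(timestamp, bind_dn, err)] for every BIND that got a RESULT."""
    pending = {}  # (conn, op) -> (timestamp, dn) for BINDs awaiting a RESULT
    binds = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # TLS/connection lines carry no op= and are skipped
        key = (m["conn"], m["op"])
        bind = BIND_RE.match(m["rest"])
        if bind:
            pending[key] = (m["ts"], bind["dn"])
            continue
        result = RESULT_RE.match(m["rest"])
        if result and key in pending:
            ts, dn = pending.pop(key)
            binds.append((ts, dn, int(result["err"])))
    return binds


def failures_by_code(binds):
    """Count failed binds per result code, labelled with the code's name."""
    counts = Counter(err for _, _, err in binds if err != 0)
    return {f"err={code} ({LDAP_RESULT_NAMES.get(code, 'unknown')})": n
            for code, n in sorted(counts.items())}


def _ts(text):
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def transient_unwilling(binds):
    """DNs refused with err=53 that bound successfully afterwards.

    Returns {dn: seconds_until_recovery}. A user whose password works a few
    minutes later never had a bad password; the server declined the bind.
    """
    refused, recovered = {}, {}
    for ts, dn, err in binds:
        if err == 53 and dn not in refused:
            refused[dn] = _ts(ts)
        elif err == 0 and dn in refused and dn not in recovered:
            recovered[dn] = int((_ts(ts) - refused[dn]).total_seconds())
    return recovered


if __name__ == "__main__":
    binds = parse_access_log(SAMPLE_ACCESS_LOG.splitlines())
    print(failures_by_code(binds))
    print(transient_unwilling(binds))
```

Run against the real access log with `parse_access_log(open(path))`; a non-empty result from transient_unwilling is the signal to go to the errors log (as Rob suggests) rather than to the user's password.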


[Freeipa-users] Periodic unable to authenticate

2016-07-07 Thread Troels Hansen
Hi, we have 2 IPA servers setup in replication. 
All works fine, except sometimes I see unable to authenticate. 
It goes on for like 2-5 minutes, and then everything works again. When looking 
at the logs I see nothing, except err=53 which means incorrect password, but 
it's NOT! 

[07/Jul/2016:19:38:19 +0200] conn=370373 TLS1.2 128-bit AES-GCM 
[07/Jul/2016:19:38:19 +0200] conn=370373 op=0 BIND 
dn="uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan" method=128 version=3 
[07/Jul/2016:19:38:19 +0200] conn=370373 op=0 RESULT err=53 tag=97 nentries=0 
etime=0 
[07/Jul/2016:19:38:19 +0200] conn=370373 op=1 UNBIND 
[07/Jul/2016:19:38:19 +0200] conn=370373 op=1 fd=118 closed - U1 

Anyone having any clues about where to look? 


-- 


Med venlig hilsen 

Troels Hansen 

Systemkonsulent 

Casalogic A/S 


T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos og 
meget mere. 

Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed

2016-07-07 Thread Roderick Johnstone

On 07/07/16 16:30, Petr Vobornik wrote:

On 07/07/2016 05:09 PM, Roderick Johnstone wrote:

On 07/07/16 15:02, Rob Crittenden wrote:

Roderick Johnstone wrote:

On 05/07/16 11:52, Roderick Johnstone wrote:

On 04/07/2016 15:12, Martin Babinsky wrote:

On 07/04/2016 10:23 AM, Roderick Johnstone wrote:

Hi

I installed my first master ipa server (server1) many months ago
(Redhat
7.1 IIRC) and made a replica server2 without problems.

Now I'd like to bring online another replica (server3).

All servers are now on Redhat 7.2
ipa-server-4.2.0-15.el7_2.17.x86_64,
but I get the following error when I run this on server1:

server1> ipa-replica-prepare server3.example.com

Directory Manager (existing master) password:

Preparing replica for server3.example.com from server1.example.com
Creating SSL certificate for the Directory Server
Certificate issuance failed


If I repeat this on server2, my first replica, it succeeds.

Running in debug mode on server1:
server1> ipa-replica-prepare --debug server3.example.com
gives a lot of output of which the following seems relevant (some
info
has been anonymised):

Generating key.  This may take a few moments...


ipa: DEBUG: request POST
https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
ipa: DEBUG: request body
'profileId=caIPAserviceCert_name=IPA+Installer_request=...CU24QyOEd%0A_request_type=pkcs10=true'

ipa: DEBUG: NSSConnection init server1.example.com
ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ipa: DEBUG: response status 200
ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT', 'content-length': '161', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
ipa: DEBUG: response body '1Server Internal Error  3'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 337, in run
    self.copy_ds_certificate()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 382, in copy_ds_certificate
    self.export_certdb("dscert", passwd_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 589, in export_certdb
    db.create_server_cert(nickname, hostname, ca_db)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 418, in issue_server_cert
    raise RuntimeError("Certificate issuance failed")

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: RuntimeError: Certificate issuance failed
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Certificate issuance failed

If it's of relevance I did change the directory manager password on both server1 and server2 a couple of weeks ago.

I'd appreciate some pointers to resolving this.

Thanks

Roderick Johnstone


Hi Roderick,

try to look in the logs of the pki-ca subsystem. They should be
located
in /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" and
"debug" logs mainly.



Martin

Thanks for the pointers. We had looked at a lot of log files, but not
those ones!

We were running the ipa-replica-prepare during the afternoon of 1
July.
Here are the last few entries in the system log file.

0.profileChangeMonitor - [24/Jun/2016:04:45:51 BST] [8] [3] In Ldap
(bound) connection pool to host server1.example.com port 636, Cannot
connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error
creating JSS SSL Socket (-1)
0.CRLIssuingPoint-MasterCRL - [01/Jul/2016:10:26:04 BST] [3] [3]
CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the
internaldb. Error LDAP operation failure -
cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca
netscape.ldap.LDAPException: error result (1)
0.http-bio-8443-exec-4 - [01/Jul/2016:16:04:58 BST] [3] [3] Could not
store certificate serial number 0x1
0.http-bio-8443-exec-6 - [01/Jul/2016:16:07:18 BST] [3] [3] Could not
store certificate serial number 0x2
0.http-bio-8443-exec-8 - [01/Jul/2016:16:13:37 BST] [3] [3] Could not
store certificate serial number 0x3
0.http-bio-8443-exec-4 - [01/Jul/2016:17:07:01 BST] [3] [3] Could not
store certificate serial number 0x1
0.http-bio-8443-exec-6 - [01/Jul/2016:17:28:35 BST] [3] [3] Could not
store certificate serial number 0x2
0.http-bio-8443-exec-8 - [01/Jul/2016:17:56:02 BST] [3] [3] Could not
store certificate serial number 0x3


At corresponding times, in 

Re: [Freeipa-users] Problem with properly removing replica master from cluster

2016-07-07 Thread Petr Vobornik

On 07/04/2016 05:54 PM, Christophe TREFOIS wrote:

Dear all,

First of all, thanks to mbasti for helping out so far.

We have a 3-node master cluster (--setup-ca) on 4.1 and setup a 4th using 4.2.0 
as we want to migrate there.

First, we had some orphan entries in ipa-replica-manage list. We removed those 
by manually removing the LDAP node + children in cn=etc,cn=ipa,cn=masters.
Then, we saw that there is still an orphan entry here:

ldapsearch -xLLL -D "cn=directory manager" -W -b dc=uni,dc=lu 
'(&(nsuniqueid=---)(objectclass=nstombstone))'

In particular, there is one ghost entry for nsDS5ReplicaBindDN

This is the details of ldapsearch -x -D 'cn=directory manager' -W -b 
'cn=Replication Manager 
masterAgreement1-lums3.uni.lu-pki-tomcat,ou=csusers,cn=config'

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed

2016-07-07 Thread Petr Vobornik

On 07/07/2016 05:09 PM, Roderick Johnstone wrote:

On 07/07/16 15:02, Rob Crittenden wrote:

Roderick Johnstone wrote:

On 05/07/16 11:52, Roderick Johnstone wrote:

On 04/07/2016 15:12, Martin Babinsky wrote:

On 07/04/2016 10:23 AM, Roderick Johnstone wrote:

Hi

I installed my first master ipa server (server1) many months ago
(Redhat
7.1 IIRC) and made a replica server2 without problems.

Now I'd like to bring online another replica (server3).

All servers are now on Redhat 7.2
ipa-server-4.2.0-15.el7_2.17.x86_64,
but I get the following error when I run this on server1:

server1> ipa-replica-prepare server3.example.com

Directory Manager (existing master) password:

Preparing replica for server3.example.com from server1.example.com
Creating SSL certificate for the Directory Server
Certificate issuance failed


If I repeat this on server2, my first replica, it succeeds.

Running in debug mode on server1:
server1> ipa-replica-prepare --debug server3.example.com
gives a lot of output of which the following seems relevant (some
info
has been anonymised):

Generating key.  This may take a few moments...


ipa: DEBUG: request POST
https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
ipa: DEBUG: request body
'profileId=caIPAserviceCert_name=IPA+Installer_request=...CU24QyOEd%0A_request_type=pkcs10=true'

ipa: DEBUG: NSSConnection init server1.example.com
ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ipa: DEBUG: response status 200
ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT', 'content-length': '161', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
ipa: DEBUG: response body '1Server Internal Error  3'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 337, in run
    self.copy_ds_certificate()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 382, in copy_ds_certificate
    self.export_certdb("dscert", passwd_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 589, in export_certdb
    db.create_server_cert(nickname, hostname, ca_db)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 418, in issue_server_cert
    raise RuntimeError("Certificate issuance failed")

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: RuntimeError: Certificate issuance failed
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Certificate issuance failed

If it's of relevance I did change the directory manager password on both server1 and server2 a couple of weeks ago.

I'd appreciate some pointers to resolving this.

Thanks

Roderick Johnstone


Hi Roderick,

try to look in the logs of the pki-ca subsystem. They should be
located
in /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" and
"debug" logs mainly.



Martin

Thanks for the pointers. We had looked at a lot of log files, but not
those ones!

We were running the ipa-replica-prepare during the afternoon of 1 July.
Here are the last few entries in the system log file.

0.profileChangeMonitor - [24/Jun/2016:04:45:51 BST] [8] [3] In Ldap
(bound) connection pool to host server1.example.com port 636, Cannot
connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error
creating JSS SSL Socket (-1)
0.CRLIssuingPoint-MasterCRL - [01/Jul/2016:10:26:04 BST] [3] [3]
CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the
internaldb. Error LDAP operation failure -
cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca
netscape.ldap.LDAPException: error result (1)
0.http-bio-8443-exec-4 - [01/Jul/2016:16:04:58 BST] [3] [3] Could not
store certificate serial number 0x1
0.http-bio-8443-exec-6 - [01/Jul/2016:16:07:18 BST] [3] [3] Could not
store certificate serial number 0x2
0.http-bio-8443-exec-8 - [01/Jul/2016:16:13:37 BST] [3] [3] Could not
store certificate serial number 0x3
0.http-bio-8443-exec-4 - [01/Jul/2016:17:07:01 BST] [3] [3] Could not
store certificate serial number 0x1
0.http-bio-8443-exec-6 - [01/Jul/2016:17:28:35 BST] [3] [3] Could not
store certificate serial number 0x2
0.http-bio-8443-exec-8 - [01/Jul/2016:17:56:02 BST] [3] [3] Could not
store certificate serial number 0x3


At corresponding times, in the debug logs there are entries like:


Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-07 Thread Prashant Bapat
Anyone ?!

On 6 July 2016 at 22:36, Prashant Bapat  wrote:

> Hi,
>
> We are using FreeIPA's LDAP as the base for user authentication in a
> different application. So far I have created a sysaccount which does the
> lookup etc for a user and things are working as expected. I'm even able to
> use OTP from the external app.
>
> One problem I'm struggling to fix is the expired passwords. Is there a way
> to deny bind to LDAP only from this application? Obviously the user would
> need to go to IPA's web UI and reset his password there.
>
> I came across this ticket https://fedorahosted.org/freeipa/ticket/1539
> but looks like this is an old one.
>
> Thanks.
> --Prashant
>
>

Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed

2016-07-07 Thread Roderick Johnstone

On 07/07/16 15:02, Rob Crittenden wrote:

Roderick Johnstone wrote:

On 05/07/16 11:52, Roderick Johnstone wrote:

On 04/07/2016 15:12, Martin Babinsky wrote:

On 07/04/2016 10:23 AM, Roderick Johnstone wrote:

Hi

I installed my first master ipa server (server1) many months ago
(Redhat
7.1 IIRC) and made a replica server2 without problems.

Now I'd like to bring online another replica (server3).

All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64,
but I get the following error when I run this on server1:

server1> ipa-replica-prepare server3.example.com

Directory Manager (existing master) password:

Preparing replica for server3.example.com from server1.example.com
Creating SSL certificate for the Directory Server
Certificate issuance failed


If I repeat this on server2, my first replica, it succeeds.

Running in debug mode on server1:
server1> ipa-replica-prepare --debug server3.example.com
gives a lot of output of which the following seems relevant (some info
has been anonymised):

Generating key.  This may take a few moments...


ipa: DEBUG: request POST
https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
ipa: DEBUG: request body
'profileId=caIPAserviceCert_name=IPA+Installer_request=...CU24QyOEd%0A_request_type=pkcs10=true'

ipa: DEBUG: NSSConnection init server1.example.com
ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ipa: DEBUG: response status 200
ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT', 'content-length': '161', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
ipa: DEBUG: response body '1Server Internal Error  3'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 337, in run
    self.copy_ds_certificate()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 382, in copy_ds_certificate
    self.export_certdb("dscert", passwd_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 589, in export_certdb
    db.create_server_cert(nickname, hostname, ca_db)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 418, in issue_server_cert
    raise RuntimeError("Certificate issuance failed")

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: RuntimeError: Certificate issuance failed
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Certificate issuance failed

If it's of relevance I did change the directory manager password on both server1 and server2 a couple of weeks ago.

I'd appreciate some pointers to resolving this.

Thanks

Roderick Johnstone


Hi Roderick,

try to look in the logs of the pki-ca subsystem. They should be located
in /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" and
"debug" logs mainly.



Martin

Thanks for the pointers. We had looked at a lot of log files, but not
those ones!

We were running the ipa-replica-prepare during the afternoon of 1 July.
Here are the last few entries in the system log file.

0.profileChangeMonitor - [24/Jun/2016:04:45:51 BST] [8] [3] In Ldap
(bound) connection pool to host server1.example.com port 636, Cannot
connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error
creating JSS SSL Socket (-1)
0.CRLIssuingPoint-MasterCRL - [01/Jul/2016:10:26:04 BST] [3] [3]
CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the
internaldb. Error LDAP operation failure -
cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca
netscape.ldap.LDAPException: error result (1)
0.http-bio-8443-exec-4 - [01/Jul/2016:16:04:58 BST] [3] [3] Could not
store certificate serial number 0x1
0.http-bio-8443-exec-6 - [01/Jul/2016:16:07:18 BST] [3] [3] Could not
store certificate serial number 0x2
0.http-bio-8443-exec-8 - [01/Jul/2016:16:13:37 BST] [3] [3] Could not
store certificate serial number 0x3
0.http-bio-8443-exec-4 - [01/Jul/2016:17:07:01 BST] [3] [3] Could not
store certificate serial number 0x1
0.http-bio-8443-exec-6 - [01/Jul/2016:17:28:35 BST] [3] [3] Could not
store certificate serial number 0x2
0.http-bio-8443-exec-8 - [01/Jul/2016:17:56:02 BST] [3] [3] Could not
store certificate serial number 0x3


At corresponding times, in the debug logs there are entries like:

[01/Jul/2016:16:04:58][http-bio-8443-exec-4]: LDAP 

Re: [Freeipa-users] Replication time and relation to cache size

2016-07-07 Thread thierry bordaz



On 07/07/2016 03:47 PM, Martin Kosek wrote:

On 06/21/2016 05:19 PM, Ash Alam wrote:

anyone have any thoughts on this?

Thank You

On Fri, Jun 10, 2016 at 2:59 PM, Ash Alam > wrote:

 Hello

 I have been going through the lists but i have not found the answer i am
 looking for. I am seeing few issues for which i am looking for some
 clarification.

 1. What is the relationship between replication time and cache size?

 - I am noticing that it's taking up to 5 minutes for some things to
 replication when change is made on one node and there are two additional
 masters. The ipa nodes are all virtual machines within the same cluster.

Hi Ash,

There is no direct relation between replication time (latency) and the 
cache size.
But it is possible that with a greater cache, processing of the 
replicated updates will be faster.
Now many parameters can explain latency (power of the boxes, masters 
competing for exclusive access to a replica, many updates filtered 
before sending one...)

The latency was greatly reduced since 1.3.5.4.




 - WARNING: changelog: entry cache size 2097152B is less than db size
 116154368B; We recommend to increase the entry cache size 
nsslapd-cachememsize.


This warning is generic for all suffixes. Now changelog is a special 
suffix and a small entry cache should not create any issue.


 - I don't understand the cache size. Wouldn't increasing it cause the same
 issue when we hit the new limit?
To process an entry (search/update), the entry is loaded in memory into 
a cache.
The entry remains in the cache until it needs space to load others 
entries. The cache is always full and this does not create any issue.
If you have a small database and all the entries can fit in the cache, 
it's worth testing with a large cache.

Otherwise a cache of [100-200] Mb is most of the time a good tuning.


 - connection - conn=3779 fd=175 Incoming BER Element was 3 bytes, max
 allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in
 cn=config to increase.
It comes from a failure (overflow) to decode a ber (ber_get_next). The 
maxbersize is 200Mb, which looks large enough to handle any request. Is it a 
frequent issue? Is there any network issue?


 2. Is there a definitive solution to this error? This seems to pop up every
 so often.

 - NSMMReplicationPlugin - agmt="cn=meToipa009.pp" (ipa009:389): Warning:
 Attempting to release replica, but unable to receive endReplication 
extended
This message comes from a replica agreement that is responsible for 
replicating updates to another DS instance (ipa0009).
When this replica agreement has no more updates to send, it sends an 
'endReplication' and expects a response (from ipa0009). Here for some 
reason, ipa0009 is not responding. You may check the error logs.



Hi Ash,

I see no reply, let me try and hook Thierry/Ludwig, they should know more.

Martin

P.S. sorry for the delay, most of FreeIPA core developers were focused on
getting FreeIPA 4.4 out of the door.


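As an added example (mine, not from the thread or the 389-ds project) of acting on the cache warning Thierry discusses: the script below parses the "entry cache size ... is less than db size ..." warning from the errors log, leaves the changelog suffix alone as he advises, and writes the LDIF to raise nsslapd-cachememsize on the other backends. The 100-200 MiB band is his rule of thumb, applied here as an assumption; the backend entry "cn=<backend>,cn=ldbm database,cn=plugins,cn=config" is where 389-ds keeps that attribute; the userRoot and ipaca warning lines are constructed, only the changelog one mirrors the thread.

```python
"""Turn 389-ds entry-cache warnings into an nsslapd-cachememsize change.

Added example, not from the thread. Parses the
"entry cache size ... is less than db size ..." warning, skips the
changelog suffix (a small cache there is harmless, per the reply above)
and emits LDIF for the other backends. The 100-200 MiB band is the
thread's rule of thumb and an assumption here, not a 389-ds default.
"""
import re

MIB = 1024 * 1024
MIN_CACHE, MAX_CACHE = 100 * MIB, 200 * MIB   # assumed tuning band

CACHE_WARN_RE = re.compile(
    r"WARNING: (?P<backend>\w+): entry cache size (?P<cache>\d+)B "
    r"is less than db size (?P<db>\d+)B"
)

# Constructed errors-log lines; the changelog one mirrors the thread, the
# userRoot and ipaca ones are invented to exercise the other branches.
SAMPLE_ERRORS_LOG = """\
[07/Jul/2016:00:15:41 +0200] - WARNING: changelog: entry cache size 2097152B is less than db size 116154368B; We recommend to increase the entry cache size nsslapd-cachememsize.
[07/Jul/2016:00:15:41 +0200] - WARNING: userRoot: entry cache size 10485760B is less than db size 116154368B; We recommend to increase the entry cache size nsslapd-cachememsize.
[07/Jul/2016:00:15:41 +0200] - WARNING: ipaca: entry cache size 10485760B is less than db size 1000000000B; We recommend to increase the entry cache size nsslapd-cachememsize.
"""


def parse_cache_warnings(lines):
    """Return {backend: (cache_bytes, db_bytes)} for each warning seen."""
    found = {}
    for line in lines:
        m = CACHE_WARN_RE.search(line)
        if m:
            found[m["backend"]] = (int(m["cache"]), int(m["db"]))
    return found


def recommend_cachememsize(backend, cache_bytes, db_bytes):
    """Suggested nsslapd-cachememsize in bytes, or None to leave the backend alone."""
    if backend == "changelog":
        return None              # special suffix: a small cache is fine
    if cache_bytes >= db_bytes:
        return None              # the database already fits
    wanted = -(-db_bytes // MIB) * MIB   # round up to a whole MiB
    return max(MIN_CACHE, min(MAX_CACHE, wanted))


def ldif_modify(backend, size_bytes):
    """LDIF that sets the cache on the backend's ldbm instance entry."""
    return (f"dn: cn={backend},cn=ldbm database,cn=plugins,cn=config\n"
            "changetype: modify\n"
            "replace: nsslapd-cachememsize\n"
            f"nsslapd-cachememsize: {size_bytes}\n")


def plan(lines):
    """Return {backend: ldif_or_None} for every warning in the log."""
    out = {}
    for backend, (cache, db) in parse_cache_warnings(lines).items():
        size = recommend_cachememsize(backend, cache, db)
        out[backend] = ldif_modify(backend, size) if size else None
    return out


if __name__ == "__main__":
    for backend, ldif in plan(SAMPLE_ERRORS_LOG.splitlines()).items():
        print(f"# {backend}: {'no change' if ldif is None else 'apply with ldapmodify'}")
        if ldif:
            print(ldif)
```

A database larger than the band (the ipaca line) is capped at 200 MiB, which is exactly the "otherwise" case in the reply: the cache stays smaller than the db, and that is expected, not a fault.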


Re: [Freeipa-users] Error with DNS forwarding on replica.

2016-07-07 Thread Petr Spacek
On 15.6.2016 09:37, Nuno Higgs wrote:
> Hello Petr,
> 
> [root@slave ~]# cat  /var/log/ipareplica-install.log | grep -i DNSSEC | grep 
> -i not | grep -i support
> 
> It’s empty.

Interesting. At this point I'm unable to say what happened to your install. If
it happens again please get back to us and we will investigate.

Petr^2 Spacek

> 
> Thanks
> Nuno
> 
>> On 15 Jun 2016, at 07:45, Petr Spacek  wrote:
>>
>> On 14.6.2016 17:29, Nuno Higgs wrote:
>>> Hello,
>>>
>>> I am running CentOS7:
>>>
>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>
>>> I configured my dos forward when i did the install process of the secondary 
>>> node of IPA:
>>>
>>> [root@slave ~]#  ipa-replica-install --setup-ca --setup-dns --forwarder  
>>> 10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg
>>
>> Interesting, 4.2.0 should have checks to detect this problem.
>>
>> Could you check /var/log/ipareplica-install.log for warnings related to 
>> DNSSEC?
>>
>> It should be something like
>> "DNS server  does not support DNSSEC"
>>
>> Thanks.
>>
>> Petr^2 Spacek
>>
>>
>>>
>>> Thanks,
>>> Nuno
>>>
 On 14 Jun 2016, at 15:28, Petr Spacek  wrote:

 On 14.6.2016 13:01, Nuno Higgs wrote:
> Hello,
>
> Found it:
>
> It appears that my forwarder is NOT DNSSEC happy:
>
> in:  /var/named/data/named.run
>
> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent 
> indicates it should be secure
> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
>
> So, i changed the /etc/named.conf 
>
> from:
>
>   dnssec-enable yes;
>   dnssec-validation yes;
>
> to:
>
>   dnssec-enable yes;
>   dnssec-validation no;
>
> Everything is working fine now.

 Okay, it explains a lot.

 Please note that configuration "dnssec-validation no;" lowers security bar 
 for
 attackers and is strongly discouraged!

 The issue is most likely caused by non-compliant forwarder which mangles 
 DNS
 data somehow before they reach your IPA DNS server.

 I would recommend you to check the DNS forwarder on 10.0.157.35 and see if it is
 configured with its equivalent of "dnssec-enable yes;". I strongly 
 recommend
 returning back to "dnssec-validation yes;" after fixing the forwarder 
 config.

 IPA 4.3 or newer should print a warning about such broken forwarders 
 whenever
 you try to configure them using IPA commands.

 What version of IPA do you use?

 How did you configure the forwarder in IPA?

 Petr^2 Spacek

>
> Thanks for your help!
> Nuno
>
>> On 13 Jun 2016, at 10:14, Nuno Higgs  wrote:
>>
>> Hello again,
>>
>> [root@ipa01 ~]# kinit user
>> Password for user@DOMAIN.LOCAL:
>> [root@ipa01 ~]# ipa dnsforwardzone-show domain.eu
>> Zone name: domain.eu.
>> Active zone: TRUE
>> Zone forwarders: 194.65.3.20 195.65.3.21
>> Forward policy: only
>> [root@ipa01 ~]#
>>
>>
>> [root@ipa02 ~]# ipa dnsforwardzone-show domain.eu
>> Zone name: domain.eu.
>> Active zone: TRUE
>> Zone forwarders: 194.65.3.20 195.65.3.21
>> Forward policy: only
>> [root@ipa02 ~]#
>>
>> On both servers the return is the same.
>> I haven't touched the DNS config besides deleting the zone and recreating
>> it.
>>
>> I am at a loss. What can be the issue here?
>>
>> Thanks,
>> Nuno
>>
>>
>> -Original Message-
>> From: freeipa-users-boun...@redhat.com
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
>> Sent: segunda-feira, 13 de junho de 2016 06:50
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>
>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>> Hello all,
>>>
>>>
>>>
>>> I have an IPA server - IPA 4.2 - and I have added a new IPA to 
>>> geographic replication.
>>>
>>> I have added it as stated in the documentation here:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>
>>> All was replicated correctly, and I can do a kinit user@DOMAIN with 
>>> success within the replica.
>>>
>>> However there is a problem with the DNS sections:
>>>
>>> Although DNS is ok, my configuration within IPA on the first server 
>>> regarding DNS zones 
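Petr's advice in this thread is to fix the forwarder rather than leave "dnssec-validation no;" in place. The following is an added example, mine and not from the thread or from BIND or FreeIPA, with two checks a defender can run: read the dnssec-enable and dnssec-validation values out of the options block of named.conf and flag the weakened setting, and pull the forwarder address out of the "insecurity proof failed" lines in named.run so the broken upstream is identified. The config fragments and the log excerpt are constructed, modelled on what Nuno posted; 10.0.157.35 is the forwarder from the thread.

```python
"""Audit named.conf for DNSSEC validation and spot a forwarder that breaks it.

Added example, not from the thread. (1) reads dnssec-enable and
dnssec-validation from the options{} block and flags "dnssec-validation no;",
the workaround the thread warns against; (2) scans named.run for
"insecurity proof failed" lines and reports which forwarder produced them.
The config fragments and the log excerpt are constructed.
"""
import re

OPTION_RE = re.compile(r"\b(dnssec-enable|dnssec-validation)\s+(yes|no|auto)\s*;", re.I)
PROOF_FAIL_RE = re.compile(
    r"error \(insecurity proof failed\) resolving '(?P<name>[^']+)': (?P<ip>[\d.]+)#\d+"
)

# Constructed: the weakened workaround from the thread, and the corrected form.
WEAK_CONF = """\
options {
\tlisten-on port 53 { any; };
\tforwarders { 10.0.157.35; };
\tdnssec-enable yes;
\tdnssec-validation no;   // disabled to get past the broken forwarder
};
"""
FIXED_CONF = WEAK_CONF.replace("dnssec-validation no;", "dnssec-validation yes;")

# Constructed named.run excerpt, modelled on the lines quoted in the thread.
NAMED_RUN = """\
validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
"""


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _options_block(text):
    """Body of the top-level options{} block, found by brace counting."""
    start = re.search(r"\boptions\s*\{", text)
    if not start:
        return ""
    depth, begin = 0, start.end() - 1
    for i in range(begin, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[begin + 1:i]
    return text[begin + 1:]


def dnssec_settings(named_conf):
    """{'dnssec-enable': value, 'dnssec-validation': value}; 'unset' if absent."""
    body = _options_block(_strip_comments(named_conf))
    found = {k.lower(): v.lower() for k, v in OPTION_RE.findall(body)}
    return {key: found.get(key, "unset") for key in ("dnssec-enable", "dnssec-validation")}


def audit_dnssec(named_conf):
    """List of findings; an empty list means validation is explicitly on."""
    s = dnssec_settings(named_conf)
    findings = []
    if s["dnssec-enable"] == "no":
        findings.append("dnssec-enable no: server sends no DNSSEC records")
    if s["dnssec-validation"] == "no":
        findings.append("dnssec-validation no: forwarder answers are accepted unvalidated")
    elif s["dnssec-validation"] == "unset":
        findings.append("dnssec-validation unset: confirm this BIND version's default")
    return findings


def failing_forwarders(named_run_lines):
    """{forwarder_ip: [names whose insecurity proof failed]} from named.run."""
    out = {}
    for line in named_run_lines:
        m = PROOF_FAIL_RE.search(line)
        if m:
            out.setdefault(m["ip"], []).append(m["name"])
    return out


if __name__ == "__main__":
    print("weak:", audit_dnssec(WEAK_CONF))
    print("fixed:", audit_dnssec(FIXED_CONF))
    print("forwarders failing validation:", failing_forwarders(NAMED_RUN.splitlines()))
```

When the second function names a forwarder, that address is the place to fix; once its answers validate, audit_dnssec on the restored "dnssec-validation yes;" config should come back empty.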

Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed

2016-07-07 Thread Rob Crittenden

Roderick Johnstone wrote:

On 05/07/16 11:52, Roderick Johnstone wrote:

On 04/07/2016 15:12, Martin Babinsky wrote:

On 07/04/2016 10:23 AM, Roderick Johnstone wrote:

Hi

I installed my first master ipa server (server1) many months ago
(Redhat
7.1 IIRC) and made a replica server2 without problems.

Now I'd like to bring online another replica (server3).

All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64,
but I get the following error when I run this on server1:

server1> ipa-replica-prepare server3.example.com

Directory Manager (existing master) password:

Preparing replica for server3.example.com from server1.example.com
Creating SSL certificate for the Directory Server
Certificate issuance failed


If I repeat this on server2, my first replica, it succeeds.

Running in debug mode on server1:
server1> ipa-replica-prepare --debug server3.example.com
gives a lot of output of which the following seems relevant (some info
has been anonymised):

Generating key.  This may take a few moments...


ipa: DEBUG: request POST
https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
ipa: DEBUG: request body
'profileId=caIPAserviceCert_name=IPA+Installer_request=...CU24QyOEd%0A_request_type=pkcs10=true'

ipa: DEBUG: NSSConnection init server1.example.com
ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ipa: DEBUG: response status 200
ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT',
'content-length': '161', 'content-type': 'application/xml', 'server':
'Apache-Coyote/1.1'}
ipa: DEBUG: response body '1Server Internal
Error  3'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 337, in run
    self.copy_ds_certificate()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 382, in copy_ds_certificate
    self.export_certdb("dscert", passwd_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 589, in export_certdb
    db.create_server_cert(nickname, hostname, ca_db)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 418, in issue_server_cert
    raise RuntimeError("Certificate issuance failed")

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: RuntimeError: Certificate
issuance failed
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
Certificate issuance failed

If it's of relevance I did change the directory manager password on both
server1 and server2 a couple of weeks ago.

I'd appreciate some pointers to resolving this.

Thanks

Roderick Johnstone


Hi Roderick,

try to look in the logs of the pki-ca subsystem. They should be located
in /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" and
"debug" logs mainly.



Martin

Thanks for the pointers. We had looked at a lot of log files, but not
those ones!

We were running the ipa-replica-prepare during the afternoon of 1 July.
Here are the last few entries in the system log file.

0.profileChangeMonitor - [24/Jun/2016:04:45:51 BST] [8] [3] In Ldap
(bound) connection pool to host server1.example.com port 636, Cannot
connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error
creating JSS SSL Socket (-1)
0.CRLIssuingPoint-MasterCRL - [01/Jul/2016:10:26:04 BST] [3] [3]
CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the
internaldb. Error LDAP operation failure -
cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca
netscape.ldap.LDAPException: error result (1)
0.http-bio-8443-exec-4 - [01/Jul/2016:16:04:58 BST] [3] [3] Could not
store certificate serial number 0x1
0.http-bio-8443-exec-6 - [01/Jul/2016:16:07:18 BST] [3] [3] Could not
store certificate serial number 0x2
0.http-bio-8443-exec-8 - [01/Jul/2016:16:13:37 BST] [3] [3] Could not
store certificate serial number 0x3
0.http-bio-8443-exec-4 - [01/Jul/2016:17:07:01 BST] [3] [3] Could not
store certificate serial number 0x1
0.http-bio-8443-exec-6 - [01/Jul/2016:17:28:35 BST] [3] [3] Could not
store certificate serial number 0x2
0.http-bio-8443-exec-8 - [01/Jul/2016:17:56:02 BST] [3] [3] Could not
store certificate serial number 0x3


At corresponding times, in the debug logs there are entries like:

[01/Jul/2016:16:04:58][http-bio-8443-exec-4]: LDAP operation failure -
cn=1,ou=certificateRepository, 

Re: [Freeipa-users] Replication time and relation to cache size

2016-07-07 Thread Martin Kosek
On 06/21/2016 05:19 PM, Ash Alam wrote:
> anyone have any thoughts on this?
> 
> Thank You
> 
> On Fri, Jun 10, 2016 at 2:59 PM, Ash Alam wrote:
> 
> Hello
> 
> I have been going through the lists but i have not found the answer i am
> looking for. I am seeing few issues for which i am looking for some
> clarification.
> 
> 1. What is the relationship between replication time and cache size?
> 
> - I am noticing that it's taking up to 5 minutes for some things to
> replication when change is made on one node and there are two additional
> masters. The ipa nodes are all virtual machines within the same cluster.
> 
> - WARNING: changelog: entry cache size 2097152B is less than db size
> 116154368B; We recommend to increase the entry cache size 
> nsslapd-cachememsize.
> 
> - I don't understand the cache size. Would't increasing it cause the same
> issue when we hit the new limit?
> 
> - connection - conn=3779 fd=175 Incoming BER Element was 3 bytes, max
> allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in
> cn=config to increase.
> 
> 
> 2. Is there a definitive solution to this error? This seems to pop up 
> every
> so often.
> 
> - NSMMReplicationPlugin - agmt="cn=meToipa009.pp" (ipa009:389): Warning:
> Attempting to release replica, but unable to receive endReplication 
> extended

Hi Ash,

I see no reply, let me try and hook Thierry/Ludwig, they should know more.

Martin

P.S. sorry for the delay, most of FreeIPA core developers were focused on
getting FreeIPA 4.4 out of the door.



Re: [Freeipa-users] How to automatically group new users under Stage Users when users are synced from AD

2016-07-07 Thread Martin Kosek
On 06/26/2016 06:57 PM, Supratik Goswami wrote:
> Hi
> 
> I am using ipa-server-4.2.0  in my environment, it is having winsync 
> agreement 
> with the AD server.
> I want to move all new users to "Stage Users" state automatically when they 
> are 
> synced from the AD, can anyone please guide me on how to achieve it?
> 
> Any help is highly appreciated.
> 
> -- 
> Warm Regards

Hi Supratik,

This is not possible at the moment - this is an RFE. Please feel free to file
an upstream ticket, I assume it should be doable. Please just note you would
probably need to contribute patches to make this work, as winsync is not a
priority for most of the core developers, AD Trust is.

Thanks,
Martin



Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-07-07 Thread Petr Spacek
On 7.7.2016 11:32, Günther J. Niederwimmer wrote:
> Hello Petr,
> 
> Am Donnerstag, 7. Juli 2016, 09:14:35 CEST schrieb Petr Spacek:
>> On 23.6.2016 15:27, Günther J. Niederwimmer wrote:
>>> Hello Martin,
>>>
>>> Am Donnerstag, 23. Juni 2016, 15:02:18 CEST schrieb Martin Basti:
>>>> On 20.06.2016 18:48, Günther J. Niederwimmer wrote:
>>>>> Hello,
>>>>>
>>>>> Am Montag, 20. Juni 2016, 09:54:11 CEST schrieb Petr Spacek:
>>>>>> On 18.6.2016 15:03, Günther J. Niederwimmer wrote:
>>>>>>> hello,
>>>>>>>
>>>>>>> Am Freitag, 17. Juni 2016, 23:05:32 CEST schrieb Martin Basti:
>>>>>>>> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> Am Freitag, 17. Juni 2016, 14:13:55 CEST schrieb Martin Basti:
>>>>>>>>>> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
>>>>>>>>>>> Hello List,
>>>>>>>>>>>
>>>>>>>>>>> Am Freitag, 17. Juni 2016, 07:51:45 CEST schrieb Petr Spacek:
>>>>>>>>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
>>>>>>>>>>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
>>>>>>>>>>>>>> Hello
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> on my system the ods-exporter i mean have a problem.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have this in the logs
>>>>>>>>>>>>>> CentOS 7.(2) ipa 4.3.1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise
>>>>>>>>>>>>>> errors.ACIError(info=info)
>>>>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
>>>>>>>>>>>>>> Insufficient
>>>>>>>>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified
>>>>>>>>>>>>>> GSS
>>>>>>>>>>>>>> failure.
>>>>>>>>>>>>>> Minor code may provide more information (Ticket expired)
>>>>>>>>>>>>>
>>>>>>>>>>>>>   Here seems to be a reason why it failed.
>>>>>>>>>>>>>   But I can't help you more.
>>>>>>>>>>>>
>>>>>>>>>>>> Lukas is right. Interesting, this should never happen :-)
>>>>>>>>>>>
>>>>>>>>>>> this have I also found ;-)
>>>>>>>>>>>
>>>>>>>>>>>> Please enable debugging using procedure
>>>>>>>>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data and check logs after next ipa-ods-exporter restart.
>>>>>>>>>>>> Thank you!
>>>>>>>>>>>
>>>>>>>>>>> OK,
>>>>>>>>>>>
>>>>>>>>>>> I attache the messages log?
>>>>>>>>>>>
>>>>>>>>>>> I mean this is a problem with my DNS ?
>>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>> can you check kerberos status of ipa-ods-exporter service in webUI?
>>>>>>>>>>
>>>>>>>>>> identity/services/ipa-ods-exported/
>>>>>>>>>> There should be kerberos status in right top corner in details view
>>>>>>>>>
>>>>>>>>> I have a
>>>>>>>>> identity/services/ipa-ods-exporter/..
>>>>>>>>>
>>>>>>>>> with a "Kerberos Key Present, Service Provisioned"
>>>>>>>>>
>>>>>>>>> but no Certificate ?
>>>>>>>>
>>>>>>>> Can you try,
>>>>>>>>
>>>>>>>> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab
>>>>>>>> ipa-ods-exporter/$(hostname)
>>>>>>>
>>>>>>> OK
>>>>>>> I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-
>>>>>>> exporter/$(hostname)"
>>>>>>>
>>>>>>> written on one line!! is this OK.
>>>>>>>
>>>>>>>> and do ldapsearch
>>>>>>>> # ldapsearch -Y GSSAPI
>>>>>>>
>>>>>>> and also ldapsearch is OK
>>>>>>>
>>>>>>>> It should show us if keytab is okay
>>>>>>>
>>>>>>> But the Error is present :-(.
>>>>>>
>>>>>> We need to see precise error. Please copy it into the e-mail.
>>>>>
>>>>> that is it.
>>>>>
>>>>> Jun 20 18:44:36 ipa systemd: ipa-ods-exporter.service failed.
>>>>>
>>>>>> It would be awesome if you could follow general rules for bug
>>>>>> reporting:
>>>>>> http://www.chiark.greenend.org.uk/~sgtatham/bugs-de.html
>>>>>>
>>>>>> Besides other things it would allow us to help you in shorter time.
>>>>>>
>>>>>> Have a nice day!
>>>>
>>>> This is weird, It looks like your kerberos keytab is valid, but I have
>>>> no idea why you are getting ticket expired messages. It should just
>>>> kinit again.
>>>>
>>>> Can you please remove this ccache file?
>>>> /var/opendnssec/tmp/ipa-ods-exporter.ccache
>>>
>>> OK now i make a ipactl stop remove the ccache file and start ipa again.
>>>
>>> to start the ods-exporte I have to wait a long time 1-2 min. ;-)
>>>
>>> I send you the log without debug when you like this with debug tell me.
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: Traceback (most recent call last):
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-
>>> exporter", line 656, in 
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: ldap.gssapi_bind()
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: File
>>> "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in
>>> gssapi_bind
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: '', auth_tokens, server_controls,
>>> client_controls)
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/
>>> contextlib.py", line 35, in __exit__
>>> Jun 23 14:57:56 ipa ipa-ods-exporter: self.gen.throw(type, value,
>>> traceback) Jun 23 14:57:56 

Re: [Freeipa-users] Sync & BaseDN change

2016-07-07 Thread Petr Spacek
On 7.7.2016 01:44, Brad Cesarone wrote:
> I have two questions
> 1) Is it possible to sync/replicate with another ldap server? i.e Oracle
> Identity Manager

IPA provides a one-time import script called ipa-migrate-ds, see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/using-migrate-ds.html

It does not have any run-time synchronization capabilities.

> 2) If #1 is true, is it possible to sync with two different suffixs?

No.

> 3) Is it possible to either install IPA with a custom ldap Suffix or change
> the suffix once it is created?

No, the suffix is derived from the Kerberos realm and stays the same for the
lifetime of the IPA installation.


What are you trying to achieve? Maybe we can approach it from a different angle.

-- 
Petr^2 Spacek



[Freeipa-users] Sync & BaseDN change

2016-07-07 Thread Brad Cesarone
Hello

I have two questions
1) Is it possible to sync/replicate with another ldap server? i.e Oracle
Identity Manager
2) If #1 is true, is it possible to sync with two different suffixs?
3) Is it possible to either install IPA with a custom ldap Suffix or change
the suffix once it is created?

Thank you

Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed

2016-07-07 Thread Roderick Johnstone

On 05/07/16 11:52, Roderick Johnstone wrote:

On 04/07/2016 15:12, Martin Babinsky wrote:

On 07/04/2016 10:23 AM, Roderick Johnstone wrote:

Hi

I installed my first master ipa server (server1) many months ago (Redhat
7.1 IIRC) and made a replica server2 without problems.

Now I'd like to bring online another replica (server3).

All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64,
but I get the following error when I run this on server1:

server1> ipa-replica-prepare server3.example.com

Directory Manager (existing master) password:

Preparing replica for server3.example.com from server1.example.com
Creating SSL certificate for the Directory Server
Certificate issuance failed


If I repeat this on server2, my first replica, it succeeds.

Running in debug mode on server1:
server1> ipa-replica-prepare --debug server3.example.com
gives a lot of output of which the following seems relevant (some info
has been anonymised):

Generating key.  This may take a few moments...


ipa: DEBUG: request POST
https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
ipa: DEBUG: request body
'profileId=caIPAserviceCert_name=IPA+Installer_request=...CU24QyOEd%0A_request_type=pkcs10=true'

ipa: DEBUG: NSSConnection init server1.example.com
ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ipa: DEBUG: response status 200
ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT',
'content-length': '161', 'content-type': 'application/xml', 'server':
'Apache-Coyote/1.1'}
ipa: DEBUG: response body '1Server Internal
Error  3'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 337, in run
    self.copy_ds_certificate()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 382, in copy_ds_certificate
    self.export_certdb("dscert", passwd_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 589, in export_certdb
    db.create_server_cert(nickname, hostname, ca_db)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 418, in issue_server_cert
    raise RuntimeError("Certificate issuance failed")

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: RuntimeError: Certificate
issuance failed
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
Certificate issuance failed

If it's of relevance I did change the directory manager password on both
server1 and server2 a couple of weeks ago.

I'd appreciate some pointers to resolving this.

Thanks

Roderick Johnstone


Hi Roderick,

try to look in the logs of the pki-ca subsystem. They should be located
in /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" and
"debug" logs mainly.



Martin

Thanks for the pointers. We had looked at a lot of log files, but not
those ones!

We were running the ipa-replica-prepare during the afternoon of 1 July.
Here are the last few entries in the system log file.

0.profileChangeMonitor - [24/Jun/2016:04:45:51 BST] [8] [3] In Ldap
(bound) connection pool to host server1.example.com port 636, Cannot
connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error
creating JSS SSL Socket (-1)
0.CRLIssuingPoint-MasterCRL - [01/Jul/2016:10:26:04 BST] [3] [3]
CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the
internaldb. Error LDAP operation failure -
cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca
netscape.ldap.LDAPException: error result (1)
0.http-bio-8443-exec-4 - [01/Jul/2016:16:04:58 BST] [3] [3] Could not
store certificate serial number 0x1
0.http-bio-8443-exec-6 - [01/Jul/2016:16:07:18 BST] [3] [3] Could not
store certificate serial number 0x2
0.http-bio-8443-exec-8 - [01/Jul/2016:16:13:37 BST] [3] [3] Could not
store certificate serial number 0x3
0.http-bio-8443-exec-4 - [01/Jul/2016:17:07:01 BST] [3] [3] Could not
store certificate serial number 0x1
0.http-bio-8443-exec-6 - [01/Jul/2016:17:28:35 BST] [3] [3] Could not
store certificate serial number 0x2
0.http-bio-8443-exec-8 - [01/Jul/2016:17:56:02 BST] [3] [3] Could not
store certificate serial number 0x3


At corresponding times, in the debug logs there are entries like:

[01/Jul/2016:16:04:58][http-bio-8443-exec-4]: LDAP operation failure -
cn=1,ou=certificateRepository, ou=ca, o=ipaca

Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-07-07 Thread Günther J. Niederwimmer
Hello Petr,

Am Donnerstag, 7. Juli 2016, 09:14:35 CEST schrieb Petr Spacek:
> On 23.6.2016 15:27, Günther J. Niederwimmer wrote:
> > Hello Martin,
> >
> > Am Donnerstag, 23. Juni 2016, 15:02:18 CEST schrieb Martin Basti:
> >> On 20.06.2016 18:48, Günther J. Niederwimmer wrote:
> >>> Hello,
> >>>
> >>> Am Montag, 20. Juni 2016, 09:54:11 CEST schrieb Petr Spacek:
> >>>> On 18.6.2016 15:03, Günther J. Niederwimmer wrote:
> >>>>> hello,
> >>>>>
> >>>>> Am Freitag, 17. Juni 2016, 23:05:32 CEST schrieb Martin Basti:
> >>>>>> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
> >>>>>>> Hello,
> >>>>>>>
> >>>>>>> Am Freitag, 17. Juni 2016, 14:13:55 CEST schrieb Martin Basti:
> >>>>>>>> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
> >>>>>>>>> Hello List,
> >>>>>>>>>
> >>>>>>>>> Am Freitag, 17. Juni 2016, 07:51:45 CEST schrieb Petr Spacek:
> >>>>>>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
> >>>>>>>>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
> >>>>>>>>>>>> Hello
> >>>>>>>>>>>>
> >>>>>>>>>>>> on my system the ods-exporter i mean have a problem.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I have this in the logs
> >>>>>>>>>>>> CentOS 7.(2) ipa 4.3.1
> >>>>>>>>>>>>
> >>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise
> >>>>>>>>>>>> errors.ACIError(info=info)
> >>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
> >>>>>>>>>>>> Insufficient
> >>>>>>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified
> >>>>>>>>>>>> GSS
> >>>>>>>>>>>> failure.
> >>>>>>>>>>>> Minor code may provide more information (Ticket expired)
> >>>>>>>>>>>
> >>>>>>>>>>>   Here seems to be a reason why it failed.
> >>>>>>>>>>>   But I can't help you more.
> >>>>>>>>>>
> >>>>>>>>>> Lukas is right. Interesting, this should never happen :-)
> >>>>>>>>>
> >>>>>>>>> this have I also found ;-)
> >>>>>>>>>
> >>>>>>>>>> Please enable debugging using procedure
> >>>>>>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data and check logs after next ipa-ods-exporter restart.
> >>>>>>>>>> Thank you!
> >>>>>>>>>
> >>>>>>>>> OK,
> >>>>>>>>>
> >>>>>>>>> I attache the messages log?
> >>>>>>>>>
> >>>>>>>>> I mean this is a problem with my DNS ?
> >>>>>>>>
> >>>>>>>> Hello,
> >>>>>>>> can you check kerberos status of ipa-ods-exporter service in webUI?
> >>>>>>>>
> >>>>>>>> identity/services/ipa-ods-exported/
> >>>>>>>> There should be kerberos status in right top corner in details view
> >>>>>>>
> >>>>>>> I have a
> >>>>>>> identity/services/ipa-ods-exporter/..
> >>>>>>>
> >>>>>>> with a "Kerberos Key Present, Service Provisioned"
> >>>>>>>
> >>>>>>> but no Certificate ?
> >>>>>>
> >>>>>> Can you try,
> >>>>>>
> >>>>>> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab
> >>>>>> ipa-ods-exporter/$(hostname)
> >>>>>
> >>>>> OK
> >>>>> I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-
> >>>>> exporter/$(hostname)"
> >>>>>
> >>>>> written on one line!! is this OK.
> >>>>>
> >>>>>> and do ldapsearch
> >>>>>> # ldapsearch -Y GSSAPI
> >>>>>
> >>>>> and also ldapsearch is OK
> >>>>>
> >>>>>> It should show us if keytab is okay
> >>>>>
> >>>>> But the Error is present :-(.
> >>>>
> >>>> We need to see precise error. Please copy it into the e-mail.
> >>>
> >>> that is it.
> >>>
> >>> Jun 20 18:44:36 ipa systemd: ipa-ods-exporter.service failed.
> >>>
> >>>> It would be awesome if you could follow general rules for bug
> >>>> reporting:
> >>>> http://www.chiark.greenend.org.uk/~sgtatham/bugs-de.html
> >>>>
> >>>> Besides other things it would allow us to help you in shorter time.
> >>>>
> >>>> Have a nice day!
> >>
> >> This is weird, It looks like your kerberos keytab is valid, but I have
> >> no idea why you are getting ticket expired messages. It should just
> >> kinit again.
> >>
> >> Can you please remove this ccache file?
> >> /var/opendnssec/tmp/ipa-ods-exporter.ccache
> >
> > OK now i make a ipactl stop remove the ccache file and start ipa again.
> >
> > to start the ods-exporte I have to wait a long time 1-2 min. ;-)
> >
> > I send you the log without debug when you like this with debug tell me.
> > Jun 23 14:57:56 ipa ipa-ods-exporter: Traceback (most recent call last):
> > Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-
> > exporter", line 656, in 
> > Jun 23 14:57:56 ipa ipa-ods-exporter: ldap.gssapi_bind()
> > Jun 23 14:57:56 ipa ipa-ods-exporter: File
> > "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in
> > gssapi_bind
> > Jun 23 14:57:56 ipa ipa-ods-exporter: '', auth_tokens, server_controls,
> > client_controls)
> > Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/
> > contextlib.py", line 35, in __exit__
> > Jun 23 14:57:56 ipa ipa-ods-exporter: self.gen.throw(type, value,
> > traceback) Jun 23 14:57:56 ipa 

Re: [Freeipa-users] k5login not working?

2016-07-07 Thread Sumit Bose
On Wed, Jul 06, 2016 at 04:59:36PM -0400, Jeffery Harrell wrote:
> Oh wow, I see. I did some playing around with
> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin in search of a
> minimum-change scenario and found that this:
> 
> [plugins]
>  localauth = {
>   module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
> #  enable_only = sssd
>  }
> 
> seems to get me where I need to be. Adding that one character seems to be
> enough to make .k5login work as expected.
> 
> Specifically:
> 
> Take a brand new IPA client, created with “ipa-client-install” and
> accepting the defaults.
> 
> Edit /var/lib/sss/pubconf/krb5.include.d/localauth_plugin to comment out
> the enable_only line as above.
> 
> cat <<'EOF' > /root/.k5login
> yourusern...@yourdomain.com
> EOF
> 
> From another computer anywhere in the domain:
> 
> kinit yourusern...@yourdomain.com
> 
> Then:
> 
> ssh -K root@wherever
> 
> This works for me. I’ve got all my servers under Salt config management
> anyway, so it’s not *that* big a deal to add that one byte to each of them.

ok, makes sense. As long as the target users are local (from /etc/passwd),
removing 'enable_only = sssd' is sufficient. For IPA users sssd_krb5_localauth_plugin
would still act authoritatively, i.e. you have to remove/comment it out as
well if you want to use k5login for IPA user to IPA user.

Please note that SSSD will rewrite the file on restart, so you still
might want to use chattr +i to keep your changes.

> 
> Thank you very, very much for the help.

You're welcome.

bye,
Sumit

> 
> 
> 
> 
> On July 6, 2016 at 1:00:53 PM, Sumit Bose (sb...@redhat.com) wrote:
> 
> On Wed, Jul 06, 2016 at 03:30:56PM -0400, Jeffery Harrell wrote:
> > I must be missing something really obvious.
> >
> > Our IPA server is set up in the usual way on CentOS 7.2, just a “yum
> > install ipa-server” and then an “ipa-server-install.” DNS is set up
> > correctly and is working.
> >
> > I’ve got a handful of CentOS 7.2 servers configured as IPA clients — “yum
> > install ipa-client”, “ipa-client-install.” Auto-detection of the realm,
> > domain and server were normal.
> >
> > But k5login is not working as expected. If I have this .k5login file in
> the
> > admin user’s home directory on server A:
> >
> > alice@charlietango.com...@charlietango.com
> >
> > I would expect to be able to do this:
> >
> > kinit al...@charlietango.com
> > ssh -K admin@serverA
> >
> > from anywhere in the Kerberos realm. Instead my credentials get rejected
> > and I’m asked for the admin user’s password.
> >
> > It feels like sshd on the server isn’t even looking at k5login. (I also
> > tried k5users; same result.)
> >
> > The permissions on .k5login are correct. I tried it with SELinux off as
> > well just in case that was it.
> >
> > What blindingly obvious thing have I overlooked?
> 
> I guess you have an issue similar to
> https://bugzilla.redhat.com/show_bug.cgi?id=1297462 . The localauth
> plugin provided by SSSD has too stricts default settings. One is the
> 'enable_only = sssd' option in the config snippet. The other is that it
> acts authoritative for SSSD users. A fix for both was just pushed
> upstream today.
> 
> If you currently do not need the localauth plugin you can disable it by
> creating an empty /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> file and make it unmodifiable with
> 
> chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> 
> This should allow the default methods including k5login again. Please
> note that you might need to add the old RULE based mapping as described
> in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html
> or add .k5login files for every user to make GSSAPI authentication work
> smoothly.
> 
> As an alternative we hope to release the next SSSD version including the
> patches anytime soon and later on there might be build for 7.2
> available.
> 
> HTH
> 
> bye,
> Sumit
> 
> >
> > Thanks.
> 

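A check that follows from Sumit's explanation above, added here as an example and not code from the thread or from SSSD: it classifies the SSSD-generated localauth_plugin snippet and answers whether .k5login will be consulted for a local or an IPA user. It assumes the one-setting-per-line layout quoted in the thread; the three sample snippets are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or SSSD): classify the krb5 localauth
# snippet SSSD generates and report whether .k5login is honoured, following
# the three cases Sumit describes.
#
# Assumption (mine): the snippet uses the layout quoted in the thread,
# one "key = value" setting per line inside the localauth block.

LOCALAUTH_SNIPPET=/var/lib/sss/pubconf/krb5.include.d/localauth_plugin

# Print the value of an active (not commented-out) "key = value" line,
# trailing whitespace stripped; print nothing if the key is absent.
localauth_setting() {
    # $1 = snippet file, $2 = key
    sed -n -e 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Classify the snippet:
#   disabled   - no active "module = sssd:..." line (for example the empty
#                file Sumit suggests pinning with chattr +i): stock krb5
#                rules, including .k5login, apply to everybody
#   strict     - module active and "enable_only = sssd": only the SSSD
#                plugin decides, .k5login is never consulted
#   permissive - module active, enable_only commented out: .k5login works
#                for local (/etc/passwd) users, but the plugin still answers
#                authoritatively for IPA users
localauth_mode() {
    case "$(localauth_setting "$1" module)" in
        sssd:*) ;;
        *) echo disabled; return 0 ;;
    esac
    if [ "$(localauth_setting "$1" enable_only)" = "sssd" ]; then
        echo strict
    else
        echo permissive
    fi
}

# Exit 0 if .k5login is honoured for a "local" or an "ipa" user under the
# given snippet, 1 otherwise.
k5login_honoured() {
    # $1 = snippet file, $2 = local | ipa
    case "$(localauth_mode "$1")/$2" in
        disabled/*|permissive/local) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the snippet is pinned with chattr +i, i.e. SSSD cannot rewrite
# it on its next restart (needs lsattr; false if unavailable).
localauth_pinned() {
    lsattr -d "$1" 2>/dev/null | awk '{ print $1 }' | grep -q 'i'
}

# Constructed sample snippets, modelled on the one quoted in the thread.
SAMPLE_STRICT='[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }'
SAMPLE_PERMISSIVE='[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
#  enable_only = sssd
 }'

# Demo: write the samples to a scratch directory and report each one.
localauth_demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_STRICT" > "$dir/strict"
    printf '%s\n' "$SAMPLE_PERMISSIVE" > "$dir/permissive"
    : > "$dir/disabled"
    for name in strict permissive disabled; do
        printf '%-10s mode=%-10s' "$name" "$(localauth_mode "$dir/$name")"
        for kind in local ipa; do
            if k5login_honoured "$dir/$name" "$kind"; then r=yes; else r=no; fi
            printf ' k5login(%s)=%s' "$kind" "$r"
        done
        echo
    done
    rm -rf "$dir"
}

localauth_demo
```

Run it against the live file with `localauth_mode "$LOCALAUTH_SNIPPET"` and `localauth_pinned "$LOCALAUTH_SNIPPET"` to see which of Sumit's cases a client is in and whether the next SSSD restart will undo the edit.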

Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-07-07 Thread Petr Spacek
On 23.6.2016 15:27, Günther J. Niederwimmer wrote:
> Hello Martin,
> 
> Am Donnerstag, 23. Juni 2016, 15:02:18 CEST schrieb Martin Basti:
>> On 20.06.2016 18:48, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> Am Montag, 20. Juni 2016, 09:54:11 CEST schrieb Petr Spacek:
>>>> On 18.6.2016 15:03, Günther J. Niederwimmer wrote:
>>>>> hello,
>>>>>
>>>>> Am Freitag, 17. Juni 2016, 23:05:32 CEST schrieb Martin Basti:
>>>>>> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Am Freitag, 17. Juni 2016, 14:13:55 CEST schrieb Martin Basti:
>>>>>>>> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
>>>>>>>>> Hello List,
>>>>>>>>>
>>>>>>>>> Am Freitag, 17. Juni 2016, 07:51:45 CEST schrieb Petr Spacek:
>>>>>>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
>>>>>>>>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
>>>>>>>>>>>> Hello
>>>>>>>>>>>>
>>>>>>>>>>>> on my system the ods-exporter i mean have a problem.
>>>>>>>>>>>>
>>>>>>>>>>>> I have this in the logs
>>>>>>>>>>>> CentOS 7.(2) ipa 4.3.1
>>>>>>>>>>>>
>>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise
>>>>>>>>>>>> errors.ACIError(info=info)
>>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
>>>>>>>>>>>> Insufficient
>>>>>>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
>>>>>>>>>>>> failure.
>>>>>>>>>>>> Minor code may provide more information (Ticket expired)
>>>>>>>>>>>>
>>>>>>>>>>>  ^^
>>>>>>>>>>>
>>>>>>>>>>>   Here seems to be a reason why it failed.
>>>>>>>>>>>   But I can't help you more.
>>>>>>>>>>
>>>>>>>>>> Lukas is right. Interesting, this should never happen :-)
>>>>>>>>>
>>>>>>>>> this have I also found ;-)
>>>>>>>>>
>>>>>>>>>> Please enable debugging using procedure
>>>>>>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data and check logs after next ipa-ods-exporter restart.
>>>>>>>>>> Thank you!
>>>>>>>>>
>>>>>>>>> OK,
>>>>>>>>>
>>>>>>>>> I attache the messages log?
>>>>>>>>>
>>>>>>>>> I mean this is a problem with my DNS ?
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>> can you check kerberos status of ipa-ods-exporter service in webUI?
>>>>>>>>
>>>>>>>> identity/services/ipa-ods-exported/
>>>>>>>> There should be kerberos status in right top corner in details view
>>>>>>>
>>>>>>> I have a
>>>>>>> identity/services/ipa-ods-exporter/..
>>>>>>>
>>>>>>> with a "Kerberos Key Present, Service Provisioned"
>>>>>>>
>>>>>>> but no Certificate ?
>>>>>>
>>>>>> Can you try,
>>>>>>
>>>>>> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab
>>>>>> ipa-ods-exporter/$(hostname)
>>>>>
>>>>> OK
>>>>> I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-
>>>>> exporter/$(hostname)"
>>>>>
>>>>> written on one line!! is this OK.
>>>>>
>>>>>> and do ldapsearch
>>>>>> # ldapsearch -Y GSSAPI
>>>>>
>>>>> and also ldapsearch is OK
>>>>>
>>>>>> It should show us if keytab is okay
>>>>>
>>>>> But the Error is present :-(.
>>>>
>>>> We need to see precise error. Please copy it into the e-mail.
>>>
>>> that is it.
>>>
>>> Jun 20 18:44:36 ipa systemd: ipa-ods-exporter.service failed.
>>>
>>>> It would be awesome if you could follow general rules for bug reporting:
>>>> http://www.chiark.greenend.org.uk/~sgtatham/bugs-de.html
>>>>
>>>> Besides other things it would allow us to help you in shorter time.
>>>>
>>>> Have a nice day!
>>
>> This is weird, It looks like your kerberos keytab is valid, but I have
>> no idea why you are getting ticket expired messages. It should just
>> kinit again.
>>
>> Can you please remove this ccache file?
>> /var/opendnssec/tmp/ipa-ods-exporter.ccache
> 
> OK now i make a ipactl stop remove the ccache file and start ipa again.
> 
> to start the ods-exporte I have to wait a long time 1-2 min. ;-)
> 
> I send you the log without debug when you like this with debug tell me. 
> Jun 23 14:57:56 ipa ipa-ods-exporter: Traceback (most recent call last):
> Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-
> exporter", line 656, in 
> Jun 23 14:57:56 ipa ipa-ods-exporter: ldap.gssapi_bind()
> Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/
> ipapython/ipaldap.py", line 1085, in gssapi_bind
> Jun 23 14:57:56 ipa ipa-ods-exporter: '', auth_tokens, server_controls, 
> client_controls)
> Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/
> contextlib.py", line 35, in __exit__
> Jun 23 14:57:56 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
> Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/
> ipapython/ipaldap.py", line 992, in error_handler
> Jun 23 14:57:56 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
> Jun 23 14:57:56 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient 
> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 

Re: [Freeipa-users] dns zone forward - no valid signature found

2016-07-07 Thread Petr Spacek
On 6.7.2016 16:37, lejeczek wrote:
> hi everybody
> 
> I think this was working some time ago, but for while queries IPA's DNS
> forwards wound up like this:
> 
> validating @0x7f85dc00f9a0: swir.my.dom A: no valid signature found
> validating @0x7f85dc00f9a0: swir.my.dom A: bad cache hit (swir.my.dom/DS)
> error (broken trust chain) resolving 'swir.my.dom/A/IN': 192.168.2.100#53
> 
> dig at IPA DNS and nothing, logs:
> 
>   validating @0x7f85e0134880: my.dom SOA: no valid signature found
>   validating @0x7f85e0134880: my.dom NSEC: no valid signature found
>   validating @0x7f85e0134880: swir.my.dom NSEC: no valid signature found
>   validating @0x7f85e0134880: swir.my.dom NSEC: bad cache hit (swir.my.dom/DS)
> 
> I dig +dnssec directly at the receiving server and result seems normal, no
> errors.
> 
> IPA's dns is not dnsseced, is this the root of the problem? Or what else might
> be?

Obfuscated domain names make it impossible to tell where the problem lies.

Try dnsviz.net or similar tool, enter domain name into it and let it diagnose
the domain for you. If DNSviz claims that the domain is correctly signed (or
not) then the problem is likely in forwarder configuration.

All forwarders used in your DNS chain have to be configured with the equivalent of
the named.conf option 'dnssec-enable yes;'.

I hope this helps.

-- 
Petr^2 Spacek



Re: [Freeipa-users] +dnssec in vendor repos - when?

2016-07-07 Thread Petr Spacek
On 6.7.2016 10:35, lejeczek wrote:
> seems like official repos, centos at least lags a bit behind, currently it's
> 4.2.0 - question - does this support fully secure dns ?

Version 4.2.0 is not the best for DNSSEC deployment.

IPA 4.3.1 contains important fixes related to DNSSEC.

Please note that even 4.3.1 contains some bug which may force you to restart
named-pkcs11 from time to time. We did not find the root cause yet.

> if not would devel know when we might be able to feed new/latest stable off
> the official repos?

The exact date is unclear, as usual. Stay tuned :-)

-- 
Petr^2 Spacek



Re: [Freeipa-users] Password sync settings not working

2016-07-07 Thread Martin Kosek
Good! Thanks for confirmation (I suspected PEBKAC, thus my questions).

Martin

On 07/02/2016 10:01 PM, Joshua J. Kugler wrote:
> Thanks. In a case of extreme PEBKAC, I had copied the example and failed to 
> update the DN.  It works now.
> 
> j
> 
> 
> On Monday, June 13, 2016 09:35:53 Martin Kosek wrote:
>> On 06/10/2016 01:59 AM, Joshua J. Kugler wrote:
>>> Howdy!
>>>
>>> We are trying to set up password sync.  I have read this:
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/h
>>> tml-single/Windows_Integration_Guide/index.html#password-sync
>>>
>>> I have added that attribute:
>>> echo -e 'dn: cn=ipa_pwd_extop,cn=plugins,cn=config\nchangetype:
>>> modify\nadd: passSyncManagersDNs\npassSyncManagersDNs:
>>> uid=admin,cn=users,cn=accounts,dc=example,dc=com' | ldapmodify -x -D
>>> 'cn=Directory Manager' -w {{ ipaserver_dir_admin_password }} -h localhost
>>> -p 389
>>>
>>> However, when I reset a password as the 'admin' user, the user's password
>>> is still set to expired.  This is CentOS 7 with the latest FreeIPA there.
>>>
>>> What might I be missing?
>>
>> I would try to double check that the passSyncManagersDNs is indeed filled
>> properly in the plugin configuration. Base ldapsearch will help.
>>
>> Then I would also recommend checking your global password policy "ipa
>> pwpolicy-show" to make sure that you for example do not have the password
>> max life set to 0, which would cause this behavior in current FreeIPA
>> version.
>>
>> Martin
> 
