Re: [Freeipa-users] CA-less install - problem with CA certificates - PLEASE HELP!

2016-07-20 Thread Peter Pakos
I've now set up a test box using exactly the same install command, SSL
certificate etc...

The /etc/ipa/ca.crt contains only 3 certificates, but they are not the CA
certificates that were included in the PKCS12 file:

[root@dupa temp]# for i in {1..3}; do echo cert${i}; openssl x509 -in cert${i} -noout -text | grep -i 'issuer:\|subject:'; done
cert1
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert2
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert3
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2


So out of the box, the certificate "USERTrust RSA Certification
Authority" is listed there twice.

[root@dupa temp]# certutil -L -d /etc/pki/nssdb/

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

AddTrust External CA Root - AddTrust AB  ,,
USERTrust RSA Certification Authority - AddTrust AB  ,,
Gandi Standard SSL CA 2 - The USERTRUST Network  C,,

[root@dupa temp]# certutil -L -d /etc/httpd/alias/

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

GandiWildcardIPA u,u,u
AddTrust External CA Root - AddTrust AB  ,,
USERTrust RSA Certification Authority - AddTrust AB  ,,
Gandi Standard SSL CA 2 - The USERTRUST Network  C,,

[root@dupa temp]# certutil -L -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

GandiWildcardIPA u,u,u
AddTrust External CA Root - AddTrust AB  ,,
USERTrust RSA Certification Authority - AddTrust AB  ,,
Gandi Standard SSL CA 2 - The USERTRUST Network  C,,


Please note, in the databases the certificate "USERTrust RSA
Certification Authority - AddTrust AB" is only listed once.

How do I fix our production installation?

-- 

Kind regards,
 Peter Pakos
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] CA-less install - problem with CA certificates - PLEASE HELP!

2016-07-20 Thread Peter Pakos
Hi,

We moved our CA-less FreeIPA install into production only a few days ago, and
today I've noticed a problem with certificates.

This is a FreeIPA 4.2 installation on CentOS 7.2.

I've installed the first node with the following command:

  ipa-server-install \
    -U \
    -r $REALM \
    -n $DOMAIN \
    -p $PASSWD \
    -a $PASSWD \
    --mkhomedir \
    --setup-dns \
    --no-forwarders \
    --no-dnssec-validation \
    --idstart=1100 \
    --dirsrv-cert-file=${CERT_FILE} \
    --dirsrv-cert-name=${CERT_NAME} \
    --http-cert-file=${CERT_FILE} \
    --http-cert-name=${CERT_NAME} \
    --dirsrv-pin='' \
    --http-pin=''

The ${CERT_FILE} was in PKCS12 format and it included the whole certificate
chain (AddTrustExternalCARoot.pem -> USERTrustRSACA.pem ->
GandiStandardSSLCA2.pem -> star.ipa.wandisco.com.crt):

$ openssl verify -verbose -CAfile <(cat AddTrustExternalCARoot.pem USERTrustRSACA.pem GandiStandardSSLCA2.pem) star.ipa.wandisco.com.crt
star.ipa.wandisco.com.crt: OK

Today I've noticed that the /etc/ipa/ca.crt file is not the same across all
nodes, and I've attempted to fix it by running ipa-certupdate.

Now, instead of 3 CA certificates in /etc/ipa/ca.crt I can see 5
certificates (the last 2 are the same). To investigate this, I've split
ca.crt into 5 separate files, cert1-5:

[root@shdc01 temp]# for i in {1..5}; do echo cert${i}; openssl x509 -in cert${i} -noout -text | grep -i 'issuer:\|subject:'; done
cert1
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
cert2
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert3
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
cert4
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert5
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority

As you can see, cert4 and cert5 are identical yet listed twice, and they are
completely different from cert3 - the one from the certificate chain supplied
by the SSL provider.

As per our previous conversation with Jan Cholasta, cert4/5 must have been
added (by ipa-certupdate?) from certificates available on the server
(ca-certificates package?).

So now we have ended up with "USERTrust RSA Certification Authority -
AddTrust AB" listed twice; one of them is correct (from the chain), the
other one is incorrect:

[root@shdc01 ~]# certutil -L -d /etc/pki/nssdb/

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

AddTrust External CA Root - AddTrust AB  ,,
USERTrust RSA Certification Authority - AddTrust AB  ,,
Gandi Standard SSL CA 2 - The USERTRUST Network  C,,
USERTrust RSA Certification Authority - AddTrust AB  ,,


[root@shdc01 ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

GandiWildcardIPA u,u,u
AddTrust External CA Root - AddTrust AB  ,,
USERTrust RSA Certification Authority - AddTrust AB  ,,
Gandi Standard SSL CA 2 - The USERTRUST Network  C,,
USERTrust RSA Certification Authority - AddTrust AB  ,,


[root@shdc01 ~]# certutil -L -d /etc/pki/nssdb/

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

USERTrust RSA Certification Authority - AddTrust AB  ,,
AddTrust External CA Root - AddTrust AB  ,,
USERTrust RSA Certification Authority - AddTrust AB  ,,
Gandi Standard SSL CA 2 - The USERTRUST Network  C,,


Now, if I try to query FreeIPA's LDAP directory (for example using
ldapsearch), I get the following errors:

TLS: during handshake: peer cert is valid, or was ignored if verification
disabled (-9841)
TLS: during handshake: Peer certificate is not trusted:
kSecTrustResultRecoverableTrustFailure
TLS: can't connect: SSLHandshake() failed: misc. bad certificate (-9825).

We can clearly see that the certificate chain advertised by the server is
not correct, hence the SSL handshake is failing:

$ openssl s_client -connect shdc01.ipa.wandisco.com:636
CONNECTED(0003)
depth=2 /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST
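Peter's investigation above turns on a distinction the certutil nicknames hide: a byte-identical repeat of one certificate versus two different certificates (a cross-signed intermediate and a self-signed root) that happen to share a subject name. As an added example, not from the post or from FreeIPA, the stdlib-only Python script below audits a PEM bundle such as /etc/ipa/ca.crt for both conditions; the five-certificate bundle it feeds itself is constructed, unsigned test data that mirrors the post's cert1-5, not the real CA certificates.

```python
import base64
import hashlib
import re

OID_CN = bytes.fromhex("550403")  # id-at-commonName
OID_O = bytes.fromhex("55040a")   # id-at-organizationName
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload

def der_read(buf, pos=0):
    """Return (tag, payload, next_pos) for the DER TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(payload):
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = der_read(payload, pos)
        out.append((tag, val))
    return out

def name_to_str(name_payload):
    """Render an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    parts = []
    for _, rdn in der_children(name_payload):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            label = {OID_CN: "CN", OID_O: "O"}.get(oid, oid.hex())
            parts.append(f"{label}={value.decode()}")
    return ", ".join(parts)

def parse_cert(der_bytes):
    _, cert, _ = der_read(der_bytes)  # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert)        # tbsCertificate is its first element
    fields = [f for f in der_children(tbs) if f[0] != 0xA0]  # drop optional [0] version
    issuer, subject = fields[2][1], fields[4][1]  # serial, sigalg, issuer, validity, subject
    return {"subject": name_to_str(subject), "issuer": name_to_str(issuer),
            "self_signed": issuer == subject, "sha256": hashlib.sha256(der_bytes).hexdigest()}

def load_bundle(pem_text):
    return [parse_cert(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)]

def audit_bundle(certs):
    """Report byte-identical repeats and subjects backed by more than one distinct cert."""
    seen, by_subject, exact_dups = set(), {}, []
    for c in certs:
        if c["sha256"] in seen:
            exact_dups.append(c["subject"])
        seen.add(c["sha256"])
        by_subject.setdefault(c["subject"], {})[c["sha256"]] = c
    variants = {s: sorted(v.values(), key=lambda c: c["self_signed"])  # cross-signed first
                for s, v in by_subject.items() if len(v) > 1}
    return {"exact_duplicates": exact_dups, "same_subject_variants": variants}

# Constructed, unsigned test certificates mirroring the post's five ca.crt entries
# (structurally valid v3 certs with placeholder keys, not the real CA certificates).
def name(cn, org):
    atv = lambda oid, s: der(0x30, der(0x06, oid) + der(0x13, s.encode()))
    return der(0x30, der(0x31, atv(OID_O, org)) + der(0x31, atv(OID_CN, cn)))

def fake_cert(subject, issuer, serial):
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
           + der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
           + issuer + der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"260101000000Z"))
           + subject + der(0x30, b""))  # empty placeholder for subjectPublicKeyInfo
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

ADDTRUST = name("AddTrust External CA Root", "AddTrust AB")
USERTRUST = name("USERTrust RSA Certification Authority", "The USERTRUST Network")
GANDI = name("Gandi Standard SSL CA 2", "Gandi")
SAMPLE_BUNDLE = "".join(to_pem(c) for c in [
    fake_cert(ADDTRUST, ADDTRUST, 1),    # cert1: self-signed AddTrust root
    fake_cert(USERTRUST, ADDTRUST, 2),   # cert2: USERTrust cross-signed by AddTrust (supplied chain)
    fake_cert(GANDI, USERTRUST, 3),      # cert3: Gandi issuing CA
    fake_cert(USERTRUST, USERTRUST, 4),  # cert4: self-signed USERTrust root (system trust store)
    fake_cert(USERTRUST, USERTRUST, 4),  # cert5: byte-identical copy of cert4
])

if __name__ == "__main__":
    for subj, certs in audit_bundle(load_bundle(SAMPLE_BUNDLE))["same_subject_variants"].items():
        print(subj, [(c["issuer"], c["self_signed"], c["sha256"][:12]) for c in certs])
```

Pointing load_bundle at the text of a real ca.crt works the same way, since only subject, issuer and the SHA-256 of the DER are read; the script does not verify signatures.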

[Freeipa-users] regenerate certificate

2016-07-20 Thread mohammad sereshki
Hi,
I checked my IPA server, which is version ipa-server-3.0.0-25. The command
"ipa-getcert list" shows my certificates will expire in the next 20 days,
and I do not know how to regenerate them. But the command "getcert list" shows the expiring
certificates are related just to "CA:IPA", and the certificate "CA:
dogtag-ipa-renew-agent" has enough time. Would you please help me to know
how to regenerate the CA:IPA certificates?
Best Regards


Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Linov Suresh
I have restarted pki-cad and checked whether communication with the CA is
working, but no luck.

Debug logs in /var/log/pki-ca do not have anything unusual. Can you think
of anything other than this?

[root@caer ~]# ipa cert-show 1
  Certificate:
  Subject: CN=Certificate Authority,O=TELOIP.NET
  Issuer: CN=Certificate Authority,O=TELOIP.NET
  Not Before: Wed Dec 14 22:29:56 2011 UTC
  Not After: Sat Dec 14 22:29:56 2019 UTC
  Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
  Fingerprint (SHA1):
ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
  Serial number (hex): 0x1
  Serial number: 1
[root@caer ~]#


ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true".





On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden wrote:

> Linov Suresh wrote:
>
>> Thanks for your help Rob, I will create a separate thread for IPA
>> replication issue. But we are still getting
>>
>> ca-error: Internal error: no response to
>> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true".
>>
>> Could you please help us to fix this?
>>
>
> I think your CA isn't quite fixed yet. I'd restart pki-cad then do
> something like: ipa cert-show 1
>
> You should get back a cert (doesn't really matter what cert).
>
> Otherwise I'd check the CA debug log somewhere in /var/log/pki
>
> rob
>
>
>>
>> On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden wrote:
>>
>> Glad you got the certificates successfully renewed.
>>
>> Can you open a new e-mail thread on this new problem so we can keep
>> the issues separated?
>>
>> IPA gets little information back when dogtag fails to install. You
>> need to look in /var/log//debug for more information. The
>> exact location depends on the version of IPA.
>>
>> rob
>>
>> Linov Suresh wrote:
>>
>> Great! That worked, and I successfully renewed the
>> certificates on
>> the IPA server and I was trying to create an IPA replica server
>> and got
>> an error,[root@neit-lab ~]# ipa-replica-install
>> --setup-ca --setup-dns --no-forwarders --skip-conncheck
>> /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg Directory
>> Manager
>> (existing master) password: Configuring NTP daemon (ntpd) [1/4]:
>> stopping ntpd [2/4]: writing configuration [3/4]: configuring
>> ntpd to
>> start on boot [4/4]: starting ntpd Done configuring NTP daemon
>> (ntpd).
>> Configuring directory server for the CA (pkids): Estimated time 30
>> seconds [1/3]: creating directory server user [2/3]: creating
>> directory
>> server instance [3/3]: restarting directory server Done
>> configuring
>> directory server for the CA (pkids). Configuring certificate
>> server
>> (pki-cad): Estimated time 3 minutes 30 seconds [1/17]: creating
>> certificate server user [2/17]: creating pki-ca instance [3/17]:
>> configuring certificate server instance ipa : CRITICAL failed to
>> configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent
>> ConfigureCA -cs_hostname neit-lab.teloip.net
>> 
>>  -cs_port 9445 -client_certdb_dir
>> /tmp/tmp-QAXI9A -client_certdb_pwd  -preop_pin
>> UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin
>> -admin_email
>> 

Re: [Freeipa-users] FreeIPA Client Install 403 error

2016-07-20 Thread Rubin Binder
Rob, 

My apologies, I only provided a tail of the log; I should have provided more. I 
can see now there is much more detail in there. 

I followed your lead regarding the HTTP error log from the server and found 
this: 

[Wed Jul 20 14:33:39.410295 2016] [authz_core:error] [pid 27345] [client 
172.16.10.12:49727] AH01630: client denied by server configuration: 
/usr/share/ipa/wsgi.py, referer: https://ldap.mydomain.com/ipa/xml 

So, that is most likely the next track for me to follow. 

Thank you for your assistance to this point, and in case there is interest, here 
is the full client log: 

2016-07-20T18:33:18Z DEBUG /usr/sbin/ipa-client-install was invoked with 
options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 
'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': 
None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': 
True, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 
'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname': None, 
'request_cert': False, 'trust_sshfp': False, 'no_ac': False, 'unattended': 
None, 'all_ip_addresses': False, 'location': None, 'sssd': True, 'ntp_servers': 
None, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': 
True, 'force_join': False, 'firefox_dir': None, 'server': None, 
'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': 
False, 'mkhomedir': False, 'uninstall': False} 
2016-07-20T18:33:18Z DEBUG missing options might be asked for interactively 
later 
2016-07-20T18:33:18Z DEBUG IPA version 4.2.0-15.0.1.el7.centos.17 
2016-07-20T18:33:18Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index' 
2016-07-20T18:33:18Z DEBUG Loading StateFile from 
'/var/lib/ipa-client/sysrestore/sysrestore.state' 
2016-07-20T18:33:18Z DEBUG Starting external process 
2016-07-20T18:33:18Z DEBUG args='/bin/systemctl' 'is-enabled' 'chronyd.service' 
2016-07-20T18:33:18Z DEBUG Process finished, return code=0 
2016-07-20T18:33:18Z DEBUG stdout=enabled 

2016-07-20T18:33:18Z DEBUG stderr= 
2016-07-20T18:33:18Z WARNING Using existing certificate '/etc/ipa/ca.crt'. 
2016-07-20T18:33:18Z DEBUG [IPA Discovery] 
2016-07-20T18:33:18Z DEBUG Starting IPA discovery with domain=None, 
servers=None, hostname=centostest.mydomain.com 
2016-07-20T18:33:18Z DEBUG Start searching for LDAP SRV record in 
"mydomain.com" (domain of the hostname) and its sub-domains 
2016-07-20T18:33:18Z DEBUG Search DNS for SRV record of _ldap._tcp.mydomain.com 
2016-07-20T18:33:18Z DEBUG DNS record not found: NXDOMAIN 
2016-07-20T18:33:18Z DEBUG Search DNS for SRV record of _ldap._tcp.com 
2016-07-20T18:33:18Z DEBUG DNS record not found: NXDOMAIN 
2016-07-20T18:33:18Z DEBUG Start searching for LDAP SRV record in 
"mydomain.com" (search domain from /etc/resolv.conf) and its sub-domains 
2016-07-20T18:33:18Z DEBUG Already searched mydomain.com; skipping 
2016-07-20T18:33:18Z DEBUG No LDAP server found 
2016-07-20T18:33:18Z DEBUG No LDAP server found 
2016-07-20T18:33:18Z INFO DNS discovery failed to determine your DNS domain 
2016-07-20T18:33:20Z DEBUG will use interactively provided domain: mydomain.com 
2016-07-20T18:33:20Z DEBUG [IPA Discovery] 
2016-07-20T18:33:20Z DEBUG Starting IPA discovery with domain=mydomain.com, 
servers=None, hostname=centostest.mydomain.com 
2016-07-20T18:33:20Z DEBUG Search for LDAP SRV record in mydomain.com 
2016-07-20T18:33:20Z DEBUG Search DNS for SRV record of _ldap._tcp.mydomain.com 
2016-07-20T18:33:20Z DEBUG DNS record not found: NXDOMAIN 
2016-07-20T18:33:20Z DEBUG No LDAP server found 
2016-07-20T18:33:20Z DEBUG IPA Server not found 
2016-07-20T18:33:20Z DEBUG DNS discovery failed to find the IPA Server 
2016-07-20T18:33:23Z DEBUG will use interactively provided server: 
ldap.mydomain.com 
2016-07-20T18:33:23Z DEBUG [IPA Discovery] 
2016-07-20T18:33:23Z DEBUG Starting IPA discovery with domain=mydomain.com, 
servers=['ldap.mydomain.com'], hostname=centostest.mydomain.com 
2016-07-20T18:33:23Z DEBUG Server and domain forced 
2016-07-20T18:33:23Z DEBUG [Kerberos realm search] 
2016-07-20T18:33:23Z DEBUG Search DNS for TXT record of _kerberos.mydomain.com 
2016-07-20T18:33:23Z DEBUG DNS record not found: NXDOMAIN 
2016-07-20T18:33:23Z DEBUG Search DNS for SRV record of 
_kerberos._udp.mydomain.com 
2016-07-20T18:33:23Z DEBUG DNS record not found: NXDOMAIN 
2016-07-20T18:33:23Z DEBUG SRV record for KDC not found! Domain: mydomain.com 
2016-07-20T18:33:23Z DEBUG [LDAP server check] 
2016-07-20T18:33:23Z DEBUG Verifying that ldap.mydomain.com (realm None) is an 
IPA server 
2016-07-20T18:33:23Z DEBUG Init LDAP connection to: ldap.mydomain.com 
2016-07-20T18:33:24Z DEBUG Search LDAP server for IPA base DN 
2016-07-20T18:33:24Z DEBUG Check if naming context 'dc=mydomain,dc=com' is for 
IPA 
2016-07-20T18:33:24Z DEBUG Naming context 'dc=mydomain,dc=com' is a valid IPA 
context 
2016-07-20T18:33:24Z DEBUG Search for 

Re: [Freeipa-users] FreeIPA Client Install 403 error

2016-07-20 Thread Rob Crittenden

Rubin Binder wrote:

Justin,

Thank you very much for the prompt response.  The log output is as follows:

2016-07-20T17:02:52Z DEBUG Starting external process
2016-07-20T17:02:52Z DEBUG args='/usr/sbin/ipa-join' '-s'
'ldap.mydomain.com' '-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com'
2016-07-20T17:02:52Z DEBUG Process finished, return code=17
2016-07-20T17:02:52Z DEBUG stdout=
2016-07-20T17:02:52Z DEBUG stderr=HTTP response code is 403, not 200

2016-07-20T17:02:52Z ERROR Joining realm failed: HTTP response code is
403, not 200

2016-07-20T17:02:52Z ERROR Installation failed. Rolling back changes.
2016-07-20T17:02:52Z ERROR IPA client is not configured on this system.


Seeing the entire file is usually more helpful, but in this case you did 
provide a single clue. Return code 17 from ipa-join is an XML-RPC fault. 
This may be the same 403 as reported elsewhere. I'd suggest looking in 
/var/log/httpd/error_log on the master.


rob



Regards,
Rubin


From: "Justin Stephenson"
To: "Rubin Binder", freeipa-users@redhat.com
Sent: Wednesday, July 20, 2016 2:49:16 PM
Subject: Re: [Freeipa-users] FreeIPA Client Install 403 error

Could you please share with us the /var/log/ipaclient-install.log ?

Kind regards,

Justin Stephenson


On 07/20/2016 01:23 PM, Rubin Binder wrote:
> Hello all,
>
> I am testing Free IPA server for use under a test environment, so far
> smooth sailing and have it up and running, no problems.
>
> The problem is occurring during client installation. I have installed
> the ipa-client package on a clean CentOS 7 OS. When I execute
> ipa-client-install... I get the following:
>
>   Client hostname: centostest.mydomain.com
>   Realm: MYDOMAIN.COM
>   DNS Domain: mydomain.com
>   IPA Server: ldap.mydomain.com
>   BaseDN: dc=mydomain,dc=com
>
>   Continue to configure the system with these values? [no]: yes
>   Skipping synchronizing time with NTP server.
>   User authorized to enroll computers: admin
>   Password for ad...@mydomain.com:
>   Successfully retrieved CA cert
>   Subject: CN=Certificate Authority,O=MYDOMAIN.COM
>   Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
>   Valid From: Wed Jul 13 13:12:08 2016 UTC
>   Valid Until: Sun Jul 13 13:12:08 2036 UTC
>
>   Joining realm failed: HTTP response code is 403, not 200
>
>   Installation failed. Rolling back changes.
>   IPA client is not configured on this system.
>
> I can't make sense of why I'd be seeing a 403 error.  I've done my
> share of searching but have not found a similar issue.  Some have reported
> 401 errors in some circumstances, but not 403.
>
> Has anyone seen this before?
>
> Thanks,
> Rubin
>








Re: [Freeipa-users] FreeIPA Client Install 403 error

2016-07-20 Thread Rubin Binder
Justin, 

Thank you very much for the prompt response. The log output is as follows: 

2016-07-20T17:02:52Z DEBUG Starting external process 
2016-07-20T17:02:52Z DEBUG args='/usr/sbin/ipa-join' '-s' 'ldap.mydomain.com' 
'-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com' 
2016-07-20T17:02:52Z DEBUG Process finished, return code=17 
2016-07-20T17:02:52Z DEBUG stdout= 
2016-07-20T17:02:52Z DEBUG stderr=HTTP response code is 403, not 200 

2016-07-20T17:02:52Z ERROR Joining realm failed: HTTP response code is 403, not 
200 

2016-07-20T17:02:52Z ERROR Installation failed. Rolling back changes. 
2016-07-20T17:02:52Z ERROR IPA client is not configured on this system. 

Regards, 
Rubin 

- Original Message -

From: "Justin Stephenson"  
To: "Rubin Binder" , freeipa-users@redhat.com 
Sent: Wednesday, July 20, 2016 2:49:16 PM 
Subject: Re: [Freeipa-users] FreeIPA Client Install 403 error 

Could you please share with us the /var/log/ipaclient-install.log ? 

Kind regards, 

Justin Stephenson 


On 07/20/2016 01:23 PM, Rubin Binder wrote: 
> Hello all, 
> 
> I am testing Free IPA server for use under a test environment, so far smooth 
> sailing and have it up and running, no problems. 
> 
> The problem is occurring during client installation. I have installed the 
> ipa-client package on a clean CentOS 7 OS. When I execute 
> ipa-client-install... I get the following: 
> 
> Client hostname: centostest.mydomain.com 
> Realm: MYDOMAIN.COM 
> DNS Domain: mydomain.com 
> IPA Server: ldap.mydomain.com 
> BaseDN: dc=mydomain,dc=com 
> 
> Continue to configure the system with these values? [no]: yes 
> Skipping synchronizing time with NTP server. 
> User authorized to enroll computers: admin 
> Password for ad...@mydomain.com: 
> Successfully retrieved CA cert 
> Subject: CN=Certificate Authority,O=MYDOMAIN.COM 
> Issuer: CN=Certificate Authority,O=MYDOMAIN.COM 
> Valid From: Wed Jul 13 13:12:08 2016 UTC 
> Valid Until: Sun Jul 13 13:12:08 2036 UTC 
> 
> Joining realm failed: HTTP response code is 403, not 200 
> 
> Installation failed. Rolling back changes. 
> IPA client is not configured on this system. 
> 
> I can't make sense of why I'd be seeing a 403 error. I've done my share of 
> searching but have not found a similar issue. Some have reported 401 errors in 
> some circumstances, but not 403. 
> 
> Has anyone seen this before? 
> 
> Thanks, 
> Rubin 
> 



Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Rob Crittenden

Linov Suresh wrote:

Thanks for your help Rob, I will create a separate thread for IPA
replication issue. But we are still getting

ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true".

Could you please help us to fix this?


I think your CA isn't quite fixed yet. I'd restart pki-cad then do 
something like: ipa cert-show 1


You should get back a cert (doesn't really matter what cert).

Otherwise I'd check the CA debug log somewhere in /var/log/pki

rob




On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden wrote:

Glad you got the certificates successfully renewed.

Can you open a new e-mail thread on this new problem so we can keep
the issues separated?

IPA gets little information back when dogtag fails to install. You
need to look in /var/log//debug for more information. The
exact location depends on the version of IPA.

rob

Linov Suresh wrote:

Great! That worked, and I successfully renewed the
certificates on
the IPA server and I was trying to create an IPA replica server
and got
an error,[root@neit-lab ~]# ipa-replica-install
--setup-ca --setup-dns --no-forwarders --skip-conncheck
/var/lib/ipa/replica-info-neit-lab.teloip.net.gpg Directory Manager
(existing master) password: Configuring NTP daemon (ntpd) [1/4]:
stopping ntpd [2/4]: writing configuration [3/4]: configuring
ntpd to
start on boot [4/4]: starting ntpd Done configuring NTP daemon
(ntpd).
Configuring directory server for the CA (pkids): Estimated time 30
seconds [1/3]: creating directory server user [2/3]: creating
directory
server instance [3/3]: restarting directory server Done configuring
directory server for the CA (pkids). Configuring certificate server
(pki-cad): Estimated time 3 minutes 30 seconds [1/17]: creating
certificate server user [2/17]: creating pki-ca instance [3/17]:
configuring certificate server instance ipa : CRITICAL failed to
configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent
ConfigureCA -cs_hostname neit-lab.teloip.net

 -cs_port 9445 -client_certdb_dir
/tmp/tmp-QAXI9A -client_certdb_pwd  -preop_pin
UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email
root@localhost >-admin_password 
-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET
 
-ldap_host neit-lab.teloip.net 
 -ldap_port
7389 -bind_dn cn=Directory Manager -bind_password  -base_dn
o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm
SHA256withRSA -save_p12 true -backup_pwd  -subsystem_name
pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA
Subsystem,O=TELOIP.NET  
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET

 -ca_ocsp_cert_subject_name CN=OCSP
Subsystem,O=TELOIP.NET  
-ca_server_cert_subject_name
CN=neit-lab.teloip.net 
,O=TELOIP.NET 
 -ca_audit_signing_cert_subject_name CN=CA
Audit,O=TELOIP.NET  
-ca_sign_cert_subject_name
CN=Certificate Authority,O=TELOIP.NET 
 -external
false -clone true -clone_p12_file ca.p12 -clone_p12_password

-sd_hostname caer.teloip.net 
 -sd_admin_port 443
-sd_admin_name admin -sd_admin_password 
-clone_start_tls true
-clone_uri https://caer.teloip.net:443'
returned non-zero exit status 255
Your
system may be partly configured. Run /usr/sbin/ipa-server-install
--uninstall to clean up. Configuration of CA failed [root@neit-lab ~]#

I did a clean up using /usr/sbin/ipa-server-install --uninstall
but it
wasn't helpful. Wondering if you can help us on this,



On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden



[Freeipa-users] IPA Replication failed: Your system may be partly configured. Run ipa-server-install --uninstall to clean up. Configuration of CA failed

2016-07-20 Thread Linov Suresh
I was trying to replicate our IPA server, which is running on CentOS 6.4,
FreeIPA 3.0, and I got an error:

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

I ran /usr/sbin/ipa-server-install --uninstall a couple of times before
installing the replica, but was unsuccessful in creating the replica
server:

[root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
Directory Manager (existing master) password:

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30
seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A
-client_certdb_pwd  -preop_pin UpMxkDYjV90WLL041tDU -domain_name
IPA -admin_user admin -admin_email root@localhost -admin_password 
-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET 
 -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory
Manager -bind_password  -base_dn o=ipaca -db_name ipaca -key_size
2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd
 -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
 -ca_subsystem_cert_subject_name CN=CA Subsystem,O=
TELOIP.NET  -ca_ocsp_cert_subject_name CN=OCSP
Subsystem,O=TELOIP.NET  -ca_server_cert_subject_name CN=
neit-lab.teloip.net,O=TELOIP.NET 
-ca_audit_signing_cert_subject_name
CN=CA Audit,O=TELOIP.NET  -ca_sign_cert_subject_name
CN=Certificate Authority,O=TELOIP.NET  -external false
-clone true -clone_p12_file ca.p12 -clone_p12_password 
-sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin
-sd_admin_password  -clone_start_tls true -clone_uri
https://caer.teloip.net:443 ' returned non-zero
exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
[root@neit-lab ~]#

Could you please help me?

Re: [Freeipa-users] FreeIPA Client Install 403 error

2016-07-20 Thread Justin Stephenson

Could you please share with us the /var/log/ipaclient-install.log ?

Kind regards,

Justin Stephenson


On 07/20/2016 01:23 PM, Rubin Binder wrote:

Hello all,

I am testing Free IPA server for use under a test environment, so far smooth 
sailing and have it up and running, no problems.

The problem is occurring during client installation. I have installed the 
ipa-client package on a clean CentOS 7 OS. When I execute ipa-client-install... 
I get the following:

  Client hostname: centostest.mydomain.com
  Realm: MYDOMAIN.COM
  DNS Domain: mydomain.com
  IPA Server: ldap.mydomain.com
  BaseDN: dc=mydomain,dc=com

  Continue to configure the system with these values? [no]: yes
  Skipping synchronizing time with NTP server.
  User authorized to enroll computers: admin
  Password for ad...@mydomain.com:
  Successfully retrieved CA cert
  Subject: CN=Certificate Authority,O=MYDOMAIN.COM
  Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
  Valid From: Wed Jul 13 13:12:08 2016 UTC
  Valid Until: Sun Jul 13 13:12:08 2036 UTC

  Joining realm failed: HTTP response code is 403, not 200

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

I can't make sense of why I'd be seeing a 403 error.  I've done my share of 
searching but have not found a similar issue.  Some have reported 401 errors in 
some circumstances, but not 403.

Has anyone seen this before?

Thanks,
Rubin





Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Linov Suresh
Thanks for your help Rob, I will create a separate thread for IPA
replication issue. But we are still getting

ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true".

Could you please help us to fix this?


On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden wrote:

> Glad you got the certificates successfully renewed.
>
> Can you open a new e-mail thread on this new problem so we can keep the
> issues separated?
>
> IPA gets little information back when dogtag fails to install. You need to
> look in /var/log//debug for more information. The exact location
> depends on the version of IPA.
>
> rob
>
> Linov Suresh wrote:
>
>> Great! That worked, and I successfully renewed the certificates on
>> the IPA server. Then I was trying to create an IPA replica server and got
>> an error:
>>
>> [root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders
>> --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
>> Directory Manager (existing master) password:
>> Configuring NTP daemon (ntpd)
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>   [1/3]: creating directory server user
>>   [2/3]: creating directory server instance
>>   [3/3]: restarting directory server
>> Done configuring directory server for the CA (pkids).
>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>   [1/17]: creating certificate server user
>>   [2/17]: creating pki-ca instance
>>   [3/17]: configuring certificate server instance
>> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl
>> /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445
>> -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd  -preop_pin
>> UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email
>> root@localhost -admin_password  -agent_name ipa-ca-agent -agent_key_size 2048
>> -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET
>> -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager
>> -bind_password  -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
>> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd  -subsystem_name
>> pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA
>> Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA
>> Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET
>> -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET
>> -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET
>> -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false
>> -clone true -clone_p12_file ca.p12 -clone_p12_password  -sd_hostname
>> caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password
>> -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero
>> exit status 255
>> Your system may be partly configured. Run /usr/sbin/ipa-server-install
>> --uninstall to clean up.
>> Configuration of CA failed
>> [root@neit-lab ~]#
>>
>> I did a clean up using /usr/sbin/ipa-server-install --uninstall but it
>> wasn't helpful. Wondering if you can help us on this,
>>
>>
>>
>> On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden wrote:
>>
>> Linov Suresh wrote:
>>
>> I have followed Redhat official documentation,
>> https://access.redhat.com/solutions/643753 for certificate
>> renewal, which says *add: usercertificate. (step 12)*
>>
>> While on the other hand FreeIPA official documentation
>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to
>> *add: usercertificate;binary*
>>
>> Just wondering if we need to *add* the certificate or *replace* the
>> existing certificate, and which format do we need to use? *pem*
>> or *der*.
>>
>> We already successfully renewed the certificates about months
>> back, but they expired about 6 months back and we were not able to
>> renew till now, and it is affecting our production environment.
>>
>> Please help us.
>>
>>
>> You shouldn't have to mess with these values at 


Re: [Freeipa-users] FreeIPA SSL certificates installed to multiple hosts

2016-07-20 Thread Alexander Bokovoy

On Tue, 19 Jul 2016, Rob Crittenden wrote:

Jeremy Utley wrote:

Hello all!

We're looking at replacing a lot of our currently self-signed internal
SSL certificates in our infrastructure with certificates generated by
the FreeIPA CA.  However, I've run into something that I haven't been
able to find documented as of yet, and I'm hoping some of you can point
me in the right direction.  Some of our internal SSL sites are
load-balanced between multiple hosts, so we end up with the same SSL/Key
installed to each host.  For example:

hostname.domain.com is hosted on hostA and hostB.

Both hostA and hostB have the certs at
/etc/httpd/certs/hostname.domain.com/hostname.crt, and the private key at
/etc/httpd/certs/hostname.domain.com/hostname.key


I would expect I can have both hostA and hostB be able to work with the
FreeIPA certificates by adding additional ipa host-add-managedby and ipa
service-add-host commands, to specify both hostA and hostB.  However,
from my understanding, running the "ipa-getcert request" command on
hostA will put the certs on hostA only, and I'd need the same certs on
both hostA and hostB.  Is there a special ipa-getcert incantation that
can retrieve the already-issued certificate files, and allow them to be
managed by FreeIPA on both hosts?  Or is there another recommended way
of doing this?

Thanks for any info you can give me!



IPA doesn't have any provision for sharing keys between machines. I 
think you'd need to manage it similar to the way you probably do now: 
manually copying files around.


What you can do is setup one machine to "own" the certs and keys and 
do the renewals via certmonger, but beyond that you're on your own.

In FreeIPA 4.4.x we provide (and use for our own needs) Custodia[1] which
can be used to store and retrieve commonly accessed secrets. It would
be interesting to extend certmonger to be able to retrieve certificate
material stored in Custodia. A post-retrieval script could be added to
push the certificate material to Custodia on a master.

[1] https://github.com/latchset/custodia
--
/ Alexander Bokovoy



Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-20 Thread Alexander Bokovoy

On Wed, 20 Jul 2016, Jan Karásek wrote:

Hi,

thank you.

ldapsearch reply:

search: 2
result: 32 No such object
matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt
text: 208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best
match of:
'CN=RpcServices,CN=System,DC=rwe,DC=tt'

actually when I look under CN=RpcServices,CN=System,DC=rwe,DC=tt it is
empty.

Did I miss setting something on the AD side?

Yes. You need to set up IDMU. However, in Windows Server 2016 Microsoft
removed the IDMU tools. The LDAP schema will stay but there will
be no means to visually edit POSIX attributes.

https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/

Thanks,
Jan



From: "Justin Stephenson"
To: "Jan Karásek" 
Cc: freeipa-users@redhat.com
Sent: Wednesday, July 20, 2016 4:09:02 PM
Subject: Re: [Freeipa-users] AD trust with POSIX attributes



These attributes should be available from port 389 and not the global catalog, 
please try a command such as:

ldapsearch -H ldap://  -D "DOMAIN\Administrator" -W -b 
"cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" msSFU30OrderNumber 
msSFU30MaxUidNumber msSFU30MaxGidNumber

Replacing the root suffix in the search base, the ip-address and bind 
credentials.

Kind regards,
Justin Stephenson

On 07/20/2016 08:15 AM, Jan Karásek wrote:



Hi,

thank you for the hint.

In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:

It's working with msSFU30MaxUidNumber and msSFU30OrderNumber.

If I understand it right, it is the base uid number and the number of uids in the range.

If not discovered nor given via CLI, then it generates a random base and adds some
default_range_size.

So these two attributes must be set to use the ipa-ad-trust-posix range?

Could anybody help me with how and where to check these attributes? I have looked
in the ldapsearch dump from my AD (Global catalog) and I can see these attributes
only in the schema, so no values assigned.
I'm using W2012 R2.

Thank you,
Jan



From: "Justin Stephenson" 
To: "Jan Karásek"  , freeipa-users@redhat.com
Sent: Tuesday, July 19, 2016 8:36:00 PM
Subject: Re: [Freeipa-users] AD trust with POSIX attributes

Hello,

When adding the AD trust using 'ipa-ad-trust-posix' range type then IPA will 
search AD for the ID space of existing POSIX attributes to automatically create 
a suitable ID range inside IPA.

You can check the exact steps and attributes searched by looking at the 
add_range function definition in 
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py

I would suggest reviewing the output of 'ipa idrange-find' to confirm that the 
range matches up with the uid and gidNumbers of your AD environment.

Kind regards,
Justin Stephenson

On 07/19/2016 09:44 AM, Jan Karásek wrote:


Hi,

I am still fighting with storing users' POSIX attributes in AD. Can
anybody please provide some simple reference settings of an IPA-AD trust where users are
able to get their uid from AD, not from the IPA ID pool?

I have tried to set the values of the attributes before and after creating the trust, I
have tried different sssd settings, but I'm still getting the uid from the IPA idrange
pool instead of from the AD user's attribute.

What exactly is IPA checking when it tries to decide what type of trust will be
set - ['ipa-ad-trust-posix', 'ipa-ad-trust'] ?

Do I mandatorily have to fill some AD user attributes to get it to work?
Currently I'm testing just with uidNumber and gidNumber.

There is almost no documentation about this topic so I don't know what else I
can try ...

Thanks for help,

Jan



Date: Tue, 21 Jun 2016 21:38:15 +0200
From: Jakub Hrozek 
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD trust with POSIX attributes
Message-ID: <20160621193815.GS29512@hendrix>
Content-Type: text/plain; charset=iso-8859-1

On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:

Hi all,

I have a question about IPA with AD forest trust. What I am trying to do is
set up an environment where all information about users is stored in one place:
AD. I would like to read at least uid, home, shell and sshkey from AD.

I have set up the trust with these parameters:

ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix
--admin=administrator


Did you add the POSIX attributes to AD after creating the trust maybe?



[root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
Range name: EXAMPLE.TT_id_range
First Posix ID of the range: 139200
Number of IDs in the range: 20
Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
Range type: Active Directory trust range with POSIX attributes


I have set attributes in AD for u...@example.tt
- uidNumber -1
- homeDirectory -/home/user
- loginShell - /bin/bash

Trust itself works fine. I can do kinit with u...@example.tt , I can run id and 
getent passwd 

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-20 Thread Jan Karásek
Hi, 

thank you. 

ldapsearch reply: 

search: 2 
result: 32 No such object 
matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt 
text: 208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best 
match of: 
'CN=RpcServices,CN=System,DC=rwe,DC=tt' 

actually when I look under CN=RpcServices,CN=System,DC=rwe,DC=tt it is
empty.

Did I miss setting something on the AD side?

Thanks,
Jan



From: "Justin Stephenson"
To: "Jan Karásek"  
Cc: freeipa-users@redhat.com 
Sent: Wednesday, July 20, 2016 4:09:02 PM 
Subject: Re: [Freeipa-users] AD trust with POSIX attributes 



These attributes should be available from port 389 and not the global catalog, 
please try a command such as: 

ldapsearch -H ldap://  -D "DOMAIN\Administrator" -W -b 
"cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" 
msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber 

Replacing the root suffix in the search base, the ip-address and bind 
credentials. 

Kind regards, 
Justin Stephenson 

On 07/20/2016 08:15 AM, Jan Karásek wrote: 



Hi, 

thank you for the hint. 

In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py: 

It's working with msSFU30MaxUidNumber and msSFU30OrderNumber.

If I understand it right, it is the base uid number and the number of uids in
the range.

If not discovered nor given via CLI, then it generates a random base and adds
some default_range_size.

So these two attributes must be set to use the ipa-ad-trust-posix range?

Could anybody help me with how and where to check these attributes? I have
looked in the ldapsearch dump from my AD (Global catalog) and I can see these
attributes only in the schema, so no values assigned.
I'm using W2012 R2.

Thank you, 
Jan 



From: "Justin Stephenson"  
To: "Jan Karásek"  , freeipa-users@redhat.com 
Sent: Tuesday, July 19, 2016 8:36:00 PM 
Subject: Re: [Freeipa-users] AD trust with POSIX attributes 

Hello, 

When adding the AD trust using 'ipa-ad-trust-posix' range type then IPA will 
search AD for the ID space of existing POSIX attributes to automatically create 
a suitable ID range inside IPA. 

You can check the exact steps and attributes searched by looking at the 
add_range function definition in 
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py 

I would suggest reviewing the output of 'ipa idrange-find' to confirm that the 
range matches up with the uid and gidNumbers of your AD environment. 

Kind regards, 
Justin Stephenson 

On 07/19/2016 09:44 AM, Jan Karásek wrote: 


Hi, 

I am still fighting with storing users' POSIX attributes in AD. Can
anybody please provide some simple reference settings of an IPA-AD trust where users are
able to get their uid from AD, not from the IPA ID pool?

I have tried to set the values of the attributes before and after creating the trust, I
have tried different sssd settings, but I'm still getting the uid from the IPA idrange
pool instead of from the AD user's attribute.

What exactly is IPA checking when it tries to decide what type of trust will be
set - ['ipa-ad-trust-posix', 'ipa-ad-trust'] ?

Do I mandatorily have to fill some AD user attributes to get it to work?
Currently I'm testing just with uidNumber and gidNumber.

There is almost no documentation about this topic so I don't know what else I
can try ...

Thanks for help, 

Jan 



Date: Tue, 21 Jun 2016 21:38:15 +0200 
From: Jakub Hrozek  
To: freeipa-users@redhat.com 
Subject: Re: [Freeipa-users] AD trust with POSIX attributes 
Message-ID: <20160621193815.GS29512@hendrix> 
Content-Type: text/plain; charset=iso-8859-1 

On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
> Hi all, 
> 
> I have a question about IPA with AD forest trust. What I am trying to do is
> set up an environment where all information about users is stored in one place:
> AD. I would like to read at least uid, home, shell and sshkey from AD.
>
> I have set up the trust with these parameters:
>
> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix
> --admin=administrator

Did you add the POSIX attributes to AD after creating the trust maybe? 

> 
> [root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range 
> Range name: EXAMPLE.TT_id_range 
> First Posix ID of the range: 139200 
> Number of IDs in the range: 20 
> Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756 
> Range type: Active Directory trust range with POSIX attributes 
> 
> 
> I have set attributes in AD for u...@example.tt 
> - uidNumber -1 
> - homeDirectory -/home/user 
> - loginShell - /bin/bash 
> 
> Trust itself works fine. I can do kinit with u...@example.tt , I can run id 
> and getent passwd u...@example.tt and I can use u...@example.tt for ssh. 
> 
> Problem is, that I am not getting uid from AD but from idrange: 
> 
> uid=1392001107( u...@example.tt ) 
> 
> Also I have tried to switch off id mapping in sssd.conf with 
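The check Justin and Jakub suggest in this thread, confirming that the IPA ID range actually covers the POSIX IDs stored in AD, as an added Python example (not code from the thread or from FreeIPA). It parses the text layout of `ipa idrange-show` and a plain LDIF dump of AD users; both inputs are constructed here with made-up users, while the attribute names, range name and SID come from the thread.

```python
import re

# Constructed sample: `ipa idrange-show EXAMPLE.TT_id_range` in the layout
# shown in the thread (range name and SID taken from the thread).
IDRANGE_SHOW = """\
  Range name: EXAMPLE.TT_id_range
  First Posix ID of the range: 139200
  Number of IDs in the range: 20
  Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
  Range type: Active Directory trust range with POSIX attributes
"""

# Constructed sample: `ldapsearch -LLL ... sAMAccountName uidNumber gidNumber`
# against AD (port 389, not the Global Catalog) for three made-up users.
AD_USERS_LDIF = """\
dn: CN=user,CN=Users,DC=example,DC=tt
sAMAccountName: user
uidNumber: 1
gidNumber: 1

dn: CN=alice,CN=Users,DC=example,DC=tt
sAMAccountName: alice
uidNumber: 139205
gidNumber: 139201

dn: CN=bob,CN=Users,DC=example,DC=tt
sAMAccountName: bob
uidNumber: 139250
"""

POSIX_RANGE_TYPE = "Active Directory trust range with POSIX attributes"


def parse_idrange(text):
    """Turn `ipa idrange-show` output into a dict with first/last/size/type."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    first = int(fields["First Posix ID of the range"])
    size = int(fields["Number of IDs in the range"])
    return {
        "name": fields["Range name"],
        "type": fields["Range type"],
        "first": first,
        "size": size,
        "last": first + size - 1,  # the range is inclusive on both ends
    }


def parse_ldif_users(text):
    """Return one dict per plain-text LDIF entry; missing POSIX attributes become None."""
    users = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip(), value.strip())
        users.append({
            "name": attrs.get("sAMAccountName", attrs.get("dn", "?")),
            "uidNumber": int(attrs["uidNumber"]) if "uidNumber" in attrs else None,
            "gidNumber": int(attrs["gidNumber"]) if "gidNumber" in attrs else None,
        })
    return users


def check_users_against_range(users, rng):
    """List (user, attribute, value, problem) for IDs the range does not cover.

    With a POSIX range the IDs are taken from AD as they are, so a uidNumber or
    gidNumber that is unset or lies outside [first, last] cannot be resolved
    through this range: either the AD values or the range definition must change.
    """
    problems = []
    if rng["type"] != POSIX_RANGE_TYPE:
        problems.append((rng["name"], "Range type", rng["type"],
                         "not a POSIX range; AD IDs are ignored"))
    for u in users:
        for attr in ("uidNumber", "gidNumber"):
            value = u[attr]
            if value is None:
                problems.append((u["name"], attr, None, "attribute not set in AD"))
            elif not rng["first"] <= value <= rng["last"]:
                problems.append((u["name"], attr, value,
                                 "outside %d-%d" % (rng["first"], rng["last"])))
    return problems


if __name__ == "__main__":
    rng = parse_idrange(IDRANGE_SHOW)
    print("%s covers %d-%d (%s)" % (rng["name"], rng["first"], rng["last"], rng["type"]))
    for name, attr, value, why in check_users_against_range(parse_ldif_users(AD_USERS_LDIF), rng):
        print("  %-6s %-10s %-7s %s" % (name, attr, value, why))
```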

[Freeipa-users] RPM Update fails on some replicas in ipa-server-upgrade

2016-07-20 Thread Patrick Hurrelmann
Hi all,

today I updated all of our IPA servers (CentOS 7.2) with some minor RPM
updates, but one of the replicas failed with:

RemoteRetrieveError: Gettext('Failed to authenticate to CA REST API',
domain='ipa', localedir=None)

Log excerpt (ipaupgrade.log) from this host:
(Also available as https://paste.fedoraproject.org/392759/90042561/)

2016-07-20T08:39:10Z INFO [Migrating certificate profiles to LDAP]
2016-07-20T08:39:10Z DEBUG Created connection context.ldap2_79620048
2016-07-20T08:39:10Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
2016-07-20T08:39:10Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
conn=
2016-07-20T08:39:10Z DEBUG Destroyed connection context.ldap2_79620048
2016-07-20T08:39:10Z DEBUG request GET
https://ipa1.loc1.example.com:8443/ca/rest/account/login
2016-07-20T08:39:10Z DEBUG request body ''
2016-07-20T08:39:10Z DEBUG NSSConnection init ipa1.loc1.example.com
2016-07-20T08:39:11Z DEBUG Connecting: 1.2.3.210:0
2016-07-20T08:39:11Z DEBUG approved_usage = SSL Server intended_usage =
SSL Server
2016-07-20T08:39:11Z DEBUG cert valid True for
"CN=ipa1.loc1.example.com,O=Example Org,OU=CA,L=City,ST=State,C=DE"
2016-07-20T08:39:11Z DEBUG handshake complete, peer = 1.2.3.210:8443
2016-07-20T08:39:11Z DEBUG Protocol: TLS1.2
2016-07-20T08:39:11Z DEBUG Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2016-07-20T08:39:11Z DEBUG response status 401
2016-07-20T08:39:11Z DEBUG response headers {'content-length': '951',
'content-language': 'en', 'expires': 'Thu, 01 Jan 1970 01:00:00 CET',
'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Wed,
20 Jul 2016 08:39:11 GMT', 'content-type': 'text/html;charset=utf-8',
'www-authenticate': 'Basic realm="Certificate Authority"'}
2016-07-20T08:39:11Z DEBUG response body 'Apache
Tomcat/7.0.54 - Error report
HTTP Status 401 - type Status reportmessage
description This request requires HTTP
authentication.Apache
Tomcat/7.0.54'
2016-07-20T08:39:11Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-07-20T08:39:11Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
return_value = self.run()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 48, in run
server.upgrade()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1618, in upgrade
upgrade_configuration()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1548, in upgrade_configuration
ca_enable_ldap_profile_subsystem(ca)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 341, in ca_enable_ldap_profile_subsystem
cainstance.migrate_profiles_to_ldap(caconfig)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1868, in migrate_profiles_to_ldap
_create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1874, in _create_dogtag_profile
with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py",
line 2038, in __enter__
raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to
CA REST API'))

2016-07-20T08:39:11Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Gettext('Failed to authenticate to CA
REST API', domain='ipa', localedir=None)
2016-07-20T08:39:11Z ERROR Unexpected error - see
/var/log/ipaupgrade.log for details:
RemoteRetrieveError: Gettext('Failed to authenticate to CA REST API',
domain='ipa', localedir=None)


And with further help from mbaste on IRC, I found the following error in
ca debug log:
(Also available as https://paste.fedoraproject.org/392897/02195914/)

[20/Jul/2016:10:39:04][profileChangeMonitor]: BasicProfile: done init
[20/Jul/2016:10:39:04][profileChangeMonitor]: Done Profile Creation -
IECUserRoles
[20/Jul/2016:10:39:11][http-bio-8443-exec-4]: PKIRealm.logDebug:
Authenticating certificate chain:
[20/Jul/2016:10:39:11][http-bio-8443-exec-4]:
PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=Example Org, OU
=CA, L=City, ST=State, C=DE
[20/Jul/2016:10:39:11][http-bio-8443-exec-4]: PKIRealm.logDebug:  
CN=IPA RA, O=Example Org, OU=CA, 

Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-20 Thread pgb205
thank you! that was it

  From: Simpson Lachlan 
 To: pgb205 ; Sumit Bose  
Cc: Freeipa-users 
 Sent: Tuesday, July 19, 2016 7:30 PM
 Subject: RE: Re: [Freeipa-users] Unable to ssh after establishing trust
   
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On
Behalf Of pgb205
Sent: Wednesday, 20 July 2016 5:28 AM
To: Sumit Bose
Cc: Freeipa-users
Subject: Re: [Freeipa-users] Unable to ssh after establishing trust

well...I'm not sure what I changed, if anything, but I am able to log in with my
AD credentials. I have restarted ipa server and cleared sss_cache, so maybe
that helped.

A few other things still remain though:

right now I'm logging in as jsmith@ADDOMAIN.LOCAL. I would want it to be either
jsm...@addomain.com or better yet jsmith --without specifying the domain name.

How can this be accomplished?

[Lachlan Simpson] You are looking for the default_domain_suffix setting in the
sssd stanza of /etc/sssd/sssd.conf

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-user-ids.html

Cheers
L.

thanks

From: Sumit Bose
To: pgb205 
Cc: Freeipa-users 
Sent: Tuesday, July 19, 2016 3:33 AM
Subject: Re: [Freeipa-users] Unable to ssh after establishing trust 
On Mon, Jul 18, 2016 at 09:21:07PM +, pgb205 wrote:
> Sumit,
> 
> I have set the names of all the Domain Controllers to be resolvable to the IP
> of the one reachable Domain Controller in /etc/hosts
> 
> /etc/hosts:
> Reachable_IP_BOX  172.10.10.1
> DC1                            172.10.10.1
> DC2                            172.10.10.1
> ...
> ...

The IP address should come first, please see man hosts for details.

> 
> However, I still see the following
> Marking SRV lookup of service 'gc_addomain.local' as 'neutral'
> Marking server dc1.addomain.local' as 'name not resolved'

Have you tried to add the fully-qualified names (dc1.addomain.local) in
the right format (see above) to /etc/hosts?

> 
> 
> Additionally I have configured 
> [domain/ipa.internal]
>      with 
> subdomain_inherit = ldap_user_principal
> ldap_user_principal = nosuchattr
> 
> 
> As far as your earlier note about seeing ewr-fipa-x1 in logs. That used to be
> the old hostname of the IPA KDC.
> After much troubleshooting I believe I got this fixed by deleting  extra
> folders in
> /var/named/dyndb-ldap/ipa/master
> Right now the only two folders are ipa.internal and .in-addr.arpa.
> I think this is what helped with this issue. but can you please confirm if it
> sounds reasonable.

Not sure how you got the additional directories, but if you only have a
single IPA DNS domain the two directories are sufficient.

bye, 
Sumit

> 
> 
> Ssh is still failing, possibly due to the problem 1 above. Is there anything
> else I can do to force ipa to pay attention to the /etc/hosts ?
> Or is this some other issue?
> 
> thanks
> ━━━
> From: Sumit Bose 
> To: pgb205 
> Cc: Sumit Bose ; Freeipa-users 
> Sent: Wednesday, July 13, 2016 5:43 AM
> Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> 
> On Tue, Jul 12, 2016 at 06:40:22PM +, pgb205 wrote:
> > +freeipa-users list
> >
> >      From: pgb205 
> >  To: Sumit Bose 
> >  Sent: Tuesday, July 12, 2016 2:12 PM
> >  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> >  
> > Sumit, thanks for replying
> > So the first issue is my fault, probably from when I was 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Rob Crittenden

Glad you got the certificates successfully renewed.

Can you open a new e-mail thread on this new problem so we can keep the 
issues separated?


IPA gets little information back when dogtag fails to install. You need 
to look in /var/log//debug for more information. The exact 
location depends on the version of IPA.


rob

Linov Suresh wrote:

Great! That worked, and I successfully renewed the certificates on
the IPA server. Then I was trying to create an IPA replica server and got
an error:

[root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders
--skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
Directory Manager (existing master) password:
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl
/usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445
-client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd  -preop_pin
UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email
root@localhost -admin_password  -agent_name ipa-ca-agent -agent_key_size 2048
-agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET
-ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager
-bind_password  -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
-key_algorithm SHA256withRSA -save_p12 true -backup_pwd  -subsystem_name
pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA
Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA
Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET
-ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET
-ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET
-ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false
-clone true -clone_p12_file ca.p12 -clone_p12_password  -sd_hostname
caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password
-clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero
exit status 255
Your system may be partly configured. Run /usr/sbin/ipa-server-install
--uninstall to clean up.
Configuration of CA failed
[root@neit-lab ~]#

I did a clean up using /usr/sbin/ipa-server-install --uninstall but it
wasn't helpful. Wondering if you can help us on this,



On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden wrote:

Linov Suresh wrote:

I have followed Redhat official documentation,
https://access.redhat.com/solutions/643753 for certificate renewal,
which says *add: usercertificate. (step 12)*

While on the other hand FreeIPA official documentation
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to
*add: usercertificate;binary*

Just wondering if we need to *add* the certificate or *replace* the
existing certificate, and which format do we need to use? *pem*
or *der*.

We already successfully renewed the certificates about months
back, but they expired about 6 months back and we were not able to
renew till now, and it is affecting our production environment.

Please help us.


You shouldn't have to mess with these values at all. In 3.0 this is
handled somewhat automatically.

I'd restart the CA, then certmonger and see if the communication
error goes away for the CA subservice certificates (the internal error).

# service pki-cad restart

# service certmonger restart

I find it very strange that the certificates were set to expire
yesterday but it isn't a show-stopper necessarily assuming you can
get the CA back up.

Assuming you can, then go back in time again, this time just a few
days and try renewing the LDAP and Apache server certs again.

rob


On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh

   

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-20 Thread Justin Stephenson
These attributes should be available from port 389 and not the global 
catalog, please try a command such as:


 ldapsearch -H ldap:// -D "DOMAIN\Administrator" -W -b 
"cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" 
msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber



Replacing the root suffix in the search base, the ip-address and bind 
credentials.


Kind regards,
Justin Stephenson

On 07/20/2016 08:15 AM, Jan Karásek wrote:

Hi,

thank you for the hint.

In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:

It's working with msSFU30MaxUidNumber and msSFU30OrderNumber.

If I understand it right, it is the base uid number and the number of uids
in the range.

If not discovered nor given via CLI, then it generates a random base and
adds some default_range_size.

So these two attributes must be set to use the ipa-ad-trust-posix range?

Could anybody help me with how and where to check these attributes? I have
looked in the ldapsearch dump from my AD (Global catalog) and I can see
these attributes only in the schema, so no values assigned.

I'm using W2012 R2.

Thank you,
Jan



From: "Justin Stephenson"
To: "Jan Karásek" , freeipa-users@redhat.com
Sent: Tuesday, July 19, 2016 8:36:00 PM
Subject: Re: [Freeipa-users] AD trust with POSIX attributes

Hello,

When adding the AD trust using the 'ipa-ad-trust-posix' range type, IPA
will search AD for the ID space of existing POSIX attributes to
automatically create a suitable ID range inside IPA.


You can check the exact steps and attributes searched by looking at 
the add_range function definition in 
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py


I would suggest reviewing the output of 'ipa idrange-find' to confirm 
that the range matches up with the uid and gidNumbers of your AD 
environment.


Kind regards,
Justin Stephenson

On 07/19/2016 09:44 AM, Jan Karásek wrote:

Hi,

I am still fighting with storing users' POSIX attributes in AD.
Please can anybody provide some simple reference settings for an
IPA-AD trust where users are able to get their uid from AD - not from
the IPA ID pool?

I have tried to set values of attributes before and after creating the
trust, I have tried different sssd settings but I'm still getting the
uid from the IPA idrange pool instead of from the AD user's attribute.

What exactly is IPA checking when it tries to decide what type of
trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust']?

Do I have to mandatorily fill some AD user attributes to get it to
work? Currently I'm testing just with uidNumber and gidNumber.

There is almost no documentation about this topic so I don't know
what else I can try ...

Thanks for help,

Jan



Date: Tue, 21 Jun 2016 21:38:15 +0200
From: Jakub Hrozek 
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD trust with POSIX attributes
Message-ID: <20160621193815.GS29512@hendrix>
Content-Type: text/plain; charset=iso-8859-1

On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
> Hi all,
>
> I have a question about IPA with AD forest trust. What I am
> trying to do is set up an environment where all information about
> users is stored in one place - AD. I would like to read at least
> uid, home, shell and sshkey from AD.
>
> I have set up the trust with these parameters:
>
> ipa trust-add EXAMPLE.TT --type=ad
> --range-type=ipa-ad-trust-posix --admin=administrator

Did you add the POSIX attributes to AD after creating the trust maybe?

>
> [root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
> Range name: EXAMPLE.TT_id_range
> First Posix ID of the range: 139200
> Number of IDs in the range: 20
> Domain SID of the trusted domain:
> S-1-5-21-4123312533-990676102-3576722756
> Range type: Active Directory trust range with POSIX attributes
>
>
> I have set attributes in AD for u...@example.tt
> - uidNumber -1
> - homeDirectory -/home/user
> - loginShell - /bin/bash
>
> Trust itself works fine. I can do kinit with u...@example.tt, I
> can run id and getent passwd u...@example.tt and I can use
> u...@example.tt for ssh.
>
> Problem is that I am not getting the uid from AD but from the idrange:
>
> uid=1392001107(u...@example.tt)
>
> Also I have tried to switch off id mapping in sssd.conf with
> ldap_id_mapping = true in sssd.conf but no luck.

This has no effect; in the IPA-AD trust scenario, the id mapping
properties are managed on the server.

>
> I know that it is probably better to use ID views for this, but
> in our case we need to set up a centrally managed environment, where
> all user information is externally

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-20 Thread Jan Karásek
Hi, 

thank you for the hint. 

In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py: 

It's working with msSFU30MaxUidNumber and msSFU30OrderNumber. 

If I understand it right, it is the base uid number and the number of uids in
the range.

If not discovered nor given via CLI, then it generates a random base and adds
some default_range_size.

So these two attributes must be set to use an ipa-ad-trust-posix range?

Could anybody help me how and where to check these attributes? I have looked
in the ldapsearch dump from my AD (Global catalog) and I can see these
attributes only in schema - so no values assigned.
I'm using W2012 R2. 

Thank you, 
Jan 



From: "Justin Stephenson"  
To: "Jan Karásek" , freeipa-users@redhat.com 
Sent: Tuesday, July 19, 2016 8:36:00 PM 
Subject: Re: [Freeipa-users] AD trust with POSIX attributes 

Hello, 

When adding the AD trust using the 'ipa-ad-trust-posix' range type, IPA will
search AD for the ID space of existing POSIX attributes to automatically create
a suitable ID range inside IPA.

You can check the exact steps and attributes searched by looking at the 
add_range function definition in 
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py 

I would suggest reviewing the output of 'ipa idrange-find' to confirm that the 
range matches up with the uid and gidNumbers of your AD environment. 

Kind regards, 
Justin Stephenson 

On 07/19/2016 09:44 AM, Jan Karásek wrote: 



Hi, 

I am still fighting with storing users' POSIX attributes in AD. Please can
anybody provide some simple reference settings for an IPA-AD trust where users
are able to get their uid from AD - not from the IPA ID pool?

I have tried to set values of attributes before and after creating the trust, I
have tried different sssd settings but I'm still getting the uid from the IPA
idrange pool instead of from the AD user's attribute.

What exactly is IPA checking when it tries to decide what type of trust will be
set - ['ipa-ad-trust-posix', 'ipa-ad-trust']?

Do I have to mandatorily fill some AD user attributes to get it to work?
Currently I'm testing just with uidNumber and gidNumber.

There is almost no documentation about this topic so I don't know what else I 
can try ... 

Thanks for help, 

Jan 



Date: Tue, 21 Jun 2016 21:38:15 +0200 
From: Jakub Hrozek  
To: freeipa-users@redhat.com 
Subject: Re: [Freeipa-users] AD trust with POSIX attributes 
Message-ID: <20160621193815.GS29512@hendrix> 
Content-Type: text/plain; charset=iso-8859-1 

On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
> Hi all,
>
> I have a question about IPA with AD forest trust. What I am trying to do is
> set up an environment where all information about users is stored in one
> place - AD. I would like to read at least uid, home, shell and sshkey from AD.
>
> I have set up the trust with these parameters:
> 
> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix 
> --admin=administrator 

Did you add the POSIX attributes to AD after creating the trust maybe? 

> 
> [root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range 
> Range name: EXAMPLE.TT_id_range 
> First Posix ID of the range: 139200 
> Number of IDs in the range: 20 
> Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756 
> Range type: Active Directory trust range with POSIX attributes 
> 
> 
> I have set attributes in AD for u...@example.tt 
> - uidNumber -1 
> - homeDirectory -/home/user 
> - loginShell - /bin/bash 
> 
> Trust itself works fine. I can do kinit with u...@example.tt, I can run id
> and getent passwd u...@example.tt and I can use u...@example.tt for ssh.
>
> Problem is that I am not getting the uid from AD but from the idrange:
>
> uid=1392001107( u...@example.tt )
>
> Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping
> = true in sssd.conf but no luck.

This has no effect; in the IPA-AD trust scenario, the id mapping properties
are managed on the server.

>
> I know that it is probably better to use ID views for this, but in our case
> we need to set up a centrally managed environment, where all user information
> is externally inserted into AD from the HR system - including POSIX
> attributes - and we need IPA to read them from AD.

I think idviews are better for overriding POSIX attributes for a 
specific set of hosts, but in your environment, it sounds like you want 
to use the POSIX attributes across the board. 

>
> So my questions are:
>
> Is it possible to read users' POSIX attributes directly from AD - namely
> uid?

Yes

> Which attributes can be stored in AD?

Homedir is a bit special: for backwards compatibility the
subdomains_homedir takes precedence. The others should be read from AD.

I don't have the environment set at the moment, though, so I'm operating
purely from memory.

> Am I doing something wrong?
>
> my sssd.conf:
> [domain/a.example.tt] 
> debug_level = 5 
> cache_credentials 

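To act on the two suggestions in this thread (query the msSFU30 attributes on the ypservers entry with the ldapsearch given above, and confirm that the IPA range "matches up with the uid and gidNumbers" in AD), here is an added example that is not part of the thread and not FreeIPA's own code: it parses saved ldapsearch output and flags every uidNumber/gidNumber that falls outside the range reported by `ipa idrange-show`. The LDIF, the user entries and the base/size values are constructed; only the msSFU30 attribute names and the ypservers DN come from the thread.

```python
import base64, re
# Constructed sample data (not from the thread): the ypservers entry queried by
# the ldapsearch above and two AD users carrying POSIX attributes.
AD_LDIF = """\
dn: cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,
 dc=com
msSFU30OrderNumber: 10000
msSFU30MaxUidNumber: 10012

dn: CN=user,CN=Users,dc=example,dc=com
uidNumber: 1
gidNumber:: MTAw

dn: CN=user2,CN=Users,dc=example,dc=com
uidNumber: 1392001107
gidNumber: 1392001107
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry; unfolds lines, decodes ':: base64'."""
    entries, cur = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line.strip():
            if "dn" in cur:                # drops ldapsearch's trailer block
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):     # ldapsearch comment lines
            attr, _, val = line.partition(":")
            if val.startswith(":"):
                val = base64.b64decode(val[1:].strip()).decode("utf-8")
            cur.setdefault(attr, []).append(val.strip())
    return entries

def sfu30_values(ad_ldif):
    """msSFU30* values on the ypservers entry; {} means none are assigned."""
    for e in parse_ldif(ad_ldif):
        if e["dn"][0].lower().startswith("cn=ypservers,"):
            return {k: v[0] for k, v in e.items() if k.startswith("msSFU30")}
    return {}

def check_posix_ids(ad_ldif, base, size):
    """(dn, attr, value, in_range) per AD uidNumber/gidNumber; base/size from idrange-show."""
    rows = []
    for e in parse_ldif(ad_ldif):
        for attr in ("uidNumber", "gidNumber"):
            if attr in e:
                n = int(e[attr][0])
                rows.append((e["dn"][0], attr, n, base <= n < base + size))
    return rows
```

Feed it the output of the ldapsearch above (extended with `uidNumber gidNumber` under the users container) and the two numbers from `ipa idrange-show`; an empty `sfu30_values` result is the "only in schema, no values assigned" situation, and any `False` row is an ID the posix range does not cover.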
Re: [Freeipa-users] HBAC and AD users

2016-07-20 Thread Lachlan Musicman
Sure - I've got tomorrow off, so it will be Friday morning.

cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 20 July 2016 at 17:14, Jakub Hrozek  wrote:

> On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan Musicman wrote:
> > On 19 July 2016 at 16:40, Jakub Hrozek  wrote:
> >
> > > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote:
> > > > I think the thing that frustrates the most is that id u...@domain.com is
> > > > returning correct data on both but they can't login and I can't even
> > > > show that this is the case because now they can login. Difficult to
> > > > reproduce :/
> > >
> > > Debugging from HBAC should at least tell you why the rules didn't
> > > match...
> > >
> >
> >
> > Sorry, I should have been clear - the issue is exactly the same. HBAC
> > rejected the user because they weren't in the correct groups, but sssd
> > hadn't got the correct number of groups from the AD server, and had missed
> > the group in question.
>
> Do you have the logs from the server and the client? If yes, feel free
> to send them in private mail if they are confidential, I'll try to
> find something in them.
>
> Specifying which groups are missing would help as well.
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04

2016-07-20 Thread Jakub Hrozek
On Wed, Jul 20, 2016 at 09:27:34AM +0530, Visakh MV wrote:
> Hi,
> 
> 
> first case: As per your direction, things are going well even if we are
> facing some issues as well. For example, once logged in to the ipa-client
> machine with an ipa user with certain privileges, while using the terminal
> the "TAB" and "Arrow" keys are not working. Due to the same we cannot use
> the system properly.

I don't think keyboard keys have much to do with IPA. I wonder if the
user has the shell you'd expect set or the correct homedir with your
shell dotfiles?

> 
> second case: if any policy has to be edited for any reason then it
> will not be updated in real time; it could take some time to update the new
> changes. Is there any command to update in real time?

Depends on what you need to update. But it's true that sssd caches a
lot of information. For user and group data, you can call sss_cache.
Please note that invalidating sudo rules with sss_cache was only added
in sssd-1.14.

> 
> third case: what are the sudo rule options?
>
> Only one sudo option you have shared across the doc, "!authenticate", is
> working fine, and it will not take other custom options.
>
> example: I added one sudo option inside a sudo rule like "rootprivilege"
> but it's showing an error on the client machine while checking allowed
> commands.

I'm afraid you need to enable debugging and look a bit into the logs.
We have an upstream sudo troubleshooting guide:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO



Re: [Freeipa-users] HBAC and AD users

2016-07-20 Thread Jakub Hrozek
On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan Musicman wrote:
> On 19 July 2016 at 16:40, Jakub Hrozek  wrote:
> 
> > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote:
> > > I think the thing that frustrates the most is that id u...@domain.com is
> > > returning correct data on both but they can't login and I can't even
> > > show that this is the case because now they can login. Difficult to
> > > reproduce :/
> >
> > Debugging from HBAC should at least tell you why the rules didn't
> > match...
> >
> 
> 
> Sorry, I should have been clear - the issue is exactly the same. HBAC
> rejected the user because they weren't in the correct groups, but sssd
> hadn't got the correct number of groups from the AD server, and had missed
> the group in question.

Do you have the logs from the server and the client? If yes, feel free
to send them in private mail if they are confidential, I'll try to
find something in them.

Specifying which groups are missing would help as well.
