Re: [Freeipa-users] is an IPA Server, but it might be unknown, foreign or previously deleted one

2016-08-05 Thread Rob Crittenden

pgb205 wrote:

so initially the setup was
with ipa-server-03 having replication to ipa-server-02
i have then decommissioned ipa-server-03 and set up a new one with the
same name.
right now replication is between ipa-server-03 and ipa-server-01 but i
would want to add another
replication agreement 02 and 03 same as before but am getting the error
message.


Details, need details. What does decommissioned mean? What commands did 
you run?


How were the current agreements created? ipa-replica-manage, 
automatically when one was created as a replica of another?



All systems are centos 7 so I'd expect freeipa to be the latest version.


Latest doesn't mean anything, especially if someone finds this thread in 
the future.


rpm -q ipa-server

rob





*From:* Rob Crittenden 
*To:* Martin Basti ; pgb205 ;
Freeipa-users 
*Sent:* Friday, August 5, 2016 9:28 AM
*Subject:* Re: [Freeipa-users]  is an IPA Server, but it might
be unknown, foreign or previously deleted one

Martin Basti wrote:

 >
 >
 > On 05.08.2016 05:24, pgb205 wrote:
 >> my previous setup was
 >> srv2->replica
 >> srv1->srv2
 >>
 >> I have removed replica and set it up with the one with identical
hostname.
 >> Now  I have replication from srv1->replica
 >> and am trying to create another agreement from srv2=>replica
 >> but i am getting the error message above. My guess is that old
 >> hostname is there somewhere
 >> but ipa-replica-manage del command does not produce any results.
 >>
 >>
 >
 > Hello,
 >
 > I don't see the error message you are referring to


This is an IPA 3.0 error message from ticket
https://fedorahosted.org/freeipa/ticket/3105

What do you mean you removed it and set up an identical one? Did you do
this with ipa-replica-install?

ipa-replica-manage is looking up the masters and it doesn't consider
replica a master which is why it is throwing this error. I'd
double-check that replication is working properly.

On each master run: ipa-replica-manage list -v `hostname`

And really, ipa-replica-manage list should show a list of all known masters.
rob





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] is an IPA Server, but it might be unknown, foreign or previously deleted one

2016-08-05 Thread pgb205
so initially the setup was
with ipa-server-03 having replication to ipa-server-02
i have then decommissioned ipa-server-03 and set up a new one with
the same name.
right now replication is between ipa-server-03 and ipa-server-01
but i would want to add another replication agreement 02 and 03 same as before
but am getting the error message.
All systems are centos 7 so I'd expect freeipa to be the latest version.

From: Rob Crittenden
To: Martin Basti ; pgb205 ; Freeipa-users
Sent: Friday, August 5, 2016 9:28 AM
Subject: Re: [Freeipa-users]  is an IPA Server, but it might be
unknown, foreign or previously deleted one

Martin Basti wrote:
>
>
> On 05.08.2016 05:24, pgb205 wrote:
>> my previous setup was
>> srv2->replica
>> srv1->srv2
>>
>> I have removed replica and set it up with the one with identical hostname.
>> Now  I have replication from srv1->replica
>> and am trying to create another agreement from srv2=>replica
>> but i am getting the error message above. My guess is that old
>> hostname is there somewhere
>> but ipa-replica-manage del command does not produce any results.
>>
>>
>
> Hello,
>
> I don't see the error message you are referring to

This is an IPA 3.0 error message from ticket 
https://fedorahosted.org/freeipa/ticket/3105

What do you mean you removed it and set up an identical one? Did you do 
this with ipa-replica-install?

ipa-replica-manage is looking up the masters and it doesn't consider 
replica a master which is why it is throwing this error. I'd 
double-check that replication is working properly.

On each master run: ipa-replica-manage list -v `hostname`

And really, ipa-replica-manage list should show a list of all known masters.
rob



[Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-05 Thread Linov Suresh
We have FreeIPA 3.0.0 running on CentOS 6.4, with master ipa01 (configured
with the --setup-ca option) and replica ipa02 (configured without the
--setup-ca option).

We use a script to add ipa clients to the server. When we tried to add new ipa
clients, we got this error:

*ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (KDC
returned error string: NOT_ALLOWED_TO_DELEGATE)*

What we have noticed is that memberPrincipal: HTTP/ipa02.teloip@teloip.net
is missing on both the master and the replica server.

IPA Master,

[root@ipa01 ~]# ldapsearch -x -b
cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
# extended LDIF
#
# LDAPv3
# base 
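The poster's ldapsearch above is cut off, but the check it was heading for can be scripted: unfold the LDIF and confirm that the ipa-http-delegation entry carries an HTTP/host@REALM memberPrincipal for every master, since a master whose HTTP principal is absent from that entry is the one that gets NOT_ALLOWED_TO_DELEGATE. The script below is an added example, not something from the thread or from the FreeIPA project; the LDIF, hostnames, and realm in it are constructed (example.test), and it assumes the attribute and container names shown in the poster's search base.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every IPA master has its
# HTTP/<fqdn>@REALM principal listed as memberPrincipal of the S4U2Proxy
# delegation entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,<suffix>.
# The realm, master list and LDIF below are constructed sample data.

REALM='EXAMPLE.TEST'
MASTERS='ipa01.example.test
ipa02.example.test'

# Constructed stand-in for the output of:
#   ldapsearch -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
# LDIF folds long values onto a following line that starts with one space;
# the split inside the memberPrincipal value is deliberate, to exercise unfolding.
DELEGATION_LDIF='# extended LDIF
#
# LDAPv3
# base <cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test> with scope subtree
#
# ipa-http-delegation, s4u2proxy, etc, example.test
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa01.example.test@EXAMPLE.TE
 ST
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=test
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=test

# search result
search: 2
result: 0 Success'

# unfold_ldif: join LDIF continuation lines (a line beginning with a single
# space continues the previous attribute value). Reads stdin, writes stdout.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { print buf }
    '
}

# missing_http_delegation LDIF MASTERS REALM
# Prints, one per line, each master whose HTTP/<fqdn>@REALM principal is not
# a memberPrincipal of the delegation entry. Prints nothing when all are present.
missing_http_delegation() {
    ldif=$1; masters=$2; realm=$3
    principals=$(printf '%s\n' "$ldif" | unfold_ldif \
        | awk -F': ' '$1 == "memberPrincipal" { print $2 }')
    printf '%s\n' "$masters" | while IFS= read -r host; do
        [ -n "$host" ] || continue
        case "$principals" in
            *"HTTP/$host@$realm"*) ;;                 # principal present
            *) printf '%s\n' "$host" ;;               # principal missing
        esac
    done
}

# Example run on the constructed data: reports ipa02.example.test as missing.
missing_http_delegation "$DELEGATION_LDIF" "$MASTERS" "$REALM"
```

On a live deployment, replace the constructed LDIF with the real ldapsearch output (bound as a DN allowed to read that entry) and the master list with the output of ipa-replica-manage list; any host this prints is a master whose web framework cannot delegate the user's ticket to LDAP.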

Re: [Freeipa-users] Querying the dir srv

2016-08-05 Thread Petr Vobornik
On 08/04/2016 06:43 PM, Sean Hogan wrote:
> Thanks Ben.. appreciated.. will give it a go. Do you guys recommend any
> specific ldap viewer to view the internals? I was looking at apache dir
> studio I think it was... but needs java and I don't want to add java
> to a server that does not have it increasing the mitigation/vulnerability
> factor of the box.
> 
> I ran ipa host-find --all
> and noticed this setting in the list
> Keytab: True
> 
> I am thinking Keytab entry = enroll true

That is correct. Enrolled == true in the Web UI means has_keytab in the CLI,
which means that the host object has the krbprincipalkey LDAP attribute set.


> 
> Sean Hogan
> 
> 
> 
> 
> 
> From: Ben Lipton 
> To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users 
> Date: 08/04/2016 09:08 AM
> Subject: Re: [Freeipa-users] Querying the dir srv
> 
> 
> 
> 
> 
> On 08/04/2016 11:31 AM, Sean Hogan wrote:
>  >
>  > Hi All,
>  >
>  > Where can I find information about the IPA schema as in what = what in
>  > the dir srv? I do not have a ldap viewer.
>  > I am looking to pull specific info from it such as a list of servers
>  > that have enrolled = true and have been playing with ldapsearch to no
>  > avail.
>  >
> 
> You could try something like 'ipa -show --all ' to
> see the dn of the associated LDAP object for a particular IPA entity.
> This would give you a sense of what tree to ldapsearch. You could try
> adding the --raw flag as well to see the LDAP attributes of the object.
> 
> # ipa user-show --all admin
>dn: uid=admin,cn=users,cn=accounts,dc=example,dc=domain
> [...]
> # ldapsearch -xLLL -D cn='Directory manager' -w 
> -b 'cn=users,cn=accounts,dc=example,dc=domain' '(objectClass=*)' '*' |
> perl -p0e 's/\n //g' | less
> 
> You can also take a look at
> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/constants.py#n78
> for a list of LDAP entities that act as containers for IPA objects
> (subtrees to search under).
> 
> Someone else may have some better ideas, but maybe this can get you started.
> 
> Ben
> 
> 
> 
> 
> 
> 


-- 
Petr Vobornik

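Sean's original question was how to get the list of hosts with enrolled = true, and Petr's answer is that this is the Keytab: True line in ipa host-find --all output. The script below is an added example, not from the thread or from the FreeIPA project: it parses that text output and prints the enrolled hosts. The host-find output it runs on is constructed sample data (example.test hostnames), not a real capture, and the field labels it matches ("Host name:", "Keytab:") are the ones shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): extract enrolled hosts from the
# output of "ipa host-find --all". A host is enrolled when its record shows
# "Keytab: True" (has_keytab in the CLI, Enrolled in the Web UI).
# The sample below is constructed, not captured from a real server.

HOST_FIND_OUTPUT='---------------
3 hosts matched
---------------
  Host name: ipa01.example.test
  Principal name: host/ipa01.example.test@EXAMPLE.TEST
  Password: False
  Keytab: True
  Managed by: ipa01.example.test

  Host name: client1.example.test
  Principal name: host/client1.example.test@EXAMPLE.TEST
  Password: False
  Keytab: True
  Managed by: client1.example.test

  Host name: staged.example.test
  Principal name: host/staged.example.test@EXAMPLE.TEST
  Password: True
  Keytab: False
  Managed by: staged.example.test
----------------------------
Number of entries returned 3
----------------------------'

# hosts_with_keytab STATE  (STATE is True or False)
# Reads host-find output on stdin; prints one host name per line whose
# record contains "Keytab: STATE". Records are the indented blocks, each
# starting with a "Host name:" line, so we remember the last host name seen.
hosts_with_keytab() {
    awk -v state="$1" '
        /^  Host name: / { host = substr($0, length("  Host name: ") + 1) }
        $0 == "  Keytab: " state { print host }
    '
}

# enrolled_hosts: the "enrolled = true" list Sean asked for.
enrolled_hosts() {
    hosts_with_keytab True
}

# unenrolled_hosts: hosts that exist in IPA but have never fetched a keytab
# (for example a host added with a one-time password that was never used).
unenrolled_hosts() {
    hosts_with_keytab False
}

# On a real server: ipa host-find --all | enrolled_hosts
printf '%s\n' "$HOST_FIND_OUTPUT" | enrolled_hosts
```

The same question can be answered directly against the directory, as Ben and Petr describe: search the hosts container for entries that carry the krbprincipalkey attribute. Do that bound as Directory Manager or another DN permitted to read that attribute, since key material is not exposed to ordinary binds; the text parser above needs only a normal admin ticket and is what most people will reach for first.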


Re: [Freeipa-users] is an IPA Server, but it might be unknown, foreign or previously deleted one

2016-08-05 Thread Rob Crittenden

Martin Basti wrote:



On 05.08.2016 05:24, pgb205 wrote:

my previous setup was
srv2->replica
srv1->srv2

I have removed replica and set it up with the one with identical hostname.
Now  I have replication from srv1->replica
and am trying to create another agreement from srv2=>replica
but i am getting the error message above. My guess is that old
hostname is there somewhere
but ipa-replica-manage del command does not produce any results.




Hello,

I don't see the error message you are referring to


This is an IPA 3.0 error message from ticket 
https://fedorahosted.org/freeipa/ticket/3105


What do you mean you removed it and set up an identical one? Did you do 
this with ipa-replica-install?


ipa-replica-manage is looking up the masters and it doesn't consider 
replica a master which is why it is throwing this error. I'd 
double-check that replication is working properly.


On each master run: ipa-replica-manage list -v `hostname`

And really, ipa-replica-manage list should show a list of all known masters.
rob

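Rob's advice in this thread (and in his reply above that quotes it) is to compare ipa-replica-manage list, which shows every known master, with ipa-replica-manage list -v `hostname` on each master, which shows that master's agreements. The script below is an added example, not from the thread or from the FreeIPA project: it automates the comparison by flagging any agreement whose peer is not a known master, which is exactly the "unknown, foreign or previously deleted" condition in the subject line. Both command outputs it consumes are constructed sample data (example.test hostnames), and the output format it parses is the "host: master" / "host: replica" line style with indented status lines.

```shell
#!/bin/sh
# Added example (not from the thread): find replication agreements whose peer
# is not listed as a master, i.e. an unknown, foreign or previously deleted
# replica still referenced from cn=mapping tree. Inputs are constructed.

# Constructed stand-in for: ipa-replica-manage list
MASTERS_OUTPUT='ipa-server-01.example.test: master
ipa-server-02.example.test: master
ipa-server-03.example.test: master'

# Constructed stand-in for: ipa-replica-manage list -v ipa-server-02.example.test
# The second agreement points at a host that is no longer a master.
AGREEMENTS_OUTPUT='ipa-server-01.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-08-05 13:00:00+00:00
old-replica.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) - LDAP error: connection refused
  last update ended: 1970-01-01 00:00:00+00:00'

# stale_agreements MASTERS AGREEMENTS
# Prints one peer hostname per line for every agreement whose peer is not a
# known master. Exit status is 1 when at least one was found, 0 otherwise,
# so the function can drive a monitoring check directly.
stale_agreements() {
    masters=$1
    agreements=$2
    printf '%s\n' "$agreements" | awk -v masters="$masters" '
        BEGIN {
            # Build the set of known masters from "host: master" lines.
            n = split(masters, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ": ")
                if (f[2] == "master") known[f[1]] = 1
            }
        }
        # Agreement peers are the unindented "host: replica" lines;
        # the indented lines are that agreement'"'"'s status details.
        /^[^ ]/ {
            split($0, f, ": ")
            if (!(f[1] in known)) { print f[1]; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# Example run on the constructed data: prints old-replica.example.test.
stale_agreements "$MASTERS_OUTPUT" "$AGREEMENTS_OUTPUT" || echo "stale agreement(s) found"
```

On a real topology, feed it the live outputs, for instance stale_agreements "$(ipa-replica-manage list)" "$(ipa-replica-manage list -v "$(hostname)")", once on every master, since an agreement can be stale on one side only. A non-empty result is the entry that ipa-replica-manage del is expected to clean up, and the one to look at when the "might be unknown, foreign or previously deleted" error appears.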


Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-05 Thread Martin Kosek
Are you now asking about when the upstream version is FIPS compliant, or some
downstream distribution? If you are asking about RHEL, as indicated by
https://bugzilla.redhat.com/show_bug.cgi?id=1125174
the bug is still in a NEW state. Given the state of the RHEL-7.3 life cycle, it is
too late to add it there.

However, as Rob mentioned, it would really be great if you filed a support case (if
we are talking about RHEL) and got it linked to that bug. Due to the interest,
it is already high in the RHEL-7.4 considerations, but adding a +1 won't hurt and
you may also receive updates on development status.

Martin

On 08/04/2016 06:40 PM, Michael Sean Conley wrote:
> Is there any indication of a timeframe for it to become FIPS compliant?  If we
> are talking weeks, rather than years...
> 
> *Michael Sean Conley*
> 
> 
> 
> From: Rob Crittenden 
> To: Michael Sean Conley ,
> freeipa-users@redhat.com
> Date: 08/04/2016 11:37 AM
> Subject: Re: [Freeipa-users] IPA and FIPS 140-2
> 
> ---
> 
> 
> 
> Michael Sean Conley wrote:
>> Does ANYONE have any experience getting IPA to work with FIPS?
>>
>> We're trying desperately to get this going, as we have some requirements
>> that the Identity Management Tool we choose must be FIPS 140-2 compliant.
> 
> No, it doesn't work in FIPS mode yet. If you open a support case with
> Red Hat your case can be added to
> https://bugzilla.redhat.com/show_bug.cgi?id=1125174
> 
> While most, if not all, of the individual components can run in FIPS
> mode there are a lot of moving parts to coordinate to ensure they comply
> with the FIPS Security Policy and to handle some corner cases in the
> management framework.
> 
> rob
> 
> 
> 



Re: [Freeipa-users] Querying the dir srv

2016-08-05 Thread Martin Basti



On 04.08.2016 18:43, Sean Hogan wrote:


Thanks Ben.. appreciated.. will give it a go. Do you guys recommend 
any specific ldap viewer to view the internals? I was looking at 
apache dir studio I think it was... but needs java and I don't want to 
add java
to a server that does not have it increasing the 
mitigation/vulnerability factor of the box.


I ran ipa host-find --all
and noticed this setting in the list
Keytab: True

I am thinking Keytab entry = enroll true

Sean Hogan




You can also use the --raw option together with --all to see raw LDAP values.

I use apache directory studio and ldapsearch

Martin






From: Ben Lipton 
To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users 
Date: 08/04/2016 09:08 AM
Subject: Re: [Freeipa-users] Querying the dir srv





On 08/04/2016 11:31 AM, Sean Hogan wrote:
>
> Hi All,
>
> Where can I find information about the IPA schema as in what = what in
> the dir srv? I do not have a ldap viewer.
> I am looking to pull specific info from it such as a list of servers
> that have enrolled = true and have been playing with ldapsearch to no
> avail.
>

You could try something like 'ipa -show --all ' to
see the dn of the associated LDAP object for a particular IPA entity.
This would give you a sense of what tree to ldapsearch. You could try
adding the --raw flag as well to see the LDAP attributes of the object.

# ipa user-show --all admin
  dn: uid=admin,cn=users,cn=accounts,dc=example,dc=domain
[...]
# ldapsearch -xLLL -D cn='Directory manager' -w 
-b 'cn=users,cn=accounts,dc=example,dc=domain' '(objectClass=*)' '*' |
perl -p0e 's/\n //g' | less

You can also take a look at
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/constants.py#n78
for a list of LDAP entities that act as containers for IPA objects
(subtrees to search under).

Someone else may have some better ideas, but maybe this can get you 
started.


Ben









Re: [Freeipa-users] is an IPA Server, but it might be unknown, foreign or previously deleted one

2016-08-05 Thread Martin Basti



On 05.08.2016 05:24, pgb205 wrote:

my previous setup was
srv2->replica
srv1->srv2

I have removed replica and set it up with the one with identical hostname.
Now  I have replication from srv1->replica
and am trying to create another agreement from srv2=>replica
but i am getting the error message above. My guess is that old 
hostname is there somewhere

but ipa-replica-manage del command does not produce any results.




Hello,

I don't see the error message you are referring to

Martin