Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

[Georgios Kafataridis]

 These are fresh logs from a last attempt to create a replica

Centos 7

/var/log/pki/pki-tomcat/ca/debug


[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: === Token Panel ===
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: === Security Domain Panel ===
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Joining existing security
domain
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Resolving security domain
URLhttps://ipa-server.nelios:443
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Getting security domain cert
chain
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Getting install token
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Getting install token
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Getting old cookie
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Token: null
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Install token is null
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Failed to obtain installation
token from security domain


Centos 6

/var/log/pki-ca/debug

[09/Sep/2016:22:59:42][TP-Processor3]: GetCookie before auth, url =
https://ipa2-server2.nelios:443/ca/admin/console/config/wizard?p=5=CA
[09/Sep/2016:22:59:42][TP-Processor3]: IP: 192.168.4.175
[09/Sep/2016:22:59:42][TP-Processor3]: AuthMgrName: passwdUserDBAuthMgr
[09/Sep/2016:22:59:42][TP-Processor3]: CMSServlet: no client certificate
found
[09/Sep/2016:22:59:42][TP-Processor3]: Authentication: UID=admin
[09/Sep/2016:22:59:42][TP-Processor3]: In LdapBoundConnFactory::getConn()
[09/Sep/2016:22:59:42][TP-Processor3]: masterConn is connected: true
[09/Sep/2016:22:59:42][TP-Processor3]: getConn: conn is connected true
[09/Sep/2016:22:59:42][TP-Processor3]: getConn: mNumConns now 2
[09/Sep/2016:22:59:42][TP-Processor3]: LdapAnonConnFactory::getConn
[09/Sep/2016:22:59:42][TP-Processor3]: LdapAnonConnFactory.getConn(): num
avail conns now 2
[09/Sep/2016:22:59:42][TP-Processor3]: returnConn: mNumConns now 3
[09/Sep/2016:22:59:42][TP-Processor3]: returnConn: mNumConns now 2
[09/Sep/2016:22:59:42][TP-Processor3]: SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=$Unidentified$]
authentication failure

[09/Sep/2016:22:59:42][TP-Processor3]: GetCookie authentication failed
[09/Sep/2016:22:59:42][TP-Processor3]:
mErrorFormPath=/admin/ca/securitydomainlogin.template
[09/Sep/2016:22:59:42][TP-Processor3]: CMSServlet: curDate=Fri Sep 09
22:59:42 EEST 2016 id=caGetCookie time=39

/var/log/httpd/access_log

192.168.4.175 - - [09/Sep/2016:22:59:21 +0300] "GET
/ca/rest/securityDomain/domainInfo HTTP/1.1" 404 315
192.168.4.175 - - [09/Sep/2016:22:59:22 +0300] "GET
/ca/admin/ca/getDomainXML HTTP/1.1" 200 1148
192.168.4.175 - - [09/Sep/2016:22:59:22 +0300] "GET /ca/rest/account/login
HTTP/1.1" 404 303
192.168.4.175 - - [09/Sep/2016:22:59:41 +0300] "POST
/ca/admin/ca/getCertChain HTTP/1.0" 200 1398
192.168.4.175 - - [09/Sep/2016:22:59:42 +0300] "GET /ca/rest/account/login
HTTP/1.1" 404 303
192.168.4.175 - - [09/Sep/2016:22:59:42 +0300] "POST /ca/admin/ca/getCookie
HTTP/1.1" 200 5170

/var/log/httpd/error_log

[Fri Sep 09 22:59:22 2016] [error] [client 192.168.4.175] File does not
exist: /var/www/html/ca
[Fri Sep 09 22:59:22 2016] [error] [client 192.168.4.175] File does not
exist: /var/www/html/ca
[Fri Sep 09 22:59:42 2016] [error] [client 192.168.4.175] File does not
exist: /var/www/html/ca


/var/log/pki-ca/system

5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [6] [6] Failed to
authenticate as admin UID=admin. Error: netscape.ldap.LDAPException: error
result (49)
5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [3] [3] Servlet
caGetCookie: Error getting servlet output stream when rendering  template.
Error Invalid Credential..

/var/log/pki-ca/catalina.out

Sep 08, 2016 4:17:34 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory ROOT
Sep 08, 2016 4:17:34 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9180
Sep 08, 2016 4:17:34 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9443
Sep 08, 2016 4:17:35 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9445
Sep 08, 2016 4:17:35 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9444
Sep 08, 2016 4:17:35 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9446
Sep 08, 2016 4:17:35 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:9447
Sep 08, 2016 4:17:35 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/123  config=null
Sep 08, 2016 4:17:35 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 8550 ms

Catalina seems to not have logged anything from yesterday.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on 

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

[Georgios Kafataridis]

I've tried that but still the same result.

[root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
localhost -b "uid=admin,ou=people,o=ipaca"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] automated ftp service only accounts and passwords

[Larry Rosen]

Why does it (secure log) say:
Sep  9 12:04:57 lamp-stor-01 sshd[27950]: pam_sss(sshd:auth): received 
for user xfseuftp: 13 (User account has expired)

User info:

[sysadmin@redmine ~]$ ipa pwpolicy-show service_accts
  Group: service_accts
  Max lifetime (days): 2
  Min lifetime (hours): 0
  History size: 0
  Character classes: 2
  Min length: 8
  Priority: 5
  Max failures: 0
  Failure reset interval: 0
  Lockout duration: 0

[sysadmin@redmine ~]$ date
Fri Sep  9 11:35:31 EDT 2016
[sysadmin@redmine ~]$ ipa user-show xfseuftp
  User login: xfseuftp
  First name: xfs
  Last name: eur
  Home directory: /export/xfseur
  Login shell: /bin/bash
  Email address: xfseuftp@ipajdr.local
  UID: 100618
  GID: 1333200036
  Account disabled: False
  Password: True
  Member of groups: service_accts, xfseuftp, uat_info_old, ipausers, info
  Member of HBAC rule: access_lamp_stor_01_server
  Kerberos keys available: True

[sysadmin@redmine ~]$ ipa hbactest --user=xfseuftp 
--host=lamp-stor-01.ipajdr.local --service sshd

Access granted: True

  Matched rules: access_lamp_stor_01_server 
<--- this is the sftp server attempting to access
  Not matched rules: access_all_servers
  Not matched rules: access_il09_app_mufg_server
  Not matched rules: access_ipa_servers
  Not matched rules: access_lampuat_server
  Not matched rules: access_ssh_gate_01_server
  Not matched rules: access_uat_xfs_il10_server
  Not matched rules: access_xfs_il10_server
  Not matched rules: dsiroot_access
  Not matched rules: il10web_access_xfs_il10_server
  Not matched rules: xfsroot_access
ssh/sftp setup:

Match User xfseuftp
# Force the connection to use the built-in SFTP support.
ForceCommand internal-sftp -u 6
# Chroot the connection into the specified directory.
ChrootDirectory /export/xfseur
# Disable authentication agent forwarding.
AllowAgentForwarding no
# Disable TCP connection forwarding.
AllowTcpForwarding no
# Disable X11 remote desktop forwarding.
X11Forwarding no

When I attempt to change the account's password (I am sure it's the password I 
set).  I've even tried deleting & re-creating the ID from scratch:

[sysadmin@redmine ~]$ ipa passwd xfseuftp
New Password: 
Enter New Password again to verify: 

Changed password for "xfseuftp@IPAJDR.LOCAL"


[sysadmin@redmine ~]$ ssh xfseuftp@10.120.97.149
xfseuftp@10.120.97.149's password: 
Permission denied, please try again.
xfseuftp@10.120.97.149's password:


Even if I su  to the user

[root@lamp-stor-01 export]# ipa passwd xfseuftp
New Password: 
Enter New Password again to verify: 

Changed password for "xfseuftp@IPAJDR.LOCAL"

[root@lamp-stor-01 export]# su - xfseuftp
Last login: Fri Sep  9 11:57:24 EDT 2016 on pts/1
-bash-4.2$ passwd
Changing password for user xfseuftp.
Current Password: 
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error



secure log entries when attempted to change password:

Sep  9 11:33:15 lamp-stor-01 sshd[26880]: pam_unix(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138  user=xfseuftp
Sep  9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): User info 
message: Permission denied.
Sep  9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
Sep  9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): received for user 
xfseuftp: 13 (User account has expired)
Sep  9 11:33:16 lamp-stor-01 sshd[26880]: Failed password for xfseuftp from 
10.10.90.138 port 33534 ssh2
.
Sep  9 11:57:56 lamp-stor-01 su: pam_unix(su-l:session): session closed for 
user xfseuftp
Sep  9 11:58:15 lamp-stor-01 su: pam_unix(su-l:session): session opened for 
user xfseuftp by root(uid=0)
Sep  9 11:58:20 lamp-stor-01 passwd: pam_unix(passwd:chauthtok): user 
"xfseuftp" does not exist in /etc/passwd
Sep  9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): User info 
message: Password change failed. Server message: Old password not accepted.
Sep  9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): Authentication 
failed for user xfseuftp: 4 (System error)
Sep  9 11:58:27 lamp-stor-01 su: pam_unix(su-l:session): session closed for 
user xfseuftp

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Friday, September 09, 2016 9:30 AM
To: Larry Rosen ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] automated ftp service only accounts and passwords

Larry Rosen wrote:
> How do I set the password on a chroot jailed sftp id account that is 
> not allowed a shell to not expire 

[Freeipa-users] ERROR CA configuration failed. - again

[lejeczek]

hi everybody,

looking at ipareplica-install.log:

 raise RuntimeError("%s configuration failed." % 
self.subsystem)

RuntimeError: CA configuration failed.

2016-09-09T16:23:17Z DEBUG   [error] RuntimeError: CA 
configuration failed.
2016-09-09T16:23:17Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", 
line 171, in execute


then at /var/log/pki/pki-tomcat/ca/system

0.localhost-startStop-1 - [09/Sep/2016:16:04:22 BST] [3] [3] 
Cannot build CA chain. Error 
java.security.cert.CertificateException: Certificate is not 
a PKCS #11 certificate
0.localhost-startStop-1 - [09/Sep/2016:16:04:22 BST] [13] 
[3] authz instance DirAclAuthz initialization failed and 
skipped, error=Property internaldb.ldapconn.port missing value


I cannot find anything more telling in the logs. Does it 
have anything to do with what's in:

/etc/httpd/alias/
?
I yum removed
`rpm -qa ipa* 389*` pki-base krb5-pkinit krb5-server 
krb5-workstation pki-tomcat certmonger
rm dirs + reinstalled, yet I cannot find the the root cause 
of this mess.


best regards
L.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

[Endi Sukma Dewata]

On 9/9/2016 8:09 AM, Petr Vobornik wrote:

On 09/09/2016 02:33 PM, Giorgos Kafataridis wrote:



Yes, I have followed
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

to the letter.
The only reason I had to recreate the cacert.p12 file is because it
is not
renewed automatically in v3, so the cacert.p12 was outdated and the
CA was
throwing an "p12 invalid digest" error.

   * I opened all necessary ports
   * I checked all certs and they are valid for another year


/Run connection check to master//
//Check connection from replica to remote master 'ipa-server.nelios'://
//   Directory Service: Unsecure port (389): OK//
//   Directory Service: Secure port (636): OK//
//   Kerberos KDC: TCP (88): OK//
//   Kerberos Kpasswd: TCP (464): OK//
//   HTTP Server: Unsecure port (80): OK//
//   HTTP Server: Secure port (443): OK//
//   PKI-CA: Directory Service port (7389): OK//
//
//The following list of ports use UDP protocol and would need to be//
//checked manually://
//   Kerberos KDC: UDP (88): SKIPPED//
//   Kerberos Kpasswd: UDP (464): SKIPPED//
//
//Connection from replica to master is OK.//
//Start listening on required ports for remote master check//
//Get credentials to log in to remote master//
//Check SSH connection to remote master//
//Execute check on remote master//
//Check connection from master to remote replica
'ipa2-server2.nelios'://
//   Directory Service: Unsecure port (389): OK//
//   Directory Service: Secure port (636): OK//
//   Kerberos KDC: TCP (88): OK//
//   Kerberos KDC: UDP (88): OK//
//   Kerberos Kpasswd: TCP (464): OK//
//   Kerberos Kpasswd: UDP (464): OK//
//   HTTP Server: Unsecure port (80): OK//
//   HTTP Server: Secure port (443): OK//
//
//Connection from master to replica is OK.//
//
//Connection check OK/

*Even with a fresh install of centos 7 with different hostname and ip
and I
still get the  the error below*

Configuring certificate server (pki-tomcatd). Estimated time: 3
minutes 30 seconds
[1/24]: creating certificate server user
[2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
configure CA
instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_''
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
installation logs
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERRORCA
configuration failed.

*
**With debug enabled I get: *

pa : DEBUGStarting external process
ipa : DEBUGargs='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpwY8XjR'
ipa : DEBUGProcess finished, return code=1
ipa : DEBUGstdout=Log file:
/var/log/pki/pki-ca-spawn.20160909044214.log
Loading deployment configuration from /tmp/tmpwY8XjR.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


ipa : DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
pkispawn: WARNING  ... unable to validate security domain
user/password
through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration
Servlet: 500
Server Error: Internal Server Error
pkispawn: ERROR... ParseError: not well-formed (invalid
token): line
1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed

to obtain installation token from security domain"}


Is there a way to validate the repilca .gpg file from a v3
installation against
a v4.2 freeipa installation to check for any errors before going
through the
ipa-replica-install?
The ipa-replica-install completes if I don't include the --setup-ca
flag but I
don't want that


There is no automatic method to verify the replica file.

Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug  +
couple lines before and after?




Contents  of /var/log/pki/pki-tomcat/ca/debug:

[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
SystemConfigResource.configure()
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
content-type: application/json
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
accept: [application/json]

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

[Giorgos Kafataridis]

On 09/09/2016 04:09 PM, Petr Vobornik wrote:

On 09/09/2016 02:33 PM, Giorgos Kafataridis wrote:

Yes, I have followed
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

to the letter.
The only reason I had to recreate the cacert.p12 file is because it
is not
renewed automatically in v3, so the cacert.p12 was outdated and the
CA was
throwing an "p12 invalid digest" error.

* I opened all necessary ports
* I checked all certs and they are valid for another year


/Run connection check to master//
//Check connection from replica to remote master 'ipa-server.nelios'://
//   Directory Service: Unsecure port (389): OK//
//   Directory Service: Secure port (636): OK//
//   Kerberos KDC: TCP (88): OK//
//   Kerberos Kpasswd: TCP (464): OK//
//   HTTP Server: Unsecure port (80): OK//
//   HTTP Server: Secure port (443): OK//
//   PKI-CA: Directory Service port (7389): OK//
//
//The following list of ports use UDP protocol and would need to be//
//checked manually://
//   Kerberos KDC: UDP (88): SKIPPED//
//   Kerberos Kpasswd: UDP (464): SKIPPED//
//
//Connection from replica to master is OK.//
//Start listening on required ports for remote master check//
//Get credentials to log in to remote master//
//Check SSH connection to remote master//
//Execute check on remote master//
//Check connection from master to remote replica
'ipa2-server2.nelios'://
//   Directory Service: Unsecure port (389): OK//
//   Directory Service: Secure port (636): OK//
//   Kerberos KDC: TCP (88): OK//
//   Kerberos KDC: UDP (88): OK//
//   Kerberos Kpasswd: TCP (464): OK//
//   Kerberos Kpasswd: UDP (464): OK//
//   HTTP Server: Unsecure port (80): OK//
//   HTTP Server: Secure port (443): OK//
//
//Connection from master to replica is OK.//
//
//Connection check OK/

*Even with a fresh install of centos 7 with different hostname and ip
and I
still get the  the error below*

Configuring certificate server (pki-tomcatd). Estimated time: 3
minutes 30 seconds
 [1/24]: creating certificate server user
 [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
configure CA
instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_''
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
installation logs
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
 [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERRORCA
configuration failed.

*
**With debug enabled I get: *

pa : DEBUGStarting external process
ipa : DEBUGargs='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpwY8XjR'
ipa : DEBUGProcess finished, return code=1
ipa : DEBUGstdout=Log file:
/var/log/pki/pki-ca-spawn.20160909044214.log
Loading deployment configuration from /tmp/tmpwY8XjR.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


ipa : DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
 InsecureRequestWarning)
pkispawn: WARNING  ... unable to validate security domain
user/password
through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration
Servlet: 500
Server Error: Internal Server Error
pkispawn: ERROR... ParseError: not well-formed (invalid
token): line
1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed

to obtain installation token from security domain"}


Is there a way to validate the repilca .gpg file from a v3
installation against
a v4.2 freeipa installation to check for any errors before going
through the
ipa-replica-install?
The ipa-replica-install completes if I don't include the --setup-ca
flag but I
don't want that


There is no automatic method to verify the replica file.

Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug  +
couple lines before and after?



Contents  of /var/log/pki/pki-tomcat/ca/debug:

[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
SystemConfigResource.configure()
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
content-type: application/json
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor:
accept: [application/json]

Re: [Freeipa-users] automated ftp service only accounts and passwords

[Rob Crittenden]

Larry Rosen wrote:

How do I set the password on a chroot jailed sftp id account that is not
allowed a shell to not expire its password after setting it?  There’s no
way to change it to the fixed password I want.

I have created a service_account password policy that has no expiration
(set to Max lifetime (days) = 2 ).


More details are needed. Did you create a service account user or are 
you using an IPA user?


You created a new password policy, is the sftp account in that group?

Why can't you set the password to what you want?

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

[Giorgos Kafataridis]

Yes, I have followed
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
to the letter.
The only reason I had to recreate the cacert.p12 file is because it is not
renewed automatically in v3, so the cacert.p12 was outdated and the CA was
throwing an "p12 invalid digest" error.

   * I opened all necessary ports
   * I checked all certs and they are valid for another year


/Run connection check to master//
//Check connection from replica to remote master 'ipa-server.nelios'://
//   Directory Service: Unsecure port (389): OK//
//   Directory Service: Secure port (636): OK//
//   Kerberos KDC: TCP (88): OK//
//   Kerberos Kpasswd: TCP (464): OK//
//   HTTP Server: Unsecure port (80): OK//
//   HTTP Server: Secure port (443): OK//
//   PKI-CA: Directory Service port (7389): OK//
//
//The following list of ports use UDP protocol and would need to be//
//checked manually://
//   Kerberos KDC: UDP (88): SKIPPED//
//   Kerberos Kpasswd: UDP (464): SKIPPED//
//
//Connection from replica to master is OK.//
//Start listening on required ports for remote master check//
//Get credentials to log in to remote master//
//Check SSH connection to remote master//
//Execute check on remote master//
//Check connection from master to remote replica 'ipa2-server2.nelios'://
//   Directory Service: Unsecure port (389): OK//
//   Directory Service: Secure port (636): OK//
//   Kerberos KDC: TCP (88): OK//
//   Kerberos KDC: UDP (88): OK//
//   Kerberos Kpasswd: TCP (464): OK//
//   Kerberos Kpasswd: UDP (464): OK//
//   HTTP Server: Unsecure port (80): OK//
//   HTTP Server: Secure port (443): OK//
//
//Connection from master to replica is OK.//
//
//Connection check OK/

*Even with a fresh install of centos 7 with different hostname and ip and I
still get the  the error below*

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 
seconds
[1/24]: creating certificate server user
[2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_''
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERRORCA configuration 
failed.

*
**With debug enabled I get: *

pa : DEBUGStarting external process
ipa : DEBUGargs='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
ipa : DEBUGProcess finished, return code=1
ipa : DEBUGstdout=Log file: 
/var/log/pki/pki-ca-spawn.20160909044214.log
Loading deployment configuration from /tmp/tmpwY8XjR.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


ipa : DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
pkispawn: WARNING  ... unable to validate security domain user/password
through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration Servlet: 500
Server Error: Internal Server Error
pkispawn: ERROR... ParseError: not well-formed (invalid token): line
1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed
to obtain installation token from security domain"}


Is there a way to validate the repilca .gpg file from a v3 installation against
a v4.2 freeipa installation to check for any errors before going through the
ipa-replica-install?
The ipa-replica-install completes if I don't include the --setup-ca flag but I
don't want that


There is no automatic method to verify the replica file.

Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug  +
couple lines before and after?




Contents  of /var/log/pki/pki-tomcat/ca/debug:

[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: 
SystemConfigResource.configure()
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: 
content-type: application/json
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: 
accept: [application/json]
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: 
request format: 

[Freeipa-users] automated ftp service only accounts and passwords

[Larry Rosen]

How do I set the password on a chroot jailed sftp id account that is not 
allowed a shell to not expire its password after setting it?  There's no way to 
change it to the fixed password I want.
I have created a service_account password policy that has no expiration (set to 
Max lifetime (days) = 2 ).

Larry

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

[Petr Vobornik]

On 09/09/2016 12:13 PM, Giorgos Kafataridis wrote:
> Yes, I have followed 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>  
> to the letter.
> The only reason I had to recreate the cacert.p12 file is because it is not 
> renewed automatically in v3, so the cacert.p12 was outdated and the CA was 
> throwing an "p12 invalid digest" error.
> 
>   * I opened all necessary ports
>   * I checked all certs and they are valid for another year
> 
> 
> /Run connection check to master//
> //Check connection from replica to remote master 'ipa-server.nelios'://
> //   Directory Service: Unsecure port (389): OK//
> //   Directory Service: Secure port (636): OK//
> //   Kerberos KDC: TCP (88): OK//
> //   Kerberos Kpasswd: TCP (464): OK//
> //   HTTP Server: Unsecure port (80): OK//
> //   HTTP Server: Secure port (443): OK//
> //   PKI-CA: Directory Service port (7389): OK//
> //
> //The following list of ports use UDP protocol and would need to be//
> //checked manually://
> //   Kerberos KDC: UDP (88): SKIPPED//
> //   Kerberos Kpasswd: UDP (464): SKIPPED//
> //
> //Connection from replica to master is OK.//
> //Start listening on required ports for remote master check//
> //Get credentials to log in to remote master//
> //Check SSH connection to remote master//
> //Execute check on remote master//
> //Check connection from master to remote replica 'ipa2-server2.nelios'://
> //   Directory Service: Unsecure port (389): OK//
> //   Directory Service: Secure port (636): OK//
> //   Kerberos KDC: TCP (88): OK//
> //   Kerberos KDC: UDP (88): OK//
> //   Kerberos Kpasswd: TCP (464): OK//
> //   Kerberos Kpasswd: UDP (464): OK//
> //   HTTP Server: Unsecure port (80): OK//
> //   HTTP Server: Secure port (443): OK//
> //
> //Connection from master to replica is OK.//
> //
> //Connection check OK/
> 
> *Even with a fresh install of centos 7 with different hostname and ip and I 
> still get the  the error below*
> 
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 
> seconds
>[1/24]: creating certificate server user
>[2/24]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA 
> instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_'' 
> returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation 
> logs 
> and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
>[error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> ipa.ipapython.install.cli.install_tool(Replica): ERRORCA configuration 
> failed.
> 
> *
> **With debug enabled I get: *
> 
> pa : DEBUGStarting external process
> ipa : DEBUGargs='/usr/sbin/pkispawn' '-s' 'CA' '-f' 
> '/tmp/tmpwY8XjR'
> ipa : DEBUGProcess finished, return code=1
> ipa : DEBUGstdout=Log file: 
> /var/log/pki/pki-ca-spawn.20160909044214.log
> Loading deployment configuration from /tmp/tmpwY8XjR.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into 
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> 
> Installation failed.
> 
> 
> ipa : DEBUG 
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: 
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding 
> certificate verification is strongly advised. See: 
> https://urllib3.readthedocs.org/en/latest/security.html
>InsecureRequestWarning)
> pkispawn: WARNING  ... unable to validate security domain 
> user/password 
> through REST interface. Interface not available
> pkispawn: ERROR... Exception from Java Configuration Servlet: 500 
> Server Error: Internal Server Error
> pkispawn: ERROR... ParseError: not well-formed (invalid token): 
> line 
> 1, column 0: 
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed
>  
> to obtain installation token from security domain"}
> 
> 
> Is there a way to validate the repilca .gpg file from a v3 installation 
> against 
> a v4.2 freeipa installation to check for any errors before going through the 
> ipa-replica-install?
> The ipa-replica-install completes if I don't include the --setup-ca flag but 
> I 
> don't want that
> 

There is no automatic method to verify the replica file.

Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug  +
couple lines before and after?

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org 

Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

[Lukas Slebodnik]

On (07/09/16 17:39), Venkataramana Kintali wrote:
>Hi,
>Of late, I am learning FreeIPA . I have installed IPA server and few
>clients (Version 3.0.0)
>I am facing an issue with ssh key authentication in my setup.
>I generated a putty ssh private key (using putty keygen) ,and uploaded it
>under a user through IPA GUI.
I assume you uploaded public key to the IPA
otherwise you did something wrong and I wonder why it works on some machines.

>I am able to login to some IPA clients but not able to login to other IPA
>clients with putty using private key and passphrase.
>
Is sssd_ssh running on all clients? (Is sssd.conf almost the same on all
machines)
Is sshd configuration the same on all machines?
/etc/ssh/ssh_config /etc/ssh/sshd_config

>Public Key Authentication is enabled on all clients.
>I am able to from one client to other clients successfully (after doing
>kinit) without promting password.
>
>Can someone  please throw some light on this as to what the issue could be
>here and what else I can check to understand where  the problem is ?
>
>I searched this online but couldn't find any solution in the context of IPA.
>

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

[Giorgos Kafataridis]

Yes, I have followed 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html 
to the letter.
The only reason I had to recreate the cacert.p12 file is because it is 
not renewed automatically in v3, so the cacert.p12 was outdated and the 
CA was throwing an "p12 invalid digest" error.


 * I opened all necessary ports
 * I checked all certs and they are valid for another year


/Run connection check to master//
//Check connection from replica to remote master 'ipa-server.nelios'://
//   Directory Service: Unsecure port (389): OK//
//   Directory Service: Secure port (636): OK//
//   Kerberos KDC: TCP (88): OK//
//   Kerberos Kpasswd: TCP (464): OK//
//   HTTP Server: Unsecure port (80): OK//
//   HTTP Server: Secure port (443): OK//
//   PKI-CA: Directory Service port (7389): OK//
//
//The following list of ports use UDP protocol and would need to be//
//checked manually://
//   Kerberos KDC: UDP (88): SKIPPED//
//   Kerberos Kpasswd: UDP (464): SKIPPED//
//
//Connection from replica to master is OK.//
//Start listening on required ports for remote master check//
//Get credentials to log in to remote master//
//Check SSH connection to remote master//
//Execute check on remote master//
//Check connection from master to remote replica 'ipa2-server2.nelios'://
//   Directory Service: Unsecure port (389): OK//
//   Directory Service: Secure port (636): OK//
//   Kerberos KDC: TCP (88): OK//
//   Kerberos KDC: UDP (88): OK//
//   Kerberos Kpasswd: TCP (464): OK//
//   Kerberos Kpasswd: UDP (464): OK//
//   HTTP Server: Unsecure port (80): OK//
//   HTTP Server: Secure port (443): OK//
//
//Connection from master to replica is OK.//
//
//Connection check OK/

*Even with a fresh install of centos 7 with different hostname and ip 
and I still get the  the error below*


Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 
30 seconds

  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to 
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpbMwmp_'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the 
installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki/pki-tomcat

  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERRORCA 
configuration failed.


*
**With debug enabled I get: *

pa : DEBUGStarting external process
ipa : DEBUGargs='/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpwY8XjR'

ipa : DEBUGProcess finished, return code=1
ipa : DEBUGstdout=Log file: 
/var/log/pki/pki-ca-spawn.20160909044214.log

Loading deployment configuration from /tmp/tmpwY8XjR.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into 
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.


Installation failed.


ipa : DEBUG 
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: 
InsecureRequestWarning: Unverified HTTPS request is being made. Adding 
certificate verification is strongly advised. See: 
https://urllib3.readthedocs.org/en/latest/security.html

  InsecureRequestWarning)
pkispawn: WARNING  ... unable to validate security domain 
user/password through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration 
Servlet: 500 Server Error: Internal Server Error
pkispawn: ERROR... ParseError: not well-formed (invalid 
token): line 1, column 0: 
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed 
to obtain installation token from security domain"}



Is there a way to validate the repilca .gpg file from a v3 installation 
against a v4.2 freeipa installation to check for any errors before going 
through the ipa-replica-install?
The ipa-replica-install completes if I don't include the --setup-ca flag 
but I don't want that
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project