Re: [Freeipa-users] Replica created with expired certs

2016-09-28 Thread Jim Richard
Thanks Rob, that worked.

Still on the subject of certs, any idea how to solve this error:

Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key 
database is in an old, unsupported format.

I see that in the gui when querying hosts as well as from cli when I ipa-show 
or ipa-find


     
Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905

> On Sep 28, 2016, at 7:44 AM, Rob Crittenden  wrote:
> 
> Jim Richard wrote:
>> I have a master with apparently correct, non expired certs but when I
>> create a new replica master I end up with expired certs.
>> How is this possible, why and of course, how do I fix?
> 
> I assume you are running IPA v3.0.0?
> 
> The problem is that the root CA stash isn't updated when a replica file is 
> prepared in that version (fixed in 3.3 IIRC). You can do this manually with 
> something like:
> 
> # PKCS12Export -d /var/lib/pki-ca/alias -p /root/dbpass -w /root/dmpass -o 
> /root/cacert.p12
> 
> where /root/dmpass is a file that contains the Directory Manager password.
> 
> Then rerun ipa-replica-prepare and things should work.
> 
> You can look at the certs in /root/cacert.p12 with pk12util to see the change.
> 
> rob
> 
>> 
>> first set is the original master and the second is the certs I get on
>> the new replica
>> 
>> [root@sso-110:(NYM) nssdb]$ getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20140923213643':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile
>> .txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=PLACEIQ.NET 
>> subject: CN=sso-110.nym1.placeiq.net
>> ,O=PLACEIQ.NET 
>> expires: 2018-08-28 10:36:04 UTC
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>> track: yes
>> auto-renew: yes
>> Request ID '20140923213732':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=PLACEIQ.NET 
>> subject: CN=sso-110.nym1.placeiq.net
>> ,O=PLACEIQ.NET 
>> expires: 2018-08-06 10:36:02 UTC
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20140923213814':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-PLACEIQ-NET',nickname='Server-Cert',token='NSS

[Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64

2016-09-28 Thread Prasun Gera
I started seeing some selinux errors on one of my RHEL 7 clients recently
(possibly after a recent yum update ?), which prevents users from logging
in with passwords. I've put SELinux in permissive mode for now. Logs follow


SELinux is preventing /usr/libexec/sssd/krb5_child from read access on the
key Unknown.

*  Plugin catchall (100. confidence) suggests **

If you believe that krb5_child should be allowed read access on the Unknown
key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ key ]
Source                        krb5_child
Source Path                   /usr/libexec/sssd/krb5_child
Port
Host
Source RPM Packages           sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     example.com
Platform                      Linux example.com 4.4.19-1.el7.x86_64 #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
Alert Count                   38
First Seen                    2016-09-28 18:37:43 EDT
Last Seen                     2016-09-28 22:08:41 EDT
Local ID                      aa5271fa-f708-46b0-a382-fb1f90ce8973
Raw Audit Messages
type=AVC msg=audit(1475114921.376:90787): avc:  denied  { read } for
 pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0


type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl
success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891 pid=8272
auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053
suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053
fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child
exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)

Hash: krb5_child,sssd_t,unconfined_service_t,key,read



SELinux is preventing /usr/libexec/sssd/krb5_child from view access on the
key Unknown.

*  Plugin catchall (100. confidence) suggests **

If you believe that krb5_child should be allowed view access on the Unknown
key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ key ]
Source                        krb5_child
Source Path                   /usr/libexec/sssd/krb5_child
Port
Host
Source RPM Packages           sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     example.com
Platform                      Linux example.com 4.4.19-1.el7.x86_64 #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
Alert Count                   10
First Seen                    2016-09-28 18:40:00 EDT
Last Seen                     2016-09-28 22:08:41 EDT
Local ID                      22ec0970-9447-444a-9631-69749e4e7226
Raw Audit Messages
type=AVC msg=audit(1475114921.376:90789): avc:  denied  { view } for
 pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0


type=SYSCALL msg=audit(1475114921.376:90789): arch=x86_64 syscall=keyctl
success=no exit=EACCES a0=6 a1=2e1c07f1 a2=0 a3=0 items=0 ppid=891 pid=8272
auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053
suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053
fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child
exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)

Hash: krb5_child,sssd_t,unconfined_service_t,key,view



SELinux is preventing /usr/libexec/sssd/krb5_child from write access on the
key Unknown.

*  Plugin catchall (100. confidence) suggests
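As an added example (not part of Prasun's report), the following Python groups raw AVC records like the ones pasted above into the `Hash:` form sealert prints and derives the allow rule the suggested audit2allow run would generate, so what a local module grants can be read before it is installed. The first two sample events are the denials from the report; the third is a constructed permissive=1 record.

```python
"""Group SELinux AVC denials the way sealert's "Hash:" line does and derive the
allow rule audit2allow would propose from them, so the grant can be reviewed
before any local policy module is installed.

Added example, not part of the report above. SAMPLE_AUDIT is constructed: the
first two events are the denials quoted in the report, the third is a made-up
permissive=1 record (logged but not enforced) for the 'write' denial."""
import re
from collections import Counter, defaultdict

SAMPLE_AUDIT = """\
type=AVC msg=audit(1475114921.376:90787): avc:  denied  { read } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1475114921.376:90789): avc:  denied  { view } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1475114921.376:90789): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=6 a1=2e1c07f1 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1475115000.000:90791): avc:  denied  { write } for  pid=8301 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
"""

MSG_ID_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
PERMS_RE = re.compile(r"\{ ([^}]*) \}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """user:role:type:level -> type, the component policy rules are written against."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_audit(text):
    """Merge the AVC and SYSCALL records that share one audit event id."""
    events = {}
    for line in text.splitlines():
        m = MSG_ID_RE.search(line)
        if not line.startswith("type=") or not m:
            continue
        event = events.setdefault(m.group(1), {"perms": []})
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        record_type = fields.pop("type")
        fields.pop("msg", None)
        if record_type == "AVC":
            perms = PERMS_RE.search(line)
            if perms:
                event["perms"].extend(perms.group(1).split())
        event.update(fields)
    # Keep only events that actually carry a denial.
    return [e for e in events.values() if e["perms"]]


def denial_hash(event, perm):
    """Same shape as sealert's 'Hash:' line: comm,source type,target type,class,perm."""
    return ",".join([event["comm"], selinux_type(event["scontext"]),
                     selinux_type(event["tcontext"]), event["tclass"], perm])


def summarize(text):
    """Count distinct denials, separating enforced ones (permissive=0, the
    access really failed) from those only logged under permissive mode."""
    enforced, logged_only = Counter(), Counter()
    for event in parse_audit(text):
        bucket = enforced if event.get("permissive") == "0" else logged_only
        for perm in event["perms"]:
            bucket[denial_hash(event, perm)] += 1
    return enforced, logged_only


def suggested_rules(text):
    """One allow rule per (source type, target type, class), as audit2allow -M
    would emit; reading it first shows exactly what the module would grant."""
    perms = defaultdict(set)
    for event in parse_audit(text):
        key = (selinux_type(event["scontext"]), selinux_type(event["tcontext"]), event["tclass"])
        perms[key].update(event["perms"])
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};"
            for (src, tgt, cls), p in sorted(perms.items())]


if __name__ == "__main__":
    enforced, logged_only = summarize(SAMPLE_AUDIT)
    for label, counter in (("enforced", enforced), ("permissive only", logged_only)):
        for h, n in counter.items():
            print(f"{label:16} x{n}  {h}")
    print("\n".join(suggested_rules(SAMPLE_AUDIT)))
```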

Re: [Freeipa-users] unable to add or remove host (exists but doesn't exist) 4.2

2016-09-28 Thread Rob Crittenden

"Răzvan Corneliu C.R. VILT" wrote:

> Hi Jake,
>
> From the output below (assuming a non-altered copy+paste), the host-add
> request is interpreted by ipa as "server100.example.com
> " while the delete is interpreted as
> "server100.example.com ". If that's the
> case, try using quotes or searching the LDAP manually for the entry to
> see the actual registered hostname. If what I'm seeing over here is
> correct, you might be able to fix it by issuing:
> ipa host-del "server100.example.com "
> (use quotes when issuing the command).
>
> Then again, it might be a wrong copy+paste.

Yeah, that quoted space sure looks strange. I think this suggestion is
good, though I'm not sure how an embedded space could happen.

An ldapsearch might give additional feedback, something like:

$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=example,dc=com fqdn="*server100*"

rob

> Cheers,
> Răzvan
>
>> On 28 Sep 2016, at 22:15, Jake wrote:
>>
>> One of my techs had an issue adding a machine, now it seems to be stuck.
>>
>> it can neither be added nor removed
>>
>> -bash-4.2$ ipa host-add server100.example.com  --force
>> ipa: ERROR: host with name " server100.example.com
>> " already exists
>>
>> -bash-4.2$ ipa host-del server100.example.com
>> ipa: ERROR: server100.example.com : host
>> not found
>>
>> IP web client gives this error:
>>
>> Operations Error
>> Some operations failed.
>> * server100.example.com : host not found
>>
>> Attempts to delete it via webui
>>
>> Operations Error
>> Some entries were not deleted
>> * server100.example.com : host not found
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project

[Freeipa-users] New Installation won't start after reboot

2016-09-28 Thread Floyd Lorch
Installed FreeIPA 4.2 on a fresh CentOS 7.2. After initial setup and
configuration a one way trust was added to windows AD. Server was shut down
and moved to a different rack. When it was started back up IPA no longer
runs.

ipa-admintools.x86_64   4.2.0-15.0.1.el7.centos.19
ipa-client.x86_64   4.2.0-15.0.1.el7.centos.19
ipa-python.x86_64   4.2.0-15.0.1.el7.centos.19
ipa-server.x86_64   4.2.0-15.0.1.el7.centos.19
ipa-server-dns.x86_64   4.2.0-15.0.1.el7.centos.19
ipa-server-trust-ad.x86_64  4.2.0-15.0.1.el7.centos.19
libipa_hbac.x86_64  1.13.0-40.el7_2.12
python-iniparse.noarch  0.4-9.el7
python-libipa_hbac.x86_64   1.13.0-40.el7_2.12
sssd-ipa.x86_64 1.13.0-40.el7_2.12

In the service list IPA, polkit, postfix, and smb service are currently
failed. kadmin also fails sometimes, however I'm able to start it
occasionally without explanation.

running IPA restart results in the following error:

[root@SERVER ~]# ipactl restart
Starting Directory Service
Stopping pki-tomcatd Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Starting smb Service
Job for smb.service failed because the control process exited with error
code. See "systemctl status smb.service" and "journalctl -xe" for details.
Failed to start smb Service
Shutting down
Aborting ipactl

Checking the SMB service I get the following

[root@SERVER ~]# systemctl status smb
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor
preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-09-28 17:15:50 EDT;
43s ago
  Process: 7186 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited,
status=1/FAILURE)
 Main PID: 7186 (code=exited, status=1/FAILURE)
   Status: "Starting process..."

Sep 28 17:15:49 SERVER.SUB.DOMAIN.COM smbd[7186]: [2016/09/28
17:15:49.718669,  0] ipa_sam.c:4208(bind_callback_cleanup)
Sep 28 17:15:49 SERVER.SUB.DOMAIN.COM smbd[7186]:   kerberos error:
code=-1765328203, message=Keytab contains no suitable keys for cifs/
server.sub.domain@sub.domain.com
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM smbd[7186]: [2016/09/28
17:15:50.718869,  0] ipa_sam.c:4520(pdb_init_ipasam)
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM smbd[7186]:   Failed to get base DN.
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM smbd[7186]: [2016/09/28
17:15:50.718900,  0]
../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM smbd[7186]:   pdb backend
ipasam:ldapi://%2fvar%2frun%2fslapd-SUB.DOMAIN.COM.socket did not correctly
init (error was NT_STATUS_UNSUCCESSFUL)
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM systemd[1]: smb.service: main process
exited, code=exited, status=1/FAILURE
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM systemd[1]: Failed to start Samba SMB
Daemon.
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM systemd[1]: Unit smb.service entered
failed state.
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM systemd[1]: smb.service failed.


I had issues when first trying to add one way trust with SMB but I was able
to restart the service and move forward. That doesn't appear to be
happening this time. I've also tried using kinit to obtain a ticket but
that doesn't work. I'm not sure if that should work at this juncture or
not. After restarting ipa the kadmin service also fails to start some of
the time.

if kadmin is running
===
[root@SERVER ~]# kinit -V admin
Using default cache: persistent:0:0
Using principal: ad...@sub.domain.com
kinit: Generic error (see e-text) while getting initial credentials


if kadmin isn't running
===
[root@SERVER ~]# kinit -V admin
Using default cache: persistent:0:0
Using principal: ad...@sub.domain.com
kinit: Cannot contact any KDC for realm 'SUB.DOMAIN.COM' while getting
initial credentials


Attempts to get kadmin to run
===
[root@SERVER ~]# systemctl start kadmin
Job for kadmin.service failed because the control process exited with error
code. See "systemctl status kadmin.service" and "journalctl -xe" for
details.


Journal for kadmin attempt
==
-- Subject: Unit kadmin.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kadmin.service has begun starting up.
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM _kadmind[7978]: kadmind: kadmind:
Server error while initializing, aborting
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM systemd[1]: kadmin.service: control
process exited, code=exited status=1
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM systemd[1]: Failed to start Kerberos
5 Password-changing and Administration.
-- Subject: Unit kadmin.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kadmin.service has failed.
--
-- The result is failed.
Sep 28 

Re: [Freeipa-users] unable to add or remove host (exists but doesn't exist) 4.2

2016-09-28 Thread Răzvan Corneliu C.R. VILT
Hi Jake,

From the output below (assuming a non-altered copy+paste), the host-add request 
is interpreted by ipa as "server100.example.com 
" while the delete is interpreted as 
"server100.example.com ". If that's the case, 
try using quotes or searching the LDAP manually for the entry to see the actual 
registered hostname. If what I'm seeing over here is correct, you might be able 
to fix it by issuing:
ipa host-del "server100.example.com "
(use quotes when issuing the command).

Then again, it might be a wrong copy+paste.

Cheers,
Răzvan
> On 28 Sep 2016, at 22:15, Jake wrote:
> 
> One of my techs had an issue adding a machine, now it seems to be stuck.
> 
> it can neither be added nor removed
> 
> -bash-4.2$ ipa host-add server100.example.com --force
> ipa: ERROR: host with name " server100.example.com" already exists
> 
> 
> -bash-4.2$ ipa host-del server100.example.com
> ipa: ERROR: server100.example.com: host not found
> 
> 
> IP web client gives this error:
> 
> 
> Operations Error
> Some operations failed.
> Hide details 
> server100.example.com: host not found
> 
> Attempts to delete it via webui
> Operations Error
> Some entries were not deleted
> Hide details 
> server100.example.com: host not found
> 
> 

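Added example (not Răzvan's or Rob's code) tying the two suggestions together: it reads the LDIF an ldapsearch like Rob's would return, flags fqdn values that carry leading, trailing or embedded whitespace, and emits the shell-quoted host-del that Răzvan recommends. The LDIF entries and hostnames are constructed.

```python
"""Find FreeIPA host entries whose fqdn carries stray whitespace, the failure
mode in this thread: the value looks like a clean hostname in a copy+paste, yet
the CLI argument typed without quotes is not the string stored in LDAP.

Added example; not code from the thread. SAMPLE_LDIF is constructed to look
like what Rob's ldapsearch returns: per RFC 2849 a value that begins with a
space must be base64-encoded ("fqdn:: ..."), and one ending in a space should
be, which is exactly why the stray space is invisible in plain text."""
import base64
import shlex

SAMPLE_LDIF = """\
dn: fqdn=server100.example.com,cn=computers,cn=accounts,dc=example,dc=com
objectClass: ipahost
fqdn: server100.example.com

dn: fqdn=\\ server100.example.com,cn=computers,cn=accounts,dc=example,dc=com
objectClass: ipahost
fqdn:: IHNlcnZlcjEwMC5leGFtcGxlLmNvbQ==

dn: fqdn=server100.example.com\\ ,cn=computers,cn=accounts,dc=example,dc=com
objectClass: ipahost
fqdn:: c2VydmVyMTAwLmV4YW1wbGUuY29tIA==
"""


def _unfold(text):
    """LDIF folds long lines; a continuation line starts with one space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal RFC 2849 reader: blank-line separated entries, 'attr: value'
    and base64 'attr:: value' lines; returns one {attr: [values]} per entry."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith(" "):
            value = value[1:]          # exactly one separator space is dropped
        current.setdefault(attr.lower(), []).append(value)
    return entries


def fqdn_anomalies(entries):
    """(dn, fqdn, reasons) for every fqdn that would print like a normal
    hostname while differing from it: padding, inner spaces, control chars."""
    findings = []
    for entry in entries:
        for fqdn in entry.get("fqdn", []):
            reasons = []
            if fqdn != fqdn.lstrip():
                reasons.append("leading whitespace")
            if fqdn != fqdn.rstrip():
                reasons.append("trailing whitespace")
            if any(ch.isspace() for ch in fqdn.strip()):
                reasons.append("embedded whitespace")
            if any(not ch.isprintable() for ch in fqdn):
                reasons.append("non-printable character")
            if reasons:
                findings.append((entry["dn"][0], fqdn, ", ".join(reasons)))
    return findings


def host_del_command(fqdn):
    """Quote the stored value so the shell passes it to ipa byte-for-byte,
    which is the 'use quotes' advice from the thread made mechanical."""
    return f"ipa host-del {shlex.quote(fqdn)}"


if __name__ == "__main__":
    for dn, fqdn, why in fqdn_anomalies(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}\n  fqdn={fqdn!r}  ({why})\n  {host_del_command(fqdn)}")
```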

[Freeipa-users] unable to add or remove host (exists but doesn't exist) 4.2

2016-09-28 Thread Jake
One of my techs had an issue adding a machine, now it seems to be stuck. 

it can neither be added nor removed 

-bash-4.2$ ipa host-add server100 .example.com --force 
ipa: ERROR: host with name " server100 .example.com " already exists 


-bash-4.2$ ipa host-del server100 .example.com 
ipa: ERROR: server100.example.com: host not found 


IP web client gives this error: 


Operations Error 


Some operations failed. 


* 

server100.example.com: host not found 

Attempts to delete it via webui 
Operations Error 


Some entries were not deleted 


* 

server100.example.com : host not found 



Re: [Freeipa-users] How to get a new cert

2016-09-28 Thread Bret Wortman

Perfect. That did the trick. Many thanks, Flo.


Bret


On 09/28/2016 09:47 AM, Florence Blanc-Renaud wrote:

On 09/27/2016 08:00 PM, Bret Wortman wrote:

That looks like it worked, but I have a follow-on question:

I need to provide my RabbitMQ instance with a cacert file, a cert, and a
key file. These seem to be .pem files. Is there an easy way to gather
these 3 files from a typical IPA client node?


Hi,

you can retrieve the new cert using the GUI. Navigate to Identity tab, 
then Users or Hosts or Services and pick your user, host or service. 
You will find in the "Actions" button a command to "Get Certificate". 
This will open a new window with the content of the cert, that you can 
copy/paste into mycert.pem.


Once you have obtained mycert.pem, you can add it to the NSS database 
that you used previously in order to generate the CSR:

$ certutil -A -d path_to_database -i mycert.pem -t u,u,u -n mycert

Add IPA CA to the nss database:
$ certutil -A -d path_to_database -n "IPA CA" -t CT,, -a < /etc/ipa/ca.crt


Then pk12util and openssl will allow you to extract the key and certs 
through a temp keys.p12 file:

$ pk12util -o keys.p12 -n mycert -d path_to_database
$ openssl pkcs12 -in keys.p12 -out mykey.pem -nodes

The output is mykey.pem which contains the key, the new certificate 
and IPA CA certificate.


HTH,
Flo.


Merci!


Bret


On 09/27/2016 11:28 AM, Florence Blanc-Renaud wrote:

Hi Bret,

would the following be helpful? In "Linux Domain Identity,
Authentication, and Policy Guide", Chapter 17.1.1 Requesting New
Certificates for a User, Host, or Service [1]

Flo.

[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request 




On 09/27/2016 04:20 PM, Bret Wortman wrote:
Is there a guide anywhere for how to obtain an SSL certificate for a new
server & service from the IPA CA master? Most of the guides I'm seeing
online use web pages at the major CAs to do this and I'd like to keep it
in the family.

Thanks!


--
*Bret Wortman*

http://wrapbuddies.co/


Re: [Freeipa-users] How to get a new cert

2016-09-28 Thread Florence Blanc-Renaud

On 09/27/2016 08:00 PM, Bret Wortman wrote:

That looks like it worked, but I have a follow-on question:

I need to provide my RabbitMQ instance with a cacert file, a cert, and a
key file. These seem to be .pem files. Is there an easy way to gather
these 3 files from a typical IPA client node?


Hi,

you can retrieve the new cert using the GUI. Navigate to Identity tab, 
then Users or Hosts or Services and pick your user, host or service. You 
will find in the "Actions" button a command to "Get Certificate". This 
will open a new window with the content of the cert, that you can 
copy/paste into mycert.pem.


Once you have obtained mycert.pem, you can add it to the NSS database 
that you used previously in order to generate the CSR:

$ certutil -A -d path_to_database -i mycert.pem -t u,u,u -n mycert

Add IPA CA to the nss database:
$ certutil -A -d path_to_database -n "IPA CA" -t CT,, -a < /etc/ipa/ca.crt

Then pk12util and openssl will allow you to extract the key and certs 
through a temp keys.p12 file:

$ pk12util -o keys.p12 -n mycert -d path_to_database
$ openssl pkcs12 -in keys.p12 -out mykey.pem -nodes

The output is mykey.pem which contains the key, the new certificate and 
IPA CA certificate.


HTH,
Flo.


Merci!


Bret


On 09/27/2016 11:28 AM, Florence Blanc-Renaud wrote:

Hi Bret,

would the following be helpful? In "Linux Domain Identity,
Authentication, and Policy Guide", Chapter 17.1.1 Requesting New
Certificates for a User, Host, or Service [1]

Flo.

[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request


On 09/27/2016 04:20 PM, Bret Wortman wrote:

Is there a guide anywhere for how to obtain an SSL certificate for a new
server & service from the IPA CA master? Most of the guides I'm seeing
online use web pages at the major CAs to do this and I'd like to keep it
in the family.

Thanks!


--
*Bret Wortman*

http://wrapbuddies.co/
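RabbitMQ wants cacert, cert and key as three separate files, while the steps above end with one combined mykey.pem; this added example (not Flo's or Bret's code) splits such a file with the standard library, picking the CA block by fingerprint match against /etc/ipa/ca.crt and dropping the "Bag Attributes" text that `openssl pkcs12` emits. The PEM bodies are constructed placeholders rather than real certificates.

```python
"""Split the combined mykey.pem that the procedure above ends with into the
three files RabbitMQ asks for (cacert, cert, key). The CA block is recognised
by comparing its SHA-256 fingerprint with /etc/ipa/ca.crt; the remaining
certificate is the server cert; "Bag Attributes" and other text outside the
PEM markers is dropped.

Added example, not Flo's or Bret's code. The PEM payloads below are
constructed placeholder bytes, not real DER, so the structure can be shown
without embedding certificates."""
import base64
import hashlib
import os
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----\n?", re.S)


def _pem(kind, payload):
    """Wrap raw bytes as a PEM block (stand-in for what certutil/openssl emit)."""
    return f"-----BEGIN {kind}-----\n{base64.encodebytes(payload).decode()}-----END {kind}-----\n"


# Constructed: contents of /etc/ipa/ca.crt and of `openssl pkcs12 -nodes` output.
IPA_CA_CRT = _pem("CERTIFICATE", b"constructed IPA CA certificate")
COMBINED_PEM = (
    "Bag Attributes\n    friendlyName: mycert\n    localKeyID: 01 02 03\n"
    "subject=/O=EXAMPLE.TEST/CN=host.example.test\n"
    "issuer=/O=EXAMPLE.TEST/CN=Certificate Authority\n"
    + _pem("CERTIFICATE", b"constructed server certificate")
    + "Bag Attributes\n    friendlyName: IPA CA\n"
    + IPA_CA_CRT
    + "Bag Attributes\n    friendlyName: mycert\n    localKeyID: 01 02 03\n"
    "Key Attributes: <No Attributes>\n"
    + _pem("PRIVATE KEY", b"constructed private key")
)


def pem_blocks(text):
    """(type, block) for every PEM block; anything between blocks is ignored."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def fingerprint(block):
    """SHA-256 of the decoded body, in the AA:BB form `openssl x509 -fingerprint -sha256` prints."""
    body = "".join(PEM_BLOCK.search(block).group(2).split())
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def split_bundle(combined, ca_crt):
    """Sort blocks into cacert/cert/key. If the bundle has no copy of the CA
    (e.g. the `certutil -A ... "IPA CA"` step was skipped) fall back to ca_crt;
    refuse to guess when there is not exactly one key and one server cert."""
    ca_fp = fingerprint(ca_crt)
    out = {"cacert": None, "cert": None, "key": None}
    for kind, block in pem_blocks(combined):
        if kind.endswith("PRIVATE KEY"):
            slot = "key"
        elif kind == "CERTIFICATE":
            slot = "cacert" if fingerprint(block) == ca_fp else "cert"
        else:
            continue                      # CRLs and the like are not wanted
        if out[slot] is not None:
            raise ValueError(f"more than one candidate for {slot}")
        out[slot] = block
    if out["cacert"] is None:
        out["cacert"] = ca_crt
    missing = [k for k, v in out.items() if v is None]
    if missing:
        raise ValueError("bundle lacks: " + ", ".join(missing))
    return out


def write_files(parts, directory):
    """Write cacert.pem/cert.pem/key.pem; the private key is created mode 0600."""
    for name, block in parts.items():
        path = os.path.join(directory, f"{name}.pem")
        mode = 0o600 if name == "key" else 0o644
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(block)


if __name__ == "__main__":
    parts = split_bundle(COMBINED_PEM, IPA_CA_CRT)
    for name in ("cacert", "cert"):
        print(f"{name}: SHA256 {fingerprint(parts[name])}")
```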


Re: [Freeipa-users] How to get a new cert

2016-09-28 Thread Bret Wortman
Yeah, I'm still not getting this, and I'm probably missing something 
painfully obvious.


I follow the steps here:

1. Log into the server for which I need the cert.

2. # certutil -R -d /etc/pki/nssdb -a -g 2048 -s "CN=testesk1.internal.net,O=INTERNAL.NET" > ssl.csr


I then copy the contents of the csr file and paste it into the FreeIPA 
UI after selecting Actions->New Certificate from the Host Settings page.


3. I then click Actions->Get Certificate on that same page to extract 
the contents and paste it into a new .pem file on the requesting host.


But how do I get at the key that was used in the creation of this cert? 
I can get the cacert, and I've got the newly-issued cert, but what about 
the key?


Thanks!


Bret


On 09/27/2016 02:00 PM, Bret Wortman wrote:

That looks like it worked, but I have a follow-on question:

I need to provide my RabbitMQ instance with a cacert file, a cert, and 
a key file. These seem to be .pem files. Is there an easy way to 
gather these 3 files from a typical IPA client node?


Merci!


Bret


On 09/27/2016 11:28 AM, Florence Blanc-Renaud wrote:

Hi Bret,

would the following be helpful? In "Linux Domain Identity, 
Authentication, and Policy Guide", Chapter 17.1.1 Requesting New 
Certificates for a User, Host, or Service [1]


Flo.

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request


On 09/27/2016 04:20 PM, Bret Wortman wrote:
Is there a guide anywhere for how to obtain an SSL certificate for a new
server & service from the IPA CA master? Most of the guides I'm seeing
online use web pages at the major CAs to do this and I'd like to keep it
in the family.

Thanks!


--
*Bret Wortman*

http://wrapbuddies.co/


Re: [Freeipa-users] Replica created with expired certs

2016-09-28 Thread Rob Crittenden

Jim Richard wrote:

I have a master with apparently correct, non expired certs but when I
create a new replica master I end up with expired certs.
How is this possible, why and of course, how do I fix?


I assume you are running IPA v3.0.0?

The problem is that the root CA stash isn't updated when a replica file 
is prepared in that version (fixed in 3.3 IIRC). You can do this 
manually with something like:


# PKCS12Export -d /var/lib/pki-ca/alias -p /root/dbpass -w /root/dmpass -o /root/cacert.p12


where /root/dmpass is a file that contains the Directory Manager password.

Then rerun ipa-replica-prepare and things should work.

You can look at the certs in /root/cacert.p12 with pk12util to see the 
change.


rob



first set is the original master and the second is the certs I get on
the new replica

[root@sso-110:(NYM) nssdb]$ getcert list
Number of certificates and requests being tracked: 8.
Request ID '20140923213643':
 status: MONITORING
 stuck: no
 key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile
.txt'
 certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=PLACEIQ.NET 
 subject: CN=sso-110.nym1.placeiq.net
,O=PLACEIQ.NET 
 expires: 2018-08-28 10:36:04 UTC
 key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
 track: yes
 auto-renew: yes
Request ID '20140923213732':
 status: MONITORING
 stuck: no
 key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
 certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
 CA: dogtag-ipa-renew-agent
 issuer: CN=Certificate Authority,O=PLACEIQ.NET 
 subject: CN=sso-110.nym1.placeiq.net
,O=PLACEIQ.NET 
 expires: 2018-08-06 10:36:02 UTC
 key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes
Request ID '20140923213814':
 status: MONITORING
 stuck: no
 key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PLACEIQ-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PLACEIQ-NET
/pwdfile.txt'
 certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PLACEIQ-NET',nickname='Server-Cert',token='NSS
Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=PLACEIQ.NET 
 subject: CN=sso-110.nym1.placeiq.net
,O=PLACEIQ.NET 
 expires: 2018-08-28 10:36:04 UTC
 key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 pre-save command:
 post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
PLACEIQ-NET
 track: yes
 auto-renew: yes
Request ID '20140923213856':
 status: MONITORING
 stuck: no
 key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=PLACEIQ.NET 
 subject: CN=sso-110.nym1.placeiq.net
,O=PLACEIQ.NET 
 expires: 2018-08-28 10:36:04 UTC
 key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command: /usr/lib64/ipa/certmonger/restart_httpd
 track: yes
 auto-renew: yes
Request ID '20160119021025':
 status: MONITORING
 stuck: no
 key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
 certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
 CA: dogtag-ipa-renew-agent
 issuer: CN=Certificate Authority,O=PLACEIQ.NET 
 subject: CN=CA Audit,O=PLACEIQ.NET 
 expires: 2017-10-26 04:38:19 UTC
 key usage: 
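To compare what certmonger tracks on the master with what the replica ended up with, here is an added example (not Rob's or Jim's code) that parses `getcert list` output and reports expired or mismatched entries; the master sample is trimmed from the listing above and the replica sample is constructed.

```python
"""Read `getcert list` output (one field per line, as getcert prints it) and
compare a master's tracked certificates with a replica's by
(location, nickname), flagging anything expired or about to expire.

Added example, not Rob's or Jim's code. MASTER_SAMPLE is cut down from the
listing above; REPLICA_SAMPLE is constructed, with one already-expired cert
standing in for the symptom described."""
import re
from datetime import datetime, timezone

THREAD_DATE = datetime(2016, 9, 28, tzinfo=timezone.utc)   # "now" for the samples

MASTER_SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20140923213643':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2018-08-28 10:36:04 UTC
Request ID '20140923213732':
        status: MONITORING
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2018-08-06 10:36:02 UTC
"""

# Constructed replica listing: same nicknames, but the CA-subsystem cert is expired.
REPLICA_SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20160928120001':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2018-08-28 10:36:04 UTC
Request ID '20160928120002':
        status: MONITORING
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2016-01-10 10:36:02 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
STORAGE_RE = re.compile(r"location='([^']*)',nickname='([^']*)'")


def parse_getcert(text):
    """One dict per tracked request: request_id, status, location, nickname and
    expires (aware datetime, or None when getcert printed no date)."""
    records, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1), "expires": None}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "certificate":
            loc = STORAGE_RE.search(value)
            if loc:
                current["location"], current["nickname"] = loc.groups()
        elif key == "expires" and value:
            current["expires"] = datetime.strptime(
                value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        else:
            current[key] = value
    return records


def expiring(records, now=None, within_days=30):
    """(location, nickname, days_left) for certs already expired (negative) or
    expiring within `within_days`, soonest first."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for r in records:
        if r["expires"] is None:
            continue
        days_left = (r["expires"] - now).days
        if days_left <= within_days:
            hits.append((r.get("location"), r.get("nickname"), days_left))
    return sorted(hits, key=lambda h: h[2])


def compare(master, replica):
    """Expiry by (location, nickname) where master and replica disagree; None
    marks a cert tracked on one side only."""
    m = {(r.get("location"), r.get("nickname")): r["expires"] for r in master}
    r = {(x.get("location"), x.get("nickname")): x["expires"] for x in replica}
    return {key: (m.get(key), r.get(key)) for key in sorted(set(m) | set(r), key=str)
            if m.get(key) != r.get(key)}


if __name__ == "__main__":
    master, replica = parse_getcert(MASTER_SAMPLE), parse_getcert(REPLICA_SAMPLE)
    for loc, nick, days in expiring(replica, THREAD_DATE):
        print(f"{'EXPIRED' if days < 0 else 'expiring':8} {days:5d}d  {loc}  {nick}")
    for (loc, nick), (m_exp, r_exp) in compare(master, replica).items():
        print(f"mismatch {loc} {nick}: master={m_exp} replica={r_exp}")
```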

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Sumit Bose
On Wed, Sep 28, 2016 at 11:30:56AM +0200, Troels Hansen wrote:
> 
> > Yes, this makes sense as well. If you are not in the forest root you
> > first need a cross-realm TGT for your domain and the forest root. Then
> > you need a cross-realm TGT for the forest root and the IPA domain.
> > 
> > As a next step you should see a request to the IPA KDC to get the actual
> > service ticket for the host in the IPA domain.
> 
> Yes, this is the traffic that's never seen in the capture.
> It seems Windows(Putty) never asks for a host ticket for the IPA host. I 
> receive the krbtgt for the IPA domain, but never see any traffic from the 
> Windows client to IPA, and thus, never receive the host ticket on the 
> Windows client.

Please check the other traffic on the client after receiving the
cross-realm ticket for the IPA domain. Since the client gets the name of
the IPA realm from the AD DC in the last response I would expect that it
will try some DNS SRV lookups to find a KDC in the IPA realm.

HTH

bye,
Sumit

> 
> I'm not at all sure how Kerberos works in Putty, but it seems it uses its own 
> Kerberos libraries and that these fail.
> 
> A Linux host not joined to IPA, just installed with kerberos and using dns config in 
> krb5.conf, can kinit in the NET domain and ssh to IPA using kerberos just 
> fine, so it seems the problem just relates to putty.



Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Troels Hansen

> Yes, this makes sense as well. If you are not in the forest root you
> first need a cross-realm TGT for your domain and the forest root. Then
> you need a cross-realm TGT for the forest root and the IPA domain.
> 
> As a next step you should see a request to the IPA KDC to get the actual
> service ticket for the host in the IPA domain.

Yes, this is the traffic that's never seen in the capture.
It seems Windows(Putty) never asks for a host ticket for the IPA host. I 
receive the krbtgt for the IPA domain, but never see any traffic from the 
Windows client to IPA, and thus, never receive the host ticket on the Windows 
client.

I'm not at all sure how Kerberos works in Putty, but it seems it uses its own 
Kerberos libraries and that these fail.

A Linux host not joined to IPA, just installed with kerberos and using dns config in 
krb5.conf, can kinit in the NET domain and ssh to IPA using kerberos just fine, 
so it seems the problem just relates to putty.



Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Sumit Bose
On Wed, Sep 28, 2016 at 10:33:43AM +0200, Troels Hansen wrote:
> 
> 
> - On Sep 28, 2016, at 10:06 AM, Sumit Bose sb...@redhat.com wrote:
> > KRB5KRB_ERR-RESPONSE_TOO_BIG is an expected return code here. The
> > Kerberos communication is typically started via UDP. But the PAC data in
> > the ticket is typically larger than a single UDP packet. The KDC tells
> > the client with KRB5KRB_ERR-RESPONSE_TOO_BIG to switch to tcp so that the
> > response can be reliably sent in multiple tcp packets. If
> > KRB5KRB_ERR-RESPONSE_TOO_BIG is the last you see on the wire I would
> > suspect that port 88 tcp is blocked somewhere.
> > 
> 
> 
> Yes, you are absolutely correct. We actually switch to TCP after the initial 
> try on UDP.
> 
> I can see that we send a TGS-REQ over TCP to the AD for the current domain 
> (NET), and AD answers back with a TGS-REP where I can see "KerberosString" 
> for the root domain (PLACE), and we then ask the DC for PLACE, with a TGS-REQ 
> and get a TGS-REP with KerberosString for the IPA domain.
> 
> So, actually kerberos traffic seems to be OK

Yes, this makes sense as well. If you are not in the forest root you
first need a cross-realm TGT for your domain and the forest root. Then
you need a cross-realm TGT for the forest root and the IPA domain.

As a next step you should see a request to the IPA KDC to get the actual
service ticket for the host in the IPA domain.

bye,
Sumit



Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Troels Hansen


- On Sep 28, 2016, at 10:06 AM, Sumit Bose sb...@redhat.com wrote:
> KRB5KRB_ERR-RESPONSE_TOO_BIG is an expected return code here. The
> Kerberos communication is typically started via UDP. But the PAC data in
> the ticket is typically larger than a single UDP packet. The KDC tells
> the client with KRB5KRB_ERR-RESPONSE_TOO_BIG to switch to TCP so that the
> response can be reliably sent in multiple TCP packets. If
> KRB5KRB_ERR-RESPONSE_TOO_BIG is the last you see on the wire I would
> suspect that port 88 TCP is blocked somewhere.
> 


Yes, you are absolutely correct. We actually switch to TCP after the initial 
try on UDP.

I can see that we send a TGS-REQ over TCP to the AD for the current domain 
(NET), and AD answers back with a TGS-REP where I can see "KerberosString" for 
the root domain (PLACE), and we then ask the DC for PLACE, with a TGS-REQ, and 
get a TGS-REP with KerberosString for the IPA domain.

So, actually kerberos traffic seems to be OK



Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Sumit Bose
On Wed, Sep 28, 2016 at 09:19:37AM +0200, Troels Hansen wrote:
> 
> 
> - On Sep 26, 2016, at 1:30 PM, Sumit Bose sb...@redhat.com wrote:
> 
> > About the DNS SRV records, did you add matching records for _udp as
> > well? I'm not sure if the AD client will fallback to _tcp if they are
> > missing or just stop?
> > 
> 
> 
> Ok, finally got some time to debug this.
> 
> tcpdump'ing on the IPA server and logging in, and analyzing the traffic in 
> Wireshark, I can see some KRB5KDC_ERR_PREAUTH_REQUIRED traffic to both of 
> the KDCs as expected, followed by some AS-REQ and AS-REP, finally followed 
> by KRB5KRB_ERR-RESPONSE_TOO_BIG. The source MAC is a Cisco router despite the 
> server being HP, so somewhere in the network a Cisco router is breaking our 
> Kerberos.

KRB5KRB_ERR-RESPONSE_TOO_BIG is an expected return code here. The
Kerberos communication is typically started via UDP. But the PAC data in
the ticket is typically larger than a single UDP packet. The KDC tells
the client with KRB5KRB_ERR-RESPONSE_TOO_BIG to switch to TCP so that the
response can be reliably sent in multiple TCP packets. If
KRB5KRB_ERR-RESPONSE_TOO_BIG is the last you see on the wire I would
suspect that port 88 TCP is blocked somewhere.

HTH

bye,
Sumit

> 
> I'll start hunting a solution somewhere else but IPA..

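Sumit's two replies in this thread describe what a healthy exchange looks like on the wire: the KDC answers an oversized UDP reply with KRB5KRB_ERR-RESPONSE_TOO_BIG and the client retries over TCP (this message), and, for a client outside the forest root, a cross-realm TGT chain from its own domain to the forest root and on to the IPA realm, followed by a service-ticket request to the IPA KDC (his later reply above). The following checker is an added example, not code from the thread or from FreeIPA. It walks a simplified transcript of Kerberos messages, the kind of notes one takes from a tcpdump/Wireshark session, and reports which of those three steps is missing. The realm names (NET.EXAMPLE.TEST, PLACE.EXAMPLE.TEST, IPA.EXAMPLE.TEST), KDC names (dc1, rootdc, ipa1), the host principal and all message records are constructed for the example.

```python
"""Added example (not from the mailing-list thread or FreeIPA): check a
simplified Kerberos message transcript for the three things the replies
say to look for.  All realm/KDC names and messages are constructed."""

from dataclasses import dataclass

RESPONSE_TOO_BIG = "KRB5KRB_ERR_RESPONSE_TOO_BIG"


@dataclass
class KrbMsg:
    proto: str       # transport the message used: "udp" or "tcp"
    kdc: str         # KDC the client exchanged the message with (constructed name)
    realm: str       # realm that KDC serves
    msg_type: str    # "AS-REQ", "AS-REP", "TGS-REQ", "TGS-REP" or "KRB-ERROR"
    sname: str = ""  # service principal in a request/reply, e.g. krbtgt/TARGET@ISSUER
    error: str = ""  # error code when msg_type is "KRB-ERROR"


def tcp_fallback_missing(msgs):
    """KDCs that answered RESPONSE_TOO_BIG over UDP and were never contacted
    over TCP afterwards: the 'port 88/tcp blocked somewhere' symptom."""
    missing = []
    for i, m in enumerate(msgs):
        if m.msg_type == "KRB-ERROR" and m.error == RESPONSE_TOO_BIG and m.proto == "udp":
            retried = any(n.proto == "tcp" and n.kdc == m.kdc for n in msgs[i + 1:])
            if not retried and m.kdc not in missing:
                missing.append(m.kdc)
    return missing


def referral_chain(msgs, client_realm):
    """Realms reached through cross-realm TGTs, in order: each TGS-REP whose
    service is krbtgt/TARGET@ISSUER extends the chain by TARGET."""
    chain = [client_realm]
    for m in msgs:
        if m.msg_type == "TGS-REP" and m.sname.startswith("krbtgt/"):
            target = m.sname[len("krbtgt/"):].split("@", 1)[0]
            if target != chain[-1]:
                chain.append(target)
    return chain


def host_ticket_requested(msgs, ipa_realm, host_principal):
    """True if a TGS-REQ for the host service was sent to a KDC of the IPA realm."""
    return any(m.msg_type == "TGS-REQ" and m.realm == ipa_realm and m.sname == host_principal
               for m in msgs)


def diagnose(msgs, client_realm, ipa_realm, host_principal):
    """Return a list of finding codes; an empty list means the exchange looks complete."""
    findings = [f"no-tcp-retry:{kdc}" for kdc in tcp_fallback_missing(msgs)]
    chain = referral_chain(msgs, client_realm)
    if chain[-1] != ipa_realm:
        findings.append(f"chain-stops-at:{chain[-1]}")
    if not host_ticket_requested(msgs, ipa_realm, host_principal):
        findings.append("no-host-ticket-request")
    return findings


# Constructed realms: the client's own domain, its forest root, and the trusted IPA realm.
NET, PLACE, IPA = "NET.EXAMPLE.TEST", "PLACE.EXAMPLE.TEST", "IPA.EXAMPLE.TEST"
HOST = f"host/client.{IPA.lower()}@{IPA}"  # constructed IPA host principal


def _common_prefix():
    """AS exchange with the PREAUTH_REQUIRED round trip, the UDP->TCP switch, and
    the two cross-realm referrals (the TGS-REP sname is what the checker reads)."""
    return [
        KrbMsg("udp", "dc1", NET, "AS-REQ"),
        KrbMsg("udp", "dc1", NET, "KRB-ERROR", error="KRB5KDC_ERR_PREAUTH_REQUIRED"),
        KrbMsg("udp", "dc1", NET, "AS-REQ"),
        KrbMsg("udp", "dc1", NET, "KRB-ERROR", error=RESPONSE_TOO_BIG),
        KrbMsg("tcp", "dc1", NET, "AS-REQ"),
        KrbMsg("tcp", "dc1", NET, "AS-REP", sname=f"krbtgt/{NET}@{NET}"),
        KrbMsg("tcp", "dc1", NET, "TGS-REQ", sname=f"krbtgt/{IPA}@{NET}"),
        KrbMsg("tcp", "dc1", NET, "TGS-REP", sname=f"krbtgt/{PLACE}@{NET}"),    # referral to root
        KrbMsg("tcp", "rootdc", PLACE, "TGS-REQ", sname=f"krbtgt/{IPA}@{PLACE}"),
        KrbMsg("tcp", "rootdc", PLACE, "TGS-REP", sname=f"krbtgt/{IPA}@{PLACE}"),  # TGT for IPA realm
    ]


# Complete login: the client finally asks the IPA KDC for the host ticket.
COMPLETE = _common_prefix() + [
    KrbMsg("tcp", "ipa1", IPA, "TGS-REQ", sname=HOST),
    KrbMsg("tcp", "ipa1", IPA, "TGS-REP", sname=HOST),
]
# The symptom from this thread: referrals succeed, but no host ticket is ever requested.
NO_HOST_REQUEST = _common_prefix()
# Port 88/tcp blocked: RESPONSE_TOO_BIG is the last thing seen from dc1.
TCP_BLOCKED = _common_prefix()[:4]

if __name__ == "__main__":
    for name, trace in [("complete", COMPLETE), ("no-host-request", NO_HOST_REQUEST),
                        ("tcp-blocked", TCP_BLOCKED)]:
        print(name, diagnose(trace, NET, IPA, HOST) or "ok")
```

The checker only looks at the message type, transport and service name, so a real transcript can be fed to it by transcribing those fields from the Wireshark `kerberos` dissector columns; the TGS-REQ for the host principal being absent from the IPA KDC's side is exactly the gap reported in the Putty case.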


Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Troels Hansen


- On Sep 26, 2016, at 1:30 PM, Sumit Bose sb...@redhat.com wrote:

> About the DNS SRV records, did you add matching records for _udp as
> well? I'm not sure if the AD client will fallback to _tcp if they are
> missing or just stop?
> 


Ok, finally got some time to debug this.

tcpdump'ing on the IPA server and logging in, and analyzing the traffic in 
Wireshark, I can see some KRB5KDC_ERR_PREAUTH_REQUIRED traffic to both of 
the KDCs as expected, followed by some AS-REQ and AS-REP, finally followed by 
KRB5KRB_ERR-RESPONSE_TOO_BIG. The source MAC is a Cisco router despite the server 
being HP, so somewhere in the network a Cisco router is breaking our Kerberos.

I'll start hunting a solution somewhere else but IPA..
