Re: [Freeipa-users] FreeIpa Server + NFSv4 Kerberos mount problem.

2016-10-08 Thread Alan Latteri
I think your problem is FreeNAS and not IPA itself.  In FreeNAS 10 they will
have built in IPA functionality.
> On Oct 8, 2016, at 5:47 PM, Arthur Morales Sampaio  wrote:
> 
> Good morning, my name is Arthur and I am working on the integration of 
> FreeIPA and NFSv4 mounting for home directory sharing for authenticated users.
> 
> This is the first time I am doing this so the problem could be simple. It's 
> been already a week that I have been struggling with this and I don't know 
> where else to ask for help. I have read pretty much everything that is to be 
> read online regarding Freeipa integration.
> 
> Here is my scenario:
> - FreeIPA server 4.2.0 - Centos7
> - FreeNAS (NFSv4 server) 10 - FreeBSD (bundled with FreeNAS)
> - Client Ubuntu 16.04. Installed IPA client using ipa-client-install and 
> imported LDAP credentials. Kerberos login is working properly; I can log into
> the machines using IPA users. But can't mount NFS4 using sec=krb5 option.
> 
> I have a functional FreeIPA server with Kerberos authentication working 
> properly. But I can't get NFSv4 authenticated to work in freeipa-clients. 
> 
> Following is the error that I am getting:
> 
> 
> 
> I know that this might not be enough detail for me to get help for this 
> problem. But the thing is that I don't know how to enable a more verbose
> functionality for this.
> 
> The desired behavior would be to create mounts for home directories of users 
> and enable kerberos security to mount them. Meaning that I need only the 
> owners to be able to mount them. 
> 
> This is something that is very confusing for me. Wouldn't I be required to 
> somehow pass to the mount command the username or any credentials of the 
> kerberos user just so the NFS server would know WHO is trying to mount the 
> directory?
> 
> I really exhausted my resources in trying to fix this issue. 
> 
> Does FreeIPA work with NFSv4? 
> 
> I sincerely appreciate your help on this one.
> 
> Best regards,
> Arthur
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project


[Freeipa-users] FreeIpa Server + NFSv4 Kerberos mount problem.

2016-10-08 Thread Arthur Morales Sampaio
Good morning, my name is Arthur and I am working on the integration of
FreeIPA and NFSv4 mounting for home directory sharing for authenticated
users.

This is the first time I am doing this so the problem could be simple. It's
been already a week that I have been struggling with this and I don't know
where else to ask for help. I have read pretty much everything that is to
be read online regarding Freeipa integration.

Here is my scenario:
- FreeIPA server 4.2.0 - Centos7
- FreeNAS (NFSv4 server) 10 - FreeBSD (bundled with FreeNAS)
- Client Ubuntu 16.04. Installed IPA client using ipa-client-install and
imported LDAP credentials. Kerberos login is working properly; I can log
into the machines using IPA users. But can't mount NFS4 using sec=krb5
option.

I have a functional FreeIPA server with Kerberos authentication working
properly. But I can't get NFSv4 authenticated to work in freeipa-clients.

Following is the error that I am getting:



I know that this might not be enough detail for me to get help for this
problem. But the thing is that I don't know how to enable a more verbose
functionality for this.

The desired behavior would be to create mounts for home directories of
users and enable kerberos security to mount them. Meaning that I need only
the owners to be able to mount them.

This is something that is very confusing for me. Wouldn't I be required to
somehow pass to the mount command the username or any credentials of the
kerberos user just so the NFS server would know *WHO* is trying to mount
the directory?

I really exhausted my resources in trying to fix this issue.

Does FreeIPA work with NFSv4?

I sincerely appreciate your help on this one.

Best regards,
Arthur

Re: [Freeipa-users] certificate list problems using web ui after upgrading to FreeIPA 4.2.0-15 SOLVED

2016-10-08 Thread Marco Antonio Carcano

Thank you Fraser,

it's solved - despite the error about replacing Jettison with Jackson

pki-server-upgrade

Upgrading from version 10.1.99 to 10.2.0:
1. Move web application context file (Yes/No) [Y]: Y
2. Replace Jettison with Jackson (Yes/No) [Y]: Y
ERROR:
Failed upgrading pki-tomcat instance. Continue (Yes/No) [Y]? Y
3. Added RESTEasy client (Yes/No) [Y]: Y
4. Replace RESTEasy application class (Yes/No) [Y]: Y
5. Remove config path from web.xml (Yes/No) [Y]: Y

Upgrading from version 10.2.0 to 10.2.1:
1. Add TLS Range Support (Yes/No) [Y]: Y

Upgrading from version 10.2.1 to 10.2.2:
1. Add TLS Range Support (Yes/No) [Y]: Y

Upgrading from version 10.2.2 to 10.2.3:
1. Move Web application deployment locations (Yes/No) [Y]: Y
2. Enabled Web application auto deploy (Yes/No) [Y]: Y
3. Remove dependency on Jackson 2 (Yes/No) [Y]: Y

Upgrading from version 10.2.3 to 10.2.4:
1. Fix instance work folder ownership (Yes/No) [Y]: Y
2. Fix bindPWPrompt for internalDB (Yes/No) [Y]: Y

Upgrading from version 10.2.4 to 10.2.5:
1. Add missing OCSP Get Servlet Mapping to upgraded Dogtag 9 instances (Yes/No) [Y]: Y
2. Fix nuxwdog listener class (Yes/No) [Y]: Y

Upgrading from version 10.2.5 to 10.2.5:
1. Add new KRA audit events (Yes/No) [Y]: Y

pki-tomcat instance:
  Configuration version: 10.1.99
  Last completed scriptlet: 1

pki-tomcat/ca subsystem:
  Configuration version: 10.2.5

Upgrade incomplete.



On 05/10/16 02:20, Fraser Tweedale wrote:

On Thu, Sep 29, 2016 at 11:13:22PM +0200, Marco Antonio Carcano wrote:

Hi all,

I’ve just upgraded from FreeIPA 4.1 to FreeIPA 4.2.0-15 on a CentOS 7
(7.2.1511) and I’m no longer able to list certificates using the web ui

when I go to “Authentication”, “Certificates” and choose “Certificates” I
get the following error

Certificate operation cannot be completed: Unable to communicate with CMS
(Internal Server Error)

and tomcat logs contain the following exception:

Sep 29, 2016 4:54:35 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Allocate exception for servlet Resteasy
java.lang.ClassNotFoundException: com.netscape.ca.CertificateAuthorityApplication
 at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1720)
 at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
 at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:28
 at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:95)
 at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:606)
 at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
 at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
 at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
 at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
 at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
 at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
 at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
 at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:864)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:134)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:40
 at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
 at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
 at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
 at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
 at