Re: [Freeipa-users] Would fixing hosts file break kerberos

2016-11-18 Thread Simo Sorce
On Thu, 2016-11-17 at 15:53 -0500, William Muriithi wrote:
> Afternoon.
> 
> I just noticed that I used inappropriate way of setting up my hosts
> files and I am planning to make a fix.  I am however worried this may
> break Kerberos.  Should this change be of concern and have anyone made
> the changes before?
> 
> My current /etc/hosts are as follows:
> 192.168.20.2 ipa  ipa.example.com
> 
> I am planning to change them so that the above line looks like this:
> 192.168.20.2 ipa.example.com  ipa

The former may actually break things, the second should "fix" them ...
unless you depended on the incorrect configuration in some way ...

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
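
What the ordering change does for Kerberos, as an added example that is not part of the thread and not FreeIPA code: the glibc "files" resolver backend reports the first name after the address as the canonical name (gethostbyaddr's h_name, and the AI_CANONNAME result of getaddrinfo), and libkrb5 derives host-based service principals from that canonical name. With the old line the principal comes out as host/ipa@REALM, which the KDC does not have; with the new line it is host/ipa.example.com@REALM. The script mimics that lookup on both layouts and lints a hosts file for short canonical names. The realm EXAMPLE.COM and the loopback line are assumptions, and the sample lines are constructed from the question.

```python
"""Lint /etc/hosts for the name ordering that breaks Kerberos host principals.

Added example, not code from the thread or from FreeIPA. The glibc 'files'
resolver backend reports the first name after the address as the canonical
name (gethostbyaddr's h_name and getaddrinfo's AI_CANONNAME result), and
libkrb5 builds host-based service principals from that canonical name. The
realm and the loopback line below are assumptions.
"""
import ipaddress

# Constructed samples: the 'before' and 'after' lines from the question.
SAMPLE_BEFORE = """\
127.0.0.1 localhost localhost.localdomain
192.168.20.2 ipa  ipa.example.com
"""
SAMPLE_AFTER = """\
127.0.0.1 localhost localhost.localdomain
192.168.20.2 ipa.example.com  ipa
"""


def parse_hosts(text):
    """Return (address, canonical_name, aliases) for each usable hosts line."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; skip the line
        entries.append((addr, fields[1], fields[2:]))
    return entries


def canonical_name(text, address):
    """What a reverse lookup of 'address' returns through the files backend: first match wins."""
    wanted = ipaddress.ip_address(address)
    for addr, canonical, _aliases in parse_hosts(text):
        if addr == wanted:
            return canonical
    return None


def service_principal(text, address, service="host", realm="EXAMPLE.COM"):
    """Principal libkrb5 derives for the host at 'address' (rdns canonicalisation assumed)."""
    name = canonical_name(text, address)
    return None if name is None else "%s/%s@%s" % (service, name.lower(), realm)


def lint_hosts(text):
    """Warnings for non-loopback lines whose canonical name is not an FQDN, and for names mapped twice."""
    warnings, seen = [], {}
    for addr, canonical, aliases in parse_hosts(text):
        if addr.is_loopback:
            continue
        if "." not in canonical:
            fqdn = [a for a in aliases if "." in a]
            hint = " (move %s first)" % fqdn[0] if fqdn else ""
            warnings.append("%s: canonical name %r is not an FQDN%s" % (addr, canonical, hint))
        for name in (canonical, *aliases):
            if name in seen and seen[name] != addr:
                warnings.append("%s: %r is also mapped to %s" % (addr, name, seen[name]))
            seen.setdefault(name, addr)
    return warnings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, service_principal(text, "192.168.20.2"), lint_hosts(text) or "ok")
```

Run it against a real file with `lint_hosts(open("/etc/hosts").read())`; any warning it prints is a host whose keytab entries will not match what a client asks the KDC for.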


[Freeipa-users] FreeIPA 3 to FreeIPA 4 migration and Kerberos realm is a forwarded zone

2016-11-18 Thread Michael Plemmons
Hello,

My existing FreeIPA 3.0 (CentOS 6) setup is as follows:

Kerberos Realm: test.com
I have several DNS zones
test.com
dev.test.com
stage.test.com
qa.test.com
prod.test.com
mgmt.test.com

ipa01.mgmt.test.com - FreeIPA 3.0 Master
ipa02.mgmt.test.com - FreeIPA 3.0 Replica

The FreeIPA servers actually reside in mgmt.test.com.  test.com in FreeIPA
3 has forwarding DNS servers configured.

We are going to move to FreeIPA 4.2 (CentOS 7) and here is the path I have
tested that appears to work.

I followed this guide.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html


1 Create an IPA 4 server (ipa03.mgmt.test.com) that is a replica of the IPA
3 master server (ipa01.mgmt.test.com)
2 Remove replica agreement for ipa02.mgmt.test.com on IPA 3 master (
ipa01.mgmt.test.com)
3 Shutdown ipa02.mgmt.test.com to prep for an IPA 4 server to take its place
4 Build a new server and install IPA 4 server that will become a new
ipa02.mgmt.test.com
5 Make ipa02.mgmt.test.com a replica of ipa03.mgmt.test.com
6 Make ipa02.mgmt.test.com the master CRL server instead of
ipa01.mgmt.test.com
7 Shutdown ipa01.mgmt.test.com to prep for an IPA 4 server to take its place
8 Build a new server and install IPA 4 server that will become a new
ipa01.mgmt.test.com
9 Make ipa01.mgmt.test.com a replica of ipa02.mgmt.test.com

The reason for removing old servers to take the place of new servers is so
that I can reuse the IP addresses and do not need to change DNS entries on
any client

The problem occurs when I realize that the test.com zone needs to be a
forwarded zone in IPA 4 but in IPA 3 it is a normal DNS zone and I need to
have test.com be a forwarded zone.  In IPA 3 there is no entry for
ipa-ca.test.com but I do see it in IPA 4.  In my testing I have removed the
test.com zone and made it a forwarding zone but that removes the entry for
ipa-ca.test.com as well as all the test.com kerberos entries.

What I do not know is what did I break when I removed test.com since it is
the Kerberos realm.  It appears that replication between the servers still
works and I was able to add an IPA 4 client server without issue.  We plan
on using certs generated from IPA 4 for OpenVPN but I do not have enough
information to know if the removal of the test.com zone will break that
certificate validation and revocation since the ipa-ca.test.com DNS entry
no longer exists.

I believe where I went wrong was that I should have setup mgmt.test.com as
the Kerberos realm rather than test.com and I would not have the questions
I do now.

Thank you for your help.

*Mike Plemmons | Senior DevOps Engineer*
614-741-5475
mike.plemm...@crosschx.com
www.crosschx.com

[Freeipa-users] Is there an simple way to add in sudo time window options in FreeIPA?

2016-11-18 Thread Robert Kleinberg
Would like to establish valid sudo usage windows with sudonotbefore and
sudonotafter options.  However, I did not see an easy way to set this up
other than via a sudo options text entry line.  Is there another
menu-driven way that shows a schedule of allowed times?

Bob Kleinberg
Lead System Engineer
KEYW Corporation | www.keywcorp.com
7740 Milestone Parkway, Suite 400 | Hanover, MD 21076
443-737-9703

[Freeipa-users] LDAP bind permitted for expired passwords

2016-11-18 Thread Brian Candler
Looking at FreeIPA 4.2 under CentOS 7: I find that LDAP simple binds 
succeed even for DNs whose krbPasswordExpiration time has passed. Is 
this fixed, or is it possible to change this?


The reason I ask is because some applications use LDAP bind as a 
password validation oracle: for example, if you configure a Sophos UTM 
to use LDAP, it works this way.


I realise that an LDAP bind doesn't give a way to prompt the user to 
change their password. However, a failure could be used to force the 
user to go to the web UI to reset it (and you could always notify people 
by E-mail if their password is about to expire)


Thanks,

Brian.

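
The sudo time-window question and the expired-password bind question above both come down to comparing an LDAP GeneralizedTime attribute with the current time, so one added example (not sudo, SSSD or FreeIPA code) covers both: sudoNotBefore / sudoNotAfter from the sudoers LDAP schema, which sudo evaluates on the client when time-dependent entries are enabled (sudoers_timed in ldap.conf for its ldap backend), and krbPasswordExpiration, which an application that uses a simple bind as a password oracle has to read and compare itself, since the bind alone does not fail. The rule, the user entry and the timestamps are constructed; whether the binding account may read krbPasswordExpiration depends on the deployment's ACIs, which the example does not address.

```python
"""Evaluate LDAP GeneralizedTime windows: sudo rule validity and password expiry.

Added example, not sudo/SSSD/FreeIPA code. sudoNotBefore/sudoNotAfter and
krbPasswordExpiration are all stored as RFC 4517 GeneralizedTime, so one
parser serves both checks. Sample rule/entry values are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# GeneralizedTime: YYYYMMDDHH[MM[SS]][.fraction](Z|+hhmm|-hhmm), e.g. 20161118153000Z
_GT = re.compile(
    r"^(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})(?P<h>\d{2})"
    r"(?:(?P<mi>\d{2})(?P<s>\d{2})?)?(?:[.,](?P<frac>\d+))?(?P<tz>Z|[+-]\d{4})$"
)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime helper used for 'now' in the checks."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string into an aware UTC datetime."""
    m = _GT.match(value.strip())
    if not m:
        raise ValueError("not an LDAP GeneralizedTime: %r" % value)
    dt = datetime(int(m.group("y")), int(m.group("mo")), int(m.group("d")),
                  int(m.group("h")), int(m.group("mi") or 0), int(m.group("s") or 0))
    if m.group("frac"):
        # The fraction belongs to the last component that was given.
        f = int(m.group("frac")) / 10 ** len(m.group("frac"))
        if m.group("s") is not None:
            dt += timedelta(seconds=f)
        elif m.group("mi") is not None:
            dt += timedelta(minutes=f)
        else:
            dt += timedelta(hours=f)
    tz = m.group("tz")
    if tz != "Z":
        sign = 1 if tz[0] == "+" else -1
        dt -= sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    return dt.replace(tzinfo=timezone.utc)


def sudo_rule_active(rule, now):
    """True when 'now' lies in the rule's sudoNotBefore/sudoNotAfter window.

    A missing bound is open-ended (a rule without the attributes is always
    active); sudoNotAfter is treated as exclusive.
    """
    not_before = rule.get("sudoNotBefore")
    not_after = rule.get("sudoNotAfter")
    if not_before and now < parse_generalized_time(not_before):
        return False
    if not_after and now >= parse_generalized_time(not_after):
        return False
    return True


def password_expired(entry, now):
    """True when krbPasswordExpiration is in the past; no attribute means no expiry."""
    expires = entry.get("krbPasswordExpiration")
    return bool(expires) and parse_generalized_time(expires) <= now


def password_valid_after_bind(bind_succeeded, entry, now):
    """The decision an application using simple bind as a password oracle should make."""
    return bool(bind_succeeded) and not password_expired(entry, now)


# Constructed sample objects (attribute names as in the sudoers LDAP schema and FreeIPA).
MAINTENANCE_RULE = {"cn": "weekend-maintenance",
                    "sudoNotBefore": "20161119000000Z",
                    "sudoNotAfter": "20161121000000Z"}
USER_ENTRY = {"uid": "alice", "krbPasswordExpiration": "20161118120000Z"}

if __name__ == "__main__":
    now = utc(2016, 11, 18, 15, 30)
    print("rule active:", sudo_rule_active(MAINTENANCE_RULE, now))
    print("bind ok but password expired:", password_expired(USER_ENTRY, now))
```

In an application, call password_valid_after_bind with the bind result and the user's entry fetched right after the bind; a False there is the failure the post suggests using to send the user to the web UI.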


Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Rob Crittenden
Morgan Marodin wrote:
> What do you mean with backup database?
> 
> Updating again the mod_nss RPM, Apache doesn't start ... so, this is the
> problem.

You said "and restoring the original /etc/httpd/alias/ folder". Original
from what, where did that come from?

So merely updating mod_nss breaks things? Strange. What is the working
version? rpm -q mod_nss

rob

> 
> 2016-11-18 15:43 GMT+01:00 Rob Crittenden:
> 
> Morgan Marodin wrote:
> > It works!
> > Thanks for your support.
> >
> > Anyway, I will try to update again the mod_nss package! :D
> 
> Glad it's working for you. I'm curious what the backup database was for.
> Did you create that?
> 
> rob
> 
> > Bye!
> >
> >
> > 2016-11-18 15:21 GMT+01:00 Morgan Marodin:
> >
> > A little good news.
> >
> > Downgrading the mod_nss RPM package, and restoring the original
> > /etc/httpd/alias folder, ipa-server-upgrade procedure has
> > finished well:
> > # ipa-server-upgrade
> > Upgrading IPA:
> >   [1/10]: stopping directory server
> >   [2/10]: saving configuration
> >   [3/10]: disabling listeners
> >   [4/10]: enabling DS global lock
> >   [5/10]: starting directory server
> >   [6/10]: updating schema
> >   [7/10]: upgrading server
> >   [8/10]: stopping directory server
> >   [9/10]: restoring configuration
> >   [10/10]: starting directory server
> > Done.
> > Update complete
> > Upgrading IPA services
> > Upgrading the configuration of the IPA services
> > [Verifying that root certificate is published]
> > [Migrate CRL publish directory]
> > CRL tree already moved
> > [Verifying that CA proxy configuration is correct]
> > [Verifying that KDC configuration is using ipa-kdb backend]
> > [Fix DS schema file syntax]
> > Syntax already fixed
> > [Removing RA cert from DS NSS database]
> > RA cert already removed
> > [Enable sidgen and extdom plugins by default]
> > [Updating HTTPD service IPA configuration]
> > [Updating mod_nss protocol versions]
> > Protocol versions already updated
> > [Updating mod_nss cipher suite]
> > [Fixing trust flags in /etc/httpd/alias]
> > Trust flags already processed
> > [Exporting KRA agent PEM file]
> > KRA is not enabled
> > [Removing self-signed CA]
> > [Removing Dogtag 9 CA]
> > [Checking for deprecated KDC configuration files]
> > [Checking for deprecated backups of Samba configuration files]
> > [Setting up Firefox extension]
> > [Add missing CA DNS records]
> > IPA CA DNS records already processed
> > [Removing deprecated DNS configuration options]
> > [Ensuring minimal number of connections]
> > [Enabling serial autoincrement in DNS]
> > [Updating GSSAPI configuration in DNS]
> > [Updating pid-file configuration in DNS]
> > [Checking global forwarding policy in named.conf to avoid conflicts
> > with automatic empty zones]
> > Global forward policy in named.conf will be changed to "only" to
> > avoid conflicts with automatic empty zones
> > [Adding server_id to named.conf]
> > Changes to named.conf have been made, restart named
> > Custodia service is being configured
> > Configuring ipa-custodia
> >   [1/5]: Generating ipa-custodia config file
> >   [2/5]: Making sure custodia container exists
> >   [3/5]: Generating ipa-custodia keys
> >   [4/5]: starting ipa-custodia
> >   [5/5]: configuring ipa-custodia to start on boot
> > Done configuring ipa-custodia.
> > [Upgrading CA schema]
> > CA schema update complete
> > [Verifying that CA audit signing cert has 2 year validity]
> > [Update certmonger certificate renewal configuration to version 5]
> > Configuring certmonger to stop tracking system certificates for CA
> > Certmonger certificate renewal configuration updated to version 5
> > [Enable PKIX certificate path discovery and validation]
> > PKIX already enabled
> > [Authorizing RA Agent to modify profiles]
> > [Authorizing RA Agent to manage lightweight CAs]
> > [Ensuring Lightweight CAs container exists in Dogtag database]
> > [Adding default OCSP URI configuration]
> > pki-tomcat configuration changed, restart pki-tomcat
> > [Ensuring CA is using LDAPProfileSubsystem]
> > [Migrating certificate profiles to LDAP]
> > [Ensuring presence of included profiles]
>  

Re: [Freeipa-users] Getting "Your session has expired. Please re-login." when trying to access IPA Replica

2016-11-18 Thread deepak dimri
Got it working, after uninstalling and reinstalling the replica. Not sure
why it did not work at the first place...

On Fri, Nov 18, 2016 at 7:15 PM, deepak dimri wrote:

> Hello All,
>
> I have IPA Master deployed in AWS US West region and replica in US East
> region. The replication installation went successfully, however when I am
> trying to access the replication web UI (after making proxypass changes
> etc.) I am getting an error. I have ProxyPassReverseCookieDomain set
> correctly but still I get the error. Master & Replica are time
> synchronized. Can someone please help me with this?  I have tried it in all
> kinds of browsers but no luck.
>
> i have followed this document in setting up the reverse proxy
> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name.
>
> Thanks,
> Deepak
>

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Rob Crittenden
Morgan Marodin wrote:
> It works!
> Thanks for your support.
> 
> Anyway, I will try to update again the mod_nss package! :D

Glad it's working for you. I'm curious what the backup database was for.
Did you create that?

rob

> Bye!
> 
> 
> 2016-11-18 15:21 GMT+01:00 Morgan Marodin:
> 
> A little good news.
> 
> Downgrading the mod_nss RPM package, and restoring the original
> /etc/httpd/alias folder, ipa-server-upgrade procedure has
> finished well:
> # ipa-server-upgrade
> Upgrading IPA:
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
>   [4/10]: enabling DS global lock
>   [5/10]: starting directory server
>   [6/10]: updating schema
>   [7/10]: upgrading server
>   [8/10]: stopping directory server
>   [9/10]: restoring configuration
>   [10/10]: starting directory server
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Updating mod_nss cipher suite]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> [Removing self-signed CA]
> [Removing Dogtag 9 CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Enabling serial autoincrement in DNS]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Checking global forwarding policy in named.conf to avoid conflicts
> with automatic empty zones]
> Global forward policy in named.conf will be changed to "only" to
> avoid conflicts with automatic empty zones
> [Adding server_id to named.conf]
> Changes to named.conf have been made, restart named
> Custodia service is being configured
> Configuring ipa-custodia
>   [1/5]: Generating ipa-custodia config file
>   [2/5]: Making sure custodia container exists
>   [3/5]: Generating ipa-custodia keys
>   [4/5]: starting ipa-custodia
>   [5/5]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> [Upgrading CA schema]
> CA schema update complete
> [Verifying that CA audit signing cert has 2 year validity]
> [Update certmonger certificate renewal configuration to version 5]
> Configuring certmonger to stop tracking system certificates for CA
> Certmonger certificate renewal configuration updated to version 5
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Adding default OCSP URI configuration]
> pki-tomcat configuration changed, restart pki-tomcat
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> Default CA ACL already added
> [Set up lightweight CA key retrieval]
> Creating principal
> Retrieving keytab
> Creating Custodia keys
> Configuring key retriever
> The IPA services were upgraded
> The ipa-server-upgrade command was successful
> 
> And Apache has started, BUT there is a problem with the web certificate:
> # tail -f /var/log/httpd/error_log
> [Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to child 2 established (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
> [Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input filter read failed.
> [Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
> [Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to child 2 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
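
A check for the -12285 error quoted above, as an added example that is not from the thread or from FreeIPA: NSS error -12285 is SSL_ERROR_NO_CERTIFICATE, "Unable to find the certificate or key necessary for authentication", which mod_nss raises when the NSSNickname in nss.conf has no usable certificate-plus-private-key pair in the NSSCertificateDatabase directory. `certutil -V` only validates the certificate chain and says nothing about the key; in `certutil -L` output the "u" trust flag marks certificates whose private key is present in the database, so comparing the configured nickname against that listing finds the gap (for the earlier "server key database has not been initialized" message, the complementary check is that `certutil -K -d /etc/httpd/alias -f <password file>` can open the key database at all). The nss.conf fragment and the certutil listing below are constructed; Server-Cert is FreeIPA's default httpd nickname.

```python
"""Tell whether mod_nss can find a certificate AND key for its NSSNickname.

Added example, not FreeIPA tooling. NSS error -12285 (SSL_ERROR_NO_CERTIFICATE,
"Unable to find the certificate or key necessary for authentication") means
the nickname mod_nss was told to use has no usable cert+key pair in the
database. `certutil -V` validates the certificate only; the 'u' trust flag in
`certutil -L` output is what says the private key is present.
"""
import re
import subprocess

# Constructed fragment of /etc/httpd/conf.d/nss.conf (FreeIPA's default
# nickname is Server-Cert; the path is FreeIPA's httpd NSS database).
SAMPLE_NSS_CONF = """\
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert
"""

# Constructed `certutil -L -d /etc/httpd/alias` listing reproducing the
# failure: Server-Cert is present but carries no 'u' flag, i.e. no private key.
SAMPLE_CERTUTIL_L = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA.MYDOMAIN.COM IPA CA                                      CT,C,C
Server-Cert                                                  ,,
ipaCert                                                      u,u,u
"""


def parse_certutil_list(output):
    """Map nickname -> (SSL, S/MIME, JAR/XPI) trust strings from certutil -L output."""
    certs = {}
    for line in output.splitlines():
        if not line.strip() or line.lstrip().startswith(("Certificate Nickname", "SSL,S/MIME")):
            continue
        nickname, _, flags = line.rstrip().rpartition(" ")
        parts = flags.split(",")
        if len(parts) != 3:
            continue  # not a listing line
        certs[nickname.rstrip()] = tuple(parts)  # nicknames may contain spaces
    return certs


def configured_nickname(nss_conf_text):
    """NSSNickname from nss.conf; the last directive wins, as in Apache."""
    nickname = None
    for line in nss_conf_text.splitlines():
        m = re.match(r'\s*NSSNickname\s+"?([^"#]+?)"?\s*$', line)
        if m:
            nickname = m.group(1)
    return nickname


def diagnose(nss_conf_text, certutil_output):
    """One-line verdict for the configured nickname."""
    nickname = configured_nickname(nss_conf_text)
    if nickname is None:
        return "no NSSNickname directive in nss.conf"
    certs = parse_certutil_list(certutil_output)
    if nickname not in certs:
        return "nickname %r is not in the certificate database" % nickname
    if "u" not in "".join(certs[nickname]):
        return ("nickname %r has a certificate but no private key (trust %s); "
                "mod_nss will fail with -12285" % (nickname, ",".join(certs[nickname])))
    return "nickname %r has certificate and private key; mod_nss can use it" % nickname


def run_certutil_list(dbdir):
    """Run the real listing (certutil from nss-tools). Not used by the sample run."""
    return subprocess.check_output(["certutil", "-L", "-d", dbdir], universal_newlines=True)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: nss_nick_check.py /etc/httpd/conf.d/nss.conf /etc/httpd/alias
        with open(sys.argv[1]) as f:
            print(diagnose(f.read(), run_certutil_list(sys.argv[2])))
    else:
        print(diagnose(SAMPLE_NSS_CONF, SAMPLE_CERTUTIL_L))
```

If the verdict is "certificate but no private key", restoring the database directory from a backup that still holds the key (or re-issuing the certificate into the database that holds the key) is the repair; copying only the certificate into a fresh directory, as tried earlier in this thread, reproduces the error.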
> 

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
It works!
Thanks for your support.

Anyway, I will try to update again the mod_nss package! :D
Bye!


2016-11-18 15:21 GMT+01:00 Morgan Marodin:

> A little good news.
>
> Downgrading the mod_nss RPM package, and restoring the original
> /etc/httpd/alias folder, ipa-server-upgrade procedure has finished
> well:
>
> # ipa-server-upgrade
> Upgrading IPA:
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
>   [4/10]: enabling DS global lock
>   [5/10]: starting directory server
>   [6/10]: updating schema
>   [7/10]: upgrading server
>   [8/10]: stopping directory server
>   [9/10]: restoring configuration
>   [10/10]: starting directory server
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Updating mod_nss cipher suite]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> [Removing self-signed CA]
> [Removing Dogtag 9 CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Enabling serial autoincrement in DNS]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Checking global forwarding policy in named.conf to avoid conflicts
> with automatic empty zones]
> Global forward policy in named.conf will be changed to "only" to
> avoid conflicts with automatic empty zones
> [Adding server_id to named.conf]
> Changes to named.conf have been made, restart named
> Custodia service is being configured
> Configuring ipa-custodia
>   [1/5]: Generating ipa-custodia config file
>   [2/5]: Making sure custodia container exists
>   [3/5]: Generating ipa-custodia keys
>   [4/5]: starting ipa-custodia
>   [5/5]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> [Upgrading CA schema]
> CA schema update complete
> [Verifying that CA audit signing cert has 2 year validity]
> [Update certmonger certificate renewal configuration to version 5]
> Configuring certmonger to stop tracking system certificates for CA
> Certmonger certificate renewal configuration updated to version 5
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Adding default OCSP URI configuration]
> pki-tomcat configuration changed, restart pki-tomcat
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> Default CA ACL already added
> [Set up lightweight CA key retrieval]
> Creating principal
> Retrieving keytab
> Creating Custodia keys
> Configuring key retriever
> The IPA services were upgraded
> The ipa-server-upgrade command was successful
>
> And Apache has started, BUT there is a problem with the web certificate:
>
> # tail -f /var/log/httpd/error_log
> [Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to child 2 established (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
> [Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input filter read failed.
> [Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
> [Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to child 2 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
>
> How do you suggest to go on with my issue?
>
> Thanks, Morgan
>
> 2016-11-18 12:11 GMT+01:00 Morgan Marodin:
>
> >> I've tried to add it to a new test folder, with a new certificate
> >> nickname, and then to replace it to nss.conf.
> >>
> >> But the problem persists:
> >>
> >> # certutil -V -u V -d /etc/httpd/test -n ipa01cert
> >> certutil: certificate is valid
> >>
> >> # tail -f /var/log/httpd/error_log
> >> [Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> >> [Fri Nov 

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
A little good news.

Downgrading the mod_nss RPM package, and restoring the original
/etc/httpd/alias folder, ipa-server-upgrade procedure has finished well:

# ipa-server-upgrade
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts
with automatic empty zones]
Global forward policy in named.conf will be changed to "only" to
avoid conflicts with automatic empty zones
[Adding server_id to named.conf]
Changes to named.conf have been made, restart named
Custodia service is being configured
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
[Upgrading CA schema]
CA schema update complete
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
Configuring certmonger to stop tracking system certificates for CA
Certmonger certificate renewal configuration updated to version 5
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
The IPA services were upgraded
The ipa-server-upgrade command was successful

And Apache has started, BUT there is a problem with the web certificate:

# tail -f /var/log/httpd/error_log
[Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to child 2 established (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
[Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input filter read failed.
[Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
[Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to child 2 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)

How do you suggest to go on with my issue?

Thanks, Morgan

2016-11-18 12:11 GMT+01:00 Morgan Marodin:

> I've tried to add it to a new test folder, with a new certificate
> nickname, and then to replace it to nss.conf.
>
> But the problem persists:
>
> # certutil -V -u V -d /etc/httpd/test -n ipa01cert
> certutil: certificate is valid
>
> # tail -f /var/log/httpd/error_log
> [Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552] NSSSessionCacheTimeout is deprecated. Ignoring.
> [Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipa01cert
> [Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The server key database has not been initialized.
> [Fri Nov 18 12:09:39.832443 

Re: [Freeipa-users] IPA 4.4 replica installation failing

2016-11-18 Thread Baird, Josh
Martin,

Yes, this is the exact scenario.  My lab started with a RHEL 7.2 master/replica 
with 'domain level' set to 0.  

I raised the 'domain level' to 1, and now I'm trying to introduce a new replica 
into the environment.

I will check on 'nsds5replicabinddn' and report back.

Thanks,

Josh

-Original Message-
From: Martin Babinsky [mailto:mbabi...@redhat.com] 
Sent: Friday, November 18, 2016 3:17 AM
To: Baird, Josh; 'freeipa-users@redhat.com'
Subject: Re: [Freeipa-users] IPA 4.4 replica installation failing

On 11/17/2016 03:51 PM, Baird, Josh wrote:
> Hi all,
>
> In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new replica, 
> and I seem to be hitting something similar to #5412 [1].
>
> The 'ipa-replica-install' is getting stuck on:
>
>   [4/26]: creating installation admin user
>
> Dirsrv error logs on the new replica:
>
> [17/Nov/2016:08:45:09.342813042 -0600] NSMMReplicationPlugin - 
> agmt="cn=caToimqa-d1-dc01.qa-unix.domain.com" (imqa-d1-dc01:389): Unable to 
> acquire replica: permission denied. The bind dn "" does not have permission 
> to supply replication updates to the replica. Will retry later.
>
> Dirsrv access logs on existing master:
>
> [17/Nov/2016:08:39:59.244698389 -0600] conn=121 op=83 RESULT err=0 
> tag=101 nentries=0 etime=0
> [17/Nov/2016:08:40:00.248620354 -0600] conn=121 op=84 SRCH 
> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
> scope=0 filter="(objectClass=*)" attrs=ALL
> [17/Nov/2016:08:40:00.248917257 -0600] conn=121 op=84 RESULT err=0 
> tag=101 nentries=0 etime=0
> [17/Nov/2016:08:40:01.253067200 -0600] conn=121 op=85 SRCH 
> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
> scope=0 filter="(objectClass=*)" attrs=ALL
> [17/Nov/2016:08:40:01.253481728 -0600] conn=121 op=85 RESULT err=0 
> tag=101 nentries=0 etime=0
> [17/Nov/2016:08:40:02.257477560 -0600] conn=121 op=86 SRCH 
> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
> scope=0 filter="(objectClass=*)" attrs=ALL
> [17/Nov/2016:08:40:02.257813691 -0600] conn=121 op=86 RESULT err=0 
> tag=101 nentries=0 etime=0
> [17/Nov/2016:08:40:03.261805482 -0600] conn=121 op=88 SRCH 
> base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
> scope=0 filter="(objectClass=*)" attrs=ALL
> [17/Nov/2016:08:40:03.262310788 -0600] conn=121 op=88 RESULT err=0 
> tag=101 nentries=0 etime=0
>
> Dirsrv logs on the existing master:
>
> [17/Nov/2016:08:40:20.644554573 -0600] NSMMReplicationPlugin - 
> conn=120 op=13 replica="o=ipaca": Unable to acquire replica: error: 
> permission denied
> [17/Nov/2016:08:41:57.858672215 -0600] NSMMReplicationPlugin - 
> conn=123 op=5 replica="o=ipaca": Unable to acquire replica: error: 
> permission denied
> [17/Nov/2016:08:45:09.334188374 -0600] NSMMReplicationPlugin - 
> conn=130 op=5 replica="o=ipaca": Unable to acquire replica: error: 
> permission denied
>
> Has anyone else experienced this issue?
>
> Thanks,
>
> Josh
>
> [1] https://fedorahosted.org/freeipa/ticket/5412
>
>
Hi Josh,

in the original ticket the issue was occurring when creating a CA replica against 
a 7.2 master upgraded to 7.3 with domain level raised to 1. Do you have the same 
scenario?

Also, during the stuck installation can you check for the presence of replica's 
LDAP principal in 'nsds5replicabinddn' attribute on master's 
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry?

I would also check for the reverse, i.e. if the master's LDAP principal is in 
the 'nsds5replicabinddn' attribute on replica's 
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry.

--
Martin^3 Babinsky

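
The two-sided bind DN check suggested above, as an added example that is not FreeIPA code: read 'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' from each server (for instance with `ldapsearch -Y GSSAPI -b '<that DN>' nsds5replicabinddn`; the parser unfolds the 76-column line wrapping ldapsearch applies unless `-o ldif-wrap=no` is given) and verify that the peer's LDAP service principal DN appears among the nsds5replicabinddn values in both directions, since a supplier whose bind DN is not listed is refused with the "Unable to acquire replica: permission denied" seen in the logs. The hostnames ipa1/ipa2.example.test, the realm EXAMPLE.TEST and the base DN are assumptions, as is the standard FreeIPA DN layout for LDAP service principals; both LDIF samples are constructed, with the master's principal deliberately missing on the replica side.

```python
"""Cross-check o=ipaca replication bind DNs between a master and a new replica.

Added example, not FreeIPA code. The entry DN and attribute name are the
389-ds ones FreeIPA uses; the DN layout of LDAP service principals is the
standard FreeIPA one; hostnames, realm and base DN are hypothetical.
"""
import base64

IPACA_REPLICA_ENTRY = "cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config"

# Constructed sample: what `ldapsearch -Y GSSAPI -b "$IPACA_REPLICA_ENTRY"
# nsds5replicabinddn` prints on the master ipa1 (values folded at 76
# columns, as ldapsearch does unless -o ldif-wrap=no is given).
MASTER_LDIF = """\
# replica, o\\3Dipaca, mapping tree, config
dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
cn: replica
nsds5replicaroot: o=ipaca
nsds5replicabinddn: krbprincipalname=ldap/ipa2.example.test@EXAMPLE.TEST,cn=se
 rvices,cn=accounts,dc=example,dc=test
nsds5replicabinddn: cn=Replication Manager masterAgreement1-ipa1.example.test-p
 ki-tomcat,ou=csusers,cn=config

"""

# Constructed sample: the same entry on the new replica ipa2. The master's
# LDAP principal is missing, and the remaining value is base64-encoded (the
# "::" form ldapsearch uses for values it will not print verbatim).
_ONLY_VALUE = b"cn=Replication Manager cloneAgreement1-ipa2.example.test-pki-tomcat,ou=csusers,cn=config"
REPLICA_LDIF = """\
dn: cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
cn: replica
nsds5replicaroot: o=ipaca
nsds5replicabinddn:: %s

""" % base64.b64encode(_ONLY_VALUE).decode("ascii")


def _unfold(text):
    """Join LDIF continuation lines (leading space) and drop comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr_lower: [values]}) with base64 ('::') decoded."""
    entries, attrs, dn = [], {}, None
    for line in _unfold(text) + [""]:
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def normalize_dn(dn):
    """Case-fold and trim RDN spacing so DNs compare reliably (no escaped commas expected here)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def ldap_principal_dn(hostname, realm, basedn):
    """DN of a server's LDAP service principal in FreeIPA's tree."""
    return "krbprincipalname=ldap/%s@%s,cn=services,cn=accounts,%s" % (hostname, realm, basedn)


def replica_bind_dns(ldif_text):
    """Normalised nsds5replicabinddn values of the o=ipaca replica entry."""
    for dn, attrs in parse_ldif(ldif_text):
        if normalize_dn(dn) == normalize_dn(IPACA_REPLICA_ENTRY):
            return {normalize_dn(v) for v in attrs.get("nsds5replicabinddn", [])}
    raise ValueError("o=ipaca replica entry not found in LDIF")


def check_pair(master_ldif, replica_ldif, master_host, replica_host, realm, basedn):
    """List the direction(s) missing the peer's LDAP principal; empty list means both are present."""
    problems = []
    if normalize_dn(ldap_principal_dn(replica_host, realm, basedn)) not in replica_bind_dns(master_ldif):
        problems.append("master %s does not allow %s to supply updates" % (master_host, replica_host))
    if normalize_dn(ldap_principal_dn(master_host, realm, basedn)) not in replica_bind_dns(replica_ldif):
        problems.append("replica %s does not allow %s to supply updates" % (replica_host, master_host))
    return problems


if __name__ == "__main__":
    import sys
    # usage: check_ipaca_binddn.py master.ldif replica.ldif MASTER_HOST REPLICA_HOST REALM BASEDN
    if len(sys.argv) == 7:
        with open(sys.argv[1]) as m, open(sys.argv[2]) as r:
            problems = check_pair(m.read(), r.read(), *sys.argv[3:7])
    else:
        problems = check_pair(MASTER_LDIF, REPLICA_LDIF, "ipa1.example.test",
                              "ipa2.example.test", "EXAMPLE.TEST", "dc=example,dc=test")
    print("\n".join(problems) or "both bind DNs present")
```

Run it while the installation is stuck, as the reply suggests, so the entries reflect the half-configured state rather than a later cleanup.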


[Freeipa-users] Getting "Your session has expired. Please re-login." when trying to access IPA Replica

2016-11-18 Thread deepak dimri
Hello All,

I have IPA Master deployed in AWS US West region and replica in US East
region. The replication installation went successfully, however when I am
trying to access the replication web UI (after making proxypass changes
etc.) I am getting an error. I have ProxyPassReverseCookieDomain set
correctly but still I get the error. Master & Replica are time
synchronized. Can someone please help me with this?  I have tried it in all
kinds of browsers but no luck.

i have followed this document in setting up the reverse proxy
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name.

Thanks,
Deepak

Re: [Freeipa-users] Freeipa-users Digest, Vol 100, Issue 48

2016-11-18 Thread Sumit Bose
On Fri, Nov 18, 2016 at 12:09:41PM +0100, rajat gupta wrote:
> Hi,
> 
> 
> I removed the pam_winbind module. Users are able to login now, but sometimes
> they are not. Below are logs when users are not able to login.  Also SSH

see comment at the end of the email.

> login is very slow for AD users. I am using sssd 1.4

Please note that SSSD does more than a simple kinit, it will validate
the returned TGT of the user by requesting a service ticket for a
service from the local keytab. This requires for AD users at least one
round trip to an AD DC and another one to the IPA server. If the AD user
is coming from a member domain in the AD forest and not from the forest
root there are even more round trips.


> =
> rpm -qa | grep sssd
> sssd-krb5-common-1.14.0-43.el7.x86_64
> python-sssdconfig-1.14.0-43.el7.noarch
> sssd-ldap-1.14.0-43.el7.x86_64
> sssd-client-1.14.0-43.el7.x86_64
> sssd-ipa-1.14.0-43.el7.x86_64
> sssd-proxy-1.14.0-43.el7.x86_64
> sssd-common-1.14.0-43.el7.x86_64
> sssd-ad-1.14.0-43.el7.x86_64
> sssd-1.14.0-43.el7.x86_64
> sssd-krb5-1.14.0-43.el7.x86_64
> sssd-common-pac-1.14.0-43.el7.x86_64
> ===
> 
> =
> My sssd.conf on ipa client
> 
> cat /etc/sssd/sssd.conf
> [domain/ipa.preprod.local]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.ipadomain.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ilt-gif-ipa02.ipa.ipadomain.local
> chpass_provider = ipa
> ipa_server = _srv_, ilt-gif-ipa01.ipa.ipadomain.local
> ldap_tls_cacert = /etc/ipa/ca.crt
> debug_level = 10
> krb5_use_enterprise_principal = True
> 
> 
> 
> [sssd]
> default_domain_suffix = corp.addomain.com
> services = nss, sudo, pam, ssh
> 
> domains = ipa.ipadomain.local
> debug_level = 10
> 
> [nss]
> override_homedir = /home/%u
> debug_level = 10
> 
> 
> 
> [pam]
> debug_level = 10
> 
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> debug_level = 10
> 
> 
> [pac]
> 
> [ifp]
> ==
> 
> 
> 
...
> (Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084 [main] (0x0400):
> krb5_child started.
> (Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084 [unpack_buffer]
> (0x1000): total buffer size: [168]
> (Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084 [unpack_buffer]
> (0x0100): cmd [241] uid [1007629326] gid [1007629326] validate [true]
> enterprise principal [false] offline [true] UPN [subarancha...@mydomaon.com]

SSSD is in offline mode again; if the user has never successfully logged
in with a password, authentication will fail. You should check the SSSD
domain log to figure out why SSSD switches into offline mode.

HTH

bye,
Sumit

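Sumit's point above is that `offline [true]` in the krb5_child records is the thing to look for (rajat's full log follows further down in this digest). As an added example that is not SSSD or FreeIPA code, this Python script re-joins the mail-wrapped records, groups them by child PID and reports offline attempts together with the pre-auth return code; the sample log, principal and realm are constructed, and the PAM command names are inferred from this log's own sequence.

```python
"""Triage an SSSD krb5_child.log for attempts made while SSSD was offline.
Added example, not SSSD/FreeIPA code; the sample log below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A record starts "(Fri Nov 18 11:46:25 2016) "; other lines are wrapped continuations.
START = re.compile(r"^\(\w{3} \w{3} ")
# The archive dropped the closing "]]]]" after the PID: accept "[16083 [main]"
# as well as the real "[16083]]]] [main]".
HEADER = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]*\s+"
    r"\[(?P<func>\w+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$"
)
KV = re.compile(r"([A-Za-z][A-Za-z ]*?) \[([^\]]*)\]")  # e.g. "offline [true]"
# SSSD prints the code with a mismatched brace: "returned [-1765328230}".
RETCODE = re.compile(r"krb5_get_init_creds_password returned \[(-?\d+)[\]}]")
# PAM command numbers as they appear in this log (249 precedes "Will perform pre-auth").
CMD_NAMES = {249: "pre-auth", 241: "authenticate"}


@dataclass
class Attempt:
    pid: int
    upn: Optional[str] = None
    cmd: Optional[int] = None
    offline: Optional[bool] = None
    krb5_error: Optional[int] = None


def join_records(text: str) -> List[str]:
    """Glue wrapped continuation lines back onto the record they belong to."""
    records: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse(text: str) -> Dict[int, Attempt]:
    """Return one Attempt per krb5_child PID found in the log text."""
    attempts: Dict[int, Attempt] = {}
    for rec in join_records(text):
        m = HEADER.match(rec)
        if not m:
            continue
        a = attempts.setdefault(int(m["pid"]), Attempt(int(m["pid"])))
        if m["func"] == "unpack_buffer" and "cmd [" in m["msg"]:
            kv = dict(KV.findall(m["msg"]))
            a.cmd = int(kv["cmd"]) if "cmd" in kv else None
            a.offline = kv.get("offline") == "true"
            a.upn = kv.get("UPN")
        elif m["func"] == "get_and_save_tgt":
            r = RETCODE.search(m["msg"])
            if r:
                a.krb5_error = int(r.group(1))
    return attempts


def findings(attempts: Dict[int, Attempt]) -> List[str]:
    """One line per condition worth a look, in PID order."""
    out: List[str] = []
    for a in sorted(attempts.values(), key=lambda x: x.pid):
        name = CMD_NAMES.get(a.cmd, f"cmd {a.cmd}")
        if a.offline:
            out.append(f"pid {a.pid}: {name} for {a.upn} ran with offline [true]; "
                       "check the SSSD domain log for why it went offline")
        if a.krb5_error:
            out.append(f"pid {a.pid}: krb5_get_init_creds_password returned "
                       f"{a.krb5_error} during pre-auth")
    return out


# Constructed sample in the wrapped form seen in the archive; principal and realm
# are placeholders.
SAMPLE_LOG = """\
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [unpack_buffer]
(0x0100): cmd [249] uid [1007629326] gid [1007629326] validate [true]
enterprise principal [false] offline [true] UPN [someuser@example.test]
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [get_and_save_tgt]
(0x0400): krb5_get_init_creds_password returned [-1765328230} during
pre-auth.
(Fri Nov 18 11:46:26 2016) [[sssd[krb5_child[16084]]]] [unpack_buffer]
(0x0100): cmd [241] uid [1007629326] gid [1007629326] validate [true]
enterprise principal [false] offline [false] UPN [someuser@example.test]
"""
```

`findings(parse(text))` is the entry point; feed it the contents of /var/log/sssd/krb5_child.log as one string.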


Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
I've tried to add it to a new test folder, with a new certificate nickname,
and then to replace it in nss.conf.

But the problem persists:

# certutil -V -u V -d /etc/httpd/test -n ipa01cert
certutil: certificate is valid


# tail -f /var/log/httpd/error_log

[Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552] NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipa01cert
[Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The server key database has not been initialized.
[Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552] Configuring server for SSL protocol
...
[Fri Nov 18 12:09:39.832676 2016] [:info] [pid 11552] Using nickname ipa01cert.
[Fri Nov 18 12:09:39.832678 2016] [:error] [pid 11552] Certificate not found: 'ipa01cert'

I've found this guide:

Combine the server cert and key into a single file
# cat localhost.crt > Server-Cert.txt
# cat localhost.key >> Server-Cert.txt
Convert the server cert into a p12 file
# openssl pkcs12 -export -in Server-Cert.txt -out Server-Cert.p12 -name "Server-Cert"
Now import the public and private keys into the database at the same time.
# pk12util -i /tmp/cert-files/Server-Cert.p12 -d /etc/httpd/alias -n Server-Cert

Where is the key certificate file stored?

Thanks, Morgan

2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud :

> On 11/18/2016 10:04 AM, Morgan Marodin wrote:
>
>> Hi Florence.
>>
>> I've tried to configure the wrong certificate in nss.conf (ipaCert),
>> and with this Apache started.
>> So I think the problem is in the Server-Cert stored in
>> /etc/httpd/alias, even if all manual checks are ok.
>>
>> These are logs with the wrong certificate test:
>> # tail -f /var/log/httpd/error_log
>> [Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232:
>> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709]
>> NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709]
>> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
>>
>> [Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server
>> for SSL protocol
>> [Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709]
>> nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>> [Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709]
>> nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>> [Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709]
>> nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>> [Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709]
>> nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
>> [Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709]
>> nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
>> [Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709]
>> nss_engine_init.c(906): Disabling TLS Session Tickets
>> [Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709]
>> nss_engine_init.c(916): Enabling DHE key exchange
>> [Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]
>> nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
>> ciphers
>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_
>> sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_
>> sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_
>> sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+
>> rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>> [Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709]
>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>> ...
>> [Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709]
>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>> [Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname
>> ipaCert.
>> [Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration
>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>> expected mlv-ipa01.ipa.mydomain.com as virtual name.
>> [Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709]
>> AH01757: generating secret for digest authentication ...
>> [Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709]
>> AH02282: No slotmem from mod_heartmonitor
>> [Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709]
>> NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709]
>> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
>>
>> [Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709]
>> AH00163: Apache/2.4.6 () 

Re: [Freeipa-users] Freeipa-users Digest, Vol 100, Issue 48

2016-11-18 Thread rajat gupta
Hi,


I removed the pam_winbind module. Users are able to log in now, but sometimes
they are not. Below are logs from when a user is not able to log in.  Also SSH
login is very slow for AD users. I am using sssd 1.4
=
rpm -qa | grep sssd
sssd-krb5-common-1.14.0-43.el7.x86_64
python-sssdconfig-1.14.0-43.el7.noarch
sssd-ldap-1.14.0-43.el7.x86_64
sssd-client-1.14.0-43.el7.x86_64
sssd-ipa-1.14.0-43.el7.x86_64
sssd-proxy-1.14.0-43.el7.x86_64
sssd-common-1.14.0-43.el7.x86_64
sssd-ad-1.14.0-43.el7.x86_64
sssd-1.14.0-43.el7.x86_64
sssd-krb5-1.14.0-43.el7.x86_64
sssd-common-pac-1.14.0-43.el7.x86_64
===

=
My sssd.conf on the IPA client

cat /etc/sssd/sssd.conf
[domain/ipa.preprod.local]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.ipadomain.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ilt-gif-ipa02.ipa.ipadomain.local
chpass_provider = ipa
ipa_server = _srv_, ilt-gif-ipa01.ipa.ipadomain.local
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 10
krb5_use_enterprise_principal = True



[sssd]
default_domain_suffix = corp.addomain.com
services = nss, sudo, pam, ssh

domains = ipa.ipadomain.local
debug_level = 10

[nss]
override_homedir = /home/%u
debug_level = 10



[pam]
debug_level = 10


[sudo]

[autofs]

[ssh]
debug_level = 10


[pac]

[ifp]
==




/var/log/sssd/krb5_child.log
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [main] (0x0400):
krb5_child started.
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [unpack_buffer]
(0x1000): total buffer size: [63]
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [unpack_buffer]
(0x0100): cmd [249] uid [1007629326] gid [1007629326] validate [true]
enterprise principal [false] offline [true] UPN [subarancha...@mydomaon.com]
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [become_user]
(0x0200): Trying to become user [1007629326][1007629326].
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [main] (0x2000):
Running as [1007629326][1007629326].
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [become_user]
(0x0200): Trying to become user [1007629326][1007629326].
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [become_user]
(0x0200): Already user [1007629326].
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [k5c_setup]
(0x2000): Running as [1007629326][1007629326].
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [main] (0x0400):
Will perform pre-auth
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [tgt_req_child]
(0x1000): Attempting to get a TGT
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [get_and_save_tgt]
(0x0400): Attempting kinit for realm [MYDOMAON.COM]
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083
[sss_child_krb5_trace_cb] (0x4000): [16083] 1479465985.794345: Getting
initial credentials for subarancha...@mydomaon.com
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083
[sss_child_krb5_trace_cb] (0x4000): [16083] 1479465985.796449: Sending
request (176 bytes) to MYDOMAON.COM
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083
[sss_child_krb5_trace_cb] (0x4000): [16083] 1479465985.797433: Retrying AS
request with master KDC
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083
[sss_child_krb5_trace_cb] (0x4000): [16083] 1479465985.797466: Getting
initial credentials for subarancha...@mydomaon.com
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083
[sss_child_krb5_trace_cb] (0x4000): [16083] 1479465985.797508: Sending
request (176 bytes) to MYDOMAON.COM (master)
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [get_and_save_tgt]
(0x0400): krb5_get_init_creds_password returned [-1765328230} during
pre-auth.
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [k5c_send_data]
(0x0200): Received error code 0
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083
[pack_response_packet] (0x2000): response packet size: [4]
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [k5c_send_data]
(0x4000): Response sent.
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16083 [main] (0x0400):
krb5_child completed successfully
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084 [main] (0x0400):
krb5_child started.
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084 [unpack_buffer]
(0x1000): total buffer size: [168]
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084 [unpack_buffer]
(0x0100): cmd [241] uid [1007629326] gid [1007629326] validate [true]
enterprise principal [false] offline [true] UPN [subarancha...@mydomaon.com]
(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084 [unpack_buffer]

Re: [Freeipa-users] IPA 4.4 replica installation failing

2016-11-18 Thread thierry bordaz



On 11/18/2016 09:16 AM, Martin Babinsky wrote:

On 11/17/2016 03:51 PM, Baird, Josh wrote:

Hi all,

In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new 
replica, and I seem to be hitting something similar to #5412 [1].


The 'ipa-replica-install' is getting stuck on:

  [4/26]: creating installation admin user

Dirsrv error logs on the new replica:

[17/Nov/2016:08:45:09.342813042 -0600] NSMMReplicationPlugin - 
agmt="cn=caToimqa-d1-dc01.qa-unix.domain.com" (imqa-d1-dc01:389): 
Unable to acquire replica: permission denied. The bind dn "" does not 
have permission to supply replication updates to the replica. Will 
retry later.


Dirsrv access logs on existing master:

[17/Nov/2016:08:39:59.244698389 -0600] conn=121 op=83 RESULT err=0 
tag=101 nentries=0 etime=0
[17/Nov/2016:08:40:00.248620354 -0600] conn=121 op=84 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
scope=0 filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:00.248917257 -0600] conn=121 op=84 RESULT err=0 
tag=101 nentries=0 etime=0
[17/Nov/2016:08:40:01.253067200 -0600] conn=121 op=85 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
scope=0 filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:01.253481728 -0600] conn=121 op=85 RESULT err=0 
tag=101 nentries=0 etime=0
[17/Nov/2016:08:40:02.257477560 -0600] conn=121 op=86 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
scope=0 filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:02.257813691 -0600] conn=121 op=86 RESULT err=0 
tag=101 nentries=0 etime=0
[17/Nov/2016:08:40:03.261805482 -0600] conn=121 op=88 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" 
scope=0 filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:03.262310788 -0600] conn=121 op=88 RESULT err=0 
tag=101 nentries=0 etime=0


Dirsrv logs on the existing master:

[17/Nov/2016:08:40:20.644554573 -0600] NSMMReplicationPlugin - 
conn=120 op=13 replica="o=ipaca": Unable to acquire replica: error: 
permission denied
[17/Nov/2016:08:41:57.858672215 -0600] NSMMReplicationPlugin - 
conn=123 op=5 replica="o=ipaca": Unable to acquire replica: error: 
permission denied
[17/Nov/2016:08:45:09.334188374 -0600] NSMMReplicationPlugin - 
conn=130 op=5 replica="o=ipaca": Unable to acquire replica: error: 
permission denied


Has anyone else experienced this issue?

Thanks,

Josh

[1] https://fedorahosted.org/freeipa/ticket/5412



Hi Josh,

in the original ticket the issue was occurring when creating a CA replica 
against a 7.2 master upgraded to 7.3 with domain level raised to 1. Do 
you have the same scenario?


Also, during the stuck installation can you check for the presence of 
replica's LDAP principal in 'nsds5replicabinddn' attribute on master's 
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry?


I would also check for the reverse, i.e. if the master's LDAP 
principal is in the 'nsds5replicabinddn' attribute on replica's 
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry.



Hi Josh,

Replica agreements in both directions should use GSSAPI authentication with 
accounts in 'cn=replication managers,cn=sysaccounts,cn=etc,'.
Would you check the members (on master and replica) of this entry and 
see if it contains the expected principals?


regards
thierry



Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Florence Blanc-Renaud

On 11/18/2016 10:04 AM, Morgan Marodin wrote:

Hi Florence.

I've tried to configure the wrong certificate in nss.conf (ipaCert),
and with this Apache started.
So I think the problem is in the Server-Cert stored in
/etc/httpd/alias, even if all manual checks are ok.

These are logs with the wrong certificate test:
# tail -f /var/log/httpd/error_log
[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709]
nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
[Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server
for SSL protocol
[Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709]
nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709]
nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709]
nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709]
nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709]
nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]
nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709]
nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709]
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname ipaCert.
[Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration
of certificate's CN and virtual name. The certificate CN has IPA RA. We
expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709]
AH01757: generating secret for digest authentication ...
[Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709]
AH02282: No slotmem from mod_heartmonitor
[Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709]
nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
[Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709]
AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
-- resuming normal operations
[Fri Nov 18 09:34:33.051551 2016] [core:notice] [pid 7709] AH00094:
Command line: '/usr/sbin/httpd -D FOREGROUND'
[Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717]
proxy_util.c(1838): AH00924: worker ajp://localhost shared already
initialized
[Fri Nov 18 09:34:33.096163 2016] [proxy:debug] [pid 7717]
proxy_util.c(1880): AH00926: worker ajp://localhost local already
initialized
...
[Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719]
proxy_util.c(1838): AH00924: worker
unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ shared already
initialized
[Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719]
proxy_util.c(1880): AH00926: worker
unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ local already
initialized
[Fri Nov 18 09:34:33.342762 2016] [:info] [pid 7717] Configuring server
for SSL protocol
[Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717]
nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.342880 2016] [:debug] [pid 7717]
nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.342885 2016] [:debug] [pid 7717]
nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.342890 2016] [:debug] [pid 7717]
nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.342894 2016] [:debug] [pid 7717]
nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.342900 2016] [:debug] [pid 7717]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.342904 2016] [:debug] [pid 7717]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.342917 2016] [:debug] [pid 7717]

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
Hi Florence.

I've tried to configure the wrong certificate in nss.conf (ipaCert), and
with this Apache started.
So I think the problem is in the Server-Cert stored in /etc/httpd/alias,
even if all manual checks are ok.

These are logs with the wrong certificate test:
# tail -f /var/log/httpd/error_log

[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
[Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server for SSL protocol
[Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709] nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709] nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709] nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709] nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709] nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709] nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709] nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709] nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname ipaCert.
[Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709] AH01757: generating secret for digest authentication ...
[Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709] AH02282: No slotmem from mod_heartmonitor
[Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
[Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709] AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Fri Nov 18 09:34:33.051551 2016] [core:notice] [pid 7709] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717] proxy_util.c(1838): AH00924: worker ajp://localhost shared already initialized
[Fri Nov 18 09:34:33.096163 2016] [proxy:debug] [pid 7717] proxy_util.c(1880): AH00926: worker ajp://localhost local already initialized
...
[Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719] proxy_util.c(1838): AH00924: worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ shared already initialized
[Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719] proxy_util.c(1880): AH00926: worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ local already initialized
[Fri Nov 18 09:34:33.342762 2016] [:info] [pid 7717] Configuring server for SSL protocol
[Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717] nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.342880 2016] [:debug] [pid 7717] nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.342885 2016] [:debug] [pid 7717] nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.342890 2016] [:debug] [pid 7717] nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.342894 2016] [:debug] [pid 7717] nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.342900 2016] [:debug] [pid 7717] nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.342904 2016] [:debug] [pid 7717] nss_engine_init.c(916): Enabling 

Re: [Freeipa-users] IPA 4.4 replica installation failing

2016-11-18 Thread Martin Babinsky

On 11/17/2016 03:51 PM, Baird, Josh wrote:

Hi all,

In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new replica, 
and I seem to be hitting something similar to #5412 [1].

The 'ipa-replica-install' is getting stuck on:

  [4/26]: creating installation admin user

Dirsrv error logs on the new replica:

[17/Nov/2016:08:45:09.342813042 -0600] NSMMReplicationPlugin - 
agmt="cn=caToimqa-d1-dc01.qa-unix.domain.com" (imqa-d1-dc01:389): Unable to acquire 
replica: permission denied. The bind dn "" does not have permission to supply replication 
updates to the replica. Will retry later.

Dirsrv access logs on existing master:

[17/Nov/2016:08:39:59.244698389 -0600] conn=121 op=83 RESULT err=0 tag=101 
nentries=0 etime=0
[17/Nov/2016:08:40:00.248620354 -0600] conn=121 op=84 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 
filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:00.248917257 -0600] conn=121 op=84 RESULT err=0 tag=101 
nentries=0 etime=0
[17/Nov/2016:08:40:01.253067200 -0600] conn=121 op=85 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 
filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:01.253481728 -0600] conn=121 op=85 RESULT err=0 tag=101 
nentries=0 etime=0
[17/Nov/2016:08:40:02.257477560 -0600] conn=121 op=86 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 
filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:02.257813691 -0600] conn=121 op=86 RESULT err=0 tag=101 
nentries=0 etime=0
[17/Nov/2016:08:40:03.261805482 -0600] conn=121 op=88 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 
filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:03.262310788 -0600] conn=121 op=88 RESULT err=0 tag=101 
nentries=0 etime=0

Dirsrv logs on the existing master:

[17/Nov/2016:08:40:20.644554573 -0600] NSMMReplicationPlugin - conn=120 op=13 
replica="o=ipaca": Unable to acquire replica: error: permission denied
[17/Nov/2016:08:41:57.858672215 -0600] NSMMReplicationPlugin - conn=123 op=5 
replica="o=ipaca": Unable to acquire replica: error: permission denied
[17/Nov/2016:08:45:09.334188374 -0600] NSMMReplicationPlugin - conn=130 op=5 
replica="o=ipaca": Unable to acquire replica: error: permission denied

Has anyone else experienced this issue?

Thanks,

Josh

[1] https://fedorahosted.org/freeipa/ticket/5412



Hi Josh,

in the original ticket the issue was occurring when creating a CA replica 
against a 7.2 master upgraded to 7.3 with domain level raised to 1. Do you 
have the same scenario?


Also, during the stuck installation can you check for the presence of 
replica's LDAP principal in 'nsds5replicabinddn' attribute on master's 
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry?


I would also check for the reverse, i.e. if the master's LDAP principal 
is in the 'nsds5replicabinddn' attribute on replica's 
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry.


--
Martin^3 Babinsky
