Re: [Freeipa-users] attempting to Import Local Accounts into FreeIPA Server on Fedora 25: ipa: ERROR: Could not get User login interactively

2016-11-29 Thread Standa Laznicka

On 11/29/2016 09:35 PM, Robert Kudyba wrote:


On Nov 29, 2016, at 11:37 AM, Rob Crittenden wrote:


Robert Kudyba wrote:

I'm trying to use the script posted on
https://shellonearth.net/import-local-accounts-in-freeipa-rhelcentos/.

I'm getting the below error. Have the options for ipa user-add changed
recently? Here's what the error looks like in context from the CLI:

Password for admin@ourdomain:
User login:
ipa: ERROR: Could not get User login interactively

Here is what's in the script:

ipa user-add $USER --first=$FIRST --last=$LAST --cn="$FULL"
--displayname="$FULL" --uid=$UUID --gidnumber=$GID --setattr
userpassword='{crypt}$CRYPT'




Are you sure $USER has a value?

It looks like it is falling back on interactive prompting for required
fields.


Thanks that gave me a clue. The script was looking for a group ID of 8 
characters long I changed it to 4:
for line in "$(echo $p | grep "x:[0-9][0-9][0-9][0-9]*:")" # Only grep
user accounts with IDs of 4 digits or more


But now the script just “hangs” and no response. I confirmed 
permissions of the shadow and passwd files and just using 20 login 
names from each file. Nothing shows up in the user search of the 
FreeIPA GUI.




Well, I may not be that fluent in bash as I used to be, but from what I 
see here, it's quite obvious. Line 39 - you have a `while read p` part 
there that waits for input from stdin. That's where you hang. How you 
managed to get to `ipa user-add` line before I am not really certain.


Did you perhaps mean to read from /tmp/passwd or /tmp/shadow on L39? :)
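Rob's clue (a required field left empty makes `ipa` fall back to prompting) and Standa's (a `while read` with no redirection blocks on the terminal) both point at how the import loop is fed. The following is an added example, not the shellonearth.net script and not code from anyone on this thread: it reads a passwd-format file named on the command line, selects accounts by comparing the UID numerically rather than by counting digits, and prints the `ipa user-add` invocation instead of running it, so the selection can be reviewed before anything is written to the directory. The sample passwd lines, `MIN_UID` and the variable names are constructed for the example.

```shell
#!/bin/sh
# Added example (not the script from the thread): dry-run selection of local
# accounts for import into FreeIPA. Input comes from the file named in $1,
# so the loop never waits on the terminal's stdin.

MIN_UID=1000   # assumption: regular users start at 1000 on this host

# Print "login:uid:gid:gecos" for every account that qualifies for import.
# The UID is compared as a number; a regex that counts digits also matches
# three-digit system accounts and says nothing about the actual value.
select_local_accounts() {
    passwd_file=$1
    while IFS=: read -r login _pw uid gid gecos _home shell; do
        case $uid in ''|*[!0-9]*) continue ;; esac      # blank or non-numeric
        [ "$uid" -ge "$MIN_UID" ] || continue            # system account
        [ "$login" != nobody ] || continue               # nobody is 65534 here
        case $shell in */nologin|*/false) continue ;; esac   # no login shell
        gecos=${gecos%%,*}                               # drop ",room,phone,..."
        printf '%s:%s:%s:%s\n' "$login" "$uid" "$gid" "$gecos"
    done < "$passwd_file"     # <- read from the file, not from stdin
}

# Build the ipa user-add command line for one record. Each argument is
# single-quoted so a GECOS containing spaces stays one option value.
# A one-word GECOS reuses the login as the last name; a three-word GECOS
# puts everything after the first word into --last.
ipa_user_add_cmd() {
    login=$1 uid=$2 gid=$3 gecos=$4
    first=${gecos%% *}
    last=${gecos#* }
    [ "$last" != "$gecos" ] || last=$login
    printf "ipa user-add '%s' --first='%s' --last='%s' --cn='%s' --uid='%s' --gidnumber='%s'\n" \
        "$login" "$first" "$last" "$gecos" "$uid" "$gid"
}

# Constructed sample passwd file so the script runs stand-alone.
write_sample_passwd() {
    f=$(mktemp)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'svc:x:999:999:Service Account:/var/svc:/sbin/nologin' \
        'alice:x:1001:1001:Alice Smith,,,:/home/alice:/bin/bash' \
        'bob:x:1002:1002:Bob:/home/bob:/bin/zsh' \
        'nobody:x:65534:65534:Nobody:/:/sbin/nologin' > "$f"
    echo "$f"
}

# Stand-alone run: show the commands that would be executed.
sample=$(write_sample_passwd)
select_local_accounts "$sample" | while IFS=: read -r l u g n; do
    ipa_user_add_cmd "$l" "$u" "$g" "$n"
done
rm -f "$sample"
```

The thread's script also passes the crypt hash from /tmp/shadow on the command line via `--setattr userpassword=...`; if that step is added, the hash is visible in the process list of every local user for the duration of each call.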

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread Florence Blanc-Renaud

On 11/29/2016 03:19 PM, David Dejaeghere wrote:

Can you give me a couple of test commands?
I am not familiar with Dogtag.


Hi,

To reproduce the issue:
1. install IPA server
2. On the replica, run ipa-client-install
3. On the server, stop dogtag with
$ systemctl stop pki-tomcatd@pki-tomcat.service
4. On the replica, run ipa-replica-install

When you want to restart dogtag, you can run
$ systemctl start pki-tomcatd@pki-tomcat.service

If you want to check if dogtag is running:
$ systemctl status pki-tomcatd@pki-tomcat.service

You may find more information on Dogtag here:
http://pki.fedoraproject.org/wiki/PKI_Main_Page
http://pki.fedoraproject.org/wiki/IPA
http://pki.fedoraproject.org/wiki/Debugging_the_state_of_dogtag_in_an_ipa_install

Flo


Groeten,

David

2016-11-29 14:57 GMT+01:00 David Kupka:

On 29/11/16 13:55, David Dejaeghere wrote:

Correct.  Same symptoms.

2016-11-29T10:29:42Z DEBUG certmonger request is in state
dbus.String(u'CA_UNREACHABLE', variant_level=1)

Fedora 24 Server

[root@ns02 ~]# dnf history userinstalled
Packages installed by user
freeipa-client-4.3.2-2.fc24.x86_64
freeipa-server-4.3.2-2.fc24.x86_64
grub2-1:2.02-0.34.fc24.x86_64
kernel-4.5.5-300.fc24.x86_64
kernel-4.8.8-200.fc24.x86_64
lvm2-2.02.150-2.fc24.x86_64
xfsprogs-4.5.0-2.fc24.x86_64


Ok. I've reproduced it by simply stopping dogtag on FreeIPA server
while installing the replica. I see exactly the same errors as
you've reported and as described in the ticket, now.

Is dogtag running on your master? Is it responding (e.g. issuing
certificates for users)? Is it accessible from the replica?



2016-11-29 13:41 GMT+01:00 Petr Vobornik:

On 11/29/2016 12:43 PM, David Kupka wrote:

On 29/11/16 12:15, David Dejaeghere wrote:

Seems like it is but it does not show a server cert
for dirsrv

[root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
total 468
-rw---. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
-rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
-r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 1623 Nov 29 11:29 certmap.conf
-rw---. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif
-rw---. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif.bak
-rw---. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif.startOK
-r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
-rw---. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
-rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
-r. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 66 Nov 29 11:29 pin.txt
-rw---. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 40 Nov 29 11:29 pwdfile.txt
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 4096 Nov 29 11:29 schema
-rw---. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
-rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
-r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf

[root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L


Re: [Freeipa-users] attempting to Import Local Accounts into FreeIPA Server on Fedora 25: ipa: ERROR: Could not get User login interactively

2016-11-29 Thread Robert Kudyba

> On Nov 29, 2016, at 11:37 AM, Rob Crittenden  wrote:
> 
> Robert Kudyba wrote:
>> I'm trying to use the script posted on
>> https://shellonearth.net/import-local-accounts-in-freeipa-rhelcentos/.
>> I'm getting the below error. Have the options for ipa user-add changed
>> recently? Here's what the error looks like in context from the CLI:
>> 
>> Password for admin@ourdomain:
>> User login:
>> ipa: ERROR: Could not get User login interactively
>> 
>> Here is what's in the script:
>> 
>> ipa user-add $USER --first=$FIRST --last=$LAST --cn="$FULL"
>> --displayname="$FULL" --uid=$UUID --gidnumber=$GID --setattr
>> userpassword='{crypt}$CRYPT'
>> 
>> 
> 
> Are you sure $USER has a value?
> 
> It looks like it is falling back on interactive prompting for required
> fields.

Thanks that gave me a clue. The script was looking for a group ID of 8 
characters long I changed it to 4:
for line in "$(echo $p | grep "x:[0-9][0-9][0-9][0-9]*:")" # Only grep user 
accounts with IDs of 4 digits or more

But now the script just “hangs” and no response. I confirmed permissions of the 
shadow and passwd files and just using 20 login names from each file. Nothing 
shows up in the user search of the FreeIPA GUI.


[Freeipa-users] Mac OS X 10.12 Smart card authentication to FreeIPA server.

2016-11-29 Thread Daly, John L CIV NAVAIR, 4G0000D
Greetings,
I thumbed through the archive, but didn't find an answer.  If I missed it, 
perhaps someone will be kind enough to point me in the right direction.

I'm testing replacing our OpenDirectory server with a FreeIPA server for 
authenticating our Mac systems.  So far, I have the server and client running 
in a virtual machine (FreeIPA running on CentOS 7, Mac is MacOS 10.12.1), and, 
following a number of instructions found on the web, they are talking to each 
other and I can log in from the Mac client to the FreeIPA server with a user 
account on the FreeIPA server.

The final step in this is that I need to use smart card authentication instead 
of username/password.  I have managed to get the smart card's certificate added 
to the user account on the FreeIPA server, but that's as far as I've managed.

In MacOS 10.7-10.11, the method of getting smart card authorization to work is 
to get the hash of the certificate on the smart card and then add that to 
AuthenticationAuthority in Directory Utility as ;pubkeyhash;
In 10.12, it will actually ask you if you want to pair the smart card with the 
account, and if so, in the background it adds the hash as 
;tokenIdentity; to AuthenticationAuthority (but it only does 
that to local accounts.  to do it in Open Directory, you have to add it 
manually still)

In my ignorance, I'm guessing that I just somehow need to map the certificate 
that's been added to the user account in FreeIPA to AuthenticationAuthority in 
DirectoryUtility.  Right now the only thing mapped in the bind for 
AuthenticationAuthority is uid.

Could someone tell me what map I would need to make when setting up the bind to 
make this work? Or if I'm totally heading in the wrong direction, could someone 
send me in the right direction?

Nathan Kinder's blog was very helpful, but he mentions telling how to actually 
set up login on the next installment, and that was over a year ago and there's 
no next installment.  Most of what I've been able to find covers how to use 
sssd to get a linux machine to authenticate with the smartcard to FreeIPA, but 
I haven't been able to translate that to getting the Mac to authenticate.

Thank you,
John



Re: [Freeipa-users] attempting to Import Local Accounts into FreeIPA Server on Fedora 25: ipa: ERROR: Could not get User login interactively

2016-11-29 Thread Rob Crittenden
Robert Kudyba wrote:
> I’m trying to use the script posted on
> https://shellonearth.net/import-local-accounts-in-freeipa-rhelcentos/.
> I’m getting the below error. Have the options for ipa user-add changed
> recently? Here’s what the error looks like in context from the CLI:
> 
> Password for admin@ourdomain:
> User login:
> ipa: ERROR: Could not get User login interactively
> 
> Here is what’s in the script:
> 
> ipa user-add $USER --first=$FIRST --last=$LAST --cn="$FULL"
> --displayname="$FULL" --uid=$UUID --gidnumber=$GID --setattr
> userpassword='{crypt}$CRYPT'
> 
> 

Are you sure $USER has a value?

It looks like it is falling back on interactive prompting for required
fields.

rob



[Freeipa-users] attempting to Import Local Accounts into FreeIPA Server on Fedora 25: ipa: ERROR: Could not get User login interactively

2016-11-29 Thread Robert Kudyba
I’m trying to use the script posted on 
https://shellonearth.net/import-local-accounts-in-freeipa-rhelcentos/. I’m 
getting the below error. Have the options for ipa user-add changed recently? 
Here’s what the error looks like in context from the CLI:

Password for admin@ourdomain:
User login:
ipa: ERROR: Could not get User login interactively

Here is what’s in the script:

ipa user-add $USER --first=$FIRST --last=$LAST --cn="$FULL" 
--displayname="$FULL" --uid=$UUID --gidnumber=$GID --setattr 
userpassword='{crypt}$CRYPT'

Re: [Freeipa-users] ns-slapd segfault

2016-11-29 Thread Giulio Casella

Il 29/11/2016 14:46, Giulio Casella ha scritto:

Il 29/11/2016 14:19, Mark Reynolds ha scritto:



On 11/29/2016 03:14 AM, Giulio Casella wrote:

Il 28/11/2016 19:22, Mark Reynolds ha scritto:



On 11/28/2016 10:22 AM, Giulio Casella wrote:

Il 28/11/2016 15:25, Lukas Slebodnik ha scritto:

On (28/11/16 12:39), Giulio Casella wrote:

Hello,

I have a setup with two ipa server in replica, based on CentOS 7.
On one server (since a couple of days) ipa cannot start, the failing
service
is dirsrv@.service.
In journal I have:

ns-slapd[4617]: segfault at 7fb53b1ce515 ip 7fb50126e1a6 sp
7ffc0b80d6c8 error 4 in libc-2.17.so[7fb501124000+1b7000]

(just after a lot of SSL alerts complaining about some enabled
cypher suite,
but I cannot say if this could be related).

I'm using ipa 4.2.0, and 389-ds-base 1.3.4.


It would be good to know the exact version.
rpm -q 389-ds-base


Installed version is:

389-ds-base-1.3.4.0-33.el7_2.x86_64



Please provide backtrace or coredump; other developers will know
whether it's a known bug or a new bug.


Ok, you can find attached full stacktrace.

It's crashing trying to read updates from the replication changelog.

Are you using attribute encryption?
Any chance you have a way to reproduce this?

Since this is happening on only one server then I think recreating the
replication changelog will "fix" the issue.  Just re-initializing that
replica should do it.  Does this server start - so it can be reinited?
If not, you need to manually remove the changelog and start the
directory server, and reinit it.  Or perform a manual ldif
initialization.  (I can help with either one if needed)



No, directory server can't start, so I think I have to manually remove
the changelog.

Probably best:

It's under /var/lib/dirsrv/slapd-INSTANCE/db/changelog (something like
that)


Any help is obviously welcome.
BTW: Do you confirm I won't lose data on second (working) server doing
removal of changelog?

Well, the changelog appears to be hosed. So if something is lost, it's
already lost and is not recoverable. As long as you have another master
you are okay, and IPA only creates masters so you should be good.



Thank you Mark,
I moved away and recreated entire
/var/lib/dirsrv/slapd-INSTANCE/db/changelog directory, rebooted server
and now it's up and running!



For completeness: I've removed also the content of 
/var/lib/dirsrv/slapd-INSTANCE/cldb (I think cldb stands for changelog 
database) to make it work.
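Mark's recovery path (move the changelog aside on the replica that cannot start, start the directory server, then re-initialize it from the healthy master) and Giulio's note that `cldb` also had to be cleared, as an added example that is not code from the thread or from 389-ds: the function moves `db/changelog` and `cldb` aside under a timestamped name instead of deleting them, refuses to act while `dirsrv@INSTANCE` is still running, and reports what it moved. The instance name, base directory and stamp arguments are assumptions for the example; the re-initialize step stays with the operator.

```shell
#!/bin/sh
# Added example (not from the thread or from 389-ds): set a broken
# replication changelog aside so ns-slapd can start, keeping the old
# data for later analysis instead of deleting it.
#
# Usage: move_dirsrv_changelog_aside INSTANCE [BASE_DIR] [STAMP]
#   INSTANCE  the part after "slapd-" (the unit is dirsrv@INSTANCE.service)
#   BASE_DIR  defaults to /var/lib/dirsrv (assumption: stock layout)
#   STAMP     suffix for the moved directories, defaults to the current time
# Prints one "moved: OLD -> NEW" line per directory. Returns 0 on success,
# 1 if the instance directory is missing, 2 if the instance is running.
move_dirsrv_changelog_aside() {
    inst=$1
    base=${2:-/var/lib/dirsrv}
    stamp=${3:-$(date +%Y%m%d-%H%M%S)}
    instdir="$base/slapd-$inst"
    [ -d "$instdir" ] || { echo "no instance directory: $instdir" >&2; return 1; }

    # Never touch the changelog of a running server: stop dirsrv@INSTANCE first.
    if command -v systemctl >/dev/null 2>&1 &&
       systemctl is-active --quiet "dirsrv@$inst.service" 2>/dev/null; then
        echo "dirsrv@$inst is running; stop it before moving the changelog" >&2
        return 2
    fi

    moved=0
    # db/changelog is the directory Mark named; cldb is the one Giulio also
    # had to clear on his 389-ds-base 1.3.4 install.
    for d in "$instdir/db/changelog" "$instdir/cldb"; do
        [ -d "$d" ] || continue
        mv "$d" "$d.broken-$stamp" || return 1
        mkdir "$d" || return 1
        # Recreate with the ownership and mode ns-slapd expects (dirsrv:dirsrv),
        # copied from the directory just moved aside.
        chown --reference="$d.broken-$stamp" "$d" 2>/dev/null ||
            echo "warning: could not copy ownership to $d" >&2
        chmod --reference="$d.broken-$stamp" "$d" 2>/dev/null || true
        echo "moved: $d -> $d.broken-$stamp"
        moved=$((moved + 1))
    done
    [ "$moved" -gt 0 ] || echo "nothing to move under $instdir" >&2
    return 0
}

# Number of entries a directory holds; used to confirm the fresh one is empty.
dir_entry_count() {
    find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# Once dirsrv@INSTANCE starts again, re-seed it from a healthy master, e.g.
#   ipa-replica-manage re-initialize --from HEALTHY_MASTER_FQDN
# (HEALTHY_MASTER_FQDN is a placeholder for the other IPA master.)
```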




Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread David Dejaeghere
Can you give me a couple of test commands?
I am not familiar with Dogtag.

Groeten,

David

2016-11-29 14:57 GMT+01:00 David Kupka :

> On 29/11/16 13:55, David Dejaeghere wrote:
>
>> Correct.  Same symptoms.
>>
>> 2016-11-29T10:29:42Z DEBUG certmonger request is in state
>> dbus.String(u'CA_UNREACHABLE', variant_level=1)
>>
>> Fedora 24 Server
>>
>> [root@ns02 ~]# dnf history userinstalled
>> Packages installed by user
>> freeipa-client-4.3.2-2.fc24.x86_64
>> freeipa-server-4.3.2-2.fc24.x86_64
>> grub2-1:2.02-0.34.fc24.x86_64
>> kernel-4.5.5-300.fc24.x86_64
>> kernel-4.8.8-200.fc24.x86_64
>> lvm2-2.02.150-2.fc24.x86_64
>> xfsprogs-4.5.0-2.fc24.x86_64
>>
>
> Ok. I've reproduced it by simply stopping dogtag on FreeIPA server while
> installing the replica. I see exactly the same errors as you've reported
> and as described in the ticket, now.
>
> Is dogtag running on your master? Is it responding (e.g. issuing
> certificates for users)? Is it accessible from the replica?
>
>
>
>> 2016-11-29 13:41 GMT+01:00 Petr Vobornik :
>>
>> On 11/29/2016 12:43 PM, David Kupka wrote:
>>>
 On 29/11/16 12:15, David Dejaeghere wrote:

> Seems like it is but it does not show a server cert for dirsrv
>
> [root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
> total 468
> -rw---. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
> -rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
> -r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 1623 Nov 29 11:29 certmap.conf
> -rw---. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif
> -rw---. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif.bak
> -rw---. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif.startOK
> -r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
> -rw---. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
> -rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
> -r. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 66 Nov 29 11:29 pin.txt
> -rw---. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 40 Nov 29 11:29 pwdfile.txt
> drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 4096 Nov 29 11:29 schema
> -rw---. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
> -rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
> -r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf
>
> [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
>
> Certificate Nickname                            Trust Attributes
>                                                 SSL,S/MIME,JAR/XPI
>
> CN=something-PAPRIKA-CA,DC=something,DC=local   CT,C,C
> SOMETHING.BE IPA CA                             CT,C,C
> [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
>
> Certificate Nickname                            Trust Attributes
>                                                 SSL,S/MIME,JAR/XPI
>
> CN=something-PAPRIKA-CA,DC=something,DC=local   CT,C,C
> SOMETHING.BE IPA CA                             CT,C,C
>
> [root@ns02 ~]# ausearch -m avc -i
> 
>
>
>
 Exactly, the NSSDB should be accessible to dirsrv and is missing the
 Server-Cert but I don't understand why there's "bad database" error in
 the errors log. I'll try to reproduce it. What version of FreeIPA are
 you using? On what system?

>>>
>>> Right.
>>>
>>> Seems a bit similar to https://fedorahosted.org/freeipa/ticket/6514; would
>>> be good to check if it has the same symptoms, mainly
>>>   certmonger request is in state dbus.String(u'CA_UNREACHABLE',
>>> variant_level=1)
>>>
>>> in replica install log.
>>>
>>>
>>>

> 2016-11-29 12:09 GMT+01:00 David Kupka :
>
> On 29/11/16 11:51, David Dejaeghere wrote:
>>
>> Hi,
>>>
>>> I have a setup where I want to add a replica. The first master setup has
>>> an externally signed cert for dirsrv and httpd. The replica is prepared
>>> successfully with ipa-client-install but the replica install then keeps
>>> failing. It seems that during install dirsrv is not configured correctly
>>> with a valid server certificate. Output from the dirsrv error added to

Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread David Kupka

On 29/11/16 13:55, David Dejaeghere wrote:

Correct.  Same symptoms.

2016-11-29T10:29:42Z DEBUG certmonger request is in state
dbus.String(u'CA_UNREACHABLE', variant_level=1)

Fedora 24 Server

[root@ns02 ~]# dnf history userinstalled
Packages installed by user
freeipa-client-4.3.2-2.fc24.x86_64
freeipa-server-4.3.2-2.fc24.x86_64
grub2-1:2.02-0.34.fc24.x86_64
kernel-4.5.5-300.fc24.x86_64
kernel-4.8.8-200.fc24.x86_64
lvm2-2.02.150-2.fc24.x86_64
xfsprogs-4.5.0-2.fc24.x86_64


Ok. I've reproduced it by simply stopping dogtag on FreeIPA server while 
installing the replica. I see exactly the same errors as you've reported 
and as described in the ticket, now.


Is dogtag running on your master? Is it responding (e.g. issuing 
certificates for users)? Is it accessible from the replica?




2016-11-29 13:41 GMT+01:00 Petr Vobornik :


On 11/29/2016 12:43 PM, David Kupka wrote:

On 29/11/16 12:15, David Dejaeghere wrote:

Seems like it is but it does not show a server cert for dirsrv

[root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
total 468
-rw---. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
-rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
-r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 1623 Nov 29 11:29 certmap.conf
-rw---. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif
-rw---. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif.bak
-rw---. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif.startOK
-r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
-rw---. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
-rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
-r. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 66 Nov 29 11:29 pin.txt
-rw---. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 40 Nov 29 11:29 pwdfile.txt
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 4096 Nov 29 11:29 schema
-rw---. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
-rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
-r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf

[root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L

Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local   CT,C,C
SOMETHING.BE IPA CA                             CT,C,C
[root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L

Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local   CT,C,C
SOMETHING.BE IPA CA                             CT,C,C

[root@ns02 ~]# ausearch -m avc -i





Exactly, the NSSDB should be accessible to dirsrv and is missing the
Server-Cert but I don't understand why there's "bad database" error in
the errors log. I'll try to reproduce it. What version of FreeIPA are
you using? On what system?


Right.

Seems a bit similar to https://fedorahosted.org/freeipa/ticket/6514; would
be good to check if it has the same symptoms, mainly
  certmonger request is in state dbus.String(u'CA_UNREACHABLE',
variant_level=1)

in replica install log.






2016-11-29 12:09 GMT+01:00 David Kupka :


On 29/11/16 11:51, David Dejaeghere wrote:


Hi,

I have a setup where I want to add a replica. The first master setup has
an externally signed cert for dirsrv and httpd. The replica is prepared
successfully with ipa-client-install but the replica install then keeps
failing. It seems that during install dirsrv is not configured correctly
with a valid server certificate. Output from the dirsrv error added to this
email as well.

[root@ns02 ~]# ipa-replica-install --setup-ca
WARNING: conflicting time synchronization service 'chronyd' will
be disabled in favor of ntpd

Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/43]: creating directory server user
  [2/43]: creating directory server instance
  [3/43]: restarting directory server
  [4/43]: adding default schema
  [5/43]: enabling memberof plugin
  [6/43]: enabling winsync plugin
  [7/43]: configuring replication version plugin
  [8/43]: enabling IPA enrollment plugin
  [9/43]: enabling ldapi
  [10/43]: configuring uniqueness plugin
  [11/43]: 

Re: [Freeipa-users] ns-slapd segfault

2016-11-29 Thread Giulio Casella

Il 29/11/2016 14:19, Mark Reynolds ha scritto:



On 11/29/2016 03:14 AM, Giulio Casella wrote:

Il 28/11/2016 19:22, Mark Reynolds ha scritto:



On 11/28/2016 10:22 AM, Giulio Casella wrote:

Il 28/11/2016 15:25, Lukas Slebodnik ha scritto:

On (28/11/16 12:39), Giulio Casella wrote:

Hello,

I have a setup with two ipa server in replica, based on CentOS 7.
On one server (since a couple of days) ipa cannot start, the failing
service
is dirsrv@.service.
In journal I have:

ns-slapd[4617]: segfault at 7fb53b1ce515 ip 7fb50126e1a6 sp
7ffc0b80d6c8 error 4 in libc-2.17.so[7fb501124000+1b7000]

(just after a lot of SSL alerts complaining about some enabled
cypher suite,
but I cannot say if this could be related).

I'm using ipa 4.2.0, and 389-ds-base 1.3.4.


It would be good to know the exact version.
rpm -q 389-ds-base


Installed version is:

389-ds-base-1.3.4.0-33.el7_2.x86_64



Please provide backtrace or coredump; other developers will know
whether it's a known bug or a new bug.


Ok, you can find attached full stacktrace.

It's crashing trying to read updates from the replication changelog.

Are you using attribute encryption?
Any chance you have a way to reproduce this?

Since this is happening on only one server then I think recreating the
replication changelog will "fix" the issue.  Just re-initializing that
replica should do it.  Does this server start - so it can be reinited?
If not, you need to manually remove the changelog and start the
directory server, and reinit it.  Or perform a manual ldif
initialization.  (I can help with either one if needed)



No, directory server can't start, so I think I have to manually remove
the changelog.

Probably best:

It's under /var/lib/dirsrv/slapd-INSTANCE/db/changelog (something like that)


Any help is obviously welcome.
BTW: Do you confirm I won't lose data on second (working) server doing
removal of changelog?

Well, the changelog appears to be hosed. So if something is lost, it's
already lost and is not recoverable. As long as you have another master
you are okay, and IPA only creates masters so you should be good.



Thank you Mark,
I moved away and recreated entire 
/var/lib/dirsrv/slapd-INSTANCE/db/changelog directory, rebooted server 
and now it's up and running!


Thank you again.

Bye,
gc



Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread David Dejaeghere
Correct.  Same symptoms.

2016-11-29T10:29:42Z DEBUG certmonger request is in state
dbus.String(u'CA_UNREACHABLE', variant_level=1)

Fedora 24 Server

[root@ns02 ~]# dnf history userinstalled
Packages installed by user
freeipa-client-4.3.2-2.fc24.x86_64
freeipa-server-4.3.2-2.fc24.x86_64
grub2-1:2.02-0.34.fc24.x86_64
kernel-4.5.5-300.fc24.x86_64
kernel-4.8.8-200.fc24.x86_64
lvm2-2.02.150-2.fc24.x86_64
xfsprogs-4.5.0-2.fc24.x86_64

2016-11-29 13:41 GMT+01:00 Petr Vobornik :

> On 11/29/2016 12:43 PM, David Kupka wrote:
> > On 29/11/16 12:15, David Dejaeghere wrote:
> >> Seems like it is but it does not show a server cert for dirsrv
> >>
> >> [root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
> >> total 468
> >> -rw---. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
> >> -rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
> >> -r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 1623 Nov 29 11:29 certmap.conf
> >> -rw---. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif
> >> -rw---. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif.bak
> >> -rw---. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif.startOK
> >> -r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
> >> -rw---. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
> >> -rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
> >> -r. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 66 Nov 29 11:29 pin.txt
> >> -rw---. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 40 Nov 29 11:29 pwdfile.txt
> >> drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 4096 Nov 29 11:29 schema
> >> -rw---. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
> >> -rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
> >> -r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf
> >>
> >> [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
> >>
> >> Certificate Nickname                            Trust Attributes
> >>                                                 SSL,S/MIME,JAR/XPI
> >>
> >> CN=something-PAPRIKA-CA,DC=something,DC=local   CT,C,C
> >> SOMETHING.BE IPA CA                             CT,C,C
> >> [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
> >>
> >> Certificate Nickname                            Trust Attributes
> >>                                                 SSL,S/MIME,JAR/XPI
> >>
> >> CN=something-PAPRIKA-CA,DC=something,DC=local   CT,C,C
> >> SOMETHING.BE IPA CA                             CT,C,C
> >>
> >> [root@ns02 ~]# ausearch -m avc -i
> >> 
> >>
> >>
> >
> > Exactly, the NSSDB should be accessible to dirsrv and is missing the
> > Server-Cert but I don't understand why there's "bad database" error in
> > the errors log. I'll try to reproduce it. What version of FreeIPA are
> > you using? On what system?
>
> Right.
>
> Seems a bit similar to https://fedorahosted.org/freeipa/ticket/6514; would
> be good to check if it has the same symptoms, mainly
>   certmonger request is in state dbus.String(u'CA_UNREACHABLE',
> variant_level=1)
>
> in replica install log.
>
>
> >
> >>
> >> 2016-11-29 12:09 GMT+01:00 David Kupka :
> >>
> >>> On 29/11/16 11:51, David Dejaeghere wrote:
> >>>
>  Hi,
> 
>  I have a setup where I want to add a replica. The first master setup has
>  an externally signed cert for dirsrv and httpd. The replica is prepared
>  successfully with ipa-client-install but the replica install then keeps
>  failing. It seems that during install dirsrv is not configured correctly
>  with a valid server certificate. Output from the dirsrv error added to this
>  email as well.
> 
>  [root@ns02 ~]# ipa-replica-install --setup-ca
>  WARNING: conflicting time synchronization service 'chronyd' will
>  be disabled in favor of ntpd
> 
>  Run connection check to master
>  Connection check OK
>  Configuring NTP daemon (ntpd)
>    [1/4]: stopping ntpd
>    [2/4]: writing configuration
>    [3/4]: configuring ntpd to start on boot
>    [4/4]: starting ntpd
>  Done configuring NTP daemon (ntpd).
>  Configuring directory server (dirsrv). Estimated time: 1 minute
>    [1/43]: creating directory server user
>    [2/43]: creating directory server instance
>    [3/43]: restarting directory server
>    

Re: [Freeipa-users] new install on Fedora 24 kinit: Generic preauthentication failure while getting initial credentials

2016-11-29 Thread Tomas Krizek

On 11/29/2016 10:50 AM, Tomas Krizek wrote:

On 11/28/2016 05:38 PM, Robert Kudyba wrote:
There seems to be a problem either with Kerberos and/or using a self 
signed certificate vs. Let’s Encrypt. I tried to run the set up 
script from https://github.com/freeipa/freeipa-letsencrypt and below 
are some errors and logs.


Within the /etc/httpd/conf.d/ipa.conf file I commented out 
these directives as I had some Apache redirects that were breaking:


#WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
 display-name=%{GROUP} socket-timeout=2147483647
#WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa 
application-group=ipa

#WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
#WSGIScriptReloading Off

./setup-le.sh
Last metadata expiration check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.
Package certbot-0.9.3-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's 
certificate issuer has been marked as not trusted by the user. (visit 
http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)

The ipa-cacert-manage command failed.

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

kinit admin
kinit: Generic preauthentication failure while getting initial 
credentials


journalctl -u named-pkcs11
-- No entries --

journalctl -u named
-- No entries --

 file /var/named/data/named.run
/var/named/data/named.run: cannot open `/var/named/data/named.run' 
(No such file or directory)


ldapsearch -Y GSSAPI 
'(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (No Kerberos 
credentials available (default cache: KEYRING:persistent:0))


ipa help krbtpolicy
ipa: ERROR: did not receive Kerberos credentials

In /var/log/krb5kdc.log:

Nov 28 05:19:49 krb5kdc[19575](info): closing down fd 11
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 
25 26}) ip: NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, 
Additional pre-authentication required

Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 
25 26}) ip: NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, 
Additional pre-authentication required

Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11




Hi,

you're hitting an issue with Let's Encrypt setup.

https://github.com/freeipa/freeipa-letsencrypt/issues/1

unfortunately, I'm not aware of any workaround or solution as of now.
--
Tomas Krizek


The issue should be fixed now. Please try to set up Let's Encrypt again. 
In case it does not work, you might need to reinstall IPA before setting 
up Let's Encrypt.


--
Tomas Krizek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread Petr Vobornik
On 11/29/2016 12:43 PM, David Kupka wrote:
> On 29/11/16 12:15, David Dejaeghere wrote:
>> Seems like it is but it does not show a server cert for dirsrv
>>
> >> [root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
> >> total 468
> >> -rw---. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
> >> -rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
> >> -r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf
> >> -rw---. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif
> >> -rw---. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif.bak
> >> -rw---. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif.startOK
> >> -r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
> >> -rw---. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
> >> -rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
> >> -r. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt
> >> -rw---. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt
> >> drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema
> >> -rw---. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
> >> -rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
> >> -r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf
> >>
> >> [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
> >>
> >> Certificate Nickname                                         Trust Attributes
> >>                                                              SSL,S/MIME,JAR/XPI
> >>
> >> CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
> >> SOMETHING.BE IPA CA                                          CT,C,C
> >> [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
> >>
> >> Certificate Nickname                                         Trust Attributes
> >>                                                              SSL,S/MIME,JAR/XPI
> >>
> >> CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
> >> SOMETHING.BE IPA CA                                          CT,C,C
> >>
> >> [root@ns02 ~]# ausearch -m avc -i
>> 
>>
>>
> 
> Exactly, the NSSDB should be accessible to dirsrv and is missing the
> Server-Cert but I don't understand why there's "bad database" error in
> the errors log. I'll try to reproduce it. What version of FreeIPA are
> you using? On what system?

Right.

Seems a bit similar to https://fedorahosted.org/freeipa/ticket/6514; it would
be good to check if it has the same symptoms, mainly
  certmonger request is in state dbus.String(u'CA_UNREACHABLE',
variant_level=1)

in replica install log.


> 
>>
>> 2016-11-29 12:09 GMT+01:00 David Kupka :
>>
>>> On 29/11/16 11:51, David Dejaeghere wrote:
>>>
 Hi,

 I have a setup where I want to add a replica.  The first master setup has
 an externally signed cert for dirsrv and httpd.  The replica is prepared
 successfully with ipa-client-install but the replica install then keeps
 failing.  It seems that during install dirsrv is not configured correctly
 with a valid server certificate. Output from the dirsrv error added to this
 email as well.

 [root@ns02 ~]# ipa-replica-install --setup-ca
 WARNING: conflicting time synchronization service 'chronyd' will
 be disabled in favor of ntpd

 Run connection check to master
 Connection check OK
 Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
 Done configuring NTP daemon (ntpd).
 Configuring directory server (dirsrv). Estimated time: 1 minute
   [1/43]: creating directory server user
   [2/43]: creating directory server instance
   [3/43]: restarting directory server
   [4/43]: adding default schema
   [5/43]: enabling memberof plugin
   [6/43]: enabling winsync plugin
   [7/43]: configuring replication version plugin
   [8/43]: enabling IPA enrollment plugin
   [9/43]: enabling ldapi
   [10/43]: configuring uniqueness plugin
   [11/43]: configuring uuid plugin
   [12/43]: configuring modrdn plugin
   [13/43]: configuring DNS plugin
   [14/43]: enabling entryUSN plugin
   [15/43]: configuring lockout plugin
   [16/43]: configuring topology plugin
   [17/43]: creating indices
   [18/43]: enabling referential integrity plugin
   [19/43]: configuring certmap.conf
   [20/43]: configure 

Re: [Freeipa-users] ns-slapd segfault

2016-11-29 Thread Giulio Casella

On 28/11/2016 19:22, Mark Reynolds wrote:



On 11/28/2016 10:22 AM, Giulio Casella wrote:

On 28/11/2016 15:25, Lukas Slebodnik wrote:

On (28/11/16 12:39), Giulio Casella wrote:

Hello,

I have a setup with two ipa servers in replica, based on CentOS 7.
On one server (since a couple of days) ipa cannot start; the failing
service is dirsrv@.service.
In journal I have:

ns-slapd[4617]: segfault at 7fb53b1ce515 ip 7fb50126e1a6sp
7ffc0b80d6c8 error 4 in libc-2.17.so[7fb501124000+1b7000]

(just after a lot of SSL alerts complaining about some enabled
cypher suite,
but I cannot say if this could be related).

I'm using ipa 4.2.0, and 389-ds-base 1.3.4.


It would be good to know the exact version.
rpm -q 389-ds-base


Installed version is:

389-ds-base-1.3.4.0-33.el7_2.x86_64



Please provide backtrace or coredump; other developers will know
whether it's a known bug or a new bug.


Ok, you can find attached full stacktrace.

It's crashing trying to read updates from the replication changelog.

Are you using attribute encryption?
Any chance you have a way to reproduce this?

Since this is happening on only one server then I think recreating the
replication changelog will "fix" the issue.  Just re-initializing that
replica should do it.  Does this server start - so it can be reinited?
If not, you need to manually remove the changelog and start the
directory server, and reinit it.  Or perform a manual ldif
initialization.  (I can help with either one if needed)



No, directory server can't start, so I think I have to manually remove 
the changelog.

Any help is obviously welcome.
BTW: Do you confirm I won't lose data on second (working) server doing 
removal of changelog?


Thanks in advance,
gc



Re: [Freeipa-users] OTP Algorithm

2016-11-29 Thread Callum Guy
Hi Alexander,

I can confirm that I am using version 4.2.0.

The bug link provided mentions that it caused GA to fail to scan the codes.
In my situation it is FreeIPA (or related service) which appears to fail to
validate codes generated, meaning that only OTP codes generated using sha1
are validated and accepted.

Just for clarity I can confirm that I have only tested OTP codes generated
and configured via the FreeIPA web interface. I will check the command line
generation and let you know if this makes a difference.

Best Regards,

Callum


On Tue, Nov 29, 2016 at 11:51 AM Alexander Bokovoy 
wrote:

> On Tue, 29 Nov 2016, Callum Guy wrote:
> >Hi Petr,
> >
> >Thanks for coming back to me on this.
> >
> >I have only tried using Google Authenticator. The generated QR code
> >successfully scans and codes are then generated on the GA device as
> normal.
> >The problem is that the codes simply do not work.
> >
> >My current thinking is that the service which interprets the codes
> >server-side is not configured to use the same algorithm meaning that it is
> >trying to validate sha256/sha512 (both tested and not functional for me)
> >etc codes against codes perhaps generated with sha1 (the only algorithm
> >that appears to work).
> >
> >I apologise in advance for my naive interpretation of the situation, this
> >really isn't an area where I have experience. I'd love to understand what's
> >going on however I can't find what I need in the OTP documentation.
> Which IPA version are we talking about? There was a case when the URI
> generated by 'ipa otptoken-add' was using a wrong case in the algorithm
> value and this was breaking Google Authenticator.
>
> https://fedorahosted.org/freeipa/ticket/5047
>
> This bug was fixed since 4.1.5 release.
>
> >
> >Best Regards,
> >
> >Callum
> >
> >
> >On Tue, Nov 29, 2016 at 11:10 AM Petr Vobornik 
> wrote:
> >
> >> On 11/28/2016 01:03 PM, Callum Guy wrote:
> >> > Hi All,
> >> >
> >> > I wanted to ask a quick question - perhaps a more experienced user
> will
> >> be able
> >> > to help or point me to the correct documentation.
> >> >
> >> > Basically we have implemented password+OTP type authentication which
> >> works great.
> >> >
> >> > When adding an OTP code using the admin login you can choose an
> >> algorithm. For us
> >> > the generated codes only work properly if the weakest sha1 algorithm
> is
> >> chosen.
> >> > To be clear the code generation works fine but the codes are not valid
> >> when
> >> > logging in. Is there a related setting we must change?
> >> >
> >> > Thanks,
> >> >
> >> > Callum
> >> >
> >>
> >> What type of otp token do you use? Does it work with a different one?
> >> E.g. FreeOTP vs Google Authenticator ...
> >>
> >>
> >> --
> >> Petr Vobornik
> >>
> >
> >--
> >
> >
> >
> >*0333 332   |  www.x-on.co.uk   |   **
> >
> >
> > *
> >X-on is a trading name of Storacall Technology Ltd a limited company
> >registered in England and Wales.
> >Registered Office : Avaland House, 110 London Road, Apsley, Hemel
> >Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
> >The information in this e-mail is confidential and for use by the
> >addressee(s) only. If you are not the intended recipient, please notify
> >X-on immediately on +44(0)333 332  <+44%20333%20332%20> and
> delete the
> >message from your computer. If you are not a named addressee you must not
> >use, disclose, disseminate, distribute, copy, print or reply to this
> email. Views
> >or opinions expressed by an individual
> >within this email may not necessarily reflect the views of X-on or its
> >associated companies. Although X-on routinely screens for viruses,
> >addressees should scan this email and any attachments
> >for viruses. X-on makes no representation or warranty as to the absence of
> >viruses in this email or any attachments.
> >
>
>
>
> --
> / Alexander Bokovoy
>


Re: [Freeipa-users] OTP Algorithm

2016-11-29 Thread Alexander Bokovoy

On Tue, 29 Nov 2016, Callum Guy wrote:

Hi Petr,

Thanks for coming back to me on this.

I have only tried using Google Authenticator. The generated QR code
successfully scans and codes are then generated on the GA device as normal.
The problem is that the codes simply do not work.

My current thinking is that the service which interprets the codes
server-side is not configured to use the same algorithm meaning that it is
trying to validate sha256/sha512 (both tested and not functional for me)
etc codes against codes perhaps generated with sha1 (the only algorithm
that appears to work).

I apologise in advance for my naive interpretation of the situation, this
really isn't an area where I have experience. I'd love to understand what's
going on however I can't find what I need in the OTP documentation.

Which IPA version are we talking about? There was a case when the URI
generated by 'ipa otptoken-add' was using a wrong case in the algorithm
value and this was breaking Google Authenticator.

https://fedorahosted.org/freeipa/ticket/5047

This bug was fixed since 4.1.5 release.



Best Regards,

Callum


On Tue, Nov 29, 2016 at 11:10 AM Petr Vobornik  wrote:


On 11/28/2016 01:03 PM, Callum Guy wrote:
> Hi All,
>
> I wanted to ask a quick question - perhaps a more experienced user will
be able
> to help or point me to the correct documentation.
>
> Basically we have implemented password+OTP type authentication which
works great.
>
> When adding an OTP code using the admin login you can choose an
algorithm. For us
> the generated codes only work properly if the weakest sha1 algorithm is
chosen.
> To be clear the code generation works fine but the codes are not valid
when
> logging in. Is there a related setting we must change?
>
> Thanks,
>
> Callum
>

What type of otp token do you use? Does it work with a different one?
E.g. FreeOTP vs Google Authenticator ...


--
Petr Vobornik










--
/ Alexander Bokovoy


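The symptom Callum describes (codes that verify only when the token is created with sha1) and the URI-case bug Alexander links are both easier to reason about with a minimal TOTP implementation in hand. The block below is an added example written for this page, not code from FreeIPA, from the KDC, or from anyone in the thread. It uses the RFC 6238 test secrets and the 8-digit codes the RFC lists for T=59 to show that the validator's HMAC hash must match the generator's, and that an otpauth:// URI should carry the algorithm in upper case; the `otpauth_uri` helper and the issuer/account names in it are assumptions for illustration only.

```python
import hashlib
import hmac
import struct
from urllib.parse import quote

# Hash functions allowed by RFC 4226/6238 and by the otpauth:// key URI format.
SUPPORTED_ALGORITHMS = ("sha1", "sha256", "sha512")


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation, then the low `digits` decimal digits, zero-padded."""
    algorithm = algorithm.lower()
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError("unsupported OTP algorithm: %s" % algorithm)
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: float, step: int = 30, digits: int = 6,
                algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and `window`
    steps either side (clock drift), comparing in constant time. It succeeds
    only when the validator's algorithm is the one the token was generated with."""
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), code):
            return True
    return False


def otpauth_uri(issuer: str, account: str, secret_b32: str, algorithm: str = "sha1",
                digits: int = 6, period: int = 30) -> str:
    """Build the otpauth:// URI an authenticator app scans (assumed helper).
    The key URI format spells the algorithm SHA1/SHA256/SHA512 in upper case;
    a lower-case value is the kind of mismatch the linked ticket describes."""
    label = quote("%s:%s" % (issuer, account))
    return ("otpauth://totp/%s?secret=%s&issuer=%s&algorithm=%s&digits=%d&period=%d"
            % (label, secret_b32, quote(issuer), algorithm.upper(), digits, period))


# RFC 6238 Appendix B test secrets (ASCII digits repeated to each hash's
# block width) and the 8-digit codes the RFC lists for T = 59 seconds.
RFC6238_SECRETS = {
    "sha1": b"12345678901234567890",
    "sha256": b"12345678901234567890123456789012",
    "sha512": b"1234567890123456789012345678901234567890123456789012345678901234",
}
RFC6238_AT_59 = {"sha1": "94287082", "sha256": "46119246", "sha512": "90693936"}


def algorithm_mismatch_demo(at: int = 59) -> dict:
    """Generate one code with SHA1 (what the phone app does when the enrolled
    token says sha1) and try to validate it under every server-side algorithm.
    Only the matching algorithm accepts it; the others reject a correct code."""
    code = totp(RFC6238_SECRETS["sha1"], at, digits=8, algorithm="sha1")
    return {alg: verify_totp(RFC6238_SECRETS["sha1"], code, at, digits=8, algorithm=alg)
            for alg in SUPPORTED_ALGORITHMS}


if __name__ == "__main__":
    for alg, expected in RFC6238_AT_59.items():
        print(alg, totp(RFC6238_SECRETS[alg], 59, digits=8, algorithm=alg), "expected", expected)
    print(algorithm_mismatch_demo())
    print(otpauth_uri("EXAMPLE.TEST", "alice", "JBSWY3DPEHPK3PXP", "sha256"))
```

The practical reading: if a sha256 or sha512 token enrolled through the web UI never validates while a sha1 one does, the thing to compare is the algorithm the app was told (the otpauth URI or QR code) against the algorithm the KDC side uses to recompute the code; a wrong or wrongly cased value at either end yields exactly the "codes generate fine but never work" behaviour in this thread.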

Re: [Freeipa-users] OTP Algorithm

2016-11-29 Thread Callum Guy
Hi Petr,

Thanks for coming back to me on this.

I have only tried using Google Authenticator. The generated QR code
successfully scans and codes are then generated on the GA device as normal.
The problem is that the codes simply do not work.

My current thinking is that the service which interprets the codes
server-side is not configured to use the same algorithm meaning that it is
trying to validate sha256/sha512 (both tested and not functional for me)
etc codes against codes perhaps generated with sha1 (the only algorithm
that appears to work).

I apologise in advance for my naive interpretation of the situation, this
really isn't an area where I have experience. I'd love to understand what's
going on however I can't find what I need in the OTP documentation.

Best Regards,

Callum


On Tue, Nov 29, 2016 at 11:10 AM Petr Vobornik  wrote:

> On 11/28/2016 01:03 PM, Callum Guy wrote:
> > Hi All,
> >
> > I wanted to ask a quick question - perhaps a more experienced user will
> be able
> > to help or point me to the correct documentation.
> >
> > Basically we have implemented password+OTP type authentication which
> works great.
> >
> > When adding an OTP code using the admin login you can choose an
> algorithm. For us
> > the generated codes only work properly if the weakest sha1 algorithm is
> chosen.
> > To be clear the code generation works fine but the codes are not valid
> when
> > logging in. Is there a related setting we must change?
> >
> > Thanks,
> >
> > Callum
> >
>
> What type of otp token do you use? Does it work with a different one?
> E.g. FreeOTP vs Google Authenticator ...
>
>
> --
> Petr Vobornik
>


Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread David Dejaeghere
Seems like it is but it does not show a server cert for dirsrv

[root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
total 468
-rw---. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
-rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
-r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf
-rw---. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif
-rw---. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif.bak
-rw---. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif.startOK
-r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
-rw---. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
-rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
-r. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt
-rw---. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema
-rw---. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
-rw-rw. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
-r--r-. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf

[root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C
[root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C

[root@ns02 ~]# ausearch -m avc -i




2016-11-29 12:09 GMT+01:00 David Kupka :

> On 29/11/16 11:51, David Dejaeghere wrote:
>
>> Hi,
>>
> >> I have a setup where I want to add a replica.  The first master setup has
> >> an externally signed cert for dirsrv and httpd.  The replica is prepared
> >> successfully with ipa-client-install but the replica install then keeps
> >> failing.  It seems that during install dirsrv is not configured correctly
> >> with a valid server certificate. Output from the dirsrv error added to this
> >> email as well.
>>
>> [root@ns02 ~]# ipa-replica-install --setup-ca
>> WARNING: conflicting time synchronization service 'chronyd' will
>> be disabled in favor of ntpd
>>
>> Run connection check to master
>> Connection check OK
>> Configuring NTP daemon (ntpd)
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>   [1/43]: creating directory server user
>>   [2/43]: creating directory server instance
>>   [3/43]: restarting directory server
>>   [4/43]: adding default schema
>>   [5/43]: enabling memberof plugin
>>   [6/43]: enabling winsync plugin
>>   [7/43]: configuring replication version plugin
>>   [8/43]: enabling IPA enrollment plugin
>>   [9/43]: enabling ldapi
>>   [10/43]: configuring uniqueness plugin
>>   [11/43]: configuring uuid plugin
>>   [12/43]: configuring modrdn plugin
>>   [13/43]: configuring DNS plugin
>>   [14/43]: enabling entryUSN plugin
>>   [15/43]: configuring lockout plugin
>>   [16/43]: configuring topology plugin
>>   [17/43]: creating indices
>>   [18/43]: enabling referential integrity plugin
>>   [19/43]: configuring certmap.conf
>>   [20/43]: configure autobind for root
>>   [21/43]: configure new location for managed entries
>>   [22/43]: configure dirsrv ccache
>>   [23/43]: enabling SASL mapping fallback
>>   [24/43]: restarting directory server
>>   [25/43]: creating DS keytab
>>   [26/43]: retrieving DS Certificate
>>   [27/43]: restarting directory server
>> ipa : CRITICAL Failed to restart the directory server (Command
>> '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero
>> exit
>> status 1). See the installation log for details.
>>   [28/43]: setting up initial replication
>>   [error] error: [Errno 111] Connection refused
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>>
>> [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security
>> Initialization:
>> Can't find certificate (Server-Cert) for family
>> cn=RSA,cn=encryption,cn=config (Netscape Portable 

Re: [Freeipa-users] OTP Algorithm

2016-11-29 Thread Petr Vobornik
On 11/28/2016 01:03 PM, Callum Guy wrote:
> Hi All,
> 
> I wanted to ask a quick question - perhaps a more experienced user will be 
> able 
> to help or point me to the correct documentation.
> 
> Basically we have implemented password+OTP type authentication which works 
> great.
> 
> When adding an OTP code using the admin login you can choose an algorithm. For 
> us 
> the generated codes only work properly if the weakest sha1 algorithm is 
> chosen. 
> To be clear the code generation works fine but the codes are not valid when 
> logging in. Is there a related setting we must change?
> 
> Thanks,
> 
> Callum
> 

What type of otp token do you use? Does it work with a different one?
E.g. FreeOTP vs Google Authenticator ...


-- 
Petr Vobornik



Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread David Kupka

On 29/11/16 11:51, David Dejaeghere wrote:

Hi,

I have a setup where I want to add a replica.  The first master setup has
an externally signed cert for dirsrv and httpd.  The replica is prepared
successfully with ipa-client-install but the replica install then keeps
failing.  It seems that during install dirsrv is not configured correctly
with a valid server certificate. Output from the dirsrv error added to this
email as well.

[root@ns02 ~]# ipa-replica-install --setup-ca
WARNING: conflicting time synchronization service 'chronyd' will
be disabled in favor of ntpd

Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/43]: creating directory server user
  [2/43]: creating directory server instance
  [3/43]: restarting directory server
  [4/43]: adding default schema
  [5/43]: enabling memberof plugin
  [6/43]: enabling winsync plugin
  [7/43]: configuring replication version plugin
  [8/43]: enabling IPA enrollment plugin
  [9/43]: enabling ldapi
  [10/43]: configuring uniqueness plugin
  [11/43]: configuring uuid plugin
  [12/43]: configuring modrdn plugin
  [13/43]: configuring DNS plugin
  [14/43]: enabling entryUSN plugin
  [15/43]: configuring lockout plugin
  [16/43]: configuring topology plugin
  [17/43]: creating indices
  [18/43]: enabling referential integrity plugin
  [19/43]: configuring certmap.conf
  [20/43]: configure autobind for root
  [21/43]: configure new location for managed entries
  [22/43]: configure dirsrv ccache
  [23/43]: enabling SASL mapping fallback
  [24/43]: restarting directory server
  [25/43]: creating DS keytab
  [26/43]: retrieving DS Certificate
  [27/43]: restarting directory server
ipa : CRITICAL Failed to restart the directory server (Command
'/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero exit
status 1). See the installation log for details.
  [28/43]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


[29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization:
Can't find certificate (Server-Cert) for family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)
[29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization:
Unable to retrieve private key for cert Server-Cert of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)





Hello David,

The error from the log indicates that either the NSSDB for dirsrv is not 
initialized or not accessible.


Could you please send output of the following commands?

# ls -lZ /etc/dirsrv/slapd-$REALM/
# certutil -d /etc/dirsrv/slapd-$REALM/ -L
# ausearch -m avc -i


--
David Kupka


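David's three commands amount to a pre-flight check on the dirsrv NSS database: is the Server-Cert nickname there with its private key, can the service account read the DB files, and is SELinux in the way. The block below is an added example written for this page, not FreeIPA's or 389-ds's own tooling. It parses `certutil -L` output in the layout shown earlier in this thread (an assumption about the format), checks POSIX readability of the cert8/key3/secmod files, and leaves the SELinux question to `ausearch -m avc -i`; the two sample listings are constructed, one mirroring the CA-only output David Dejaeghere posted and one with a healthy Server-Cert added, and `diagnose` is a convenience wrapper that needs the real certutil binary.

```python
import os
import re
import shutil
import stat
import subprocess
import tempfile

# Legacy-format NSS database files a 389-ds instance must be able to read.
NSSDB_FILES = ("cert8.db", "key3.db", "secmod.db")

# "<nickname>   <trust for SSL>,<S/MIME>,<JAR/XPI>"; each field is a set of NSS trust letters.
TRUST_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")


def parse_certutil_listing(text: str) -> dict:
    """Turn `certutil -d <dir> -L` output into {nickname: trust flags}."""
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if (not line or line.startswith("Certificate Nickname")
                or line.lstrip().startswith("SSL,S/MIME")):
            continue  # header lines
        m = TRUST_RE.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def check_server_cert(certs: dict, nickname: str = "Server-Cert") -> list:
    """Problems found: the nickname is absent, or present without the 'u'
    (user cert, private key available) flag in the SSL column."""
    trust = certs.get(nickname)
    if trust is None:
        return ["%s not in NSS DB (found: %s)" % (nickname, ", ".join(sorted(certs)) or "nothing")]
    if "u" not in trust.split(",")[0]:
        return ["%s present but SSL trust '%s' lacks 'u': private key missing?" % (nickname, trust)]
    return []


def check_nssdb_readable(dbdir: str, uid: int, gid: int) -> list:
    """Check the DB files exist and the POSIX bits let uid/gid read them.
    SELinux is not consulted here; that is what ausearch -m avc -i is for."""
    problems = []
    for name in NSSDB_FILES:
        path = os.path.join(dbdir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append("%s missing" % path)
            continue
        mode = st.st_mode
        readable = ((st.st_uid == uid and mode & stat.S_IRUSR)
                    or (st.st_gid == gid and mode & stat.S_IRGRP)
                    or mode & stat.S_IROTH)
        if not readable:
            problems.append("%s not readable by uid %d/gid %d (owner %d:%d, mode %o)"
                            % (path, uid, gid, st.st_uid, st.st_gid, stat.S_IMODE(mode)))
    return problems


def diagnose(dbdir: str, service_uid: int, service_gid: int, nickname: str = "Server-Cert") -> list:
    """Run both checks against a live instance directory. Needs the certutil
    binary (nss-tools); returns a list of human-readable problems, empty if none."""
    problems = check_nssdb_readable(dbdir, service_uid, service_gid)
    if shutil.which("certutil") is None:
        return problems + ["certutil not installed; cannot list certificates"]
    out = subprocess.run(["certutil", "-d", dbdir, "-L"], capture_output=True, text=True)
    if out.returncode != 0:
        return problems + ["certutil -L failed: %s" % out.stderr.strip()]
    return problems + check_server_cert(parse_certutil_listing(out.stdout), nickname)


# Constructed sample mirroring the listing in this thread: CA certs only, no Server-Cert.
SAMPLE_LISTING_BROKEN = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C
"""
# Constructed sample of a healthy dirsrv NSS DB: the server cert carries its key.
SAMPLE_LISTING_OK = SAMPLE_LISTING_BROKEN + "Server-Cert                                u,u,u\n"


def demo_permission_check() -> tuple:
    """Self-contained demo in a temp dir: 0600 files owned by us are readable by
    us, not by another uid/gid; a removed key3.db is reported as missing."""
    with tempfile.TemporaryDirectory() as d:
        for name in NSSDB_FILES:
            path = os.path.join(d, name)
            open(path, "wb").close()
            os.chmod(path, 0o600)
        mine = check_nssdb_readable(d, os.getuid(), os.getgid())
        other = check_nssdb_readable(d, os.getuid() + 1, os.getgid() + 1)
        os.remove(os.path.join(d, "key3.db"))
        missing = check_nssdb_readable(d, os.getuid(), os.getgid())
    return len(mine), len(other), len(missing)


if __name__ == "__main__":
    print(check_server_cert(parse_certutil_listing(SAMPLE_LISTING_BROKEN)))
    print(check_server_cert(parse_certutil_listing(SAMPLE_LISTING_OK)))
    print(demo_permission_check())
```

Against the listing posted in this thread the first check reports that Server-Cert is absent, which matches the "Can't find certificate (Server-Cert)" line in the dirsrv log; a missing nickname points at the retrieval step of the installer (the certmonger state Petr mentions) rather than at file permissions, and an AVC denial would show up only in the ausearch output.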

[Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread David Dejaeghere
Hi,

I have a setup where I want to add a replica.  The first master setup has
an externally signed cert for dirsrv and httpd.  The replica is prepared
successfully with ipa-client-install but the replica install then keeps
failing.  It seems that during install dirsrv is not configured correctly
with a valid server certificate. Output from the dirsrv error added to this
email as well.

[root@ns02 ~]# ipa-replica-install --setup-ca
WARNING: conflicting time synchronization service 'chronyd' will
be disabled in favor of ntpd

Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/43]: creating directory server user
  [2/43]: creating directory server instance
  [3/43]: restarting directory server
  [4/43]: adding default schema
  [5/43]: enabling memberof plugin
  [6/43]: enabling winsync plugin
  [7/43]: configuring replication version plugin
  [8/43]: enabling IPA enrollment plugin
  [9/43]: enabling ldapi
  [10/43]: configuring uniqueness plugin
  [11/43]: configuring uuid plugin
  [12/43]: configuring modrdn plugin
  [13/43]: configuring DNS plugin
  [14/43]: enabling entryUSN plugin
  [15/43]: configuring lockout plugin
  [16/43]: configuring topology plugin
  [17/43]: creating indices
  [18/43]: enabling referential integrity plugin
  [19/43]: configuring certmap.conf
  [20/43]: configure autobind for root
  [21/43]: configure new location for managed entries
  [22/43]: configure dirsrv ccache
  [23/43]: enabling SASL mapping fallback
  [24/43]: restarting directory server
  [25/43]: creating DS keytab
  [26/43]: retrieving DS Certificate
  [27/43]: restarting directory server
ipa : CRITICAL Failed to restart the directory server (Command
'/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero exit
status 1). See the installation log for details.
  [28/43]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


[29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization:
Can't find certificate (Server-Cert) for family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)
[29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization:
Unable to retrieve private key for cert Server-Cert of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)

Re: [Freeipa-users] How to enable anonymous pkinit on FreeIPA 4.3.1 on Ubuntu ?

2016-11-29 Thread Simo Sorce
On Tue, 2016-11-29 at 00:11 +0100, Diogenes S. Jesus wrote:
> I've got one freeipa instance for testing purposes and I'm trying to
> enable anonymous pkinit support on it[1], as Simon mentioned being
> possible :) [2]
> 
> For debug purposes, I have done:
> 
> /etc/kdc.conf
> ---
> [kdcdefaults]
>  kdc_ports = 88
>  kdc_tcp_ports = 88
>  restrict_anonymous_to_tgt = true
> 
> [realms]
>  REALM.EU = {
>   master_key_type = aes256-cts
>   max_life = 7d
>   max_renewable_life = 14d
>   acl_file = /etc/krb5kdc/kadm5.acl
>   dict_file = /usr/share/dict/words
>   default_principal_flags = +preauth
>   admin_keytab = /etc/krb5kdc/kadm5.keytab
>pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
>pkinit_eku_checking = none
>  }
> 
> The user krb5.conf file:
> [realms]
> REALM.EU = {
> master_kdc = kdc.realm.eu
> admin_server = kdc.realm.eu
> pkinit_anchors = /usr/local/share/ca-certificates/root-ca.crt
> }
> 
> 
> Openssl is able to verify the certificate:
> root@ipa01:~# openssl verify -verbose -CAfile
> /usr/local/share/ca-certificates/root-ca.crt /var/lib/krb5kdc/kdc.pem
> /var/lib/krb5kdc/kdc.pem: OK
> 
> The KDC certificate was created based on MIT Kerberos guidelines[3]
> 
> The anonymous user (created manually first with "-rankey"), resulting
> in the following user-side messages:
> root@ubuntu:~# KRB5_TRACE=/dev/stdout kinit -n
> [11573] 1480374327.337803: Getting initial credentials for
> WELLKNOWN/anonym...@realm.eu
> [11573] 1480374327.340203: Sending request (178 bytes) to REALM.EU
> [11573] 1480374327.443449: Retrying AS request with master KDC
> [11573] 1480374327.443939: Getting initial credentials for
> WELLKNOWN/anonym...@realm.eu
> [11573] 1480374327.444784: Sending request (178 bytes) to REALM.EU (master)
> [11573] 1480374327.445357: Resolving hostname kdc.bdc1.hu.sec.in.realm.eu
> [11573] 1480374327.471043: Sending initial UDP request to dgram 10.235.2.25:88
> [11573] 1480374328.472199: Resolving hostname kdc.bdc1.hu.sec.in.realm.eu
> [11573] 1480374328.498175: Sending initial UDP request to dgram 
> 10.235.2.25:750
> [11573] 1480374329.500579: Initiating TCP connection to stream 10.235.2.25:88
> [11573] 1480374329.527259: Sending TCP request to stream 10.235.2.25:88
> [11573] 1480374329.557528: Received answer (459 bytes) from stream
> 10.235.2.25:88
> [11573] 1480374329.558323: Received error from KDC:
> -1765328359/Additional pre-authentication required
> [11573] 1480374329.558767: Processing preauth types: 16, 15, 14, 136,
> 19, 147, 2, 133
> [11573] 1480374329.558976: Selected etype info: etype aes256-cts, salt
> "REALM.EUWELLKNOWNANONYMOUS", params ""
> [11573] 1480374329.559480: Received cookie: MIT
> [11573] 1480374329.559532: Preauth module pkinit (147) (info)
> returned: 0/Success
> [11573] 1480374329.559627: PKINIT client has no configured identity; giving up
> [11573] 1480374329.559651: Preauth module pkinit (16) (real) returned:
> 22/Invalid argument
> [11573] 1480374329.559669: PKINIT client has no configured identity; giving up
> [11573] 1480374329.559680: Preauth module pkinit (14) (real) returned:
> 22/Invalid argument
> [11573] 1480374329.559696: PKINIT client has no configured identity; giving up
> [11573] 1480374329.559707: Preauth module pkinit (14) (real) returned:
> 22/Invalid argument
> Password for WELLKNOWN/anonym...@realm.eu:
> 
> 
> Then removed the anonymous user keys:
> root@ipa01:~# kadmin.local -x ipa-setup-override-restrictions -q
> 'purgekeys -all WELLKNOWN/ANONYMOUS'

This is not necessary and won't make any difference.

> On the client side:
> 
> root@ubuntu:~# KRB5_TRACE=/dev/stdout kinit -n
> [10593] 1480350802.381306: Getting initial credentials for
> WELLKNOWN/anonym...@realm.eu
> [10593] 1480350802.384075: Sending request (178 bytes) to REALM.EU
> [10593] 1480350802.433623: Retrying AS request with master KDC
> [10593] 1480350802.434688: Getting initial credentials for
> WELLKNOWN/anonym...@realm.eu
> [10593] 1480350802.435476: Sending request (178 bytes) to REALM.EU (master)
> [10593] 1480350802.436191: Resolving hostname kdc.domain.eu
> [10593] 1480350802.462072: Sending initial UDP request to dgram 10.235.2.25:88
> [10593] 1480350803.465087: Resolving hostname kdc.domain.eu
> [10593] 1480350803.489656: Sending initial UDP request to dgram 
> 10.235.2.25:750
> [10593] 1480350804.491058: Initiating TCP connection to stream 10.235.2.25:88
> [10593] 1480350804.515736: Sending TCP request to stream 10.235.2.25:88
> [10593] 1480350804.547579: Received answer (269 bytes) from stream
> 10.235.2.25:88
> [10593] 1480350804.547663: Received error from KDC:
> -1765328359/Additional pre-authentication required
> [10593] 1480350804.547708: Processing preauth types: 16, 15, 14, 136, 147, 133
> [10593] 1480350804.547713: Received cookie: MIT
> [10593] 1480350804.547744: Preauth module pkinit (147) (info)
> returned: 0/Success

This means the client correctly selects Pkinit authentication.

> [10593] 1480350804.547758: 

Re: [Freeipa-users] new install on Fedora 24 kinit: Generic preauthentication failure while getting initial credentials

2016-11-29 Thread Tomas Krizek

On 11/28/2016 05:38 PM, Robert Kudyba wrote:
There seems to be a problem either with Kerberos and/or using a self 
signed certificate vs. Let’s Encrypt. I tried to run the set up script 
from https://github.com/freeipa/freeipa-letsencrypt and below are some 
errors and logs.


Within the /etc/httpd/conf.d/ipa.conf file I commented out 
these directives as I had some Apache redirects that were breaking:


#WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
 display-name=%{GROUP} socket-timeout=2147483647
#WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa 
application-group=ipa

#WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
#WSGIScriptReloading Off

./setup-le.sh
Last metadata expiration check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.
Package certbot-0.9.3-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's 
certificate issuer has been marked as not trusted by the user. (visit 
http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)

The ipa-cacert-manage command failed.

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

kinit admin
kinit: Generic preauthentication failure while getting initial credentials

journalctl -u named-pkcs11
-- No entries --

journalctl -u named
-- No entries --

 file /var/named/data/named.run
/var/named/data/named.run: cannot open `/var/named/data/named.run' (No 
such file or directory)


ldapsearch -Y GSSAPI 
'(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (No Kerberos 
credentials available (default cache: KEYRING:persistent:0))


ipa help krbtpolicy
ipa: ERROR: did not receive Kerberos credentials

In /var/log/krb5kdc.log:

Nov 28 05:19:49 krb5kdc[19575](info): closing down fd 11
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 
26}) ip: NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, 
Additional pre-authentication required

Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 
26}) ip: NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, 
Additional pre-authentication required

Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11




Hi,

you're hitting an issue with Let's Encrypt setup.

https://github.com/freeipa/freeipa-letsencrypt/issues/1

unfortunately, I'm not aware of any workaround or solution as of now.

--
Tomas Krizek


Re: [Freeipa-users] Request to help adding FreeIPA group to VMware VCenter6.0

2016-11-29 Thread Jim Blenkins
Muk

Look at how we have done it: we basically used a system account, sudo, and gave
this user a password. This means all FreeIPA users can log in but can't see
anything until individual privileges are assigned inside VMware.

Jim

On 29 Nov 2016 9:40 a.m., "Mukarram Syed"  wrote:

> Hi,
>
> In VCenter 6.0 Web Appliance,  I would like to add the Admin group of
> users in FreeIPA.
> I looked through many articles on the internet and found recommended
> solutions, but none seem to work for me.
> Basically, I have group of "admins" in FreeIPA.
> In VCenter I
>
> Name: *IPA*
>
> Base DN for users: *cn=users,cn=accounts,dc=dev,dc=local*
>
> Domain Name: *dev.local*
>
> Base DN for groups: *cn=admins*,*cn=groups,cn=accounts,dc=dev,dc=local*
>
> Primary Server URL: *ldap://freeipa1.dev.local*
>
> Username: *uid=admin,cn=users,cn=accounts,dc=dev,dc=local*
> In doing this, I get all the users.  But I want only the users in the
> group "admins", which I am not able to accomplish.
>
> On Base DN for groups i tried using *(|memberOf=*
> *cn=admins,cn=groups,cn=accounts,dc=dev,dc=local)*
> But Vcenter does not seem to accept "memberOf" in the Base DN for groups.
> I have successfully used "memberOf" in other LDAP environments.
>
> Any help/suggestions are appreciated.
>
> Thanks
>
> # mukarram
>

[Freeipa-users] Request to help adding FreeIPA group to VMware VCenter6.0

2016-11-29 Thread Mukarram Syed
Hi,

In VCenter 6.0 Web Appliance,  I would like to add the Admin group of users
in FreeIPA.
I looked through many articles on the internet and found recommended
solutions, but none seem to work for me.
Basically, I have group of "admins" in FreeIPA.
In VCenter I

Name: *IPA*

Base DN for users: *cn=users,cn=accounts,dc=dev,dc=local*

Domain Name: *dev.local*

Base DN for groups: *cn=admins*,*cn=groups,cn=accounts,dc=dev,dc=local*

Primary Server URL: *ldap://freeipa1.dev.local*

Username: *uid=admin,cn=users,cn=accounts,dc=dev,dc=local*
In doing this, I get all the users.  But I want only the users in the group
"admins", which I am not able to accomplish.

On Base DN for groups i tried using *(|memberOf=*
*cn=admins,cn=groups,cn=accounts,dc=dev,dc=local)*
But Vcenter does not seem to accept "memberOf" in the Base DN for groups.
I have successfully used "memberOf" in other LDAP environments.

Any help/suggestions are appreciated.

Thanks

# mukarram

Re: [Freeipa-users] DNS search timeouts and incomplete results

2016-11-29 Thread Tomas Krizek

On 11/28/2016 11:44 PM, Mike Driscoll wrote:

I'm running:
# rpm -qa | grep ipa-server
ipa-server-4.4.0-12.0.1.el7.x86_64
ipa-server-dns-4.4.0-12.0.1.el7.noarch
ipa-server-common-4.4.0-12.0.1.el7.noarch

Searching DNS for all hostnames containing "qa" times out in the GUI.  Setting 
aside the option to change server defaults, this cli command isn't giving me the content 
I need:

# ipa dnsrecord-find mydomain.com --sizelimit=1 --timelimit=20 | grep qa
ipa: WARNING: Search result has been truncated: Configured size limit exceeded

It seems like the sizelimit parameter greater than two thousand is being 
ignored:

# ipa dnsrecord-find mydomain.com --sizelimit=1900 --timelimit=20
...
---
Number of entries returned 1900
---

# ipa dnsrecord-find mydomain.com --sizelimit=2100 --timelimit=20
...
---
Number of entries returned 2000
---

Any suggestions?

Mike


Hi,

you seem to be hitting the size limit on LDAP side. To verify, check

ldapsearch -D 'cn=directory manager' -W -b cn=config cn=config | grep nsslapd-sizelimit


If you really need to increase this size limit, you will have to modify 
the nsslapd-sizelimit in cn=config.


--
Tomas Krizek

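The check and the change Tomas describes, as an added shell example that is not from the thread: it reads the nsslapd-sizelimit attribute out of ldapsearch LDIF output, tells whether a requested --sizelimit would be capped by it, and prints the ldapmodify LDIF that raises the global limit. The sample LDIF, the new value 3000 and the Directory Manager bind are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The LDIF below is constructed; on a
# real server it would come from:
#   ldapsearch -D 'cn=directory manager' -W -b cn=config cn=config nsslapd-sizelimit
SAMPLE_LDIF='dn: cn=config
cn: config
nsslapd-sizelimit: 2000
nsslapd-timelimit: 3600'

# Print the configured size limit found in LDIF text read from stdin.
current_sizelimit() {
    # LDIF attribute names are case-insensitive; the value follows ": ".
    grep -i '^nsslapd-sizelimit:' | sed 's/^[^:]*:[[:space:]]*//' | head -n 1
}

# Succeed when the requested --sizelimit exceeds the server-side limit,
# i.e. when the search result would be truncated.
is_capped() {
    requested=$1
    server=$2
    [ "$requested" -gt "$server" ]
}

# Emit the ldapmodify LDIF that replaces the global nsslapd-sizelimit.
sizelimit_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-sizelimit\nnsslapd-sizelimit: %s\n' "$1"
}

limit=$(printf '%s\n' "$SAMPLE_LDIF" | current_sizelimit)
echo "server nsslapd-sizelimit: $limit"
if is_capped 2100 "$limit"; then
    echo "a request for 2100 entries will be truncated to $limit"
    echo "to raise it (constructed value 3000):"
    echo "ldapmodify -D 'cn=directory manager' -W <<EOF"
    sizelimit_ldif 3000
    echo "EOF"
fi
```

nsslapd-sizelimit in cn=config is a server-wide cap that applies to every bind, so raising it also raises how much any authenticated client can pull back in a single search; 2000 is the 389-ds default, which matches the truncation at 2000 entries shown above.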