[Freeipa-users] IPA domain level is 1, so replica prepare fails (new installation)
Hallo, I have a problem to prepare the replica. Environment: OS: Newly installed EL7.3 IPA Server: Newly installed ipa-server 4.4.0 The error: # ipa-replica-prepare Replica creation using 'ipa-replica-prepare' to generate replica file is supported only in 0-level IPA domain. The current IPA domain level is 1 and thus the replica must be created by promoting an existing IPA client. To set up a replica use the following procedure: 1.) set up a client on the host using 'ipa-client-install' 2.) promote the client to replica running 'ipa-replica-install' *without* replica file specified 'ipa-replica-prepare' is allowed only in domain level 0 The ipa-replica-prepare command failed. Any explanation for this and possible resolution, thanks, Zarko -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Use SQLite format NSS database?
On 03/21/2017 02:26 PM, Rob Crittenden wrote: Um, this _might_ work. Each httpd worker will have an fd open to the NSS database files so you'd want to do this rather carefully. I'm no expert on this stuff, but my understanding is that any file descriptors will continue to point to the older database files until a worker is restarted or it closes and reopens a file for some reason (which I have no reason to believe mod_nss does). Even if a worker does do this for some reason, the /etc/httpd/alias symlink can be changed atomically, so it will only be an issue if a worker reopens an NSS database at the same time that the symlink is being updated -- thus getting inconsistent versions of secmod.db, cert8.db, or key3.db. If this happens, NSS will presumably return SEC_ERROR_ALIENS_ATTACKING, or something similarly inaccurate and non- useful. (Even this wouldn't be an issue if NSS used openat() like a library that actually cares about ... security, but I digress.) In order for NSS to see a newly added certificate it will need to reopen the database. I'm fairly certain a SIGHUP will cause all the children to be respawned so except for those actually serving a request at the time the new certs should be available. I'll check on SIGHUP. Even if it doesn't work, a complete restart is much easier to coordinate than shutting down Apache, updating the database, and restarting it. -- Ian Pilcher arequip...@gmail.com "I grew up before Mark Zuckerberg invented friendship" -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Use SQLite format NSS database?
Ian Pilcher wrote: > On 03/20/2017 11:02 AM, Rob Crittenden wrote: >> I think his concern may be around warnings that the NSS BDB databases >> should only be updated when quiet. In the case of mod_nss it explicitly >> opens the database read-only so I think you'd be safe updating the >> certificate. > > You are correct about my concern. I should have noticed that mod_nss > is opening the database read-only, based on the file permissions if > nothing else. > > Based on this, I should be able to do something with symlinks to make a > copy of the database, do my updates, rename the symlink to make the > updated database "live", and SIGHUP (or restart if necessary) Apache. Um, this _might_ work. Each httpd worker will have an fd open to the NSS database files so you'd want to do this rather carefully. In order for NSS to see a newly added certificate it will need to reopen the database. I'm fairly certain a SIGHUP will cause all the children to be respawned so except for those actually serving a request at the time the new certs should be available. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Certificate Access issue
yep, Ubuntu 16.04.2 *Artem Golubev* System Administrator *(exp)capital limited* On 21 March 2017 at 19:13, Vasily Yanovwrote: > Hi Lukas, > > You are right :) Ubuntu 16.04. > > -Original Message- > From: Lukas Slebodnik [mailto:lsleb...@redhat.com] > Sent: Tuesday, March 21, 2017 7:03 PM > To: Alexander Bokovoy > Cc: freeipa-users@redhat.com; Artem Golubev ; > IT Team > Subject: Re: [Freeipa-users] Certificate Access issue > > On (21/03/17 17:35), Alexander Bokovoy wrote: > >On ti, 21 maalis 2017, Lukas Slebodnik wrote: > >> On (21/03/17 16:29), Alexander Bokovoy wrote: > >> > On ti, 21 maalis 2017, Artem Golubev wrote: > >> > > We use sssd version 1.13.4 on our linux clients A user from ipa > >> > > successfully authorizes on a linux client via ssh without a > >> > > certificate. But then if we add a certificate - connection gets > lost. > >> > If Lukas is correct, 1.13.4 does not have the fix for broken > >> > certificate-as-ssh public key: > >> > > >> It has. > >> https://pagure.io/SSSD/sssd/issue/2977#comment-222198 > >> https://pagure.io/SSSD/sssd/c/4dbb3bec93cda57e8336847dff0822f31425004 > >> d > >> > >> It will be part of upstream release 1.13.5 > >That's my point -- it is *not* part of 1.13.4, therefore, this is the > >problem Artem sees. > > > >Artem, what is your Linux distribution? Can you move to a newer version? > > > I would gues ubuntu :-) > > You might file a bug to your distribution to backport patch from the > ticket https://pagure.io/SSSD/sssd/issue/2977 > > LS > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Certificate Access issue
On (21/03/17 17:35), Alexander Bokovoy wrote: >On ti, 21 maalis 2017, Lukas Slebodnik wrote: >> On (21/03/17 16:29), Alexander Bokovoy wrote: >> > On ti, 21 maalis 2017, Artem Golubev wrote: >> > > We use sssd version 1.13.4 on our linux clients >> > > A user from ipa successfully authorizes on a linux client via ssh >> > > without a >> > > certificate. But then if we add a certificate - connection gets lost. >> > If Lukas is correct, 1.13.4 does not have the fix for broken >> > certificate-as-ssh public key: >> > >> It has. >> https://pagure.io/SSSD/sssd/issue/2977#comment-222198 >> https://pagure.io/SSSD/sssd/c/4dbb3bec93cda57e8336847dff0822f31425004d >> >> It will be part of upstream release 1.13.5 >That's my point -- it is *not* part of 1.13.4, therefore, this is the >problem Artem sees. > >Artem, what is your Linux distribution? Can you move to a newer version? > I would gues ubuntu :-) You might file a bug to your distribution to backport patch from the ticket https://pagure.io/SSSD/sssd/issue/2977 LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Original master lost, cannot create additional CA clones
Hi all, Some time ago, I encountered issues requiring my first IPA master to be re-initialized, which failed, forcing me to remove it from the domain. While those original issues have since been resolved, I am having difficulty replacing the system. I can create a new replica, but I cannot use the '--setup-ca' option, nor can I run 'ipa-ca-install'. I have been working on this for quite some time, and seem to be going in circles. Any help would be greatly appreciated. (host and domain names have been modified) ipasrv001 was the original master, installed using an external CA, no DNS and no NTP. DNS and NTP are already provided in my environment. ipasrv201 is a replica installed with --setup-ca, which has since been re-configured as the new CA master following this guide: https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0 I have also pointed cs-replication to this system from all other replicas. I used ipasrv201 to generate new replica-info for ipasrv001. These systems are Enterprise Linux 6.8. Current software versions are as follows: [root@ipasrv001 ~]# rpm -qa --queryformat='%{NAME} %{VERSION}-%{RELEASE}\n' ipa-server pki-ca 389-ds-base java-1.7.0-openjdk certmonger certmonger 0.77.5-2.el6 pki-ca 9.0.3-50.el6_8 389-ds-base 1.2.11.15-75.el6_8 java-1.7.0-openjdk 1.7.0.111-2.6.7.2.0.1.el6_8 ipa-server 3.0.0-50.el6_8.3 I receive the following error when attempting to create a new replica: [root@ipasrv001 ~]# ipa-replica-install --no-ntp --setup-ca --skip-conncheck replica-info-ipasrv001.example.com.gpg Directory Manager (existing master) password: Configuring directory server for the CA (pkids): Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server Done configuring directory server for the CA (pkids). Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds [1/17]: creating certificate server user [2/17]: creating pki-ca instance [3/17]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipasrv001.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-BDfli8 -client_certdb_pwd -preop_pin SoawlFdqmJKt79OSoy1O -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=EXAMPLE.COM,OU=IPA -ldap_host ipasrv001.example.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM,OU=IPA -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM,OU=IPA -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM,OU=IPA -ca_server_cert_subject_name CN=ipasrv001.example.com,O=EXAMPLE.COM,OU=IPA -ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM,OU=IPA -ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM,OU=IPA -external false -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname ipasrv201.example.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://ipasrv201.example.com:443' returned non-zero exit status 255 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Configuration of CA failed In /var/log/ipareplica-install.log, I see the following: # Attempting to connect to: ipasrv001.example.com:9445 Connected. Posting Query = https://ipasrv001.example.com:9445//ca/admin/console/config/wizard?p=5=CA_id=-1815206698136119192=true RESPONSE STATUS: HTTP/1.1 200 OK RESPONSE HEADER: Server: Apache-Coyote/1.1 RESPONSE HEADER: Content-Type: text/html;charset=UTF-8 RESPONSE HEADER: Date: Fri, 17 Mar 2017 15:50:34 GMT RESPONSE HEADER: Connection: close Exception in SecurityDomainLoginPanel(): java.lang.Exception: Invalid clone_uri ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure ERROR: unable to create CA ### 2017-03-17T15:50:35Z DEBUG stderr=java.lang.Exception:
Re: [Freeipa-users] Certificate Access issue
On ti, 21 maalis 2017, Lukas Slebodnik wrote: On (21/03/17 16:29), Alexander Bokovoy wrote: On ti, 21 maalis 2017, Artem Golubev wrote: We use sssd version 1.13.4 on our linux clients A user from ipa successfully authorizes on a linux client via ssh without a certificate. But then if we add a certificate - connection gets lost. If Lukas is correct, 1.13.4 does not have the fix for broken certificate-as-ssh public key: It has. https://pagure.io/SSSD/sssd/issue/2977#comment-222198 https://pagure.io/SSSD/sssd/c/4dbb3bec93cda57e8336847dff0822f31425004d It will be part of upstream release 1.13.5 That's my point -- it is *not* part of 1.13.4, therefore, this is the problem Artem sees. Artem, what is your Linux distribution? Can you move to a newer version? -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Certificate Access issue
On (21/03/17 16:29), Alexander Bokovoy wrote: >On ti, 21 maalis 2017, Artem Golubev wrote: >> We use sssd version 1.13.4 on our linux clients >> A user from ipa successfully authorizes on a linux client via ssh without a >> certificate. But then if we add a certificate - connection gets lost. >If Lukas is correct, 1.13.4 does not have the fix for broken >certificate-as-ssh public key: > It has. https://pagure.io/SSSD/sssd/issue/2977#comment-222198 https://pagure.io/SSSD/sssd/c/4dbb3bec93cda57e8336847dff0822f31425004d It will be part of upstream release 1.13.5 LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Certificate Access issue
On ti, 21 maalis 2017, Artem Golubev wrote: We use sssd version 1.13.4 on our linux clients A user from ipa successfully authorizes on a linux client via ssh without a certificate. But then if we add a certificate - connection gets lost. If Lukas is correct, 1.13.4 does not have the fix for broken certificate-as-ssh public key: $ git tag --contains 60787fb44924e84a0c7ddfe9d5e62e64ea1edcd1 sssd-1_13_90 sssd-1_13_91 sssd-1_14_0 sssd-1_14_0_alpha1 sssd-1_14_0_beta1 sssd-1_14_1 sssd-1_14_2 sssd-1_15_0 sssd-1_15_1 sssd-1_15_2 So the issue is fixed only in 1.14+ if we would be counting released versions. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Certificate Access issue
We use sssd version 1.13.4 on our linux clients A user from ipa successfully authorizes on a linux client via ssh without a certificate. But then if we add a certificate - connection gets lost. Please find logs in attached files Thank you in advance *Artem Golubev* System Administrator *(exp)capital limited* On 20 March 2017 at 18:14, Lukas Slebodnikwrote: > On (20/03/17 16:39), Alexander Bokovoy wrote: > >On ma, 20 maalis 2017, Artem Golubev wrote: > >> Good day! > >> > >> We use freeipa server 4.3.1, we usually grant access via ssh keys to > linux > >> clients. > >> We currently face the following issue with access on certificate: when > we > >> add certificate to user's account, user is not able to login via ssh. > >> How can we solve this problem? We would like to have a possibility to > >> access linux clients via ssh keys and access to other resources using > >> certificates. > >You need to provide logs, obviously. Start with level 3 debug logs in > >sshd, and debug_level=9 in sssd. Also show user's entry (as in 'ipa > >user-show --raw --all username'). > > > >When you access SSH with ssh keys, SSSD is involved in account and > >session phases of PAM authentication. This means either user does not > >exist to sshd (it would then don't exist on system level at all) or > >something prevents session phase from success. In session phase SSSD > >does verify HBAC rules, for example. > > > >See https://fedorahosted.org/sssd/wiki/Troubleshooting for > >troubleshooting instructions. > > > The most important is to know version of sssd. > Because one related bug is already fixed. > https://pagure.io/SSSD/sssd/issue/2977 > > LS > sshd_log Description: Binary data sssd_ssh_log Description: Binary data user-show Description: Binary data -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Use SQLite format NSS database?
On 03/20/2017 11:02 AM, Rob Crittenden wrote: I think his concern may be around warnings that the NSS BDB databases should only be updated when quiet. In the case of mod_nss it explicitly opens the database read-only so I think you'd be safe updating the certificate. You are correct about my concern. I should have noticed that mod_nss is opening the database read-only, based on the file permissions if nothing else. Based on this, I should be able to do something with symlinks to make a copy of the database, do my updates, rename the symlink to make the updated database "live", and SIGHUP (or restart if necessary) Apache. Thanks! -- Ian Pilcher arequip...@gmail.com "I grew up before Mark Zuckerberg invented friendship" -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Missing user's primary group after ipa migrate-ds
Hi, because HW failure(only one replica left - without CA and unfortunately without backup) we have decided to build fresh new IPA servers and move users and groups from old IPA server with ipa migrate-ds command. It's quite small use case just about 100 users and couple of groups. I was able successfully import users and groups into new server with: ipa-new# ipa -d migrate-ds ldap://ipa-old.example.com --user-container=cn=users,cn=accounts,dc=example,dc=com --group-container=cn=groups,cn=accounts,dc=example,dc=com Users and all groups were imported but all user's primary groups are missing. ipa-new# id user uid=891500508(user) gid=891500508 groups=891500508,147120(admins) No reply with: getent group 891500508 getent group user also: ipa-new# su user Password: /usr/bin/id: cannot find name for group ID 891500508 When creating new user it works correctly: ipa-new# ipa user-add tester . uid=147121(tester) gid=147121(tester) groups=147121(tester) getent group tester tester:*:147121: getent group tester tester:*:147121: ldapsearch doesn't show any user's primary groups in cn=groups,cn=accounts,dc=example,dc=com. It shows just the primary group of newly created user- tester + other non primary groups. Am I doing something wrong ? How to fix this ? Import primary groups manually with ldapmodify or can I create them with ipa group-add ? Thanks, Jan Jan Karásek ELOS Technologies s.r.o. Americká 36 120 00 Praha 2 tel. +420 607 008 891 e-mail: jan.kara...@elostech.cz www.elostech.cz "Tento e-mail a všechny připojené soubory obsahují důvěrné informace, které mohou být chráněny zákonem. Je určen pouze uvedenému příjemci a dalším osobám, které jsou jmenovitě uvedeny jako příjemci. Jestliže nejste oprávněný příjemce, pak jakákoliv forma zveřejnění, reprodukce, kopírování, distribuce nebo šíření je přísně zakázána. Pokud jste obdržel tento e-mail omylem, oznamte to, prosím, neprodleně jeho odesilateli a pak jej vymažte. ELOS Technologies s.r.o. neručí za bezchybný a úplný přenos zasílaných informaci, ani za zpoždění nebo přerušení přenosu a ani za škody způsobené použitím nebo důvěrou v tyto informace." -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] (no subject)
Hi All, I am getting following below error from my 2 nodes, Could anyone tell me what's the issue and how can resolve it. tail -f /var/log/dirsrv/slapd-EXPERTCITY-COM/errors 1) 6711e6-bf06e7fb-7c0c06d0, CSN 584b3f2a0001006b): Server is unwilling to perform (53). Will retry later. [21/Mar/2017:04:16:34 -0700] NSMMReplicationPlugin - agmt="cn= meToauthmgr1.ops.example.com" (authmgr1:389): Consumer failed to replay change (uniqueid 492d6707-be6711e6-bf06e7fb-7c0c06d0, CSN 584b3f2a0001006b): Server is unwilling to perform (53). Will retry later. [21/Mar/2017:04:16:39 -0700] NSMMReplicationPlugin - agmt="cn= meToauthmgr1.ops.example.com" (authmgr1:389): Consumer failed to replay change (uniqueid 492d6707-be6711e6-bf06e7fb-7c0c06d0, CSN 584b3f2a0001006b): Server is unwilling to perform (53). Will retry later. [21/Mar/2017:04:16:44 -0700] NSMMReplicationPlugin - agmt="cn= meToauthmgr1.ops.expertcity.com" (authmgr1:389): Consumer failed to replay change (uniqueid 492d6707-be6711e6-bf06e7fb-7c0c06d0, CSN 584b3f2a0001006b): Server is unwilling to perform (53). Will retry later. Second Node 2) [20/Mar/2017:14:02:13 -0700] NSMMReplicationPlugin - agmt="cn= meToauthmgr1.ops.expertcity.com" (authmgr1:389): Replication bind with GSSAPI auth resumed [20/Mar/2017:17:39:07 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 77): Replica is not cleaned yet (agmt="cn=meToauthmgr1.las.expertcity.com" (authmgr1:389)) [20/Mar/2017:17:39:07 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 77): Replicas have not been cleaned yet, retrying in 14400 seconds [20/Mar/2017:21:39:07 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 77): Replica is not cleaned yet (agmt="cn=meToauthmgr1.las.expertcity.com" (authmgr1:389)) [20/Mar/2017:21:39:07 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 77): Replicas have not been cleaned yet, retrying in 14400 seconds [21/Mar/2017:01:39:08 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 77): Replica is not cleaned yet (agmt="cn=meToauthmgr1.las.expertcity.com" (authmgr1:389)) [21/Mar/2017:01:39:08 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 77): Replicas have not been cleaned yet, retrying in 14400 seconds -- *Thanks,* *TN* -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ldap connector from IIQ to ipa
On Mon, Mar 20, 2017 at 05:23:31PM +0100, Iulian Roman wrote: > Hello, > > We do plan to integrate IPA with IdentityIQ (sailpoint) for user > provisioning. Because IPA does abstract all the ldap commands via new set > of commands and APIs, i am not sure if the standard ldap connector is the > right option and if it is supported ( taking into consideration that a > simple user creation does update/create more ldap containers). > > Could you please clarify if updating IPA via standard ldap commands is > supported but not necessarily a best practice or it is an absolute NO ? > > Thank You ! > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project Hello! We have staging area for this purpose. You can create and update user entries there and once the entry is complete you can call stageuser-activate to create user entry with using values from stageuser entry. You can find description of the feature and examples on design page [1]. [1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management -- David Kupka signature.asc Description: PGP signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project