Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-10 Thread Robert L. Harris
Sigh... Sorry, it's been a long day, I thought I put that log in the first
pastebin.  It's in this one:  https://pastebin.com/18PAXXNS

Also,
   Anyone else get the constant spam when mailing this list?  Got an
address to block for it?

Robert




On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman  wrote:

> Robert, did you look in /var/log/ipaserver-install.log as it says?
>
> Was there any other information?
>
> cheers
> L.
>
> --
> "Mission Statement: To provide hope and inspiration for collective action,
> to build collective power, to achieve collective transformation, rooted in
> grief and rage but pointed towards vision and dreams."
>
>  - Patrice Cullors, *Black Lives Matter founder*
>
> On 11 May 2017 at 13:24, Robert L. Harris 
> wrote:
>
>> Ok,  I gave up on Ubuntu.  I'm now trying the latest CentOS7.  I built
>> out a "minimal server" with some normal base packages which did include the
>> freeipa-client but otherwise, just standard tools.  Here's a pastebin of
>> the output of the install:  https://pastebin.com/zAWCgkUU
>>
>> Robert
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-10 Thread Lachlan Musicman
Robert, did you look in /var/log/ipaserver-install.log as it says?

Was there any other information?

cheers
L.

--
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."

 - Patrice Cullors, *Black Lives Matter founder*

On 11 May 2017 at 13:24, Robert L. Harris  wrote:

> Ok,  I gave up on Ubuntu.  I'm now trying the latest CentOS7.  I built out
> a "minimal server" with some normal base packages which did include the
> freeipa-client but otherwise, just standard tools.  Here's a pastebin of
> the output of the install:  https://pastebin.com/zAWCgkUU
>
> Robert
>

[Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-10 Thread Robert L. Harris
Ok,  I gave up on Ubuntu.  I'm now trying the latest CentOS7.  I built out
a "minimal server" with some normal base packages which did include the
freeipa-client but otherwise, just standard tools.  Here's a pastebin of
the output of the install:  https://pastebin.com/zAWCgkUU

Robert

[Freeipa-users] Domain Levels

2017-05-10 Thread Michael Plemmons
I am currently running 4.4.0 on a three node cluster.  My domain level is
currently 0 on all three nodes.  Is there a reason to keep the domain level
at 0?  I do not plan on adding any older versions of IPA into the cluster.
Is there anything I need to worry about if I elevate the domain level to 1?

My current setup is the server A is the master and B and C are replicas.  I
do not have replication agreements between B and C and I am looking into
creating those agreements.  If I increase the domain level do I have to
handle anything differently if I add the B to C replication agreement?



*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemm...@crosschx.com
www.crosschx.com

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-10 Thread Sumit Bose
On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuch...@gmail.com wrote:
> Hello everyone,
> 
> I set up my freeIPA instance and it works very well for my client
> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
> freeIPA managed user account.
> 
> My own HBAC rule also works for that. I disabled the "allow all" rule
> and created my own one. Works fine for SSH.
> 
> But I cannot login to the GNOME 3 Desktop on the client. I used the
> netinstall ISO image of Ubuntu. During installation, I chose
> "Ubuntu GNOME Desktop" as the only desktop.
> 
> So my display manager is gdm3.
> 
> I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
> the safe side, I rebooted the client machine. But I still can't login to
> the GNOME Desktop with an account that can login via SSH.
> 
> So the services in my rule are
> 
> login, gdm, gdm-password
> 
> If you need any logs or other information, I will provide them.

Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
the [pam] and [domain/...] section of sssd.conf.

bye,
Sumit

> 
> 
> Thanks in advance!

Re: [Freeipa-users] I think I lost my CA...

2017-05-10 Thread Bret Wortman
The log slog continues but isn't turning up anything useful, or I'm 
looking in the wrong logs. Now getting twice-daily visits from users who 
need new SSL certs wondering when I'm going to be able to create them.


I'm happy to do the work to figure out what went wrong, I just don't 
grok these individual components at this level very well. When something 
goes wrong, it's not trivial to solve. Well, for me it isn't, anyway. ;-)



Bret


On 05/02/2017 10:50 AM, Bret Wortman wrote:
I plowed through /var/log/pki/pki-tomcat/ca/debug, but nothing jumps 
out as looking like an error.


The cert-show failure is troubling, but my inability to get CSRs 
turned into certs is what's actually driving this.



Bret


On 04/26/2017 06:02 PM, Rob Crittenden wrote:

Bret Wortman wrote:

So I can see my certs using cert-find, but can't get details using
cert-show or add new ones using cert-request.

 # ipa cert-find
 :
 --
 Number of entries returned 385
 --
 # ipa cert-show 895
 ipa: ERROR: Certificate operation cannot be completed: Unable to
 communicate with CMS (503)
 # ipa cert-show 1 (which does not exist)
 ipa: ERROR: Certificate operation cannot be completed: Unable to
 communicate with CMS (503)
 # ipa cert-status 895
 ipa: ERROR: Certificate operation cannot be completed: Unable to
 communicate with CMS (503)
 #

Is this an IPV6 thing? Because ipactl shows everything green and
certmonger is running.

Doubtful.

cert-find and cert-show use different APIs in dogtag. cert-find uses the
newer RESTful API and cert-show uses the older XML-based API (and is
authenticated). I'm guessing that is where the issue lies.

What I'd recommend doing is noting the time, restarting the CA, and then
plow through the debug log looking for failures. It could be that the CA
is only partially up (and I'd check your CA subsystem certs as well).

rob


Bret


On 04/26/2017 09:03 AM, Bret Wortman wrote:

Digging still deeper:

 # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM

 ipa: ERROR: Certificate operation cannot be completed: Unable to
 communicate with CMS (503)

Looks like this is an HTTP error; so is it possible that my IPA thinks
it has a CA but there's no CMS available?


On 04/26/2017 08:41 AM, Bret Wortman wrote:

Using the firefox debugger, I get these errors when trying to pop up
the New Certificate dialog:

 Empty string passed to getElementById(). (5)
 jquery.js:4:1060
 TypeError: u is undefined
 app.js:1:362059
 Empty string passed to getElementById(). (5)
 jquery.js:4:1060
 TypeError: t is undefined
 app.js:1:217432

I'm definitely not a web kind of guy so I'm not sure if this is
helpful or not. This is on 4.4.0, API Version 2.213.


Bret


On 04/26/2017 08:35 AM, Bret Wortman wrote:

Good news. One of my servers _does_ have CA installed. So why does
"Action -> New Certificate" not do anything on this or any other 
server?



Bret


On 04/25/2017 02:52 PM, Bret Wortman wrote:

I recently had to upgrade all my Fedora IPA servers to C7. It went
well, and we've been up and running nicely on 4.4.0 on C7 for the
past month or so.

Today, someone came and asked me to generate a new certificate for
their web server. All was good until I went to the IPA UI and tried
to perform Actions->New Certificate, which did nothing. I tried
each of our 3 servers in turn. All came back with no popup window
and no error, either.

I suspect the problem might be that we no longer have a CA server
due to the method I used to upgrade the servers. I likely missed a
"--setup-ca" in there somewhere, so my rolling update rolled over
the CA.

What's my best hope of recovery? I never ran this before, so I'm
not sure if this shows that I'm missing a CA or not:

 # ipa ca-find
 
 1 CA matched
 
   Name: ipa
   Description IPA CA
   Authority ID: 3ce3346[...]
   Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
   Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
 
 Number of entries returned 1
 
 # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
 O=DAMASCUSGRP.COM"
 ipa: ERROR: Failed to authenticate to CA REST API
 # klist
 Ticket cache: KEYRING:persistent:0:0
 Default principal: ad...@damascusgrp.com

 Valid starting  Expires  Service principal
 04/25/2017 18:48:26 04/26/2017 18:48:21
 krbtgt/damascusgrp@damascusgrp.com
 #


What's my best path of recovery?

--
*Bret Wortman*
The Damascus Group
[Freeipa-users] DNS update failing

2017-05-10 Thread Jason Sherrill
Hello,

I've recently implemented freeIPA in a mixed environment of Mac OS 10.12
and Windows 10 with limited issues!

One issue is that updating the reverse zone via nsupdate works without
issue, updating to the forward zone results in a REFUSED status. Below is
my zone config, named.conf, and an example of client-side behavior.  I'm
new to nearly all systems involved- misconfiguration is likely. Thanks!


From freeIPA server:

#  ipa dnszone-show int.dplcl.com --all
 dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
 Zone name: int.dplcl.com.
 Active zone: TRUE
 Authoritative nameserver: ipa-1.int.dplcl.com.
 Administrator e-mail address: hostmaster.int.dplcl.com.
 SOA serial: 1494344164
 SOA refresh: 3600
 SOA retry: 900
 SOA expire: 1209600
 SOA minimum: 3600
 BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * ; grant INT.DPLCL.COM krb5-self * SSHFP;
 Dynamic update: TRUE
 Allow query: any;
 Allow transfer: none;
 Allow PTR sync: TRUE
 Allow in-line DNSSEC signing: FALSE
 nsrecord: ipa-1.int.dplcl.com.
 objectclass: idnszone, top, idnsrecord, ipadnszone

/etc/named.conf from IPA server:

options {
   // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
   listen-on-v6 {any;};
   // Put files that named is allowed to write in the data/ directory:
   directory "/var/named"; // the default
   dump-file   "data/cache_dump.db";
   statistics-file "data/named_stats.txt";
   memstatistics-file  "data/named_mem_stats.txt";
   // Any host is permitted to issue recursive queries
   allow-recursion { any; };
   tkey-gssapi-keytab "/etc/named.keytab";
   pid-file "/run/named/named.pid";
   dnssec-enable no;
   dnssec-validation no;
   /* Path to ISC DLV key */
   bindkeys-file "/etc/named.iscdlv.key";
   managed-keys-directory "/var/named/dynamic";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
   channel default_debug {
   file "data/named.run";
   severity dynamic;
   print-time yes;
   };
};

zone "." IN {
   type hint;
   file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

dynamic-db "ipa" {
   library "ldap.so";
   arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
   arg "base cn=dns, dc=int,dc=dplcl,dc=com";
   arg "server_id ipa-1.int.dplcl.com";
   arg "auth_method sasl";
   arg "sasl_mech GSSAPI";
   arg "sasl_user DNS/ipa-1.int.dplcl.com";
   arg "serial_autoincrement yes";
};


From client macbook:

testbook3:etc jsherrill$ nsupdate
> debug
> update add testbook3.int.dplcl.com 86400 a 10.0.1.36
>
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:   3049
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;testbook3.int.dplcl.com. IN SOA
;; AUTHORITY SECTION:
int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494425173 3600 900 1209600 3600
Found zone name: int.dplcl.com
The master is: ipa-1.int.dplcl.com
Sending update to 10.0.1.5#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  33167
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; UPDATE SECTION:
testbook3.int.dplcl.com. 86400 IN A 10.0.1.36

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  33167
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;int.dplcl.com. IN SOA
-- 


*Jason Sherrill*
Deeplocal Inc. 
mobile: 412-636-2073
office: 412-362-0201
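The REFUSED reply above is what BIND returns when no update-policy rule grants the change: the zone's policy consists only of krb5-self grants, while the outgoing update in the nsupdate session carries no GSS-TSIG signature (ADDITIONAL: 0, and plain nsupdate without -g never negotiates one). The following is an added example, not from the thread, that models how a krb5-self rule is matched against an update, using the policy string copied from the posted zone (the rule whose record type was lost in the archive is left out):

```python
"""Model BIND update-policy evaluation (krb5-self rules) for a dynamic update."""
import re

# Constructed from the zone posted in the thread; the middle rule, whose record
# type was lost in the archive, is left out.
ZONE_POLICY = ("grant INT.DPLCL.COM krb5-self * A; "
               "grant INT.DPLCL.COM krb5-self * SSHFP;")

KRB5_HOST = re.compile(r"host/([^@/]+)@(.+)")


def parse_policy(policy):
    """Split 'action identity matchtype name [types...];' statements into tuples."""
    rules = []
    for stmt in policy.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        action, identity, matchtype, name, *types = parts
        rules.append((action, identity, matchtype, name, [t.upper() for t in types]))
    return rules


def update_allowed(policy, signer, name, rtype):
    """Decide whether an update of (name, rtype) is granted.

    signer is the Kerberos principal that signed the packet with GSS-TSIG, or
    None for an unsigned update (what 'nsupdate' without -g sends). Returns
    (granted, reason)."""
    if signer is None:
        return False, "unsigned update: no krb5-self rule can match, so REFUSED"
    for action, identity, matchtype, _name, types in parse_policy(policy):
        if matchtype != "krb5-self":
            continue  # only the rule kind this zone uses is modelled here
        m = KRB5_HOST.fullmatch(signer)
        if m is None:
            continue  # krb5-self only matches host/<fqdn>@REALM principals
        machine, realm = m.groups()
        if realm != identity:
            continue  # the identity field of a krb5-self rule is the realm
        # a host principal may only change the records of its own name
        if machine.rstrip(".").lower() != name.rstrip(".").lower():
            continue
        if types and rtype.upper() not in types:
            continue  # the type list restricts which record types the rule covers
        return action == "grant", f"{action} by krb5-self rule for {rtype.upper()}"
    return False, "no update-policy rule matched: REFUSED"
```

The first case below mirrors the session in the thread; the others show what the same policy admits once the update is signed by the client's own host principal.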

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-10 Thread Jason B. Nance
Make sure you are using "reply-all" as your replies are falling off the mailing 
list and coming to me only.

> They do have some of these lines.

Assuming your common-* modules are set up correctly (which you can verify by 
looking at your ssh module and seeing if it uses common-* or if the sssd 
libraries are in there directly) at this point we'll need to go to logs.  Tail 
your logs while attempting to do a GDM login and compare them to a tail when 
doing an SSH login.

j
 


> These are the contents:
> 
> 
> gdm-password:
> 
> #%PAM-1.0
> auth    requisite   pam_nologin.so
> auth    required    pam_succeed_if.so user != root quiet_success
> @include common-auth
> auth    optional    pam_gnome_keyring.so
> @include common-account
> # SELinux needs to be the first session rule. This ensures that any
> # lingering context has been cleared. Without this it is possible
> # that a module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> session required    pam_loginuid.so
> # SELinux needs to intervene at login time to ensure that the process
> # starts in the proper default security context. Only sessions which are
> # intended to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
> session optional    pam_keyinit.so force revoke
> session required    pam_limits.so
> session required    pam_env.so readenv=1
> session required    pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
> @include common-session
> session optional    pam_gnome_keyring.so auto_start
> @include common-password
> 
> 
> gdm-autologin:
> 
> #%PAM-1.0
> auth    requisite   pam_nologin.so
> auth    required    pam_succeed_if.so user != root quiet_success
> auth    required    pam_permit.so
> @include common-account
> # SELinux needs to be the first session rule. This ensures that any
> # lingering context has been cleared. Without this it is possible
> # that a module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> session required    pam_loginuid.so
> # SELinux needs to intervene at login time to ensure that the process
> # starts in the proper default security context. Only sessions which are
> # intended to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
> session optional    pam_keyinit.so force revoke
> session required    pam_limits.so
> session required    pam_env.so readenv=1
> session required    pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
> @include common-session
> @include common-password
> 
> 
> gdm-launch-environment:
> 
> #%PAM-1.0
> auth    requisite   pam_nologin.so
> auth    required    pam_permit.so
> @include common-account
> session optional    pam_keyinit.so force revoke
> session required    pam_limits.so
> session required    pam_env.so readenv=1
> session required    pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
> @include common-session
> @include common-password
> 
> Thanks already!
> 
> On 10-May-17 3:40 AM, Jason B. Nance wrote:
>>> I have three files:
>>>
>>> /etc/pam.d/gdm-autologin
>>>
>>> /etc/pam.d/gdm-launch-environment
>>>
>>> /etc/pam.d/gdm-password
>>>
>>> They all have a line "@ include common-session"
>>>
>>> The common-session file has a line "session optional pam_sss.so"
>>>
>>> I don't really know what to compare to the SSH module (which I guess is
>>> the /etc/pam.d/sshd file)
>> Do they only have session lines and no auth, account, or password?
>>

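The comparison suggested in the reply above (does the gdm stack reach pam_sss the same way the sshd stack does, directly or through common-*) can be mechanised. Below is an added example, not from the thread: a small resolver that flattens a PAM service file through its @include lines and reports which management types run pam_sss.so at all. The gdm-password stack is a trimmed copy of the one posted; the common-* contents are assumptions, not copied from any system.

```python
"""Flatten a PAM service stack through @include and report pam_sss coverage."""
import re

# Constructed /etc/pam.d contents keyed by file name. gdm-password is trimmed
# from the stack posted in the thread; the common-* files are assumed
# (on Ubuntu pam-auth-update generates them), not copied from any system.
FILES = {
    "gdm-password": (
        "auth     requisite  pam_nologin.so\n"
        "auth     required   pam_succeed_if.so user != root quiet_success\n"
        "@include common-auth\n"
        "auth     optional   pam_gnome_keyring.so\n"
        "@include common-account\n"
        "session  required   pam_loginuid.so\n"
        "@include common-session\n"
        "@include common-password\n"),
    "common-auth": (
        "auth [success=2 default=ignore] pam_unix.so nullok_secure\n"
        "auth [success=1 default=ignore] pam_sss.so use_first_pass\n"
        "auth requisite pam_deny.so\n"
        "auth required  pam_permit.so\n"),
    "common-account": (
        "account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so\n"
        "account requisite pam_deny.so\n"
        "account required  pam_permit.so\n"
        "account [default=bad success=ok user_unknown=ignore] pam_sss.so\n"),
    "common-session": "session optional pam_sss.so\nsession required pam_unix.so\n",
    "common-password": "password sufficient pam_sss.so use_authtok\n",
}

RULE = re.compile(r"(auth|account|session|password)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def resolve(service, files=FILES, depth=0):
    """Return the service's rules as (type, control, module) tuples, in order,
    with every @include expanded in place (as the PAM loader does)."""
    if depth > 8:
        raise RecursionError("@include loop in PAM configuration")
    stack = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            stack.extend(resolve(line.split()[1], files, depth + 1))
        elif (m := RULE.match(line)):
            stack.append(m.groups())
    return stack

def sss_coverage(service, files=FILES):
    """For each management type, whether pam_sss.so appears in it at all."""
    stack = resolve(service, files)
    return {t: any(mt == t and mod == "pam_sss.so" for mt, _ctl, mod in stack)
            for t in ("auth", "account", "session", "password")}
```

Running sss_coverage on gdm-password and on sshd from a real /etc/pam.d and diffing the two dicts shows immediately whether a missing @include, rather than the HBAC rule, is what keeps an IPA user out of the desktop login.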