[Freeipa-users] LDAP Conflicts

2017-05-04 Thread James Harrison
Hello All,
According to ipa_check_consistency we have "LDAP Conflicts"
(https://github.com/peterpakos/ipa_check_consistency).
How do I find and resolve them?
I've seen: Re: [Freeipa-devel] LDAP conflicts resolution API
But not sure if I am looking in the right place.
Many thanks,
James Harrison
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
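On the "how do I find them" part: as far as 389-ds (the directory server under FreeIPA) is concerned, a conflict entry is an ordinary entry carrying the operational attribute nsds5ReplConflict, so a search for (nsds5ReplConflict=*) over the suffix lists them. Below is an added example, not code from the post or from ipa_check_consistency: a small parser for the LDIF such a search returns, which unfolds wrapped lines, decodes base64 values and pairs each conflict entry with the DN it collided with. It assumes the documented 389-ds convention that the losing copy of a colliding DN is renamed to nsuniqueid=<id>+<original RDN> and that the attribute value reads "namingConflict <dn>" (newer releases insert the operation, e.g. "namingConflict (ADD) <dn>"). SAMPLE_LDIF is constructed; the uid values and nsuniqueid strings are made up.

```python
"""Report 389-ds replication conflict entries found in LDIF search output.

Added example, not from the original post or from ipa_check_consistency.
Assumes the documented 389-ds convention: the losing copy of a colliding DN is
renamed to "nsuniqueid=<id>+<original RDN>" and tagged with nsds5ReplConflict
("namingConflict <dn>" or, in newer releases, "namingConflict (ADD) <dn>").
SAMPLE_LDIF is constructed: made-up nsuniqueid values, and the first dn is
folded at 76 columns the way ldapsearch folds long lines by default.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_LDIF = """\
dn: nsuniqueid=66446001-1dd211b2-66225011-2ee211db+uid=jdoe,cn=users,cn=acc
 ounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: ldapSubEntry
uid: jdoe
nsds5ReplConflict: namingConflict uid=jdoe,cn=users,cn=accounts,dc=example,dc=com

dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
uid: jdoe

dn: nsuniqueid=1a2b3c4d-5e6f11e7-8a9b0c1d-2e3f4a5b+uid=jmueller,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: ldapSubEntry
uid: jmueller
sn:: SsO2cmc=
nsds5ReplConflict: namingConflict (ADD) uid=jmueller,cn=users,cn=accounts,dc=example,dc=com
"""

Entry = Tuple[str, Dict[str, List[str]]]  # (dn, {lowercased attribute: values})
CONFLICT_VALUE = re.compile(r"^(\w+)(?:\s+\([A-Z]+\))?\s+(.+)$")


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records: unfold continuation lines, decode '::' base64 values."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:  # a leading space continues the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Entry] = []
    current = None
    for line in unfolded + [""]:  # the trailing "" flushes the last record
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>", used for non-ASCII or leading-space values
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:  # "attr:< url" never appears in search output, so it is not handled here
            value = value.strip()
        if current is None:
            if attr.lower() != "dn":
                raise ValueError(f"record does not start with dn: {line!r}")
            current = (value, {})
        else:
            current[1].setdefault(attr.lower(), []).append(value)
    return entries


@dataclass
class Conflict:
    conflict_dn: str        # the renamed, losing entry
    original_dn: str        # the DN both replicas tried to own
    survivor_present: bool  # whether the winning entry is in the same result set


def find_conflicts(entries: List[Entry]) -> List[Conflict]:
    """Pick out entries carrying nsds5ReplConflict and pair each with its survivor."""
    known_dns = {dn.lower() for dn, _ in entries}
    conflicts = []
    for dn, attrs in entries:
        for value in attrs.get("nsds5replconflict", []):
            m = CONFLICT_VALUE.match(value)
            original = m.group(2) if m else ""
            conflicts.append(Conflict(dn, original, original.lower() in known_dns))
    return conflicts


def report(text: str) -> List[str]:
    """One line per conflict entry, in the style of a consistency-check finding."""
    lines = []
    for c in find_conflicts(parse_ldif(text)):
        state = "survivor present" if c.survivor_present else "survivor not in result set"
        lines.append(f"CONFLICT {c.conflict_dn} collides with {c.original_dn} ({state})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LDIF)) or "no conflict entries")
```

Resolving a conflict is a per-entry decision: either the surviving DN is the right one and the renamed entry is deleted, or the renamed entry holds the data you want and the survivor is removed before the conflict entry is renamed back to the original DN. The report only tells you which entries need that decision and whether both sides are present in the result set.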

Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-02-14 Thread James Harrison
Hi,
Was there any outcome to this?
I am running sudo 1.8.12-1ubuntu3, which is well behind up-to-date releases.
Many thanks,
James Harrison

  From: James Harrison <jamesaharriso...@yahoo.co.uk>
 To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>; 
"pbrez...@redhat.com" <pbrez...@redhat.com> 
Cc: "pbrez...@redhat.com" <pbrez...@redhat.com>
 Sent: Monday, 9 January 2017, 15:18
 Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd 
version 1.13.4-1ubuntu1.1
   
Hi All,
I have attached three files from running sudo -i on the same machine
enrolled into Free IPA. They have the output from various versions of sudo:
tail -f of sudo_debug, syslog, auth.log and sssd/*.log from /var/log, to show
the chronological order of events.

The attached files are:
sudo-1.8.19-1.txt --- from Debian
sudo-1.8.16-0ubuntu1.2.txt --- Current released Xenial sudo
sudo1.8.12-1ubuntu3.txt --- Previous sudo from "wily"
https://launchpad.net/ubuntu/wily/amd64/sudo/1.8.12-1ubuntu3

The machine's /etc/sudo.conf has:
Debug sudo /var/log/sudo_debug all@debug
Debug sudoers.so /var/log/sudo_debug all@debug
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so

Hope this helps.
Regards,
James Harrison

  From: Lukas Slebodnik <lsleb...@redhat.com>
 To: James Harrison <jamesaharriso...@yahoo.co.uk> 
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>; pbrez...@redhat.com
 Sent: Monday, 9 January 2017, 13:09
 Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd 
version 1.13.4-1ubuntu1.1
  
On (09/01/17 12:44), James Harrison wrote:
>All,debian 1.8.19-1 doesnt work, but Ubuntu 1.8.12-1ubuntu3 does.
>
Could you provide sudo logs with 1.8.19-1?
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

sssd log files will be helpful as well.


LS


   


Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-09 Thread James Harrison
All,
Debian 1.8.19-1 doesn't work, but Ubuntu 1.8.12-1ubuntu3 does.

James
  From: Lukas Slebodnik <lsleb...@redhat.com>
 To: James Harrison <jamesaharriso...@yahoo.co.uk> 
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
 Sent: Saturday, 7 January 2017, 15:34
 Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd 
version 1.13.4-1ubuntu1.1
   
On (06/01/17 17:15), James Harrison wrote:
>Any ideas?
>      From: James Harrison <jamesaharriso...@yahoo.co.uk>
> To: "freeipa-users@redhat.com" <freeipa-users@redhat.com> 
> Sent: Thursday, 5 January 2017, 13:36
> Subject: FreeIPA sudo not working on ububtu xenial sssd version 
> 1.13.4-1ubuntu1.1
>  
>Hi all,
>I am having problems with a FreeIPA client running Ubuntu Xenial.
>I can authenticate OK, I get a Kerberos ticket, but cannot run sudo.
>I get 1 rule returned, which I expect.
>Many thanks,
>James Harrison
>
>
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning 
>info for user [x_james.harri...@domain.com]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): 
>Retrieving rules for [x_james.harrison] from [domain.com]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
>"ltdb_callback": 0x1c11d70
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
>(0x0200): Searching sysdb with 
>[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to 
>get sudo rules from cache
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
>(0x0200): Searching sysdb with 
>[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting 
>rules with higher-wins logic
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] 
>(0x0400): Returning 1 rules for [x_james.harri...@domain.com]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle 
>timer re-set for client [0x1c0e770][18]
>
Yes, 1 rule was returned for user x_james.harrison.
Can you see something in the output of "sudo -l"?


>==> sssd/sssd_pam.log <==
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [get_client_cred] (0x4000): Client 
>creds: euid[0] egid[1082600012] pid[5470].
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [accept_fd_handler] (0x0400): Client 
>connected!
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): 
>Received client version [3].
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered 
>version [3].
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>
>==> auth.log <==
>Jan  5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication 
>failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 
>ruser=x_james.harrison rhost=  user=x_james.harrison
>
I do not understand the reason why there is a failure in auth.log,
because there isn't one in sssd_pam.log (see above).

>==> sssd/sssd_pam.log <==
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): 
>entering pam_cmd_authenticate
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): 
>name 'x_james.harrison' matched without domain, user is x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: 
>SSS_PAM_AUTHENTICATE
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not 
>set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: 
>/dev/pts/1
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not 
>set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): aut
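The sssd_sudo.log, sssd_pam.log and auth.log excerpts quoted above come from three files with two different timestamp formats, and the point Lukas raises (a pam_unix failure in auth.log against the sssd_pam.log lines of the same second) is easier to judge once the lines are on one clock. The script below is an added example, not code from the thread or from sssd: it parses both formats, merges them into one ordered timeline and pulls out the three things worth checking in a sudo-through-sssd problem: how many rules the sudo responder returned, which sudoUser identities (name, #uid, %groups, +netgroups) it matched against, and which PAM module logged the authentication failure. The sample lines are copied from the quoted logs; the syslog lines carry no year, so 2017 is assumed from the sssd timestamps.

```python
"""Put sssd responder debug lines and syslog auth.log lines on one timeline.

Added example, not from the thread or from sssd. Sample lines are copied from
the logs quoted above; syslog lines carry no year, so ASSUMED_YEAR is taken
from the sssd timestamps.
"""
import re
from datetime import datetime
from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple

ASSUMED_YEAR = 2017
Event = Dict[str, Any]
Parser = Callable[[str], Optional[Event]]

# (Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): message
SSSD_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<responder>[^\]]+)\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# Jan  5 12:10:17 host prog[pid]: message   (classic syslog, no year)
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
PAM_FAIL_RE = re.compile(r"^(\w+)\((\w+):(\w+)\): authentication failure")
RULES_RE = re.compile(r"Returning (\d+) rules for \[([^\]]+)\]")
SUDOUSER_RE = re.compile(r"\(sudoUser=([^)]+)\)")

# Sample input, copied from the thread's quoted sssd_sudo.log, sssd_pam.log and auth.log.
SAMPLE_SSSD_SUDO = [
    "(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [x_james.harri...@domain.com]",
    "(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with "
    "[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))]",
    "(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [x_james.harri...@domain.com]",
]
SAMPLE_SSSD_PAM = [
    "(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate",
    "(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo",
]
SAMPLE_AUTH = [
    "Jan  5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication failure; "
    "logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost=  user=x_james.harrison",
]


def parse_sssd_line(line: str) -> Optional[Event]:
    m = SSSD_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "source": f"sssd[{m['responder']}]", "func": m["func"],
            "level": int(m["level"], 16),  # sssd debug-level bitmask, e.g. 0x0400
            "msg": m["msg"]}


def parse_syslog_line(line: str, year: int = ASSUMED_YEAR) -> Optional[Event]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y"),
            "source": m["prog"], "func": "", "level": None, "msg": m["msg"]}


def build_timeline(*streams: Tuple[Parser, Iterable[str]]) -> List[Event]:
    """Parse every (parser, lines) stream and order by time; the sort is stable,
    so lines sharing a second keep their file order."""
    events = [ev for parser, lines in streams for ev in map(parser, lines) if ev is not None]
    events.sort(key=lambda e: e["ts"])
    return events


def sudo_rules_returned(events: List[Event]) -> Optional[Tuple[int, str]]:
    """(rule count, user) from the sudo responder's 'Returning N rules' line."""
    for ev in events:
        m = RULES_RE.search(ev["msg"]) if ev["source"] == "sssd[sudo]" else None
        if m:
            return int(m[1]), m[2]
    return None


def sudo_identities(events: List[Event]) -> List[str]:
    """sudoUser values sssd matched rules against: name, #uid, %group, +netgroup."""
    for ev in events:
        if ev["source"] == "sssd[sudo]" and "Searching sysdb with" in ev["msg"]:
            return SUDOUSER_RE.findall(ev["msg"])
    return []


def pam_failures(events: List[Event]) -> List[Dict[str, str]]:
    """auth.log 'authentication failure' lines with the module, service and stack that logged them."""
    found = []
    for ev in events:
        m = PAM_FAIL_RE.match(ev["msg"])
        if m:
            found.append({"time": ev["ts"].strftime("%H:%M:%S"), "module": m[1],
                          "service": m[2], "stack": m[3]})
    return found


if __name__ == "__main__":
    tl = build_timeline((parse_sssd_line, SAMPLE_SSSD_SUDO), (parse_sssd_line, SAMPLE_SSSD_PAM),
                        (parse_syslog_line, SAMPLE_AUTH))
    for e in tl:
        print(f"{e['ts']:%H:%M:%S} {e['source']:<10} {e['msg']}")
    print("rules:", sudo_rules_returned(tl), "identities:", sudo_identities(tl))
    print("pam failures:", pam_failures(tl))
```

One reading aid for the output: a pam_unix(sudo:auth) failure for a uid in the IPA range is logged whenever pam_unix is stacked before pam_sss in the sudo PAM stack, because the user has no /etc/shadow entry; the stack then continues to pam_sss, and it is that module's result, not the pam_unix line, that decides whether the sudo authentication succeeded.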

Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-09 Thread James Harrison
All,
1.8.19-1 from Debian does not appear to work either.
James


  From: Lukas Slebodnik <lsleb...@redhat.com>
 To: James Harrison <jamesaharriso...@yahoo.co.uk> 
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
 Sent: Saturday, 7 January 2017, 15:34
 Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd 
version 1.13.4-1ubuntu1.1
   
On (06/01/17 17:15), James Harrison wrote:
>Any ideas?
>      From: James Harrison <jamesaharriso...@yahoo.co.uk>
> To: "freeipa-users@redhat.com" <freeipa-users@redhat.com> 
> Sent: Thursday, 5 January 2017, 13:36
> Subject: FreeIPA sudo not working on ububtu xenial sssd version 
> 1.13.4-1ubuntu1.1
>  
>Hi all,
>I am having problems with a FreeIPA client running Ubuntu Xenial.
>I can authenticate OK, I get a Kerberos ticket, but cannot run sudo.
>I get 1 rule returned, which I expect.
>Many thanks,
>James Harrison
>
>
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning 
>info for user [x_james.harri...@domain.com]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): 
>Retrieving rules for [x_james.harrison] from [domain.com]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
>"ltdb_callback": 0x1c11d70
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
>(0x0200): Searching sysdb with 
>[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to 
>get sudo rules from cache
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
>(0x0200): Searching sysdb with 
>[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting 
>rules with higher-wins logic
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] 
>(0x0400): Returning 1 rules for [x_james.harri...@domain.com]
>(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle 
>timer re-set for client [0x1c0e770][18]
>
Yes, 1 rule was returned for user x_james.harrison.
Can you see something in the output of "sudo -l"?


>==> sssd/sssd_pam.log <==
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [get_client_cred] (0x4000): Client 
>creds: euid[0] egid[1082600012] pid[5470].
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [accept_fd_handler] (0x0400): Client 
>connected!
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): 
>Received client version [3].
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered 
>version [3].
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>
>==> auth.log <==
>Jan  5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication 
>failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 
>ruser=x_james.harrison rhost=  user=x_james.harrison
>
I do not understand the reason why there is a failure in auth.log,
because there isn't one in sssd_pam.log (see above).

>==> sssd/sssd_pam.log <==
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer 
>re-set for client [0x2466e50][19]
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): 
>entering pam_cmd_authenticate
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): 
>name 'x_james.harrison' matched without domain, user is x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: 
>SSS_PAM_AUTHENTICATE
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not 
>set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: 
>/dev/pts/1
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: 
>x_james.harrison
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not 
>set
>(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok 

Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-06 Thread James Harrison
Any ideas?
  From: James Harrison <jamesaharriso...@yahoo.co.uk>
 To: "freeipa-users@redhat.com" <freeipa-users@redhat.com> 
 Sent: Thursday, 5 January 2017, 13:36
 Subject: FreeIPA sudo not working on ububtu xenial sssd version 
1.13.4-1ubuntu1.1
   
Hi all,
I am having problems with a FreeIPA client running Ubuntu Xenial.
I can authenticate OK, I get a Kerberos ticket, but cannot run sudo.
I get 1 rule returned, which I expect.
Many thanks,
James Harrison


(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c11e30 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning 
info for user [x_james.harri...@domain.com]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): 
Retrieving rules for [x_james.harrison] from [domain.com]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c11d70

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c11e30

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c11e30 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c0f550

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c1da40

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c0f550 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c1da40 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c0f550 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
(0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c11d70

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c11e30

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c11e30 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to 
get sudo rules from cache
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c18790

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c1b720

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c18790 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c1b720 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c18790 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c12600

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c0f550

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c12600 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c0f550 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c12600 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
(0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c0f550

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c0dfd0

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c0f550 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c0dfd0 "ltdb_timeout"

[Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-05 Thread James Harrison
Hi all,
I am having problems with a FreeIPA client running Ubuntu Xenial.
I can authenticate OK, I get a Kerberos ticket, but cannot run sudo.
I get 1 rule returned, which I expect.
Many thanks,
James Harrison


(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c11e30 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning 
info for user [x_james.harri...@domain.com]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): 
Retrieving rules for [x_james.harrison] from [domain.com]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c11d70

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c11e30

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c11e30 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c0f550

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c1da40

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c0f550 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c1da40 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c0f550 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
(0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c11d70

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c11e30

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c11e30 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to 
get sudo rules from cache
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c18790

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c1b720

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c18790 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c1b720 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c18790 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c12600

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c0f550

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c12600 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c0f550 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c12600 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
(0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c0f550

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c0dfd0

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c0f550 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c0dfd0 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c0f550 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting 
rules with higher-wins logic
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudo

[Freeipa-users] Manually configuring Freeipa bind configs to host secondary zones

2017-01-04 Thread James Harrison
Hi All,
I realise Free IPA doesn't yet support secondary zones in the web
interface or command line tools (I might be wrong :) ). When I talk about
secondary zones I mean a zone replicated from Windows DNS masters.
Can the Free IPA bind configs be manually altered to host secondary zones? Is
it supported, or will they just be overwritten by Freeipa?
I've been hunting for an answer online, but found nothing about this.

Many thanks,
James Harrison

Re: [Freeipa-users] Free IPA Openssh client install error

2016-12-14 Thread James Harrison
In the ipaclient-install.log I see:

2016-12-14T14:58:10Z DEBUG stderr=
2016-12-14T14:58:10Z DEBUG Backing up system configuration file 
'/etc/ssh/ssh_config'
2016-12-14T14:58:10Z DEBUG Saving Index File to 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-12-14T14:58:10Z INFO Configured /etc/ssh/ssh_config
2016-12-14T14:58:10Z DEBUG Backing up system configuration file 
'/etc/ssh/sshd_config'
2016-12-14T14:58:10Z DEBUG Saving Index File to 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-12-14T14:58:10Z DEBUG Starting external process
2016-12-14T14:58:10Z DEBUG args=sshd -t -f /dev/null -o 
AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys -o 
AuthorizedKeysCommandUser=nobody
2016-12-14T14:58:10Z DEBUG Process finished, return code=1
2016-12-14T14:58:10Z DEBUG stdout=
2016-12-14T14:58:10Z DEBUG stderr=command-line: line 0: Bad configuration 
option: AuthorizedKeysCommand^M

2016-12-14T14:58:10Z DEBUG Starting external process
2016-12-14T14:58:10Z DEBUG args=sshd -t -f /dev/null -o 
AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys -o 
AuthorizedKeysCommandRunAs=nobody
2016-12-14T14:58:10Z DEBUG Process finished, return code=1
2016-12-14T14:58:10Z DEBUG stdout=
2016-12-14T14:58:10Z DEBUG stderr=command-line: line 0: Bad configuration 
option: AuthorizedKeysCommand^M

2016-12-14T14:58:10Z DEBUG Starting external process
2016-12-14T14:58:10Z DEBUG args=sshd -t -f /dev/null -o 
PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u -o PubKeyAgentRunAs=nobody
2016-12-14T14:58:10Z DEBUG Process finished, return code=1
2016-12-14T14:58:10Z DEBUG stdout=
2016-12-14T14:58:10Z DEBUG stderr=command-line: line 0: Bad configuration 
option: PubKeyAgent^M

2016-12-14T14:58:10Z WARNING Installed OpenSSH server does not support 
dynamically loading authorized user keys. Public key authentication of IPA 
users will not be available.



  From: James Harrison <jamesaharriso...@yahoo.co.uk>
 To: "freeipa-users@redhat.com" <freeipa-users@redhat.com> 
 Sent: Wednesday, 14 December 2016, 15:18
 Subject: Free IPA Openssh client install error
   
Hi,
I installed the freeipa client on an Ubuntu Precise system (12.04).

I get the following message at the end of the install:
"Installed OpenSSH server does not support dynamically loading authorized user 
keys. Public key authentication of IPA users will not be available."

Any clues? Is there a fix?

Best regards,
James Harrison


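The ipaclient-install.log lines above show what the installer does before it prints that warning: it validates an empty sshd configuration (sshd -t -f /dev/null) with each candidate pair of directives in turn and treats "Bad configuration option" as "this sshd does not know the directive". AuthorizedKeysCommand first shipped in upstream OpenSSH 6.2, and Precise's OpenSSH 5.9 predates it, so all three probes fail there and sshd cannot be pointed at sss_ssh_authorizedkeys for the keys stored on IPA user entries. The script below is an added example, not ipa-client-install's own code: it performs the same three probes in the same order and, unlike a plain exit-status check, separates "directive unknown" from sshd -t failing for another reason, such as being run without the right to read the host keys. The names detect_keys_directive, describe_probe, sshd_config_lines and ProbeError are mine.

```python
"""Probe which sshd directive can load authorized keys from a command.

Added example, not ipa-client-install's own code. It reproduces the three
probes visible in the install log: validate a throwaway config
(sshd -t -f /dev/null) with each candidate directive pair and read the exit
status and stderr. Run it as root, because sshd -t also opens the host keys.
"""
import subprocess
from typing import Callable, List, Optional, Tuple

KEYS_CMD = "/usr/bin/sss_ssh_authorizedkeys"

# (directive naming the command, directive naming the run-as user, command value),
# in the order the install log tries them: upstream OpenSSH >= 6.2 first, then the
# two older distribution-patch spellings.
CANDIDATES: List[Tuple[str, str, str]] = [
    ("AuthorizedKeysCommand", "AuthorizedKeysCommandUser", KEYS_CMD),
    ("AuthorizedKeysCommand", "AuthorizedKeysCommandRunAs", KEYS_CMD),
    ("PubKeyAgent", "PubKeyAgentRunAs", KEYS_CMD + " %u"),
]

# A runner takes the -o options and returns (exit status, stderr); injectable for tests.
Runner = Callable[[List[str]], Tuple[int, str]]


class ProbeError(RuntimeError):
    """sshd -t failed for a reason other than an unknown directive."""


def run_sshd_check(options: List[str]) -> Tuple[int, str]:
    """sshd -t -f /dev/null -o OPT [-o OPT ...]: parse only, no listening, no config file."""
    argv = ["sshd", "-t", "-f", "/dev/null"]
    for opt in options:
        argv += ["-o", opt]
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stderr


def detect_keys_directive(runner: Runner = run_sshd_check) -> Optional[Tuple[str, str]]:
    """Return the (command, run-as) directive pair this sshd accepts, or None if none does.

    Only "Bad configuration option" counts as "not supported"; any other failure
    (unreadable host keys, for instance) raises ProbeError, so a permissions
    problem is not misreported as an old OpenSSH.
    """
    for cmd_opt, user_opt, value in CANDIDATES:
        rc, stderr = runner([f"{cmd_opt}={value}", f"{user_opt}=nobody"])
        if rc == 0:
            return cmd_opt, user_opt
        if "Bad configuration option" not in stderr:
            raise ProbeError(stderr.strip() or f"sshd -t exited with status {rc}")
    return None


def sshd_config_lines(directives: Tuple[str, str]) -> List[str]:
    """The two sshd_config lines that wire sss_ssh_authorizedkeys in for the accepted pair."""
    cmd_opt, user_opt = directives
    value = next(v for c, u, v in CANDIDATES if (c, u) == directives)
    return [f"{cmd_opt} {value}", f"{user_opt} nobody"]


def describe_probe(runner: Runner = run_sshd_check) -> str:
    """One-line outcome: 'Cmd/RunAs' for the accepted pair, 'unsupported', or 'probe-error: <why>'."""
    try:
        found = detect_keys_directive(runner)
    except ProbeError as exc:
        return f"probe-error: {exc}"
    except FileNotFoundError:
        return "probe-error: sshd not found"
    if found is None:
        return "unsupported"
    return "/".join(found)


if __name__ == "__main__":
    outcome = describe_probe()
    if outcome == "unsupported":
        print("Installed OpenSSH server does not support dynamically loading authorized user keys.")
    elif outcome.startswith("probe-error"):
        print(outcome)
    else:
        cmd_opt, user_opt = outcome.split("/")
        print("\n".join(sshd_config_lines((cmd_opt, user_opt))))
```

On a host where the probe reports unsupported, the only remaining options are a newer OpenSSH (a later Ubuntu release, as the follow-up posts in this thread ended up testing) or distributing the users' keys into ~/.ssh/authorized_keys by other means.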

[Freeipa-users] Free IPA Openssh client install error

2016-12-14 Thread James Harrison
Hi,
I installed the freeipa client on an Ubuntu Precise system (12.04).

I get the following message at the end of the install:
"Installed OpenSSH server does not support dynamically loading authorized user 
keys. Public key authentication of IPA users will not be available."

Any clues? Is there a fix?

Best regards,
James Harrison

Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-08 Thread James Harrison
Hi,
From this URL: https://launchpad.net/~sssd/+archive/ubuntu/updates
I updated sssd on Trusty and I can now ssh to it using a FreeIPA user's
credentials. AD still doesn't work.
Thanks

  From: Lukas Slebodnik <lsleb...@redhat.com>
 To: James Harrison <jamesaharriso...@yahoo.co.uk> 
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
 Sent: Thursday, 8 December 2016, 11:22
 Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise 
(12.04) authenticating with AD account
   
On (07/12/16 18:19), James Harrison wrote:
>Hi all,
>
>I am trying to authenticate an ubuntu Precise (12.06) fully patched system. 
>Its enrolled into a FreeIPA server. The following trace is the output of 
>syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
>
Are you able to reproduce with ubuntu 14.04
and sssd from trusty-updates (1.11.8-0ubuntu0.3)?
You might also consider testing sssd-1.13.4 (in ubuntu 16.04)
or at least 1.12.5-1~trusty1 from the ppa
https://launchpad.net/~sssd

LS



Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-08 Thread James Harrison
I tried to clone the git repos and I got access-rights errors.
James

  From: Lukas Slebodnik <lsleb...@redhat.com>
 To: James Harrison <jamesaharriso...@yahoo.co.uk> 
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
 Sent: Thursday, 8 December 2016, 11:22
 Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise 
(12.04) authenticating with AD account
   
On (07/12/16 18:19), James Harrison wrote:
>Hi all,
>
>I am trying to authenticate an ubuntu Precise (12.06) fully patched system. 
>Its enrolled into a FreeIPA server. The following trace is the output of 
>syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
>
Are you able to reproduce with ubuntu 14.04
and sssd from trusty-updates (1.11.8-0ubuntu0.3)?
You might also consider testing sssd-1.13.4 (in ubuntu 16.04)
or at least 1.12.5-1~trusty1 from the ppa
https://launchpad.net/~sssd

LS



Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-08 Thread James Harrison
Hi,
An update.
I just got Trusty enrolled into FreeIPA by removing everything in: 
/etc/pki/nssdb and running:
/usr/bin/certutil -N --empty-password -d /etc/pki/nssdb
... before the client-install is run.
I get user IDs with Freeipa and AD domains:
root@jamestrusty:/etc/pki/nssdb# id x_james.harrison@IPA.REALM.COM
uid=108269(x_james.harrison) gid=108269(x_james.harrison) groups=108269(x_james.harrison),108260(admins),1082600010(ipausers)

root@jamestrusty:/etc/pki/nssdb# id x_james.harrison@AD.DOMAIN.LOCAL
uid=1039812876(x_james.harrison@ad.domain.local) 
gid=1039812876(x_james.harrison@ad.domain.local) 
groups=1039812876(x_james.harrison@ad.domain.locall)

However, auth issues are still the same as on Precise. It doesn't accept the ssh
public key stored with the IPA user or the Trust ID view user.

Xenial has no problems.
Regards,
James Harrison

  From: James Harrison <jamesaharriso...@yahoo.co.uk>
 To: "freeipa-users@redhat.com" <freeipa-users@redhat.com> 
 Sent: Thursday, 8 December 2016, 15:02
 Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise 
(12.04) authenticating with AD account
   

Hi,
I would prefer not to compile anything. It means we have to maintain the
package, rather than the distro maintainers.

Trusty has a completely different set of errors to Precise.  

Xenial works with no problems.

I run a script that allows the system to join the IPA domain (the same script 
regardless of Ubuntu distro):
($P_W is read in from stdin)

ipa-client-install \
 --server="$IPA_SERVER" \
 --domain=dns.domain.com \
 --principal=admin \
 --password="$P_W" \
 --preserve-sssd \
 --mkhomedir \
 --no-ntp \
 -U


Enter (Admins) Password:   
Confirm Password: 
Hostname: jamestrusty.dns.domain.com
Realm: IPA.REALM.COM
DNS Domain: dns.domain.com
IPA Server: pul-lv-ipa-01.dns.domain.com
BaseDN: dc=int,dc=worldfirst,dc=com

Synchronizing time with KDC...
Dec  8 14:50:58 jamestrusty ntpdate[2448]: ntpdate 4.2.6p5@1.2349-o Wed Oct  5 
12:35:26 UTC 2016 (1)
Dec  8 14:50:58 jamestrusty ntpdate[2448]: the NTP socket is in use, exiting
...
...
...
...
...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
Successfully retrieved CA cert
    Subject: CN=SOMECERT
    Issuer:  CN=SOMECERT
    Valid From:  Wed Mar 12 00:00:00 2014 UTC
    Valid Until: Sun Mar 11 23:59:59 3029 UTC

Enrolled in IPA realm IPA.REALM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Failed to add CA to the default NSS database.
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration 
file does not specify default realm.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Client uninstall complete.


  From: Lukas Slebodnik <lsleb...@redhat.com>
 To: James Harrison <jamesaharriso...@yahoo.co.uk> 
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
 Sent: Thursday, 8 December 2016, 11:22
 Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise 
(12.04) authenticating with AD account
  
On (07/12/16 18:19), James Harrison wrote:
>Hi all,
>
>I am trying to authenticate an ubuntu Precise (12.06) fully patched system. 
>Its enrolled into a FreeIPA server. The following trace is the output of 
>syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
>
Are you able to reproduce with ubuntu 14.04
and sssd from trusty-updates(1.11.8-0ubuntu0.3)
You might also consider to test sssd-1.13.4 (in ubuntu 16.04)
or at least 1.12.5-1~trusty1 from ppa
https://launchpad.net/~sssd

LS


   


Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-08 Thread James Harrison

Hi, I would prefer not to compile anything. It means we have to maintain the 
package, rather than the distro maintainers.

Trusty has a completely different set of errors to Precise.  

Xenial works with no problems.

I run a script that allows the system to join the IPA domain (the same script 
regardless of Ubuntu distro):
( $P_W is read in from stdin)

ipa-client-install \
 --server="$IPA_SERVER" \
 --domain=dns.domain.com \
 --principal=admin \
 --password="$P_W" \
 --preserve-sssd \
 --mkhomedir \
 --no-ntp \
 -U


Enter (Admins) Password:   
Confirm Password: 
Hostname: jamestrusty.dns.domain.com
Realm: IPA.REALM.COM
DNS Domain: dns.domain.com
IPA Server: pul-lv-ipa-01.dns.domain.com
BaseDN: dc=int,dc=worldfirst,dc=com

Synchronizing time with KDC...
Dec  8 14:50:58 jamestrusty ntpdate[2448]: ntpdate 4.2.6p5@1.2349-o Wed Oct  5 
12:35:26 UTC 2016 (1)
Dec  8 14:50:58 jamestrusty ntpdate[2448]: the NTP socket is in use, exiting
...
...
...
...
...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
Successfully retrieved CA cert
    Subject: CN=SOMECERT
    Issuer:  CN=SOMECERT
    Valid From:  Wed Mar 12 00:00:00 2014 UTC
    Valid Until: Sun Mar 11 23:59:59 3029 UTC

Enrolled in IPA realm IPA.REALM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Failed to add CA to the default NSS database.
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration 
file does not specify default realm.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Client uninstall complete.


  From: Lukas Slebodnik <lsleb...@redhat.com>
 To: James Harrison <jamesaharriso...@yahoo.co.uk> 
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
 Sent: Thursday, 8 December 2016, 11:22
 Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise 
(12.04) authenticating with AD account
   
On (07/12/16 18:19), James Harrison wrote:
>Hi all,
>
>I am trying to authenticate an ubuntu Precise (12.06) fully patched system. 
>Its enrolled into a FreeIPA server. The following trace is the output of 
>syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
>
Are you able to reproduce with ubuntu 14.04
and sssd from trusty-updates(1.11.8-0ubuntu0.3)
You might also consider to test sssd-1.13.4 (in ubuntu 16.04)
or at least 1.12.5-1~trusty1 from ppa
https://launchpad.net/~sssd

LS



[Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-07 Thread James Harrison
Hi all,

I am trying to authenticate an ubuntu Precise (12.06) fully patched system. Its 
enrolled into a FreeIPA server. The following trace is the output of syslog 
auth sssd/*.log and full debug (-ddd) from the sshd service.

I am getting a PAM error at the end of the procedure. Also I cant seem to 
authenticate against the public ssh key from the id override user.

I appreciate any help you can send my way.

Best regards,

James Harrison
Below is more information


root@jamesprecise:~# kinit x_james.harrison@AD.DOMAIN.LOCAL
Password for x_james.harrison@AD.DOMAIN.LOCAL:

root@jamesprecise:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: x_james.harrison@AD.DOMAIN.LOCAL

Valid starting Expires    Service principal
07/12/16 17:56:30  08/12/16 03:56:30  krbtgt/AD.DOMAIN.LOCAL@AD.DOMAIN.LOCAL
    renew until 08/12/16 17:56:23

root@jamesprecise:~# id x_james.harrison@AD.DOMAIN.LOCAL
uid=1039812876(x_james.harrison@ad.domain.local) 
gid=1039812876(x_james.harrison@ad.domain.local) 
groups=1039812876(x_james.harrison@ad.domain.local)

[root@pul-lv-ipa-02 ~]# ipa idoverrideuser-show External_AD_views x_james.harrison@ad.domain.local
  Anchor to override: x_james.harrison@ad.domain.local
  User login: x_james.harrison
  Login shell: /bin/bash
  SSH public key: ssh-rsa
  
B3NzaC1yc2EDAQABAAABAQDK1pj2U7H9olLs1xKmcmZVEBMWpaHjxF2LttsdfqfQxm810qMru/WsvzHqu0m5Ugu0FYsPxRLQrAEB8WPsPoh5Y0q5qYPgm5aDOZZEXfCPyuRwdQ+XLfQJ3gnGjW4r/XLEiNVpO9eKsFs0ifspNAJ1n7h40rlHlOIqV/z8Omg6XnFBh9dIfiXtpYDOxe+512RpjtHE98s+NfIpUTT7MGNLHB5o/DqFXEJPH7Pp1bKwxWNvfCb5a71vcE695dQ31QYVYwpSwFmFogewgpV/OCb+S4SUdUq1xg0fmkhYr3d4UXFr91MDimyOBWk9Aai7NkOHPszmHJp
  JamesHarrison


Here are the software versions:

root@jamesprecise:# dpkg -l | grep -i freeipa
ii  freeipa-client 3.3.4-0ubuntu3.1~precise0.1  
  FreeIPA centralized identity framework -- client
ii  libipa-hbac0   1.11.5-1ubuntu3~precise1 
  FreeIPA HBAC Evaluator library
ii  python-freeipa 3.3.4-0ubuntu3.1~precise0.1  
  FreeIPA centralized identity framework -- python modules
ii  python-libipa-hbac 1.11.5-1ubuntu3~precise1 
  Python bindings for the FreeIPA HBAC Evaluator library

root@jamesprecise:# dpkg -l | grep -i openssh-server
ii  openssh-server 1:5.9p1-5ubuntu1.10  
  secure shell (SSH) server, for secure access from remote machines


root@jamesprecise:/var/log# dpkg -l | grep -i sssd
ii  libsss-idmap0  1.11.5-1ubuntu3~precise1 
  ID mapping library for SSSD
ii  sssd   1.11.5-1ubuntu3~precise1 
  System Security Services Daemon -- metapackage
ii  sssd-ad    1.11.5-1ubuntu3~precise1 
  System Security Services Daemon -- Active Directory back end
ii  sssd-ad-common 1.11.5-1ubuntu3~precise1 
  System Security Services Daemon -- PAC responder
ii  sssd-common    1.11.5-1ubuntu3~precise1 
  System Security Services Daemon -- common files
ii  sssd-ipa   1.11.5-1ubuntu3~precise1 
  System Security Services Daemon -- IPA back end
ii  sssd-krb5  1.11.5-1ubuntu3~precise1 
  System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common   1.11.5-1ubuntu3~precise1 
  System Security Services Daemon -- Kerberos helpers
ii  sssd-ldap  1.11.5-1ubuntu3~precise1 
  System Security Services Daemon -- LDAP back end
ii  sssd-proxy 1.11.5-1ubuntu3~precise1 
  System Security Services Daemon -- proxy back end
ii  sudo   1.8.9p5-1ubuntu1.1~sssd1 
  Provide limited super user privileges to specific users

Ubuntu PPAs:
root@jamesprecise:~# ls -l /etc/apt/sources.list.d/
total 16
-rw-r--r-- 1 root root 65 Dec  7 08:48 freeipa-ppa-precise.list
-rw-r--r-- 1 root root 61 Dec  7 08:48 ppa_freeipa_ppa_precise.list
-rw-r--r-- 1 root root 62 Dec  7 08:48 ppa_sssd_updates_precise.list
-rw-r--r-- 1 root root 66 Dec  7 08:48 sssd-updates-precise.list

cat /etc/pam.d/common-session
session    [default=1]    pam_permit.so
session    requisite    pam_deny.so
session    required    pam_permit.so
session optional    pam_umask.so
session    required    pam_mkhomedir.so umask=0022 skel=/etc/skel
session    required    pam_unix.so
session    optional    pam_sss.so
session    [success=ok default=ignore]    pam_ldap.so minimum_uid=1000
root@jamesprecise:~#

root@jamesprecise:~# cat /etc/pam.d/common-auth
auth    [success=3 default=ignore]    pam_unix.so nullok_secure
auth    [success=2 default
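
The SSH public key in the ID override is the first thing to verify when key authentication for an override user fails, because sshd will silently ignore a key line it cannot parse. The following is an added example, not FreeIPA or SSSD code, written against the Python standard library only: it parses a public key line the way sshd parses an authorized_keys entry (base64 decode, check that the key type embedded in the blob matches the leading type word, check that no bytes are left over) and computes the SHA256 fingerprint that `ssh-keygen -lf` prints. Every OpenSSH key blob starts with the base64 text `AAAA` (the four-byte length of the type string); the key as reproduced in this archive begins `B3NzaC1yc2E`, which is exactly the kind of damage these checks flag. The sample key is constructed here from tiny throw-away RSA parameters and is not a real key.

```python
"""Sanity-check an OpenSSH public key line such as the one stored in an IPA
ID override (ipa idoverrideuser-add ... --sshpubkey=...).

Added example, not FreeIPA or SSSD code; standard library only.  The sample
key at the bottom is built here from tiny throw-away RSA parameters and is
not a real key.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint (RFC 4251): two's complement, leading 0x00 if high bit set."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_public_key_line(e: int, n: int, comment: str = "") -> str:
    """Produce an authorized_keys-style 'ssh-rsa <base64> [comment]' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def _read_string(blob: bytes, off: int):
    """Read one wire-format string; return (payload, new_offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated blob: missing length field")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated blob: payload shorter than declared")
    return blob[off:off + length], off + length


def parse_public_key_line(line: str) -> dict:
    """Parse a public key line the way sshd does for authorized_keys.

    Raises ValueError when the base64 is damaged (typical after a key has
    been wrapped or had characters dropped while being pasted into the
    override), when the type inside the blob differs from the leading type
    word, or when bytes are left over after the key material.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:           # binascii.Error subclasses ValueError
        raise ValueError(f"base64 decode failed: {exc}") from exc

    embedded_type, off = _read_string(blob, 0)
    if embedded_type != key_type.encode("ascii"):
        raise ValueError(f"type word {key_type!r} != blob type {embedded_type!r}")

    digest = hashlib.sha256(blob).digest()    # same input ssh-keygen -lf hashes
    info = {"type": key_type, "comment": comment,
            "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("=")}
    if key_type == "ssh-rsa":
        e_raw, off = _read_string(blob, off)
        n_raw, off = _read_string(blob, off)
        info["e"], info["n"] = int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")
        info["bits"] = info["n"].bit_length()
    elif key_type == "ssh-ed25519":
        pk, off = _read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        info["bits"] = 256
    else:
        return info                        # other types: not inspected further
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing bytes after key data")
    return info


def is_damaged(line: str) -> bool:
    """True when the line would be rejected, e.g. a mangled paste."""
    try:
        parse_public_key_line(line)
        return False
    except ValueError:
        return True


# Constructed sample: insecure toy parameters, only to exercise the parser.
SAMPLE_E = 65537
SAMPLE_N = 0xC0FFEE1234567890ABCDEF0123456789ABCDEF      # 152-bit toy modulus
SAMPLE_LINE = build_rsa_public_key_line(SAMPLE_E, SAMPLE_N, "JamesHarrison")


def check_sample_line() -> dict:
    return parse_public_key_line(SAMPLE_LINE)


if __name__ == "__main__":
    info = check_sample_line()
    print(f"{info['bits']} {info['fingerprint']} {info['comment']} ({info['type']})")
    # Drop the leading 'AAAA' (the 4-byte type length), as in a mangled paste:
    print("damaged:", is_damaged("ssh-rsa " + SAMPLE_LINE.split()[1][4:]))
```

To use it on a real client, feed it the line that SSSD hands to sshd (save the output of `sss_ssh_authorizedkeys x_james.harrison@ad.domain.local` to a file and pass each line to `parse_public_key_line`), then compare the fingerprint with `ssh-keygen -lf` run on the user's own public key file. A mismatch or a ValueError means the override holds a different or damaged key, which is a far more common cause than an sshd or SSSD bug.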

[Freeipa-users] Something I don't get with FreeIPA and AD Trusts and Users and Groups

2016-11-21 Thread James Harrison
Hi all, I have established an AD trust Between Free IPA and our Windows network 
and its working. No problems there.
I have created the IDM Groups for active directory as proposed in section 5.5 
of the Windows_Integration_Guide.
Now what? The group in Free IPA I've created (from section 5.5) allows me to do 
what? Am I supposed to get a synchronised list of Domain Admin users in Free 
IPA?

I can log in to a Linux client using AD credentials, regardless of the AD users 
external map (The user I'm logging is with is a member of the AD Domain Admins 
group).
Many thanks, James Harrison

[Freeipa-users] Differences between "ipa-replica-manage connect --winsync..." and ipa-adtrust-install ... ipa trust-add...

2016-11-15 Thread James Harrison
Hello, Are there any differences between establishing a Replication Agreement 
using "ipa-replica-manage connect --winsync"  and establishing an AD Trust 
Relationship using the commands  ipa-adtrust-install ...  ipa trust-add ...
Are they used together or are they different methods to accomplish the same 
goal: to get AD user accounts? Which one is preferred?

Best regards, James Harrison

Re: [Freeipa-users] Specify different ssh port for ipa-conncheck

2016-11-10 Thread James Harrison
Hello. Thanks for your help Martin, that worked.
James Harrison

  On Thu, 10 Nov, 2016 at 12:15, Martin Basti <mba...@redhat.com> wrote:

 On 10.11.2016 13:00, James Harrison wrote:

  Hi All, We use port 2234 for all sshd connections on our systems.
  It looks like ipa-conncheck uses port 22.
  Can this be changed to use 2234? This would be for replicas and clients I
  presume.
  This is quite urgent.

  Many thanks, James Harrison

 Hello,

 maybe it is possible to use a local ssh config and manually set the port per host
 http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/

 if not, then it is not possible to change the SSH port without changing the
 ipa-conncheck code
 You didn't specify the version of IPA, so in the master git branch the related code is in
 ipa-replica-conncheck, class SshExec.__call__

 Martin

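
Martin's suggestion works (James confirms it above) because ipa-replica-conncheck shells out to the ordinary OpenSSH client as root, and that client reads /etc/ssh/ssh_config: the failing run quoted elsewhere in this thread logs "Reading configuration data /etc/ssh/ssh_config" just before it tries port 22. A per-host Port directive there is honoured without touching the tool. This fragment is an added example, not part of the thread; the host name is the remote master from that log and should be replaced with yours:

```sshconfig
# /etc/ssh/ssh_config on the replica being installed (read by root's ssh,
# hence by ipa-replica-conncheck).  Host name taken from the conncheck log
# in this thread; substitute your master.
Host pul-lv-ipa-01.int.worldfirst.com
    Port 2234
```

Keep the Host pattern tight: a bare `Port 2234` under `Host *` would redirect every other ssh from that box as well. Before re-running the installer, `ssh -v root@pul-lv-ipa-01.int.worldfirst.com` should now print `Connecting to ... port 2234.` in its debug output instead of port 22.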

Re: [Freeipa-users] Specify different ssh port for ipa-conncheck

2016-11-10 Thread James Harrison
We get the below message for replica machines and I've seen it for client 
machines too:
[root@pul-lv-ipa-02 bin]# /root/bin/freeipa-replica-install.sh 
/var/lib/ipa/replica-info-$(hostname -f).gpg
Using reverse zone(s) 23.10.in-addr.arpa.
Run connection check to master
Check connection from replica to remote master 'aa..com ':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Could not SSH into remote host. Error output:
    OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 56: Applying options for *
    debug1: Connecting to aa..com [10.23.45.88] port 22.
    debug1: connect to address 10.23.45.88 port 22: Connection refused
    ssh: connect to host pul-lv-ipa-01.int.worldfirst.com port 22: Connection 
refused
Could not SSH to remote host.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    Connection check 
failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck 
parameter.


  From: James Harrison <jamesaharriso...@yahoo.co.uk>
 To: "freeipa-users@redhat.com" <freeipa-users@redhat.com> 
 Sent: Thursday, 10 November 2016, 12:00
 Subject: Specify different ssh port for ipa-conncheck
   
Hi All, We use port 2234 for all sshd connections on our systems.
It looks like ipa-conncheck uses port 22.
Can this be changed to use 2234? This would be for replicas and clients I 
presume.
This is quite urgent.

Many thanks, James Harrison




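
The TCP half of the check above is easy to reproduce by hand, and doing so with the SSH port you actually run is the quickest way to confirm that the "Connection refused" comes from the port-22 assumption and not from a firewall between replica and master. The following is an added example, not FreeIPA code: it probes the same six IPA TCP ports the conncheck prints plus a configurable SSH port, treats refusal, timeout and name-resolution failure alike as closed, and leaves UDP 88/464 alone just as the tool does. Host names are placeholders; `self_test()` runs the checker against a throwaway loopback listener so it can be exercised offline.

```python
"""Reproduce the TCP half of ipa-replica-conncheck with a configurable SSH port.

Added example, not FreeIPA code.  The service list mirrors the ports the
conncheck output in this thread prints; UDP 88/464 are skipped, as the tool
skips them.  Host names are placeholders.
"""
import socket
from typing import Dict, Iterable, Tuple

IPA_TCP_SERVICES: Tuple[Tuple[str, int], ...] = (
    ("Directory Service: Unsecure port", 389),
    ("Directory Service: Secure port", 636),
    ("Kerberos KDC: TCP", 88),
    ("Kerberos Kpasswd: TCP", 464),
    ("HTTP Server: Unsecure port", 80),
    ("HTTP Server: Secure port", 443),
)


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.
    Refusal, timeout and name-resolution failure all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def conncheck(host: str, ssh_port: int = 22,
              services: Iterable[Tuple[str, int]] = IPA_TCP_SERVICES,
              timeout: float = 3.0) -> Dict[str, bool]:
    """Probe the IPA TCP services plus sshd on the port you actually run it on."""
    results = {f"{name} ({port})": tcp_port_open(host, port, timeout)
               for name, port in services}
    results[f"SSH ({ssh_port})"] = tcp_port_open(host, ssh_port, timeout)
    return results


def self_test() -> Dict[str, bool]:
    """Run conncheck() against one open loopback port (standing in for sshd on
    a non-default port) and one port on which nothing listens."""
    listening = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listening.bind(("127.0.0.1", 0))
    listening.listen(1)          # the kernel completes handshakes even if we never accept()
    open_port = listening.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                # released again, so connects to it are refused
    try:
        return conncheck("127.0.0.1", ssh_port=open_port,
                         services=[("nothing listening", closed_port)],
                         timeout=1.0)
    finally:
        listening.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "pul-lv-ipa-01.dns.domain.com"  # placeholder
    ssh_port = int(sys.argv[2]) if len(sys.argv) > 2 else 2234
    for name, ok in conncheck(host, ssh_port).items():
        print(f"   {name}: {'OK' if ok else 'FAILED'}")
```

Run it from the replica as `python3 conncheck.py <master> 2234`. If everything reports OK here while ipa-replica-conncheck still fails on SSH, the problem is purely the port the tool assumes, which the ssh_config approach addresses; if SSH (2234) also fails, fix the network path first and skip nothing.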

[Freeipa-users] Specify different ssh port for ipa-conncheck

2016-11-10 Thread James Harrison
Hi All, We use port 2234 for all sshd connections on our systems.
It looks like ipa-conncheck uses port 22.
Can this be changed to use 2234? This would be for replicas and clients I 
presume.
This is quite urgent.

Many thanks, James Harrison



Re: [Freeipa-users] Remove AD domain in auth commands

2016-11-07 Thread James Harrison
Hello
Sorry, I didn't explain. The ipa is the default domain, but I also want to use the 
Windows domain to authenticate, but I want the OS to detect which realm to use 
in the ssh command.
Thanks
 
  On Mon, 7 Nov, 2016 at 11:48, Martin Basti <mba...@redhat.com> wrote:
AFAIK Jakub already answered that:
https://www.redhat.com/archives/freeipa-users/2016-November/msg00031.html
 On 07.11.2016 12:05, James Harrison wrote:

Anyone ?

 Sent from Yahoo Mail on Android

 On Fri, 4 Nov, 2016 at 11:04, James Harrison <jamesaharriso...@yahoo.co.uk> wrote:
  Hello,
  I've installed FreeIPA 4.2 master using CentOS and I have a Windows 2012R2
  with its AD schema emulating a Windows 2012 system
  I have established a trust between the two and it appears to work. I can
  reference a user on the AD domain, but the only way is to add the AD domain.

  The only way to ssh to the master IPA server is like this:

   ssh "x_@IPAWIN.LOCAL"@10.10.10.10
  Another example is using kinit:
  I have to do the following to get a credential: kinit x_@IPAWIN.LOCAL
  Ideally I would not need or use the "@IPAWIN.LOCAL".

  Can anyone help?
  Best regards, James Harrison


Re: [Freeipa-users] Remove AD domain in auth commands

2016-11-07 Thread James Harrison
Anyone ?

Sent from Yahoo Mail on Android 
 
  On Fri, 4 Nov, 2016 at 11:04, James Harrison <jamesaharriso...@yahoo.co.uk> wrote:
Hello,
I've installed FreeIPA 4.2 master using Centos and I have a Windows 2012R2 with 
its AD schema emulating a Windows 2012 system
I have established a trust between the two and it appears to work. I can 
reference a user on the AD domain, but the only way is to add the AD domain. 

The only way to ssh to the master IPA server is like this:

 ssh "x_@IPAWIN.LOCAL"@10.10.10.10
Another example is using kinit:
I have to do the following to get a credential: kinit x_@IPAWIN.LOCAL
Ideally I would not need or use the "@IPAWIN.LOCAL". 

Can anyone help?
Best regards,James Harrison
  

[Freeipa-users] Remove AD domain in auth commands

2016-11-04 Thread James Harrison
Hello,
I've installed FreeIPA 4.2 master using Centos and I have a Windows 2012R2 with 
its AD schema emulating a Windows 2012 system
I have established a trust between the two and it appears to work. I can 
reference a user on the AD domain, but the only way is to add the AD domain. 

The only way to ssh to the master IPA server is like this:

 ssh "x_@IPAWIN.LOCAL"@10.10.10.10
Another example is using kinit:
I have to do the following to get a credential: kinit x_@IPAWIN.LOCAL
Ideally I would not need or use the "@IPAWIN.LOCAL". 

Can anyone help?
Best regards,James Harrison

Re: [Freeipa-users] Promote CA-less replica

2016-10-21 Thread James Harrison
Hello all,
That is really good to know. Thank you for helping me out with this.
James

  From: Rob Crittenden <rcrit...@redhat.com>
 To: "jamesaharriso...@yahoo.co.uk" <jamesaharriso...@yahoo.co.uk>; Martin 
Babinsky <mbabi...@redhat.com>; "freeipa-users@redhat.com" 
<freeipa-users@redhat.com> 
 Sent: Friday, 21 October 2016, 14:18
 Subject: Re: [Freeipa-users] Promote CA-less replica
   
James Harrison wrote:
> Hi,
> Thanks again.
>
> Lastly, we've switched away from Ubuntu's FreeIPA due to a bad Samba
> compilation choice stopping AD trusts from working (samba isn't using
> MIT kerberos).  We're now using CentOS 7.2.
>
> While we know the CentOS version will operate correctly, we only get to
> use 4.2 of FreeIPA, but the Ubuntu version is 4.4.2. Is there 4.4.2 for
> CentOS?

Not until RHEL 7.3 is released and rebuilt for CentOS.

rob

>
> Best regards
> James Harrison
> ----
> *From:* Rob Crittenden <rcrit...@redhat.com>
> *To:* James Harrison <jamesaharriso...@yahoo.co.uk>; Martin Babinsky
> <mbabi...@redhat.com>; "freeipa-users@redhat.com"
> <freeipa-users@redhat.com>
> *Sent:* Wednesday, 19 October 2016, 14:28
> *Subject:* Re: [Freeipa-users] Promote CA-less replica
>
> James Harrison wrote:
>  > Hi,
>  > Martin thanks for your quick response. Based on your comments. I have
>  > further questions.
>  >
>  >  >> equal peers and can be considered masters
>  >
>  > 1. If there any urgency for us to recreate a "master" server to perform
>  > any "master" type functions? How do we re-attach "replicas" to this new
>  > "master"?
>
> Like he said, all IPA servers are equal (some are just more equal than
> others). If you truly have a CA-less system then the only thing that
> distinguishes one master from another is the presence of the DNS
> service. From below it looks like you install DNS on all which makes
> them all masters.
>
> You can manage the replication topology using ipa-replica-manage.
>
>  >
>  >  >> As long as the others have valid CA and server certs
>  > 2. This is the install script we are using on the "replicas"
>  >
>  > ipa-replica-install \
>  >      --setup-dns --ssh-trust-dns --no-dnssec-validation \
>  >      -p x \
>  >      --admin-password=xxx \
>  >      --ip-address=replica_ip  \
>  >      --no-forwarders \
>  >      -U --mkhomedir --log-file=freeipa_log_file $1
>  >
>  > 3. The $1 is the cert generated from the "master".  If theres no
>  > distinction between a "master" and a "replica" in a CA-less environment,
>  > can a "replica" run the ipa-replica-prepare script once
>  > ipa-replica-install has been successfully run?
>
> I think you mean $1 is the replica file generated from some master.
> Seeing how you generate that would tell us whether you are truly in a
> CA-less environment or not (e.g. you'd need to pass in PKCS#12 files to
> ipa-replica-prepare).
>
> To answer your question, yes. In a CA-less environment any master can
> generate a prepare file.
>
> You can add/remove connections using ipa-replica-manage. The initial
> connection is between the master that generated the prepare file and the
> host it was installed on.
>
> rob
>
>
>  >
>  > Thank you for any help.
>  > Best regards,
>  > James Harrison
>  >
>  > 
>  > *From:* Martin Babinsky <mbabi...@redhat.com >
>  > *To:* freeipa-users@redhat.com 
>  > *Sent:* Wednesday, 19 October 2016, 11:01
>  > *Subject:* Re: [Freeipa-users] Promote CA-less replica
>  >
>  > On 10/19/2016 11:35 AM, James Harrison wrote:
>  >
>  > Hi James,
>  >
>  >  > Hi,
>  >  > Were using FreeIPA on Ubuntu Xenial. We lost the Master server.
>  >  >
>  >  > I have some questions:
>  >  > 1. Do DNS replicate among other replicas is we change/add DNS records?
>  >  > If not can this behaviour be changed?
>  > IPA-integrated DNS stores records in the replicated LDAP subtree so any
>  > added/removed DNS record will replicate to other IPA DNS servers.
>  >
>  >  > 2. How do we promote a replica to become a master? We have not
>  >  > configured our servers to become a CA. Our CA is Comodo and we have
>  >  > configured FreeIPA to use a certificate, key and interim certificates
>  >  > from Comodo. using the options:
>  

Re: [Freeipa-users] Promote CA-less replica

2016-10-20 Thread James Harrison
Hi, Thanks again.
Lastly, we've switched away from Ubuntu's FreeIPA due to a bad Samba 
compilation choice stopping AD trusts from working (samba isn't using MIT 
kerberos).  We're now using CentOS 7.2. 

While we know the CentOS version will operate correctly, we only get to use 4.2 
of FreeIPA, but the Ubuntu version is 4.4.2. Is there 4.4.2 for CentOS?
Best regards
James Harrison

  From: Rob Crittenden <rcrit...@redhat.com>
 To: James Harrison <jamesaharriso...@yahoo.co.uk>; Martin Babinsky 
<mbabi...@redhat.com>; "freeipa-users@redhat.com" <freeipa-users@redhat.com> 
 Sent: Wednesday, 19 October 2016, 14:28
 Subject: Re: [Freeipa-users] Promote CA-less replica
  
James Harrison wrote:
> Hi,
> Martin thanks for your quick response. Based on your comments. I have
> further questions.
>
>  >> equal peers and can be considered masters
>
> 1. If there any urgency for us to recreate a "master" server to perform
> any "master" type functions? How do we re-attach "replicas" to this new
> "master"?

Like he said, all IPA servers are equal (some are just more equal than 
others). If you truly have a CA-less system then the only thing that 
distinguishes one master from another is the presence of the DNS 
service. From below it looks like you install DNS on all which makes 
them all masters.

You can manage the replication topology using ipa-replica-manage.

>
>  >> As long as the others have valid CA and server certs
> 2. This is the install script we are using on the "replicas"
>
> ipa-replica-install \
>      --setup-dns --ssh-trust-dns --no-dnssec-validation \
>      -p x \
>      --admin-password=xxx \
>      --ip-address=replica_ip  \
>      --no-forwarders \
>      -U --mkhomedir --log-file=freeipa_log_file $1
>
> 3. The $1 is the cert generated from the "master".  If theres no
> distinction between a "master" and a "replica" in a CA-less environment,
> can a "replica" run the ipa-replica-prepare script once
> ipa-replica-install has been successfully run?

I think you mean $1 is the replica file generated from some master. 
Seeing how you generate that would tell us whether you are truly in a 
CA-less environment or not (e.g. you'd need to pass in PKCS#12 files to 
ipa-replica-prepare).

To answer your question, yes. In a CA-less environment any master can 
generate a prepare file.

You can add/remove connections using ipa-replica-manage. The initial 
connection is between the master that generated the prepare file and the 
host it was installed on.

rob

>
> Thank you for any help.
> Best regards,
> James Harrison
>
> ----
> *From:* Martin Babinsky <mbabi...@redhat.com>
> *To:* freeipa-users@redhat.com
> *Sent:* Wednesday, 19 October 2016, 11:01
> *Subject:* Re: [Freeipa-users] Promote CA-less replica
>
> On 10/19/2016 11:35 AM, James Harrison wrote:
>
> Hi James,
>
>  > Hi,
>  > Were using FreeIPA on Ubuntu Xenial. We lost the Master server.
>  >
>  > I have some questions:
>  > 1. Do DNS replicate among other replicas is we change/add DNS records?
>  > If not can this behaviour be changed?
> IPA-integrated DNS stores records in the replicated LDAP subtree so any
> added/removed DNS record will replicate to other IPA DNS servers.
>
>  > 2. How do we promote a replica to become a master? We have not
>  > configured our servers to become a CA. Our CA is Comodo and we have
>  > configured FreeIPA to use a certificate, key and interim certificates
>  > from Comodo. using the options:
>  >
>  > --http_pkcs12=
>  > --http_pin=
>  > --dirsrv_pkcs12=...
>  > --dirsrv_pin=
>  >
>  > Hope someone can help. Quite urgent.
>  >
> The terms FreeIPA master/replica are quite arbitrary as all replicas are
> equal peers and can be considered masters. The only notion of 'master'
> is when you use a Dogtag CA (then one of the CA replicas is designated a
> renewal master and does renew certificates in the topology and one is
> CRL master generating certificate revocation lists) and/or DNSSec (then
> one of DNS replica is designated a key master generating zone signing
> keys and other DNS replicas pull these keys).
>
> As you are using CA-less replicas then there should be no loss in the
> fact that the one designated 'master' is down (unless it was e.g. the
> only DNS server). As long as the others have valid CA and server certs
> they should be working just fine.
>
>
>
> You can just install a new replica in place of the master by generating
> replica file on another replica and supplying the requ

Re: [Freeipa-users] Promote CA-less replica

2016-10-19 Thread James Harrison
Hi,
Martin thanks for your quick response. Based on your comments. I have further 
questions.

>> equal peers and can be considered masters
1. If there any urgency for us to recreate a "master" server to perform any 
"master" type functions? How do we re-attach "replicas" to this new "master"?

>> As long as the others have valid CA and server certs
2. This is the install script we are using on the "replicas"

ipa-replica-install \
    --setup-dns --ssh-trust-dns --no-dnssec-validation \
    -p x \
    --admin-password=xxx \
    --ip-address=replica_ip   \
    --no-forwarders \
    -U --mkhomedir --log-file=freeipa_log_file $1

3. The $1 is the cert generated from the "master".  If there's no distinction 
between a "master" and a "replica" in a CA-less environment, can a "replica" 
run the ipa-replica-prepare script once ipa-replica-install has been 
successfully run?
Thank you for any help.
Best regards,
James Harrison

  From: Martin Babinsky <mbabi...@redhat.com>
 To: freeipa-users@redhat.com 
 Sent: Wednesday, 19 October 2016, 11:01
 Subject: Re: [Freeipa-users] Promote CA-less replica
   
On 10/19/2016 11:35 AM, James Harrison wrote:

Hi James,

> Hi,
> Were using FreeIPA on Ubuntu Xenial. We lost the Master server.
>
> I have some questions:
> 1. Do DNS replicate among other replicas is we change/add DNS records?
> If not can this behaviour be changed?
IPA-integrated DNS stores records in the replicated LDAP subtree so any 
added/removed DNS record will replicate to other IPA DNS servers.

> 2. How do we promote a replica to become a master? We have not
> configured our servers to become a CA. Our CA is Comodo and we have
> configured FreeIPA to use a certificate, key and interim certificates
> from Comodo. using the options:
>
> --http_pkcs12=
> --http_pin=
> --dirsrv_pkcs12=...
> --dirsrv_pin=
>
> Hope someone can help. Quite urgent.
>
The terms FreeIPA master/replica are quite arbitrary as all replicas are 
equal peers and can be considered masters. The only notion of 'master' 
is when you use a Dogtag CA (then one of the CA replicas is designated a 
renewal master and does renew certificates in the topology and one is 
CRL master generating certificate revocation lists) and/or DNSSec (then 
one of DNS replica is designated a key master generating zone signing 
keys and other DNS replicas pull these keys).

As you are using CA-less replicas then there should be no loss in the 
fact that the one designated 'master' is down (unless it was e.g. the 
only DNS server). As long as the others have valid CA and server certs 
they should be working just fine.


You can just install a new replica in place of the master by generating 
replica file on another replica and supplying the required certificates 
through options.

> Regards,
> James Harrison
>
>


-- 
Martin^3 Babinsky


[Freeipa-users] Promote CA-less replica

2016-10-19 Thread James Harrison
Hi, We're using FreeIPA on Ubuntu Xenial. We lost the Master server. 

I have some questions:
1. Does DNS replicate among other replicas if we change/add DNS records? If not 
can this behaviour be changed? 
2. How do we promote a replica to become a master? We have not configured our 
servers to become a CA. Our CA is Comodo and we have configured FreeIPA to use 
a certificate, key and interim certificates from Comodo. using the options:
--http_pkcs12=
--http_pin=
--dirsrv_pkcs12=...
--dirsrv_pin=

Hope someone can help. Quite urgent.
Regards,
James Harrison

Re: [Freeipa-users] PKI Authentication Issues

2016-03-23 Thread Sam James
Yes the cert is correct.  The userCertificate field matches the output of
"certutil -L -d /etc/httpd/alias/ -n ipaCert -a" with the header and footer
removed, and the serial number matches as well albeit in decimal instead of
hex.

# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;4886718345;CN=Certificate Authority,O=DOMAIN.COM;
 CN=IPA RA, O=DOMAIN.COM
userCertificate:: 
userstate: 1
uid: ipara
sn: ipara
usertype: agentType
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
cn: ipara


On Wed, Mar 23, 2016 at 4:31 PM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 03/23/2016 03:50 PM, Sam James wrote:
>
>> Hello everyone,
>>
>> I've been banging my head against the wall for a few days now trying to
>> resolve
>> an issue with PKI and I'm hoping I might get some help.  First some
>> context.
>>
>> About a week ago I was alerted that all of our replicas were offline due
>> to
>> pki-tomcatd not starting.  Further investigation determined that all of
>> the pki
>> certs had expired two days earlier.  I turned back time and successfully
>> updated
>> the certs and certmonger updated the rest of the replicas.
>>
>> Now I'm seeing the following symptoms:
>> 1.  Searching certificates via the web UI will display certificate info.
>> 2.  Attempting to view certificate details results in an "IPA Error 4301:
>> CertificateOperationError" the exception being "Invalid Credential.".
>> 3.  Issuing the ipa cert-show command results in the same "Invalid
>> Credential."
>> exception.
>> 4.  PKI debug log shows:  SignedAuditEventFactory: create()
>>
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
>> RA,O=DOMAIN.COM <http://DOMAIN.COM>] authentication failure
>> 5.  PKI system log shows: Cannot authenticate agent with certificate
>> Serial
>> 0x123456789 Subject DN CN=IPA RA,O=DOMAIN.COM <http://DOMAIN.COM>.
>> Error: User
>> not found.
>>
>
> PKI has some built-in accounts which use certificates for authentication.
> It matches a user by a certificate. The error above means that it cannot
> find any user for cert with serial no 0x123456789
>
> So the possible cause is the user you checked
> (uid=ipara,ou=people,o=ipaca) still has the old cert. I.e. you've updated
> the description, but is the cert correct?
>
>
>
>> In trolling this list I've done the following things troubleshooting:
>>
>> 1.  Ensured the certs being monitored by certmonger are correct.
>> 2.  Ensured the certs in the http and pki-tomcat NSS databases are as
>> expected.
>> 3.  Ensured the uid=ipara,ou=people,o=ipaca object has the correct
>> description
>> and cert (it had the wrong serial number in the description but I've
>> updated that).
>> 4.  Ensured the CS.cfg has the correct certs (it did).
>>
>> Any suggestions or assistance would be appreciated.
>>
>> Thanks!
>> Sam
>>
>> --
> Petr Vobornik
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
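
Petr's point above (Dogtag's certUserDBAuthMgr maps the presented RA certificate to the agent entry, so a renewed certificate with a stale uid=ipara entry fails with "User not found") can be checked mechanically. The script below is an added example, not code from the thread or from FreeIPA: it parses the entry's description field, the output of `openssl x509 -noout -serial -subject -issuer` on the RA certificate, and the PKI log line, and reports which fields disagree. Sample values are constructed from the thread; note that the PKI log prints the serial in hex while the description stores it in decimal (0x123456789 is 4886718345).

```python
import re

# Sample input constructed from the thread: `openssl x509 -noout -serial
# -subject -issuer -in ra.crt` output for the renewed RA certificate.
SAMPLE_OPENSSL_OUTPUT = """\
serial=123456789
subject=O = DOMAIN.COM, CN = IPA RA
issuer=O = DOMAIN.COM, CN = Certificate Authority
"""

# 'description' of uid=ipara,ou=people,o=ipaca as shown in the thread
# (format: 2;<decimal serial>;<issuer DN>;<subject DN>).
SAMPLE_DESCRIPTION = ("2;4886718345;CN=Certificate Authority,O=DOMAIN.COM;"
                      "CN=IPA RA, O=DOMAIN.COM")

# Constructed stale entry: still carries a pre-renewal serial.
STALE_DESCRIPTION = ("2;4886718344;CN=Certificate Authority,O=DOMAIN.COM;"
                     "CN=IPA RA, O=DOMAIN.COM")

# PKI system log line quoted in the thread; Dogtag prints the serial in hex.
SAMPLE_LOG_LINE = ("Cannot authenticate agent with certificate Serial 0x123456789 "
                   "Subject DN CN=IPA RA,O=DOMAIN.COM. Error: User not found.")


def normalize_dn(dn):
    """Canonicalise a DN for comparison.

    Accepts LDAP style ('CN=IPA RA, O=DOMAIN.COM'), openssl >= 1.1 style
    ('O = DOMAIN.COM, CN = IPA RA') and old openssl slash style
    ('/O=DOMAIN.COM/CN=IPA RA').  RDN order is ignored on purpose because the
    tools print it in opposite directions; the result is a frozenset of
    (TYPE, value) pairs, which is enough to spot a stale entry.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        rdns = dn.strip("/").split("/")
    else:
        rdns = re.split(r"(?<!\\),", dn)
    pairs = set()
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        attr_type, value = rdn.split("=", 1)
        pairs.add((attr_type.strip().upper(), value.strip()))
    return frozenset(pairs)


def parse_agent_description(description):
    """Parse the CMS user 'description' attribute into serial/issuer/subject."""
    parts = description.split(";")
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError("unexpected description format: %r" % description)
    return {"serial": int(parts[1], 10),
            "issuer": normalize_dn(parts[2]),
            "subject": normalize_dn(parts[3])}


def parse_openssl_summary(text):
    """Parse 'serial=', 'subject=' and 'issuer=' lines; openssl prints hex."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return {"serial": int(fields["serial"], 16),
            "issuer": normalize_dn(fields["issuer"]),
            "subject": normalize_dn(fields["subject"])}


def parse_pki_auth_failure(line):
    """Extract serial (hex) and subject DN from the Dogtag 'Cannot authenticate
    agent' message; returns None for unrelated lines."""
    m = re.search(r"Serial (0x[0-9A-Fa-f]+) Subject DN (.+?)\. Error:", line)
    if not m:
        return None
    return {"serial": int(m.group(1), 16), "subject": normalize_dn(m.group(2))}


def find_mismatches(entry, presented):
    """Names of the fields on which the LDAP agent entry disagrees with the
    certificate actually presented (from openssl or from the PKI log)."""
    return [field for field in ("serial", "issuer", "subject")
            if field in presented and entry[field] != presented[field]]


if __name__ == "__main__":
    entry = parse_agent_description(SAMPLE_DESCRIPTION)
    cert = parse_openssl_summary(SAMPLE_OPENSSL_OUTPUT)
    print("current entry vs RA cert:", find_mismatches(entry, cert) or "consistent")
    stale = parse_agent_description(STALE_DESCRIPTION)
    print("stale entry vs RA cert:  ", find_mismatches(stale, cert))
    from_log = parse_pki_auth_failure(SAMPLE_LOG_LINE)
    print("entry vs PKI log line:   ", find_mismatches(entry, from_log) or "consistent")
```

The same comparison applies to the entry's userCertificate value once it is decoded (for instance with `openssl x509 -inform DER`): after a renewal both attributes must describe the new certificate.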

[Freeipa-users] PKI Authentication Issues

2016-03-23 Thread Sam James
Hello everyone,

I've been banging my head against the wall for a few days now trying to
resolve an issue with PKI and I'm hoping I might get some help.  First some
context.

About a week ago I was alerted that all of our replicas were offline due to
pki-tomcatd not starting.  Further investigation determined that all of the
pki certs had expired two days earlier.  I turned back time and
successfully updated the certs and certmonger updated the rest of the
replicas.

Now I'm seeing the following symptoms:
1.  Searching certificates via the web UI will display certificate info.
2.  Attempting to view certificate details results in an "IPA Error 4301:
CertificateOperationError" the exception being "Invalid Credential.".
3.  Issuing the ipa cert-show command results in the same "Invalid
Credential." exception.
4.  PKI debug log shows:  SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
RA,O=DOMAIN.COM] authentication failure
5.  PKI system log shows: Cannot authenticate agent with certificate Serial
0x123456789 Subject DN CN=IPA RA,O=DOMAIN.COM. Error: User not found.


In trolling this list I've done the following things troubleshooting:

1.  Ensured the certs being monitored by certmonger are correct.
2.  Ensured the certs in the http and pki-tomcat NSS databases are as
expected.
3.  Ensured the uid=ipara,ou=people,o=ipaca object has the correct
description and cert (it had the wrong serial number in the description but
I've updated that).
4.  Ensured the CS.cfg has the correct certs (it did).

Any suggestions or assistance would be appreciated.

Thanks!
Sam

[Freeipa-users] replica install failing with : "Clone does not have all the required certificates"

2016-01-13 Thread James Kinney
I need to upgrade from IPA3.0 to IPA4.2 (from centos 6.7 to 7.2) and
the replica process is failing to install on the new system:

2016-01-13T17:27:46Z DEBUG Starting external process
2016-01-13T17:27:46Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpjklK4o'
2016-01-13T17:28:19Z DEBUG Process finished, return code=1
2016-01-13T17:28:19Z DEBUG stdout=Log file: /var/log/pki/pki-ca-
spawn.20160113122746.log
Loading deployment configuration from /tmp/tmpjklK4o.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-
tomcat/ca/deployment.cfg.

Installation failed.


2016-01-13T17:28:19Z DEBUG stderr=/usr/lib/python2.7/site-
packages/urllib3/connectionpool.py:769: InsecureRequestWarning:
Unverified HTTPS request is being made. Adding certifi
cate verification is strongly advised. See: https://urllib3.readthedocs
.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn: WARNING  ... unable to validate security domain
user/password through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration
Servlet: 500 Server Error: Internal Server Error
pkispawn: ERROR... ParseError: not well-formed (invalid
token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.P
KIException
","Code":500,"Message":"Clone does not have all the required
certificates"} 

2016-01-13T17:28:19Z CRITICAL Failed to configure CA instance: Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpjklK4o'' returned non-
zero exit status 1
2016-01-13T17:28:19Z CRITICAL See the installation logs and the
following files/directories for more information:
2016-01-13T17:28:19Z CRITICAL   /var/log/pki-ca-install.log
2016-01-13T17:28:19Z CRITICAL   /var/log/pki/pki-tomcat
2016-01-13T17:28:19Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", 
line 418, in start_creation
run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", 
line 408, in run_step
method()
  File "/usr/lib/python2.7/site-
packages/ipaserver/install/cainstance.py", line 620, in
__spawn_instance
DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-
packages/ipaserver/install/dogtaginstance.py", line 201, in
spawn_instance
self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-
packages/ipaserver/install/dogtaginstance.py", line 465, in
handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-01-13T17:28:19Z DEBUG   [error] RuntimeError: CA configuration
failed.
2016-01-13T17:28:19Z DEBUG   File "/usr/lib/python2.7/site-
packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
line 311, in run


It looks to me that the original, first install version 3.0 system is 
generating a bad gpg file.  Will a reinstall of the original cert file solve 
this? If so, where and what is the best procedure? Is there a way to add CA 
capability to an existing master replicant by reusing its original replica.gpg 
file?


Background: the old v3.0 system runs on a virtual machine (ovirt). The physical 
host had a series of "bad days" that involved multiple crashes and lock-ups 
that were ultimately attributed to insufficient cooling of the RAID card. It is 
suspected that the data was scrambled on the drive. The original cert is backed 
up but the remaining machine backups are of dubious quality (long story - bad 
week at the datacenter).


This is the last system on old hardware that was hit when the datacenter 
cooling totally failed and erased all the backups. Some days you're the 
pigeon, some days you're the statue.

-- 
Jim Kinney
Senior System Administrator
36 Eagle Row Suite 588
Department of Biomedical Informatics
Emory University School of Medicine
jkin...@emory.edu
404-712-0300



Re: [Freeipa-users] replica install failing with : "Clone does not have all the required certificates"

2016-01-13 Thread James Kinney
Followup:  I also tested converting an existing 4.2 system to be a CA
by running ipa-ca-install  and got the
same error. So it seems the original system had a failure point prior
to the heating issues. The 4.2 system has been running for quite a
while (with regular updates from an early 4.0).
On Wed, 2016-01-13 at 18:10 -0500, James Kinney wrote:
> I need to upgrade from IPA3.0 to IPA4.2 (from centos 6.7 to 7.2) and
> the replica process is failing to install on the new system:
> 
> 2016-01-13T17:27:46Z DEBUG Starting external process
> 2016-01-13T17:27:46Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpjklK4o'
> 2016-01-13T17:28:19Z DEBUG Process finished, return code=1
> 2016-01-13T17:28:19Z DEBUG stdout=Log file: /var/log/pki/pki-ca-
> spawn.20160113122746.log
> Loading deployment configuration from /tmp/tmpjklK4o.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-
> tomcat/ca/deployment.cfg.
> 
> Installation failed.
> 
> 
> 2016-01-13T17:28:19Z DEBUG stderr=/usr/lib/python2.7/site-
> packages/urllib3/connectionpool.py:769: InsecureRequestWarning:
> Unverified HTTPS request is being made. Adding certifi
> cate verification is strongly advised. See: https://urllib3.readthedo
> cs.org/en/latest/security.html
>   InsecureRequestWarning)
> pkispawn: WARNING  ... unable to validate security domain
> user/password through REST interface. Interface not available
> pkispawn: ERROR... Exception from Java Configuration
> Servlet: 500 Server Error: Internal Server Error
> pkispawn: ERROR... ParseError: not well-formed (invalid
> token): line 1, column 0:
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base
> .PKIException
> ","Code":500,"Message":"Clone does not have all the required
> certificates"} 
> 
> 2016-01-13T17:28:19Z CRITICAL Failed to configure CA instance:
> Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpjklK4o''
> returned non-zero exit status 1
> 2016-01-13T17:28:19Z CRITICAL See the installation logs and the
> following files/directories for more information:
> 2016-01-13T17:28:19Z CRITICAL   /var/log/pki-ca-install.log
> 2016-01-13T17:28:19Z CRITICAL   /var/log/pki/pki-tomcat
> 2016-01-13T17:28:19Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-
> packages/ipaserver/install/service.py", line 418, in start_creation
> run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-
> packages/ipaserver/install/service.py", line 408, in run_step
> method()
>   File "/usr/lib/python2.7/site-
> packages/ipaserver/install/cainstance.py", line 620, in
> __spawn_instance
> DogtagInstance.spawn_instance(self, cfg_file)
>   File "/usr/lib/python2.7/site-
> packages/ipaserver/install/dogtaginstance.py", line 201, in
> spawn_instance
> self.handle_setup_error(e)
>   File "/usr/lib/python2.7/site-
> packages/ipaserver/install/dogtaginstance.py", line 465, in
> handle_setup_error
> raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
> 
> 2016-01-13T17:28:19Z DEBUG   [error] RuntimeError: CA configuration
> failed.
> 2016-01-13T17:28:19Z DEBUG   File "/usr/lib/python2.7/site-
> packages/ipapython/admintool.py", line 171, in execute
> return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
> line 311, in run
> 
> 
> 
> It looks to me that the original, first install version 3.0 system is
> generating a bad gpg file.  Will a reinstall of the original cert file
> solve this? If so, where and what is the best procedure? Is there a
> way to add CA capability to an existing master replicant by reusing
> its original replica.gpg file?
> 
> Background: the old v3.0 system runs on a virtual machine (ovirt).
> The physical host had a series of "bad days" that involved multiple
> crashes and lock-ups that were ultimately attributed to insufficient
> cooling of the RAID card. It is suspected that the data was scrambled
> on the drive. The original cert is backed up but the remaining
> machine backups are of dubious quality (long story - bad week at the
> datacenter).
> 
> This is the last system on old hardware that was hit when the
> datacenter cooling totally failed and erased all the backups. Some
> days you're the pigeon, some days you're the statue.
> 
> 
> -- 
> 
> 
> 
> Jim Kinney
> Senior System Administrator
> 36 Eagle Row Suite 588
> Department of Biomedical Informatics
> Emory Unive

[Freeipa-users] IPA 4.2 - installer changes for --external-ca

2015-12-15 Thread James Masson


IPA 4.2 hit the Centos 7 mirrors a day or two ago.

It looks like the behaviour of the installer has changed somewhat with 
regards to the 2 phase --external-ca install.


Previously, we ran:

command => "/sbin/ipa-server-install -U -a '${ipa_admin_pwd}' -p 
'${ipa_admin_pwd}' --hostname='${::fqdn}' -r '${ipa_realm}' -n 
'${::domain}' --mkhomedir --setup-dns --forwarder=8.8.8.8 --external-ca",



then

command => "/sbin/ipa-server-install -p ${ipa_admin_pwd} 
--external-cert-file=/root/ipa.crt 
--external-cert-file=/etc/pki/ca-trust/source/anchors/root_ca.crt",



this worked fine.

The behaviour on IPA 4.2 is different - it will leave you without a DNS 
server if you use the above commands. It doesn't seem to pass some 
options through to the 2nd phase installer, one of which is the DNS 
configuration.


We've now switched to this.

  $ipa_install_command = "/sbin/ipa-server-install -U -a 
'${ipa_admin_pwd}' -p '${ipa_admin_pwd}' -r '${ipa_realm}'"


command => "${ipa_install_command} --hostname='${::fqdn}' -n 
'${::domain}' --external-ca",


command => "${ipa_install_command} --external-cert-file=/root/ipa.crt 
--external-cert-file=/etc/pki/ca-trust/source/anchors/root_ca.crt 
--mkhomedir --setup-dns --forwarder=8.8.8.8 ",



It seems you have to supply more information to the phase 2 installer 
than in IPA 4.1.


We do more than 10 installs of IPA per day as part of CI; I think now 
we're back to a working configuration again.


Hopefully this will help others who come along this path.

James M



Re: [Freeipa-users] IPA with external CA signed certs

2015-11-12 Thread James Masson



On 30/10/15 13:52, Rob Crittenden wrote:

James Masson wrote:



On 26/10/15 16:11, Martin Kosek wrote:

On 10/26/2015 04:05 PM, James Masson wrote:



On 19/10/15 21:06, Rob Crittenden wrote:

James Masson wrote:


Hi list,

I successfully have IPA working with CA certs signed by an upstream
Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA -
Vault.

Setup fails, using the same 2 step IPA setup process as used with
upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't
pinpoint why.


I'm guessing you don't include the entire CA certchain of Vault. Dogtag
is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at startup
FAILED!

rob




Hi Rob,

Thanks for the reply.

I do present the IPA installer with both the CA and the IPA cert -
the IPAs
python-based install code is happy with the cert chain, but the Java
based
dogtag code chokes on it.

OpenSSL is happy with it too.

#
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate

[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like
to know
exactly what Dogtag doesn't like about the certificate.

thanks

James M


Let me CC at least Jan Ch. and David, they may be able to help and
should also
make sure FreeIPA gets better in validating the certs, as appropriate.



Any thoughts guys?


I cc'd one of the dogtag guys to see if he knows.

You might also try using certutil to validate the certificates, it might
give you some hints to what is going on.

I'm assuming your certdb (it can vary by version) is in
/var/lib/pki/pki-tomcat/alias

certutil -L -d /var/lib/pki/pki-tomcat/alias will give you the list of
certificates installed. You can verify each one to see what is going on.
The -u flag specifies usage. See the certutil man page for a full set of
options.

For example:

# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert
cert-pki-ca'
certutil: certificate is valid

rob



Hi All,

I've created a ticket to track this

https://fedorahosted.org/pki/ticket/1697

Rob - certutil output:

Some certificate types seem not to be approved. Not sure if this is a 
red herring.


##
[root@foo ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
root.com                                                     CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'caSigningCert cert-pki-ca'

certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'root.com'
certutil: certificate is invalid: Certificate type not approved for 
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'ocspSigningCert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for 
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'subsystemCert cert-pki-ca'

certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'Server-Cert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for 
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'auditSigningCert cert-pki-ca'

certutil: certificate is valid
#

regards

James M



Re: [Freeipa-users] IPA with external CA signed certs

2015-11-12 Thread James Masson



On 12/11/15 15:21, Rob Crittenden wrote:

James Masson wrote:



On 30/10/15 13:52, Rob Crittenden wrote:

James Masson wrote:



On 26/10/15 16:11, Martin Kosek wrote:

On 10/26/2015 04:05 PM, James Masson wrote:



On 19/10/15 21:06, Rob Crittenden wrote:

James Masson wrote:


Hi list,

I successfully have IPA working with CA certs signed by an upstream
Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA -
Vault.

Setup fails, using the same 2 step IPA setup process as used with
upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't
pinpoint why.


I'm guessing you don't include the entire CA certchain of Vault.
Dogtag
is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at
startup
FAILED!

rob




Hi Rob,

Thanks for the reply.

I do present the IPA installer with both the CA and the IPA cert -
the IPAs
python-based install code is happy with the cert chain, but the Java
based
dogtag code chokes on it.

OpenSSL is happy with it too.

#
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate

[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like
to know
exactly what Dogtag doesn't like about the certificate.

thanks

James M


Let me CC at least Jan Ch. and David, they may be able to help and
should also
make sure FreeIPA gets better in validating the certs, as appropriate.



Any thoughts guys?


I cc'd one of the dogtag guys to see if he knows.

You might also try using certutil to validate the certificates, it might
give you some hints to what is going on.

I'm assuming your certdb (it can vary by version) is in
/var/lib/pki/pki-tomcat/alias

certutil -L -d /var/lib/pki/pki-tomcat/alias will give you the list of
certificates installed. You can verify each one to see what is going on.
The -u flag specifies usage. See the certutil man page for a full set of
options.

For example:

# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert
cert-pki-ca'
certutil: certificate is valid

rob



Hi All,

I've created a ticket to track this

https://fedorahosted.org/pki/ticket/1697

Rob - certutil output:

Some certificate types seem not to be approved. Not sure if this is a
red herring.

##
[root@foo ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
root.com                                                     CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'caSigningCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'root.com'
certutil: certificate is invalid: Certificate type not approved for
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'ocspSigningCert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'subsystemCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'Server-Cert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for
application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n
'auditSigningCert cert-pki-ca'
certutil: certificate is valid
#


That's why I pointed you to the certutil man page to find out the
different usages to test. The C usage is SSL client usage. Depending on
the cert the usage may be different.

rob


Missed that. Here are those commands again with different certusage checking.

In short, they're all superficially valid.

##
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 
'caSigningCert cert-pki-ca'

certutil: certificate is valid

[root@foo ~]# certutil -V -u Y -d /var/lib/pki/pki-tomcat/alias -n 
'root.com'

certutil: certificate is valid


[root@foo ~]# certutil -V -u O -d /var/lib/pki/pki-tomcat/alias -n 
'ocspSigningCert cert-pki-ca'

certutil: certificate is valid
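
Rob's certutil advice quoted above (list the NSS database with `certutil -L`, then verify each certificate with `certutil -V -u`) and his follow-up that the -u context has to match the certificate's role can be turned into a small helper. The following is an added example, not code from the thread, FreeIPA or NSS: it parses a certutil -L listing, picks a verification context per certificate, emits the certutil -V commands, and separates a "Certificate type not approved for application" result, which only means the wrong -u was asked for, from a genuine validation failure. The usage letters are those documented in certutil(1); the nickname-to-usage table is this example's own assumption about Dogtag naming, and the listing is constructed from the one in the thread.

```python
import re
import shlex

# certutil -V -u contexts, as documented in certutil(1).
USAGE_NAMES = {"C": "SSL client", "V": "SSL server", "L": "SSL CA", "A": "any CA",
               "Y": "verify CA", "S": "email signer", "R": "email recipient",
               "O": "OCSP status responder", "J": "object signer"}

# Which context each pki-tomcat system certificate is meant for.  This table
# is an assumption of this example about Dogtag's nickname conventions, not
# something certutil knows.
ROLE_USAGE = [
    (re.compile(r"^caSigningCert\b"), "Y"),
    (re.compile(r"^ocspSigningCert\b"), "O"),
    (re.compile(r"^subsystemCert\b"), "C"),
    (re.compile(r"^Server-Cert\b"), "V"),
    (re.compile(r"^auditSigningCert\b"), "J"),
]

# A `certutil -L` row: nickname, whitespace, three comma-separated trust-flag
# groups (SSL, S/MIME, JAR/XPI).  Tolerates the collapsed spacing seen in
# mail-archived output such as 'subsystemCert cert-pki-cau,u,u'.
LISTING_ROW = re.compile(r"^(?P<nick>.+?)\s*(?P<flags>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)$")

RESULT_LINE = re.compile(r"^certutil: certificate is (valid|invalid)(?::\s*(.*))?$")

# Constructed sample: the listing from the thread with its column spacing restored.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
root.com                                                     CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
"""


def parse_listing(text):
    """Return [(nickname, (ssl_flags, smime_flags, jar_flags))] from certutil -L output."""
    rows = []
    for line in text.splitlines():
        m = LISTING_ROW.match(line.rstrip())
        if m:
            rows.append((m.group("nick").strip(), tuple(m.group("flags").split(","))))
    return rows


def pick_usage(nickname, flags):
    """Choose the -u context to verify this cert under.  Anything marked as a
    trusted CA in the SSL column (C or T) is checked as a CA (Y); leaf certs
    are looked up by role; unknown leaves fall back to the SSL client check."""
    if "C" in flags[0] or "T" in flags[0]:
        return "Y"
    for pattern, usage in ROLE_USAGE:
        if pattern.search(nickname):
            return usage
    return "C"


def plan_commands(listing_text, certdb="/var/lib/pki/pki-tomcat/alias"):
    """One (nickname, usage, command) triple per certificate in the database."""
    plan = []
    for nick, flags in parse_listing(listing_text):
        usage = pick_usage(nick, flags)
        cmd = "certutil -V -u %s -d %s -n %s" % (usage, certdb, shlex.quote(nick))
        plan.append((nick, usage, cmd))
    return plan


def classify_result(output):
    """Classify one `certutil -V` result line.

    'usage-mismatch' is the 'Certificate type not approved for application'
    case from the thread: the cert is fine, it just is not meant for the -u
    context asked for.  Any other 'invalid' reason is a real validation
    failure (chain, trust, validity period, ...) and worth chasing."""
    m = RESULT_LINE.match(output.strip())
    if not m:
        raise ValueError("unrecognised certutil output: %r" % output)
    if m.group(1) == "valid":
        return ("valid", "")
    reason = (m.group(2) or "").strip()
    if reason.startswith("Certificate type not approved for application"):
        return ("usage-mismatch", reason)
    return ("validation-failure", reason)


if __name__ == "__main__":
    for nick, usage, cmd in plan_commands(SAMPLE_LISTING):
        print("%-30s as %-22s %s" % (nick, USAGE_NAMES[usage], cmd))
```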

Re: [Freeipa-users] IPA with external CA signed certs

2015-10-28 Thread James Masson



On 26/10/15 16:11, Martin Kosek wrote:

On 10/26/2015 04:05 PM, James Masson wrote:



On 19/10/15 21:06, Rob Crittenden wrote:

James Masson wrote:


Hi list,

I successfully have IPA working with CA certs signed by an upstream Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA - Vault.

Setup fails, using the same 2 step IPA setup process as used with
upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't pinpoint why.


I'm guessing you don't include the entire CA certchain of Vault. Dogtag
is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at startup
FAILED!

rob




Hi Rob,

Thanks for the reply.

I do present the IPA installer with both the CA and the IPA cert - the IPAs
python-based install code is happy with the cert chain, but the Java based
dogtag code chokes on it.

OpenSSL is happy with it too.

#
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate

[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like to know
exactly what Dogtag doesn't like about the certificate.

thanks

James M


Let me CC at least Jan Ch. and David, they may be able to help and should also
make sure FreeIPA gets better in validating the certs, as appropriate.



Any thoughts guys?

James M



Re: [Freeipa-users] IPA with external CA signed certs

2015-10-26 Thread James Masson



On 19/10/15 21:06, Rob Crittenden wrote:

James Masson wrote:


Hi list,

I successfully have IPA working with CA certs signed by an upstream Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA - Vault.

Setup fails, using the same 2 step IPA setup process as used with
upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't pinpoint why.


I'm guessing you don't include the entire CA certchain of Vault. Dogtag
is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at startup
FAILED!

rob




Hi Rob,

Thanks for the reply.

I do present the IPA installer with both the CA and the IPA cert - the 
IPAs python-based install code is happy with the cert chain, but the 
Java based dogtag code chokes on it.


OpenSSL is happy with it too.

#
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate

[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like to 
know exactly what Dogtag doesn't like about the certificate.


thanks

James M



[Freeipa-users] IPA with external CA signed certs

2015-10-15 Thread James Masson


Hi list,

I successfully have IPA working with CA certs signed by an upstream Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA - Vault.

Setup fails, using the same 2 step IPA setup process as used with 
upstream Dogtag. I've also tried the external-ca-type option.


Likely, IPA doesn't like the certificate - however, I can't pinpoint why.

Errors below.

thanks

James M

###
  [19/27]: restarting certificate server
ipa : CRITICAL Failed to restart the certificate server. See the 
installation log for details.

  [20/27]: requesting RA certificate from CA
  [error] RuntimeError: Unable to submit RA cert request
###


###
2015-10-15T14:44:31Z DEBUG The CA status is: check interrupted
2015-10-15T14:44:31Z DEBUG Waiting for CA to start...
2015-10-15T14:44:32Z DEBUG request 
'https://foo.local:8443/ca/admin/ca/getStatus'

2015-10-15T14:44:32Z DEBUG request body ''
2015-10-15T14:44:32Z DEBUG request status 404
2015-10-15T14:44:32Z DEBUG request reason_phrase u'Not Found'
2015-10-15T14:44:32Z DEBUG request headers {'date': 'Thu, 15 Oct 2015 
14:44:32 GMT', 'content-length': '993', 'content-type': 
'text/html;charset=utf-8', 'content-language': 'en', 'server': 
'Apache-Coyote/1.1'}
2015-10-15T14:44:32Z DEBUG request body '[Tomcat HTML error page, markup 
stripped] Apache Tomcat/7.0.54 - Error report: HTTP Status 404 - 
/ca/admin/ca/getStatus; type Status report; message /ca/admin/ca/getStatus; 
description The requested resource is not available. Apache Tomcat/7.0.54'

2015-10-15T14:44:32Z DEBUG The CA status is: check interrupted
2015-10-15T14:44:32Z DEBUG Waiting for CA to start...
2015-10-15T14:44:33Z DEBUG Traceback (most recent call last):
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 
840, in __restart_instance

self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", 
line 282, in restart
self.service.restart(instance_name, capture_output=capture_output, 
wait=wait)
  File 
"/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 
209, in restart

self.wait_until_running()
  File 
"/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 
197, in wait_until_running

raise RuntimeError('CA did not start in %ss' % timeout)
RuntimeError: CA did not start in 300.0s

2015-10-15T14:44:33Z CRITICAL Failed to restart the certificate server. 
See the installation log for details.

2015-10-15T14:44:33Z DEBUG   duration: 303 seconds
2015-10-15T14:44:33Z DEBUG   [20/27]: requesting RA certificate from CA
2015-10-15T14:44:33Z DEBUG Starting external process
2015-10-15T14:44:33Z DEBUG args='/usr/bin/certutil' '-d' 
'/etc/httpd/alias' '-f'  '-R' '-k' 'rsa' '-g' '2048' '-s' 
'CN=IPA RA,O=LOCAL' '-z' '/tmp/tmpKsFaxb'

Re: [Freeipa-users] Automatic IPA CA cert generation

2015-09-28 Thread James Masson



On 24/09/15 01:20, Fraser Tweedale wrote:

On Wed, Sep 23, 2015 at 11:16:27AM +0100, James Masson wrote:


On 23/09/15 11:03, Fraser Tweedale wrote:

On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:

On 22/09/15 17:02, James Masson wrote:


Hi,

we're building IPAs in an automated fashion, for environments that get
created and destroyed a lot. At the moment, the CA certs used inside
these IPAs are self-signed, as part of the normal "ipa-server-install"
setup process.

We would like to switch to issuing signed intermediate CA certs to the
IPAs we deploy.

The documentation lists the two part process necessary for this. First
"--external-ca" - and then "--external-cert-file"

Are there any ways to skip this, and give the setup process a known
public/private key+cert up front? I'm hoping to avoid the need to have
to use/send this automatically generated CSR every time.

thanks

James M



Hello James,
currently it's not possible but making installation with externally signed
CA single step sounds really useful to me.
Currently certmonger is generating the CSR for FreeIPA server in the first
step of installation. Certmonger is also able to send certificate to
external CA for signing.

I'm not sure if we could combine these two certmonger's abilities right now
but if not it shouldn't be difficult to add functionality to certmonger to
send the CSR to preconfigured CA instead of just storing it in file.

This would of course require configuring the certmonger with information
about the CA before FreeIPA server installation but it's just one command
(getcert-add-ca).

Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?


There are two sides to this - one is using Certmonger for automatic
signing of intermediate CA certificate to be used by IPA, the other
is simply using a CA cert that the administrator already possesses,
e.g. in a PKCS #12 file.  These should be separate tickets.

Cheers,
Fraser


--
David Kupka



Done -

https://fedorahosted.org/freeipa/ticket/5317
https://fedorahosted.org/freeipa/ticket/5318

Would it be possible to use Certmonger to help the 2 step process used at
the moment?

ie. run 'ipa-server-install' the first time - get the CSR
use local Certmonger to handle the CSR submission to upstream CA
use the resulting Cert in the second 'ipa-server-install'

Any pointers?

regards

James M


I don't see an option for certmonger to use an existing CSR but you
could ask it to create and track a new CSR for the same key.  See
getcert-request(1) for full details.

Cheers,
Fraser



Any hints of how to make a request via Certmonger that would keep IPA happy?

Looking at the CSR, the awkward bits are...

###
Requested Extensions:
  X509v3 Basic Constraints: critical
  CA:TRUE
  X509v3 Key Usage: critical
  Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
###

I presume this is done with...
  -U EXTUSAGE   set requested extended key usage OID

How do I convert the IPA CSR text output for use with Certmonger?

thanks

James M


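The "awkward bits" James quotes from the CSR are two DER-encoded X.509v3 extensions with a fixed meaning. As an added example (not code from the thread, from FreeIPA or from certmonger), the stdlib-only Python below decodes an Extensions SEQUENCE and checks the properties a CA certificate handed to the second 'ipa-server-install' run needs: Basic Constraints CA:TRUE and the keyCertSign/cRLSign key-usage bits. The byte strings are hand-encoded for this example; a real check would feed it the extensions pulled out of the certificate returned by the external CA.

```python
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"
# RFC 5280 KeyUsage bit names, bit 0 first; the CSR text names bits 0, 1, 5 and 6.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def read_tlv(data, pos):
    """Return (tag, contents, next_pos) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_key_usage(bitstring):
    """Map the set bits of a KeyUsage BIT STRING (unused-bits octet first) to names."""
    unused, bits = bitstring[0], bitstring[1:]
    present = len(bits) * 8 - unused
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < present and bits[i // 8] & (0x80 >> (i % 8))]


def parse_extensions(der):
    """Parse an Extensions SEQUENCE into {dotted_oid: (critical, extnValue)}."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    result, pos = {}, 0
    while pos < len(body):
        tag, ext, pos = read_tlv(body, pos)
        tag, oid, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:  # optional BOOLEAN critical (DEFAULT FALSE)
            critical = val != b"\x00"
            tag, val, p = read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result[decode_oid(oid)] = (critical, val)
    return result


def check_ca_extensions(der):
    """Check what IPA needs from an externally signed CA cert: CA:TRUE plus
    keyCertSign and cRLSign.  Returns the decoded values and a list of
    problems (empty when the extensions are acceptable)."""
    exts = parse_extensions(der)
    report = {"ca": False, "key_usage": [], "problems": []}
    bc = exts.get(OID_BASIC_CONSTRAINTS)
    if bc is None:
        report["problems"].append("basicConstraints missing")
    else:
        # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen ... }
        _, seq, _ = read_tlv(bc[1], 0)
        report["ca"] = bool(seq) and seq[0] == 0x01 and seq[2] != 0
        if not report["ca"]:
            report["problems"].append("basicConstraints is not CA:TRUE")
    ku = exts.get(OID_KEY_USAGE)
    if ku is None:
        report["problems"].append("keyUsage missing")
    else:
        _, bits, _ = read_tlv(ku[1], 0)
        report["key_usage"] = decode_key_usage(bits)
        report["problems"] += ["keyUsage lacks " + n for n in ("keyCertSign", "cRLSign")
                               if n not in report["key_usage"]]
    report["ok"] = not report["problems"]
    return report


# Constructed sample: DER for exactly the two extensions in the CSR text above.
IPA_CA_EXTENSIONS = bytes.fromhex(
    "3021"
    "300f 0603551d13 0101ff 0405 3003 0101ff"  # basicConstraints, critical, CA:TRUE
    "300e 0603551d0f 0101ff 0404 0302 01c6"    # keyUsage, critical, bits 0,1,5,6 set
)
# Constructed sample of what an end-entity certificate typically carries instead.
LEAF_EXTENSIONS = bytes.fromhex(
    "301e"
    "300c 0603551d13 0101ff 0402 3000"         # basicConstraints, critical, cA absent
    "300e 0603551d0f 0101ff 0404 0302 0780"    # keyUsage, critical, digitalSignature only
)
```

Running check_ca_extensions on the second sample reports three problems, which is exactly the case the two-step external-CA install guards against: a certificate signed by the upstream CA but not usable as an issuing CA.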


Re: [Freeipa-users] Automatic IPA CA cert generation

2015-09-23 Thread James Masson


On 23/09/15 11:03, Fraser Tweedale wrote:

On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:

On 22/09/15 17:02, James Masson wrote:


Hi,

we're building IPAs in an automated fashion, for environments that get
created and destroyed a lot. At the moment, the CA certs used inside
these IPAs are self-signed, as part of the normal "ipa-server-install"
setup process.

We would like to switch to issuing signed intermediate CA certs to the
IPAs we deploy.

The documentation lists the two part process necessary for this. First
"--external-ca" - and then "--external-cert-file"

Are there any ways to skip this, and give the setup process a known
public/private key+cert up front? I'm hoping to avoid the need to have
to use/send this automatically generated CSR every time.

thanks

James M



Hello James,
currently it's not possible but making installation with externally signed
CA single step sounds really useful to me.
Currently certmonger is generating the CSR for FreeIPA server in the first
step of installation. Certmonger is also able to send certificate to
external CA for signing.

I'm not sure if we could combine these two certmonger's abilities right now
but if not it shouldn't be difficult to add functionality to certmonger to
send the CSR to preconfigured CA instead of just storing it in file.

This would of course require configuring the certmonger with information
about the CA before FreeIPA server installation but it's just one command
(getcert-add-ca).

Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?


There are two sides to this - one is using Certmonger for automatic
signing of intermediate CA certificate to be used by IPA, the other
is simply using a CA cert that the administrator already possesses,
e.g. in a PKCS #12 file.  These should be separate tickets.

Cheers,
Fraser


--
David Kupka



Done -

https://fedorahosted.org/freeipa/ticket/5317
https://fedorahosted.org/freeipa/ticket/5318

Would it be possible to use Certmonger to help the 2 step process used 
at the moment?


ie. run 'ipa-server-install' the first time - get the CSR
use local Certmonger to handle the CSR submission to upstream CA
use the resulting Cert in the second 'ipa-server-install'

Any pointers?

regards

James M







[Freeipa-users] Automatic IPA CA cert generation

2015-09-22 Thread James Masson


Hi,

we're building IPAs in an automated fashion, for environments that get 
created and destroyed a lot. At the moment, the CA certs used inside 
these IPAs are self-signed, as part of the normal "ipa-server-install" 
setup process.


We would like to switch to issuing signed intermediate CA certs to the 
IPAs we deploy.


The documentation lists the two part process necessary for this. First 
"--external-ca" - and then "--external-cert-file"


Are there any ways to skip this, and give the setup process a known 
public/private key+cert up front? I'm hoping to avoid the need to have 
to use/send this automatically generated CSR every time.


thanks

James M



[Freeipa-users] PKI-CAD service fails, IPA won't start

2015-09-10 Thread Cassidy, James M.
 line 
101: log_success_msg: command not found
Sep 10 14:41:13 [IPA server] systemd[1]: Started PKI Certificate Authority 
Server pki-ca.
Sep 10 14:41:16 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:16 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:16 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:25 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:25 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:25 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:34 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:34 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:34 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:34 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:34 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:34 [IPA server] httpd[846]: GSSAPI client step 2
Sep 10 14:41:34 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:39 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:39 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:39 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:50 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:50 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:50 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:43:32 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:43:32 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:43:32 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:46:06 [IPA server] ipactl[545]: Failed to start pki-cad Service
Sep 10 14:46:06 [IPA server] ipactl[545]: Shutting down

Not entirely sure what the issue is here, the server config wasn't modified at 
all. Most of the logfiles in /var/log/pki-ca are completely empty. The dirsrv 
access logs for the slapd-PKI-IPA directory cut off around the time that I 
attempted the client install. The dirsrv error log contains:

[10/Sep/2015:14:40:44 +] - 389-Directory/1.3.1.22.a1 B2014.073.1751 
starting up
[10/Sep/2015:14:40:46 +] NSMMReplicationPlugin - ruv_compare_ruv: RUV 
[changelog max RUV] does not contain element [{replica 96 ldap://[IPA 
server]:7389} 5022b7490060 5493118400010060] which is present in 
RUV [database RUV]
[10/Sep/2015:14:40:46 +] NSMMReplicationPlugin - 
replica_check_for_data_reload: Warning: for replica o=ipaca there were some 
differences between the changelog max RUV and the database RUV.  If there are 
obsolete elements in the database RUV, you should remove them using the 
CLEANALLRUV task.  If they are not obsolete, you should check their status to 
see why there are no changes from those servers in the changelog.
[10/Sep/2015:14:40:46 +] - slapd started.  Listening on All Interfaces port 
7389 for LDAP requests
[10/Sep/2015:14:40:46 +] - Listening on All Interfaces port 7390 for LDAPS 
requests
[10/Sep/2015:14:40:48 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is 
not connected)

That last message repeats a few more times until the ipactl process kills the 
directory services. I'm at a complete loss. Has anyone else seen this or could 
point out what exactly happened? I can start the individual services, but the 
IPA service always fails, due to either the PKI-CAD service failing or the 
timeout. Sorry for the wall of text.

James Cassidy

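As an added example (not from the post or from the FreeIPA project), the Python below reads a dirsrv errors log and flags the two conditions visible in the log quoted above: the RUV element that is present in the database RUV but absent from the changelog max RUV, and the repeated startTLS bind failures. The sample log is constructed to mirror the quoted lines; the host name is a placeholder and the timezone offset the archive dropped is restored.

```python
import re

# Constructed sample modelled on the dirsrv errors log in the post: replica id and
# RUV element values follow the post, the host name is a placeholder.
SAMPLE_ERRORS_LOG = """\
[10/Sep/2015:14:40:44 +0000] - 389-Directory/1.3.1.22.a1 B2014.073.1751 starting up
[10/Sep/2015:14:40:46 +0000] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 96 ldap://ipa.example.test:7389} 5022b7490060 5493118400010060] which is present in RUV [database RUV]
[10/Sep/2015:14:40:46 +0000] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica o=ipaca there were some differences between the changelog max RUV and the database RUV.
[10/Sep/2015:14:40:46 +0000] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[10/Sep/2015:14:40:48 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[10/Sep/2015:14:40:58 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
RUV_RE = re.compile(
    r"ruv_compare_ruv: RUV \[(?P<missing_in>[^\]]+)\] does not contain element "
    r"\[\{replica (?P<rid>\d+) (?P<url>\S+)\}")
RELOAD_RE = re.compile(r"replica_check_for_data_reload: Warning: for replica (?P<suffix>\S+) ")
STARTTLS_RE = re.compile(
    r"slapi_ldap_bind - Error: could not send startTLS request: error (?P<code>-?\d+)")


def triage_dirsrv_errors(log_text):
    """Walk a dirsrv errors log and collect the RUV mismatches between changelog
    and database plus outbound startTLS bind failures.  Returns a dict that a
    monitoring script or a ticket could be built from."""
    findings = {"slapd_started": False, "ruv_mismatches": [], "starttls_failures": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation of a wrapped message, not a new event
        ts, msg = m.group("ts"), m.group("msg")
        if msg.startswith("- slapd started"):
            findings["slapd_started"] = True
        r = RUV_RE.search(msg)
        if r:
            findings["ruv_mismatches"].append({
                "ts": ts, "replica_id": int(r.group("rid")), "url": r.group("url"),
                "missing_in": r.group("missing_in"), "suffix": None})
            continue
        r = RELOAD_RE.search(msg)
        if r and findings["ruv_mismatches"] and findings["ruv_mismatches"][-1]["suffix"] is None:
            # the reload warning names the suffix for the mismatch logged just before it
            findings["ruv_mismatches"][-1]["suffix"] = r.group("suffix")
            continue
        r = STARTTLS_RE.search(msg)
        if r:
            findings["starttls_failures"].append({"ts": ts, "code": int(r.group("code"))})
    return findings


def summarize(findings):
    """Turn the findings into the short lines an operator would want to read."""
    lines = []
    for mm in findings["ruv_mismatches"]:
        lines.append("replica %d (%s) for suffix %s is in the database RUV but absent "
                     "from the %s: confirm that replica is really obsolete before "
                     "removing it with the CLEANALLRUV task"
                     % (mm["replica_id"], mm["url"], mm["suffix"], mm["missing_in"]))
    n = len(findings["starttls_failures"])
    if n:
        lines.append("%d outbound startTLS bind failure(s) (slapi_ldap_bind): the "
                     "directory server could not reach a peer it binds to" % n)
    return lines
```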

[Freeipa-users] Issues

2015-06-18 Thread James Benson

Hi all,
I'm a fairly advanced user, however, having issues with setting up 
freeIPA.  I've started with Fedora 22 server (both with minimal install 
and basic install), modified the hosts and hostname file respectively to

xx.xx.xx.xx ipa.cloud.local ipa
cloud.local
and began the install options selected were:
no
ipa.cloud.local
cloud.local
CLOUD.LOCAL
Directory Manager Password: set
IPA admin password: set
yes

But I always get this error:
CA did not start in 300.0s


I've modified the 
/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py  to 
increase the timeout value, but no luck.


Suggestions?

Thanks,

James




Re: [Freeipa-users] Issues

2015-06-18 Thread James Benson

Freeipa 4.1.4

On 06/18/2015 10:28 AM, Simo Sorce wrote:

On Thu, 2015-06-18 at 10:08 -0500, James Benson wrote:

Hi all,
I'm a fairly advanced user, however, having issues with setting up
freeIPA.  I've started with Fedora 22 server (both with minimal install
and basic install), modified the hosts and hostname file respectively to
xx.xx.xx.xx ipa.cloud.local ipa
cloud.local
and began the install options selected were:
no
ipa.cloud.local
cloud.local
CLOUD.LOCAL
Directory Manager Password: set
IPA admin password: set
yes

But I always get this error:
CA did not start in 300.0s


I've modified the
/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py  to
increase the timeout value, but no luck.

Suggestions?


What pki-base package version do you have installed ?

Simo.






Re: [Freeipa-users] Issues

2015-06-18 Thread James Benson
This is a virtual machine,  rng-tools-5-4.fc22.x86_64 is installed  ... 
I did just try to create a gpg key and it seemed to have entropy 
issues... I did however run the command

$ rngd -W 4096
$ cat /proc/sys/kernel/random/entropy_avail
to fill the entropy up again (previously reporting around 3081), now it 
is at 4094.  gpg works now with no issues, redid the install but still 
failed at the same step.



On 06/18/2015 10:53 AM, Alexander Bokovoy wrote:



- Original Message -

Hi all,
I'm a fairly advanced user, however, having issues with setting up
freeIPA.  I've started with Fedora 22 server (both with minimal install
and basic install), modified the hosts and hostname file respectively to
xx.xx.xx.xx ipa.cloud.local ipa
cloud.local
and began the install options selected were:
no
ipa.cloud.local
cloud.local
CLOUD.LOCAL
Directory Manager Password: set
IPA admin password: set
yes

But I always get this error:
CA did not start in 300.0s


I've modified the
/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py  to
increase the timeout value, but no luck.

Suggestions?

Is this a VM? Do you have a driver for random number generator added to it? 
like virtio-rng for libvirtd/kvm.
It might well be that the VM struggles to get enough entropy to generate 
certificates.






[Freeipa-users] Is something.local hostname possible

2015-06-12 Thread James Benson

Hi all,
I'm trying to duplicate freeIPA on a local host but I keep on getting 
errors, primarily a RuntimeError('CA did not start in %%ss' %timeout). 
Has anyone tried this before and succeeded or have suggestions?

Thanks

James




Re: [Freeipa-users] Freeipa-users Digest, Vol 83, Issue 65

2015-06-12 Thread James Benson
I've tried increasing the timeout limit but no dice (the exact number 
was 30 seconds I think for the error.). I'm not running avahi but just a 
straight up Ubuntu Fedora server with nothing else but this.  Eventually 
we'll try to tie this into either a Hortonworks, MapR, Cloudera server 
as authentication, but I can't tie it to our domain since I'm not in 
charge of it and frankly I tried and just goes to oblivion since I'm 
inside the firewall and the domain is outside and not going to punch 
those holes.


Anyone else have thoughts?

James

On 06/12/2015 11:00 AM, freeipa-users-requ...@redhat.com wrote:

--

Message: 1
Date: Fri, 12 Jun 2015 10:40:12 -0500
From: James Benson james.ben...@utsa.edu
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Is something.local hostname possible
Message-ID: 557afd5c.5000...@utsa.edu
Content-Type: text/plain; charset=utf-8; Format=flowed

Hi all,
I'm trying to duplicate freeIPA on a local host but I keep on getting
errors, primarily a RuntimeError('CA did not start in %%ss' %timeout).
Has anyone tried this before and succeeded or have suggestions?
Thanks

James


--

Message: 2
Date: Fri, 12 Jun 2015 17:48:47 +0200
From: Tamas Papp tom...@martos.bme.hu
To: James Benson james.ben...@utsa.edu, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Is something.local hostname possible
Message-ID:
14de8758b18.2774.b4c2854741c50caf28b8595b5e98f...@martos.bme.hu
Content-Type: text/plain; charset=us-ascii; format=flowed

I can't answer you, but don't use .local, it conflicts with avahi.
--
Sent from mobile



On June 12, 2015 17:45:52 James Benson james.ben...@utsa.edu wrote:


Hi all,
I'm trying to duplicate freeIPA on a local host but I keep on getting
errors, primarily a RuntimeError('CA did not start in %%ss' %timeout).
Has anyone tried this before and succeeded or have suggestions?
Thanks

James















Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
Yes,

as soon as 389-ds-base-1.2.11.15-56.el6 will be available, I will update
the master.

Rich Megginson says that  389-ds-base-1.2.11.15-56.el6 will be shipped with
rhel 6.7.

Thus I will wait for 6.7 before trying to update the master and create a
rhel 7 replica.

Many thanks.



2015-06-08 14:56 GMT+02:00 thierry bordaz tbor...@redhat.com:

  Hi,

 Would you update your master to 389-ds-base-1.2.11.15-56.el6, before
 attempting the upgrade to 7 ?

 thanks
 thierry

 On 06/08/2015 12:30 PM, James James wrote:

 My master version is 389-ds-base-1.2.11.15-50.el6_6.x86_64 .

  Thanks.



 2015-06-08 10:25 GMT+02:00 thierry bordaz tbor...@redhat.com:

  Hello James,

 The fact that the master is more powerful than the replica increases the
 possibility to hit that bug.
 The bug fix is on the master side. The master is made smarter to adapt
 its replication flow to the speed of the consumer.
 The bug is fixed in 389-ds-base-1.3.3.1-10.el7 and
 389-ds-base-1.2.11.15-56.el6.

 What is the current version of your master ?

 thanks
 thierry

 On 06/08/2015 09:49 AM, James James wrote:

 Hi Thierry,

  thanks for your answer.

  I was away for a long time, this is why my post comes later .

  This timing issue is coming when you try to upgrade from rhel 6
 (ipa-3.0) to rhel7 (ipa4.xx) ?

  I have a physical machine for the master and a VM as replica. The
 solution is to use a physical machine for the replica ?

  How can I limit the cpu/memory in the physical machine (with cgroups
 ??).

  Any  hints will be appreciated ..

  Regards

  James

 2015-05-18 14:04 GMT+02:00 thierry bordaz tbor...@redhat.com:

  On 05/15/2015 05:11 PM, James James wrote:

  ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7
 .


  Hi James,

 Unfortunately there is no workaround. This is a timing issue mostly seen
 when the master is more powerful than the consumer.
 If you are using VM you may try to get master/replica with nearly the
 same cpu/memory.

 thanks
 thierry


  Best.

  James

 2015-05-15 16:58 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 08:46 AM, James James wrote:

 [root@ipa ~]#  rpm -q 389-ds-base
 389-ds-base-1.2.11.15-50.el6_6.x86_64


  Ok.  Looks like this is planned to be fixed in RHEL 6.7 with version
 389-ds-base-1.2.11.15-56.el6

 I don't know if there are any workarounds.





 2015-05-15 16:32 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 08:22 AM, James James wrote:

  I think that :

 Starting replication, please wait until this has completed.
 Update in progress, 127 seconds elapsed
 Update in progress yet not in progress


  looks like a time error :
 https://fedorahosted.org/freeipa/ticket/4756


  That issue should have been fixed in 389-ds-base-1.3.3 branch.  What
 version of 389-ds-base?  rpm -q 389-ds-base



 2015-05-15 16:00 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 07:55 AM, James James wrote:

 Is it possible to change the nsds5ReplicaTimeout value to get rid of
 this timeout error ?


 What timeout error?


 2015-04-17 4:52 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 04/15/2015 10:44 PM, James James wrote:

 The ipareplica-install.log file in attachment ...


  Here are the pertinent bits:

 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389]
 timeout 300
 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from
 SchemaCache
 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
 ldap://ipa.example.com:389 conn=ldap.ldapobject.SimpleLDAPObject
 instance at 0x484f4d0
 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636
 from SchemaCache
 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
 ldaps://ipa1.example.com:636 conn=ldap.ldapobject.SimpleLDAPObject
 instance at 0x4170290
 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last):
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 
 382,
 in start_creation
 run_step(full_msg, method)
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 
 372,
 in run_step
 method()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line
 368, in __setup_replica
 r_bindpw=self.dm_password)
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/replication.py, 
 line
 969, in setup_replication
 raise RuntimeError(Failed to start replication)
 RuntimeError: Failed to start replication

  2015-04-15T15:08:44Z DEBUG   [error] RuntimeError: Failed to start
 replication

 The times are a little off, but I believe this corresponds to
 [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete.
 Processed 1539 entries in 126 seconds. (12.21 entries/sec)
 [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin -
 multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is
 coming online; enabling replication

  I don't know why setup_replication is reporting an error if
 replication completed successfully

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
Hi Thierry,

thanks for your answer.

I was away for a long time, this is why my post comes later .

This timing issue is coming when you try to upgrade from rhel 6 (ipa-3.0)
to rhel7 (ipa4.xx) ?

I have a physical machine for the master and a VM as replica. The solution
is to use a physical machine for the replica ?

How can I limit the cpu/memory in the physical machine (with cgroups ??).

Any  hints will be appreciated ..

Regards

James

2015-05-18 14:04 GMT+02:00 thierry bordaz tbor...@redhat.com:

  On 05/15/2015 05:11 PM, James James wrote:

  ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 .


 Hi James,

 Unfortunately there is no workaround. This is a timing issue mostly seen
 when the master is more powerful than the consumer.
 If you are using VM you may try to get master/replica with nearly the same
 cpu/memory.

 thanks
 thierry


  Best.

  James

 2015-05-15 16:58 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 08:46 AM, James James wrote:

 [root@ipa ~]#  rpm -q 389-ds-base
 389-ds-base-1.2.11.15-50.el6_6.x86_64


  Ok.  Looks like this is planned to be fixed in RHEL 6.7 with version
 389-ds-base-1.2.11.15-56.el6

 I don't know if there are any workarounds.





 2015-05-15 16:32 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 08:22 AM, James James wrote:

  I think that :

 Starting replication, please wait until this has completed.
 Update in progress, 127 seconds elapsed
 Update in progress yet not in progress


  looks like a time error : https://fedorahosted.org/freeipa/ticket/4756


  That issue should have been fixed in 389-ds-base-1.3.3 branch.  What
 version of 389-ds-base?  rpm -q 389-ds-base



 2015-05-15 16:00 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 07:55 AM, James James wrote:

 Is it possible to change the nsds5ReplicaTimeout value to get rid of
 this timeout error ?


 What timeout error?


 2015-04-17 4:52 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 04/15/2015 10:44 PM, James James wrote:

 The ipareplica-install.log file in attachment ...


  Here are the pertinent bits:

 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389]
 timeout 300
 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from
 SchemaCache
 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
 ldap://ipa.example.com:389 conn=ldap.ldapobject.SimpleLDAPObject
 instance at 0x484f4d0
 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636 from
 SchemaCache
 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
 ldaps://ipa1.example.com:636 conn=ldap.ldapobject.SimpleLDAPObject
 instance at 0x4170290
 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last):
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382,
 in start_creation
 run_step(full_msg, method)
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 372,
 in run_step
 method()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line
 368, in __setup_replica
 r_bindpw=self.dm_password)
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/replication.py, line
 969, in setup_replication
 raise RuntimeError(Failed to start replication)
 RuntimeError: Failed to start replication

  2015-04-15T15:08:44Z DEBUG   [error] RuntimeError: Failed to start
 replication

 The times are a little off, but I believe this corresponds to
 [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete.
 Processed 1539 entries in 126 seconds. (12.21 entries/sec)
 [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin -
 multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is
 coming online; enabling replication

  I don't know why setup_replication is reporting an error if
 replication completed successfully.



 2015-04-16 2:22 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

 Rich Megginson wrote:
  On 04/15/2015 02:58 PM, James James wrote:
  Nothing on the replica .. maybe a process on the master. How can I
  check that ?
 
  I have no idea.  But it seems highly unlikely that a process on the
  master is able to shutdown a process on the replica . . .
 
  I would say that there is some problem with the ipa-replica-install
 not
  properly checking the status - see below:
 
 
  2015-04-15 21:37 GMT+02:00 Rich Megginson rmegg...@redhat.com
  mailto:rmegg...@redhat.com:
 
  On 04/15/2015 12:43 PM, James James wrote:
  Here the log
 
  2015-04-15 18:58 GMT+02:00 Rich Megginson 
 rmegg...@redhat.com
  mailto:rmegg...@redhat.com:
 
  On 04/15/2015 09:46 AM, James James wrote:
  Hello,
 
  I have been looking to solve my problem but I 'm asking
 for
  some help.
 
  The replication begins but cannot be completed 
 
  I want to install a new fresh replica but I've always got
  this error :
 
  [21/35]: configure dirsrv ccache
[22/35

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
My master version is 389-ds-base-1.2.11.15-50.el6_6.x86_64 .

Thanks.



2015-06-08 10:25 GMT+02:00 thierry bordaz tbor...@redhat.com:

  Hello James,

 The fact that the master is more powerful than the replica increases the
 possibility to hit that bug.
 The bug fix is on the master side. The master is made smarter to adapt its
 replication flow to the speed of the consumer.
 The bug is fixed in 389-ds-base-1.3.3.1-10.el7 and
 389-ds-base-1.2.11.15-56.el6.

 What is the current version of your master ?

 thanks
 thierry

 On 06/08/2015 09:49 AM, James James wrote:

 Hi Thierry,

  thanks for your answer.

  I was away for a long time, this is why my post comes later .

  This timing issue is coming when you try to upgrade from rhel 6
 (ipa-3.0) to rhel7 (ipa4.xx) ?

  I have a physical machine for the master and a VM as replica. The
 solution is to use a physical machine for the replica ?

  How can I limit the cpu/memory in the physical machine (with cgroups ??).

  Any  hints will be appreciated ..

  Regards

  James

 2015-05-18 14:04 GMT+02:00 thierry bordaz tbor...@redhat.com:

  On 05/15/2015 05:11 PM, James James wrote:

  ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 .


  Hi James,

 Unfortunately there is no workaround. This is a timing issue mostly seen
 when the master is more powerful than the consumer.
 If you are using VM you may try to get master/replica with nearly the
 same cpu/memory.

 thanks
 thierry


  Best.

  James

 2015-05-15 16:58 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 08:46 AM, James James wrote:

 [root@ipa ~]#  rpm -q 389-ds-base
 389-ds-base-1.2.11.15-50.el6_6.x86_64


  Ok.  Looks like this is planned to be fixed in RHEL 6.7 with version
 389-ds-base-1.2.11.15-56.el6

 I don't know if there are any workarounds.





 2015-05-15 16:32 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 08:22 AM, James James wrote:

  I think that :

 Starting replication, please wait until this has completed.
 Update in progress, 127 seconds elapsed
 Update in progress yet not in progress


  looks like a time error : https://fedorahosted.org/freeipa/ticket/4756


  That issue should have been fixed in 389-ds-base-1.3.3 branch.  What
 version of 389-ds-base?  rpm -q 389-ds-base



 2015-05-15 16:00 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 07:55 AM, James James wrote:

 Is it possible to change the nsds5ReplicaTimeout value to get rid of
 this timeout error ?


 What timeout error?


 2015-04-17 4:52 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 04/15/2015 10:44 PM, James James wrote:

 The ipareplica-install.log file in attachment ...


  Here are the pertinent bits:

 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389]
 timeout 300
 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from
 SchemaCache
 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
 ldap://ipa.example.com:389 conn=ldap.ldapobject.SimpleLDAPObject
 instance at 0x484f4d0
 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636
 from SchemaCache
 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=
 ldaps://ipa1.example.com:636 conn=ldap.ldapobject.SimpleLDAPObject
 instance at 0x4170290
 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last):
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 
 382,
 in start_creation
 run_step(full_msg, method)
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 
 372,
 in run_step
 method()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line
 368, in __setup_replica
 r_bindpw=self.dm_password)
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/replication.py, line
 969, in setup_replication
 raise RuntimeError(Failed to start replication)
 RuntimeError: Failed to start replication

  2015-04-15T15:08:44Z DEBUG   [error] RuntimeError: Failed to start
 replication

 The times are a little off, but I believe this corresponds to
 [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete.
 Processed 1539 entries in 126 seconds. (12.21 entries/sec)
 [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin -
 multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is
 coming online; enabling replication

  I don't know why setup_replication is reporting an error if
 replication completed successfully.



 2015-04-16 2:22 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

 Rich Megginson wrote:
  On 04/15/2015 02:58 PM, James James wrote:
  Nothing on the replica .. maybe a process on the master. How can
 I
  check that ?
 
  I have no idea.  But it seems highly unlikely that a process on the
  master is able to shutdown a process on the replica . . .
 
  I would say that there is some problem with the
 ipa-replica-install not
  properly checking the status - see below:
 
 
  2015-04-15 21:37 GMT+02:00 Rich Megginson rmegg

[Freeipa-users] Successful Install on VB...

2015-06-05 Thread James Benson

Dear all,
I recently installed Fedora Server 22 on a virtualbox with the ethernet
bridged (can successfully ping it, ssh, etc) and I can do a kinit admin
and ipa user-add as the instructions detail in the next steps, however,
I cannot access the webui.  Has anyone else run into this issue? I've
tried to check the services, however, they don't seem to want to start
(no errors, just don't see them in the service status menu)  Any help
would be great as I would greatly like to use the website over commands
if possible.


Thank you,

James



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 .

Best.

James

2015-05-15 16:58 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 08:46 AM, James James wrote:

 [root@ipa ~]#  rpm -q 389-ds-base
 389-ds-base-1.2.11.15-50.el6_6.x86_64


 Ok.  Looks like this is planned to be fixed in RHEL 6.7 with version
 389-ds-base-1.2.11.15-56.el6

 I don't know if there are any workarounds.





 2015-05-15 16:32 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 08:22 AM, James James wrote:

  I think that :

 Starting replication, please wait until this has completed.
 Update in progress, 127 seconds elapsed
 Update in progress yet not in progress


  looks like a time error : https://fedorahosted.org/freeipa/ticket/4756


  That issue should have been fixed in 389-ds-base-1.3.3 branch.  What
 version of 389-ds-base?  rpm -q 389-ds-base



 2015-05-15 16:00 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 07:55 AM, James James wrote:

 Is it possible to change the nsds5ReplicaTimeout value to get rid of
 this timeout error ?


 What timeout error?


 2015-04-17 4:52 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 04/15/2015 10:44 PM, James James wrote:

 The ipareplica-install.log file in attachment ...


  Here are the pertinent bits:

 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389] timeout 300
 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from SchemaCache
 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=ldap://ipa.example.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x484f4d0>
 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636 from SchemaCache
 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa1.example.com:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4170290>
 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
     run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
     method()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 368, in __setup_replica
     r_bindpw=self.dm_password)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 969, in setup_replication
     raise RuntimeError("Failed to start replication")
 RuntimeError: Failed to start replication

  2015-04-15T15:08:44Z DEBUG   [error] RuntimeError: Failed to start
 replication

 The times are a little off, but I believe this corresponds to
 [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete.
 Processed 1539 entries in 126 seconds. (12.21 entries/sec)
 [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin -
 multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is
 coming online; enabling replication

  I don't know why setup_replication is reporting an error if
 replication completed successfully.



 2015-04-16 2:22 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

 Rich Megginson wrote:
  On 04/15/2015 02:58 PM, James James wrote:
  Nothing on the replica .. maybe a process on the master. How can I
  check that ?
 
  I have no idea.  But it seems highly unlikely that a process on the
  master is able to shut down a process on the replica . . .
 
  I would say that there is some problem with the ipa-replica-install
 not
  properly checking the status - see below:
 
 
  2015-04-15 21:37 GMT+02:00 Rich Megginson rmegg...@redhat.com
  mailto:rmegg...@redhat.com:
 
  On 04/15/2015 12:43 PM, James James wrote:
  Here the log
 
  2015-04-15 18:58 GMT+02:00 Rich Megginson rmegg...@redhat.com
  mailto:rmegg...@redhat.com:
 
  On 04/15/2015 09:46 AM, James James wrote:
  Hello,
 
  I have been looking to solve my problem but I'm asking for
  some help.
 
  The replication begins but cannot be completed 
 
  I want to install a new fresh replica but I've always got
  this error :
 
  [21/35]: configure dirsrv ccache
[22/35]: enable SASL mapping fallback
[23/35]: restarting directory server
[24/35]: setting up initial replication
  Starting replication, please wait until this has
 completed.
  Update in progress, 127 seconds elapsed
  Update in progress yet not in progress
 
  Update in progress yet not in progress
 
 
  "in progress yet not in progress"  The error log below clearly shows
  that replica init succeeded after 127 seconds.
 
  IPA-ers - wasn't there some bug about checking replica status
 properly?
 

 The loop looks at nsds5BeginReplicaRefresh,
 nsds5replicaUpdateInProgress
 and nsds5ReplicaLastInitStatus.

 It loops looking for nsds5BeginReplicaRefresh. If there is no value it
 prints "Update in progress, %d seconds elapsed". Once it gets a status

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
Is it possible to change the nsds5ReplicaTimeout value to get rid of this
timeout error ?

2015-04-17 4:52 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 04/15/2015 10:44 PM, James James wrote:

 The ipareplica-install.log file in attachment ...


 Here are the pertinent bits:

 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389] timeout 300
 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from SchemaCache
 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=ldap://ipa.example.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x484f4d0>
 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636 from SchemaCache
 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa1.example.com:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4170290>
 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
     run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
     method()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 368, in __setup_replica
     r_bindpw=self.dm_password)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 969, in setup_replication
     raise RuntimeError("Failed to start replication")
 RuntimeError: Failed to start replication

 2015-04-15T15:08:44Z DEBUG   [error] RuntimeError: Failed to start
 replication

 The times are a little off, but I believe this corresponds to
 [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete.
 Processed 1539 entries in 126 seconds. (12.21 entries/sec)
 [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin -
 multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is
 coming online; enabling replication

 I don't know why setup_replication is reporting an error if replication
 completed successfully.



 2015-04-16 2:22 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

 Rich Megginson wrote:
  On 04/15/2015 02:58 PM, James James wrote:
  Nothing on the replica .. maybe a process on the master. How can I
  check that ?
 
  I have no idea.  But it seems highly unlikely that a process on the
  master is able to shut down a process on the replica . . .
 
  I would say that there is some problem with the ipa-replica-install not
  properly checking the status - see below:
 
 
  2015-04-15 21:37 GMT+02:00 Rich Megginson rmegg...@redhat.com
  mailto:rmegg...@redhat.com:
 
  On 04/15/2015 12:43 PM, James James wrote:
  Here the log
 
  2015-04-15 18:58 GMT+02:00 Rich Megginson rmegg...@redhat.com
  mailto:rmegg...@redhat.com:
 
  On 04/15/2015 09:46 AM, James James wrote:
  Hello,
 
  I have been looking to solve my problem but I'm asking for
  some help.
 
  The replication begins but cannot be completed 
 
  I want to install a new fresh replica but I've always got
  this error :
 
  [21/35]: configure dirsrv ccache
[22/35]: enable SASL mapping fallback
[23/35]: restarting directory server
[24/35]: setting up initial replication
  Starting replication, please wait until this has completed.
  Update in progress, 127 seconds elapsed
  Update in progress yet not in progress
 
  Update in progress yet not in progress
 
 
  "in progress yet not in progress"  The error log below clearly shows
  that replica init succeeded after 127 seconds.
 
  IPA-ers - wasn't there some bug about checking replica status properly?
 

 The loop looks at nsds5BeginReplicaRefresh, nsds5replicaUpdateInProgress
 and nsds5ReplicaLastInitStatus.

 It loops looking for nsds5BeginReplicaRefresh. If there is no value it
 prints "Update in progress, %d seconds elapsed". Once it gets a status,
 the update is done, and it looks at nsds5ReplicaLastInitStatus. If it
 isn't empty, doesn't include 'replica busy' or 'Total update succeeded'
 then it looks to see if nsds5replicaUpdateInProgress is TRUE. If it is,
 it prints "Update in progress yet not in progress" and tries the loop again.

 AFAICT this part of a replica install doesn't restart 389-ds.

 /var/log/ipareplica-install.log may hold some details.

 rob




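The wait loop Rob describes in the message above, written out as a small POSIX shell checker. This is an added example for this archive page, not the installer's own code and not something any poster supplied: it reads the same three agreement attributes and prints the state the installer would act on, so the agreement on the master can be polled by hand after ipa-replica-install has bailed out. The agreement DN (the cn=meTo... entry under the escaped suffix in cn=mapping tree), the use of OpenLDAP's ldapsearch as Directory Manager, and the two sample entries are assumptions and constructed input, not taken from the thread.

```shell
#!/bin/sh
# Added example (not FreeIPA code): reproduce the decision the
# ipa-replica-install wait loop makes from the three agreement attributes
# Rob lists, so the master can be polled by hand after the installer gives up.
#
# Assumption: the "meToipa1.example.com" agreement for suffix
# dc=lix,dc=polytechnique,dc=fr lives at this DN on the master (389-ds keeps
# agreements under cn=replica of the escaped suffix entry in cn=mapping tree).
AGMT_DN='cn=meToipa1.example.com,cn=replica,cn=dc\3Dlix\2Cdc\3Dpolytechnique\2Cdc\3Dfr,cn=mapping tree,cn=config'

# classify_init_status REFRESH INPROGRESS STATUS
# Takes the values of nsds5BeginReplicaRefresh, nsds5replicaUpdateInProgress
# and nsds5ReplicaLastInitStatus and prints one word:
#   running      refresh attribute still set: total update under way
#   pending      refresh cleared, no status written yet
#   busy         status says "replica busy" (the installer stops here)
#   succeeded    status says "Total update succeeded"
#   inconsistent status is an error but UpdateInProgress is still TRUE:
#                the "Update in progress yet not in progress" case
#   failed       status is an error and nothing is in progress
classify_init_status() {
  refresh=$1
  inprogress=$2
  status=$3
  if [ -n "$refresh" ]; then echo running; return; fi
  if [ -z "$status" ]; then echo pending; return; fi
  case $status in
    *"replica busy"*)           echo busy; return ;;
    *"Total update succeeded"*) echo succeeded; return ;;
  esac
  case $(printf '%s' "$inprogress" | tr '[:upper:]' '[:lower:]') in
    true) echo inconsistent ;;
    *)    echo failed ;;
  esac
}

# ldif_value ATTR: read one LDIF entry on stdin and print ATTR's value.
# Attribute names are case-insensitive; the status value itself can contain
# ": " (see the thread), so only the first colon is stripped.
ldif_value() {
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  awk -v want="$want" '
    index(tolower($0), want ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# classify_ldif: read the agreement entry on stdin and classify it
classify_ldif() {
  ldif=$(cat)
  classify_init_status \
    "$(printf '%s\n' "$ldif" | ldif_value nsds5BeginReplicaRefresh)" \
    "$(printf '%s\n' "$ldif" | ldif_value nsds5replicaUpdateInProgress)" \
    "$(printf '%s\n' "$ldif" | ldif_value nsds5ReplicaLastInitStatus)"
}

# poll_agreement [LDAP_URI]: fetch the live entry from the master as
# Directory Manager (prompts for the password) and classify it. Not run
# below because it needs a real server. -o ldif-wrap=no (OpenLDAP client)
# keeps long status strings on one line for ldif_value.
poll_agreement() {
  ldapsearch -LLL -o ldif-wrap=no -H "${1:-ldap://localhost}" \
    -D 'cn=Directory Manager' -W -b "$AGMT_DN" -s base '(objectClass=*)' \
    nsds5BeginReplicaRefresh nsds5replicaUpdateInProgress nsds5ReplicaLastInitStatus \
  | classify_ldif
}

# Constructed samples (status text copied from the installer's error in the
# thread) standing in for two ldapsearch results.
SAMPLE_INCONSISTENT="dn: $AGMT_DN
nsds5replicaUpdateInProgress: TRUE
nsds5ReplicaLastInitStatus: 10 Total update abortedLDAP error: Referral"
SAMPLE_FAILED="dn: $AGMT_DN
nsds5replicaUpdateInProgress: FALSE
nsds5ReplicaLastInitStatus: 10 Total update abortedLDAP error: Referral"

printf '%s\n' "$SAMPLE_INCONSISTENT" | classify_ldif   # inconsistent
printf '%s\n' "$SAMPLE_FAILED" | classify_ldif         # failed
```

On a master, `poll_agreement ldap://ipa.example.com` prints `inconsistent` while the server still reports an update in progress alongside an error status, and `failed` once it does not; in the thread the consumer's own error log showed the import finishing, which is why comparing this classification with the consumer log is the useful check before re-running the installer.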

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
[root@ipa ~]#  rpm -q 389-ds-base
389-ds-base-1.2.11.15-50.el6_6.x86_64



2015-05-15 16:32 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 08:22 AM, James James wrote:

  I think that :

 Starting replication, please wait until this has completed.
 Update in progress, 127 seconds elapsed
 Update in progress yet not in progress


  looks like a time error : https://fedorahosted.org/freeipa/ticket/4756


 That issue should have been fixed in 389-ds-base-1.3.3 branch.  What
 version of 389-ds-base?  rpm -q 389-ds-base



 2015-05-15 16:00 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 07:55 AM, James James wrote:

 Is it possible to change the nsds5ReplicaTimeout value to get rid of
 this timeout error ?


 What timeout error?



Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
I think that :

Starting replication, please wait until this has completed.
Update in progress, 127 seconds elapsed
Update in progress yet not in progress


looks like a time error : https://fedorahosted.org/freeipa/ticket/4756

2015-05-15 16:00 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 05/15/2015 07:55 AM, James James wrote:

 Is it possible to change the nsds5ReplicaTimeout value to get rid of this
 timeout error ?


 What timeout error?



Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-04-15 Thread James James
The ipareplica-install.log file in attachment ...

2015-04-15T15:06:11Z DEBUG /usr/sbin/ipa-replica-install was invoked with argument /var/lib/ipa/replica-info-ipa1.example.com.gpg and options: {'no_forwarders': False, 'conf_ssh': True, 'skip_schema_check': False, 'ui_redirect': True, 'trust_sshfp': False, 'unattended': False, 'ip_addresses': [], 'no_host_dns': False, 'mkhomedir': False, 'no_reverse': False, 'setup_dns': False, 'create_sshfp': True, 'conf_sshd': True, 'forwarders': None, 'debug': False, 'conf_ntp': True, 'setup_ca': False, 'skip_conncheck': False, 'reverse_zones': []}
2015-04-15T15:06:11Z DEBUG IPA version 4.1.0-18.el7.centos.3
2015-04-15T15:06:11Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-04-15T15:06:11Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-15T15:06:11Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2015-04-15T15:06:11Z DEBUG Starting external process
2015-04-15T15:06:11Z DEBUG args='/usr/sbin/httpd' '-t' '-D' 'DUMP_VHOSTS'
2015-04-15T15:06:11Z DEBUG Process finished, return code=0
2015-04-15T15:06:11Z DEBUG stdout=VirtualHost configuration:
*:8443 is a NameVirtualHost
 default server ipa1.example.com (/etc/httpd/conf.d/nss.conf:86)
 port 8443 namevhost ipa1.example.com (/etc/httpd/conf.d/nss.conf:86)
 port 8443 namevhost ipa1.example.com (/etc/httpd/conf.d/nss.conf:86)

2015-04-15T15:06:11Z DEBUG stderr=
2015-04-15T15:06:11Z DEBUG Starting external process
2015-04-15T15:06:11Z DEBUG args='/bin/systemctl' 'is-enabled' 'chronyd.service'
2015-04-15T15:06:11Z DEBUG Process finished, return code=1
2015-04-15T15:06:11Z DEBUG stdout=
2015-04-15T15:06:11Z DEBUG stderr=Failed to issue method call: No such file or directory

2015-04-15T15:06:11Z DEBUG Starting external process
2015-04-15T15:06:11Z DEBUG args='/bin/systemctl' 'is-active' 'chronyd.service'
2015-04-15T15:06:11Z DEBUG Process finished, return code=3
2015-04-15T15:06:11Z DEBUG stdout=unknown

2015-04-15T15:06:11Z DEBUG stderr=
2015-04-15T15:06:15Z DEBUG Starting external process
2015-04-15T15:06:15Z DEBUG args='/usr/bin/gpg-agent' '--batch' '--homedir' '/tmp/tmpxNp5r9ipa/ipa-8fobNZ/.gnupg' '--daemon' '/usr/bin/gpg' '--batch' '--homedir' '/tmp/tmpxNp5r9ipa/ipa-8fobNZ/.gnupg' '--passphrase-fd' '0' '--yes' '--no-tty' '-o' '/tmp/tmpxNp5r9ipa/files.tar' '-d' '/var/lib/ipa/replica-info-ipa1.example.com.gpg'
2015-04-15T15:06:15Z DEBUG Process finished, return code=0
2015-04-15T15:06:15Z DEBUG Starting external process
2015-04-15T15:06:15Z DEBUG args='tar' 'xf' '/tmp/tmpxNp5r9ipa

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-04-15 Thread James James
Nothing on the replica .. maybe a process on the master. How can I check
that ?

2015-04-15 21:37 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 04/15/2015 12:43 PM, James James wrote:

 Here the log

 2015-04-15 18:58 GMT+02:00 Rich Megginson rmegg...@redhat.com:

  On 04/15/2015 09:46 AM, James James wrote:

   Hello,

  I have been looking to solve my problem but I'm asking for some help.

  The replication begins but cannot be completed 

  I want to install a new fresh replica but I've always got this error :

 [21/35]: configure dirsrv ccache
   [22/35]: enable SASL mapping fallback
   [23/35]: restarting directory server
   [24/35]: setting up initial replication
 Starting replication, please wait until this has completed.
 Update in progress, 127 seconds elapsed
 Update in progress yet not in progress

 Update in progress yet not in progress

 [ipa.example.com] reports: Update failed! Status: [10 Total update
 abortedLDAP error: Referral]

   [error] RuntimeError: Failed to start replication

 Your system may be partly configured.
 Run /usr/sbin/ipa-server-install --uninstall to clean up.

 Failed to start replication


  On the master I have this message :
 [15/Apr/2015:15:57:37 +0200] NSMMReplicationPlugin - CleanAllRUV Task:
 Successfully cleaned rid(19).
 [15/Apr/2015:17:06:32 +0200] NSMMReplicationPlugin - agmt=cn=
 meToipa1.example.com (ipa1:389): Replica has a different generation ID
 than the local data.
 [15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - Beginning total
 update of replica agmt=cn=meToipa1.example.com (ipa1:389).


  What is happening on the consumer (ipa1.example.com) error and access
 log at this time?


 [15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin -
 multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is going
 offline; disabling replication
 [15/Apr/2015:17:06:33 +0200] - WARNING: Import is running with
 nsslapd-db-private-import-mem on; No other process is allowed to access the
 database
 [15/Apr/2015:17:06:53 +0200] - import userRoot: Processed 1399 entries --
 average rate 70.0/sec, recent rate 69.9/sec, hit ratio 0%
 ...
 [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete.
 Processed 1539 entries in 126 seconds. (12.21 entries/sec)
 [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin -
 multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is
 coming online; enabling replication

 So it would appear that initialization finished successfully.  But then .
 . .


  [15/Apr/2015:17:41:25 +0200] NSMMReplicationPlugin - agmt=cn=
 meToipa1.example.com (ipa1:389): Unable to receive the response for a
 startReplication extended operation to consumer (Can't contact LDAP
 server). Will retry later.


 [15/Apr/2015:17:41:16 +0200] - slapd shutting down - freed 1 work q stack
 objects - freed 2 op stack objects
 [15/Apr/2015:17:41:16 +0200] - slapd stopped.

 So the server is down.  Did someone or some process shut down the replica
 at this time?

 [15/Apr/2015:17:41:29 +0200] slapi_ldap_bind - Error: could not send
 startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport
 endpoint is not connected)

 Any hints will be useful.

  Thanks.










Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-08 Thread James James
It's a little bit more clear. Thanks.

I have created a new ipa 4.1 replica but when I want run :

# ipa-cacert-manage renew --self-signed

I've got this message :

[root@ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
CA is not configured on this system

If I want to install the CA I've got this message :

[root@ipa-devel-centos7 system]# ipa-ca-install --password=mypassorwd -U
CA is already installed.

Should I have to promote the replica to a standalone master before
installing the CA ?

Any hints will be appreciated...


James


2015-04-08 7:27 GMT+02:00 Jan Cholasta jchol...@redhat.com:

 Dne 7.4.2015 v 15:31 Martin Kosek napsal(a):

 On 04/07/2015 02:08 PM, James James wrote:

 I will try to give a better explanation :


 I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been
 installed with an external CA about 3 years ago and I will have to renew
 the certificate soon.

  I have created a test server (ipa-dev) with the same configuration (centos
 6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev server
 to be installed with an external CA.

 At the same time my external CA has changed and wants the emailAddress
 field in the certificate request's subject.


 CSR during installation with external CA is produced by Dogtag, so you are
 constrained by the options and capabilities provided by ipa-server-install.
 Maybe it would be possible to modify the CSR and update the Subject
 manually, but I expect it would crash the installer later (JanC may know
 more (CCed))


 The subject name identifies the CA in server (and other) certificates. If
 you change it, you break the trust chain from the CA certificate to the
 server certificates and that will break all SSL in IPA.


  If it is not possible to add emailAddress in the subject, is it possible
 to
 migrate my ipa-master CA system from an external CA to a CA-less or
 self-signed CA ?


 It is, with ipa-cacert-manage - see links below.


 You can change your external CA to self-signed CA in IPA 4.1 or newer by
 running:

 # ipa-cacert-manage renew --self-signed

 You can't change external CA to CA-less.



  Thanks.

 2015-04-07 13:48 GMT+02:00 Martin Kosek mko...@redhat.com:

  On 04/07/2015 01:44 PM, James James wrote:

 ok.

 Is there a way to migrate from an external CA to a CA-less or a

 self-signed

 CA  ?


 Yes, you can use the ipa-cacert-manage tool introduced in FreeIPA 4.1.0:

 https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
 https://www.freeipa.org/page/V4/CA_certificate_renewal

 (Although I am still not sure about your use case and if this would help
 you)


 2015-04-07 12:51 GMT+02:00 Martin Kosek mko...@redhat.com:

  On 04/03/2015 11:39 AM, James James wrote:

 Hello,

 I want to initialize a new replica with an external CA. My
 Certificate
 Authority wants a CSR with the field emailAddress in the subject
 like :

 /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=n...@none.com


 I am not a bit confused. Do you plan to have FreeIPA *without* a CA or
 with own
 CA signed by external CA?

 FreeIPA supports these kinds of setups right now:
 http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure

 How can I do this with the ipa-server-install command? I have been trying
 for a few days but I still can't.

 Thanks for your help.


 CCing Honza who should know the definitive answer. However, FreeIPA was not
 very flexible in configuring special subjects for its CA certificate (i.e.
 cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.








 --
 Jan Cholasta


Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-07 Thread James James
ok.

Is there a way to migrate from an external CA to a CA-less or a self-signed
CA  ?

2015-04-07 12:51 GMT+02:00 Martin Kosek mko...@redhat.com:

 On 04/03/2015 11:39 AM, James James wrote:
  Hello,
 
  I want to initialize a new replica with an external CA. My Certificate
  Authority wants a CSR with the field emailAddress in the subject like :
 
  /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=n...@none.com

 I am not a bit confused. Do you plan to have FreeIPA *without* a CA or
 with own
 CA signed by external CA?

 FreeIPA supports these kinds of setups right now:
 http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure

   How can I do it with the ipa-server-install command?  I have been trying
  for a few days but I still can't.
 
  Thanks for your help.

 CCing Honza who should know the definitive answer. However, FreeIPA was not
 very flexible in configuring special subjects for it's CA certificate (i.e.
 cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.


Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-07 Thread James James
I will try to give a better explanation :


I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been
installed with an external CA about 3 years ago and I will have to renew
the certificate soon.

I have created a test server (ipa-dev) with the same configuration (centos
6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev server
to be installed with an external CA.

At the same time my external CA has changed and wants the emailAddress
field in the certificate request's subject.

If it is not possible to add emailAddress in the subject, is it possible to
migrate my ipa-master CA system from an external CA to a CA-less or
self-signed CA ?

Thanks.

2015-04-07 13:48 GMT+02:00 Martin Kosek mko...@redhat.com:

 On 04/07/2015 01:44 PM, James James wrote:
  ok.
 
  Is there a way to migrate from an external CA to a CA-less or a
 self-signed
  CA  ?

 Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0:

 https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
 https://www.freeipa.org/page/V4/CA_certificate_renewal

 (Although I am still not sure about your use case and if this would help
 you)

 
  2015-04-07 12:51 GMT+02:00 Martin Kosek mko...@redhat.com:
 
  On 04/03/2015 11:39 AM, James James wrote:
  Hello,
 
  I want to initialize a new replica with an external CA. My Certificate
  Authority wants a CSR with the field emailAddress in the subject like :
 
  /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=n...@none.com
 
  I am not a bit confused. Do you plan to have FreeIPA *without* a CA or
  with own
  CA signed by external CA?
 
  FreeIPA supports these kinds of setups right now:
  http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
 
    How can I do it with the ipa-server-install command?  I have been trying
   for a few days but I still can't.
 
  Thanks for your help.
 
  CCing Honza who should know the definitive answer. However, FreeIPA was
 not
  very flexible in configuring special subjects for it's CA certificate
 (i.e.
  cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
 
 



[Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-03 Thread James James
Hello,

I want to initialize a new replica with an external CA. My Certificate
Authority wants a CSR with the field emailAddress in the subject like :

/C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=n...@none.com


How can I do it with the ipa-server-install command?  I have been trying for
a few days but I still can't.

Thanks for your help.

[Freeipa-users] ipa and external ca

2015-04-03 Thread James James
Hi everybody, sorry to repost my original question but this time my problem
is better described.

I want to install an ipa server on centos 6 with an external ca. My problem
is adding emailAddress to the subject field when I type the command:


[root@ipa-dev ~]# ipa-server-install --external_ca
--subject=O=orga,C=FR,OU=MyOU

Does somebody know how to do it?

Best.

James
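The two subject forms that collide in this thread are OpenSSL's slash-separated one-liner (what the CA asks for in its CSR) and the comma-separated DN base that ipa-server-install --subject takes. The following is an added example, not code from the thread or from FreeIPA: it parses the OpenSSL form, reports whether the emailAddress attribute the CA insists on is present, and renders the base in the form --subject accepts. The sample subjects, the ca-admin@example.com address and the KNOWN_ATTRS set are constructed for the example; the CN is dropped on the assumption (stated in the thread) that FreeIPA sets the CA certificate's own CN.

```python
"""Added example, not code from the thread or from FreeIPA: convert the
OpenSSL one-line subject a CA expects into the comma-separated DN base
that ipa-server-install --subject accepts, and check whether the
emailAddress attribute is present. Sample subjects are constructed."""

import re
from typing import List, Tuple

RDN = Tuple[str, str]

# Attribute types accepted in the one-line form (constructed allow-list);
# emailAddress is the PKCS#9 attribute that started the thread.
KNOWN_ATTRS = {"C", "ST", "L", "O", "OU", "CN", "DC", "emailAddress"}


def parse_openssl_subject(subject: str) -> List[RDN]:
    """Split '/C=FR/O=TESTO/CN=x' into [('C', 'FR'), ('O', 'TESTO'), ('CN', 'x')].

    A backslash escapes the following character, so '/' may appear inside a
    value (the same convention `openssl req -subj` uses)."""
    if not subject.startswith("/"):
        raise ValueError("OpenSSL one-line subject must start with '/'")
    rdns: List[RDN] = []
    for part in re.split(r"(?<!\\)/", subject[1:]):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r}")
        attr, value = part.split("=", 1)
        if attr not in KNOWN_ATTRS:
            raise ValueError(f"unsupported attribute type {attr!r}")
        rdns.append((attr, value.replace("\\/", "/")))
    return rdns


def has_email_address(rdns: List[RDN]) -> bool:
    """True when the subject carries a non-empty emailAddress RDN."""
    return any(attr == "emailAddress" and value for attr, value in rdns)


def to_ipa_subject_base(rdns: List[RDN]) -> str:
    """Render the subject *base* in the comma-separated form used by
    ipa-server-install --subject (e.g. 'O=orga,C=FR,OU=MyOU').

    The CN is dropped: --subject sets only the base and FreeIPA supplies the
    CA certificate's CN itself (cn=Certificate Authority, as the thread
    notes). Commas inside values are escaped as RFC 4514 requires."""
    parts = []
    for attr, value in rdns:
        if attr == "CN":
            continue
        escaped = value.replace(",", "\\,")
        parts.append(f"{attr}={escaped}")
    return ",".join(parts)


if __name__ == "__main__":
    # Constructed sample in the shape of the CA requirement from the thread.
    sample = "/C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=ca-admin@example.com"
    rdns = parse_openssl_subject(sample)
    print("emailAddress present:", has_email_address(rdns))
    print("--subject base:", to_ipa_subject_base(rdns))
```

Running the script on the sample prints that emailAddress is present and gives the base `C=FR,O=TESTO,OU=TESTOU,emailAddress=ca-admin@example.com`; whether the installer accepts that base for the CA's own certificate is the open question of the thread, so the converter only tells you what you would be passing, not that it will be honoured.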

Re: [Freeipa-users] Password entry through Trust not correct

2015-03-22 Thread McEvoy, James

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Saturday, March 21, 2015 10:42 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Password entry through Trust not correct

On 03/20/2015 08:56 PM, McEvoy, James wrote:
When I look at the password entries for my rfc2307 account in Active directory 
I get three different answers.
The only correct one is on a server where I used sssd to join AD directly ( the 
last one ).  Do I need to configure
rfc2307?  When I configured the server to join AD directly I use the option 
--enablerfc2307bis when I run authconfig.

from a freeipa client:
$ getent passwd jemce...@enas.net
jemce...@enas.net:*:10001:10004::/home/enas.net/jemcevoy:

from the ipa server:
[root@ipa ~]# getent passwd jemce...@enas.net
jemce...@enas.net:*:10001:10004:James McEvoy:/home/enas.net/jemcevoy:/bin/bash

from a server that joined AD directly using sssd:
$ getent passwd jemce...@enas.net
jemcevoy:*:10001:10004:James McEvoy:/home/jemcevoy:/bin/bash


Hi,

Let us step back.
What versions of the server and of the client and on what platforms?

When you set trust, how did you set it?
It might be that IPA server did not detect that you have Posix extensions in AD.
There is some heuristics involved so probably you should use explicit 
parameters to tell IPA whether you have posix in AD or not.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Hi Dmitri,

My IPA Server is running Fedora 21 directly on an HP DL360-G7 server.
The Version of the freeipa is: freeipa-server-4.1.3-2.fc21.x86_64

The freeipa server has a trust with a Windows 2008R2 Active Directory
domain named ENAS.Net.

The client is in an LXC container with both the hosting server and the
LXC guest running Fedora 20.
The client is running freeipa-client-3.3.5-1.fc20.x86_64.

This is at the top of the file /var/log/ipaclient-install.log in the client:

2015-03-19T19:20:38Z DEBUG /usr/sbin/ipa-client-install was invoked with options
: {'domain': 'lnx.lab', 'force': False, 'krb5_offline_passwords': True, 'primary
': False, 'realm_name': 'LNX.LAB', 'force_ntpd': False, 'create_sshfp': True, 'c
onf_sshd': True, 'conf_ntp': False, 'on_master': False, 'ntp_server': None, 'ca_
cert_file': None, 'principal': 'ad...@lnx.lab', 'keytab': None, 'hostname': 'ctn
017-135.lnx.lab', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp
': False, 'dns_updates': True, 'mkhomedir': True, 'conf_ssh': True, 'force_join'
: False, 'server': ['ipa.lnx.lab'], 'prompt_password': False, 'permit': False, '
debug': False, 'preserve_sssd': False, 'uninstall': False}


The client is getting the correct POSIX uid/gid from Active Directory, it is the
home directory which looks samba style to me and the shell is completely 
missing.

Monday morning (PDT) I will kickstart another server with Fedora 21 to see the
results when it joins freeipa and uses the trust.  I will try both directly and
from an LXC guest to see if the correct POSIX attributes get passed through from
the Active Directory Identity Management for Unix plugin.

  -- jim





[Freeipa-users] Password entry through Trust not correct

2015-03-20 Thread McEvoy, James
When I look at the password entries for my rfc2307 account in Active directory 
I get three different answers.
The only correct one is on a server where I used sssd to join AD directly ( the 
last one ).  Do I need to configure
rfc2307?  When I configured the server to join AD directly I use the option 
--enablerfc2307bis when I run authconfig.

from a freeipa client:
$ getent passwd jemce...@enas.net
jemce...@enas.net:*:10001:10004::/home/enas.net/jemcevoy:

from the ipa server:
[root@ipa ~]# getent passwd jemce...@enas.net
jemce...@enas.net:*:10001:10004:James McEvoy:/home/enas.net/jemcevoy:/bin/bash

from a server that joined AD directly using sssd:
$ getent passwd jemce...@enas.net
jemcevoy:*:10001:10004:James McEvoy:/home/jemcevoy:/bin/bash
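The poster compares three getent lines by eye. As an added example (not code from the thread), the script below does that comparison mechanically: it parses passwd lines from several sources, reports which of the seven POSIX fields disagree, and flags sources whose entry has no shell at all. The sample lines are constructed to mirror the shape of the three outputs above (a made-up user jdoe in a made-up domain ad.example), not copied from the poster's systems.

```python
"""Added example, not code from the thread: parse `getent passwd` lines
collected from several hosts and report which POSIX fields disagree.
The sample lines are constructed to mirror the three outputs in the thread."""

from dataclasses import dataclass, fields
from typing import Dict, List


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one passwd(5)-style line into its seven colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(parts)}: {line!r}")
    name, passwd, uid, gid, gecos, home, shell = parts
    return PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell)


def compare_entries(outputs: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """outputs maps a source label to the line it returned. The result maps
    each field whose value is not identical across all sources to the
    per-source values, so identical fields (here uid/gid) are not listed."""
    parsed = {label: parse_passwd_line(line) for label, line in outputs.items()}
    diffs: Dict[str, Dict[str, object]] = {}
    for f in fields(PasswdEntry):
        values = {label: getattr(entry, f.name) for label, entry in parsed.items()}
        if len(set(values.values())) > 1:
            diffs[f.name] = values
    return diffs


def missing_shell(outputs: Dict[str, str]) -> List[str]:
    """Sources whose entry carries an empty login shell field."""
    return sorted(label for label, line in outputs.items()
                  if parse_passwd_line(line).shell == "")


# Constructed sample: the same account as seen from an IPA client, the IPA
# server, and a host joined to AD directly, in the shape of the thread's output.
SAMPLE = {
    "ipa-client": "jdoe@ad.example:*:10001:10004::/home/ad.example/jdoe:",
    "ipa-server": "jdoe@ad.example:*:10001:10004:Jane Doe:/home/ad.example/jdoe:/bin/bash",
    "ad-direct": "jdoe:*:10001:10004:Jane Doe:/home/jdoe:/bin/bash",
}

if __name__ == "__main__":
    for field, values in compare_entries(SAMPLE).items():
        print(f"{field}: {values}")
    print("sources with no shell:", missing_shell(SAMPLE))
```

On the sample, uid and gid agree everywhere while name, gecos, home and shell differ, and only the IPA client returns an empty shell, which is exactly the pattern the poster describes: the numeric identity is coming through the trust correctly, the presentation attributes are not.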

[Freeipa-users] Firewalld rules to allow AD Join

2015-03-20 Thread McEvoy, James
Hi FreeIPA Users:

I can only get my new Fedora 21 freeipa server to set up a trust with Active 
Directory if I turn off the firewall on the ipa server.   I have looked through 
all the doc on which ports to open but have had no luck getting the join to 
work with firewalld running...  Can someone tell me what firewalld is blocking 
on me?   

  --jim

These are my open services:

# firewall-cmd --zone=public --list-all
public (default)
interfaces: 
sources: 
services: dhcpv6-client dns freeipa-ldap freeipa-ldaps http https 
kerberos kpasswd ldap ldaps mdns ntp samba ssh
ports: 
masquerade: no
forward-ports: 
icmp-blocks:

[root@ipa ~]#  ipa trust-add ENAS.NET --type=ad --admin=Administrator --password
Active Directory domain administrator's password: 
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it 
is a DNS or firewall issue

As soon as I turn off the firewall it works:

[root@ipa ~]# systemctl stop firewalld
[root@ipa ~]#  ipa trust-add ENAS.NET --type=ad --admin=Administrator --password
Active Directory domain administrator's password: 
-
Re-established trust to domain enas.net
-
  Realm name: enas.net
  Domain NetBIOS name: ENAS
  Domain Security Identifier: S-1-5-21-1497210546-3194758708-3931123408
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, 
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
  S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, 
S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
  S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, 
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
  S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, 
S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
  S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified


The only error that I have found is in the samba logs where lsasd has the 
following:

[2015/03/19 18:19:22.792043,  1] ipa_sam.c:1671(search_krb_princ)
  get_trusted_domain_int: no object found with filter 
'krbPrincipalName=krbtgt/enas@lnx.lab'.
[2015/03/19 18:19:23.080328,  1] ipa_sam.c:1671(search_krb_princ)
  get_trusted_domain_int: no object found with filter 
'krbPrincipalName=krbtgt/lnx@enas.net'.


and winbindd-imap has this in it:

[2015/03/20 14:21:14.966125,  1] 
../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/03/20 14:21:14.968671,  1] 
../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *





[Freeipa-users] Web UI customization

2015-03-07 Thread James James
Hello,

I am running an ipa 3.3 server on centos 7.

I want to customize the web ui user add page (to include
krbprincipalexpiration field with a jquery calendar... ). I have read

http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf ,
https://pvoborni.fedorapeople.org/api/#!/guide/Phases and

http://fossies.org/dox/freeipa-4.1.3/classipalib_1_1plugins_1_1user_1_1user__add.html
http://fossies.org/dox/freeipa4.1.3/classipalib_1_1plugins_1_1user_1_1user__add.html

 but I can't figure out how to do what I want 

Can somebody give me clues or examples 

Thanks ...

Re: [Freeipa-users] issues with secondary groups? (sssd)

2015-03-02 Thread James Shubin
On Mon, 2015-03-02 at 13:25 +0100, Jakub Hrozek wrote:
 On Mon, Mar 02, 2015 at 04:09:34AM -0800, Janelle wrote:
  That was the point. The clients were not installed with IPA client install.
  I have 2000 clients and still working on a simple way to automate the 
  client install with ansible or puppet. Currently just trying to get it 
  working with simple sssd/ldap only auth.
 
 I would recommend against enrolling clients in any other way than with
 ipa-client-install.
 
 I've CC-ed James Shubin, who worked on automating client installs with
 Puppet (and Puppet-iting IPA in general), I wonder if there's some howto
 we can link to?

The Puppet-IPA module has documentation:
https://github.com/purpleidea/puppet-ipa/blob/master/DOCUMENTATION.md

It has a client section too.

HTH,
James




Re: [Freeipa-users] FreeIPA 4.0.4 now in Debian unstable!

2014-10-26 Thread James
On Sun, Oct 26, 2014 at 2:29 PM, Timo Aaltonen tjaal...@ubuntu.com wrote:

 Hi!

   Sooo.. as a followup to last weeks announcement about Dogtag 10.2
 getting in Debian, today marks the day that FreeIPA finally made it to
 the distro! And unless release critical bugs are found it'll migrate to
 the testing branch after spending 10 days on unstable, just in time
 before the freeze of the next release.

 The past week was spent on fixing the remaining issues around client 
 server install. Thanks to everyone on #freeipa-devel that helped me on
 times of despair :)

 It'll take some time to wrap the distro patches into something that
 upstream could accept with a straight face.. In the meantime, feel free
 to kick the tires by installing 'freeipa-server' or 'freeipa-client' and
 report bugs if you find any!

 The packages will also get in the next Ubuntu release, and I'll backport
 them to 14.04 later this year.


 ps. special thanks to Benjamin Drung who joined the ranks of
 pkg-freeipa-devel earlier this year, reviewed all the new packages with
 attention to detail, sponsored them for me before I got upload rights,
 and most importantly stuck around all this time :)


 --
 t

 --

Awesome news! If someone is willing to test, I'm willing to write the
patches to puppet-ipa [1] so that it works on Debian.

Let me know.

Cheers,
James

[1] https://github.com/purpleidea/puppet-ipa



Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-13 Thread James
On 13 October 2014 18:18, Dmitri Pal d...@redhat.com wrote:
 On 10/12/2014 08:07 PM, James wrote:

 On 12 October 2014 19:55, Janelle janellenicol...@gmail.com wrote:

 Hi again,

 I was wondering if there were any suggestions for performance of IPA and
 settings to sysctl and maybe limits.conf? I tried the website, but did
 not
 see anything.  Have about 3000 servers that will be talking to 3-4
 masters/replicas. Are there any formulas to follow?

 thanks


 If you get an answer to this, or if you know of any other performance
 tuning params, let me know and I'll build it in to puppet-ipa.

 Thanks,
 James

 I do not think it is easy automatable.
You underestimate me ;)

 Please see http://www.freeipa.org/page/Deployment_Recommendations and part
 about replicas.
 If 3000 in one datacenter then 3 is good enough or 4 if you are very LDAP
 heavy (some applications are like Jira for example).
 If you have 2 data center I would go for 2+2.

OP (and myself) were also curious whether there are any
machine-specific optimizations to add, e.g. sysctl, /proc tuning, etc...

Anything out there?



Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-12 Thread James
On 12 October 2014 19:55, Janelle janellenicol...@gmail.com wrote:
 Hi again,

 I was wondering if there were any suggestions for performance of IPA and
 settings to sysctl and maybe limits.conf? I tried the website, but did not
 see anything.  Have about 3000 servers that will be talking to 3-4
 masters/replicas. Are there any formulas to follow?

 thanks


If you get an answer to this, or if you know of any other performance
tuning params, let me know and I'll build it in to puppet-ipa.

Thanks,
James



Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information

2014-10-07 Thread James
On 7 October 2014 05:58, Alexander Bokovoy aboko...@redhat.com wrote:
 Hi!

 As Andrea Veri describes in the blog[1], GNOME Project's infrastructure
 is now powered by FreeIPA. While GNOME was already using SSSD since very
 early days of SSSD project, move to FreeIPA on the server side took more
 time.

Yup :) I wonder who convinced him to look at FreeIPA... Hrmm ;)


 [1]
 https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/

 --
 / Alexander Bokovoy




Re: [Freeipa-users] Enrolling with multiple IPA servers

2014-10-07 Thread James
On 6 October 2014 14:43, Alexander Bokovoy aboko...@redhat.com wrote:
 If you have some masters that are accessible by these isolated nodes,
 enroll isolated nodes against these masters. Nobody prevents you to
 select your deployment strategy and manipulate configuration files
 afterwards. Purpleidea's puppet module even allows you to define IPA
 masters' topology right in puppet scripts, if puppet is in use.

To elaborate on this, you can specify an algorithm to define the
shape of the cluster. There are two built-in POC algorithms
provided, but more will be accepted.

Shape means how I algorithmically define who is neighbours with whom.

The two provided are flat and ring:
[1] 
https://github.com/purpleidea/puppet-ipa/blob/master/DOCUMENTATION.md#topology
[2] 
https://github.com/purpleidea/puppet-ipa/tree/master/lib/puppet/parser/functions

HTH
James
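To make the "flat" and "ring" shapes concrete, here is an added example that is not code from puppet-ipa or from the thread: given an ordered list of master hostnames, it derives each master's replication peers for both shapes, lists the resulting agreements, and checks the property an operator actually cares about, namely whether every surviving master is still reachable after some hosts are lost. The semantics assumed here (flat = every master agrees with every other; ring = each master agrees with its predecessor and successor in sorted order) are this example's own assumption, not a description of puppet-ipa's parser functions, and the hostnames are constructed.

```python
"""Added example, not code from puppet-ipa or the thread: derive each IPA
master's replication peers for a 'flat' and a 'ring' cluster shape and
check that the agreement graph stays connected. The shape semantics are
this example's assumption; hostnames are constructed."""

from typing import Dict, Iterable, List, Set, Tuple

Peers = Dict[str, List[str]]


def flat_topology(masters: Iterable[str]) -> Peers:
    """Full mesh: every master replicates with every other master."""
    ordered = sorted(set(masters))
    return {m: [p for p in ordered if p != m] for m in ordered}


def ring_topology(masters: Iterable[str]) -> Peers:
    """Ring: master i replicates with masters i-1 and i+1 (modulo n)."""
    ordered = sorted(set(masters))
    n = len(ordered)
    peers: Peers = {}
    for i, m in enumerate(ordered):
        if n == 1:
            peers[m] = []
        elif n == 2:
            peers[m] = [ordered[1 - i]]
        else:
            peers[m] = sorted({ordered[(i - 1) % n], ordered[(i + 1) % n]})
    return peers


def replication_agreements(peers: Peers) -> List[Tuple[str, str]]:
    """Each agreement once, as a sorted host pair (agreements are two-way)."""
    edges: Set[Tuple[str, str]] = set()
    for m, ps in peers.items():
        for p in ps:
            a, b = sorted((m, p))
            edges.add((a, b))
    return sorted(edges)


def is_connected(peers: Peers) -> bool:
    """A change made on any master must be able to reach every other one,
    so the agreement graph has to be connected (simple depth-first walk)."""
    nodes = list(peers)
    if not nodes:
        return True
    seen = {nodes[0]}
    stack = [nodes[0]]
    while stack:
        for p in peers[stack.pop()]:
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return len(seen) == len(nodes)


def survives_loss(peers: Peers, lost: Set[str]) -> bool:
    """Does replication still reach every surviving master after the hosts
    in `lost` go away? Ask this before picking a sparse shape like a ring."""
    remaining = {m: [p for p in ps if p not in lost]
                 for m, ps in peers.items() if m not in lost}
    return is_connected(remaining)


if __name__ == "__main__":
    hosts = [f"ipa{i}.example.test" for i in range(1, 5)]  # constructed names
    for name, topo in (("flat", flat_topology(hosts)), ("ring", ring_topology(hosts))):
        print(name, len(replication_agreements(topo)), "agreements;",
              "survives losing ipa2+ipa4:", survives_loss(topo, {hosts[1], hosts[3]}))
```

With four masters the flat shape costs six agreements and survives any two losses, while the ring costs four and survives one loss but splits into two isolated halves when two non-adjacent masters go down; that trade-off between agreement count and failure tolerance is what choosing a shape comes down to.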



Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information

2014-10-07 Thread James
On 7 October 2014 19:54, Dmitri Pal d...@redhat.com wrote:
 On 10/07/2014 09:27 AM, James wrote:

 On 7 October 2014 05:58, Alexander Bokovoy aboko...@redhat.com wrote:

 Hi!

 As Andrea Veri describes in the blog[1], GNOME Project's infrastructure
 is now powered by FreeIPA. While GNOME was already using SSSD since very
 early days of SSSD project, move to FreeIPA on the server side took more
 time.

 Yup :) I wonder who convinced him to look at FreeIPA... Hrmm ;)


 Motherland should know its heroes! ;-)


Your team are the heroes. I'm just an integrator who likes your code...
and maybe has a few feature requests :)


 [1]

 https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/

 --
 / Alexander Bokovoy




 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.





Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information

2014-10-07 Thread James
On 7 October 2014 21:55, Fraser Tweedale ftwee...@redhat.com wrote:
 This is great.  Can we use the GNOME project's experience as a story
 or case study in promoting FreeIPA to other projects/communities?
 IMO we need a couple of examples like this on the freeipa.org front
 page.


I would recommend waiting a little bit to let them get more familiar
with the tool...



Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
My IPA version is 3.0.0 .
Thanks

2014-09-09 1:22 GMT+02:00 Dmitri Pal d...@redhat.com:

  On 09/08/2014 06:52 PM, James James wrote:

   Hi everybody,

  I want a user to be able to do ipa-getkeytab to retrieve the keys from
 any host in the realm.

  How can I do this ?

 Where can I find an ACI example (
 https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
 which can help me?


  Thanks for your help.




  Which version of IPA?
 The reason for the question is that in FreeIPA 4.0 the ACIs were
 significantly reworked.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
SOLVED.

realm-proxy has to be an indirect member of:
memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com

Thanks for your help.

2014-09-09 16:59 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

 James James wrote:
  My user : realm-proxy is in a group (Smart Proxy Host Management) which
  has the Manage host keytab permission :
 
Permission name: Manage host keytab
Permissions: write
Attributes: krbprincipalkey, krblastpwdchange
Type: host
Granted to Privilege: Host Administrators, Host Enrollment, Smart
  Proxy Host Management
 
 
  When I try to retrieve a keytab from another host when my principal is
  the realm-proxy :
 
 
  [root@client1 ~]#  kinit realm-pr...@example.com -k -t /tmp/freeipa.keytab
 
  [root@client1 ~]# klist
 
  Ticket cache: KEYRING:persistent:0:0
  Default principal: realm-pr...@example.com
 
  Valid starting   Expires  Service principal
  09/09/2014 14:35:50  09/10/2014 14:35:50  krbtgt/example@example.com
 
  [root@client1 ~]# ipa-getkeytab  --server=ipa.example.com --principal=host/client1.example.com --keytab=/etc/krb5.keytab
  Operation failed! Insufficient access rights
 
 
  I can't retrieve the key ..

 I'd need to see the smart-proxy user, show --all --raw would be best.

 I just tested this on a RHEL-6 instance I had handy and it worked fine:

 # ipa user-add --first=test --last=user tuser1 --password
 # ipa role-add 'host keytab' --desc 'manage host keytabs'
 # ipa privilege-add 'manage host keytab' --desc 'manage host keytabs'
 # ipa privilege-add-permission 'manage host keytab'
 --permissions='manage host keytab'
 # ipa role-add-privilege 'host keytab' --privileges='manage host keytab'
 # ipa role-add-member --users=tuser1 'host keytab'
 # kinit tuser1
 # ipa-getkeytab -s `hostname` -k /tmp/test.keytab -p host/test.example.com
 Keytab successfully retrieved and stored in: /tmp/test.keytab

 rob

 
  2014-09-09 16:14 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
 
  James James wrote:
   My IPA version is 3.0.0 .
   Thanks
 
  The permission 'Manage host keytab' should do the trick.
 
  rob
 
  
   2014-09-09 1:22 GMT+02:00 Dmitri Pal d...@redhat.com:
  
   On 09/08/2014 06:52 PM, James James wrote:
   Hi everybody,
  
   I want a user to be able to do ipa-getkeytab to retrieve the
 keys
   from any host in the realm.
  
   How can I do this ?
  
   Where can I find an ACI example
   (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
   which can help me?
  
  
   Thanks for your help.
  
  
  
  
   Which version of IPA?
   The reason for the question is that in FreeIPA 4.0 the ACIs
   were significantly reworked.
  
   --
   Thank you,
   Dmitri Pal
  
   Sr. Engineering Manager IdM portfolio
   Red Hat, Inc.
  
  
  
  
  
  
 
 


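Rob asked to see the user with `--all --raw`, and the fix turned out to be that the account must be an indirect member of the privilege. As an added example (not code from the thread or from FreeIPA), the script below parses that `attr: value` output and answers the question directly: does the user hold a given privilege, and if so directly or only through a role? The sample output is constructed in the layout of `ipa user-show --all --raw`, using example.com DNs and the realm-proxy name from the thread; the container DNs cn=privileges,cn=pbac and cn=roles,cn=accounts are the ones FreeIPA uses for privileges and roles.

```python
"""Added example, not code from the thread or from FreeIPA: parse the
`attr: value` lines printed by `ipa user-show <user> --all --raw` and report
whether the user holds a privilege directly (memberof) or through a role
(memberofindirect). Sample output is constructed."""

import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]


def parse_raw_output(text: str) -> Entry:
    """Turn '  attr: value' lines into a multi-valued map keyed by the
    lowercased attribute name (LDAP attribute names are case-insensitive)."""
    entry: Entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        attr, value = line.split(":", 1)
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas and lowercase each RDN for comparison."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def membership_kind(entry: Entry, cn: str, container: str) -> Optional[str]:
    """'direct' if cn=<cn>,<container>,... appears in memberof, 'indirect' if
    it appears only in memberofindirect, None if the user is not a member."""
    wanted = [f"cn={cn.lower()}"] + split_dn(container)
    for attr, kind in (("memberof", "direct"), ("memberofindirect", "indirect")):
        for dn in entry.get(attr, []):
            if split_dn(dn)[: len(wanted)] == wanted:
                return kind
    return None


def has_privilege(entry: Entry, privilege: str) -> Optional[str]:
    """Privileges live under cn=privileges,cn=pbac in FreeIPA's tree."""
    return membership_kind(entry, privilege, "cn=privileges,cn=pbac")


def roles_of(entry: Entry) -> List[str]:
    """Role names the user is a direct member of (cn=roles,cn=accounts)."""
    roles = []
    for dn in entry.get("memberof", []):
        if split_dn(dn)[1:3] == ["cn=roles", "cn=accounts"]:
            roles.append(re.split(r"(?<!\\),", dn)[0].split("=", 1)[1])
    return sorted(roles)


# Constructed sample in the layout of `ipa user-show realm-proxy --all --raw`.
SAMPLE_RAW = """\
  dn: uid=realm-proxy,cn=users,cn=accounts,dc=example,dc=com
  uid: realm-proxy
  memberof: cn=Smart Proxy Host Management,cn=roles,cn=accounts,dc=example,dc=com
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
  memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com
  memberofindirect: cn=Manage host keytab,cn=permissions,cn=pbac,dc=example,dc=com
"""

if __name__ == "__main__":
    user = parse_raw_output(SAMPLE_RAW)
    print("roles:", roles_of(user))
    print("Manage host keytab privilege:", has_privilege(user, "Manage host keytab"))
```

On the sample the privilege is reported as `indirect` (held through the role), which is the state the poster needed to reach; an account that shows `None` here will get the same "Insufficient access rights" from ipa-getkeytab no matter what its direct group memberships say.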

[Freeipa-users] ACI for ipa-getkeytab

2014-09-08 Thread James James
Hi everybody,

I want a user to be able to do ipa-getkeytab to retrieve the keys from any
host in the realm.

How can I do this ?

Where can I find an ACI example (
https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
which can help me?


Thanks for your help.

Re: [Freeipa-users] Centos 7 and 4.0

2014-08-22 Thread James
On Sat, Aug 23, 2014 at 12:13 AM, Chris Whittle cwhi...@gmail.com wrote:
 I'm trying to install the repo from
 https://copr.fedoraproject.org/coprs/pviktori/freeipa/ and when I go to
 install I get

  yum install freeipa-server

 Loaded plugins: fastestmirror, langpacks

 Repository pviktori-freeipa is listed more than once in the configuration


 http://copr-be.cloud.fedoraproject.org/results/pviktori/freeipa/fedora-7-x86_64/repodata/repomd.xml:
 [Errno 14] HTTP Error 404 - Not Found

 Trying other mirror.

 Loading mirror speeds from cached hostfile

  * base: mirror-centos.hostingswift.com

  * extras: centos.host-engine.com

  * updates: centos.arvixe.com

 No package freeipa-server available.

 Error: Nothing to do


 Am I missing something?  I remember that there was a thread about Centos 7
 and FreeIPA 4 but for the life of me I can't find it.

 Thanks
Just a guess but it's probably called ipa-server.
You can use yum search too.
Eg: 'yum search freeipa' to find it.

Cheers,
James




[Freeipa-users] Multi-OS FreeIPA in puppet-ipa

2014-08-17 Thread James
I've just pushed out a WIP feature branch for multi-os puppet-ipa. This
is an elegant way to create a multi-os compatible puppet module. It can
be useful for managing differences between RHEL and Debian, but also
between CentOS and RHEL, and even RHEL 6.x and RHEL 7, etc...

Some background on the technique when I did this for puppet-gluster:
https://ttboj.wordpress.com/2014/06/04/hiera-data-in-modules-and-os-independent-puppet/

Since I'm only currently testing CentOS/RHEL 6.x, please report any
issues with other versions or OS's, and I'll patch them ASAP.

WIP branch:
https://github.com/purpleidea/puppet-ipa/tree/feat/yamldata

I'll rebase this branch as new patches are added, and I'll usually keep
it current against git master. Once someone ACK's that it is working
against another OS or version, then I'll maintain it in git master.

Thank you,
James




Re: [Freeipa-users] Minimal permissions for joiner account?

2014-08-15 Thread James
On Fri, Aug 15, 2014 at 5:25 AM, Michael Lasevich
mlasev...@lasevich.net wrote:
 Sorry, I did not intend to belittle your efforts - just misread the code
Didn't take it that way, no worries :)

 (saw you pass in $admin and $password and made wrong assumption that $admin
 was admin username) as well as trying to avoid puppet as I find Salt much
 quicker and much simpler (and already established in my setup)

 I sat down tonight and threw together a quick salt reactor that does same
 thing as your module - creates the host account in IPA with a generated OTP
 password and joins the host to the domain using that generated OTP (and
 while at it, validates the host against AWS and populates the metadata into
 IPA) Ended up having to join the salt master to the domain, which I was
 avoiding doing for security reasons, but I can just disable IPA logins in
 PAM and call it a day. The nice bit is that it is using the host's keytab
 for authentication, so I do not need any extra credentials sitting around.
 Seems to be working just fine. :-). I ended up granting the salt-master host
 the Host Administrators privilege. It seems that Host Enrollment
 privilege is not sufficient to enroll hosts -  go figure.
Great!


 The only thing that bugs me is that I am calling IPA python code from my
 salt reactor python code via subprocess - there has got to be a better, more
 direct way -  but I found documentation too confusing to follow at 1 am -
 will be a project for another day.
There is the python ipa API, not sure how stable or official it is,
but if you look in my code I use it occasionally.



 Thanks for your help.
Cheers,
James



Re: [Freeipa-users] Minimal permissions for joiner account?

2014-08-14 Thread James
On Thu, Aug 14, 2014 at 7:29 PM, Michael Lasevich
mlasev...@lasevich.net wrote:
 Not that much. For one, I am using Salt instead of Puppet, but more
 importantly, if I am reading this correctly it seems to be just using full
 admin account. I can already do that. By orchestration I meant setting up
 the OTP for client join on the server, then passing that OTP to the client
 to join it. It is not that hard to throw together, but timing in this
 process can be problematic. I prefer to avoid it for the moment if I can and
 just create a non-admin account for this.


The point I was trying to make is that the puppet module I linked you
to does all of this automatically for you.

HTH,
James



Re: [Freeipa-users] Minimal permissions for joiner account?

2014-08-14 Thread James
On Thu, Aug 14, 2014 at 8:29 PM, Michael Lasevich
mlasev...@lasevich.net wrote:
 I appreciate it. Maybe I did not read it close enough, but it seemed to send
 the admin password to every client, which is what I am trying to avoid.
Oh no!! Definitely not :) I went to great pains to specifically avoid
this actually. If you're interested in how the DM and admin passwords
are managed, read:
https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/

If you're interested in how the clients auth, they do so via
getkeytab, and in order for that to work, puppet passes a temporary
one-time password to the client, uses it, and verifies that _that_
client auth-ed. If the password isn't used by that client, then a new
OTP is generated, and the original is discarded (as it was probably
used by the wrong client, or maliciously in that rare scenario).

All of this to say, that this was quite complex to write, so I would
consider using the module as is (and even extending it as needed!).
Secondly, I'd like to point out that I'm not doing any orchestration,
only config management. Which means this can actually scale!



 I will take a closer look, maybe I can bite the bullet and implement the few
 lines of code that are required to make this work in Salt (it would take way
 too much work and be generally counterproductive to switch to Puppet).

Of course I can only help with the puppet case, but if you don't
switch (this module is a winning module, in the same way that rails
saved ruby, so I would take a closer look) you can at least use it as
a reference architecture when writing a salt module. That's the beauty
of Free Software!

Good luck! HTH,
James

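A minimal model of the OTP hand-off and check James describes (issue a one-time password for the host, let the intended client enrol with it, then confirm that client is the one that consumed it and rotate the OTP otherwise), added here as an example for this page; it is not puppet-ipa's or FreeIPA's code. The in-process directory, the client's report-back and the OTP_LIFETIME rotation are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

OTP_LIFETIME = 600  # seconds an unused OTP stays valid (assumed policy, not from the page)


@dataclass
class HostEntry:
    """The slice of a host entry this flow depends on: an unused OTP is a
    one-time password on the host; enrolment replaces it with a keytab."""
    fqdn: str
    otp: Optional[str] = None
    issued_at: float = 0.0
    has_keytab: bool = False


class EnrollmentBroker:
    """The config-management master's side of the hand-off (model, not puppet-ipa)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.hosts: Dict[str, HostEntry] = {}
        self.reported: Set[str] = set()  # clients that reported back holding a keytab
        self.log: List[str] = []

    def issue_otp(self, fqdn: str) -> str:
        """Create or reset the host with a fresh random OTP (the role `ipa host-add
        --random` / `ipa host-mod --random` play). Any earlier keytab is dropped,
        the equivalent of disabling the host before re-enrolment."""
        entry = self.hosts.setdefault(fqdn, HostEntry(fqdn))
        entry.otp = secrets.token_urlsafe(24)
        entry.issued_at = self.clock()
        entry.has_keytab = False
        self.reported.discard(fqdn)
        self.log.append(f"{fqdn}: new OTP issued")
        return entry.otp

    def consume_otp(self, fqdn: str, otp: str) -> bool:
        """Directory side of enrolment: a valid OTP is traded for a keytab exactly
        once; the OTP is cleared in the same step so it cannot be replayed."""
        entry = self.hosts.get(fqdn)
        if entry is None or entry.otp is None or not secrets.compare_digest(entry.otp, otp):
            return False
        entry.otp = None
        entry.has_keytab = True
        return True

    def client_reports_enrolled(self, fqdn: str) -> None:
        """The intended client tells the master it now holds a keytab (assumed
        report-back channel, e.g. a fact)."""
        self.reported.add(fqdn)

    def verify(self, fqdn: str) -> str:
        """Reconcile directory state with what the client reported."""
        entry = self.hosts[fqdn]
        if entry.has_keytab and fqdn in self.reported:
            return "enrolled"
        if entry.has_keytab:
            # A keytab exists but our client never got one: the OTP was used by
            # some other party. Treat it as burned and start over with a new OTP.
            self.log.append(f"{fqdn}: OTP consumed by an unexpected party, rotated")
            self.issue_otp(fqdn)
            return "reissued"
        if entry.otp is not None and self.clock() - entry.issued_at > OTP_LIFETIME:
            self.log.append(f"{fqdn}: OTP expired unused, rotated")
            self.issue_otp(fqdn)
            return "reissued"
        return "pending"


def scenario_intended_client() -> str:
    """Happy path: the right client enrols and reports back."""
    broker = EnrollmentBroker()
    otp = broker.issue_otp("web1.example.com")
    broker.consume_otp("web1.example.com", otp)
    broker.client_reports_enrolled("web1.example.com")
    return broker.verify("web1.example.com")  # "enrolled"


def scenario_wrong_party():
    """The OTP was consumed, but web2 never reports: rotate, old OTP is dead."""
    broker = EnrollmentBroker()
    otp = broker.issue_otp("web2.example.com")
    broker.consume_otp("web2.example.com", otp)
    status = broker.verify("web2.example.com")  # "reissued"
    return status, broker.consume_otp("web2.example.com", otp)  # False


def scenario_expired():
    """Nobody used the OTP within OTP_LIFETIME: rotate, old OTP is dead."""
    now = [0.0]
    broker = EnrollmentBroker(clock=lambda: now[0])
    otp = broker.issue_otp("web3.example.com")
    now[0] = OTP_LIFETIME + 1
    status = broker.verify("web3.example.com")  # "reissued"
    return status, broker.consume_otp("web3.example.com", otp)  # False
```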


Re: [Freeipa-users] WebUI krbprincipal expiration calendar widget

2014-08-11 Thread James James
Thanks a lot for your answer. I will switch to RHEL 7 to use 3.3 ..
Best regards.

James


2014-08-11 17:05 GMT+02:00 Martin Kosek mko...@redhat.com:

 On 08/10/2014 01:58 PM, James James wrote:
  Hello,
 
 
  Is there a way to patch my ipa 3.0.0 with this patch:
  https://www.mail-archive.com/freeipa-devel@redhat.com/msg20528.html ?
 
  The DateTime data type will be very useful !
 
  Regards

 It would be quite difficult, if not only because of the API versioning
 problem
 we have with parallel branches of FreeIPA, like RHEL-6.x/CentOS-6.x is
 (judging
 based on your version).

 There is an upstream ticket filed:
 https://fedorahosted.org/freeipa/ticket/4427

 But I do not think it would help in your case. Especially as this is just a
 convenience fix, the best advice I can give is either to
 a) Hack this around in your IPA codebase, making sure that the capability
 API
 version is correct
 b) Live with old string variant
 c) Upgrade to newer IPA, like 3.3 in RHEL-7.0 or 4.0 in Fedora 20! :-)

 Martin


[Freeipa-users] WebUI krbprincipal expiration calendar widget

2014-08-10 Thread James James
Hello,


Is there a way to patch my ipa 3.0.0 with this patch:
https://www.mail-archive.com/freeipa-devel@redhat.com/msg20528.html ?

The DateTime data type will be very useful !

Regards

Re: [Freeipa-users] FreeIPA + Chef

2014-07-31 Thread James
On Thu, Jul 31, 2014 at 11:55 AM, Ash Alam a...@paperlesspost.com wrote:
 Hi

 I am currently deploying CentOS and FreeIPA and i am looking for some
 recommendation on chef cookbooks. I have googled around but haven't found
 anything that is current. I found a git repo from Sean OMeara but last
 contribution was 3 years ago.

 If anyone can point me in the right direction i would very grateful.

 Thank You


I've got a puppet module that I'm actively working on...
https://github.com/purpleidea/puppet-ipa

If you don't find a ready chef module, you can consider using puppet
instead, or start porting it to chef. A lot of the code can be
re-used, since my module contains a good amount of puppet.

HTH,
James



[Freeipa-users] FreeIPA replica topologies

2014-07-03 Thread James
Hi there,

Is the following correct or incorrect?

Say I want to build a triangle of ipa replicas. A - B - C - (back to A)

I do ipa-server-install on A
I do ipa-replica-prepare on A ... transfer files to B
I do ipa-replica-install on B
then:

Option ONE:
I do ipa-replica-prepare on B ... transfer files to C

Option TWO:
I do ipa-replica-prepare on A ... transfer files to C

Continuing on...
I do ipa-replica-install on C

Since all three hosts are now installed, to close the loop, I do :

Option ONE:
ipa-replica-manage connect C A

Option TWO:
ipa-replica-manage connect B C

Is this all correct? Is option ONE or option TWO preferable and why?
Is the closing of the loop the correct interpretation and method?
Can the closing of the loop be done from any host in the cluster ?
If there's a large cluster can it be done from someone not directly
connected to the two peers we want to connect?

Thanks again!
James




Re: [Freeipa-users] FreeIPA replica topologies

2014-07-03 Thread James
On Thu, Jul 3, 2014 at 3:39 AM, Simo Sorce sso...@redhat.com wrote:
 Option TWO is preferable if you have the CA only on A.
 You should be able to run the connect command on any administrative host
 IIRC.


Thanks for the reply!



Re: [Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-06 Thread James Scollard
That makes absolute perfect sense.  Thanks for the clarification. 
Unfortunately I have a new issue now.  Globalsign has issued me a pkcs7 
certificate.  FreeIPA does not recognize the format:


[root@ldapm6x00 ~]# ipa-server-install 
--dirsrv_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7 
--http_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7 
--root-ca-file=/root/STAR_CA-2048.crt

Usage: ipa-server-install [options]

ipa-server-install: error: no such option: --dirsrv_pkcs7

I need to convert it to pkcs12 using the converter here (awesome free tool):

https://www.sslshopper.com/ssl-converter.html

I need the server's private key file to convert from pkcs7 to pkcs12, 
but can't find it anywhere.  Is there a command to export it or does it 
live in /var/lib or /etc somewhere?


Thanks.

On 1/6/14 4:09 AM, Jan Cholasta wrote:

ipa-server-install --dirsrv_pkcs


--
James E. Scollard III

Senior Cloud Systems Architect
c: 615.730.4387
www.weather.com


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-06 Thread James Scollard
I have it now.  The --dirsrv_pkcs12 option seems to like pkcs7 formatted 
certificates, but the person who issued it did not set a password, so 
FreeIPA will not let me install it to know if it works for sure.  I am 
having the certificate reissued again with a password in pkcs12 format 
and all should be well with the world again.


Thanks for your help and guidance on this.  Your level of support is 
better than I could have expected.


On 1/6/14 11:01 AM, Rob Crittenden wrote:

James Scollard wrote:

That makes absolute perfect sense.  Thanks for the clarification.
Unfortunately I have a new issue now.  Globalsign has issued me a pkcs7
certificate.  FreeIPA does not recognize the format:

[root@ldapm6x00 ~]# ipa-server-install
--dirsrv_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7
--http_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7
--root-ca-file=/root/STAR_CA-2048.crt
Usage: ipa-server-install [options]

ipa-server-install: error: no such option: --dirsrv_pkcs7

I need to convert it to pkcs12 using the converter here (awesome free
tool):

https://www.sslshopper.com/ssl-converter.html

I need the server's private key file to convert from pkcs7 to pkcs12,
but can't find it anywhere.  Is there a command to export it or does it
live in /var/lib or /etc somewhere?


The private key exists wherever you generated the CSR. If you used openssl 
then it would be in a flat file somewhere. If you used NSS then it 
would be in that database.


rob




[Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-03 Thread James Scollard
When attempting to run the second part of the installation with an 
external CA (Globalsign) using my signed certificate and CA certificate 
chain I get the following;


[root@ldapm6x00 ~]# ipa-server-install 
--external_cert_file=/root/ldapm6x00.sun.weather.com.crt 
--external_ca_file=/root/sun.weather.com.crt


The log file for this installation can be found in 
/var/log/ipaserver-install.log

Directory Manager password:

Subject of the external certificate is not correct (got 
CN=*.sun.weather.com,O=The Weather Channel Interactive\, 
Inc,L=Atlanta,ST=Georgia,C=US, expected CN=Certificate 
Authority,O=SUN.WEATHER.COM).


CN= and O= are correct, so why is IPA refusing to use the certificate?  
It appears to be expecting bogus data instead of using the provided 
identity.  This doesn't appear to be an issue with the certificate, 
although I have never installed FreeIPA with a Globalsign certificate.  
I did not see this problem with Network Solutions wildcard certificates 
though.  Any suggestions would be appreciated.


Thanks.



Re: [Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-03 Thread James Scollard

Thanks for the reply,

Version:

Package freeipa-server-3.3.3-2.fc19.x86_64 already installed and latest 
version...


I'm not sure I understand the answer.

I created the CSR and they signed it using their automation, and 
returned the new ones to me for installation, which failed. 
SUN.WEATHER.COM is a valid Kerberos domain name, but not a valid O=.  
The node itself is x.sun.weather.com, we have a wildcard certificate 
for sun.weather.com, and this domain controller needs the certificate 
for the domain for setup to complete.


What am I doing wrong here?

On 1/3/14 3:58 PM, Rob Crittenden wrote:

James Scollard wrote:

When attempting to run the second part of the installation with an
external CA (Globalsign) using my signed certificate and CA certificate
chain I get the following;

[root@ldapm6x00 ~]# ipa-server-install
--external_cert_file=/root/ldapm6x00.sun.weather.com.crt
--external_ca_file=/root/sun.weather.com.crt

The log file for this installation can be found in
/var/log/ipaserver-install.log
Directory Manager password:

Subject of the external certificate is not correct (got
CN=*.sun.weather.com,O=The Weather Channel Interactive\,
Inc,L=Atlanta,ST=Georgia,C=US, expected CN=Certificate
Authority,O=SUN.WEATHER.COM).

CN= and O= are correct, so why is IPA refusing to use the certificate?
It appears to be expecting bogus data instead of using the provided
identity.  This doesn't appear to be an issue with the certificate,
although I have never installed FreeIPA with a Globalsign certificate. I
did not see this problem with Network Solutions wildcard certificates
though.  Any suggestions would be appreciated.


This isn't related to the external CA, it just can't modify the 
subject of the IPA CA, which it did in this case. I'm not even 
entirely sure what it would mean to have the CA certificate itself be 
a wildcard cert. Doesn't seem to be a valid use-case though.


Looks like this validation was added in v3.

rob





Re: [Freeipa-users] [Freeipa-devel] [SSSD] FreeIPA on Debian

2013-09-03 Thread James
Jumping in here, if someone is organizing a TODO list to get freeipa
on debian, feel free to add porting/testing puppet-ipa to this. I'm
the puppet-ipa [1] guy. I'm happy to work on that part whenever
someone has a working debian freeipa install for me to use. Once it
works or at least mostly, feel free to ping me somehow.

HTH,
James

[1] https://github.com/purpleidea/puppet-ipa



Re: [Freeipa-users] Providing minimal permissions to read replication status

2013-08-01 Thread James Hogarth
On 1 August 2013 09:36, Martin Kosek mko...@redhat.com wrote:


 The patch for this would do basically this:
 - remove the following aci:
 (targetattr != aci)(version 3.0; aci replica admins read access; allow
 (read,
 search, compare) groupdn = ldap:///cn=Modify Replication
 Agreements,cn=permissions,cn=pbac,$SUFFIX;)
 ... from installer and from LDAP as it is too general
 - add new permission ACI like this:

 (targetattr=*)(targetfilter=(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree)))(version
 3.0; acl permission:Read Replication Agreements; allow (read, search,
 compare) groupdn = ldap:///cn=Read Replication
 Agreements,cn=permissions,cn=pbac,$SUFFIX;)
 - make sure that Replication Administrators privilege has it assigned.

 I created an upstream ticket to track this effort:
 https://fedorahosted.org/freeipa/ticket/3829


Reading the upstream documentation I'm wondering if it'd be sensible to
include an additional ACI in replica-acis.ldif of:
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "dn || nsDS5ReplConflict || nsUniqueID")
 (targetfilter = "(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))")
 (version 3.0; aci "conflict read access"; allow (read, search, compare)
  groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)

From the upstream documentation here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html#Replication_Attributes_under_cnreplica_cnsuffixName_cnmapping_tree_cnconfig

This would allow a user with Read Replication Agreements permission to be
able to search for conflicts or tombstone records which would seem sane
from a monitoring point of view...

What do you think?

Also just to confirm the only thing I need to do with ACIs like this is to
update the ldif (delegation.ldif and replica-acis.ldif) with the new
role/privilege/permission and acis in install/share for the new installs
and add an appropriate entry (not quite ldif) in install/updates to update
the default schema of those updating in future, given no new attributes -
right?

Cheers,

James

Re: [Freeipa-users] Providing minimal permissions to read replication status

2013-08-01 Thread James Hogarth
On 1 August 2013 15:55, Rob Crittenden rcrit...@redhat.com wrote:

 James Hogarth wrote:




 On 1 August 2013 09:36, Martin Kosek mko...@redhat.com
 mailto:mko...@redhat.com wrote:


 The patch for this would do basically this:
 - remove the following aci:
 (targetattr != aci)(version 3.0; aci replica admins read access;
 allow (read,
 search, compare) groupdn = ldap:///cn=Modify Replication
 Agreements,cn=permissions,cn=pbac,$SUFFIX;)
 ... from installer and from LDAP as it is too general
 - add new permission ACI like this:
 (targetattr=*)(targetfilter=(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree)))(version
 3.0; acl permission:Read Replication Agreements; allow (read,
 search,
 compare) groupdn = ldap:///cn=Read Replication
 Agreements,cn=permissions,cn=pbac,$SUFFIX;)
 - make sure that Replication Administrators privilege has it
 assigned.

 I created an upstream ticket to track this effort:
 https://fedorahosted.org/freeipa/ticket/3829


 Reading the upstream documentation I'm wondering if it'd be sensible to
 include an additional ACI in replica-acis.ldif of:
 dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr = "dn || nsDS5ReplConflict || nsUniqueID")
  (targetfilter = "(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))")
  (version 3.0; aci "conflict read access"; allow (read, search, compare)
   groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)

  From the upstream documentation here:
 https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html#Replication_Attributes_under_cnreplica_cnsuffixName_cnmapping_tree_cnconfig

 This would allow a user with Read Replication Agreements permission to
 be able to search for conflicts or tombstone records which would seem
 sane from a monitoring point of view...

 What do you think?


 I think this would be a separate issue. Being able to find the conflicting
 issues leads directly to the question what do I do with them? That is
 ticket 
 https://fedorahosted.org/freeipa/ticket/1025


Thanks Rob - I think it worthwhile adding the permissions in place to at
least find them as a 'quick win' as it were ...

What to do after that is an interesting question and would probably take a
fair chunk of work to make it nicely visible plus show ways to resolve it.



  Also just to confirm the only thing I need to do with ACIs like this is
 to update the ldif (delegation.ldif and replica-acis.ldif) with the new
 role/privilege/permission and acis in install/share for the new installs
 and add an appropriate entry (not quite ldif) in install/updates to
 update the default schema of those updating in future, given no new
 attributes - right?


 You'll need to create a .update file in install/updates to modify an
 existing installation.


That's great - I had a look through the README in there and looking at
other similar bits appears to be fairly simple.

[Freeipa-users] Providing minimal permissions to read replication status

2013-07-31 Thread James Hogarth
Hi,

We're looking to add monitoring to our IPA replicas and want to provide a
user with the minimum possible permissions to do so.

Allowing the user to have the Replication Administrators role works but for
monitoring the ability to add/modify/remove is overkill by a long shot.

There's no existing permission for Read Replication Agreements - only add,
remove and modify.

I've tried to use ipa permission-add with --filter to allow access to
objectClass=nsds5replicationagreement but checking the status via:

ldapsearch -Y GSSAPI -h c6test2.c6ipa.local  -b cn=config
'(objectclass=nsds5replicationagreement)'

Does not show anything unless the account being tested with gets
replication administrator privileges...

I've tried using subtree as well but the ipa command errors that the base
of cn=config is not $SUFFIX ... and out of scope.

What am I missing to set this up - or is this not possible with the
role/privilege/permission mechanism within IPA? I can see how the
replication administration permissions are added in replica-acis.ldif but
I'm concerned that if I manually add an ACI via pure LDIF commands it will
cause issues with future IPA upgrades due to schema differences - so was
hoping to remain within the IPA command side of things...

1) Is this even possible with the ipa command?
2) If I use ldapmodify to add a new permission by hand via ldif for Read
Replication Agreements will this likely break on IPA upgrades in future?

Cheers,

James

Re: [Freeipa-users] Question about design of ldap dns

2013-07-17 Thread James Hogarth
 Please contact me on IRC (pspacek in #freeipa @ FreeNode) or via e-mail.
 We need to coordinate, because bind-dyndb-ldap is undergoing heavy
 refactoring right now.

 Also, remember that modification in bind-dyndb-ldap will require
 modification on FreeIPA side (CLI/WebUI/API).


Sure - I'm usually in #freeipa as JHogarth when I'm about ...

Yes indeed .. I've been doing quite a bit of work in dns.js the past week
or so to expose TTL in general anyway...


 We can't do this, because definition of *Record attributes is outside of
 our control. Definitions of these attributes come from
 http://drift.uninett.no/nett/ip-nett/dnsattributes.schema
 and it is used by BIND DLZ LDAP driver.


Ah that's a shame ... it would have been quite a smooth way to handle it
but compatibility is of course critical.


Could you post some real world examples, please? I would love to see some
 real world records with real TTLs and statistics.
 How many names with different TTLs have you?
 How many names and records have you in total?


As one example TXT record and SSHFP to describe a system (and its
fingerprint) having a long TTL since they are unlikely to change and an A
record with a shorter TTL for a dynamic DNS scenario with a non-sticky
lease.

There was a specific issue I was bumping into with this in the past (but
not a major one) and became an itch to scratch... especially since BIND
zone files would support such a setup but the bind-dyndb-ldap won't ... the
disparity was something that niggled at me.

In all honesty this is an edge case and since I was planning to dive in
anyway I thought I might as well take a look given I have some free time at
the moment... The default TTL in bind-dyndb-ldap and the exposing/modifying
TTL in the Web UI is not dependent on such behaviour in any way.


This could work, but it has significant overhead. At least indexes in LDAP
 server could grow rapidly.


That is a legitimate concern for sure...


 The other problem is that you will lose the uniqueness-check on LDAP side.
 DNS doesn't allow one record with same name and data to appear multiple
 times and current attribute-based design prevents this 'for free'.


But you would still be limited to this since there could only be one
arecord, txtrecord, etc for a given idnsname with that structure.



 The other problem is that records in single RRset can't have multiple TTL
 values. I.e. (under single name) all A records have to have the same TTL,
 all  records have to have the same TTL etc.


Hmm I'll have to check BIND again but I thought that when doing round robin
A records (as an example) differing TTL was possible ... but admittedly
I've not verified this and this would be an inconsistency if so.


 Of course, all of these can be handled in bind-dyndb-ldap, but doing so on
 database side is much more elegant.


Agreed on this



 dn: idnsName=bar+dNSTTL=3600,idnsName=example.com
 idnsName: bar
 dNSTTL: 3600
 aRecord: 5.6.7.8

 This way you don't have to change the format of existing attributes nor
 add
 new attributes.


 This one is my favourite, but again: It will require refactoring on
 FreeIPA side. Also, I'm not sure if this could work with BIND DLZ LDAP...


I do like the compound RDN idea but it sounds like it would potentially be
a lot of upheaval...



 To summarize it: Is it worth to spend time on this? I would love to see
 some real numbers.


Good question! It's an itch I have a couple of weeks to scratch at the
moment so there's no 'cost' on my time right now associated with it
(although I recognise it increases complexity for the maintainers and QA of
course as an after-effect)... but the complexity is fairly high and could
potentially touch a lot of areas...

The more basic bit of work I was doing (just the exposure and modification
of TTL in the UI) would have a far improved cost-benefit ratio and only
touches dns.js and dns.py (the latter I propose exposing TTL by default
rather than needing --all for it in the API ... it makes the dns.js changes
cleaner).

Adding the ability to configure default TTL in bind-dyndb-ldap also doesn't
need any of the per RRtype stuff so avoids complexity there...


 Thank you for your time and passion!


Well it's about time the linux world had something like this (rather than
the old mish-mash of kerberos, openldap, etc and associated scripts to sort
of glue users together that was the previous situation) so I champion it
wherever I can!

James

[Freeipa-users] Question about design of ldap dns

2013-07-15 Thread James Hogarth
Hi guys,

I'm just picking up the nice to have ticket of configure the default TTL as
part of my general TTL refactor work seeing as the exposing and
modification of TTL in the UI is unlikely to be complete before 3.3 freeze
(mostly working but a few bugs remaining) :

https://fedorahosted.org/bind-dyndb-ldap/ticket/70

https://fedorahosted.org/freeipa/ticket/2956

The approach I'm considering is to make the record capable of an individual
TTL by just appending the TTL to the record so it would look like:
dn: idnsName=bar, idnsName=example.com, cn=dns, dc=example, dc=com
idnsName: bar
ARecord: 192.168.1.100 7200

This is an approach that matches how things like MX and SRV are dealt with
(except those have numbers at the front) and would require much simpler
modifications.

Then there would be a precedence to the actual TTL used in this order:
1) If a TTL is in the record data use that
2) If a TTL is in the idnsName data (the current dnsTTL attribute) then use
that
3) If a TTL is in the zone data (as per the ticket name to be decided) then
use that
4) If a TTL is specified in the named.conf configuration for the
bind-dyndb-ldap plugin then use that.

Although potentially not as nice as making each data entry a first class
citizen as an object in LDAP such as for an example:
dn: aRecord=192.168.1.100,idnsName=bar, idnsName=example.com, cn=dns,
dc=example, dc=com
aRecordName: bar
aRecordData: 192.168.1.100
aRecordTTL: 7200

It'd require far less upheaval in terms of migrations and testing...

What are your thoughts on this before I start digging into this part of the
code base?

Cheers,

James
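The TTL precedence proposed above, carried through as an added example written for this page (not bind-dyndb-ldap or FreeIPA code): it parses the trailing-TTL record form, applies the four fallbacks in the order listed, and flags the case raised in the reply to this proposal, an RRset whose records would end up with differing TTLs. The attribute field table and the sample entries are constructed.

```python
from typing import Dict, List, Optional, Set, Tuple

# Whitespace-separated fields the RDATA itself needs (constructed table, limited
# to types with a fixed field count). TXT is deliberately absent: its free-form
# text may legitimately end in a number, so a trailing integer there would be
# ambiguous under the "append the TTL" scheme.
RDATA_FIELDS = {
    "arecord": 1,
    "aaaarecord": 1,
    "cnamerecord": 1,
    "ptrrecord": 1,
    "mxrecord": 2,   # preference target
    "srvrecord": 4,  # priority weight port target
}


def split_record_ttl(attr: str, value: str) -> Tuple[str, Optional[int]]:
    """Return (rdata, per_record_ttl). A trailing integer counts as a TTL only
    when the value has more fields than the RDATA needs, so the leading numbers
    of MX/SRV are never mistaken for one."""
    fields = value.split()
    need = RDATA_FIELDS.get(attr.lower())
    if need is None or len(fields) <= need or not fields[-1].isdigit():
        return value, None
    return " ".join(fields[:-1]), int(fields[-1])


def effective_ttl(record_ttl: Optional[int], entry: dict,
                  zone_default: Optional[int], named_conf_default: int) -> int:
    """Precedence from the post: 1) record data, 2) the entry's dNSTTL,
    3) the zone default, 4) the bind-dyndb-ldap setting in named.conf."""
    if record_ttl is not None:
        return record_ttl
    if entry.get("dnsttl") is not None:
        return int(entry["dnsttl"])
    if zone_default is not None:
        return zone_default
    return named_conf_default


def build_rrsets(entry: dict, zone_default: Optional[int], named_conf_default: int):
    """Group one idnsName entry into RRsets of (rdata, ttl) and report the record
    types whose members end up with different TTLs. That is the caveat from the
    reply: all records in one RRset must share a TTL, so such sets cannot be
    served as written and need to be reconciled before loading."""
    rrsets: Dict[str, List[Tuple[str, int]]] = {}
    for attr, value in entry["records"]:
        rdata, ttl = split_record_ttl(attr, value)
        ttl = effective_ttl(ttl, entry, zone_default, named_conf_default)
        rrsets.setdefault(attr.lower(), []).append((rdata, ttl))
    conflicts: Set[str] = {
        rtype for rtype, rrs in rrsets.items() if len({ttl for _, ttl in rrs}) > 1
    }
    return rrsets, conflicts


# Constructed sample entries in the shape of the post's LDIF: (attribute, value).
BAR = {
    "idnsname": "bar",
    "dnsttl": 3600,
    "records": [
        ("aRecord", "192.168.1.100 7200"),          # per-record TTL wins
        ("aRecord", "192.168.1.101"),               # falls back to dNSTTL
        ("mXRecord", "10 mail.example.com. 86400"),  # leading number is RDATA
    ],
}
BAZ = {"idnsname": "baz", "dnsttl": None, "records": [("aRecord", "192.168.1.200")]}

if __name__ == "__main__":
    rrsets, conflicts = build_rrsets(BAR, zone_default=1800, named_conf_default=86400)
    for rtype, rrs in rrsets.items():
        print(rtype, rrs)
    print("RRsets with mixed TTLs:", conflicts)   # {'arecord'}
    print(build_rrsets(BAZ, 1800, 86400)[0])      # zone default applies
    print(build_rrsets(BAZ, None, 86400)[0])      # named.conf default applies
```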

Re: [Freeipa-users] sudo rules user and host group bugs?

2013-07-15 Thread James Hogarth

 Did anyone find a solution for this?  I am having the same experience.




Wow that was a mess...

To use hostgroups for sudo ensure nisdomainname is set on the hosts to the
IPA domain.

Re: [Freeipa-users] named seg faulting

2013-07-02 Thread James Hogarth

 I meanwhile I recommend you to build version 2.6:

https://fedorahosted.org/released/bind-dyndb-ldap/bind-dyndb-ldap-2.6.tar.bz2

 It includes some fixes not-yet accepted for RHEL.


Interesting... I might build and test but generally I prefer to keep to
packages accepted to rhel...

As an FYI to other CentOS users the srpm was published yesterday and was
built and pushed to the CentOS repositories last night.

Re: [Freeipa-users] named seg faulting

2013-07-01 Thread James Hogarth
 Upgrade to bind-dyndb-ldap-2.3-2.el6_4.1 should fix the problem.


 Thanks Petr ... looks like that's not in the CentOS repositories ... I'll
 give those guys a heads up ...





A quick look and it appears that the SRPM isn't in the public FTP server
... opened bug https://bugzilla.redhat.com/show_bug.cgi?id=980046 to get
this corrected.

James

Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-14 Thread James Hogarth
 I believe that at one point we included a configuration very similar to
 the snippet above in man sssd-sudo. It should be there in 6.4, not 100%
 sure now.


Just checked the man page and indeed that minimal snippet is there ...

I really need to spend more time going through new man pages etc at each
point release!

My quick testing has it working a treat though and it's a lot more
lightweight with the caching going on than it was before

I've just let a couple of my colleagues know who were struggling a bit with
the ldap-sudo and binding stuff ... this is just so much simpler.

Re: [Freeipa-users] Syncing with AD

2013-05-15 Thread James A
On Tue, May 14, 2013 at 5:07 PM, Rich Megginson rmegg...@redhat.com wrote:

 On 05/14/2013 07:57 AM, Rob Crittenden wrote:

 James A wrote:

 Hello all,

 I have been playing with trying to set up synchronization between
 windows AD -- IPA  following the instructions at
 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

 A few questions arise;

 1.) The documentation (specifically on
 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html),

 (under table 9.2) talks about options to the ipa-replica-manage
 connect command. Among others, --bindpw and --passsync.  With --binddn
 we specify the full user DN of the synchronization identity (and it's
 password with --bindpw ... but I fail to understand which users password
 should be used for --passsync??  Is it the same user?


 No, a special IPA system account user is needed so the PassSync service
 running in AD can bind to the IPA LDAP server to make password changes.
 This entry needs to be created in IPA regardless of whether you are using
 the PassSync service or not.

 So binddn/bindpw is for the AD user we use to bind from IPA to AD, and
 passsync is the password set on the IPA passsync account.

 2.) The documentation says that the synchronization identity (see also
 above) must exist in the AD domain and must have replicator, read,
 search and write permissions on the AD subtree.  What I am trying to do
 is create a one way sync from AD -> IPA and I would really like to
 avoid using a user (for synching) that has write permissions (in the
 AD).  All my tries in setting up synchronization fail unless I add the
 synch-user to the group Administrators. I have tried (and failed)
 using account admins etc.   Any pointers here would be great. Sorry
 for my ignorance when it comes to Windows. I am sure I am missing
 something obvious.

 3.) I follow the instructions under 9.4.5
 (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync)

 to setup Uni-directional sync. (only AD -> IPA), and yet, when I go to
 remove an account in IPA it gets removed also in the AD.  (This I really
 want to avoid, thus the need for a read-only user to do the
 synchronization - see question 2).


 I'm not really sure about #2 or #3. Hopefully one of the 389-ds devs will
 chime in with some suggestions.


 Write access is not required if you are only doing one way sync.
 Here is the information about adding the specific rights to the windows
 sync user
 http://port389.org/wiki/Howto:WindowsSync#Creating_AD_User_with_Replication_Rights


BINGO :)  Thank you!  Now I am very close!

The instructions read: "In the 'Permissions for Windows Sync' list, make
sure Read is checked under the Allow column."   This I don't have (I can't
find this setting where the instructions say it should be). I do have
replicate directory changes, replicating directory changes all,
replication synchronization and monitor active directory replication.
When I set Replication Synchronization and Replicate Directory Changes
permissions on the user, I can sync new accounts using this user account.

But...

When I delete a user on the IPA server, then sync again the user doesn't
show up in IPA.
The good news is that the user doesn't get deleted in the AD, but I can't
sync it back to the IPA.

If I create a new user in the AD it gets synced ok. (to IPA).



I realize some of these are more windows/AD-centric issues, but given that
I use IPA for syncing from the AD I hope maybe someone on this mailing list
can shed some (more) light on this.

thanks,

//James.

  All in all I think the FreeIPA project is amazing and it really gives us
 in the Linux community something we haven't had before.   If I can iron
 out the problems above I am sure it will become a great tool for me and
 my client.


 Glad you like it!

 cheers

 rob

 __**_
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/**mailman/listinfo/freeipa-usershttps://www.redhat.com/mailman/listinfo/freeipa-users



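As an added example (not from the thread, and not the project's own code): a PowerShell audit, using the RSAT ActiveDirectory module in a domain-joined session, that lists which of the replication extended rights the AD sync account actually holds on the domain naming context and whether it sits in Administrators, so it can be left with only what a one-way sync needs. The account name is a placeholder; the GUIDs are the schema's controlAccessRight values for the rights named in the thread.

```powershell
# Added example, not from the thread: audit what an AD sync account holds on the
# domain naming context. Requires the RSAT ActiveDirectory module in a domain session.
Import-Module ActiveDirectory

# controlAccessRight GUIDs for the extended rights the thread discusses
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
    'f98340fb-7c5b-4cdb-a00b-2ebdfa115a96' = 'Monitor Active Directory Replication'
}

function Get-SyncAccountReplicationRights {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $domainDN = (Get-ADDomain).DistinguishedName
    $sid      = (Get-ADUser -Identity $SamAccountName).SID
    $account  = $sid.Translate([System.Security.Principal.NTAccount]).Value

    # Only explicit per-right ACEs for this account are matched; a GenericAll ACE
    # or group-derived rights would not show up here, hence the group check below.
    $acl     = Get-Acl -Path "AD:\$domainDN"
    $granted = foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $account) { continue }
        $isExtended = ($ace.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $name = $ReplicationRights[$ace.ObjectType.ToString()]
        if ($isExtended -and $name) {
            [pscustomobject]@{ Right = $name; Access = $ace.AccessControlType }
        }
    }

    # Membership in Administrators grants far more than a one-way sync needs
    $inAdmins = [bool](Get-ADGroupMember -Identity 'Administrators' -Recursive |
        Where-Object { $_.SID.Value -eq $sid.Value })

    [pscustomobject]@{
        Account           = $SamAccountName
        ReplicationRights = @($granted | ForEach-Object Right)
        InAdministrators  = $inAdmins
    }
}

# 'ipa-winsync' is a placeholder account name
Get-SyncAccountReplicationRights -SamAccountName 'ipa-winsync' | Format-List
```

For the read-only sync described in the thread, the expected result is the Replicating Directory Changes and Replication Synchronization rights allowed and InAdministrators false.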
