Re: [Freeipa-users] Funny Looking Records

2017-03-24 Thread Martin Babinsky
On Thu, Mar 23, 2017 at 10:10:04PM -0700, Ian Harding wrote:
>I have some funny looking records left over from a deleted replica.  I
>think this is why I see it in the list of servers and can't delete the
>server.
>
>ldapsearch -D 'cn=Directory Manager' -W -b
>'cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks' dn
>
>## These records have the name of the deleted server in them ##
>
>
>dn:
>cn=freeipa-dal.bpt.rocks+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks
>dn:
>cn=CA+nsuniqueid=5148cf38-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.rocks+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks
>dn:
>cn=KDC+nsuniqueid=5148cf40-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.rocks+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks
>dn:
>cn=KPASSWD+nsuniqueid=5148cf41-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.rocks+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks
>dn:
>cn=MEMCACHE+nsuniqueid=5148cf42-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.rocks+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks
>dn:
>cn=HTTP+nsuniqueid=5148cf45-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.rocks+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks
>dn:
>cn=OTPD+nsuniqueid=5148cf46-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.rocks+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks
>dn:
>cn=DNS+nsuniqueid=9cfb790e-6a5111e6-a4bad0d8-a4feaa1b,cn=freeipa-dal.bpt.rocks+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn=masters,cn=ipa,cn=etc,dc=bpt,dc=rocks
>
>How can I make them go away?
>
>-- 
>Ian Harding
>IT Director
>Brown Paper Tickets
>1-800-838-3006 ext 7186
>http://www.brownpapertickets.com
>

These are replication conflicts, please consult
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
on how to handle them.

-- 
Martin Babinsky

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] consumer replica which does not show up in ruv list

2017-03-07 Thread Martin Babinsky
On Tue, Mar 07, 2017 at 09:55:52AM +, lejeczek wrote:
>hi,
>
>I presume I need to use ldapmodify/delete?
>I found this(obfuscated by me):
>
>cn=dzien.priv.xx.xx.priv.xx.xx.x+nsuniqueid=9e47680e-296e11e6-83a59f45-6ec26a1e,cn=masters,cn=ipa,cn=etc,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>
>To confirm? Would removing it fix the problem? I'm probably missing something
>else, aren't I?
>
>many thank,
>L



That seems like a replication conflict. Consult the following guide to solve
it:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

Just a side question, how did you end up with such an entry? Did you happen to
upgrade multiple IPA masters at once?

-- 
Martin Babinsky



Re: [Freeipa-users] ldapsearch for AD users

2017-02-21 Thread Martin Babinsky

On 02/21/2017 09:10 PM, Hanoz Elavia wrote:

Hello,

I've got the FreeIPA server with AD trust (Server 2008 R2) setup and
running. I can login successfully on linux clients using AD credentials.
I'm now trying to setup my Isilon storage appliance with mixed mode file
sharing.

The filer has joined the AD so it provides Windows users access to the
files. However, being a legacy client, it uses simple bind to query ldap
for uid and gid. I was able to setup FreeIPA as the ldap server but it
doesn't seem to return the uid and gid for AD objects.

The query my storage is using is as follows:

ldapsearch -x -W -z 10 -H ldap://ipa.server.com 
-b 'cn=compat,dc=ipa,dc=server,dc=com' -D
'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com'
'(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=nisNetgroup)(objectClass=person))'

The following command will obtain all the IDs for the native FreeIPA
users / groups but doesn't return any results for AD users. Is there a way
to get this done? I can't install any clients on the Isilon as it uses a
BSD based proprietary software. I can manually map FreeIPA assigned uids
/ gids but that's tedious and error prone. Any help would be appreciated.

Regards,

H.




Hi Hanoz,

please bear in mind that in an AD trust scenario the AD users are *not* 
stored on the IPA server, so you have to query the AD DC directly for AD user 
attributes.


--
Martin^3 Babinsky



Re: [Freeipa-users] Cannot enter $ character in "group name" of "user groups"

2017-02-15 Thread Martin Babinsky

On 02/15/2017 10:57 AM, Dimitris Beletsiotis wrote:

Hello,

Despite the documentation that says that we can use $ in "group names"
the web gui does not allow it, pls see attached.
Is there some option to enable this?

Thanks,
Dimitris Beletsiotis




The IdM documentation states that the dollar sign at the end of a user/group 
name is allowed for Samba 3.x support[1]. I am yet to find a reason why $ is 
forbidden in all other positions.


[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-users-life-cycle.html#username-format


--
Martin^3 Babinsky



Re: [Freeipa-users] lost master master and soa

2017-02-13 Thread Martin Babinsky

On 02/13/2017 10:12 PM, Aaron Young wrote:

hello

So, I recently took over this site and a couple days into it, the first
ipa server died because of disk corruption.

Right now, I've built another ipa server to step into the topology as a
replica, but I keep getting strange dns errors during update

Looking at it closer, it appears that when nsupdate runs, it fails updating

looking closer, I notice that the SOA comes back with the name of the
missing server

So, it seems like I should change that. So far I've been unable to

I get messages back from nsupdate like

"response to SOA query was unsuccessful"

I'm not sure what information I should send to help with this

My main question is, is there a way to force the change of the SOA?

aaron
--
Aaron Young
MarketFactory, Manager of Site Reliability Engineering
425 Broadway, 3FL
New  York, NY 10013
Office: +1 212 625 9988
Direct +1 646 779 3710
US Support: +1 (212) 625-0688  | UK
Support: +44 (0) 203 695-7997 




Hi Aaron,

there may be some stale NS record on other IPA masters which serve your 
DNS zone. You can verify this by running:


# ipa dnsrecord-show  @

and check the list of nameservers returned.

To remove the record of the old master run

# ipa dnsrecord-del   @ --ns-rec 

Also, make sure you cleaned up old agreements, services, etc. of the old 
master by running `ipa-replica-manage del --force --cleanup 
` on some other IPA master.


You will also probably have to stand up a new CA renewal/CRL master[1] 
on one of the remaining replicas if the first server died and you have a CA 
configured.


[1] http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Hope this helps

--
Martin^3 Babinsky



Re: [Freeipa-users] replica install - Insufficient 'add' privilege ?

2017-02-10 Thread Martin Babinsky

On 02/10/2017 01:29 PM, lejeczek wrote:

hi everyone,

I'm trying something mundane(can't think why, how my setup would be
special/different) - replica installation - but I hit this:

 [42/44]: activating extdom plugin
  [43/44]: tuning directory server
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERRORInsufficient
access: Insufficient 'add' privilege to add the entry
'cn=NTP,cn=work3.whale.private,cn=masters,cn=ipa,cn=etc,dc=whale,dc=private'.
ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
ipa-replica-install command failed. See /var/log/ipareplica-install.log
for more information

$and logs tail:

2017-02-10T12:20:46Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-WHALE-PRIVATE.socket
conn=
2017-02-10T12:20:47Z DEBUG Destroyed connection context.ldap2_84192272
2017-02-10T12:20:47Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
318, in run
cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 310, in run
self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 332, in execute
for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 372, in __runner
self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 394, in _handle_exception
six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 362, in __runner
step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 359, in 
step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 586, in _configure
next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 372, in __runner
self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 449, in _handle_exception
self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 394, in _handle_exception
six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 446, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 394, in _handle_exception
six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 362, in __runner
step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 359, in 
step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
line 63, in _install
for nothing in self._installer(self.parent):
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1714, in main
promote(self)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 364, in decorated
func(installer)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1425, in promote
remote_api.env.realm)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/ntpinstance.py",
line 43, in ntp_ldap_enable
ntp.ldap_enable('NTP', fqdn, None, base_dn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 512, in ldap_enable
self.admin_conn.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1492, in add_entry
self.conn.add_s(str(entry.dn), list(attrs.items()))
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
971, in error_handler
raise errors.ACIError(info=info)

2017-02-10T12:20:47Z DEBUG The ipa-replica-install command failed,
exception: ACIError: Insufficient access: Insufficient 'add' privilege
to add the entry
'cn=NTP,cn=work3.whale.private,cn=masters,cn=ipa,cn=etc,dc=whale,dc=private'.
2017-02-10T12:20:47Z 

Re: [Freeipa-users] Trust between freeipa servers of different domains

2017-02-03 Thread Martin Babinsky

On 02/03/2017 03:49 PM, ivan lago wrote:

Hello,

Is it possible to configure 2 freeipa servers, serving different domains
(let's say dom1.com  and dom2.com ) to
establish a trust so that users from one domain can use resources under
the control of the other one?
And if it is possible, would it be doable to establish cross-servers
user groups, with users from both the servers?

Initially I would be in control of both of servers, so I would be able
to do any needed “hack” on the configuration.

Thanks,

Ivan




Hi Ivan,

there is no IPA-IPA trust functionality implemented. It is on the 
roadmap but the work on the feature won't start anytime soon.


--
Martin^3 Babinsky



Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread Martin Babinsky

On 02/01/2017 04:26 PM, deepak dimri wrote:

Yes, Martin - i do see requests hitting
replica.. /var/log/httpd/error_log shows:

[Wed Feb 01 15:16:47.469766 2017] [:error] [pid 2464] ipa: INFO:
ad...@xxx.xyz.com <mailto:ad...@xxx.xyz.com>: batch:
host_show(u'xxx.abx.xyz <http://xxx.abx.xyz>', rights=True, all=True):
SUCCESS

I used ansible playbook to build the replica server. ran
ipa-replica-prepare on the primary:
ipa-replica-prepare {{ replica_dns }} --password={{ipa_password}}
--no-wait-for-dns

copied the replica file over to replica server:
scp -oStrictHostKeyChecking=no -i ~/.ssh/{{ssh_keyname}}.pem
/var/lib/ipa/replica-info-{{ replica_dns }}.gpg root@{{
replica_dns }}:/var/lib/ipa/

ran the replica install on the replica server:
ipa-replica-install /var/lib/ipa/replica-info-{{  replica_dns }}.gpg
--password={{ipa_password}} --admin-password={{ipa_password}}

I have noticed that if i directly use the replica (bypassing proxy)  URL
then the objects show after waiting for over a minute or so. When i use
proxy pass then it just times out after a few seconds.

No clue why its behaving like this

Many Thanks,
Deepak

On Wed, Feb 1, 2017 at 6:45 PM, Martin Babinsky <mbabi...@redhat.com
<mailto:mbabi...@redhat.com>> wrote:

On 02/01/2017 11:17 AM, deepak dimri wrote:

Hello Martin, Thank you so much for your reply.

I checked /etc/ipa/default.conf 'xmlrpc_uri' on my secondary
server and
its pointing to its own hostname and not to primary server
hostname :(

any other clue, Martin?

I have tried without proxy and again no luck either, it's throwing the
same
gateway_error

Regards,
Deepak

On Wed, Feb 1, 2017 at 3:03 PM, Martin Babinsky
<mbabi...@redhat.com <mailto:mbabi...@redhat.com>
<mailto:mbabi...@redhat.com <mailto:mbabi...@redhat.com>>> wrote:

On 02/01/2017 10:22 AM, deepak dimri wrote:

Hi All,

I have two IPA servers - primary and secondary running. the
secondary
ipa server is installed using ipa replica image of primary.
While doing
the testing i realised that when i manually shut down my
primary ipa
server making my secondary server to serve the UI. And
now when
i try to
access user or hosts details using my secondary server
then i am
getting
below error in the UI. I am able to login fine though; it is
just that
when i double click on host objects then i get the error.


  An error has occurred (GATEWAY_TIMEOUT)


I am still trying to troubleshoot as why i am getting
timeout
error but
thought of asking the group here to see if some one can
share
some pointers

Many Thanks,
Deepak


Hi Deepak,

please check /etc/ipa/default.conf on the secondary server
and check
the value of 'xmlrpc_uri'. Maybe it points to the URL of primary
server and that's why you get timeouts when it is down.

Re-setting it to the secondary server itself should fix it.

--
Martin^3 Babinsky




Adding freeipa-users back to loop.

That is strange, how did you stand up the replica?

You can also inspect /var/log/httpd/error_log on the replica to see
whether the commands from the WebUI reach the local HTTP server at all.

--
Martin^3 Babinsky




Deepak,

please keep replying to freeipa-users mailing list, otherwise other 
members do not get updates on your problem.


As for the issues with replica, I did not notice before that you are 
connecting to WebUI through a proxy, what kind of proxy is that and how 
is it configured?


Nevertheless waiting for over a minute to display entries does not sound 
right. I would investigate the root cause of this performance regression 
by checking DS access and error logs on the replica 
(/var/log/dirsrv/slapd-$YOUR_REALM/{access,errors}).


Does the master also take so long to respond? What are the IPA 
versions of master/replica?


--
Martin^3 Babinsky



Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread Martin Babinsky

On 02/01/2017 11:17 AM, deepak dimri wrote:

Hello Martin, Thank you so much for your reply.

I checked /etc/ipa/default.conf 'xmlrpc_uri' on my secondary server and
its pointing to its own hostname and not to primary server hostname :(

any other clue, Martin?

I have tried without proxy and again no luck either, it's throwing the same
gateway_error

Regards,
Deepak

On Wed, Feb 1, 2017 at 3:03 PM, Martin Babinsky <mbabi...@redhat.com
<mailto:mbabi...@redhat.com>> wrote:

On 02/01/2017 10:22 AM, deepak dimri wrote:

Hi All,

I have two IPA servers - primary and secondary running. the
secondary
ipa server is installed using ipa replica image of primary.
While doing
the testing i realised that when i manually shut down my primary ipa
server making my secondary server to serve the UI. And now when
i try to
access user or hosts details using my secondary server then i am
getting
below error in the UI. I am able to login fine though; it is
just that
when i double click on host objects then i get the error.


  An error has occurred (GATEWAY_TIMEOUT)


I am still trying to troubleshoot as why i am getting timeout
error but
thought of asking the group here to see if some one can share
some pointers

Many Thanks,
Deepak


Hi Deepak,

please check /etc/ipa/default.conf on the secondary server and check
the value of 'xmlrpc_uri'. Maybe it points to the URL of primary
server and that's why you get timeouts when it is down.

Re-setting it to the secondary server itself should fix it.

--
Martin^3 Babinsky





Adding freeipa-users back to loop.

That is strange, how did you stand up the replica?

You can also inspect /var/log/httpd/error_log on the replica to see 
whether the commands from the WebUI reach the local HTTP server at all.


--
Martin^3 Babinsky



Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread Martin Babinsky

On 02/01/2017 10:22 AM, deepak dimri wrote:

Hi All,

I have two IPA servers - primary and secondary running. the secondary
ipa server is installed using ipa replica image of primary.  While doing
the testing i realised that when i manually shut down my primary ipa
server making my secondary server to serve the UI. And now when i try to
access user or hosts details using my secondary server then i am getting
below error in the UI. I am able to login fine though; it is just that
when i double click on host objects then i get the error.


  An error has occurred (GATEWAY_TIMEOUT)


I am still trying to troubleshoot as why i am getting timeout error but
thought of asking the group here to see if some one can share some pointers

Many Thanks,
Deepak



Hi Deepak,

please check /etc/ipa/default.conf on the secondary server and check the 
value of 'xmlrpc_uri'. Maybe it points to the URL of primary server and 
that's why you get timeouts when it is down.


Re-setting it to the secondary server itself should fix it.

--
Martin^3 Babinsky



Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Martin Babinsky

On 01/04/2017 07:21 AM, Ben .T.George wrote:

HI

while trying to create ipa replica, i am getting below error,

Replica creation using 'ipa-replica-prepare' to generate replica file
is supported only in 0-level IPA domain.

The current IPA domain level is 1 and thus the replica must
be created by promoting an existing IPA client.

To set up a replica use the following procedure:
1.) set up a client on the host using 'ipa-client-install'
2.) promote the client to replica running 'ipa-replica-install'
*without* replica file specified

'ipa-replica-prepare' is allowed only in domain level 0
The ipa-replica-prepare command failed.


i have IPA master server without AD integration and DNS is managed by
3rd party appliances.



Regards,
Ben




Hi Ben,

If you installed an IPA 4.4 server, then domain level 1 is the default. This 
domain level uses a different mechanism to stand up replicas. See the 
latest IdM documentation[1] for more details.


[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html


--
Martin^3 Babinsky



Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Martin Babinsky

On 01/02/2017 11:22 PM, Alan Latteri wrote:

I upgraded our FreeIPA server from Cent7.2 to 7.3 which also upgraded freeipa 
to 4.4.  On some clients they failed to re-authenticate post upgrade.  I then 
did an
ipa-client-install --uninstall , and then tried re-joining to IPA server with
ipa-client-install --mkhomedir --force-ntpd --force-join.

Now I am getting the below error, and I have no idea how to recover.  Firewall 
is disabled.

Thanks,
Alan

User authorized to enroll computers: admin
Password for admin@XXX.LOCAL:
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Included profile directory could not be 
read while initializing Kerberos 5 library

Installation failed. Rolling back changes.
IPA client is not configured on this system.


[root@troll ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor 
preset: enabled)
   Active: inactive (dead)

Installed Packages
ipa-client.x86_64
4.4.0-14.el7.centos @updates
ipa-client-common.noarch 
4.4.0-14.el7.centos @updates
ipa-common.noarch
4.4.0-14.el7.centos @updates



Hi Alan,

it would be nice if you could post the client install log 
(/var/log/ipaclient-install.log). It is hard to tell what happens 
without seeing it.


--
Martin^3 Babinsky


Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-22 Thread Martin Babinsky

On 12/21/2016 07:22 PM, Brian J. Murrell wrote:

On Wed, 2016-12-21 at 17:50 +0100, Petr Spacek wrote:

Okay, I believe that this is the problem:

On 21.12.2016 15:53, Brian J. Murrell wrote:

[21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107
connection from local to /var/run/slapd-EXAMPLE.COM.socket


...

[21/Dec/2016:09:39:12.064476101 -0500] conn=77028 op=0 BIND dn=""
method=sasl version=3 mech=GSSAPI
[21/Dec/2016:09:39:12.067486416 -0500] conn=77028 op=0 RESULT
err=49 tag=97 nentries=0 etime=0 - SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (Permission denied)
[21/Dec/2016:09:39:12.192506861 -0500] conn=77028 op=1 UNBIND
[21/Dec/2016:09:39:12.192549740 -0500] conn=77028 op=1 fd=107
closed - U1


I have no idea why it is returning Permission denied.

Is it reproducible when you run this?
$ kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
ipa-dnskeysyncd/server.example.com
$ ldapsearch -Y GSSAPI -H /var/run/slapd-EXAMPLE.COM.socket
?


# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ipa-dnskeysyncd/server.example@example.com

Valid starting ExpiresService principal
21/12/16 13:05:16  22/12/16 13:02:12  ldap/server.example@example.com
21/12/16 13:02:12  22/12/16 13:02:12  krbtgt/example@example.com

# ldapsearch -Y GSSAPI -H ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE.COM.socket
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)



We need to find out why it is blowing up on GSSAPI negotiation.

Wild guess is that /etc/dirsrv/ds.keytab could have wrong
permissions. It
should have
-rw---. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0


# ls -lZ /etc/dirsrv/ds.keytab
-rw---. dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 
/etc/dirsrv/ds.keytab


If you manage to reproduce it, you can attach strace to the running
dirsrv


By that I assume you mean the ns-slapd.

The strace (minus poll/select/futex noise) is attached.




process and see what call is failing (if it is a system call)...

Perhaps this one:

[pid 13449] open("/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)

# ls -lZ /etc/krb5.keytab
-rw---. root root system_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab

But looking into the backup of this system, even a week and a month
ago, that file had the same permissions/ownership.  And changing it to
644 temporarily doesn't fix the "ldap_sasl_interactive_bind_s: Invalid
credentials (49)" from ldapsearch.

Cheers,
b.





Hi Brian,

DS should use /etc/sysconfig/dirsrv to set its KRB5_KTNAME env variable 
to /etc/dirsrv/ds.keytab. I guess that it cannot get this info from the 
file, thus it falls back to the Kerberos library default, which is 
/etc/krb5.keytab. That obviously fails because it is accessible only to 
root and contains keys only for the host/, nfs/, and cifs/ (if you have 
Samba) principals.


Can you please verify that /etc/sysconfig/dirsrv file exists and that it 
contains the following lines?:


KRB5_CCNAME=/tmp/krb5cc_389
KRB5_KTNAME=/etc/dirsrv/ds.keytab


If not, please add these lines to the file, restart dirsrv and try the IPA 
commands again.


--
Martin^3 Babinsky

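The diagnosis in this thread started from the dirsrv access log: a BIND with mech=GSSAPI followed by RESULT err=49 and the SASL diagnostic. The following is an added example, not code from the thread or from the 389-ds/FreeIPA projects, that does that correlation automatically over a constructed sample log: it pairs each op=N BIND line with its op=N RESULT line on the same connection, skips the intermediate err=14 ("SASL bind in progress") round of a multi-step GSSAPI bind, and reports the remaining failures together with the peer address and any diagnostic the server appended after "etime=". The sample lines, the host addresses and the bind DNs in it are constructed (modelled on the lines Petr quoted); the line layout assumed is that of 389-ds 1.3 as shipped with RHEL/CentOS 7.

```python
"""Flag failed BIND operations in a 389-ds (dirsrv) access log (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONN_RE = re.compile(r"^fd=\d+ slot=\d+ connection from (?P<src>\S+) to ")
BIND_RE = re.compile(
    r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)'
    r"(?: version=\d+)?(?: mech=(?P<mech>\S+))?"
)
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+)(?P<tail>.*)$")
DETAIL_RE = re.compile(r"\s-\s(?P<detail>.+)$")   # server diagnostic after "etime="

SASL_IN_PROGRESS = 14   # LDAP_SASL_BIND_IN_PROGRESS: one round of a multi-step bind, not a failure

# Constructed sample, modelled on the access log lines quoted in the thread.
SAMPLE_ACCESS_LOG = """\
[21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107 connection from local to /var/run/slapd-EXAMPLE.COM.socket
[21/Dec/2016:09:39:12.064476101 -0500] conn=77028 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Dec/2016:09:39:12.067486416 -0500] conn=77028 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Permission denied)
[21/Dec/2016:09:39:12.192506861 -0500] conn=77028 op=1 UNBIND
[21/Dec/2016:09:39:12.192549740 -0500] conn=77028 op=1 fd=107 closed - U1
[21/Dec/2016:09:40:01.000000000 -0500] conn=77031 fd=110 slot=110 connection from 10.0.0.5 to 10.0.0.1
[21/Dec/2016:09:40:01.010000000 -0500] conn=77031 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Dec/2016:09:40:01.020000000 -0500] conn=77031 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Dec/2016:09:40:01.030000000 -0500] conn=77031 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Dec/2016:09:40:01.040000000 -0500] conn=77031 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[21/Dec/2016:09:40:02.000000000 -0500] conn=77032 fd=111 slot=111 connection from 10.0.0.6 to 10.0.0.1
[21/Dec/2016:09:40:02.010000000 -0500] conn=77032 op=0 BIND dn="uid=binduser,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[21/Dec/2016:09:40:02.020000000 -0500] conn=77032 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""


@dataclass
class BindFailure:
    ts: str
    conn: str
    source: str   # peer address, or "local" for the LDAPI socket
    dn: str
    auth: str     # "simple" or "sasl/<mech>"
    err: int
    detail: str   # diagnostic text the server logged, if any


def failed_binds(log_text: str) -> List[BindFailure]:
    """Return every BIND whose final RESULT was neither success nor 'in progress'."""
    peers: Dict[str, str] = {}                    # conn -> peer address
    pending: Dict[Tuple[str, str], dict] = {}     # (conn, op) -> bind attributes
    failures: List[BindFailure] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        c = CONN_RE.match(rest)
        if c:
            peers[conn] = c["src"]
            continue
        b = BIND_RE.match(rest)
        if b:
            auth = f"sasl/{b['mech']}" if b["method"] == "sasl" else "simple"  # method=128 is a simple bind
            pending[(conn, b["op"])] = {"dn": b["dn"], "auth": auth}
            continue
        r = RESULT_RE.match(rest)
        if not r or (conn, r["op"]) not in pending:
            continue
        bind = pending.pop((conn, r["op"]))
        err = int(r["err"])
        if err in (0, SASL_IN_PROGRESS):
            continue
        d = DETAIL_RE.search(r["tail"])
        failures.append(BindFailure(m["ts"], conn, peers.get(conn, "?"), bind["dn"],
                                    bind["auth"], err, d["detail"] if d else ""))
    return failures


def failures_by_source(failures: List[BindFailure]) -> Dict[Tuple[str, str], int]:
    """Count failures per (peer, auth); a burst from one peer with simple binds is a password spray."""
    return dict(Counter((f.source, f.auth) for f in failures))


if __name__ == "__main__":
    for f in failed_binds(SAMPLE_ACCESS_LOG):
        print(f"{f.ts} conn={f.conn} from={f.source} {f.auth} dn={f.dn!r} err={f.err} {f.detail}")
```

The err=49 on the LDAPI connection is what the thread is about: the bind never reaches password or key checking, the server itself cannot read a keytab, so the SASL layer fails with "Permission denied". A simple bind that gets err=49 with no diagnostic text (the last sample connection) is the ordinary wrong-password case and is worth counting per peer rather than per line.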


Re: [Freeipa-users] FreeIPA 4.4 - Can't find topology segment, nsunique attribute

2016-12-22 Thread Martin Babinsky

On 12/22/2016 09:31 AM, Georgijs Radovs wrote:

Hello everyone!

Today, I've updated 2 FreeIPA servers from version 4.2 to version 4.4.

Both of these servers are Masters and CAs, both are replicating between
each other.

But, when I run

*ipa topologysegment-find* to view replication agreements for *domain*
and *ca* suffixes

it returns zero results.

Web UI also does not show any agreements, but when I try to create a
replication agreement between both servers, I get error that agreement
already exists.

Also, when viewing directory using ldap browser, I found these containers:

DN:
cn=ca+nsuniqueid=7252d047-c76611e6-a1fcaefe-5d4473a3,cn=topology,cn=ipa,cn=etc,dc=example,dc=com


DN:
cn=domain+nsuniqueid=7252d000-c76611e6-a1fcaefe-5d4473a3,cn=topology,cn=ipa,cn=etc,dc=example,dc=com


Both of them contain topology segments, which I'm trying to create, but
they do not show up anywhere.

How do I remove nsuniqueid attribute or delete those containers?



Hi Georgijs,

these entries come from replication conflicts, please see the following 
guide on how to solve them:


https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

Also as a side note, such conflicts may come from upgrading IPA masters 
at once, which is not recommended. Make sure that when you upgrade the 
topology you only upgrade one master at a time.


--
Martin^3 Babinsky

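All three conflict threads on this page (the leftover cn=masters entries of a deleted replica, the single conflicting master entry, and the cn=topology containers above) point at the same RHDS guide, which boils down to: find the entries whose RDN carries a "+nsuniqueid=..." marker, work out which DN each was supposed to have, and then either delete the conflict copy (when the valid twin exists) or rename it back (when the conflict copy is the only one left). The following added example, not code from the threads or from FreeIPA, does the first two steps over the "dn:" lines of an ldapsearch result and orders the deletions so that children go before their parents, since LDAP refuses to delete a non-leaf entry and the service entries under a conflicting master entry are conflicts themselves. The sample LDIF is constructed from the shape of the DNs posted in the threads with hostnames and suffix changed; the ldapdelete invocation it prints is the plain OpenLDAP client, not an ipa subcommand.

```python
"""Find, classify and order 389-ds replication-conflict entries (added example)."""
import base64
import re
from typing import List, Tuple

# 389-ds marks a conflict entry by adding nsuniqueid to the RDN, either after or
# (in older releases) before the original attribute: cn=x+nsuniqueid=<id> or nsuniqueid=<id>+cn=x.
TRAILING_MARK = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)
LEADING_MARK = re.compile(r"^nsuniqueid=[0-9a-f-]+\+", re.IGNORECASE)

# Constructed sample: a deleted master (ipa2) whose entries survived as conflicts,
# plus a conflicting cn=topology container that still has a live twin.
SAMPLE_LDIF = """\
dn: cn=masters,cn=ipa,cn=etc,dc=example,dc=test
dn: cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
dn: cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
dn: cn=ipa2.example.test+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
dn: cn=CA+nsuniqueid=5148cf38-6a5111e6-a4bad0d8-a4feaa1b,cn=ipa2.example.test+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
dn: cn=DNS+nsuniqueid=9cfb790e-6a5111e6-a4bad0d8-a4feaa1b,cn=ipa2.example.test+nsuniqueid=f0b9918f-6a5011e6-a4bad0d8-a4feaa1b,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
dn: cn=domain+nsuniqueid=7252d000-c76611e6-a1fcaefe-5d4473a3,cn=topology,cn=ipa,cn=etc,dc=example,dc=test
dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=example,dc=test
"""


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings; a backslash-escaped comma is part of a value, not a separator."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns


def strip_marker(rdn: str) -> str:
    return LEADING_MARK.sub("", TRAILING_MARK.sub("", rdn))


def is_conflict(dn: str) -> bool:
    return any(strip_marker(r) != r for r in split_dn(dn))


def original_dn(dn: str) -> str:
    """The DN with every conflict marker removed, i.e. the DN of the valid twin."""
    return ",".join(strip_marker(r) for r in split_dn(dn))


def parse_dns(ldif: str) -> List[str]:
    """Collect dn values from LDIF output, unfolding continuation lines and base64 DNs."""
    records: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and records:
            records[-1] += line[1:]          # LDIF folds long lines with a leading space
        else:
            records.append(line)
    dns = []
    for rec in records:
        if rec.startswith("dn::"):
            dns.append(base64.b64decode(rec[4:].strip()).decode("utf-8"))
        elif rec.startswith("dn:"):
            dns.append(rec[3:].strip())
    return dns


def cleanup_plan(dns: List[str]) -> List[Tuple[str, str, bool]]:
    """(conflict_dn, original_dn, twin_present) per conflict entry, deepest entries first."""
    live = {dn.lower() for dn in dns if not is_conflict(dn)}
    conflicts = [dn for dn in dns if is_conflict(dn)]
    conflicts.sort(key=lambda d: len(split_dn(d)), reverse=True)   # children before parents
    return [(dn, original_dn(dn), original_dn(dn).lower() in live) for dn in conflicts]


def ldapdelete_commands(dns: List[str], binddn: str = "cn=Directory Manager") -> List[str]:
    """Deletion commands in a safe order; review the plan before running them."""
    return [f"ldapdelete -D '{binddn}' -W '{dn}'" for dn, _, _ in cleanup_plan(dns)]


if __name__ == "__main__":
    for conflict, orig, twin in cleanup_plan(parse_dns(SAMPLE_LDIF)):
        print(("twin present -> delete copy" if twin else "no twin -> rename or delete"), conflict, "=>", orig)
```

The twin_present flag is the decision point from the guide: when the valid entry exists, the conflict copy is redundant and can go (after salvaging any attribute values only it carries); when it does not, the entry is either the only copy and should be renamed back with an ldapmodify modrdn, or, as in the first two threads, belongs to a master that was already removed with ipa-replica-manage del and is simply a leftover to delete. Run the plan with the Directory Manager bind on one master only and let replication propagate the deletions.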


Re: [Freeipa-users] Confirming no extra/special ports need to be opened for replication traffic?

2016-12-14 Thread Martin Babinsky

On 12/14/2016 05:50 PM, Chris Dagdigian wrote:


Been reading various generations of documentation to find out if I need
additional TCP or UDP ports opened for IPA replication between
VPN-connected dataceners.

I think the modern answer is no? We just need the standard IPA ports
open between all of the IPA master/replicas that chat to each other?

TCP Ports:
  * 80, 443: HTTP/HTTPS
  * 389, 636: LDAP/LDAPS
  * 88, 464: kerberos
  * 53: bind
UDP Ports:
  * 88, 464: kerberos
  * 53: bind
  * 123: ntp


-Chris



Hi Chris,

IIRC in IPA v3.0 port 7389 was used for CA replication, but in 
more recent versions this is not required anymore.


--
Martin^3 Babinsky



Re: [Freeipa-users] new IPA Servers

2016-12-01 Thread Martin Babinsky

On 12/01/2016 05:50 PM, Outback Dingo wrote:

trying to deploy new ipa servers so i can take down the old ones prior
to a move however the install is failing with.

zone optimcloud.com. already exists in DNS and is handled by
server(s): ipa.optimcloud.com., ipa2.optimcloud.com.


So how can I get around this... Note the old servers are going away
forever, but I need them alive until the new ones are ready.



The error message says that you are trying to install a DNS server for a 
zone that is already managed by the old masters.


You should rather create replicas of the old servers, move the CA 
renewal/CRL/DNSSEC master role from them to the new replicas and then 
disconnect and decommission the old masters.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Loss of initial master in multi master setup

2016-12-01 Thread Martin Babinsky

On 12/01/2016 01:28 PM, Neal Harrington | i-Neda Ltd wrote:

Hi IPA Gurus,


I had a 3 site multi master IPA replication setup (1 office and 2
datacentres) with 2 IPA servers at each site. Each server was
replicating successfully to 3 other servers (the other local site server
and one server at each of the two remote sites). Everything is running
on the default packages from CentOS 7.2 and each server is a full
replica (ipa-replica-install
/var/lib/ipa/replica-info-id-myserver.fqdn.com.gpg  --setup-ca
--setup-dns --mkhomedir --forwarder 8.8.8.8)


Everything was ticking over nicely until we had notice that the
office site was moving on short notice.


I successfully created IPA servers at the new site, set up replication
again between the new office and the two datacentres that were to remain
online, tested, and everything worked as expected - unfortunately in the
rush I did not have time to properly retire the IPA servers in the old
office.


The problem this has caused is that I only ever created users in one of
the IPA servers in the original office - so only those servers have a
DNA range and I am now unable to create new users on the active servers.
The original office servers are still in the IPA replication and powered
on but offline so potential split brain?


I now have two things I would like to know before proceeding:

  * Is the best fix here to force remove the original IPA servers and
manually add a new DNA range significantly different from the
original to avoid overlaps?
  * Is there anything else I should check? I can't see any issues
however did not notice the DNA range until I tried to create a user.

Any pointers greatly appreciated.


Thanks,

Neal.








Hi Neal,

If you already disconnected/decommissioned the old masters then I think 
the best you can do is option a, i.e. re-set DNA ranges on replicas to 
new values while avoiding overlap with old ranges.


We have an upstream document[1] describing the procedure. Hope it helps.

Also make sure that you migrated CA renewal and CRL master 
responsibilities to the new replicas, otherwise you may get problems 
with expiring certificates which are really hard to solve. See the 
following guide for details [2].


[1] http://www.freeipa.org/page/V3/Recover_DNA_Ranges
[2] http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Add 4.4 replica to 4.3 server fails

2016-11-28 Thread Martin Babinsky

On 11/27/2016 11:38 PM, Jochen Hein wrote:

Jochen Hein  writes:


2016-11-27T21:07:26Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 
406 Client Error: Failed to validate message: No recipient matched the provided 
key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If 
you are seeing this error when trying to use default_backend() please try uninstalling 
and reinstalling cryptography.',)]"]
2016-11-27T21:07:26Z ERROR 406 Client Error: Failed to validate message: No recipient 
matched the provided key["Failed: [ValueError('Multibackend cannot be initialized 
with no backends. If you are seeing this error when trying to use default_backend() 
please try uninstalling and reinstalling cryptography.',)]"]
2016-11-27T21:07:26Z ERROR The ipa-replica-install command failed. See 
/var/log/ipareplica-install.log for more information

Any idea what's wrong?


Around that time the pki on the old master has this:

0.Thread-17 - [27/Nov/2016:22:06:47 MEZ] [8] [3] Publishing: Could not
publish certificate serial number 0x1a. Error Failed to publish using
rule: No rules enabled

Debug has:
[27/Nov/2016:22:06:47][Thread-17]: RunListeners:: Queue: 1 noSingleRequest
[27/Nov/2016:22:06:47][Thread-17]: getRequest  mRequests=1 
mSearchForRequests=false
[27/Nov/2016:22:06:47][Thread-17]: getRequest  getting request: 29
[27/Nov/2016:22:06:47][Thread-17]: In LdapBoundConnFactory::getConn()
[27/Nov/2016:22:06:47][Thread-17]: masterConn is connected: true
[27/Nov/2016:22:06:47][Thread-17]: getConn: conn is connected true
[27/Nov/2016:22:06:47][Thread-17]: getConn: mNumConns now 4
[27/Nov/2016:22:06:47][Thread-17]: returnConn: mNumConns now 5
[27/Nov/2016:22:06:47][Thread-17]: getRequest  request 29 found
[27/Nov/2016:22:06:47][Thread-17]: getRequest  mRequests=0 
mSearchForRequests=false done
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = 
com.netscape.cms.listeners.CertificateIssuedListener
[27/Nov/2016:22:06:47][Thread-17]: CertificateIssuedListener: accept 29
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = 
com.netscape.ca.CRLIssuingPoint$RevocationRequestListener
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = 
com.netscape.cmscore.ldap.LdapRequestListener
[27/Nov/2016:22:06:47][Thread-17]: LdapRequestListener handling publishing for 
enrollment request id 29
[27/Nov/2016:22:06:47][Thread-17]: Checking publishing for request 29
[27/Nov/2016:22:06:47][Thread-17]: In  PublisherProcessor::publishCert
[27/Nov/2016:22:06:47][Thread-17]: Publishing: can't find publishing 
rule,exiting routine.
[27/Nov/2016:22:06:47][Thread-17]: PublishProcessor::publishCert : Failed to 
publish using rule: No rules enabled
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = 
com.netscape.cms.listeners.CertificateRevokedListener
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: mRequest = 29
[27/Nov/2016:22:06:47][Thread-17]: updatePublishingStatus 
mSavePublishingCounter: 3 mSavePublishingStatus: 200
[27/Nov/2016:22:06:47][Thread-17]: RunListeners:  noQueue  SingleRequest
[27/Nov/2016:22:06:47][Thread-17]: RequestRepository: setPublishingStatus  
mBaseDN: ou=ca,ou=requests,o=ipaca  status: -1
[27/Nov/2016:22:06:47][Thread-17]: In LdapBoundConnFactory::getConn()
[27/Nov/2016:22:06:47][Thread-17]: masterConn is connected: true
[27/Nov/2016:22:06:47][Thread-17]: getConn: conn is connected true
[27/Nov/2016:22:06:47][Thread-17]: getConn: mNumConns now 4
[27/Nov/2016:22:06:47][Thread-17]: returnConn: mNumConns now 5
[27/Nov/2016:22:06:47][Thread-17]: Number of publishing threads: 0

Maybe something in dogtag is missing?

Jochen



Hi Jochen,

can you please check the version of python-cryptography on master and 
replica? I remember there used to be a problem with pre-0.9 versions 
breaking Custodia.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] error; Allocation of a new value

2016-11-25 Thread Martin Babinsky

On 11/25/2016 12:48 PM, lejeczek wrote:



On 25/11/16 07:52, Martin Babinsky wrote:

On 11/24/2016 07:30 PM, lejeczek wrote:



On 24/11/16 17:14, lejeczek wrote:

hi

I see this:

2 ranges matched

  Range name: xx.id_range
  First Posix ID of the range: 195240
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain:
S-1-5-21-1144915091-2252175215-702530032
  Range type: Active Directory domain range

  Range name: xx.xx.xx.xx.x_id_range
  First Posix ID of the range: 187500
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range

Number of entries returned 2

Some time ago, when I first set up IPA, I migrated users from samba3's
ldap backend. Since then until today there were no new users I needed
to add, but now I do.
The first range on the list, I think, is a remnant of an AD trust which does
not exist any more (should it be removed?).
I'm not sure how to read those ranges' info; one thing I notice is that
UIDs from migration are probably between 500 & 2000, and now if I
supply uid manually to user-add and gid (which is old Samba's domain
users group) then creation of a new user succeeds.
Is this normal, expected?

mthx,
L


ok, solution(ldapmodify) to the problem:
https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html

but could some experts shed more light on it - I see that some time
ago(after migration/import) I actually created manually a user:
$ id netdevadmin
uid=187506(netdevadmin) gid=187506(netdevadmin)
groups=187506(netdevadmin)

today, after ldapmodify I create a new user but uids seem to come from
(what?) a different range??
$ id appmgr
uid=3501(appmgr) gid=3501(appmgr) groups=3501(appmgr)

what's is happening?
regards
L



You are seeing this because you probably set dnaMaxValue too low (5000 or so)
and, as the name of the attribute implies, it sets the maximum UID/GID
for the range assigned by the plugin.

By default, the local IPA ID ranges are set to huge numbers (on my
test VMs I have dnaMaxValue 24179) to avoid collisions with
UIDs/GIDs of local users, which are typically in the range of
thousands/tens of thousands.

However, the changes done directly in the DNA plugin configuration are
not reflected in ID range objects, that's why you may observe the
disparity between ID range characteristics and actual UIDs/GIDs
provisioned.


can you guess what changed those dnaMaxValue after initial
setup/installation (soon after I created 187506(netdevadmin), UID
was assigned by IPA)? It certainly was not me.

Well, you wrote:

> ok, solution(ldapmodify) to the problem:
> https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html

so I guess you indeed changed the value by running ldapmodify?

Should I worry about these disparities? Should I be setting
dnaMaxValue (and any relevant) to correspond to idrange(s)?
In general, I would not meddle with DNA plugin settings unless something 
is seriously wrong (like a replica that did not receive any DNA range 
block before the master was decommissioned, see [1]), and even then I 
would be extra careful to set the DNA plugin ranges to correspond to the 
actual IPA ID ranges to avoid any UID/GID collisions (which can get 
nasty very quickly).



Lastly, I see my IPA has two ranges, one is from AD trust which has been
removed, is it ok to leave/keep that range?



The leftover range from AD does no harm, you can safely remove it just 
to avoid confusion.

mthx,
L.





[1] http://www.freeipa.org/page/V3/Recover_DNA_Ranges
--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] error; Allocation of a new value

2016-11-24 Thread Martin Babinsky

On 11/24/2016 07:30 PM, lejeczek wrote:



On 24/11/16 17:14, lejeczek wrote:

hi

I see this:

2 ranges matched

  Range name: xx.id_range
  First Posix ID of the range: 195240
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain:
S-1-5-21-1144915091-2252175215-702530032
  Range type: Active Directory domain range

  Range name: xx.xx.xx.xx.x_id_range
  First Posix ID of the range: 187500
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range

Number of entries returned 2

Some time ago, when I first set up IPA, I migrated users from samba3's
ldap backend. Since then until today there were no new users I needed
to add, but now I do.
The first range on the list, I think, is a remnant of an AD trust which does
not exist any more (should it be removed?).
I'm not sure how to read those ranges' info; one thing I notice is that
UIDs from migration are probably between 500 & 2000, and now if I
supply uid manually to user-add and gid (which is old Samba's domain
users group) then creation of a new user succeeds.
Is this normal, expected?

mthx,
L


ok, solution(ldapmodify) to the problem:
https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html
but could some experts shed more light on it - I see that some time
ago(after migration/import) I actually created manually a user:
$ id netdevadmin
uid=187506(netdevadmin) gid=187506(netdevadmin)
groups=187506(netdevadmin)

today, after ldapmodify I create a new user but uids seem to come from
(what?) a different range??
$ id appmgr
uid=3501(appmgr) gid=3501(appmgr) groups=3501(appmgr)

what's is happening?
regards
L



You are seeing this because you probably set dnaMaxValue too low (5000 
or so) and, as the name of the attribute implies, it sets the maximum 
UID/GID for the range assigned by the plugin.


By default, the local IPA ID ranges are set to huge numbers (on my test 
VMs I have dnaMaxValue 24179) to avoid collisions with UIDs/GIDs of 
local users, which are typically in the range of thousands/tens of 
thousands.


However, the changes done directly in the DNA plugin configuration are 
not reflected in ID range objects, that's why you may observe the 
disparity between ID range characteristics and actual UIDs/GIDs provisioned.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
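As an added example (not code from either "Allocation of a new value" thread or from the "Loss of initial master" thread above): a Python audit that parses `ipa idrange-find` output of the shape quoted above, checks whether observed UIDs fall inside a configured range (the constructed pair 187506 and 3501 mirrors the disparity discussed here), flags overlapping ranges, and proposes a start for a new range that avoids overlap, which is the precaution Martin's DNA-range advice calls for. The output text, range names and SID are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    name: str
    first: int      # "First Posix ID of the range"
    size: int       # "Number of IDs in the range"
    rtype: str      # "Range type"

    @property
    def last(self) -> int:
        return self.first + self.size - 1

    def contains(self, posix_id: int) -> bool:
        return self.first <= posix_id <= self.last

    def overlaps(self, other: "IdRange") -> bool:
        return self.first <= other.last and other.first <= self.last


def _build(fields: dict) -> IdRange:
    return IdRange(
        name=fields["Range name"],
        first=int(fields["First Posix ID of the range"]),
        size=int(fields["Number of IDs in the range"]),
        rtype=fields.get("Range type", ""),
    )


def parse_idrange_find(text: str) -> list:
    """Parse the human-readable output of `ipa idrange-find` into IdRange objects.
    Blocks are separated by blank lines; separator and summary lines carry no
    colon and are skipped."""
    ranges, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if "Range name" in cur:
                ranges.append(_build(cur))
            cur = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    if "Range name" in cur:
        ranges.append(_build(cur))
    return ranges


def audit(ranges, observed_ids):
    """Return (orphans, overlaps): observed UIDs/GIDs outside every configured
    range, and pairs of range names whose POSIX intervals overlap."""
    orphans = [i for i in observed_ids if not any(r.contains(i) for r in ranges)]
    overlaps = [(a.name, b.name)
                for idx, a in enumerate(ranges)
                for b in ranges[idx + 1:] if a.overlaps(b)]
    return orphans, overlaps


def next_free_range(ranges, size, floor):
    """Smallest start >= floor such that [start, start+size-1] overlaps no range.
    Pass a floor well above local system UIDs to avoid the low-range collisions
    described in the thread."""
    candidates = sorted({floor} | {r.last + 1 for r in ranges if r.last + 1 > floor})
    for start in candidates:
        probe = IdRange("probe", start, size, "local domain range")
        if not any(probe.overlaps(r) for r in ranges):
            return start
    raise AssertionError("unreachable: highest range end + 1 is always free")


# Constructed sample in the shape of the `ipa idrange-find` output quoted above.
SAMPLE_OUTPUT = """\
2 ranges matched
----------------
  Range name: AD.EXAMPLE_id_range
  First Posix ID of the range: 195240
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1-2-3
  Range type: Active Directory domain range

  Range name: EXAMPLE.TEST_id_range
  First Posix ID of the range: 187500
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
"""


if __name__ == "__main__":
    ranges = parse_idrange_find(SAMPLE_OUTPUT)
    orphans, overlaps = audit(ranges, [187506, 3501])   # constructed observed UIDs
    print("UIDs outside every IPA ID range:", orphans)
    print("Overlapping ranges:", overlaps)
    print("Free start for a 20-ID range at or above 200000:",
          next_free_range(ranges, 20, 200000))
```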


Re: [Freeipa-users] IPA 4.4 replica installation failing

2016-11-18 Thread Martin Babinsky

On 11/17/2016 03:51 PM, Baird, Josh wrote:

Hi all,

In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new replica, 
and I seem to be hitting something similar to #5412 [1].

The 'ipa-replica-install' is getting stuck on:

  [4/26]: creating installation admin user

Dirsrv error logs on the new replica:

[17/Nov/2016:08:45:09.342813042 -0600] NSMMReplicationPlugin - 
agmt="cn=caToimqa-d1-dc01.qa-unix.domain.com" (imqa-d1-dc01:389): Unable to acquire 
replica: permission denied. The bind dn "" does not have permission to supply replication 
updates to the replica. Will retry later.

Dirsrv access logs on existing master:

[17/Nov/2016:08:39:59.244698389 -0600] conn=121 op=83 RESULT err=0 tag=101 
nentries=0 etime=0
[17/Nov/2016:08:40:00.248620354 -0600] conn=121 op=84 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 
filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:00.248917257 -0600] conn=121 op=84 RESULT err=0 tag=101 
nentries=0 etime=0
[17/Nov/2016:08:40:01.253067200 -0600] conn=121 op=85 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 
filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:01.253481728 -0600] conn=121 op=85 RESULT err=0 tag=101 
nentries=0 etime=0
[17/Nov/2016:08:40:02.257477560 -0600] conn=121 op=86 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 
filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:02.257813691 -0600] conn=121 op=86 RESULT err=0 tag=101 
nentries=0 etime=0
[17/Nov/2016:08:40:03.261805482 -0600] conn=121 op=88 SRCH 
base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 
filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:03.262310788 -0600] conn=121 op=88 RESULT err=0 tag=101 
nentries=0 etime=0

Dirsrv logs on the existing master:

[17/Nov/2016:08:40:20.644554573 -0600] NSMMReplicationPlugin - conn=120 op=13 
replica="o=ipaca": Unable to acquire replica: error: permission denied
[17/Nov/2016:08:41:57.858672215 -0600] NSMMReplicationPlugin - conn=123 op=5 
replica="o=ipaca": Unable to acquire replica: error: permission denied
[17/Nov/2016:08:45:09.334188374 -0600] NSMMReplicationPlugin - conn=130 op=5 
replica="o=ipaca": Unable to acquire replica: error: permission denied

Has anyone else experienced this issue?

Thanks,

Josh

[1] https://fedorahosted.org/freeipa/ticket/5412



Hi Josh,

in the original ticket the issue was occurring when creating a CA replica 
against a 7.2 master upgraded to 7.3 with domain level raised to 1. Do you 
have the same scenario?


Also, during the stuck installation, can you check for the presence of 
the replica's LDAP principal in the 'nsds5replicabinddn' attribute on the master's 
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry?


I would also check for the reverse, i.e. if the master's LDAP principal 
is in the 'nsds5replicabinddn' attribute on replica's 
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config' entry.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Martin Babinsky

On 11/16/2016 05:56 PM, Sean Hogan wrote:

Sorry.. listing output of klist -e and klist -ke... but kinit -k does not
seem to be working if I have it right.. kinit -kt is more promising but
still fails


*Klists*

[root@server1 read]# klist -e
Ticket cache: KEYRING:persistent:1:111
Default principal: admin@ipa.local

Valid starting Expires Service principal
11/16/2016 10:44:02 11/17/2016 10:43:54 krbtgt/ipa.local@IPA.LOCAL
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96


[root@server1 read]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal

--
1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96)
1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1)
1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac)



*Kinits *

[root@server1 read]# kinit -k /etc/krb5.keytab host/server1.ipa.local

Sorry it should read 'kinit -kt /etc/krb5.keytab host/server1.ipa.local'


Extra arguments (starting with "host/server1.ipa.local").
Usage: kinit [-V] [-l lifetime] [-s start_time]
[-r renewable_life] [-f | -F] [-p | -P] -n [-a | -A] [-C]
[-E]
[-v] [-R] [-k [-i|-t keytab_file]] [-c cachename]
[-S service_name] [-T ticket_armor_cache]
[-X [=]] [principal]

options: -V verbose
-l lifetime
-s start time
-r renewable lifetime
-f forwardable
-F not forwardable
-p proxiable
-P not proxiable
-n anonymous
-a include addresses
-A do not include addresses
-v validate
-R renew
-C canonicalize
-E client is enterprise principal name
-k use keytab
-i use default client keytab (with -k)
-t filename of keytab to use
-c Kerberos 5 cache name
-S service
-T armor credential cache
-X [=]

[root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
kinit: Cannot contact any KDC for realm 'IPA.LOCAL' while getting
initial credentials
[root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
kinit: Program lacks support for encryption type while getting initial
credentials


Sean Hogan








From: Martin Babinsky <mbabi...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, Jakub Hrozek <jhro...@redhat.com>
Cc: freeipa-users@redhat.com
Date: 11/16/2016 09:33 AM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server





On 11/16/2016 05:14 PM, Sean Hogan wrote:

Hi Jakub,

Thanks... here is output


*klist -ke*
[root@server1 rusers]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal

--
1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96)
1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1)
1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac)



*kinit -k odd though as kinit -k seems to fail but kinit with admin
seems to work indicating I can hit the KDC even though kinit -k says I
cannot?*

[root@server1 pam.d]# kinit -k server1
kinit: Keytab contains no suitable keys for server1@IPA.LOCAL while
getting initial credentials
[root@server1 pam.d]# kinit -k server1.IPA.LOCAL
kinit: Keytab contains no suitable keys for server1.IPA.LOCAL@IPA.LOCAL
while getting initial credentials

You need to specify the full principal name as printed by the klist command,
i.e. kinit -k /etc/krb5.keytab host/server1.ipa.local


[root@server1 pam.d]# kinit admin
Password for admin@ipa.local:
[root@server1 pam.d]#
[root@server1 pam.d]# klist
Ticket cache: KEYRING:persistent:11:11
Default principal: admin@IPA.LOCAL

Valid starting Expires Service principal
11/16/2016 10:44:02 11/17/2016 10:43:54 krbtgt/IPA.LOCAL@IPA.LOCAL

[root@server1 pam.d]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
 
-
1 1 host/server1.ipa.local@IPA.LOCAL
2 1 host/server1.ipa.local@IPA.LOCAL
3 1 host/server1.ipa.local@IPA.LOCAL
4 1 host/server1.ipa.local@IPA.LOCAL



*Added debug_level = 10 on the domain section of sssd.conf and restarted
is all I see*
[root@server1 sssd]# cat ldap_child.log
(Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18951
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18954
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18956
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:57:56 2

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Martin Babinsky

On 11/16/2016 05:14 PM, Sean Hogan wrote:

Hi Jakub,

Thanks... here is output


*klist -ke*
[root@server1 rusers]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal

--
1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96)
1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1)
1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac)



*kinit -k odd though as kinit -k seems to fail but kinit with admin
seems to work indicating I can hit the KDC even though kinit -k says I
cannot?*

[root@server1 pam.d]# kinit -k server1
kinit: Keytab contains no suitable keys for server1@IPA.LOCAL while
getting initial credentials
[root@server1 pam.d]# kinit -k server1.IPA.LOCAL
kinit: Keytab contains no suitable keys for server1.IPA.LOCAL@IPA.LOCAL
while getting initial credentials
You need to specify the full principal name as printed by the klist command, 
i.e. kinit -k /etc/krb5.keytab host/server1.ipa.local



[root@server1 pam.d]# kinit admin
Password for admin@ipa.local:
[root@server1 pam.d]#
[root@server1 pam.d]# klist
Ticket cache: KEYRING:persistent:11:11
Default principal: admin@IPA.LOCAL

Valid starting Expires Service principal
11/16/2016 10:44:02 11/17/2016 10:43:54 krbtgt/IPA.LOCAL@IPA.LOCAL

[root@server1 pam.d]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
 
-
1 1 host/server1.ipa.local@IPA.LOCAL
2 1 host/server1.ipa.local@IPA.LOCAL
3 1 host/server1.ipa.local@IPA.LOCAL
4 1 host/server1.ipa.local@IPA.LOCAL



*Added debug_level = 10 on the domain section of sssd.conf and restarted
is all I see*
[root@server1 sssd]# cat ldap_child.log
(Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18951
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18954
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18956
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18957
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:58:02 2016) [[sssd[ldap_child[18958
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:59:26 2016) [[sssd[ldap_child[18977
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type




*Additional:*

[root@server1 rusers]# systemctl -l status sssd.service
sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
Drop-In: /etc/systemd/system/sssd.service.d
└─journal.conf
Active: active (running) since Wed 2016-11-16 10:30:43 EST; 17s ago
Process: 3041 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
Main PID: 3042 (sssd)
CGroup: /system.slice/sssd.service
├─3042 /usr/sbin/sssd -D -f
├─3043 /usr/libexec/sssd/sssd_be --domain ipa.local --uid 0 --gid 0
--debug-to-files
├─3044 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
├─3045 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
├─3046 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
├─3047 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
└─3048 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files

Nov 16 10:30:43 server1.ipa.local sssd[3042]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[be[ipa.local]][3043]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[sudo][3045]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[pam][3046]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[nss][3044]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[ssh][3047]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[pac][3048]: Starting up
Nov 16 10:30:43 server1.ipa.local systemd[1]: Started System Security
Services Daemon.
Nov 16 10:30:55 server1.ipa.local [sssd[ldap_child[3055]]][3055]: Failed
to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP
connection.
[root@server1 rusers]#

Seeing this in /var/log/sssd/sssd_ipa.local.log

(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [be_process_init]
(0x0010): fatal error initializing data providers
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [main] (0x0010): Could
not initialize backend [14]
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]]
[select_principal_from_keytab] (0x0010): Failed to read keytab
[default]: Bad address
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [load_backend_module]
(0x0010): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!


Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Martin Babinsky

On 11/16/2016 03:10 PM, Sumit Bose wrote:

On Wed, Nov 16, 2016 at 02:41:34PM +0100, Martin Babinsky wrote:

On 11/16/2016 02:33 PM, Petr Spacek wrote:

On 16.11.2016 14:01, Stijn De Weirdt wrote:

hi all,

we are looking how to configure whatever relevant policy to minimise the
impact of compromised IPA hosts (ie servers with a valid host keytab).

in particular, it looks like it is possible to retrieve any user token once
you have access to a valid host keytab.

we're aware that the default IPA policies are wide open, but we are
looking how to limit this. for us, there's no need that a hostkeytab can
retrieve tokens for anything except the services on that host.


What "token" do you have in mind?


We discussed this in another thread.

In the case that the host is compromised/stolen/hijacked, you can
host-disable it to invalidate the keytab stored there, but this does not
prevent anyone logged on that host from brute-forcing/DoSing user accounts by trying
to guess their Kerberos keys by repeated kinit.


But the password policy should at least mitigate this by blocking the
account for some time after a number of wrong passwords are used.

bye,
Sumit



Yes, after (by default 6, IIRC) failed attempts it should lock out the 
account, making brute-forcing the credentials highly impractical. It 
will, however, prevent legitimate authentication of that user against 
the IPA master where the lockout is in place.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project







Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Martin Babinsky

On 11/16/2016 02:33 PM, Petr Spacek wrote:

On 16.11.2016 14:01, Stijn De Weirdt wrote:

hi all,

we are looking how to configure whatever relevant policy to minimise the
impact of compromised IPA hosts (ie servers with a valid host keytab).

in particular, it looks like it is possible to retrieve any user token once
you have access to a valid host keytab.

we're aware that the default IPA policies are wide open, but we are
looking how to limit this. for us, there's no need that a hostkeytab can
retrieve tokens for anything except the services on that host.


What "token" do you have in mind?


We discussed this in another thread.

In the case that the host is compromised/stolen/hijacked, you can 
host-disable it to invalidate the keytab stored there, but this does not 
prevent anyone logged on that host from brute-forcing/DoSing user accounts by 
trying to guess their Kerberos keys by repeated kinit.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] [Freeipa-devel] pam_winbind(sshd:auth): pam_get_item returned a password

2016-11-16 Thread Martin Babinsky

On 11/16/2016 10:41 AM, rajat gupta wrote:


I am using FreeIPA version 4.4.0 and an Active Directory trust setup. On the
Active Directory side I am using a UPN suffix.

Following is my setup.

AD DOMAIN :- corp.addomain.com 
UPN suffix :- usern...@mydomain.com 
IPA DOMAIN :- ipa.ipadomain.local
IPA server hostname:- ilt-gif-ipa01.ipa.ipadomain.local


I am able to log in with an AD user on the IPA server. But on the IPA client I am
not able to log in; I am getting the login message "Access denied". I have
enabled debug_level in sssd.conf on the IPA client.

below are some logs..

/var/log/secure

Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=x.x.x.x user=rg1989
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): received for
user e600336: 6 (Permission denied)
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): getting
password (0x0010)
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth):
pam_get_item returned a password
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): internal
module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'rg1989')
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: Failed password for rg1989 from
x.x.x.x. port 48842 ssh2



krb5_child.log

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836 [k5c_send_data]
(0x4000): Response sent.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836 [main] (0x0400):
krb5_child completed successfully
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837 [main] (0x0400):
krb5_child started.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837 [unpack_buffer]
(0x1000): total buffer size: [159]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837 [unpack_buffer]
(0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true]
enterprise principal [false] offline [false] UPN
[rajat.gu...@mydomain.com ]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837 [unpack_buffer]
(0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname:
[KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837 [switch_creds]
(0x0200): Switch user to [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837
[sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837 [switch_creds]
(0x0200): Switch user to [0][0].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837
[k5c_check_old_ccache] (0x4000): Ccache_file is
[KEYRING:persistent:1007656917] and is not active and TGT is  valid.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837
[k5c_precreate_ccache] (0x4000): Recreating ccache
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837 [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837
[find_principal_in_keytab] (0x4000): Trying to find principal
host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL in keytab.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837 [match_principal]
(0x1000): Principal matched to the sample
(host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL).
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837
[check_fast_ccache] (0x0200): FAST TGT is still valid.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837 [become_user]
(0x0200): Trying to become user [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837 [main] (0x2000):
Running as [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837 [k5c_setup]
(0x2000): Running as [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837 [main] (0x0400):
Will perform online auth
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837 [tgt_req_child]
(0x1000): Attempting to get a TGT
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837 [get_and_save_tgt]
(0x0400): Attempting kinit for realm [MYDOMAIN.COM ]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837
[sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.416687: Getting
initial credentials for rajat.gu...@mydomain.com


(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837
[sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418641: FAST armor
ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL


Re: [Freeipa-users] Actions for a stolen/compromised IPA Client

2016-11-16 Thread Martin Babinsky

On 11/16/2016 10:04 AM, Paessens, Daniel wrote:

Currently I am looking for a workable solution for the following situation:
Let's say that an IPA client has been stolen (or compromised). What
can we do to block all access from it towards IPA (and the rest)?
For example, if we use the command "ipa host-disable", we notice
that IPA users are no longer able to log in to the system. But if you
log into the system as root, you can still (successfully) run the
command kinit and obtain a ticket for it.
Even if you delete the host from the directory, the behavior remains
the same.
Can this be blocked in any way?
Regards,
Daniel





Hi Daniel,

host-disable removes the host Kerberos keys and certificates from LDAP
as you correctly observed. This means that all services on the
compromised host stop working. SSSD will also stop working since it uses
the now invalid host keytab to perform user lookups; that's why ssh'ing
to the host as an IPA user stops working.


However, there is nothing preventing the attacker from trying to kinit as
admin directly, without sssd, on the machine, which can potentially lead to
a DoS attack on the admin user. So if you realize that the host was
compromised it is best to first run host-disable and then block all
traffic from that host on ports 88 tcp/udp (Kerberos), 464 tcp/udp
(kadmin), 749 tcp/udp (kpasswd IIRC) and LDAP(S) ports (389, 636 tcp).


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
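
As an added example that is not part of the thread: a Python check a defender can run over the KDC's krb5kdc.log after `ipa host-disable`, reporting initial-ticket (AS-REQ) requests still arriving from the disabled host's address and counting failed pre-authentications per principal, which is the admin lockout risk Martin points to. The log lines, hostnames and addresses are constructed; the line layout follows MIT krb5kdc's AS_REQ entries.

```python
import re
from collections import Counter

# Constructed MIT krb5kdc.log excerpt (not from the thread). 192.0.2.77 stands in for
# the disabled/compromised client; 198.51.100.5 is an unaffected client.
SAMPLE_KDC_LOG = """\
Nov 16 09:00:52 ipa01.example.test krb5kdc[1201](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.5: ISSUE: authtime 1479283252, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 16 09:05:10 ipa01.example.test krb5kdc[1201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
Nov 16 09:05:11 ipa01.example.test krb5kdc[1201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
Nov 16 09:05:12 ipa01.example.test krb5kdc[1201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
Nov 16 09:05:20 ipa01.example.test krb5kdc[1201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: NEEDED_PREAUTH: host/client7.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 16 09:06:00 ipa01.example.test krb5kdc[1201](info): TGS_REQ (4 etypes {18 17 16 23}) 198.51.100.5: ISSUE: authtime 1479283252, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for ldap/ipa01.example.test@EXAMPLE.TEST
"""

# One AS_REQ line: timestamp, host, daemon, request type, client address (older krb5
# versions append "(port)"), status keyword, and the free-form remainder.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \([^)]*\) (?P<addr>[0-9A-Fa-f.:]+)(?:\(\d+\))?: "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "client@REALM for service/name@REALM" inside the remainder.
PRINC_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<service>[^\s,]+@[^\s,]+)")


def parse_as_reqs(log_text):
    """Return one dict per AS_REQ line; TGS_REQ and other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AS_REQ_RE.match(line)
        if not m:
            continue
        p = PRINC_RE.search(m.group("rest"))
        events.append({
            "ts": m.group("ts"),
            "addr": m.group("addr"),
            "status": m.group("status"),
            "client": p.group("client") if p else None,
        })
    return events


def audit_disabled_host(log_text, host_addr, fail_threshold=3):
    """Summarise initial-ticket requests still coming from a host that was disabled.

    Any AS_REQ from host_addr after `ipa host-disable` shows the network block Martin
    recommends is not (yet) in place; repeated PREAUTH_FAILED for one principal is the
    lockout (DoS) risk he describes.
    """
    from_host = [e for e in parse_as_reqs(log_text) if e["addr"] == host_addr]
    failures = Counter(e["client"] for e in from_host if e["status"] == "PREAUTH_FAILED")
    return {
        "as_req_from_host": len(from_host),
        "principals_tried": sorted({e["client"] for e in from_host if e["client"]}),
        "preauth_failures": dict(failures),
        "lockout_risk": sorted(p for p, n in failures.items() if n >= fail_threshold),
    }


if __name__ == "__main__":
    report = audit_disabled_host(SAMPLE_KDC_LOG, "192.0.2.77")
    for key, value in report.items():
        print(f"{key}: {value}")
```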


Re: [Freeipa-users] Wrong timestamp on ipaclient-install.log file and authentication problem

2016-11-15 Thread Martin Babinsky

On 11/15/2016 03:45 PM, Tamer Ataol wrote:

Hi,

I am trying to make ipa-client-install work on Ubuntu 14.04.5.
Everything works except it doesn't get LDAP users from the IPA Master. I dug
into the issue a little bit and found out that ipaclient-install.log under
the /var/log/ directory uses the wrong timestamp. Ubuntu's date is correct; it
is set to Istanbul time. But in the log file UTC is used, 3 hours behind
the server's time. I am thinking this issue is the cause of not getting
the LDAP users from the FreeIPA Master. The IPA client cannot synchronize
with the master because it uses UTC. I couldn't find any other issue.

What can make the FreeIPA client use a different time than the server's?
Java and Python give Istanbul time on the server, so they are correct.
Also I restarted rsyslogd. Nothing changed.

Another thing I want to mention is that I installed Ubuntu from a netboot
image and installed ubuntu-desktop, freeipa-client and ssh on top of
that. And Ubuntu is set to Turkish. Strangely, when I install Ubuntu from
the Live CD in English this issue never happens and the FreeIPA client works
perfectly. But I need to use netboot and Turkish as I need to install
many computers for Turkish users.

Thanks.





IIRC the IPA logs always have UTC timestamps because it makes debugging 
issues across different timezones easier. Also, the timestamp format used 
in the logging module should not influence the client's function.


If you suspect that time sync is an issue you need to compare the client 
and server time directly, not based on logs. If your master has NTP 
running and is configured as an NTP server (that should always be the case 
unless you gave the '--no-ntp' option during master install), the client 
will use it as a source of time.


I would inspect ipaclient-install logs for errors and also look into 
https://fedorahosted.org/sssd/wiki/Troubleshooting because user lookup 
on the client is mainly done by sssd unless configured otherwise.


--
Martin^3 Babinsky



Re: [Freeipa-users] What is the use of /etc/krb5.conf?

2016-11-08 Thread Martin Babinsky

On 11/08/2016 05:13 PM, Ask Stack wrote:

I thought /etc/krb5.conf controls which Kerberos server the clients talk
to.

As a test, I removed /etc/krb5.conf and rebooted the client. After
reboot, I can still log in and "kinit user".
Removing /etc/krb5.keytab, however, would stop users from logging in and
sssd from starting.





/etc/krb5.conf configures the Kerberos client library: it tells the 
client which realm it should use, whether to use DNS discovery or a 
static list of KDCs, and the mapping between DNS domains and realms.


Read `man krb5.conf' for more info.

sssd stores plenty of information about the Kerberos realm in its own 
configuration (realm, DNS discovery etc.) so it can authenticate the 
user even without a valid krb5.conf (as you observed).


However, to pull in user info from the authoritative source (IPA LDAP), sssd 
authenticates against IPA as the host principal using /etc/krb5.keytab; 
that's why it stopped working and refused to start after you removed it.


--
Martin^3 Babinsky

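
Added example (not part of the thread) to make Martin's description concrete: a small Python reader for krb5.conf that reports the default realm, whether KDCs come from the static [realms] list or from DNS SRV discovery, and applies the [domain_realm] mapping to a hostname. The sample configuration is constructed in the layout ipa-client-install writes; the DNS fallback logic is simplified.

```python
# Constructed krb5.conf in the layout ipa-client-install writes (names are placeholders,
# not from the thread).
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.TEST = {
    kdc = ipa01.example.test:88
    kdc = ipa02.example.test:88
    master_kdc = ipa01.example.test:88
    admin_server = ipa01.example.test:749
    kpasswd_server = ipa01.example.test:464
    default_domain = example.test
  }

[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [sections], key = value pairs (repeated keys become
    lists) and one level of NAME = { ... } blocks as used in [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            block = None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = section if block is None else block
        target.setdefault(key, []).append(value)
    return conf


def describe_client_kerberos(conf):
    """The three things Martin says krb5.conf decides: the realm, how KDCs are located,
    and the domain -> realm mapping. Static kdc entries win; DNS SRV is the fallback."""
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [None])[-1]
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["true"])[-1].lower() in ("true", "yes", "1")
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if kdcs:
        source = "static list in [realms]"
    elif dns_kdc:
        source = "DNS SRV records"
    else:
        source = "none: no kdc entries and dns_lookup_kdc disabled"
    return {
        "default_realm": realm,
        "static_kdcs": kdcs,
        "kdc_source": source,
        "domain_realm": {d: v[-1] for d, v in conf.get("domain_realm", {}).items()},
    }


def realm_for_host(conf, hostname):
    """Apply [domain_realm]: exact host match first, then the nearest '.parent' entry,
    else default_realm (simplified: the DNS TXT lookup path is not modelled)."""
    info = describe_client_kerberos(conf)
    mapping = info["domain_realm"]
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return info["default_realm"]
```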


Re: [Freeipa-users] Remove AD domain in auth commands

2016-11-08 Thread Martin Babinsky

On 11/07/2016 09:11 PM, James Harrison wrote:

Hello
Sorry, I didn't explain. IPA is the default domain, but I also want to
use the Windows domain to authenticate, but I want the OS to detect what
realm to use in the ssh command.

Thanks

On Mon, 7 Nov, 2016 at 11:48, Martin Basti wrote:

AFAIK Jakub already answered that
https://www.redhat.com/archives/freeipa-users/2016-November/msg00031.html

On 07.11.2016 12:05, James Harrison wrote:

Anyone?

Sent from Yahoo Mail on Android


On Fri, 4 Nov, 2016 at 11:04, James Harrison wrote:
Hello,

I've installed FreeIPA 4.2 master using Centos and I have a
Windows 2012R2 with its AD schema emulating a Windows 2012 system

I have established a trust between the two and it appears to
work. I can reference a user on the AD domain, but the only
way is to add the AD domain.

The only way to ssh to the master IPA server is like this:

ssh "x_@IPAWIN.LOCAL"@10.10.10.10

Another example is using kinit:

I have to do the following to get a credential:
kinit x_@IPAWIN.LOCAL

Ideally I would not need or use the "@IPAWIN.LOCAL".

Can anyone help?

Best regards,
James Harrison









Hi James,

as Jakub pointed out you may have to wait for the next release of SSSD 
for this to work.


--
Martin^3 Babinsky



Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

2016-11-08 Thread Martin Babinsky

On 11/07/2016 04:45 PM, Alessandro De Maria wrote:

Hi Martin,

I tried from the host I am executing the script from, and I get:
certutil -L -d /etc/httpd/alias/
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
certificate/key database is in an old, unsupported format.


From the FreeIPA server, as I said previously, I get:

certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.X.COM IPA CA                                            CT,C,C


From the FreeIPA server, I seem to be able to run the script, so we are
definitely on the right track.
How do I get the /etc/httpd/alias/ in sync across these hosts? Can I
copy it, or is there a way to regenerate it?

Regards
Alessandro

On 7 November 2016 at 15:36, Alessandro De Maria
<alessandro.dema...@gmail.com> wrote:

Hi Martin, this is the output from the id1 host:

certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.X.COM IPA CA                                            CT,C,C


looks just like you suggested. Any other suggestion?

On 7 November 2016 at 10:56, Martin Babinsky <mbabi...@redhat.com> wrote:

On 11/04/2016 04:52 PM, Alessandro De Maria wrote:

Hello,

I have a FreeIPA installation that is working very nicely, we already
have configured many hosts and so far we are quite happy with it.

I was trying to connect Ansible to fetch hosts from FreeIPA using the
freeipa.py script
(https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)

Unfortunately when I run it, I get the following:

ipa: ERROR: cert validation failed for
"CN=id1.prod.****.com,O=PROD..COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cert validation failed for
"CN=id2.prod.****.com,O=PROD..COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the user.)
Traceback (most recent call last):
  File "./freeipa.py", line 82, in <module>
    api = initialize()
  File "./freeipa.py", line 17, in initialize
    api.Backend.rpcclient.connect()
  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
    error=', '.join(urls))
ipalib.errors.NetworkError: cannot connect to 'any of the configured
servers': https://id1.prod.****.com/ipa/json, https://id2.prod.****.com/ipa/json


If I curl the URL, it works just fine (I imported the CA
Certificate into the system directory /etc/ssl/certs).

I have run `openssl s_client` connect and downloaded the remote
certificate locally, then I ran:

# openssl verify cert.pem
# id1.prod.****.com.pem: OK


Would you help me figure out what's going on?



--
Alessandro De Maria
alessandro.dema...@gmail.com



Hi Alessandro,

this error can mean that the CA certificate in the IPA NSS database
has wrong trust flags set. Please make sure that there is an IPA CA
certificate present in /etc/httpd/alias and that it has trust flags
CT,C,C like this:

Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

2016-11-07 Thread Martin Babinsky

On 11/04/2016 04:52 PM, Alessandro De Maria wrote:

Hello,

I have a FreeIPA installation that is working very nicely, we already
have configured many hosts and so far we are quite happy with it.

I was trying to connect Ansible to fetch hosts from FreeIPA using the
freeipa.py script
(https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)

Unfortunately when I run it, I get the following:

ipa: ERROR: cert validation failed for
"CN=id1.prod.****.com,O=PROD..COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cert validation failed for
"CN=id2.prod.****.com,O=PROD..COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the user.)
Traceback (most recent call last):
  File "./freeipa.py", line 82, in <module>
    api = initialize()
  File "./freeipa.py", line 17, in initialize
    api.Backend.rpcclient.connect()
  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
    error=', '.join(urls))
ipalib.errors.NetworkError: cannot connect to 'any of the configured
servers': https://id1.prod.****.com/ipa/json, https://id2.prod.****.com/ipa/json


If I curl the URL, it works just fine (I imported the CA Certificate into
the system directory /etc/ssl/certs).

I have run `openssl s_client` connect and downloaded the remote
certificate locally, then I ran:

# openssl verify cert.pem
# id1.prod.****.com.pem: OK


Would you help me figure out what's going on?



--
Alessandro De Maria
alessandro.dema...@gmail.com 




Hi Alessandro,

this error can mean that the CA certificate in the IPA NSS database has 
wrong trust flags set. Please make sure that there is an IPA CA certificate 
present in /etc/httpd/alias and that it has trust flags CT,C,C like this:


# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
<$REALM> IPA CA                                              CT,C,C

--
Martin^3 Babinsky

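
An added example (not from the thread) that automates the check Martin asks for: parse `certutil -L` output and verify that the '<REALM> IPA CA' entry carries CT,C,C, reporting which trust letters are missing. The two sample listings are constructed, one healthy and one with an untrusted CA entry.

```python
import re

# Constructed `certutil -L -d /etc/httpd/alias/` output in the shape shown in the thread
# (realm and nicknames are placeholders, not the poster's data).
CERTUTIL_OK = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
"""

# Same database, but the CA entry carries no trust: the client library then refuses the
# server certificate with SEC_ERROR_UNTRUSTED_ISSUER, as in the reported error.
CERTUTIL_BAD = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          ,,
"""

# Nickname, two or more spaces, then three comma-separated NSS trust fields
# (letters p P c C T u w; a field may be empty). Header lines never match.
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")
TRUST_LABELS = ("SSL", "S/MIME", "JAR/XPI")


def parse_certutil_list(output):
    """Map nickname -> (ssl, smime, objsign) trust strings."""
    certs = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            certs[m.group("nick").strip()] = tuple(m.group("flags").split(","))
    return certs


def check_ipa_ca_trust(output, required=("CT", "C", "C")):
    """Locate the '<REALM> IPA CA' entry and compare its flags with the CT,C,C Martin
    asks for. Returns (ok, nickname, flags, problems)."""
    certs = parse_certutil_list(output)
    ca_entries = [(n, f) for n, f in certs.items() if n.endswith(" IPA CA")]
    if not ca_entries:
        return False, None, None, ["no '<REALM> IPA CA' certificate in the database"]
    nick, flags = ca_entries[0]
    problems = []
    for label, have, want in zip(TRUST_LABELS, flags, required):
        missing = sorted(set(want) - set(have))
        if missing:
            problems.append(f"{label}: has '{have}', needs '{want}' (missing {','.join(missing)})")
    return not problems, nick, flags, problems


if __name__ == "__main__":
    for name, listing in (("healthy", CERTUTIL_OK), ("untrusted CA", CERTUTIL_BAD)):
        ok, nick, flags, problems = check_ipa_ca_trust(listing)
        print(f"{name}: ok={ok} nick={nick!r} flags={flags} problems={problems}")
```

Wrong flags are corrected in place on the server with certutil's -M/-t options rather than by copying the NSS database between hosts.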


Re: [Freeipa-users] Package naming conflicts with update to RHEL 7.3

2016-11-07 Thread Martin Babinsky

On 11/07/2016 01:31 AM, Prasun Gera wrote:

Getting this in yum check all after update to 7.3

ipa-client-4.4.0-12.el7.x86_64 has installed conflicts freeipa-client:
ipa-client-4.4.0-12.el7.x86_64
ipa-client-common-4.4.0-12.el7.noarch has installed conflicts
freeipa-client-common: ipa-client-common-4.4.0-12.el7.noarch
ipa-common-4.4.0-12.el7.noarch has installed conflicts freeipa-common:
ipa-common-4.4.0-12.el7.noarch
ipa-python-compat-4.4.0-12.el7.noarch has installed conflicts
freeipa-python-compat: ipa-python-compat-4.4.0-12.el7.noarch





Hi Prasun,

That is a false positive caused by a bug in yum, see 
https://bugzilla.redhat.com/show_bug.cgi?id=1370134


--
Martin^3 Babinsky



Re: [Freeipa-users] ipa-replica-install fails because dirsrv failed to start

2016-10-27 Thread Martin Babinsky

On 10/27/2016 10:48 AM, Jochen Demmer wrote:



On 27.10.2016 at 10:21, Martin Basti wrote:

On 27.10.2016 10:02, Jochen Demmer wrote:

On 26.10.2016 at 17:31, Martin Basti wrote:

On 26.10.2016 17:25, Jochen Demmer wrote:

On 26.10.2016 at 16:48, Martin Basti wrote:

On 26.10.2016 16:42, Jochen Demmer wrote:

On 26.10.2016 at 16:27, Martin Basti wrote:

On 26.10.2016 16:10, Jochen Demmer wrote:

Hi,

my answers also inline.

On 26.10.2016 at 15:38, Martin Basti wrote:


Hi, comments inline


On 26.10.2016 14:28, Jochen Demmer wrote:

Hi,

I've been running and using a single FreeIPA server
successfully, i.e.:
Fedora 24
freeipa-server-4.3.2-2.fc24.x86_64
This server is only available via IPv6, because I can't get
public IPv4 addresses any more.

Now I want to set up a FreeIPA replica at another site also
running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64.
First I run "ipa-client-install", which succeeds without an error.
When I invoke "ipa-replica-install" I get this error:
ipa : ERRORCould not resolve hostname
*hostname.mydoma.in* using DNS. Clients may not function
properly. Please check your DNS setup. (Note that this check
queries IPA DNS directly and ignores /etc/hosts.)
LOG:
2016-10-26T12:14:39Z DEBUG Search DNS server
*hostname.mydoma.in* (['2a01:f11:1:1::1', '2a01:f11:1:1::1',
'2a01:f11:1:1::1']) for *hostname.mydoma.in*


Can you check with the dig or host command if the hostname is
really resolvable on that machine? Do you have a proper resolver
in /etc/resolv.conf?

There is a resolver given in /etc/resolv.conf. When I do "host
<>" I get the right IPv6 back.

That is weird because IPA is doing basically the same.





*hostname.mydoma.in* is actually the DNS entry for the old
FreeIPA server, which actually resolves, but only to an IPv6
address of course.
I can continue the installation though by entering "yes".

I then get asked:
Enter the IP address to use, or press Enter to finish.
Please provide the IP address to be used for this host name:

When I enter the IPv6 address of the new replica host it
doesn't accept it but keeps asking this question instead.


Have you pressed enter twice? It should end the prompt and
continue with the installation.

Enter without an IP -> No usable IP address provided nor resolved.
Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4
cannot use IP network address 2a02:1:2:3::4


How have you configured the IP address on your interface? Does it
have prefix /128?

Yes, that's right. It's an IP being assigned statefully by a
DHCPv6 server.
There is also another dynamic IP within the same prefix having
/64. I don't want to use this one of course, because its IID changes.


Could you (temporarily) set the prefix for that address to /64 and
re-run the installer? IPA 4.3 has a check that prevents you from using
a /128 prefix.

Well, now I don't even get asked for the IP. The setup wizard
continues, but I now get this error:

  [27/43]: restarting directory server
ipa : CRITICAL Failed to restart the directory server
(Command '/bin/systemctl restart dirsrv@MY-REALM.service' returned
non-zero exit status 1). See the installation log for details.
  [28/43]: setting up initial replication
  [error] error: [Errno 111] Connection refused

LOG:
2016-10-26T15:14:46Z DEBUG Process finished, return code=1
2016-10-26T15:14:46Z DEBUG stdout=
2016-10-26T15:14:46Z DEBUG stderr=Job for dirsrv@MY-REALM.service
failed because the control process exited with error code. See
"systemctl status dirsrv@MY-REALM.service" and "journalctl -xe" for
details.
2016-10-26T15:14:46Z CRITICAL Failed to restart the directory
server (Command '/bin/systemctl restart dirsrv@MY-REALM.service'
returned non-zero exit status 1). See the installation log for details.
2016-10-26T15:14:46Z DEBUG   duration: 1 seconds
2016-10-26T15:14:46Z DEBUG   [28/43]: setting up initial replication
2016-10-26T15:14:56Z DEBUG Traceback (most recent call last):

When I try to restart manually with "/bin/systemctl restart
dirsrv@MY-REALM.service", this is what systemd logs:
https://paste.fedoraproject.org/461439/raw/




Could you please check /var/log/dirsrv/slapd-*/errors? There might
be more details.

Did you reuse an old IPA server for this installation?

Martin

This is what the logfile says:
https://paste.fedoraproject.org/461685/raw/

I tried to install this server as a replica a couple of times; I
even reinstalled all of the software and I keep using
ipa-client-install --uninstall and
ipa-server-install --uninstall


It looks like the DS database is somehow corrupted; it is possible that
there are some leftovers from previous installations

start: Failed to start databases, err=-1 BDB0092 Unknown error: -1

I'm not sure what that error means, maybe the DS guys will know

Can you run the server uninstall twice? It should remove all leftovers,
and then check /var/lib/dirsrv/ for any slapd-* directories;
if there are any, please remove them

Martin

I uninstalled freeipa-*, deleted /etc/dirsrv and 

Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-25 Thread Martin Babinsky

On 10/25/2016 10:27 AM, bahan w wrote:

Hello everyone!

I have an ipa server and an ipa client both in 3.0.0-47.

In order to connect via SSH to the host of the ipa-client, I use root.
When I'm connected to the ipa-client via ssh as root, I do a kinit of
a user with a keytab:
###
kinit -kt /etc/security/keytabs/.headless.keytab 
###

And sometimes, once I have the TGT, when I just do an ipa user-show, I
get the following error:
###
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure.  Minor code may provide more information
(Ticket expired)
###

When I check the ticket, it is not expired:
###
# klist
Ticket cache: FILE:/tmp/krb5cc_root_
Default principal: @

Valid starting     Expires            Service principal
10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/@
###

Do you know where this can come from and how I can solve this error, please?

Here is more information with the debug option:
###
ipa -d user-show 
###

Result:
###
ipa: DEBUG: importing all plugin modules in
'/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.10.3

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: DEBUG: 

Re: [Freeipa-users] Promote CA-less replica

2016-10-19 Thread Martin Babinsky

On 10/19/2016 11:35 AM, James Harrison wrote:

Hi James,


Hi,
We're using FreeIPA on Ubuntu Xenial. We lost the master server.

I have some questions:
1. Does DNS replicate among the other replicas if we change/add DNS records?
If not, can this behaviour be changed?
IPA-integrated DNS stores records in the replicated LDAP subtree so any 
added/removed DNS record will replicate to other IPA DNS servers.



2. How do we promote a replica to become a master? We have not
configured our servers to become a CA. Our CA is Comodo and we have
configured FreeIPA to use a certificate, key and interim certificates
from Comodo, using the options:

--http_pkcs12=
--http_pin=
--dirsrv_pkcs12=...
--dirsrv_pin=

Hope someone can help. Quite urgent.

The terms FreeIPA master/replica are quite arbitrary as all replicas are 
equal peers and can be considered masters. The only notion of 'master' 
is when you use a Dogtag CA (then one of the CA replicas is designated the 
renewal master and renews certificates in the topology, and one is the 
CRL master generating certificate revocation lists) and/or DNSSEC (then 
one DNS replica is designated the key master generating zone signing 
keys and the other DNS replicas pull these keys).


As you are using CA-less replicas, there should be no loss from the 
fact that the one designated 'master' is down (unless it was e.g. the 
only DNS server). As long as the others have valid CA and server certs 
they should be working just fine.


You can just install a new replica in place of the master by generating 
a replica file on another replica and supplying the required certificates 
through options.



Regards,
James Harrison





--
Martin^3 Babinsky



Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Martin Babinsky

On 10/18/2016 11:22 PM, Bertrand Rétif wrote:

Hello,

I had an issue with pki-tomcat.
I had several certificates that had expired and pki-tomcat did not start
anymore.

I set the date on the server to before the certificate expiration and then
pki-tomcat started properly.
Then I tried to resubmit the certificate, but I get the below error:
  "Profile caServerCert Not Found"

Do you have any idea how I could fix this issue?

Please find below output of commands:


# getcert resubmit -i 20160108170324

# getcert list -i 20160108170324
Number of certificates and requests being tracked: 7.
Request ID '20160108170324':
status: MONITORING
ca-error: Server at
"http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit; replied:
Profile caServerCert Not Found
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=A.SKINFRA.EU
subject: CN=IPA RA,O=A.SKINFRA.EU
expires: 2016-06-28 15:25:11 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes


Thanks in advance for your help.
Bertrand






Hi Bertrand,

what version of FreeIPA and Dogtag are you running?

Also perform the following search on the IPA master and post the result:

"""
ldapsearch -D "cn=Directory Manager" -W -b 
'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'

"""

--
Martin^3 Babinsky



Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-18 Thread Martin Babinsky

On 10/18/2016 04:59 PM, Deepak Dimri wrote:

Hi Martin, before running ipa-replica-install do I need to run the
ipa-server-install script on the replica?


I am running the ipa-server-install script on the replica and then if I
run ipa-replica-install without uninstalling the IPA server then I get
the below errors:



No, there should be *no* IPA server nor client installed on the 
replica machine; there just needs to be *some* IPA master on some other 
machine to prepare a replica file.


Just run ipa-replica-install on the replica and make sure that *no* 
ipa-server-install/ipa-client-install were run before that.



 [root@ip-172-31-23-230 ipa]#
ipa-replica-install /var/lib/ipa/replica-info-replica.ipa.com.gpg
 ipa.ipapython.install.cli.install_tool(Replica): ERRORIPA
client is already configured on this system.
Please uninstall it first before configuring the replica,
using 'ipa-client-install --uninstall'.

When I try 'ipa-client-install --uninstall' then I am getting the below:

ipa-client-install --uninstall IPA client is configured as a part of
IPA server on this system. Refer to ipa-server-install for uninstallation


Thanks,

Deepak




*From:* Martin Basti <mba...@redhat.com>
*Sent:* Tuesday, October 18, 2016 8:40 AM
*To:* Deepak Dimri; Martin Babinsky; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Not able to pass through
ipa-replica-install on centos 7




On 18.10.2016 13:52, Deepak Dimri wrote:


Thanks Martin, I had to run ipa-server-install --uninstall -U to get
rid of the IPA client error message on the replica server and then re-run
the ipa-replica-install script to make it run OK. But it does not look clean
through - as I understand it, we do need to run the ipa-server-install script
(same as on the master) on the replica server, but that script by default
installs the IPA client, which then causes the replica install to fail.  Is
there any way I can avoid IPA client installation on the replica?




You need to run the ipa-replica-install installer, and the client is a required
part of any server. Can you be more specific about what kind of errors you are
getting? Logs?

Martin^2


Thanks,

Deepak




*From:* Martin Babinsky <mbabi...@redhat.com>
*Sent:* Monday, October 17, 2016 1:29 AM
*To:* Deepak Dimri; Martin Basti; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Not able to pass through
ipa-replica-install on centos 7

On 10/15/2016 12:41 PM, Deepak Dimri wrote:
> Thanks Martin for the reply.
>
> When I try 'ipa-client-install --uninstall' then I am getting the below
> message:
>
>
> ipa-client-install --uninstall
> IPA client is configured as a part of IPA server on this system.
> Refer to ipa-server-install for uninstallation.
>
>
> How can I raise the domain level to 1 in v4? I tried
>
> ipa *domainlevel-set* 1
>
> but I am getting ipa: ERROR: unknown command 'domainlevel-set'
>
> Thanks again for your help on this.
>
> Best Regards,
> Deepak
>
>

Hi Deepak,

IIRC CentOS 7 has FreeIPA 4.2.0-15, which does not support replica
promotion or domain levels other than 0.

The error from ipa-replica-install probably comes from leftovers of a
previous client enrollment.

Just run `ipa-client-install --uninstall -U` and then re-run the replica
installation as usual.

> 
> *From:* Martin Basti <mba...@redhat.com>
> *Sent:* Saturday, October 15, 2016 4:54 AM
> *To:* Deepak Dimri; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Not able to pass through
> ipa-replica-install on centos 7
>
>
>
>
> On 14.10.2016 18:58, Deepak Dimri wrote:
>>
>> Hi All,
>>
>>
>> I am trying to configure replication between two FreeIPA CentOS 7
>> servers.  As per the document I need the same FreeIPA version running on
>> both machines, which I have, and to run ipa-replica-prepare on the
>> master and then simply run ipa-replica-install on the replica server
>> along with the replica file.  But I am unable to get past the below error
>> message:
>>
>>
>> [root@ip-172-31-23-230 ipa]# ipa-replica-install
>> /var/lib/ipa/replica-info-replica.ipa.com.gpg
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERRORIPA client
>> is already configured on this system.
>>
>> Please uninstall it first before configuring the replica, using
>> 'ipa-client-install --uninstall'.
>>
>>
>> What should I be doing to get around this error? The error looks
>> misleading as I am trying to install a replica and not the IPA client
>>
>>
>> Thanks,
>>
>> Deepak
>>
>>
>>
> Hi,
>
> have you tried ipa-client-install --uninstall?
>
> A replica cannot be installed on a system where the client is already installed
> (with domain level 0, your case)
>
> Martin
>
>


--
Martin^3 Babinsky



Re: [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

2016-10-17 Thread Martin Babinsky

On 10/18/2016 12:30 AM, Matt . wrote:

Hi Guys,

I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24

I already checked some info and:

ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX

Gives me TU instead of MII as expected.

Any further suggestions?

Thanks,

Matt


2016-10-17T22:19:10Z DEBUG Starting external process
2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
2016-10-17T22:19:10Z DEBUG Process finished, return code=255
2016-10-17T22:19:10Z DEBUG stdout=
2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found

2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-10-17T22:19:11Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
in execute
return_value = self.run()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1867, in upgrade
upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1770, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1027, in certificate_renewal_update
ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 996, in start_tracking_certificates
'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 307, in track_server_cert
nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in
load_certificate
return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin


2016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed,
exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE)
security library failure.
2016-10-17T22:19:11Z ERROR Unexpected error - see
/var/log/ipaupgrade.log for details:
NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information



Hmmm strange,

looks like your DS certificate got lost or has some strange nickname in 
your directory server's NSS database.


Is this a CA-less install, an externally signed CA or a 'self-signed' CA?
Master or replica?


--
Martin^3 Babinsky
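One way to check the suspicion above offline, as an added example (Python; not code from the thread, from FreeIPA or from NSS): it parses the table that `certutil -d /etc/dirsrv/slapd-MY-REALM -L` prints (nickname column, then the SSL,S/MIME,JAR/XPI trust flags) and reports whether the nickname the upgrade asked for, Server-Cert, exists, and which certificates carry a private key (a `u` flag) under some other nickname. The listing embedded below is constructed; on a real server you would feed in the actual `certutil -L` output.

```python
"""Diagnose a missing or renamed server certificate from `certutil -L` output.

Added example, not part of the original thread. It assumes the standard
certutil listing layout: a two-line header, a blank line, then one row per
certificate with the nickname followed by at least two spaces and the
trust flags (SSL,S/MIME,JAR/XPI).
"""
import re

EXPECTED_NICKNAME = "Server-Cert"  # nickname IPA's upgrade code asked certutil for

# Constructed sample: Server-Cert is absent and the only certificate with a
# private key ('u' flags) sits under a non-standard nickname.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
ds-cert-renamed                                              u,u,u
"""

# nickname (may contain single spaces), 2+ spaces, trust flags
_ROW_RE = re.compile(r'^(?P<nick>.+?)\s{2,}(?P<flags>[A-Za-z,]*)$')


def parse_certutil_listing(text):
    """Return [(nickname, trust_flags)] for each certificate row in a `certutil -L` listing."""
    rows = []
    for line in text.splitlines():
        # skip the header, its indented second line and the blank separator
        if not line.strip() or line.startswith("Certificate Nickname") or line.startswith(" "):
            continue
        m = _ROW_RE.match(line)
        if m:
            rows.append((m.group("nick").strip(), m.group("flags")))
    return rows


def has_private_key(trust_flags):
    """A 'u' in any trust slot means the NSS DB holds the private key for that cert."""
    return any("u" in slot for slot in trust_flags.split(","))


def diagnose_server_cert(listing, expected=EXPECTED_NICKNAME):
    """Explain why `certutil -L -n <expected>` would fail on this database.

    Returns (found, candidates): found is True when the expected nickname is
    present; candidates are nicknames that do have a private key (so could be
    the server certificate) but carry a different name.
    """
    rows = parse_certutil_listing(listing)
    found = any(nick == expected for nick, _ in rows)
    candidates = [nick for nick, flags in rows
                  if nick != expected and has_private_key(flags)]
    return found, candidates


if __name__ == "__main__":
    found, candidates = diagnose_server_cert(SAMPLE_LISTING)
    print("Server-Cert present:", found)
    print("certificates with a private key under another nickname:", candidates)
```

If `found` is False and `candidates` is non-empty, the certificate was not lost but is tracked under a different nickname, which is the second possibility the reply raises; if both are empty, the key material itself is gone from the database.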



Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-17 Thread Martin Babinsky

On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:

Hello Martin and List

Thanks for the answer and Help.

I mean my big problem is to understand the way to configure an ACI :-(.

I can't find any example or docs to configure this correctly :-(.

I mean this is a problem for the professional league in FreeIPA, and I am not a
professional :-(..

I do this for all LDAP-configured apps:

ipa group-add systemers  --nonposix  #group

 ipa pwpolicy-add systemers --maxlife=2 --minclasses=3 --priority=0
#forever-passwords

 ipa user-add ldapbind --first=ldapbind --last=systemer --homedir=/ --gecos=""
--shell=/usr/sbin/nologin --email="" --random #user

This user (ldapbind) is only in group systemers

But now I have to create an ACI for this user to read the uid,
passwd, mail, mailAlternateAddress...

mailAlternateAddress is in "objectClass mailrecipient"

I mean I must have an ACI like
access to attribute= 

Does anyone have a hint or link to understand this problem?

Thanks for an answer and help,


Am Montag, 17. Oktober 2016, 07:35:26 schrieb Martin Babinsky:

On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:

Hello,

IPA 4.3.1

I have a big problem with my LDAP read user (ldapbind). I'd like to install
dovecot with IPA, but I must have "mailAlternateAddress"; I found a plugin
for this, but now I can't read these attributes :-(.

Is this the current way to implement a system account?

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D

https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no time stamp to find out whether this is current or old :-(.

Thanks for an answer,


Hi Gunther,

that LDIF looks ok to me.

Do not forget that you must set up the correct ACIs in order for the
system account to see the 'mailAlternateAddress' attribute.




See the following document for a step-by-step guide on how to write ACIs:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html

To allow the system account read access to your custom attributes, you
can use LDIF like this (untested, hopefully I got it right from the top
of my head):


"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow (read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)

"""
Save it to a file and then call

ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif

to add this ACI to the cn=users subtree. The ACI then applies to all entries
in the subtree.


--
Martin^3 Babinsky
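Since an ACI written from memory is easy to get subtly wrong, here is an added example (Python; not code from the thread, from FreeIPA or from 389-ds) that parses and validates 389-ds ACI strings of the shape used above and renders the change record with RFC 2849 line folding rather than mail-client wrapping. The system account DN, attribute and object class are the ones from the message; `BROKEN_ACI` is a constructed ACI whose bind rule ends in `;;)` instead of `";)`, the kind of slip the validator is meant to catch. The regexes cover only the subset shown here (target clauses, one `version 3.0` body, `allow`/`deny` rules whose bind rule starts with a single keyword), which is an assumption of this example, not the full ACI grammar.

```python
"""Parse, validate and render 389-ds/FreeIPA ACIs (added example, not FreeIPA code)."""
import re

# Leading target clauses, e.g. (targetattr="mail || mailAlternateAddress")
_TARGET_RE = re.compile(
    r'\((target|targetattr|targetfilter|targetscope|targattrfilters)\s*(!?=)\s*"([^"]*)"\)\s*')
# The (version 3.0; acl "name"; <rules>) body; the rules are parsed separately below
_BODY_RE = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(.*)\)$')
# One rule: allow|deny (perm, ...) <bind rule>;  a quoted string may itself contain ';'
_RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*((?:"[^"]*"|[^";])+)\s*;\s*')

KNOWN_PERMS = {"read", "write", "add", "delete", "search", "compare",
               "selfwrite", "proxy", "all"}
BIND_KEYWORDS = ("userdn", "groupdn", "roledn", "userattr", "ip", "dns",
                 "dayofweek", "timeofday", "authmethod", "ssf")

SYSTEM_ACCOUNT_DN = "uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com"

# Constructed: the bind rule is closed with ';;)' instead of '";)' (quote never closed)
BROKEN_ACI = (
    '(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")'
    '(version 3.0; acl "Allow system account to read mail address"; allow(read, '
    'search, compare) userdn = "ldap:///' + SYSTEM_ACCOUNT_DN + ';;)')
FIXED_ACI = BROKEN_ACI[:-3] + '";)'


def parse_aci(aci):
    """Split an ACI into targets, acl name and rules; raise ValueError when malformed."""
    aci = " ".join(aci.split())  # undo mail-style line wrapping before parsing
    targets, pos = {}, 0
    while True:
        m = _TARGET_RE.match(aci, pos)
        if not m:
            break
        keyword, op, value = m.groups()
        targets[keyword] = (op, value)
        pos = m.end()
    m = _BODY_RE.match(aci, pos)
    if not m:
        raise ValueError('missing \'(version 3.0; acl "..."; ...)\' body')
    name, rules_text = m.groups()
    rules, rpos = [], 0
    while rpos < len(rules_text):
        rm = _RULE_RE.match(rules_text, rpos)
        if not rm:
            raise ValueError("malformed rule near %r" % rules_text[rpos:rpos + 24])
        effect, perms, bind = rm.groups()
        rules.append({"effect": effect,
                      "permissions": [p.strip() for p in perms.split(",")],
                      "bind_rule": bind.strip()})
        rpos = rm.end()
    if not rules:
        raise ValueError("no permission rule")
    return {"targets": targets, "name": name, "rules": rules}


def validate_aci(aci):
    """Return a list of problems; an empty list means the ACI looks sound."""
    try:
        parsed = parse_aci(aci)
    except ValueError as exc:
        return ["syntax: %s" % exc]
    problems = []
    if not parsed["targets"]:
        problems.append("no target clause: the ACI would cover every attribute in the subtree")
    for rule in parsed["rules"]:
        for perm in rule["permissions"]:
            if perm not in KNOWN_PERMS:
                problems.append("unknown permission %r" % perm)
        if not rule["bind_rule"].lower().startswith(BIND_KEYWORDS):
            problems.append("bind rule does not start with a known keyword: %r" % rule["bind_rule"])
    return problems


def build_read_aci(attrs, objectclass, bind_dn, name):
    """Render a read-only ACI for `attrs` on entries of `objectclass`, granted to `bind_dn`."""
    return ('(targetattr="%s")(targetfilter="(objectClass=%s)")'
            '(version 3.0; acl "%s"; allow (read, search, compare) '
            'userdn = "ldap:///%s";)' % (" || ".join(attrs), objectclass, name, bind_dn))


def ldif_add_aci(entry_dn, aci, width=76):
    """LDIF change record adding `aci` to `entry_dn`, folded per RFC 2849: continuation
    lines start with one space (a line broken by a mail client is not valid LDIF)."""
    out = []
    for line in ("dn: " + entry_dn, "changetype: modify", "add: aci", "aci: " + aci):
        while len(line) > width:
            out.append(line[:width])
            line = " " + line[width:]
        out.append(line)
    return "\n".join(out) + "\n"


def unfold_ldif(text):
    """Inverse of the folding above, as an LDIF consumer such as ldapmodify applies it."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("broken:", validate_aci(BROKEN_ACI))
    print("fixed:", validate_aci(FIXED_ACI) or "ok")
    print(ldif_add_aci("cn=users,cn=accounts,dc=example,dc=com", FIXED_ACI))
```

Running the validator before `ldapmodify` is cheap, and the folded output can be applied as-is; after applying it, a bind as the system account followed by a search for the attribute confirms the ACI actually grants what was intended.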



Re: [Freeipa-users] help

2016-10-16 Thread Martin Babinsky

On 10/17/2016 02:44 AM, 郑磊 wrote:

Hello everyone,
I'm using FreeIPA, and I am testing and researching its functions. At
the same time, I have done a Chinese translation of the web interface
and also added my own function module to the web interface.
However, for these changes I don't know how to interact with the
community; please help me. Thank you very much!




That depends on what you are trying to achieve.

If you wish to contribute your translations to the upstream, you may 
have a look at our Zanata project page:


https://fedora.zanata.org/project/view/freeipa/

We periodically push our message strings there so the community can 
translate them. We then pull the changes into the upstream repo. You may 
wish to read http://zanata.org/help/ for more information about this 
workflow.


If you would like to contribute your code to the upstream, make sure you 
read our Contribution guide: http://www.freeipa.org/page/Contribute


Otherwise feel free to ask questions on this list, we will try our best 
to help you out.


--
Martin^3 Babinsky


Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-16 Thread Martin Babinsky

On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:

Hello,

IPA 4.3.1

I have a big problem with my LDAP read user (ldapbind). I'd like to install
dovecot with IPA, but I must have "mailAlternateAddress"; I found a plugin for
this, but now I can't read these attributes :-(.

Is this the current way to implement a system account?

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D

https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no time stamp to find out whether this is current or old :-(.

Thanks for an answer,



Hi Gunther,

that LDIF looks ok to me.

Do not forget that you must set up the correct ACIs in order for the
system account to see the 'mailAlternateAddress' attribute.


--
Martin^3 Babinsky



Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-16 Thread Martin Babinsky

On 10/15/2016 12:41 PM, Deepak Dimri wrote:

Thanks Martin for the reply.

When I try 'ipa-client-install --uninstall' then I am getting the below
message:


ipa-client-install --uninstall
IPA client is configured as a part of IPA server on this system.
Refer to ipa-server-install for uninstallation.


How can I raise the domain level to 1 in v4? I tried

ipa *domainlevel-set* 1

but I am getting ipa: ERROR: unknown command 'domainlevel-set'

Thanks again for your help on this.

Best Regards,
Deepak




Hi Deepak,

IIRC CentOS 7 has FreeIPA 4.2.0-15, which does not support replica
promotion or domain levels other than 0.


The error from ipa-replica-install probably comes from leftovers of a
previous client enrollment.


Just run `ipa-client-install --uninstall -U` and then re-run the replica
installation as usual.




*From:* Martin Basti 
*Sent:* Saturday, October 15, 2016 4:54 AM
*To:* Deepak Dimri; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Not able to pass through
ipa-replica-install on centos 7




On 14.10.2016 18:58, Deepak Dimri wrote:


Hi All,


I am trying to configure replication between two FreeIPA CentOS 7
servers.  As per the document I need the same FreeIPA version running on
both machines, which I have, and to run ipa-replica-prepare on the
master and then simply run ipa-replica-install on the replica server
along with the replica file.  But I am unable to get past the below error
message:


[root@ip-172-31-23-230 ipa]# ipa-replica-install
/var/lib/ipa/replica-info-replica.ipa.com.gpg

ipa.ipapython.install.cli.install_tool(Replica): ERRORIPA client
is already configured on this system.

Please uninstall it first before configuring the replica, using
'ipa-client-install --uninstall'.


What should I be doing to get around this error? The error looks
misleading as I am trying to install a replica and not the IPA client


Thanks,

Deepak




Hi,

have you tried ipa-client-install --uninstall?

A replica cannot be installed on a system where the client is already installed
(with domain level 0, your case)

Martin





--
Martin^3 Babinsky



Re: [Freeipa-users] DNS ceases on both Master & Replica after several days

2016-10-04 Thread Martin Babinsky

On 10/04/2016 06:25 AM, Richard Harmonson wrote:

After successful installation and use of DNS with forwarding, first on a
Master and Replica, several days pass and then it stops. Using 'ipactl
status' shows the named service stopped. Using 'ipactl restart' services,
DNS is running but stops again several days later. Rinse and repeat.

All other services show as running when using 'ipactl status'. Interestingly,
both the Master and Replica fail. It is never just one.

Suggestions on where to begin looking, and how?




There should be some information in the journal log. Try to issue 
`journalctl -u named-pkcs11.service` and look into the output for errors.


--
Martin^3 Babinsky



Re: [Freeipa-users] Port and protocol for winsync

2016-09-23 Thread Martin Babinsky

On 09/23/2016 01:09 PM, malo wrote:

Hello,


I am currently trying to set up the winsync agreement between my AD and
my FreeIPA servers. The network topology only allows me to connect the
FreeIPA server to port 636 of AD, using TLS.

It seems that FreeIPA wants to connect to port 389 using StartTLS
when I run the ipa-replica-manage command to create the winsync agreement.

I know that I can modify the parameters of the winsync agreement once it
is established, by modifying the cn=replica,cn=com,cn=mapping
tree,cn=config elements.


But is there a way to specify the port as well as the protocol to use on
the first configuration of the winsync agreement?


Thank you for your help,

Best regards,


Nathan M.

I am afraid that this is hardcoded in ipa-replica-manage and there is no
way to force the command to use an LDAPS connection.


Is there any particular reason why incoming connections on AD DC's port 
389 are blocked in your network?


--
Martin^3 Babinsky



Re: [Freeipa-users] In webgui, ID Views slow, to crashingly slow

2016-09-20 Thread Martin Babinsky

On 09/20/2016 08:33 AM, Alexander Bokovoy wrote:

On Tue, 20 Sep 2016, Martin Babinsky wrote:

On 09/20/2016 12:17 AM, Simpson Lachlan wrote:

-Original Message-

On 09/19/2016 03:12 AM, Lachlan Musicman wrote:

Hi

Sometimes when I visit the ID Views page in the webgui, it is
crushingly slow, and often it times out.

Centos 7, ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

Is there a reason, can I do something to fix this?



What kind of ID Views do you use? Do you use them to override AD
users?
Is there any useful info in '/var/log/httpd/error_log'?


There is the single ID View Name, Default Trust View, and in that we
have a number of users overriding the AD usernames and home dirs.

The httpd error log is relatively large, tbh, but there's nothing in
there that looks like an obvious reason. In fact, for an error log,
there are a hell of a lot of "SUCCESS" messages? The most obvious
culprit in the error log is jsonserver_session...

Next time I see it (I only see it intermittently), I'll grab the logs
and have a look.

Cheers
L.



This email (including any attachments or links) may contain
confidential and/or legally privileged information and is
intended only to be read or used by the addressee.  If you
are not the intended addressee, any use, distribution,
disclosure or copying of this email is strictly
prohibited.
Confidentiality and legal privilege attached to this email
(including any attachments) are not waived or lost by
reason of its mistaken delivery to you.
If you have received this email in error, please delete it
and notify us immediately by telephone or email.  Peter
MacCallum Cancer Centre provides no guarantee that this
transmission is free of virus or that it has not been
intercepted or altered and will not be liable for any delay
in its receipt.



One thing that crossed my mind is to check the connectivity to the AD
domain controllers. To resolve AD user overrides, FreeIPA uses SSSD to
contact AD DCs to do the username -> SID translation. If there is some
problem contacting them, then there may be hangs/timeouts when
resolving override anchors.

Internally IPA framework attempts to resolve ID override anchors. We can
actually optimize this code as ipaOriginalUID attribute contains
normalized name already, written there when the override is created and
never changed afterwards. This should speed up the resolution of large
overrides.

Martin, can you file a ticket for that? The code in question is
baseidoverride.convert_anchor_to_human_readable_form() which could
benefit from passing in entry_attrs and checking ipaoriginaluid there.
If 'ipaoriginaluid' is missing, do analysis of ipaanchoruuid like it is
done now.



Done: https://fedorahosted.org/freeipa/ticket/6339

--
Martin^3 Babinsky



Re: [Freeipa-users] In webgui, ID Views slow, to crashingly slow

2016-09-19 Thread Martin Babinsky

On 09/20/2016 12:17 AM, Simpson Lachlan wrote:

-Original Message-

On 09/19/2016 03:12 AM, Lachlan Musicman wrote:

Hi

Sometimes when I visit the ID Views page in the webgui, it is
crushingly slow, and often it times out.

Centos 7, ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

Is there a reason, can I do something to fix this?



What kind of ID Views do you use? Do you use them to override AD users?
Is there any useful info in '/var/log/httpd/error_log'?


There is the single ID View Name, Default Trust View, and in that we have a
number of users overriding the AD usernames and home dirs.

The httpd error log is relatively large, tbh, but there's nothing in there that looks
like an obvious reason. In fact, for an error log, there are a hell of a lot of
"SUCCESS" messages? The most obvious culprit in the error log is
jsonserver_session...

Next time I see it (I only see it intermittently), I'll grab the logs and have 
a look.

Cheers
L.






One thing that crossed my mind is to check the connectivity to the AD 
domain controllers. To resolve AD user overrides, FreeIPA uses SSSD to 
contact AD DCs to do the username -> SID translation. If there is some 
problem contacting them, then there may be hangs/timeouts when resolving 
override anchors.


Thus you may also want to check the SSSD logs (see
https://fedorahosted.org/sssd/wiki/Troubleshooting) to see whether this
is the case.


--
Martin^3 Babinsky



Re: [Freeipa-users] In webgui, ID Views slow, to crashingly slow

2016-09-19 Thread Martin Babinsky

On 09/19/2016 03:12 AM, Lachlan Musicman wrote:

Hi

Sometimes when I visit the ID Views page in the webgui, it is crushingly
slow, and often it times out.

Centos 7, ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

Is there a reason, can I do something to fix this?

cheers
L.
--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper




What kind of ID Views do you use? Do you use them to override AD users?
Is there any useful info in '/var/log/httpd/error_log'?


--
Martin^3 Babinsky



Re: [Freeipa-users] how to revert ipa-adtrust-install...

2016-09-19 Thread Martin Babinsky

On 09/19/2016 09:49 AM, Martin Babinsky wrote:

On 09/17/2016 12:43 PM, lejeczek wrote:



On 15/09/16 22:37, Rob Crittenden wrote:

What do you mean control? If you don't want ipactl to manage the smb
service, look for an entry in
cn=masters,cn=ipa,cn=etc,dc=example,dc=com and delete it if you find it.

rob

all I find there is:

objectClass: nsContainer
objectClass: top
cn: masters



You must perform a subtree search for the entry named
'cn=ADTRUST', like so:

"""
ldapsearch -Y GSSAPI -b 'cn=masters,cn=ipa,cn=etc,dc=ipa,dc=test'
'(cn=ADTRUST)'
SASL/GSSAPI authentication started
SASL username: ad...@ipa.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] AD cross-realm

2016-07-27 Thread Martin Babinsky

On 07/27/2016 11:35 AM, Abu Haris wrote:

sir/madame,

I am in great trouble in choosing FreeIPA for identity management. I
want to know more about AD cross-realm trust and how it works.

--
A.H



Hi Abu,

there is quite extensive upstream documentation of IPA-AD trust
workings and setup. You can start by looking at
http://www.freeipa.org/page/Trusts


--
Martin^3 Babinsky



Re: [Freeipa-users] named-pkcs11 fails to start on new replica

2016-07-14 Thread Martin Babinsky

On 07/13/2016 09:56 PM, Bob Hinton wrote:

Hi,

We are trying to create a new replica on RHEL 7.2

This completes but named-pkcs11 fails to start -

 systemctl status named-pkcs11.service
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native
PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service;
disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-07-13 18:38:15 BST;
51min ago
  Process: 25913 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS
(code=exited, status=1/FAILURE)
  Process: 25910 ExecStartPre=/bin/bash -c if [ !
"$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z
/etc/named.conf; else echo "Checking of zone files is disabled"; fi
(code=exited, status=0/SUCCESS)

Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: corporation.
Support and training for BIND 9 are
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: available at
https://www.isc.org/support
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]:

Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: adjusted limit on
open files from 4096 to 1048576
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: found 1 CPU,
using 1 worker thread
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: using 1 UDP
listener per interface
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service:
control process exited, code=exited status=1
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Failed to start Berkeley
Internet Name Domain (DNS) with native PKCS#11.
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Unit named-pkcs11.service
entered failed state.
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service failed.

# /usr/sbin/named-pkcs11 -d 9 -g
13-Jul-2016 19:31:01.283 starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.1 -d 9 -g
13-Jul-2016 19:31:01.283 built with '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix='
'--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
'--localstatedir=/var' '--enable-threads' '--enable-ipv6'
'--enable-filter-' '--enable-rrl' '--with-pic' '--disable-static'
'--disable-openssl-version-check' '--enable-exportlib'
'--with-export-libdir=/usr/lib64'
'--with-export-includedir=/usr/include'
'--includedir=/usr/include/bind9' '--enable-native-pkcs11'
'--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes'
'--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes'
'--disable-isc-spnego' '--enable-fixed-rrset'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
13-Jul-2016 19:31:01.283

13-Jul-2016 19:31:01.284 BIND 9 is maintained by Internet Systems
Consortium,
13-Jul-2016 19:31:01.284 Inc. (ISC), a non-profit 501(c)(3) public-benefit
13-Jul-2016 19:31:01.284 corporation.  Support and training for BIND 9 are
13-Jul-2016 19:31:01.284 available at https://www.isc.org/support
13-Jul-2016 19:31:01.284

13-Jul-2016 19:31:01.284 adjusted limit on open files from 4096 to 1048576
13-Jul-2016 19:31:01.284 found 1 CPU, using 1 worker thread
13-Jul-2016 19:31:01.284 using 1 UDP listener per interface
13-Jul-2016 19:31:01.284 using up to 4096 sockets
13-Jul-2016 19:31:01.284 Registering DLZ_dlopen driver
13-Jul-2016 19:31:01.284 Registering SDLZ driver 'dlopen'
13-Jul-2016 19:31:01.284 Registering DLZ driver 'dlopen'
13-Jul-2016 19:31:01.287 initializing DST: PKCS#11 initialization failed
13-Jul-2016 19:31:01.287 exiting (due to fatal error)

# tail -2 /var/log

Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]:
ObjectStore.cpp(59): Failed to enumerate object store in
/var/lib/softhsm/tokens/

Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: SoftHSM.cpp(456):
Could not load the object store

I've tried "ipa-server-upgrade" and

mv /var/lib/ipa/dnssec/tokens /var/lib/ipa/dnssec/tokens-OLD

ipa-dns-install

But I haven't managed to fix it.

Using "ipactl start -f" means the rest of the ipa services seem to work
properly, but without named.

Is there a way to fix the named issue or is it much simpler to
disconnect the replica, uninstall it and start again ?

Thanks

Bob Hinton





Hi Bob,

If your SElinux is in enforcing mode I would check for AVCs, maybe the 
token 

Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed

2016-07-04 Thread Martin Babinsky

On 07/04/2016 10:23 AM, Roderick Johnstone wrote:

Hi

I installed my first master ipa server (server1) many months ago (Redhat
7.1 IIRC) and made a replica server2 without problems.

Now I'd like to bring online another replica (server3).

All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64,
but I get the following error when I run this on server1:

server1> ipa-replica-prepare server3.example.com

Directory Manager (existing master) password:

Preparing replica for server3.example.com from server1.example.com
Creating SSL certificate for the Directory Server
Certificate issuance failed


If I repeat this on server2, my first replica, it succeeds.

Running in debug mode on server1:
server1> ipa-replica-prepare --debug server3.example.com
gives a lot of output of which the following seems relevant (some info
has been anonymised):

Generating key.  This may take a few moments...


ipa: DEBUG: request POST
https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
ipa: DEBUG: request body
'profileId=caIPAserviceCert_name=IPA+Installer_request=...CU24QyOEd%0A_request_type=pkcs10=true'

ipa: DEBUG: NSSConnection init server1.example.com
ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ipa: DEBUG: response status 200
ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT',
'content-length': '161', 'content-type': 'application/xml', 'server':
'Apache-Coyote/1.1'}
ipa: DEBUG: response body '1Server Internal
Error  3'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 337, in run
    self.copy_ds_certificate()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 382, in copy_ds_certificate
    self.export_certdb("dscert", passwd_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 589, in export_certdb
    db.create_server_cert(nickname, hostname, ca_db)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 418, in issue_server_cert
    raise RuntimeError("Certificate issuance failed")

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: RuntimeError: Certificate
issuance failed
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
Certificate issuance failed

If it's of relevance, I did change the directory manager password on both
server1 and server2 a couple of weeks ago.

I'd appreciate some pointers to resolving this.

Thanks

Roderick Johnstone


Hi Roderick,

try to look in the logs of the pki-ca subsystem. They should be located 
in the /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" and 
"debug" logs mainly.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] ipa-server-install --uninstall leaves httpd crippled ?

2016-05-26 Thread Martin Babinsky

On 05/26/2016 12:12 PM, lejeczek wrote:

hi people

I've noticed that --uninstall leaves httpd unable to restart.

I think it's what was not cleaned up in /etc/httpd/alias

In logs I see:

[Thu May 26 11:03:43.318091 2016] [:error] [pid 6930] NSS initialization
failed. Certificate database: /etc/httpd/alias.
[Thu May 26 11:03:43.318113 2016] [:error] [pid 6930] SSL Library Error:
-8177 The security password entered is incorrect

am I correct? Should the process not take care of that db?

regards

L.


Hi,

this is a known issue and we have a ticket for it:

https://fedorahosted.org/freeipa/ticket/4639

--
Martin^3 Babinsky



Re: [Freeipa-users] What if my AD domain user password not available

2016-05-23 Thread Martin Babinsky

On 05/23/2016 02:42 PM, Ben .T.George wrote:

Hi LIst,

my Windows domain admin is not giving me the domain admin user password.

In this case, how can I proceed with ipa trust-add?

regards,
Ben




Hi Ben,

You can ask your AD domain admin to create a shared secret for 
establishing trust. See the corresponding chapter in the guide for 
creating trusts[1] for more details.


[1] 
http://www.freeipa.org/page/Active_Directory_trust_setup#When_AD_administrator_credentials_aren.27t_available 



--
Martin^3 Babinsky



Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Martin Babinsky

On 05/16/2016 11:19 PM, Giuseppe Sarno wrote:

Hello,

I am new to freeIPA and I have recently been working on a project to integrate
freeIPA with a legacy application which uses LDAP for user management.

I initially created our own LDAP structure and tried to run the
code against freeIPA/389DS. While running this example I noticed that
389DS takes quite some time to load profile data from the different LDAP
nodes (~2000 entries). In a previous prototype using OpenDJ we had to
increase the parameter ds-cfg-size-limit: to ~1000 with good results. I
am wondering now whether we can do the same for the freeIPA/389DS
server. I found the following pages but I could not work out what the
exact command should be to modify those parameters.



https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html



http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html



I attempted the following but received an ObjectClass violation:

[centos@ldap-389ds-ireland ~]$ ldapmodify  -h ldap-389ds-ip -D "cn=Directory Manager" -w '' -f slimit
modifying entry "dc=ldap,dc=adeptra,dc=com"
ldap_modify: Object class violation (65)
additional info: attribute "nsslapd-sizelimit" not allowed

slimit:

dn: dc=ldap,dc=example,dc=com
changetype: modify
add:nsslapd-sizelimit
nsslapd-sizelimit: 1000



I also attempted using a user dn but with the same result.



Can anybody help ?



Thanks,

Giuseppe.





Fair Isaac Services Limited (Co. No. 01998476) and Fair Isaac (Adeptra)
Limited (Co. No. 03295455) are registered in England and Wales and have
a registered office address of Cottons Centre, 5th Floor, Hays Lane,
London, SE1 2QP.

This email and any files transmitted with it are confidential,
proprietary and intended solely for the individual or entity to whom
they are addressed. If you have received this email in error please
delete it immediately.




Hi Giuseppe,

the best way to tweak directory server configuration is this:

1.) stop directory server (systemctl stop dirsrv@EXAMPLE-COM)

2.) edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif file:
locate the nsslapd-sizelimit entry and change the value

3.) start directory server (systemctl start dirsrv@EXAMPLE-COM)

You should see the new value if you search for it in the 'cn=config' 
subtree which hosts the configuration (not the dc=example,dc=com suffix 
you use).


--
Martin^3 Babinsky
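A worked example of step 2 in Martin's procedure, added here; it is not code from the thread or from the FreeIPA project. The Python helper below changes a single-valued attribute of the cn=config entry in dse.ldif, keeps a backup with the original file mode, and refuses to add an attribute that is not already present. The sample dse.ldif and the temporary path used by demo() are constructed. Giuseppe's object class violation came from sending the modify to the data suffix instead of cn=config, which is the point of Martin's last paragraph; this helper only ever touches the cn=config entry.

```python
import os
import shutil
import tempfile

# Constructed, heavily trimmed dse.ldif modelled on a 389-ds cn=config entry.
# A real /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif is far longer and also holds
# nsslapd-rootpw (the Directory Manager password hash), which is why the
# backup written below keeps the original file mode.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-sizelimit: 2000
nsslapd-timelimit: 3600

dn: cn=plugins,cn=config
cn: plugins
objectClass: top
objectClass: nsContainer
"""


def _config_entry_lines(lines):
    """Yield (index, line) for attribute lines inside the 'dn: cn=config' entry."""
    in_config = False
    for i, line in enumerate(lines):
        if line.lower().startswith("dn:"):
            in_config = line.split(":", 1)[1].strip().lower() == "cn=config"
        elif in_config and line and not line[0].isspace():
            # a leading space would be an LDIF continuation line; the
            # single-valued limits edited here never wrap, so those are skipped
            yield i, line


def read_config_attribute(path, attr):
    """Return the value of `attr` in the cn=config entry, or None if absent."""
    with open(path) as fh:
        lines = fh.read().split("\n")
    for _, line in _config_entry_lines(lines):
        name, _, value = line.partition(":")
        if name.strip().lower() == attr.lower():
            return value.strip()
    return None


def set_config_attribute(path, attr, value):
    """Replace the value of the single-valued `attr` in the cn=config entry.

    Returns the previous value. Raises LookupError instead of adding an
    attribute that is not already there, so a typo cannot inject an unknown
    attribute that would stop the instance from starting. Run only while the
    dirsrv instance is stopped: a running server rewrites dse.ldif on shutdown
    and would overwrite the edit.
    """
    with open(path) as fh:
        lines = fh.read().split("\n")
    old = None
    for i, line in _config_entry_lines(lines):
        name, _, current = line.partition(":")
        if name.strip().lower() == attr.lower():
            old = current.strip()
            lines[i] = f"{attr}: {value}"
            break
    if old is None:
        raise LookupError(f"{attr} not present under cn=config in {path}")

    # Backup (copy2 keeps mode and timestamps), then write atomically next to
    # the original so a crash mid-write cannot leave a half-written dse.ldif.
    shutil.copy2(path, path + ".bak")
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(prefix="dse.", dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines))
    os.chmod(tmp, st.st_mode)
    try:
        os.chown(tmp, st.st_uid, st.st_gid)  # keep dirsrv ownership when run as root
    except PermissionError:
        pass
    os.replace(tmp, path)
    return old


def demo():
    """Apply the edit from the thread to a throw-away copy of the sample file."""
    path = os.path.join(tempfile.mkdtemp(), "dse.ldif")  # constructed location
    with open(path, "w") as fh:
        fh.write(SAMPLE_DSE_LDIF)
    old = set_config_attribute(path, "nsslapd-sizelimit", "1000")
    new = read_config_attribute(path, "nsslapd-sizelimit")
    try:
        set_config_attribute(path, "nsslapd-sizelimt", "1")  # deliberate typo
        typo_rejected = False
    except LookupError:
        typo_rejected = True
    return old, new, typo_rejected


if __name__ == "__main__":
    print(demo())  # ('2000', '1000', True)
```

Run it with the instance stopped (systemctl stop dirsrv@EXAMPLE-COM), start the instance again, and confirm the change the way Martin describes, with a search against cn=config rather than the data suffix: ldapsearch -D 'cn=Directory Manager' -W -b cn=config -s base nsslapd-sizelimit. The backup copy inherits the original mode because dse.ldif also holds the Directory Manager password hash. nsslapd-sizelimit is the server-wide cap on entries returned per search, so raising it raises it for every bound client; the per-bind-DN limits described in the first Red Hat link in Giuseppe's mail let you raise it for one application account only.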



Re: [Freeipa-users] Automatic consistency checking

2016-05-05 Thread Martin Babinsky

On 05/05/2016 03:54 PM, Andrew Holway wrote:

Hello,

We've been using Freeipa on Centos for a while and found one day that
the replication stuff was broken and that the LDAP database on our pair
of IPA servers was inconsistent. We didn't know how long this had been
broken for but we were not able to repair it either.

We use AWS so we've now deployed RHEL AMI's and are now using IdM so we
can get support when this is breaking but I am a bit stuck how to
monitor that the replication is still working.

So is there some monitoring mechanisms in FreeIPA?

Cheers,

Andrew




Hi Andrew,

to check the status of a replica you can use the following command:

"""
ipa-replica-manage list -v replica1.ipa.test
master1.ipa.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental 
update succeeded

  last update ended: 2016-05-05 14:29:01+00:00
"""

--
Martin^3 Babinsky
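The output above is easy to turn into the monitoring check Andrew asked for. The following Python is an added example, not code from the thread or from FreeIPA: it parses `ipa-replica-manage list -v` output into per-peer fields and flags an agreement whose last update status is not 0 or whose last update ended longer ago than a threshold. SAMPLE_OUTPUT is constructed from the output quoted above; the "Error (0) ..." status form that newer 389-ds releases print is accepted as well.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the `ipa-replica-manage list -v` output
# quoted in the thread (the wrapped status line joined back together).
SAMPLE_OUTPUT = """\
master1.ipa.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-05-05 14:29:01+00:00
"""

TIMESTAMP_FMT = "%Y-%m-%d %H:%M:%S%z"

# The status code is printed as "0 ..." in the thread's output; newer 389-ds
# releases print it as "Error (0) ...". Both forms are accepted here.
_STATUS_CODE = re.compile(r"^(?:Error \()?(-?\d+)")


def parse_replica_status(text):
    """Map each replication peer to its 'last ...' fields.

    Returns {peer_fqdn: {"type": "replica", "last update status": ..., ...}}.
    """
    agreements = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # "master1.ipa.test: replica" opens a new agreement block
            peer, _, kind = line.partition(":")
            current = agreements.setdefault(peer.strip(), {"type": kind.strip()})
        elif current is not None:
            # indented "key: value" lines belong to the current peer; split on
            # the first colon only, because the value itself contains colons
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return agreements


def agreement_problems(fields, now, max_age):
    """Return a list of problems for one agreement; an empty list is healthy."""
    problems = []
    status = fields.get("last update status", "")
    m = _STATUS_CODE.match(status)
    if m is None or m.group(1) != "0":
        problems.append(f"last update status is not 0: {status!r}")
    ended = fields.get("last update ended")
    if ended is None:
        problems.append("missing 'last update ended'")
    else:
        age = now - datetime.strptime(ended, TIMESTAMP_FMT)
        if age > max_age:
            problems.append(f"last update ended {age} ago (limit {max_age})")
    return problems


def replication_problems(text, now_str, max_age_hours=1):
    """Check every agreement in `text`; `now_str` is in TIMESTAMP_FMT.

    Returns {peer: [problem, ...]} so a monitoring hook can alert on any
    non-empty list.
    """
    now = datetime.strptime(now_str, TIMESTAMP_FMT)
    max_age = timedelta(hours=max_age_hours)
    return {
        peer: agreement_problems(fields, now, max_age)
        for peer, fields in parse_replica_status(text).items()
    }


if __name__ == "__main__":
    # In production feed in the real output, e.g. the stdout of
    # subprocess.run(["ipa-replica-manage", "list", "-v", host], capture_output=True, text=True)
    print(replication_problems(SAMPLE_OUTPUT, "2016-05-05 14:40:00+00:00"))
```

A cron job or monitoring agent would feed in the real output (the command needs Directory Manager or admin credentials) and alert on any non-empty list. Checking the timestamp as well as the status code catches the case where the last attempt succeeded long ago and nothing has been replicated since.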



Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Martin Babinsky

On 04/26/2016 03:13 PM, Gady Notrica wrote:

Hello world,



I am having issues this morning with my primary IPA. See below the
details in the logs and command result. Basically, krb5kdc service not
starting - krb5kdc: Server error - while fetching master key.



DNS is functioning. See below dig result. I have a trust with Windows AD.



Please help…!



[root@cd-ipa1 log]# systemctl status krb5kdc.service -l
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
  Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)

Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
[root@cd-ipa1 log]#



Errors in /var/log/krb5kdc.log



krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL

krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL

krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL



[root@cd-ipa1 log]# systemctl status httpd -l
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)

Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa : ERROR Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
[root@cd-ipa1 log]#





DNS Result for dig redhat.com



; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2



;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;redhat.com.IN  A



;; ANSWER SECTION:

redhat.com. 60  IN  A   209.132.183.105



;; AUTHORITY SECTION:

.   849 IN  NS  f.root-servers.net.

.   849 IN  NS  e.root-servers.net.

.   849 IN  NS  k.root-servers.net.

.   849 IN  NS  m.root-servers.net.

.   849 IN  NS  b.root-servers.net.

.   849 IN  NS  g.root-servers.net.

.   849 IN  NS  c.root-servers.net.

.   849 IN  NS  h.root-servers.net.

.   849 IN  NS  l.root-servers.net.

.   849 IN  NS  a.root-servers.net.

.   849 IN  NS  j.root-servers.net.

.   849 IN  NS  i.root-servers.net.

.   849 IN  NS  d.root-servers.net.



;; ADDITIONAL SECTION:

j.root-servers.net. 3246IN  A   192.58.128.30



;; Query time: 79 msec

;; SERVER: 10.20.10.41#53(10.20.10.41)

;; WHEN: Tue Apr 26 09:02:43 EDT 2016

;; MSG SIZE  rcvd: 282



Gady Notrica| IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell.
416.818.4797 | 

Re: [Freeipa-users] Client enrolled but failed to obtain host TGT.

2016-04-22 Thread Martin Babinsky

On 04/21/2016 11:14 PM, Ask Stack wrote:

Half the time ipa-client-install will fail at getting the TGT. Google
showed posts like "Bug 845691 – ipa-client-install Failed to obtain host
TGT". I reduced '_kerberos-master._tcp', '_kerberos-master._udp',
'_kerberos._tcp' and '_kerberos._udp' to one server entry only. But it
didn't help to reduce the failure rate. Thanks for your help.


client
ipa-client-3.0.0-47.el6_7.2.x86_64

server
ipa-server-3.0.0-47.el6_7.1.x86_64

ipa-client-install --hostname=client1.example.com
--server=ipa-server.example.com --domain=example.com -N --mkhomedir
--unattended -p ipa...@example.com -w 'password1'
--ca-cert-file=/etc/ipa/ca.crt -d
...
...
Enrolled in IPA realm EXAMPLE.COM
args=kdestroy
stdout=
stderr=
args=/usr/bin/kinit -k -t /etc/krb5.keytab
host/client1.example@example.com
stdout=
stderr=kinit: Generic preauthentication failure while getting initial
credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab
host/client1.example@example.com
stdout=
stderr=kinit: Generic preauthentication failure while getting initial
credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab
host/client1.example@example.com
stdout=
stderr=kinit: Generic preauthentication failure while getting initial
credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab
host/client1.example@example.com
stdout=
stderr=kinit: Generic preauthentication failure while getting initial
credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab
host/client1.example@example.com
stdout=
stderr=kinit: Generic preauthentication failure while getting initial
credentials

Failed to obtain host TGT.







Hello,

can you please provide KDC log from the server you are enrolling 
against? IIRC it should be in /var/log/krb5kdc.log


--
Martin^3 Babinsky



Re: [Freeipa-users] Problem with ipa-getkeytab ?

2016-04-21 Thread Martin Babinsky

On 04/21/2016 04:53 PM, Günther J. Niederwimmer wrote:

Hello,

I found a HowTo on FreeIPA to install an HA version for a mail system.

Now I have a problem getting the keytab on the second server.

On the first server I run:

kinit admin
ipa-getkeytab -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab

This is working,

but on the second server, when I start

kinit admin
ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab

for the same keytab, I get an error saying that access is not possible?

Is this a bug or a mistake on my part?



AFAIK reading Kerberos keys is a protected operation reserved for 
root/directory manager only, so you will have to use your Directory 
manager credentials for that:


"""
 ipa-getkeytab   -r  -s ipa.example.com -p imap/mail.example.com -k 
/etc/dovecot/dovecot.keytab -D 'cn=directory manager' -w $DM_PASSWORD

"""
alternatively you can permit your admin user to retrieve the keytab 
using the following command:


"""
ipa service-allow-retrieve-keytab imap/mail.example.com --users admin

"""

and then run ipa-getkeytab as admin

--
Martin^3 Babinsky



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Babinsky

On 04/20/2016 07:12 PM, Gady Notrica wrote:

Please find attached the install log

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 20, 2016 1:04 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On 04/20/2016 06:00 PM, Gady Notrica wrote:

Hello World,

I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly.

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX
this? Below is the full log.

---

Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.

---

Gady




We would need to see the whole log, it should be located in 
'/var/log/ipaclient-install.log'

--
Martin^3 Babinsky


It looks like the log is truncated. Are you sure that this is the full 
version?


--
Martin^3 Babinsky



Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Babinsky

On 04/20/2016 06:00 PM, Gady Notrica wrote:

Hello World,

I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly.

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos
configuration file while initializing Kerberos 5 library

Then I have “Installation failed. Rolling back changes.”

I have tried everything I know with no luck. Any idea on how to FIX
this? Below is the full log.

---

Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.domain.com:
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.

---

Gady



We would need to see the whole log, it should be located in 
'/var/log/ipaclient-install.log'


--
Martin^3 Babinsky



Re: [Freeipa-users] User certificate workflow

2016-03-15 Thread Martin Babinsky

On 03/15/2016 08:39 AM, Alessandro De Maria wrote:

Hello,

I would like to have authenticated users to upload a csr request and
have their certificate automatically signed. Their certificate would
expire in x days.

Given the short life of the certificate, I would then like them to be
able to easily download the certificate.

Any suggestion on how to do it?
I would prefer the shell script approach but also having it self
serviced on the web ui would be great.

Regards


--
Alessandro De Maria
alessandro.dema...@gmail.com 




Hi Alessandro,

for FreeIPA 4.2+ you can use the following links as a guide to set up a 
custom profile and CA ACL rules so that users can request certificates 
for themselves:


http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

The user can then generate a CSR, e.g. using OpenSSL, and use 'ipa 
cert-request' to send it to the IPA CA. If you specify 'store=True' when 
adding the custom certificate profile, the certificate will be added to 
the user entry as the 'usercertificate;binary' attribute, which they can view 
from the CLI/WebUI as PEM and save to a file by copy-pasting it (the 
functionality to save the certificate directly to a file is under 
development).


It should be possible to modify the certificate profile to restrict the 
maximum validity of the issued certificate but I have no knowledge about 
that. I have CC'ed Fraser Tweedale (the blog post author), he may help 
you with this.


--
Martin^3 Babinsky



Re: [Freeipa-users] IPA 4.2.0 httpd errors

2016-02-21 Thread Martin Babinsky

On 02/19/2016 03:12 PM, Daryl Fonseca-Holt wrote:

Hello,

Doing a bulk load of 150,000+ users to an IPA 4.2.0 server running
RedHat Enterprise Linux 7.

Running 25 parallel ipa user-add at once, waiting for completion, then
starting another 25, and so on.

The httpd error_log is filling with many of these messages (457,189 in
four days):

[Fri Feb 19 07:41:08.100903 2016] [:error] [pid 76505] [remote
10.0.1.177:40] mod_wsgi (pid=76505): Exception occurred processing WSGI
script '/usr/share/ipa/wsgi.py'.
[Fri Feb 19 07:41:08.100989 2016] [:error] [pid 76505] [remote
10.0.1.177:40] Traceback (most recent call last):
[Fri Feb 19 07:41:08.101018 2016] [:error] [pid 76505] [remote
10.0.1.177:40]   File "/usr/share/ipa/wsgi.py", line 49, in application
[Fri Feb 19 07:41:08.101073 2016] [:error] [pid 76505] [remote
10.0.1.177:40] return api.Backend.wsgi_dispatch(environ,
start_response)
[Fri Feb 19 07:41:08.101087 2016] [:error] [pid 76505] [remote
10.0.1.177:40]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 258, in
__call__
[Fri Feb 19 07:41:08.101109 2016] [:error] [pid 76505] [remote
10.0.1.177:40] return self.route(environ, start_response)
[Fri Feb 19 07:41:08.101120 2016] [:error] [pid 76505] [remote
10.0.1.177:40]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 270, in
route
[Fri Feb 19 07:41:08.101140 2016] [:error] [pid 76505] [remote
10.0.1.177:40] return app(environ, start_response)
[Fri Feb 19 07:41:08.101152 2016] [:error] [pid 76505] [remote
10.0.1.177:40]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 447, in
__call__
[Fri Feb 19 07:41:08.101169 2016] [:error] [pid 76505] [remote
10.0.1.177:40] response = super(jsonserver, self).__call__(environ,
start_response)
[Fri Feb 19 07:41:08.101180 2016] [:error] [pid 76505] [remote
10.0.1.177:40]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 647, in
__call__
[Fri Feb 19 07:41:08.101198 2016] [:error] [pid 76505] [remote
10.0.1.177:40] 'xmlserver', user_ccache, environ, start_response,
headers)
[Fri Feb 19 07:41:08.101210 2016] [:error] [pid 76505] [remote
10.0.1.177:40]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 593, in
finalize_kerberos_acquisition
[Fri Feb 19 07:41:08.101229 2016] [:error] [pid 76505] [remote
10.0.1.177:40] session_data['ccache_data'] =
load_ccache_data(ccache_name)
[Fri Feb 19 07:41:08.101240 2016] [:error] [pid 76505] [remote
10.0.1.177:40]   File
"/usr/lib/python2.7/site-packages/ipalib/session.py", line 1231, in
load_ccache_data
[Fri Feb 19 07:41:08.101259 2016] [:error] [pid 76505] [remote
10.0.1.177:40] src = open(name)
[Fri Feb 19 07:41:08.101294 2016] [:error] [pid 76505] [remote
10.0.1.177:40] IOError: [Errno 2] No such file or directory:
'/var/run/httpd/ipa/clientcaches/admin@UOFMT1'
[Fri Feb 19 07:41:09.788839 2016] [auth_gssapi:error] [pid 75336]
[client 10.0.1.177:42610] failed to store delegated creds: [Unspecified
GSS failure.  Minor code may provide more information (Internal
credentials cache error)], referer: https://mork.cc.umanitoba.ca/ipa/xml
[Fri Feb 19 07:41:09.788844 2016] [auth_gssapi:error] [pid 78642]
[client 10.0.1.177:42621] failed to store delegated creds: [Unspecified
GSS failure.  Minor code may provide more information (Internal
credentials cache error)], referer: https://mork.cc.umanitoba.ca/ipa/xml
[Fri Feb 19 07:41:09.788961 2016] [auth_gssapi:error] [pid 78643]
[client 10.0.1.177:42613] failed to store delegated creds: [Unspecified
GSS failure.  Minor code may provide more information (Internal
credentials cache error)], referer: https://mork.cc.umanitoba.ca/ipa/xml
[Fri Feb 19 07:41:09.789154 2016] [auth_gssapi:error] [pid 77367]
[client 10.0.1.177:42615] KRB5CCNAME file
(/var/run/httpd/ipa/clientcaches/admin@UOFMT1) lookup failed!, referer:
https://mork.cc.umanitoba.ca/ipa/xml


When the batches are first started there are no errors.
Started batch script at 11:34:54. First error at 12:17:31 after 48
batches of 25 users.

The 25 users are each added concurrently by separate processes using ipa
user-add  ...
When the script gets the authentication error it simply retries the
user-add so the user are added anyway.

I think there was a similar incident, Subject: Client-Install failures,
in January 2016, but the thread seemed to fade away without an answer
AFAICT.

Thanks, Daryl


Hi Daryl,

it looks like you ran into https://fedorahosted.org/freeipa/ticket/5653

--
Martin^3 Babinsky



Re: [Freeipa-users] IPA inaccessible after adding service principal

2016-02-15 Thread Martin Babinsky

On 02/15/2016 04:41 PM, Sumit Bose wrote:

On Mon, Feb 15, 2016 at 04:27:15PM +0100, Martin Juhl wrote:

Hi guys

I've just installed a RHEL7 server with ipa-server 4.2.0...

Everything seems to work fine, until I add a service principal:

(Running on a client, after a kinit)

[root@dantooine ~]# ipa-getkeytab -s naboo.outerrim.lan -p 
HTTP/naboo.outerrim@outerrim.lan -k /etc/krb5.keytab
Keytab successfully retrieved and stored in: /etc/krb5.keytab


ipa-getkeytab will always create a new key unless you use the --retrieve
option.

It looks like you call ipa-getkeytab on the host dantooine, so it will
create a new key for naboo but save it on dantooine. So the keytab on
naboo will still have the old key but the KDC will hand out service
tickets with the new key which naboo does not know about.

Please try to call ipa-getkeytab with the --retrieve option on naboo so
that the new key is available on naboo as well.

HTH

bye,
Sumit




You will also need to regenerate the Apache keytab, since by using the 
command you regenerated the Kerberos keys of the HTTP service while leaving 
the old keys in the IPA HTTP service keytab, hence the decrypt integrity 
check error when using the CLI/WebUI.


On naboo.outerrim.lan, run:

"""
ipa-getkeytab -s naboo.outerrim.lan -p HTTP/naboo.outerrim@outerrim.lan -k /etc/httpd/conf/ipa.keytab
"""

and then either restart the httpd service or run:

"""
kdestroy -c /var/run/httpd/ipa/krbcache/krb5ccache
"""

That should make webui and cli work again.





After running the command, the web-interface returns:

The password or username you entered is incorrect.

when I try to login, and the "ipa" command has stopped working as well (both on 
the server and client):


[root@dantooine ~]# ipa user-show admin
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (KDC returned 
error string: 2ND_TKT_SERVER)
[root@dantooine ~]#
[root@dantooine ~]# kdestroy
[root@dantooine ~]# kinit admin
Password for ad...@outerrim.lan:
[root@dantooine ~]# ipa user-show admin
ipa: ERROR: cannot connect to 'https://naboo.outerrim.lan/ipa/json': 
Unauthorized


/var/log/httpd/error_log on the server gives me:

ValueError: non-generic 'CCacheError' needs format=None; got format="(-1765328353, 
'Decrypt integrity check failed')"


What did I do wrong here???

Regards

Martin Juhl






--
Martin^3 Babinsky



Re: [Freeipa-users] Setup of freeipa 4.2.3 failed

2016-01-08 Thread Martin Babinsky

On 01/08/2016 01:06 PM, Markus Roth wrote:

Hi all,

I tried to install freeipa server (freeipa-server.armv7hl 4.2.3-1.1.fc23), but the installation failed.

-
Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
   [1/43]: creating directory server user
   [2/43]: creating directory server instance
   [3/43]: adding default schema
   [4/43]: enabling memberof plugin
   [5/43]: enabling winsync plugin
   [6/43]: configuring replication version plugin
   [7/43]: enabling IPA enrollment plugin
   [8/43]: enabling ldapi
   [9/43]: configuring uniqueness plugin
   [10/43]: configuring uuid plugin
   [11/43]: configuring modrdn plugin
   [12/43]: configuring DNS plugin
   [13/43]: enabling entryUSN plugin
   [14/43]: configuring lockout plugin
   [15/43]: creating indices
   [16/43]: enabling referential integrity plugin
   [17/43]: configuring certmap.conf
   [18/43]: configure autobind for root
   [19/43]: configure new location for managed entries
   [20/43]: configure dirsrv ccache
   [21/43]: enable SASL mapping fallback
   [22/43]: restarting directory server
   [23/43]: adding default layout
   [24/43]: adding delegation layout
   [25/43]: creating container for managed entries
   [26/43]: configuring user private groups
   [27/43]: configuring netgroups from hostgroups
   [28/43]: creating default Sudo bind user
   [29/43]: creating default Auto Member layout
   [30/43]: adding range check plugin
   [31/43]: creating default HBAC rule allow_all
   [32/43]: creating default CA ACL rule
   [33/43]: adding entries for topology management
   [34/43]: initializing group membership
   [35/43]: adding master entry
   [36/43]: initializing domain level
   [37/43]: configuring Posix uid/gid generation
   [38/43]: adding replication acis
   [39/43]: enabling compatibility plugin
   [40/43]: activating sidgen plugin
   [41/43]: activating extdom plugin
   [42/43]: tuning directory server
   [43/43]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
30 seconds
   [1/25]: creating certificate server user
   [2/25]: configuring certificate server instance
   [3/25]: stopping certificate server instance to update CS.cfg
   [4/25]: backing up CS.cfg
   [5/25]: disabling nonces
   [6/25]: set up CRL publishing
   [7/25]: enable PKIX certificate path discovery and validation
   [8/25]: starting certificate server instance
   [9/25]: creating RA agent certificate database
   [10/25]: importing CA chain to RA certificate database
   [11/25]: fixing RA database permissions
   [12/25]: setting up signing cert profile
   [13/25]: setting audit signing renewal to 2 years
   [14/25]: restarting certificate server
   [15/25]: requesting RA certificate from CA
   [16/25]: issuing RA agent certificate
   [17/25]: adding RA agent as a trusted user
   [18/25]: authorizing RA to modify profiles
   [19/25]: configure certmonger for renewals
   [20/25]: configure certificate renewals
   [21/25]: configure RA certificate renewal
   [22/25]: configure Server-Cert certificate renewal
   [23/25]: Configure HTTP to proxy connections
   [24/25]: restarting certificate server
   [25/25]: Importing IPA certificate profiles
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
   [1/3]: configuring ssl for ds instance
   [error] RuntimeError: Certificate issuance failed
ipa.ipapython.install.cli.install_tool(Server): ERROR Certificate issuance failed

---

The last messages in the log file (/var/log/ipaserver-install.log):

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 637, in __enable_ssl
    self.nickname, self.fqdn, cadb)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
    raise RuntimeError("Certificate issuance failed")

2016-01-08T09:33:47Z DEBUG The ipa-server-install command failed,
exception: RuntimeError: Certificate issuance failed
2016-01-08T09:33:47Z ERROR Certificate issuance failed

any ideas about this error?

Markus




Sounds similar to https://fedorahosted.org/freeipa/ticket/5376, but I 
cannot be sure without seeing the installation log 
(/var/log/ipaserver-install.log).


As a workaround, you can try to re-run the installation in verbose mode 
using the '-v' option and see if it succeeds. Be prepared for a lot of 
garbage spouted on the output, though.


--
Martin^3 Babinsky


Re: [Freeipa-users] Documentation on the JSON format for ipa-web?

2015-12-02 Thread Martin Babinsky

On 12/01/2015 07:56 PM, Marc Boorshtein wrote:

Great.  Doesn't look like it's made it into CentOS yet (still at 7.1).
OK, going to go ahead and get it running on Fedora 23.

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902


On Tue, Dec 1, 2015 at 1:42 PM, Rob Crittenden wrote:

Marc Boorshtein wrote:


IPA 4.2 has an experimental API browser in the GUI, IPA Server -> API
browser.



Has 4.2 made it into CentOS 7 yet? Or only in Fedora?



It is in RHEL 7.2 and Fedora 23.

rob




Hi Marc,

The FreeIPA public demo also features an API browser for you to inspect. 
See http://www.freeipa.org/page/Demo and then go to 
https://ipa.demo1.freeipa.org/ipa/ui/#/p/apibrowser/type=command


--
Martin^3 Babinsky



Re: [Freeipa-users] connection problems after reboot with unusual setting (Ubuntu 14.04 + freeipa docker)

2015-11-23 Thread Martin Babinsky

On 11/20/2015 04:44 PM, Karl Forner wrote:

Hello,

My server runs ubuntu 14.04 and uses sssd 1.12.5-1~trusty1.
The freeipa server runs inside a docker (an adelton/freeipa-server), and
the docker host pretends to be the freeIPA server by forwarding the
appropriate ports.

This works very fine.
But when I reboot my server (which is in a locked server room), I
struggle to connect to it.

I'm unable to connect using ssh onto it, using any kind of local or
freeIPA accounts onto it.
The DNS server (provided by freeIPA) works fine though (i.e. nslookup
server server works).

Fortunately, I have the monit web app running on the server that allows
to restart the ssh service.

After restarting ssh remotely, I am now able to connect to the server.
It seems that all works fine again once I restart sssd on the server.

I know this is a pretty complex setup, but do you have hints that could
help me have a usable server after reboot?

Thanks,
Karl Forner





We will need some more information to help you out. Is the ssh daemon 
running right after the reboot? Is there anything in sshd logs? We may 
also need sssd logs, see https://fedorahosted.org/sssd/wiki/Troubleshooting.


--
Martin^3 Babinsky



Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2015-11-20 Thread Martin Babinsky

On 11/20/2015 04:08 PM, Ash Alam wrote:

Most of the clients in my env are centos 6.6 with ipa 3.0.0 client
installed. If I bring up a replica on centos 7.2 with ipa 4.2.3 server
and then start phasing out the older 3.0.0 servers, will the clients that
are still running the older client software still work?


Yes, older clients should be able to talk to newer masters.


On Fri, Nov 20, 2015 at 4:31 AM, Martin Kosek wrote:

On 11/19/2015 11:03 PM, Ash Alam wrote:

Hello All

I am looking for some advice on upgrading. Currently our FreeIPA servers are
3.0.0 on centos 6.6. We are looking to go to 4.2.3 on Centos7. This upgrade
path is not possible per IPA documentation. Minimum version required is 3.3.x.
I have also found that centos6 does not provide anything past 3.0.0.


And it won't. There are no plans for updating the FreeIPA version in
RHEL/CentOS-6.x; we encourage people who want the new features to
migrate to RHEL-7.x:


http://www.freeipa.org/page/Howto/Migration#Migrating_Identity_Management_in_RHEL.2FCentOS


https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc

If you want to wait on CentOS-7.2, it should be in the works now:
http://seven.centos.org/2015/11/rhel-7-2-released-today/

One idea is to upgrade to 3.3.x first and then upgrade to 4.2.3 on centos7.
This is harder since centos does not provide this. The other issue is
whether the 3.0/3.3 client will be supported with the 4.2.3 server.


The right way is to migrate via creating replicas in RHEL/CentOS-7.x
and slowly deprecating RHEL/CentOS-6 ones. Detailed procedure in the
links above.







--
Martin^3 Babinsky



Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-11 Thread Martin Babinsky

On 11/10/2015 08:14 PM, Gronde, Christopher (Contractor) wrote:

Removed the bad mapping.  Krb5kdc service still will not start.  Here is the 
access log.

[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 ADD dn="ou=Netscape Directory 
Team,cn=monitor"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 SRCH base="cn=SNMP,cn=config" scope=0 
filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 SRCH base="cn=uniqueid 
generator,cn=config" scope=0 filter="objectclass=*" attrs=ALL
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 MOD dn="cn=uniqueid 
generator,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 SRCH base="cn=tasks,cn=config" scope=2 
filter="(objectclass=*)" attrs=ALL
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 
nentries=15 etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL 
dn="cn=upgradedb,cn=tasks,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL dn="cn=syntax 
validate,cn=tasks,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL dn="cn=schema reload 
task,cn=tasks,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL 
dn="cn=restore,cn=tasks,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL 
dn="cn=index,cn=tasks,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL 
dn="cn=import,cn=tasks,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL dn="cn=fixup linked 
attributes,cn=tasks,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL 
dn="cn=export,cn=tasks,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL 
dn="cn=cleanallruv,cn=tasks,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL 
dn="cn=backup,cn=tasks,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL dn="cn=automember rebuild 
membership,cn=tasks,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL dn="cn=automember map 
updates,cn=tasks,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL dn="cn=automember export 
updates,cn=tasks,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL dn="cn=abort 
cleanallruv,cn=tasks,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 ADD dn="cn=Binary 
Syntax,cn=plugins,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=68 tag=48 
nentries=0 etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 ADD dn="cn=Bit String 
Syntax,cn=plugins,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=68 tag=48 
nentries=0 etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 ADD dn="cn=Bitwise 
Plugin,cn=plugins,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=68 tag=48 
nentries=0 etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 ADD dn="cn=Boolean 
Syntax,cn=plugins,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=68 tag=48 
nentries=0 etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 ADD dn="cn=Case Exact String 
Syntax,cn=plugins,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=68 tag=48 
nentries=0 etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 ADD dn="cn=Case Ignore String 
Syntax,cn=plugins,cn=config"
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=68 tag=48 
nentries=0 etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 ADD 
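When reading a dirsrv access log like the one quoted above, the useful signal is the err= value on each RESULT line, read together with the operation that produced it (here the err=68 results belong to ADD operations on plugin entries). The following is an added example, not code from the original post, from 389-ds or from FreeIPA: it re-joins mail-wrapped lines, pairs each operation with the RESULT that follows it on the same conn/op, and names the non-zero result codes. The sample log is constructed in the quoted format; the two conn=12 BIND lines and the dc=example,dc=test suffix are invented.

```python
"""Correlate 389-ds (dirsrv) access-log operations with their RESULT lines.

Added example for the krb5kdc thread above; it is not code from the original
post, from 389-ds or from FreeIPA. The sample lines are constructed in the
access-log format quoted in the thread (the two conn=12 lines are invented).
"""
import re
from collections import Counter

# LDAP result codes (RFC 4511) that commonly appear in dirsrv access logs.
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    68: "entryAlreadyExists",
}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\S+) op=(?P<op>-?\d+) (?P<rest>.*)$"
)
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)")
OP_RE = re.compile(r"^(?P<kind>ADD|DEL|MOD|MODRDN|SRCH|BIND|CMP|EXT) (?P<detail>.*)$")

# Constructed sample, wrapped the way the mail client wrapped the quoted log.
SAMPLE_LOG = [
    '[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 SRCH base="cn=tasks,cn=config" scope=2 ',
    'filter="(objectclass=*)" attrs=ALL',
    '[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=15 etime=0',
    '[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 DEL dn="cn=upgradedb,cn=tasks,cn=config"',
    '[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 etime=0',
    '[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 ADD dn="cn=Binary ',
    'Syntax,cn=plugins,cn=config"',
    '[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=68 tag=48 ',
    'nentries=0 etime=0',
    '[10/Nov/2015:14:12:17 -0500] conn=12 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=test" method=128 version=3',
    '[10/Nov/2015:14:12:17 -0500] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0',
]


def join_wrapped(lines):
    """Re-join lines wrapped by a mail client: a real log line starts with '['."""
    out = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("[") or not out:
            out.append(line)
        else:
            out[-1] = out[-1].rstrip() + " " + line.strip()
    return out


def correlate(lines):
    """Pair each operation with the RESULT that follows it on the same conn/op.

    Internal operations are all logged as conn=Internal op=-1, so the pairing is
    positional: the next RESULT for a (conn, op) key closes the operation most
    recently opened under that key. Returns a list of (kind, detail, err).
    """
    pending = {}
    paired = []
    for line in join_wrapped(lines):
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["conn"], m["op"])
        r = RESULT_RE.match(m["rest"])
        if r:
            kind, detail = pending.pop(key, ("?", ""))
            paired.append((kind, detail, int(r["err"])))
            continue
        o = OP_RE.match(m["rest"])
        if o:
            pending[key] = (o["kind"], o["detail"])
    return paired


def failures(paired):
    """Keep only operations whose RESULT carried a non-zero err, with the code named."""
    return [(kind, detail, err, LDAP_RESULT_NAMES.get(err, "unknown"))
            for kind, detail, err in paired if err != 0]


def summarize(paired):
    """Count results by (operation kind, err) so a long log collapses to a few lines."""
    return Counter((kind, err) for kind, _, err in paired)


if __name__ == "__main__":
    results = correlate(SAMPLE_LOG)
    for kind, detail, err, name in failures(results):
        print(f"{kind:5} err={err} ({name}) {detail}")
    print(summarize(results))
```

On the quoted log this reports the err=68 (entryAlreadyExists) results on the ADD operations for the syntax plugin entries, which tells you those ADDs were no-ops rather than failures; a BIND that fails with err=49 (invalidCredentials), as in the constructed conn=12 lines, is the kind of result worth chasing when a service such as krb5kdc cannot talk to the directory.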

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Martin Babinsky

On 11/10/2015 05:16 PM, Gronde, Christopher (Contractor) wrote:

Neither came back with anything

# ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b 
"dc=itmodev,dc=gov" '(uid=ldap/comipa01.itmodev.gov)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Martin Babinsky

On 11/10/2015 05:54 PM, Gronde, Christopher (Contractor) wrote:

# ldapsearch -x -D 'cn=Directory Manager' -W -b cn=mapping,cn=sasl,cn=config
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-02 Thread Martin Babinsky

On 10/02/2015 02:52 PM, Fujisan wrote:

More info:

I can initiate a ticket:
$ kdestroy
$ kinit admin

but cannot view user admin:
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized

$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

/var/log/messages:
Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
check failed. Unable to create GSSAPI-encrypted LDAP connection.



On Fri, Oct 2, 2015 at 2:26 PM, Fujisan wrote:

Hello,

I cannot login to the web UI anymore.

The password or username you entered is incorrect.

Log says:

Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
{18 17 16 23 25 26 1 3 2}) 10.0.21.18 :
NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA,
Additional pre-authentication required
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
(encrypted_timestamp) verify failure: Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
{18 17 16 23 25 26 1 3 2}) 10.0.21.18 :
PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA,
Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12


I have no idea what went wrong.

What can I do?

Regards,
Fuji





What version of FreeIPA are you running?

--
Martin^3 Babinsky

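The KDC log quoted in this thread is worth reading carefully: "Decrypt integrity check failed" on an AS_REQ pre-authentication means the key the KDC holds for the client principal does not match the key the client used to encrypt its timestamp. For a user principal that is simply a wrong password; for a service principal such as HTTP/zaira2.opera@OPERA, which authenticates with a keytab, it points to the keytab and the KDC holding different keys (typically after the principal was re-keyed and the keytab was not refreshed). The following added example, not code from the original post, from MIT Kerberos or from FreeIPA, groups AS_REQ outcomes per client principal and applies that distinction; it also covers the user-principal case the thread does not show. The sample lines are constructed in the quoted syslog format: the HTTP/zaira2.opera lines mirror the quoted log, while admin@OPERA, jdoe@OPERA, 10.0.21.44 and the verdict labels are invented.

```python
"""Classify krb5kdc AS_REQ outcomes per client principal.

Added example for the web-UI login thread above; it is not code from the
original post, from MIT Kerberos or from FreeIPA. The sample lines are
constructed in the syslog format quoted in the thread: the HTTP/zaira2.opera
lines mirror the quoted log, the admin@OPERA and jdoe@OPERA lines are invented.
"""
import re
from collections import defaultdict

BAD_INTEGRITY = "Decrypt integrity check failed"

# "AS_REQ (<n> etypes {...}) <addr>: <STATUS>: <body>"; the quoted log carries a
# stray space before the colon after the address, so that space is optional.
AS_REQ_RE = re.compile(
    r"AS_REQ \([^)]*\{[^}]*\}\) (?P<ip>\S+?) ?: (?P<status>[A-Z_]+): (?P<body>.*)$"
)
# NEEDED_PREAUTH / PREAUTH_FAILED bodies: "<client> for <server>[, <detail>]"
CLIENT_RE = re.compile(r"^(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<detail>.*))?$")
# ISSUE bodies: "authtime <t>, etypes {...}, <client> for <server>"
ISSUE_RE = re.compile(r"^authtime \d+, etypes \{[^}]*\}, (?P<client>\S+) for (?P<server>\S+)$")

_PFX = "zaira2.opera krb5kdc[3225](info): "
SAMPLE_KDC_LOG = [  # constructed sample
    "Oct 02 14:22:57 " + _PFX + "AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18 : "
    "NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required",
    "Oct 02 14:22:57 " + _PFX + "closing down fd 12",
    "Oct 02 14:22:57 " + _PFX + "preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed",
    "Oct 02 14:22:57 " + _PFX + "AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18 : "
    "PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed",
    "Oct 02 14:23:10 " + _PFX + "AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.21.18: "
    "NEEDED_PREAUTH: admin@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required",
    "Oct 02 14:23:10 " + _PFX + "AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.21.18: "
    "ISSUE: authtime 1443795790, etypes {rep=18 tkt=18 ses=18}, admin@OPERA for krbtgt/OPERA@OPERA",
] + [
    f"Oct 02 14:25:0{s} " + _PFX + "AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.21.44: "
    "PREAUTH_FAILED: jdoe@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed"
    for s in (1, 5, 9)
]


def parse_as_req(line):
    """Return (status, client principal, detail) for an AS_REQ line, else None."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    status, body = m["status"], m["body"]
    b = (ISSUE_RE if status == "ISSUE" else CLIENT_RE).match(body)
    if not b:
        return None
    detail = b.groupdict().get("detail") or ""
    return status, b["client"], detail


def is_service_principal(principal):
    """Service principals (HTTP/host@REALM, ldap/host@REALM) carry a '/' in the name part."""
    return "/" in principal.split("@", 1)[0]


def classify(lines):
    """Group AS_REQ outcomes per client and attach a verdict (labels are this example's own)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_as_req(line)
        if parsed:
            status, client, detail = parsed
            events[client].append((status, detail))
    findings = {}
    for client, evs in events.items():
        failed = sum(1 for s, _ in evs if s == "PREAUTH_FAILED")
        bad_key = sum(1 for s, d in evs if s == "PREAUTH_FAILED" and BAD_INTEGRITY in d)
        issued = sum(1 for s, _ in evs if s == "ISSUE")
        service = is_service_principal(client)
        if service and bad_key:
            # A keytab never mistypes a password: the stored key differs from the KDC's.
            verdict = "keytab-key-mismatch"
        elif failed and not issued:
            verdict = "repeated-preauth-failures" if failed > 1 else "preauth-failure"
        elif issued and failed:
            verdict = "ok-after-failures"
        elif issued:
            verdict = "ok"
        else:
            verdict = "no-outcome"
        findings[client] = {"verdict": verdict, "failed": failed,
                            "issued": issued, "service": service}
    return findings


if __name__ == "__main__":
    for client, info in classify(SAMPLE_KDC_LOG).items():
        print(f"{client:28} {info['verdict']:26} failed={info['failed']} issued={info['issued']}")
```

A keytab-key-mismatch verdict on a service principal is the case to act on first: compare the key version numbers in the host's keytab (klist -kt on the keytab file) with what the KDC issues for that principal, and re-fetch the keytab if they differ. In the quoted thread both the HTTP principal and sssd's ldap_child (using /etc/krb5.keytab) fail the same integrity check, which is consistent with the server's keytabs no longer matching the KDC rather than with a bad admin password.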

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-09-04 Thread Martin Babinsky

On 08/28/2015 05:46 PM, Alexandre Ellert wrote:



On 28 Aug 2015 at 17:41, Alexander Bokovoy wrote:

On Fri, 28 Aug 2015, Alexandre Ellert wrote:



On 28 Aug 2015 at 17:09, Alexander Bokovoy wrote:

On Wed, 26 Aug 2015, Alexandre Ellert wrote:



On 28 Jul 2015 at 05:59, Alexander Bokovoy wrote:

If the problem is too hard to solve, maybe I should try to deploy another
replica ?

You may try that. Sorry for not responding, I have some other tasks that
occupy my time right now.




Can you please tell me the procedure to decommission and re-create a new 
replica?
Are "ipa-server-install --uninstall" then "ipa-server-install" the only things 
to do?

No, you need also to remove the server from the replication topology.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html

--
/ Alexander Bokovoy


I can't remove the node on which I have a problem with pki-tomcatd:

# ipa-replica-manage del .example.com
Deleting a master is irreversible.
To reconnect to the remote master you will need to prepare a new replica file
and re-install.
Continue to delete? [no]: yes
Deleting this server is not allowed as it would leave your installation without 
a CA

It seems that it's the only node where the CA is installed. What should I do now?

Add a replica with a CA using ipa-ca-install on an existing replica.

Read the guide, it has detailed coverage of these situations.
--
/ Alexander Bokovoy


On the first node (which is working and without pki-tomcatd service)
# ipa-ca-install
Directory Manager (existing master) password:

CA is already installed.

How is that possible?


You must provide a replica file as an argument to ipa-ca-install if you 
want to set up a CA on another replica.


--
Martin^3 Babinsky


Re: [Freeipa-users] ipactl start fails for no apparent reason

2015-04-01 Thread Martin Babinsky

On 04/01/2015 09:20 AM, Traiano Welcome wrote:

Some information from the dirsrv error log (sanitized: XYZ = realm):

[01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no
entries set up under cn=computers, cn=compat,dc=idm,dc=local
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which
should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which
should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] - slapd started.  Listening on All
Interfaces port 389 for LDAP requests
[01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636
for LDAPS requests
[01/Apr/2015:11:01:49 +0300] - Listening on
/var/run/slapd-IDM-LOCAL.socket for LDAPI requests
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (No Kerberos
credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not
perform interactive bind for id [] authentication mechanism [GSSAPI]:
error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin -
agmt=cn=meTokwtard-idm-slve.idm.local (kwtard-idm-slve:389):
Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (No Kerberos credentials
available))
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (No Kerberos
credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not
perform interactive bind for id [] authentication mechanism [GSSAPI]:
error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin -
agmt=cn=meToindpr-idm-slve.idm.local (indpr-idm-slve:389):
Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (No Kerberos credentials
available))
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation threads
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27
threads to terminate
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down
internal subsystems and plugins
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
Cleaning rid (6)...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
Waiting to process all the updates from the deleted replica...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
Waiting for all the replicas to be online...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
Server shutting down.  Process will resume at server startup
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed
out)
[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not
perform interactive bind for id [] authentication mechanism [GSSAPI]:
error -1 (Can't contact LDAP server)
[01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin -
agmt=cn=meTokwtospr-idm-slve.idm.local (kwtospr-idm-slve:389):
Replication bind with GSSAPI auth failed: LDAP error -1 (Can't 

Re: [Freeipa-users] ipactl start fails for no apparent reason

2015-04-01 Thread Martin Babinsky

On 04/01/2015 10:14 AM, Traiano Welcome wrote:

Hi Martin

  Thanks for the response. Check results inline:


On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky mbabi...@redhat.com wrote:

On 04/01/2015 09:20 AM, Traiano Welcome wrote:


Some information from the dirsrv error log (sanitized: XYZ = realm):

[01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139
starting up
[01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no
entries set up under cn=computers, cn=compat,dc=idm,dc=local
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which
should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which
should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] - slapd started.  Listening on All
Interfaces port 389 for LDAP requests
[01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636
for LDAPS requests
[01/Apr/2015:11:01:49 +0300] - Listening on
/var/run/slapd-IDM-LOCAL.socket for LDAPI requests
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (No Kerberos
credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not
perform interactive bind for id [] authentication mechanism [GSSAPI]:
error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin -
agmt=cn=meTokwtard-idm-slve.idm.local (kwtard-idm-slve:389):
Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (No Kerberos credentials
available))
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (No Kerberos
credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not
perform interactive bind for id [] authentication mechanism [GSSAPI]:
error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin -
agmt=cn=meToindpr-idm-slve.idm.local (indpr-idm-slve:389):
Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (No Kerberos credentials
available))
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation
threads
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27
threads to terminate
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down
internal subsystems and plugins
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
Cleaning rid (6)...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
Waiting to process all the updates from the deleted replica...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
Waiting for all the replicas to be online...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
Server shutting down.  Process will resume at server startup
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed
out)
[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not
perform interactive bind for id [] authentication mechanism [GSSAPI]:
error -1 (Can't contact LDAP