Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
It works!
Thanks for your support.

Anyway, I will try to update the mod_nss package again! :D
Bye!


2016-11-18 15:21 GMT+01:00 Morgan Marodin <mor...@marodin.it>:

> A little good news.
>
> After downgrading the *mod_nss* RPM package and restoring the original
> */etc/httpd/alias* folder, the *ipa-server-upgrade* procedure has finished
> well:
>
> # ipa-server-upgrade
> Upgrading IPA:
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
>   [4/10]: enabling DS global lock
>   [5/10]: starting directory server
>   [6/10]: updating schema
>   [7/10]: upgrading server
>   [8/10]: stopping directory server
>   [9/10]: restoring configuration
>   [10/10]: starting directory server
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Updating mod_nss cipher suite]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> [Removing self-signed CA]
> [Removing Dogtag 9 CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Enabling serial autoincrement in DNS]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
> Global forward policy in named.conf will be changed to "only" to avoid conflicts with automatic empty zones
> [Adding server_id to named.conf]
> Changes to named.conf have been made, restart named
> Custodia service is being configured
> Configuring ipa-custodia
>   [1/5]: Generating ipa-custodia config file
>   [2/5]: Making sure custodia container exists
>   [3/5]: Generating ipa-custodia keys
>   [4/5]: starting ipa-custodia
>   [5/5]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> [Upgrading CA schema]
> CA schema update complete
> [Verifying that CA audit signing cert has 2 year validity]
> [Update certmonger certificate renewal configuration to version 5]
> Configuring certmonger to stop tracking system certificates for CA
> Certmonger certificate renewal configuration updated to version 5
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Adding default OCSP URI configuration]
> pki-tomcat configuration changed, restart pki-tomcat
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> Default CA ACL already added
> [Set up lightweight CA key retrieval]
> Creating principal
> Retrieving keytab
> Creating Custodia keys
> Configuring key retriever
> The IPA services were upgraded
> The ipa-server-upgrade command was successful
>
> And Apache has started, BUT there is a problem with the web certificate:
>
> # tail -f /var/log/httpd/error_log
> [Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to child 2 established (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
> [Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input filter read failed.
> [Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
> [Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to child 2 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
>
> How do you suggest I go on with my issue?
>
> Thanks, Morgan
>
> 2016-11-18 12:11 GMT+01:00 Mor

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
A little good news.

After downgrading the *mod_nss* RPM package and restoring the original
*/etc/httpd/alias* folder, the *ipa-server-upgrade* procedure has finished well:

# ipa-server-upgrade
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
Global forward policy in named.conf will be changed to "only" to avoid conflicts with automatic empty zones
[Adding server_id to named.conf]
Changes to named.conf have been made, restart named
Custodia service is being configured
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
[Upgrading CA schema]
CA schema update complete
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
Configuring certmonger to stop tracking system certificates for CA
Certmonger certificate renewal configuration updated to version 5
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
The IPA services were upgraded
The ipa-server-upgrade command was successful

And Apache has started, BUT there is a problem with the web certificate:

# tail -f /var/log/httpd/error_log
[Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to child 2 established (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
[Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input filter read failed.
[Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
[Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to child 2 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)

How do you suggest I go on with my issue?

Thanks, Morgan

2016-11-18 12:11 GMT+01:00 Morgan Marodin <mor...@marodin.it>:

> I've tried to add it to a new test folder, with a new certificate
> nickname, and then to set it in *nss.conf*.
>
> But the problem persists:
>
> # certutil -V -u V -d /etc/httpd/test -n ipa01cert
> certutil: certificate is valid
>
> # tail -f /var/log/httpd/error_log
> [Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552] NSSSessionCacheTimeout is deprecated. Ignoring.
> [Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipa01cert
> [Fri Nov 18 12:09:39.824880
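
The way out of this thread was restoring the original */etc/httpd/alias* folder together with a package downgrade, which only works if a trustworthy copy exists. The script below is an added example, not code from the thread, from FreeIPA or from mod_nss: it snapshots the NSS directory, writes a SHA-256 manifest, records the installed mod_nss version, and can later verify the live directory against the manifest or put the snapshot back. The default source path is the one the thread shows; GNU coreutils (`sha256sum --quiet`) and tar are assumed, and the files used in a test run are constructed.

```shell
#!/bin/sh
# nssdb_snapshot.sh: snapshot an NSS certificate directory with a SHA-256
# manifest and the installed mod_nss version, verify it later, or put it back.
# Added example for this thread, not FreeIPA or mod_nss tooling.  The default
# source path is the one the thread shows (EL7 FreeIPA); GNU coreutils and tar
# are assumed.  Take the snapshot while httpd is stopped: cert8.db/key3.db are
# Berkeley DB files and a copy taken mid-write may not open afterwards.

# nssdb_snapshot SRC DEST: copy SRC into DEST/alias (tar keeps modes and, when
# run as root, ownership), then write DEST/MANIFEST with "sha256  ./file" lines.
nssdb_snapshot() {
    src=$1; dest=$2
    mkdir -p "$dest/alias" || return 1
    (cd "$src" && tar cf - .) | (cd "$dest/alias" && tar xf -) || return 1
    (cd "$dest/alias" && find . -type f -exec sha256sum {} + | sort -k2) \
        > "$dest/MANIFEST" || return 1
    # Remember which mod_nss build this DB was last known to work with; the
    # thread's fix was a downgrade to the version that matched the DB.
    if command -v rpm >/dev/null 2>&1; then
        rpm -q mod_nss > "$dest/mod_nss.version" 2>/dev/null
    fi
    return 0
}

# nssdb_verify SRC SNAP: compare the live directory with the manifest.  Prints
# every changed, missing or newly added file; returns 0 only on a clean match.
# (Plain sh word splitting: file names with spaces are not expected here.)
nssdb_verify() {
    src=$1; snap=$2; status=0
    (cd "$src" && sha256sum -c --quiet "$snap/MANIFEST") || status=1
    for f in $(cd "$src" && find . -type f | sort); do
        grep -q -- " $f\$" "$snap/MANIFEST" || { echo "$f: not in snapshot"; status=1; }
    done
    return $status
}

# nssdb_restore SNAP SRC: copy the snapshot back over SRC and verify the result.
# Files that appeared in SRC after the snapshot are left in place and reported.
nssdb_restore() {
    snap=$1; src=$2
    mkdir -p "$src" || return 1
    (cd "$snap/alias" && tar cf - .) | (cd "$src" && tar xf -) || return 1
    nssdb_verify "$src" "$snap"
}

# Usage: nssdb_snapshot.sh snapshot|verify|restore [SRC] SNAP
# e.g.   nssdb_snapshot.sh snapshot /etc/httpd/alias /root/alias-before-upgrade
case "${1:-}" in
    snapshot) nssdb_snapshot "${2:-/etc/httpd/alias}" "${3:?snapshot dir}" ;;
    verify)   nssdb_verify   "${2:-/etc/httpd/alias}" "${3:?snapshot dir}" ;;
    restore)  nssdb_restore  "${3:?snapshot dir}"      "${2:-/etc/httpd/alias}" ;;
esac
```

Run `snapshot` before the package upgrade and `verify` after it: a clean verify tells you the upgrade left the DB alone, and a changed or added file points at what the upgrade touched before you decide whether `restore` is the right move.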

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
I've tried to add it to a new test folder, with a new certificate nickname,
and then to set it in *nss.conf*.

But the problem persists:

# certutil -V -u V -d /etc/httpd/test -n ipa01cert
certutil: certificate is valid

# tail -f /var/log/httpd/error_log
[Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552] NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipa01cert
[Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The server key database has not been initialized.
[Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552] Configuring server for SSL protocol...
[Fri Nov 18 12:09:39.832676 2016] [:info] [pid 11552] Using nickname ipa01cert.
[Fri Nov 18 12:09:39.832678 2016] [:error] [pid 11552] Certificate not found: 'ipa01cert'

I've found this guide:

Combine the server cert and key into a single file
# cat localhost.crt > Server-Cert.txt
# cat localhost.key >> Server-Cert.txt
Convert the server cert into a p12 file
# openssl pkcs12 -export -in Server-Cert.txt -out Server-Cert.p12 -name "Server-Cert"
Now import the public and private keys into the database at the same time.
# pk12util -i /tmp/cert-files/Server-Cert.p12 -d /etc/httpd/alias -n Server-Cert

Where is the certificate key file stored?

Thanks, Morgan

2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:

> On 11/18/2016 10:04 AM, Morgan Marodin wrote:
>
>> Hi Florence.
>>
>> I've tried to configure the wrong certificate in nss.conf (/ipaCert/),
>> and with this Apache started.
>> So I think the problem is in the /Server-Cert/ stored in
>> //etc/httpd/alias/, even if all manual checks are ok.
>>
>> These are logs with the wrong certificate test:
>> /# tail -f /var/log/httpd/error_log/
>> /[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232:
>> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709]
>> NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709]
>> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
>> <http://mlv-ipa01.ipa.mydomain.com> -> ipaCert
>>
>> [Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server
>> for SSL protocol
>> [Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709]
>> nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
>> [Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709]
>> nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
>> [Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709]
>> nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
>> [Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709]
>> nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
>> [Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709]
>> nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
>> [Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709]
>> nss_engine_init.c(906): Disabling TLS Session Tickets
>> [Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709]
>> nss_engine_init.c(916): Enabling DHE key exchange
>> [Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]
>> nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
>> ciphers
>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_
>> sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_
>> sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_
>> sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+
>> rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>> [Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709]
>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>> ...
>> [Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709]
>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>> [Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname
>> ipaCert.
>> [Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration
>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>> expected mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com>
>> as virtual name.
>> [Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709]
>> AH01757: generating secret for digest authentication ...
>> [Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709]
>> AH02282: No slotmem from mod_hear

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
 2016] [:debug] [pid 7716] nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.372513 2016] [:debug] [pid 7716] nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.372534 2016] [:debug] [pid 7716] nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.372553 2016] [:debug] [pid 7716] nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.372580 2016] [:debug] [pid 7716] nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.372627 2016] [:debug] [pid 7716] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:33.373712 2016] [:debug] [pid 7716] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.373734 2016] [:info] [pid 7716] Using nickname ipaCert.
[Fri Nov 18 09:34:33.374652 2016] [:error] [pid 7716] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.372295 2016] [:error] [pid 7720] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719] Configuring server for SSL protocol
[Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719] nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719] nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719] nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719] nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719] nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719] nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719] nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719] nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719] Using nickname ipaCert.
[Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:35.558286 2016] [:error] [pid 7715] ipa: WARNING: session memcached servers not running
[Fri Nov 18 09:34:35.559653 2016] [:error] [pid 7714] ipa: WARNING: session memcached servers not running
[Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714] ipa: INFO: *** PROCESS START ***
[Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715] ipa: INFO: *** PROCESS START ***
[Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717] Connection to child 1 established (server mlv-ipa01.ipa.mydomain.com, client 192.168.0.239)
[Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL input filter read failed.
[Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
[Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717] Connection to child 1 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.239)
[Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice] [pid 7709] AH00170: caught SIGWINCH, shutting down gracefully

Is it possible to delete *Server-Cert* from */etc/httpd/alias* and reimport it
from the original certificates of *mlv-ipa01.ipa.mydomain.com*?
Where are the original certificates stored?

Please let me know, thanks.
Bye, Morgan

2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:

> On 11/17/2016 04:51 PM, M

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi.

I've tried to delete and reimport only the *Server-Cert* certificate (I've
a copy of the original folder).
But a strange behaviour happened:

# certutil -L -d /etc/httpd/alias -n Server-Cert -a > /tmp/Server-Cert.crt
# certutil -D -d /etc/httpd/alias -n Server-Cert
# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
IPA.PEDONGROUP.COM IPA CA                                    CT,C,C

# certutil -A -d /etc/httpd/alias -n Server-Cert -t u,u,u -a -i /tmp/Server-Cert.crt
Notice: Trust flag u is set automatically if the private key is present.
p11-kit: objects of this type cannot be created

# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
IPA.PEDONGROUP.COM IPA CA                                    CT,C,C
Server-Cert                                                  Pu,u,u

What's the error message in bold?
And why are the trust flags set differently from the ones specified?

Thanks, Morgan

2016-11-17 17:36 GMT+01:00 Morgan Marodin <mor...@marodin.it>:

> Hi.
>
> I've upgraded all packages of my distribution, not only ipa packages.
> There were a lot of packages.
>
> [root@mlv-ipa01 ~]# rpm -q mod_nss
> mod_nss-1.0.14-7.el7.x86_64
>
> All other checks seem ok:
>
> [root@mlv-ipa01 ~]# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
> certutil: certificate is valid
> [root@mlv-ipa01 ~]# getsebool
> getsebool:  SELinux is disabled
> [root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> < 0> rsa      736...   NSS Certificate DB:Server-Cert
> < 1> rsa      a4b...   NSS Certificate DB:Signing-Cert
> < 2> rsa      0ff...   NSS Certificate DB:ipaCert
>
> [root@mlv-ipa01 ~]# certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
>             Not Before: Mon Sep 07 10:15:34 2015
>             Not After : Thu Sep 07 10:15:34 2017
>
> Could it be a good idea to export and re-import all certs from
> */etc/httpd/alias* folder?
>
> Thanks
>
> 2016-11-17 17:07 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>
>> Morgan Marodin wrote:
>> > Hi Rob.
>> >
>> > I've just tried to remove the group write to the *.db files, but it's
>> > not the problem.
>>
>> I didn't expect it to be but you don't want Apache having write access
>> to your certs and keys.
>>
>> > /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
>> > NSSNickname Server-Cert/
>>
>> Ok.
>>
>> >
>> > I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
>> > works, services went up.
>> > The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
>> > /winbind.service/, /kadmin.service/, /memcached.service/ and
>> > /pki-tomcatd.target/.
>>
>> Good, so you can limp along for a while then.
>>
>> > Any other ideas?
>>
>> So you upgraded. What did you actually upgrade? Only the IPA packages or
>> a lot more?
>>
>> What version is running now, and what version of mod_nss?
>>
>> $ rpm -q mod_nss
>>
>> Let's see if the NSS tools can find the cert:
>>
>> # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
>>
>> Should come back with: certutil: certificate is valid
>>
>> rob
>>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
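
Rob's checks above (`rpm -q mod_nss`, `certutil -V -u V`) and the trust-flag question come down to one thing: does the nickname mod_nss is told to serve exist in the database with a private key bound to it, in a database Apache cannot modify? The script below is an added example, not code from the thread, from FreeIPA or from mod_nss. It parses `certutil -L` and `certutil -K` output, compares the result with the `NSSNickname` in nss.conf, flags group- or world-writable *.db files, and finishes with the same `certutil -V -u V` check Rob asked for. The two sample listings are constructed to mirror the thread's output (realm renamed to IPA.EXAMPLE.COM, key IDs left truncated as the poster showed them); the live `nss_preflight` function assumes certutil is installed and the EL7 FreeIPA paths.

```shell
#!/bin/sh
# nss_preflight.sh: cross-check what mod_nss expects against what the NSS
# database actually holds, before (re)starting httpd.
# Added example for this thread, not part of FreeIPA or mod_nss.  Default paths
# are the EL7 FreeIPA ones the thread shows; the sample outputs at the bottom
# are constructed to match certutil's format and are not from the poster's host.

# --- parsers over certutil output (run offline on the samples below) ---------

# Print the trust flags of nickname $1 from a `certutil -L -d DIR` listing on
# stdin; print nothing when it is absent.  Nicknames may contain spaces (the
# IPA CA does), so the last field is the flags and everything before it the name.
listing_trust_flags() {
    awk -v nick="$1" '
        /^Certificate Nickname/ || NF < 2 { next }
        {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)
            if (name == nick) { print flags; exit }
        }'
}

# Print 1 when a `certutil -K -d DIR -f PWFILE` listing on stdin contains a
# private key stored under nickname $1 (label "NSS Certificate DB:NAME"), else 0.
key_listing_has_key() {
    awk -v nick="$1" 'BEGIN { found = 0 }
        /^< *[0-9]+>/ {
            label = $0
            sub(/.*NSS Certificate DB:/, "", label)
            sub(/[ \t]+$/, "", label)
            if (label == nick) found = 1
        }
        END { print found }'
}

# Print the NSSNickname that nss.conf (on stdin) tells mod_nss to serve.
nss_conf_nickname() {
    awk '$1 == "NSSNickname" { print $2; exit }'
}

# Decide whether nickname $1 with trust flags $2 and key-present flag $3 can be
# served.  certutil sets "u" only when a private key is present, so a CA entry
# (CT,C,C) or a cert whose key never reached key3.db both fail here.
judge_server_cert() {
    nick=$1; flags=$2; haskey=$3
    if [ -z "$flags" ]; then
        echo "no certificate with nickname '$nick' in the database"; return 1
    fi
    case "$flags" in
        *u*) ;;
        *) echo "'$nick' is present but has no 'u' flag (no private key bound)"; return 1 ;;
    esac
    if [ "$haskey" != 1 ]; then
        echo "no private key labelled '$nick' in the key database"; return 1
    fi
    echo ok
}

# --- live check (needs certutil; EL7 FreeIPA paths by default) ---------------
nss_preflight() {
    dir=${1:-/etc/httpd/alias}
    conf=${2:-/etc/httpd/conf.d/nss.conf}
    nick=$(nss_conf_nickname < "$conf")
    flags=$(certutil -L -d "$dir" | listing_trust_flags "$nick")
    haskey=$(certutil -K -d "$dir" -f "$dir/pwdfile.txt" 2>/dev/null | key_listing_has_key "$nick")
    judge_server_cert "$nick" "$flags" "$haskey" || return 1
    # The web server account must not be able to write the DB (Rob's point).
    if find "$dir" -maxdepth 1 -name '*.db' -perm /022 | grep -q .; then
        echo "group- or world-writable *.db files in $dir"; return 1
    fi
    # Finally the validity check for SSL-server usage that Rob asked for.
    certutil -V -u V -d "$dir" -n "$nick"
}

# Constructed samples mirroring the listings in the thread (realm renamed).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
IPA.EXAMPLE.COM IPA CA                                       CT,C,C
Server-Cert                                                  Pu,u,u'

SAMPLE_KEYS='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      736...   NSS Certificate DB:Server-Cert
< 1> rsa      a4b...   NSS Certificate DB:Signing-Cert
< 2> rsa      0ff...   NSS Certificate DB:ipaCert'

# `sh nss_preflight.sh --demo` prints the offline verdicts for the samples;
# on a FreeIPA host call nss_preflight [DBDIR] [NSS.CONF] instead.
if [ "${1:-}" = "--demo" ]; then
    for n in Server-Cert ipaCert ipa01cert 'IPA.EXAMPLE.COM IPA CA'; do
        f=$(printf '%s\n' "$SAMPLE_LISTING" | listing_trust_flags "$n")
        k=$(printf '%s\n' "$SAMPLE_KEYS" | key_listing_has_key "$n")
        printf '%-24s %s\n' "$n:" "$(judge_server_cert "$n" "$f" "$k")"
    done
fi
```

On the samples, `Server-Cert` and `ipaCert` pass, `ipa01cert` fails as "not in the database" (the thread's second attempt), and the CA entry fails on the missing `u` flag. A DB that passes every check here but still produces "Certificate not found" from mod_nss, as happened in this thread, points away from the DB and toward the module itself, which is where `rpm -q mod_nss` comes in.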

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi.

I've upgraded all packages of my distribution, not only ipa packages.
There were a lot of packages.

[root@mlv-ipa01 ~]# rpm -q mod_nss
mod_nss-1.0.14-7.el7.x86_64

All other checks seem ok:

[root@mlv-ipa01 ~]# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
certutil: certificate is valid
[root@mlv-ipa01 ~]# getsebool
getsebool:  SELinux is disabled
[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      736...   NSS Certificate DB:Server-Cert
< 1> rsa      a4b...   NSS Certificate DB:Signing-Cert
< 2> rsa      0ff...   NSS Certificate DB:ipaCert

[root@mlv-ipa01 ~]# certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
            Not Before: Mon Sep 07 10:15:34 2015
            Not After : Thu Sep 07 10:15:34 2017

Could it be a good idea to export and re-import all certs from
*/etc/httpd/alias* folder?

Thanks

2016-11-17 17:07 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:

> Morgan Marodin wrote:
> > Hi Rob.
> >
> > I've just tried to remove the group write to the *.db files, but it's
> > not the problem.
>
> I didn't expect it to be but you don't want Apache having write access
> to your certs and keys.
>
> > /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
> > NSSNickname Server-Cert/
>
> Ok.
>
> >
> > I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
> > works, services went up.
> > The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
> > /winbind.service/, /kadmin.service/, /memcached.service/ and
> > /pki-tomcatd.target/.
>
> Good, so you can limp along for a while then.
>
> > Any other ideas?
>
> So you upgraded. What did you actually upgrade? Only the IPA packages or
> a lot more?
>
> What version is running now, and what version of mod_nss?
>
> $ rpm -q mod_nss
>
> Let's see if the NSS tools can find the cert:
>
> # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
>
> Should come back with: certutil: certificate is valid
>
> rob
>

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi Rob.

I've just tried to remove the group write to the *.db files, but it's not
the problem.

[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert

I've tried to run *dirsrv.target* and *krb5kdc.service* manually, and it
works: the services came up.
The same for *ntpd*, *named-pkcs11.service*, *smb.service*,
*winbind.service*, *kadmin.service*, *memcached.service* and
*pki-tomcatd.target*.

But if I try to start *httpd.service*:

[root@mlv-ipa01 ~]# tail -f /var/log/messages
Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed.

Any other ideas?

Please let me know, thanks.
Morgan

2016-11-17 16:11 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:

> Morgan Marodin wrote:
> > Hi Florence.
> >
> > Thanks for your support.
> >
> > Yes, httpd is using /etc/httpd/alias as NSS DB. And it seems that all
> > permissions and certificates are good:
> > /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
> > total 184
> > -r--r--r--  1 root root1345 Sep  7  2015 cacert.asc
> > -rw-rw  1 root apache 65536 Nov 17 11:06 cert8.db
> > -rw-r-. 1 root apache 65536 Sep  4  2015 cert8.db.orig
> > -rw---. 1 root root4833 Sep  4  2015 install.log
> > -rw-rw  1 root apache 16384 Nov 17 11:06 key3.db
> > -rw-r-. 1 root apache 16384 Sep  4  2015 key3.db.orig
> > lrwxrwxrwx  1 root root  24 Nov 17 10:24 libnssckbi.so ->
> > /usr/lib64/libnssckbi.so
> > -rw-rw  1 root apache20 Sep  7  2015 pwdfile.txt
> > -rw-rw  1 root apache 16384 Sep  7  2015 secmod.db
> > -rw-r-. 1 root apache 16384 Sep  4  2015 secmod.db.orig/
>
> Eventually you'll want to remove group write on the *.db files.
>
> > And password validation seems ok, too:
> > /[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
> > /etc/httpd/alias/pwdfile.txt
> good
>
> > Enabling mod-nss debug I can see these logs:
> > /[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
> > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232:
> > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
> > NSSSessionCacheTimeout is deprecated. Ignoring.
> > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
> > nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
> > <http://mlv-ipa01.ipa.mydomain.com> -> Server-Cert
> > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server
> > for SSL protocol
> > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
> > nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
> > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
> > nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
> > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
> > nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
> > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
> > nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
> > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
> > nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
> > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
> > nss_engine_init.c(906): Disabling TLS Session Tickets
> > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
> > nss_engine_init.c(916): Enabling DHE key exchange
> > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
> > nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
> > ciphers
> > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_
> gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_
> gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_
> gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_
> gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_
> 256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
> > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname
> > Server-Cert.
> [snip]
> > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not
> > found: '

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
v 17 15:05:11 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:11.361826680 +0100] slapd shutting down - closing down internal subsystems and plugins
Nov 17 15:05:13 mlv-ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_996))
Nov 17 15:05:13 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:13.811837199 +0100] Waiting for 4 database threads to stop
Nov 17 15:05:14 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:14.000534924 +0100] All database threads now stopped
Nov 17 15:05:14 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:14.015405431 +0100] slapd shutting down - freed 1 work q stack objects - freed 1 op stack objects
Nov 17 15:05:14 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:14.437288197 +0100] slapd stopped.
Nov 17 15:05:14 mlv-ipa01 systemd[1]: Stopped 389 Directory Server IPA-MYDOMAIN-COM..
Nov 17 15:05:14 mlv-ipa01 ipactl: Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
Nov 17 15:05:14 mlv-ipa01 ipactl: Aborting ipactl
Nov 17 15:05:14 mlv-ipa01 ipactl: Starting Directory Service
Nov 17 15:05:14 mlv-ipa01 ipactl: Starting krb5kdc Service
Nov 17 15:05:14 mlv-ipa01 ipactl: Starting kadmin Service
Nov 17 15:05:14 mlv-ipa01 ipactl: Starting named Service
Nov 17 15:05:14 mlv-ipa01 ipactl: Starting ipa_memcached Service
Nov 17 15:05:14 mlv-ipa01 ipactl: Starting httpd Service
Nov 17 15:05:14 mlv-ipa01 systemd[1]: ipa.service: main process exited, code=exited, status=1/FAILURE
Nov 17 15:05:14 mlv-ipa01 systemd[1]: Failed to start Identity, Policy, Audit.
Nov 17 15:05:14 mlv-ipa01 systemd[1]: Unit ipa.service entered failed state.
Nov 17 15:05:14 mlv-ipa01 systemd[1]: ipa.service failed.

Do you think there is a Kerberos problem?

Please let me know, thanks.
Bye, Morgan

2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:

> On 11/17/2016 12:09 PM, Morgan Marodin wrote:
>
>> Hello.
>>
>> This morning I've tried to upgrade my IPA server, but the upgrade
>> failed, and now the service doesn't start! :(
>>
>> If I try to launch the upgrade manually this is the output:
>> [root@mlv-ipa01 download]# ipa-server-upgrade
>>
>> Upgrading IPA:
>>   [1/8]: saving configuration
>>   [2/8]: disabling listeners
>>   [3/8]: enabling DS global lock
>>   [4/8]: starting directory server
>>   [5/8]: updating schema
>>   [6/8]: upgrading server
>>   [7/8]: stopping directory server
>>   [8/8]: restoring configuration
>> Done.
>> Update complete
>> Upgrading IPA services
>> Upgrading the configuration of the IPA services
>> [Verifying that root certificate is published]
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Enable sidgen and extdom plugins by default]
>> [Updating HTTPD service IPA configuration]
>> [Updating mod_nss protocol versions]
>> Protocol versions already updated
>> [Updating mod_nss cipher suite]
>> [Fixing trust flags in /etc/httpd/alias]
>> Trust flags already processed
>> [Exporting KRA agent PEM file]
>> KRA is not enabled
>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>> command ipa-server-upgrade manually.
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>> CalledProcessError: Command '/bin/systemctl start httpd.service'
>> returned non-zero exit status 1
>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>> more information
>>
>> These are error logs of Apache:
>> [Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232:
>> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
>> NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not
>> found: 'Server-Cert'
>>
>> The problem seems to be the Server-Cert that could not be found.
>> But if I try to execute the certutil command manually I can see it:
>> [root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Signing-Cert                                                 u,u,u
>> ipaCert                                                      u,u,u
>> Server-Cert                                                  Pu,u,u
>> IPA.MYDOMAIN.COM I

[Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hello.

This morning I've tried to upgrade my IPA server, but the upgrade failed,
and now the service doesn't start! :(

If I try to launch the upgrade manually this is the output:

[root@mlv-ipa01 download]# ipa-server-upgrade
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [5/8]: updating schema
  [6/8]: upgrading server
  [7/8]: stopping directory server
  [8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start httpd.service' returned non-zero exit status 1
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

These are error logs of Apache:

[Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not found: 'Server-Cert'

The problem seems to be the Server-Cert that could not be found.
But if I try to execute the certutil command manually I can see it:

[root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
IPA.MYDOMAIN.COM IPA CA                                      CT,C,C

Could you help me?
What could I try to do to restart my service?

Thanks, Morgan
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-30 Thread Morgan Marodin
I've found the problem, using DEBUG3 into SSH service:
-
Nov 30 08:52:47 myserver sshd[9639]: debug1: Unspecified GSS failure.  Minor code may provide more information\nClock skew too great\n
Nov 30 08:52:47 myserver sshd[9639]: debug1: Got no client credentials
Nov 30 08:52:47 myserver sshd[9639]: debug3: mm_request_send entering: type 45
Nov 30 08:52:47 myserver sshd[9639]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
Nov 30 08:52:47 myserver sshd[9639]: debug1: Received SSH2_MSG_UNIMPLEMENTED for 7 [preauth]

My client was 4 minutes ahead of the IPA server. After syncing the time via
ntpdate, Kerberos ticket authentication works correctly.

Thanks for your support, bye.
Morgan

2015-11-27 18:38 GMT+01:00 Sumit Bose <sb...@redhat.com>:

> On Fri, Nov 27, 2015 at 06:16:51PM +0100, Morgan Marodin wrote:
> > Yes:
> > --
> > # ls -l /var/lib/sss/pubconf/krb5.include.d/
> > total 8
> > -rw-r--r-- 1 root root 208 Nov 27 17:37 domain_realm_ipa_mydomain_com
> > -rw-r--r-- 1 root root 118 Nov 27 17:37 localauth_plugin
> >
> > So what could I try to do?
>
> 'getent passwd' should return the same entry for the user name you use
> at the login prompt and the Kerberos principal (it's the name shown by
> klist in the 'Default principal:' line) e.g.:
>
> # getent passwd tu1@ad.devel
> tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
> # getent passwd tu1@AD.DEVEL
> tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
>
> From the logs I guess you used the name 'morgan.maro...@mydomain.com' at
> the login prompt.
>
> I assume you use ssh for the Kerberos/GSSAPI login. Please check on the
> client with klist if you got a service ticket for your linux client
> principal which should look like host/linux.client.name@IPA.DOMAIN. On
> Windows there is klist for the cmd shell as well.
>
> Additionally, if there is a service ticket for the linux host, sshd debug
> logs from the linux host would be useful. For this please set LogLevel to
> DEBUG3 in /etc/ssh/sshd_config (please note that the log might contain
> confidential keys or passwords).
>
> bye,
> Sumit
>
> > Thanks, Morgan
> >
> > 2015-11-27 17:47 GMT+01:00 Sumit Bose <sb...@redhat.com>:
> >
> > > On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> > > > Hi Sumit.
> > > >
> > > > I don't know why, but now kerberos ticket authentication is working
> > > > on 6.7 clients.
> > > > On 7.2 clients now password authentication with Active Directory
> > > > credentials is working ... but not with a Kerberos ticket.
> > >
> > > This is most likely due to some issues while mapping the Kerberos
> > > principal to the local user name.
> > >
> > > Do you have a 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
> > > the beginning of your krb5.conf file? Does
> > > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?
> > >
> > > bye,
> > > Sumit
> > >
>

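The sshd DEBUG3 lines in the post above carry the real reason at the end of a single line, behind literal "\n" escapes, which is why it is easy to miss in a long debug log. As an added example (not code from this thread, from OpenSSH or from SSSD), the Python below parses such lines, groups them per sshd process, extracts the GSSAPI minor-code text and maps the messages seen in this thread plus a few other common MIT Kerberos texts to a remediation hint. The sample log is the one quoted above, embedded as constructed input:

```python
import re
from collections import defaultdict

# The sshd DEBUG3 lines from the post above, embedded as constructed sample input.
# MIT Kerberos minor-code text is logged behind literal "\n" escapes, so the real
# reason ("Clock skew too great") sits at the end of the line.
SAMPLE_SSHD_LOG = r"""
Nov 30 08:52:47 myserver sshd[9639]: debug1: Unspecified GSS failure.  Minor code may provide more information\nClock skew too great\n
Nov 30 08:52:47 myserver sshd[9639]: debug1: Got no client credentials
Nov 30 08:52:47 myserver sshd[9639]: debug3: mm_request_send entering: type 45
Nov 30 08:52:47 myserver sshd[9639]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
Nov 30 08:52:47 myserver sshd[9639]: debug1: Received SSH2_MSG_UNIMPLEMENTED for 7 [preauth]
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# MIT Kerberos minor-code messages that commonly surface through sshd's GSSAPI
# debug output, mapped to the defender-side remediation.
KNOWN_GSS_MINOR = {
    "Clock skew too great": "clocks of client, SSH server or KDC differ by more than "
                            "the permitted skew; fix NTP on all three",
    "No Kerberos credentials available": "no usable ticket in the credential cache; "
                                         "kinit or SSO did not produce one",
    "Ticket expired": "ticket lifetime exceeded; renew or re-obtain the TGT",
    "Server not found in Kerberos database": "host/<fqdn> principal missing, or the "
                                             "client resolved a different hostname",
    "Wrong principal in request": "service principal in the ticket does not match "
                                  "the server's keytab entry",
    "Key table entry not found": "the server's keytab lacks the key for the "
                                 "requested principal",
}


def analyze_sshd_log(text):
    """Group sshd debug lines by process id (one sshd child per connection) and
    pull out GSSAPI minor codes, remediation hints and the userauth outcome."""
    sessions = defaultdict(lambda: {"gss_failures": [], "hints": [],
                                    "outcome": None, "methods": []})
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw.strip())
        if not m:
            continue
        s, msg = sessions[int(m["pid"])], m["msg"]
        if "Unspecified GSS failure" in msg:
            # Split on the literal backslash-n escapes; everything after the
            # major-status sentence is minor-code text.
            parts = [p.strip() for p in msg.split("\\n") if p.strip()]
            for minor in parts[1:]:
                s["gss_failures"].append(minor)
                s["hints"].append(KNOWN_GSS_MINOR.get(
                    minor, "unlisted GSSAPI minor code; correlate with the KDC log"))
        elif "userauth_finish:" in msg:
            s["outcome"] = "failure" if "failure" in msg else "success"
            mm = re.search(r'next methods="([^"]*)"', msg)
            if mm:
                s["methods"] = mm.group(1).split(",")
    return dict(sessions)
```

Run against the sample, the single session 9639 reports one GSSAPI failure ("Clock skew too great") with an NTP hint and a userauth outcome of failure, which is the diagnosis the post reached by reading the log by hand.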
Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-27 Thread Morgan Marodin
sssd] [sbus_dispatch] (0x4000): Dispatching.
(Fri Nov 27 17:12:52 2015) [sssd] [ping_check] (0x0100): Service pac
replied to ping
---

Anything else to enable debug mode?

Please let me know, thanks.
Bye, Morgan

2015-11-27 16:44 GMT+01:00 Sumit Bose <sb...@redhat.com>:

> On Fri, Nov 27, 2015 at 04:31:49PM +0100, Morgan Marodin wrote:
> > Hi everyone.
> >
> > After updating my FreeIPA server to the 7.2 OS version (it's a RHEL like
> > distribution) I have some problems authenticating with Active Directory
> > credentials.
> >
> > Testing it on 6.7 OS clients it works using the Windows password, but using
> > a Kerberos ticket it doesn't work.
> >
> > Testing it on a 7.2 client it doesn't work with either password or Kerberos
> > tickets.
>
> Let's first start with password authentication. For this we need SSSD
> logs. Please see https://fedorahosted.org/sssd/wiki/Troubleshooting how
> to change the debug levels. The pam and domains logs would be useful. If
> you prefer you can send the logs to me directly.
>
> bye,
> Sumit
>
> >
> > What could be the problem?
> >
> > Please let me know, thanks.
> > Bye, Morgan
>

Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-27 Thread Morgan Marodin
Yes:
--
# ls -l /var/lib/sss/pubconf/krb5.include.d/
total 8
-rw-r--r-- 1 root root 208 Nov 27 17:37 domain_realm_ipa_mydomain_com
-rw-r--r-- 1 root root 118 Nov 27 17:37 localauth_plugin

So what could I try to do?
Thanks, Morgan

2015-11-27 17:47 GMT+01:00 Sumit Bose <sb...@redhat.com>:

> On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> > Hi Sumit.
> >
> > I don't know why, but now kerberos ticket authentication is working on
> > 6.7 clients.
> > On 7.2 clients now password authentication with Active Directory
> > credentials is working ... but not with a Kerberos ticket.
>
> This is most likely due to some issues while mapping the Kerberos
> principal to the local user name.
>
> Do you have a 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
> the beginning of your krb5.conf file? Does
> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?
>
> bye,
> Sumit
>

[Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-27 Thread Morgan Marodin
Hi everyone.

After updating my FreeIPA server to the 7.2 OS version (it's a RHEL like
distribution) I have some problems authenticating with Active Directory
credentials.

Testing it on 6.7 OS clients it works using the Windows password, but using
a Kerberos ticket it doesn't work.

Testing it on a 7.2 client it doesn't work with either password or Kerberos
tickets.

What could be the problem?

Please let me know, thanks.
Bye, Morgan

Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Morgan Marodin
Now it is working, with the same configuration ...
Could there possibly be some delay on the trust if the AD group was a new one?

Thanks, Morgan

2015-09-14 11:35 GMT+02:00 Sumit Bose <sb...@redhat.com>:

> On Mon, Sep 14, 2015 at 11:16:57AM +0200, Morgan Marodin wrote:
> > Ok, but now I've an other problem :)
> >
> > If I disable the default allow_all HBAC rule, creating one custom HBAC
> > rule that enables ad_admins to access any host and any service, Kerberos
> > ticket authentication via ssh does not work.
> > Username/password authentication with the same custom HBAC rules works.
> >
> > SSH logs with kerberos authentication:
> > Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to
> > administra...@mydomain.com, krb5 principal administra...@mydomain.com
> > (krb5_kuserok)
> > Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access
> > denied for user administra...@mydomain.com: 6 (Permission denied)
> > Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user
> > administra...@mydomain.com by PAM account configuration
> >
> > SSH logs with username/password authentication:
> > Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth):
> > authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> > rhost=192.168.0.252  user=administra...@mydomain.com
> > Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication
> > success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=
> > administra...@mydomain.com
> > Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for
> > administra...@mydomain.com from 192.168.0.252 port 49590 ssh2
> > Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session
> > opened for user administra...@mydomain.com by (uid=0)
> >
> > If I enable allow_all HBAC rule kerberos authentication works.
> > Maybe there is something else to configure?
>
> no, HBAC result should not change depending on the authentication
> method. Can you send me the SSSD logs with a high debug level (10) for
> both cases? If you prefer you can send them to me directly.
>
> bye,
> Sumit
>
> >
> > Thanks, Morgan
> >
> > 2015-09-14 9:48 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:
> >
> > > On Mon, 14 Sep 2015, Morgan Marodin wrote:
> > >
> > >> The Pro edition.
> > >>
> > >> I've solved my connection problem: I have to specify the username
> > >> manually (name.surname@ad_domain.com) with Microsoft SSPI.
> > >> In this mode it is ok, but using PuTTY "Use system username" does not
> > >> work for me.
> > >>
> > >>
> > >> I don't know why :)
> > >>
> > > A problem is in the fact that when you use PuTTY's 'use system
> > > username', it only provides the unqualified name there, e.g.
> > > Administrator, not AD\Administrator or administra...@ad.test. On IPA
> > > client side AD users are fully qualified and thus the user you are trying
> > > to log in as (Administrator) is not the same as the user you are
> > > (adminsitra...@ad.test).
> > > --
> > > / Alexander Bokovoy
> > >
> >
> >
> >


-- 
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069

Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Morgan Marodin
The Pro edition.

I've solved my connection problem: I have to specify the username manually
(name.surname@ad_domain.com) with Microsoft SSPI.
In this mode it is ok, but using PuTTY "Use system username" does not work
for me.


I don't know why :)
Bye, Morgan

2015-09-11 22:24 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Fri, 11 Sep 2015, Morgan Marodin wrote:
>
>> Hi everyone.
>>
>> I've seen these guides:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ssh.html
>>
>> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-ssh.html
>>
>> https://www.dalemacartney.com/2013/08/30/single-sign-on-sso-with-secure-shell-ssh/
>>
>> But I've not been able to access a FreeIPA client via ssh with Kerberos
>> tickets.
>> I've also tried to install MIT Kerberos on my Windows 8.1, but that doesn't
>> work either.
>>
> This is not required.
>
> What Windows 8.1 version do you have? Is it a Pro edition (the other
> editions don't join AD)?
>
>> The target freeipa client is a RHEL 6.7 like distribution.
>>
>> Naturally trying with AD username (name.surn...@mydomain.com) and
>> password is ok.
>>
>> Do you have any suggestions for this problem?
>>
> Enable DEBUG3 level logging in sshd_config for SSH server, attempt to
> login from Windows client and show the logs around 'userok' in the
> resulting debug output.
>
> --
> / Alexander Bokovoy
>




Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Morgan Marodin
Ok, but now I've another problem :)

If I disable the default allow_all HBAC rule, creating one custom HBAC rule
that enables ad_admins to access any host and any service, Kerberos ticket
authentication via ssh does not work.
Username/password authentication with the same custom HBAC rules works.

SSH logs with kerberos authentication:
Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to
administra...@mydomain.com, krb5 principal administra...@mydomain.com
(krb5_kuserok)
Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access
denied for user administra...@mydomain.com: 6 (Permission denied)
Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user
administra...@mydomain.com by PAM account configuration

SSH logs with username/password authentication:
Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=192.168.0.252  user=administra...@mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication
success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=
administra...@mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for
administra...@mydomain.com from 192.168.0.252 port 49590 ssh2
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session
opened for user administra...@mydomain.com by (uid=0)

If I enable allow_all HBAC rule kerberos authentication works.
Maybe there is something else to configure?

Thanks, Morgan

2015-09-14 9:48 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Mon, 14 Sep 2015, Morgan Marodin wrote:
>
>> The Pro edition.
>>
>> I've solved my connection problem: I have to specify the username
>> manually (name.surname@ad_domain.com) with Microsoft SSPI.
>> In this mode it is ok, but using PuTTY "Use system username" does not
>> work for me.
>>
>>
>> I don't know why :)
>>
> A problem is in the fact that when you use PuTTY's 'use system
> username', it only provides the unqualified name there, e.g.
> Administrator, not AD\Administrator or administra...@ad.test. On IPA
> client side AD users are fully qualified and thus the user you are trying
> to log in as (Administrator) is not the same as the user you are
> (adminsitra...@ad.test).
> --
> / Alexander Bokovoy
>




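Alexander's point above (PuTTY's "Use system username" sends the unqualified name Administrator, while the IPA client knows the AD user only under its fully qualified name) and Sumit's advice in the 2015-11-30 thread (getent passwd must return the same entry for the login name and for the Kerberos principal) are two views of the same mapping step that has to succeed before HBAC is even consulted. The Python below is an added illustration, not SSSD's localauth plugin or any IPA code: it models the mapping with constructed realms (IPA.MYDOMAIN.COM as the local realm, AD.TEST and AD.DEVEL as trusted forests) and shows which login/principal pairs resolve to the same account and which do not.

```python
# Added, simplified model of how an IPA client in an AD trust sees users.
# This is illustration code, not SSSD/IPA logic; the realms are constructed.
IPA_REALM = "IPA.MYDOMAIN.COM"               # local IPA realm (constructed)
TRUSTED_AD_REALMS = {"AD.TEST", "AD.DEVEL"}  # trusted AD forests (constructed)


def canonical_login(name):
    """Map a login name or Kerberos principal to the single canonical entry
    that 'getent passwd' would return, or None if it maps to nothing.

    Model: IPA users are unqualified locally; AD trust users are always
    fully qualified; user and realm compare case-insensitively, so
    tu1@ad.devel and tu1@AD.DEVEL are the same entry (Sumit's example).
    """
    if "@" not in name:
        # An unqualified name can only ever be a local IPA user.
        return name.lower()
    user, realm = name.rsplit("@", 1)
    realm_u = realm.upper()
    if realm_u == IPA_REALM:
        return user.lower()
    if realm_u in TRUSTED_AD_REALMS:
        return f"{user.lower()}@{realm.lower()}"
    return None  # unknown realm: nothing on this host corresponds to it


def principal_matches_login(principal, login):
    """The decision krb5_kuserok / the localauth plugin has to make: does the
    authenticated Kerberos principal resolve to the requested login account?"""
    p = canonical_login(principal)
    return p is not None and p == canonical_login(login)


def explain(principal, login):
    """Plain-language verdict for triaging 'Authorized to X, krb5 principal Y'
    lines followed by a PAM account denial."""
    p, l = canonical_login(principal), canonical_login(login)
    if p is None:
        return f"principal {principal!r} belongs to an unknown realm"
    if p == l:
        return f"ok: {login!r} and {principal!r} both resolve to {p!r}"
    return f"mismatch: login {login!r} resolves to {l!r} but the ticket is for {p!r}"
```

With these rules the PuTTY case (ticket for Administrator@AD.TEST, requested login "Administrator") resolves to two different accounts and is rejected, while "administrator@ad.test" matches; an IPA user such as admin@IPA.MYDOMAIN.COM is accepted under the plain login "admin".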
[Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-11 Thread Morgan Marodin
Hi everyone.

I've seen these guides:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ssh.html
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-ssh.html
https://www.dalemacartney.com/2013/08/30/single-sign-on-sso-with-secure-shell-ssh/

But I've not been able to access a FreeIPA client via ssh with Kerberos
tickets.
I've also tried to install MIT Kerberos on my Windows 8.1, but that doesn't
work either.

The target freeipa client is a RHEL 6.7 like distribution.

Naturally trying with AD username (name.surn...@mydomain.com) and password
is ok.

Do you have any suggestions for this problem?

Thanks, bye.
Morgan

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-10 Thread Morgan Marodin
Now all is ok :)

# ipa trust-add --type=ad mydomain.com --admin Administrator --password
Active Directory domain administrator's password:
---
Added Active Directory trust for realm "mydomain.com"
---
  Realm name: mydomain.com
  Domain NetBIOS name: MYDOMAIN
  Domain Security Identifier: S-x-x-xx-xx-xx-x
  SID blacklist incoming: S-x-x-xx, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x,
S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-xx, S-x-x-xx, S-x-x-xx,
S-x-x-xx, S-x-x-xx,
  S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x, S-x-x,
S-x-x, S-x-x, S-x-x-xx, S-x-x-xx
  SID blacklist outgoing: S-x-x-xx, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x,
S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-xx, S-x-x-xx, S-x-x-xx,
S-x-x-xx, S-x-x-xx,
  S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x, S-x-x,
S-x-x, S-x-x, S-x-x-xx, S-x-x-xx
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Thanks for your support.
Morgan

2015-09-09 18:53 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>
>> Hi Alexander
>>
>> IPv6 stack is disabled on my RHEL like distro, v 7 x64, but is enabled on
>> my Windows 2012.
>> I have read in a freeipa article to disable IPv6.
>>
> Sorry, and why did you decide to disable the IPv6 stack? The FreeIPA article
> explicitly talks about not disabling IPv6.
>
> Samba and FreeIPA LDAP code require a working IPv6 stack on the machine.
> You can have a system without IPv6 addresses but do not disable the
> infrastructure. All contemporary networking applications are written
> with the idea that you can use IPv6-only functions and work on both IPv4
> and IPv6 at the same time. See ipv6(7) manual page:
>
> 
> IPv4 connections can be handled with the v6 API by using the
> v4-mapped-on-v6 address type; thus a program needs to support only this
> API type to support both protocols. This is handled transparently by the
> address handling functions in the C library.
>
> IPv4 and IPv6 share the local port space.  When you get an IPv4
> connection or packet to a IPv6 socket, its source address will be mapped
> to v6 and it will be mapped to v6.
> 
>
>
>
>> I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
>> new FreeIPA server, just installed, in the same network.
>> AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
>> I've installed bind in IPA that contains only the ipa.mydomain.com zone.
>> On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
>> delegation to the Linux server (192.168.0.65).
>>
>
>
>> Do you have other questions about my setup?
>> Let me know, thanks.
>> Morgan
>>
>>
>> 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:
>>
>> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>>>
>>> Hi Alexander.
>>>>
>>>> Ok, after enabling debugging I have these logs:
>>>> ---
>>>> ==> /var/log/httpd/error_log <==
>>>> INFO: Current debug levels:
>>>>  all: 100
>>>>  tdb: 100
>>>>  printdrivers: 100
>>>>  lanman: 100
>>>>  smb: 100
>>>>  rpc_parse: 100
>>>>  rpc_srv: 100
>>>>  rpc_cli: 100
>>>>  passdb: 100
>>>>  sam: 100
>>>>  auth: 100
>>>>  winbind: 100
>>>>  vfs: 100
>>>>  idmap: 100
>>>>  quota: 100
>>>>  acls: 100
>>>>  locking: 100
>>>>  msdfs: 100
>>>>  dmapi: 100
>>>>  registry: 100
>>>>  scavenger: 100
>>>>  dns: 100
>>>>  ldb: 100
>>>> pm_process() returned Yes
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'sasl-EXTERNAL' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>>>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler":
>>>> 0x7f8a3c224990
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>>>> s4_tevent: Added timed event "compos

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-10 Thread Morgan Marodin
Sorry, I've read ipv6.disable=1 in this article
http://www.freeipa.org/page/Active_Directory_trust_setup#Prerequisites, I
misunderstood this prerequisite and went directly to the next chapter; in my
mind I was convinced that IPv6 must be disabled :)

I will try with IPv6 enabled, and then I will tell you if it is ok.

Thanks, Morgan

2015-09-09 18:53 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>
>> Hi Alexander
>>
>> IPv6 stack is disabled on my RHEL like distro, v 7 x64, but is enabled on
>> my Windows 2012.
>> I have read in a freeipa article to disable IPv6.
>>
> Sorry, and why did you decide to disable the IPv6 stack? The FreeIPA article
> explicitly talks about not disabling IPv6.
>
> Samba and FreeIPA LDAP code require a working IPv6 stack on the machine.
> You can have a system without IPv6 addresses but do not disable the
> infrastructure. All contemporary networking applications are written
> with the idea that you can use IPv6-only functions and work on both IPv4
> and IPv6 at the same time. See ipv6(7) manual page:
>
> 
> IPv4 connections can be handled with the v6 API by using the
> v4-mapped-on-v6 address type; thus a program needs to support only this
> API type to support both protocols. This is handled transparently by the
> address handling functions in the C library.
>
> IPv4 and IPv6 share the local port space.  When you get an IPv4
> connection or packet to a IPv6 socket, its source address will be mapped
> to v6 and it will be mapped to v6.
> 
>
>
>
>> I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
>> new FreeIPA server, just installed, in the same network.
>> AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
>> I've installed bind in IPA that contains only the ipa.mydomain.com zone.
>> On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
>> delegation to the Linux server (192.168.0.65).
>>
>
>
>> Do you have other questions about my setup?
>> Let me know, thanks.
>> Morgan
>>
>>
>> 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:
>>
>> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>>>
>>> Hi Alexander.
>>>>
>>>> Ok, after enabling debugging I have these logs:
>>>> ---
>>>> ==> /var/log/httpd/error_log <==
>>>> INFO: Current debug levels:
>>>>  all: 100
>>>>  tdb: 100
>>>>  printdrivers: 100
>>>>  lanman: 100
>>>>  smb: 100
>>>>  rpc_parse: 100
>>>>  rpc_srv: 100
>>>>  rpc_cli: 100
>>>>  passdb: 100
>>>>  sam: 100
>>>>  auth: 100
>>>>  winbind: 100
>>>>  vfs: 100
>>>>  idmap: 100
>>>>  quota: 100
>>>>  acls: 100
>>>>  locking: 100
>>>>  msdfs: 100
>>>>  dmapi: 100
>>>>  registry: 100
>>>>  scavenger: 100
>>>>  dns: 100
>>>>  ldb: 100
>>>> pm_process() returned Yes
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'sasl-EXTERNAL' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>>>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler":
>>>> 0x7f8a3c224990
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>>>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>>>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>>>> Mapped to DCERPC endpoint \pipe\lsarpc
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
>>>> netmask=255.255.255.0
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
>>>> netmask=255.255.255.0
>>>>
>>>> Do you have IPv6 stack enabled?
>>>
>>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]
>>>
>>>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>  s3_tevent: Schedule immediate event

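Alexander's explanation quoted above (Samba and the FreeIPA LDAP code rely on a working IPv6 stack, and IPv4 peers reach an IPv6 socket as v4-mapped-on-v6 addresses) can be checked on any host before a trust is set up. The Python below is an added example, not FreeIPA or Samba code: it opens an AF_INET6 listener with IPV6_V6ONLY cleared, connects to it over IPv4 loopback and reports how the peer appears, while a host whose IPv6 stack is absent (the ipv6.disable=1 case from this thread) is reported through the errno name rather than an exception.

```python
import errno
import socket


def probe_dual_stack():
    """Open an AF_INET6 listener with IPV6_V6ONLY cleared, connect to it over
    plain IPv4, and report how the peer appears.  Never raises: a host whose
    IPv6 stack is missing shows up as an errno name in result["error"]."""
    result = {"ipv6_socket": False, "bound": False, "peer": None,
              "v4_mapped": False, "error": None}
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as e:
        # ipv6.disable=1 removes the address family entirely: EAFNOSUPPORT here.
        result["error"] = errno.errorcode.get(e.errno, str(e))
        return result
    result["ipv6_socket"] = True
    with srv:
        try:
            # V6ONLY=0 is the dual-stack mode ipv6(7) describes: one socket,
            # both protocols, IPv4 peers seen as ::ffff:a.b.c.d.
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            srv.bind(("::", 0))  # in6addr_any, ephemeral port
            srv.listen(1)
            srv.settimeout(2)
        except OSError as e:
            result["error"] = errno.errorcode.get(e.errno, str(e))
            return result
        result["bound"] = True
        port = srv.getsockname()[1]
        try:
            # IPv4-only client, the way an IPv4-only AD DC would reach the server.
            with socket.create_connection(("127.0.0.1", port), timeout=2):
                conn, peer = srv.accept()
                with conn:
                    result["peer"] = peer[0]
                    result["v4_mapped"] = peer[0].startswith("::ffff:")
        except OSError as e:
            result["error"] = errno.errorcode.get(e.errno, str(e))
    return result


def v4_mapped_to_v4(addr):
    """Strip the ::ffff: prefix so logs show the familiar dotted address."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr


if __name__ == "__main__":
    r = probe_dual_stack()
    if r["error"]:
        print("dual-stack listener unavailable:", r["error"])
    else:
        print("IPv4 peer seen by the IPv6 socket as", r["peer"],
              "=", v4_mapped_to_v4(r["peer"]))
```

On a host where the probe reports EAFNOSUPPORT, a service that opens one dual-stack listener in the way Alexander describes cannot accept even IPv4 connections, which is consistent with the refused port 135 and the missing /run/samba/ncalrpc/np pipe in the Samba logs earlier in this thread; on a working host the peer is reported as ::ffff:127.0.0.1.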
Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-09 Thread Morgan Marodin
Hi Alexander

IPv6 stack is disabled on my RHEL like distro, v 7 x64, but is enabled on my
Windows 2012.
I have read in a freeipa article to disable IPv6.

I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
new FreeIPA server, just installed, in the same network.
AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
I've installed bind in IPA that contains only the ipa.mydomain.com zone.
On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
delegation to the Linux server (192.168.0.65).

Do you have other questions about my setup?
Let me know, thanks.
Morgan


2015-09-09 16:01 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>
>> Hi Alexander.
>>
>> Ok, after enabling debugging I have these logs:
>> ---
>> ==> /var/log/httpd/error_log <==
>> INFO: Current debug levels:
>>  all: 100
>>  tdb: 100
>>  printdrivers: 100
>>  lanman: 100
>>  smb: 100
>>  rpc_parse: 100
>>  rpc_srv: 100
>>  rpc_cli: 100
>>  passdb: 100
>>  sam: 100
>>  auth: 100
>>  winbind: 100
>>  vfs: 100
>>  idmap: 100
>>  quota: 100
>>  acls: 100
>>  locking: 100
>>  msdfs: 100
>>  dmapi: 100
>>  registry: 100
>>  scavenger: 100
>>  dns: 100
>>  ldb: 100
>> pm_process() returned Yes
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'sasl-DIGEST-MD5' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler":
>> 0x7f8a3c224990
>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>> Mapped to DCERPC endpoint \pipe\lsarpc
>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
>> netmask=255.255.255.0
>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
>> netmask=255.255.255.0
>>
> Do you have IPv6 stack enabled?
>
> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]
>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>  s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)]
>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>  s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>> [2015/09/09 08:45:05.032353,  4, pid=11196, effective(21740,
>> 21740), real(21740, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>  pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
>> [2015/09/09 08:45:05.032421,  2, pid=11196, effective(21740,
>> 21740), real(21740, 0), class=rpc_srv]
>> ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>>  tstream_npa_connect_recv  to /run/samba/ncalrpc/np for pipe lsarpc and
>> user IPA\admin failed: No such file or directory
>>
> I'm particularly worried about this one -- the /run/samba/ncalrpc/np pipe
> has to be there.
>
> Can you explain what is your setup in detail?
>
> --
> / Alexander Bokovoy
>



-- 
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-08 Thread Morgan Marodin
I've solved this error, reading this forum:
https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html

But now when I try to set up a trust with my Active Directory I see these errors:

# ipa trust-add --type=ad mydomain.com --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "-1073741258",
  message "The connection was refused" (both may be "None")

Here are my logs:

==> /var/log/httpd/error_log <==
Failed to connect host 192.168.0.65 on port 135 -
NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135 -
NT_STATUS_CONNECTION_REFUSED.
[Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO:
[jsonserver_kerb] ad...@ipa.mydomain.com: trust_add(u'mydomain.com',
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'',
all=False, raw=False, version=u'2.112'): RemoteRetrieveError

==> /var/log/samba/log.192.168.0.65 <==
[2015/09/08 15:01:50.833128,  1]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username IPA\admin is invalid on this system
[2015/09/08 15:01:50.833200,  1]
../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2015/09/08 15:01:50.833236,  1]
../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup:
NT_STATUS_ACCESS_DENIED
[2015/09/08 15:01:50.852169,  1]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username IPA\admin is invalid on this system
[2015/09/08 15:01:50.85,  1]
../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2015/09/08 15:01:50.852256,  1]
../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup:
NT_STATUS_ACCESS_DENIED


I don't see any TCP port 135 listening; doing a tcpdump I see that it tries
to connect to its own port 135.
What am I missing?

Thanks, Morgan


> Subject: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
> Date: Tue, 08 Sep 2015 11:00:49 +0200
>
> To: 
> Hi everyone.
>
> I have a problem with my new freeipa installation, v4.1.0, on a RHEL 7-like
> distribution.
>
> The installation was ok, but now I've some problems operating via CLI:
> # ipa user-show admin
> ipa: ERROR: cert validation failed for "CN=srv01.ipa.mydomain.com,O=
> IPA.MYDOMAIN.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer
> has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to 'https://srv01.ipa.mydomain.com/ipa/json':
> (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as
> not trusted by the user.
>
> I had the same problem connecting via curl, but after running these
> commands curl now works; ipa CLI operations still do not:
> --
> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
> # certutil -L -d /etc/pki/nssdb
> Certificate Nickname                         Trust Attributes
>                                              SSL,S/MIME,JAR/XPI
>
> IPA CA                                       CT,C,C
> # cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/
> # update-ca-trust extract
> --
>
> And also this command doesn't work:
> # ipa trust-add --type=ad mydomain.com --admin Administrator --password
> ipa: ERROR: cert validation failed for "CN=srv01.ipa.mydomain.com,O=
> IPA.MYDOMAIN.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer
> has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to 'https://srv01.ipa.mydomain.com/ipa/json':
> (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as
> not trusted by the user.
>
> So ... what's the problem?
>
> Let me know, thanks.
> Morgan
>
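The certutil listing in the quoted post is what an administrator inspects when an IPA client reports SEC_ERROR_UNTRUSTED_ISSUER. As an added example (not code from this thread or from FreeIPA), the Python below parses `certutil -L` output and checks that the IPA CA nickname carries the C (trusted SSL CA) flag and does not carry the p (explicitly distrusted) flag in its SSL trust field. The nickname `IPA CA` and the `CT,C,C` row come from the post; the `Server-Cert u,u,u` row in the constructed sample is an assumed extra entry.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Matches the certutil trust-attribute column: three comma-separated groups of
# NSS trust letters (SSL, S/MIME, JAR/XPI), e.g. "CT,C,C" or "u,u,u".
_TRUST_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")

# Constructed sample of `certutil -L` output, modelled on the listing in the
# post above. "Server-Cert u,u,u" is an assumed second entry, not from the page.
SAMPLE_LISTING = """
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

IPA CA                                       CT,C,C
Server-Cert                                  u,u,u
"""


def parse_certutil_listing(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map nickname -> (ssl, smime, jar) trust fields from `certutil -L` output.

    Nicknames may contain spaces ("IPA CA"), so each line is split once from
    the right; header lines fail the trust-field regex and are skipped.
    """
    certs: Dict[str, Tuple[str, str, str]] = {}
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)
        if len(parts) != 2 or not _TRUST_RE.match(parts[1]):
            continue
        nick, flags = parts
        ssl, smime, jar = flags.split(",")
        certs[nick] = (ssl, smime, jar)
    return certs


def ca_trust_problems(flags: Tuple[str, str, str]) -> List[str]:
    """Explain why a cert with these flags cannot act as a trusted SSL issuer.

    'p' in the SSL field means explicitly distrusted, which NSS reports as
    SEC_ERROR_UNTRUSTED_ISSUER; a missing 'C' means it is not an SSL CA at all.
    """
    ssl = flags[0]
    problems: List[str] = []
    if "p" in ssl:
        problems.append("SSL trust field contains 'p': issuer explicitly distrusted")
    if "C" not in ssl:
        problems.append("SSL trust field lacks 'C': not a trusted SSL CA")
    return problems


def check_nssdb_listing(text: str, nick: str = "IPA CA") -> List[str]:
    """Return an empty list when `nick` is a trusted SSL CA in the listing."""
    certs = parse_certutil_listing(text)
    if nick not in certs:
        return [f"no certificate with nickname {nick!r} in database"]
    return ca_trust_problems(certs[nick])


def check_nssdb(dbdir: str, nick: str = "IPA CA") -> List[str]:
    """Run certutil against a real database directory, e.g. /etc/pki/nssdb."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir],
                         capture_output=True, text=True, check=True).stdout
    return check_nssdb_listing(out, nick)


if __name__ == "__main__":
    for name, trust in parse_certutil_listing(SAMPLE_LISTING).items():
        print(name, ",".join(trust), ca_trust_problems(trust) or "ok")
```

On a live host, `check_nssdb("/etc/pki/nssdb")` runs certutil for you; the same check applies to `/etc/httpd/alias`, where the IPA CA must also be trusted for the server side, and an empty result is the healthy state.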

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-08 Thread Morgan Marodin
Also when creating the trust manually (as explained here
http://www.freeipa.org/page/Active_Directory_trust_setup) the command fails
in the same way:
# ipa trust-add --type=ad MYDOMAIN.COM --trust-secret
Shared secret for the trust:
ipa: ERROR: Cannot find specified domain or server name

==> /var/log/httpd/access_log <==
192.168.0.65 - - [08/Sep/2015:17:50:21 +0200] "POST /ipa/session/json
HTTP/1.1" 200 185

==> /var/log/httpd/error_log <==
[Tue Sep 08 17:50:22.183939 2015] [:error] [pid 4265] ipa: INFO:
[jsonserver_session] ad...@ipa.mydomain.com: trust_add(u'MYDOMAIN.COM',
trust_type=u'ad', trust_secret=u'', all=False, raw=False,
version=u'2.112'): NotFound

==> /var/log/samba/log.winbindd-idmap <==
[2015/09/08 17:50:22.178007,  1]
../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 17:50:22.178984,  1]
../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 17:50:22.179771,  1]
../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 17:50:22.179863,  1]
../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *

:( Morgan

2015-09-08 15:21 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Tue, 08 Sep 2015, Morgan Marodin wrote:
>
>> I've solved this error, reading this forum:
>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html
>>
>> But now when I try to set up a trust with my Active Directory I see these errors:
>> 
>> # ipa trust-add --type=ad mydomain.com --admin Administrator --password
>> Active Directory domain administrator's password:
>> ipa: ERROR: CIFS server communication error: code "-1073741258",
>>  message "The connection was refused" (both may be "None")
>>
>> Here are my logs:
>> 
>> ==> /var/log/httpd/error_log <==
>> Failed to connect host 192.168.0.65 on port 135 -
>> NT_STATUS_CONNECTION_REFUSED
>> Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135
>> -
>> NT_STATUS_CONNECTION_REFUSED.
>> [Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO:
>> [jsonserver_kerb] ad...@ipa.mydomain.com: trust_add(u'mydomain.com',
>> trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'',
>> all=False, raw=False, version=u'2.112'): RemoteRetrieveError
>>
>> ==> /var/log/samba/log.192.168.0.65 <==
>> [2015/09/08 15:01:50.833128,  1]
>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>  Username IPA\admin is invalid on this system
>>
> This is your problem. Does your system have SSSD actually running?
>
>
> List of ports that smbd should be listening on on an IPA master:
> # netstat -nltup|grep smbd
> tcp        0      0 0.0.0.0:135     0.0.0.0:*     LISTEN  12420/smbd
> tcp        0      0 0.0.0.0:139     0.0.0.0:*     LISTEN  12417/smbd
> tcp        0      0 0.0.0.0:445     0.0.0.0:*     LISTEN  12417/smbd
> tcp        0      0 0.0.0.0:1024    0.0.0.0:*     LISTEN  12422/smbd
> tcp6       0      0 :::135          :::*          LISTEN  12420/smbd
> tcp6       0      0 :::139          :::*          LISTEN  12417/smbd
> tcp6       0      0 :::445          :::*          LISTEN  12417/smbd
> tcp6       0      0 :::1024         :::*          LISTEN  12422/smbd
>
> --
> / Alexander Bokovoy
>



-- 
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069
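Alexander's list of ports is the reference for what smbd must expose on an IPA master before `ipa trust-add` can reach the endpoint mapper. As an added example, not code from this thread or from FreeIPA, the Python below parses `netstat -nltup` rows and reports which of 135, 139 and 445 have no smbd listener. The `HEALTHY` sample is constructed from the quoted listing; `BROKEN` is an assumed variant with the port 135 rows removed, which is the state behind the NT_STATUS_CONNECTION_REFUSED messages earlier in the thread. Port 1024 is assumed here to be a dynamically assigned RPC endpoint and is therefore not in the required set.

```python
from typing import Iterable, List, NamedTuple


class Listener(NamedTuple):
    proto: str     # "tcp" or "tcp6"
    port: int
    program: str   # process name from the PID/Program column, e.g. "smbd"


# Constructed samples in `netstat -nltup` layout. HEALTHY mirrors the listing
# quoted above; BROKEN is an assumed variant with no port 135 listener.
HEALTHY = """\
tcp        0      0 0.0.0.0:135     0.0.0.0:*     LISTEN  12420/smbd
tcp        0      0 0.0.0.0:139     0.0.0.0:*     LISTEN  12417/smbd
tcp        0      0 0.0.0.0:445     0.0.0.0:*     LISTEN  12417/smbd
tcp        0      0 0.0.0.0:1024    0.0.0.0:*     LISTEN  12422/smbd
tcp6       0      0 :::135          :::*          LISTEN  12420/smbd
tcp6       0      0 :::139          :::*          LISTEN  12417/smbd
tcp6       0      0 :::445          :::*          LISTEN  12417/smbd
tcp6       0      0 :::1024         :::*          LISTEN  12422/smbd
"""
BROKEN = "\n".join(l for l in HEALTHY.splitlines() if ":135 " not in l) + "\n"

# Ports an AD trust needs on the IPA master: endpoint mapper, NetBIOS session,
# SMB. 1024 is assumed to be a dynamic endpoint and is not required (assumption).
SMBD_REQUIRED_PORTS = (135, 139, 445)


def parse_listeners(text: str) -> List[Listener]:
    """Parse TCP LISTEN rows from `netstat -nltup` output.

    Columns are Proto Recv-Q Send-Q Local Foreign State PID/Program. UDP rows
    have no State column and header lines have no LISTEN, so both are skipped.
    """
    result: List[Listener] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        local, pidprog = f[3], f[6]
        port = int(local.rsplit(":", 1)[1])          # works for 0.0.0.0:135 and :::135
        program = pidprog.split("/", 1)[1] if "/" in pidprog else pidprog
        result.append(Listener(f[0], port, program))
    return result


def missing_smbd_ports(text: str,
                       required: Iterable[int] = SMBD_REQUIRED_PORTS) -> List[int]:
    """Ports from `required` with no smbd listener on either tcp or tcp6."""
    have = {l.port for l in parse_listeners(text) if l.program == "smbd"}
    return [p for p in required if p not in have]


def report(text: str) -> str:
    """One-line verdict suitable for a monitoring check."""
    missing = missing_smbd_ports(text)
    if not missing:
        return "ok: smbd listening on " + ", ".join(map(str, SMBD_REQUIRED_PORTS))
    return "missing smbd listeners on port(s): " + ", ".join(map(str, missing))


if __name__ == "__main__":
    # On a live IPA master, feed the stdout of `netstat -nltup` (run as root so
    # the PID/Program column is populated) to report() instead of the samples.
    print(report(HEALTHY))
    print(report(BROKEN))
```

The check keys on the program name, so a listener on 135 owned by something other than smbd still counts as missing; `ss -ltnp` prints a different column layout and would need its own parser.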

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-08 Thread Morgan Marodin
  h.root-servers.net.
.   78287   IN  NS  a.root-servers.net.
.   78287   IN  NS  j.root-servers.net.
.   78287   IN  NS  l.root-servers.net.
.   78287   IN  NS  k.root-servers.net.

;; ADDITIONAL SECTION:
dc01.mydomain.com. 2702   IN  A   192.168.0.31
dc02.mydomain.com. 2702   IN  A   192.168.0.15
d.root-servers.net. 78287   IN  A   199.7.91.13

;; Query time: 1203 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 08 15:33:12 CEST 2015
;; MSG SIZE  rcvd: 399


I've noticed an idmap range error in the logs; could it be a Samba/Winbind problem?

Thanks, Morgan

2015-09-08 15:21 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Tue, 08 Sep 2015, Morgan Marodin wrote:
>
>> I've solved this error, reading this forum:
>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html
>>
>> But now when I try to set up a trust with my Active Directory I see these errors:
>> 
>> # ipa trust-add --type=ad mydomain.com --admin Administrator --password
>> Active Directory domain administrator's password:
>> ipa: ERROR: CIFS server communication error: code "-1073741258",
>>  message "The connection was refused" (both may be "None")
>>
>> Here are my logs:
>> 
>> ==> /var/log/httpd/error_log <==
>> Failed to connect host 192.168.0.65 on port 135 -
>> NT_STATUS_CONNECTION_REFUSED
>> Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135
>> -
>> NT_STATUS_CONNECTION_REFUSED.
>> [Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO:
>> [jsonserver_kerb] ad...@ipa.mydomain.com: trust_add(u'mydomain.com',
>> trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'',
>> all=False, raw=False, version=u'2.112'): RemoteRetrieveError
>>
>> ==> /var/log/samba/log.192.168.0.65 <==
>> [2015/09/08 15:01:50.833128,  1]
>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>  Username IPA\admin is invalid on this system
>>
> This is your problem. Does your system have SSSD actually running?
>
>
> List of ports that smbd should be listening on on an IPA master:
> # netstat -nltup|grep smbd
> tcp        0      0 0.0.0.0:135     0.0.0.0:*     LISTEN  12420/smbd
> tcp        0      0 0.0.0.0:139     0.0.0.0:*     LISTEN  12417/smbd
> tcp        0      0 0.0.0.0:445     0.0.0.0:*     LISTEN  12417/smbd
> tcp        0      0 0.0.0.0:1024    0.0.0.0:*     LISTEN  12422/smbd
> tcp6       0      0 :::135          :::*          LISTEN  12420/smbd
> tcp6       0      0 :::139          :::*          LISTEN  12417/smbd
> tcp6       0      0 :::445          :::*          LISTEN  12417/smbd
> tcp6       0      0 :::1024         :::*          LISTEN  12422/smbd
>
> --
> / Alexander Bokovoy
>



-- 
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069