Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-27 Thread bahan w
Help ?

Best regards.

Bahan

On Tue, Oct 25, 2016 at 1:00 PM, bahan w <bahanw042...@gmail.com> wrote:

> Re.
>
> There is no time difference between client and server.
>
> I checked the httpd error log and saw no errors.
> Same with the dirsrv error logs.
>
> Any other idea ?
>
> By looking at the log, I'm wondering if this is a question of session ?
>
> See there :
> ###
> ipa: DEBUG: args=keyctl pipe 44063864
> ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584;
> Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
> Secure; HttpOnly
> ipa: DEBUG: stderr=
> ipa: DEBUG: found session_cookie in persistent storage for principal
> '@', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584;
> Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
> Secure; HttpOnly'
> ipa: DEBUG: setting session_cookie into context
> 'ipa_session=26a7252e4853374fc7439eae5926c584;'
> ###
>
> At that time, it was not yet expired but there were only a few minutes
> before expiration (something like 10 minutes).
> What is this persistent storage which is mentioned in the logs ?
>
> Best regards.
>
> Bahan
>
>
>
> On Tue, Oct 25, 2016 at 12:18 PM, Martin Babinsky <mbabi...@redhat.com>
> wrote:
>
>> On 10/25/2016 10:27 AM, bahan w wrote:
>>
>>> Hello everyone !
>>>
>>> I have an ipa server and an ipa client both in 3.0.0-47.
>>>
>>> In order to connect via SSH to the host of the ipa-client, I use root.
>>> When I'm connected to the ipa-client via ssh being root, I do a kinit of
>>> a user with a keytab :
>>> ###
>>> kinit -kt /etc/security/keytabs/.headless.keytab 
>>> ###
>>>
>>> And sometimes, once I have the TGT, when I do just an ipa user-show, I
>>> get the following error :
>>> ###
>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>>> Error: Unspecified GSS failure.  Minor code may provide more information
>>> (Ticket expired)
>>> ###
>>>
>>> When I check the ticket, it is not expired :
>>> ###
>>> # klist
>>> Ticket cache: FILE:/tmp/krb5cc_root_
>>> Default principal: @
>>>
>>> Valid starting     Expires            Service principal
>>> 10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/@
>>> ###
>>>
>>> Do you know where it can come from and how I can solve this error
>>> please ?
>>>
>>> Here is more information with the debug option :
>>> ###
>>> ipa -d user-show 
>>> ###
>>>
>>> Result :
>>> ###
>>> ipa: DEBUG: importing all plugin modules in
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
>>> ipa: DEBUG: importing plugin module
>

Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-25 Thread bahan w
Re.

There is no time difference between client and server.

I checked the httpd error log and saw no errors.
Same with the dirsrv error logs.

Any other idea ?

By looking at the log, I'm wondering if this is a question of session ?

See there :
###
ipa: DEBUG: args=keyctl pipe 44063864
ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584;
Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
Secure; HttpOnly
ipa: DEBUG: stderr=
ipa: DEBUG: found session_cookie in persistent storage for principal
'@', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584;
Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
Secure; HttpOnly'
ipa: DEBUG: setting session_cookie into context 'ipa_session=26a7252e4853374fc7439eae5926c584;'
###

At that time, it was not yet expired but there were only a few minutes before
expiration (something like 10 minutes).
What is this persistent storage which is mentioned in the logs ?

Best regards.

Bahan



On Tue, Oct 25, 2016 at 12:18 PM, Martin Babinsky <mbabi...@redhat.com>
wrote:

> On 10/25/2016 10:27 AM, bahan w wrote:
>
>> Hello everyone !
>>
>> I have an ipa server and an ipa client both in 3.0.0-47.
>>
>> In order to connect via SSH to the host of the ipa-client, I use root.
>> When I'm connected to the ipa-client via ssh being root, I do a kinit of
>> a user with a keytab :
>> ###
>> kinit -kt /etc/security/keytabs/.headless.keytab 
>> ###
>>
>> And sometimes, once I have the TGT, when I do just an ipa user-show, I
>> get the following error :
>> ###
>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>> Error: Unspecified GSS failure.  Minor code may provide more information
>> (Ticket expired)
>> ###
>>
>> When I check the ticket, it is not expired :
>> ###
>> # klist
>> Ticket cache: FILE:/tmp/krb5cc_root_
>> Default principal: @
>>
>> Valid starting     Expires            Service principal
>> 10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/@
>> ###
>>
>> Do you know where it can come from and how I can solve this error please ?
>>
>> Here is more information with the debug option :
>> ###
>> ipa -d user-show 
>> ###
>>
>> Result :
>> ###
>> ipa: DEBUG: importing all plugin modules in
>> '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/

[Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-25 Thread bahan w
Hello everyone !

I have an ipa server and an ipa client both in 3.0.0-47.

In order to connect via SSH to the host of the ipa-client, I use root.
When I'm connected to the ipa-client via ssh being root, I do a kinit of a
user with a keytab :
###
kinit -kt /etc/security/keytabs/.headless.keytab 
###

And sometimes, once I have the TGT, when I do just an ipa user-show, I get
the following error :
###
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (Ticket
expired)
###

When I check the ticket, it is not expired :
###
# klist
Ticket cache: FILE:/tmp/krb5cc_root_
Default principal: @

Valid starting     Expires            Service principal
10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/@
###

Do you know where it can come from and how I can solve this error please ?

Here is more information with the debug option :
###
ipa -d user-show 
###

Result :
###
ipa: DEBUG: importing all plugin modules in
'/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.10.3

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: DEBUG: args=keyctl search @s user 
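The debug output in this message shows two independent lifetimes: the Kerberos TGT that klist reports (local time, no zone marker) and the ipa_session cookie the client reads back from the kernel keyring with keyctl (the "persistent storage" the log names), whose Expires attribute is in GMT. The parser below, added here and not code from the thread or from FreeIPA, compares the two at a chosen instant; the cookie and klist text are constructed from the quoted output, and the principal, realm and UTC+2 client time zone are assumptions.

```python
"""Compare the cached ipa_session cookie lifetime with the Kerberos TGT lifetime.

Added example, not code from the thread or from FreeIPA. SAMPLE_COOKIE and
SAMPLE_KLIST are constructed from the output quoted in the thread; the
principal/realm and the UTC+2 client time zone are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: the client printed klist times in CEST (UTC+2).
LOCAL_TZ = timezone(timedelta(hours=2))

# Constructed: the cookie as the ipa client read it back from the kernel
# keyring via keyctl (its Expires attribute is in GMT).
SAMPLE_COOKIE = ("ipa_session=26a7252e4853374fc7439eae5926c584; Domain=; Path=/ipa; "
                 "Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly")

# Constructed klist output; klist prints local time without a zone marker.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_root_example
Default principal: svc.headless@EXAMPLE.TEST

Valid starting     Expires            Service principal
10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""


def parse_cookie(cookie: str) -> dict:
    """Split a Set-Cookie style string into name, value and lower-cased attributes.
    Flag attributes such as Secure/HttpOnly map to True."""
    parts = [p.strip() for p in cookie.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.lower()] = val if sep else True
    return {"name": name, "value": value, "attrs": attrs}


def cookie_expiry(cookie: str) -> datetime:
    """Return the cookie's Expires attribute as an aware UTC datetime."""
    expires = parsedate_to_datetime(parse_cookie(cookie)["attrs"]["expires"])
    if expires.tzinfo is None:  # "-0000" style dates come back naive
        expires = expires.replace(tzinfo=timezone.utc)
    return expires.astimezone(timezone.utc)


TGT_LINE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+krbtgt/")


def parse_klist_tgt(klist_output: str, local_tz: timezone) -> tuple:
    """Return (valid_from, expires) of the krbtgt entry as aware UTC datetimes."""
    fmt = "%m/%d/%y %H:%M:%S"
    for line in klist_output.splitlines():
        m = TGT_LINE.match(line.strip())
        if m:
            start, end = (datetime.strptime(m.group(i), fmt).replace(tzinfo=local_tz)
                          .astimezone(timezone.utc) for i in (1, 2))
            return start, end
    raise ValueError("no krbtgt entry found in klist output")


def diagnose(cookie: str, klist_output: str, now: datetime, local_tz: timezone) -> str:
    """Say which of the two credentials is stale at `now` (an aware datetime)."""
    cookie_ok = now < cookie_expiry(cookie)
    tgt_start, tgt_end = parse_klist_tgt(klist_output, local_tz)
    tgt_ok = tgt_start <= now < tgt_end
    if tgt_ok and cookie_ok:
        return "both valid"
    if tgt_ok:
        return "tgt valid, session cookie expired"
    if cookie_ok:
        return "session cookie valid, tgt not valid"
    return "both expired"


def diagnose_sample(now_iso: str) -> str:
    """Run the check on the constructed samples at an ISO-8601 instant."""
    return diagnose(SAMPLE_COOKIE, SAMPLE_KLIST, datetime.fromisoformat(now_iso), LOCAL_TZ)


if __name__ == "__main__":
    for when in ("2016-10-25T08:10:00+00:00", "2016-10-25T08:20:00+00:00"):
        print(when, "->", diagnose_sample(when))
```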

[Freeipa-users] Problem with a filer and FreeIPA

2016-09-22 Thread bahan w
Hello !

I contact you because I have a problem with a filer mounted on a server on
which I installed freeipa client.

I'm using FreeIPA 3.0.0-47 for both client and servers.

The filer is mounted on /myfiler
I have a user defined in freeipa : User1
I have a group defined in freeipa : Group1
I have another user defined in freeipa : User2
User2 belongs to group Group1.


Test 1 :
I create a folder Folder1 outside of the filer, in /usr for example.
/usr/folder1
I set the posix permissions 750 and owner = user1 and group=group1.
I connect with user2 and try to read the content of the folder
/usr/folder1.
It works fine.

Test 2 :
I create a folder Folder2 inside the filer, in /myfiler for example.
/myfiler/folder2
I set the posix permissions 750 and owner = user1 and group=group1.
I connect with user2 and try to read the content of the folder
/usr/folder1.
It does not work with the following error : permission denied.

Is there something to do on the filer side to plug it into the FreeIPA server ?

Best regards.

Bahan
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Here is what I found :

In the catalina.out :
###
May 27, 2016 10:51:35 AM org.apache.catalina.core.StandardWrapperValve
invoke
SEVERE: Servlet.service() for servlet caDisplayBySerial-agent threw
exception
java.io.IOException: CS server is not ready to serve.
at
com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.netscape.cms.servlet.filter.AgentRequestFilter.doFilter(AgentRequestFilter.java:124)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
at
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
at
org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
at java.lang.Thread.run(Thread.java:722)
###

In the selftests.log in /var/log/pki-ca :
###
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
Initializing self test plugins:
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
loading all self test plugin logger parameters
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
loading all self test plugin instances
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
loading all self test plugin instance parameters
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
loading self test plugins in on-demand order
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
loading self test plugins in startup order
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: Self
test plugins have been successfully loaded!
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem:
Running self test plugins specified to be executed at startup:
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] CAPresence:  CA is present
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SystemCertsVerification:
system certs verification failure
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem: The
CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at startup FAILED!
###

But nothing else.

Best regards.

Bahan

On Wed, Sep 14, 2016 at 7:27 PM, bahan w <bahanw042...@gmail.com> wrote:

> I tried also the following commands :
> ###
> # ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> # service ipa status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> ###
>
> I'm checking the /var/log/pki-ca logs to see if I find something.
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 7:02 PM, bahan w <bahanw042...@gmail.com> wrote:
>
>> Sorry Martin,
>>
>> This is not the first time I forgot to add back freeipa users.
>> I have problems with gmail, again sorry.
>>
>> Indeed I figured out that I had to restart the ipa server.
>> So I tried to restart ipa server.
>> But it was not working yet.
>>
>> So I thought it was maybe due to the configuration I performed in the
>> nss.conf.
>> So I rolled back this conf and restarted ipa-server.
>> Then I retried your commands but it is still the same error.
>>
>> ###
>> Request ID '20140528064145':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>> server.  Certificate operation cannot be completed: Unable to communicate
>> with CMS (Not Found)).
>> stuck: yes
>&g

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
I tried also the following commands :
###
# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

# service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
###

I'm checking the /var/log/pki-ca logs to see if I find something.

Best regards.

Bahan

On Wed, Sep 14, 2016 at 7:02 PM, bahan w <bahanw042...@gmail.com> wrote:

> Sorry Martin,
>
> This is not the first time I forgot to add back freeipa users.
> I have problems with gmail, again sorry.
>
> Indeed I figured out that I had to restart the ipa server.
> So I tried to restart ipa server.
> But it was not working yet.
>
> So I thought it was maybe due to the configuration I performed in the
> nss.conf.
> So I rolled back this conf and restarted ipa-server.
> Then I retried your commands but it is still the same error.
>
> ###
> Request ID '20140528064145':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be completed: Unable to communicate
> with CMS (Not Found)).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=
> subject: CN=,O=
> expires: 2016-05-28 06:41:44 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> ###
>
> Do you know what the CMS is ?
> ###
> (RPC failed at server.  Certificate operation cannot be completed: Unable
> to communicate with CMS (Not Found)).
> ###
>
> Best regards.
>
> Bahan
>
>
>
>
>
> On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti <mba...@redhat.com> wrote:
>
>> did you restart IPA when you moved time? Is there a more detailed error
>> description in output of getcert list?
>>
>> On 14.09.2016 18:45, bahan w wrote:
>>
>> I set the date-time when the certificates were valid :
>> ###
>> # date -s '2016-05-27 10:00:00'
>> Fri May 27 10:00:00 CEST 2016
>>
>> # date
>> Fri May 27 10:00:02 CEST 2016
>> ###
>>
>> Then I try to renew them :
>> ###
>> # getcert resubmit -i 20140528063919
>> Resubmitting "20140528063919" to "IPA".
>>
>> # getcert resubmit -i 20140528064145
>> Resubmitting "20140528064145" to "IPA".
>>
>> # getcert resubmit -i 20140528063953
>> Resubmitting "20140528063953" to "IPA".
>> ###
>>
>> But when I do the getcert list after, the result is the same.
>>
>> I guess it is because of this ?
>> CA_UNREACHABLE
>>
>> Any idea ?
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:38 PM, bahan w <bahanw042...@gmail.com> wrote:
>>
>>> Ok, I managed to restart the IPA service by adding this line in the file
>>> /etc/httpd/conf.d/nss.conf :
>>> ###
>>> NSSEnforceValidCerts off
>>> ###
>>>
>>> But when I do the getcert now I got the following result :
>>>
>>> ###
>>> # getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20140528063903':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=
>>> subject: CN=CA Audit,O=
>>> expires: 2018-04-09 11:39:16 UTC
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "auditSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063904':
>>> status: MONITORING
>>> stuck: no
>>> key pa

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Sorry Martin,

This is not the first time I forgot to add back freeipa users.
I have problems with gmail, again sorry.

Indeed I figured out that I had to restart the ipa server.
So I tried to restart ipa server.
But it was not working yet.

So I thought it was maybe due to the configuration I performed in the
nss.conf.
So I rolled back this conf and restarted ipa-server.
Then I retried your commands but it is still the same error.

###
Request ID '20140528064145':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Unable to communicate
with CMS (Not Found)).
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2016-05-28 06:41:44 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
###

Do you know what the CMS is ?
###
(RPC failed at server.  Certificate operation cannot be completed: Unable
to communicate with CMS (Not Found)).
###

Best regards.

Bahan





On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti <mba...@redhat.com> wrote:

> did you restart IPA when you moved time? Is there a more detailed error
> description in output of getcert list?
>
> On 14.09.2016 18:45, bahan w wrote:
>
> I set the date-time when the certificates were valid :
> ###
> # date -s '2016-05-27 10:00:00'
> Fri May 27 10:00:00 CEST 2016
>
> # date
> Fri May 27 10:00:02 CEST 2016
> ###
>
> Then I try to renew them :
> ###
> # getcert resubmit -i 20140528063919
> Resubmitting "20140528063919" to "IPA".
>
> # getcert resubmit -i 20140528064145
> Resubmitting "20140528064145" to "IPA".
>
> # getcert resubmit -i 20140528063953
> Resubmitting "20140528063953" to "IPA".
> ###
>
> But when I do the getcert list after, the result is the same.
>
> I guess it is because of this ?
> CA_UNREACHABLE
>
> Any idea ?
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 6:38 PM, bahan w <bahanw042...@gmail.com> wrote:
>
>> Ok, I managed to restart the IPA service by adding this line in the file
>> /etc/httpd/conf.d/nss.conf :
>> ###
>> NSSEnforceValidCerts off
>> ###
>>
>> But when I do the getcert now I got the following result :
>>
>> ###
>> # getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20140528063903':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=
>> subject: CN=CA Audit,O=
>> expires: 2018-04-09 11:39:16 UTC
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063904':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=
>> subject: CN=OCSP Subsystem,O=
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063905':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',t
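The getcert list records quoted in this message are where the expired Server-Cert, the CA_UNREACHABLE status and the stuck flag all surface; reading that output mechanically before the expiry date is how a practitioner avoids discovering it, as here, only once renewal requests already fail. The parser below is an added example, not code from the thread or from certmonger; its sample is constructed from two records quoted in the thread, with the blank subject and realm fields filled by EXAMPLE.TEST placeholders and the PIN redacted.

```python
"""Flag expired, expiring, stuck or non-MONITORING entries in `getcert list` output.

Added example, not from the thread or from certmonger. SAMPLE_GETCERT is
constructed from records quoted in the thread; EXAMPLE.TEST names and the
redacted PIN are placeholders.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_GETCERT = """Number of certificates and requests being tracked: 2.
Request ID '20140528064145':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.TEST
subject: CN=ipa.example.test,O=EXAMPLE.TEST
expires: 2016-05-28 06:41:44 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20140528063903':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='REDACTED'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.TEST
subject: CN=CA Audit,O=EXAMPLE.TEST
expires: 2018-04-09 11:39:16 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
"""

REQUEST_HEADER = re.compile(r"Request ID '([^']+)':")


def parse_getcert_list(text: str) -> list:
    """Split certmonger's `getcert list` output into one dict per Request ID.
    Each 'key: value' line becomes an entry; the preamble line is skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_HEADER.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        if current is None or not line:
            continue
        key, sep, value = line.partition(":")  # first colon only; values keep theirs
        if sep:
            current[key.strip()] = value.strip()
    return records


def parse_expiry(value: str) -> datetime:
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def nickname(record: dict) -> str:
    """NSS nickname of the tracked certificate, or '?' if absent."""
    m = re.search(r"nickname='([^']*)'", record.get("certificate", ""))
    return m.group(1) if m else "?"


def find_problems(records: list, now: datetime, warn_days: int = 30) -> list:
    """Return (request_id, nickname, issues) for every record that needs attention."""
    problems = []
    for rec in records:
        issues = []
        if rec.get("status", "MONITORING") != "MONITORING":
            issues.append("status=" + rec["status"])
        if rec.get("stuck") == "yes":
            issues.append("stuck")
        if "expires" in rec:
            exp = parse_expiry(rec["expires"])
            if exp <= now:
                issues.append("expired")
            elif exp - now <= timedelta(days=warn_days):
                issues.append("expires-soon")
        if issues:
            problems.append((rec["request_id"], nickname(rec), issues))
    return problems


def check_sample(now_iso: str) -> list:
    """Evaluate the constructed sample as of an ISO-8601 instant."""
    return find_problems(parse_getcert_list(SAMPLE_GETCERT), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for req_id, nick, issues in check_sample("2016-09-14T17:00:00+00:00"):
        print(req_id, nick, ", ".join(issues))
```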

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
I set the date-time when the certificates were valid :
###
# date -s '2016-05-27 10:00:00'
Fri May 27 10:00:00 CEST 2016

# date
Fri May 27 10:00:02 CEST 2016
###

Then I try to renew them :
###
# getcert resubmit -i 20140528063919
Resubmitting "20140528063919" to "IPA".

# getcert resubmit -i 20140528064145
Resubmitting "20140528064145" to "IPA".

# getcert resubmit -i 20140528063953
Resubmitting "20140528063953" to "IPA".
###

But when I do the getcert list after, the result is the same.

I guess it is because of this ?
CA_UNREACHABLE

Any idea ?

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:38 PM, bahan w <bahanw042...@gmail.com> wrote:

> Ok, I managed to restart the IPA service by adding this line in the file
> /etc/httpd/conf.d/nss.conf :
> ###
> NSSEnforceValidCerts off
> ###
>
> But when I do the getcert now I got the following result :
>
> ###
> # getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20140528063903':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=CA Audit,O=
> expires: 2018-04-09 11:39:16 UTC
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063904':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=OCSP Subsystem,O=
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063905':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=CA Subsystem,O=
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063906':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=IPA RA,O=
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20140528063907':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
> DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
> DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=,O=
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
>   

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Oh I forgot to add that my version of ipa is quite old :
###
# rpm -qa | grep ipa-server
ipa-server-3.0.0-25.el6.x86_64
###

When I try the command you gave me I got the following error :
###
# ipactl start --force
Usage: ipactl start|stop|restart|status


ipactl: error: no such option: --force
###

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 14.09.2016 17:59, bahan w wrote:
>
> Hello !
>
> I send you this mail because I cannot restart my test IPA server.
>
> When I try to start it with service ipa start, I got the following error
> message :
> ###
> # service ipa start
> Starting Directory Service
> Starting dirsrv:
> ...[14/Sep/2016:17:57:23 +0200] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
> -8181 - Peer's Certificate has expired.)
>[  OK  ]
> PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
> -8181 - Peer's Certificate has expired.)
>[  OK  ]
> Starting KDC Service
> Starting Kerberos 5 KDC:   [  OK  ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server:  [  OK  ]
> Starting MEMCACHE Service
> Starting ipa_memcached:[  OK  ]
> Starting HTTP Service
> Starting httpd:[FAILED]
> Failed to start HTTP Service
> Shutting down
> Stopping Kerberos 5 KDC:   [  OK  ]
> Stopping Kerberos 5 Admin Server:  [  OK  ]
> Stopping ipa_memcached:[  OK  ]
> Stopping httpd:[FAILED]
> Stopping pki-ca:   [  OK  ]
> Shutting down dirsrv:
> ...[  OK  ]
> PKI-IPA... [  OK  ]
> Aborting ipactl
>
> # service ipa status
> Directory Service: STOPPED
> Failed to get list of services to probe status:
> Directory Server is stopped
> ###
>
> Do you know how to renew the SSL certificate used for the IPA Server ?
>
> Best regards.
>
> Bahan
>
>
>
>
>
> Hello,
>
> please run
>
> # ipactl start --force
> # getcert list (to detect which certificate is outdated, I suspect DS cert
> (or to get more info why it has not been renewed))
>
> If getcert does work (I'm not sure if it is able to work without httpd),
> you probably need to move time back to past where cert is valid, start IPA
> and try again.
>
> Please find ID of outdated certificate and try to resubmit it (CA and DS must be
> running)
>
> # getcert resubmit -i 20160914122036 (use your ID :) )
>
> This should renew cert, check status with getcert list
>
> Move time back to future (if needed)
>
> Try to restart IPA
>
> Martin^2
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
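
To go with the `getcert list` step suggested above, here is an added example (not code from the list thread or from FreeIPA/certmonger) that parses the text `getcert list` prints and reports every tracked request that is expired, close to expiry, stuck, or in a state other than MONITORING. The sample output, hostnames, nicknames and request IDs in it are constructed; `now` is passed in as a string so the check is reproducible offline.

```python
"""Find certmonger requests that are expired, about to expire, or stuck,
from the text that `getcert list` prints (added example, not FreeIPA code)."""
import re
from datetime import datetime, timezone

# Constructed sample in the layout `getcert list` prints on an IPA 3.x server
# (not captured from a real host; hostnames, nicknames and IDs are made up).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20140528063901':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-09-01 16:00:00 UTC
        track: yes
        auto-renew: yes
Request ID '20140528063906':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=IPA RA,O=EXAMPLE.TEST
        expires: 2018-04-09 11:38:16 UTC
        track: yes
        auto-renew: yes
Request ID '20140528063907':
        status: CA_UNREACHABLE
        stuck: yes
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-10-04 16:00:00 UTC
        track: yes
        auto-renew: yes
"""
SAMPLE_NOW = "2016-09-14 16:00:00 UTC"   # constructed "current time" for the sample

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def parse_utc(value):
    """getcert prints timestamps as 'YYYY-MM-DD HH:MM:SS UTC'."""
    if value.endswith(" UTC"):
        value = value[:-4]
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def certificate_report(text, now=None, warn_days=30):
    """Return (request_id, nickname, [problems]) for every request needing attention."""
    now_dt = parse_utc(now) if now else datetime.now(timezone.utc)
    findings = []
    for req in parse_getcert_list(text):
        nick = NICK_RE.search(req.get("certificate", ""))
        nickname = nick.group(1) if nick else "?"
        problems = []
        if req.get("status") != "MONITORING":
            problems.append("status is %s" % req.get("status", "unknown"))
        if req.get("stuck", "no") != "no":
            problems.append("request is stuck")
        if "expires" in req:
            days_left = (parse_utc(req["expires"]) - now_dt).total_seconds() / 86400
            if days_left < 0:
                problems.append("expired %.0f days ago" % -days_left)
            elif days_left < warn_days:
                problems.append("expires in %.0f days" % days_left)
        if problems:
            findings.append((req["request_id"], nickname, problems))
    return findings


if __name__ == "__main__":
    for request_id, nickname, problems in certificate_report(SAMPLE_GETCERT_LIST, SAMPLE_NOW):
        print(request_id, nickname, "; ".join(problems))
```

On a real server, replace `SAMPLE_GETCERT_LIST` with the output of `getcert list` and leave `now` unset; a request reported as stuck or in a non-MONITORING state is the one whose ID goes into the `getcert resubmit -i` step above.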

[Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Hello !

I send you this mail because I cannot restart my test IPA server.

When I try to start it with service ipa start, I got the following error
message :
###
# service ipa start
Starting Directory Service
Starting dirsrv:
...[14/Sep/2016:17:57:23 +0200] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)
   [  OK  ]
PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)
   [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:[  OK  ]
Starting HTTP Service
Starting httpd:[FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:   [  OK  ]
Stopping Kerberos 5 Admin Server:  [  OK  ]
Stopping ipa_memcached:[  OK  ]
Stopping httpd:[FAILED]
Stopping pki-ca:   [  OK  ]
Shutting down dirsrv:
...[  OK  ]
PKI-IPA... [  OK  ]
Aborting ipactl

# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status:
Directory Server is stopped
###

Do you know how to renew the SSL certificate used for the IPA Server ?

Best regards.

Bahan

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-25 Thread bahan w
Hello everyone.

Could you explain this field Sent/Skipped to me please ?

I checked the doc and found this :
###

Sent/Skipped :

The number of changes that were sent from the supplier and the number
skipped in the replication update. The numbers are kept in suppliers’
memory only and are cleared if the supplier is restarted.
###

If I check the first part :
###
Master: :389 ldap://:389/
Replica ID: 4
Replica Root: dc=
Max CSN: 57bdcd3600010004 (08/24/2016 18:37:10 1 0)
Receiver: :389 ldap://:389/
Type: master
Time Lag: 0:00:00
Max CSN: 57bdcd3600010004 (08/24/2016 18:37:10 1 0)
Last Modify Time: 8/24/2016 18:36:32
Supplier: :389
Sent/Skipped: 182110 / 1054
Update Status: 0 Replica acquired successfully: Incremental update succeeded
Update Started: 08/24/2016 18:36:32
Update Ended: 08/24/2016 18:36:34
Schedule: always in sync
SSL: SASL/GSSAPI
###

This is the replication from the MASTER OK (the supplier) to the MASTER
UNSYNC (the receiver), right ?
So, the MASTER OK sent 182110 changes.
And in addition to these 182110 changes, 1054 changes were sent to the
MASTER UNSYNC but skipped by the MASTER UNSYNC, right ?
Why are they skipped ?

On the other side, if I take the second part :
###
Master: :389 ldap://:389/
Replica ID: 3
Replica Root: dc=
Max CSN: 57bdbda10003 (08/24/2016 17:30:41)
Receiver: :389 ldap://:389/
Type: master
Time Lag: - 0:22:29
Max CSN: 57bdb85c0003 (08/24/2016 17:08:12)
Last Modify Time: 8/24/2016 17:07:34
Supplier: :389
Sent/Skipped: 3 / 9048655
Update Status: 0 Replica acquired successfully: Incremental update succeeded
Update Started: 08/24/2016 18:36:33
Update Ended: 08/24/2016 18:36:34
Schedule: always in sync
SSL: SASL/GSSAPI
###

The supplier is the MASTER UNSYNC and the receiver is the MASTER OK.
In this case I have only 3 changes sent.
And in addition to these 3 changes, 9 048 655 changes were sent but skipped
on the MASTER OK, right ?

I ask these questions just to be sure I understand the output of the pl
script correctly.


Best regards.

Bahan

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-25 Thread bahan w
On 24 Aug 2016 18:42, "bahan w" <bahanw042...@gmail.com> wrote:

> Hey guys.
>
> I rechecked and in fact I also have the same message on the multi master
> setup with one master unsynchronized :
> ###
> Master: :389 ldap://:389/
> Replica ID: 4
> Replica Root: dc=
> Max CSN: 57bdcd3600010004 (08/24/2016 18:37:10 1 0)
> Receiver: :389 ldap://:389/
> Type: master
> Time Lag: 0:00:00
> Max CSN: 57bdcd3600010004 (08/24/2016 18:37:10 1 0)
> Last Modify Time: 8/24/2016 18:36:32
> Supplier: :389
> Sent/Skipped: 182110 / 1054
> Update Status: 0 Replica acquired successfully: Incremental update
> succeeded
> Update Started: 08/24/2016 18:36:32
> Update Ended: 08/24/2016 18:36:34
> Schedule: always in sync
> SSL: SASL/GSSAPI
>
> Master: :389 ldap://:389/
> Replica ID: 3
> Replica Root: dc=
> Max CSN: 57bdbda10003 (08/24/2016 17:30:41)
> Receiver: :389 ldap://:389/
> Type: master
> Time Lag: - 0:22:29
> Max CSN: 57bdb85c0003 (08/24/2016 17:08:12)
> Last Modify Time: 8/24/2016 17:07:34
> Supplier: :389
> Sent/Skipped: 3 / 9048655
> Update Status: 0 Replica acquired successfully: Incremental update
> succeeded
> Update Started: 08/24/2016 18:36:33
> Update Ended: 08/24/2016 18:36:34
> Schedule: always in sync
> SSL: SASL/GSSAPI
> ###
>
> So even the synchronization looks good no ?
>
> And even with that, this master really is unsynchronized and doesn't have
> all the users the other master has.
>
> Best regards.
>
> Bahan
>
> On Wed, Aug 24, 2016 at 6:33 PM, bahan w <bahanw042...@gmail.com> wrote:
>
>> Hey guys.
>>
>> I performed it :
>> ###
>> # /usr/bin/repl-monitor.pl -f /tmp/checkconf -s
>> Directory Server Replication Status (Version 1.1)
>>
>> Time: Wed Aug 24 2016 18:16:50
>>
>> Master: :389 ldap://:389/
>> Replica ID: 4
>> Replica Root: dc=
>> Max CSN: 57bdc89700030004 (08/24/2016 18:17:27 3 0)
>> Receiver: :389 ldap://:389/
>> Type: master
>> Time Lag: 0:00:00
>> Max CSN: 57bdc89700030004 (08/24/2016 18:17:27 3 0)
>> Last Modify Time: 8/24/2016 18:16:50
>> Supplier: :389
>> Sent/Skipped: 179031 / 1037
>> Update Status: 0 Replica acquired successfully: Incremental update started
>> Update Started: 08/24/2016 18:16:50
>> Update Ended: n/a
>> Schedule: always in sync
>> SSL: SASL/GSSAPI
>>
>> Master: :389 ldap://:389/
>> Replica ID: 3
>> Replica Root: dc=
>> Max CSN: 57bdbda10003 (08/24/2016 17:30:41)
>> Receiver: :389 ldap://:389/
>> Type: master
>> Time Lag: - 0:22:29
>> Max CSN: 57bdb85c0003 (08/24/2016 17:08:12)
>> Last Modify Time: 8/24/2016 17:07:34
>> Supplier: :389
>> Sent/Skipped: 3 / 9045345
>> Update Status: 0 Replica acquired successfully: Incremental update started
>> Update Started: 08/24/2016 18:16:50
>> Update Ended: n/a
>> Schedule: always in sync
>> SSL: SASL/GSSAPI
>> ###
>>
>> Do you see something strange in there ?
>> I have another environment where I have two replicated masters and they
>> are OK.
>> And when I check the same command, the result is a little bit different :
>> ###
>> Master: :389 ldap://:389/
>> Replica ID: 4
>> Replica Root: dc=
>> Max CSN: 57bdc88d00030004 (08/24/2016 18:17:17 3 0)
>> Receiver: :389 ldap://:389/
>> Type: master
>> Time Lag: 0:00:00
>> Max CSN: 57bdc88d00030004 (08/24/2016 18:17:17 3 0)
>> Last Modify Time: 8/24/2016 18:16:00
>> Supplier: :389
>> Sent/Skipped: 343515 / 0
>> Update Status: 0 Replica acquired successfully: Incremental update
>> succeeded
>> Update Started: 08/24/2016 18:15:59
>> Update Ended: 08/24/2016 18:16:08
>> Schedule: always in sync
>> SSL: SASL/GSSAPI
>>
>> Master: :389 ldap://:389/
>> Replica ID: 3
>> Replica Root: dc=
>> Max CSN: 57bdc88700080003 (08/24/2016 18:17:11 8 0)
>> Receiver: :389 ldap://:389/
>> Type: master
>> Time Lag: - 390:51:38
>> Max CSN: 57a8500d00040003 (08/08/2016 11:25:33 4 0)
>> Last Modify Time: 8/8/2016 11:24:28
>> Supplier: :389
>> Sent/Skipped: 5 / 2596073
>> Update Status: 0 Replica acquired successfully: Incremental update
>> succeeded
>> Update Started: 08/24/2016 18:16:00
>> Update Ended: 08/24/2016 18:16:12
>> Schedule: always in sync
>> SSL: SASL/GSSAPI
>> ###
>>
>> Best regards.
>>
>> Bahan
>>
>
>

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-24 Thread bahan w
Hey guys.

I performed it :
###
# /usr/bin/repl-monitor.pl -f /tmp/checkconf -s
Directory Server Replication Status (Version 1.1)

Time: Wed Aug 24 2016 18:16:50

Master: :389 ldap://:389/
Replica ID: 4
Replica Root: dc=
Max CSN: 57bdc89700030004 (08/24/2016 18:17:27 3 0)
Receiver: :389 ldap://:389/
Type: master
Time Lag: 0:00:00
Max CSN: 57bdc89700030004 (08/24/2016 18:17:27 3 0)
Last Modify Time: 8/24/2016 18:16:50
Supplier: :389
Sent/Skipped: 179031 / 1037
Update Status: 0 Replica acquired successfully: Incremental update started
Update Started: 08/24/2016 18:16:50
Update Ended: n/a
Schedule: always in sync
SSL: SASL/GSSAPI

Master: :389 ldap://:389/
Replica ID: 3
Replica Root: dc=
Max CSN: 57bdbda10003 (08/24/2016 17:30:41)
Receiver: :389 ldap://:389/
Type: master
Time Lag: - 0:22:29
Max CSN: 57bdb85c0003 (08/24/2016 17:08:12)
Last Modify Time: 8/24/2016 17:07:34
Supplier: :389
Sent/Skipped: 3 / 9045345
Update Status: 0 Replica acquired successfully: Incremental update started
Update Started: 08/24/2016 18:16:50
Update Ended: n/a
Schedule: always in sync
SSL: SASL/GSSAPI
###

Do you see something strange in there ?
I have another environment where I have two replicated masters and they are
OK.
And when I check the same command, the result is a little bit different :
###
Master: :389 ldap://:389/
Replica ID: 4
Replica Root: dc=
Max CSN: 57bdc88d00030004 (08/24/2016 18:17:17 3 0)
Receiver: :389 ldap://:389/
Type: master
Time Lag: 0:00:00
Max CSN: 57bdc88d00030004 (08/24/2016 18:17:17 3 0)
Last Modify Time: 8/24/2016 18:16:00
Supplier: :389
Sent/Skipped: 343515 / 0
Update Status: 0 Replica acquired successfully: Incremental update succeeded
Update Started: 08/24/2016 18:15:59
Update Ended: 08/24/2016 18:16:08
Schedule: always in sync
SSL: SASL/GSSAPI

Master: :389 ldap://:389/
Replica ID: 3
Replica Root: dc=
Max CSN: 57bdc88700080003 (08/24/2016 18:17:11 8 0)
Receiver: :389 ldap://:389/
Type: master
Time Lag: - 390:51:38
Max CSN: 57a8500d00040003 (08/08/2016 11:25:33 4 0)
Last Modify Time: 8/8/2016 11:24:28
Supplier: :389
Sent/Skipped: 5 / 2596073
Update Status: 0 Replica acquired successfully: Incremental update succeeded
Update Started: 08/24/2016 18:16:00
Update Ended: 08/24/2016 18:16:12
Schedule: always in sync
SSL: SASL/GSSAPI
###

Best regards.

Bahan
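
The `repl-monitor.pl` output in this post and in the 2016-08-25 "Sent/Skipped" post above carries the same fields. As an added example (not code from the thread or from 389-ds/FreeIPA), the script below parses that output and, for each Receiver block, derives how far the receiver's newest change is behind the supplier's from the CSN timestamps (the first 8 hex digits of a 389-ds CSN are the Unix time of the change), next to the Sent/Skipped counters and whether the last update failed. Hostnames and the base DN in the sample are made up; the CSNs are chosen so that the second agreement is 22 min 29 s behind, matching the Time Lag shown above. Since the environment described above as healthy also shows a 390-hour lag, the lag figure on its own does not prove a replica is broken; read it together with the update status and Last Modify Time.

```python
"""Parse `repl-monitor.pl -s` output and compute per-agreement replication lag
from CSN timestamps (added example, not 389-ds or FreeIPA code)."""
from datetime import datetime, timezone

# Constructed sample in the repl-monitor.pl layout (hostnames and base DN made up;
# the CSNs put the second agreement 1349 s = 22:29 behind, like the one on the list).
SAMPLE_REPL_MONITOR = """\
Directory Server Replication Status (Version 1.1)

Time: Wed Aug 24 2016 18:16:50

Master: master1.example.test:389 ldap://master1.example.test:389/
Replica ID: 4
Replica Root: dc=example,dc=test
Max CSN: 57bdcd3600010004 (08/24/2016 18:37:10 1 0)
Receiver: master2.example.test:389 ldap://master2.example.test:389/
Type: master
Time Lag: 0:00:00
Max CSN: 57bdcd3600010004 (08/24/2016 18:37:10 1 0)
Last Modify Time: 8/24/2016 18:36:32
Supplier: master1.example.test:389
Sent/Skipped: 182110 / 1054
Update Status: 0 Replica acquired successfully: Incremental update succeeded
Update Started: 08/24/2016 18:36:32
Update Ended: 08/24/2016 18:36:34
Schedule: always in sync
SSL: SASL/GSSAPI

Master: master2.example.test:389 ldap://master2.example.test:389/
Replica ID: 3
Replica Root: dc=example,dc=test
Max CSN: 57bdbda100000003 (08/24/2016 17:30:41)
Receiver: master1.example.test:389 ldap://master1.example.test:389/
Type: master
Time Lag: - 0:22:29
Max CSN: 57bdb85c00000003 (08/24/2016 17:08:12)
Last Modify Time: 8/24/2016 17:07:34
Supplier: master2.example.test:389
Sent/Skipped: 3 / 9048655
Update Status: 0 Replica acquired successfully: Incremental update succeeded
Update Started: 08/24/2016 18:36:33
Update Ended: 08/24/2016 18:36:34
Schedule: always in sync
SSL: SASL/GSSAPI
"""


def csn_time(csn):
    """A 389-ds CSN is timestamp(8 hex) + sequence(4) + replica id(4) [+ subseq(4)];
    the leading 8 hex digits are the Unix time at which the change was made."""
    return datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc)


def parse_repl_monitor(text):
    """One record per Receiver block, carrying its Master's name, replica ID and Max CSN."""
    records, master, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Master":
            master = {"master": value.split()[0]}   # "host:port", drop the LDAP URL
            current = None
        elif key == "Receiver" and master is not None:
            current = dict(master, receiver=value.split()[0])
            records.append(current)
        elif current is not None:
            current[key] = value                    # receiver-side fields, verbatim
        elif master is not None:
            # master-side fields (Replica ID, Replica Root, Max CSN) get a prefix
            master["master_" + key.lower().replace(" ", "_")] = value.split()[0]
    return records


def replication_findings(text, max_lag_seconds=60):
    """Per agreement: lag derived from the two Max CSNs, counters, and failure flag."""
    findings = []
    for rec in parse_repl_monitor(text):
        lag = (csn_time(rec["master_max_csn"]) - csn_time(rec["Max CSN"])).total_seconds()
        sent, skipped = (int(x) for x in rec["Sent/Skipped"].split("/"))
        findings.append({
            "replica_id": int(rec["master_replica_id"]),
            "supplier": rec["master"],
            "receiver": rec["receiver"],
            "lag_seconds": int(lag),
            "behind": lag > max_lag_seconds,
            "sent": sent,
            "skipped": skipped,
            "update_failed": "failed" in rec.get("Update Status", ""),
        })
    return findings


if __name__ == "__main__":
    for f in replication_findings(SAMPLE_REPL_MONITOR):
        print("replica %(replica_id)d %(supplier)s -> %(receiver)s: lag %(lag_seconds)d s, "
              "sent %(sent)d, skipped %(skipped)d, failed=%(update_failed)s" % f)
```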

[Freeipa-users] Two masters and one of them is desynchronized

2016-08-23 Thread bahan w
Hello !

I am using IPA 3.0.0 on RedHat 6.6 servers.

I have two masters and this evening, I realized that one of them was
desynchronized, some users and groups were missing.

I was wondering if there was an ipa command to resynchronize replicas which
are not in sync with the other ?

Thank you in advance for your help.

Best regards.

Bahan

[Freeipa-users] A question related to ipa webui

2016-08-11 Thread bahan w
Hello !

I'm using ipa 3.0.0.47.

I have an architecture where the IPA server is located on a secure zone,
not accessible from anyone.

The IPA server has 2 network interfaces :
- IP1
- IP2

In the secure zone, the IP1 network is used for the communication between
the servers.
The IP2 is used for administrators to connect to the servers inside the
secure zone.

The only way to connect to the IPA server for external users is a proxy
which allows us to connect to the IP2.

I installed the ipa-server using the IP1 network interface.
When I try to connect through proxy to the IPA webui, I use the IP2 network
interface.

My problem is the following :
I type the following URL :
https://

It redirects me to the following URL :
https:///ipa/ui

When I try https:///ipa/ui, it redirects me to https:///ipa/ui.

And unfortunately, this IP1 is not reachable from outside of the secure
zone.

When I check from the server, I can see the service is listening on all
network interfaces.
###
# lsof -i :443
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd2427 apache4u  IPv4 xx  0t0  TCP *:https (LISTEN)
httpd2428 apache4u  IPv4 xx  0t0  TCP *:https (LISTEN)
httpd2429 apache4u  IPv4 xx  0t0  TCP *:https (LISTEN)
httpd2430 apache4u  IPv4 xx  0t0  TCP *:https (LISTEN)
httpd2431 apache4u  IPv4 xx  0t0  TCP *:https (LISTEN)
httpd2432 apache4u  IPv4 xx  0t0  TCP *:https (LISTEN)
httpd2433 apache4u  IPv4 xx  0t0  TCP *:https (LISTEN)
httpd2434 apache4u  IPv4 xx  0t0  TCP *:https (LISTEN)
httpd   30861   root4u  IPv4 xx  0t0  TCP *:https (LISTEN)
###

Is there something I am missing in the IPA configuration for the WebUI
please ?

Best regards.

Bahan

[Freeipa-users] Impossible to restart IPA because of the presence of a file called CS.cfg.bak.saved

2016-07-12 Thread bahan w
Hello everyone.

I'm using ipa 3.0.0-47 on a RHEL6.6 OS (multi-masters).

Today I tried to restart the IPA service with the command
###
service ipa restart
###

And I got the following warning concerning the pkica service :
###
Since the file '/var/lib/pki-ca/conf/CS.cfg.bak.saved' exists, a previous
backup attempt has failed!  Backups will be discontinued until this issue
has been resolved!
###

And then the service gets KO.

I wanted to know, could you tell me when this file CS.cfg.bak.saved is
created ?
Also, do you know why the presence of this file prevents the ipa service from
starting ?

Thank you in advance for your help.

BR.

Bahan

[Freeipa-users] A question related the passwords in the ldap

2016-07-05 Thread bahan w
Hello !

I'm running ipa 3.0.0.47 and I have a question related to the password
stored in the ldap.

I was wondering if the users' passwords are natively encrypted ?
If yes, do you know by which mechanism ?

Thank you in advance for your help.

BR.

Bahan

[Freeipa-users] How to deactivate automatic kinit at ssh login ?

2016-06-30 Thread bahan w
Hello !

I'm using freeipa 3.0.0-47.

I send you this mail concerning the automatic kinit at ssh login. I wanted
to know if it was possible to deactivate it on a specific server ?

The reason is that I have some of my users who often use another ticket
than their own and this feature can be annoying for them.

BR.

Bahan

Re: [Freeipa-users] ipa user-add, two entries in the ldap

2016-05-13 Thread bahan w
Please ignore the character "-" in .

On Fri, May 13, 2016 at 4:09 PM, bahan w <bahanw042...@gmail.com> wrote:

> Hello !
>
> I recently performed an ipa user-add for a new user and when I check in
> the ldap, I can see two entries for it :
> - One in uid=,cn=users,cn=compat,dc=
> - One in uid=,cn=users,cn=accounts,dc=
>
> Is it normal ?
> I know that my user is the one defined in the tree
> cn=users,cn=accounts,dc=.
>
> What is exactly the entry in cn=users,cn=compat,dc= please ?
>
> BR.
>
> Bahan
>

[Freeipa-users] ipa user-add, two entries in the ldap

2016-05-13 Thread bahan w
Hello !

I recently performed an ipa user-add for a new user and when I check in the
ldap, I can see two entries for it :
- One in uid=,cn=users,cn=compat,dc=
- One in uid=,cn=users,cn=accounts,dc=

Is it normal ?
I know that my user is the one defined in the tree
cn=users,cn=accounts,dc=.

What is exactly the entry in cn=users,cn=compat,dc= please ?

BR.

Bahan

[Freeipa-users] About ipa passwd and kpasswd

2016-02-18 Thread bahan w
Hello everyone.

I send you this mail because I have sometimes a problem when using ipa
passwd to generate a One Time Password and then using kpasswd to set a
strong random password using a password policy.

When I perform the ipa passwd command and just after the kpasswd command, I
got an error message.

Here is the command (I have an admin TGT) :
echo "onetimepwd\nonetimepwd\n" | ipa passwd ; echo
"onetimepwd\n\n\n" | kpasswd 

And here is the result :
###
--
Changed password for "@"
--
Password for @:
kpasswd: Preauthentication failed getting initial ticket
###

When I perform a sleep 5, then the succession of these commands completes
successfully.
I tried to sleep 1s or 2s, but sometimes I got the error message, and
sometimes not.
So I extended the sleep duration to 5s.

I was wondering if it was normal behaviour from ipa-server/client 3.0.0-47 ?

If yes, do you know what the minimum duration in seconds is that I have to
wait after setting a one time password before setting a more definitive
password (a password respecting the password policy) ?

Best regards.

Bahan

[Freeipa-users] Logging configuration for ipa server

2016-02-17 Thread bahan w
Hello !

I send you this mail for a question about the kerberos logs on the ipa
server.

On the server, there are two configuration files :
- kdc.conf : for the server
- krb5.conf : for the client

In both of these files, we can put a logging section.
In this section, there are 3 parameters :
- default
- kdc
- admin

May I put the same values for both client and server or is it better to put
different values for the server part ?

BR.

Bahan

[Freeipa-users] Incremental update failed and requires administrator action

2016-01-25 Thread bahan w
Hello !

I recently installed a replica (master2) in addition to my master (master1)
with IPA 3.0.0-47 on RHEL6.6.
I don't know from when exactly, but the dirsrv (and the whole ipa service)
on master1 crashes regularly with the following logs.

###
[22/Jan/2016:15:38:20 +0100] - 389-Directory/1.2.11.15 B2015.279.183
starting up
[22/Jan/2016:15:38:20 +0100] schema-compat-plugin - warning: no entries set
up under cn=computers, cn=compat,dc=
[22/Jan/2016:15:38:21 +0100] schema-compat-plugin - warning: no entries set
up under cn=ng, cn=compat,dc=
[22/Jan/2016:15:38:21 +0100] schema-compat-plugin - warning: no entries set
up under ou=sudoers,dc=
[22/Jan/2016:15:38:21 +0100] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[22/Jan/2016:15:38:21 +0100] - Listening on All Interfaces port 636 for
LDAPS requests
[22/Jan/2016:15:38:21 +0100] - Listening on /var/run/slapd-.socket
for LDAPI requests
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin - changelog program -
_cl5WriteOperationTxn: retry (49) the transaction
(csn=56a252ef0004) failed (rc=-30994 (DB_LOCK_DEADLOCK: Locker
killed to resolve a deadlock))
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin - changelog program -
_cl5WriteOperationTxn: failed to write entry with csn
(56a252ef0004); db error - -30994 DB_LOCK_DEADLOCK: Locker killed
to resolve a deadlock
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin -
write_changelog_and_ruv: can't add a change for
uid=,cn=users,cn=accounts,dc= (uniqid:
a7ebd403-c12111e5-9c84c092-9a5deb81, optype: 16) to changelog csn
56a252ef0004
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin -
agmt="cn=meTo" (:389): Missing data encountered
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin -
agmt="cn=meTo" (:389): Incremental update
failed and requires administrator action
###

Then the dirsrv, I mean the whole ipa server, is down.
When I restart the service, here is what I see :

###
[22/Jan/2016:17:06:18 +0100] - 389-Directory/1.2.11.15 B2015.279.183
starting up
[22/Jan/2016:17:06:18 +0100] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[22/Jan/2016:17:06:18 +0100] schema-compat-plugin - warning: no entries set
up under cn=computers, cn=compat,dc=
[22/Jan/2016:17:06:19 +0100] schema-compat-plugin - warning: no entries set
up under cn=ng, cn=compat,dc=
[22/Jan/2016:17:06:19 +0100] schema-compat-plugin - warning: no entries set
up under ou=sudoers,dc=
[22/Jan/2016:17:06:20 +0100] set_krb5_creds - Could not get initial
credentials for principal [ldap/@] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[22/Jan/2016:17:06:20 +0100] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[22/Jan/2016:17:06:20 +0100] - Listening on All Interfaces port 636 for
LDAPS requests
[22/Jan/2016:17:06:20 +0100] - Listening on /var/run/slapd-.socket
for LDAPI requests
[22/Jan/2016:17:06:20 +0100] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_244' not found)) errno 0 (Success)
[22/Jan/2016:17:06:20 +0100] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[22/Jan/2016:17:06:20 +0100] NSMMReplicationPlugin -
agmt="cn=meTo" (:389): Replication bind with
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (Credentials cache file '/tmp/krb5cc_244' not found))
[22/Jan/2016:17:06:23 +0100] NSMMReplicationPlugin -
agmt="cn=meTo" (:389): Replication bind with
GSSAPI auth resumed
###

It seems that there is a problem to write an entry in the DB ? Do you know
how I can solve this problem please ?

Furthermore, it seems that there is a second problem with the keytab
/etc/dirsrv/ds.keytab.

The keytab is good for me :
###
#ls -l /etc/dirsrv/ds.keytab
-rw--- 1 dirsrv dirsrv 362 Jan 21 14:12 /etc/dirsrv/ds.keytab
# kinit -kt /etc/dirsrv/ds.keytab ldap/@
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldap/@

Valid starting ExpiresService principal
01/25/16 11:54:23  01/26/16 11:54:23  krbtgt/@
###

I wonder if this second problem does not come from the user dirsrv who
would not be able to use this keytab.
I cannot test this because this user dirsrv has been created with nologin.
###
# su - dirsrv -c "kinit -kt /etc/dirsrv/ds.keytab ldap/@"
This account is currently not available.

# grep dirsrv /etc/passwd
dirsrv:x:244:497::/var/lib/dirsrv:/sbin/nologin
pkisrv:x:246:497::/var/lib/dirsrv:/sbin/nologin
###

Just for my information, is it normal that these users are created with
nologin ?

Best regards.

Bahan

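The errors-log excerpt above shows the sequence a monitor should catch: a changelog write that keeps deadlocking, the agreement dropping into "requires administrator action", a disorderly shutdown on the next start, and a GSSAPI replication bind that fails and then resumes. As an added example (not code from the thread or from 389-ds), the script below scans such log lines, classifies them by severity, and reports GSSAPI bind failures that were never followed by a "resumed" line for the same agreement. The sample lines are constructed in the same layout, with made-up hostnames, agreement name and CSN.

```python
"""Scan 389-ds errors-log lines for replication trouble (added example, not 389-ds code)."""
import re
from datetime import datetime

# Constructed sample in the 389-ds errors-log layout (hostnames, agreement name
# and CSN are made up; the message texts follow the ones quoted on the list).
SAMPLE_ERRORS_LOG = """\
[22/Jan/2016:15:38:21 +0100] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=56a252ef000000010004) failed (rc=-30994 (DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[22/Jan/2016:17:04:03 +0100] NSMMReplicationPlugin - agmt="cn=meTomaster2.example.test" (master2.example.test:389): Incremental update failed and requires administrator action
[22/Jan/2016:17:06:18 +0100] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[22/Jan/2016:17:06:20 +0100] NSMMReplicationPlugin - agmt="cn=meTomaster2.example.test" (master2.example.test:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_244' not found))
[22/Jan/2016:17:06:23 +0100] NSMMReplicationPlugin - agmt="cn=meTomaster2.example.test" (master2.example.test:389): Replication bind with GSSAPI auth resumed
"""

LINE_RE = re.compile(r"^\[([^\]]+)\] (.*)$")     # "[dd/Mon/yyyy:HH:MM:SS +zzzz] message"
AGMT_RE = re.compile(r'agmt="([^"]+)"')

# (severity, pattern), checked in order; the first match decides.
RULES = [
    ("critical", re.compile(r"requires administrator action")),
    ("critical", re.compile(r"Detected Disorderly Shutdown")),
    ("warning", re.compile(r"DB_LOCK_DEADLOCK")),
    ("warning", re.compile(r"Replication bind with GSSAPI auth failed")),
    ("info", re.compile(r"Replication bind with GSSAPI auth resumed")),
]


def parse_line(line):
    """Return (aware datetime, message) for one errors-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z"), m.group(2)


def scan_errors_log(text):
    """Classify every line that matches a rule; other lines are ignored."""
    events = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        for severity, pattern in RULES:
            if pattern.search(msg):
                agmt = AGMT_RE.search(msg)
                events.append({"time": ts, "severity": severity,
                               "agreement": agmt.group(1) if agmt else None,
                               "message": msg})
                break
    return events


def open_bind_failures(events):
    """GSSAPI bind failures per agreement not followed by an 'auth resumed' line."""
    pending = {}
    for ev in events:
        if "auth failed" in ev["message"]:
            pending[ev["agreement"]] = ev
        elif "auth resumed" in ev["message"]:
            pending.pop(ev["agreement"], None)
    return list(pending.values())


def summarize(events):
    """Count events per severity."""
    counts = {}
    for ev in events:
        counts[ev["severity"]] = counts.get(ev["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_errors_log(SAMPLE_ERRORS_LOG)
    for ev in found:
        print(ev["time"].isoformat(), ev["severity"].upper(), ev["message"][:80])
    print("summary:", summarize(found))
    print("bind failures still open:", len(open_bind_failures(found)))
```

Feeding the real `/var/log/dirsrv/slapd-<INSTANCE>/errors` file through `scan_errors_log` gives the same classification; the bind failure in the sample closes three seconds later, which is the "resumed" transient the log above shows, whereas one that stays open is worth a look at the keytab and credential cache the message names.
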
Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Re Martin.

Here we are for the ipaclient-install.log :

###
2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'domain': '', 'force': False, 'realm_name':
'', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir':
True, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False,
'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
False, 'principal': 'admin', 'hostname': '', 'no_ac':
False, 'unattended': True, 'sssd': True, 'trust_sshfp': False,
'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
False, 'force_join': False, 'ca_cert_file': None, 'server': [''], 'prompt_password': False, 'permit': False, 'debug': True,
'preserve_sssd': False, 'uninstall': False}
2016-01-20T14:55:48Z DEBUG missing options might be asked for interactively
later
2016-01-20T14:55:48Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-01-20T14:55:48Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2016-01-20T14:55:48Z DEBUG [IPA Discovery]
2016-01-20T14:55:48Z DEBUG Starting IPA discovery with domain=,
servers=[''], hostname=
2016-01-20T14:55:48Z DEBUG Server and domain forced
2016-01-20T14:55:48Z DEBUG [Kerberos realm search]
2016-01-20T14:55:48Z DEBUG Search DNS for TXT record of
_kerberos..
2016-01-20T14:55:48Z DEBUG No DNS record found
2016-01-20T14:55:48Z DEBUG [LDAP server check]
2016-01-20T14:55:48Z DEBUG Verifying that  (realm None) is
an IPA server
2016-01-20T14:55:48Z DEBUG Init LDAP connection with: ldap://:389
2016-01-20T14:55:48Z DEBUG LDAP Error: Anonymous access not allowed
2016-01-20T14:55:48Z DEBUG Assuming realm is the same as domain: 
2016-01-20T14:55:48Z DEBUG Generated basedn from realm:
dc=
2016-01-20T14:55:48Z DEBUG Discovery result: NO_ACCESS_TO_LDAP;
server=None, domain=, kdc=None, basedn=
2016-01-20T14:55:48Z DEBUG Validated servers: 
2016-01-20T14:55:48Z DEBUG will use discovered domain: 
2016-01-20T14:55:48Z DEBUG Using servers from command line, disabling DNS
discovery
2016-01-20T14:55:48Z DEBUG will use provided server: 
2016-01-20T14:55:48Z DEBUG will use discovered realm: 
2016-01-20T14:55:48Z ERROR The provided realm name [] does not
match discovered one []
2016-01-20T14:55:48Z DEBUG (: Assumed same as domain)
2016-01-20T14:55:48Z ERROR Installation failed. Rolling back changes.
2016-01-20T14:55:48Z ERROR IPA client is not configured on this system.
###

Best regards.

Bahan

On Wed, Jan 20, 2016 at 1:52 PM, Martin Kosek <mko...@redhat.com> wrote:

> Adding freeipa-users back, so that others can benefit from the answer.
>
> Can you please attach a full ipaclient-install.log DEBUG log somewhere so
> that
> we can get the full context of the bug? You may also want to open a RHEL-6
> Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only
> maintained
> in RHEL-6.x.
>
> Thanks,
> Martin
>
> On 01/20/2016 01:39 PM, bahan w wrote:
> > Hello Martin !
> >
> > Thanks for your answer, Martin !
> >
> > I uninstalled the 3.0.0.25 and installed the 3.0.0.47, but unfortunately
> I
> > still have the same error message.
> >
> > # rpm -qa | grep ipa-client
> > ipa-client-3.0.0-47.el6.x86_64
> >
> > And in ipa-client-install.log :
> > ###
> > 2016-01-20T12:38:14Z DEBUG [LDAP server check]
> > 2016-01-20T12:38:14Z DEBUG Verifying that  (realm None)
> is
> > an IPA server
> > 2016-01-20T12:38:14Z DEBUG Init LDAP connection with: ldap:// > server>:389
> > 2016-01-20T12:38:14Z DEBUG LDAP Error: Anonymous access not allowed
> > ###
> >
> > Best regards.
> >
> > Bahan
> >
> >
> > On Wed, Jan 20, 2016 at 1:26 PM, Martin Kosek <mko...@redhat.com> wrote:
> >
> >> On 01/20/2016 12:08 PM, bahan w wrote:
> >>> Hello !
> >>>
> >>> I send you this mail because of the following topic.
> >>>
> >>> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
> >>> access for security reasons.
> >>>
> >>> But now, I have a problem when I try to enroll a new host.
> >>>
> >>> Here is the command I try :
> >>> ###
> >>> ipa-client-install --domain= --realm= --server= >>> ipaserver> --principal=admin --password=
> >>> --mkhomedir  --hostname= --no-ntp --no-ssh --no-sshd
> >>> --unattended
> >>> ###
> >>>
> >>> And here is the error message :
> >>> ###
> >>> 2016-01-20T11:06:44Z DEBUG Verifying that  (realm None)
> >> is
> >>> an IPA server
> >>> 2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap:// >>> server>:389
> >>> 2016-01-2

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Ah sorry, for security reasons I didn't want to put the original name and I
made a mistake.

Here we are, for the confusing lines :
###
Assuming realm is the same as domain: 
Generated basedn from realm: dc=
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=,
kdc=None, basedn=dc=
Validated servers: 
will use discovered domain: 
Using servers from command line, disabling DNS discovery
will use provided server: 
will use discovered realm: 
The provided realm name [] does not match discovered one
[]
(: Assumed same as domain)
Installation failed. Rolling back changes
IPA client is not configured on this system.
###

Is it more clear ? Sorry again for the confusion.

I use a realm which is different from the domain.

Best regards.

Bahan
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Hello !

I send you this mail because of the following topic.

I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
access for security reasons.

But now, I have a problem when I try to enroll a new host.

Here is the command I try :
###
ipa-client-install --domain= --realm= --server= --principal=admin --password=
--mkhomedir  --hostname= --no-ntp --no-ssh --no-sshd
--unattended
###

And here is the error message :
###
2016-01-20T11:06:44Z DEBUG Verifying that  (realm None) is
an IPA server
2016-01-20T11:06:44Z DEBUG Init LDAP connection with: ldap://:389
2016-01-20T11:06:44Z DEBUG LDAP Error: Anonymous access not allowed
###

Is there a way with IPA 3.0.0.25 to enroll host with the anonymous access
disabled ?

Best regards.

Bahan

[Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread bahan w
Hello !

I send you this mail because I have a question relative to the migration
from the IPA distribution to the separate components.

With FreeIPA, we are using only :
- MIT Kerberos
- DS389
- The PKI CA is installed but not used from our side

Is it possible to migrate to the following separate components :
- MIT Kerberos (we keep the same)
- OpenLDAP

I often found documentation to migrate from MIT Kerberos and OpenLDAP to
FreeIPA but not the opposite.

Best regards.

Bahan

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread bahan w
Re !

Thanks to both of you again for your answers, guys.

Simo, I would be very interested in this feature list in fact.
Do you know if there is a way to find it ?
I would really need it, it would help a lot.

Best regards.

Bahan

On Wed, Jan 13, 2016 at 4:11 PM, Martin Kosek <mko...@redhat.com> wrote:

> On 01/13/2016 03:57 PM, bahan w wrote:
> > Re.
> >
> > Thanks both of you for your answers.
> >
> > Simo, MIT Kerberos and OpenLDAP can work on their own and provide the
> same
> > kind of service that we want from IPA, even if it is not embedded in an
> > integrated solution like IPA.
> >
> > I totally agree that IPA provides a lot of things but I am quite sure the
> > isolated software like MIT Kerberos for Kerberos, OpenLDAP for LDAP and
> a
> > cache client like sssd or nscd/nslcd can work.
>
> It "can" work. But home grown solutions like that require non-trivial
> effort to
> even get started.
>
> As soon as you have more requests on such home grown infrastructure, you
> will
> need to implement enhancements (like something cert or DNS related). At
> that
> moment, you may realize you are re-implementing what FreeIPA may support
> already. FreeIPA project was started for a reason :-)
>
> > Alexander, when I mention migration, I think of the following actions :
> > 1. Take the principals that we have for the KDC and recreate them in an
> MIT
> > Kerberos KDC architecture
> > 2. Take the users/groups/pwpolicies in the LDAP and recreate them in an
> > openLDAP architecture
> >
> > Do you know if there are other things necessary to recreate in the LDAP or
> > in the KDC ?
> >
> > Additionally, do you have a list of points which could help to convince
> to
> > keep the freeipa architecture ?
> >
> > Best regards.
> >
> > Bahan
> >
> > On Wed, Jan 13, 2016 at 3:33 PM, Alexander Bokovoy <aboko...@redhat.com>
> > wrote:
> >
> >> On Wed, 13 Jan 2016, bahan w wrote:
> >>
> >>> Hello Simo !
> >>>
> >>> For the reason :
> >>> The production team wants to use only the two components openLDAP and
> MIT
> >>> Kerberos, possibly on different servers.
> >>>
> >>> For the explanation :
> >>> They want to install only MIT Kerberos and openLDAP.
> >>> We already have an existing FreeIPA installation, with users, groups,
> >>> principals, pwpolicies.
> >>> We would like to migrate this to an openLDAP for the users, groups and
> >>> pwpolicies, and to another MIT Kerberos for the principals (hope I'm
> not
> >>> forgetting anything).
> >>>
> >> FreeIPA provides own LDAP driver for MIT Kerberos that relies on IPA
> >> LDAP schema. Standard MIT Kerberos LDAP driver does not support IPA
> >> schema.
> >>
> >> Additionally, 389-ds LDAP server FreeIPA uses is coupled with about two
> >> dozen additional plugins. These plugins either don't exist for OpenLDAP
> >> at all or have different behavior and rely on different LDAP schema.
> >>
> >> In short, if you move the data from 389-ds to OpenLDAP, it wouldn't be
> >> used by MIT Kerberos LDAP driver because it doesn't know about that
> >> data, and OpenLDAP server will not have the same behavior as expected by
> >> IPA clients (SSSD) for IPA-specific mode.
> >>
> >> Whatever your production team is thinking about this move, it is most
> >> certainly not properly thought out.
> >>
> >> --
> >> / Alexander Bokovoy
> >>
> >
> >
> >
>
>

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread bahan w
Hello Simo !

For the reason :
The production team wants to use only the two components openLDAP and MIT
Kerberos, possibly on different servers.

For the explanation :
They want to install only MIT Kerberos and openLDAP.
We already have an existing FreeIPA installation, with users, groups,
principals, pwpolicies.
We would like to migrate this to an openLDAP for the users, groups and
pwpolicies, and to another MIT Kerberos for the principals (hope I'm not
forgetting anything).

Best regards.

Bahan

On Wed, Jan 13, 2016 at 2:58 PM, Simo Sorce <s...@redhat.com> wrote:

> On Wed, 2016-01-13 at 14:54 +0100, bahan w wrote:
> > Hello !
> >
> > I send you this mail because I have a question relative to the migration
> > from the IPA distribution to the separate components.
> >
> > With FreeIPA, we are using only :
> > - MIT Kerberos
> > - DS389
> > - The PKI CA is installed but not used from our side
> >
> > Is it possible to migrate to the following separate components :
> > - MIT Kerberos (we keep the same)
> > - OpenLDAP
> >
> > I often found documentation to migrate from MIT Kerberos and OpenLDAP to
> > FreeIPA but not the opposite.
>
> Can you explain what you mean by "migrate to the following separate
> components" ? And why you want to do so ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread bahan w
Re.

Thanks both of you for your answers.

Simo, MIT Kerberos and OpenLDAP can work on their own and provide the same
kind of service that we want from IPA, even if it is not embedded in an
integrated solution like IPA.

I totally agree that IPA provides a lot of things but I am quite sure the
isolated software like MIT Kerberos for Kerberos, OpenLDAP for LDAP and a
cache client like sssd or nscd/nslcd can work.

Alexander, when I mention migration, I think of the following actions :
1. Take the principals that we have for the KDC and recreate them in an MIT
Kerberos KDC architecture
2. Take the users/groups/pwpolicies in the LDAP and recreate them in an
openLDAP architecture

Do you know if there are other things necessary to recreate in the LDAP or
in the KDC ?

Additionally, do you have a list of points which could help to convince to
keep the freeipa architecture ?

Best regards.

Bahan

On Wed, Jan 13, 2016 at 3:33 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Wed, 13 Jan 2016, bahan w wrote:
>
>> Hello Simo !
>>
>> For the reason :
>> The production team wants to use only the two components openLDAP and MIT
>> Kerberos, possibly on different servers.
>>
>> For the explanation :
>> They want to install only MIT Kerberos and openLDAP.
>> We already have an existing FreeIPA installation, with users, groups,
>> principals, pwpolicies.
>> We would like to migrate this to an openLDAP for the users, groups and
>> pwpolicies, and to another MIT Kerberos for the principals (hope I'm not
>> forgetting anything).
>>
> FreeIPA provides own LDAP driver for MIT Kerberos that relies on IPA
> LDAP schema. Standard MIT Kerberos LDAP driver does not support IPA
> schema.
>
> Additionally, 389-ds LDAP server FreeIPA uses is coupled with about two
> dozen additional plugins. These plugins either don't exist for OpenLDAP
> at all or have different behavior and rely on different LDAP schema.
>
> In short, if you move the data from 389-ds to OpenLDAP, it wouldn't be
> used by MIT Kerberos LDAP driver because it doesn't know about that
> data, and OpenLDAP server will not have the same behavior as expected by
> IPA clients (SSSD) for IPA-specific mode.
>
> Whatever your production team is thinking about this move, it is most
> certainly not properly thought out.
>
> --
> / Alexander Bokovoy
>

[Freeipa-users] How to secure the access to ldap with IPA

2016-01-08 Thread bahan w
Hello !

I configured my IPA server 3.0.0.42 without SSL/TLS access to the LDAP and
I would like to enable this for the ldap.

Is there something specific to use with FreeIPA or may I follow the DS389
doc
http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html#configuring-tlsssl-enabled-389-directory-server
?

Best regards.

Bahan

Re: [Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

2016-01-08 Thread bahan w
Re.

Thank you for your answer, I forgot to re-add Freeipa-users mailing list.

So I cannot modify the userPassword only and when I generate a keytab with
ipa-getkeytab it doesn't update the userPassword.
Do you know if it is normal behaviour for ipa-getkeytab ? If not, was it
solved in a newer version of IPA ?

Best regards.

Bahan

On Fri, Jan 8, 2016 at 2:37 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Fri, 08 Jan 2016, bahan w wrote:
>
>> Hello Alexander.
>>
>> Thank you for your answer.
>>
> Please don't ask in private, use freeipa-users@ mailing list.
>
> Is there a way to modify the field userPassword only ?
>> Do you know if ldappasswd modify something else ?
>>
> There is no way to modify userPassword attribute only. When you are
> modifying userPassword attribute in FreeIPA, IPA's password plugin will
> update all other password attributes, if there are any.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] How to secure the access to ldap with IPA

2016-01-08 Thread bahan w
Re.

I installed the server like this :

###
ipa-server-install -r  -n  --hostname=
-p '' -a '' --no-ntp --no-ssh --no-sshd -U
###

And for the clients :
###
ipa-client-install --domain= --realm= --fixed-primary
--server= --principal=admin --password=''
--mkhomedir --hostname= --no-ntp --no-ssh --no-sshd
--unattended --force-join
###

And when I check the /etc/openldap/ldap.conf, indeed :
###
#File modified by ipa-client-install

URI ldaps://
BASE dc=
TLS_CACERT /etc/ipa/ca.crt
###

So yes it is already enabled ^_^.
Thank you for your answer.

Best regards.

Bahan

[Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

2016-01-08 Thread bahan w
Hello !

I send you this mail, because I have a problem with a user who needs keytab
and password.
I already sent a mail some time ago, and the answer was to use the option
-P of the ipa-getkeytab command.

I'm still running IPA 3.0.0-42 with RHEL 6.6 for specific reasons and I
cannot move to earlier versions unfortunately.

Here is what I do :

I create the user test001
###
ipa user-add --first=test --last=test test001
###

Initiate an OTP for user test001
###
ipa passwd test001 pwd001
###

Then I set a permanent password
###
kinit test001
Password for test001@MYREALM:
Password expired.  You must change it now.
Enter new password: pwd002pwd002
Enter it again: pwd002pwd002
###

Then I perform an ldapsearch :
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h  -p 389 -W uid=test001
Enter LDAP Password:
###

It worked.

Then I generated a keytab for this user with a password :
###
ipa-getkeytab -s  -p test001 -k
/etc/security/keytabs/test001.headless.keytab -P
New Principal Password: pwd003pwd003
Verify Principal Password: pwd003pwd003
Keytab successfully retrieved and stored in:
/etc/security/keytabs/test001.headless.keytab
###

Then I perform a new ldapsearch
###
ldapsearch -x -D "uid=test001,cn=users,cn=accounts,dc=myrealm" -h  -p 389 -W uid=test001
Enter LDAP Password:
###

When I enter the password pwd003pwd003, it does not work with the following
result :
###
Enter LDAP Password:pwd003pwd003
ldap_bind: Invalid credentials (49)
###

When I use the old password pwd002pwd002, it works.

So my question :
When I create the ipa-getkeytab, how can I also set the password in the
ldap ?
May I use ldappasswd ?

Best regards.

Bahan

[Freeipa-users] FreeIPA - Mixing clients using sssd for some and nscd/nslcd for others

2016-01-06 Thread bahan w
Hello !

I send you this mail because I am using this topology :
- FreeIPA 3.0.0-42
- RHEL6.6
- Two masters (replicated)
- n clients

My question is the following :
May I use for some clients sssd and for others the couple nscd/nslcd ? I
would like to perform tests to compare both and I'm wondering if I can do
that ?

Best regards.

Bahan

Re: [Freeipa-users] FreeIPA 4.x + CentOS 6.4

2016-01-05 Thread bahan w
Hello.

I have some questions related to this point :
1. On a RHEL6.6, may I install the package ipa-client 4.x and enroll to an
ipa server 4.x located on a RHEL7 ? May you remind me the version of sssd
embedded with ipa-client 4.x ?
2. The ipa-server 4.x can only be installed on RHEL7+, true/false ?

Best regards.

Bahan

Re: [Freeipa-users] FreeIPA 4.x + CentOS 6.4

2016-01-05 Thread bahan w
Thanks.

And for the ipa-client package ? Is it installable on Redhat 6.6 ?
Or is it only installable on Redhat 7.x ?

Best regards.

Bahan

On Tue, Jan 5, 2016 at 3:31 PM, Lukas Slebodnik <lsleb...@redhat.com> wrote:

> On (05/01/16 15:11), bahan w wrote:
> >Hello.
> >
> >I have some questions related to this point :
> >1. On a RHEL6.6, may I install the package ipa-client 4.x and enroll to an
> >ipa server 4.x located on a RHEL7 ? May you remind me the version of sssd
> >embedded with ipa-client 4.x ?
> rhel6.6 has ipa-client-3.0.0-47.el6 and sssd-1.11.x
> rhel6.7 has ipa-client-3.0.0-47.el6 and sssd-1.12.x
>
> and sssd-1.11+ works well with ipa-server 4.x
>
> >2. The ipa-server 4.x can only be installed on RHEL7+, true/false ?
> >
> true ( +fedora :-)
>
> LS
>

[Freeipa-users] FreeIPA availability, what to do client side ?

2015-12-21 Thread bahan w
Hello !

I contact you because I have a question relative to high availability with
FreeIPA and replications.
In the documentation, we can see information about what to do server side.

But I can't find any information about what to do client side.

Imagine one of the master servers crashes: how does the client know where to
switch ? What is the configuration to perform to allow this switch ?

Thank you in advance for this information !

Best regards.

Bahan

[Freeipa-users] User, keytab, password and ldap

2015-09-23 Thread bahan w
Hello !

I'm using IPA 3.0.0 and I have a problem with one of the users I created,
user3.

I created this user with the command ipa user-add without specifying any
password.
Then I performed an ipa-getkeytab command with the -P option to have a
keytab and a password.

When I check the ldap server with the following command, I cannot find any
"userpassword" field for this user.
ldapsearch -v -x -D 'cn=Directory Manager' -W -h  -p 

###
# user3, users, accounts, myrealm
dn: uid=user3,cn=users,cn=accounts,dc=myrealm
displayName: user3 user3
cn: user3 user3
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: user3
gecos: user3 user3
homeDirectory: /home/user3
krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
krbPrincipalName: user3@MYREALM
givenName: user3
uid: user3
initials: uu
ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
uidNumber: 
gidNumber: 
memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
krbLastPwdChange: 20150923134438Z
krbPrincipalKey:: 
krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
krbLastSuccessfulAuth: 20150923120752Z
krbLastFailedAuth: 20150923132257Z
krbLoginFailedCount: 1
###

Then, with an admin ticket, I performed an ipa passwd user3 and I set a one
time password.
Then I connected with user3 and he was able to change his one time password
into something else.
And when I retried the ldapsearch command, the field userpassword was there.
But the keytab is not working anymore.

So here is my question :
How can I generate a user with a keytab, a password and the userpassword
field in the ldap ?

The ipa-getkeytab -P option allows me to have both keytab and the password,
but as the field userpassword is missing in the ldap, some other tools
using ldapbackend authentication do not work for this user.

Best regards.

Bahan
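
Both this post and the earlier "Problem with ipa-getkeytab, usage of ldappasswd" thread come down to the same distinction: kinit and keytabs use the Kerberos keys stored in krbPrincipalKey, while `ldapsearch -x -D ... -W` is an LDAP simple bind that needs userPassword. The following is an added example, not code from the thread or from FreeIPA: it parses LDIF as ldapsearch prints it, reports which of the two credential paths an entry can satisfy, and lists which credential attributes changed between two snapshots. The two entries are constructed from the one quoted above; the key blobs and the password hash are placeholders.

```python
"""Inspect which credentials an IPA user entry carries, and what changed.

Added example, not code from the thread or from FreeIPA. The LDIF snapshots
are constructed from the entry quoted in the post; key blobs and the
password hash are placeholders, not real directory data."""
import base64

# Constructed "before": right after `ipa user-add` and `ipa-getkeytab -P`.
LDIF_AFTER_GETKEYTAB = """\
# user3, users, accounts, myrealm
dn: uid=user3,cn=users,cn=accounts,dc=myrealm
objectClass: top
objectClass: posixaccount
objectClass: krbprincipalaux
uid: user3
krbPrincipalName: user3@MYREALM
krbLastPwdChange: 20150923134438Z
krbPrincipalKey:: AQIDBA==
krbLoginFailedCount: 1

"""

# Constructed "after": `ipa passwd user3` plus the user's own password change.
# As observed in the thread, userPassword appears and the keys are regenerated.
LDIF_AFTER_PASSWD = """\
dn: uid=user3,cn=users,cn=accounts,dc=myrealm
objectClass: top
objectClass: posixaccount
objectClass: krbprincipalaux
uid: user3
krbPrincipalName: user3@MYREALM
krbLastPwdChange: 20150923150102Z
krbPrincipalKey:: BQYHCA==
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
krbLoginFailedCount: 0

"""

CREDENTIAL_ATTRS = ("userpassword", "krbprincipalkey", "krblastpwdchange")


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of entries: {attribute (lower-cased): [values]}.
    'attr:: value' is base64 per RFC 2849 and is decoded to bytes."""
    entries, entry = [], {}
    for line in _unfold(text):
        if not line.strip():            # a blank line ends the entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def credential_summary(entry):
    """Which authentication paths this entry can satisfy."""
    return {
        "kinit_with_keytab": "krbprincipalkey" in entry,   # Kerberos keys present
        "ldap_simple_bind": "userpassword" in entry,       # needed by -x -D ... -W
        "last_krb_pwd_change": entry.get("krblastpwdchange", [None])[0],
    }


def credential_changes(before, after):
    """Credential attributes that were added, removed or changed between snapshots."""
    changes = {}
    for attr in CREDENTIAL_ATTRS:
        old, new = before.get(attr), after.get(attr)
        if old == new:
            continue
        changes[attr] = "added" if old is None else "removed" if new is None else "changed"
    return changes


if __name__ == "__main__":
    before = parse_ldif(LDIF_AFTER_GETKEYTAB)[0]
    after = parse_ldif(LDIF_AFTER_PASSWD)[0]
    print("after ipa-getkeytab -P:", credential_summary(before))
    print("after ipa passwd + user change:", credential_summary(after))
    print("what changed:", credential_changes(before, after))
```

Run against a real export, the summary shows immediately whether an "Invalid credentials (49)" on a simple bind is explained by a missing userPassword rather than a wrong password, and the change list shows that regenerating Kerberos keys is what invalidates an existing keytab.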

[Freeipa-users] GID, groups and ipa group-show

2015-08-21 Thread bahan w
Hello !

I contact you because I notice something strange with IPA environment.

I created a group :
ipa group-add g1 --desc=my first group

Then I created a user with the GID of g1
GID1=`ipa group-show g1 | awk '/GID/ {printf("%s",$2)}'`
ipa user-add --first=u1 --last=u1 --homedir=/home/u1 --shell=/bin/bash
--gidnumber=${GID1} u1

Then when I perform ipa group-show g1 command, I got the following result :
###
  Group name: g1
  Description: my first group
  GID: gid1
###

Same for ipa user-show u1 :
###
  User login: u1
  First name: u1
  Last name: u1
  Home directory: /home/u1
  Login shell: /bin/bash
  Email address: u1@MYDOMAIN
  UID: uid1
  GID: gid1
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
###

These 2 commands do not see u1 as a member of g1.
When I try the command id u1, I can see the group :

###
id u1
uid=uid1(u1) gid=gid1(g1) groups=gid1(g1)
###

Is it the normal behaviour of these IPA commands ?

Best regards.

Bahan
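
What `ipa group-show` and `ipa user-show` list as members comes from the member/memberOf links between directory entries, while `id` derives the primary group from the user's gidNumber alone, so a user whose gidNumber equals g1's GID is in g1 for POSIX purposes without being a member of g1 in the directory. An added example, not code from the thread or from FreeIPA, modelling the three views over constructed entries (the uid/gid numbers and the non-POSIX status of ipausers are assumptions made for the example):

```python
"""Three views of the same user: group-show, user-show and `id`.

Added example, not code from the thread or from FreeIPA. The entries below
are constructed stand-ins for the uid1/gid1 placeholders in the post."""

# Constructed directory entries (DN -> attributes), not a real export.
GROUPS = {
    "cn=g1,cn=groups,cn=accounts,dc=myrealm": {
        "cn": "g1", "gidNumber": 1001, "member": []},       # POSIX group, no members
    "cn=ipausers,cn=groups,cn=accounts,dc=myrealm": {
        "cn": "ipausers", "gidNumber": None,                 # assumed non-POSIX group
        "member": ["uid=u1,cn=users,cn=accounts,dc=myrealm"]},
}
USERS = {
    "uid=u1,cn=users,cn=accounts,dc=myrealm": {
        "uid": "u1", "uidNumber": 1000, "gidNumber": 1001,   # gidNumber == g1's GID
        "memberOf": ["cn=ipausers,cn=groups,cn=accounts,dc=myrealm"]},
}


def group_show_members(group_dn, groups=GROUPS, users=USERS):
    """What `ipa group-show` reports: only users linked by the member attribute."""
    return [users[dn]["uid"] for dn in groups[group_dn]["member"] if dn in users]


def user_show_groups(user_dn, groups=GROUPS, users=USERS):
    """What `ipa user-show` reports under "Member of groups": memberOf links."""
    return [groups[dn]["cn"] for dn in users[user_dn]["memberOf"] if dn in groups]


def id_view(user_dn, groups=GROUPS, users=USERS):
    """What `id` reports on a client: the primary group is whichever group
    carries the user's gidNumber (no membership link needed); supplementary
    groups come from memberOf, but groups without a gidNumber are invisible
    to POSIX tools."""
    user = users[user_dn]
    by_gid = {g["gidNumber"]: g["cn"]
              for g in groups.values() if g["gidNumber"] is not None}
    primary = (user["gidNumber"], by_gid.get(user["gidNumber"], "?"))
    supplementary = [(g["gidNumber"], g["cn"])
                     for g in (groups.get(dn) for dn in user["memberOf"])
                     if g is not None and g["gidNumber"] is not None]
    # `id` lists the primary group first in the groups= field.
    all_groups = [primary] + [s for s in supplementary if s != primary]
    return "uid={}({}) gid={}({}) groups={}".format(
        user["uidNumber"], user["uid"], primary[0], primary[1],
        ",".join("{}({})".format(gid, name) for gid, name in all_groups))


if __name__ == "__main__":
    u1 = "uid=u1,cn=users,cn=accounts,dc=myrealm"
    g1 = "cn=g1,cn=groups,cn=accounts,dc=myrealm"
    print("group-show g1 members:", group_show_members(g1))
    print("user-show u1 groups:  ", user_show_groups(u1))
    print("id u1:                ", id_view(u1))
```

If group-level access decisions (HBAC rules, sudo rules, ACIs) are evaluated on directory membership, a user placed in a group only through gidNumber will not match them even though `id` on the client says otherwise; adding the user as a member explicitly keeps both views consistent.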

[Freeipa-users] Service and Headless Keytabs

2015-08-21 Thread bahan w
Hello !

I send you this mail because I have a noobish question about keytabs.
What is the difference between a service keytab and a headless keytab ?

In which keytab do we use a service keytab ?
What is the definition of a service ? Is that a daemon running on a
specific host ?

When we perform a service-add in FreeIPA, what is this service exactly ?
Why not just use headless keytabs for everything ?

Sorry for this noobish question ^_^

Best regards.

Bahan

[Freeipa-users] How to modify the logging dir

2015-08-20 Thread bahan w
Hello.

I send you this mail because I'm looking for a way to modify the logging
dir of the different components embedded with FreeIPA.

I already checked here :
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/server-config.html

But I cannot see how to modify the logging dir of sssd ?
Is that possible ? I checked lightly the man of sssd.conf but didn't find a
way to modify the logging dir.

Best regards.

Bahan

[Freeipa-users] Cannot uninstall ipa-server

2015-08-19 Thread bahan w
Hello.

After an unsuccessful installation of ipa-server, 3.0.0-42, I try to
uninstall it, but the uninstallation hangs at the following step :

###
ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and
configuration!

Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services

###

It hangs forever.

Any way to perform the uninstallation manually ? I thought I saw a method
somewhere concerning the removal of the files contained in the following
folders :

###
/var/lib/ipa/sysrestore
/var/lib/ipa-client/sysrestore
###

Is it true ?

Best regards.

Bahan

Re: [Freeipa-users] Concerning the krb5.conf

2015-08-11 Thread bahan w
Wow thank you Alexander for this information !

Best regards.

Gwenael Le Barzic
On 11 Aug 2015 08:45, Alexander Bokovoy aboko...@redhat.com wrote :

 On Mon, 10 Aug 2015, bahan w wrote:

 Hello.

 I don't know if you receive my previous mail, but thank you for your
 answer.

 I have two additional questions then :
 - Concerning the master_kdc line, is it better to put here the physical
 machine or even to remove it if it is optional ?

 I don't think it ever matters as it only used for fallback reasons.

 - Do you know how I can check which one of these three servers is currently
 used per server with this krb5.conf ? I need to check how I can
 resynchronize the last server.

 set KRB5_TRACE=/dev/stderr  in the execution environment and all
 Kerberos code will start explaining what it does.

 For example,
  KRB5_TRACE=/dev/stderr kinit
 will show which server kinit will contact.


 Best regards.

 Bahan

 On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy aboko...@redhat.com
 wrote:

 On Fri, 07 Aug 2015, bahan w wrote:

 Hello !

 We are using freeipa version 3 and we are encountering a problem in our
 environment.
 We have one master kdc and two replicas.

 On the different linux servers on our environment, we have the following
 krb5.conf (I modified the hostname for NDA) :

 ###
 #File modified by ipa-client-install

 includedir /var/lib/sss/pubconf/krb5.include.d/

 [libdefaults]
 default_realm = MYREALM
 dns_lookup_realm = false
 dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

 [realms]
  MYREALM = {
kdc = host1.mydomain:88
kdc = host2.mydomain:88
kdc = host3.mydomain:88
master_kdc = host2.mydomain:88
admin_server = host2.mydomain:749
default_domain mydomain
pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

 [domain_realm]
  .mydomain = MYREALM
  mydomain = MYREALM
  .myrealm = MYREALM
  myrealm = MYREALM
 ###

 host1 is a physical machine
 host2 and host3 are VM.

 So I have some questions :
 Q1 - Does it make sense to put the line master_kdc and admin_server to
 the
 host2, which is a VM instead of the host1 which is a physical machine ?

 According to manual page of 'krb5.conf',
 ---
 master_kdc:
 Identifies  the  master  KDC(s). Currently, this tag is used in only
 one case: If an attempt to get credentials fails because of an invalid
 password, the client software will attempt to contact the master KDC, in
 case the user's password has just been changed, and the updated database
 has not been propagated to the slave servers yet.
 ---

 'admin_kdc' is what kadmin is using, so it is irrelevant for day to day
 actions in IPA.


 Q2 - When I try to connect to the UI of host1, I can enter my

 login/password and it works. When I try to connect to the UI of host2, I
 have an error message saying my password is incorrect. When I try to
 connect to the UI of host3, it works. Does it mean host1 and host3 are
 synchronized but host2 is not ?

 Most likely, yes.


 Q3. Do the last two lines make sense ? I mean what is the exact usage
 of

 the paragraph [domain_realm] ? Does it mean : if I try to connect to a
 server with the domain listed in this list, then I will try to contact
 the
 realm associated ?

 Since you disabled DNS discovery of realm based on the DNS domain,
 Kerberos library will perform some logic to find out which realm
 corresponds to the domain. domain_realm section helps here.

 krb5.conf manual page has clear explanation how the section is designed
 to work.

 --
 / Alexander Bokovoy





 --
 / Alexander Bokovoy


Re: [Freeipa-users] Concerning the krb5.conf

2015-08-10 Thread bahan w
Hello.

I don't know if you receive my previous mail, but thank you for your answer.

I have two additional questions then :
- Concerning the master_kdc line, is it better to put here the physical
machine or even to remove it if it is optional ?
- Do you know how I can check which one of these three servers is currently
used per server with this krb5.conf ? I need to check how I can
resynchronize the last server.

Best regards.

Bahan

On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy aboko...@redhat.com
wrote:

 On Fri, 07 Aug 2015, bahan w wrote:

 Hello !

 We are using freeipa version 3 and we are encountering a problem in our
 environment.
 We have one master kdc and two replicas.

 On the different linux servers on our environment, we have the following
 krb5.conf (I modified the hostname for NDA) :

 ###
 #File modified by ipa-client-install

 includedir /var/lib/sss/pubconf/krb5.include.d/

 [libdefaults]
 default_realm = MYREALM
 dns_lookup_realm = false
 dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

 [realms]
  MYREALM = {
kdc = host1.mydomain:88
kdc = host2.mydomain:88
kdc = host3.mydomain:88
master_kdc = host2.mydomain:88
admin_server = host2.mydomain:749
default_domain mydomain
pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

 [domain_realm]
  .mydomain = MYREALM
  mydomain = MYREALM
  .myrealm = MYREALM
  myrealm = MYREALM
 ###

 host1 is a physical machine
 host2 and host3 are VM.

 So I have some questions :
 Q1 - Does it make sense to put the line master_kdc and admin_server to the
 host2, which is a VM instead of the host1 which is a physical machine ?

 According to manual page of 'krb5.conf',
 ---
 master_kdc:
 Identifies  the  master  KDC(s). Currently, this tag is used in only
 one case: If an attempt to get credentials fails because of an invalid
 password, the client software will attempt to contact the master KDC, in
 case the user's password has just been changed, and the updated database
 has not been propagated to the slave servers yet.
 ---

 'admin_kdc' is what kadmin is using, so it is irrelevant for day to day
 actions in IPA.


 Q2 - When I try to connect to the UI of host1, I can enter my
 login/password and it works. When I try to connect to the UI of host2, I
 have an error message saying my password is incorrect. When I try to
 connect to the UI of host3, it works. Does it mean host1 and host3 are
 synchronized but host2 is not ?

 Most likely, yes.


 Q3. Do the last two lines make sense ? I mean what is the exact usage of
 the paragraph [domain_realm] ? Does it mean : if I try to connect to a
 server with the domain listed in this list, then I will try to contact the
 realm associated ?

 Since you disabled DNS discovery of realm based on the DNS domain,
 Kerberos library will perform some logic to find out which realm
 corresponds to the domain. domain_realm section helps here.

 krb5.conf manual page has clear explanation how the section is designed
 to work.

 --
 / Alexander Bokovoy

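
The krb5.conf quoted in this thread drives two client-side behaviours that come up here and in the earlier "FreeIPA availability, what to do client side ?" post: how a hostname is mapped to a realm through [domain_realm], and which KDCs a client will try, in order, when one master is down. The following is an added example, not code from the thread, from FreeIPA or from MIT krb5. It is a minimal parser over a constructed copy of the posted krb5.conf (placeholder hostnames kept; the malformed `default_domain mydomain` line is left out) and reproduces the documented lookup order: exact hostname, then parent domains with a leading dot, then default_realm. It assumes dns_lookup_realm = false, as in the posted file.

```python
"""Resolve realm and KDC order from a krb5.conf, as a Kerberos client does.

Added example: not code from the thread, from FreeIPA or from MIT krb5. The
config text is constructed from the krb5.conf posted in the thread (placeholder
hostnames kept; the malformed 'default_domain mydomain' line is omitted)."""

SAMPLE_KRB5_CONF = """\
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MYREALM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MYREALM = {
  kdc = host1.mydomain:88
  kdc = host2.mydomain:88
  kdc = host3.mydomain:88
  master_kdc = host2.mydomain:88
  admin_server = host2.mydomain:749
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .mydomain = MYREALM
 mydomain = MYREALM
 .myrealm = MYREALM
 myrealm = MYREALM
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], 'key = value' relations and the
    'NAME = { ... }' sub-blocks used in [realms]. Every relation is stored as a
    list so repeated tags such as kdc keep their file order."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("includedir"):
            continue                  # comments and includes are out of scope here
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        if "=" not in line or section is None:
            continue                  # not modelling MIT's handling of malformed lines
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            block = conf[section].setdefault(key, {})
            continue
        target = conf[section] if block is None else block
        target.setdefault(key, []).append(value)
    return conf


def realm_for_host(conf, hostname):
    """[domain_realm] lookup order: the exact hostname first, then each parent
    domain with a leading dot (longest first). With dns_lookup_realm = false
    and no match, the client falls back to default_realm."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf["libdefaults"]["default_realm"][0]


def kdcs_for_realm(conf, realm):
    """KDCs in the order the client contacts them; with dns_lookup_kdc = false
    this static list is the whole failover story on the client side."""
    return list(conf["realms"][realm].get("kdc", []))


def master_kdc_for_realm(conf, realm):
    """Only consulted after a 'wrong password' reply, in case the password was
    changed on the master and not yet replicated (see the krb5.conf man page)."""
    return conf["realms"][realm].get("master_kdc", [None])[0]


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for host in ("host1.mydomain", "db.lab.mydomain", "other.example"):
        print(host, "->", realm_for_host(conf, host))
    print("KDC order:", kdcs_for_realm(conf, "MYREALM"))
    print("master_kdc:", master_kdc_for_realm(conf, "MYREALM"))
```

This only shows what the file says should happen; as Alexander notes, `KRB5_TRACE=/dev/stderr kinit` shows which KDC the library actually contacted, which is the check to run when one replica is suspected of being out of sync.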

[Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-02 Thread bahan w
Hello !

I send you this mail because I have a problem linked with SSH and FreeIPA.

I have multiple servers :
- One with FreeIPA server 3.0.0-26
- The others with FreeIPA client 3.0.0-26

They are running on RHEL 6.4.

I configured a root user on each of them.
On one specific server, I created an rsa key in order to connect
passwordlessly from a specific server to all the others

ssh-keygen -t rsa


I distributed the public key on all the others :

for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub
$i:/root/.ssh/authorized_keys; done


Once it was done, I modified the rights on these files :

for i in ${my_server_list}; do ssh $i chmod 644 /root/.ssh/authorized_keys; done


And I was able to connect to all these servers without entering a password.
The system was working well.

When I installed ipa-server on a specific server, this connection with the
RSA key was not possible anymore.
Each time I tried to connect to the server through SSH, it kept asking me
for a password.
I tried to install the ipa-client on another server to just check if I had
the same behaviour and indeed, each time I run ipa-client-install, I can't
connect passwordlessly with root anymore.

Here is the command I use for the ipa-client-install :

ipa-client-install -U --realm=MYREALM --domain=mydomain.com \
  --server=myipaserver.mydomain.com --principal=admin --password=X \
  --mkhomedir -N --ca-cert=/tmp/ca.crt --hostname=myipaclient1.mydomain.com


When I add the option --no-sshd, the ssh passwordless connection is still
operational, but if I don't put this option, then my ssh passwordless
connection does not work anymore.

Here is the content of the sshd_config file before (ssh pubkey connection
working) and after (ssh pubkey connection not working) :

Before :

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
LC_MESSAGES
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv XMODIFIERS
AllowGroups staff root
ChallengeResponseAuthentication no
ClientAliveCountMax 0
ClientAliveCountMax 9
ClientAliveInterval 300
DSAAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
HostbasedAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
KerberosAuthentication no
LogLevel VERBOSE
MaxAuthTries 4
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
TCPKeepAlive yes
UsePAM yes
X11Forwarding yes


After, when it does not work :

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
LC_MESSAGES
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv XMODIFIERS
AllowGroups staff root
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
ChallengeResponseAuthentication no
ClientAliveCountMax 0
ClientAliveCountMax 9
ClientAliveInterval 300
DSAAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
HostbasedAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
KerberosAuthentication no
LogLevel VERBOSE
MaxAuthTries 4
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
TCPKeepAlive yes
UsePAM yes
X11Forwarding yes


A quick diff -u shows me that the only difference between these
configurations is the following parameter in the new file (when it does not
work) :

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys


Here is the log of the SSH connection when it works :

ssh -vvv myipaclient1.mydomain.com

OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p
22 myipaclient1.mydomain.com
debug1: permanently_set_uid: 0/0
debug1: permanently_drop_suid: 0
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing 
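
The comparison the post describes, as an added example that is not from the thread, OpenSSH or SSSD: a Python parser that reads sshd_config the way sshd does (keywords case-insensitive, first value of a repeated keyword wins) and reports the directives whose effective value changed, plus where sshd will look for a user's keys under each config. The two config texts are constructed subsets of the before/after files quoted above; the '.ssh/authorized_keys' default is the OpenSSH 5.x AuthorizedKeysFile default.

```python
"""Compare two sshd_config files the way sshd reads them. Added example;
not from the thread, OpenSSH or SSSD. The two texts below are constructed
subsets of the 'before' and 'after' files quoted in the post."""

BEFORE = """\
AllowGroups staff root
ClientAliveCountMax 0
ClientAliveCountMax 9
ClientAliveInterval 300
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
"""

AFTER = """\
AllowGroups staff root
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
ClientAliveCountMax 0
ClientAliveCountMax 9
ClientAliveInterval 300
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
"""

# OpenSSH 5.x default when AuthorizedKeysFile is not set.
DEFAULT_AUTHORIZED_KEYS_FILE = '.ssh/authorized_keys'


def parse_sshd_config(text):
    """Return (effective, duplicates). Keywords are case-insensitive and,
    as in sshd's own parser, the FIRST value of a repeated keyword is the
    one in force; later ones are recorded in `duplicates` and ignored.
    Subsystem lines are keyed per subsystem name since several may appear."""
    effective, duplicates = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ''
        if key == 'subsystem':
            name, _, cmd = value.partition(' ')
            key, value = 'subsystem:' + name.lower(), cmd.strip()
        if key in effective:
            duplicates.setdefault(key, [effective[key]]).append(value)
        else:
            effective[key] = value
    return effective, duplicates


def diff_effective(before_text, after_text):
    """Directives whose effective value differs; None means 'not set'."""
    before, _ = parse_sshd_config(before_text)
    after, _ = parse_sshd_config(after_text)
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


def key_sources(effective):
    """Where sshd will look for a user's public keys under this config."""
    if effective.get('pubkeyauthentication', 'yes').lower() != 'yes':
        return []
    sources = ['file: ' + effective.get('authorizedkeysfile',
                                        DEFAULT_AUTHORIZED_KEYS_FILE)]
    if effective.get('authorizedkeyscommand'):
        sources.append('command: ' + effective['authorizedkeyscommand'])
    return sources


if __name__ == '__main__':
    for key, (old, new) in diff_effective(BEFORE, AFTER).items():
        print('%s: %r -> %r' % (key, old, new))
    eff, dups = parse_sshd_config(AFTER)
    print('in force:', {k: v for k, v in eff.items() if k in dups})
    print('ignored duplicates:', dups)
    print('key sources:', key_sources(eff))
```

Run over the full files it reports AuthorizedKeysCommand as the only change, exactly as the post's diff -u did. It also surfaces something a plain diff hides: both files carry ClientAliveCountMax twice, and only the first value (0) is in force, so the second line is dead configuration. Any directive that changes where keys are looked up is worth flagging in this kind of comparison, because it alters who can log in without changing a single line of PubkeyAuthentication or PermitRootLogin.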

Re: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

2015-06-01 Thread bahan w
Hello everyone.

I modified the /etc/selinux/config file :
#
# This file controls the state of SELinux on the system.
# SELINUX=disabled
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=targeted
#

Then I rebooted.
#
reboot
#

Here is the result of getenforce :
#
Permissive
#

I removed the ipa-server that I had and I tried the 3.0.0-42 :
#
yum install ipa-server-3.0.0-42.el6.x86_64
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
-- Running transaction check
--- Package ipa-server.x86_64 0:3.0.0-42.el6 will be installed
-- Processing Dependency: ipa-client = 3.0.0-42.el6 for package:
ipa-server-3.0.0-42.el6.x86_64
-- Processing Dependency: ipa-admintools = 3.0.0-42.el6 for package:
ipa-server-3.0.0-42.el6.x86_64
-- Processing Dependency: ipa-python = 3.0.0-42.el6 for package:
ipa-server-3.0.0-42.el6.x86_64
-- Processing Dependency: ipa-server-selinux = 3.0.0-42.el6 for package:
ipa-server-3.0.0-42.el6.x86_64
-- Running transaction check
--- Package ipa-admintools.x86_64 0:3.0.0-42.el6 will be installed
--- Package ipa-client.x86_64 0:3.0.0-42.el6 will be installed
--- Package ipa-python.x86_64 0:3.0.0-42.el6 will be installed
--- Package ipa-server-selinux.x86_64 0:3.0.0-42.el6 will be installed
-- Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch      Version          Repository        Size
================================================================================
Installing:
 ipa-server             x86_64    3.0.0-42.el6     standard         1.1 M
Installing for dependencies:
 ipa-admintools         x86_64    3.0.0-42.el6     standard          67 k
 ipa-client             x86_64    3.0.0-42.el6     standard         145 k
 ipa-python             x86_64    3.0.0-42.el6     standard         928 k
 ipa-server-selinux     x86_64    3.0.0-42.el6     standard          66 k

Transaction Summary
================================================================================
Install   5 Package(s)

Total download size: 2.3 M
Installed size: 9.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): ipa-admintools-3.0.0-42.el6.x86_64.rpm      |  67 kB 00:00
(2/5): ipa-client-3.0.0-42.el6.x86_64.rpm          | 145 kB 00:00
(3/5): ipa-python-3.0.0-42.el6.x86_64.rpm          | 928 kB 00:00
(4/5): ipa-server-3.0.0-42.el6.x86_64.rpm          | 1.1 MB 00:00
(5/5): ipa-server-selinux-3.0.0-42.el6.x86_64.rpm  |  66 kB 00:00
--------------------------------------------------------------------------------
Total                                     6.8 MB/s | 2.3 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : ipa-python-3.0.0-42.el6.x86_64                         1/5
  Installing : ipa-client-3.0.0-42.el6.x86_64                         2/5
  Installing : ipa-admintools-3.0.0-42.el6.x86_64                     3/5
  Installing : ipa-server-3.0.0-42.el6.x86_64                         4/5
  Installing : ipa-server-selinux-3.0.0-42.el6.x86_64                 5/5
libsepol.print_missing_requirements: ipa_dogtag's global requirements were
not met: type/attribute pki_ca_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule:  Failed!
  Verifying  : ipa-server-3.0.0-42.el6.x86_64                         1/5
  Verifying  : ipa-server-selinux-3.0.0-42.el6.x86_64                 2/5
  Verifying  : ipa-python-3.0.0-42.el6.x86_64                         3/5
  Verifying  : ipa-client-3.0.0-42.el6.x86_64                         4/5
  Verifying  : ipa-admintools-3.0.0-42.el6.x86_64                     5/5

Installed:
  ipa-server.x86_64 0:3.0.0-42.el6

Dependency Installed:
  ipa-admintools.x86_64 0:3.0.0-42.el6 ipa-client.x86_64
0:3.0.0-42.el6 ipa-python.x86_64 0:3.0.0-42.el6
  ipa-server-selinux.x86_64 0:3.0.0-42.el6

Complete!
#

The errors linked with dogtag are still there.
Now, when I 

Re: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

2015-05-29 Thread bahan w
Hm.

@Jakub :
I cannot upgrade, because I am not the hosting provider managing this VM
unfortunately.
I need to make it work with RHEL 6.4.

@Sam :
Selinux is deactivated :

cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX=disabled
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=targeted

Best regards.

Bahan


On Fri, May 29, 2015 at 6:39 PM, s...@zy.io wrote:

 Seems to be a fair few things implicating selinux there.

 Have you got it set to enforcing mode? If so, have you set any particular
 policy that may be angered by this?

 Sam


 May 29 2015 5:37 PM, bahan w <bahanw042...@gmail.com> wrote:

 Hello everyone.

 I send you this mail because I have a problem with the installation of
 FreeIPA Server 3.0 on a VM running on RHEL 6.4.

 First, when I performed the yum install ipa-server, I got an error but the
 installation finally finished with a 'Complete!'.
 Here it is :

 

 ===
 Install 4 Package(s)

 Total download size: 1.4 M
 Installed size: 4.6 M
 Is this ok [y/N]: y
 Downloading Packages:
 (1/4): ipa-admintools-3.0.0-42.el6.x86_64.rpm | 67 kB 00:00
 (2/4): ipa-client-3.0.0-42.el6.x86_64.rpm | 145 kB 00:00
 (3/4): ipa-server-3.0.0-42.el6.x86_64.rpm | 1.1 MB 00:00
 (4/4): ipa-server-selinux-3.0.0-42.el6.x86_64.rpm | 66 kB 00:00

 ---
 Total 7.3 MB/s | 1.4 MB 00:00
 Total 7.3 MB/s | 1.4 MB 00:00
 Running rpm_check_debug
 Running Transaction Test
 Transaction Test Succeeded
 Running Transaction
 Installing : ipa-client-3.0.0-42.el6.x86_64 1/4
 Installing : ipa-admintools-3.0.0-42.el6.x86_64 2/4
 Installing : ipa-server-3.0.0-42.el6.x86_64 3/4
 Installing : ipa-server-selinux-3.0.0-42.el6.x86_64 4/4
 libsepol.print_missing_requirements: ipa_dogtag's global requirements were
 not met: type/attribute pki_ca_t (No such file or directory).
 libsemanage.semanage_link_sandbox: Link packages failed (No such file or
 directory).
 semodule: Failed!
 Verifying : ipa-server-3.0.0-42.el6.x86_64 1/4
 Verifying : ipa-server-selinux-3.0.0-42.el6.x86_64 2/4
 Verifying : ipa-client-3.0.0-42.el6.x86_64 3/4
 Verifying : ipa-admintools-3.0.0-42.el6.x86_64

 Installed:
 ipa-server.x86_64 0:3.0.0-42.el6

 Dependency Installed:
 ipa-admintools.x86_64 0:3.0.0-42.el6 ipa-client.x86_64 0:3.0.0-42.el6
 ipa-server-selinux.x86_64 0:3.0.0-42.el6

 Complete!
 
 Are these two errors blocking in order to use FreeIPA Server ? Or is it
 fine ?
 libsepol.print_missing_requirements: ipa_dogtag's global requirements were
 not met: type/attribute pki_ca_t (No such file or directory).
 libsemanage.semanage_link_sandbox: Link packages failed (No such file or
 directory).
 semodule: Failed!

 Furthermore, when I try an ipa-server-install, I also got an error message
 during this step

 
 Configuring directory server (dirsrv): Estimated time 1 minute
   [1/38]: creating directory server user
   [2/38]: creating directory server instance
 ipa : CRITICAL failed to create ds instance Command '/usr/sbin/
 setup-ds.pl --silent --logfile - -f /tmp/tmpPamNs8' returned non-zero
 exit status 1
 

 And when I checked in the log, here is what I see

 Here is the message I see :
 
 2015-05-29T15:56:49Z DEBUG calling setup-ds.pl
 4944 2015-05-29T15:56:49Z DEBUG args=/usr/sbin/setup-ds.pl --silent
 --logfile - -f /tmp/tmpkCAtzh
 4945 2015-05-29T15:56:49Z DEBUG stdout=[15/05/29:17:56:49] - [Setup] Info
 Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error: 32256.
 Output: sh: /var/lib/dirsrv/scripts-MyRealm/ldif2db: Permission
 denied
 4946
 4947 Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error:
 32256.  Output: sh: /var/lib/dirsrv/scripts-MyRealm/ldif2db: Permission
 denied
 4948
 4949 [15/05/29:17:56:49] - [Setup] Fatal Error: Could not create directory
 server instance 'MyRealm'.
 4950 Error: Could not create directory server instance 'MyRealm'.
 4951 [15/05/29:17:56:49] - [Setup] Fatal Exiting . . .
 

 When I check the perm on the folders, everything is fine :

 
 ls -ld /var/lib/dirsrv/
 drwxrwxr-x 5 root dirsrv 4096 May 29 18:19 /var/lib

[Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

2015-05-29 Thread bahan w
Hello everyone.

I send you this mail because I have a problem with the installation of
FreeIPA Server 3.0 on a VM running on RHEL 6.4.

First, when I performed the yum install ipa-server, I got an error but the
installation finally finished with a 'Complete!'.
Here it is :


===
Install 4 Package(s)

Total download size: 1.4 M
Installed size: 4.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): ipa-admintools-3.0.0-42.el6.x86_64.rpm | 67 kB 00:00
(2/4): ipa-client-3.0.0-42.el6.x86_64.rpm | 145 kB 00:00
(3/4): ipa-server-3.0.0-42.el6.x86_64.rpm | 1.1 MB 00:00
(4/4): ipa-server-selinux-3.0.0-42.el6.x86_64.rpm | 66 kB 00:00
---
Total 7.3 MB/s | 1.4 MB 00:00
Total 7.3 MB/s | 1.4 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : ipa-client-3.0.0-42.el6.x86_64 1/4
Installing : ipa-admintools-3.0.0-42.el6.x86_64 2/4
Installing : ipa-server-3.0.0-42.el6.x86_64 3/4
Installing : ipa-server-selinux-3.0.0-42.el6.x86_64 4/4
libsepol.print_missing_requirements: ipa_dogtag's global requirements were
not met: type/attribute pki_ca_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule: Failed!
Verifying : ipa-server-3.0.0-42.el6.x86_64 1/4
Verifying : ipa-server-selinux-3.0.0-42.el6.x86_64 2/4
Verifying : ipa-client-3.0.0-42.el6.x86_64 3/4
Verifying : ipa-admintools-3.0.0-42.el6.x86_64

Installed:
ipa-server.x86_64 0:3.0.0-42.el6

Dependency Installed:
ipa-admintools.x86_64 0:3.0.0-42.el6 ipa-client.x86_64 0:3.0.0-42.el6
ipa-server-selinux.x86_64 0:3.0.0-42.el6

Complete!


Are these two errors blocking in order to use FreeIPA Server ? Or is it
fine ?
libsepol.print_missing_requirements: ipa_dogtag's global requirements were
not met: type/attribute pki_ca_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule: Failed!

Furthermore, when I try an ipa-server-install, I also got an error message
during this step


Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
ipa : CRITICAL failed to create ds instance Command '/usr/sbin/
setup-ds.pl --silent --logfile - -f /tmp/tmpPamNs8' returned non-zero exit
status 1


And when I checked in the log, here is what I see

Here is the message I see :

2015-05-29T15:56:49Z DEBUG calling setup-ds.pl
4944 2015-05-29T15:56:49Z DEBUG args=/usr/sbin/setup-ds.pl --silent
--logfile - -f /tmp/tmpkCAtzh
4945 2015-05-29T15:56:49Z DEBUG stdout=[15/05/29:17:56:49] - [Setup] Info
Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error: 32256.
Output: sh: /var/lib/dirsrv/scripts-MyRealm/ldif2db: Permission
denied
4946
4947 Could not import LDIF file '/var/lib/dirsrv/boot.ldif'.  Error:
32256.  Output: sh: /var/lib/dirsrv/scripts-MyRealm/ldif2db: Permission
denied
4948
4949 [15/05/29:17:56:49] - [Setup] Fatal Error: Could not create directory
server instance 'MyRealm'.
4950 Error: Could not create directory server instance 'MyRealm'.
4951 [15/05/29:17:56:49] - [Setup] Fatal Exiting . . .


When I check the perm on the folders, everything is fine :


ls -ld /var/lib/dirsrv/
drwxrwxr-x 5 root dirsrv 4096 May 29 18:19 /var/lib/dirsrv/

ls -l /var/lib/dirsrv/
drwxrwx--- 2 dirsrv dirsrv 4096 May 29 18:19 scripts-MYREALM
drwxrwx--- 5 dirsrv dirsrv 4096 May 29 18:19 slapd-MYREALM
drwxrwx--- 5 pkisrv dirsrv 4096 May 29 18:18 slapd-PKI-IPA

ls -l /var/lib/dirsrv/scripts-MYREALM/
-r-xr-x--- 1 dirsrv dirsrv  1212 May 29 18:19 bak2db
-r-xr-x--- 1 dirsrv dirsrv  5661 May 29 18:19 bak2db.pl
-r-xr-x--- 1 dirsrv dirsrv  6018 May 29 18:19 cleanallruv.pl
-r-xr-x--- 1 dirsrv dirsrv  1134 May 29 18:19 db2bak
-r-xr-x--- 1 dirsrv dirsrv  5397 May 29 18:19 db2bak.pl
-r-xr-x--- 1 dirsrv dirsrv   759 May 29 18:19 db2index
-r-xr-x--- 1 dirsrv dirsrv  8129 May 29 18:19 db2index.pl
-r-xr-x--- 1 dirsrv dirsrv  2053 May 29 18:19 db2ldif
-r-xr-x--- 1 dirsrv dirsrv 10093 May 29 18:19 db2ldif.pl
-r-xr-x--- 1 dirsrv dirsrv   932 May 29 18:19 dbverify
-r-xr-x--- 1 dirsrv dirsrv   499 May 29 18:19 dn2rdn
-r-xr-x--- 1 dirsrv dirsrv  5560 May 29 18:19 fixup-linkedattrs.pl
-r-xr-x--- 1 dirsrv dirsrv  5896 May 29 18:19 fixup-memberof.pl
-r-xr-x--- 1 dirsrv dirsrv   729 May 29 18:19 ldif2db
-r-xr-x--- 1 dirsrv dirsrv  8826 May 29 18:19
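
An added example (not from the thread, FreeIPA or 389-ds) that models the mode-bit (DAC) check for the ldif2db path from the listing above. The three entries and their owners come from the quoted ls -l output; the principals and everything else are constructed. It shows that root passes the mode-bit check on every path component, so a 'Permission denied' returned to root on this path is not a refusal by the mode bits and must come from something layered above DAC, such as SELinux or a noexec mount, which is what Sam's question about SELinux is aimed at.

```python
"""Mode-bit (DAC) check for the ldif2db path from the listing in the post.
Added example; not from the thread, FreeIPA or 389-ds. The entries are
taken from the quoted 'ls -l' output, the principals are constructed."""

from collections import namedtuple

Principal = namedtuple('Principal', 'user groups is_root')

# Constructed from the listing in the post: path -> (mode, owner, group).
LISTING = {
    '/var/lib/dirsrv': ('drwxrwxr-x', 'root', 'dirsrv'),
    '/var/lib/dirsrv/scripts-MYREALM': ('drwxrwx---', 'dirsrv', 'dirsrv'),
    '/var/lib/dirsrv/scripts-MYREALM/ldif2db': ('-r-xr-x---', 'dirsrv', 'dirsrv'),
}
LDIF2DB = '/var/lib/dirsrv/scripts-MYREALM/ldif2db'

ROOT = Principal('root', frozenset(['root']), True)
DIRSRV = Principal('dirsrv', frozenset(['dirsrv']), False)
NOBODY = Principal('nobody', frozenset(['nobody']), False)


def parse_mode(mode_str):
    """'drwxrwxr-x' -> (is_dir, {'u': 'rwx', 'g': 'rwx', 'o': 'r-x'})."""
    if len(mode_str) != 10:
        raise ValueError('bad mode string: %r' % mode_str)
    bits = mode_str[1:]
    return mode_str[0] == 'd', {'u': bits[0:3], 'g': bits[3:6], 'o': bits[6:9]}


def dac_allows(path, principal, op):
    """op is 'r', 'w' or 'x' ('x' on a directory means search).
    Models Linux DAC including root's CAP_DAC_OVERRIDE: root may read and
    write regardless of mode, and may execute when any execute bit is set."""
    mode_str, owner, group = LISTING[path]
    _, classes = parse_mode(mode_str)
    if principal.is_root:
        return op in 'rw' or any('x' in classes[c] for c in 'ugo')
    if principal.user == owner:
        cls = 'u'
    elif group in principal.groups:
        cls = 'g'
    else:
        cls = 'o'
    return op in classes[cls]


def can_execute(path, principal):
    """Executing a file needs search on every ancestor directory and 'x' on
    the file. Ancestors missing from LISTING (e.g. /var) are not checked.
    Returns (allowed, first_component_denied)."""
    parts = path.split('/')
    ancestors = ['/'.join(parts[:i]) for i in range(2, len(parts))]
    for d in ancestors:
        if d in LISTING and not dac_allows(d, principal, 'x'):
            return False, d
    if not dac_allows(path, principal, 'x'):
        return False, path
    return True, None


if __name__ == '__main__':
    for who in (ROOT, DIRSRV, NOBODY):
        ok, where = can_execute(LDIF2DB, who)
        print('%-7s %s%s' % (who.user, 'allowed' if ok else 'denied',
                             '' if ok else ' at ' + where))
```

ipa-server-install runs as root, and the model passes root on every component, as it does the dirsrv user; only an unrelated account is stopped, at the group-only scripts directory. When the mode bits allow an operation that the kernel still refuses, the next things to check are the SELinux audit log and the mount options of the filesystem holding the instance directory.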