Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-10 Thread Morgan Marodin
Now all is ok :)

# ipa trust-add --type=ad mydomain.com --admin Administrator --password
Active Directory domain administrator's password:
---
Added Active Directory trust for realm "mydomain.com"
---
  Realm name: mydomain.com
  Domain NetBIOS name: MYDOMAIN
  Domain Security Identifier: S-x-x-xx-xx-xx-x
  SID blacklist incoming: S-x-x-xx, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x,
S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-xx, S-x-x-xx, S-x-x-xx,
S-x-x-xx, S-x-x-xx,
  S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x, S-x-x,
S-x-x, S-x-x, S-x-x-xx, S-x-x-xx
  SID blacklist outgoing: S-x-x-xx, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x,
S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-xx, S-x-x-xx, S-x-x-xx,
S-x-x-xx, S-x-x-xx,
  S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x, S-x-x,
S-x-x, S-x-x, S-x-x-xx, S-x-x-xx
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Thanks for your support.
Morgan

2015-09-09 18:53 GMT+02:00 Alexander Bokovoy :

> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>
>> Hi Alexander
>>
>> IPv6 stack is disabled on my RHEL-like distro, v 7 x64, but is enabled on
>> my
>> Windows 2012.
>> I have read in a freeipa article to disable IPv6.
>>
> Sorry, and why did you decide to disable the IPv6 stack? The FreeIPA article
> explicitly talks about not disabling IPv6.
>
> Samba and FreeIPA LDAP code require working IPv6 stack on the machine.
> You can have a system without IPv6 addresses but do not disable the
> infrastructure. All contemporary networking applications are written
> with the idea that you can use IPv6-only functions and work on both IPv4
> and IPv6 at the same time. See ipv6(7) manual page:
>
> 
> IPv4 connections can be handled with the v6 API by using the
> v4-mapped-on-v6 address type; thus a program needs to support only this
> API type to support both protocols. This is handled transparently by the
> address handling functions in the C library.
>
> IPv4 and IPv6 share the local port space.  When you get an IPv4
> connection or packet to a IPv6 socket, its source address will be mapped
> to v6 and it will be mapped to v6.
> 
>
>
>
>> I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
>> new freeipa server, just installed, in the same network.
>> AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
>> I've installed bind in IPA that contains only the ipa.mydomain.com zone.
>> On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
>> delegation to the linux server (192.168.0.65).
>>
>
>
>> Do you have other questions about my setup?
>> Let me know, thanks.
>> Morgan
>>
>>
>> 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy :
>>
>> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>>>
>>> Hi Alexander.

>>>> Ok, after enabling debugging I have these logs:
>>>> ---
>>>> ==> /var/log/httpd/error_log <==
>>>> INFO: Current debug levels:
>>>>  all: 100
>>>>  tdb: 100
>>>>  printdrivers: 100
>>>>  lanman: 100
>>>>  smb: 100
>>>>  rpc_parse: 100
>>>>  rpc_srv: 100
>>>>  rpc_cli: 100
>>>>  passdb: 100
>>>>  sam: 100
>>>>  auth: 100
>>>>  winbind: 100
>>>>  vfs: 100
>>>>  idmap: 100
>>>>  quota: 100
>>>>  acls: 100
>>>>  locking: 100
>>>>  msdfs: 100
>>>>  dmapi: 100
>>>>  registry: 100
>>>>  scavenger: 100
>>>>  dns: 100
>>>>  ldb: 100
>>>> pm_process() returned Yes
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'sasl-EXTERNAL' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>>>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler":
>>>> 0x7f8a3c224990
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>>>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>>>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>>>> Mapped to DCERPC endpoint \pipe\lsarpc
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
>>>> netmask=255.255.255.0
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
>>>> netmask=255.255.255.0
>>>>
>>> Do you have IPv6 stack enabled?
>>>
>>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]
>>>
>>>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>  s3_tevent: Schedule immediate event "tevent_req_trigger":
>>>> 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0,
>>>> 0)]
>>>>

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-10 Thread Morgan Marodin
Sorry, I read ipv6.disable=1 in this article
http://www.freeipa.org/page/Active_Directory_trust_setup#Prerequisites, I
misunderstood this prerequisite and went directly to the next chapter;
in my mind I was convinced that IPv6 must be disabled :)

I will try with IPv6 enabled, and then I will tell you if it is ok.

Thanks, Morgan

2015-09-09 18:53 GMT+02:00 Alexander Bokovoy :

> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>
>> Hi Alexander
>>
>> IPv6 stack is disabled on my RHEL-like distro, v 7 x64, but is enabled on
>> my
>> Windows 2012.
>> I have read in a freeipa article to disable IPv6.
>>
> Sorry, and why did you decide to disable the IPv6 stack? The FreeIPA article
> explicitly talks about not disabling IPv6.
>
> Samba and FreeIPA LDAP code require working IPv6 stack on the machine.
> You can have a system without IPv6 addresses but do not disable the
> infrastructure. All contemporary networking applications are written
> with the idea that you can use IPv6-only functions and work on both IPv4
> and IPv6 at the same time. See ipv6(7) manual page:
>
> 
> IPv4 connections can be handled with the v6 API by using the
> v4-mapped-on-v6 address type; thus a program needs to support only this
> API type to support both protocols. This is handled transparently by the
> address handling functions in the C library.
>
> IPv4 and IPv6 share the local port space.  When you get an IPv4
> connection or packet to a IPv6 socket, its source address will be mapped
> to v6 and it will be mapped to v6.
> 
>
>
>
>> I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
>> new freeipa server, just installed, in the same network.
>> AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
>> I've installed bind in IPA that contains only the ipa.mydomain.com zone.
>> On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
>> delegation to the linux server (192.168.0.65).
>>
>
>
>> Do you have other questions about my setup?
>> Let me know, thanks.
>> Morgan
>>
>>
>> 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy :
>>
>> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>>>
>>> Hi Alexander.

>>>> Ok, after enabling debugging I have these logs:
>>>> ---
>>>> ==> /var/log/httpd/error_log <==
>>>> INFO: Current debug levels:
>>>>  all: 100
>>>>  tdb: 100
>>>>  printdrivers: 100
>>>>  lanman: 100
>>>>  smb: 100
>>>>  rpc_parse: 100
>>>>  rpc_srv: 100
>>>>  rpc_cli: 100
>>>>  passdb: 100
>>>>  sam: 100
>>>>  auth: 100
>>>>  winbind: 100
>>>>  vfs: 100
>>>>  idmap: 100
>>>>  quota: 100
>>>>  acls: 100
>>>>  locking: 100
>>>>  msdfs: 100
>>>>  dmapi: 100
>>>>  registry: 100
>>>>  scavenger: 100
>>>>  dns: 100
>>>>  ldb: 100
>>>> pm_process() returned Yes
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'sasl-EXTERNAL' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>>>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler":
>>>> 0x7f8a3c224990
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>>>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>>>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>>>> Mapped to DCERPC endpoint \pipe\lsarpc
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
>>>> netmask=255.255.255.0
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
>>>> netmask=255.255.255.0
>>>>
>>> Do you have IPv6 stack enabled?
>>>
>>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]
>>>
>>>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>  s3_tevent: Schedule immediate event "tevent_req_trigger":
>>>> 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0,
>>>> 0)]
>>>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>  s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032353,  4, pid=11196, effective(21740,
>>>> 21740), real(21740, 0)]
>>>> ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>>  pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
>>>> [2015/09/09 08:45:05.032421,  2, pid=11196, effective(21740,
>>>> 21740), real(21740, 0), class=rpc_srv]
>>>> ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>>>>  tstream_npa_connect_recv  to /run/samba/ncalrpc/np for pipe lsarpc and
>>>> user IPA\admin failed: No such file or directory
>>>>
>>> I'm particularly worrying about this one -- /run/samba/ncalrpc/np pipe
>>> has to be there.
>>>
>>> Can you explain what is your setup in detail?
>>>

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-09 Thread Alexander Bokovoy

On Wed, 09 Sep 2015, Morgan Marodin wrote:

Hi Alexander.

Ok, after enabling debugging I have these logs:
---
==> /var/log/httpd/error_log <==
INFO: Current debug levels:
 all: 100
 tdb: 100
 printdrivers: 100
 lanman: 100
 smb: 100
 rpc_parse: 100
 rpc_srv: 100
 rpc_cli: 100
 passdb: 100
 sam: 100
 auth: 100
 winbind: 100
 vfs: 100
 idmap: 100
 quota: 100
 acls: 100
 locking: 100
 msdfs: 100
 dmapi: 100
 registry: 100
 scavenger: 100
 dns: 100
 ldb: 100
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
Using binding ncacn_np:srv01.ipa.mydomain.com[,]
s4_tevent: Added timed event "dcerpc_connect_timeout_handler":
0x7f8a3c224990
s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
netmask=255.255.255.0
added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
netmask=255.255.255.0

Do you have IPv6 stack enabled?


[2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]
../lib/util/tevent_debug.c:63(samba_tevent_debug)
 s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
[2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)]
../lib/util/tevent_debug.c:63(samba_tevent_debug)
 s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
[2015/09/09 08:45:05.032353,  4, pid=11196, effective(21740,
21740), real(21740, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
 pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
[2015/09/09 08:45:05.032421,  2, pid=11196, effective(21740,
21740), real(21740, 0), class=rpc_srv]
../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
 tstream_npa_connect_recv  to /run/samba/ncalrpc/np for pipe lsarpc and
user IPA\admin failed: No such file or directory

I'm particularly worrying about this one -- /run/samba/ncalrpc/np pipe
has to be there.

Can you explain what is your setup in detail?

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-09 Thread Morgan Marodin
Hi Alexander

IPv6 stack is disabled on my RHEL-like distro, v 7 x64, but is enabled on my
Windows 2012.
I have read in a freeipa article to disable IPv6.

I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
new freeipa server, just installed, in the same network.
AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
I've installed bind in IPA that contains only the ipa.mydomain.com zone.
On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
delegation to the linux server (192.168.0.65).

Do you have other questions about my setup?
Let me know, thanks.
Morgan


2015-09-09 16:01 GMT+02:00 Alexander Bokovoy :

> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>
>> Hi Alexander.
>>
>> Ok, after enabling debugging I have these logs:
>> ---
>> ==> /var/log/httpd/error_log <==
>> INFO: Current debug levels:
>>  all: 100
>>  tdb: 100
>>  printdrivers: 100
>>  lanman: 100
>>  smb: 100
>>  rpc_parse: 100
>>  rpc_srv: 100
>>  rpc_cli: 100
>>  passdb: 100
>>  sam: 100
>>  auth: 100
>>  winbind: 100
>>  vfs: 100
>>  idmap: 100
>>  quota: 100
>>  acls: 100
>>  locking: 100
>>  msdfs: 100
>>  dmapi: 100
>>  registry: 100
>>  scavenger: 100
>>  dns: 100
>>  ldb: 100
>> pm_process() returned Yes
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'sasl-DIGEST-MD5' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler":
>> 0x7f8a3c224990
>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>> Mapped to DCERPC endpoint \pipe\lsarpc
>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
>> netmask=255.255.255.0
>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
>> netmask=255.255.255.0
>>
> Do you have IPv6 stack enabled?
>
> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]
>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>  s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)]
>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>  s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>> [2015/09/09 08:45:05.032353,  4, pid=11196, effective(21740,
>> 21740), real(21740, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>  pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
>> [2015/09/09 08:45:05.032421,  2, pid=11196, effective(21740,
>> 21740), real(21740, 0), class=rpc_srv]
>> ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>>  tstream_npa_connect_recv  to /run/samba/ncalrpc/np for pipe lsarpc and
>> user IPA\admin failed: No such file or directory
>>
> I'm particularly worrying about this one -- /run/samba/ncalrpc/np pipe
> has to be there.
>
> Can you explain what is your setup in detail?
>
> --
> / Alexander Bokovoy
>



-- 
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-09 Thread Alexander Bokovoy

On Wed, 09 Sep 2015, Morgan Marodin wrote:

Hi Alexander

IPv6 stack is disabled on my RHEL-like distro, v 7 x64, but is enabled on my
Windows 2012.
I have read in a freeipa article to disable IPv6.

Sorry, and why did you decide to disable the IPv6 stack? The FreeIPA article
explicitly talks about not disabling IPv6.

Samba and FreeIPA LDAP code require working IPv6 stack on the machine.
You can have a system without IPv6 addresses but do not disable the
infrastructure. All contemporary networking applications are written
with the idea that you can use IPv6-only functions and work on both IPv4
and IPv6 at the same time. See ipv6(7) manual page:


IPv4 connections can be handled with the v6 API by using the
v4-mapped-on-v6 address type; thus a program needs to support only this
API type to support both protocols. This is handled transparently by the
address handling functions in the C library.

IPv4 and IPv6 share the local port space.  When you get an IPv4
connection or packet to a IPv6 socket, its source address will be mapped
to v6 and it will be mapped to v6.




I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
new freeipa server, just installed, in the same network.
AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
I've installed bind in IPA that contains only the ipa.mydomain.com zone.
On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
delegation to the linux server (192.168.0.65).




Do you have other questions about my setup?
Let me know, thanks.
Morgan


2015-09-09 16:01 GMT+02:00 Alexander Bokovoy :


On Wed, 09 Sep 2015, Morgan Marodin wrote:


Hi Alexander.

Ok, after enabling debugging I have these logs:
---
==> /var/log/httpd/error_log <==
INFO: Current debug levels:
 all: 100
 tdb: 100
 printdrivers: 100
 lanman: 100
 smb: 100
 rpc_parse: 100
 rpc_srv: 100
 rpc_cli: 100
 passdb: 100
 sam: 100
 auth: 100
 winbind: 100
 vfs: 100
 idmap: 100
 quota: 100
 acls: 100
 locking: 100
 msdfs: 100
 dmapi: 100
 registry: 100
 scavenger: 100
 dns: 100
 ldb: 100
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
Using binding ncacn_np:srv01.ipa.mydomain.com[,]
s4_tevent: Added timed event "dcerpc_connect_timeout_handler":
0x7f8a3c224990
s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
netmask=255.255.255.0
added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
netmask=255.255.255.0


Do you have IPv6 stack enabled?

[2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]

../lib/util/tevent_debug.c:63(samba_tevent_debug)
 s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
[2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)]
../lib/util/tevent_debug.c:63(samba_tevent_debug)
 s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
[2015/09/09 08:45:05.032353,  4, pid=11196, effective(21740,
21740), real(21740, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
 pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
[2015/09/09 08:45:05.032421,  2, pid=11196, effective(21740,
21740), real(21740, 0), class=rpc_srv]
../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
 tstream_npa_connect_recv  to /run/samba/ncalrpc/np for pipe lsarpc and
user IPA\admin failed: No such file or directory


I'm particularly worrying about this one -- /run/samba/ncalrpc/np pipe
has to be there.

Can you explain what is your setup in detail?

--
/ Alexander Bokovoy





--
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069


--
/ Alexander Bokovoy

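Alexander's point above about the IPv6 stack, as an added example that is not part of the thread: a single AF_INET6 listener bound to the wildcard address with IPV6_V6ONLY off accepts an ordinary IPv4 client and sees it as a v4-mapped address (::ffff:a.b.c.d), with no IPv6 address configured anywhere; on a kernel booted with ipv6.disable=1 the AF_INET6 socket itself is refused with EAFNOSUPPORT, which is the failure mode Samba and the LDAP server hit. Function names are my own.

```python
import errno
import ipaddress
import socket
import threading


def probe_ipv6_stack():
    """Tell a disabled IPv6 stack apart from a host that merely has no IPv6
    addresses. With ipv6.disable=1 on the kernel command line even
    socket(AF_INET6) fails with EAFNOSUPPORT, before any bind() happens."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM):
            return True, "AF_INET6 sockets available (IPv6 stack present)"
    except OSError as exc:
        if exc.errno == errno.EAFNOSUPPORT:
            return False, "AF_INET6 refused: IPv6 stack disabled in the kernel"
        return False, "AF_INET6 failed: %s" % exc


def v4_mapped_to_ipv4(addr):
    """Return the IPv4 address embedded in a v4-mapped-on-v6 address such as
    ::ffff:192.168.0.65, or None when addr is a native IPv6 address."""
    mapped = ipaddress.IPv6Address(addr).ipv4_mapped
    return str(mapped) if mapped is not None else None


def accept_ipv4_on_dual_stack_socket():
    """Bind one IPv6 listener on '::' with IPV6_V6ONLY=0, connect to it over
    plain IPv4 loopback and return the peer address the listener sees
    (expected ::ffff:127.0.0.1). Returns None if the IPv6 stack is unusable."""
    seen = {}
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    try:
        with srv:
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            # 0 = dual stack: IPv4 connections are delivered to this socket
            # too, as the ipv6(7) excerpt describes. No IPv6 address needed.
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            srv.bind(("::", 0))
            port = srv.getsockname()[1]
            srv.listen(1)
            srv.settimeout(5)

            def serve():
                conn, peer = srv.accept()
                with conn:
                    seen["peer"] = peer[0]

            worker = threading.Thread(target=serve)
            worker.start()
            # Client side: an ordinary AF_INET connection to the IPv4 loopback.
            with socket.create_connection(("127.0.0.1", port), timeout=5):
                worker.join(5)
    except OSError:
        return None
    return seen.get("peer")


if __name__ == "__main__":
    ok, why = probe_ipv6_stack()
    print(why)
    peer = accept_ipv4_on_dual_stack_socket()
    if peer is not None:
        print("listener saw %s, i.e. IPv4 %s" % (peer, v4_mapped_to_ipv4(peer)))
```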


[Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-08 Thread mmarodin
Hi everyone.

I've a problem with my new freeipa installation, v4.1.0, over a RHEL 7 like
distribution.

The installation was ok, but now I've some problems operating via CLI:
# ipa user-show admin
ipa: ERROR: cert validation failed for "CN=srv01.ipa.mydomain.com,O=IPA.MYDOMAIN.COM"
((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not
trusted by the user.)
ipa: ERROR: cannot connect to 'https://srv01.ipa.mydomain.com/ipa/json':
(SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not
trusted by the user.

I've got the same problem connecting via curl, but after running these
commands curl now works, but ipa cli operations still don't:
--
# certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
# certutil -L -d /etc/pki/nssdb
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
IPA CA                                                       CT,C,C
# cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract
--

And also this command doesn't work:
# ipa trust-add --type=ad mydomain.com --admin Administrator --password
ipa: ERROR: cert validation failed for "CN=srv01.ipa.mydomain.com,O=IPA.MYDOMAIN.COM"
((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not
trusted by the user.)
ipa: ERROR: cannot connect to 'https://srv01.ipa.mydomain.com/ipa/json':
(SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not
trusted by the user.

So ... what's the problem?

Let me know, thanks.
Morgan




Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-08 Thread Morgan Marodin
I've solved this error, reading this forum:
https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html

But now when I try to trust my Active Directory I see these errors:

# ipa trust-add --type=ad mydomain.com --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "-1073741258",
  message "The connection was refused" (both may be "None")

Here are my logs:

==> /var/log/httpd/error_log <==
Failed to connect host 192.168.0.65 on port 135 -
NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135 -
NT_STATUS_CONNECTION_REFUSED.
[Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO:
[jsonserver_kerb] ad...@ipa.mydomain.com: trust_add(u'mydomain.com',
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'',
all=False, raw=False, version=u'2.112'): RemoteRetrieveError

==> /var/log/samba/log.192.168.0.65 <==
[2015/09/08 15:01:50.833128,  1]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username IPA\admin is invalid on this system
[2015/09/08 15:01:50.833200,  1]
../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2015/09/08 15:01:50.833236,  1]
../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup:
NT_STATUS_ACCESS_DENIED
[2015/09/08 15:01:50.852169,  1]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username IPA\admin is invalid on this system
[2015/09/08 15:01:50.85,  1]
../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2015/09/08 15:01:50.852256,  1]
../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup:
NT_STATUS_ACCESS_DENIED


I don't see any 135 TCP listening port; doing tcpdump I see that it tries
to connect to its own port 135.
What am I missing?

Thanks, Morgan


> Subject: [Freeipa-users] freeipa cert validation failed,
> SEC_ERROR_UNTRUSTED_ISSUER Date: Tue, 08 Sep 2015 11:00:49 +0200
>
> To: <freeipa-users@redhat.com>
> Hi everyone.
>
> I've a problem with my new freeipa installation, v4.1.0, over RHEL 7 like
> distribution.
>
> The installation was ok, but now I've some problems operating via CLI:
> # ipa user-show admin
> ipa: ERROR: cert validation failed for "CN=srv01.ipa.mydomain.com,O=
> IPA.MYDOMAIN.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer
> has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to 'https://srv01.ipa.mydomain.com/ipa/json':
> (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as
> not trusted by the user.
>
> I've got the same problem connecting via curl, but after doing these
> commands for curl now it works, but not for ipa cli operations:
> --
> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
> # certutil -L -d /etc/pki/nssdb
> Certificate Nickname Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
> IPA CA   CT,C,C
> # cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/
> # update-ca-trust extract
> --
>
> And also this command doesn't work:
> # ipa trust-add --type=ad mydomain.com --admin Administrator --password
> ipa: ERROR: cert validation failed for "CN=srv01.ipa.mydomain.com,O=
> IPA.MYDOMAIN.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer
> has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to 'https://srv01.ipa.mydomain.com/ipa/json':
> (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as
> not trusted by the user.
>
> So ... what's the problem?
>
> Let me know, thanks.
> Morgan
>

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-08 Thread Alexander Bokovoy

On Tue, 08 Sep 2015, Morgan Marodin wrote:

I've solved this error, reading this forum:
https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html

But now when I try to trust my Active Directory I see these errors:

# ipa trust-add --type=ad mydomain.com --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "-1073741258",
 message "The connection was refused" (both may be "None")

Here are my logs:

==> /var/log/httpd/error_log <==
Failed to connect host 192.168.0.65 on port 135 -
NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135 -
NT_STATUS_CONNECTION_REFUSED.
[Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO:
[jsonserver_kerb] ad...@ipa.mydomain.com: trust_add(u'mydomain.com',
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'',
all=False, raw=False, version=u'2.112'): RemoteRetrieveError

==> /var/log/samba/log.192.168.0.65 <==
[2015/09/08 15:01:50.833128,  1]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
 Username IPA\admin is invalid on this system

This is your problem. Does your system have SSSD actually running?


List of ports that smbd should be listening on, on an IPA master:
# netstat -nltup|grep smbd
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      12420/smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      12417/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      12417/smbd
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      12422/smbd
tcp6       0      0 :::135                  :::*                    LISTEN      12420/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      12417/smbd
tcp6       0      0 :::445                  :::*                    LISTEN      12417/smbd
tcp6       0      0 :::1024                 :::*                    LISTEN      12422/smbd


--
/ Alexander Bokovoy

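A check for the listing Alexander gives above, as an added example that is not from the thread: it parses `netstat -nltup` output and reports, per protocol family, which of the expected smbd ports are not listening. The sample lines are constructed here from Alexander's reference listing and from Morgan's later reply (pids and ports as posted, column spacing as netstat prints it); function names are my own.

```python
# Ports Alexander lists for smbd on an IPA master (trust controller).
EXPECTED_SMBD_PORTS = {135, 139, 445, 1024}

# Constructed from Alexander's reference listing in the message above.
REFERENCE_NETSTAT = """\
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      12420/smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      12417/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      12417/smbd
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      12422/smbd
tcp6       0      0 :::135                  :::*                    LISTEN      12420/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      12417/smbd
tcp6       0      0 :::445                  :::*                    LISTEN      12417/smbd
tcp6       0      0 :::1024                 :::*                    LISTEN      12422/smbd
"""

# Constructed from Morgan's listing after starting SSSD (later in the thread).
BROKEN_NETSTAT = """\
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      3149/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      3149/smbd
"""


def smbd_listeners(netstat_output):
    """Parse `netstat -nltup` lines into {'tcp': {port, ...}, 'tcp6': {...}}
    for LISTEN sockets owned by smbd. UDP rows have no state column and are
    skipped by the field-count check."""
    found = {"tcp": set(), "tcp6": set()}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        proto, local, program = fields[0], fields[3], fields[6]
        if proto not in found or not program.endswith("/smbd"):
            continue
        # Local address is "0.0.0.0:135" or ":::135"; the port follows the
        # last colon in both notations.
        found[proto].add(int(local.rsplit(":", 1)[1]))
    return found


def missing_smbd_ports(netstat_output, expected=EXPECTED_SMBD_PORTS):
    """Return the expected ports that are not listening, per protocol.
    An empty tcp6 set next to a populated tcp set is consistent with a host
    whose IPv6 stack is disabled, the situation discussed in this thread."""
    found = smbd_listeners(netstat_output)
    return {proto: sorted(expected - ports) for proto, ports in found.items()}


if __name__ == "__main__":
    for label, listing in (("reference", REFERENCE_NETSTAT), ("broken", BROKEN_NETSTAT)):
        print(label, missing_smbd_ports(listing))
```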


Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-08 Thread Morgan Marodin
Also doing the trust manually (as explained here
http://www.freeipa.org/page/Active_Directory_trust_setup) the command fails
in the same way:
# ipa trust-add --type=ad MYDOMAIN.COM --trust-secret
Shared secret for the trust:
ipa: ERROR: Cannot find specified domain or server name

==> /var/log/httpd/access_log <==
192.168.0.65 - - [08/Sep/2015:17:50:21 +0200] "POST /ipa/session/json
HTTP/1.1" 200 185

==> /var/log/httpd/error_log <==
[Tue Sep 08 17:50:22.183939 2015] [:error] [pid 4265] ipa: INFO:
[jsonserver_session] ad...@ipa.mydomain.com: trust_add(u'MYDOMAIN.COM',
trust_type=u'ad', trust_secret=u'', all=False, raw=False,
version=u'2.112'): NotFound

==> /var/log/samba/log.winbindd-idmap <==
[2015/09/08 17:50:22.178007,  1]
../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 17:50:22.178984,  1]
../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 17:50:22.179771,  1]
../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 17:50:22.179863,  1]
../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *

:( Morgan

2015-09-08 15:21 GMT+02:00 Alexander Bokovoy :

> On Tue, 08 Sep 2015, Morgan Marodin wrote:
>
>> I've solved this error, reading this forum:
>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html
>>
>> But now when I try to trust my Active Directory I see these errors:
>> 
>> # ipa trust-add --type=ad mydomain.com --admin Administrator --password
>> Active Directory domain administrator's password:
>> ipa: ERROR: CIFS server communication error: code "-1073741258",
>>  message "The connection was refused" (both may be "None")
>>
>> Here are my logs:
>> 
>> ==> /var/log/httpd/error_log <==
>> Failed to connect host 192.168.0.65 on port 135 -
>> NT_STATUS_CONNECTION_REFUSED
>> Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135
>> -
>> NT_STATUS_CONNECTION_REFUSED.
>> [Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO:
>> [jsonserver_kerb] ad...@ipa.mydomain.com: trust_add(u'mydomain.com',
>> trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'',
>> all=False, raw=False, version=u'2.112'): RemoteRetrieveError
>>
>> ==> /var/log/samba/log.192.168.0.65 <==
>> [2015/09/08 15:01:50.833128,  1]
>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>  Username IPA\admin is invalid on this system
>>
> This is your problem. Does your system have SSSD actually running?
>
>
> List of ports that smbd should be listening on, on an IPA master:
> # netstat -nltup|grep smbd
> tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      12420/smbd
> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      12417/smbd
> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      12417/smbd
> tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      12422/smbd
> tcp6       0      0 :::135                  :::*                    LISTEN      12420/smbd
> tcp6       0      0 :::139                  :::*                    LISTEN      12417/smbd
> tcp6       0      0 :::445                  :::*                    LISTEN      12417/smbd
> tcp6       0      0 :::1024                 :::*                    LISTEN      12422/smbd
>
> --
> / Alexander Bokovoy
>



-- 
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-08 Thread Alexander Bokovoy

On Tue, 08 Sep 2015, Morgan Marodin wrote:

Also doing the trust manually (as explained here
http://www.freeipa.org/page/Active_Directory_trust_setup) the command fails
in the same way:
# ipa trust-add --type=ad MYDOMAIN.COM --trust-secret
Shared secret for the trust:
ipa: ERROR: Cannot find specified domain or server name

==> /var/log/httpd/access_log <==
192.168.0.65 - - [08/Sep/2015:17:50:21 +0200] "POST /ipa/session/json
HTTP/1.1" 200 185

==> /var/log/httpd/error_log <==
[Tue Sep 08 17:50:22.183939 2015] [:error] [pid 4265] ipa: INFO:
[jsonserver_session] ad...@ipa.mydomain.com: trust_add(u'MYDOMAIN.COM',
trust_type=u'ad', trust_secret=u'', all=False, raw=False,
version=u'2.112'): NotFound

Enable debugging as instructed on the page you refer to above, and provide
me with the output as the page tells you.


--
/ Alexander Bokovoy


Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-08 Thread Morgan Marodin
Hi Alexander, thanks for your support.

These are my open ports after running sssd:
# netstat -nltup | grep smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      3149/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      3149/smbd

After running SSSD, the error when adding the trust changes:
# ipa trust-add --type=ad mydomain.com --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: Cannot find specified domain or server name

Logs:
==> /var/log/httpd/error_log <==
[Tue Sep 08 15:14:46.486031 2015] [:error] [pid 2221] ipa: INFO:
[jsonserver_session] ad...@ipa.mydomain.com: trust_add(u'mydomain.com',
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'',
realm_server=u'srv01.MYDOMAIN.com', all=False, raw=False,
version=u'2.112'): NotFound

==> /var/log/samba/log.winbindd-idmap <==
[2015/09/08 15:14:46.482578,  1]
../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 15:14:46.483715,  1]
../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *

But DNS seems ok:

# dig SRV _ldap._tcp.ipa.mydomain.com @dc01.mydomain.com

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._tcp.ipa.mydomain.com @dc01.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.ipa.mydomain.com. IN  SRV

;; ANSWER SECTION:
_ldap._tcp.ipa.mydomain.com. 83913 IN SRV 0 100 389 srv01.ipa.mydomain.com.

;; ADDITIONAL SECTION:
srv01.ipa.mydomain.com. 3600 IN   A   192.168.0.65

;; Query time: 1 msec
;; SERVER: 192.168.0.31#53(192.168.0.31)
;; WHEN: Tue Sep 08 15:39:03 CEST 2015
;; MSG SIZE  rcvd: 122

# dig SRV _ldap._tcp.ipa.mydomain.com @localhost

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._tcp.ipa.mydomain.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18190
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.ipa.mydomain.com. IN  SRV

;; ANSWER SECTION:
_ldap._tcp.ipa.mydomain.com. 86400 IN SRV 0 100 389 srv01.ipa.mydomain.com.

;; AUTHORITY SECTION:
ipa.mydomain.com. 86400   IN  NS  srv01.ipa.mydomain.com.

;; ADDITIONAL SECTION:
srv01.ipa.mydomain.com. 86400 IN  A   192.168.0.65

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 08 15:32:50 CEST 2015
;; MSG SIZE  rcvd: 136

# dig SRV _ldap._tcp.mydomain.com @dc01.mydomain.com

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._tcp.mydomain.com @dc01.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60503
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.mydomain.com. IN  SRV

;; ANSWER SECTION:
_ldap._tcp.mydomain.com. 600  IN  SRV 0 100 389 dc02.mydomain.com.
_ldap._tcp.mydomain.com. 600  IN  SRV 0 100 389 dc01.mydomain.com.

;; ADDITIONAL SECTION:
dc02.mydomain.com. 3600   IN  A   192.168.0.15
dc01.mydomain.com. 3600   IN  A   192.168.0.31

;; Query time: 1 msec
;; SERVER: 192.168.0.31#53(192.168.0.31)
;; WHEN: Tue Sep 08 15:33:27 CEST 2015
;; MSG SIZE  rcvd: 172

# dig SRV _ldap._tcp.mydomain.com @localhost

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._tcp.mydomain.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36890
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.mydomain.com. IN  SRV

;; ANSWER SECTION:
_ldap._tcp.mydomain.com. 600  IN  SRV 0 100 389 dc02.mydomain.com.
_ldap._tcp.mydomain.com. 600  IN  SRV 0 100 389 dc01.mydomain.com.

;; AUTHORITY SECTION:
.   78287   IN  NS  c.root-servers.net.
.   78287   IN  NS  g.root-servers.net.
.   78287   IN  NS  f.root-servers.net.
.   78287   IN  NS  e.root-servers.net.
.   78287   IN  NS  i.root-servers.net.
.   78287   IN  NS  b.root-servers.net.
.   78287   IN  NS  d.root-servers.net.
.   78287   IN  NS  m.root-servers.net.
.   78287   IN  NS  h.root-servers.net.
.   78287   IN  NS  a.root-servers.net.
.   78287   IN  NS