Re: [Freeipa-users] (no subject)

2017-04-18 Thread Fraser Tweedale
On Thu, Apr 13, 2017 at 04:49:59PM +0200, Tiemen Ruiten wrote:
> Hello!
> 
> As I understand from this thread,
> it should be possible to setup a trust between FreeIPA and Samba4. My AD
> domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain,
> i.rdmedia.com. Therefore I added a global forwarder on the Samba AD DC to
> one of the FreeIPA replicas and lookup of SRV records in both domains
> appears to work.
> 
> However when I try to add the trust I get "ipa: ERROR an internal error has
> occurred". I ran the trust-add command with full debug logging as described
> on https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust,
> so I can provide these logs privately upon request.
> 
We do not yet support trusts to Samba 4 AD DC.  It is an open
ticket: https://pagure.io/freeipa/issue/4866

I do not think it is a priority at this time.  Alexander (Cc) could
possibly provide an update.

Thanks,
Fraser

> I suspect some DNS-issue, as right after I try to setup the trust, dynamic
> updates stop working on the AD Domain Controller with this error:
> 
> tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor
> code may provide more information, Minor = Server DNS/
> fluorine.clients.i.rdmedia@i.rdmedia.com not found in Kerberos database.
> Failed nsupdate: 1
> update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
> 389
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.clients.i.rdmedia.com fluorine.clients.i.rdmedia.com
> 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._
> sites.ForestDnsZones.clients.i.rdmedia.com. 900 IN SRV 0 100 389
> fluorine.clients.i.rdmedia.com.
> 
> Many thanks in advance for your assistance.
> 
> 
> -- 
> Tiemen Ruiten
> Systems Engineer
> R Media


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] (no subject)

2016-12-21 Thread Youenn PIOLET
Hi Adrian,

You can use basic_ldap_auth to connect to FreeIPA using LDAP instead of
negotiate_kerberos_auth :

auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
    -b "cn=accounts,dc=example,dc=com" \
    -f uid=%s -h  -ZZ
auth_param basic children 10
auth_param basic realm infra.msv
auth_param basic credentialsttl 30 second



Regards,

--
Youenn Piolet
piole...@gmail.com


2016-12-21 17:53 GMT+01:00 Ing. Adrian Hernández Yeja :

> Hi folks, I need to authenticate my users against a squid proxy server using
> FreeIPA. I know it is possible
> (https://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On)
> but my users are not necessarily authenticated in a FreeIPA domain, so my
> question is whether it's possible to meet this requirement with either a
> third-party application or a specific configuration.
>
> Regards.
>
> The @universidad_uci is Fidel. We, the young, will not fail.
> #HastaSiempreComandante
> #HastalaVictoriaSiempre
>
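Added example, not code from Youenn's message or from Squid: a model of the line protocol that a Squid basic-auth helper such as basic_ldap_auth speaks, and of the `-f uid=%s` filter expansion with the user name escaped per RFC 4515 before it is substituted. The LDAP search-and-bind is an injected callable so the code runs offline; the `user password` line format with percent-encoding (Squid 3) and the fake credentials are assumptions made here.

```python
import sys
from typing import Callable, Optional, Tuple
from urllib.parse import unquote

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value, otherwise a user name such as "*" or "jdoe)(uid=admin"
# would change the meaning of the "uid=%s" search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, username: str) -> str:
    """Expand the helper's -f template (e.g. "uid=%s") with an escaped user name."""
    return "(" + template.replace("%s", escape_filter_value(username)) + ")"


def parse_helper_line(line: str) -> Optional[Tuple[str, str]]:
    """Parse one "username password" request line from Squid.

    Assumption: both fields are percent-encoded (RFC 1738) so that spaces
    and non-printable characters survive the line-oriented protocol.
    Returns (username, password), or None if the line is malformed.
    """
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return None
    return unquote(parts[0]), unquote(parts[1])


def handle_request(line: str, template: str,
                   try_bind: Callable[[str, str], bool]) -> str:
    """Return the helper's reply ("OK" or "ERR") for one request line."""
    creds = parse_helper_line(line)
    if creds is None:
        return "ERR"
    username, password = creds
    # An empty password must never reach the directory: LDAP treats a
    # simple bind with an empty password as an anonymous bind, which
    # would look like a successful login.
    if not password:
        return "ERR"
    if try_bind(build_filter(template, username), password):
        return "OK"
    return "ERR"


def _fake_bind(search_filter: str, password: str) -> bool:
    # Stand-in (constructed for this example) for the search under
    # cn=accounts followed by a bind as the found entry.
    return search_filter == "(uid=jdoe)" and password == "s3cret pw"


if __name__ == "__main__":
    # Squid keeps the helper running and writes one request per line.
    for request in sys.stdin:
        print(handle_request(request, "uid=%s", _fake_bind), flush=True)
```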

Re: [Freeipa-users] (no subject)

2016-12-11 Thread William Muriithi
Hi Rob,

>
> >> automount --dumpmaps sss auto.projects
> >>
> > Thanks, this indeed is working.  Thanks for clarifying the man page.
> > It's however not listing any keys on a map created as a child of the master
> > using the flag below.
> >  --parentmap=auto.master
> >
> > This seems like a bug.  Could this be a corner case that was missed?
>
> Hard to say without seeing your maps and keys.
>
> You could run `ipa automountlocation-tofiles default` to see what IPA
> thinks things look like.
>
I had checked with the above command two weeks ago and indeed had a
better result that way.  Also, though I added the maps using a script
(CLI interface), I do see them displayed correctly and nicely in the
FreeIPA GUI.  Finally, they do seem to work fine, as I haven't heard of
any issue with the maps for the last 4 weeks we have been using this
setup.  We had them initially in the file and only migrated them to
LDAP recently.

It's after this migration that I noticed that some scripts that used to
parse the auto maps as files are now broken, and I have been attempting
to fix them since.

Regards,
William



Re: [Freeipa-users] (no subject)

2016-12-10 Thread Rob Crittenden
William Muriithi wrote:
> Hello Rob,
> 
> Thanks
> 
>>> After reading the above map page, I was hoping the below command would
>>> list keys on one of the projects map.  It doesn't work though.
>>>
>>> automount --dumpmaps map autofs map tercel
>>>
>>> The info page isn't any better either.  I wonder if someone can explain
>>> the use of these keys by an example.  I would be very grateful.
>>>
>>> " "
>>
>> You don't include "map" in the name of the thing. I think you want:
>>
>> automount --dumpmaps sss auto.projects
>>
> Thanks, this indeed is working.  Thanks for clarifying the man page.
> It's however not listing any keys on a map created as a child of the master
> using the flag below.
>  --parentmap=auto.master
> 
> This seems like a bug.  Could this be a corner case that was missed?

Hard to say without seeing your maps and keys.

You could run `ipa automountlocation-tofiles default` to see what IPA
thinks things look like.

rob



Re: [Freeipa-users] (no subject)

2016-12-10 Thread William Muriithi
Hello Rob,

Thanks

>> After reading the above map page, I was hoping the below command would
>> list keys on one of the projects map.  It doesn't work though.
>>
>> automount --dumpmaps map autofs map tercel
>>
>> The info page isn't any better either.  I wonder if someone can explain
>> the use of these keys by an example.  I would be very grateful.
>>
>> " "
>
> You don't include "map" in the name of the thing. I think you want:
>
> automount --dumpmaps sss auto.projects
>
Thanks, this indeed is working.  Thanks for clarifying the man page.
It's however not listing any keys on a map created as a child of the master
using the flag below.
 --parentmap=auto.master

This seems like a bug.  Could this be a corner case that was missed?

Thanks again

Regards,
William



Re: [Freeipa-users] (no subject)

2016-12-08 Thread Rob Crittenden
William Muriithi wrote:
> Hello
> 
> I have an indirect map whose keys I would like to list from the
> command line.  I am able to see every key on the home directories map,
> but it displays just names for the rest of the maps.
> 
> Looking at the man page, I believe this would be my solution.
> 
>-m, --dumpmaps [ ]
>   With no parameters, list information about the
> configured automounter maps, then exit.
>   If  the  dumpmaps option is given and is followed by two
> parameters, " " then simple "" pairs
> that would be read in
>   by a map read are printed to stdout if the given map
> type and map name are found in the map configuration.
> 
> 
> 
> My maps look like this:
> 
> Mount point: /projects
> 
> source(s):
> lookup_nss_read_map: reading map sss auto.projects
> do_init: parse(sun): init gathered global options: (null)
> lookup_nss_read_map: reading map files auto.projects
> 
>   instance type(s): sss
>   map: auto.projects
>   quetzal | -fstype=autofs ldap:auto.projects-quetzal
>   tercel | -fstype=autofs ldap:auto.projects-tercel
> 
> 
> After reading the above map page, I was hoping the below command would
> list keys on one of the projects map.  It doesn't work though.
> 
> automount --dumpmaps map autofs map tercel
> 
> The info page isn't any better either.  I wonder if someone can explain
> the use of these keys by an example.  I would be very grateful.
> 
> " "

You don't include "map" in the name of the thing. I think you want:

automount --dumpmaps sss auto.projects

rob



Re: [Freeipa-users] (no subject)

2016-08-25 Thread Iain M Conochie



On 24/08/16 18:08, Sean Hogan wrote:
> Hi All,
>
> Would anyone be able to direct me to some docs regarding NFS automount
> with IPA? We are currently using this setup but, to be specific, I do
> not want the priv keys to be in the user's mounted home. When I did the
> keygen I took the defaults for location and it went into the exported
> home of the user, meaning it is mounted on any system the user logs
> onto, which is not a good idea. Is there a way to set this up so the
> priv keys stay out of the mounted home, or since I have the keys
> uploaded into IPA do I not need the key in home?



The key that is uploaded into IPA is the public key, not the private key.

You still need a private key on the local server the user is logging into.

Cheers

Iain







Re: [Freeipa-users] (no subject)

2016-08-24 Thread David Kupka

On 24/08/16 19:08, Sean Hogan wrote:
> Hi All,
>
> Would anyone be able to direct me to some docs regarding NFS automount
> with IPA?  We are currently using this setup but, to be specific, I do not
> want the priv keys to be in the user's mounted home.  When I did the keygen
> I took the defaults for location and it went into the exported home of the
> user, meaning it is mounted on any system the user logs onto, which is not a
> good idea.  Is there a way to set this up so the priv keys stay out of the
> mounted home, or since I have the keys uploaded into IPA do I not need the
> key in home?
>
> Sean Hogan







Hello Sean,

You can find the documentation here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#automount

But I don't understand what is wrong with the setup. AFAIU, NFS shares 
must be mounted only on machines where you (the admin) have full control, and 
therefore ownership and access permissions can be enforced. Then the ~/.ssh 
directory must have mode 0700 and all files inside it 0600.
If you obey these rules, storing ssh keys on an NFS share is no less secure 
than storing them locally.


--
David Kupka
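An audit of the ownership and mode rules David describes, added here as an example (not from the thread or from OpenSSH); it checks the same conditions sshd's StrictModes enforces before trusting files under ~/.ssh. The sample home directory, the placeholder key files and the `audit_ssh_dir` name are constructed for this example.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

# Widest acceptable permission bits: ~/.ssh itself 0700, everything inside 0600.
DIR_MAX_MODE = 0o700
FILE_MAX_MODE = 0o600


def audit_ssh_dir(home: str, expected_uid: Optional[int] = None) -> List[str]:
    """Return a list of findings for <home>/.ssh; an empty list means it passes."""
    findings: List[str] = []
    ssh_dir = Path(home) / ".ssh"
    if expected_uid is None:
        expected_uid = os.getuid()
    try:
        st = ssh_dir.lstat()
    except FileNotFoundError:
        return [f"{ssh_dir}: missing"]
    # A symlinked ~/.ssh on a shared mount could point anywhere the NFS
    # server exports, so treat it as a finding rather than following it.
    if stat.S_ISLNK(st.st_mode):
        return [f"{ssh_dir}: is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{ssh_dir}: not a directory"]
    if st.st_uid != expected_uid:
        findings.append(f"{ssh_dir}: owned by uid {st.st_uid}, expected {expected_uid}")
    if stat.S_IMODE(st.st_mode) & ~DIR_MAX_MODE:
        findings.append(f"{ssh_dir}: mode {oct(stat.S_IMODE(st.st_mode))} is wider than 0o700")
    for entry in sorted(ssh_dir.iterdir()):
        est = entry.lstat()
        if stat.S_ISLNK(est.st_mode):
            findings.append(f"{entry}: is a symlink")
            continue
        if est.st_uid != expected_uid:
            findings.append(f"{entry}: owned by uid {est.st_uid}, expected {expected_uid}")
        if stat.S_IMODE(est.st_mode) & ~FILE_MAX_MODE:
            findings.append(f"{entry}: mode {oct(stat.S_IMODE(est.st_mode))} is wider than 0o600")
    return findings


def build_sample_home(private_key_mode: int) -> str:
    """Create a throwaway home directory with one placeholder key pair (constructed input)."""
    home = tempfile.mkdtemp(prefix="nfs-home-")
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700)
    priv = ssh_dir / "id_ed25519"
    priv.write_text("placeholder private key, not a real key\n")
    os.chmod(priv, private_key_mode)
    pub = ssh_dir / "id_ed25519.pub"
    pub.write_text("ssh-ed25519 AAAA...placeholder user@example\n")
    os.chmod(pub, 0o600)
    return home


if __name__ == "__main__":
    for problem in audit_ssh_dir(os.path.expanduser("~")):
        print(problem)
```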



Re: [Freeipa-users] (no subject)

2015-12-29 Thread German Parente
Hi Danielle,

I think you could recreate the entry. The information can be found in the "o=ipaca" 
database.

ldapsearch -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" "(subjectname=CN=Certificate Authority,o=example.test)" usercertificate

(remember that in RHEL6 you will need to query the instance on port 7389, that is 
to say, add "-p 7389 -h localhost" to the ldapsearch command).

And recreate your entry with this information:



dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: pkiCA
objectClass: top
cn: CAcert
cACertificate;binary: 



Another possibility: if this deleted entry has not been purged, you could still 
find the information as a tombstone, and then re-create the entry with the 
information in the tombstone:

ldapsearch -D "cn=directory manager" -W -b "dc=example,dc=test" "(&(objectclass=nstombstone)(cn=CAcert))"

you will see an entry with a dn of this sort:

dn: nsuniqueid=f3b4a182-ae3111e5-a3a1dc9f-3b3599c3,cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test

And you could add a new entry (shown before) with the exact information found 
in the tombstone, changing the dn to the right one, of course.

Regards,

German.


- Original Message -
> From: "Danielle M Witherspoon" 
> To: freeipa-users@redhat.com
> Sent: Wednesday, December 23, 2015 8:08:20 PM
> Subject: [Freeipa-users] (no subject)
> 
> 
> 
> Hello everyone,
> 
> We've run into an issue with our instance of IPA. Our LDAP certificate was
> deleted with the command "ldapdelete -Y GSSAPI
> "cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test"". When we now attempt to enroll
> servers as IPA clients, we get the following (sanitized for this email)
> output:
> 
> 
> [root@server1 ~]# ipa-client-install --enable-dns-updates
> Discovery was successful!
> Hostname: server1.SERVER.local
> Realm: SERVER.LOCAL
> DNS Domain: SERVER.local
> IPA Server: ipaserver1.SERVER.local
> BaseDN: dc=server dc=local
> 
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: bob
> Synchronizing time with KDC...
> Password for bob@SERVER.LOCAL:
> Cannot obtain CA certificate
> 'ldap://ipaserver1.SERVER.local' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
> Advice on how to remediate this issue would be welcomed with open arms.
> 
> Thank you for your time,
> Danielle Witherspoon
> 
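Building the cn=CAcert entry German shows above from the certificate bytes returned by ldapsearch, as an example added here (not code from FreeIPA or from the thread): LDIF carries a binary attribute base64-encoded after `::`, and long lines are folded with a leading space on each continuation line (RFC 2849). The suffix and the certificate bytes below are constructed placeholders, not a real CA certificate.

```python
import base64
import re
from typing import List

LDIF_LINE_MAX = 76  # RFC 2849 folds lines at 76 characters


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from a PEM certificate block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fold_ldif_line(line: str) -> List[str]:
    """Fold one logical LDIF line; continuation lines start with one space."""
    if len(line) <= LDIF_LINE_MAX:
        return [line]
    out = [line[:LDIF_LINE_MAX]]
    rest = line[LDIF_LINE_MAX:]
    while rest:
        out.append(" " + rest[:LDIF_LINE_MAX - 1])
        rest = rest[LDIF_LINE_MAX - 1:]
    return out


def cacert_ldif(suffix: str, der: bytes) -> str:
    """Build the cn=CAcert,cn=ipa,cn=etc,<suffix> entry with the DER cert."""
    logical = [
        f"dn: cn=CAcert,cn=ipa,cn=etc,{suffix}",
        "objectClass: nsContainer",
        "objectClass: pkiCA",
        "objectClass: top",
        "cn: CAcert",
        # "::" marks a base64-encoded value, which binary data requires.
        "cACertificate;binary:: " + base64.b64encode(der).decode("ascii"),
    ]
    physical: List[str] = []
    for line in logical:
        physical.extend(fold_ldif_line(line))
    return "\n".join(physical) + "\n"


def unfold_ldif(text: str) -> List[str]:
    """Reverse the folding, joining continuation lines onto their logical line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ldif_cert_bytes(ldif: str) -> bytes:
    """Decode the cACertificate;binary value back out of an LDIF entry."""
    for line in unfold_ldif(ldif):
        if line.startswith("cACertificate;binary:: "):
            return base64.b64decode(line.split(":: ", 1)[1])
    raise ValueError("no cACertificate;binary value in entry")


# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Feed the output to: ldapadd -D "cn=directory manager" -W -f cacert.ldif
    print(cacert_ldif("dc=example,dc=test", pem_to_der(SAMPLE_PEM)), end="")
```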


Re: [Freeipa-users] (no subject)

2015-11-27 Thread Martin Štefany
Hello,

I remember experiencing this, but I'm not sure of the solution. I think it's
related to apache (httpd) and its group.

My notes for IPA installation on CentOS 7.x say:

# groupadd -g 48 apache
# yum -y install ipa-server bind bind-dyndb-ldap
# usermod -g apache apache
# ipa-server-install...

CentOS is somehow not creating group apache for apache user and then
assuming root which is then causing problems with apache later. Pre-
creating such group before installing httpd and then usermod-ing user
apache might solve it.

Did you get any warnings while running:
# yum install -y ipa-server bind bind-dyndb-ldap ?


If possible, try installation from scratch with my notes on fresh
system. If not:

# systemctl stop apache   # if it runs
# groupadd -g 48 apache   # I use 48 as apache's UID tends to be also
48, or use 'groupadd -r apache' instead
# usermod -g apache apache
# ipa-server-install...

M.


On Fri, 2015-11-27 at 23:04 +0100, Daniel Guldberg aaes wrote:
> Hello. I am trying to set up FreeIPA but I am getting the following
> error when I do an ipa-server-install. I am trying to set it up on an
> ESXi 6 VM (the VM is a fresh install of CentOS).
> 
> ### Installation procedure ###
> wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
> rpm -ivh epel-release-7-5.noarch.rpm
> yum install -y haveged
> yum install -y ipa-server bind bind-dyndb-ldap
> ## Version
> 4.1.0, API_VERSION: 2.112 on CentOS 7.
> Linux version 3.10.0-229.20.1.el7.x86_64 (buil...@kbuilder.dev.centos.org) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Nov 3 19:10:07 UTC 2015
> # Error 
> [2/27]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYbSmkT'' returned non-zero exit status 1
>   [error] RuntimeError: Configuration of CA failed
> Configuration of CA failed
> I can't figure out where the error is or what to correct. The full
> .log is here: https://owncloud.techknight.eu/index.php/s/wH8TATlPvJODIeo
> 
> 


Re: [Freeipa-users] (no subject)

2015-11-27 Thread Rob Crittenden
Martin Štefany wrote:
> Hello,
> 
> I remember experiencing this, but I'm not sure of the solution. I think it's
> related to apache (httpd) and its group.
> 
> My notes for IPA installation on CentOS 7.x say:
> 
> # groupadd -g 48 apache
> # yum -y install ipa-server bind bind-dyndb-ldap
> # usermod -g apache apache
> # ipa-server-install...
> 
> CentOS is somehow not creating group apache for apache user and then
> assuming root which is then causing problems with apache later. Pre-
> creating such group before installing httpd and then usermod-ing user
> apache might solve it.
> 
> Did you get any warnings while running:
> # yum install -y ipa-server bind bind-dyndb-ldap ?
> 
> 
> If possible, try installation from scratch with my notes on fresh
> system. If not:
> 
> # systemctl stop apache   # if it runs
> # groupadd -g 48 apache   # I use 48 as apache's UID tends to be also
> 48, or use 'groupadd -r apache' instead
> # usermod -g apache apache
> # ipa-server-install...
>

Sounds unlikely to me. If indeed it did happen you'd need to file a bug
against Apache to create its own uid/gid, which I'm pretty certain it
already does.

In any case, dogtag doesn't run in Apache so it would be unlikely to
blow up in the CA installer.

cating the contents of a directory into one log is not at all helpful,
especially given that you missed all the important bits in the
subdirectories beneath it. This is just a mishmash of stuff. We need to
see /var/log/pki/pki-tomcat/ca/debug.

/var/log/ipaserver-install.log might also be useful to see though it
probably just records in a more verbose way the fact that pkispawn failed.

rob



Re: [Freeipa-users] (no subject)

2015-10-09 Thread Karl Forner
Ok, that was it:
sssd Version: 1.12.5-1~trusty1

I inverted the sudoOrders:
sudo -l
Matching Defaults entries for karl on :
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User karl may run the following commands on :
(ALL) NOPASSWD: /usr/bin/less
(root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
(root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *,
/bin/chmod -R g[+-]* *
(ALL) ALL
(ALL) ALL


and I can use sudo less without password.

Thanks a lot.


On Thu, Oct 8, 2015 at 5:26 PM, Pavel Březina  wrote:
> On 10/08/2015 04:26 PM, Karl Forner wrote:
>>
>> Hi,
>>
>>
>>> you are prompted for password because (ALL) ALL rule is applied because
>>> of last-match rule. > > > See:
>>> http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.
>>
>>
>> Ok. I updated the rules to use a sudoorder attribute of 100 for the
>> /usr/bin/less sudo rule.
>> Now, if I type in a terminal:
>> %sudo -l
>> Matching Defaults entries for karl on midgard:
>>  env_reset, mail_badpass,
>>
>> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>
>> User karl may run the following commands on :
>>  (ALL) ALL
>>  (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>>  (ALL) ALL
>>  (ALL) NOPASSWD: /usr/bin/less
>>
>> so my less rule is the last one. So far so good.
>>
>> %sudo -l less
>> /usr/bin/less
>>
>> but if I type in a new terminal:
>> %sudo less .bashrc
>> [sudo] password for karl:
>>
>> I am prompted to type in a password.
>>
>> So there seems to be a problem, right ?
>>
>> Regards,
>> Karl
>>
>
> Hi,
> we have a bug in sssd in versions prior 1.13.1:
> https://fedorahosted.org/sssd/ticket/2682
>
> where sudoOrder attribute is treated the other ways around. Please, try
> inverting the order. What version of sssd do you use?
>


Re: [Freeipa-users] (no subject)

2015-10-09 Thread Pavel Březina

On 10/09/2015 01:36 PM, Karl Forner wrote:
> Ok, that was it:
> sssd Version: 1.12.5-1~trusty1
>
> I inverted the sudoOrders:
> sudo -l
> Matching Defaults entries for karl on :
>  env_reset, mail_badpass,
> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>
> User karl may run the following commands on :
>  (ALL) NOPASSWD: /usr/bin/less
>  (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>  (root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *,
> /bin/chmod -R g[+-]* *
>  (ALL) ALL
>  (ALL) ALL
>
> and I can use sudo less without password.
>
> Thanks a lot.


Thanks. Please, keep in mind that we changed the default to the correct 
order in sssd 1.13.1. Therefore if you update sssd you will either have 
to invert the order again or set sudo_inverse_order = true in [sudo] in 
/etc/sssd/sssd.conf.






Re: [Freeipa-users] (no subject)

2015-10-09 Thread Karl Forner
> Thanks. Please, keep in mind that we changed the default to the correct
> order in sssd 1.13.1. Therefore if you update sssd you will either have to
> invert the order again or set sudo_inverse_order = true in [sudo] in
> /etc/sssd/sssd.conf.

ok. I don't think there's an easy way to upgrade sssd right now with
ubuntu 14.04.
Is it possible to set sudo_inverse_order = true with my current
version, i.e. even if it is not yet recognized?





Re: [Freeipa-users] (no subject)

2015-10-09 Thread Pavel Březina

On 10/09/2015 01:40 PM, Karl Forner wrote:
>> Thanks. Please, keep in mind that we changed the default to the correct
>> order in sssd 1.13.1. Therefore if you update sssd you will either have to
>> invert the order again or set sudo_inverse_order = true in [sudo] in
>> /etc/sssd/sssd.conf.
>
> ok. I don't think there's an easy way to upgrade sssd right now with
> ubuntu 14.04.
> Is it possible to set sudo_inverse_order = true with my current
> version, i.e. even if it is not yet recognized?


SSSD will run but some tools that touch sssd.conf may have problems (for 
example I think authconfig will fail).

Re: [Freeipa-users] (no subject)

2015-10-08 Thread Pavel Březina

On 10/08/2015 04:26 PM, Karl Forner wrote:
> Hi,
>
>> you are prompted for password because (ALL) ALL rule is applied because of last-match
>> rule. See: http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.
>
> Ok. I updated the rules to use a sudoorder attribute of 100 for the
> /usr/bin/less sudo rule.
> Now, if I type in a terminal:
> %sudo -l
> Matching Defaults entries for karl on midgard:
>  env_reset, mail_badpass,
> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>
> User karl may run the following commands on :
>  (ALL) ALL
>  (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>  (ALL) ALL
>  (ALL) NOPASSWD: /usr/bin/less
>
> so my less rule is the last one. So far so good.
>
> %sudo -l less
> /usr/bin/less
>
> but if I type in a new terminal:
> %sudo less .bashrc
> [sudo] password for karl:
>
> I am prompted to type in a password.
>
> So there seems to be a problem, right?
>
> Regards,
> Karl



Hi,
we have a bug in sssd in versions prior 1.13.1:
https://fedorahosted.org/sssd/ticket/2682

where sudoOrder attribute is treated the other ways around. Please, try 
inverting the order. What version of sssd do you use?
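A small model of the ordering bug Pavel describes, added here as an example (not code from sssd or sudo): sudo's LDAP rules are applied in ascending sudoOrder with the last match winning, while sssd before 1.13.1 handed them over sorted the other way round. The rule set is constructed from Karl's "sudo -l" output; `inverse_order=True` stands for the buggy sssd, and the inverted rule set is Karl's workaround, which stops working once sssd is fixed unless sudo_inverse_order is set.

```python
from dataclasses import dataclass
import fnmatch
from typing import List, Optional


@dataclass
class SudoRule:
    cn: str
    sudo_order: int
    commands: List[str]        # "ALL" or absolute paths / globs
    run_as: str = "ALL"
    nopasswd: bool = False

    def matches(self, command: str) -> bool:
        return any(c == "ALL" or fnmatch.fnmatchcase(command, c)
                   for c in self.commands)


def apply_rules(rules: List[SudoRule], command: str,
                inverse_order: bool = False) -> Optional[SudoRule]:
    """Return the rule that decides `command`, or None if nothing matches.

    sudo evaluates rules lowest sudoOrder first and the last matching rule
    wins. sssd < 1.13.1 sorted highest first (ticket 2682), modelled by
    inverse_order=True; sorted() is stable, so equal orders keep their
    relative position just as they did in Karl's listing.
    """
    ordered = sorted(rules, key=lambda r: r.sudo_order, reverse=inverse_order)
    winner = None
    for rule in ordered:
        if rule.matches(command):
            winner = rule
    return winner


def password_required(rules: List[SudoRule], command: str,
                      inverse_order: bool = False) -> bool:
    winner = apply_rules(rules, command, inverse_order)
    return winner is None or not winner.nopasswd


# Karl's first attempt: the catch-all (ALL) ALL rules keep the default
# order and the less rule is moved to sudoOrder 100 (constructed from the
# thread; the cn values are placeholders).
KARL_RULES = [
    SudoRule("all", 0, ["ALL"]),
    SudoRule("git_status", 0,
             ["/usr/bin/git status", "/usr/local/bin/git status"], "root", True),
    SudoRule("less", 100, ["/usr/bin/less"], "ALL", True),
]

# Karl's workaround for the buggy sssd: invert the orders.
KARL_INVERTED = [
    SudoRule("all", 100, ["ALL"]),
    SudoRule("git_status", 100,
             ["/usr/bin/git status", "/usr/local/bin/git status"], "root", True),
    SudoRule("less", 0, ["/usr/bin/less"], "ALL", True),
]

if __name__ == "__main__":
    for label, rules in (("sudoOrder 100 on less", KARL_RULES),
                         ("inverted orders", KARL_INVERTED)):
        for buggy in (False, True):
            print(label, "sssd <1.13.1" if buggy else "fixed sssd",
                  "-> password prompt:",
                  password_required(rules, "/usr/bin/less", buggy))
```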




Re: [Freeipa-users] (no subject)

2014-06-12 Thread Rich Megginson

On 06/12/2014 11:20 AM, Ken Miller wrote:
> Hello,
>
> I'm new to IPA, and was simply trying to change all the
> LDAP/Directory Manager password(s).  In following URL
>
> http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>
> I successfully changed the password used when running 'kinit admin'
> and 'ldapsearch -p 7389 -D cn=Directory Manager' but I cannot seem
> to get the simple bind ldap password to change (e.g. when running
> 'ldapsearch -p 389 -D cn=Directory Manager').  I *suspect* it
> involves doing something with cacert.p12 but I didn't know where to put
> it ;(
>
> What do I need to do to change the LDAP bind password?

http://port389.org/wiki/Howto:ResetDirMgrPassword

> Thanks in advance,
>
> == k+ ==
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




Re: [Freeipa-users] (no subject)

2013-10-14 Thread Михаил А
https://fedorahosted.org/freeipa/ticket/2008
is there a possibility to do the same for the SRV records windows servers?


2013/10/14 Михаил А avdush...@gmail.com



 -- Forwarded message --
 From: Михаил А avdush...@gmail.com
 Date: 2013/10/14
 Subject: Re: [Freeipa-users] (no subject)
 To: d...@redhat.com


 Simplify the circuit. I have a windows server DC and an IPA replica server. My
 job is to authenticate the windows user to their account on the fedora and
 redhat clients. As I understand it, when logging on to the IPA server with a
 windows account there is a request to the windows DC found via the SRV
 record in DNS. In the forest I have a site section in which there is 1 windows
 server and 1 IPA server, but the request from the IPA server does not always go
 to the neighboring windows domain controller; I found this in the log at
 debug level 5. We do not have network connectivity between sites, there is a
 single point-to-site, where network connectivity is available.
 Trust between the windows and IPA domains is available. Logging in to the central
 site, where there is network connectivity, runs great, for example (ssh -l
 winuser@windomain ipa.client or ipa-replica-server - OK)



 2013/10/12 Dmitri Pal d...@redhat.com

  On 10/11/2013 02:07 PM, Михаил А wrote:

 Maybe I have to explicitly specify the windows server which will address
 my IPA server to authenticate windows user on ipa-client? For example there
 is the IPA server p0129ipa01.ipa.sys local and Win DC
 p0129ad-dc01.sys.local. How do I specify that a request for authorization
 obviously gone to windows server or to any windows in the DC area? Because
 I do not have network connectivity to ports in other regions. A DNS-request
 is sent to all SRV-windows servers in a random order, depending can not
 compute.
 WIN DC in the subnet that corresponds to and authorizes the windows users
 outside of DC who, in a different subnet is not responsible for
 authorization (id winuser@windomain, getent passwd winuser@windomain,
 ssh -l winuser@windomain ipa-client)
 IPA-server fedora 19, ipa-client fedora19 and RedHat 6.x


 The configuration still puzzles me.
 Can you share your sanitized sssd.conf?
 Based on your description you have:

 Windows DCs
 IPAs
 Clients that are configured to use IPA and DC (at the same time? how?)
 Users coming from AD authenticating on the client

 My point is that you need to either:
 * Connect your SSSD to AD directly, then there is no IPA in picture
 * Connect your SSSD to IPA. In this case you can authenticate users that
 are native to IPA, synced to IPA from AD or you can use trusted users from
 AD accessing system if IPA and AD is in trust relationship
 * Connect your SSSD to AD as one domain to allow AD users to authenticate
 and create another domain that would connect SSSD to IPA. This is for non
 overlapping user sets between AD and IPA

 If you are running some other configuration it is probably something that we
 do not recommend.

 We know people try to use one configuration to force user authentication
 against AD while other information including user setup comes from IPA, but
 we do not recommend this setup because we can't upgrade from it cleanly.







 2013/10/11 Dmitri Pal d...@redhat.com

  On 10/11/2013 05:22 AM, Михаил А wrote:

 Good afternoon. In each region, I have a couple of controllers (windows
 and ipa). With the authorization server in the logs ipa (sssd log) I find
 that the request is not for the neighbor by location windows server, and
 randomly throughout the forest. Tell me is there a way to explicitly
 specify the IPA server on windows DC. Logs attached.
 there somewhere documentation about?


  I am not quite sure I understand your setup but I will try to give you
 some hints.

 If you want SSSD to access a specific IPA server or servers you can
 define primary and secondary servers explicitly in the SSSD configuration.
 See SSSD man pages.
 This can also be done via ipa-client-install command line starting IPA
 client 3.0 and SSSD 1.9

 But that would sort of override the information coming from DNS.

 If you are looking for SSSD to support DNS sites then this functionality
 is available in SSSD in 1.11 if SSSD is joined directly to AD via AD
 provider. If you are looking for the same functionality when SSSD connects
 to IPA then it is still on the roadmap because IPA does not support sites.
 https://fedorahosted.org/freeipa/ticket/2008



  next to the IPA server pk529ad-dc01.sys.local
 IPA server and knocks pk429ad-dc01.sys.local to another region



  ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users



 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.


 ---
 Looking to carve out IT costs? www.redhat.com/carveoutcosts/



Re: [Freeipa-users] (no subject)

2013-10-14 Thread Dmitri Pal
On 10/14/2013 09:52 AM, Михаил А wrote:
 https://fedorahosted.org/freeipa/ticket/2008
 is there a possibility to do the same for the SRV records windows servers?

Yes, if you use latest SSSD against AD without IPA.
If you want to use IPA with AD then SSSD is connected to IPA and IPA
needs to provide this functionality.
It is not implemented yet and not a high priority so far.
Help and patches are definitely welcome.




 2013/10/14 Михаил А avdush...@gmail.com



 -- Forwarded message --
 From: *Михаил А* avdush...@gmail.com
 Date: 2013/10/14
 Subject: Re: [Freeipa-users] (no subject)
 To: d...@redhat.com


 Simplify the circuit. I have a windows server DC, IPA replica
 server. My job is to authenticate the user windows to your account
 on the client fedora and redhat. As I understand it when logging
 on IPA server running windows account - there is a request for
 vigdovs DC, found on the SRV record in DNS. Because the forest I
 site section in which is 1 windows server and 1 IPA server, but at
 the request IPA server is not always refers to the neighbor
 windows dealing center I found this in the log d at debug
 level 5. We do not have network connectivity between sites, there
 is a single point-to-site, where network connectivity is available.
 Trust between the domains windows and IPA available. Log in to the
 central site, where there is network connectivity runs great, for
 example (ssh -l winuser@windomain ipa.client or ipa-replica-server
 -OK)



 2013/10/12 Dmitri Pal d...@redhat.com

 On 10/11/2013 02:07 PM, Михаил А wrote:
 Maybe I have to explicitly specify the windows server which
 will address my IPA server to authenticate windows user on
 ipa-client? For example there is the IPA server
 p0129ipa01.ipa.sys local and Win DC
 p0129ad-dc01.sys.local. How do I specify that a request for
 authorization obviously gone to windows server or to any
 windows in the DC area? Because I do not have network
 connectivity to ports in other regions. A DNS-request is sent
 to all SRV-windows servers in a random order, depending can
 not compute.
 WIN DC in the subnet that corresponds to and authorizes the
 windows users outside of DC who, in a different subnet is not
 responsible for authorization (id winuser@windomain, getent
 passwd winuser@windomain, ssh -l winuser@windomain ipa-client)
 IPA-server fedora 19, ipa-client fedora19 and RedHat 6.x

 The configuration still puzzles me.
 Can you share your sanitized sssd.conf?
 Based on your description you have:

 Windows DCs
 IPAs
 Clients that are configured to use IPA and DC (at the same
 time? how?)
 Users coming from AD authenticating on the client

 My point is that you need to either:
 * Connect your SSSD to AD directly, then there is no IPA in
 picture
 * Connect your SSSD to IPA. In this case you can authenticate
 users that are native to IPA, synced to IPA from AD or you can
 use trusted users from AD accessing system if IPA and AD is in
 trust relationship
 * Connect your SSSD to AD as one domain to allow AD users to
 authenticate and create another domain that would connect SSSD
 to IPA. This is for non overlapping user sets between AD and IPA

 If you are running some other configuration it is probably
 something that we do not recommend.

 We know people try to use one configuration to force user
 authentication against AD while other information including
 user setup comes from IPA, but we do not recommend this setup
 because we can't upgrade from it cleanly.







 2013/10/11 Dmitri Pal d...@redhat.com

 On 10/11/2013 05:22 AM, Михаил А wrote:
 Good afternoon. In each region, I have a couple of
 controllers (windows and ipa). With the authorization
 server in the logs ipa (sssd log) I find that the
 request is not for the neighbor by location windows
 server, and randomly throughout the forest. Tell me is
 there a way to explicitly specify the IPA server on
 windows DC. Logs attached.
 there somewhere documentation about?

 I am not quite sure I understand your setup but I will try
 to give you some hints.

 If you want SSSD to access a specific IPA server or
 servers you can define primary and secondary servers
 explicitly in the SSSD configuration. See SSSD man pages.
 This can also be done via ipa-client-install command line

Re: [Freeipa-users] (no subject)

2013-10-11 Thread Dmitri Pal
On 10/11/2013 05:22 AM, Михаил А wrote:
 Good afternoon. In each region, I have a couple of controllers
 (windows and ipa). With the authorization server in the logs ipa (sssd
 log) I find that the request is not for the neighbor by location
 windows server, and randomly throughout the forest. Tell me is there a
 way to explicitly specify the IPA server on windows DC. Logs attached.
 there somewhere documentation about?

I am not quite sure I understand your setup but I will try to give you
some hints.

If you want SSSD to access a specific IPA server or servers you can
define primary and secondary servers explicitly in the SSSD
configuration. See SSSD man pages.
This can also be done via ipa-client-install command line starting IPA
client 3.0 and SSSD 1.9

But that would sort of override the information coming from DNS.

If you are looking for SSSD to support DNS sites then this functionality
is available in SSSD in 1.11 if SSSD is joined directly to AD via AD
provider. If you are looking for the same functionality when SSSD
connects to IPA then it is still on the roadmap because IPA does not
support sites.
https://fedorahosted.org/freeipa/ticket/2008



 next to the IPA server pk529ad-dc01.sys.local
 IPA server and knocks pk429ad-dc01.sys.local to another region





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] (no subject)

2013-06-13 Thread Guy Matz
Which version of ubuntu are you using?

On 06/13/2013 04:12 PM, Marcelo Carvalho wrote:
 Hi Folks.

 I have installed an ipa server and a replica on linux CentOS release
 6.4 (Final).  It is using outside DNS.  I have https console access
 authenticating admin user through kerberos, and have migrated
 information on 80+ users and groups to it from a LDAP server.

 Packages related to ipa installed at main server are:

 [root ~]# rpm -qa | grep ipa
 ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 libipa_hbac-1.9.2-82.el6.x86_64
 ipa-python-3.0.0-26.el6_4.2.x86_64
 ipa-admintools-3.0.0-26.el6_4.2.x86_64
 ipa-client-3.0.0-26.el6_4.2.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 libipa_hbac-python-1.9.2-82.el6.x86_64
 ipa-server-3.0.0-26.el6_4.2.x86_64
 [root ~]#

 I am now on the process of installing a CentOS 6.4 as IPA client, and
 switch my Ubuntu desktop to use IPA as well.

 1- On the CentOS 6.4 as IPA client:

 Packages installed are:

  $ rpm -qa | grep ipa
 ipa-client-3.0.0-26.el6_4.2.x86_64
 ipa-python-3.0.0-26.el6_4.2.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 libipa_hbac-python-1.9.2-82.el6.x86_64
 libipa_hbac-1.9.2-82.el6.x86_64


 I run installation line as follows and

 ipa-client-install --domain=.xxx --server=ipaserver.xx.xxx
 --realm=XX.XXX

 It did go well and I see output line:

 Client configuration complete.

 Although all of the above I still cannot login into this new node
 using IPA.  It still checks the local users.


 2- On the Ubuntu desktop

 I am locked out.  It now does not accept my IPA user-passwd nor my
 local-user-passwd.

 Please advise on both.

 Many thanks,

 Marcelo






Re: [Freeipa-users] (no subject)

2012-03-21 Thread Rob Crittenden

Jimmy wrote:

Since I needed to make sure I could recover from this if it ever
happened again I went back to an old copy of the VM I'm going through
everything I did on the original. To begin with, it does have the same
issue, the cert won't renew. So I attempted to db2ldif and ldif2db all
of the db's ***WITHOUT*** upgrading FreeIPA, and that didn't work.
Different error than before when running, but I don't have it in
front of me now, so I can't report it. One thing I did notice is that
the exported ldif did not have the extra entries that prevented the
ldif from importing right away last time.

So I rolled back to the original database again, ran the freeipa
upgrade from yum, and then exported the db's and now these entries
show in the db that weren't there before:

http://fpaste.org/jims/

Any idea why the upgrade did this? The ldif2db fails with this error
as long as those 2 entries are in the ldif:

[21/Mar/2012:00:59:14 +] entryrdn-index - _entryrdn_insert_key:
Same DN (dn: ou=profile,dc=abc,dc=xyz) is already in the entryrdn file
with different ID 146.  Expected ID is 311.
[21/Mar/2012:00:59:14 +] - import userRoot: Duplicated DN
detected: ou=profile,dc=abc,dc=xyz: Entry ID: (311)

Sorry for bringing this back up, but it seems odd that the upgrade
duplicates this entry.



Perhaps the database is already corrupted?

The entries are added by the upgrade process only if they can't already 
be found in the database. It does an ldapsearch against the dn and adds 
if it isn't already there. The fact that 389-ds allows the add indicates 
that it doesn't think the entry is there.


rob


Jimmy

On Tue, Mar 20, 2012 at 5:22 PM, Jimmy g17ji...@gmail.com wrote:

Cool thanks for the awesome help, y'all.

On Tue, Mar 20, 2012 at 5:20 PM, Rob Crittenden rcrit...@redhat.com wrote:

Jimmy wrote:


I restarted certmonger and it seems to be working. Is there some way
to change the renewal interval so we can simulate this in the lab? I'd
like to see it go through a number of renewals to make sure we don't
keep having this problem.



Glad you are up and running again. You can control the interval by tuning
knobs in certmonger.conf(5). You want to modify ttls.

rob


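A pre-import check for the duplicate-DN failure discussed in this thread, added here as an example (it is not FreeIPA's or 389-ds's code): it parses an LDIF export, normalises DNs the way the directory compares them, and lists every DN that occurs more than once, so the colliding entries can be fixed before ldif2db rejects the file. The sample LDIF is constructed around the ou=profile,dc=abc,dc=xyz DN from the thread; the normalisation rules (case-insensitive, whitespace around separators ignored) are this example's assumption.

```python
"""Pre-check an LDIF export for duplicate DNs before running ldif2db.

Added example for this thread; it is not FreeIPA or 389-ds code. The
import in the thread fails with "Duplicated DN detected:
ou=profile,dc=abc,dc=xyz", so this script finds every DN that occurs
more than once in an exported file and reports which entries collide.
Assumption: DNs compare case-insensitively and whitespace around the
',' and '=' separators is ignored (case-ignore matching, as for the
DNs seen in the thread).
"""
import base64
import re
import sys
from collections import defaultdict


def _dn_of(entry_lines):
    """Return the DN of one entry (handles the base64 'dn::' form) or None."""
    for line in entry_lines:
        if line.startswith("dn::"):
            return base64.b64decode(line[4:].strip()).decode("utf-8")
        if line.startswith("dn:"):
            return line[3:].strip()
    return None


def iter_ldif_entries(text):
    """Yield (ordinal, dn) for each entry in an LDIF text.

    Unfolds continuation lines (leading space), skips '#' comments and a
    leading 'version:' line, and uses blank lines as entry separators.
    """
    ordinal = 0
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith("version:") and not lines:
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a wrapped line
            continue
        if raw.strip() == "":
            if lines:
                ordinal += 1
                yield ordinal, _dn_of(lines)
                lines = []
            continue
        lines.append(raw)
    if lines:                             # last entry without a trailing blank line
        ordinal += 1
        yield ordinal, _dn_of(lines)


def normalize_dn(dn):
    """Normalise a DN for comparison: split on unescaped commas, drop
    whitespace around ',' and '=', lower-case types and values."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in parts)


def find_duplicate_dns(text):
    """Return {normalised_dn: [entry ordinals]} for DNs seen more than once."""
    seen = defaultdict(list)
    for ordinal, dn in iter_ldif_entries(text):
        if dn is not None:
            seen[normalize_dn(dn)].append(ordinal)
    return {dn: ords for dn, ords in seen.items() if len(ords) > 1}


# Constructed sample modelled on the DN from the thread. Entry 4 is the
# same ou=profile entry again, differing only in case, spacing and the
# base64 'dn::' encoding; the directory would still treat it as a duplicate.
_B64_DN = base64.b64encode(b"ou=Profile, dc=ABC,dc=XYZ").decode("ascii")
SAMPLE_LDIF = f"""\
version: 1

dn: dc=abc,dc=xyz
objectClass: domain
dc: abc

dn: ou=profile,dc=abc,dc=xyz
objectClass: organizationalUnit
ou: profile

dn: cn=admin,
 ou=profile,dc=abc,dc=xyz
objectClass: person
cn: admin

dn:: {_B64_DN}
objectClass: organizationalUnit
ou: profile
"""

if __name__ == "__main__":
    # Usage: python ldif_dupcheck.py /dbexport/output.ldif (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    dups = find_duplicate_dns(text)
    for dn, ords in dups.items():
        print(f"duplicate DN {dn}: entries {ords}")
    sys.exit(1 if dups else 0)
```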


Re: [Freeipa-users] (no subject)

2012-03-20 Thread Jimmy
When I try to export the db I get this:

 /var/lib/dirsrv/scripts-ABC-XYZ/db2ldif -n ipaca -a /dbexport/ipaca-output.ldif
Exported ldif file: /dbexport/ipaca-output.ldif
[03/Mar/2012:17:27:25 +] - ERROR: Could not find backend 'ipaca'

When I start IPA as it is now these are the logs I get:

debug- http://fpaste.org/ItuZ/
catalina.out- http://fpaste.org/tSyQ/

-Jimmy

On Mon, Mar 19, 2012 at 4:58 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 This is all I see in the /var/log/httpd/error_log file. This issue has
 become critical. The server has been down a week and I have no idea
 why certmonger broke and don't seem to have any indication of how to
 fix it. What would be the best route besides chasing down this
 certmonger issue? Could I export all of my configuration/users/etc,
 install a completely new IPA and import my config?

 [Sat Mar 03 00:05:27 2012] [error] ipa: INFO: sslget
 'https://csp-idm.pdh.csp:443/ca/agent/ca/displayBySerial'
 [Sat Mar 03 00:05:28 2012] [error] ipa: INFO:
 host/csp-idm.pdh@pdh.csp:
 cert_request(u'MIIDQzCCAisCAQAwLDEQMA4GA1UEChMHUERILkNTUDEYMBYGA1
 principal=u'ldap/csp-idm.pdh@pdh.csp', add=True): C
 ertificateOperationError


 I think your CA is still not up and running.

 Things to check:

 /var/log/pki-ca/catalina.out to see if there are start up errors. The
 debug log in the same directory may contain information as well. If you are
 seeing a bunch of error 32's it means your db is still corrupted.

 The output of ipa-getcert list. This will tell you what certmonger thinks is
 wrong.

 Did you repair the ipaca backend in PKI-IPA? It is different than userRoot.


 rob



 On Fri, Mar 16, 2012 at 5:30 PM, Rob Crittenden rcrit...@redhat.com
  wrote:

 Jimmy wrote:


 I actually shut down IPA to do the export and restarted after I
 imported.

 certutil -L -d /etc/httpd/alias
 Certificate Nickname                                         Trust
 Attributes

  SSL,S/MIME,JAR/XPI
 Server-Cert                                                  u,u,u
 ABC.XYZIPA CA                                               CT,C,C
 ipaCert                                                      u,u,u
 Signing-Cert                                                 u,u,u

 certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
 /etc/httpd/alias/pwdfile.txt
 certutil: certificate is valid

 How's that look?



 That's what it's supposed to look like. Is Apache logging a failure or
 maybe
 that is coming from dogtag through Apache...


 rob



 On Fri, Mar 16, 2012 at 4:34 PM, Rob Crittenden rcrit...@redhat.com
  wrote:


 Jimmy wrote:



 ipa-getcert list shows some ugly output - http://fpaste.org/bV2v/




 Looks pretty similar to what we've been seeing. The invalid credentials
 means that dogtag can't validate RA agent cert. This was due to the
 corrupted database. You'll need to restart the pki-cad process once the
 LDAP
 backend is fixed.

 The trust issues are stranger. To show the certs in those databases:

 # certutil -L -d /etc/httpd/alias

 To verify that the cert in there now has all the CA certs it needs:
 # certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
 /etc/httpd/alias/pwdfile.txt

 rob



 On Fri, Mar 16, 2012 at 4:05 PM, Jimmy g17ji...@gmail.com wrote:



 I exported/imported the /var/lib/dirsrv/slapd-PKI-IPA/db/userRoot and
 that went smoothly but now I see this in /var/log/pki-ca/system:

 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3]
 Operation Error - netscape.ldap.LDAPException: error result (32);
 matchedDN
  = o=ipaca
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3]
 Null
 response control
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3]
 Operation Error - netscape.ldap.LDAPException: error result (32);
 matchedDN
  = o=ipaca
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3]
 Null
 

Re: [Freeipa-users] (no subject)

2012-03-20 Thread Jimmy
Here are the http logs:

http://fpaste.org/j7kN/

On Tue, Mar 20, 2012 at 3:16 PM, Jimmy g17ji...@gmail.com wrote:
 I was able to do this:
 /usr/lib64/dirsrv/slapd-PKI-IPA/db2ldif -n ipaca -a 
 /dbexport/ipaca-output.ldif
 /usr/lib64/dirsrv/slapd-PKI-IPA/ldif2db -n ipaca -i 
 /dbexport/ipaca-output.ldif

 The cert still doesn't seem to be renewing, though. Here is the debug
 and catalina.out.

 http://fpaste.org/k0Lz/
 http://fpaste.org/UUnE/

  ipa-getcert list shows this for a couple certs in question:

 Request ID '20110913154314':
        status: MONITORING
        ca-error: Error setting up ccache for local host service
 using default keytab.
        stuck: no
        key pair storage:
 type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate:
 type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=ABC.XYZ
        subject: CN=xyz-ipa.abc.xyz,O=ABC.XYZ
        expires: 2012-03-11 15:43:13 UTC
        eku: id-kp-serverAuth
        command:
        track: yes
        auto-renew: yes
 Request ID '20110913154337':
        status: MONITORING
        ca-error: Error setting up ccache for local host service
 using default keytab.
        stuck: no
        key pair storage:
 type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
 type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=ABC.XYZ
        subject: CN=xyz-ipa.abc.xyz,O=ABC.XYZ
        expires: 2012-03-11 15:43:37 UTC
        eku: id-kp-serverAuth
        command:
        track: yes
        auto-renew: yes




 On Tue, Mar 20, 2012 at 1:41 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 When I try to export the db I get this:

  /var/lib/dirsrv/scripts-ABC-XYZ/db2ldif -n ipaca -a
 /dbexport/ipaca-output.ldif
 Exported ldif file: /dbexport/ipaca-output.ldif
 [03/Mar/2012:17:27:25 +] - ERROR: Could not find backend 'ipaca']


 The CA uses a different instance of 389-ds. You need to run the scripts
 specific to that instance. dogtag sets things up slightly differently, you
 want something like:

 /usr/lib/dirsrv/slapd-PKI-IPA/db2ldif -n ipaca -a
 /dbexport/ipaca-output.ldif


 When I start IPA as it is now these are the logs I get:

 debug- http://fpaste.org/ItuZ/
 catalina.out- http://fpaste.org/tSyQ/


 Yes, as I suspected it isn't finding any of its data which is why the
 certificate renewal is failing.

 rob



 -Jimmy

 On Mon, Mar 19, 2012 at 4:58 PM, Rob Crittenden rcrit...@redhat.com
  wrote:

 Jimmy wrote:


 This is all I see in the /var/log/httpd/error_log file. This issue has
 become critical. The server has been down a week and I have no idea
 why certmonger broke and don't seem to have any indication of how to
 fix it. What would be the best route besides chasing down this
 certmonger issue? Could I export all of my configuration/users/etc,
 install a completely new IPA and import my config?

 [Sat Mar 03 00:05:27 2012] [error] ipa: INFO: sslget
 'https://csp-idm.pdh.csp:443/ca/agent/ca/displayBySerial'
 [Sat Mar 03 00:05:28 2012] [error] ipa: INFO:
 host/csp-idm.pdh@pdh.csp:
 cert_request(u'MIIDQzCCAisCAQAwLDEQMA4GA1UEChMHUERILkNTUDEYMBYGA1
 principal=u'ldap/csp-idm.pdh@pdh.csp', add=True): C
 ertificateOperationError



 I think your CA is still not up and running.

 Things to check:

 /var/log/pki-ca/catalina.out to see if there are start up errors. The
 debug log in the same directory may contain information as well. If you
 are
 seeing a bunch of error 32's it means your db is still corrupted.

 The output of ipa-getcert list. 

Re: [Freeipa-users] (no subject)

2012-03-20 Thread Jimmy
 ipa cert-show 1==

Certificate: MIIDhTCCAm2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAyMRAwDgYDVQQKEwdQREgu
  Subject: CN=Certificate Authority,O=ABC.XYZ
  Issuer: CN=Certificate Authority,O=ABC.XYZ
  Not Before: Tue Sep 13 15:41:18 2011 UTC
  Not After: Fri Sep 13 15:41:18 2019 UTC
  Fingerprint (MD5): 05:d4:89:49:6b:03:0e:9b:06:14:a0:0a:e2:32:dc:e1
  Fingerprint (SHA1):
c4:b7:9f:07:df:5a:9e:36:a6:c3:f4:18:c7:77:1a:29:86:30:41:4f
  Serial number: 1

kvno host/xyz-ipa.abc.xyz -k /etc/krb5.keytab
host/xyz-ipa.abc@abc.xyz: kvno = 2, keytab entry valid

I can do a kinit as the host principal with the keytab /etc/krb5.keytab



Re: [Freeipa-users] (no subject)

2012-03-20 Thread Rich Megginson

On 03/20/2012 01:16 PM, Jimmy wrote:

I was able to do this:
/usr/lib64/dirsrv/slapd-PKI-IPA/db2ldif -n ipaca -a /dbexport/ipaca-output.ldif
/usr/lib64/dirsrv/slapd-PKI-IPA/ldif2db -n ipaca -i /dbexport/ipaca-output.ldif
ok - let's make sure this step worked - any errors in 
/var/log/dirsrv/slapd-PKI-IPA/errors?


The cert still doesn't seem to be renewing, though. Here is the debug
and catalina.out.

What about /var/log/dirsrv/slapd-PKI-IPA/access?


http://fpaste.org/k0Lz/
http://fpaste.org/UUnE/

  ipa-getcert list shows this for a couple certs in question:

Request ID '20110913154314':
status: MONITORING
ca-error: Error setting up ccache for local host service
using default keytab.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=ABC.XYZ
subject: CN=xyz-ipa.abc.xyz,O=ABC.XYZ
expires: 2012-03-11 15:43:13 UTC
eku: id-kp-serverAuth
command:
track: yes
auto-renew: yes
Request ID '20110913154337':
status: MONITORING
ca-error: Error setting up ccache for local host service
using default keytab.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=ABC.XYZ
subject: CN=xyz-ipa.abc.xyz,O=ABC.XYZ
expires: 2012-03-11 15:43:37 UTC
eku: id-kp-serverAuth
command:
track: yes
auto-renew: yes




On Tue, Mar 20, 2012 at 1:41 PM, Rob Crittenden rcrit...@redhat.com wrote:

Jimmy wrote:

When I try to export the db I get this:

  /var/lib/dirsrv/scripts-ABC-XYZ/db2ldif -n ipaca -a
/dbexport/ipaca-output.ldif
Exported ldif file: /dbexport/ipaca-output.ldif
[03/Mar/2012:17:27:25 +] - ERROR: Could not find backend 'ipaca']


The CA uses a different instance of 389-ds. You need to run the scripts
specific to that instance. dogtag sets things up slightly differently, you
want something like:

/usr/lib/dirsrv/slapd-PKI-IPA/db2ldif -n ipaca -a
/dbexport/ipaca-output.ldif



When I start IPA as it is now these are the logs I get:

debug- http://fpaste.org/ItuZ/
catalina.out- http://fpaste.org/tSyQ/


Yes, as I suspected it isn't finding any of its data which is why the
certificate renewal is failing.

rob



-Jimmy

On Mon, Mar 19, 2012 at 4:58 PM, Rob Crittenden rcrit...@redhat.com
  wrote:

Jimmy wrote:


This is all I see in the /var/log/httpd/error_log file. This issue has
become critical. The server has been down a week and I have no idea
why certmonger broke and don't seem to have any indication of how to
fix it. What would be the best route besides chasing down this
certmonger issue? Could I export all of my configuration/users/etc,
install a completely new IPA and import my config?

[Sat Mar 03 00:05:27 2012] [error] ipa: INFO: sslget
'https://csp-idm.pdh.csp:443/ca/agent/ca/displayBySerial'
[Sat Mar 03 00:05:28 2012] [error] ipa: INFO:
host/csp-idm.pdh@pdh.csp:
cert_request(u'MIIDQzCCAisCAQAwLDEQMA4GA1UEChMHUERILkNTUDEYMBYGA1
principal=u'ldap/csp-idm.pdh@pdh.csp', add=True): C
ertificateOperationError



I think your CA is still not up and running.

Things to check:

/var/log/pki-ca/catalina.out to see if there are start up errors. The
debug log in the same directory may contain information as well. If you
are
seeing a bunch of error 32's it means your db is still corrupted.

The output of ipa-getcert list. 

Re: [Freeipa-users] (no subject)

2012-03-20 Thread Rob Crittenden

Jimmy wrote:

  ipa cert-show 1==

Certificate: MIIDhTCCAm2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAyMRAwDgYDVQQKEwdQREgu
   Subject: CN=Certificate Authority,O=ABC.XYZ
   Issuer: CN=Certificate Authority,O=ABC.XYZ
   Not Before: Tue Sep 13 15:41:18 2011 UTC
   Not After: Fri Sep 13 15:41:18 2019 UTC
   Fingerprint (MD5): 05:d4:89:49:6b:03:0e:9b:06:14:a0:0a:e2:32:dc:e1
   Fingerprint (SHA1):
c4:b7:9f:07:df:5a:9e:36:a6:c3:f4:18:c7:77:1a:29:86:30:41:4f
   Serial number: 1

kvno host/xyz-ipa.abc.xyz -k /etc/krb5.keytab
host/xyz-ipa.abc@abc.xyz: kvno = 2, keytab entry valid

I can do a kinit as the host principal with the keytab /etc/krb5.keytab


Can you make sure the system hostname is right? Check the output of 
/bin/hostname, /etc/hosts and DNS.


You might try restarting the certmonger service.

rob



Re: [Freeipa-users] (no subject)

2012-03-20 Thread Jimmy
I restarted certmonger and it seems to be working. Is there some way
to change the renewal interval so we can simulate this in the lab? I'd
like to see it go through a number of renewals to make sure we don't
keep having this problem.



Re: [Freeipa-users] (no subject)

2012-03-20 Thread Nalin Dahyabhai
On Tue, Mar 20, 2012 at 04:10:19PM -0400, Jimmy wrote:
 I restarted certmonger and it seems to be working. Is there some way
 to change the renewal interval so we can simulate this in the lab? I'd
 like to see it go through a number of renewals to make sure we don't
 keep having this problem.

Attempts to re-enroll are triggered as the not-valid-after date
approaches and you cross a threshold time-left value.

The default (2419200, 604800, 259200, 172800, 86400, which works out
to 28, 7, 3, 2, and 1 day, when you convert from seconds to days) can be
modified by setting the ttls value in the [defaults] section of
/etc/certmonger/certmonger.conf.

To avoid going nuts, the daemon will actually hold off on certificates
with a not-before value that's not at least an hour in the past, so
adding a really high ttls value (say, longer than the certificate's
entire validity period) should force frequent re-enrollments, though I
haven't done this myself.

HTH,

Nalin

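The threshold behaviour Nalin describes, worked through as an added example in Python (this is a model written for this thread, not certmonger's own code). It uses the default ttls list and the one-hour not-before hold-off from the post; the ttls parser's accepted syntax (whitespace- or comma-separated integers), the sample start date and the certificate validity used in the simulation are assumptions:

```python
"""Model of certmonger's renewal trigger, written as an added example
(not certmonger's own code).  Thresholds come from the 'ttls' value in the
[defaults] section of /etc/certmonger/certmonger.conf; the one-hour
not-before hold-off and the default threshold list are as described in the
post above.  All dates are constructed sample values."""
from datetime import datetime, timedelta, timezone

# Default ttls in seconds: 28, 7, 3, 2 and 1 day before not-valid-after.
DEFAULT_TTLS = (2419200, 604800, 259200, 172800, 86400)
# certmonger holds off on a certificate whose not-before is less than an
# hour in the past (hold-off described in the post).
NOT_BEFORE_HOLDOFF = timedelta(hours=1)


def parse_ttls(value: str) -> tuple:
    """Parse a 'ttls' setting.  Assumption: whitespace- or comma-separated
    positive integers, e.g. "2419200 604800 259200 172800 86400"."""
    parts = value.replace(",", " ").split()
    ttls = tuple(sorted({int(p) for p in parts}, reverse=True))
    if not ttls or ttls[-1] <= 0:
        raise ValueError("ttls must be a non-empty list of positive integers")
    return ttls


def next_renewal_attempt(not_before, not_after, ttls=DEFAULT_TTLS):
    """Earliest instant at which certmonger would try to re-enroll.

    The first threshold is crossed when time-left drops to max(ttls)
    seconds, i.e. at not_after - max(ttls).  If that instant is earlier
    than not_before + 1h (a ttl longer than the validity period), the
    hold-off wins and the attempt happens one hour after issuance."""
    first_threshold = not_after - timedelta(seconds=max(ttls))
    return max(first_threshold, not_before + NOT_BEFORE_HOLDOFF)


def renewal_due(not_before, not_after, now, ttls=DEFAULT_TTLS) -> bool:
    """True if a renewal attempt is due at `now`."""
    return now >= next_renewal_attempt(not_before, not_after, ttls)


def renewal_offsets_hours(validity_days, ttls=DEFAULT_TTLS, count=3):
    """Simulate `count` successive renewals of a certificate with the given
    validity, each renewal issuing a new certificate at the attempt time.
    Returns the attempt times as hours after the first issuance, which is
    what a lab run with a shortened validity or an oversized ttl shows."""
    start = datetime(2012, 3, 20, 12, 0, tzinfo=timezone.utc)  # constructed
    validity = timedelta(days=validity_days)
    not_before, offsets = start, []
    for _ in range(count):
        not_before = next_renewal_attempt(not_before, not_before + validity, ttls)
        offsets.append((not_before - start).total_seconds() / 3600)
    return offsets


if __name__ == "__main__":
    print("default ttls, 180-day cert:", renewal_offsets_hours(180))
    print("ttl longer than validity:", renewal_offsets_hours(180, (365 * 86400,)))
```

With the defaults a 180-day certificate is first retried 152 days in (28 days before expiry); with a single ttl longer than the validity period the hold-off is the only limit, so the simulation renews every hour, which is the lab effect Nalin expects.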


Re: [Freeipa-users] (no subject)

2012-03-20 Thread Rob Crittenden

Jimmy wrote:

I restarted certmonger and it seems to be working. Is there some way
to change the renewal interval so we can simulate this in the lab? I'd
like to see it go through a number of renewals to make sure we don't
keep having this problem.


Glad you are up and running again. You can control the interval by 
tuning knobs in certmonger.conf(5). You want to modify ttls.


rob



Re: [Freeipa-users] (no subject)

2012-03-20 Thread Jimmy
Cool thanks for the awesome help, y'all.

On Tue, Mar 20, 2012 at 5:20 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 I restarted certmonger and it seems to be working. Is there some way
 to change the renewal interval so we can simulate this in the lab? I'd
 like to see it go through a number of renewals to make sure we don't
 keep having this problem.


 Glad you are up and running again. You can control the interval by tuning
 knobs in certmonger.conf(5). You want to modify ttls.

 rob



Re: [Freeipa-users] (no subject)

2012-03-19 Thread Jimmy
This is all I see in the /var/log/httpd/error_log file. This issue has
become critical. The server has been down a week and I have no idea
why certmonger broke and don't seem to have any indication of how to
fix it. What would be the best route besides chasing down this
certmonger issue? Could I export all of my configuration/users/etc,
install a completely new IPA and import my config?

[Sat Mar 03 00:05:27 2012] [error] ipa: INFO: sslget
'https://csp-idm.pdh.csp:443/ca/agent/ca/displayBySerial'
[Sat Mar 03 00:05:28 2012] [error] ipa: INFO:
host/csp-idm.pdh@pdh.csp:
cert_request(u'MIIDQzCCAisCAQAwLDEQMA4GA1UEChMHUERILkNTUDEYMBYGA1
UEAxMPY3NwLWlkbS5wZGguY3NwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0EHCdyTuteryFZ2bdEl+V4OATR/xk8ELthmvlwT/5qubZKwlCWS6yLawgdyCg9Yw737A7q
Ge0BPxHv6E+as10NxppEPsn9BOi+TPRIMYNMNNYmO2sce2pvkMkVBqsF7Gn7mF7e5+Bpc7ApnDGP7WLsAjbso8EvLUrqVMTNyiziCSHiNk+/Fi1Om6K5GKzKkqfEDex0RK+kpMswgcaZH
hmW3i+y3UxFZsJjOg3R4fJAfC0+My2d1Vx4052+EgWAbSNpSj7zmLGM2+dkmgMo5Li7jjgJe8VsrqOV4L5IgqtGVJ0EOb7EP7gynbVoa74m4XrVwEP8rd/M5RxAnD1JPuwIDAQABoIHRM
BoGCSqGSIb3DQEJFDENEwtTZXJ2ZXItQ2VydDCBsgYJKoZIhvcNAQkOMYGkMIGhMA4GA1UdDwEBAAQEAwIE8DB3BgNVHREBAQAEbTBroCwGCisGAQQBgjcUAgOgHgwcbGRhcC9jc3AtaW
RtLnBkaC5jc3BAUERILkNTUKA7BgYrBgEFAgKgMTAvoAkbB1BESC5DU1ChIjAgoAMCAQGhGTAXGwRsZGFwGw9jc3AtaWRtLnBkaC5jc3AwFgYDVR0lAQEABAwwCgYIKwYBBQUHAwEwDQY
JKoZIhvcNAQELBQADggEBABD/Hwbgf5NJNUYt0+ntMDHiilMFkSaO6ryQ36/pCH1oR+vI+PCeClHewPo0v99h4Z8W8L7CQtDdNBUMl/JVHH5Lz7cBF8A/jXZQ+naV17EEuXncacM8AvYh
5dL2yih+8RpPalEmSgz5rijtbSigfNGrZn0Mh3qOW1kbsz+GDaaT9wLFxvdJyqgdKds2tsp0KzHIMcJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8Q
IXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
principal=u'ldap/csp-idm.pdh@pdh.csp', add=True): C
ertificateOperationError


On Fri, Mar 16, 2012 at 5:30 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 I actually shut down IPA to do the export and restarted after I imported.

 certutil -L -d /etc/httpd/alias
 Certificate Nickname                                         Trust
 Attributes

  SSL,S/MIME,JAR/XPI
 Server-Cert                                                  u,u,u
 ABC.XYZIPA CA                                               CT,C,C
 ipaCert                                                      u,u,u
 Signing-Cert                                                 u,u,u

 certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
 /etc/httpd/alias/pwdfile.txt
 certutil: certificate is valid

 How's that look?


 That's what it's supposed to look like. Is Apache logging a failure or maybe
 that is coming from dogtag through Apache...


 rob



 On Fri, Mar 16, 2012 at 4:34 PM, Rob Crittendenrcrit...@redhat.com
  wrote:

 Jimmy wrote:


 ipa-getcert list shows some ugly output - http://fpaste.org/bV2v/



 Looks pretty similar to what we've been seeing. The invalid credentials
 means that dogtag can't validate the RA agent cert. This was due to the
 corrupted database. You'll need to restart the pki-cad process once the
 LDAP backend is fixed.

 The trust issues are stranger. To show the certs in those databases:

 # certutil -L -d /etc/httpd/alias

 To verify that the cert in there now has all the CA certs it needs:
 # certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
 /etc/httpd/alias/pwdfile.txt

 rob



 On Fri, Mar 16, 2012 at 4:05 PM, Jimmyg17ji...@gmail.com    wrote:


 I exported/imported the /var/lib/dirsrv/slapd-PKI-IPA/db/userRoot and
 that went smoothly but now I see this in /var/log/pki-ca/system:

 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3]
 Operation Error - netscape.ldap.LDAPException: error result (32);
 matchedDN
  = o=ipaca
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null
 response control
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3]
 Operation Error - netscape.ldap.LDAPException: error result (32);
 matchedDN
  = o=ipaca
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null
 response control
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3]
 Operation Error - netscape.ldap.LDAPException: error result (32);
 matchedDN
  = o=ipaca
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null
 response control
 10358.CRLIssuingPoint-MasterCRL - [08/Mar/2012:04:36:29 UTC] [3] [3]
 CRLIssuingPoint MasterCRL - Cannot create or store the first CRL in
 the
 internaldb. The internaldb could be down. Error LDAP operation failure
 - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca netscape.ldap.LDAPE
 xception: error result (32); matchedDN = o=ipaca


 catalina.out -- http://fpaste.org/oRQd/

 ca-debug -- http://fpaste.org/zzFL/

 Any ideas?
 On Fri, Mar 16, 2012 at 2:39 PM, Rob Crittendenrcrit...@redhat.com
  wrote:


 Jimmy wrote:



 The ca_audit problem was caused by me accidentally moving the
 directory to a backup location. I was cleaning up the logs to make
 reading easier. When I moved the directory back 

Re: [Freeipa-users] (no subject)

2012-03-19 Thread Rob Crittenden

Jimmy wrote:

This is all I see in the /var/log/httpd/error_log file. This issue has
become critical. The server has been down a week and I have no idea
why certmonger broke and don't seem to have any indication of how to
fix it. What would be the best route besides chasing down this
certmonger issue? Could I export all of my configuration/users/etc,
install a completely new IPA and import my config?

[Sat Mar 03 00:05:27 2012] [error] ipa: INFO: sslget
'https://csp-idm.pdh.csp:443/ca/agent/ca/displayBySerial'
[Sat Mar 03 00:05:28 2012] [error] ipa: INFO:
host/csp-idm.pdh@pdh.csp:
cert_request(u'MIIDQzCCAisCAQAwLDEQMA4GA1UEChMHUERILkNTUDEYMBYGA1
UEAxMPY3NwLWlkbS5wZGguY3NwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0EHCdyTuteryFZ2bdEl+V4OATR/xk8ELthmvlwT/5qubZKwlCWS6yLawgdyCg9Yw737A7q
Ge0BPxHv6E+as10NxppEPsn9BOi+TPRIMYNMNNYmO2sce2pvkMkVBqsF7Gn7mF7e5+Bpc7ApnDGP7WLsAjbso8EvLUrqVMTNyiziCSHiNk+/Fi1Om6K5GKzKkqfEDex0RK+kpMswgcaZH
hmW3i+y3UxFZsJjOg3R4fJAfC0+My2d1Vx4052+EgWAbSNpSj7zmLGM2+dkmgMo5Li7jjgJe8VsrqOV4L5IgqtGVJ0EOb7EP7gynbVoa74m4XrVwEP8rd/M5RxAnD1JPuwIDAQABoIHRM
BoGCSqGSIb3DQEJFDENEwtTZXJ2ZXItQ2VydDCBsgYJKoZIhvcNAQkOMYGkMIGhMA4GA1UdDwEBAAQEAwIE8DB3BgNVHREBAQAEbTBroCwGCisGAQQBgjcUAgOgHgwcbGRhcC9jc3AtaW
RtLnBkaC5jc3BAUERILkNTUKA7BgYrBgEFAgKgMTAvoAkbB1BESC5DU1ChIjAgoAMCAQGhGTAXGwRsZGFwGw9jc3AtaWRtLnBkaC5jc3AwFgYDVR0lAQEABAwwCgYIKwYBBQUHAwEwDQY
JKoZIhvcNAQELBQADggEBABD/Hwbgf5NJNUYt0+ntMDHiilMFkSaO6ryQ36/pCH1oR+vI+PCeClHewPo0v99h4Z8W8L7CQtDdNBUMl/JVHH5Lz7cBF8A/jXZQ+naV17EEuXncacM8AvYh
5dL2yih+8RpPalEmSgz5rijtbSigfNGrZn0Mh3qOW1kbsz+GDaaT9wLFxvdJyqgdKds2tsp0KzHIMcJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8Q
IXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
principal=u'ldap/csp-idm.pdh@pdh.csp', add=True): C
ertificateOperationError


I think your CA is still not up and running.

Things to check:

/var/log/pki-ca/catalina.out to see if there are start up errors. The 
debug log in the same directory may contain information as well. If you 
are seeing a bunch of error 32s it means your db is still corrupted.


The output of ipa-getcert list. This will tell you what certmonger 
thinks is wrong.


Did you repair the ipaca backend in PKI-IPA? It is different than userRoot.

rob




On Fri, Mar 16, 2012 at 5:30 PM, Rob Crittendenrcrit...@redhat.com  wrote:

Jimmy wrote:


I actually shut down IPA to do the export and restarted after I imported.

certutil -L -d /etc/httpd/alias
Certificate Nickname Trust
Attributes

  SSL,S/MIME,JAR/XPI
Server-Cert  u,u,u
ABC.XYZIPA CA   CT,C,C
ipaCert  u,u,u
Signing-Cert u,u,u

certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
/etc/httpd/alias/pwdfile.txt
certutil: certificate is valid

How's that look?



That's what it's supposed to look like. Is Apache logging a failure or maybe
that is coming from dogtag through Apache...


rob




On Fri, Mar 16, 2012 at 4:34 PM, Rob Crittendenrcrit...@redhat.com
  wrote:


Jimmy wrote:



ipa-getcert list shows some ugly output - http://fpaste.org/bV2v/




Looks pretty similar to what we've been seeing. The invalid credentials
means that dogtag can't validate the RA agent cert. This was due to the
corrupted database. You'll need to restart the pki-cad process once the
LDAP backend is fixed.

The trust issues are stranger. To show the certs in those databases:

# certutil -L -d /etc/httpd/alias

To verify that the cert in there now has all the CA certs it needs:
# certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
/etc/httpd/alias/pwdfile.txt

rob




On Fri, Mar 16, 2012 at 4:05 PM, Jimmyg17ji...@gmail.com  wrote:



I exported/imported the /var/lib/dirsrv/slapd-PKI-IPA/db/userRoot and
that went smoothly but now I see this in /var/log/pki-ca/system:

10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3]
Operation Error - netscape.ldap.LDAPException: error result (32);
matchedDN
  = o=ipaca
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null
response control
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3]
Operation Error - netscape.ldap.LDAPException: error result (32);
matchedDN
  = o=ipaca
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null
response control
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3]
Operation Error - netscape.ldap.LDAPException: error result (32);
matchedDN
  = o=ipaca
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null
response control
10358.CRLIssuingPoint-MasterCRL - [08/Mar/2012:04:36:29 UTC] [3] [3]
CRLIssuingPoint MasterCRL - Cannot create or store the first CRL in
the
internaldb. The internaldb could be down. Error LDAP operation failure
- cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca 
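Rob's certutil checks above (show the certs in the database, then confirm the server cert chains to a trusted CA) can be turned into a repeatable check. This is an added example, not FreeIPA's or NSS's code: it parses the output of `certutil -L -d /etc/httpd/alias` and flags trust flags that differ from what Rob says the database should look like (CA cert CT,C,C; Server-Cert and ipaCert u,u,u). The CA nickname and both sample listings are constructed after the thread:

```python
"""Added example, not FreeIPA's or NSS's code: parse 'certutil -L -d
/etc/httpd/alias' output and check the trust flags Rob expects (CA cert
CT,C,C; Server-Cert and ipaCert u,u,u).  Nicknames and the two sample
listings are constructed after the thread."""
import re

# A row is a nickname, two or more spaces, then three comma-separated
# groups of NSS trust letters (C, T, c, p, P, u, w); groups may be empty.
_ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[CTcpPuw]*,[CTcpPuw]*,[CTcpPuw]*)\s*$")

SAMPLE_GOOD = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ABC.XYZ IPA CA                                               CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
"""

# Constructed failure case: CA cert present but untrusted, ipaCert gone.
SAMPLE_BAD = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ABC.XYZ IPA CA                                               ,,
Signing-Cert                                                 u,u,u
"""


def parse_certutil_list(text):
    """Map nickname -> (ssl, smime, jar) trust-flag strings."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            certs[m.group("nick").strip()] = tuple(m.group("flags").split(","))
    return certs


def check_trust(certs, ca_nick="ABC.XYZ IPA CA", key_certs=("Server-Cert", "ipaCert")):
    """Return a list of findings; an empty list means the database looks right."""
    findings = []
    ca = certs.get(ca_nick)
    if ca is None:
        findings.append(f"{ca_nick}: CA certificate missing from database")
    elif not {"C", "T"} <= set(ca[0]):
        # C = trusted CA, T = trusted for client auth; both expected on SSL.
        findings.append(f"{ca_nick}: SSL trust is '{','.join(ca)}', expected 'CT,C,C'")
    for nick in key_certs:
        flags = certs.get(nick)
        if flags is None:
            findings.append(f"{nick}: certificate missing from database")
        elif any("u" not in f for f in flags):
            # 'u' means the private key is in the database; without it the
            # cert cannot be used by httpd or as the RA agent credential.
            findings.append(f"{nick}: trust is '{','.join(flags)}', expected 'u,u,u'")
    return findings


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_trust(parse_certutil_list(sample)) or "ok")
```

Run it against real output with `certutil -L -d /etc/httpd/alias | python3 this_script.py` after swapping the sample for `sys.stdin.read()`; a non-empty findings list is what Rob's "trust issues" look like before you even run `certutil -V`.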

Re: [Freeipa-users] (no subject)

2012-03-16 Thread Jimmy
I didn't see a catalina.log on my system, but there is a catalina.out:

http://fpaste.org/KgJn/

-J

On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 error log: http://fpaste.org/efyf/

 CA debug: http://fpaste.org/LemM/

 CA localhost log: http://fpaste.org/q4MU/

 That's all I can find that corresponds to the time I ran the getcert.


 I'd look at the catalina.log, is dogtag coming up ok?

 rob



 Jimmy
 On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittendenrcrit...@redhat.com
  wrote:

 Jimmy wrote:


 Still shows status: CA_UNREACHABLE

 http://fpaste.org/UrTJ/



 If there was an Internal Server Error there should be an error in the
 Apache
 error log or something in the CA debug/transaction log (or both). Can you
 check those?

 rob


 On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittendenrcrit...@redhat.com
  wrote:


 Jimmy wrote:



 I used yum to upgrade certmonger; now the access_log has nothing new
 when I run the ipa-getcert, but error_log shows this:

 [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
 'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
 [Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
 host/xyz-ipa.abc@abc.xyz:



 cert_request(u'...cJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
 principal=u'ldap/xyz-ipa.abc@abc.xyz', add=True):
 CertificateOperationError




 What does ipa-getcert list show?

 You may now have something in the CA logs too.


 rob





 On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittendenrcrit...@redhat.com
  wrote:



 Jimmy wrote:




 Which error log? The pki-ca error log has nothing and the httpd
 error
 log has nothing, and the httpd access log has this: (yes, the dates
 are set back a few days, bc the current cert expires on 3/11)

 192.168.201.102 - - [10/Mar/2012:21:27:24 +] POST /ipa/xml
 HTTP/1.1 401 1775
 192.168.201.102 - host/abc-ipa.abc@abc.xyz [10/Mar/2012:21:27:25
 +] POST /ipa/xml HTTP/1.1 200 314

 here is the ipa-getcert list:

 http://fpaste.org/Dzr3/





 You need to update certmonger, it isn't setting a Referer HTTP header
 in
 its
 request. That is now required by IPA.


 rob


 On Thu, Mar 15, 2012 at 1:33 PM, Rob Crittendenrcrit...@redhat.com
  wrote:




 Jimmy wrote:





 Restarted IPA and now the interface loads, but resubmitting the
 cert
 has this result -

 ipa-getcert resubmit -i 20110913154233
 192.168.201.102 - - [10/Mar/2012:20:53:13 +] POST /ipa/xml
 HTTP/1.1 401 1775
 192.168.201.102 - host/abc-ipa.abc@abc.xyz
 [10/Mar/2012:20:53:13
 +] POST /ipa/xml HTTP/1.1 200 314

 but the cert still shows these dates-

  Not Before: Tue Sep 13 15:43:37 2011
             Not After : Sun Mar 11 15:43:37 2012






 The error log will contain more interesting information.

 What does the status show in the output of ipa-getcert list?

 rob



 On Thu, Mar 15, 2012 at 1:06 PM, Jimmyg17ji...@gmail.com
  wrote:





 I can now start the upgraded IPA, but now going to the IPA admin
 page
 I get this:

 

 Not Found

 The requested URL /ipa was not found on this server.

 

















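Rob's point in the quoted exchange, that IPA now refuses XML-RPC requests without a Referer header, is a CSRF defence: a browser holding a Kerberos ticket would otherwise authenticate a POST to /ipa/xml made from any site. The check below is an added example, not FreeIPA's code; it is modelled on the described behaviour, and the exact rule (https scheme, the server's own FQDN, a path under /ipa) and the sample requests are assumptions. The server name is the one from the thread:

```python
"""Added example, not FreeIPA's code: a Referer check of the kind Rob says
IPA requires on its XML-RPC endpoint.  Assumption (modelled on the
described behaviour, not copied from the server): a POST to /ipa/xml is
accepted only when the Referer header is present and names this server's
own https://<fqdn>/ipa prefix.  Sample requests are constructed."""
from urllib.parse import urlsplit

SERVER_FQDN = "xyz-ipa.abc.xyz"  # hostname from the thread, used as a sample


def referer_allowed(headers, server_fqdn=SERVER_FQDN):
    """Return (allowed, reason) for a request's header dict.
    Header names are matched case-insensitively."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    referer = hdrs.get("referer")
    if not referer:
        return False, "missing Referer header"
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False, "Referer is not https"
    if parts.hostname is None or parts.hostname.lower() != server_fqdn.lower():
        return False, f"Referer host {parts.hostname!r} is not this server"
    if not (parts.path == "/ipa" or parts.path.startswith("/ipa/")):
        return False, "Referer path is outside /ipa"
    return True, "ok"


# Constructed sample requests: an old certmonger sends no Referer at all,
# a patched one and the web UI send the server's own /ipa URL.
SAMPLE_REQUESTS = {
    "old-certmonger": {"Content-Type": "text/xml"},
    "patched-certmonger": {"Referer": "https://xyz-ipa.abc.xyz/ipa/xml"},
    "web-ui": {"referer": "https://xyz-ipa.abc.xyz/ipa/ui/"},
    "cross-site": {"Referer": "https://other.example/ipa/xml"},
    "plain-http": {"Referer": "http://xyz-ipa.abc.xyz/ipa/xml"},
}


def rejected_requests(requests=SAMPLE_REQUESTS):
    """Names of the sample requests the check would turn away."""
    return sorted(name for name, h in requests.items() if not referer_allowed(h)[0])


if __name__ == "__main__":
    for name, h in SAMPLE_REQUESTS.items():
        print(f"{name:18s} {referer_allowed(h)}")
```

The symptom in the thread (a 401 followed by a 200 in access_log, yet the request fails) is exactly what an unpatched client sees: the Negotiate round trip succeeds, then the application-level check rejects the call, so the client has to be updated rather than the server loosened.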


Re: [Freeipa-users] (no subject)

2012-03-16 Thread Rob Crittenden

Jimmy wrote:

I didn't see a catalina.log on my system, but there is a catalina.out:

http://fpaste.org/KgJn/


That's the one. Looks like the CA isn't starting.

Does /var/lib/pki-ca/logs/signedAudit/ca_audit exist? If so, what is the 
SELinux context (ls -lZ)?


rob


-J

On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittendenrcrit...@redhat.com  wrote:

Jimmy wrote:


error log: http://fpaste.org/efyf/

CA debug: http://fpaste.org/LemM/

CA localhost log: http://fpaste.org/q4MU/

That's all I can find that corresponds to the time I ran the getcert.



I'd look at the catalina.log, is dogtag coming up ok?

rob




Jimmy
On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittendenrcrit...@redhat.com
  wrote:


Jimmy wrote:



Still shows status: CA_UNREACHABLE

http://fpaste.org/UrTJ/




If there was an Internal Server Error there should be an error in the
Apache
error log or something in the CA debug/transaction log (or both). Can you
check those?

rob



On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittendenrcrit...@redhat.com
  wrote:



Jimmy wrote:




I used yum to upgrade certmonger; now the access_log has nothing new
when I run the ipa-getcert, but error_log shows this:

[Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
[Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
host/xyz-ipa.abc@abc.xyz:



cert_request(u'...cJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
principal=u'ldap/xyz-ipa.abc@abc.xyz', add=True):
CertificateOperationError





What does ipa-getcert list show?

You may now have something in the CA logs too.


rob






On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittendenrcrit...@redhat.com
  wrote:




Jimmy wrote:





Which error log? The pki-ca error log has nothing and the httpd
error
log has nothing, and the httpd access log has this: (yes, the dates
are set back a few days, bc the current cert expires on 3/11)

192.168.201.102 - - [10/Mar/2012:21:27:24 +] POST /ipa/xml
HTTP/1.1 401 1775
192.168.201.102 - host/abc-ipa.abc@abc.xyz [10/Mar/2012:21:27:25
+] POST /ipa/xml HTTP/1.1 200 314

here is the ipa-getcert list:

http://fpaste.org/Dzr3/






You need to update certmonger, it isn't setting a Referer HTTP header
in
its
request. That is now required by IPA.


rob



On Thu, Mar 15, 2012 at 1:33 PM, Rob Crittendenrcrit...@redhat.com
  wrote:





Jimmy wrote:






Restarted IPA and now the interface loads, but resubmitting the
cert
has this result -

ipa-getcert resubmit -i 20110913154233
192.168.201.102 - - [10/Mar/2012:20:53:13 +] POST /ipa/xml
HTTP/1.1 401 1775
192.168.201.102 - host/abc-ipa.abc@abc.xyz
[10/Mar/2012:20:53:13
+] POST /ipa/xml HTTP/1.1 200 314

but the cert still shows these dates-

  Not Before: Tue Sep 13 15:43:37 2011
 Not After : Sun Mar 11 15:43:37 2012







The error log will contain more interesting information.

What does the status show in the output of ipa-getcert list?

rob




On Thu, Mar 15, 2012 at 1:06 PM, Jimmyg17ji...@gmail.com
  wrote:






I can now start the upgraded IPA, but now going to the IPA admin
page
I get this:



Not Found

The requested URL /ipa was not found on this server.




























Re: [Freeipa-users] (no subject)

2012-03-16 Thread Jimmy
The signedAudit directory had gotten moved by accident when I was
cleaning up the log dir to make the logs easier to read. I moved it
back to the right place and now I have a lot more logs. I'll sanitize
the logs and paste them up.

On Fri, Mar 16, 2012 at 11:08 AM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 I didn't see a catalina.log on my system, but there is a catalina.out:

 http://fpaste.org/KgJn/


 That's the one. Looks like the CA isn't starting.

 Does /var/lib/pki-ca/logs/signedAudit/ca_audit exist? If so, what is the
 SELinux context (ls -lZ)?

 rob


 -J

 On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittendenrcrit...@redhat.com
  wrote:

 Jimmy wrote:


 error log: http://fpaste.org/efyf/

 CA debug: http://fpaste.org/LemM/

 CA localhost log: http://fpaste.org/q4MU/

 That's all I can find that corresponds to the time I ran the getcert.



 I'd look at the catalina.log, is dogtag coming up ok?

 rob



 Jimmy
 On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittendenrcrit...@redhat.com
  wrote:


 Jimmy wrote:



 Still shows status: CA_UNREACHABLE

 http://fpaste.org/UrTJ/




 If there was an Internal Server Error there should be an error in the
 Apache
 error log or something in the CA debug/transaction log (or both). Can
 you
 check those?

 rob


 On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittendenrcrit...@redhat.com
  wrote:



 Jimmy wrote:




 I used yum to upgrade certmonger; now the access_log has nothing new
 when I run the ipa-getcert, but error_log shows this:

 [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
 'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
 [Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
 host/xyz-ipa.abc@abc.xyz:




 cert_request(u'...cJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
 principal=u'ldap/xyz-ipa.abc@abc.xyz', add=True):
 CertificateOperationError





 What does ipa-getcert list show?

 You may now have something in the CA logs too.


 rob






 On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittendenrcrit...@redhat.com
  wrote:




 Jimmy wrote:





 Which error log? The pki-ca error log has nothing and the httpd
 error
 log has nothing, and the httpd access log has this: (yes, the
 dates
 are set back a few days, bc the current cert expires on 3/11)

 192.168.201.102 - - [10/Mar/2012:21:27:24 +] POST /ipa/xml
 HTTP/1.1 401 1775
 192.168.201.102 - host/abc-ipa.abc@abc.xyz
 [10/Mar/2012:21:27:25
 +] POST /ipa/xml HTTP/1.1 200 314

 here is the ipa-getcert list:

 http://fpaste.org/Dzr3/






 You need to update certmonger, it isn't setting a Referer HTTP
 header
 in
 its
 request. That is now required by IPA.


 rob


 On Thu, Mar 15, 2012 at 1:33 PM, Rob
 Crittendenrcrit...@redhat.com
  wrote:





 Jimmy wrote:






 Restarted IPA and now the interface loads, but resubmitting the
 cert
 has this result -

 ipa-getcert resubmit -i 20110913154233
 192.168.201.102 - - [10/Mar/2012:20:53:13 +] POST /ipa/xml
 HTTP/1.1 401 1775
 192.168.201.102 - host/abc-ipa.abc@abc.xyz
 [10/Mar/2012:20:53:13
 +] POST /ipa/xml HTTP/1.1 200 314

 but the cert still shows these dates-

  Not Before: Tue Sep 13 15:43:37 2011
             Not After : Sun Mar 11 15:43:37 2012







 The error log will contain more interesting information.

 What does the status show in the output of ipa-getcert list?

 rob



 On Thu, Mar 15, 2012 at 1:06 PM, Jimmyg17ji...@gmail.com
  wrote:






 I can now start the upgraded IPA, but now going to the IPA
 admin
 page
 I get this:

 

 Not Found

 The requested URL /ipa was not found on this server.

 





















Re: [Freeipa-users] (no subject)

2012-03-16 Thread Jimmy
Here are the latest logs and info. Thanks. Jimmy

ipa-getcert list output -- http://fpaste.org/OAra/

pki-ca system log -- http://fpaste.org/Uomy/
catalina.out -- http://fpaste.org/5MR1/
selftests -- http://fpaste.org/CwDF/
debug -- http://fpaste.org/Wy0o/

On Fri, Mar 16, 2012 at 11:08 AM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 I didn't see a catalina.log on my system, but there is a catalina.out:

 http://fpaste.org/KgJn/


 That's the one. Looks like the CA isn't starting.

 Does /var/lib/pki-ca/logs/signedAudit/ca_audit exist? If so, what is the
 SELinux context (ls -lZ)?

 rob


 -J

 On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittendenrcrit...@redhat.com
  wrote:

 Jimmy wrote:


 error log: http://fpaste.org/efyf/

 CA debug: http://fpaste.org/LemM/

 CA localhost log: http://fpaste.org/q4MU/

 That's all I can find that corresponds to the time I ran the getcert.



 I'd look at the catalina.log, is dogtag coming up ok?

 rob



 Jimmy
 On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittendenrcrit...@redhat.com
  wrote:


 Jimmy wrote:



 Still shows status: CA_UNREACHABLE

 http://fpaste.org/UrTJ/




 If there was an Internal Server Error there should be an error in the
 Apache
 error log or something in the CA debug/transaction log (or both). Can
 you
 check those?

 rob


 On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittendenrcrit...@redhat.com
  wrote:



 Jimmy wrote:




 I used yum to upgrade certmonger; now the access_log has nothing new
 when I run the ipa-getcert, but error_log shows this:

 [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
 'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
 [Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
 host/xyz-ipa.abc@abc.xyz:




 cert_request(u'...cJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
 principal=u'ldap/xyz-ipa.abc@abc.xyz', add=True):
 CertificateOperationError





 What does ipa-getcert list show?

 You may now have something in the CA logs too.


 rob






 On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittendenrcrit...@redhat.com
  wrote:




 Jimmy wrote:





 Which error log? The pki-ca error log has nothing and the httpd
 error
 log has nothing, and the httpd access log has this: (yes, the
 dates
 are set back a few days, bc the current cert expires on 3/11)

 192.168.201.102 - - [10/Mar/2012:21:27:24 +] POST /ipa/xml
 HTTP/1.1 401 1775
 192.168.201.102 - host/abc-ipa.abc@abc.xyz
 [10/Mar/2012:21:27:25
 +] POST /ipa/xml HTTP/1.1 200 314

 here is the ipa-getcert list:

 http://fpaste.org/Dzr3/






 You need to update certmonger, it isn't setting a Referer HTTP
 header
 in
 its
 request. That is now required by IPA.


 rob


 On Thu, Mar 15, 2012 at 1:33 PM, Rob
 Crittendenrcrit...@redhat.com
  wrote:





 Jimmy wrote:






 Restarted IPA and now the interface loads, but resubmitting the
 cert
 has this result -

 ipa-getcert resubmit -i 20110913154233
 192.168.201.102 - - [10/Mar/2012:20:53:13 +] POST /ipa/xml
 HTTP/1.1 401 1775
 192.168.201.102 - host/abc-ipa.abc@abc.xyz
 [10/Mar/2012:20:53:13
 +] POST /ipa/xml HTTP/1.1 200 314

 but the cert still shows these dates-

  Not Before: Tue Sep 13 15:43:37 2011
             Not After : Sun Mar 11 15:43:37 2012







 The error log will contain more interesting information.

 What does the status show in the output of ipa-getcert list?

 rob



 On Thu, Mar 15, 2012 at 1:06 PM, Jimmyg17ji...@gmail.com
  wrote:






 I can now start the upgraded IPA, but now going to the IPA
 admin
 page
 I get this:

 

 Not Found

 The requested URL /ipa was not found on this server.

 





















Re: [Freeipa-users] (no subject)

2012-03-16 Thread Jimmy
When I try `ipa-getcert resubmit -i 20110913154233` I see this in the CA logs:

localhost.2012-03-08.log---
Mar 8, 2012 1:54:34 AM org.apache.catalina.core.ApplicationContext log
INFO: caDisplayBySerial-agent: Invalid Credential.

debug---
[08/Mar/2012:01:54:34][TP-Processor3]: In LdapBoundConnFactory::getConn()
[08/Mar/2012:01:54:34][TP-Processor3]: masterConn is connected: true
[08/Mar/2012:01:54:34][TP-Processor3]: getConn: conn is connected true
[08/Mar/2012:01:54:34][TP-Processor3]: getConn: mNumConns now 2
[08/Mar/2012:01:54:34][TP-Processor3]: returnConn: mNumConns now 3
[08/Mar/2012:01:54:34][TP-Processor3]: Authentication: cannot map
certificate to user
[08/Mar/2012:01:54:34][TP-Processor3]: SignedAuditEventFactory:
create() 
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
RA,O=ABC.XYZ] authentication failure



On Fri, Mar 16, 2012 at 12:15 PM, Jimmy g17ji...@gmail.com wrote:
 Here are the latest logs and info. Thanks. Jimmy

 ipa-getcert list output -- http://fpaste.org/OAra/

 pki-ca system log -- http://fpaste.org/Uomy/
 catalina.out -- http://fpaste.org/5MR1/
 selftests -- http://fpaste.org/CwDF/
 debug -- http://fpaste.org/Wy0o/

 On Fri, Mar 16, 2012 at 11:08 AM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 I didn't see a catalina.log on my system, but there is a catalina.out:

 http://fpaste.org/KgJn/


 That's the one. Looks like the CA isn't starting.

 Does /var/lib/pki-ca/logs/signedAudit/ca_audit exist? If so, what is the
 SELinux context (ls -lZ)?

 rob


 -J

 On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittendenrcrit...@redhat.com
  wrote:

 Jimmy wrote:


 error log: http://fpaste.org/efyf/

 CA debug: http://fpaste.org/LemM/

 CA localhost log: http://fpaste.org/q4MU/

 That's all I can find that corresponds to the time I ran the getcert.



 I'd look at the catalina.log, is dogtag coming up ok?

 rob



 Jimmy
 On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittendenrcrit...@redhat.com
  wrote:


 Jimmy wrote:



 Still shows status: CA_UNREACHABLE

 http://fpaste.org/UrTJ/




 If there was an Internal Server Error there should be an error in the
 Apache
 error log or something in the CA debug/transaction log (or both). Can
 you
 check those?

 rob


 On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittendenrcrit...@redhat.com
  wrote:



 Jimmy wrote:




 I used yum to upgrade certmonger; now the access_log has nothing new
 when I run the ipa-getcert, but error_log shows this:

 [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
 'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
 [Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
 host/xyz-ipa.abc@abc.xyz:




 cert_request(u'...cJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
 principal=u'ldap/xyz-ipa.abc@abc.xyz', add=True):
 CertificateOperationError





 What does ipa-getcert list show?

 You may now have something in the CA logs too.


 rob






 On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittendenrcrit...@redhat.com
  wrote:




 Jimmy wrote:





 Which error log? The pki-ca error log has nothing and the httpd
 error
 log has nothing, and the httpd access log has this: (yes, the
 dates
 are set back a few days, bc the current cert expires on 3/11)

 192.168.201.102 - - [10/Mar/2012:21:27:24 +] POST /ipa/xml
 HTTP/1.1 401 1775
 192.168.201.102 - host/abc-ipa.abc@abc.xyz
 [10/Mar/2012:21:27:25
 +] POST /ipa/xml HTTP/1.1 200 314

 here is the ipa-getcert list:

 http://fpaste.org/Dzr3/






 You need to update certmonger, it isn't setting a Referer HTTP
 header
 in
 its
 request. That is now required by IPA.


 rob


 On Thu, Mar 15, 2012 at 1:33 PM, Rob
 Crittendenrcrit...@redhat.com
  wrote:





 Jimmy wrote:






 Restarted IPA and now the interface loads, but resubmitting the
 cert
 has this result -

 ipa-getcert resubmit -i 20110913154233
 192.168.201.102 - - 

Re: [Freeipa-users] (no subject)

2012-03-16 Thread Rob Crittenden

Jimmy wrote:

When I try `ipa-getcert resubmit -i 20110913154233` I see this in the CA logs:

localhost.2012-03-08.log---
Mar 8, 2012 1:54:34 AM org.apache.catalina.core.ApplicationContext log
INFO: caDisplayBySerial-agent: Invalid Credential.

debug---
[08/Mar/2012:01:54:34][TP-Processor3]: In LdapBoundConnFactory::getConn()
[08/Mar/2012:01:54:34][TP-Processor3]: masterConn is connected: true
[08/Mar/2012:01:54:34][TP-Processor3]: getConn: conn is connected true
[08/Mar/2012:01:54:34][TP-Processor3]: getConn: mNumConns now 2
[08/Mar/2012:01:54:34][TP-Processor3]: returnConn: mNumConns now 3
[08/Mar/2012:01:54:34][TP-Processor3]: Authentication: cannot map
certificate to user
[08/Mar/2012:01:54:34][TP-Processor3]: SignedAuditEventFactory:
create() 
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
RA,O=ABC.XYZ] authentication failure


Right, I think your dogtag 389-ds instance is similarly corrupted to 
your IPA instance so it can't find any entries.


rob

On Fri, Mar 16, 2012 at 12:15 PM, Jimmy g17ji...@gmail.com wrote:

Here are the latest logs and info. Thanks. Jimmy

ipagetcert list output- http://fpaste.org/OAra/

pki-ca system log -- http://fpaste.org/Uomy/
catalina.out -- http://fpaste.org/5MR1/
selftests -- http://fpaste.org/CwDF/
debug -- http://fpaste.org/Wy0o/

On Fri, Mar 16, 2012 at 11:08 AM, Rob Crittenden rcrit...@redhat.com wrote:

Jimmy wrote:

I didn't see a catalina.log on my system, but there is a catalina.out:

http://fpaste.org/KgJn/

That's the one. Looks like the CA isn't starting.

Does /var/lib/pki-ca/logs/signedAudit/ca_audit exist? If so, what is the
SELinux context (ls -lZ)?

rob

-J

On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittenden rcrit...@redhat.com wrote:

Jimmy wrote:

error log: http://fpaste.org/efyf/

CA debug: http://fpaste.org/LemM/

CA localhost log: http://fpaste.org/q4MU/

That's all I can find that corresponds to the time I ran the getcert.

I'd look at the catalina.log, is dogtag coming up ok?

rob

Jimmy
On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittenden rcrit...@redhat.com wrote:

Jimmy wrote:

Still shows status: CA_UNREACHABLE

http://fpaste.org/UrTJ/

If there was an Internal Server Error there should be an error in the
Apache error log or something in the CA debug/transaction log (or both).
Can you check those?

rob

On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittenden rcrit...@redhat.com wrote:

Jimmy wrote:

I used yum to upgrade certmonger, now the access_log has nothing new
when I run the ipa-getcert, but error_log shows this:

[Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
[Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
host/xyz-ipa.abc@abc.xyz:
cert_request(u'MIIDQzCCAisCAQAwLDEQMA4GA1UEChMHUERILkNTUDEYMBYGA1UEAxMPY3NwLWlkbS5wZGguY3NwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0EHCdyTuteryFZ2bdEl+V4OATR/xk8ELthmvlwT/5qubZKwlCWS6yLawgdyCg9Yw737A7qGe0BPxHv6E+as10NxppEPsn9BOi+TPRIMYNMNNYmO2sce2pvkMkVBqsF7Gn7mF7e5+Bpc7ApnDGP7WLsAjbso8EvLUrqVMTNyiziCSHiNk+/Fi1Om6K5GKzKkqfEDex0RK+kpMswgcaZHhmW3i+y3UxFZsJjOg3R4fJAfC0+My2d1Vx4052+EgWAbSNpSj7zmLGM2+dkmgMo5Li7jjgJe8VsrqOV4L5IgqtGVJ0EOb7EP7gynbVoa74m4XrVwEP8rd/M5RxAnD1JPuwIDAQABoIHRMBoGCSqGSIb3DQEJFDENEwtTZXJ2ZXItQ2VydDCBsgYJKoZIhvcNAQkOMYGkMIGhMA4GA1UdDwEBAAQEAwIE8DB3BgNVHREBAQAEbTBroCwGCisGAQQBgjcUAgOgHgwcbGRhcC9jc3AtaWRtLnBkaC5jc3BAUERILkNTUKA7BgYrBgEFAgKgMTAvoAkbB1BESC5DU1ChIjAgoAMCAQGhGTAXGwRsZGFwGw9jc3AtaWRtLnBkaC5jc3AwFgYDVR0lAQEABAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBABD/Hwbgf5NJNUYt0+ntMDHiilMFkSaO6ryQ36/pCH1oR+vI+PCeClHewPo0v99h4Z8W8L7CQtDdNBUMl/JVHH5Lz7cBF8A/jXZQ+naV17EEuXncacM8AvYh5dL2yih+8RpPalEmSgz5rijtbSigfNGrZn0Mh3qOW1kbsz+GDaaT9wLFxvdJyqgdKds2tsp0KzHIMcJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
principal=u'ldap/xyz-ipa.abc@abc.xyz', add=True):
CertificateOperationError

What does ipa-getcert list show?

You may now have something in the CA logs too.

rob

On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittenden rcrit...@redhat.com wrote:

Jimmy wrote:

Which error log? the pki-ca error log has nothing and the httpd error
log has nothing, and the httpd access log has this: (yes, the dates
are set back a few days, bc the current cert expires on 3/11)

192.168.201.102 - - [10/Mar/2012:21:27:24 +] POST /ipa/xml HTTP/1.1 401 1775
192.168.201.102 - host/abc-ipa.abc@abc.xyz [10/Mar/2012:21:27:25 +] POST /ipa/xml HTTP/1.1 200 314

here is the ipa-getcert list:

http://fpaste.org/Dzr3/

You need to update certmonger, it isn't setting a Referer HTTP header in
its request. That is now required by IPA.

rob

On Thu, Mar 15, 2012 at 1:33 PM, Rob Crittenden rcrit...@redhat.com wrote:

Jimmy wrote:

Restarted IPA and now the interface loads, but 
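The "cannot map certificate to user" and AUTH_FAIL lines Jimmy posted are Dogtag signed-audit records, and their fields are what tell you which credential was presented and why it was refused: AttemptedCred is the subject of the client certificate (here the IPA RA agent cert that Apache uses to talk to the CA) and SubjectID=$Unidentified$ means certUserDBAuthMgr found no user entry in the CA directory carrying that certificate, which is what a CA directory that has lost its entries looks like. The parser below is an added example written for this page, not code from FreeIPA or Dogtag. The log lines are constructed to match the quoted ones (the long record is split across string literals only for readability) and the `[key=value]` field layout is an assumption read off those lines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the CA debug log quoted in the thread.
SAMPLE_DEBUG_LINES = [
    "[08/Mar/2012:01:54:34][TP-Processor3]: Authentication: cannot map certificate to user",
    "[08/Mar/2012:01:54:34][TP-Processor3]: SignedAuditEventFactory: create() "
    "message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure]"
    "[AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=ABC.XYZ] authentication failure",
    # A healthy CA maps the same cert to its agent user (uid is an assumption).
    "[08/Mar/2012:01:55:10][TP-Processor4]: SignedAuditEventFactory: create() "
    "message=[AuditEvent=AUTH_SUCCESS][SubjectID=ipara][Outcome=Success]"
    "[AuthMgr=certUserDBAuthMgr] authentication success",
]

# "[timestamp][thread]: rest of line"
PREFIX_RE = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\]: (.*)$")
# one "[Key=Value]" field of the audit message
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


@dataclass
class AuditEvent:
    timestamp: str
    thread: str
    fields: dict = field(default_factory=dict)


def parse_audit_events(lines):
    """Extract SignedAuditEventFactory records from CA debug log lines.

    Lines without a 'message=' payload (plain debug chatter) are skipped."""
    events = []
    for line in lines:
        m = PREFIX_RE.match(line)
        if not m:
            continue
        ts, thread, rest = m.groups()
        if "message=" not in rest:
            continue
        payload = rest.split("message=", 1)[1]
        fields = dict(FIELD_RE.findall(payload))
        if "AuditEvent" in fields:
            events.append(AuditEvent(ts, thread, fields))
    return events


def ra_agent_auth_failures(events, ra_subject_prefix="CN=IPA RA"):
    """AUTH_FAIL events where the presented cert is the IPA RA agent cert but
    Dogtag could not map it to any user entry (SubjectID is $Unidentified$).

    This is the signature of the CA's own LDAP data being missing or
    unreadable, as opposed to a wrong or expired client certificate."""
    hits = []
    for ev in events:
        f = ev.fields
        if f.get("AuditEvent") != "AUTH_FAIL":
            continue
        if f.get("SubjectID") != "$Unidentified$":
            continue
        if f.get("AttemptedCred", "").startswith(ra_subject_prefix):
            hits.append(ev)
    return hits
```

Run it over the real `/var/log/pki-ca/debug` by reading the file into `parse_audit_events`; a non-empty result from `ra_agent_auth_failures` means the RA cert itself is probably fine and the CA's directory backend is the place to look, which is where the thread ends up.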

Re: [Freeipa-users] (no subject)

2012-03-16 Thread Simo Sorce
On Fri, 2012-03-16 at 12:51 -0400, Rob Crittenden wrote:
 Jimmy wrote:
  Here are the latest logs and info. Thanks. Jimmy
 
 What did you change to fix the ca_audit problem?
 
 There are two problems that I can see:
 
 1. certmonger is failing because of SSL trust issues. Have you
 changed 
 the NSS database(s) recently for Apache or 389-ds, or /etc/pki/nssdb?
 
 2. Looks like there is some corruption in the dogtag LDAP instance
 based 
 on all the entries not found.
 
 
Maybe the dogtag instance also got problems during the 389ds upgrade ?

Jimmy, maybe you can do the same dump to ldif restore procedure for the
dogtag instance ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] (no subject)

2012-03-16 Thread Jimmy
I'm up for that. I'm assuming the DogTag db is in
/var/lib/dirsrv/slapd-PKI-IPA/db/userRoot. Correct?

On Fri, Mar 16, 2012 at 1:38 PM, Simo Sorce s...@redhat.com wrote:
 On Fri, 2012-03-16 at 12:51 -0400, Rob Crittenden wrote:
 Jimmy wrote:
  Here are the latest logs and info. Thanks. Jimmy

 What did you change to fix the ca_audit problem?

 There are two problems that I can see:

 1. certmonger is failing because of SSL trust issues. Have you
 changed
 the NSS database(s) recently for Apache or 389-ds, or /etc/pki/nssdb?

 2. Looks like there is some corruption in the dogtag LDAP instance
 based
 on all the entries not found.


 Maybe the dogtag instance also got problems during the 389ds upgrade ?

 Jimmy, maybe you can do the same dump to ldif restore procedure for the
 dogtag instance ?

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York




Re: [Freeipa-users] (no subject)

2012-03-16 Thread Jimmy
What is the proper way to recover from this? I've been digging and
searching but don't see anything about this in relation to IPA.

On Fri, Mar 16, 2012 at 1:29 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 When I try `ipa-getcert resubmit -i 20110913154233` I see this in the CA
 logs:

 localhost.2012-03-08.log---
 Mar 8, 2012 1:54:34 AM org.apache.catalina.core.ApplicationContext log
 INFO: caDisplayBySerial-agent: Invalid Credential.

 debug---
 [08/Mar/2012:01:54:34][TP-Processor3]: In LdapBoundConnFactory::getConn()
 [08/Mar/2012:01:54:34][TP-Processor3]: masterConn is connected: true
 [08/Mar/2012:01:54:34][TP-Processor3]: getConn: conn is connected true
 [08/Mar/2012:01:54:34][TP-Processor3]: getConn: mNumConns now 2
 [08/Mar/2012:01:54:34][TP-Processor3]: returnConn: mNumConns now 3
 [08/Mar/2012:01:54:34][TP-Processor3]: Authentication: cannot map
 certificate to user
 [08/Mar/2012:01:54:34][TP-Processor3]: SignedAuditEventFactory:
 create()
 message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
 RA,O=ABC.XYZ] authentication failure


 Right, I think your dogtag 389-ds instance is similarly corrupted to your
 IPA instance so it can't find any entries.

 rob

 On Fri, Mar 16, 2012 at 12:15 PM, Jimmy g17ji...@gmail.com wrote:

 Here are the latest logs and info. Thanks. Jimmy

 ipagetcert list output- http://fpaste.org/OAra/

 pki-ca system log -- http://fpaste.org/Uomy/
 catalina.out -- http://fpaste.org/5MR1/
 selftests -- http://fpaste.org/CwDF/
 debug -- http://fpaste.org/Wy0o/

 On Fri, Mar 16, 2012 at 11:08 AM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:

 I didn't see a catalina.log on my system, but there is a catalina.out:

 http://fpaste.org/KgJn/

 That's the one. Looks like the CA isn't starting.

 Does /var/lib/pki-ca/logs/signedAudit/ca_audit exist? If so, what is the
 SELinux context (ls -lZ)?

 rob

 -J

 On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:

 error log: http://fpaste.org/efyf/

 CA debug: http://fpaste.org/LemM/

 CA localhost log: http://fpaste.org/q4MU/

 That's all I can find that corresponds to the time I ran the getcert.

 I'd look at the catalina.log, is dogtag coming up ok?

 rob

 Jimmy
 On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:

 Still shows status: CA_UNREACHABLE

 http://fpaste.org/UrTJ/

 If there was an Internal Server Error there should be an error in the
 Apache error log or something in the CA debug/transaction log (or both).
 Can you check those?

 rob

 On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:

 I used yum to upgrade certmonger, now the access_log has nothing new
 when I run the ipa-getcert, but error_log shows this:

 [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
 'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
 [Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
 host/xyz-ipa.abc@abc.xyz:
 cert_request(u'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tsp0KzHIMcJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
 principal=u'ldap/xyz-ipa.abc@abc.xyz', add=True):
 CertificateOperationError

 What does ipa-getcert list show?

 You may now have something in the CA logs too.

 rob

 On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:

 Which error log? the pki-ca error log has nothing and the httpd error
 log has nothing, and the httpd access log has this: (yes, the dates
 are set back a few days, bc the current cert expires on 3/11)

 192.168.201.102 - - [10/Mar/2012:21:27:24 +] POST /ipa/xml HTTP/1.1 401 1775
 192.168.201.102 - host/abc-ipa.abc@abc.xyz [10/Mar/2012:21:27:25 +] POST /ipa/xml HTTP/1.1 200 314

 here is the ipa-getcert list:


Re: [Freeipa-users] (no subject)

2012-03-16 Thread Jimmy
The ca_audit problem was caused by me accidentally moving the
directory to a backup location. I was cleaning up the logs to make
reading easier. When I moved the directory back that issue went away.
No changes were made in the NSS database(s) or any other internal
workings of IPA. This system is used for very basic user
authentication, DNS, etc.

I can do the ldif export/import for dogtag. Just from comparing
everything, it looks like the dogtag db is in
/var/lib/dirsrv/slapd-PKI-IPA/db/userRoot, is that correct?

-J

On Fri, Mar 16, 2012 at 12:51 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 Here are the latest logs and info. Thanks. Jimmy


 What did you change to fix the ca_audit problem?

 There are two problems that I can see:

 1. certmonger is failing because of SSL trust issues. Have you changed the
 NSS database(s) recently for Apache or 389-ds, or /etc/pki/nssdb?

 2. Looks like there is some corruption in the dogtag LDAP instance based on
 all the entries not found.

 rob

 ipagetcert list output- http://fpaste.org/OAra/

 pki-ca system log -- http://fpaste.org/Uomy/
 catalina.out -- http://fpaste.org/5MR1/
 selftests -- http://fpaste.org/CwDF/
 debug -- http://fpaste.org/Wy0o/

 On Fri, Mar 16, 2012 at 11:08 AM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:

 I didn't see a catalina.log on my system, but there is a catalina.out:

 http://fpaste.org/KgJn/

 That's the one. Looks like the CA isn't starting.

 Does /var/lib/pki-ca/logs/signedAudit/ca_audit exist? If so, what is the
 SELinux context (ls -lZ)?

 rob

 -J

 On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:

 error log: http://fpaste.org/efyf/

 CA debug: http://fpaste.org/LemM/

 CA localhost log: http://fpaste.org/q4MU/

 That's all I can find that corresponds to the time I ran the getcert.

 I'd look at the catalina.log, is dogtag coming up ok?

 rob

 Jimmy
 On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:

 Still shows status: CA_UNREACHABLE

 http://fpaste.org/UrTJ/

 If there was an Internal Server Error there should be an error in the
 Apache error log or something in the CA debug/transaction log (or both).
 Can you check those?

 rob

 On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:

 I used yum to upgrade certmonger, now the access_log has nothing new
 when I run the ipa-getcert, but error_log shows this:

 [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
 'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
 [Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
 host/xyz-ipa.abc@abc.xyz:
 cert_request(u'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sp0KzHIMcJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
 principal=u'ldap/xyz-ipa.abc@abc.xyz', add=True):
 CertificateOperationError

 What does ipa-getcert list show?

 You may now have something in the CA logs too.

 rob

 On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:

 Which error log? the pki-ca error log has nothing and the httpd error
 log has nothing, and the httpd access log has this: (yes, the dates
 are set back a few days, bc the current cert expires on 3/11)

 192.168.201.102 - - [10/Mar/2012:21:27:24 +] POST /ipa/xml HTTP/1.1 401 1775
 192.168.201.102 - host/abc-ipa.abc@abc.xyz [10/Mar/2012:21:27:25 +] POST /ipa/xml HTTP/1.1 200 314

 here is the ipa-getcert list:

 http://fpaste.org/Dzr3/

 You need to update certmonger, it isn't setting a Referer HTTP header in
 its request. That is now required by IPA.

 rob

 On Thu, Mar 15, 2012 at 1:33 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:

 Restarted IPA and now the interface loads, but resubmitting the cert
 has this result -

 ipa-getcert resubmit -i 

Re: [Freeipa-users] (no subject)

2012-03-16 Thread Simo Sorce
On Fri, 2012-03-16 at 14:22 -0400, Jimmy wrote:
 I'm up for that. I'm assuming the DogTag db is in
 /var/lib/dirsrv/slapd-PKI-IPA/db/userRoot. Correct?

Yes.

Simo.

 On Fri, Mar 16, 2012 at 1:38 PM, Simo Sorce s...@redhat.com wrote:
  On Fri, 2012-03-16 at 12:51 -0400, Rob Crittenden wrote:
  Jimmy wrote:
   Here are the latest logs and info. Thanks. Jimmy
 
  What did you change to fix the ca_audit problem?
 
  There are two problems that I can see:
 
  1. certmonger is failing because of SSL trust issues. Have you
  changed
  the NSS database(s) recently for Apache or 389-ds, or /etc/pki/nssdb?
 
  2. Looks like there is some corruption in the dogtag LDAP instance
  based
  on all the entries not found.
 
 
  Maybe the dogtag instance also got problems during the 389ds upgrade ?
 
  Jimmy, maybe you can do the same dump to ldif restore procedure for the
  dogtag instance ?
 
  Simo.
 
  --
  Simo Sorce * Red Hat, Inc * New York
 


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] (no subject)

2012-03-16 Thread Jimmy
I tried it on ipca but this is what it returns:

 /var/lib/dirsrv/scripts-ABC-XYZ/db2ldif -n ipaca -a /dbexport/ipca-output.ldif
Exported ldif file: /dbexport/ipca-output.ldif
[08/Mar/2012:04:19:39 +] - ERROR: Could not find backend 'ipaca'.

userRoot seems to export as expected.

On Fri, Mar 16, 2012 at 2:39 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 The ca_audit problem was caused by me accidentally moving the
 directory to a backup location. I was cleaning up the logs to make
 reading easier. When I moved the directory back that issue went away.
 No changes were made in the NSS database(s) or any other internal
 workings of IPA. This system is used for very basic user
 authentication, DNS, etc.

 I can do the ldif export/import for dogtag. Just from comparing
 everything, it looks like the dogtag db is in
 /var/lib/dirsrv/slapd-PKI-IPA/db/userRoot, is that correct?


 The ipaca db

 rob




Re: [Freeipa-users] (no subject)

2012-03-16 Thread Jimmy
I exported/imported the /var/lib/dirsrv/slapd-PKI-IPA/db/userRoot and
that went smoothly but now I see this in /var/log/pki-ca/system:

10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null response control
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null response control
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null response control
10358.CRLIssuingPoint-MasterCRL - [08/Mar/2012:04:36:29 UTC] [3] [3] CRLIssuingPoint MasterCRL - Cannot create or store the first CRL in the internaldb. The internaldb could be down. Error LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca


catalina.out -- http://fpaste.org/oRQd/

ca-debug -- http://fpaste.org/zzFL/

Any ideas?
On Fri, Mar 16, 2012 at 2:39 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 The ca_audit problem was caused by me accidentally moving the
 directory to a backup location. I was cleaning up the logs to make
 reading easier. When I moved the directory back that issue went away.
 No changes were made in the NSS database(s) or any other internal
 workings of IPA. This system is used for very basic user
 authentication, DNS, etc.

 I can do the ldif export/import for dogtag. Just from comparing
 everything, it looks like the dogtag db is in
 /var/lib/dirsrv/slapd-PKI-IPA/db/userRoot, is that correct?


 The ipaca db

 rob



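The db2ldif error in the previous message ("Could not find backend 'ipaca'") and the error result (32) lines here are two views of the same problem: the CA's data lives in the ipaca backend of the slapd-PKI-IPA instance, and after the userRoot export/import the CA still finds o=ipaca but nothing beneath it. LDAP result 32 is noSuchObject, and matchedDN names the deepest ancestor that does exist, so the gap between matchedDN and the DN Dogtag asked for is exactly what a correct export has to bring back. The code below is an added example for this page, not FreeIPA, Dogtag or 389-ds code: it parses constructed copies of the pki-ca system log lines, derives the missing entries, and checks a db2ldif-style LDIF for them before you import it. The LDIF sample is constructed, and the regular expression is fitted to the lines quoted in the thread.

```python
import re

# Constructed sample lines, modelled on /var/log/pki-ca/system as quoted in the
# thread (each record is one line; split across literals for readability).
SAMPLE_SYSTEM_LOG = [
    "10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] "
    "Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca",
    "10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null response control",
    "10358.CRLIssuingPoint-MasterCRL - [08/Mar/2012:04:36:29 UTC] [3] [3] "
    "CRLIssuingPoint MasterCRL - Cannot create or store the first CRL in the internaldb. "
    "The internaldb could be down. Error LDAP operation failure - "
    "cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca "
    "netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca",
]

# Constructed LDIF standing in for a db2ldif export that only captured the
# suffix entry, i.e. what an empty or wrong backend exports.
SAMPLE_LDIF = """\
dn: o=ipaca
objectClass: top
objectClass: organization
o: ipaca

"""

# Optional "LDAP operation failure - <target dn>" followed by the LDAPException
# with its result code and matchedDN, as the CA prints them.
LDAP_RESULT_RE = re.compile(
    r"(?:LDAP operation failure - (?P<target>.+?)\s+)?"
    r"netscape\.ldap\.LDAPException: error result \((?P<code>\d+)\); matchedDN = (?P<matched>.*)$"
)
NO_SUCH_OBJECT = 32


def normalize_dn(dn):
    """Drop spaces after RDN separators so DNs from different log lines compare equal."""
    return ",".join(part.strip() for part in dn.split(","))


def parse_no_such_object(lines):
    """(target_dn or None, matched_dn) for each result-32 record in the log."""
    found = []
    for line in lines:
        m = LDAP_RESULT_RE.search(line)
        if m and int(m.group("code")) == NO_SUCH_OBJECT:
            target = normalize_dn(m.group("target")) if m.group("target") else None
            found.append((target, normalize_dn(m.group("matched"))))
    return found


def missing_ancestors(target_dn, matched_dn):
    """Entries that must exist for target_dn but do not, suffix-nearest first.

    matchedDN is the deepest ancestor the server found, so everything below it,
    down to and including the target, is absent."""
    rdns = target_dn.split(",")
    chain = [",".join(rdns[i:]) for i in range(len(rdns))]   # target ... suffix
    if matched_dn not in chain:
        raise ValueError("%s is not an ancestor of %s" % (matched_dn, target_dn))
    return list(reversed(chain[:chain.index(matched_dn)]))


def ldif_dns(ldif_text):
    """Set of normalized DNs present in an LDIF export."""
    return {normalize_dn(line[len("dn: "):]) for line in ldif_text.splitlines()
            if line.startswith("dn: ")}


def ldif_missing(ldif_text, required_dns):
    """Which of required_dns an export lacks; check this before importing it."""
    present = ldif_dns(ldif_text)
    return [dn for dn in required_dns if dn not in present]
```

Feeding the real `/var/log/pki-ca/system` to `parse_no_such_object` and the candidate LDIF to `ldif_missing` tells you, before an import, whether the file actually carries the containers under o=ipaca (ou=ca, ou=crlIssuingPoints, and so on) or is just another empty suffix.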

Re: [Freeipa-users] (no subject)

2012-03-16 Thread Jimmy
ipa-getcert list shows some ugly output - http://fpaste.org/bV2v/

On Fri, Mar 16, 2012 at 4:05 PM, Jimmy g17ji...@gmail.com wrote:
 I exported/imported the /var/lib/dirsrv/slapd-PKI-IPA/db/userRoot and
 that went smoothly but now I see this in /var/log/pki-ca/system:

 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null response control
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null response control
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null response control
 10358.CRLIssuingPoint-MasterCRL - [08/Mar/2012:04:36:29 UTC] [3] [3] CRLIssuingPoint MasterCRL - Cannot create or store the first CRL in the internaldb. The internaldb could be down. Error LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca


 catalina.out -- http://fpaste.org/oRQd/

 ca-debug -- http://fpaste.org/zzFL/

 Any ideas?
 On Fri, Mar 16, 2012 at 2:39 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 The ca_audit problem was caused by me accidentally moving the
 directory to a backup location. I was cleaning up the logs to make
 reading easier. When I moved the directory back that issue went away.
 No changes were made in the NSS database(s) or any other internal
 workings of IPA. This system is used for very basic user
 authentication, DNS, etc.

 I can do the ldif export/import for dogtag. Just from comparing
 everything, it looks like the dogtag db is in
 /var/lib/dirsrv/slapd-PKI-IPA/db/userRoot, is that correct?


 The ipaca db

 rob




Re: [Freeipa-users] (no subject)

2012-03-16 Thread Rob Crittenden

Jimmy wrote:

ipa-getcert list shows some ugly output - http://fpaste.org/bV2v/


Looks pretty similar to what we've been seeing. The invalid credentials 
means that dogtag can't validate RA agent cert. This was due to the 
corrupted database. You'll need to restart the pki-cad process once the 
LDAP backend is fixed.


The trust issues are stranger. To show the certs in those databases:

# certutil -L -d /etc/httpd/alias

To verify that the cert in there now has all the CA certs it needs:
# certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f 
/etc/httpd/alias/pwdfile.txt


rob



On Fri, Mar 16, 2012 at 4:05 PM, Jimmy g17ji...@gmail.com wrote:

I exported/imported the /var/lib/dirsrv/slapd-PKI-IPA/db/userRoot and
that went smoothly but now I see this in /var/log/pki-ca/system:

10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null response control
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null response control
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null response control
10358.CRLIssuingPoint-MasterCRL - [08/Mar/2012:04:36:29 UTC] [3] [3] CRLIssuingPoint MasterCRL - Cannot create or store the first CRL in the internaldb. The internaldb could be down. Error LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca


catalina.out -- http://fpaste.org/oRQd/

ca-debug -- http://fpaste.org/zzFL/

Any ideas?
On Fri, Mar 16, 2012 at 2:39 PM, Rob Crittenden rcrit...@redhat.com wrote:

Jimmy wrote:


The ca_audit problem was caused by me accidentally moving the
directory to a backup location. I was cleaning up the logs to make
reading easier. When I moved the directory back that issue went away.
No changes were made in the NSS database(s) or any other internal
workings of IPA. This system is used for very basic user
authentication, DNS, etc.

I can do the ldif export/import for dogtag. Just from comparing
everything, it looks like the dogtag db is in
/var/lib/dirsrv/slapd-PKI-IPA/db/userRoot, is that correct?



The ipaca db

rob





Re: [Freeipa-users] (no subject)

2012-03-16 Thread Jimmy
I actually shut down IPA to do the export and restarted after I imported.

certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ABC.XYZ IPA CA                                               CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u

certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
/etc/httpd/alias/pwdfile.txt
certutil: certificate is valid

How's that look?


On Fri, Mar 16, 2012 at 4:34 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 ipa-getcert list shows some ugly output - http://fpaste.org/bV2v/


 Looks pretty similar to what we've been seeing. The invalid credentials
 means that dogtag can't validate RA agent cert. This was due to the
 corrupted database. You'll need to restart the pki-cad process once the LDAP
 backend is fixed.

 The trust issues are stranger. To show the certs in those databases:

 # certutil -L -d /etc/httpd/alias

 To verify that the cert in there now has all the CA certs it needs:
 # certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
 /etc/httpd/alias/pwdfile.txt

 rob



 On Fri, Mar 16, 2012 at 4:05 PM, Jimmy g17ji...@gmail.com wrote:

 I exported/imported the /var/lib/dirsrv/slapd-PKI-IPA/db/userRoot and
 that went smoothly but now I see this in /var/log/pki-ca/system:

 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null response control
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null response control
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
 10358.CertStatusUpdateThread - [08/Mar/2012:04:36:29 UTC] [5] [3] Null response control
 10358.CRLIssuingPoint-MasterCRL - [08/Mar/2012:04:36:29 UTC] [3] [3] CRLIssuingPoint MasterCRL - Cannot create or store the first CRL in the internaldb. The internaldb could be down. Error LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca


 catalina.out -- http://fpaste.org/oRQd/

 ca-debug -- http://fpaste.org/zzFL/

 Any ideas?
 On Fri, Mar 16, 2012 at 2:39 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:


 The ca_audit problem was caused by me accidentally moving the
 directory to a backup location. I was cleaning up the logs to make
 reading easier. When I moved the directory back that issue went away.
 No changes were made in the NSS database(s) or any other internal
 workings of IPA. This system is used for very basic user
 authentication, DNS, etc.

 I can do the ldif export/import for dogtag. Just from comparing
 everything, it looks like the dogtag db is in
 /var/lib/dirsrv/slapd-PKI-IPA/db/userRoot, is that correct?


 The ipaca db

 rob




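Rob's two certutil commands are the quick way to separate an NSS trust problem from a Dogtag problem: `certutil -L` shows what the database holds and with which trust flags, and `certutil -V -u V` actually walks the chain. Below is an added example, not code from the thread or from NSS, that parses the `certutil -L` listing Jimmy posted and does the trust-flag triage you would otherwise do by eye: is the server cert present with its private key (`u` in the first column), and is some CA marked `C` in the SSL column (trusted to issue server certs) so the chain can validate at all. The sample listing is the one from the thread with its column spacing restored; the row pattern assumes certutil's usual two-column layout. This is only triage: `certutil -V` is still what checks signatures and validity dates.

```python
import re

# Constructed sample: the certutil -L listing from the thread with its column
# spacing restored (the original post collapsed the whitespace).
SAMPLE_CERTUTIL_L = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ABC.XYZ IPA CA                                               CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
"""

# One listing row: nickname, two or more spaces, then the three comma-separated
# trust columns (SSL, S/MIME, JAR/XPI). Assumes the standard certutil layout;
# the header lines do not match because their last column has no commas.
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_list(text):
    """Map nickname -> (ssl_flags, smime_flags, jar_flags) from `certutil -L -d <dbdir>` output."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def trusted_ssl_cas(certs):
    """Nicknames whose SSL column carries 'C' (trusted to issue server certs).

    A lowercase 'c' (valid CA, not trusted) or a bare 'u' on the CA entry is not
    enough: chain validation for Server-Cert would still fail."""
    return [nick for nick, (ssl, _smime, _jar) in certs.items() if "C" in ssl]


def triage_server_cert(certs, server_nick="Server-Cert"):
    """The trust-side questions behind `certutil -V -u V`, as a list of problems.

    An empty list means the database at least looks right; -V still has to
    verify the signatures and the validity dates."""
    problems = []
    flags = certs.get(server_nick)
    if flags is None:
        problems.append("%s is not in the database" % server_nick)
    elif "u" not in flags[0]:
        problems.append("%s has no private key ('u' flag missing)" % server_nick)
    if not trusted_ssl_cas(certs):
        problems.append("no CA in the database has the SSL 'C' trust flag; chain validation would fail")
    return problems
```

On a live system, pipe `certutil -L -d /etc/httpd/alias` (and the 389-ds and /etc/pki/nssdb databases Rob mentions) into `parse_certutil_list`; a CA row whose first column lost its `C`, or a missing CA row altogether, is the kind of NSS change that produces certmonger's trust errors without anything being wrong in Dogtag.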

Re: [Freeipa-users] (no subject)

2012-03-15 Thread Jimmy
I can now start the upgraded IPA, but now going to the IPA admin page
I get this:

Not Found

The requested URL /ipa was not found on this server.



Re: [Freeipa-users] (no subject)

2012-03-15 Thread Jimmy
Restarted IPA and now the interface loads, but resubmitting the cert
has this result -

ipa-getcert resubmit -i 20110913154233
192.168.201.102 - - [10/Mar/2012:20:53:13 +] POST /ipa/xml
HTTP/1.1 401 1775
192.168.201.102 - host/abc-ipa.abc@abc.xyz [10/Mar/2012:20:53:13
+] POST /ipa/xml HTTP/1.1 200 314

but the cert still shows these dates-

            Not Before: Tue Sep 13 15:43:37 2011
            Not After : Sun Mar 11 15:43:37 2012


On Thu, Mar 15, 2012 at 1:06 PM, Jimmy g17ji...@gmail.com wrote:
 I can now start the upgraded IPA, but now going to the IPA admin page
 I get this:

 

 Not Found

 The requested URL /ipa was not found on this server.

 



Re: [Freeipa-users] (no subject)

2012-03-15 Thread Jimmy
I used yum to upgrade cert monger now the access_log has nothing new
when I run the ipa-getcert, but error_log shows this:

[Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
[Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
host/xyz-ipa.abc@abc.xyz:
cert_request(u'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',
principal=u'ldap/xyz-ipa.abc@abc.xyz', add=True):
CertificateOperationError


On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 Which error log? the pki-ca error log has nothing and the httpd error
 log has nothing, and the httpd access log has this: (yes, the dates
 are set back a few days, bc the current cert expires on 3/11)

 192.168.201.102 - - [10/Mar/2012:21:27:24 +] POST /ipa/xml
 HTTP/1.1 401 1775
 192.168.201.102 - host/abc-ipa.abc@abc.xyz [10/Mar/2012:21:27:25
 +] POST /ipa/xml HTTP/1.1 200 314

 here is the ipa-getcert list:

 http://fpaste.org/Dzr3/


 You need to update certmonger, it isn't setting a Referer HTTP header in its
 request. That is now required by IPA.


 rob


 On Thu, Mar 15, 2012 at 1:33 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:


 Restarted IPA and now the interface loads, but resubmitting the cert
 has this result -

 ipa-getcert resubmit -i 20110913154233
 192.168.201.102 - - [10/Mar/2012:20:53:13 +] POST /ipa/xml
 HTTP/1.1 401 1775
 192.168.201.102 - host/abc-ipa.abc@abc.xyz [10/Mar/2012:20:53:13
 +] POST /ipa/xml HTTP/1.1 200 314

 but the cert still shows these dates-

             Not Before: Tue Sep 13 15:43:37 2011
             Not After : Sun Mar 11 15:43:37 2012



 The error log will contain more interesting information.

 What does the status show in the output of ipa-getcert list?

 rob



 On Thu, Mar 15, 2012 at 1:06 PM, Jimmy g17ji...@gmail.com wrote:


 I can now start the upgraded IPA, but now going to the IPA admin page
 I get this:

 

 Not Found

 The requested URL /ipa was not found on this server.

 






Re: [Freeipa-users] (no subject)

2012-03-15 Thread Rob Crittenden

Jimmy wrote:

I used yum to upgrade cert monger now the access_log has nothing new
when I run the ipa-getcert, but error_log shows this:

[Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
[Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
host/xyz-ipa.abc@abc.xyz:
cert_request(u'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cJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
principal=u'ldap/xyz-ipa.abc@abc.xyz', add=True):
CertificateOperationError


What does ipa-getcert list show?

You may now have something in the CA logs too.

rob



On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittenden rcrit...@redhat.com wrote:

Jimmy wrote:


Which error log? the pki-ca error log has nothing and the httpd error
log has nothing, and the httpd access log has this: (yes, the dates
are set back a few days, bc the current cert expires on 3/11)

192.168.201.102 - - [10/Mar/2012:21:27:24 +] POST /ipa/xml
HTTP/1.1 401 1775
192.168.201.102 - host/abc-ipa.abc@abc.xyz [10/Mar/2012:21:27:25
+] POST /ipa/xml HTTP/1.1 200 314

here is the ipa-getcert list:

http://fpaste.org/Dzr3/



You need to update certmonger, it isn't setting a Referer HTTP header in its
request. That is now required by IPA.


rob



On Thu, Mar 15, 2012 at 1:33 PM, Rob Crittenden rcrit...@redhat.com wrote:


Jimmy wrote:



Restarted IPA and now the interface loads, but resubmitting the cert
has this result -

ipa-getcert resubmit -i 20110913154233
192.168.201.102 - - [10/Mar/2012:20:53:13 +] POST /ipa/xml
HTTP/1.1 401 1775
192.168.201.102 - host/abc-ipa.abc@abc.xyz [10/Mar/2012:20:53:13
+] POST /ipa/xml HTTP/1.1 200 314

but the cert still shows these dates-

            Not Before: Tue Sep 13 15:43:37 2011
            Not After : Sun Mar 11 15:43:37 2012




The error log will contain more interesting information.

What does the status show in the output of ipa-getcert list?

rob




On Thu, Mar 15, 2012 at 1:06 PM, Jimmy g17ji...@gmail.com wrote:



I can now start the upgraded IPA, but now going to the IPA admin page
I get this:



Not Found

The requested URL /ipa was not found on this server.






___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users










Re: [Freeipa-users] (no subject)

2012-03-15 Thread Jimmy
Still shows status: CA_UNREACHABLE

http://fpaste.org/UrTJ/

On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittenden rcrit...@redhat.com wrote:


Re: [Freeipa-users] (no subject)

2012-03-15 Thread Rob Crittenden

Jimmy wrote:

Still shows status: CA_UNREACHABLE

http://fpaste.org/UrTJ/


If there was an Internal Server Error there should be an error in the 
Apache error log or something in the CA debug/transaction log (or both). 
Can you check those?


rob



On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittenden rcrit...@redhat.com wrote:



Re: [Freeipa-users] (no subject)

2012-03-15 Thread Jimmy
error log: http://fpaste.org/efyf/

CA debug: http://fpaste.org/LemM/

CA localhost log: http://fpaste.org/q4MU/

That's all I can find that corresponds to the time I ran the getcert.

Jimmy
On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 Still shows status: CA_UNREACHABLE

 http://fpaste.org/UrTJ/


 If there was an Internal Server Error there should be an error in the Apache
 error log or something in the CA debug/transaction log (or both). Can you
 check those?

 rob




Re: [Freeipa-users] (no subject)

2012-03-15 Thread Rob Crittenden

Jimmy wrote:

error log: http://fpaste.org/efyf/

CA debug: http://fpaste.org/LemM/

CA localhost log: http://fpaste.org/q4MU/

That's all I can find that corresponds to the time I ran the getcert.


I'd look at the catalina.log, is dogtag coming up ok?

rob



Jimmy


Re: [Freeipa-users] (no subject)

2012-03-14 Thread Rob Crittenden

Jimmy wrote:

I changed the system date and it's functional now. I ran the command
`certutil -L -d /etc/httpd/alias -n Server-Cert` and see the expired
cert. Looking at `ipa-getcert list` I see this--

Request ID '20110913154233':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-X',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapdX//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-X',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=X
        subject: CN=csp-idm.pdh.csp,O=X
        expires: 2012-03-11 15:42:32 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes

It says CA_UNREACHABLE, but ipactl status shows the CA running. Any
ideas on why this is occurring?


The Apache error log may hold some clues. You might try:

# ipa-getcert resubmit -i 20110913154233

Then watch the Apache log to see what it is doing. The CA logs are in 
/var/log/pki-ca and may provide some details as well.


rob



On Wed, Mar 14, 2012 at 1:35 PM, Jimmy g17ji...@gmail.com wrote:

My IPA server just stopped working with this error. I'm looking in to
it, but if anyone knows what the issue is right off I'd appreciate any
pointers you have.

(when trying to do service ipa start)
Starting dirsrv:
    PDH-CSP...[14/Mar/2012:17:24:34 +] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8181 - Peer's Certificate has expired.)
                                                           [  OK  ]
    PKI-IPA...[14/Mar/2012:17:24:36 +] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8181 - Peer's Certificate has expired.)
                                                           [  OK  ]


I'm running on Fedora15, running IPA -- freeipa-server-2.1.1-1.fc15.x86_64.
Thanks.



Re: [Freeipa-users] (no subject)

2012-03-14 Thread Jimmy
I can set the date to before 3/12 (the cert expiry date) and things
start just fine. The Apache logs don't seem to hold much info other
than that the cert is expired. CA logs have even less info.

I did find a similar issue on the mailing list -
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/3104 - but I
don't see a resolution, I don't see how the cert is supposed to get
renewed.

On Wed, Mar 14, 2012 at 2:22 PM, Rob Crittenden rcrit...@redhat.com wrote:


Re: [Freeipa-users] (no subject)

2012-03-14 Thread Jimmy
I set the date back and ran the command and this is what I see in the
httpd log. The ca directory does not exist, I verified it as missing.
Any idea why this is? Did I miss something in the install of IPA?

[Sun Jan 01 00:20:46 2012] [error] ipa: INFO: sslget
'https://XX:443/ca/agent/ca/displayBySerial'
[Sun Jan 01 00:20:46 2012] [error] [client 192.168.201.102] File does
not exist: /var/www/html/ca
[Sun Jan 01 00:20:46 2012] [error] ipa: INFO: host/@XX:
cert_request(u'[base64 CSR elided]',
principal=u'ldap/@XXX', add=True): CertificateOperationError


On Wed, Mar 14, 2012 at 3:09 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Jimmy wrote:

 I can set the date to before 3/12(the cert expiry date) and things
 start just fine. The apache logs don't seem to hold much info other
 than the cert is expired. CA logs have even less info.

 I did find a similar issue on the mailing list -
 http://comments.gmane.org/gmane.linux.redhat.freeipa.user/3104 - but I
 don't see a resolution, I don't see how the cert is supposed to get
 renewed.


 certmonger is supposed to automatically renew it. It apparently tried and
 failed because the CA was unreachable. If you set the date back again and
 execute this command it will resubmit the request and perhaps the logs will
 contain the details we need.


 rob



Re: [Freeipa-users] (no subject)

2012-03-14 Thread Stephen Ingram
On Wed, Mar 14, 2012 at 12:22 PM, Jimmy g17ji...@gmail.com wrote:
 I set the date back and ran the command and this is what I see in the
 httpd log. The ca directory does not exist, I verified it as missing.
 Any idea why this is? Did I miss something in the install of IPA?


Are you sure you are not missing some of your config
files? (/etc/httpd/conf.d/ipa-pki-proxy.conf) There is no
/var/www/html/ca. Your httpd config should redirect this to the
certificate server.

Steve


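The two checks this thread converges on, certmonger's request stuck on a 404 from the CA and Apache serving /ca from its document root because nothing proxies it, as an added Python triage helper that is not part of the thread or of FreeIPA. The sample inputs are constructed from the output quoted above; the `as_utc` helper and the 28-day warning threshold are my own assumptions.

```python
"""Triage helper for the certmonger / IPA CA symptoms discussed in this thread.

Added example, not part of the thread or of FreeIPA. It parses `ipa-getcert
list` output in the format quoted above and scans httpd error_log lines for
the two signatures the thread identifies: certmonger's request failing with
"Unable to communicate with CMS (Not Found)", and Apache serving /ca from its
document root because no proxy rule (ipa-pki-proxy.conf) sends it to the CA.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed from the ipa-getcert list output quoted in the thread.
SAMPLE_GETCERT = """\
Request ID '20110913154233':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)).
        stuck: yes
        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-X',nickname='Server-Cert'
        certificate:
type=NSSDB,location='/etc/dirsrv/slapd-X',nickname='Server-Cert'
        CA: IPA
        issuer: CN=Certificate Authority,O=X
        subject: CN=csp-idm.pdh.csp,O=X
        expires: 2012-03-11 15:42:32 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes
"""

# Constructed from the httpd error_log lines quoted in the thread.
SAMPLE_ERROR_LOG = """\
[Sun Jan 01 00:20:46 2012] [error] ipa: INFO: sslget 'https://XX:443/ca/agent/ca/displayBySerial'
[Sun Jan 01 00:20:46 2012] [error] [client 192.168.201.102] File does not exist: /var/www/html/ca
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([\w -]+):\s?(.*)$")
# Apache only looks for /ca under its docroot when no proxy rule has claimed it.
MISSING_PROXY_RE = re.compile(r"File does not exist: (/var/www/html/ca\S*)")
CMS_404 = "Unable to communicate with CMS (Not Found)"


def as_utc(day):
    """Turn 'YYYY-MM-DD' into an aware UTC datetime (helper for callers)."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per tracked request; wrapped values are joined back."""
    requests, current, last_key = [], None, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            last_key = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key is not None:
            # Unindented line: continuation of the previous value (ca-error, storage).
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return requests


def triage_requests(requests, now, warn_days=28):
    """Return (code, detail) findings; warn_days is an assumed threshold."""
    findings = []
    for r in requests:
        rid = r["request_id"]
        if r.get("stuck") == "yes" or r.get("status") == "CA_UNREACHABLE":
            findings.append(("STUCK", f"{rid}: status {r.get('status')}, renewal is not progressing"))
        if CMS_404 in r.get("ca-error", ""):
            findings.append(("CA_404", f"{rid}: IPA got a 404 from the CA URL; check the httpd /ca proxy"))
        if "expires" in r:
            expires = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S %Z")
            expires = expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                findings.append(("EXPIRED", f"{rid}: certificate expired {r['expires']}"))
            elif expires - now <= timedelta(days=warn_days):
                findings.append(("EXPIRING", f"{rid}: expires in {(expires - now).days} days"))
    return findings


def scan_error_log(text):
    """Return (code, detail) findings for /ca requests that hit the docroot."""
    hits = (MISSING_PROXY_RE.search(line) for line in text.splitlines())
    return [("MISSING_PROXY", f"httpd served {m.group(1)} as a file; /ca should be proxied to the CA")
            for m in hits if m]


def triage(getcert_text, error_log_text, now):
    """Combine both sources into one list of (code, detail) findings."""
    return triage_requests(parse_getcert_list(getcert_text), now) + scan_error_log(error_log_text)


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_GETCERT, SAMPLE_ERROR_LOG, datetime.now(timezone.utc)):
        print(f"{code:14} {detail}")
```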

Re: [Freeipa-users] (no subject)

2012-03-14 Thread Stephen Ingram
On Wed, Mar 14, 2012 at 12:41 PM, Jimmy g17ji...@gmail.com wrote:
 Good call Stephen. The /etc/httpd/conf.d/ipa-pki-proxy.conf is
 missing. I'm not sure how that is missing. Was there a separate step
 for the IPA install that took care of the CA? It's been 6 months since
 I installed so I don't remember right off.

It's part of the freeipa-server package. I noticed that you are
running version 2.1.1 of ipa. 2.1.4 is the latest in the non-devel
repos. You might want to try a yum update as you might have other
differing packages as well. Make sure you read about the changes in
2.1.4 which might affect machines you have already enrolled.

Steve



Re: [Freeipa-users] (no subject)

2012-03-14 Thread Jimmy
Ok, I upgraded and that didn't go so well, now IPA doesn't start:

service ipa start
Starting Directory Service
Starting dirsrv:
XX... [  OK  ]
PKI-IPA... [  OK  ]
Failed to read data from Directory Service: Failed to get list of
services to probe status!
Configured hostname 'X' does not match any master server in LDAP:
No master found because of error: {'matched': 'dc=XXX,dc=XXX', 'desc':
'No such object'}
Shutting down
Shutting down dirsrv:
XX... [  OK  ]
PKI-IPA... [  OK  ]

*BUT* /etc/httpd/conf.d/ipa-pki-proxy.conf exists now...

On Wed, Mar 14, 2012 at 3:47 PM, Stephen Ingram sbing...@gmail.com wrote:


Re: [Freeipa-users] (no subject)

2012-03-14 Thread Jimmy
In response to the last two suggestions, here's what I see:

hostname
ipa.abc.xyz

/etc/hosts:
192.168.201.102 ipa.abc.xyz ipa

ldapsearch -x -b cn=masters,cn=ipa,cn=etc,dc=abc,dc=xyz
# extended LDIF
#
# LDAPv3
# base cn=masters,cn=ipa,cn=etc,dc=abc,dc=xyz with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
matchedDN: dc=abc,dc=xyz

# numResponses: 1



Re: [Freeipa-users] (no subject)

2012-03-14 Thread Rich Megginson

On 03/14/2012 02:45 PM, Jimmy wrote:


rpm -qi 389-ds-base




Re: [Freeipa-users] (no subject)

2012-03-14 Thread Jimmy
 rpm -qi 389-ds-base
Name: 389-ds-base
Version : 1.2.10.3
Release : 1.fc15
Architecture: x86_64
Install Date: Wed 04 Jan 2012 12:06:20 AM UTC
Group   : System Environment/Daemons
Size: 4816676
License : GPLv2 with exceptions
Signature   : RSA/SHA256, Wed 07 Mar 2012 09:47:47 PM UTC, Key ID
b4ebf579069c8460
Source RPM  : 389-ds-base-1.2.10.3-1.fc15.src.rpm
Build Date  : Mon 05 Mar 2012 10:50:10 PM UTC
Build Host  : x86-11.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager: Fedora Project
Vendor  : Fedora Project
URL : http://port389.org/
Summary : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server.  The base package includes
the LDAP server and command line utilities for server administration.

On Wed, Mar 14, 2012 at 4:45 PM, Rich Megginson rmegg...@redhat.com wrote:


Re: [Freeipa-users] (no subject)

2012-03-14 Thread Rich Megginson

On 03/14/2012 02:49 PM, Jimmy wrote:



dbscan -f /var/lib/dirsrv/slapd-YOUR-DOMAIN/db/userRoot/entryrdn.db4|grep cn=etc


On Wed, Mar 14, 2012 at 4:45 PM, Rich Megginsonrmegg...@redhat.com  wrote:

On 03/14/2012 02:45 PM, Jimmy wrote:

In response to the last to suggestions, here's what I see:

hostname
ipa.abc.xyz

/etc/hosts:
192.168.201.102 ipa.abc.xyz ipa

ldapsearch -x -b cn=masters,cn=ipa,cn=etc,dc=abc,dc=xyz
# extended LDIF
#
# LDAPv3
# basecn=masters,cn=ipa,cn=etc,dc=abc,dc=xyzwith scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
matchedDN: dc=abc,dc=xyz

rpm -qi 389-ds-base


# numResponses: 1




Re: [Freeipa-users] (no subject)

2012-03-14 Thread Jimmy
This doesn't appear to be very good. If I drop the `grep` I see the
data I would expect to see.

dbscan -f /var/lib/dirsrv/slapd-YOUR-DOMAIN/db/userRoot/entryrdn.db4|grep cn=etc
22:cn=etc
  ID: 22; RDN: cn=etc; NRDN: cn=etc
  ID: 22; RDN: cn=etc; NRDN: cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
  ID: 22; RDN: cn=etc; NRDN: cn=etc
  ID: 22; RDN: cn=etc; NRDN: cn=etc
  ID: 22; RDN: cn=etc; NRDN: cn=etc
  ID: 22; RDN: cn=etc; NRDN: cn=etc
P22:cn=etc
  ID: 22; RDN: cn=etc; NRDN: cn=etc
  ID: 22; RDN: cn=etc; NRDN: cn=etc
  ID: 22; RDN: cn=etc; NRDN: cn=etc
  ID: 22; RDN: cn=etc; NRDN: cn=etc



Re: [Freeipa-users] (no subject)

2012-03-14 Thread Rich Megginson

On 03/14/2012 03:05 PM, Jimmy wrote:

This doesn't appear to be very good. If I drop the `grep` I see the
data I would expect to see.

dbscan -f /var/lib/dirsrv/slapd-YOUR-DOMAIN/db/userRoot/entryrdn.db4|grep cn=etc
22:cn=etc
   ID: 22; RDN: cn=etc; NRDN: cn=etc
   ID: 22; RDN: cn=etc; NRDN: cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
   ID: 22; RDN: cn=etc; NRDN: cn=etc
   ID: 22; RDN: cn=etc; NRDN: cn=etc
   ID: 22; RDN: cn=etc; NRDN: cn=etc
   ID: 22; RDN: cn=etc; NRDN: cn=etc
P22:cn=etc
   ID: 22; RDN: cn=etc; NRDN: cn=etc
   ID: 22; RDN: cn=etc; NRDN: cn=etc
   ID: 22; RDN: cn=etc; NRDN: cn=etc
   ID: 22; RDN: cn=etc; NRDN: cn=etc

find /var/lib/dirsrv/slapd-YOUR-DOMAIN/db -name DBVERSION -exec cat {} \;



Re: [Freeipa-users] (no subject)

2012-03-14 Thread Jimmy
bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514



Re: [Freeipa-users] (no subject)

2012-03-14 Thread Rich Megginson

On 03/14/2012 03:13 PM, Jimmy wrote:

bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
It appears that the entryrdn upgrade didn't work.  Can you sanitize your 
/var/log/dirsrv/slapd-DOMAIN/errors file and post it to fpaste.org?




Re: [Freeipa-users] (no subject)

2012-03-14 Thread Rich Megginson

On 03/14/2012 03:26 PM, Jimmy wrote:

http://fpaste.org/nSWh/
Thanks.  Looks like you are going to have to export your database to 
ldif, re-import it, and then re-initialize all of your replicas.


http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases-Exporting_Data.html

For ipa, the scripts are in /var/lib/dirsrv/scripts-YOUR-DOMAIN

For ipa, your database is userRoot (so -n userRoot)

so first, do db2ldif, then ldif2db, then use ipa-replica-manage to 
reinitialize all of your replicas


Here ya go
Jimmy

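Rich's export, re-import, re-initialize sequence as an added shell example (not code from the thread, FreeIPA or 389-ds): it wraps the instance's db2ldif and ldif2db scripts and ipa-replica-manage, and checks the exported LDIF for the entry that ldapsearch could not find before re-importing, because an export that lacks the entry cannot bring it back. SCRIPTS_DIR, BACKEND and ENTRY_DN are assumed values taken from the thread, and the directory server instance must be stopped by the operator before ldif2db runs.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/389-ds.
# Assumed values (taken from the thread): the instance scripts directory,
# the userRoot backend and the DN that ldapsearch reported as missing.
SCRIPTS_DIR="${SCRIPTS_DIR:-/var/lib/dirsrv/scripts-YOUR-DOMAIN}"
BACKEND="${BACKEND:-userRoot}"
ENTRY_DN="${ENTRY_DN:-cn=masters,cn=ipa,cn=etc,dc=abc,dc=xyz}"

# Export the backend to an LDIF file with the instance's db2ldif script.
export_backend() {
    "$SCRIPTS_DIR/db2ldif" -n "$BACKEND" -a "$1"
}

# Check the export before trusting it: the file must be non-empty, hold at
# least one entry, and contain the DN that was missing from the live tree.
# Returns 0 when all checks pass. A DN that db2ldif base64-encodes
# ("dn:: ...") will not match this plain-text comparison.
ldif_contains_entry() {
    [ -s "$1" ] || return 1
    [ "$(grep -c '^dn: ' "$1")" -gt 0 ] || return 1
    grep -qi "^dn: $2\$" "$1"
}

# Re-import the checked LDIF with ldif2db (instance must be stopped).
import_backend() {
    "$SCRIPTS_DIR/ldif2db" -n "$BACKEND" -i "$1"
}

# Re-initialize every replica from the repaired master; stop on the first
# failure. The trailing hostname selects the replica to operate on and
# defaults to the local host when omitted.
reinit_replicas() {
    master="$1"
    shift
    for replica in "$@"; do
        ipa-replica-manage re-initialize --from "$master" "$replica" || return 1
    done
}

# Whole sequence: export, verify, import, then re-initialize the replicas.
# Usage: repair_backend /root/userRoot.ldif master.abc.xyz replica1.abc.xyz ...
repair_backend() {
    ldif="$1"
    shift
    export_backend "$ldif" || return 1
    ldif_contains_entry "$ldif" "$ENTRY_DN" || {
        echo "export lacks $ENTRY_DN, not importing" >&2; return 1; }
    import_backend "$ldif" || return 1
    reinit_replicas "$@"
}
```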


Re: [Freeipa-users] (no subject)

2010-07-28 Thread Dmitri Pal
Juan José Inchausti wrote:
 Hi all,

 I was looking for Penrose and arrived here! I'm facing a big LDAP project
 that involves two LDAPs, #users about 750.000, and I think Penrose would
 be the right choice. Is Penrose a part of freeipa???

It is not at the moment. Penrose is more a migration tool from NIS to
IPA for now.

  May I use Penrose as
 a standalone component??? 

Yes

 My apps must access the information stored in
 the two big LDAPs, but they only have to look at one LDAP, so I wonder if
 ipa can help me, or I have only to use Penrose.
   
If your applications use identities provided by NSS via nsswitch you can
use SSSD and configure it to get identities from the two LDAP sources.
Can you please be more specific about the use cases you have? Do you
need to do searches against the two LDAP servers, or is it just user identity
and authentication?
Are your applications web applications?


 Thanks in advance



-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] (no subject)

2010-07-28 Thread Juan José Inchausti
Hi Dmitri,

First of all, thanks for your quick answer...

Well, my apps are web apps.
For the moment, it's only identity and authentication, but my customer
would not like to close any doors at this point. In the future, it will be
possible to get some statistics from the data stored in the LDAPs
(geographic criteria, for instance).
So, right now, we are starting to think about the whole
architecture of the solution, and I would like to use a virtual directory
like Penrose, because I think it would give us some flexibility that I don't
want to lack in the future.

Regards







