Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Jeff Goddard
I guess my issue is totally different then, as the files I have contain the
correct values. I'll resubmit a new email with the correct subject line so
as to start fresh.

Thanks,

Jeff

On Thu, Jan 5, 2017 at 7:22 AM, Brian J. Murrell wrote:

> On Wed, 2017-01-04 at 16:21 -0500, Jeff Goddard wrote:
> > I don't want to hijack someone else's thread but I'm having what
> > appears to
> > be the same problem and have not seen a solution presented yet.
>
> The problem and solution were presented.  These two messages basically
> embody the problem I had:
>
> https://www.redhat.com/archives/freeipa-users/2016-December/msg00310.html
> https://www.redhat.com/archives/freeipa-users/2016-December/msg00397.html
>
> Cheers,
> b.
>



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Brian J. Murrell
On Wed, 2017-01-04 at 16:21 -0500, Jeff Goddard wrote:
> I don't want to hijack someone else's thread but I'm having what
> appears to
> be the same problem and have not seen a solution presented yet.

The problem and solution were presented.  These two messages basically
embody the problem I had:

https://www.redhat.com/archives/freeipa-users/2016-December/msg00310.html
https://www.redhat.com/archives/freeipa-users/2016-December/msg00397.html

Cheers,
b.



Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Jeff Goddard
Running the command displays no output.

Here is the config file output:

# This file is sourced by dirsrv upon startup to set
# the default environment for all directory server instances.
# To set instance specific defaults, use the file in the same
# directory called dirsrv-instance where "instance"
# is the name of your directory server instance e.g.
# dirsrv-localhost for the slapd-localhost instance.

# This file is in systemd EnvironmentFile format - see man systemd.exec

# In order to make more file descriptors available
# to the directory server, first make sure the system
# hard limits are raised, then use ulimit - uncomment
# out the following line and change the value to the
# desired value
# ulimit -n 8192
# note - if using systemd, ulimit won't work -  you must edit
# the systemd unit file for directory server to add the
# LimitNOFILE option - see man systemd.exec for more info

# A per instance keytab does not make much sense for servers.
# Kerberos clients use the machine FQDN to obtain a ticket like ldap/FQDN, there
# is nothing that can make a client understand how to get a per-instance ticket.
# Therefore by default a keytab should be considered a per server option.

# Also this file is sourced for all instances, so again all
# instances would ultimately get the same keytab.

# Finally a keytab is normally named either krb5.keytab or .keytab

# In order to use SASL/GSSAPI (Kerberos) the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
# if using systemd, omit the "; export VARNAME" at the end

# how many seconds to wait for the startpid file to show
# up before we assume there is a problem and fail to start
# if using systemd, omit the "; export VARNAME" at the end
#STARTPID_TIME=10 ; export STARTPID_TIME
# how many seconds to wait for the pid file to show
# up before we assume there is a problem and fail to start
# if using systemd, omit the "; export VARNAME" at the end
#PID_TIME=600 ; export PID_TIME
KRB5CCNAME=/tmp/krb5cc_389
KRB5_KTNAME=/etc/dirsrv/ds.keytab

I tried reinstalling with ipa-dns-install and it failed with errors. From
the logs it looks like it sets resolv.conf to 127.0.0.1 and then tries to
do lookups and fails. Here are selections from the logs:

2017-01-05T13:13:47Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG   duration: 0 seconds
2017-01-05T13:13:47Z DEBUG   [4/8]: setting up kerberos principal
2017-01-05T13:13:47Z DEBUG Starting external process
2017-01-05T13:13:47Z DEBUG args=kadmin.local -q addprinc -randkey DNS/
id-management-2.internal.emerlyn@internal.emerlyn.com -x
ipa-setup-override-restrictions
2017-01-05T13:13:47Z DEBUG Process finished, return code=0
2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/
ad...@internal.emerlyn.com with password.

2017-01-05T13:13:47Z DEBUG stderr=WARNING: no policy specified for DNS/
id-management-2.internal.emerlyn@internal.emerlyn.com; defaulting to no
policy
add_principal: Principal or policy already exists while creating "DNS/
id-management-2.internal.emerlyn@internal.emerlyn.com".

2017-01-05T13:13:47Z DEBUG Backing up system configuration file
'/etc/named.keytab'
2017-01-05T13:13:47Z DEBUG Saving Index File to
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-05T13:13:47Z DEBUG Starting external process
2017-01-05T13:13:47Z DEBUG args=kadmin.local -q ktadd -k /etc/named.keytab
DNS/id-management-2.internal.emerlyn@internal.emerlyn.com -x
ipa-setup-override-restrictions
2017-01-05T13:13:47Z DEBUG Process finished, return code=0
2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/
ad...@internal.emerlyn.com with password.
Entry for principal DNS/
id-management-2.internal.emerlyn@internal.emerlyn.com with kvno 7,
encryption type aes256-cts-hmac-sha1-96 added to keytab
WRFILE:/etc/named.keytab.
Entry for principal DNS/
id-management-2.internal.emerlyn@internal.emerlyn.com with kvno 7,
encryption type aes128-cts-hmac-sha1-96 added to keytab
WRFILE:/etc/named.keytab.
Entry for principal DNS/
id-management-2.internal.emerlyn@internal.emerlyn.com with kvno 7,
encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/
id-management-2.internal.emerlyn@internal.emerlyn.com with kvno 7,
encryption type arcfour-hmac added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/
id-management-2.internal.emerlyn@internal.emerlyn.com with kvno 7,
encryption type camellia128-cts-cmac added to keytab
WRFILE:/etc/named.keytab.
Entry for principal DNS/
id-management-2.internal.emerlyn@internal.emerlyn.com with 

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Martin Basti




Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-04 Thread Jeff Goddard
I don't want to hijack someone else's thread but I'm having what appears to
be the same problem and have not seen a solution presented yet.

Here is the output of journalctl -xe after having tried to start named:

Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
loading configuration from '/etc/named.conf'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
reading built-in trusted keys from file '/etc/named.iscdlv.key'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
using default UDP/IPv4 port range: [1024, 65535]
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
using default UDP/IPv6 port range: [1024, 65535]
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
listening on IPv6 interfaces, port 53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
listening on IPv4 interface lo, 127.0.0.1#53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
listening on IPv4 interface ens32, 10.73.100.31#53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
generating session key for dynamic DNS
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
sizing zone task pool based on 6 zones
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
set up managed keys zone for view _default, file
'/var/named/dynamic/managed-keys.bind'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler
4.8.5 20150623 (Red Hat 4.8.5-11)
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
option 'serial_autoincrement' is not supported, ignoring
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI
server step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI
server step 2
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
GSSAPI client step 2
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI
server step 3
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
LDAP error: Invalid credentials: bind to LDAP server failed
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
couldn't establish connection in LDAP connection pool: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
dynamic database 'ipa' configuration failed: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
loading configuration: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
exiting (due to fatal error)
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]:
named-pkcs11.service: control process exited, code=exited status=1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Failed to
start Berkeley Internet Name Domain (DNS) with native PKCS#11.
-- Subject: Unit named-pkcs11.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit named-pkcs11.service has failed.
--
-- The result is failed.
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Unit
named-pkcs11.service entered failed state.
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]:
named-pkcs11.service failed.
Jan 04 15:48:42 id-management-2.internal.emerlyn.com polkitd[949]:
Unregistered Authentication Agent for unix-process:3936:380486 (system bus
name :1.59, object path /org/freedesktop/Policy

Here are the last four entries of /var/log/dirsrv/slapd-*/access |grep
ipa-dnskeysyncdcat:

[04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH
base="dc=internal,dc=emerlyn,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ipa-dnskeysyncd/
id-management-2.internal.emerlyn@internal.emerlyn.com
)(krbPrincipalName:caseIgnoreIA5Match:=ipa-dnskeysyncd/
id-management-2.internal.emerlyn@internal.emerlyn.com)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-30 Thread Brian J. Murrell
[ Sent just to the list.  Hopefully Martin is on it. ]

On Thu, 2016-12-22 at 10:06 +0100, Martin Babinsky wrote:
> 
> Hi Brian,

Hi Martin,

> DS should use /etc/sysconfig/dirsrv to set its KRB5_KTNAME env
> variable 
> to /etc/dirsrv/ds.keytab.

Ah-ha!

This was the problem.  When I upgraded from 4.2 to 4.4 as part of my
CentOS upgrade I pulled up the config file changes (i.e. those usually
in .rpmnew file) because I like to keep the config files up-to-date
with the package.  But when I did so, the KRB5_KTNAME setting got
dropped.  :-(

> Can you please verify that /etc/sysconfig/dirsrv file exists and that
> it 
> contains the following lines?:
> 
> KRB5_CCNAME=/tmp/krb5cc_389

This is actually KRB5CCNAME in my config file.

> KRB5_KTNAME=/etc/dirsrv/ds.keytab
> 
> 
> If not, please add this line to the file, restart dirsrv and try IPA 
> commands again.

That worked.  Thanks so much!

Cheers,
b.


Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-22 Thread Simo Sorce
On Thu, 2016-12-22 at 08:24 +0100, Petr Spacek wrote:
> On 21.12.2016 21:36, Brian J. Murrell wrote:
> > Some additional information.  I can't seem to use the CLI either. 
> > Perhaps that is expected:
> > 
> > # kinit admin
> > Password for ad...@example.com:
> > 
> > # klist
> > Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m
> > Default principal: ad...@example.com
> > 
> > Valid starting       Expires            Service principal
> > 21/12/16 15:29:20  22/12/16 15:29:17  krbtgt/example@example.com
> > 
> > # ipa host-find
> > ipa: ERROR: Insufficient access:  Invalid credentials
> > 
> > When I do that (the ipa host-find) /var/log/krb5kdc.log says:
> > 
> > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes 
> > {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 
> > 1482352160, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for 
> > HTTP/server.example@example.com
> > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
> > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes 
> > {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 
> > 1482352160, etypes {rep=18 tkt=18 ses=18}, 
> > HTTP/server.example@example.com for ldap/server.example@example.com
> > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): ... 
> > CONSTRAINED-DELEGATION s4u-client=ad...@example.com
> > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
> > 
> > Not sure if that's helpful or not but it's something new (to me) so I
> > thought I would add it to the case.
> > 
> > Most unfortunately I need to access IPA to do some configuration
> > changes so this is getting more unfortunate than just some errors in a
> > log now.  :-(
> 
> Yes, this will be manifestation of the same problem. Interestingly the LDAP
> server should use the ds.keytab file instead of krb5.keytab.
> 
> We need someone from the DS team or with deep Kerberos/gssproxy knowledge to look
> into it.
> 
> Simo, Ludwig, how can this happen?

As Martin said, incorrect configuration of DS makes it fall back to use
the default keytab. Either /etc/sysconfig/dirsrv or the DS systemd unit
file must specify the correct keytab in the KRB5_KTNAME environment
variable.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-22 Thread Martin Babinsky

On 12/21/2016 07:22 PM, Brian J. Murrell wrote:
> On Wed, 2016-12-21 at 17:50 +0100, Petr Spacek wrote:
> > Okay, I believe that this is the problem:
> > 
> > On 21.12.2016 15:53, Brian J. Murrell wrote:
> > > [21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107
> > > connection from local to /var/run/slapd-EXAMPLE.COM.socket
> > 
> > ...
> > > [21/Dec/2016:09:39:12.064476101 -0500] conn=77028 op=0 BIND dn=""
> > > method=sasl version=3 mech=GSSAPI
> > > [21/Dec/2016:09:39:12.067486416 -0500] conn=77028 op=0 RESULT
> > > err=49 tag=97 nentries=0 etime=0 - SASL(-1): generic failure:
> > > GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
> > > information (Permission denied)
> > > [21/Dec/2016:09:39:12.192506861 -0500] conn=77028 op=1 UNBIND
> > > [21/Dec/2016:09:39:12.192549740 -0500] conn=77028 op=1 fd=107
> > > closed - U1
> > 
> > I have no idea why it is returning Permission denied.
> > 
> > Is it reproducible when you run this?
> > $ kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
> > ipa-dnskeysyncd/server.example.com
> > $ ldapsearch -Y GSSAPI -H /var/run/slapd-EXAMPLE.COM.socket
> > ?
> 
> # klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: ipa-dnskeysyncd/server.example@example.com
> 
> Valid starting       Expires            Service principal
> 21/12/16 13:05:16  22/12/16 13:02:12  ldap/server.example@example.com
> 21/12/16 13:02:12  22/12/16 13:02:12  krbtgt/example@example.com
> 
> # ldapsearch -Y GSSAPI -H ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE.COM.socket
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> 
> > We need to find out why it is blowing up on GSSAPI negotiation.
> > 
> > Wild guess is that /etc/dirsrv/ds.keytab could have wrong
> > permissions. It should have
> > -rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0
> 
> # ls -lZ /etc/dirsrv/ds.keytab
> -rw-------. dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 /etc/dirsrv/ds.keytab
> 
> > If you manage to reproduce it, you can attach strace to the running
> > dirsrv
> 
> By that I assume you mean the ns-slapd.
> 
> The strace (minus poll/select/futex noise) is attached.
> 
> > process and see what call is failing (if it is a system call)...
> 
> Perhaps this one:
> 
> [pid 13449] open("/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)
> 
> # ls -lZ /etc/krb5.keytab
> -rw-------. root root system_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab
> 
> But looking into the backup of this system, even a week and a month
> ago, that file had the same permissions/ownership.  And changing it to
> 644 temporarily doesn't fix the "ldap_sasl_interactive_bind_s: Invalid
> credentials (49)" from ldapsearch.
> 
> Cheers,
> b.


Hi Brian,

DS should use /etc/sysconfig/dirsrv to set its KRB5_KTNAME env variable 
to /etc/dirsrv/ds.keytab. I guess that it cannot get this info from the 
file, thus it falls back to Kerberos library default which is 
/etc/krb5.keytab. That obviously fails because it is accessible only to 
root and contains keys only to host/, nfs/, and cifs/ (if you have 
Samba) principals.


Can you please verify that /etc/sysconfig/dirsrv file exists and that it 
contains the following lines?:


KRB5_CCNAME=/tmp/krb5cc_389
KRB5_KTNAME=/etc/dirsrv/ds.keytab


If not, please add this line to the file, restart dirsrv and try IPA 
commands again.


--
Martin^3 Babinsky
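A check for the failure mode diagnosed in this thread, added here as an example and not code from any of the participants or from FreeIPA: it reads an EnvironmentFile the way systemd does, reports whether KRB5_KTNAME points at /etc/dirsrv/ds.keytab, appends the line when it is missing, and verifies the keytab's mode and ownership. The paths and expected values come from the messages above; the function names and the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example. 389 DS reads /etc/sysconfig/dirsrv as a systemd EnvironmentFile;
# when KRB5_KTNAME is not set there, libkrb5 falls back to /etc/krb5.keytab
# (root-only, no ldap/ key) and every GSSAPI bind ends in "Invalid credentials (49)".

EXPECTED_KEYTAB=/etc/dirsrv/ds.keytab

# get_env_value FILE KEY: print KEY's value as systemd would read it
# (comment lines skipped, last assignment wins, "; export KEY" suffix and quotes dropped).
get_env_value() {
    _file=$1; _key=$2
    [ -r "$_file" ] || return 1
    sed -n "s/^[[:space:]]*${_key}=\([^;]*\).*/\1/p" "$_file" \
        | tail -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# check_dirsrv_keytab FILE: 0 if KRB5_KTNAME points at the DS keytab, 1 otherwise.
check_dirsrv_keytab() {
    _f=$1
    if ! _kt=$(get_env_value "$_f" KRB5_KTNAME); then
        echo "FAIL: $_f is missing or unreadable"; return 1
    fi
    if [ -z "$_kt" ]; then
        echo "FAIL: KRB5_KTNAME not set in $_f; DS will fall back to /etc/krb5.keytab"; return 1
    fi
    if [ "$_kt" != "$EXPECTED_KEYTAB" ]; then
        echo "FAIL: KRB5_KTNAME=$_kt in $_f, expected $EXPECTED_KEYTAB"; return 1
    fi
    echo "OK: KRB5_KTNAME=$_kt"
}

# ensure_env_value FILE KEY VALUE: append KEY=VALUE unless the file already yields it.
# Appending is enough because the last assignment wins; dirsrv must be restarted afterwards.
ensure_env_value() {
    _f=$1; _k=$2; _v=$3
    _cur=$(get_env_value "$_f" "$_k" 2>/dev/null) || _cur=
    [ "$_cur" = "$_v" ] && return 0
    printf '%s=%s\n' "$_k" "$_v" >> "$_f"
}

# keytab_mode FILE: the 10-character mode from ls -l, without the SELinux/ACL marker
# ("-rw-------." becomes "-rw-------").
keytab_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_keytab_perms FILE OWNER GROUP: 0 when the mode is -rw------- and owner/group match,
# which is what the thread expects for /etc/dirsrv/ds.keytab (dirsrv:dirsrv).
check_keytab_perms() {
    _f=$1; _owner=$2; _group=$3
    [ -e "$_f" ] || { echo "FAIL: $_f does not exist"; return 1; }
    set -- $(ls -ld "$_f")   # $1 mode, $3 owner, $4 group
    _mode=$(printf '%s' "$1" | cut -c1-10)
    if [ "$_mode" != "-rw-------" ] || [ "$3" != "$_owner" ] || [ "$4" != "$_group" ]; then
        echo "FAIL: $_f is $_mode $3:$4, expected -rw------- $_owner:$_group"; return 1
    fi
    echo "OK: $_f is $_mode $3:$4"
}

# Demo on constructed sample files (not the real system files) so it runs anywhere.
demo() {
    _d=$(mktemp -d)
    # Like the file Jeff posted: both variables present.
    printf 'KRB5CCNAME=/tmp/krb5cc_389\nKRB5_KTNAME=/etc/dirsrv/ds.keytab\n' > "$_d/dirsrv.good"
    # Like Brian's file after the .rpmnew merge: KRB5_KTNAME dropped.
    printf '#STARTPID_TIME=10 ; export STARTPID_TIME\nKRB5CCNAME=/tmp/krb5cc_389\n' > "$_d/dirsrv.bad"
    check_dirsrv_keytab "$_d/dirsrv.good" || true
    check_dirsrv_keytab "$_d/dirsrv.bad"  || true
    ensure_env_value "$_d/dirsrv.bad" KRB5_KTNAME "$EXPECTED_KEYTAB"
    check_dirsrv_keytab "$_d/dirsrv.bad"  || true
    rm -rf "$_d"
}
demo
```

On a real server the calls are `check_dirsrv_keytab /etc/sysconfig/dirsrv` and `check_keytab_perms /etc/dirsrv/ds.keytab dirsrv dirsrv`, followed by a dirsrv restart after any change.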



Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Petr Spacek
On 21.12.2016 21:36, Brian J. Murrell wrote:
> Some additional information.  I can't seem to use the CLI either. 
> Perhaps that is expected:
> 
> # kinit admin
> Password for ad...@example.com:
> 
> # klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m
> Default principal: ad...@example.com
> 
> Valid starting       Expires            Service principal
> 21/12/16 15:29:20  22/12/16 15:29:17  krbtgt/example@example.com
> 
> # ipa host-find
> ipa: ERROR: Insufficient access:  Invalid credentials
> 
> When I do that (the ipa host-find) /var/log/krb5kdc.log says:
> 
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes 
> {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 
> 1482352160, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for 
> HTTP/server.example@example.com
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes 
> {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 
> 1482352160, etypes {rep=18 tkt=18 ses=18}, 
> HTTP/server.example@example.com for ldap/server.example@example.com
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): ... 
> CONSTRAINED-DELEGATION s4u-client=ad...@example.com
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
> 
> Not sure if that's helpful or not but it's something new (to me) so I
> thought I would add it to the case.
> 
> Most unfortunately I need to access IPA to do some configuration
> changes so this is getting more unfortunate than just some errors in a
> log now.  :-(

Yes, this will be manifestation of the same problem. Interestingly the LDAP
server should use the ds.keytab file instead of krb5.keytab.

We need someone from the DS team or with deep Kerberos/gssproxy knowledge to look
into it.

Simo, Ludwig, how can this happen?

-- 
Petr^2 Spacek



Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Brian J. Murrell
Some additional information.  I can't seem to use the CLI either. 
Perhaps that is expected:

# kinit admin
Password for ad...@example.com:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m
Default principal: ad...@example.com

Valid starting       Expires            Service principal
21/12/16 15:29:20  22/12/16 15:29:17  krbtgt/example@example.com

# ipa host-find
ipa: ERROR: Insufficient access:  Invalid credentials

When I do that (the ipa host-find) /var/log/krb5kdc.log says:

Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes {18 
17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 
1482352160, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for 
HTTP/server.example@example.com
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes {18 
17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 
1482352160, etypes {rep=18 tkt=18 ses=18}, HTTP/server.example@example.com 
for ldap/server.example@example.com
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): ... 
CONSTRAINED-DELEGATION s4u-client=ad...@example.com
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12

Not sure if that's helpful or not but it's something new (to me) so I
thought I would add it to the case.

Most unfortunately I need to access IPA to do some configuration
changes so this is getting more unfortunate than just some errors in a
log now.  :-(

Cheers,
b.



Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Brian J. Murrell
On Wed, 2016-12-21 at 17:50 +0100, Petr Spacek wrote:
> Okay, I believe that this is the problem:
> 
> On 21.12.2016 15:53, Brian J. Murrell wrote:
> > [21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107
> > connection from local to /var/run/slapd-EXAMPLE.COM.socket
> 
> ...
> > [21/Dec/2016:09:39:12.064476101 -0500] conn=77028 op=0 BIND dn=""
> > method=sasl version=3 mech=GSSAPI
> > [21/Dec/2016:09:39:12.067486416 -0500] conn=77028 op=0 RESULT
> > err=49 tag=97 nentries=0 etime=0 - SASL(-1): generic failure:
> > GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
> > information (Permission denied)
> > [21/Dec/2016:09:39:12.192506861 -0500] conn=77028 op=1 UNBIND
> > [21/Dec/2016:09:39:12.192549740 -0500] conn=77028 op=1 fd=107
> > closed - U1
> 
> I have no idea why it is returning Permission denied.
> 
> Is it reproducible when you run this?
> $ kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
> ipa-dnskeysyncd/server.example.com
> $ ldapsearch -Y GSSAPI -H /var/run/slapd-EXAMPLE.COM.socket
> ?

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ipa-dnskeysyncd/server.example@example.com

Valid starting       Expires            Service principal
21/12/16 13:05:16  22/12/16 13:02:12  ldap/server.example@example.com
21/12/16 13:02:12  22/12/16 13:02:12  krbtgt/example@example.com

# ldapsearch -Y GSSAPI -H ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE.COM.socket 
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

> 
> We need to find out why it is blowing up on GSSAPI negotiation.
> 
> Wild guess is that /etc/dirsrv/ds.keytab could have wrong
> permissions. It should have
> -rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0

# ls -lZ /etc/dirsrv/ds.keytab
-rw-------. dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 /etc/dirsrv/ds.keytab
 
> If you manage to reproduce it, you can attach strace to the running
> dirsrv

By that I assume you mean the ns-slapd.

The strace (minus poll/select/futex noise) is attached.

> process and see what call is failing (if it is a system call)...

Perhaps this one:

[pid 13449] open("/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)

# ls -lZ /etc/krb5.keytab
-rw-------. root root system_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab

But looking into the backup of this system, even a week and a month
ago, that file had the same permissions/ownership.  And changing it to
644 temporarily doesn't fix the "ldap_sasl_interactive_bind_s: Invalid
credentials (49)" from ldapsearch.

Cheers,
b.

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Petr Spacek
Okay, I believe that this is the problem:

On 21.12.2016 15:53, Brian J. Murrell wrote:
> [21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107 connection 
> from local to /var/run/slapd-EXAMPLE.COM.socket
...
> [21/Dec/2016:09:39:12.064476101 -0500] conn=77028 op=0 BIND dn="" method=sasl 
> version=3 mech=GSSAPI
> [21/Dec/2016:09:39:12.067486416 -0500] conn=77028 op=0 RESULT err=49 tag=97 
> nentries=0 etime=0 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS 
> failure.  Minor code may provide more information (Permission denied)
> [21/Dec/2016:09:39:12.192506861 -0500] conn=77028 op=1 UNBIND
> [21/Dec/2016:09:39:12.192549740 -0500] conn=77028 op=1 fd=107 closed - U1

I have no idea why it is returning Permission denied.

Is it reproducible when you run this?
$ kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/server.example.com
$ ldapsearch -Y GSSAPI -H ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE.COM.socket
?

We need to find out why it is blowing up on GSSAPI negotiation.

Wild guess is that /etc/dirsrv/ds.keytab could have wrong permissions. It
should have
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0

If you manage to reproduce it, you can attach strace to the running dirsrv
process and see what call is failing (if it is a system call)...

I'm CCing LDAP server gurus to see if it rings a bell.

-- 
Petr^2 Spacek

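An added example, not code from the thread or from FreeIPA/389-ds: a small Python parser for the access-log lines Petr is looking at. It groups lines by conn=, keeps the "connection from ... to ..." origin, and reports SASL binds whose RESULT is neither err=0 nor err=14 (389-ds logs err=14, "SASL bind in progress", for the intermediate steps of a GSSAPI bind), together with the server-side diagnostic that 389-ds writes after the dash and that the client never sees behind its bare "Invalid credentials (49)". The sample log is constructed from the lines quoted above, with a successful three-step GSSAPI bind over TCP added for contrast; function and field names are mine.

```python
"""Report failed SASL binds from a 389-ds/dirsrv access log.

Added example, not code from the thread or from FreeIPA/389-ds.
Lines are grouped by conn= so a failing BIND can be tied to the
'connection from ... to ...' line that says where it came from.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONN_RE = re.compile(r'connection from (?P<src>\S+) to (?P<dst>\S+)')
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)'
                     r'(?: version=\d+)?(?: mech=(?P<mech>\S+))?')
RESULT_RE = re.compile(r'op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)(?P<rest>.*)$')

LDAP_SUCCESS = 0
LDAP_SASL_BIND_IN_PROGRESS = 14   # multi-step GSSAPI bind continues; not a failure
LDAP_INVALID_CREDENTIALS = 49

# Constructed sample: the failing LDAPI bind quoted in the thread, plus a
# successful three-step GSSAPI bind over TCP for contrast.
SAMPLE_LOG = """\
[21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107 connection from local to /var/run/slapd-EXAMPLE.COM.socket
[21/Dec/2016:09:39:12.064476101 -0500] conn=77028 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Dec/2016:09:39:12.067486416 -0500] conn=77028 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Permission denied)
[21/Dec/2016:09:39:12.192506861 -0500] conn=77028 op=1 UNBIND
[21/Dec/2016:09:39:12.192549740 -0500] conn=77028 op=1 fd=107 closed - U1
[21/Dec/2016:09:39:02.124732240 -0500] conn=77025 fd=108 slot=108 connection from 10.75.22.1 to 10.75.22.247
[21/Dec/2016:09:39:02.125000000 -0500] conn=77025 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Dec/2016:09:39:02.126000000 -0500] conn=77025 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Dec/2016:09:39:02.127000000 -0500] conn=77025 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Dec/2016:09:39:02.128000000 -0500] conn=77025 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Dec/2016:09:39:02.129000000 -0500] conn=77025 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Dec/2016:09:39:02.130000000 -0500] conn=77025 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=pc.example.com,cn=computers,cn=accounts,dc=example,dc=com"
"""


def parse_access_log(text):
    """Group lines by conn id: origin plus one record per BIND op."""
    conns = defaultdict(lambda: {"src": None, "dst": None, "binds": {}})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # ignore wrapped continuation or non-log lines
        conn, rest = conns[m.group("conn")], m.group("rest")
        c = CONN_RE.search(rest)
        if c:
            conn["src"], conn["dst"] = c.group("src"), c.group("dst")
            continue
        b = BIND_RE.search(rest)
        if b:
            conn["binds"][b.group("op")] = {"dn": b.group("dn"), "method": b.group("method"),
                                           "mech": b.group("mech"), "err": None, "detail": ""}
            continue
        r = RESULT_RE.search(rest)
        if r and r.group("op") in conn["binds"]:
            bind = conn["binds"][r.group("op")]
            bind["err"] = int(r.group("err"))
            tail = r.group("rest")
            # 389-ds puts the SASL/GSSAPI diagnostic after " - "; the client never sees it
            bind["detail"] = tail.split(" - ", 1)[1].strip() if " - " in tail else ""
    return dict(conns)


def transport(conn):
    """LDAPI connections are logged as 'from local to <socket path>'."""
    return "ldapi" if conn["src"] == "local" else "tcp"


def failed_sasl_binds(text):
    """SASL binds that ended with any result other than success or 'in progress'."""
    failures = []
    for cid, conn in parse_access_log(text).items():
        for op, b in conn["binds"].items():
            if b["method"] != "sasl" or b["err"] in (None, LDAP_SUCCESS, LDAP_SASL_BIND_IN_PROGRESS):
                continue
            failures.append({"conn": cid, "op": op, "via": transport(conn), "src": conn["src"],
                             "dst": conn["dst"], "mech": b["mech"], "err": b["err"],
                             "detail": b["detail"]})
    return failures


if __name__ == "__main__":
    for f in failed_sasl_binds(SAMPLE_LOG):
        print(f"conn={f['conn']} op={f['op']} {f['via']} from {f['src']} to {f['dst']} "
              f"mech={f['mech']} err={f['err']}: {f['detail']}")
```

Point it at /var/log/dirsrv/slapd-*/access and the "(Permission denied)" in the detail field is the server-side hint to chase with strace on ns-slapd, as Petr suggests; the client side only ever gets err=49.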


Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Brian J. Murrell
On Wed, 2016-12-21 at 15:04 +0100, Petr Spacek wrote:
> 
> I'm really curious what you will find out :-)

It seems to be like this, over and over again:

[21/Dec/2016:09:39:02.124732240 -0500] conn=77025 fd=107 slot=107 connection 
from 10.75.22.1 to 10.75.22.247
[21/Dec/2016:09:39:02.125630906 -0500] conn=77025 op=0 SRCH base="" scope=0 
filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl 
supportedExtension supportedFeatures supportedLDAPVersion 
supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext 
lastusn highestcommittedusn aci"
[21/Dec/2016:09:39:02.131312941 -0500] conn=77025 op=0 RESULT err=0 tag=101 
nentries=1 etime=0
[21/Dec/2016:09:39:02.138517633 -0500] conn=75097 op=14926 SRCH 
base="dc=example,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/pc.example@example.com)(krbPrincipalName:caseIgnoreIA5Match:=host/pc.example@example.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[21/Dec/2016:09:39:02.140094769 -0500] conn=75097 op=14926 RESULT err=0 tag=101 
nentries=1 etime=0
[21/Dec/2016:09:39:02.140571682 -0500] conn=75097 op=14927 SRCH 
base="cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[21/Dec/2016:09:39:02.140877517 -0500] conn=75097 op=14927 RESULT err=0 tag=101 
nentries=1 etime=0
[21/Dec/2016:09:39:02.141169433 -0500] conn=75097 op=14928 SRCH 
base="dc=example,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/example@example.com)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/example@example.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[21/Dec/2016:09:39:02.142218937 -0500] conn=75097 op=14928 RESULT err=0 tag=101 
nentries=1 etime=0
[21/Dec/2016:09:39:02.142565212 -0500] conn=75097 op=14929 SRCH 
base="cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" scope=0 
filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars 
krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval 
krbPwdLockoutDuration"
[21/Dec/2016:09:39:02.143021565 -0500] conn=75097 op=14929 RESULT err=0 tag=101 
nentries=1 etime=0
[21/Dec/2016:09:39:02.145295331 -0500] conn=75097 op=14930 SRCH 
base="dc=example,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/pc.example@example.com)(krbPrincipalName:caseIgnoreIA5Match:=host/pc.example@example.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[21/Dec/2016:09:39:02.146427034 -0500] conn=75097 op=14930 RESULT err=0 tag=101 
nentries=1 etime=0
[21/Dec/2016:09:39:02.146896867 -0500] conn=75097 op=14931 SRCH 
base="cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[21/Dec/2016:09:39:02.147152183 -0500] conn=75097 op=14931 RESULT err=0 tag=101 
nentries=1 etime=0
[21/Dec/2016:09:39:02.147429299 -0500] conn=75097 op=14932 SRCH 
base="dc=example,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/example@example.com)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/example@example.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Brian J. Murrell
On Wed, 2016-12-21 at 08:24 +0100, Petr Spacek wrote:
> 
> You can try to add line
> KRB5_TRACE=/dev/stdout
> to
> /etc/sysconfig/ipa-dnskeysyncd

[27472] 1482320667.240500: Retrieving 
ipa-dnskeysyncd/server.example@example.com from 
FILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab (vno 0, enctype 0) with result: 
0/Success
[27472] 1482320667.240567: Getting initial credentials for 
ipa-dnskeysyncd/server.example@example.com
[27472] 1482320667.241542: Looked up etypes in keytab: aes256-cts, aes128-cts, 
des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[27472] 1482320667.241619: Sending request (207 bytes) to EXAMPLE.COM
[27472] 1482320667.241952: Resolving hostname server.example.com
[27472] 1482320667.242781: Initiating TCP connection to stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.243067: Sending TCP request to stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.248018: Received answer (336 bytes) from stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.248054: Terminating TCP connection to stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.248215: Response was from master KDC
[27472] 1482320667.248250: Received error from KDC: -1765328359/Additional 
pre-authentication required
[27472] 1482320667.248304: Processing preauth types: 136, 19, 2, 133
[27472] 1482320667.248317: Selected etype info: etype aes256-cts, salt 
"EXAMPLE.COMipa-dnskeysyncdserver.example.com", params ""
[27472] 1482320667.248327: Received cookie: MIT
[27472] 1482320667.248400: Retrieving 
ipa-dnskeysyncd/server.example@example.com from 
FILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab (vno 0, enctype aes256-cts) with 
result: 0/Success
[27472] 1482320667.248424: AS key obtained for encrypted timestamp: 
aes256-cts/BCCF
[27472] 1482320667.248498: Encrypted timestamp (for 1482320667.247961): plain 
[redacted], encrypted [redacted]
[27472] 1482320667.248512: Preauth module encrypted_timestamp (2) (real) 
returned: 0/Success
[27472] 1482320667.248520: Produced preauth for next request: 133, 2
[27472] 1482320667.248540: Sending request (302 bytes) to EXAMPLE.COM
[27472] 1482320667.248561: Resolving hostname server.example.com
[27472] 1482320667.248841: Initiating TCP connection to stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.249050: Sending TCP request to stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.512953: Received answer (837 bytes) from stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.512974: Terminating TCP connection to stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.513076: Response was from master KDC
[27472] 1482320667.513117: Processing preauth types: 19
[27472] 1482320667.513131: Selected etype info: etype aes256-cts, salt 
"EXAMPLE.COMipa-dnskeysyncdserver.example.com", params ""
[27472] 1482320667.513143: Produced preauth for next request: (empty)
[27472] 1482320667.513159: AS key determined by preauth: aes256-cts/BCCF
[27472] 1482320667.513244: Decrypted AS reply; session key is: aes256-cts/BD92
[27472] 1482320667.513271: FAST negotiation: available
[27472] 1482320667.513297: Initializing FILE:/tmp/ipa-dnskeysyncd.ccache with 
default princ ipa-dnskeysyncd/server.example@example.com
[27472] 1482320667.513881: Storing 
ipa-dnskeysyncd/server.example@example.com -> 
krbtgt/example@example.com in FILE:/tmp/ipa-dnskeysyncd.ccache
[27472] 1482320667.513974: Storing config in FILE:/tmp/ipa-dnskeysyncd.ccache 
for krbtgt/example@example.com: fast_avail: yes
[27472] 1482320667.514022: Storing 
ipa-dnskeysyncd/server.example@example.com -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF: 
in FILE:/tmp/ipa-dnskeysyncd.ccache
[27472] 1482320667.514065: Storing config in FILE:/tmp/ipa-dnskeysyncd.ccache 
for krbtgt/example@example.com: pa_type: 2
[27472] 1482320667.514102: Storing 
ipa-dnskeysyncd/server.example@example.com -> 
krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF: in 
FILE:/tmp/ipa-dnskeysyncd.ccache
[27472] 1482320667.514181: Storing config in FILE:/tmp/ipa-dnskeysyncd.ccache 
for : refresh_time: 1482363867
[27472] 1482320667.514220: Storing 
ipa-dnskeysyncd/server.example@example.com -> 
krb5_ccache_conf_data/refresh_time@X-CACHECONF: in 
FILE:/tmp/ipa-dnskeysyncd.ccache
[27472] 1482320667.619828: ccselect module realm chose cache 
FILE:/tmp/ipa-dnskeysyncd.ccache with client principal 
ipa-dnskeysyncd/server.example@example.com for server principal 
ldap/server.example@example.com
[27472] 1482320667.692119: Getting credentials 
ipa-dnskeysyncd/server.example@example.com -> 
ldap/server.example@example.com using ccache 
FILE:/tmp/ipa-dnskeysyncd.ccache
[27472] 1482320667.692241: Retrieving 
ipa-dnskeysyncd/server.example@example.com -> 
ldap/server.example@example.com from FILE:/tmp/ipa-dnskeysyncd.ccache with 
result: -1765328243/Matching credential not found 
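An added example, not code from the thread or from MIT krb5/FreeIPA: a Python summarizer for KRB5_TRACE output like the above. It re-joins lines wrapped by the mailer, extracts the keytab, ccache and client principal, and sorts every non-zero result into expected and unexpected. Two of the codes in the trace are normal protocol steps rather than errors: -1765328359 (KRB5KDC_ERR_PREAUTH_REQUIRED) is the KDC's standard answer to the first AS-REQ, and -1765328243 (KRB5_CC_NOTFOUND, "Matching credential not found") on the ldap/... lookup only means no service ticket is cached yet, so a TGS request follows; anything else is worth reading closely. Both samples are constructed: one condensed from the trace above with realistic stand-in principal names, one with a KDC error that is a genuine failure. Function and constant names are mine; the numeric codes are MIT krb5's.

```python
"""Summarize a KRB5_TRACE log and separate normal non-zero results from failures.

Added example, not code from the thread or from MIT krb5/FreeIPA. Lines
wrapped by a mailer are re-joined: a continuation never starts with '[pid]'.
"""
import re

TRACE_RE = re.compile(r'^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$')
RESULT_RE = re.compile(r'with result: (?P<code>-?\d+)/(?P<text>.*)$')
KDC_ERR_RE = re.compile(r'Received error from KDC: (?P<code>-?\d+)/(?P<text>.*)$')
CLIENT_RE = re.compile(r'Getting initial credentials for (?P<princ>\S+)')

# Non-zero codes that are part of a normal exchange (MIT krb5 com_err values)
KRB5KDC_ERR_PREAUTH_REQUIRED = -1765328359  # answer to the first AS-REQ; client retries with preauth
KRB5_CC_NOTFOUND = -1765328243              # ccache miss for a service ticket; a TGS-REQ follows
EXPECTED = {
    KRB5KDC_ERR_PREAUTH_REQUIRED: "KDC requires preauth; client retries with encrypted timestamp",
    KRB5_CC_NOTFOUND: "service ticket not cached yet; client asks the KDC (TGS-REQ) next",
}

# Constructed sample, condensed from the trace quoted in the thread and
# wrapped like mail; principal names are realistic stand-ins.
SAMPLE_TRACE = """\
[27472] 1482320667.240500: Retrieving
ipa-dnskeysyncd/server.example.com@EXAMPLE.COM from
FILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab (vno 0, enctype 0) with result:
0/Success
[27472] 1482320667.240567: Getting initial credentials for
ipa-dnskeysyncd/server.example.com@EXAMPLE.COM
[27472] 1482320667.248250: Received error from KDC: -1765328359/Additional
pre-authentication required
[27472] 1482320667.248304: Processing preauth types: 136, 19, 2, 133
[27472] 1482320667.513244: Decrypted AS reply; session key is: aes256-cts/BD92
[27472] 1482320667.513297: Initializing FILE:/tmp/ipa-dnskeysyncd.ccache with
default princ ipa-dnskeysyncd/server.example.com@EXAMPLE.COM
[27472] 1482320667.692241: Retrieving
ipa-dnskeysyncd/server.example.com@EXAMPLE.COM ->
ldap/server.example.com@EXAMPLE.COM from FILE:/tmp/ipa-dnskeysyncd.ccache with
result: -1765328243/Matching credential not found
"""

# Constructed sample of a genuine failure: the client principal is unknown to the KDC.
FAILING_TRACE = """\
[27473] 1482320700.000100: Getting initial credentials for ipa-dnskeysyncd/server.example.com@EXAMPLE.COM
[27473] 1482320700.001000: Received error from KDC: -1765328378/Client not found in Kerberos database
"""


def parse_trace(text):
    """Return (pid, timestamp, message) triples with wrapped lines re-joined."""
    events = []
    for raw in text.splitlines():
        m = TRACE_RE.match(raw)
        if m:
            events.append([m.group("pid"), float(m.group("ts")), m.group("msg").strip()])
        elif events and raw.strip():
            events[-1][2] = events[-1][2] + " " + raw.strip()
    return [tuple(e) for e in events]


def summarize_trace(text):
    """Keytab/ccache/client seen in the trace plus classified non-zero results."""
    s = {"client": None, "keytabs": set(), "ccaches": set(), "expected": [], "unexpected": []}
    for _pid, ts, msg in parse_trace(text):
        c = CLIENT_RE.search(msg)
        if c:
            s["client"] = c.group("princ")
        for path in re.findall(r'FILE:(\S+)', msg):
            # keytab lookups carry "(vno N, enctype E)"; other FILE: references are ccaches
            (s["keytabs"] if "(vno" in msg else s["ccaches"]).add(path)
        r = RESULT_RE.search(msg) or KDC_ERR_RE.search(msg)
        if not r or int(r.group("code")) == 0:
            continue
        code = int(r.group("code"))
        entry = (ts, code, r.group("text").strip(), EXPECTED.get(code, msg))
        (s["expected"] if code in EXPECTED else s["unexpected"]).append(entry)
    return s


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("failing", FAILING_TRACE)):
        s = summarize_trace(trace)
        print(f"[{name}] client={s['client']} keytabs={sorted(s['keytabs'])} "
              f"ccaches={sorted(s['ccaches'])}")
        for _ts, code, text, why in s["expected"]:
            print(f"  ok   {code} {text}: {why}")
        for _ts, code, text, _why in s["unexpected"]:
            print(f"  FAIL {code} {text}")
```

Feed it the journal output captured after setting KRB5_TRACE as Petr suggested; an empty "unexpected" list for the AS exchange means the keytab and the KDC are fine and the problem is on the GSSAPI/LDAP side, which is what the trace above shows up to its cut-off.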

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-20 Thread Petr Spacek
On 20.12.2016 12:41, Brian J. Murrell wrote:
> On Tue, 2016-12-20 at 11:55 +0100, Martin Basti wrote:
>>
>> So there are actually no issues with credentials, it needs more 
>> debugging, in past we have similar case but we haven't found the
>> root 
>> cause why it doesn't have the right credentials after kinit.
> 
> So, to be clear, all I did was kinit.  I didn't do anything after that
> once the credentials were acquired. Should I have or did you just want
> me to test that credential file was usable?  I did that as root. 
> Here's the permissions on that keytab just in case there is a problem
> there:
> 
> # ls -lZ /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
> -r--r-----. root ods unconfined_u:object_r:etc_t:s0   
> /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
> 
> restorecon says that the selinux labels are ok.  The file is not in the
> RPM (i.e. as a config file) so I have no reference for the permissions
> of it.
> 
>> Are you 
>> willing to do more basic level code debugging?
> 
> Absolutely.
> 
> >> BTW this is used only with DNSSEC feature. If you don't use DNSSEC 
>> signing you can ignore this failing service (ipactl start 
>> --ignore-service-failures)
> 
> Let's also not lose sight of the other problem that occurred at the
> same upgrade and that's the having to fall back to simple
> authentication of bind with:
> 
> arg "auth_method simple";
> arg "bind_dn uid=admin,cn=users,cn=accounts,dc=example.com";
> arg "password my_password";
> 
> in /etc/named.conf due to:
> 
> 21:12:19 LDAP error: Invalid credentials: bind to LDAP server failed
> 
> trying to start bind via systemctl start ipa.
> 
> Is it most likely that these two problems are in fact not related?

I guess that they are related because it is basically the very same problem.
The keytab does not work when used from the server application.

The question is: Why is that?

You can try to add line
KRB5_TRACE=/dev/stdout
to
/etc/sysconfig/ipa-dnskeysyncd

and see if there will be some additional information in the journal.

Maybe you will have to use path like /var/lib/ipa/dnssec/debug.log instead of
/dev/stderr and then look into the new file.

-- 
Petr^2 Spacek



Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-20 Thread Brian J. Murrell
On Tue, 2016-12-20 at 11:55 +0100, Martin Basti wrote:
> 
> So there are actually no issues with credentials, it needs more 
> debugging, in past we have similar case but we haven't found the
> root 
> cause why it doesn't have the right credentials after kinit.

So, to be clear, all I did was kinit.  I didn't do anything after that
once the credentials were acquired. Should I have or did you just want
me to test that credential file was usable?  I did that as root. 
Here's the permissions on that keytab just in case there is a problem
there:

# ls -lZ /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
-r--r-----. root ods unconfined_u:object_r:etc_t:s0   
/etc/ipa/dnssec/ipa-dnskeysyncd.keytab

restorecon says that the selinux labels are ok.  The file is not in the
RPM (i.e. as a config file) so I have no reference for the permissions
of it.

> Are you 
> willing to do more basic level code debugging?

Absolutely.

> BTW this is used only with DNSSEC feature. If you don't use DNSSEC 
> signing you can ignore this failing service (ipactl start 
> --ignore-service-failures)

Let's also not lose sight of the other problem that occurred at the
same upgrade and that's the having to fall back to simple
authentication of bind with:

    arg "auth_method simple";
    arg "bind_dn uid=admin,cn=users,cn=accounts,dc=example.com";
    arg "password my_password";

in /etc/named.conf due to:

21:12:19 LDAP error: Invalid credentials: bind to LDAP server failed

trying to start bind via systemctl start ipa.

Is it most likely that these two problems are in fact not related?

Cheers,
b.



Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-20 Thread Martin Basti

On 19.12.2016 21:24, Brian J. Murrell wrote:
> On Mon, 2016-12-19 at 17:26 +0100, Martin Basti wrote:
> > On 19.12.2016 13:19, Brian J. Murrell wrote:
> > > On Mon, 2016-12-19 at 09:42 +0100, Martin Basti wrote:
> > > > Hello,
> > > > 
> > > > could you recheck with SElinux in permissive mode?
> > > 
> > > Yeah, still happens even after doing:
> > > 
> > > # setenforce 0
> > > 
> > > Cheers,
> > > b.
> > 
> > could you please kinit as service?
> > 
> > kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/$(hostname)
> 
> # kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/server.example.com
> # klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: ipa-dnskeysyncd/server.example@example.com
> 
> Valid starting     Expires            Service principal
> 19/12/16 15:20:20  20/12/16 15:20:20  krbtgt/example@example.com
> 
> Seems to have worked.  FWIW, I was not asked for any password.
> 
> Cheers,
> b.

The password is the keytab file

So there are actually no issues with credentials, it needs more 
debugging, in past we have similar case but we haven't found the root 
cause why it doesn't have the right credentials after kinit. Are you 
willing to do more basic level code debugging?


BTW this is used only with DNSSEC feature. If you don't use DNSSEC 
signing you can ignore this failing service (ipactl start 
--ignore-service-failures)


Martin

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-19 Thread Brian J. Murrell
On Mon, 2016-12-19 at 17:26 +0100, Martin Basti wrote:
> 
> On 19.12.2016 13:19, Brian J. Murrell wrote:
> > On Mon, 2016-12-19 at 09:42 +0100, Martin Basti wrote:
> > > Hello,
> > > 
> > > could you recheck with SElinux in permissive mode?
> > 
> > Yeah, still happens even after doing:
> > 
> > # setenforce 0
> > 
> > Cheers,
> > b.
> 
> could you please kinit as service?
> 
> 
> kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-
> dnskeysyncd/$(hostname)

# kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab 
ipa-dnskeysyncd/server.example.com
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ipa-dnskeysyncd/server.example@example.com

Valid starting     Expires            Service principal
19/12/16 15:20:20  20/12/16 15:20:20  krbtgt/example@example.com

Seems to have worked.  FWIW, I was not asked for any password.

Cheers,
b.



Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-19 Thread Martin Basti

On 19.12.2016 13:19, Brian J. Murrell wrote:
> On Mon, 2016-12-19 at 09:42 +0100, Martin Basti wrote:
> > Hello,
> > 
> > could you recheck with SElinux in permissive mode?
> 
> Yeah, still happens even after doing:
> 
> # setenforce 0
> 
> Cheers,
> b.

could you please kinit as service?


kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/$(hostname)


Martin



Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-19 Thread Brian J. Murrell
On Mon, 2016-12-19 at 09:42 +0100, Martin Basti wrote:
> 
> Hello,
> 
> could you recheck with SElinux in permissive mode?

Yeah, still happens even after doing:

# setenforce 0

Cheers,
b.



Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-19 Thread Martin Basti

On 17.12.2016 19:30, Brian J. Murrell wrote:
> On Fri, 2016-12-16 at 22:53 -0500, Brian J. Murrell wrote:
> > Hi,
> > 
> > After upgrading to EL 7.3 which included an upgrade of IPA from
> > 4.2.0-15.0.1.el7.centos.19 to 4.4.0-14.el7.centos I'm getting:
> > 
> > 22:01:00 ipa-dnskeysyncd ipa : INFO LDAP bind...
> > 22:01:00 ipa-dnskeysyncd ipa : ERROR Login to LDAP server
> 
> I wonder if this is related:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1405716
> SELinux is preventing /usr/bin/python2.7 from read access on the file
> unix.
> 
> It has started to show up as of this IPA upgrade also.
> 
> Cheers,
> b.

Hello,

could you recheck with SElinux in permissive mode?

Martin

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-17 Thread Brian J. Murrell
On Fri, 2016-12-16 at 22:53 -0500, Brian J. Murrell wrote:
> Hi,
> 
> After upgrading to EL 7.3 which included an upgrade of IPA from
> 4.2.0-15.0.1.el7.centos.19 to 4.4.0-14.el7.centos I'm getting: 
> 
> 22:01:00 ipa-dnskeysyncd ipa : INFO LDAP bind...
> 22:01:00 ipa-dnskeysyncd ipa : ERROR Login to LDAP server 

I wonder if this is related:

https://bugzilla.redhat.com/show_bug.cgi?id=1405716
SELinux is preventing /usr/bin/python2.7 from read access on the file
unix.

It has started to show up as of this IPA upgrade also.

Cheers,
b.

