[Freeipa-users] Re: Unable to create an Active Directory Trust

2017-09-01 Thread Alexander Bokovoy via FreeIPA-users

On pe, 01 syys 2017, PAESSENS Daniel (BCS/PSD) wrote:

> I've checked on the Windows part. And nothing is mentioned over there.
> Even with adsiedit I can't find any trace of it.

Active Directory verifies three important types of conflicts when
establishing a trust between any domains (including a forest trust which
is a trust between the two forest root domains) described in 
https://msdn.microsoft.com/en-us/library/cc223787.aspx


 - SID namespace
 - top level names (TLNs) namespace
 - NetBIOS names of the domains

For example, if you have Active Directory forest with just one forest
root domain, example.com, and NetBIOS name AD, your IPA domain cannot be
example.com and it also cannot have NetBIOS domain name AD.

There is one more limitation, though. Given that trusted domain object
has also a counterpart as a 'machine' account in AD LDAP, and all
machine accounts must have unique names, there could be a conflict at
this level.

Say, your IPA domain's NetBIOS name is FOO. When trust is established,
there will be a machine account FOO$ in AD LDAP. If you already had FOO
machine in your AD, that would be seen as a conflict.

Unfortunately, you did not provide more details on what exactly is
there. If you would add 'log level = 100' to
/usr/share/ipa/smb.conf.empty and try to re-establish trust with 'ipa
trust-add', you'll get a lot of details in /var/log/httpd/error_log.
Send me those details off-list and I can see where it breaks.

--
/ Alexander Bokovoy
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
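The four checks listed above, turned into a pre-flight script you can run before `ipa trust-add`. This is an added illustration, not FreeIPA or Samba code; the forest data is constructed, and the TLN test assumes no TLN exclusions are configured on the AD side. On a real deployment the AD values come from the domain object and the computer accounts in AD LDAP, the IPA values from `ipa trustconfig-show`.

```python
"""Pre-flight check for the trust conflicts described in the reply above.

Added example, not FreeIPA or Samba code. All Forest values below are
constructed; fill them from AD LDAP (domain SID, NetBIOS name, computer
sAMAccountNames) and from `ipa trustconfig-show` on the IPA side.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forest:
    """Identity of one side of a prospective trust."""
    dns_name: str                   # forest root DNS name, e.g. example.com
    netbios_name: str               # flat (NetBIOS) domain name, e.g. AD
    sid: str                        # domain SID, S-1-5-21-...
    extra_tlns: tuple = ()          # additional top level names the forest routes
    machine_accounts: frozenset = frozenset()  # sAMAccountName values, with trailing $


def _dns_overlaps(a: str, b: str) -> bool:
    """True when the names are equal or one is a subdomain of the other."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def trust_conflicts(ad: Forest, ipa: Forest) -> list:
    """Return the conflicts AD would raise when IPA tries to establish a trust.

    An empty list means none of the four checks fired.
    """
    problems = []

    # 1. SID namespace: the two domains must not share a domain SID.
    if ad.sid == ipa.sid:
        problems.append(f"SID conflict: both domains use {ad.sid}")

    # 2. Top level names: the IPA DNS domain may not equal, or nest inside,
    #    any TLN the AD forest already routes (and vice versa). Assumption:
    #    no TLN exclusions are configured on the AD side.
    for ad_tln in (ad.dns_name,) + tuple(ad.extra_tlns):
        for ipa_tln in (ipa.dns_name,) + tuple(ipa.extra_tlns):
            if _dns_overlaps(ad_tln, ipa_tln):
                problems.append(f"TLN conflict: {ipa_tln!r} overlaps AD name {ad_tln!r}")

    # 3. NetBIOS names are flat and compared case-insensitively.
    if ad.netbios_name.upper() == ipa.netbios_name.upper():
        problems.append(f"NetBIOS conflict: both domains are {ad.netbios_name.upper()}")

    # 4. The trusted domain object also appears as machine account <NETBIOS>$,
    #    so an existing computer with that name collides with it.
    tdo_account = ipa.netbios_name.upper() + "$"
    if tdo_account in {m.upper() for m in ad.machine_accounts}:
        problems.append(f"Machine account conflict: {tdo_account} already exists in AD")

    return problems


# Constructed sample data (nothing here comes from a real deployment).
AD_FOREST = Forest(
    dns_name="example.com",
    netbios_name="AD",
    sid="S-1-5-21-1111111111-2222222222-3333333333",
    machine_accounts=frozenset({"DC1$", "FOO$", "WS-042$"}),
)
IPA_CLEAN = Forest("ipa.internal", "IPA", "S-1-5-21-4444444444-5555555555-6666666666")
IPA_CLASHING = Forest("corp.example.com", "FOO", "S-1-5-21-1111111111-2222222222-3333333333")

if __name__ == "__main__":
    for label, ipa in (("IPA_CLEAN", IPA_CLEAN), ("IPA_CLASHING", IPA_CLASHING)):
        print(label, trust_conflicts(AD_FOREST, ipa) or "no conflicts")
```

Run it as-is to see the clean case pass and the clashing case report three separate conflicts (SID, TLN and the FOO$ machine account); the NetBIOS check does not fire there because FOO and AD differ, which is exactly why a machine-account collision is worth testing on its own.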


[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-09-01 Thread Robbie Harwood via FreeIPA-users
pgb 205 via FreeIPA-users writes:

> Here is the log that I sent in yesterday. With server1 and server2
> down, but server3 up.
>
> kdc=server1
> kdc=server2
> kdc=server3
> kdc_master=server1
> kdc_master=server2
> kdc_master=server3

kdc_master isn't a valid directive for krb5.conf (we call it
master_kdc).  Can you show your entire krb5.conf, including [realms] and
[libdefaults] sections?

> kinit tries server1 and server2 but never even attempts server3
> KRB5_TRACE=/dev/stdout kinit user(a)test.domain

I assume "(a)" is standing in for '@'?

> [12536] 1501112935.251721: Getting initial credentials for user(a)test.domain 
> [12536] 1501112935.251917: Sending request (181 bytes) to test.domain
> [12536] 1501112935.251956: Resolving hostname server1
> [12536] 1501112935.252875: Sending initial UDP request to dgram server1_ip:88
> [12536] 1501112936.253962: Resolving hostname server2
> [12536] 1501112936.255680: Retrying AS request with master KDC

Alright, so something spooks krb5 here, it looks like.  I need to see
the whole krb5.conf to have a better idea, but:

- is udp_preference_limit set?
- is one of these configured for KKDCP?
- is the DNS for server2 weird in some way?
- same question but for server3?

Can you tell me what the OS/Kerberos versions are for server1, server2,
and server3?  Also the OS/krb5 version/sssd version for the client
you're using.

> [12536] 1501112936.255699: Getting initial credentials for user(a)test.domain
> [12536] 1501112936.255763: Sending request (181 bytes) to test.domain (master)
> [12536] 1501112936.255779: Resolving hostname server1
> [12536] 1501112936.256379: Sending initial UDP request to dgram server1_ip:88
> [12536] 1501112937.257451: Resolving hostname server2
> kinit: Invalid argument while getting initial credentials

Yeah, I suspect getaddrinfo() returns something weird for server2.  If
you can, I'd suggest getting the return values from it; if you're not
comfortable doing that, I can bake you a shim that'll print out that
information.

> kinit with following configuration will work, however.
> kdc=server1
> kdc=server2
> kdc=server3
> kdc_master=server1
> # kdc_master=server2
> kdc_master=server3

See above; as written this isn't different from the configuration above
(krb5 will ignore lines it doesn't recognize).  Assuming you meant
"master_kdc" there: this is presumably because it never retries
server2 after switching to querying masters, and instead goes on to
server3.

Thanks,
--Robbie


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
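An added lint, not MIT krb5 or FreeIPA code, for the point Robbie makes twice above: libkrb5 silently ignores relations it does not know, so a misspelled `kdc_master` never reaches the KDC selection logic. The parser handles the krb5 profile format (`[section]`, `key = value`, `key = {` ... `}`), and the two sample files are constructed from the server names quoted in the thread; the realm name TEST.DOMAIN is an assumption taken from the principal in the trace.

```python
"""Lint a krb5.conf for realm relations libkrb5 would silently ignore.

Added example, not MIT krb5 or FreeIPA code. The configs at the bottom are
constructed from the server names quoted in the thread; the realm name
TEST.DOMAIN is an assumption.
"""
import re

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_RELATION = re.compile(r"^([^=\s]+)\s*=\s*(.*?)$")

# Relations documented for a [realms] stanza in krb5.conf(5).
KNOWN_REALM_RELATIONS = {
    "kdc", "master_kdc", "primary_kdc", "admin_server", "kpasswd_server",
    "default_domain", "database_module", "auth_to_local", "auth_to_local_names",
    "disable_encrypted_timestamp", "http_anchors", "v4_realm", "v4_instance_convert",
}


def parse_profile(text: str) -> dict:
    """Parse the krb5 profile format into {section: {key: [values or subdicts]}}.

    Repeated keys accumulate in order, which is how multiple `kdc` lines work;
    `key = {` opens a subsection that a lone `}` closes.
    """
    root: dict = {}
    stack: list = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = _SECTION.match(line)
        if section:
            stack = [root.setdefault(section.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"relation before any [section]: {line!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        rel = _RELATION.match(line)
        if not rel:
            raise ValueError(f"cannot parse: {line!r}")
        key, value = rel.group(1), rel.group(2).strip()
        if value == "{":
            sub: dict = {}
            stack[-1].setdefault(key, []).append(sub)
            stack.append(sub)
        else:
            stack[-1].setdefault(key, []).append(value)
    return root


def lint_realms(profile: dict) -> list:
    """Report what a client would otherwise only show as odd KDC fallback behaviour."""
    findings = []
    for realm, stanzas in profile.get("realms", {}).items():
        for stanza in stanzas:
            if not isinstance(stanza, dict):
                continue
            for key in stanza:
                if key not in KNOWN_REALM_RELATIONS:
                    hint = " (did you mean master_kdc?)" if key.lower() == "kdc_master" else ""
                    findings.append(f"{realm}: unknown relation {key!r} is ignored by libkrb5{hint}")
            # A kdc line pointing at an https:// URL is a KKDCP proxy, one of
            # the things Robbie asks about; flag it so it is not mistaken for a KDC.
            for kdc in stanza.get("kdc", []):
                if kdc.startswith(("https://", "http://")):
                    findings.append(f"{realm}: kdc {kdc!r} is a KKDCP URL, not a plain KDC")
    for limit in profile.get("libdefaults", {}).get("udp_preference_limit", []):
        findings.append(f"libdefaults: udp_preference_limit = {limit} changes UDP/TCP fallback")
    return findings


# Constructed krb5.conf carrying the misspelling from the thread (kdc_master).
BROKEN_KRB5_CONF = """
[libdefaults]
  default_realm = TEST.DOMAIN
  dns_lookup_kdc = false

[realms]
  TEST.DOMAIN = {
    kdc = server1
    kdc = server2
    kdc = server3
    kdc_master = server1
    kdc_master = server2
    kdc_master = server3
  }
"""

# The same file with the relation krb5 actually understands.
FIXED_KRB5_CONF = BROKEN_KRB5_CONF.replace("kdc_master", "master_kdc")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(name, lint_realms(parse_profile(text)) or "no findings")
```

The broken file produces one finding naming `kdc_master`; the fixed file produces none, and its parsed `master_kdc` list is the three servers in file order, which is the list krb5 walks when it retries the AS request with the master KDC.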


[Freeipa-users] Re: problem installing 3rd party(trusted cert)

2017-09-01 Thread Florence Blanc-Renaud via FreeIPA-users

On 08/30/2017 08:26 PM, Rob Morin wrote:

> I ran this command firstly:
>
> The G2 root CA from Geotrust website..
>
> [root@auth-1 certs]# ipa-cacert-manage -p 7t7FR.08 -n httpcrt -t C,, install root_ca.crt
>
> Installing CA certificate, please wait
> CA certificate successfully installed
> The ipa-cacert-manage command was successful
>
> Then, I ran
>
> [root@auth-1 certs]# ipa-certupdate
> trying https://auth-1.domain.com/ipa/session/json
> Forwarding 'ca_is_enabled' to json server 'https://auth-1.domain.com/ipa/session/json'
> Forwarding 'ca_find/1' to json server 'https://auth-1.domain.com/ipa/session/json'
>
> Systemwide CA database updated.
> Systemwide CA database updated.
> The ipa-certupdate command was successful
>
> Then I ran this command with the intermediate cert..
>
> [root@auth-1 certs]# ipa-cacert-manage -p 7t7FR.08 -n httpcrt_bundle -t C,, install star_domain_com_bundle.crt
>
> Installing CA certificate, please wait
> Not a valid CA certificate: (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
>
> The ipa-cacert-manage command failed.
>
> The intermediate cert only has one cert in it
>
> So I have 4 files;
> Intermediate cert:  star_domain_bundle.crt
> Real cert :  star_domain.crt
> Key :  star_domain.key
>
> I did try various combinations
>
> cat star_domain_bundle.crt star_domain.crt > star_domain_combined.crt
> cat star_domain.crt star_domain_bundle.crt > star_domain_combined.crt
> cat root_ca.crt star_domain.crt star_domain_bundle.crt > star_domain_combined.crt
> cat star_domain.crt star_domain_bundle.crt root_ca.crt star > star_domain_combined.crt
>
> and so on...
>
> Then I tried adding each one of those with the same command mentioned above, no go
>
>
> What do I do now?
> Thanks!



Hi

(putting the mailing list back in the recipients list)
Can you run ipa-cacert-manage install with the -v option and post the
output? We will be able to see which certificates are already trusted
and can be downloaded from LDAP.


Also, which IPA version are you using? Is your machine in SELinux
enforcing mode?


Flo




> On Mon, Aug 28, 2017 at 10:30 AM, Florence Blanc-Renaud wrote:
>
>> On 08/28/2017 04:00 PM, Rob Morin via FreeIPA-users wrote:
>>
>>> Hello all...
>>>
>>> So I have a wildcard cert from geotrust.
>>> I am running freeipa V4.4 fresh install no users yet
>>> I downloaded and installed their GeoTrust Primary Certification
>>> Authority root cert from here -->
>>> https://www.geotrust.com/resources/root-certificates/
>>>
>>> I ran this command to import it...
>>>
>>> ipa-cacert-manage -p password -n httpcrt -t C,, install root_ca.crt
>>>
>>> I get back this ;
>>>
>>> Installing CA certificate, please wait
>>> CA certificate successfully installed
>>> The ipa-cacert-manage command was successful
>>>
>>> Then I go to install just the http cert for freeipa as dictated
>>> by company policy
>>>
>>> Then I run this...
>>>
>>> ipa-certupdate
>>>
>>> Then I go to add the cert like this...
>>>
>>> ipa-server-certinstall -w star_domain_com.key star_domain_com.crt
>>> Directory Manager password:
>>> Enter private key unlock password:
>>>
>>> I get this back
>>>
>>> The full certificate chain is not present in
>>> star_domain_com.key, star_domain_com.crt
>>> The ipa-server-certinstall command failed.
>>>
>>> So I combined the bundle and cert into one file, still a no go,
>>> I tried both ways: cert first then bundle, and bundle first then
>>> cert, still a no go.
>>> Any ideas?
>>>
>>> Thanks..
>>
>> Hi,
>>
>> is your http cert directly signed by the CA root_ca.crt, or does the
>> cert chain contain additional certificates? In the latter case, you
>> need to add each intermediate certificate with ipa-cacert-manage +
>> ipa-certupdate before running ipa-server-certinstall.
>>
>> HTH,
>> Flo
>
> --
> Rob Morin
> Montreal, Canada


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
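Flo's advice, as an added worked example (not FreeIPA code): order the bundle leaf-first, find out which issuer is missing, and only then derive the sequence of `ipa-cacert-manage` installs (root first, then each intermediate), `ipa-certupdate`, and `ipa-server-certinstall -w`. It needs the `cryptography` package and mints a throwaway root, intermediate and wildcard leaf so it runs offline; those certificates, the file names `ca1.crt`, `server.key`, `server.crt` and the nickname scheme are all assumptions, and nothing here is a GeoTrust certificate.

```python
"""Order a PEM bundle and plan the IPA import steps before touching the server.

Added example, not FreeIPA code. Uses the `cryptography` package to mint a
throwaway root -> intermediate -> wildcard leaf chain (constructed; nothing
here is a GeoTrust certificate) so the chain logic runs offline. File names
and nicknames in the printed commands are assumptions.
"""
import datetime
import re

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def mint(cn: str, issuer=None, ca: bool = False):
    """Issue a short-lived certificate; issuer is (cert, key) or None for self-signed."""
    key = ec.generate_private_key(ec.SECP256R1(), default_backend())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name = issuer[0].subject if issuer else subject
    signer = issuer[1] if issuer else key
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .sign(signer, hashes.SHA256(), default_backend())
    )
    return cert, key


def pem(cert) -> bytes:
    return cert.public_bytes(serialization.Encoding.PEM)


def split_bundle(data: bytes) -> list:
    """Load every certificate in a concatenated PEM file, in file order."""
    blocks = re.findall(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", data, re.S)
    return [x509.load_pem_x509_certificate(b, default_backend()) for b in blocks]


def order_chain(certs: list):
    """Return (chain_leaf_first, missing_issuer_dn_or_None).

    The leaf is the one certificate nobody else names as issuer. Walk issuer
    links upwards and stop at a self-signed root, or at an issuer that is not
    in the bundle, which is the situation NSS reports as SEC_ERROR_UNKNOWN_ISSUER.
    """
    by_subject = {c.subject.rfc4514_string(): c for c in certs}
    named_as_issuer = {c.issuer.rfc4514_string() for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject.rfc4514_string() not in named_as_issuer]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    chain = [leaves[0]]
    while chain[-1].issuer != chain[-1].subject:
        parent = by_subject.get(chain[-1].issuer.rfc4514_string())
        if parent is None:
            return chain, chain[-1].issuer.rfc4514_string()
        chain.append(parent)
    return chain, None


def ipa_import_plan(chain: list) -> list:
    """Commands in the order Flo describes: every CA root-first, then the leaf."""
    steps = []
    for i, ca in enumerate(reversed(chain[1:]), 1):
        cn = ca.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        nick = re.sub(r"[^A-Za-z0-9]+", "_", cn).strip("_")  # assumed nickname scheme
        steps.append(f"ipa-cacert-manage -n {nick} -t C,, install ca{i}.crt  # CN={cn}")
    steps.append("ipa-certupdate")
    steps.append("ipa-server-certinstall -w server.key server.crt")  # assumed file names
    return steps


# Constructed chain: root signs intermediate, intermediate signs the wildcard leaf.
ROOT, ROOT_KEY = mint("Constructed Root CA", ca=True)
INTER, INTER_KEY = mint("Constructed Intermediate CA", issuer=(ROOT, ROOT_KEY), ca=True)
LEAF, _ = mint("*.domain.example", issuer=(INTER, INTER_KEY))

WITHOUT_ROOT = pem(LEAF) + pem(INTER)             # leaf plus intermediate, root missing
FULL_BUNDLE = pem(INTER) + pem(ROOT) + pem(LEAF)  # file order does not matter

if __name__ == "__main__":
    chain, missing = order_chain(split_bundle(WITHOUT_ROOT))
    print("missing issuer:", missing)
    chain, missing = order_chain(split_bundle(FULL_BUNDLE))
    print("\n".join(ipa_import_plan(chain)))
```

With the root absent the walk stops at the intermediate and names the root DN as the missing issuer; with all three present it yields root, then intermediate, then the leaf install, the order in which IPA needs to see them.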