[Freeipa-users] Re: Replication failing on some records

2017-06-08 Thread Mark Reynolds via FreeIPA-users


On 06/07/2017 10:58 AM, Nick Campion via FreeIPA-users wrote:
>
> Hi all,
>
>  
>
> We have a 3 master setup that is failing to replicate changes from a
> particular node to the other IPA instances. The replication status
> says it's all fine, however the record hasn't been changed on the
> other servers. We've seen this on user password changes, adding hosts
> and services. The only thing we've found that seems to fix this
> temporarily is to re-initialize from the master with the changed
> record. A force-sync doesn't pick up the changed record.
>
What is the change you are making, what attribute are you updating?  Could
it be possible that it's being excluded by fractional replication?  Or is
it all changes?

Any errors in the logs on the nodes (good and bad):
/var/log/dirsrv/slapd-INSTANCE/errors

Do you see replication sessions starting between the bad node and good
ones?  Are they talking?  Check the access log (
/var/log/dirsrv/slapd-INSTANCE/access) on a good node and look for
"connection from "

Next would be to enable replication logging on the bad node and
reproduce the problem (then disable repl logging right away), then send
us the logs to look at.  See 
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-troubleshooting_replication_related_problems

Regards,
Mark

> Not sure what logs would be helpful to diagnose what is happening in
> this setup. 
>
> # ipa-replica-manage -v list `hostname`
> freeipa03.mgmt.example.com: replica
> last init status: None
> last init ended: 1970-01-01 00:00:00+00:00
> last update status: Error (0) Replica acquired successfully:
> Incremental update succeeded
> last update ended: 2017-06-07 14:43:53+00:00
> freeipa02.mgmt.example.com: replica
> last init status: None
> last init ended: 1970-01-01 00:00:00+00:00
> last update status: Error (0) Replica acquired successfully:
> Incremental update succeeded
> last update ended: 2017-06-07 14:43:53+00:00
>
> # ldapsearch -W -x -D "cn=directory manager" -b
> "cn=users,cn=accounts,dc=ipa,dc=example,dc=com" "nsds5ReplConflict=*"
> \* nsds5ReplConflict
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base 
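The access-log check Mark describes, as an added example (not code from the thread or from 389-ds): on a good node, a "connection from <peer>" line only proves the bad node reached it; the start-replication extended operation on the same conn id proves a session began. The peer addresses, conn ids and log lines are constructed, and the extop OID is an assumption to adjust for your 389-ds version.

```python
"""Confirm replication sessions from each expected peer in a 389-ds access log."""
import re

# OID of the NSDS90 start-replication extop as it appears in "EXT oid=..." lines;
# an assumption for this example, adjust if your 389-ds version logs another.
REPL_START_OID = "2.16.840.1.113730.3.5.12"

CONN_RE = re.compile(r"conn=(\d+) .*connection from (\S+) to ")
EXT_RE = re.compile(r'conn=(\d+) op=\d+ EXT oid="([\d.]+)"')


def replication_sessions(log_lines, expected_peers):
    """Return {peer: 'session' | 'connected-only' | 'absent'} per expected peer.

    'session': the peer connected and issued the start-replication extop.
    'connected-only': a connection arrived but no replication extop followed
    (typically a failed GSSAPI bind, visible as RESULT err!=0 on that conn).
    'absent': the peer never connected at all (DNS, firewall, agreement).
    """
    conn_peer = {}    # conn id -> peer address
    started = set()   # peers that issued the start-replication extop
    for line in log_lines:
        m = CONN_RE.search(line)
        if m:
            conn_peer[m.group(1)] = m.group(2)
            continue
        m = EXT_RE.search(line)
        if m and m.group(2) == REPL_START_OID and m.group(1) in conn_peer:
            started.add(conn_peer[m.group(1)])
    result = {}
    for peer in expected_peers:
        if peer in started:
            result[peer] = "session"
        elif peer in conn_peer.values():
            result[peer] = "connected-only"
        else:
            result[peer] = "absent"
    return result


# Constructed sample log (addresses and conn ids are made up): .12 replicates,
# .13 connects but its bind fails, .14 never shows up.
SAMPLE_LOG = """\
[07/Jun/2017:14:43:50 +0000] conn=101 fd=64 slot=64 connection from 10.0.0.12 to 10.0.0.11
[07/Jun/2017:14:43:50 +0000] conn=101 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[07/Jun/2017:14:43:50 +0000] conn=101 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[07/Jun/2017:14:43:51 +0000] conn=101 op=1 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[07/Jun/2017:14:43:52 +0000] conn=102 fd=65 slot=65 connection from 10.0.0.13 to 10.0.0.11
[07/Jun/2017:14:43:52 +0000] conn=102 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[07/Jun/2017:14:43:52 +0000] conn=102 op=0 RESULT err=49 tag=97 nentries=0 etime=0
""".splitlines()

if __name__ == "__main__":
    peers = ["10.0.0.12", "10.0.0.13", "10.0.0.14"]
    for peer, state in replication_sessions(SAMPLE_LOG, peers).items():
        print(f"{peer}: {state}")
```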

[Freeipa-users] samba file server

2017-06-08 Thread Zhanghui via FreeIPA-users



I want to configure a samba file server. I have read the following two links:

https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP

Is the second link based on the first?

I don't have any active directory server. I would like Windows clients that are not
enrolled in the IPA domain to be able to access the shares. Are there any more
documents? Thanks.




___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: certificate has expired?

2017-06-08 Thread Roberto Cornacchia via FreeIPA-users
A relatively good news:
The current error (Insufficient access: Principal 'HTTP/
spinque04.hq.spinque@hq.spinque.com' is not permitted to use CA '.'
with profile 'caIPAserviceCert' for certificate issuance.) might not be due
to the package upgrade.

I looked at the journal of 16 Feb 2017 (28 days before the expiration
date): certmonger correctly tries to renew the certificate but fails with
the exact same error as I have now. So this explains why I ended up with an
expired certificate in the first place.

So hopefully I'm back to the original issue that caused all this. Any help
is highly appreciated.


On Wed, 7 Jun 2017 at 19:15 Rob Crittenden  wrote:

> Roberto Cornacchia via FreeIPA-users wrote:
> > Sorry for accidentally dropping freeipa-users.
> >
> > I was impatient so went back in time before your answer, but I did choose
> > a good date
> >
> > Before this, I had the following two entries with an expired date:
> >
> > Request ID '20150316184508':
> > status: NEED_TO_SUBMIT
> > ca-error: Error setting up ccache for "host" service on client using
> > default keytab: Cannot contact any KDC for requested realm.
> >
> > Request ID '20150316184529':
> > status: CA_UNREACHABLE
> > ca-error: Error setting up ccache for "host" service on client using
> > default keytab: Cannot contact any KDC for requested realm.
> >
> > After restarting certmonger, I have:
> >
> > Request ID '20150316184508':
> > status: MONITORING
> > ca-error: Server at https://spinque04.hq.spinque.com/ipa/xml
> > denied our request, giving up: 2100 (RPC failed at server.  Insufficient
> > access: Principal 'ldap/spinque04.hq.spinque@hq.spinque.com' is not
> > permitted to use CA '.' with profile 'caIPAserviceCert' for certificate
> > issuance.).
> >
> > Request ID '20150316184529':
> > status: MONITORING
> > ca-error: Server at https://spinque04.hq.spinque.com/ipa/xml
> > denied our request, giving up: 2100 (RPC failed at server.  Insufficient
> > access: Principal 'HTTP/spinque04.hq.spinque@hq.spinque.com' is not
> > permitted to use CA '.' with profile 'caIPAserviceCert' for certificate
> > issuance.).
>
> I think this is a side-effect of updating the packages with expired
> certs (you are about half upgraded right now). The new CA ACL rules
> don't seem to have been applied. I'm not sure what the safest course is,
> maybe Flo or Fraser know.
>
> rob
>
> >
> > The journal shows continuous Tomcat errors such as this:
> >
> > Mar 01 00:09:28 spinque04.hq.spinque.com named-pkcs11[5692]: validating
> > docs.oracle.com/CNAME: bad cache hit (oracle.com/DS)
> > Mar 01 00:09:28 spinque04.hq.spinque.com named-pkcs11[5692]: broken trust chain
> > resolving 'docs.oracle.com/A/IN': 8.8.8.8#53
> > Mar 01 00:09:28 spinque04.hq.spinque.com named-pkcs11[5692]: validating
> > docs.oracle.com/CNAME: bad cache hit (oracle.com/DS)
> > Mar 01 00:09:28 spinque04.hq.spinque.com named-pkcs11[5692]: broken trust chain
> > resolving 'docs.oracle.com//IN': 8.8.8.8#53
> > Mar 01 00:09:32 spinque04.hq.spinque.com server[5912]: Mar 01, 2017 12:09:32 AM
> > org.apache.catalina.core.ContainerBase backgroundProcess
> > Mar 01 00:09:32 spinque04.hq.spinque.com server[5912]: WARNING: Exception
> > processing realm com.netscape.cms.tomcat.ProxyRealm@4077b502 background process
> > Mar 01 00:09:32 spinque04.hq.spinque.com server[5912]: java.lang.NullPointerException
> > Mar 01 00:09:32 spinque04.hq.spinque.com server[5912]: at
> > com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:109)
> > Mar 01 00:09:32 spinque04.hq.spinque.com server[5912]: at
> > org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1154)
> > Mar 01 00:09:32 spinque04.hq.spinque.com server[5912]: at
> > org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5697)
> > Mar 01 00:09:32 spinque04.hq.spinque.com server[5912]: at
> > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1377)
> > Mar 01 00:09:32 spinque04.hq.spinque.com server[5912]: at
> > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
> > Mar 01 00:09:32 
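A triage helper for the certmonger output quoted above, added here as an example (not code from the thread, from certmonger or from FreeIPA): it parses the Request ID / status / ca-error blocks and pulls the principal, CA and profile out of the "not permitted to use CA" message, so a CA name of '.' where a real CA name is expected stands out immediately. The sample input is constructed from the output quoted in the thread.

```python
"""Triage `getcert list` output for requests that need attention."""
import re

REQUEST_RE = re.compile(r"^Request ID '(\d+)':")
FIELD_RE = re.compile(r"^\s*([\w-]+):\s*(.*)$")
# Shape of the CA ACL denial quoted in the thread.
DENIED_RE = re.compile(r"Principal '([^']+)' is not permitted to use CA '([^']*)' "
                       r"with profile '([^']+)'")


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block: {'id', 'status', 'ca-error', ...}."""
    requests, current = [], None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw.strip())
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(raw)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return requests


def triage(text):
    """Map request id -> finding; 'ok' when MONITORING with no ca-error."""
    findings = {}
    for req in parse_getcert_list(text):
        err = req.get("ca-error", "")
        m = DENIED_RE.search(err)
        if m:
            principal, ca, profile = m.groups()
            findings[req["id"]] = (f"CA ACL denied {principal} on CA '{ca}' with "
                                   f"profile '{profile}': check ipa caacl-find and "
                                   f"getcert list-cas")
        elif "Cannot contact any KDC" in err:
            findings[req["id"]] = "KDC unreachable: Kerberos/IPA services are down"
        elif req.get("status") == "MONITORING" and not err:
            findings[req["id"]] = "ok"
        else:
            findings[req["id"]] = f"status {req.get('status')}: {err or 'no ca-error'}"
    return findings


# Constructed sample built from the output quoted in this thread (ca-error is a
# single line in real getcert output; the mail archive wrapped it).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20150316184508':
\tstatus: MONITORING
\tca-error: Server at https://spinque04.hq.spinque.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Principal 'ldap/spinque04.hq.spinque@hq.spinque.com' is not permitted to use CA '.' with profile 'caIPAserviceCert' for certificate issuance.).
Request ID '20150316184529':
\tstatus: CA_UNREACHABLE
\tca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for requested realm.
"""

if __name__ == "__main__":
    for rid, finding in triage(SAMPLE).items():
        print(rid, "->", finding)
```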

[Freeipa-users] Re: certificate has expired?

2017-06-08 Thread Roberto Cornacchia via FreeIPA-users
Hi Florence,
I just posted that the problem is solved, but thanks for coming back to me!

Now (on the fixed system) I get:
$ getcert list-cas -c IPA
CA 'IPA':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/ipa-server-guard
/usr/libexec/certmonger/ipa-submit

One thing I didn't mention in the previous post is that the ACL was also
gone, I had to recreate it manually.
Now it looks like this:

$ ipa caacl-find

1 CA ACL matched

  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
  Profiles: caIPAserviceCert

Number of entries returned 1




On Thu, 8 Jun 2017 at 11:02 Roberto Cornacchia wrote:

> It seems solved now, reporting back.
>
> It looks to me like in February, when the certificate renewal failed, I
> had hit the bug described here:
> https://www.redhat.com/archives/freeipa-users/2016-February/msg00441.html
>
> Yesterday I updated the packages, including the fix to this bug, but then
> I still had an expired certificate, which didn't allow ipa-server-upgrade
> to complete.
> Went back in time, asked certmonger to renew, but I was then missing
> certificate profiles, because the upgrade was not completed.
> Now however the certificate was valid, because the date was changed. With
> that, I could manually run ipa-server-upgrade, which successfully imported
> all profiles.
> Restarted ipa, restarted certmonger, got new certificates.
> Went back to today's date, restarted ipa, and everything seems fine.
>
>
>
>
> On Wed, 7 Jun 2017 at 23:25 Roberto Cornacchia <
> roberto.cornacc...@gmail.com> wrote:
>
>> A relatively good news:
>> The current error (Insufficient access: Principal 'HTTP/
>> spinque04.hq.spinque@hq.spinque.com' is not permitted to use CA '.'
>> with profile 'caIPAserviceCert' for certificate issuance.) might not be
>> due to the package upgrade.
>>
>> I looked at the journal of 16 Feb 2017 (28 days before the expiration
>> date): certmonger correctly tries to renew the certificate but fails with
>> the exact same error as I have now. So this explains why I ended up with an
>> expired certificate in the first place.
>>
>> So hopefully I'm back to the original issue that caused all this. Any
>> help is highly appreciated.
>>
>>
>> On Wed, 7 Jun 2017 at 19:15 Rob Crittenden  wrote:
>>
>>> Roberto Cornacchia via FreeIPA-users wrote:
>>> > Sorry for accidentally dropping freeipa-users.
>>> >
>>> > I was impatient so went back in time before your answer, but I did
>>> > choose a good date
>>> >
>>> > Before this, I had the following two entries with an expired date:
>>> >
>>> > Request ID '20150316184508':
>>> > status: NEED_TO_SUBMIT
>>> > ca-error: Error setting up ccache for "host" service on client using
>>> > default keytab: Cannot contact any KDC for requested realm.
>>> >
>>> > Request ID '20150316184529':
>>> > status: CA_UNREACHABLE
>>> > ca-error: Error setting up ccache for "host" service on client using
>>> > default keytab: Cannot contact any KDC for requested realm.
>>> >
>>> > After restarting certmonger, I have:
>>> >
>>> > Request ID '20150316184508':
>>> > status: MONITORING
>>> > ca-error: Server at https://spinque04.hq.spinque.com/ipa/xml
>>> > denied our request, giving up: 2100 (RPC failed at server.  Insufficient
>>> > access: Principal 'ldap/spinque04.hq.spinque@hq.spinque.com' is not
>>> > permitted to use CA '.' with profile 'caIPAserviceCert' for certificate
>>> > issuance.).
>>> >
>>> > Request ID '20150316184529':
>>> > status: MONITORING
>>> > ca-error: Server at https://spinque04.hq.spinque.com/ipa/xml
>>> > denied our request, giving up: 2100 (RPC failed at server.  Insufficient
>>> > access: Principal 'HTTP/spinque04.hq.spinque@hq.spinque.com' is not
>>> > permitted to use CA '.' with profile 'caIPAserviceCert' for certificate
>>> > issuance.).
>>>
>>> I think this is a side-effect of updating the packages with expired
>>> certs (you are about half upgraded right now). The new CA ACL rules
>>> don't seem to have been applied. I'm not sure what the safest course is,
>>> maybe Flo or Fraser know.
>>>
>>> rob
>>>
>>> >
>>> > The journal shows continuous Tomcat errors such as this:
>>> >
>>> > Mar 01 00:09:28 spinque04.hq.spinque.com named-pkcs11[5692]: validating
>>> > docs.oracle.com/CNAME: bad cache hit (oracle.com/DS)
>>> > Mar 01 00:09:28 spinque04.hq.spinque.com named-pkcs11[5692]: broken trust chain
>>> > resolving 'docs.oracle.com/A/IN': 8.8.8.8#53
>>> > Mar 01 00:09:28 spinque04.hq.spinque.com
>>> > 

[Freeipa-users] Re: certificate has expired?

2017-06-08 Thread Roberto Cornacchia via FreeIPA-users
It seems solved now, reporting back.

It looks to me like in February, when the certificate renewal failed, I had
hit the bug described here:
https://www.redhat.com/archives/freeipa-users/2016-February/msg00441.html

Yesterday I updated the packages, including the fix to this bug, but then I
still had an expired certificate, which didn't allow ipa-server-upgrade to
complete.
Went back in time, asked certmonger to renew, but I was then missing
certificate profiles, because the upgrade was not completed.
Now however the certificate was valid, because the date was changed. With
that, I could manually run ipa-server-upgrade, which successfully imported
all profiles.
Restarted ipa, restarted certmonger, got new certificates.
Went back to today's date, restarted ipa, and everything seems fine.




On Wed, 7 Jun 2017 at 23:25 Roberto Cornacchia wrote:

> A relatively good news:
> The current error (Insufficient access: Principal 'HTTP/
> spinque04.hq.spinque@hq.spinque.com' is not permitted to use CA '.'
> with profile 'caIPAserviceCert' for certificate issuance.) might not be
> due to the package upgrade.
>
> I looked at the journal of 16 Feb 2017 (28 days before the expiration
> date): certmonger correctly tries to renew the certificate but fails with
> the exact same error as I have now. So this explains why I ended up with an
> expired certificate in the first place.
>
> So hopefully I'm back to the original issue that caused all this. Any help
> is highly appreciated.
>
>
> On Wed, 7 Jun 2017 at 19:15 Rob Crittenden  wrote:
>
>> Roberto Cornacchia via FreeIPA-users wrote:
>> > Sorry for accidentally dropping freeipa-users.
>> >
>> > I was impatient so went back in time before your answer, but I did choose
>> > a good date
>> >
>> > Before this, I had the following two entries with an expired date:
>> >
>> > Request ID '20150316184508':
>> > status: NEED_TO_SUBMIT
>> > ca-error: Error setting up ccache for "host" service on client using
>> > default keytab: Cannot contact any KDC for requested realm.
>> >
>> > Request ID '20150316184529':
>> > status: CA_UNREACHABLE
>> > ca-error: Error setting up ccache for "host" service on client using
>> > default keytab: Cannot contact any KDC for requested realm.
>> >
>> > After restarting certmonger, I have:
>> >
>> > Request ID '20150316184508':
>> > status: MONITORING
>> > ca-error: Server at https://spinque04.hq.spinque.com/ipa/xml
>> > denied our request, giving up: 2100 (RPC failed at server.  Insufficient
>> > access: Principal 'ldap/spinque04.hq.spinque@hq.spinque.com' is not
>> > permitted to use CA '.' with profile 'caIPAserviceCert' for certificate
>> > issuance.).
>> >
>> > Request ID '20150316184529':
>> > status: MONITORING
>> > ca-error: Server at https://spinque04.hq.spinque.com/ipa/xml
>> > denied our request, giving up: 2100 (RPC failed at server.  Insufficient
>> > access: Principal 'HTTP/spinque04.hq.spinque@hq.spinque.com' is not
>> > permitted to use CA '.' with profile 'caIPAserviceCert' for certificate
>> > issuance.).
>>
>> I think this is a side-effect of updating the packages with expired
>> certs (you are about half upgraded right now). The new CA ACL rules
>> don't seem to have been applied. I'm not sure what the safest course is,
>> maybe Flo or Fraser know.
>>
>> rob
>>
>> >
>> > The journal shows continuous Tomcat errors such as this:
>> >
>> > Mar 01 00:09:28 spinque04.hq.spinque.com named-pkcs11[5692]: validating
>> > docs.oracle.com/CNAME: bad cache hit (oracle.com/DS)
>> > Mar 01 00:09:28 spinque04.hq.spinque.com named-pkcs11[5692]: broken trust chain
>> > resolving 'docs.oracle.com/A/IN': 8.8.8.8#53
>> > Mar 01 00:09:28 spinque04.hq.spinque.com named-pkcs11[5692]: validating
>> > docs.oracle.com/CNAME: bad cache hit (oracle.com/DS)
>> > Mar 01 00:09:28 spinque04.hq.spinque.com named-pkcs11[5692]: broken trust chain
>> > resolving 'docs.oracle.com//IN': 8.8.8.8#53
>> > Mar 01 00:09:32 spinque04.hq.spinque.com server[5912]: Mar 01, 2017 12:09:32 AM
>> > org.apache.catalina.core.ContainerBase backgroundProcess
>> > Mar 01 00:09:32 spinque04.hq.spinque.com server[5912]: WARNING: Exception
>> > processing realm com.netscape.cms.tomcat.ProxyRealm@4077b502 background process
>> > Mar 01 00:09:32 spinque04.hq.spinque.com server[5912]: java.lang.NullPointerException
>> > Mar 

[Freeipa-users] Re: certificate has expired?

2017-06-08 Thread Florence Blanc-Renaud via FreeIPA-users

On 06/07/2017 11:25 PM, Roberto Cornacchia wrote:

> A relatively good news:
> The current error (Insufficient access: Principal
> 'HTTP/spinque04.hq.spinque@hq.spinque.com' is not permitted to
> use CA '.' with profile 'caIPAserviceCert' for certificate issuance.)
> might not be due to the package upgrade.


Hi Roberto,

The first thing that looks strange is the log ".. to use CA '.'". I 
would expect to find CA 'IPA' there. Can you check the output of

$ sudo getcert list-cas -c IPA

The log points to a CA ACL issue. What is the output of
$ ipa caacl-find

I would expect to find:

1 CA ACL matched

  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all

Number of entries returned 1


which means that any host and any service can use the profile 
caIPAserviceCert.


Flo.


> I looked at the journal of 16 Feb 2017 (28 days before the expiration
> date): certmonger correctly tries to renew the certificate but fails
> with the exact same error as I have now. So this explains why I ended up
> with an expired certificate in the first place.
>
> So hopefully I'm back to the original issue that caused all this. Any
> help is highly appreciated.


> On Wed, 7 Jun 2017 at 19:15 Rob Crittenden wrote:
>
> > Roberto Cornacchia via FreeIPA-users wrote:
> > > Sorry for accidentally dropping freeipa-users.
> > >
> > > I was impatient so went back in time before your answer, but I did
> > > choose a good date
> > >
> > > Before this, I had the following two entries with an expired date:
> > >
> > > Request ID '20150316184508':
> > > status: NEED_TO_SUBMIT
> > > ca-error: Error setting up ccache for "host" service on client using
> > > default keytab: Cannot contact any KDC for requested realm.
> > >
> > > Request ID '20150316184529':
> > > status: CA_UNREACHABLE
> > > ca-error: Error setting up ccache for "host" service on client using
> > > default keytab: Cannot contact any KDC for requested realm.
> > >
> > > After restarting certmonger, I have:
> > >
> > > Request ID '20150316184508':
> > > status: MONITORING
> > > ca-error: Server at https://spinque04.hq.spinque.com/ipa/xml
> > > denied our request, giving up: 2100 (RPC failed at server.  Insufficient
> > > access: Principal 'ldap/spinque04.hq.spinque@hq.spinque.com' is not
> > > permitted to use CA '.' with profile 'caIPAserviceCert' for certificate
> > > issuance.).
> > >
> > > Request ID '20150316184529':
> > > status: MONITORING
> > > ca-error: Server at https://spinque04.hq.spinque.com/ipa/xml
> > > denied our request, giving up: 2100 (RPC failed at server.  Insufficient
> > > access: Principal 'HTTP/spinque04.hq.spinque@hq.spinque.com' is not
> > > permitted to use CA '.' with profile 'caIPAserviceCert' for certificate
> > > issuance.).
> >
> > I think this is a side-effect of updating the packages with expired
> > certs (you are about half upgraded right now). The new CA ACL rules
> > don't seem to have been applied. I'm not sure what the safest course is,
> > maybe Flo or Fraser know.
> >
> > rob
> >
> > >
> > > The journal shows continuous Tomcat errors such as this:
> > >
> > > Mar 01 00:09:28 spinque04.hq.spinque.com named-pkcs11[5692]: validating
> > > docs.oracle.com/CNAME: bad cache hit (oracle.com/DS)
> > > Mar 01 00:09:28 spinque04.hq.spinque.com named-pkcs11[5692]: broken trust chain
> > > resolving 'docs.oracle.com/A/IN': 8.8.8.8#53
> > > Mar 01 00:09:28 spinque04.hq.spinque.com named-pkcs11[5692]: validating
> > > docs.oracle.com/CNAME: bad cache hit (oracle.com/DS)
> > > Mar 01 00:09:28 spinque04.hq.spinque.com named-pkcs11[5692]: broken trust chain
> > > resolving 'docs.oracle.com//IN': 8.8.8.8#53
> > > Mar 01 00:09:32 spinque04.hq.spinque.com