[Freeipa-users] Re: Freeipa Certificates issues

2017-08-30 Thread Florence Blanc-Renaud via FreeIPA-users

On 08/29/2017 06:43 PM, Julien Honore wrote:

Hi Florence,

Thank you for the reply.

When I execute the command sudo kinit -kt /etc/krb5.keytab
the result is:
kinit: Clients credentials have been revoked while getting initial credentials

When I try the command ipa-getkeytab, I don't have the same option.


Hi,

(putting mailing list back in the recipients list)
you are right, the --retrieve option was added only in IPA 4.x.

If you run ipa-getkeytab without the -r option, it will request a new 
host keytab (all other keytabs previously obtained will be invalidated). 
So this should unblock certmonger, but if you were using the host keytab 
in other places you will need to overwrite them with the new keytab.


Flo


Thank you.

Julien Honore.

- Original Message -
From: "Florence Blanc-Renaud" 
To: "freeipa-users" 
Cc: "Julien Honore" 
Sent: Tuesday, 29 August, 2017 12:14:10
Subject: Re: [Freeipa-users] Freeipa Certificates issues

On 08/29/2017 04:09 PM, Julien Honore via FreeIPA-users wrote:


Hi,

I have an issue with my freeipa server.

The certificates expired and I can't resubmit.

I put the date before the expiration of the certs.

The result of ipa-getcert list :


Number of certificates and requests being tracked: 8.
Request ID '20150805183502':
    status: MONITORING
    ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-VIT-LAN/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=VIT.LAN
    subject: CN=auth0.vit.lan,O=VIT.LAN
    expires: 2017-08-05 18:35:02 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150805183539':
    status: MONITORING
    ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=VIT.LAN
    subject: CN=auth0.vit.lan,O=VIT.LAN
    expires: 2017-08-05 18:35:39 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150805183647':
    status: MONITORING
    ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=VIT.LAN
    subject: CN=auth0.vit.lan,O=VIT.LAN
    expires: 2017-08-05 18:36:47 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

If someone can help me with this issue, it will be very helpful.

Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
ADTRUST Service: RUNNING
EXTID Service: RUNNING

FreeIPA v3.

Thank you

Julien Honore






___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


Hi,

I have very little experience with IPA v3, but let's try anyway... If
things didn't change too much, certmonger's IPA helper is using
/etc/krb5.keytab to connect to IPA server. Can you check if this keytab
is still valid using
$ sudo kinit -kt /etc/krb5.keytab

If the operation fails, this is probably the root cause of your issue.
The utility ipa-getkeytab will allow you to get the host keytab (with
the --retrieve option and --principal=host/$HOSTNAME@$DOMAINNAME).

HTH,
Flo


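An added example, not code from the thread or from FreeIPA itself, that puts Flo's two replies into a script: it triages `ipa-getcert list` output for requests certmonger cannot renew because the KDC rejects the host keytab ("Clients credentials have been revoked" is a Kerberos error about the host principal, not a certificate revocation), and prints the recovery sequence rather than running it. The getcert output below is constructed, modelled on Julien's paste; the host name, realm and IPA server passed to recovery_commands are placeholders.

```shell
#!/bin/sh
# Added example; not from the thread or from FreeIPA. Sample data is constructed.

SAMPLE_GETCERT_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20150805183502':
    status: MONITORING
    ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
    stuck: no
    CA: IPA
    subject: CN=auth0.vit.lan,O=VIT.LAN
    expires: 2017-08-05 18:35:02 UTC
Request ID '20150805183539':
    status: MONITORING
    ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
    stuck: no
    CA: IPA
Request ID '20150805183647':
    status: MONITORING
    ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
    stuck: no
    CA: IPA
Request ID '20150805183700':
    status: MONITORING
    stuck: no
    CA: IPA
EOF
)

# Read `getcert list` output on stdin and print the ID of every request whose
# ca-error says the KDC revoked the client's credentials. The awk field
# separator is the single quote, so $2 of a "Request ID '...'" line is the ID.
# The error text is matched anywhere in the record because mail clients wrap it.
blocked_request_ids() {
    awk -F"'" '
        /^Request ID/ { id = $2; reported = 0 }
        /credentials have been revoked/ && id != "" && !reported {
            print id
            reported = 1
        }
    '
}

# Print, but do not run, the recovery sequence for one host so it can be
# reviewed first: ipa-getkeytab without -r generates a new key, and every
# other copy of the old host keytab stops working at that moment.
# $1 = host FQDN, $2 = Kerberos realm, $3 = an IPA server, rest = request IDs.
recovery_commands() {
    fqdn=$1; realm=$2; server=$3; shift 3
    echo "# 1. Confirm the keytab is rejected (expect 'Clients credentials have been revoked'):"
    echo "kinit -kt /etc/krb5.keytab host/$fqdn@$realm"
    echo "# 2. With an admin TGT, fetch a host keytab. On IPA 4.x add -r to retrieve the"
    echo "#    existing key; without -r (IPA 3) the key is regenerated and other copies break."
    echo "ipa-getkeytab -s $server -p host/$fqdn@$realm -k /etc/krb5.keytab"
    echo "# 3. Re-check, then ask certmonger to retry each blocked request:"
    echo "kinit -kt /etc/krb5.keytab host/$fqdn@$realm"
    for id in "$@"; do
        echo "getcert resubmit -i $id"
    done
}

# Stand-alone run: triage the embedded sample and print the plan.
blocked=$(printf '%s\n' "$SAMPLE_GETCERT_LIST" | blocked_request_ids)
recovery_commands auth0.vit.lan VIT.LAN ipa.vit.lan $blocked
```

In use, replace the embedded sample with `ipa-getcert list | blocked_request_ids`. The healthy fourth request in the sample is there to show that the filter keys on the ca-error text, not on the MONITORING status, which is the same for blocked and healthy entries.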


[Freeipa-users] Re: Kvno error on validating one-way trust: "kvno: Decrypt integrity check failed while getting credentials"

2017-08-30 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 22 Aug 2017, bogusmaster--- via FreeIPA-users wrote:

Hi All,

I am setting up a one-way trust from FreeIPA server to AD domain with a
pre-shared key.

This is currently not working due to chicken/egg problem: in order to
turn trust into an active one, you need to validate it. We do not have
code in Samba-IPA integration that makes validation _from_ Windows side
working, thus we can only validate it from Linux side. However, to do
that, we should have *some* administrative account on AD side because
our trusted domain object is not active yet.

There are two ways to get around it today:
- use administrative credentials to establish one-way trust
- establish two-way trust


--
/ Alexander Bokovoy


[Freeipa-users] Re: Kvno error on validating one-way trust: "kvno: Decrypt integrity check failed while getting credentials"

2017-08-30 Thread Sumit Bose via FreeIPA-users
On Wed, Aug 30, 2017 at 10:45:11AM -, bogusmaster--- via FreeIPA-users wrote:
> Behavior that I described above pertains to Windows 2008 R2. When I attempt 
> at doing exactly the same with AD set up on top of Windows 2012, it works 
> flawlessly. Unfortunately, environment I have to set up trust with uses 
> Windows 2008 R2. I am wondering what might be the difference between these 
> two versions that prevent trust from working in case of Windows 2008 R2.

Can you send the KRB5_TRACE output for the 2012 case as well. What looks
suspicious to me in the 2008R2 output is

TGS reply is for testu...@domain.com -> krbtgt/ipa.domain@domain.com with session key aes256-cts/C0B1

I would expect krbtgt/ipa.domain@domain.com here. AD typically does
not care about cases in Kerberos principal but IPA's MIT Kerberos KDC
does (because the RFC says Kerberos is case-sensitive).

bye,
Sumit

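An added example, not from the thread or from MIT Kerberos/FreeIPA, that applies Sumit's check mechanically: it scans KRB5_TRACE output for a TGS reply whose service principal equals the expected cross-realm krbtgt only when case is ignored, the kind of difference an AD KDC tolerates and the IPA (MIT) KDC does not. The trace lines are constructed in KRB5_TRACE's line format, and the expected spelling of the principal is an assumption.

```shell
#!/bin/sh
# Added example; not from the thread. Trace lines below are constructed.

SAMPLE_KRB5_TRACE=$(cat <<'EOF'
[2314] 1504089911.141: Getting credentials testuser@DOMAIN.COM -> krbtgt/IPA.DOMAIN@DOMAIN.COM using ccache KEYRING:persistent:0:0
[2314] 1504089911.142: Sending request (1612 bytes) to DOMAIN.COM
[2314] 1504089911.160: TGS reply is for testuser@DOMAIN.COM -> krbtgt/ipa.domain@domain.com with session key aes256-cts/C0B1
[2314] 1504089911.161: TGS reply is for testuser@DOMAIN.COM -> krbtgt/IPA.DOMAIN@DOMAIN.COM with session key aes256-cts/7F3A
EOF
)

# Read trace lines on stdin; print each TGS-reply service principal that
# differs from $1 only in case. An exact match or an unrelated principal
# prints nothing, so any output is a case mismatch the MIT KDC will reject.
case_only_mismatches() {
    awk -v want="$1" '
        /TGS reply is for/ {
            got = ""
            # the service principal is the token after "->"
            for (i = 1; i <= NF; i++) if ($i == "->") got = $(i + 1)
            if (got != "" && got != want && tolower(got) == tolower(want)) print got
        }
    '
}

# Stand-alone run over the constructed trace (prints krbtgt/ipa.domain@domain.com).
printf '%s\n' "$SAMPLE_KRB5_TRACE" | case_only_mismatches 'krbtgt/IPA.DOMAIN@DOMAIN.COM'
```

To use it on a real validation attempt, run the failing command under `KRB5_TRACE=/dev/stderr` and pipe stderr into `case_only_mismatches` with the krbtgt principal spelled the way the IPA KDC has it.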


[Freeipa-users] Re: Kvno error on validating one-way trust: "kvno: Decrypt integrity check failed while getting credentials"

2017-08-30 Thread bogusmaster--- via FreeIPA-users
Behavior that I described above pertains to Windows 2008 R2. When I attempt at 
doing exactly the same with AD set up on top of Windows 2012, it works 
flawlessly. Unfortunately, environment I have to set up trust with uses Windows 
2008 R2. I am wondering what might be the difference between these two versions 
that prevent trust from working in case of Windows 2008 R2.


[Freeipa-users] Re: [CentOS 7.5] error message during LDAP backup

2017-08-30 Thread Jochen Hein via FreeIPA-users
Ludwig Krispenz via FreeIPA-users writes:

> This is issue: https://pagure.io/389-ds-base/issue/49334

Thanks for the info.  I like the documentation and analysis in the
tickets (not only this one) - well done!

Jochen

-- 
This space is intentionally left blank.


[Freeipa-users] Re: [CentOS 7.5] error message during LDAP backup

2017-08-30 Thread Ludwig Krispenz via FreeIPA-users

This is issue: https://pagure.io/389-ds-base/issue/49334

On 08/30/2017 09:01 AM, Jochen Hein via FreeIPA-users wrote:

I've upgraded my FreeIPA servers to CentOS 7.5 (CR). After that I have
the following new messages during backup:

Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.225932118 +0200] - ERR - dblayer_copy_directory - Backend instance "cldb" does not exist; Instance path /var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb could be invalid.
Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.260896691 +0200] - ERR - dblayer_backup - Error in copying directory (/var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb -> /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup): err=-1

The path /var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb is valid and contains the
following files:

[root@freeipa1 cldb]# ls -la
total 6592
drwxr-xr-x. 2 dirsrv dirsrv    4096 28. Aug 16:12 .
drwxrwx---. 6 dirsrv dirsrv      47  1. Dec 2016  ..
-rw-------. 1 dirsrv dirsrv 5668864 30. Aug 08:54 105a1694-b80711e6-a735c4e0-b4c95686_583b44c10004.db
-rw-r--r--. 1 dirsrv dirsrv       0 28. Aug 16:12 105a1694-b80711e6-a735c4e0-b4c95686.sema
-rw-------. 1 dirsrv dirsrv 1064960 30. Aug 08:52 6464fab3-b80711e6-a735c4e0-b4c95686_5840787c000d.db
-rw-r--r--. 1 dirsrv dirsrv       0 28. Aug 16:12 6464fab3-b80711e6-a735c4e0-b4c95686.sema
-rw-------. 1 dirsrv dirsrv      30  1. Dec 2016  DBVERSION

The directory
/var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup
does not exist, all I have is:

[root@freeipa1 cldb]# ls -la /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/
total 0
drwxrwx---. 2 dirsrv dirsrv  6 30. Aug 01:34 .
drwxrwx---. 6 dirsrv dirsrv 47  1. Dec 2016  ..

I'll create
/var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup
manually and will see if that helps. I think it should be created during
upgrade or backup if it is missing.  What do you think?

Jochen



--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander


[Freeipa-users] [CentOS 7.5] error message during LDAP backup

2017-08-30 Thread Jochen Hein via FreeIPA-users

I've upgraded my FreeIPA servers to CentOS 7.5 (CR). After that I have
the following new messages during backup:

Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.225932118 +0200] - ERR - dblayer_copy_directory - Backend instance "cldb" does not exist; Instance path /var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb could be invalid.
Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.260896691 +0200] - ERR - dblayer_backup - Error in copying directory (/var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb -> /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup): err=-1

The path /var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb is valid and contains the
following files:

[root@freeipa1 cldb]# ls -la
total 6592
drwxr-xr-x. 2 dirsrv dirsrv    4096 28. Aug 16:12 .
drwxrwx---. 6 dirsrv dirsrv      47  1. Dec 2016  ..
-rw-------. 1 dirsrv dirsrv 5668864 30. Aug 08:54 105a1694-b80711e6-a735c4e0-b4c95686_583b44c10004.db
-rw-r--r--. 1 dirsrv dirsrv       0 28. Aug 16:12 105a1694-b80711e6-a735c4e0-b4c95686.sema
-rw-------. 1 dirsrv dirsrv 1064960 30. Aug 08:52 6464fab3-b80711e6-a735c4e0-b4c95686_5840787c000d.db
-rw-r--r--. 1 dirsrv dirsrv       0 28. Aug 16:12 6464fab3-b80711e6-a735c4e0-b4c95686.sema
-rw-------. 1 dirsrv dirsrv      30  1. Dec 2016  DBVERSION

The directory
/var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup
does not exist, all I have is:

[root@freeipa1 cldb]# ls -la /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/
total 0
drwxrwx---. 2 dirsrv dirsrv  6 30. Aug 01:34 .
drwxrwx---. 6 dirsrv dirsrv 47  1. Dec 2016  ..

I'll create
/var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup
manually and will see if that helps. I think it should be created during
upgrade or backup if it is missing.  What do you think?

Jochen

-- 
This space is intentionally left blank.