[Freeipa-users] Re: Freeipa Certificates issues
On 08/29/2017 06:43 PM, Julien Honore wrote:
> Hi Florence,
>
> Thank you for the reply.
>
> When I execute the command sudo kinit -kt /etc/krb5.keytab the result is:
>
> kinit: Clients credentials have been revoked while getting initial credentials
>
> When I try the command ipa-getkeytab, I don't have the same option.

Hi,

(putting mailing list back in the recipients list)

you are right, the --retrieve option was added only in IPA 4.x. If you run ipa-getkeytab without the -r option, it will request a new host keytab (all other keytabs previously obtained will be invalidated). So this should unblock certmonger, but if you were using the host keytab in other places you will need to overwrite them with the new keytab.

Flo

> Thank you.
>
> Julien Honore.
>
> ----- Original Message -----
> From: "Florence Blanc-Renaud"
> To: "freeipa-users"
> Cc: "Julien Honore"
> Sent: Tuesday, 29 August, 2017 12:14:10
> Subject: Re: [Freeipa-users] Freeipa Certificates issues
>
> On 08/29/2017 04:09 PM, Julien Honore via FreeIPA-users wrote:
> > Hi,
> >
> > I have an issue with my freeipa server. The certificates expired and I can't resubmit. I put the date before the expiration of the certs.
> >
> > The result of ipa-getcert list:
> >
> > Number of certificates and requests being tracked: 8.
> > Request ID '20150805183502':
> >         status: MONITORING
> >         ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-VIT-LAN/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=VIT.LAN
> >         subject: CN=auth0.vit.lan,O=VIT.LAN
> >         expires: 2017-08-05 18:35:02 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20150805183539':
> >         status: MONITORING
> >         ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=VIT.LAN
> >         subject: CN=auth0.vit.lan,O=VIT.LAN
> >         expires: 2017-08-05 18:35:39 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20150805183647':
> >         status: MONITORING
> >         ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=VIT.LAN
> >         subject: CN=auth0.vit.lan,O=VIT.LAN
> >         expires: 2017-08-05 18:36:47 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> >
> > If someone can help me with this issue? It will be very helpful.
> >
> > Directory Service: RUNNING
> > KDC Service: RUNNING
> > KPASSWD Service: RUNNING
> > MEMCACHE Service: RUNNING
> > HTTP Service: RUNNING
> > CA Service: RUNNING
> > ADTRUST Service: RUNNING
> > EXTID Service: RUNNING
> >
> > FreeIpa V3.
> >
> > Thank you
> > Julien Honore
> > ___
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
> Hi,
>
> I have very little experience with IPA v3, but let's try anyway...
>
> If things didn't change too much, certmonger's IPA helper is using /etc/krb5.keytab to connect to IPA server. Can you check if this keytab is still valid using
>
> $ sudo kinit -kt /etc/krb5.keytab
>
> If the operation fails, this is probably the root cause of your issue. The utility ipa-getkeytab will allow you to get the host keytab (with the --retrieve option and --principal=host/$HOSTNAME@$DOMAINNAME).
>
> HTH,
> Flo
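The two checks this thread walks through, as an added shell helper that is not part of the exchange above: parse `ipa-getcert list` output for requests that are stuck or carry a ca-error, and re-run the host-keytab kinit test without disturbing the caller's credential cache. The request layout, IDs and error text of the sample are constructed to mirror Julien's output; the keytab path defaults to /etc/krb5.keytab as in Flo's reply.

```shell
# Added helper, not from the thread: flag failing certmonger requests in
# `ipa-getcert list` output and re-run the host keytab kinit test.

# Constructed sample in the field layout shown in the thread; only the first
# request is failing.
sample_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20150805183502':
        status: MONITORING
        ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert'
        expires: 2017-08-05 18:35:02 UTC
Request ID '20150805183647':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
        expires: 2019-08-05 18:36:47 UTC
EOF
}

# stdin: `ipa-getcert list` output. stdout: "<request id><TAB><reason>" for
# each request that is stuck or reports a ca-error; nothing when all is well.
flag_requests() {
    awk -v q="'" '
        function flush() {
            if (id != "" && (stuck == "yes" || err != "")) {
                printf "%s\t%s\n", id, (err != "" ? err : "stuck")
            }
            id = ""; stuck = ""; err = ""
        }
        /^Request ID /      { flush(); id = $3; gsub(q, "", id); sub(/:$/, "", id); next }
        /^[ \t]*stuck: /    { sub(/^[ \t]*stuck: /, "");    stuck = $0; next }
        /^[ \t]*ca-error: / { sub(/^[ \t]*ca-error: /, ""); err = $0;   next }
        END { flush() }
    '
}

# kinit with the host keytab into a throwaway ccache; returns kinit's exit
# status (0 = the keytab is still accepted by the KDC). Needs root to read it.
check_host_keytab() {
    cc="$(mktemp)"
    kinit -c "FILE:$cc" -kt "${1:-/etc/krb5.keytab}"
    rc=$?
    rm -f "$cc"
    return "$rc"
}
sample_output | flag_requests   # demo on the constructed sample
```

On a live server run `ipa-getcert list | flag_requests` and then `check_host_keytab` as root; a non-zero return from the latter reproduces the "credentials have been revoked" condition that blocks certmonger.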
[Freeipa-users] Re: Kvno error on validating one-way trust: "kvno: Decrypt integrity check failed while getting credentials"
On Tue, 22 Aug 2017, bogusmaster--- via FreeIPA-users wrote:
> Hi All,
>
> I am setting up a one-way trust from FreeIPA server to AD domain with a pre-shared key.

This is currently not working due to chicken/egg problem: in order to turn trust into an active one, you need to validate it. We do not have code in Samba-IPA integration that makes validation _from_ Windows side working, thus we can only validate it from Linux side. However, to do that, we should have *some* administrative account on AD side because our trusted domain object is not active yet.

There are two ways to get around it today:
- use administrative credentials to establish one-way trust
- establish two-way trust

-- 
/ Alexander Bokovoy
[Freeipa-users] Re: Kvno error on validating one-way trust: "kvno: Decrypt integrity check failed while getting credentials"
On Wed, Aug 30, 2017 at 10:45:11AM -, bogusmaster--- via FreeIPA-users wrote:
> Behavior that I described above pertains to Windows 2008 R2. When I attempt
> at doing exactly the same with AD set up on top of Windows 2012, it works
> flawlessly. Unfortunately, environment I have to set up trust with uses
> Windows 2008 R2. I am wondering what might be the difference between these
> two versions that prevent trust from working in case of Windows 2008 R2.

Can you send the KRB5_TRACE output for the 2012 case as well?

What looks suspicious to me in the 2008R2 output is

    TGS reply is for testu...@domain.com -> krbtgt/ipa.domain@domain.com with session key aes256-cts/C0B1

I would expect krbtgt/ipa.domain@domain.com here. AD typically does not care about cases in Kerberos principal but IPA's MIT Kerberos KDC does (because the RFC says Kerberos is case-sensitive).

bye,
Sumit
[Freeipa-users] Re: Kvno error on validating one-way trust: "kvno: Decrypt integrity check failed while getting credentials"
Behavior that I described above pertains to Windows 2008 R2. When I attempt at doing exactly the same with AD set up on top of Windows 2012, it works flawlessly. Unfortunately, the environment I have to set up the trust with uses Windows 2008 R2. I am wondering what might be the difference between these two versions that prevents the trust from working in the case of Windows 2008 R2.
[Freeipa-users] Re: [CentOS 7.5] error message during LDAP backup
Ludwig Krispenz via FreeIPA-users writes:
> This is issue: https://pagure.io/389-ds-base/issue/49334

Thanks for the info. I like the documentation and analysis in the tickets (not only this one) - well done!

Jochen
-- 
This space is intentionally left blank.
[Freeipa-users] Re: [CentOS 7.5] error message during LDAP backup
This is issue: https://pagure.io/389-ds-base/issue/49334

On 08/30/2017 09:01 AM, Jochen Hein via FreeIPA-users wrote:
> I've upgraded my FreeIPA servers to CentOS 7.5 (CR). After that I have the following new messages during backup:
>
> Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.225932118 +0200] - ERR - dblayer_copy_directory - Backend instance "cldb" does not exist; Instance path /var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb could be invalid.
> Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.260896691 +0200] - ERR - dblayer_backup - Error in copying directory (/var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb -> /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup): err=-1
>
> The path /var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb is valid and contains the following files:
>
> [root@freeipa1 cldb]# ls -la
> insgesamt 6592
> drwxr-xr-x. 2 dirsrv dirsrv    4096 28. Aug 16:12 .
> drwxrwx---. 6 dirsrv dirsrv      47  1. Dez 2016  ..
> -rw-------. 1 dirsrv dirsrv 5668864 30. Aug 08:54 105a1694-b80711e6-a735c4e0-b4c95686_583b44c10004.db
> -rw-r--r--. 1 dirsrv dirsrv       0 28. Aug 16:12 105a1694-b80711e6-a735c4e0-b4c95686.sema
> -rw-------. 1 dirsrv dirsrv 1064960 30. Aug 08:52 6464fab3-b80711e6-a735c4e0-b4c95686_5840787c000d.db
> -rw-r--r--. 1 dirsrv dirsrv       0 28. Aug 16:12 6464fab3-b80711e6-a735c4e0-b4c95686.sema
> -rw-------. 1 dirsrv dirsrv      30  1. Dez 2016  DBVERSION
>
> The directory /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup does not exist, all I have is:
>
> [root@freeipa1 cldb]# ls -la /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/
> insgesamt 0
> drwxrwx---. 2 dirsrv dirsrv  6 30. Aug 01:34 .
> drwxrwx---. 6 dirsrv dirsrv 47  1. Dez 2016  ..
>
> I'll create /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup manually and will see if that helps. I think it should be created during upgrade or backup if it is missing. What do you think?
>
> Jochen

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
[Freeipa-users] [CentOS 7.5] error message during LDAP backup
I've upgraded my FreeIPA servers to CentOS 7.5 (CR). After that I have the following new messages during backup:

Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.225932118 +0200] - ERR - dblayer_copy_directory - Backend instance "cldb" does not exist; Instance path /var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb could be invalid.
Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.260896691 +0200] - ERR - dblayer_backup - Error in copying directory (/var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb -> /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup): err=-1

The path /var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb is valid and contains the following files:

[root@freeipa1 cldb]# ls -la
insgesamt 6592
drwxr-xr-x. 2 dirsrv dirsrv    4096 28. Aug 16:12 .
drwxrwx---. 6 dirsrv dirsrv      47  1. Dez 2016  ..
-rw-------. 1 dirsrv dirsrv 5668864 30. Aug 08:54 105a1694-b80711e6-a735c4e0-b4c95686_583b44c10004.db
-rw-r--r--. 1 dirsrv dirsrv       0 28. Aug 16:12 105a1694-b80711e6-a735c4e0-b4c95686.sema
-rw-------. 1 dirsrv dirsrv 1064960 30. Aug 08:52 6464fab3-b80711e6-a735c4e0-b4c95686_5840787c000d.db
-rw-r--r--. 1 dirsrv dirsrv       0 28. Aug 16:12 6464fab3-b80711e6-a735c4e0-b4c95686.sema
-rw-------. 1 dirsrv dirsrv      30  1. Dez 2016  DBVERSION

The directory /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup does not exist, all I have is:

[root@freeipa1 cldb]# ls -la /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/
insgesamt 0
drwxrwx---. 2 dirsrv dirsrv  6 30. Aug 01:34 .
drwxrwx---. 6 dirsrv dirsrv 47  1. Dez 2016  ..

I'll create /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup manually and will see if that helps. I think it should be created during upgrade or backup if it is missing. What do you think?

Jochen
-- 
This space is intentionally left blank.