[Freeipa-users] Re: mysql and freeipa

2017-11-01 Thread Andrew Meyer via FreeIPA-users
Thank you for the feedback.

On Wednesday, November 1, 2017 3:26 PM, Gordon Messmer via FreeIPA-users wrote:

On 11/01/2017 09:46 AM, Robbie Harwood wrote:

None of that is particularly relevant unless you're specifically
supporting MSCHAPv2 authentication.

... which you shouldn't do because it's broken:
https://www.schneier.com/blog/archives/2012/08/breaking_micros.html

...and also not supported by MySQL, as far as I know.  I suppose I could have
said that, but I thought it was obvious.  :)
 ___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org




[Freeipa-users] Re: RPI2 FreeIPA Installation on Centos 7 not working

2017-11-01 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 01 Nov 2017, abe via FreeIPA-users wrote:

I did, did you read all the pastebins? It's in my original post.

You provided ipaclient-install.log, not ipaserver-install.log.

And I commented on that state already. Seems we are going in a loop
here.

--
/ Alexander Bokovoy


[Freeipa-users] Re: RPI2 FreeIPA Installation on Centos 7 not working

2017-11-01 Thread abe via FreeIPA-users

I did, did you read all the pastebins? It's in my original post.


On 11/1/17 5:10 PM, Alexander Bokovoy wrote:

On Wed, 01 Nov 2017, abe wrote:
This is because I have installed and uninstalled the ipa server 
multiple times after refining the cli options. What exactly do you 
want or need to know?

Can you show what's wrong with your ipa-server-install run.
In particular, if it fails to install on RPI2, then show
ipaserver-install.log.

Otherwise, it is very hard to help without seeing what problem you
have.




[Freeipa-users] Re: RPI2 FreeIPA Installation on Centos 7 not working

2017-11-01 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 01 Nov 2017, abe wrote:
This is because I have installed and uninstalled the ipa server 
multiple times after refining the cli options. What exactly do you 
want or need to know?

Can you show what's wrong with your ipa-server-install run.
In particular, if it fails to install on RPI2, then show
ipaserver-install.log.

Otherwise, it is very hard to help without seeing what problem you
have.

--
/ Alexander Bokovoy


[Freeipa-users] Re: mysql and freeipa

2017-11-01 Thread Gordon Messmer via FreeIPA-users

On 11/01/2017 09:46 AM, Robbie Harwood wrote:

None of that is particularly relevant unless you're specifically
supporting MSCHAPv2 authentication.

... which you shouldn't do because it's broken:
https://www.schneier.com/blog/archives/2012/08/breaking_micros.html


...and also not supported by MySQL, as far as I know.  I suppose I could 
have said that, but I thought it was obvious.  :)


[Freeipa-users] Re: RPI2 FreeIPA Installation on Centos 7 not working

2017-11-01 Thread abe via FreeIPA-users
This is because I have installed and uninstalled the ipa server multiple 
times after refining the cli options. What exactly do you want or need 
to know?



On 11/1/17 4:07 PM, Alexander Bokovoy wrote:

On Wed, 01 Nov 2017, Abraham Cabrera via FreeIPA-users wrote:

Apologies here is my script

[root@dns01 ~]# cat setup.ipa.sh
#!/bin/sh
# set -x echoes every command, including the passwords below, to stderr
set -x

HOSTNAME=dns01
DOMAIN_NAME=int.mrmcmuffinz.com
HOST_FQDN="${HOSTNAME}.${DOMAIN_NAME}"
# Kerberos realm names are case-sensitive and by convention all upper case
REALM_NAME=INT.MRMCMUFFINZ.COM


# Directory Manager password
DM_PASSWORD="redacted"
# Admin user kerberos password
ADMIN_PASSWORD="redacted"
# first address only: 'hostname -I' may list several, separated by spaces
IP_ADDRESS=$(hostname -I | awk '{print $1}')
DNS1=8.8.8.8
DNS2=8.8.4.4
# unused below; --auto-reverse lets the installer derive the reverse zone
REVERSE_ZONE_NAME="1.168.192.in-addr.arpa."

ipa-server-install --ds-password="${DM_PASSWORD}" --admin-password="${ADMIN_PASSWORD}" \
  --ip-address="${IP_ADDRESS}" --domain="${DOMAIN_NAME}" --hostname="${HOST_FQDN}" \
  --realm="${REALM_NAME}" \
  --setup-dns --forwarder "${DNS1}" --forwarder "${DNS2}" \
  --forward-policy=only --auto-reverse

But the logs you provided show that you already have a working IPA
server somewhere and that you tried to enroll an IPA client, and that one failed.

This is what I got from your original email. It is very hard to infer
any additional information from that.




[Freeipa-users] Re: RPI2 FreeIPA Installation on Centos 7 not working

2017-11-01 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 01 Nov 2017, Abraham Cabrera via FreeIPA-users wrote:

Apologies here is my script

[root@dns01 ~]# cat setup.ipa.sh
#!/bin/sh
# set -x echoes every command, including the passwords below, to stderr
set -x

HOSTNAME=dns01
DOMAIN_NAME=int.mrmcmuffinz.com
HOST_FQDN="${HOSTNAME}.${DOMAIN_NAME}"
# Kerberos realm names are case-sensitive and by convention all upper case
REALM_NAME=INT.MRMCMUFFINZ.COM


# Directory Manager password
DM_PASSWORD="redacted"
# Admin user kerberos password
ADMIN_PASSWORD="redacted"
# first address only: 'hostname -I' may list several, separated by spaces
IP_ADDRESS=$(hostname -I | awk '{print $1}')
DNS1=8.8.8.8
DNS2=8.8.4.4
# unused below; --auto-reverse lets the installer derive the reverse zone
REVERSE_ZONE_NAME="1.168.192.in-addr.arpa."

ipa-server-install --ds-password="${DM_PASSWORD}" --admin-password="${ADMIN_PASSWORD}" \
  --ip-address="${IP_ADDRESS}" --domain="${DOMAIN_NAME}" --hostname="${HOST_FQDN}" \
  --realm="${REALM_NAME}" \
  --setup-dns --forwarder "${DNS1}" --forwarder "${DNS2}" \
  --forward-policy=only --auto-reverse

But the logs you provided show that you already have a working IPA
server somewhere and that you tried to enroll an IPA client, and that one failed.

This is what I got from your original email. It is very hard to infer
any additional information from that.

--
/ Alexander Bokovoy


[Freeipa-users] Re: RPI2 FreeIPA Installation on Centos 7 not working

2017-11-01 Thread Abraham Cabrera via FreeIPA-users
Apologies here is my script

[root@dns01 ~]# cat setup.ipa.sh
#!/bin/sh
# set -x echoes every command, including the passwords below, to stderr
set -x

HOSTNAME=dns01
DOMAIN_NAME=int.mrmcmuffinz.com
HOST_FQDN="${HOSTNAME}.${DOMAIN_NAME}"
# Kerberos realm names are case-sensitive and by convention all upper case
REALM_NAME=INT.MRMCMUFFINZ.COM


# Directory Manager password
DM_PASSWORD="redacted"
# Admin user kerberos password
ADMIN_PASSWORD="redacted"
# first address only: 'hostname -I' may list several, separated by spaces
IP_ADDRESS=$(hostname -I | awk '{print $1}')
DNS1=8.8.8.8
DNS2=8.8.4.4
# unused below; --auto-reverse lets the installer derive the reverse zone
REVERSE_ZONE_NAME="1.168.192.in-addr.arpa."

ipa-server-install --ds-password="${DM_PASSWORD}" --admin-password="${ADMIN_PASSWORD}" \
  --ip-address="${IP_ADDRESS}" --domain="${DOMAIN_NAME}" --hostname="${HOST_FQDN}" \
  --realm="${REALM_NAME}" \
  --setup-dns --forwarder "${DNS1}" --forwarder "${DNS2}" \
  --forward-policy=only --auto-reverse


[Freeipa-users] Re: RPI2 FreeIPA Installation on Centos 7 not working

2017-11-01 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 01 Nov 2017, Abraham Cabrera via FreeIPA-users wrote:

As the title implies I've been trying to setup freeipa on a rpi2 with
centos 7 arm image for the past few days and no luck. I would like to
note this is just for home lab and testing purposes. That being said I
can provide logs on request. Below are some of the logs I think can
help out.

1. http error log https://pastebin.com/6VviVp6A
2. ipaclient-install.log https://pastebin.com/ZzwVug4a
3. krb5kdc.log https://pastebin.com/4NvFcbtz

From what you have provided it is unclear what you are trying to install
on rpi2. Was it an IPA client or what?

--
/ Alexander Bokovoy


[Freeipa-users] Re: kinit -n

2017-11-01 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 01 Nov 2017, Charles Hedrick via FreeIPA-users wrote:

I understood that kinit -n is supposed to work with IPA 4.5. I have a
server upgraded from 4.4 to 4.5. kinit -n prompts for a password.

What needs to be true on client and server for this to work?

What needs to be done depends on what setup you have.

Run 'ipa-pkinit-manage status' to see what is the current status.

For integrated IPA CA:
- Run 'ipa-pkinit-manage enable' to enable the PKINIT KDC certificate. You
  need to do so on all IPA 4.5 servers. Preferably upgrade all servers to
  4.5, as a mix between KDCs would create a lot of confusion.

For CA-less setup:
- IPA would be unable to issue KDC certificates automatically in this
  case, so it would only issue self-signed KDC cert on each IPA master
  for the purpose of internal Web UI usage.

- Use 'ipa-server-certinstall' to install a KDC certificate issued by
  your external CA. Use the instructions on
  https://web.mit.edu/kerberos/krb5-1.15/doc/admin/pkinit.html to
  generate the KDC certificate request and sign it with your CA.

For both cases:

- Make sure your clients trust the CA which issued the KDC certificate. By
  default, IPA clients are configured to trust the IPA CA in
  /etc/krb5.conf:

 pkinit_anchors = FILE:/etc/ipa/ca.crt

  If you are using different CA, you need to make sure this line
  mentions a proper CA certificate.

- run 'ipa-server-upgrade' to make sure all remaining parts are
  created too.

- Don't forget to restart IPA on each updated master.

--
/ Alexander Bokovoy
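
The client-side half of the last bullets above, as an added example that is not code from the thread or from FreeIPA: a POSIX sh script that pulls every pkinit_anchors entry out of a krb5.conf and reports anchors that point at a missing file, at a file holding no PEM certificate, or that are absent altogether, which is the state a client is left in when the CA behind the KDC certificate changed and /etc/krb5.conf still names the old one. The sample krb5.conf, the certificate body and the temporary paths are constructed for the demonstration; EXAMPLE.TEST and ipa.example.test are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: check the client side of PKINIT
# trust. Every pkinit_anchors entry in a krb5.conf must name a readable file
# (or directory), and a FILE: anchor must actually contain a PEM certificate;
# otherwise the client cannot validate the KDC certificate.
# The sample krb5.conf and certificate below are constructed placeholders.

# Print every pkinit_anchors value in a krb5.conf, one per line
# ([libdefaults] and per-realm entries alike).
pkinit_anchors_in() {
    sed -n 's/^[[:space:]]*pkinit_anchors[[:space:]]*=[[:space:]]*//p' "$1"
}

# One fixed-width status line: <STATUS> <subject>
status() {
    printf '%-8s %s\n' "$1" "$2"
}

# Check a single anchor of the form FILE:<path> or DIR:<path> (the two forms
# this checker understands). Prints a status line; non-zero on any problem.
check_anchor() {
    spec=$1
    case $spec in
        FILE:*)
            path=${spec#FILE:}
            if [ ! -r "$path" ]; then status MISSING "$path"; return 1; fi
            if ! grep -q 'BEGIN CERTIFICATE' "$path"; then status NOT-PEM "$path"; return 1; fi
            status OK "$path"
            ;;
        DIR:*)
            path=${spec#DIR:}
            if [ ! -d "$path" ]; then status MISSING "$path"; return 1; fi
            status OK "$path"
            ;;
        *)
            status UNKNOWN "$spec"; return 1
            ;;
    esac
}

# Check every anchor in a krb5.conf. Returns non-zero when an anchor is bad
# or when there is none at all, the situations in which the client cannot
# validate the KDC certificate and kinit -n ends up asking for a password.
check_pkinit_anchors() {
    conf=$1
    anchors=$(pkinit_anchors_in "$conf")
    if [ -z "$anchors" ]; then status NONE "no pkinit_anchors in $conf"; return 1; fi
    rc=0
    for spec in $anchors; do
        check_anchor "$spec" || rc=1
    done
    return $rc
}

# Constructed sample: one anchor that exists, one left over from an old CA.
make_sample_config() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBplaceholderNotARealCertificateBodyConstructedForThisExample==' \
        '-----END CERTIFICATE-----' > "$dir/ca.crt"
    cat > "$dir/krb5.conf" <<EOF
[libdefaults]
  default_realm = EXAMPLE.TEST
  pkinit_anchors = FILE:$dir/ca.crt

[realms]
  EXAMPLE.TEST = {
    kdc = ipa.example.test:88
    pkinit_anchors = FILE:$dir/old-ca.crt
  }
EOF
}

main() {
    tmp=$(mktemp -d)
    make_sample_config "$tmp"
    if check_pkinit_anchors "$tmp/krb5.conf"; then
        echo "all PKINIT anchors look usable"
    else
        echo "fix the anchors flagged above, then retry kinit -n"
    fi
    rm -rf "$tmp"
}

main
```

On a real client, source the functions and run `check_pkinit_anchors /etc/krb5.conf`; a MISSING or NONE line is one reason for kinit -n to fall back to a password prompt after a CA change. The check only establishes that the anchor file is present and is a certificate, not that it is the issuer of the KDC certificate; `ipa-pkinit-manage status` on the server side covers that.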


[Freeipa-users] RPI2 FreeIPA Installation on Centos 7 not working

2017-11-01 Thread Abraham Cabrera via FreeIPA-users
As the title implies I've been trying to setup freeipa on a rpi2 with centos 7 
arm image for the past few days and no luck. I would like to note this is just 
for home lab and testing purposes. That being said I can provide logs on 
request. Below are some of the logs I think can help out.

1. http error log https://pastebin.com/6VviVp6A
2. ipaclient-install.log https://pastebin.com/ZzwVug4a
3. krb5kdc.log https://pastebin.com/4NvFcbtz


[Freeipa-users] kinit -n

2017-11-01 Thread Charles Hedrick via FreeIPA-users
I understood that kinit -n is supposed to work with IPA 4.5. I have a server 
upgraded from 4.4 to 4.5. kinit -n prompts for a password.

What needs to be true on client and server for this to work?


[Freeipa-users] Re: Swiching which FreeIPA server is the main CA

2017-11-01 Thread Kristian Petersen via FreeIPA-users
I did some checking of some of the same stuff on my other IPA server (ipa2;
not a CA), and in LDAP it still has the old certificate that we replaced on
ipa1.  Could the mismatch between these two servers be what is causing
pki-tomcat to fail?  journalctl shows an error that seems to indicate some
kind of communication error between the two LDAPs when trying to
replicate.  I'm not sure though if that is a symptom of the problem we are
trying to fix or part of the cause.

On Tue, Oct 31, 2017 at 8:06 AM, Kristian Petersen 
wrote:

> Unfortunately, this machine is the only CA.  I tried making one of my
> replicas a CA but because the pki-tomcat stuff was broken, of course that
> didn't work.  Super bad, I know.  Here is the result of that last command:
> sudo certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
> Key and Certificate Services"
> < 0> rsa  53ace5456cb0c07b79d061b7aada366063799089   NSS Certificate
> DB:subsystemCert cert-pki-ca
> < 1> rsa  e9ff606015f8c6a032ee88c51459e1952ba7f901   (orphan)
> < 2> rsa  f40b78512366c34f88fa2da4900978a778048d4a   NSS Certificate
> DB:ocspSigningCert cert-pki-ca
> < 3> rsa  8caa824ccc68966582b02dbc14aa422c3d08dee6   NSS Certificate
> DB:Server-Cert cert-pki-ca
> < 4> rsa  6410804f149a562865b616fa3054640b45305ea2   caSigningCert
> cert-pki-ca
> < 5> rsa  13cd3399d4c0734796fee85eca65a2ee05281146   NSS Certificate
> DB:auditSigningCert cert-pki-ca
>
> On Tue, Oct 31, 2017 at 2:57 AM, Florence Blanc-Renaud 
> wrote:
>
>> On 10/30/2017 05:23 PM, Kristian Petersen via FreeIPA-users wrote:
>>
>>> OK I think  I got the ldapmodify to work.  I reran the commands to check
>>> the two certs and they appear to match now.  However, when I run an ipactl
>>> restart the system still fails on pki-tomcatd.
>>>
>> Hi,
>> In this case I think that the next item to investigate is why the key
>> cannot be listed using
>> sudo certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n
>> 'subsystemCert cert-pki-ca'
>>
>> In a previous mail, you wrote that the output of this command was
>> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
>> Key and Certificate Services"
>> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized
>> Object Identifier.
>>
>> This tells that
>> 1/ the password is OK (otherwise certutil would display an error message)
>> 2/ the key for 'subsystemCert cert-pki-ca' is missing from the nssdb.
>>
>> Do you have a backup of the NSS DB /etc/pki/pki-tomcat/alias or was the
>> CA installed on another master, so that we can get the private key?
>> Can you also list which keys are present in /etc/pki/pki-tomcat/alias with
>> sudo certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt
>>
>> Flo
>>
>>> On Mon, Oct 30, 2017 at 3:42 AM, Florence Blanc-Renaud wrote:
>>>
>>> On 10/28/2017 01:15 AM, Kristian Petersen via FreeIPA-users wrote:
>>>
>>> I forgot to include the results of the commands in case it is
>>> helpful:
>>>
>>> -bash-4.2$ ldapsearch -LLL -D 'cn=directory manager' -W -b
>>> uid=pkidbuser,ou=people,o=ipaca userCertificate description
>>> seeAlso
>>> Enter LDAP Password:
>>> dn: uid=pkidbuser,ou=people,o=ipaca
>>> userCertificate::
>>> MIIDdTCCAl2gAwIBAgIBBDANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxD
>>> SEVNLkJZVS5FRFUxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAe
>>> Fw0xNTEwMTMyMDUwM
>>> jhaFw0xNzEwMDIyMDUwMjhaMC4xFTATBgNVBAoMDENIRU0uQllVLkVEVTEVM
>>> BMGA1UEAwwMQ0EgU3
>>> Vic3lzdGVtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtW9NKg
>>> tthoustZq+bobtAe+
>>> z8z82YinNVC9YzOejrRqRHST4ZiJIq2S6pGPUxbDcpit9eBgyjBT5Ale2B1B
>>> SN+SfKcBeK+AMjYF0
>>> sBM9Aplx/wBu0IIyA4owqw0QxhtSpvTFEAPZ15JJEb5Rakgl/Gb19+GIzt7F
>>> R2t6xtozPFjlzH5HX
>>> Npiocdl7RvF6UjktsnE/0N5T/8aBPQbunECePUakskUjr0Cv1HjIKsERXtTn
>>> 0HAc5ETitHkbCCxn+
>>> 8oT082PzDmD1gPgtTI86bsuqcJIHVSqVCk3dIRBL0OLeD3tHkfIp4o+NuoAY
>>> aWi/hjpgq0ZXa2zM8
>>> zIy33h+A+UQIDAQABo4GUMIGRMB8GA1UdIwQYMBaAFB0PNWo+emloojFyMjH
>>> rItpaAfVCMD8GCCsG
>>> AQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYTEuY2hlbS5ieXUu
>>> ZWR1OjgwL2NhL29jc
>>> 3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFB
>>> QcDAjANBgkqhkiG9w
>>> 0BAQsFAAOCAQEAnsZeWq5e0UWJwaJqTiJdm+1jvQJrzOPWRYPfu9MTpfFjyh
>>> lNEwMX0azVzTrFbn2
>>> 7+JjQpcxH60zNurhjfavdx3S+/Dmz0dZPgX6AKBeZMfKyyfLeXaoCz3AW9uI
>>> biQZZFdQloGGB82Ek
>>> M78W6rJVxb5x9Juck4D4GaeqOuHgNPYVnpNkWR4shCnbGdGjrG4kQRO4I91D
>>> xYBrKnY8Fmucxq2y1
>>> 4Xi29RT9Plx6p4g4E+LjqdZVAPlK/x3IQDxL2Shp/ycQxGEjfmPX8t3gbyi9
>>> e4QvHv5EdmrGpHlIQ
>>> bicsPmJ3gmDLn+EcIyoxpT7BLmJKPrn0FjF+FTyE/OrzHBkg==
>>> description: 

[Freeipa-users] Re: mysql and freeipa

2017-11-01 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 31 Oct 2017, Gordon Messmer via FreeIPA-users wrote:

On 10/31/2017 03:44 PM, Andrew Meyer via FreeIPA-users wrote:

I've been following this website:
FreeIPA: Giving permissions to service accounts. — Firstyear's blog-a-log

None of that is particularly relevant unless you're specifically
supporting MSCHAPv2 authentication.

The easiest solution for authenticating MySQL using FreeIPA is 
probably to join the MySQL server to the IPA domain and then use PAM 
authentication:


https://dev.mysql.com/doc/refman/5.5/en/pam-pluggable-authentication.html

If you are using MariaDB instead of MySQL, it is possible to configure
GSSAPI (Kerberos) authentication. You'd still need to create the users in
the MariaDB database first so that it knows these are valid ones:
https://mariadb.com/kb/en/library/authentication-plugin-gssapi/

--
/ Alexander Bokovoy
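
Both options in this message, Gordon's PAM route and the MariaDB GSSAPI route, as an added example that is not code from the thread, from FreeIPA or from either database project: a POSIX sh script for a MariaDB host that is already enrolled as an IPA client. It renders the PAM service file (pam_sss), the server options for the auth_gssapi plugin and the CREATE USER statements for each mechanism, and, only when APPLY=1, creates the service principal and keytab in IPA and writes the files. EXAMPLE.TEST, db01.example.test, ipa.example.test, the keytab path and the users alice and bob are placeholders; the apply step assumes root, an admin Kerberos ticket, and the MariaDB auth_pam and auth_gssapi plugin packages being present on the host.

```shell
#!/bin/sh
# Added example, not code from the thread: prepare an IPA-enrolled MariaDB
# host (sssd already running) for PAM and for GSSAPI authentication.
# Realm, host, keytab path and user names are placeholders. Nothing touches
# the system unless APPLY=1; the render_* functions only produce text.

REALM=${REALM:-EXAMPLE.TEST}
DBHOST=${DBHOST:-db01.example.test}
IPASERVER=${IPASERVER:-ipa.example.test}
KEYTAB=${KEYTAB:-/etc/mysql/mariadb.keytab}

# PAM service for the database server: defer authentication and account
# checks to sssd, so IPA passwords and the host's HBAC rules apply.
render_pam_service() {
    printf '%s\n' \
        'auth    required pam_sss.so' \
        'account required pam_sss.so'
}

# Server options for MariaDB's GSSAPI plugin: which keytab to read and which
# service principal the server authenticates as.
render_gssapi_cnf() {
    printf '%s\n' \
        '[mariadb]' \
        'plugin_load_add = auth_gssapi' \
        "gssapi_keytab_path = $KEYTAB" \
        "gssapi_principal_name = mariadb/$DBHOST@$REALM"
}

# SQL creating one database account for IPA user $1 with mechanism $2.
# PAM carries the password in clear text inside the connection, hence
# REQUIRE SSL; GSSAPI never sends a password, the user needs a valid ticket.
render_user_sql() {
    user=$1
    case $2 in
        mariadb-pam)
            printf "CREATE USER '%s'@'%%' IDENTIFIED VIA pam USING 'mariadb' REQUIRE SSL;\n" "$user" ;;
        mariadb-gssapi)
            printf "CREATE USER '%s'@'%%' IDENTIFIED VIA gssapi AS '%s@%s';\n" "$user" "$user" "$REALM" ;;
        mysql-pam)
            # MySQL's own (Enterprise) plugin from the linked manual page; its PAM
            # service file is /etc/pam.d/mysql. REQUIRE SSL here is MySQL 5.7+ syntax.
            printf "CREATE USER '%s'@'%%' IDENTIFIED WITH authentication_pam AS 'mysql' REQUIRE SSL;\n" "$user" ;;
        *)
            echo "unknown mechanism: $2" >&2; return 1 ;;
    esac
}

# Apply on a real host: run as root with an admin ticket (kinit admin).
apply() {
    ipa service-add "mariadb/$DBHOST@$REALM"
    ipa-getkeytab -s "$IPASERVER" -p "mariadb/$DBHOST@$REALM" -k "$KEYTAB"
    chown mysql:mysql "$KEYTAB" && chmod 0600 "$KEYTAB"
    render_pam_service > /etc/pam.d/mariadb
    render_gssapi_cnf  > /etc/my.cnf.d/gssapi.cnf
    systemctl restart mariadb
    mysql -e "INSTALL SONAME 'auth_pam';"
    render_user_sql alice mariadb-pam    | mysql
    render_user_sql bob   mariadb-gssapi | mysql
}

if [ "${APPLY:-0}" = 1 ]; then
    apply
else
    echo "# dry run; set APPLY=1 to configure the host"
    render_gssapi_cnf
    render_user_sql alice mariadb-pam
    render_user_sql bob mariadb-gssapi
fi
```

Run it without APPLY to see the generated configuration. The PAM path transmits the user's IPA password inside the database connection, which is why the rendered accounts carry REQUIRE SSL and why clients have to opt in (MySQL's client needs --enable-cleartext-plugin); the GSSAPI path needs no password at all, only a ticket obtained with kinit on the client, and the account still has to exist in the database, as the message says.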