[Freeipa-users] Directory service stop and won't stay up when restarted

2017-11-24 Thread Alexandre Pitre via FreeIPA-users
Hi,

I had two FreeIPA replica servers up and running in our German DC for
nearly 2 months and this morning, out of the blue, they stopped working.

Looking at ipactl status, both servers are reporting that their directory
service is stopped. Restarting ipa only works for somewhere between 2 minutes and an
hour.

Looking at /var/log/dirsrv/slapd-DOMAIN-COM/errors, there are no errors
that show up before it crashes.

However, looking at /var/log/messages, this lovely segfault shows up:

XX kernel: ns-slapd[17507]: segfault at 8 ip 7fb99e56149f sp 7fb96bee83c0 error 4 in libslapd.so.0.1.0[7fb99e483000+128000]

Out of despair to get production back up and running quickly, I reinstalled
one replica... it worked for an hour and then came back with the same issue.

We have 6 other FreeIPA replicas running across 3 different sites with zero
issues.

We're running CentOS 7.4 with the latest packages, ipa-server-4.5.0-21 &
389-ds-base-1.3.6.1-21.

Any clues why?

Thanks

-- 
Alexandre Pitre
alexandre.pi...@gmail.com
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Slow FreeIPA UI

2017-11-24 Thread Alexander Bokovoy via FreeIPA-users

On Fri, 24 Nov 2017, Maciej Drobniuch via FreeIPA-users wrote:

Hi All,

One of my IPA UI is working very slow.

I can observe the issue after moving the VM server onto another host.

The machine itself is not overloaded and the number of CPU cores and RAM
memory went up.

Other IPA UI on other servers are working smoothly.

Any ideas how to troubleshoot that?

Use your browser's web development tools to observe communication between the web
UI and the IPA master. You can see which requests are taking more time and
then correlate them with the corresponding request logging in
/var/log/httpd/error_log and the /var/log/dirsrv/slapd-INSTANCE/access logs.

--
/ Alexander Bokovoy
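As an added illustration of the correlation step Alexander describes (this is not code from the thread or from FreeIPA itself): a small parser that pairs each request line in a 389-ds access log with its RESULT line by conn/op, so a slow request seen in the browser can be matched to the LDAP operation and its etime. The sample lines are constructed and the layout assumed is the 389-ds 1.3.x access-log format; the parser also flags `notes=U`, which 389-ds writes on the RESULT line of an unindexed search.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines in the 389-ds access-log layout (not from the thread).
SAMPLE_ACCESS_LOG = """\
[24/Nov/2017:10:15:32.100000000 +0100] conn=42 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[24/Nov/2017:10:15:32.104000000 +0100] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0.004000000 dn="uid=alice,cn=users,cn=accounts,dc=example,dc=com"
[24/Nov/2017:10:15:32.110000000 +0100] conn=42 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=*))" attrs="uid cn"
[24/Nov/2017:10:15:35.300000000 +0100] conn=42 op=1 RESULT err=0 tag=101 nentries=1500 etime=3.190000000 notes=U
[24/Nov/2017:10:15:35.310000000 +0100] conn=42 op=2 SRCH base="uid=alice,cn=users,cn=accounts,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[24/Nov/2017:10:15:35.312000000 +0100] conn=42 op=2 RESULT err=0 tag=101 nentries=1 etime=0.002000000
"""

# The conn/op pair is what ties a request line to its RESULT line.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+) '
                       r'etime=(?P<etime>[\d.]+)(?P<tail>.*)$')


def parse_access_log(text: str) -> List[Dict]:
    """Return one record per completed operation: request, result code, etime."""
    pending: Dict[Tuple[int, int], Dict] = {}
    completed: List[Dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        result = RESULT_RE.match(m['rest'])
        if result is None:
            # BIND/SRCH/MOD/... line: hold it until the matching RESULT arrives.
            pending[key] = {'conn': key[0], 'op': key[1], 'ts': m['ts'], 'request': m['rest']}
            continue
        req = pending.pop(key, None)
        if req is None:
            continue  # RESULT whose request predates this log slice
        req.update(err=int(result['err']), nentries=int(result['nentries']),
                   etime=float(result['etime']),
                   # notes=U marks an unindexed search, a classic cause of slow UI pages
                   unindexed='notes=U' in result['tail'])
        completed.append(req)
    return completed


def slowest(ops: List[Dict], threshold: float = 1.0) -> List[Dict]:
    """Operations at or above `threshold` seconds, slowest first."""
    return sorted((o for o in ops if o['etime'] >= threshold),
                  key=lambda o: o['etime'], reverse=True)
```

Run it over the real /var/log/dirsrv/slapd-INSTANCE/access file and compare the timestamps of the operations it reports against the slow requests shown in the browser's network panel.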


[Freeipa-users] Re: FreeIPA & wireless

2017-11-24 Thread Maciej Drobniuch via FreeIPA-users
Mac OS X is strict with regard to self-signed and expired certificates. Please
check there.

On Wed, Nov 15, 2017 at 5:48 PM, Andrew Meyer via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Weird.  We are having problems with it and our Aruba wireless using
> FreeRADIUS.
>
> On Wednesday, November 15, 2017 10:48 AM, Michael Plemmons via
> FreeIPA-users wrote:
>
> I do not remember having to update any SSL certs. I am upgraded to
> High Sierra and have not had any problems with certs.
>
> *Mike Plemmons | Senior DevOps Engineer | CrossChx*
> 614.427.2411
> mike.plemm...@crosschx.com
> www.crosschx.com
>
> On Tue, Nov 14, 2017 at 3:47 PM, Andrew Meyer 
> wrote:
>
> For the newer MacBooks (High Sierra) how did you get around the TLS 1.2
> requirement?   Did you generate an SSL cert and publish that to the RADIUS
> server?
>
> On Tuesday, November 14, 2017 9:54 AM, Michael Plemmons via FreeIPA-users wrote:
>
> We have a range of OS X versions from 10.10 and newer.   Our RADIUS server
> (running FreeRadius on Linux) is using FreeIPA for the authentication via
> LDAP.   Our WiFi access point is configured to talk to the radius server
> for authentication.
>
> On Tue, Nov 14, 2017 at 9:47 AM, Andrew Meyer 
> wrote:
>
> Michael,
> What version of Mac OS X are your MacBooks running?   10.12.5+?
>
> You are using Windows Server for RADIUS auth correct?
>
> On Monday, November 13, 2017 2:35 PM, Michael Plemmons via FreeIPA-users wrote:
>
> Our entire office is MacBooks.
>
> On Mon, Nov 13, 2017 at 3:18 PM, Andrew Meyer 
> wrote:
>
> Do you have any MacBook users?
>
> On Monday, November 13, 2017 2:07 PM, Michael Plemmons via FreeIPA-users wrote:
>
> In order for us to make it work, I had to set up a RADIUS (FreeRadius)
> server which uses FreeIPA as its backend.   Our WiFi access point is
> configured to point to the RADIUS server.   I had to make sure the AD trust
> package was installed on the FreeIPA server in order for the proper
> security features to work.   We do not have SSL certs on our machines.
>
> On Fri, Nov 10, 2017 at 11:07 AM, Andrew Meyer via FreeIPA-users wrote:
>
> So I was wondering if anyone has FreeIPA set up to do authentication with
> wireless.   We have an ArubaNetworks platform set up to do EAP-PEAP only,
> communicating back to the current OpenLDAP system, but would like to
> migrate to FreeIPA.
>
> I was able to set this up using Meraki MR18s, but I have to use WPA2-PSK
> (enterprise) with a splash page in order to log into my FreeIPA system.   I
> don't know if I will have to put the password in again; I am waiting until
> tonight to test that.
>
> All of our laptops are Mac OS X running El Capitan, with a few running High
> Sierra (all of them upgrading eventually).   We have under 5 laptops
> running Windows 7-10, and they are mostly hard wired.
>
> The issue is that when I log into wireless using FreeIPA I get prompted
> for a password.   It gets added to the keychain, but when I shut down for the
> night and come back in the next day it asks for the password again.
>
> While researching this issue I found that some people have put SSL
> certificates on the machines.   I don't want to create and enroll an SSL
> cert for EACH user.   I would like to get a system-wide one deployed IF this
> is the correct way to go.
>
> While this may sound like an ArubaNetworks wireless issue, I wanted to pose
> this question to the mailing list just in case there was a step I missed or
> didn't do something that might have been documented somewhere, and to see if
> anyone else has had this issue.
>
> Thank you in advance!

[Freeipa-users] Re: RADIUS and FreeIPA

2017-11-24 Thread Maciej Drobniuch via FreeIPA-users
Hey Andrew,

The guide you are following is 100% all right. Works for me (all my
freeradius servers are bound to IPA).

In regard to syntax: please try the GUI. This is how I did it.

In regard to macOS and WiFi issues: please check that the freeradius
certificate did not expire (look for issues there).

BR
Maciej

On Tue, Nov 14, 2017 at 10:10 PM, Andrew Meyer via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:

> After all the emails (thank you for your help) I have most of my Mac OS X
> clients authenticating to FreeIPA over wireless.  Clients running on a 2014
> or newer 10.12.5 and up won't work.  I suspect this has to do with the TLS
> version.
>
> Tell me if I'm approaching this the right way.
>
> I am trying to apply a certificate FROM FreeIPA to FreeRADIUS.  I am also
> trying to register the service within FreeIPA but struggling with some of
> the syntax.
>
> I have been following this:
> FreeIPA: Giving permissions to service accounts. — Firstyear's blog-a-log
>
> I'm having some trouble adding the privileges and roles:
> [andrew.meyer@radius01 ~]$ ipa privilege-add-permission 'Radius service'
> --permission='Radius Service'
>   Privilege name: Radius Service
>   Description: Privileges needed to allow radiusd servers to operate
>   Failed members:
> permission: Radius Service: permission not found
> -
> Number of permissions added 0
> -
> [andrew.meyer@radius01 ~]$ ipa privilege-add-permission 'Radius service'
> --permission='Radius service'
>   Privilege name: Radius Service
>   Description: Privileges needed to allow radiusd servers to operate
>   Failed members:
> permission: Radius service: permission not found
> -
> Number of permissions added 0
> -
> [andrew.meyer@radius01 ~]$ ipa role-add 'Radius server' --desc="Radius
> server role"
> --
> Added role "Radius server"
> --
>   Role name: Radius server
>   Description: Radius server role
> [andrew.meyer@radius01 ~]$ ipa role-add-privilege --privileges="Radius
> services" 'Radius server'
>   Role name: Radius server
>   Description: Radius server role
>   Failed members:
> privilege: Radius services: privilege not found
> 
> Number of privileges added 0
> 
> [andrew.meyer@radius01 ~]$


-- 
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC


[Freeipa-users] Slow FreeIPA UI

2017-11-24 Thread Maciej Drobniuch via FreeIPA-users
Hi All,

One of my IPA UI is working very slow.

I can observe the issue after moving the VM server onto another host.

The machine itself is not overloaded and the number of CPU cores and RAM
memory went up.

Other IPA UI on other servers are working smoothly.

Any ideas how to troubleshoot that?

Thank You

-- 
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC


[Freeipa-users] FreeIPA wiki - emails and notifications working

2017-11-24 Thread Martin Kosek via FreeIPA-users
Hello all,

Related to our dear FreeIPA Wiki running on the new platform now, I was able
to make several improvements to the wiki, including enabling the email
infrastructure [1] and the related support for *notifications*.

You can now Watch a page and you should receive an email when the page
is modified by someone. From the logs, I can see that some of you
already received such emails.

Just as a reminder, I keep the remaining list of issues and ideas for the
wiki in [2].

Enjoy!

[1] https://github.com/freeipa/freeipa-wiki/issues/2
[2] https://github.com/freeipa/freeipa-wiki/issues

-- 
Martin Kosek 
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.


[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-24 Thread Alexander Bokovoy via FreeIPA-users

On Fri, 24 Nov 2017, Sumit Bose via FreeIPA-users wrote:

On Fri, Nov 24, 2017 at 04:57:01PM +1300, Aaron Hicks via FreeIPA-users wrote:

Hello the list,

It's here:
https://pagure.io/SSSD/sssd/blob/master/f/src/providers/ipa/ipa_auth.c#_395

SSSD is not doing its job properly when a user has an expired password and
an OTP token, and they should reset their password at the ssh prompt.


Yes, SSSD does not behave well with OTP and an expired password and I
agree with your analysis below. The area of code you mentioned above is
not related because it is a special path only used during password
migration (the user was migrated from LDAP with the LDAP password hash but
no Kerberos keys).

Would you mind opening a ticket on https://pagure.io/SSSD/sssd/issues
for this?

https://pagure.io/SSSD/sssd/issue/3585

--
/ Alexander Bokovoy