[Freeipa-users] Re: freeipa failing to start after update

2020-01-20 Thread Andrew Meyer via FreeIPA-users
Glad to know this will be fixed!
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: freeipa failing to start after update

2020-01-20 Thread Jochen Hein via FreeIPA-users
Andrew Meyer via FreeIPA-users writes:

> [andrew.meyer@freeipa01 ~]$ sudo ipactl --ignore-service-failures start
...
> Starting smb Service
> Failed to start smb Service
> Forced start, ignoring smb Service, continuing normal operation
> Starting winbind Service
> Failed to start winbind Service
> Forced start, ignoring winbind Service, continuing normal operation
> Starting ipa-otpd Service
> Starting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful

That seems to be a bug - see:
https://bugs.centos.org/view.php?id=16929

Jochen

-- 
This space is intentionally left blank.


[Freeipa-users] Re: Option to allow single-label domains

2020-01-20 Thread Ronald Wimmer via FreeIPA-users

On 20.01.20 16:17, Florence Blanc-Renaud wrote:
> But if you are doing a brand new deployment, what would be the rationale
> for using single-label domain?

It would just have been a convenience thing. Entering someservice.lan is
a little shorter than someservice.ipa.lan. I can live with your decision...

When I was setting up IPA I was not aware of how heavily DHCP is used
here. Are there any best practices for such a scenario?


Cheers,
Ronald


[Freeipa-users] Re: freeipa failing to start after update

2020-01-20 Thread Andrew Meyer via FreeIPA-users
[andrew.meyer@freeipa01 ~]$ sudo ipactl --ignore-service-failures start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting smb Service
Failed to start smb Service
Forced start, ignoring smb Service, continuing normal operation
Starting winbind Service
Failed to start winbind Service
Forced start, ignoring winbind Service, continuing normal operation
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[andrew.meyer@freeipa01 ~]$
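An added check for the transcript above (not code from the thread or from FreeIPA): with --ignore-service-failures, ipactl prints "The ipactl command was successful" even though smb and winbind failed, so a script that only looks at the exit status or the last line misses the failures. This Python parser reads ipactl output and separates services that started from those that failed and were skipped; the sample output is a constructed trim of the transcript, and the verdict states are my own naming.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, trimmed from the ipactl output quoted in this thread;
# it is illustrative input for the parser, not a capture from a real host.
SAMPLE_IPACTL_OUTPUT = """\
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting pki-tomcatd Service
Starting smb Service
Failed to start smb Service
Forced start, ignoring smb Service, continuing normal operation
Starting winbind Service
Failed to start winbind Service
Forced start, ignoring winbind Service, continuing normal operation
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful
"""

STARTING = re.compile(r"^Starting (\S+) Service$")
FAILED = re.compile(r"^Failed to start (\S+) Service$")
IGNORED = re.compile(r"^Forced start, ignoring (\S+) Service")


@dataclass
class IpactlResult:
    attempted: list = field(default_factory=list)   # every "Starting X Service"
    failed: list = field(default_factory=list)      # every "Failed to start X Service"
    ignored: list = field(default_factory=list)     # failures skipped by --ignore-service-failures
    reported_success: bool = False                  # ipactl printed its own success line

    @property
    def running(self):
        return [s for s in self.attempted if s not in self.failed]

    @property
    def masked_failures(self):
        # Failures that ipactl swallowed: the command still reports "successful".
        return [s for s in self.failed if s in self.ignored]


def parse_ipactl_output(text):
    """Classify every line of `ipactl start` output."""
    result = IpactlResult()
    for raw in text.splitlines():
        line = raw.strip()
        m = STARTING.match(line)
        if m:
            result.attempted.append(m.group(1))
            continue
        m = FAILED.match(line)
        if m:
            result.failed.append(m.group(1))
            continue
        m = IGNORED.match(line)
        if m:
            result.ignored.append(m.group(1))
            continue
        if "The ipactl command was successful" in line:
            result.reported_success = True
    return result


def verdict(result):
    """Map the parsed output to a state a monitoring check can alert on.
    'degraded' means ipactl claimed success while some service failed."""
    if not result.failed:
        return "ok" if result.reported_success else "unknown"
    return "degraded" if result.reported_success else "failed"


if __name__ == "__main__":
    r = parse_ipactl_output(SAMPLE_IPACTL_OUTPUT)
    print(verdict(r), "failed:", r.failed, "running:", r.running)
```

Feed it `sudo ipactl --ignore-service-failures start 2>&1` and alert on anything other than "ok"; the masked_failures list is exactly what the flag hides.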


[Freeipa-users] Re: External CA renewal and self-signed surprise

2020-01-20 Thread Rob Crittenden via FreeIPA-users
Florence Blanc-Renaud via FreeIPA-users wrote:
> On 1/20/20 1:54 AM, Rob Foehl via FreeIPA-users wrote:
>> On Mon, 20 Jan 2020, Fraser Tweedale wrote:
>>
>>> On Mon, Jan 13, 2020 at 04:58:05AM -0500, Rob Foehl via FreeIPA-users
>>> wrote:
>>>> On Thu, 2 Jan 2020, Rob Foehl via FreeIPA-users wrote:
>>>>
>>>>> The question remains: how do I get rid of the self-signed CA entirely?
>>>>
>>>> Best hint toward this I've managed to find thus far is in the
>>>> comments on
>>>> https://pagure.io/freeipa/issue/7283 , which got me as far as the
>>>> cACertificate and ipaCertIssuerSerial entries corresponding to the
>>>> extraneous self-signed cert...  If I remove those and the cert from the
>>>> NSSDBs, then what?  Reissue all dependent certs in the IPA CA chain?

>>> If the IPA CA's key and subject did not change, then there is no
>>> need to reissue end-entity or other subordinate certificates.  Only
>>> the IPA CA certificate needs to be renewed (from self-signed to
>>> externally signed) and distributed.
>>
>> I did that already.  Newly (re)issued certificates do not have their
>> expiration times bound to the externally-signed CA.  Anything with
>> copies of both CA certs (as fetched by ipa-certupdate, which in and of
>> itself is a nightmare) feeds only the self-signed CA chain to clients,
>> not the correct intermediate cert, breaking everything that only knows
>> about the external root.
>>
>> Any chance we could just stick to the question of how to completely
>> purge the self-signed cert from existence?
>>
> Sure, you can follow a manual process to remove the self-signed cert:
> 1- use ldapmodify in order to remove the cert from the LDAP database.
> You need first to find the exact dn, and then the exact
> cACertificate;binary attribute to delete. It will be stored below
> cn=certificates,cn=ipa,cn=etc,$BASEDN.
> 
> 2- on all the IPA servers, use "certutil -D -d <nssdb directory> -n
> <nickname>" to remove the cert from the following databases:
> /etc/dirsrv/slapd-DOMAIN-COM
> /etc/httpd/alias
> /etc/pki/pki-tomcat/alias/
> /etc/ipa/nssdb
> 
> 3- on all IPA servers and clients, run ipa-certupdate, this command will
> remove the cert from
> /usr/share/ipa/html/ca.crt
> /var/kerberos/krb5kdc/cacert.pem
> /etc/ipa/ca.crt
> /var/lib/ipa-client/pki/kdc-ca-bundle.pem
> /var/lib/ipa-client/pki/ca-bundle.pem
> 
> But as Fraser pointed out, there is no need to re-issue the other certs.

He wants to re-issue them because while they are validly signed by the
right key they aren't bound by the dates of the CA apparently.

I suppose for each one you could resubmit the certmonger request to
force a new cert to be issued. The re-issued cert should conform to the
CA validity period.

rob


[Freeipa-users] Re: freeipa failing to start after update

2020-01-20 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer via FreeIPA-users wrote:
> I am running CentOS 8.x and have updated to the latest version of IPA and 
> CentOS 8.  I rebooted after updating and am now getting the following:  
> 
> Jan 20 12:55:29 freeipa01 server[7889]: arguments used: stop
> Jan 20 12:55:30 freeipa01 systemd[1]: Stopping 389 Directory Server 
> ZONE1-EXAMPLE-NET
> Jan 20 12:55:30 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:30.169315691 
> -0600] - INFO - op_thread_cleanup - slapd shutting down - signaling operation 
> threads - op stack size 2 max work q size 2 max work q stack size 2
[snip]

Not really enough context. I'm guessing ipactl failed to start things,
it would then move to shut them down.

Does ipactl start work on the cli?

rob


[Freeipa-users] Re: default ipa users seeing too much

2020-01-20 Thread Rob Crittenden via FreeIPA-users
Florence Blanc-Renaud via FreeIPA-users wrote:
> On 1/20/20 2:06 AM, John Louis via FreeIPA-users wrote:
>> Hi, when a new user is created, she is assigned to the default
>> "ipausers" group.  But she can:
>>
>> 1. see the list of all users, at https://server/ipa/ui/#/e/user/search
>>
>> 2. see all the details of any other users, at
>> https://server/ipa/ui/#/e/user/details/another_user
>>
> Hi,
> 
> points 1 and 2 are working as expected by design. Users are POSIX users
> and expected to be visible. Please see:
> https://pagure.io/freeipa/issue/7204
> 
> flo
>> 3. for herself, she sees too many info that maybe nobody needs, such
>> as "Car License", in her own landing page
>>
>> Is it possible to:
>>
>> A. prevent normal users to see 1. and 2. above
>>
>> B. customize to remove items not needed in 3. above
>>
>> ?
>>
>> I checked, looks like:
>>
>> A. even though we can configure some Roles, Privileges, Permissions,
>> they are all system admins' elevated permissions.  There is no way to
>> remove permission from "ipausers".
>>
>> B. we can configure to disallow users to modify her "Car License" etc,
>> BUT I found no way to not show that item in her landing page.
>>
>> I googled but can't find anything on the above.  Would you help?
>>

Doing #3 would require changes to the UI itself which would mean
changing some javascript if you're up to it.

rob


[Freeipa-users] freeipa failing to start after update

2020-01-20 Thread Andrew Meyer via FreeIPA-users
I am running CentOS 8.x and have updated to the latest version of IPA and 
CentOS 8.  I rebooted after updating and am now getting the following:  

Jan 20 12:55:29 freeipa01 server[7889]: arguments used: stop
Jan 20 12:55:30 freeipa01 systemd[1]: Stopping 389 Directory Server 
ZONE1-EXAMPLE-NET
Jan 20 12:55:30 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:30.169315691 
-0600] - INFO - op_thread_cleanup - slapd shutting down - signaling operation 
threads - op stack size 2 max work q size 2 max work q stack size 2
Jan 20 12:55:30 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:30.396008349 
-0600] - INFO - slapd_daemon - slapd shutting down - closing down internal 
subsystems and plugins
Jan 20 12:55:30 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:30.456826998 
-0600] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 20 12:55:30 freeipa01 server[7889]: SEVERE: Could not contact 
[localhost:[8005]]. Tomcat may not be running.
Jan 20 12:55:30 freeipa01 server[7889]: SEVERE: Catalina.stop:
Jan 20 12:55:30 freeipa01 server[7889]: java.net.ConnectException: Connection 
refused (Connection refused)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.PlainSocketImpl.socketConnect(Native Method)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.Socket.connect(Socket.java:607)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.Socket.connect(Socket.java:556)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.Socket.<init>(Socket.java:452)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.net.Socket.<init>(Socket.java:229)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
org.apache.catalina.startup.Catalina.stopServer(Catalina.java:498)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
java.lang.reflect.Method.invoke(Method.java:498)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:403)
Jan 20 12:55:30 freeipa01 server[7889]: #011at 
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Jan 20 12:55:30 freeipa01 systemd[1]: pki-tomcatd@pki-tomcat.service: Control 
process exited, code=exited status=1
Jan 20 12:55:31 freeipa01 systemd[1]: pki-tomcatd@pki-tomcat.service: Failed 
with result 'exit-code'.
Jan 20 12:55:31 freeipa01 systemd[1]: Stopped PKI Tomcat Server pki-tomcat.
Jan 20 12:55:31 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:31.401012956 
-0600] - INFO - dblayer_pre_close - All database threads now stopped
Jan 20 12:55:31 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:31.477064258 
-0600] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 20 12:55:31 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:31.485527687 
-0600] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 
2 work q stack objects - freed 2 op stack objects
Jan 20 12:55:31 freeipa01 ns-slapd[7385]: [20/Jan/2020:12:55:31.491338592 
-0600] - INFO - main - slapd stopped.


[Freeipa-users] Re: sudo rule doesn't work

2020-01-20 Thread Florence Blanc-Renaud via FreeIPA-users

On 1/18/20 11:37 AM, Elhamsadat Azarian wrote:
> Hi dear Florence
> Thanks for your reply
> I wasn't at the office and today I checked the parameters but I can't find them
> in sssd.conf!
>
> How can I check or set values of them?


Hi,

(adding back freeipa-users mailing list)
All the parameters are described in the man page for sssd.conf or 
sssd-ldap. If they are not set in /etc/sssd/sssd.conf, then the default 
value applies.


flo


On Mon, 13 Jan 2020, 12:21 Florence Blanc-Renaud wrote:


On 1/13/20 9:38 AM, Elhamsadat Azarian wrote:
 > I did it but doesnt wotk
 >   I think my sudo rule doesnt place on my hosts!!!
 >
Hi,

the sudorules can be cached on the host. Please check the following
SSSD
parameters:
- entry_cache_sudo_timeout -- How many seconds should sudo consider
rules valid before asking the backend again
- ldap_sudo_smart_refresh_interval -- How many seconds SSSD has to wait
before executing a smart refresh of sudo rules (which downloads all
rules that have USN higher than the highest USN of cached rules).
- ldap_sudo_full_refresh_interval -- How many seconds SSSD will wait
between executing a full refresh of sudo rules (which downloads all
rules that are stored on the server).

HTH,
flo

 > On Mon, 13 Jan 2020, 11:57 Florence Blanc-Renaud wrote:
 >
 >     On 1/13/20 8:57 AM, Elhamsadat Azarian wrote:
 >      > Hi Florence
 >      > Thanks i replaced but it doest work!
 >      >
 >     Hi,
 >     can you also replace the "RunAs group categoray: all" attr
with "RunAs
 >     User category: all"?
 >     flo
 >
 >      > On Mon, 13 Jan 2020, 11:18 Florence Blanc-Renaud wrote:
 >      >     On 1/12/20 12:26 PM, Elhamsadat Azarian via
FreeIPA-users wrote:
 >      >      > Hi friends
 >      >      > i define a SudoRule with this properties:
 >      >      >
 >      >      > rulename : rsyslog_rule
 >      >      > Enabled : true
 >      >      > RunAs group Category : All
 >      >      > users :user-test
 >      >      > hosts: ipacli-irvlt01.mydomain.com

 >     
 >      >     
 >      >      > sudo Deny Commands : sudo /usr/bin/systemctl
restart rsyslog
 >      >      >
 >      >      > now i login with "user-test" into "ipacli-irvlt01"
server
 >     and i
 >      >     try to run " sudo /usr/bin/systemctl restart rsyslog"
command. i
 >      >     expected to doesnt allow to run this command but no action
 >     happend
 >      >     and i could run it!!!
 >      >      >
 >      >      > why my sudo rule doesnt work?
 >      >     Hi,
 >      >
 >      >     can you try to replace the "sudo deny commands": "sudo
 >      >     /usr/bin/systemctl restart rsyslog" with
"/usr/bin/systemctl
 >     restart
 >      >     rsyslog" ?
 >      >
 >      >     thanks,
 >      >     flo
 >      >
 >      >      >
 >      >      >
--
 >      >      > this is less /var/log/sssd/sssd_domain.log:
 >      >      > (Sun Jan 12 13:59:01 2020) [sssd[be[lshs.dc]]]
 >     [orderly_shutdown]
 >      >     (0x0010): SIGTERM: killing children
 >      >      >
--
 >      >      > this is /var/log/sssd/sssd_sudo.log
 >      >      > (Sun Jan 12 13:59:01 2020) [sssd[sudo]]
[orderly_shutdown]
 >      >     (0x0010): SIGTERM: killing children
 >      >      >
 >      >      >
--
 >      >      > this is less /var/log/sudo_debug
 >      >      > Jan 12 14:19:27 sudo[17370] /etc/sudoers:53
CMNDALIAS ALIAS =
 >      >     COMMAND , COMMAND ARG , COMMAND ARG
 >      >      > Jan 12 14:19:27 sudo[17370] -> alias_add @
./alias.c:120
 >      >      > Jan 12 14:19:27 sudo[17370] -> rcstr_addref @
./rcstr.c:81
 >      >      > Jan 12 14:19:27 sudo[17370] <- rcstr_addref @
./rcstr.c:88 :=
 >      >     0x55f2968e7714
 >      >      > Jan 12 14:19:27 sudo[17370] -> rbinsert @
./redblack.c:177
 >      >      > Jan 12 14:19:27 sudo[17370] -> alias_compare @
./alias.c:54
 >      >      > Jan 12 14:19:27 sudo[17370] <- alias_compare @
 >     ./alias.c:62 := -13
 >      >      > Jan 12 14:19:27 sudo[17370] -> alias_compare @
./alias.c:54
 >      >    
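An added example (not from the thread, from SSSD or from FreeIPA) covering the two points Florence makes in this exchange: the command in an IPA sudo rule is the command itself, so a leading "sudo" is wrong, and the cache and refresh intervals fall back to the sssd.conf(5)/sssd-ldap(5) defaults when they are not set in /etc/sssd/sssd.conf. The sssd.conf text, the domain name mydomain.com and the default values below are my own; check the defaults against the man page shipped with your sssd version.

```python
import configparser

# Default values (seconds) as documented in the sssd.conf(5) and sssd-ldap(5)
# man pages for the sssd versions I know; the man page of the installed build
# is the authority, as the thread says.
SUDO_CACHE_DEFAULTS = {
    "entry_cache_sudo_timeout": 5400,
    "ldap_sudo_smart_refresh_interval": 900,
    "ldap_sudo_full_refresh_interval": 21600,
}

# Constructed sssd.conf, not the poster's file: one of the three values is
# set explicitly, the other two fall back to the defaults.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = mydomain.com
services = nss, pam, sudo

[domain/mydomain.com]
id_provider = ipa
sudo_provider = ipa
ipa_domain = mydomain.com
ldap_sudo_smart_refresh_interval = 120
"""


def effective_sudo_cache_settings(conf_text, domain):
    """Return {option: (seconds, 'sssd.conf' | 'default')} for one domain section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        raise KeyError(f"no [{section}] section in sssd.conf")
    effective = {}
    for option, default in SUDO_CACHE_DEFAULTS.items():
        raw = cp.get(section, option, fallback=None)
        if raw is None:
            effective[option] = (default, "default")
        else:
            effective[option] = (int(raw), "sssd.conf")
    return effective


def check_sudo_rule_command(command):
    """Return (normalized_command, problems) for one sudo rule command value.

    The value is what sudo will execute, so it must not itself start with
    'sudo' (the rule in the thread had 'sudo /usr/bin/systemctl ...'), and
    sudo matches commands by their full path, so a bare name is suspect."""
    problems = []
    words = command.strip().split()
    if not words:
        return "", ["empty command"]
    if words[0] == "sudo":
        problems.append("leading 'sudo' removed: the rule value is the command itself")
        words = words[1:]
        if not words:
            return "", problems + ["nothing left after 'sudo'"]
    if not words[0].startswith("/"):
        problems.append(f"'{words[0]}' is not an absolute path; sudo matches on the full path")
    return " ".join(words), problems


if __name__ == "__main__":
    for option, (value, origin) in effective_sudo_cache_settings(SAMPLE_SSSD_CONF, "mydomain.com").items():
        print(f"{option} = {value}s ({origin})")
    print(check_sudo_rule_command("sudo /usr/bin/systemctl restart rsyslog"))
```

Point the first function at the real /etc/sssd/sssd.conf (readable as root) to see which interval a rule change is waiting on; the second one is a quick lint for the sudoCommand values before blaming the cache.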

[Freeipa-users] Re: Option to allow single-label domains

2020-01-20 Thread Florence Blanc-Renaud via FreeIPA-users

On 1/20/20 3:39 PM, Ronald Wimmer via FreeIPA-users wrote:
> Is there a possibility to allow ipa-server-install for a single-label
> domain? I would like to use IPA at home and will definitely never
> connect it to an AD.

Any version <= 4.6.4 allows the server installation with single-label
domains. As far as I remember, upgrade is possible.

On the client-side, clients <= 4.6.4 can join a single-label domain
master. If you want a more recent client, you will have to build the
packages yourself as the ipa-4-6 branch also allows clients to join
single-label domains (but there was no release with the fix).

But if you are doing a brand new deployment, what would be the rationale
for using single-label domain? Since we won't allow it for more recent
versions, my fear is that such a setup won't be tested any more and
upgrade may reveal issues that will never be fixed.

flo

> Cheers,
> Ronald




[Freeipa-users] Re: WARNING Could not update DNS SSHFP records.

2020-01-20 Thread Florence Blanc-Renaud via FreeIPA-users

On 1/20/20 12:03 AM, Daniel PC via FreeIPA-users wrote:
> Hi,
>
> were you able to solve the problem?
>
> I'm facing the same issue with Freeipa 4.8.0

Hi,
which version of sssd is installed on your system? The issue looks a lot
like https://bugzilla.redhat.com/show_bug.cgi?id=1755643 which got
solved in sssd-2.2.2-3.

flo

> Thank you




[Freeipa-users] Option to allow single-label domains

2020-01-20 Thread Ronald Wimmer via FreeIPA-users
Is there a possibility to allow ipa-server-install for a single-label 
domain? I would like to use IPA at home and will definitely never 
connect it to an AD.


Cheers,
Ronald


[Freeipa-users] Re: External CA renewal and self-signed surprise

2020-01-20 Thread Florence Blanc-Renaud via FreeIPA-users

On 1/20/20 1:54 AM, Rob Foehl via FreeIPA-users wrote:
> On Mon, 20 Jan 2020, Fraser Tweedale wrote:
>
>> On Mon, Jan 13, 2020 at 04:58:05AM -0500, Rob Foehl via FreeIPA-users
>> wrote:
>>
>>> On Thu, 2 Jan 2020, Rob Foehl via FreeIPA-users wrote:
>>>
>>>> The question remains: how do I get rid of the self-signed CA entirely?
>>>
>>> Best hint toward this I've managed to find thus far is in the
>>> comments on
>>> https://pagure.io/freeipa/issue/7283 , which got me as far as the
>>> cACertificate and ipaCertIssuerSerial entries corresponding to the
>>> extraneous self-signed cert...  If I remove those and the cert from the
>>> NSSDBs, then what?  Reissue all dependent certs in the IPA CA chain?
>>
>> If the IPA CA's key and subject did not change, then there is no
>> need to reissue end-entity or other subordinate certificates.  Only
>> the IPA CA certificate needs to be renewed (from self-signed to
>> externally signed) and distributed.
>
> I did that already.  Newly (re)issued certificates do not have their
> expiration times bound to the externally-signed CA.  Anything with
> copies of both CA certs (as fetched by ipa-certupdate, which in and of
> itself is a nightmare) feeds only the self-signed CA chain to clients,
> not the correct intermediate cert, breaking everything that only knows
> about the external root.
>
> Any chance we could just stick to the question of how to completely
> purge the self-signed cert from existence?
>
Sure, you can follow a manual process to remove the self-signed cert:
1- use ldapmodify in order to remove the cert from the LDAP database.
You need first to find the exact dn, and then the exact
cACertificate;binary attribute to delete. It will be stored below
cn=certificates,cn=ipa,cn=etc,$BASEDN.

2- on all the IPA servers, use "certutil -D -d <nssdb directory> -n
<nickname>" to remove the cert from the following databases:
/etc/dirsrv/slapd-DOMAIN-COM
/etc/httpd/alias
/etc/pki/pki-tomcat/alias/
/etc/ipa/nssdb

3- on all IPA servers and clients, run ipa-certupdate, this command will
remove the cert from
/usr/share/ipa/html/ca.crt
/var/kerberos/krb5kdc/cacert.pem
/etc/ipa/ca.crt
/var/lib/ipa-client/pki/kdc-ca-bundle.pem
/var/lib/ipa-client/pki/ca-bundle.pem

But as Fraser pointed out, there is no need to re-issue the other certs.
flo

> -Rob

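An added worked example, not code from the thread or from FreeIPA, for the manual purge procedure Florence gives in this thread and for Rob Crittenden's remark in the same thread that certs issued under the self-signed CA may outlive the externally signed one. It works on certificate metadata you have already extracted with openssl or certutil (the dicts below are constructed samples with an EXAMPLE.COM realm), picks out the self-signed CA cert that duplicates the externally signed one, emits the certutil -D commands for the NSS databases listed in step 2, builds the LDIF for step 1 (the entry dn and the base64 DER are placeholders you must look up yourself, as step 1 says), and flags end-entity certs whose notAfter is later than their issuing CA's.

```python
from datetime import datetime, timezone

# Constructed certificate metadata, not from the thread: the shape you get
# from `openssl x509 -noout -subject -issuer -serial -enddate` on each cert.
# Two CA certs share subject and key; one is the leftover self-signed copy.
CA_CERTS = [
    {"nickname": "Certificate Authority", "serial": "1",
     "subject": "CN=Certificate Authority,O=EXAMPLE.COM",
     "issuer": "CN=Certificate Authority,O=EXAMPLE.COM",
     "not_after": "2040-01-01T00:00:00Z"},
    {"nickname": "EXAMPLE.COM IPA CA", "serial": "4711",
     "subject": "CN=Certificate Authority,O=EXAMPLE.COM",
     "issuer": "CN=External Root CA,O=Example Corp",
     "not_after": "2025-06-30T00:00:00Z"},
]
END_ENTITY_CERTS = [
    {"nickname": "Server-Cert", "issuer": "CN=Certificate Authority,O=EXAMPLE.COM",
     "not_after": "2026-01-01T00:00:00Z"},
    {"nickname": "ipaCert", "issuer": "CN=Certificate Authority,O=EXAMPLE.COM",
     "not_after": "2025-03-01T00:00:00Z"},
]

# NSS databases listed in the thread as holding a copy of the CA cert.
NSS_DATABASES = [
    "/etc/dirsrv/slapd-DOMAIN-COM",
    "/etc/httpd/alias",
    "/etc/pki/pki-tomcat/alias/",
    "/etc/ipa/nssdb",
]


def _when(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_self_signed(cert):
    return cert["subject"] == cert["issuer"]


def find_stale_self_signed(ca_certs):
    """Self-signed CA certs for which an externally signed cert with the same
    subject also exists: the copies the thread wants purged."""
    external_subjects = {c["subject"] for c in ca_certs if not is_self_signed(c)}
    return [c for c in ca_certs if is_self_signed(c) and c["subject"] in external_subjects]


def certutil_delete_commands(nickname, databases=NSS_DATABASES):
    """Step 2 of the procedure: one certutil -D per NSS database, on every server."""
    return [f'certutil -D -d {db} -n "{nickname}"' for db in databases]


def ldif_delete_ca_value(entry_dn, der_base64):
    """Step 1: LDIF for ldapmodify that removes ONE value of the multi-valued
    cACertificate;binary attribute, so the externally signed cert in the same
    entry survives. entry_dn is the exact dn you looked up below
    cn=certificates,cn=ipa,cn=etc,$BASEDN; der_base64 is the self-signed
    cert's DER, base64-encoded (LDIF '::' syntax)."""
    return (
        f"dn: {entry_dn}\n"
        "changetype: modify\n"
        "delete: cACertificate;binary\n"
        f"cACertificate;binary:: {der_base64}\n"
    )


def certs_outliving_issuer(end_entity, ca_certs):
    """Certs whose notAfter is later than their (externally signed) issuer's
    notAfter: the ones worth resubmitting through certmonger."""
    external = {c["subject"]: _when(c["not_after"]) for c in ca_certs if not is_self_signed(c)}
    flagged = []
    for cert in end_entity:
        ca_expiry = external.get(cert["issuer"])
        if ca_expiry is not None and _when(cert["not_after"]) > ca_expiry:
            flagged.append(cert["nickname"])
    return flagged


if __name__ == "__main__":
    for stale in find_stale_self_signed(CA_CERTS):
        print("\n".join(certutil_delete_commands(stale["nickname"])))
    print("outlive their CA:", certs_outliving_issuer(END_ENTITY_CERTS, CA_CERTS))
```

The LDIF deletes one specific attribute value rather than the whole cACertificate;binary attribute, which is the difference between removing the self-signed copy and removing the CA; for the certs the last function flags, the suggestion in the thread was to resubmit their certmonger requests (getcert resubmit -i <request id>) so the re-issued cert fits the CA validity period.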




[Freeipa-users] Re: Two interfaces on FreeIPA server.. How?

2020-01-20 Thread Tony Brian Albers via FreeIPA-users
On Mon, 2020-01-20 at 13:55 +0200, Alexander Bokovoy wrote:
> On ma, 20 tammi 2020, Tony Brian Albers via FreeIPA-users wrote:
> > Ok guys,
> > 
> > I have a FreeIPA server with 2 interfaces. The primary is for
> > normal
> > usage and is the one that FreeIPA is set up with with regards to
> > hostname and services. The other one is on an administrative
> > network.
> > The Web UI works fine on the primary interface, but I can't really
> > access it on the other interface. It's obvious that the services
> > bind
> > to the primary interface, but isn't it possible to access the UI on
> > the
> > other interface somehow?
> 
> Short answer: not now.
> For details see 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/VN3RXS36GFK4JMZCCSHPJ3DKLSBEXDE4/
> 

Thx Alex,

I guess we'll manage without.

/tony


[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start

2020-01-20 Thread Florence Blanc-Renaud via FreeIPA-users

On 1/20/20 9:39 AM, Jochen Demmer via FreeIPA-users wrote:
> I suffer the exact same problem and already tried to upgrade twice but
> every time the update fails.
>
> The ldap server does not listen when I check with ss or netstat.
> I reverted back to Fedora 30 with snapshots every time.

Hi,

can you paste the logs from /var/logs/ipaupgrade.log? We would need the
full logs as the error may differ between a first run and a second run.
When the packages are upgraded, the script ipa-server-upgrade is called
and starts by disabling the LDAP server ports to avoid any LDAP
operation during the upgrade. Then the script performs its duty, and
re-enables the port.
If there is an untrapped failure before the ports are re-enabled, or the
user repeatedly presses CTRL-C, we sometimes end up in a situation where
the ports are still disabled (please see ticket
https://pagure.io/freeipa/issue/7534) after the ipa-server-upgrade
script exits. If the user re-runs ipa-server-upgrade at this point, the
script output will be completely different but will not give us any hint
related to the original failure root cause. That's why we need the full
logs.

If you are in a situation where the LDAP server isn't listening:
0. stop IPA with ipactl stop
1. edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
2. set nsslapd-port to 389
3. set nsslapd-security to on
4. set nsslapd-global-backend-lock to off (if you have this attribute at
all)
5. restart IPA with ipactl start

If the services are able to restart at this point, try to run
ipa-server-upgrade and provide full logs.

HTH,
flo

> Can someone help me to work this around. The OP writes of an IP that
> changed but mine didn't. Where can I find a clue why ldap does not listen?
>
> Jochen


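An added script, not from the thread or from FreeIPA, that applies steps 1 to 4 of Florence's recovery procedure to a dse.ldif: it rewrites only the cn=config entry, sets nsslapd-port, nsslapd-security and nsslapd-global-backend-lock to the values she gives, leaves nsslapd-global-backend-lock alone if the attribute is absent, and reports what it changed. The dse.ldif fragment is a constructed sample; the instance path in the usage comment is the one from the thread.

```python
import shutil
import sys

# The values the recovery steps in this thread set in the cn=config entry.
# nsslapd-global-backend-lock is only rewritten if the attribute is present.
RECOVERY_SETTINGS = {
    "nsslapd-port": "389",
    "nsslapd-security": "on",
    "nsslapd-global-backend-lock": "off",
}

# Constructed dse.ldif fragment (not from the thread): the cn=config entry as
# an interrupted ipa-server-upgrade can leave it, plus one unrelated entry
# that must pass through untouched.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-port: 0
nsslapd-security: off
nsslapd-global-backend-lock: on
nsslapd-localhost: ipa.example.com

dn: cn=plugins,cn=config
cn: plugins
objectClass: top
objectClass: nsContainer
"""


def _rewrite_config_entry(lines):
    """Apply RECOVERY_SETTINGS to the lines of one LDIF entry.
    Returns (new_lines, {attribute: (old_value, new_value)})."""
    changes = {}
    out = []
    for line in lines:
        attr, sep, value = line.partition(":")
        key = attr.strip().lower()
        # Continuation lines start with a space; these attributes never wrap.
        if sep and not line.startswith(" ") and key in RECOVERY_SETTINGS:
            wanted = RECOVERY_SETTINGS[key]
            current = value.strip()
            if current != wanted:
                changes[key] = (current, wanted)
            out.append(f"{attr}: {wanted}")
        else:
            out.append(line)
    return out, changes


def fix_dse_ldif(text):
    """Return (new_text, changes). Only the 'dn: cn=config' entry is touched;
    absent attributes stay absent, matching the thread's advice for
    nsslapd-global-backend-lock."""
    changes = {}
    fixed = []
    for entry in text.split("\n\n"):
        lines = entry.splitlines()
        if lines and lines[0].strip().lower() == "dn: cn=config":
            lines, changes = _rewrite_config_entry(lines)
            entry = "\n".join(lines)
        fixed.append(entry)
    new_text = "\n\n".join(fixed)
    if text.endswith("\n") and not new_text.endswith("\n"):
        new_text += "\n"
    return new_text, changes


if __name__ == "__main__":
    # Usage: python fix_dse.py /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
    # Run only after `ipactl stop` (step 0): ns-slapd writes dse.ldif back on
    # shutdown, so an edit made while the server runs is overwritten.
    path = sys.argv[1]
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_text, changes = fix_dse_ldif(original)
    if changes:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    for key, (old, new) in changes.items():
        print(f"{key}: {old} -> {new}")
```

It keeps a .bak copy of the file before writing and is idempotent, so running it a second time reports no changes; after it, step 5 (ipactl start) and a re-run of ipa-server-upgrade with full logs are still the next moves.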


[Freeipa-users] Re: Two interfaces on FreeIPA server.. How?

2020-01-20 Thread Alexander Bokovoy via FreeIPA-users

On ma, 20 tammi 2020, Tony Brian Albers via FreeIPA-users wrote:
> Ok guys,
>
> I have a FreeIPA server with 2 interfaces. The primary is for normal
> usage and is the one that FreeIPA is set up with with regards to
> hostname and services. The other one is on an administrative network.
> The Web UI works fine on the primary interface, but I can't really
> access it on the other interface. It's obvious that the services bind
> to the primary interface, but isn't it possible to access the UI on the
> other interface somehow?

Short answer: not now.
For details see
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/VN3RXS36GFK4JMZCCSHPJ3DKLSBEXDE4/

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland