Re: [Freeipa-users] errors when one ipa server down
On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
> [root@ipaserver2 ~]ifdown eth0    # NOTE: ipaserver2 is 172.16.112.8
>
> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
> [sssd_krb5_locator] [172.16.112.8] used
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
> [sssd_krb5_locator] [172.16.112.8] used
> [sssd_krb5_locator] sssd_krb5_locator_close called
> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>
> Jakub, does this make sense to you?

As stated elsewhere in this thread, bare kinit does not contact the SSSD at all. You want to go through the PAM stack (with "su - mike" or "ssh mike@ipaclient") in order to contact the SSSD so that the SSSD refreshes the file. Does using "su - mike" refresh the file?

Michael also said that the IP address 172.16.112.8 is the address of the server that is down. I assume that at one point the SSSD was using that server but no request came to the SSSD since the last one, so the SSSD did not fail over to the other configured server. Your SRV records indicated that the servers had the same priority fields, so selecting one over another is pretty much random.

I don't think the SSSD is operating in offline mode completely, otherwise it would have removed the file to avoid this kind of timeout.

Bottom line, kinit does not contact the SSSD and does not refresh the address via the locator plugin. Returning multiple addresses from the locator plugin or creating a smarter way of interacting between the Kerberos tools and the SSSD is the scope of https://fedorahosted.org/sssd/ticket/941

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
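The failure mode Jakub describes (a kdcinfo file that keeps handing libkrb5 a single address that is no longer reachable, because no PAM request has made the SSSD fail over) can be recognised from the SSSD_KRB5_LOCATOR_DEBUG output alone. The script below is an added example, not code from this thread or from SSSD: it parses the locator lines Dmitri posted (embedded as constructed sample input), compares the addresses the plugin offered against the set of KDCs the realm's SRV records advertise, and reports when kinit failed while only one of several KDCs was ever offered. The SRV address set is an assumption; the thread only names 172.16.112.8.

```python
import re

# Constructed sample input: the SSSD_KRB5_LOCATOR_DEBUG=1 output quoted in the
# thread (kinit mike against realm MPLS.LOCAL while ipaserver2 is down),
# followed by kinit's final error line.
SAMPLE_LOCATOR_OUTPUT = """\
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
"""

# Assumed: the KDC addresses the realm's _kerberos SRV records advertise.
# The thread names only 172.16.112.8 (ipaserver2); the other address is made up.
SRV_KDCS = {"172.16.112.7", "172.16.112.8"}

FOUND_RE = re.compile(r"Found \[([^\]]+)\] in \[([^\]]+)\]")
OFFERED_RE = re.compile(r"addr\[([^\]]+)\] family\[(\d+)\] socktype\[(\d+)\]")
KINIT_FAIL_RE = re.compile(r"^kinit: Cannot contact any KDC for realm '([^']+)'")


def parse_locator_output(text):
    """Extract what the locator plugin told libkrb5 and how kinit ended."""
    parsed = {
        "kdcinfo_file": None,       # file the plugin read its address from
        "kdcinfo_addrs": set(),     # addresses found in that file
        "offered": [],              # (host:port, family, socktype) handed to libkrb5
        "kinit_failed_realm": None  # realm named in a "Cannot contact any KDC" error
    }
    for line in text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            parsed["kdcinfo_addrs"].add(m.group(1))
            parsed["kdcinfo_file"] = m.group(2)
            continue
        m = OFFERED_RE.search(line)
        if m:
            parsed["offered"].append((m.group(1), int(m.group(2)), int(m.group(3))))
            continue
        m = KINIT_FAIL_RE.match(line)
        if m:
            parsed["kinit_failed_realm"] = m.group(1)
    return parsed


def diagnose(parsed, srv_kdcs):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    # The plugin prints IPv4 endpoints as host:port; strip the port.
    offered_hosts = {hp.rsplit(":", 1)[0] for hp, _, _ in parsed["offered"]}
    if parsed["kinit_failed_realm"] and not offered_hosts:
        findings.append("kinit failed and the locator offered no address: "
                        "SSSD is offline or the kdcinfo file is missing")
    elif parsed["kinit_failed_realm"] and len(offered_hosts) == 1:
        only = next(iter(offered_hosts))
        spare = sorted(srv_kdcs - offered_hosts)
        if spare:
            findings.append(
                "stale %s: locator only offered %s, which kinit could not reach; "
                "SRV also advertises %s but SSSD has not failed over (no PAM request since)"
                % (parsed["kdcinfo_file"], only, ", ".join(spare)))
    unknown = sorted(offered_hosts - srv_kdcs)
    if unknown:
        findings.append("locator offered address(es) not in SRV: " + ", ".join(unknown))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_locator_output(SAMPLE_LOCATOR_OUTPUT), SRV_KDCS):
        print(finding)
```

On a real client, the SRV set would come from a DNS lookup of _kerberos._udp.REALM and the locator output from running kinit with SSSD_KRB5_LOCATOR_DEBUG=1, as in the thread; the script only needs the captured text.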
Re: [Freeipa-users] Cmd-line Unprovision OTP setting for a host
Hi

I've used

    ipa host-disable ${HOST}; ipa host-mod --password=${PASS} ${HOST}

in the past and that seems to work quite well. The ideal for me would be a situation where the IPA information could persist between rebuilds.

Cheers,
Charlie

On Tue, Sep 18, 2012 at 12:05 PM, Innes, Duncan <duncan.in...@virginmoney.com> wrote:
> Folks,
>
> Juggling a problem here that perhaps doesn't have a perfect solution.
>
> I'm looking at systems that get re-provisioned by a Satellite/Spacewalk/Installation method. For full (Free)IPA integration, we normally delete the old entry from IPA, create a new one from scratch and set the OTP to match what we put in our post-install script called by the kickstart file.
>
> Just noticed that I can do the same thing by Unprovisioning the system via the WebUI and then setting the OTP. Is there a way to Unprovision a registered host and set an OTP via the command line? I was looking at 'ipa host-mod --setattr' but not getting too far with the Unprovisioning aspect.
>
> Duncan Innes | Linux Architect | Virgin Money | +44 1603 215476 | +44 7801 134507 | duncan.in...@virginmoney.com
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of JR Aquino
> Sent: 18 September 2012 03:58
> To: Tim Hildred
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] Password requirements too stringent
>
> On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:
>
>> JR
>>
>> I had that line. I commented it out. Thank you. Now, what do I have to restart?
>
> I believe it should take effect in real time, but you may need to test to be sure.
>
> If it is still happening, you may need to double check that some other pam cfg doesn't also have it present:
>
>     $ cd /etc/pam.d/
>     $ grep pam_cracklib *
>
> If you have removed it from everything and it is still giving you the same error, then I would try a reboot... perhaps getty needs to reinitialize or something. But I'd try those steps before a reboot! ;)
>
>> Tim Hildred, RHCE
>> Content Author II - Engineering Content Services, Red Hat, Inc.
>> Brisbane, Australia
>> Email: thild...@redhat.com
>> Internal: 8588287
>> Mobile: +61 4 666 25242
>> IRC: thildred
>>
>> ----- Original Message -----
>> From: "JR Aquino" <jr.aqu...@citrix.com>
>> To: "Tim Hildred" <thild...@redhat.com>
>> Cc: "freeipa-users" <freeipa-users@redhat.com>
>> Sent: Tuesday, September 18, 2012 12:37:48 PM
>> Subject: Re: [Freeipa-users] Password requirements too stringent
>>
>> Tim, please check your /etc/pam.d/system-auth with the password block. If you see
>>
>>     password requisite pam_cracklib.so
>>
>> then this is why you are having a problem.
>>
>>     $ man pam_cracklib
>>
>> It is a local security library for enforcing strong password practices from the unix cli.
>>
>> ProTip: If you don't need this, you can remove it from pam.
>>
>> If you want to work around this, set your password from the IPA webui or via the cli:
>>
>>     ipa passwd username
>>
>> Hope this info helps!
>>
>> Keeping your head in the cloud
>> ~ JR Aquino
>> Senior Information Security Specialist, Technical Operations
>> T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
>> GIAC Certified Incident Handler | GIAC Web Application Penetration Tester
>> jr.aqu...@citrix.com
>> Powering mobile workstyles and cloud services
>>
>> On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:
>>
>>> Hey all;
>>>
>>> I'm running IPA internally to control access to our cloud environment. I must admit, I do not understand the password requirements. I have had them set to the defaults. I read this:
>>>
>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html
>>>
>>> I have the minimum character classes set to 0. When people use SSH to change their passwords, they get "Based on a dictionary word" for passwords that have nothing to do with dictionary words. I can't find anywhere in the documentation a break down of what makes an unacceptable versus acceptable password. Can anyone help me figure out what to tell my users?
>>>
>>> I think people would get a lot less frustrated if they knew why C679V375 was too simple when the password policy has 0 required classes.
>>>
>>> Tim Hildred, RHCE
>>> Content Author II - Engineering Content Services, Red Hat, Inc.
>>> Brisbane, Australia
>>> Email: thild...@redhat.com
>>> Internal: 8588287
>>> Mobile: +61 4 666 25242
>>> IRC: thildred
>>>
>>> ps: funny exchange with user:
>>>
>>> Jul 12 14:12:33 <user1> i feel like im being punked
>>> Jul 12 14:12:40 <user1> it is based on a dictionary word
>>> Jul 12 14:12:43 <user1> it is too short
>>> Jul 12 14:12:49 <user1> is does not have enough unique letters
>>> Jul 12 14:12:51 <user1> etc
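The point JR makes in the forwarded thread is that the rejection Tim's users see comes from pam_cracklib on the client, which runs before the new password ever reaches the IPA password policy. A "grep pam_cracklib *" in /etc/pam.d shows which files mention the module, but not which service stacks actually reach it, because RHEL services pull the common stack in through include and substack lines. The following is an added example, not code from the thread: a small resolver for the "password" stack of a PAM service that follows include/substack, so you can see exactly which module (and with what arguments) will judge a password change arriving over sshd. The PAM files are constructed samples in the shape RHEL 6 ships; the cracklib line itself is the one JR quotes.

```python
import re

# Constructed sample /etc/pam.d files (service name -> file content), in the
# shape RHEL 6 ships: sshd and passwd pull the common stack in via include/substack.
SAMPLE_PAM_FILES = {
    "sshd": """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth
""",
    "password-auth": """\
auth        required      pam_env.so
auth        sufficient    pam_sss.so use_first_pass
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
""",
    "system-auth": """\
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
""",
    "passwd": """\
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   substack     system-auth
""",
}

# type  control  module  [args]; control may be a bracketed action list,
# and a leading "-" marks a module whose absence is tolerated.
LINE_RE = re.compile(
    r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def password_stack(service, files, _seen=None):
    """Resolve the 'password' stack of a PAM service, following include/substack.

    Returns a list of (file, control, module, args) in the order PAM runs them."""
    _seen = _seen or set()
    if service in _seen or service not in files:   # loop guard / missing file
        return []
    _seen = _seen | {service}
    stack = []
    for line in files[service].splitlines():
        line = line.split("#", 1)[0].rstrip()       # drop comments, incl. "#%PAM-1.0"
        m = LINE_RE.match(line)
        if not m or m.group(1) != "password":
            continue
        control, module, args = m.group(2), m.group(3), (m.group(4) or "")
        if control in ("include", "substack"):
            stack.extend(password_stack(module, files, _seen))
        else:
            stack.append((service, control, module, args.split()))
    return stack


def local_password_checks(service, files):
    """Modules that can reject a new password locally before IPA ever sees it."""
    return [(f, c, m, a) for f, c, m, a in password_stack(service, files)
            if m in ("pam_cracklib.so", "pam_pwquality.so")]


if __name__ == "__main__":
    for entry in local_password_checks("sshd", SAMPLE_PAM_FILES):
        print("%s: %s %s %s" % (entry[0], entry[1], entry[2], " ".join(entry[3])))
```

To run it against a real host, build the dictionary by reading each file under /etc/pam.d; the loop guard matters there because include cycles between service files are a known misconfiguration.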
[Freeipa-users] MemberOf plugin and LDAP filter
Hi everybody,

can somebody help me with the memberof plugin? Is there a way to add the memberof attribute like it was in 389-ds?

For my mailing list program, I want to have the emails of all the persons belonging to a group. Is there a filter to do that?

Thanks.
Re: [Freeipa-users] winsync agreement wipes IPA users
On 09/17/2012 07:10 PM, Steven Jones wrote:
> Hi,
>
> I understand that I'll lose users that are cn=Staff_Admins,dc=etc
>
> So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc
>
> This I don't understand.
>
> I have the -v already, anyway to make it very verbose?

http://port389.org/wiki/FAQ#Troubleshooting

Use the replication log level 8192.

I'd like to see the directory server errors log /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under the --win-subtree cn=VUW_Staff,dc= etc

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> *From:* Rich Megginson [rmegg...@redhat.com]
> *Sent:* Tuesday, 18 September 2012 12:47 p.m.
> *To:* Steven Jones
> *Cc:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On 09/17/2012 06:17 PM, Steven Jones wrote:
>> Hi,
>>
>> The first time missed the --win-subtree settings so I wiped the admins in the IPA admin group and users as they were not in cn=users as per the bug.
>>
>> The second time as far as I can tell I specified the correct cn via the win-subtree flag but I still appear to have lost the users in IPA. Now I expected to lose the admins but the loss of users as well confounds me.
>>
>> I did a ldapsearch as per checking and it seems to be saying the right folder/ou/cn but IPA is empty. Hence I was wondering if there was a log recording what the update was doing so I could try and figure out the mistake. I've tried grepping, can't find any indication. I will re-try with -v, verbose.
>
> It is not clear from the manuals, but no matter what --win-subtree you specify, winsync will search AD starting from the dc=domain suffix. So, for example, if you have cn=mystaff,cn=staff,dc=example,dc=com and you specify --win-subtree cn=mystaff,cn=staff,dc=example,dc=com winsync will still search starting from dc=example,dc=com and will hit ticket/355 if there are any users outside of cn=mystaff,cn=staff,dc=example,dc=com that have the same username as a user in IPA.
>
>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> *From:* Rich Megginson [rmegg...@redhat.com]
>> *Sent:* Tuesday, 18 September 2012 11:37 a.m.
>> *To:* Steven Jones
>> *Cc:* freeipa-users@redhat.com
>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>
>> On 09/17/2012 04:17 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> I just tried to do a winsync agreement with specifying the AD point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my users are not in the users folder but the VUW_Staff folder (at the same level) and it wiped all IPA users that are also in AD.
>>
>> Yes, this is what happens with https://fedorahosted.org/389/ticket/355
>> #355 winsync should not delete entry that appears to be out of scope
>>
>>> While doing the actual update does this get verbosely logged anywhere as opposed to "update in progress" dumped to the screen? Something went badly wrong, I just don't know what.
>>
>> You are seeing something different than #355?
>>
>>> :/
>>>
>>> regards
>>>
>>> Steven Jones
>>> Technical Specialist - Linux RHCE
>>> Victoria University, Wellington, NZ
>>> 0064 4 463 6272
Re: [Freeipa-users] MemberOf plugin and LDAP filter
James James wrote:
> Hi everybody,
>
> can somebody help me with the memberof plugin? Is there a way to add the memberof attribute like it was in 389-ds?
>
> For my mailing list program, I want to have the emails of all the persons belonging to a group. Is there a filter to do that?

To find all e-mail addresses of users in group mygroup use:

    $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail

This will include nested users who are in groups that are members of mygroup.

rob
Re: [Freeipa-users] MemberOf plugin and LDAP filter
Thanks for your answer.

In my group I have two users but when I use this command:

    $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail

the result is:

    # search result
    search: 2
    result: 0 Success

How can I check my memberOf plugin?

2012/9/18 Rob Crittenden <rcrit...@redhat.com>
> To find all e-mail addresses of users in group mygroup use:
>
>     $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail
>
> This will include nested users who are in groups that are members of mygroup.
>
> rob
Re: [Freeipa-users] Cmd-line Unprovision OTP setting for a host
On 09/18/2012 07:34 AM, Charlie Derwent wrote:
> Hi
>
> I've used
>
>     ipa host-disable ${HOST}; ipa host-mod --password=${PASS} ${HOST}
>
> in the past and that seems to work quite well. The ideal for me would be a situation where the IPA information could persist between rebuilds.

Can you please elaborate more? Between rebuilds of what, client or server? And what information do you want to persist: cert, keytab, OTP?

Thanks
Dmitri

> Cheers,
> Charlie
>
> On Tue, Sep 18, 2012 at 12:05 PM, Innes, Duncan <duncan.in...@virginmoney.com> wrote:
>> Folks,
>>
>> Juggling a problem here that perhaps doesn't have a perfect solution.
>>
>> I'm looking at systems that get re-provisioned by a Satellite/Spacewalk/Installation method. For full (Free)IPA integration, we normally delete the old entry from IPA, create a new one from scratch and set the OTP to match what we put in our post-install script called by the kickstart file.
>>
>> Just noticed that I can do the same thing by Unprovisioning the system via the WebUI and then setting the OTP. Is there a way to Unprovision a registered host and set an OTP via the command line? I was looking at 'ipa host-mod --setattr' but not getting too far with the Unprovisioning aspect.
>>
>> Duncan Innes | Linux Architect | Virgin Money | +44 1603 215476 | +44 7801 134507 | duncan.in...@virginmoney.com
Re: [Freeipa-users] MemberOf plugin and LDAP filter
James James wrote:
> Oups, in the first message I should write: "I want to have the email of the emails of all the person belonging to a group." and not "I want to have the email of the emails of all the person belongingS to a group." :0)

I'd pick a user you know is in the group and start there:

    ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' uid=someuser memberof

Confirm that there is a memberof for that user. This is all pre-configured, there shouldn't be the need to do anything.

rob

> 2012/9/18 James James <jre...@gmail.com>
>> Thanks for your answer.
>>
>> In my group I have two users but when I use this command:
>>
>>     $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail
>>
>> the result is:
>>
>>     # search result
>>     search: 2
>>     result: 0 Success
>>
>> How can I check my memberOf plugin?
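Rob's answer in this thread gives the memberOf filter and James's follow-up shows what an empty result looks like; a mailing-list program would then have to turn ldapsearch's LDIF output into addresses. The following is an added example, not code from the thread or from FreeIPA. It builds the filter with RFC 4515 escaping of the group DN (so a group name containing "(", ")" or "*" cannot change the meaning of the filter), assembles the ldapsearch argv Rob suggested without going through a shell, and parses LDIF the way ldapsearch prints it (comments, folded continuation lines, and base64 "attr::" values). The LDIF is a constructed sample for three members; the DN layout is the one used in the thread.

```python
import base64

# Constructed sample: what "ldapsearch -Y GSSAPI -b cn=users,... '(memberOf=...)' mail"
# prints for three members. carol's address is base64-encoded ("mail::") purely to
# exercise that LDIF form; real ldapsearch uses it for values it considers unsafe.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
# filter: (memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)
# requesting: mail
#

# alice, users, accounts, example.com
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
mail: alice@example.com

# bob, users, accounts, example.com
dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
mail: bob@example.com
mail: robert@example.com

# carol, users, accounts, example.com
dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
mail:: Y2Fyb2xAZXhhbXBsZS5jb20=

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def member_of_filter(group_dn):
    """Filter matching every entry whose memberOf contains group_dn (nested members included)."""
    return "(memberOf=%s)" % ldap_filter_escape(group_dn)


def ldapsearch_argv(base_dn, group_dn, attrs=("mail",)):
    """argv for the search from the thread; passed to exec directly, so no shell quoting."""
    return ["ldapsearch", "-Y", "GSSAPI", "-b", base_dn, member_of_filter(group_dn)] + list(attrs)


def parse_ldif(text):
    """Parse ldapsearch LDIF output into an ordered list of (dn, {attr: [values]})."""
    # Unfold: a line beginning with one space continues the previous line.
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current, dn = [], None, None
    for line in unfolded + [""]:            # trailing sentinel flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, current))
            current, dn = None, None
            continue
        if line.startswith("#") or ":" not in line:
            continue                        # comment, or a line that is not attr: value
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            dn, current = value, {}
        elif current is not None:           # "search:" / "result:" trailer lines land here
            current.setdefault(name, []).append(value)
    return entries


def group_mail_addresses(ldif_text):
    """Every mail value from the search result, de-duplicated and sorted."""
    return sorted({m for _, attrs in parse_ldif(ldif_text) for m in attrs.get("mail", [])})


if __name__ == "__main__":
    print(ldapsearch_argv("cn=users,cn=accounts,dc=example,dc=com",
                          "cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com"))
    print(group_mail_addresses(SAMPLE_LDIF))
```

The trailer James posted ("search: 2 / result: 0 Success" with no entries) parses to an empty list, which is exactly the condition to alarm on: the search succeeded but nothing carries the memberOf value, so either the group is empty or, as Rob suggests checking, memberOf is not being maintained for those users.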
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:
> As stated elsewhere in this thread, bare kinit does not contact the SSSD at all. You want to go through the PAM stack (with "su - mike" or "ssh mike@ipaclient") in order to contact the SSSD so that the SSSD refreshes the file. Does using "su - mike" refresh the file?

When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers. e.g.

    [root@ipaclient sssd]# su - mike
    [mike@ipaclient ~]$ exit
    logout

    [root@ipaserver ~]ifdown eth0

    [root@ipaclient sssd]# su - mike
    [mike@ipaclient ~]$ exit
    logout

    [root@ipaserver ~]ifup eth0
    [root@ipaserver2 ~]ifdown eth0

    [root@ipaclient sssd]# su - mike
    [mike@ipaclient ~]$ exit
    logout

    [root@ipaserver ~]ifdown eth0
    [root@ipaserver2 ~]ifup eth0

    [root@ipaclient sssd]# su - mike    # short delay ~2 seconds
    [mike@ipaclient ~]$ exit
    logout

    [root@ipaserver ~]ifup eth0
    [root@ipaserver2 ~]ifdown eth0

    [root@ipaclient sssd]# su - mike    # short delay ~2 seconds
    [mike@ipaclient ~]$ exit
    logout

I do not seem to have any sssd problems.

Thanks,
Mike

> Michael also said that the IP address 172.16.112.8 is the address of the server that is down. I assume that at one point the SSSD was using that server but no request came to the SSSD since the last one, so the SSSD did not fail over to the other configured server.
Re: [Freeipa-users] sudden ipa errors.
Nathan Lager wrote:
> Sorry for falling off like that. I opened a RedHat ticket on the issue, and have been running in circles with them. I forgot to check on the list for responses.
>
> I'm still having problems. Someone suggested I try:
>
>     kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu
>
> Which I just did, and it worked, or, at least it initialized my session. I'm still unable to execute ipa commands. In fact, I'm unable to execute almost any ipa commands.
>
> The web interface works, but only after RedHat had me enable kerberos password auth in the httpd config. So I can now auth to the web gui interactively, instead of requiring a kinit from my workstation.
>
> The only real client I have here is RHEV. And auth there still works except on accounts which have expired. Those accounts can't even change their passwords. RedHat had me disable the password expiration via the web gui, however that hasn't helped accounts that are already expired.
>
> RedHat is currently blaming time skew, which I think is ridiculous. I'm testing my ipa commands right on the ipa master. How could there possibly be time skew. I did find that the time on my replica was off, but my replica isn't working anyway, which is a whole other issue. I think it needs to be flattened, and re-joined.

I think we need to start with the basics, so here is a slew of questions, things to try:

You said you enabled password auth? Did you do this by setting KrbMethodK5Passwd to on?

You say that some commands work, which ones?

It seems that kinit works?

    kinit admin

Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf and restart the httpd service, then:

    $ kdestroy
    $ kinit admin
    $ ipa user-show admin

Provide the logs covering the restart of Apache until the error from /var/log/httpd/error_log, /var/log/krb5kdc.log and /var/log/dirsrv/slapd-YOURINSTANCE/access. This last log buffers for 30 seconds so it may be a while before it gets updated.

What are the versions of:

    httpd
    mod_auth_kerb
    ipa-server
    krb5-server

This is RHEL 6.3?

The problem seems isolated to mod_auth_kerb and/or s4u2proxy since it works with password authentication in the UI.

rob
Re: [Freeipa-users] errors when one ipa server down
On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote:
> On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:
>> As stated elsewhere in this thread, bare kinit does not contact the SSSD at all. You want to go through the PAM stack (with "su - mike" or "ssh mike@ipaclient") in order to contact the SSSD so that the SSSD refreshes the file. Does using "su - mike" refresh the file?
>
> When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers. e.g.
>
>     [root@ipaclient sssd]# su - mike
       ^^

Sorry, but can you re-run the test again and either su from another non-root user or ssh into the client for instance? The reason is that performing su as root would not contact the SSSD at all either. The default PAM configuration for su includes pam_rootok.so which just returns PAM_SUCCESS if the user who performs su has UID=0.

I kinda expect the result to be the same (at least for a user who is not recently cached) because in the case of IPA we need to establish a GSSAPI encrypted connection anyway so we'd talk to the KDC only to perform initgroups.
Re: [Freeipa-users] sudden ipa errors.
I'm going to respond inline to avoid confusion.

On 09/18/2012 03:22 PM, Rob Crittenden wrote:
> I think we need to start with the basics, so here is a slew of questions, things to try:
>
> You said you enabled password auth? Did you do this by setting KrbMethodK5Passwd to on?

Yes, in /etc/conf.d/ipa.conf, I changed KrbMethodK5Passwd from off to on, and reloaded httpd.

> You say that some commands work, which ones?

There are very few that don't error out. The ones I've come across are things like ipa-replica-manage; every ipa command I've attempted to run dies with:

    [root@caroline0 PROD conf.d]# ipa user-show lagern
    ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error

> It seems that kinit works?
>
>     kinit admin

kinit admin works, but admin's password is expired, so the session never fully inits. Before his password expired, I could kinit admin. I can still kinit as myself, which is an admin account.

> Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf and restart the httpd service, then:
>
>     $ kdestroy
>     $ kinit admin
>     $ ipa user-show admin
>
> Provide the logs covering the restart of Apache until the error from /var/log/httpd/error_log, /var/log/krb5kdc.log and /var/log/dirsrv/slapd-YOURINSTANCE/access. This last log buffers for 30 seconds so it may be a while before it gets updated.

loglevel is already debug due to my other testing. I've restarted httpd anyway, in case you get any meaningful errors in httpd's start procedure. I then ran the commands you requested. Here are the log outputs. I'm sorry that these are dumped in and hard to read..

/var/log/httpd/error_log:

    [Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
    [Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
    [Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
    [Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
    [Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
    [Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
    [Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
    [Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
    [Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
    [Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
    [Tue Sep 18 16:26:46 2012] [notice] caught SIGTERM, shutting down
    [Tue Sep 18 16:26:46 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
    [Tue Sep 18 16:26:46 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Tue Sep 18 16:26:47 2012] [info] Configuring server for SSL protocol
    [Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(655): Enabling SSL3
    [Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(660): Enabling TLS
    [Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(831): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
    [Tue Sep 18 16:26:47 2012] [info] Using nickname Server-Cert.
    [Tue Sep 18 16:26:47 2012] [notice] Digest: generating secret for digest authentication ...
    [Tue Sep 18 16:26:47 2012] [notice] Digest: done
    [Tue Sep 18 16:26:47 2012] [warn] mod_wsgi: Compiled for Python/2.6.2.
    [Tue Sep 18 16:26:47 2012] [warn] mod_wsgi: Runtime using Python/2.6.6.
    [Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
    [Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
    [Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
    [Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
    [Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already
Re: [Freeipa-users] sudden ipa errors.
Nathan Lager wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 IM going to respond inline to avoid confusion. On 09/18/2012 03:22 PM, Rob Crittenden wrote: I think we need to start with the basics, so here is a slew of questions, things to try: You said you enabled password auth? Did you do this by setting KrbMethodK5Passwd to on? Yes, in /etc/conf.d/ipa.conf, I changed KrbMethodK5Passwd from off to on, and reloaded httpd. You say that some commands work, which ones? There are very few that dont error out. The ones i've come across are things like, ipa-replica-manage, every ipa command command ive attempted to run dies with: [root@caroline0 PROD conf.d]# ipa user-show lagern ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error It seems that kinit works? kinit admin kinit admin works, but admin's password is expired, so the session never fully init's. Before his password expired, i could kinit admin. I can still kinit as myself, which is an admin account. Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf and restart the httpd service, then: $ kdestroy $ kinit admin $ ipa user-show admin Provide the logs covering the restart of Apache until the error from /var/log/httpd/error_log, /var/log/krb5kdc.log and /var/log/dirsrv/slapd-YOURINSTANCE/access. This last log buffers for 30 seconds so it may be a while before it gets updated. loglevel is already debug due to my other testing. I've restarted httpd anyway, in case you get any meaningful errors in httpd's start procedure. I then ran the commands you requested. Here are the log outputs. Im sorry that these are dumped in and hard to read.. 
/var/log/httpd/error_log:

[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:45 2012] [error] Exception KeyError: KeyError(140591752845280,) in module 'threading' from '/usr/lib64/python2.6/threading.pyc' ignored
[Tue Sep 18 16:26:46 2012] [notice] caught SIGTERM, shutting down
[Tue Sep 18 16:26:46 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue Sep 18 16:26:46 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Sep 18 16:26:47 2012] [info] Configuring server for SSL protocol
[Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(655): Enabling SSL3
[Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(660): Enabling TLS
[Tue Sep 18 16:26:47 2012] [debug] nss_engine_init.c(831): Configuring permitted SSL ciphers [+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Tue Sep 18 16:26:47 2012] [info] Using nickname Server-Cert.
[Tue Sep 18 16:26:47 2012] [notice] Digest: generating secret for digest authentication ...
[Tue Sep 18 16:26:47 2012] [notice] Digest: done
[Tue Sep 18 16:26:47 2012] [warn] mod_wsgi: Compiled for Python/2.6.2.
[Tue Sep 18 16:26:47 2012] [warn] mod_wsgi: Runtime using Python/2.6.6.
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/ already initialized
[Tue Sep 18 16:26:48 2012] [debug] proxy_util.c(1803): proxy: worker ajp://localhost:9447/
Re: [Freeipa-users] Password requirements too stringent
So, commenting out:

password    requisite     pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8

caused users updating their passwords using ssh to get:

[ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
Permission denied, please try again.
ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
Password expired. Change your password now.
Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user ykatabam.
Current Password:
Password change failed. Server message: Password change failed
passwd: Authentication token manipulation error
Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.

Is that to say that you need at least 1 password requisite? That instead of commenting out the password requisite pam_cracklib.so, I should have replaced it with something?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

- Original Message -
From: Jakub Hrozek jhro...@redhat.com
To: freeipa-users@redhat.com
Sent: Tuesday, September 18, 2012 5:29:12 PM
Subject: Re: [Freeipa-users] Password requirements too stringent

On Tue, Sep 18, 2012 at 02:57:49AM +, JR Aquino wrote:

On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:

JR

I had that line. I commented it out. Thank you.

Now, what do I have to restart?

I believe it should take effect in real time, but you may need to test to be sure.

If it is still happening, you may need to double check that some other pam cfg doesn't also have it present:

$ cd /etc/pam.d/
grep pam_cracklib *

If you have removed it from everything and it is still giving you the same error, then I would try a reboot... perhaps getty needs to reinitialize or something.

But I'd try those steps before a reboot! ;)

Some services, notably the sshd, must be restarted in order to re-read the PAM config.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
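To see what the pam_cracklib line discussed in this thread actually demands, here is an added example (not code from the thread, and not pam_cracklib's own code) that parses such a line from pam.d syntax and applies the module's documented minlen/credit rule to candidate passwords. The sample line and the candidate passwords are constructed; the dictionary, palindrome and similarity checks the real module also runs are deliberately left out.

```python
# Constructed sample: the pam_cracklib line from the thread, in /etc/pam.d syntax
# (the empty "type=" argument is kept exactly as it was posted).
SAMPLE_PAM_LINE = (
    "password    requisite     pam_cracklib.so try_first_pass retry=3 type= "
    "dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8"
)


def parse_cracklib_args(line):
    """Return the pam_cracklib arguments of a pam.d 'password' line as a dict.

    key=value arguments map to their value; bare flags (try_first_pass) map to None.
    """
    fields = line.split()
    if len(fields) < 3 or fields[0] != "password" or fields[2] != "pam_cracklib.so":
        raise ValueError("not a pam_cracklib password line")
    args = {}
    for tok in fields[3:]:
        key, sep, val = tok.partition("=")
        args[key] = val if sep else None
    return args


def check_length_and_credits(password, args):
    """Model pam_cracklib's minlen/credit rule; return (ok, reason).

    A negative credit (dcredit=-1) means "at least that many characters of the
    class are required". A non-negative credit is the maximum number of characters
    of that class that each count +1 towards minlen (so lcredit=0 gives lowercase
    letters no credit at all). Module defaults are minlen=9 and every credit=1.
    """
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in password:
        cls = "d" if ch.isdigit() else "u" if ch.isupper() else "l" if ch.islower() else "o"
        counts[cls] += 1
    needed = int(args.get("minlen") or 9)
    for cls, name in (("d", "digit"), ("u", "uppercase"), ("l", "lowercase"), ("o", "other")):
        credit = int(args.get(cls + "credit") or 1)
        if credit < 0:
            if counts[cls] < -credit:
                return False, "needs at least %d %s character(s)" % (-credit, name)
        else:
            needed -= min(counts[cls], credit)   # earned credit lowers the required length
    if len(password) < needed:
        return False, "shorter than effective minimum length %d" % needed
    return True, "ok"


if __name__ == "__main__":
    policy = parse_cracklib_args(SAMPLE_PAM_LINE)
    for pw in ("password", "Passw0rd", "Passw0rd!", "Pa55!"):   # constructed candidates
        print(pw, check_length_and_credits(pw, policy))
```

With the thread's settings, "Passw0rd" is rejected for lacking a non-alphanumeric character, while the same password would pass the module defaults because each class earns credit there.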
Re: [Freeipa-users] sudden ipa errors.
- Original Message -
From: Rob Crittenden rcrit...@redhat.com
To: Nathan Lager lag...@lafayette.edu
Cc: freeipa-users@redhat.com
Sent: Tuesday, September 18, 2012 5:17:00 PM
Subject: Re: [Freeipa-users] sudden ipa errors.

Ok, what are the permissions on the keytab, /etc/httpd/conf/ipa.keytab? They should be apache:apache mode 0600.

[lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
-rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab

Are you in SELinux enforcing mode? Can you try in permissive to see if that works?

I was enforcing at the start of all of this, but I've since switched to permissive for troubleshooting. It hasn't made a difference.

rob