Re: [Freeipa-users] Don't know what To do with this (error?? )
Ohh, sorry, I didn't say that I was using the FreeIPA server on this problem. Anyway, thanks for the replies :) and, as before, thanks, really appreciate it :D

On Monday, November 24, 2014 11:55 PM, Martin Kosek mko...@redhat.com wrote:

> On 11/25/2014 08:12 AM, Rolf Nufable wrote:
>> Well I tried to kinit the admin account and then reboot the server.. then after that it worked, the admin account could then log in to the IPA web UI.. but does this mean that every time I want to log in to the UI I need to kinit manually?
>>
>> Sent from Yahoo Mail on Android
>
> Well, you need to have a ticket on your client machine (the one with the browser) to be able to authenticate via Kerberos. You can check that with
>
>     # klist
>
> To get the ticket, you can either run kinit manually as you said or let SSSD get it for you as you authenticate/login to your client machine. AFAIK, this is the default behavior.
>
> Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Is it possible to set up SUDO with redundancy?
On Mon, Nov 24, 2014 at 8:38 PM, William Muriithi william.murii...@gmail.com wrote:

> Evening,
>
> After looking at almost all the SUDO documentation I could find, it looks like one has to hardcode the FreeIPA hostname in the sssd.conf file. Below is what Red Hat advises adding to the sssd config file.
>
>     services = nss, pam, ssh, pac, sudo
>
>     [domain/idm.coe.muc.redhat.com]
>     sudo_provider = ldap
>     ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
>     ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
>     ldap_sasl_mech = GSSAPI
>     ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
>     ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
>     krb5_server = grobi.idm.coe.muc.redhat.com
>
> The implication of adding the above is that SUDO would break if the hardcoded IPA server is not available, even if there is another replica somewhere in the network. Is that a correct assumption? Is there a better way of doing it that I have missed?

Which version of sssd do you have?

sssd >= 1.10 has a native ipa sudo provider and you don't need to use sudo_provider = ldap.

LS
Re: [Freeipa-users] Setting up a Kerberized IMAP Server.
On 24.11.2014 17:45, Maria Jose Yañez Dacosta wrote:

> Thank you for your prompt reply :). I still haven't discovered what caused the problem, but now I could get more information about it. I ran the commands you suggested, as follows:
>
>     kinit usuipa
>     kvno imap/zimbrafreeipa.example@fi.example.com
>
> (I said in my previous mail fi.example.com but should have said zimbrafreeipa.example.com. Forgive me!!)
>
> Then I ran klist and got this:
>
>     11/24/14 14:04:53  11/25/14 14:04:50  krbtgt/fi.example@fi.example.com
>     11/24/14 14:05:52  11/25/14 14:04:50  imap/zimbrafreeipa.fi.example@fi.example.com
>
> Then I ran KRB5_TRACE=/dev/stdout kvno imap/zimbrafreeipa.example@fi.example.com and got this:
>
>     --- OUTPUT ---
>     [20649] 1416845334.9690: Getting credentials usu...@fi.example.com -> imap/zimbrafreeipa.fi.example@fi.example.com using ccache FILE:/tmp/krb5cc_0
>     [20649] 1416845334.27562: Retrieving usu...@fi.example.com -> imap/zimbrafreeipa.fi.example@fi.example.com from FILE:/tmp/krb5cc_0 with result: 0/Success
>     imap/zimbrafreeipa.fi.example@fi.example.com: kvno = 2
>     --- END OF OUTPUT ---
>
> When I run KRB5_TRACE=/dev/stdout thunderbird this shows:
>
>     --- OUTPUT ---
>     Gtk-Message: Failed to load module canberra-gtk-module: libcanberra-gtk-module.so: cannot open shared object file: No such file or directory
>     [20906] 1416845377.323420: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal usu...@fi.example.com for server principal imap/zimbrafreeipa.fi.example@fi.example.com
>     [20906] 1416845377.323834: Retrieving usu...@fi.example.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
>     [20906] 1416845377.323939: Getting credentials usu...@fi.example.com -> imap/zimbrafreeipa.fi.example@fi.example.com using ccache FILE:/tmp/krb5cc_0
>     [20906] 1416845377.324677: Retrieving usu...@fi.example.com -> imap/zimbrafreeipa.fi.example@fi.example.com from FILE:/tmp/krb5cc_0 with result: 0/Success
>     [20906] 1416845377.325617: Creating authenticator for usu...@fi.example.com -> imap/zimbrafreeipa.fi.example@fi.example.com, seqnum 138355536, subkey aes256-cts/3BB4, session key aes256-cts/A007
>     [20906] 1416845377.353847: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal usu...@fi.example.com for server principal imap/zimbrafreeipa.fi.example@fi.example.com
>     [20906] 1416845377.353971: Retrieving usu...@fi.example.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
>     [20906] 1416845377.354331: Read AP-REP, time 1416845380.325675, subkey (null), seqnum 1067232298
>     [20906] 1416845396.10173: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal usu...@fi.example.com for server principal imap/zimbrafreeipa.fi.example@fi.example.com
>     [20906] 1416845396.10290: Retrieving usu...@fi.example.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
>     [20906] 1416845396.10316: Getting credentials usu...@fi.example.com -> imap/zimbrafreeipa.fi.example@fi.example.com using ccache FILE:/tmp/krb5cc_0
>     [20906] 1416845396.10391: Retrieving usu...@fi.example.com -> imap/zimbrafreeipa.fi.example@fi.example.com from FILE:/tmp/krb5cc_0 with result: 0/Success
>     [20906] 1416845396.10469: Creating authenticator for usu...@fi.example.com -> imap/zimbrafreeipa.fi.example@fi.example.com, seqnum 592157704, subkey aes256-cts/5F4D, session key aes256-cts/A007
>     [20906] 1416845396.35033: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal usu...@fi.example.com for server principal imap/zimbrafreeipa.fi.example@fi.example.com
>     [20906] 1416845396.35196: Retrieving usu...@fi.example.com -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
>     [20906] 1416845396.35293: Read AP-REP, time 1416845399.10477, subkey (null), seqnum 911725412
>     --- END OF OUTPUT ---

This seems okay, Thunderbird got the necessary ticket, so the problem could be on the server side.

(Just to be 100% sure: did you configure the network.negotiate-auth option in Thunderbird according to https://jpolok.web.cern.ch/jpolok/kerberos-macosx.html ?)

> About permissions on the keytab file, I have the following:
>
>     ls -l /opt/zimbra/conf/krb5.keytab
>     -rwxrwxrwx 1 zimbra
Re: [Freeipa-users] Freeipa-users Digest, Vol 76, Issue 111
Sorry for the delay in answering, I've been testing a few things before coming back to ask.

Thanks for the advice, I'll be careful with security :). I also tried what is explained in the URL you shared with me and, as you suspected, that isn't the problem either.

I installed Wireshark, and the packet capture shows me these errors:

    error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
    e-text: PREAUTH_FAILED

where the origin of these packets is the FreeIPA server and the destination is the Zimbra server. I think this may be causing problems.

I'm ashamed to say this, but I haven't figured out how to debug the IMAP process on the server using KRB5_TRACE.

Thanks so much for all your help, and if you have more suggestions, they would be appreciated. Have a good day.
[Freeipa-users] backup procedure : procedure for the loss of the primary master
Hi,

I read the backup procedure on http://www.freeipa.org/page/Backup_and_Restore. If I lose my first master, it is stated that:

- Clean deployment from the lost server by removing all replication agreements with it.
- Choose another FreeIPA Server with CA installed to become the first master
- Nominate this master to be the one in charge of renewing certs and publishing CRLs. This is a manual procedure at the moment.
- Follow standard installation procedure to deploy a new master on a hardware/VM of your choice

How do I nominate this master to be the one in charge of renewing certs and publishing CRLs? I didn't find the procedure.

Also, do I have to differentiate between the first master and the other replicas if my IPA installation uses an external root CA certificate (Windows AD in that case)?

Regards,

Nicolas Zin
Re: [Freeipa-users] 3.0.0-42 Replication issue after Centos6.5-6.6 upgrade
Hi,

with the help of Thierry and Rich I managed to debug the running ns-slapd on Server1 (see below). The failing attempt to decode the SASL data returns a not very fruitful -1 (SASL_FAIL, generic failure). Any ideas?

Short summary:

Server1 = running IPA server
Server2 = intended IPA replica

Both machines run the exact same, up-to-date version of CentOS 6.6. However: I had to run ipa-replica-install _without_ the option --setup-ca (didn't work, installation failed with some obscure Perl error), so there's no ns-slapd instance running for PKI-IPA. May this be related?

On Fri, 21 Nov 2014, Rich Megginson wrote:

> On 11/21/2014 04:51 AM, thierry bordaz wrote:
>> On 11/21/2014 10:59 AM, dbisc...@hrz.uni-kassel.de wrote:
>>> On Thu, 20 Nov 2014, thierry bordaz wrote:
>>>> On 11/20/2014 12:03 PM, dbisc...@hrz.uni-kassel.de wrote:
>>>>> On Thu, 20 Nov 2014, thierry bordaz wrote:
>>>>>> Server1 successfully replicated to Server2, but Server2 fails to replicate to Server1. The replication Server2 -> Server1 is done with Kerberos authentication. Server1 receives the replication session, successfully identifies the replication manager, starts to receive replication extops but suddenly closes the connection.
>>>>>>
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 fd=78 slot=78 connection from xxx to yyy
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=xxx"
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=3 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=4 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=4 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=5 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=6 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="nsSchemaCSN"
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=6 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>     [19/Nov/2014:14:21:39 +0100] conn=2980 op=-1 fd=78 closed - I/O function error.
>>>>>>
>>>>>> The reason for this closure is logged in the Server1 error log. sasl_decode fails to decode a received PDU.
>>>>>>
>>>>>>     [19/Nov/2014:14:21:39 +0100] - sasl_io_recv failed to decode packet for connection 2980
>>>>>>
>>>>>> I do not know why it fails but I wonder if the received PDU is not larger than the maximum configured value. The attribute nsslapd-maxsasliosize is set to 2Mb by default. Would it be possible to increase its value (5Mb) to see if it has an impact [...]
>>>>>
>>>>> I set nsslapd-maxsasliosize to 6164480 on both machines, but the problem remains.
>>>>
>>>> The sasl-decode fails but the exact returned value is not logged. With the standard version we may need to attach a debugger and then set a conditional breakpoint in sasl-decode just after conn->oparams.decode that will fire if result != 0. Now this can change the dynamics and possibly prevent the problem from occurring again. The other option is to use an instrumented version to log this value.
>>>
>>> If I understand the mechanism correctly, Server1 needs to have debug versions of the relevant packages (probably 389-ds-base and cyrus-sasl) installed in order to track down the problem. Unfortunately, my Server1 is in production use - if I break it, my colleagues will grab forks and torches and be after me. A short downtime would be ok, though. Is there something else I could do?
>>
>> Sure, I do not want to trigger so much trouble ;-) I think my email was not clear. To go further we would need to know the exact reason why sasl_decode fails. I see two options:
>>
>> * Prepare a debug version that would report in the error logs the returned value of sasl_decode (when it fails). Except for the downtime to install the debug version, it has no impact in production.
>> * Do a debug session (gdb) on Server1. The debug session will install a breakpoint at a specific place, let the server run, catch the sasl_decode failure and note the return code, then exit from the debugger. When the problem occurs, it happens regularly (every 5 seconds) so we should not have to wait long. That means that debugging Server1 should disturb production for 5 to 10 min. A detailed procedure to do the
Re: [Freeipa-users] Services and Keytabs for load-balanced hostnames
My case for HTTP load balancing is a little different. Ideally I would like to use a real load balancer (A10 in this case) for balancing HTTP and HTTPS services. Would that be possible?

Based on the info in this thread, and the Apache configuration for IPA (ipa.conf), the following steps were performed:

- Added host for sso.example.com
- Added service for HTTP/sso.example.com
- Added a new entry for HTTP/sso.example.com to /etc/httpd/conf/ipa.keytab. This keytab is listed in conf.d/ipa.conf under the Location '/ipa' group of directives.

      ipa-getkeytab -s `hostname` -p HTTP/sso.example.com -k /etc/httpd/conf/ipa.keytab

- Modified conf.d/ipa-rewrite.conf and ipa-pki-proxy.conf to redirect requests to sso.example.com

The login page loads but unfortunately authentication is failing with an HTTP 401 (unauthorized) response from the server. I wonder what I am doing wrong.

IPA ver is 3.0 running on CentOS 6.5, 64bit

Thanks

Dimitar

On Tue, Sep 30, 2014 at 3:01 AM, Petr Spacek pspa...@redhat.com wrote:

> On 29.9.2014 23:12, Simo Sorce wrote:
>> On Mon, 29 Sep 2014 23:25:08 +0300 Alexander Bokovoy aboko...@redhat.com wrote:
>>> On Mon, 29 Sep 2014, Mark Heslin wrote:
>>>> Folks,
>>>>
>>>> I'm looking for the best approach to take for configuring IdM clients to access web services (HTTP) with keytabs when a front-end load-balanced hostname is in place.
>>>>
>>>> I have a distributed OpenShift Enterprise configuration with three broker hosts (broker1, broker2, broker3) with all three configured as IdM clients. IdM is configured with one server (idm-srv1.example.com), one replica (idm-srv2.example.com); an HTTP service has been created for each broker host:
>>>>
>>>>     # ipa service-add HTTP/broker1.example.com
>>>>     # ipa service-add HTTP/broker2.example.com
>>>>     # ipa service-add HTTP/broker3.example.com
>>>>
>>>> A DNS round-robin hostname called 'broker.example.com' has also been configured to distribute broker requests across the three brokers:
>>>>
>>>>     # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.11
>>>>     # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.12
>>>>     # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.13
>>>>
>>>> Effectively, this creates a DNS A record that acts as a pseudo DNS load-balancer.
>>>>
>>>> To access the HTTP services, we have been creating keytabs for the first broker host:
>>>>
>>>>     # ipa-getkeytab -s idm-srv1.example.com -p HTTP/broker1.example@example.com -k /var/www/openshift/broker/httpd/conf.d/http.keytab
>>>>
>>>> and copying the keytab over to the other two OpenShift broker hosts. This all works fine, but in the event that broker1 should go down, the other broker hosts will lose access to the web service.
>>>>
>>>> Ideally, we would like to have web services use the more generic, load-balanced hostname (broker.example.com) and in turn have the keytabs use this name as well. I tried creating an HTTP service using the load-balanced hostname (broker.example.com) but that appears to fail due to broker.example.com not being a valid host within IdM:
>>>>
>>>>     # ipa service-add HTTP/broker.example.com
>>>>     ipa: ERROR: The host 'broker.example.com' does not exist to add a service to.
>>>>
>>>> In the F18 FreeIPA guide it discusses creating a combined keytab file (Section 6.5.4) using ktutil:
>>>>
>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#Using_the_Same_Service_Principal_for_Multiple_Services
>>>>
>>>> but would that still work as intended should a broker host go down?
>>>>
>>>> The next section (6.5.5) mentions creating a keytab to create a service principal that can be used across multiple hosts:
>>>>
>>>>     # ipa-getkeytab -s kdc.example.com -p HTTP/server.example.com -k /etc/httpd/conf/krb5.keytab -e des-cbc-crc
>>>>
>>>> which seems more in line with my thinking and exactly what we've been doing, but again, if I try to do that using the load-balanced hostname (broker.example.com) it fails since it's not a valid host within IdM.
>>>>
>>>> What is the best method of doing this?
>>>
>>> Make a host named broker.example.com
>>>
>>>     ipa host-add broker.example.com --force
>>>
>>> --force will make sure to create the host object even if there is no such name in the DNS. Then create services for this host.
>>
>> You'll need to set up your balancer hosts to use the proper service principal instead of allowing them to construct the principal themselves based on the hostname.
>>
>> Even better, tell them to not assume any name: if the server name is NULL, GSSAPI will try every key in the keytab. You can even force that behavior with a krb5 config hack even if the app insists on setting a name, by adding
>>
>>     ignore_acceptor_hostname = true
>>
>> in [libdefaults].
>
> I consider this a 'workaround'. An even better option is to teach your client application to use DNS SRV records instead of plain A records. SRV records allow you to do more fancy things like non-equal load balancing etc.
>
> -- 
> Petr^2 Spacek
Re: [Freeipa-users] Services and Keytabs for load-balanced hostnames
On Tue, 25 Nov 2014, Dimitar Georgievski wrote:

> My case for HTTP load balancing is a little different. Ideally I would like to use a real load balancer (A10 in this case) for balancing HTTP and HTTPS services. Would that be possible?
>
> Based on the info in this thread, and the Apache configuration for IPA (ipa.conf), the following steps were performed:
>
> - Added host for sso.example.com
> - Added service for HTTP/sso.example.com
> - Added a new entry for HTTP/sso.example.com to /etc/httpd/conf/ipa.keytab. This keytab is listed in conf.d/ipa.conf under the Location '/ipa' group of directives.
>
>       ipa-getkeytab -s `hostname` -p HTTP/sso.example.com -k /etc/httpd/conf/ipa.keytab
>
> - Modified conf.d/ipa-rewrite.conf and ipa-pki-proxy.conf to redirect requests to sso.example.com
>
> The login page loads but unfortunately authentication is failing with an HTTP 401 (unauthorized) response from the server. I wonder what I am doing wrong.

Can you show your /var/log/krb5kdc.log, the lines concerning the HTTP/sso.example.com principal at the time you are trying to access the IPA UI?

FreeIPA limits service principals' ability to impersonate user principals (or any other principals). The FreeIPA UI runs as the HTTP/ principal and is given permission to impersonate the user principal when talking to the ldap/ service. This setup is explicit and requires additional configuration for those Kerberos principals which ask for additional access.

For a more detailed description read my article at http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html

-- 
/ Alexander Bokovoy
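Two threads in this digest come down to the same keytab checks: Maria's IMAP server rejecting Thunderbird's tickets with KRB5KRB_AP_ERR_BAD_INTEGRITY while its keytab is world-readable and world-writable (-rwxrwxrwx), and the shared HTTP keytab that Mark copies from broker1 to the other brokers (the same pattern Dimitar follows for HTTP/sso.example.com). A world-readable keytab hands the service's long-term key to every local user, and BAD_INTEGRITY on the server side usually means the key in the keytab no longer matches the key version (kvno) the KDC is issuing tickets for. Copies of one keytab are fragile for the same reason: each ipa-getkeytab run generates a new key and bumps the kvno, so re-running it on one node silently breaks the copies on the others. The Python below is an added example, not code from the thread, FreeIPA or MIT Kerberos; it parses the output of `ls -l`, `klist -kte` and `kvno` (the sample output is constructed, with hypothetical hosts, kvnos and timestamps) and reports each of those three conditions.

```python
"""Keytab sanity checks for Kerberized services (added example, not project code).

Inputs are plain text so the checks run offline on pasted output of
`ls -l <keytab>`, `klist -kte <keytab>` and `kvno <principal>`.
"""
import re

# `klist -kte` data line: kvno, timestamp (date and time), principal, (enctype)
_KLIST_LINE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<princ>\S+)(?:\s+\((?P<etype>[^)]+)\))?\s*$")
# `kvno <principal>` prints "<principal>: kvno = <n>"
_KVNO_LINE = re.compile(r"^(?P<princ>\S+):\s+kvno\s*=\s*(?P<kvno>\d+)\s*$")


def parse_klist(text):
    """Map principal -> {kvno: set(enctypes)} from `klist -kte` output."""
    keys = {}
    for line in text.splitlines():
        m = _KLIST_LINE.match(line)
        if not m:  # "Keytab name:", column header and separator lines
            continue
        etypes = keys.setdefault(m.group("princ"), {}).setdefault(int(m.group("kvno")), set())
        etypes.add(m.group("etype") or "unknown")
    return keys


def parse_kvno(text):
    """Map principal -> kvno the KDC currently issues tickets for."""
    return {m.group("princ"): int(m.group("kvno"))
            for m in map(_KVNO_LINE.match, text.splitlines()) if m}


def mode_findings(ls_mode):
    """Flag group/other bits in an `ls -l` mode string such as '-rwxrwxrwx'.
    Read access to a keytab is possession of the service's long-term key."""
    if len(ls_mode) < 10:
        raise ValueError("expected an ls -l mode string such as -rw-------")
    findings = []
    if ls_mode[4:7].strip("-"):
        findings.append("keytab is accessible to its group (%s)" % ls_mode[4:7])
    if ls_mode[7:10].strip("-"):
        findings.append("keytab is accessible to everyone (%s)" % ls_mode[7:10])
    return findings


def check_service_keytab(principal, ls_mode, klist_text, kvno_text):
    """All findings for one service keytab; [] means it should accept tickets."""
    findings = mode_findings(ls_mode)
    in_keytab = parse_klist(klist_text).get(principal)
    kdc_kvno = parse_kvno(kvno_text).get(principal)
    if in_keytab is None:
        findings.append("%s is not in the keytab" % principal)
    elif kdc_kvno is None:
        findings.append("kvno output has no entry for %s" % principal)
    elif kdc_kvno not in in_keytab:
        # Service decrypts with a stale key -> KRB5KRB_AP_ERR_BAD_INTEGRITY.
        findings.append("kvno mismatch: KDC issues kvno %d, keytab holds %s"
                        % (kdc_kvno, sorted(in_keytab)))
    return findings


def check_shared_keytab(principal, klist_by_host):
    """Every node holding a copy of a shared keytab must carry the same kvno."""
    kvnos = {}
    for host, text in klist_by_host.items():
        keys = parse_klist(text).get(principal)
        kvnos[host] = max(keys) if keys else None
    findings = ["%s lacks %s" % (h, principal) for h, k in sorted(kvnos.items()) if k is None]
    if len({k for k in kvnos.values() if k is not None}) > 1:
        findings.append("kvno differs across nodes: %s" % sorted(kvnos.items()))
    return findings


# Constructed sample output modelled on the thread (hypothetical values).
IMAP_PRINC = "imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM"
KLIST_IMAP = """\
Keytab name: FILE:/opt/zimbra/conf/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/20/2014 10:02:11 imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 11/20/2014 10:02:11 imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""
KVNO_IMAP = "imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM: kvno = 2\n"

HTTP_PRINC = "HTTP/broker.example.com@EXAMPLE.COM"


def klist_http_sample(kvno):
    """`klist -kte` output for one broker's copy of the shared HTTP keytab."""
    return ("Keytab name: FILE:/var/www/openshift/broker/httpd/conf.d/http.keytab\n"
            "KVNO Timestamp           Principal\n"
            "---- ------------------- ------------------------------------------\n"
            "%4d 11/25/2014 09:00:00 %s (aes256-cts-hmac-sha1-96)\n" % (kvno, HTTP_PRINC))


# broker3 re-ran ipa-getkeytab, so its copy carries a newer kvno than the others.
KLIST_BROKERS = {"broker1": klist_http_sample(3),
                 "broker2": klist_http_sample(3),
                 "broker3": klist_http_sample(4)}

if __name__ == "__main__":
    print(check_service_keytab(IMAP_PRINC, "-rwxrwxrwx", KLIST_IMAP, KVNO_IMAP))
    print(check_shared_keytab(HTTP_PRINC, KLIST_BROKERS))
```

On the IMAP sample the report lists the group and world permission bits and the kvno mismatch (keytab kvno 1, KDC kvno 2); the fix is `chmod 600` plus a fresh keytab for the service user, not a reboot. On the broker sample it reports that broker3's kvno differs from broker1 and broker2, which is exactly the state a second ipa-getkeytab run leaves behind.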
Re: [Freeipa-users] backup procedure : procedure for the loss of the primary master
Nicolas Zin wrote:

> Hi,
>
> I read the backup procedure on http://www.freeipa.org/page/Backup_and_Restore. If I lose my first master, it is stated that:
>
> - Clean deployment from the lost server by removing all replication agreements with it.
> - Choose another FreeIPA Server with CA installed to become the first master
> - Nominate this master to be the one in charge of renewing certs and publishing CRLs. This is a manual procedure at the moment.
> - Follow standard installation procedure to deploy a new master on a hardware/VM of your choice

Yes, that's right. If the master is gone you'll need to use the --force command to remove the agreements. You may also need to do additional replication topology work to ensure that every master has at least one valid agreement. For example, if you have A - B - C and B dies, you'll need to connect A to C as well, otherwise you may get complaints about leaving C orphaned.

> How do I nominate this master to be the one in charge of renewing certs and publishing CRLs? I didn't find the procedure.

http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

> Also, do I have to differentiate between the first master and the other replicas if my IPA installation uses an external root CA certificate (Windows AD in that case)?

All masters are equal in IPA with the exception of optional services (CA, DNS) and which one generates the CRL and is the initiator of certificate renewal.

rob
[Freeipa-users] Centos5 - freeipa - AD trust
Hi,

I successfully created a trust relationship between a FreeIPA 3.3 realm (on CentOS 7) and a Windows 2008 AD.

Now I add some client machines to my IPA realm and try to connect to them with my AD credentials:
- connecting to the 2 FreeIPA servers: no problem
- connecting to a CentOS 6 machine: no problem
- connecting to a CentOS 5 machine: fail

To say it differently:
- when connecting to the CentOS 5 machine with a FreeIPA realm user, it works
- when connecting to the CentOS 5 machine with an AD realm user, it fails

I just want a confirmation: does it fail because CentOS 5 is packaged with sssd 1.9 and does not support cross-realm (and indeed, it cannot work)? Or is it possible to make it work, and my error is somewhere else?

Regards,

Nicolas Zin
nicolas@savoirfairelinux.com
Direct line: 514-276-5468 ext. 135
Fax: 514-276-5465
7275 Saint Urbain
Bureau 200
Montréal, QC, H2R 2Y5
Re: [Freeipa-users] 3.0.0-42 Replication issue after Centos6.5-6.6 upgrade
On 11/25/2014 12:32 PM, dbisc...@hrz.uni-kassel.de wrote:

> Hi,
>
> with the help of Thierry and Rich I managed to debug the running ns-slapd on Server1 (see below). The failing attempt to decode the SASL data returns a not very fruitful -1 (SASL_FAIL, generic failure). Any ideas?
>
> Short summary:
>
> Server1 = running IPA server
> Server2 = intended IPA replica
>
> Both machines run the exact same, up-to-date version of CentOS 6.6. However: I had to run ipa-replica-install _without_ the option --setup-ca (didn't work, installation failed with some obscure Perl error), so there's no ns-slapd instance running for PKI-IPA. May this be related?

Are you asking if not having --setup-ca would cause "sasl_io_recv failed to decode packet for connection 2980"? Not that I know of.

At this point, it's going to take more than a trivial amount of high-latency back-and-forth on the mailing lists. I think we have probably run out of log levels for you to try. Please open a ticket against IPA. While this may turn out to be a bug in 389, at the moment it is only reproducible in your IPA environment.

The fastest way to get to the bottom of this problem would be for a 389 developer to run an interactive gdb session on your production machine and poke around. That is, allow one of us to ssh into the machine and run gdb (which will kill the performance and cause outages unless this machine can be taken out of rotation somehow). What would we be looking for? I don't know, but hopefully we would know it when we see it.
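The 389-ds access log excerpt quoted in this thread shows the whole shape of the failing replication session: three GSSAPI BIND round-trips, a successful bind as the replica's principal, the replication-multimaster-extop, and then `closed - I/O function error`, with the matching `sasl_io_recv failed to decode packet for connection 2980` in the error log. Reading that by eye works for one connection; when a replica reconnects every five seconds it does not. The Python below is an added example, not code from the thread, 389-ds or FreeIPA: it groups access log records by connection id, keeps the bind mechanism, bound DN, extended operations and close reason for each, flags authenticated connections the server dropped for anything other than a client unbind (389-ds logs that as `U1`), and joins them with error-log lines that name the connection. The log sample is constructed from the lines quoted above: the redacted hosts and DN are replaced by hypothetical ones and a normal simple-bind connection is added for contrast.

```python
"""Group 389-ds access log lines by connection and flag abnormal closures.

Added example for the replication thread; not 389-ds or FreeIPA code.
"""
import re

_ACCESS = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
_OP = re.compile(r"^op=(?P<op>-?\d+) (?P<body>.*)$")


def field(body, key):
    """Value of key=value or key="value" inside one log record, else None."""
    m = re.search(r'(?:^|\s)%s=(?:"([^"]*)"|(\S+))' % re.escape(key), body)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def summarize(access_lines):
    """conn id -> {peer, mech, bound_dn, extops, closed} for every connection seen."""
    conns = {}
    for line in access_lines:
        m = _ACCESS.match(line)
        if not m:
            continue
        c = conns.setdefault(int(m.group("conn")), {
            "peer": None, "mech": None, "bound_dn": None,
            "extops": [], "closed": None, "_binds": set()})
        rest = m.group("rest")
        if rest.startswith("fd=") and " connection from " in rest:
            c["peer"] = rest.split(" connection from ", 1)[1]
            continue
        om = _OP.match(rest)
        if not om:
            continue
        op, body = int(om.group("op")), om.group("body")
        if body.startswith("fd=") and " closed" in body:
            # "fd=78 closed - I/O function error." -> "I/O function error"
            c["closed"] = body.split("closed - ", 1)[-1].rstrip(".").strip()
        elif body.startswith("BIND "):
            c["_binds"].add(op)
            c["mech"] = field(body, "mech") or "simple"   # SASL mech or simple bind
        elif body.startswith("EXT "):
            c["extops"].append(field(body, "name") or field(body, "oid"))
        elif body.startswith("RESULT ") and op in c["_binds"]:
            if field(body, "err") == "0":              # final, successful bind step
                c["bound_dn"] = field(body, "dn")
    return conns


def abnormal_closures(conns):
    """Authenticated connections the server dropped for any reason other than
    a client unbind (389-ds logs a client-initiated close as 'U1')."""
    return {cid: c for cid, c in conns.items()
            if c["bound_dn"] and c["closed"] and c["closed"] != "U1"}


def errors_by_connection(error_lines):
    """conn id -> error-log lines naming it, e.g. sasl_io_recv decode failures."""
    out = {}
    for line in error_lines:
        m = re.search(r"for connection (\d+)", line)
        if m:
            out.setdefault(int(m.group(1)), []).append(line.strip())
    return out


# Constructed sample: the thread's conn=2980 with hypothetical hosts and DN,
# plus a hypothetical conn=2981 that binds simply and unbinds cleanly.
ACCESS_LOG = """\
[19/Nov/2014:14:21:39 +0100] conn=2980 fd=78 slot=78 connection from 192.0.2.20 to 192.0.2.10
[19/Nov/2014:14:21:39 +0100] conn=2980 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Nov/2014:14:21:39 +0100] conn=2980 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[19/Nov/2014:14:21:39 +0100] conn=2980 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Nov/2014:14:21:39 +0100] conn=2980 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[19/Nov/2014:14:21:39 +0100] conn=2980 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Nov/2014:14:21:39 +0100] conn=2980 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/server2.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com"
[19/Nov/2014:14:21:39 +0100] conn=2980 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[19/Nov/2014:14:21:39 +0100] conn=2980 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[19/Nov/2014:14:21:39 +0100] conn=2980 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[19/Nov/2014:14:21:39 +0100] conn=2980 op=5 RESULT err=0 tag=120 nentries=0 etime=0
[19/Nov/2014:14:21:39 +0100] conn=2980 op=6 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="nsSchemaCSN"
[19/Nov/2014:14:21:39 +0100] conn=2980 op=6 RESULT err=0 tag=101 nentries=1 etime=0
[19/Nov/2014:14:21:39 +0100] conn=2980 op=-1 fd=78 closed - I/O function error.
[19/Nov/2014:14:21:41 +0100] conn=2981 fd=79 slot=79 connection from 192.0.2.30 to 192.0.2.10
[19/Nov/2014:14:21:41 +0100] conn=2981 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[19/Nov/2014:14:21:41 +0100] conn=2981 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[19/Nov/2014:14:21:41 +0100] conn=2981 op=1 UNBIND
[19/Nov/2014:14:21:41 +0100] conn=2981 op=1 fd=79 closed - U1
"""
ERROR_LOG = "[19/Nov/2014:14:21:39 +0100] - sasl_io_recv failed to decode packet for connection 2980\n"

if __name__ == "__main__":
    conns = summarize(ACCESS_LOG.splitlines())
    errs = errors_by_connection(ERROR_LOG.splitlines())
    for cid, c in abnormal_closures(conns).items():
        print(cid, c["peer"], c["mech"], c["bound_dn"], c["extops"], c["closed"], errs.get(cid))
```

Run against a real /var/log/dirsrv/slapd-*/access and errors pair, the abnormal-closure list is the set of sessions to look at with Thierry's breakpoint, and the bound DN tells you which replica's principal was on the wire when sasl_decode failed.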
Re: [Freeipa-users] Is it possible to set up SUDO with redundancy
>> The implication of adding the above is that SUDO would break if the hardcoded IPA server is not available, even if there is another replica somewhere in the network. Is that a correct assumption? Is there a better way of doing it that I have missed?
>
> Which version of sssd do you have?
>
> sssd >= 1.10 has a native ipa sudo provider and you don't need to use sudo_provider = ldap.

Sorry, responding from a BlackBerry which doesn't seem to indent the question I am responding to.

This is the sssd version I am using. Certainly newer than 1.10. Do you mind pointing me to the recommended way of handling SUDO now?

    sssd-common-1.11.2-68.el7_0.6.x86_64
    sssd-ipa-1.11.2-68.el7_0.6.x86_64
    sssd-1.11.2-68.el7_0.6.x86_64
    sssd-client-1.11.2-68.el7_0.6.x86_64
    sssd-ad-1.11.2-68.el7_0.6.x86_64
    sssd-proxy-1.11.2-68.el7_0.6.x86_64
    python-sssdconfig-1.11.2-68.el7_0.6.noarch
    sssd-common-pac-1.11.2-68.el7_0.6.x86_64
    sssd-krb5-1.11.2-68.el7_0.6.x86_64
    sssd-krb5-common-1.11.2-68.el7_0.6.x86_64
    sssd-ldap-1.11.2-68.el7_0.6.x86_64

William
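On the recommended way William asks about: with sssd 1.10 and later (his 1.11.2 qualifies) the IPA backend serves sudo rules itself, so the domain section uses `sudo_provider = ipa` (the default whenever `id_provider = ipa` and no sudo_provider is set) and fails over across the servers listed in `ipa_server`, where `_srv_` means "discover servers via DNS SRV records". The `sudo_provider = ldap` snippet from the Red Hat guide, by contrast, pins sudo to the single host in `ldap_uri`. The Python below is an added example, not code from the thread, FreeIPA or SSSD: it holds that snippet beside a corrected native-IPA configuration (hostnames kept from the thread; the id/auth/access provider lines and `ipa_domain`/`ipa_hostname` are assumptions about the rest of the domain section, as ipa-client-install writes them) and checks an sssd.conf for a sudo provider with a single point of failure, plus the `sudoers:` line in /etc/nsswitch.conf without which sudo never asks SSSD at all.

```python
"""Check an sssd.conf for a sudo provider with a single point of failure.

Added example for the FreeIPA sudo redundancy thread; not SSSD or FreeIPA code.
Call sudo_failover_findings(open('/etc/sssd/sssd.conf').read()) on a real file.
"""
import configparser

# The snippet quoted in the thread from the Red Hat guide: sudo speaks LDAP to
# one hard-coded server. The [sssd] header and domains= line are added so the
# fragment parses; the remaining lines are the thread's.
HARDCODED_LDAP = """\
[sssd]
services = nss, pam, ssh, pac, sudo
domains = idm.coe.muc.redhat.com

[domain/idm.coe.muc.redhat.com]
sudo_provider = ldap
ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
krb5_server = grobi.idm.coe.muc.redhat.com
"""

# Native IPA sudo provider (sssd >= 1.10): sudo reuses the IPA server list,
# _srv_ discovers replicas through DNS SRV records and the named host is a
# fallback. The provider/domain/hostname lines are assumed, not from the thread.
NATIVE_IPA = """\
[sssd]
services = nss, pam, ssh, pac, sudo
domains = idm.coe.muc.redhat.com

[domain/idm.coe.muc.redhat.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
sudo_provider = ipa
ipa_domain = idm.coe.muc.redhat.com
ipa_hostname = tiffy.idm.coe.muc.redhat.com
ipa_server = _srv_, grobi.idm.coe.muc.redhat.com
"""


def _split(value):
    """Split a comma-separated sssd list such as '_srv_, host1, host2'."""
    return [s.strip() for s in value.split(",") if s.strip()]


def _has_failover(servers, backup_option_present):
    """True when more than one server, SRV discovery, or a backup list is configured."""
    return (len(servers) > 1
            or any(s.startswith("_srv_") for s in servers)
            or backup_option_present)


def sudo_failover_findings(conf_text):
    """Return human-readable problems with sudo redundancy; [] means OK."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    if "sudo" not in _split(cp.get("sssd", "services", fallback="")):
        findings.append("[sssd] services does not list sudo; the sudo responder will not run")
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        # sudo_provider defaults to the id_provider when it is not set explicitly
        provider = cp.get(section, "sudo_provider",
                          fallback=cp.get(section, "id_provider", fallback="none"))
        if provider == "ldap":
            uris = _split(cp.get(section, "ldap_uri", fallback=""))
            if not _has_failover(uris, cp.has_option(section, "ldap_backup_uri")):
                findings.append("%s: sudo_provider=ldap with a single hard-coded ldap_uri %s; "
                                "sudo rules vanish when that server is down" % (section, uris))
        elif provider == "ipa":
            # An unset ipa_server means SRV discovery, which already fails over.
            servers = _split(cp.get(section, "ipa_server", fallback="_srv_"))
            if not _has_failover(servers, cp.has_option(section, "ipa_backup_server")):
                findings.append("%s: sudo_provider=ipa pinned to one server %s; "
                                "use _srv_ or list several replicas" % (section, servers))
        elif provider == "none":
            findings.append("%s: neither sudo_provider nor id_provider is set" % section)
    return findings


def nsswitch_findings(nsswitch_text):
    """sudo only consults SSSD when nsswitch.conf has 'sudoers: files sss'."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("sudoers:"):
            if "sss" not in line.split(":", 1)[1].split():
                return ["nsswitch.conf sudoers line lacks 'sss': %s" % line]
            return []
    return ["nsswitch.conf has no sudoers line; add 'sudoers: files sss'"]


if __name__ == "__main__":
    for name, text in (("hard-coded ldap", HARDCODED_LDAP), ("native ipa", NATIVE_IPA)):
        print(name, "->", sudo_failover_findings(text) or "OK")
    print(nsswitch_findings("passwd: files sss\nsudoers: files\n"))
```

The hard-coded configuration produces one finding naming the single ldap_uri; the native configuration produces none. Note that `ipa_server` is the one list to get right: it is shared by identity, authentication, HBAC and sudo lookups, so pinning it to a single replica re-creates the same outage William describes even with the native provider.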
[Freeipa-users] Freeipa Blocking Sites?
Good morning,

Is there a function in freeipa that blocks websites?
Re: [Freeipa-users] Freeipa Blocking Sites?
On Wed, Nov 26, 2014 at 04:31:38AM +0000, Rolf Nufable wrote:
> Good morning
> Is there a function in freeipa that blocks websites?

Hi Rolf,

FreeIPA does not have this feature. It is a centralised identity management system providing authentication and access control for hosts and services managed by an organisation.

HTH,
Fraser
Re: [Freeipa-users] Freeipa Blocking Sites?
Yea, I figured this would be the answer. I was just making sure of the features in free ipa because I didn't read the whole documentation. Thanks for the reply, Sir Fraser :)

On Tuesday, November 25, 2014 9:51 PM, Fraser Tweedale ftwee...@redhat.com wrote:
> On Wed, Nov 26, 2014 at 04:31:38AM +0000, Rolf Nufable wrote:
> > Good morning
> > Is there a function in freeipa that blocks websites?
>
> Hi Rolf,
>
> FreeIPA does not have this feature. It is a centralised identity management system providing authentication and access control for hosts and services managed by an organisation.
>
> HTH,
> Fraser
Re: [Freeipa-users] Freeipa Blocking Sites?
You probably want something like a squid or oops proxy filter if you mean filtering web traffic.

On Wed, Nov 26, 2014 at 4:51 PM, Fraser Tweedale ftwee...@redhat.com wrote:
> On Wed, Nov 26, 2014 at 04:31:38AM +0000, Rolf Nufable wrote:
> > Good morning
> > Is there a function in freeipa that blocks websites?
>
> Hi Rolf,
>
> FreeIPA does not have this feature. It is a centralised identity management system providing authentication and access control for hosts and services managed by an organisation.
>
> HTH,
> Fraser
Re: [Freeipa-users] Freeipa Blocking Sites?
Actually the problem was that I was accessing our site from outside our network. Our domain in the local network is named example.com, and the outside website is also at the domain example.com, so I guess what freeipa does is look for the website inside our local network.

On Tuesday, November 25, 2014 10:32 PM, Outback Dingo outbackdi...@gmail.com wrote:
> You probably want something like a squid or oops proxy filter if you mean filtering web traffic.
>
> On Wed, Nov 26, 2014 at 4:51 PM, Fraser Tweedale ftwee...@redhat.com wrote:
> > On Wed, Nov 26, 2014 at 04:31:38AM +0000, Rolf Nufable wrote:
> > > Good morning
> > > Is there a function in freeipa that blocks websites?
> >
> > Hi Rolf,
> >
> > FreeIPA does not have this feature. It is a centralised identity management system providing authentication and access control for hosts and services managed by an organisation.
> >
> > HTH,
> > Fraser
[Freeipa-users] Failed to remove host
Hi,

I'm encountering strange behavior. I run host removal from the web UI and it fails with the error "Some entries were not deleted : host not found", but the host is still showing in the list.

Via cmd:

  ipa host-find
  --------------
  1 host matched
  --------------
    Host name:
    Principal name: host/@
    Password: True
    Member of host-groups: all
    Indirect Member of netgroup:
    Indirect Member of HBAC rule:
    Keytab: True
  ----------------------------
  Number of entries returned 1
  ----------------------------

  ipa host-del
  ipa: ERROR: : host not found

Can you please advise?

Thanks a lot
Vasek

freeipa-server-4.1.0-1.fc20.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64