[Freeipa-users] ipactl start fails for no apparent reason
Hi List

I've just tried to restart my IPA services after recently adding a new replica (0 configuration changes on the IPA server otherwise!), but ipactl fails when starting up named:

---
[root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Job for named.service failed. See 'systemctl status named.service' and 'journalctl -xn' for details.
Failed to start named Service
Shutting down
Aborting ipactl
---

I then manually start the named service and try again, but then the smb service fails:

---
[root@lolpr-xyz-mstr ~]# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Starting smb Service
Job for smb.service failed. See 'systemctl status smb.service' and 'journalctl -xn' for details.
Failed to start smb Service
Shutting down
Aborting ipactl
---

systemctl status shows the following output for smb.service:

---
[root@lolpr-xyz-mstr ~]# systemctl -l status smb.service
smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
   Active: failed (Result: exit-code) since Wed 2015-04-01 09:21:10 AST; 1min 14s ago
  Process: 4662 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
 Main PID: 4662 (code=exited, status=1/FAILURE)
   Status: Starting process...
   CGroup: /system.slice/smb.service

Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI client step 1
Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/lolpr-xyz-mstr@XYZ.LOCAL not found in Kerberos database)
Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 09:21:10.211028, 0] ipa_sam.c:4440(pdb_init_ipasam)
Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: Failed to get base DN.
Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 09:21:10.211210, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start Samba SMB Daemon.
Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service entered failed state.
Apr 01 09:21:12 lolpr-xyz-mstr.xyz.local systemd[1]: Stopped Samba SMB Daemon.
---

I manually try to start the smb service as follows, but can't (of course the directory service is not up, so there's a little catch-22 there and this may not mean much):

---
[root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# systemctl status smb.service
smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
   Active: failed (Result: exit-code) since Wed 2015-04-01 09:50:38 AST; 57s ago
  Process: 8089 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
 Main PID: 8089 (code=exited, status=1/FAILURE)
   Status: Starting process...

Apr 01 09:50:36 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 09:50:37.573772, 0] ipa_sam.c:4128(bind_callback_cleanup)
Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 09:50:38.574722, 0] ipa_sam.c:4440(pdb_init_ipasam)
Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: Failed to get base DN.
Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 09:50:38.574903, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start Samba SMB Daemon.
Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service entered failed state.
[root@lolpr-xyz-mstr slapd-XYZ-LOCAL]#
---

Please could someone advise me on how to drill deeper into debugging this issue to get ipactl to start?

NOTES:
- This server is successfully in a Trust relationship with ActiveDirectory.
- There are a number of replicas established which have been working fine til this morning
- Another replica was added around the time of the failure using the same steps as usual (not sure how this could be
Re: [Freeipa-users] ipactl start fails for no apparent reason
Some information from the dirsrv error log (sanitized: XYZ = realm):

[01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 for LDAPS requests
[01/Apr/2015:11:01:49 +0300] - Listening on /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meTokwtard-idm-slve.idm.local (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meToindpr-idm-slve.idm.local (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation threads
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 threads to terminate
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down internal subsystems and plugins
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed out)
[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt=cn=meTokwtospr-idm-slve.idm.local (kwtospr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Apr/2015:11:02:09 +0300]
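As an added example (not code from the FreeIPA project or from anyone in this thread), the following Python script parses dirsrv error-log lines in the format quoted above and summarises the parts an operator wants first: which principal/keytab pair failed and why, which replication agreements could not bind and with what LDAP error, and how many GSSAPI binds failed for lack of credentials. One detail it pulls out mechanically: the principal the log above reports, ldap/kwtpr-idm-mstr@, has nothing after the '@', so the script flags principals with an empty realm, which do not match the entries of a normal keytab. The host names and agreement names in its sample log are constructed placeholders.

```python
"""Triage a 389-ds errors log for the Kerberos failures behind failed replication binds.

Added example; not code from FreeIPA or from the poster. Reads lines shaped
like "[01/Apr/2015:11:01:49 +0300] <component> - <message>" and summarises
keytab failures, replication-agreement bind failures and credential-less
GSSAPI binds. SAMPLE_LOG is constructed with placeholder host names.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<body>.*)$")
KEYTAB_RE = re.compile(
    r"set_krb5_creds - Could not get initial credentials for principal "
    r"\[(?P<principal>[^\]]*)\] in keytab \[(?P<keytab>[^\]]*)\]: "
    r"(?P<code>-?\d+) \((?P<reason>[^)]*)\)"
)
# agmt may be quoted (agmt="cn=...") in a real log or unquoted as pasted above.
AGMT_RE = re.compile(
    r'NSMMReplicationPlugin - agmt="?(?P<agmt>[^"\s]+)"?\s+\((?P<peer>[^)]*)\): '
    r"Replication bind with GSSAPI auth failed: LDAP error (?P<code>-?\d+) \((?P<reason>[^)]*)\)"
)

# Constructed sample in the format of the log quoted in the thread.
SAMPLE_LOG = """\
[01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa-master@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa-master@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meToreplica1.example.test (replica1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt=cn=meToreplica2.example.test (replica2:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
"""


def parse_errors_log(text):
    """Return (timestamp, body) pairs; lines without the bracketed timestamp
    are wrapped continuation text and are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("ts"), m.group("body")))
    return entries


def triage(text):
    """Summarise keytab lookups and replication binds that failed.

    keytab_failures      Counter keyed by (principal, keytab, reason)
    principals_no_realm  principals with nothing after '@' (empty realm)
    agreement_failures   {agreement DN: (peer, LDAP error code, reason)}
    no_creds_binds       GSSAPI binds that failed with no credentials available
    """
    keytab_failures = Counter()
    principals_no_realm = set()
    agreement_failures = {}
    no_creds_binds = 0
    for _ts, body in parse_errors_log(text):
        m = KEYTAB_RE.search(body)
        if m:
            principal = m.group("principal")
            keytab_failures[(principal, m.group("keytab"), m.group("reason"))] += 1
            if principal.endswith("@"):
                principals_no_realm.add(principal)
            continue
        m = AGMT_RE.search(body)
        if m:
            agreement_failures[m.group("agmt")] = (
                m.group("peer"), int(m.group("code")), m.group("reason"))
            continue
        if ("slapd_ldap_sasl_interactive_bind" in body
                and "No Kerberos credentials available" in body):
            no_creds_binds += 1
    return {
        "keytab_failures": keytab_failures,
        "principals_no_realm": principals_no_realm,
        "agreement_failures": agreement_failures,
        "no_creds_binds": no_creds_binds,
    }


def report(text):
    """Render the triage as plain lines, keytab problems first: a missing
    keytab entry explains every credential-less GSSAPI bind that follows."""
    s = triage(text)
    lines = []
    for (principal, keytab, reason), n in sorted(s["keytab_failures"].items()):
        flag = "  <-- empty realm" if principal in s["principals_no_realm"] else ""
        lines.append(f"keytab: {principal} in {keytab}: {reason} x{n}{flag}")
    for agmt, (peer, code, reason) in sorted(s["agreement_failures"].items()):
        lines.append(f"agreement {agmt} ({peer}): LDAP error {code} ({reason})")
    lines.append(f"GSSAPI binds without credentials: {s['no_creds_binds']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a real /var/log/dirsrv/slapd-*/errors by reading the file into `report()`; the keytab line comes first because, in the log above, every later "No Kerberos credentials available" bind failure is a consequence of the directory server having no ticket for its own principal.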
Re: [Freeipa-users] Migration mode fun and confusion
On 03/31/2015 04:50 PM, Janelle wrote:
On 3/31/15 6:49 AM, Dmitri Pal wrote:
On 03/31/2015 09:38 AM, Janelle wrote:

Hello again,

Is this a feature or a bug? Migration mode - works fine the first time. However, if you need to run it a second time because someone added either new users or groups to your LDAP config and you want to bring those over, if you re-run migration, it indeed brings all the new users over, but NOT their secondary groups, only primary. And even if you have overwrite of the GID option set. Would this be expected for some reason that I may be missing, or is it a bug?

Thank you
~J

Let me know if I get you right.

That's it exactly. Ok - Bug. :-)

I am personally not convinced this is a bug. As Rob mentioned, this is a migration solution, not sync. So what likely happens is that you add new memberships to already-migrated groups (i.e. member attribute in group object), which are then not migrated as they are already present in the FreeIPA. So if anything, I would call it an RFE, for allowing overwriting the memberships for existing groups...

Setup:
- Old LDAP server
- IPA

Users are migrated from LDAP to IPA using migrate-ds. Everything works as expected.
Now you add users to LDAP and put them into some groups (that had already been migrated the first time, right?)
You run migrate-ds again and the new users are migrated but group membership is lost.
Is this the scenario? If yes, looks like a bug.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipactl start fails for no apparent reason
On 04/01/2015 09:20 AM, Traiano Welcome wrote:

Some information from the dirsrv error log (sanitized: XYZ = realm):

[01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 for LDAPS requests
[01/Apr/2015:11:01:49 +0300] - Listening on /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meTokwtard-idm-slve.idm.local (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meToindpr-idm-slve.idm.local (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation threads
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 threads to terminate
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down internal subsystems and plugins
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed out)
[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt=cn=meTokwtospr-idm-slve.idm.local (kwtospr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't
Re: [Freeipa-users] AD users and IPA's sudo
On Mon, Mar 30, 2015 at 08:09:43AM +, Alexander Frolushkin wrote:

Hello everyone.

We have an IPA 3 and AD domain trust. Users from AD successfully log on to linux servers via ssh and hbac rules work fine with external groups. But not sudo rules. When a rule defines IPA users as 'who', the rule works well. If it defines an external group for the corresponding AD group which the AD user is a member of, this user gets

u...@ad.com is not allowed to run sudo on host.com. This incident will be reported.

In debug there are the strings

(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [((objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=u...@ad.com)( sudoUser=#xx)(sudoUser=%cuted...(sudoUser=%cuted.)(sudoUser=+*))((dataExpireTimestamp=1427702040)))]
(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0020): Error looking up SUDO rules
(Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0020): Unable to retrieve expired sudo rules [5]: Input/output error

I've seen a number of closed bugs with similar error messages, but at least on this RHEL 6.6 server sssd is fully updated.

And sorry for the huge underlined message, it is generated automatically and I have no rights to avoid it in my mails :(

Just to close this thread, we tracked the issue down into this SSSD bug - https://fedorahosted.org/sssd/ticket/2613
[Freeipa-users] Power down all FreeIPA servers
Hi all,

We are going to have power maintenance and need to shut down two core FreeIPA servers. Is there any sequence to shut down and power on the FreeIPA servers? Anything I need to be aware of?
Re: [Freeipa-users] Setup of freeipa 4.1.3 failed
On 03/31/2015 07:58 PM, Dmitri Pal wrote:
On 03/31/2015 01:54 PM, Markus Roth wrote:

Hi all,

I want to set up freeipa 4.1.3 on a freshly installed fedora 21. The ipa-server-install shows the following output:

configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring certmap.conf
  [18/38]: configure autobind for root
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache
  [21/38]: enable SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: adding default layout
  [24/38]: adding delegation layout
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: initializing group membership
  [33/38]: adding master entry
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance
  [error] RuntimeError: CA did not start in 300.0s
CA did not start in 300.0s

The ipa server install log shows this:

2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
2015-03-31T17:39:36Z DEBUG Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation
    run_step(full_msg, method)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 372, in run_step
    method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 526, in __start
    self.start()
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 279, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py, line 229, in start
    self.wait_until_running()
  File /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py, line 223, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)
RuntimeError: CA did not start in 300.0s

2015-03-31T17:39:36Z DEBUG   [error] RuntimeError: CA did not start in 300.0s
2015-03-31T17:39:36Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 642, in run_script
    return_value = main_function()
  File /usr/sbin/ipa-server-install, line 1183, in main
    ca_signing_algorithm=options.ca_signing_algorithm)
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 520, in configure_instance
    self.start_creation(runtime=210)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation
    run_step(full_msg, method)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 372, in run_step
    method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 526, in __start
    self.start()
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 279, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py, line 229, in start
    self.wait_until_running()
  File /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py, line
Re: [Freeipa-users] where to disable components?
On 1.4.2015 04:47, Rob Crittenden wrote:
Janelle wrote:

Hello again...

Looking around, but probably just not in the right place. I would like to be able to disable httpd on all but a pair of servers, so we kind of force all updates to come from a master and slave pair. Just trying to keep updates defined to 2 servers rather than all of them in an 8 server configuration. Where might I find that? Or is it possible? Will it break anything?

thank you
~J

Not sure the complete reasoning behind that but...

The safest route would be to just firewall ports 80 and 443 off. There is a way to tell ipactl to not start a service but I haven't thought through the implications. The CA interfaces on those machines will also be inaccessible.

Please keep in mind that this will not prevent users from making changes via LDAP or kpasswd protocol. E.g. password changes will still be possible, this only hides the web interface and API.

Such configuration is not tested. Here be dragons.

--
Petr^2 Spacek
Re: [Freeipa-users] ipactl start fails for no apparent reason
Hi Martin

Thanks for the response. Check results inline:

On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky mbabi...@redhat.com wrote:
On 04/01/2015 09:20 AM, Traiano Welcome wrote:

Some information from the dirsrv error log (sanitized: XYZ = realm):

[01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 for LDAPS requests
[01/Apr/2015:11:01:49 +0300] - Listening on /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meTokwtard-idm-slve.idm.local (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meToindpr-idm-slve.idm.local (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation threads
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 threads to terminate
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down internal subsystems and plugins
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed out)
[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]:
Re: [Freeipa-users] where to disable components?
On Tue, 31 Mar 2015, Janelle wrote:

Hello again...

Looking around, but probably just not in the right place. I would like to be able to disable httpd on all but a pair of servers, so we kind of force all updates to come from a master and slave pair. Just trying to keep updates defined to 2 servers rather than all of them in an 8 server configuration. Where might I find that? Or is it possible? Will it break anything?

You wouldn't get anything by doing such a selective 'disabling'. Every Kerberos authentication causes updates of LDAP objects on the KDC, so if you have 8 KDCs, all of them will be modifying the LDAP store and replicating to each other.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Power down all FreeIPA servers
On 04/01/2015 10:19 AM, Thomas Lau wrote:

Hi all,

We are going to have power maintenance and need to shut down two core FreeIPA servers. Is there any sequence to shut down and power on the FreeIPA servers? Anything I need to be aware of?

Hello,

AFAIK there is no recommended trick. You can turn them off and on normally (with the system or using ipactl stop/start) and after they start again the replication process should continue.

--
David Kupka
Re: [Freeipa-users] nsAccountLock attribute
Hi Jan,

Thanks for your response. But my problem is AmazonLinux does not support ipa-client or sssd. No binaries available, lots of dependency issues compiling from source.

So the route I have taken is to use FreeIPA on Fedora21. And use authconfig to enumerate users/groups. And have an SSH command to look up the keys.

Thanks.
--Prashant

On 1 April 2015 at 11:06, Jan Cholasta jchol...@redhat.com wrote:

Hi,

On 1.4.2015 at 07:09 Prashant Bapat wrote:

Hi,

Is there a way of making the nsAccountLock attribute (User enable/disable) anonymously readable?

I'm trying to implement an SSH key lookup sshd authorized key command script. Based on this attribute the user will be allowed to login. I need this to be anonymously readable. Tried setting the permissions but it does not work.

Any other ideas on this?

If your SSH server is a properly configured IPA host (i.e. you had run ipa-client-install or ipa-server-install on it), rejecting locked user login should work automatically, without having to configure anything.

Thanks for your help.
--Prashant

--
Jan Cholasta
Re: [Freeipa-users] nsAccountLock attribute
On 04/01/2015 07:09 AM, Prashant Bapat wrote:

Hi, Is there a way of making the nsAccountLock attribute (User enable/disable) anonymously readable? I'm trying to implement an SSH key lookup sshd authorized key command script. Based on this attribute the user will be allowed to login. I need this to be anonymously readable. Tried setting the permissions but it does not work.

Permissions should just work. You can either switch the "System: Read User Addressbook Attributes" permission on for the anonymous user, knowing all the consequences it brings to your system, or create a new read permission just for this attribute.

BTW, note that this attribute is operational and has to be requested explicitly in the ldapsearch, e.g.:

# ldapsearch -Y GSSAPI -h `hostname` -b uid=fbar,cn=users,cn=accounts,dc=f21 nsaccountlock
SASL/GSSAPI authentication started
SASL username: admin@F21
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=fbar,cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (objectclass=*)
# requesting: nsaccountlock
#

# fbar, users, accounts, f21
dn: uid=fbar,cn=users,cn=accounts,dc=f21
nsaccountlock: TRUE

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

Final note, new users do not have this attribute until the first time they are enabled/disabled.

HTH,
Martin
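A fail-closed way to consume that ldapsearch output from an AuthorizedKeysCommand-style script, handling the case Martin ends with (attribute absent on a user that was never toggled). This is an added example, not code from the thread; the LDIF samples are constructed to mirror the output above and the helper names are hypothetical.

```python
"""Fail-closed nsaccountlock check over ldapsearch LDIF output.
Added example, not from the thread; samples below are constructed and
the helper names are hypothetical."""
import re

# Constructed to match the ldapsearch output quoted above (disabled user).
LOCKED_USER_LDIF = """# extended LDIF
#
# LDAPv3
# base <uid=fbar,cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (objectclass=*)
# requesting: nsaccountlock
#

# fbar, users, accounts, f21
dn: uid=fbar,cn=users,cn=accounts,dc=f21
nsaccountlock: TRUE

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed: a user that was never enabled/disabled, so the operational
# attribute is absent entirely (Martin's final note above).
NEVER_TOGGLED_USER_LDIF = """# alice, users, accounts, f21
dn: uid=alice,cn=users,cn=accounts,dc=f21

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return entry records (dicts of lower-cased attr -> [values]).

    Joins LDIF continuation lines (leading space), skips '#' comments and
    drops the trailing 'search:/result:' block, which has no dn.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:          # sentinel flushes the last record
        if not line.strip():
            if current is not None and "dn" in current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*):\s*(.*)$", line)
        if not m:
            continue                     # tolerate noise such as SASL banners
        if current is None:
            current = {}
        current.setdefault(m.group(1).lower(), []).append(m.group(2))
    return entries


def account_is_locked(ldif_text):
    """True means refuse the login. Anything unexpected also refuses:
    not exactly one entry -> refuse; attribute absent -> never toggled,
    treat as enabled; TRUE -> locked; any value other than FALSE -> refuse.
    """
    entries = parse_ldif(ldif_text)
    if len(entries) != 1:
        return True
    values = [v.strip().upper() for v in entries[0].get("nsaccountlock", [])]
    if not values:
        return False
    return values != ["FALSE"]
```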
Re: [Freeipa-users] OTP integrations
On Tue, 31 Mar 2015, Dmitri Pal wrote:

On 03/31/2015 05:30 PM, Andrew Holway wrote:

Hello FreeIPA people,

I must say that FreeIPA v4 looks very pretty and I am looking forward to trying out the new features. I'm wondering what applications and tools can be used to authenticate with the OTP in freeipa. For instance, if we wanted to set up a VPN that uses it how might we go about that? Is there a common library that I should look out for?

With VPN you usually do the following:
a) Pick a VPN of your choice based on the features and needs you have
b) Make sure the VPN server supports different authentication methods. You need at least RADIUS, which is the most popular option, and I would be surprised to find a VPN server that does not talk RADIUS to actually do the authentication.
c) Set up a freeRADIUS server on a Fedora 21/RHEL 7.1/CentOS 7.1 (when it happens) box, configure it to do kinit authentication or pam authentication via SSSD against IPA, see the freeRADIUS manuals for more details
d) Connect the VPN server to the RADIUS server
e) Provision tokens (or hook IPA to an existing OTP solution using another RADIUS server)
f) Profit

If you have an application that can use RADIUS in such a setup you can use FreeIPA 2FA. Also see http://www.freeipa.org/page/Web_App_Authentication on how to enable any web application to take advantage of the IPA authentication including 2FA.

It is simple to configure OpenVPN with authentication against FreeIPA in Fedora 21, all the heavy lifting is done by SSSD:

# grep plugin /etc/openvpn/server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
# LANG=C ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 11 Apr  1 10:55 /etc/pam.d/openvpn -> system-auth
# LANG=C ipa user-show vpnuser
  User login: vpnuser
  First name: VPN
  Last name: TestUser
  Home directory: /home/vpnuser
  Login shell: /bin/sh
  Email address: vpnu...@example.com
  UID: 179265
  GID: 179265
  Account disabled: False
  User authentication types: otp
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] ipactl start fails for no apparent reason
On 04/01/2015 07:52 AM, Traiano Welcome wrote:

Hi Dmitri

On Wed, Apr 1, 2015 at 2:23 PM, Dmitri Pal d...@redhat.com wrote:

On 04/01/2015 04:14 AM, Traiano Welcome wrote:

Hi Martin

Thanks for the response. Check results inline:

On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky mbabi...@redhat.com wrote:

On 04/01/2015 09:20 AM, Traiano Welcome wrote:

Some information from the dirsrv error log (sanitized: XYZ = realm):

[01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 for LDAPS requests
[01/Apr/2015:11:01:49 +0300] - Listening on /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meTokwtard-idm-slve.idm.local (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meToindpr-idm-slve.idm.local (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation threads
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 threads to terminate
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down internal subsystems and plugins
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed out)
[01/Apr/2015:11:02:09 +0300]
Re: [Freeipa-users] ipa: ERROR: Cannot find specified domain or server name
On 1.4.2015 13:16, Ben .T.George wrote:

Hi, I have installed the latest FreeIPA 4.1.4 on RHEL 7.1. My DNS is working fine. I am getting a good response:

[root@kwtprsolipa01 ~]# for i in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do echo ; dig @mha.local ${i}.SUN.LOCAL srv +nocmd +noquestion +nocomments +nostats +noaa +noadditional +noauthority; done | egrep -v "^;" | egrep _
_ldap._tcp.SUN.LOCAL. 86398 IN SRV 0 100 389 kwtprsolipa01.sun.local.
_kerberos._tcp.SUN.LOCAL. 86398 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos._udp.SUN.LOCAL. 84696 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._tcp.SUN.LOCAL. 84699 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._udp.SUN.LOCAL. 86398 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_ntp._udp.SUN.LOCAL. 86398 IN SRV 0 100 123 kwtprsolipa01.sun.local.

and the AD domain is pinging from the IPA server.

[root@kwtprsolipa01 ~]# dig SRV _ldap._tcp.mha.local

; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.mha.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44181
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.mha.local. IN SRV

;; ANSWER SECTION:
_ldap._tcp.mha.local. 600 IN SRV 0 100 389 rusmosprdc002.mha.local.
_ldap._tcp.mha.local. 600 IN SRV 0 100 389 kwtprdc002.mha.local.
_ldap._tcp.mha.local. 600 IN SRV 0 100 389 dxbprdc002.mha.local.
_ldap._tcp.mha.local. 600 IN SRV 0 100 389 kwtprdc001.mha.local.
_ldap._tcp.mha.local. 600 IN SRV 0 100 389 dxbprdc001.mha.local.

;; ADDITIONAL SECTION:
rusmosprdc002.mha.local. 3600 IN A 192.168.115.42
kwtprdc002.mha.local. 3600 IN A 172.16.98.171
dxbprdc002.mha.local. 3600 IN A 10.10.10.10
kwtprdc001.mha.local. 3600 IN A 172.16.100.180
dxbprdc001.mha.local. 3600 IN A 10.10.10.11

;; Query time: 0 msec
;; SERVER: 172.16.100.180#53(172.16.100.180)
;; WHEN: Wed Apr 01 13:58:24 AST 2015
;; MSG SIZE rcvd: 332

[root@kwtprsolipa01 ~]# dig SRV _ldap._tcp.sun.local

; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.sun.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63551
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.sun.local. IN SRV

;; ANSWER SECTION:
_ldap._tcp.sun.local. 84509 IN SRV 0 100 389 kwtprsolipa01.sun.local.

;; ADDITIONAL SECTION:
kwtprsolipa01.sun.local. 182 IN A 172.16.99.99

;; Query time: 0 msec
;; SERVER: 172.16.100.180#53(172.16.100.180)
;; WHEN: Wed Apr 01 13:58:31 AST 2015
;; MSG SIZE rcvd: 108

All results were as expected and I was following the exact steps from the quick start page. But when I try to create the trust, I am getting:

ipa: ERROR: Cannot find specified domain or server name

Please help me to solve this.

Please follow http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust ... and send us results and logs.

-- 
Petr^2 Spacek
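A check for the SRV loop output posted above: it parses the dig answer lines and reports every record an IPA client or trust partner would fail to find, or that points at the wrong port or host. Added example, not from the thread or the FreeIPA project; the record lines are constructed from the poster's output and the function names are hypothetical.

```python
"""Validate FreeIPA SRV records from dig output lines.
Added example, not from the thread; samples are constructed and helper
names are hypothetical."""
import re

# Service -> port an IPA server publishes for its realm (the six records
# the poster's loop asks for).
EXPECTED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_ntp._udp": 123,
}

# One dig answer line: NAME. TTL IN SRV PRIO WEIGHT PORT TARGET.
SRV_RE = re.compile(
    r"^(?P<name>\S+?)\.?\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+?)\.?\s*$"
)

# Constructed: the healthy output from the thread.
GOOD_SRV = """\
_ldap._tcp.SUN.LOCAL. 86398 IN SRV 0 100 389 kwtprsolipa01.sun.local.
_kerberos._tcp.SUN.LOCAL. 86398 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos._udp.SUN.LOCAL. 84696 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._tcp.SUN.LOCAL. 84699 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._udp.SUN.LOCAL. 86398 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_ntp._udp.SUN.LOCAL. 86398 IN SRV 0 100 123 kwtprsolipa01.sun.local.
"""

# Constructed: wrong LDAP port and a missing _kerberos-master._udp record.
BAD_SRV = """\
_ldap._tcp.SUN.LOCAL. 86398 IN SRV 0 100 636 kwtprsolipa01.sun.local.
_kerberos._tcp.SUN.LOCAL. 86398 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos._udp.SUN.LOCAL. 84696 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._tcp.SUN.LOCAL. 84699 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_ntp._udp.SUN.LOCAL. 86398 IN SRV 0 100 123 kwtprsolipa01.sun.local.
"""


def parse_srv(dig_output):
    """Return (name, port, target) tuples, lower-cased, without trailing dots."""
    records = []
    for line in dig_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.append((m["name"].lower().rstrip("."),
                            int(m["port"]),
                            m["target"].lower().rstrip(".")))
    return records


def check_ipa_srv(dig_output, realm, expected_host=None):
    """Return a list of problems for REALM; an empty list means all six
    records exist with the expected port (and host, when given)."""
    realm = realm.lower().rstrip(".")
    suffix = "." + realm
    found = {}
    for name, port, target in parse_srv(dig_output):
        if name.endswith(suffix):
            found.setdefault(name[: -len(suffix)], []).append((port, target))
    problems = []
    for service, want_port in EXPECTED_SRV.items():
        recs = found.get(service)
        if not recs:
            problems.append(f"missing {service}.{realm}")
            continue
        for port, target in recs:
            if port != want_port:
                problems.append(f"{service}.{realm} points at port {port}, expected {want_port}")
            if expected_host and target != expected_host.lower().rstrip("."):
                problems.append(f"{service}.{realm} points at {target}, expected {expected_host}")
    return problems
```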
Re: [Freeipa-users] ipactl start fails for no apparent reason
Hi Dmitri

On Wed, Apr 1, 2015 at 3:06 PM, Dmitri Pal d...@redhat.com wrote:

On 04/01/2015 07:52 AM, Traiano Welcome wrote:

Hi Dmitri

On Wed, Apr 1, 2015 at 2:23 PM, Dmitri Pal d...@redhat.com wrote:

On 04/01/2015 04:14 AM, Traiano Welcome wrote:

Hi Martin

Thanks for the response. Check results inline:

On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky mbabi...@redhat.com wrote:

On 04/01/2015 09:20 AM, Traiano Welcome wrote:

Some information from the dirsrv error log (sanitized: XYZ = realm):

[01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 for LDAPS requests
[01/Apr/2015:11:01:49 +0300] - Listening on /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meTokwtard-idm-slve.idm.local (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meToindpr-idm-slve.idm.local (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation threads
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 threads to terminate
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down internal subsystems and plugins
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform
Re: [Freeipa-users] nsAccountLock attribute
On 1.4.2015 11:43, Prashant Bapat wrote:

Hi Jan,

Thanks for your response. But my problem is AmazonLinux does not support ipa-client or sssd. No binaries available, lots of dependency issues compiling from source. So the route I have taken is to use FreeIPA on Fedora21. And use authconfig to enumerate users/groups. And have an SSH command to look up the keys.

Interesting. Please complain to Amazon support about this, it will improve the situation for others too.

Petr^2 Spacek

Thanks.
--Prashant

On 1 April 2015 at 11:06, Jan Cholasta jchol...@redhat.com wrote:

Hi,

On 1.4.2015 at 07:09 Prashant Bapat wrote:

Hi, Is there a way of making the nsAccountLock attribute (User enable/disable) anonymously readable? I'm trying to implement an SSH key lookup sshd authorized key command script. Based on this attribute the user will be allowed to login. I need this to be anonymously readable. Tried setting the permissions but it does not work. Any other ideas on this?

If your SSH server is a properly configured IPA host (i.e. you have run ipa-client-install or ipa-server-install on it), rejecting locked user login should work automatically, without having to configure anything.
[Freeipa-users] [RFC] COPR drop support for old distribution
ehlo,

CentOS 7.1 was finally released[1]. Yupi.
Fedora 21 was released[2] a few months ago.

People can use FreeIPA 4.1 without any problem. So there's no more reason to maintain COPR repositories for older distributions. It will significantly reduce extra dependencies in repositories.

It would be better to focus on backporting FreeIPA 4.2 in COPR. I know it has not been released yet.

LS

[1] http://lists.centos.org/pipermail/centos-announce/2015-April/021010.html
[2] https://fedoraproject.org/wiki/Releases/21/Schedule
Re: [Freeipa-users] Setup of freeipa 4.1.3 failed
Markus

Not sure if this might be related, at least it is a place to look at..
https://bugzilla.redhat.com/show_bug.cgi?id=1196455

thanks

On 31/03/2015 10:54, Markus Roth wrote:

Hi all,

I want to set up freeipa 4.1.3 on a freshly installed fedora 21. The ipa-server-install shows the following output:

configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring certmap.conf
  [18/38]: configure autobind for root
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache
  [21/38]: enable SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: adding default layout
  [24/38]: adding delegation layout
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: initializing group membership
  [33/38]: adding master entry
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance
  [error] RuntimeError: CA did not start in 300.0s
CA did not start in 300.0s

The ipa server install log shows this:

2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
2015-03-31T17:39:36Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
    self.start()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
    self.wait_until_running()
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 223, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)
RuntimeError: CA did not start in 300.0s

2015-03-31T17:39:36Z DEBUG   [error] RuntimeError: CA did not start in 300.0s
2015-03-31T17:39:36Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-server-install", line 1183, in main
    ca_signing_algorithm=options.ca_signing_algorithm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
    self.start()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
    self.wait_until_running()
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 223, in
Re: [Freeipa-users] OTP integrations
Please could someone explain to me what is happening internally? In my head I have the following process:

The openvpn pam module sends the username and password to pam.
Pam passes this on to sssd.
sssd then does the kerberos thing.
kerberos passes the password to the LDAP.
some LDAP module takes the password from the database, appends the OTP and actually does the auth...

On 1 April 2015 at 13:15, Andrew Holway andrew.hol...@gmail.com wrote:

It is simple to configure OpenVPN with authentication against FreeIPA in Fedora 21, all the heavy lifting is done by SSSD:

I have to say that this sssd / pam method is working very very well. I do however need to get my head around radius. Something for a rainy Sunday I think :).

# grep plugin /etc/openvpn/server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
# LANG=C ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 11 Apr  1 10:55 /etc/pam.d/openvpn -> system-auth
# LANG=C ipa user-show vpnuser
  User login: vpnuser
  First name: VPN
  Last name: TestUser
  Home directory: /home/vpnuser
  Login shell: /bin/sh
  Email address: vpnu...@example.com
  UID: 179265
  GID: 179265
  Account disabled: False
  User authentication types: otp
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] ipactl start fails for no apparent reason
On Wed, Apr 1, 2015 at 2:20 PM, Martin Babinsky mbabi...@redhat.com wrote:

On 04/01/2015 10:14 AM, Traiano Welcome wrote:

Hi Martin

Thanks for the response. Check results inline:

On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky mbabi...@redhat.com wrote:

On 04/01/2015 09:20 AM, Traiano Welcome wrote:

Some information from the dirsrv error log (sanitized: XYZ = realm):

[01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 for LDAPS requests
[01/Apr/2015:11:01:49 +0300] - Listening on /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meTokwtard-idm-slve.idm.local (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meToindpr-idm-slve.idm.local (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation threads
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 threads to terminate
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down internal subsystems and plugins
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed out)
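A triage pass over the 389-ds errors log excerpt quoted in this thread (the same excerpt is repeated in the replies above): it pulls out the set_krb5_creds failures, explains why the logged principal cannot match a keytab entry (here the realm after '@' is empty and the host part is not an FQDN), lists the replication agreements that could not bind, and notes the CleanAllRUV task still pending at shutdown. Added example, not from the thread or from 389-ds; the sample lines are constructed from the excerpt above and the function names are hypothetical.

```python
"""Triage of 389-ds errors-log lines for Kerberos/replication failures.
Added example, not from the thread; SAMPLE_LOG is constructed from the
quoted excerpt and the function names are hypothetical."""
import re
from collections import Counter

KRB_CREDS_RE = re.compile(
    r"set_krb5_creds - Could not get initial credentials for principal "
    r"\[(?P<principal>[^\]]*)\] in keytab \[(?P<keytab>[^\]]*)\]: "
    r"(?P<code>-?\d+) \((?P<reason>[^)]*)\)"
)
REPL_BIND_RE = re.compile(
    r"NSMMReplicationPlugin - agmt=(?P<agmt>\S+) \((?P<peer>[^)]*)\): "
    r"Replication bind with (?P<mech>\S+) auth failed: (?P<err>.*)"
)
CLEANRUV_RE = re.compile(r"CleanAllRUV Task: .*rid ?\((?P<rid>\d+)\)")

# Constructed from the excerpt quoted above (a few representative lines).
SAMPLE_LOG = """\
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meTokwtard-idm-slve.idm.local (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meToindpr-idm-slve.idm.local (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
"""


def principal_problems(principal):
    """Structural reasons a principal such as 'ldap/kwtpr-idm-mstr@' can
    never match a keytab entry, independent of the keytab contents."""
    problems = []
    if "@" not in principal:
        return ["no realm"]
    name, realm = principal.rsplit("@", 1)
    if not realm:
        problems.append("empty realm after '@'")
    if "/" in name and "." not in name.split("/", 1)[1]:
        problems.append("host part is not fully qualified")
    return problems


def triage_dirsrv_log(text):
    """Summarise credential, replication-bind and CleanAllRUV findings."""
    creds = Counter()   # (principal, keytab, reason) -> occurrences
    repl = {}           # agreement DN -> last bind error
    rids = set()
    for line in text.splitlines():
        m = KRB_CREDS_RE.search(line)
        if m:
            creds[(m["principal"], m["keytab"], m["reason"])] += 1
            continue
        m = REPL_BIND_RE.search(line)
        if m:
            repl[m["agmt"]] = m["err"]
            continue
        m = CLEANRUV_RE.search(line)
        if m:
            rids.add(int(m["rid"]))
    findings = []
    for (principal, keytab, reason), n in creds.items():
        why = ", ".join(principal_problems(principal)) or "keytab/KDC mismatch"
        findings.append(f"{n}x {reason} for [{principal}] in {keytab}: {why}")
    for agmt, err in repl.items():
        findings.append(f"replication agreement {agmt} cannot bind: {err.split(' (')[0]}")
    if rids:
        findings.append("CleanAllRUV still pending for rid(s) "
                        + ", ".join(str(r) for r in sorted(rids)))
    return {
        "credential_failures": sum(creds.values()),
        "broken_agreements": sorted(repl),
        "pending_cleanallruv_rids": sorted(rids),
        "findings": findings,
    }
```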
Re: [Freeipa-users] Setup of freeipa 4.1.3 failed
I had this error during my first installation. It turned out the problem was that port 8443 was already used by another process.

Roberto

On 31 March 2015 at 19:54, Markus Roth mar...@die5roths.de wrote:

Hi all,

I want to set up freeipa 4.1.3 on a freshly installed Fedora 21. The ipa-server-install shows the following output:

configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring certmap.conf
  [18/38]: configure autobind for root
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache
  [21/38]: enable SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: adding default layout
  [24/38]: adding delegation layout
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: initializing group membership
  [33/38]: adding master entry
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance
  [error] RuntimeError: CA did not start in 300.0s
CA did not start in 300.0s

The ipa server install log shows this:

2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
2015-03-31T17:39:36Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
    self.start()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
    self.wait_until_running()
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 223, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)
RuntimeError: CA did not start in 300.0s

2015-03-31T17:39:36Z DEBUG [error] RuntimeError: CA did not start in 300.0s
2015-03-31T17:39:36Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-server-install", line 1183, in main
    ca_signing_algorithm=options.ca_signing_algorithm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
    self.start()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
    self.wait_until_running()
  File
Re: [Freeipa-users] ipactl start fails for no apparent reason
On 04/01/2015 10:14 AM, Traiano Welcome wrote:

Hi Martin

Thanks for the response. Check results inline:

On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky mbabi...@redhat.com wrote:

On 04/01/2015 09:20 AM, Traiano Welcome wrote:

Some information from the dirsrv error log (sanitized: XYZ = realm):

[01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 for LDAPS requests
[01/Apr/2015:11:01:49 +0300] - Listening on /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meTokwtard-idm-slve.idm.local (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meToindpr-idm-slve.idm.local (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation threads
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 threads to terminate
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down internal subsystems and plugins
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed out)
[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP
Re: [Freeipa-users] bind-dyndb-ldap vs DLZ
On 1.4.2015 07:51, Jorgen Lundman wrote:

Hmm, that might be a challenge. bind-dyndb-ldap code implicitly assumes that there is 1:1 mapping between DNS name-LDAP DN. This makes implementation of dynamic updates much easier.

Well, you weren't wrong there. :)

I did try a few different solutions, first letting ARecord/NSRecord trickle in after SOA setup is done. But that did not fit well with some of the checks (diff tests of SOA updates need to be tuples etc, SOA is handled much more strictly), you can't just re-register/update a zone as easily as records... and so on.

In the end, I went for the change where, before calling update_zone(), I query DLZ for the additional information needed for the SOA record, ARecord/NSRecord etc, then tag those onto the entry-attrs list. This fits better with bind-dyndb-ldap's existing framework, and only makes it worse for DLZ users. In addition to creating src/schema.h to define the names of the common LDAP attributes based on WITH_DLZ_SCHEMA.

Annoyingly, the DLZ schema reuses the generic DNSData for a lot of things, so one large search just overwrote previous attributes - sigh. So I was forced to do single individual LDAP queries for each ARecord/NSRecord/... type, then finally call update_zone(). Some additional mapping for update_record() was needed as well, to map things like DNSIPAddr - ARecord.

01-Apr-2015 12:09:13.601 ldap_entry_create dn is 'DNSRecord=SOA,DNSHostName=@,DNSZoneName=example.com,ou=dns,dc=test,dc=jp'
01-Apr-2015 12:09:13.601 Attempting to pre-populate zone: dn DNSHostName=@,DNSZoneName=example.com,ou=dns,dc=test,dc=jp
01-Apr-2015 12:09:13.602 Adding 'DNSData' - 'NSRecord' mapping here
01-Apr-2015 12:09:13.603 Adding 'DNSIPAddr' - 'ARecord' mapping here
01-Apr-2015 12:09:13.606 fakesoa is 'hostmaster.example.com dns01.example.com. 20081028 3600 300 360 600 '
01-Apr-2015 12:09:13.606 DLZ attrib scam map 'soa' + 'DNSPrimaryNS'
01-Apr-2015 12:09:13.606 dns_rdatatype_fromtext GOOD attr 'NSRecord'
01-Apr-2015 12:09:13.606 Matched 'DNSPrimaryNS' to 'dns01.example.com.'
01-Apr-2015 12:09:13.606 DLZ attrib scam map 'soa' + 'ARecord'
01-Apr-2015 12:09:13.606 ldap_entry_nextrdtype: checking 'ARecord' on dn DNSRecord=SOA,DNSHostName=@,DNSZoneName=example.com,ou=dns,dc=test,dc=jp
01-Apr-2015 12:09:13.606 dns_rdatatype_fromtext GOOD attr 'ARecord'
01-Apr-2015 12:09:13.606 leaving ldap_parse_rrentry
01-Apr-2015 12:09:13.606 make sure we have NS record here?
01-Apr-2015 12:09:13.606 diff.c:185: unexpected error:
01-Apr-2015 12:09:13.606 unexpected non-minimal diff

I guess that minimal diff can contain only one del + add operation for arbitrary (name, RR type, data) combination. Maybe you are adding NS which is already in there or something like that.

01-Apr-2015 12:09:13.606 ldap_entry_create dn is 'DNSRecord=A,DNSHostName=pop,DNSZoneName=example.com,ou=dns,dc=test,dc=jp'
01-Apr-2015 12:09:13.607 DLZ attrib scam map 'A' + 'DNSIPAddr'
01-Apr-2015 12:09:13.607 dns_rdatatype_fromtext GOOD attr 'ARecord'
01-Apr-2015 12:09:13.607 Matched 'DNSIPAddr' to '210.157.5.28'
01-Apr-2015 12:09:13.607 zone example.com/IN: loaded serial 1427857753

# dig -p5353 @0 example.com any

; <<>> DiG 9.6-ESV-R8 <<>> -p5353 @0 example.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22383
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.com. IN ANY

;; ANSWER SECTION:
example.com. 600 IN A 210.157.5.35
example.com. 600 IN NS dns01.example.com.
example.com. 600 IN SOA hostmaster.example.com.example.com. dns01.example.com. 1427857753 3600 300 360 600

Not entirely sure why I trip on the unexpected non-minimal diff INSIST. I had to comment it out.

Obviously still very much hack'n'slash, to get a feel for what is involved.

Thank you for letting us know. (It is worse than I expected :-)

Anyway, let me know if you have some specific questions about bind-dyndb-ldap.

We could also change the schema of course, at least long term.

That sounds like a good idea, unless you want to get crazy from maintenance of this hybrid.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] OTP integrations
On Wed, 01 Apr 2015, Andrew Holway wrote:

Please could someone explain to me what is happening internally? In my head I have the following process:

The openvpn pam module sends the username and password to pam.
Pam passes this onto sssd.
sssd then does the kerberos thing.
kerberos passes the password to the LDAP.

KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) which then binds to IPA LDAP to verify the password.

some LDAP module takes the password from the database, appends on the OTP and actually does the auth...

Yes, the rest is correct. http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture from on the Kerberos thing.

On 1 April 2015 at 13:15, Andrew Holway andrew.hol...@gmail.com wrote:

It is simple to configure OpenVPN with authentication against FreeIPA in Fedora 21, all the heavy lifting is done by SSSD:

I have to say that this sssd / pam method is working very very well. I do however need to get my head around radius. Something for a rainy sunday I think :).

# grep plugin /etc/openvpn/server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"

# LANG=C ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 11 Apr 1 10:55 /etc/pam.d/openvpn -> system-auth

# LANG=C ipa user-show vpnuser
  User login: vpnuser
  First name: VPN
  Last name: TestUser
  Home directory: /home/vpnuser
  Login shell: /bin/sh
  Email address: vpnu...@example.com
  UID: 179265
  GID: 179265
  Account disabled: False
  User authentication types: otp
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'

-- 
/ Alexander Bokovoy

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] ipactl start fails for no apparent reason
Traiano Welcome wrote:

Hi Dmitri

This is a freshly generated DS log (sanitized: XYZ = realm):

389-Directory/1.3.1.6 B2014.160.2139 lolpr-xyz-mstr.xyz.local:636 (/etc/dirsrv/slapd-XYZ-LOCAL)

[01/Apr/2015:15:19:01 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:15:19:01 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=xyz,dc=local
[01/Apr/2015:15:19:02 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=xyz,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - agmt=cn=masterAgreement1-lolospr-xyz-slve.xyz.local-pki-tomcat (lolospr-xyz-slve:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:15:19:02 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=xyz,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 2 (No such file or directory)
[01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - agmt=cn=meTololard-xyz-slve.xyz.local (lolard-xyz-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - agmt=cn=meTololospr-xyz-slve.xyz.local (lolospr-xyz-slve:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Apr/2015:15:19:02 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:15:19:02 +0300] - Listening on All Interfaces port 636 for LDAPS requests
[01/Apr/2015:15:19:02 +0300] - Listening on /var/run/slapd-XYZ-LOCAL.socket for LDAPI requests
[01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - agmt=cn=meTololpr-xyz-slve.xyz.local (lolpr-xyz-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1):
Re: [Freeipa-users] ipactl start fails for no apparent reason
Dude. You rock :-) That was it!! All the entries were the wrong way round (not sure how I missed that ... time for a visit to the optometrists).

Beer is in the mail! And thanks to all @redhat for an excellent piece of software and for all the help today!

On Wed, Apr 1, 2015 at 4:40 PM, Rob Crittenden rcrit...@redhat.com wrote:

Traiano Welcome wrote:

Hi Dmitri

This is a freshly generated DS log (sanitized: XYZ = realm):

389-Directory/1.3.1.6 B2014.160.2139 lolpr-xyz-mstr.xyz.local:636 (/etc/dirsrv/slapd-XYZ-LOCAL)

[01/Apr/2015:15:19:01 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:15:19:01 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=xyz,dc=local
[01/Apr/2015:15:19:02 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=xyz,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - agmt=cn=masterAgreement1-lolospr-xyz-slve.xyz.local-pki-tomcat (lolospr-xyz-slve:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:15:19:02 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=xyz,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 2 (No such file or directory)
[01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - agmt=cn=meTololard-xyz-slve.xyz.local (lolard-xyz-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - agmt=cn=meTololospr-xyz-slve.xyz.local (lolospr-xyz-slve:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Apr/2015:15:19:02 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:15:19:02 +0300] - Listening on All Interfaces port 636 for LDAPS requests
[01/Apr/2015:15:19:02 +0300] - Listening on /var/run/slapd-XYZ-LOCAL.socket for LDAPI requests
[01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - agmt=cn=meTololpr-xyz-slve.xyz.local (lolpr-xyz-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2
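The tell-tale line in the dirsrv logs quoted in this thread is set_krb5_creds failing for a principal written as ldap/<shortname>@ with no realm: the server built a principal from a hostname it could not canonicalise, so it can never match the ldap/<fqdn>@<REALM> entry that IPA placed in /etc/dirsrv/ds.keytab. The following triage script is an added example, not code from the thread or from FreeIPA; it parses 389-ds error-log lines, extracts the principal and keytab from each set_krb5_creds failure and the peer from each replication bind failure, and flags the short-hostname and empty-realm symptoms. The sample lines are copied from this thread; the healthy principal ldap/kwtpr-idm-mstr.idm.local@IDM.LOCAL is an assumption derived from the dc=idm,dc=local suffix.

```python
"""Triage 389-ds error-log lines for the keytab/principal mismatch seen in this thread."""
import re

# 389-ds error log prefix: "[DD/Mon/YYYY:HH:MM:SS +ZZZZ] message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")

# set_krb5_creds failure: principal tried, keytab path, libkrb5 error code and text
KRB_RE = re.compile(
    r"set_krb5_creds - Could not get initial credentials for principal "
    r"\[(?P<principal>[^\]]*)\] in keytab \[(?P<keytab>[^\]]*)\]: "
    r"(?P<code>-?\d+) \((?P<reason>[^)]*)\)"
)

# Replication-agreement bind failure: agreement RDN, peer host:port, auth mechanism
AGMT_RE = re.compile(
    r"NSMMReplicationPlugin - agmt=(?P<agmt>\S+) \((?P<peer>[^)]+)\): "
    r"Replication bind with (?P<auth>\w+) auth failed"
)

KRB5_KT_NOTFOUND = -1765328203  # libkrb5: "Key table entry not found"


def parse_principal(principal):
    """Split 'service/host@REALM'; a missing '/' or '@' leaves that part empty."""
    svc_host, _, realm = principal.partition("@")
    service, _, host = svc_host.partition("/")
    return {"service": service, "host": host, "realm": realm}


def diagnose_principal(principal):
    """Findings for a service principal that was not found in the keytab.

    IPA writes ldap/<fqdn>@<REALM> into the keytab, so a short hostname or an
    empty realm in the principal the server built for itself is a name
    resolution / realm mapping problem on the host, not a missing key.
    """
    parts = parse_principal(principal)
    findings = []
    if not parts["realm"]:
        findings.append("empty realm")
    if "." not in parts["host"]:
        findings.append("short hostname (not an FQDN)")
    return findings


def triage(log_text):
    """Return keytab failures, replication bind failures and derived findings."""
    result = {"keytab_failures": [], "replication_failures": [], "findings": set()}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a timestamped dirsrv line (e.g. the version banner)
        ts, msg = m.group("ts"), m.group("msg")
        k = KRB_RE.search(msg)
        if k:
            entry = {"ts": ts, "principal": k.group("principal"),
                     "keytab": k.group("keytab"), "code": int(k.group("code")),
                     "reason": k.group("reason")}
            result["keytab_failures"].append(entry)
            if entry["code"] == KRB5_KT_NOTFOUND:
                result["findings"].update(diagnose_principal(entry["principal"]))
            continue
        a = AGMT_RE.search(msg)
        if a:
            result["replication_failures"].append(
                {"ts": ts, "agreement": a.group("agmt"),
                 "peer": a.group("peer"), "auth": a.group("auth")})
    result["findings"] = sorted(result["findings"])
    return result


# Constructed sample: lines copied from the log quoted in this thread.
SAMPLE_LOG = "\n".join([
    "[01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests",
    "[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal "
    "[ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)",
    "[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal "
    "[ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)",
    "[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt=cn=meTokwtard-idm-slve.idm.local "
    "(kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) "
    "(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more "
    "information (No Kerberos credentials available))",
])

# Assumption (not from the thread): what the keytab entry on that host would look like,
# FQDN plus the realm implied by the dc=idm,dc=local suffix.
HEALTHY_PRINCIPAL = "ldap/kwtpr-idm-mstr.idm.local@IDM.LOCAL"

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for f in report["keytab_failures"]:
        print("%s keytab lookup failed for [%s] (%s)" % (f["ts"], f["principal"], f["reason"]))
    for r in report["replication_failures"]:
        print("%s replication bind to %s failed (%s)" % (r["ts"], r["peer"], r["auth"]))
    print("findings:", ", ".join(report["findings"]) or "none")
    print("healthy principal findings:", diagnose_principal(HEALTHY_PRINCIPAL))
```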
Re: [Freeipa-users] Setup of freeipa 4.1.3 failed
Hmm, really? The port 8443 is already checked in FreeIPA 4.0.4 or later, based on this ticket:

https://fedorahosted.org/freeipa/ticket/4564

If your installation crashed because port 8443 was occupied, the fix 4564 is either incomplete or non-functional and we should fix it.

On 04/01/2015 01:38 PM, Roberto Cornacchia wrote:

I had this error during my first installation. It turned out the problem was that port 8443 was already used by another process.

Roberto

On 31 March 2015 at 19:54, Markus Roth mar...@die5roths.de wrote:

Hi all,

I want to set up freeipa 4.1.3 on a freshly installed Fedora 21. The ipa-server-install shows the following output:

configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring certmap.conf
  [18/38]: configure autobind for root
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache
  [21/38]: enable SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: adding default layout
  [24/38]: adding delegation layout
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: initializing group membership
  [33/38]: adding master entry
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance
  [error] RuntimeError: CA did not start in 300.0s
CA did not start in 300.0s

The ipa server install log shows this:

2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
2015-03-31T17:39:36Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
    self.start()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
    self.wait_until_running()
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 223, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)
RuntimeError: CA did not start in 300.0s

2015-03-31T17:39:36Z DEBUG [error] RuntimeError: CA did not start in 300.0s
2015-03-31T17:39:36Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-server-install", line 1183, in main
    ca_signing_algorithm=options.ca_signing_algorithm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
    self.start()
[Freeipa-users] RUVs
Hello again,

This is a more general question as I am new to dirsrv a bit. I have read through a lot of the docs, including 389-ds, but with regards to IPA, well, I am not 100% clear and perhaps this could help others in the future.

Are there guidelines or suggestions for RUV's and cleaning and how to know when you are actually seeing a problem that needs to be fixed? In a good system, for example, my 8 servers, if there are no issues, what would I expect to see from a list-ruv? What errors would indicate the need to run a clean-ruv id?

I am thinking if there was a write up or FAQ for this, it would go a long way to helping new admins with FreeIPA in understanding all of this. Just a suggestion.

Thank you
~J

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Setup of freeipa 4.1.3 failed
Unfortunately I don't have the log anymore, as it was overwritten by the following successful installation. But the personal log I kept manually says (this was freeIPA 4.1.2):

...
Restarting the directory server
Restarting the KDC
Restarting the certificate server
CA did not start in 300.0s

It seems that Stash was already using port 8443. Changed Stash configuration and (just to be sure) stopped both Jira and Stash before attempting again.
Ran $ ipa-server-install --uninstall and tried installation again. Succeeded:

On 1 April 2015 at 16:17, Martin Kosek mko...@redhat.com wrote:
> Hmm, really? The port 8443 is already checked in FreeIPA 4.0.4 or later, based on this ticket:
> https://fedorahosted.org/freeipa/ticket/4564
>
> If your installation crashed because port 8443 was occupied, the fix 4564 is either incomplete or non-functional and we should fix it.
>
> On 04/01/2015 01:38 PM, Roberto Cornacchia wrote:
>> I had this error during my first installation. It turned out the problem was that port 8443 was already used by another process.
>>
>> Roberto
>>
>> On 31 March 2015 at 19:54, Markus Roth mar...@die5roths.de wrote:
>>> Hi all,
>>>
>>> I want setup freeipa 4.1.3 on a fresh installed fedora 21. The ipa-server-install shows the following output:
>>>
>>> configuring NTP daemon (ntpd)
>>>   [1/4]: stopping ntpd
>>>   [2/4]: writing configuration
>>>   [3/4]: configuring ntpd to start on boot
>>>   [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>>   [1/38]: creating directory server user
>>>   [2/38]: creating directory server instance
>>>   [3/38]: adding default schema
>>>   [4/38]: enabling memberof plugin
>>>   [5/38]: enabling winsync plugin
>>>   [6/38]: configuring replication version plugin
>>>   [7/38]: enabling IPA enrollment plugin
>>>   [8/38]: enabling ldapi
>>>   [9/38]: configuring uniqueness plugin
>>>   [10/38]: configuring uuid plugin
>>>   [11/38]: configuring modrdn plugin
>>>   [12/38]: configuring DNS plugin
>>>   [13/38]: enabling entryUSN plugin
>>>   [14/38]: configuring lockout plugin
>>>   [15/38]: creating indices
>>>   [16/38]: enabling referential integrity plugin
>>>   [17/38]: configuring certmap.conf
>>>   [18/38]: configure autobind for root
>>>   [19/38]: configure new location for managed entries
>>>   [20/38]: configure dirsrv ccache
>>>   [21/38]: enable SASL mapping fallback
>>>   [22/38]: restarting directory server
>>>   [23/38]: adding default layout
>>>   [24/38]: adding delegation layout
>>>   [25/38]: creating container for managed entries
>>>   [26/38]: configuring user private groups
>>>   [27/38]: configuring netgroups from hostgroups
>>>   [28/38]: creating default Sudo bind user
>>>   [29/38]: creating default Auto Member layout
>>>   [30/38]: adding range check plugin
>>>   [31/38]: creating default HBAC rule allow_all
>>>   [32/38]: initializing group membership
>>>   [33/38]: adding master entry
>>>   [34/38]: configuring Posix uid/gid generation
>>>   [35/38]: adding replication acis
>>>   [36/38]: enabling compatibility plugin
>>>   [37/38]: tuning directory server
>>>   [38/38]: configuring directory to start on boot
>>> Done configuring directory server (dirsrv).
>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>   [1/27]: creating certificate server user
>>>   [2/27]: configuring certificate server instance
>>>   [3/27]: stopping certificate server instance to update CS.cfg
>>>   [4/27]: backing up CS.cfg
>>>   [5/27]: disabling nonces
>>>   [6/27]: set up CRL publishing
>>>   [7/27]: enable PKIX certificate path discovery and validation
>>>   [8/27]: starting certificate server instance
>>>   [error] RuntimeError: CA did not start in 300.0s
>>> CA did not start in 300.0s
>>>
>>> The ipa server install log shows this:
>>>
>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
>>> 2015-03-31T17:39:36Z DEBUG Traceback (most recent call last):
>>>   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation
>>>     run_step(full_msg, method)
>>>   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 372, in run_step
>>>     method()
>>>   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 526, in __start
>>>     self.start()
>>>   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 279, in start
>>>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>>>   File /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py, line 229, in start
>>>     self.wait_until_running()
>>>   File /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py, line 223, in wait_until_running
>>>     raise RuntimeError('CA did not start in %ss' % timeout)
>>> RuntimeError: CA did not start in 300.0s
>>>
>>> 2015-03-31T17:39:36Z DEBUG   [error] RuntimeError: CA did not start in 300.0s
>>> 2015-03-31T17:39:36Z DEBUG   File /usr/lib/python2.7/site-
Re: [Freeipa-users] OTP integrations
On 04/01/2015 12:29 PM, Andrew Holway wrote:
>> Yes. But stored in LDAP.
>
> Stored in LDAP salted I assume?

Yes. As the standard prescribes.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] RUVs
Hi,

a RUV (replica update vector) is a structure which on each server maintains a state of updates it has seen from any other server, it is used in a replication session to determine which updates have to be sent. Normally you don't need to deal with it, only if you remove a replica it is advisable to remove the references to the no longer existing server using clean ruv

Ludwig

On 04/01/2015 04:29 PM, Janelle wrote:
> Hello again,
>
> This is a more general question as I am new to dirsrv a bit. I have read through a lot of the docs, including 389-ds, but with regards to IPA, well, I am not 100% clear and perhaps this could help others in the future.
>
> Are there guidelines or suggestions for RUV's and cleaning and how to know when you are actually seeing a problem that needs to be fixed? In a good system, for example, my 8 servers, if there are no issues, what would I expect to see from a list-ruv? What errors would indicate the need to run a clean-ruv id?
>
> I am thinking if there was a write up or FAQ for this, it would go a long way to helping new admins with FreeIPA in understanding all of this. Just a suggestion.
>
> Thank you
> ~J
Re: [Freeipa-users] OTP integrations
> Yes. But stored in LDAP.

Stored in LDAP salted I assume?
Re: [Freeipa-users] OTP integrations
Thanks Alexander. What happens to the passwords? Are they hashed by Kerberos?

On 1 April 2015 at 15:14, Alexander Bokovoy aboko...@redhat.com wrote:
> On Wed, 01 Apr 2015, Andrew Holway wrote:
>> Please could someone explain to me what is happening internally? In my head I have the following process
>>
>> The openvpn pam module sends the username and password to pam.
>> Pam passes this onto sssd
>> sssd then does the kerberos thing
>> kerberos passes the password to the LDAP
> KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) which then binds to IPA LDAP to verify the password
>
>> some LDAP module takes the password from the database, appends on the OTP and actually does the auth...
> Yes, the rest is correct.
>
> http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture from on the Kerberos thing
>
>> On 1 April 2015 at 13:15, Andrew Holway andrew.hol...@gmail.com wrote:
>>> It is simple to configure OpenVPN with authentication against FreeIPA in Fedora 21, all the heavy lifting is done by SSSD:
>>
>> I have to say that this sssd / pam method is working very very well. I do however need to get my head around radius. Something for a rainy sunday I think :).
>>
>>> # grep plugin /etc/openvpn/server.conf
>>> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn login USERNAME password PASSWORD
>>>
>>> # LANG=C ls -l /etc/pam.d/openvpn
>>> lrwxrwxrwx. 1 root root 11 Apr 1 10:55 /etc/pam.d/openvpn -> system-auth
>>>
>>> # LANG=C ipa user-show vpnuser
>>>   User login: vpnuser
>>>   First name: VPN
>>>   Last name: TestUser
>>>   Home directory: /home/vpnuser
>>>   Login shell: /bin/sh
>>>   Email address: vpnu...@example.com
>>>   UID: 179265
>>>   GID: 179265
>>>   Account disabled: False
>>>   User authentication types: otp
>>>   Password: True
>>>   Member of groups: ipausers
>>>   Kerberos keys available: True
>>>
>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
>>> Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>>> Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
>>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
>>>
>>> --
>>> / Alexander Bokovoy
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] OTP integrations
On 04/01/2015 11:46 AM, Andrew Holway wrote:
> Thanks Alexander. What happens to the passwords? Are they hashed by Kerberos?

Yes. But stored in LDAP.

> On 1 April 2015 at 15:14, Alexander Bokovoy aboko...@redhat.com wrote:
>> On Wed, 01 Apr 2015, Andrew Holway wrote:
>>> Please could someone explain to me what is happening internally? In my head I have the following process
>>>
>>> The openvpn pam module sends the username and password to pam.
>>> Pam passes this onto sssd
>>> sssd then does the kerberos thing
>>> kerberos passes the password to the LDAP
>> KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) which then binds to IPA LDAP to verify the password
>>
>>> some LDAP module takes the password from the database, appends on the OTP and actually does the auth...
>> Yes, the rest is correct.
>>
>> http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture from on the Kerberos thing
>>
>>> On 1 April 2015 at 13:15, Andrew Holway andrew.hol...@gmail.com wrote:
>>>> It is simple to configure OpenVPN with authentication against FreeIPA in Fedora 21, all the heavy lifting is done by SSSD:
>>>
>>> I have to say that this sssd / pam method is working very very well. I do however need to get my head around radius. Something for a rainy sunday I think :).
>>>
>>>> # grep plugin /etc/openvpn/server.conf
>>>> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn login USERNAME password PASSWORD
>>>>
>>>> # LANG=C ls -l /etc/pam.d/openvpn
>>>> lrwxrwxrwx. 1 root root 11 Apr 1 10:55 /etc/pam.d/openvpn -> system-auth
>>>>
>>>> # LANG=C ipa user-show vpnuser
>>>>   User login: vpnuser
>>>>   First name: VPN
>>>>   Last name: TestUser
>>>>   Home directory: /home/vpnuser
>>>>   Login shell: /bin/sh
>>>>   Email address: vpnu...@example.com
>>>>   UID: 179265
>>>>   GID: 179265
>>>>   Account disabled: False
>>>>   User authentication types: otp
>>>>   Password: True
>>>>   Member of groups: ipausers
>>>>   Kerberos keys available: True
>>>>
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>>>> Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>>>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
>>>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>
>> --
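The flow Alexander lays out above ends with ipa-otpd receiving the user's password with the OTP appended and binding to LDAP with it. The following is an added example (not FreeIPA's or ipa-otpd's code) of the verifier's side of that last step: splitting the combined "password + 6-digit OTP" credential, checking the OTP against a TOTP secret per RFC 6238 with a one-step clock-skew window, and refusing a code that has already been accepted. The secret is the RFC 6238 reference secret (a constructed value), the trailing-digits split and the window size are assumptions, and the plaintext password comparison stands in for whatever the real server compares against.

```python
import hashlib
import hmac
import struct

# Constructed secret: the RFC 6238 reference secret, not a value from this
# thread or from any deployment.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, int(unix_time) // step, digits)


def split_credential(combined, digits=6):
    """Split "<password><otp>" the way a verifier must when the client sends one
    string (assumption: the OTP is the trailing `digits` decimal characters).
    Returns None when the string cannot end in a numeric OTP."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


class TotpVerifier:
    """Checks a TOTP value within +/- `window` steps of the current time and
    rejects replays by remembering the highest counter already accepted."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def verify(self, otp, unix_time):
        current = int(unix_time) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already consumed: replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, otp):
                self.last_counter = counter
                return True
        return False


def check_login(combined, expected_password, verifier, unix_time):
    """Both factors must pass. The password check here is a stand-in for the
    server's real comparison against its stored credential; it is constant-time
    and is done first so a bad password does not consume an OTP step."""
    parts = split_credential(combined, verifier.digits)
    if parts is None:
        return False
    password, otp = parts
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        return False
    return verifier.verify(otp, unix_time)


if __name__ == "__main__":
    v = TotpVerifier(SAMPLE_SECRET)
    code = totp(SAMPLE_SECRET, 59)          # "287082" at the RFC 6238 test time
    print(check_login("Secret!" + code, "Secret!", v, 59))   # True
    print(check_login("Secret!" + code, "Secret!", v, 59))   # False: replayed
```

The replay check is what turns a "something you have" factor into one that cannot be captured and resent within the same 30-second step; without it, the window that tolerates clock skew would also tolerate a second use of the same code.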
Re: [Freeipa-users] RUVs
Ludwig Krispenz wrote:
> Hi,
>
> a RUV (replica update vector) is a structure which on each server maintains a state of updates it has seen from any other server, it is used in a replication session to determine which updates have to be sent. Normally you don't need to deal with it, only if you remove a replica it is advisable to remove the references to the no longer existing server using clean ruv

The clean-ruv should be done as part of replica removal these days. The separate commands are there for when things go bump in the night.

rob

> Ludwig
>
> On 04/01/2015 04:29 PM, Janelle wrote:
>> Hello again,
>>
>> This is a more general question as I am new to dirsrv a bit. I have read through a lot of the docs, including 389-ds, but with regards to IPA, well, I am not 100% clear and perhaps this could help others in the future.
>>
>> Are there guidelines or suggestions for RUV's and cleaning and how to know when you are actually seeing a problem that needs to be fixed? In a good system, for example, my 8 servers, if there are no issues, what would I expect to see from a list-ruv? What errors would indicate the need to run a clean-ruv id?
>>
>> I am thinking if there was a write up or FAQ for this, it would go a long way to helping new admins with FreeIPA in understanding all of this. Just a suggestion.
>>
>> Thank you
>> ~J
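Janelle's question was what a healthy list-ruv looks like and when a clean-ruv is warranted; Ludwig's and Rob's answers give the rule (an entry for a server that no longer exists is the thing to clean). The following is an added example, not code from FreeIPA or 389-ds, that applies that rule to the raw RUV attribute: it parses the `{replica <id> <url>} <min CSN> <max CSN>` values of a 389-ds `nsds50ruv` attribute, decodes the timestamp carried in the first eight hex digits of each CSN, and reports replica IDs whose host is not in your current list of masters (clean-ruv candidates) or whose newest CSN is older than a threshold. Hostnames, replica IDs and CSNs in the sample are constructed; the 30-day threshold is an assumption.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample of a 389-ds "nsds50ruv" attribute (the RUV Ludwig describes).
# Hosts, replica IDs and CSNs are made up; replica 9 stands for a server that was
# removed without clean-ruv.
SAMPLE_RUV = [
    "{replicageneration} 54a48e00000000040000",
    "{replica 4 ldap://ipa1.example.test:389} 54a48e00000100040000 551b3500000100040000",
    "{replica 5 ldap://ipa2.example.test:389} 54a48e00000100050000 551b3500000200050000",
    "{replica 9 ldap://oldreplica.example.test:389} 54a48e00000100090000 54a48e00000500090000",
]

# {replica <id> <ldap url>} [<min csn> [<max csn>]]; a replica that has never
# written anything can appear with no CSNs at all.
_RUV_RE = re.compile(
    r"^\{replica (?P<rid>\d+) (?P<url>\S+)\}"
    r"(?: (?P<min>[0-9a-fA-F]{20}))?(?: (?P<max>[0-9a-fA-F]{20}))?$"
)


def csn_epoch(csn):
    """A CSN is <8 hex time><4 hex seq><4 hex replica id><4 hex subseq>;
    the leading 8 hex digits are a Unix timestamp."""
    return int(csn[:8], 16)


def csn_timestamp(csn):
    return datetime.fromtimestamp(csn_epoch(csn), tz=timezone.utc)


def parse_ruv(values):
    """Map replica id -> {url, host, min, max} from the RUV attribute values."""
    ruv = {}
    for value in values:
        m = _RUV_RE.match(value.strip())
        if not m:
            continue  # {replicageneration} and anything unrecognised
        ruv[int(m.group("rid"))] = {
            "url": m.group("url"),
            "host": urlparse(m.group("url")).hostname,
            "min": m.group("min"),
            "max": m.group("max"),
        }
    return ruv


def stale_replicas(ruv, known_hosts):
    """Replica ids whose host is not a current master: clean-ruv candidates."""
    return sorted(rid for rid, e in ruv.items() if e["host"] not in known_hosts)


def lagging_replicas(ruv, max_age_seconds, now_epoch):
    """Replica ids whose newest CSN is older than max_age_seconds."""
    return sorted(
        rid for rid, e in ruv.items()
        if e["max"] is not None and now_epoch - csn_epoch(e["max"]) > max_age_seconds
    )


def report(values, known_hosts, now_epoch, max_age_seconds=30 * 86400):
    """Human-readable summary of one server's RUV against the known topology."""
    ruv = parse_ruv(values)
    lines = []
    for rid, e in sorted(ruv.items()):
        last = csn_timestamp(e["max"]).isoformat() if e["max"] else "never"
        lines.append("replica %d %s last update %s" % (rid, e["host"], last))
    for rid in stale_replicas(ruv, known_hosts):
        lines.append("replica %d is not a known master: candidate for clean-ruv" % rid)
    for rid in lagging_replicas(ruv, max_age_seconds, now_epoch):
        lines.append("replica %d has not replicated for more than %d days"
                     % (rid, max_age_seconds // 86400))
    return lines


if __name__ == "__main__":
    known = {"ipa1.example.test", "ipa2.example.test"}
    for line in report(SAMPLE_RUV, known, now_epoch=1427932800):  # 2015-04-02 UTC
        print(line)
```

On a real server the attribute values come from the replica entry under `cn=config` (what list-ruv prints), and the "known masters" set is the list of servers you actually operate; the point of keeping the two checks separate is that a replica can be legitimately present but merely behind, which is a replication problem rather than a clean-ruv one.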
Re: [Freeipa-users] Expired password change on AIX Client
On 04/01/2015 11:14 AM, Luiz Fernando Vianna da Silva wrote:
> Hello All.
>
> I've searched the archives of this mailing list looking for an answer for this one, but all I found lead me nowhere.
>
> Closest thread to help me was: https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html
>
> Has anyone figured out a way to have expired password changes work on AIX clients?
>
> I have tried adding kpasswd_protocol = SET_CHANGE as well as kpasswd_protocol = RPCSEC_GSS to the [realms] section but none of them worked.
>
> Here is the output from an ssh test session for user teste on a AIX 7.1 machine:
>
> -bash-4.2$ ssh teste@localhost
> # NICE MOTD
> teste@localhost's password:
> [KRB5]: 3004-332 Your password has expired.
> 3004-333 A password change is required.
> [KRB5]: 3004-332 Your password has expired.
> *******************************************************************************
> *                                                                             *
> *  Welcome to AIX Version 7.1!                                                *
> *                                                                             *
> *  Please see the README file in /usr/lpp/bos for information pertinent to    *
> *  this release of the AIX Operating System.                                  *
> *                                                                             *
> *******************************************************************************
> # NICE MOTD
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for teste
> teste's Old password:
> teste's New password:
> Enter the new password again:
> 3004-604 Your entry does not match the old password.
> Connection to localhost closed.
> -bash-4.2$

So you are setting up AIX client using kerberos against IPA server and trying to log with a user that has expired password. Did I get it right?
What version of the server you are using?
How your kerberos configuration looks on a client?
What does the KDC log show?

> Atenciosamente/Best Regards
> __
> Luiz Fernando Vianna da Silva
> ITM-I - Operação Cielo
> +55 (11) 3626-7126
> luiz.via...@tivit.com.br
> T I V I T
> Av. Maria Coelho Aguiar, 215 - Bloco D - 5˚ Andar
> São Paulo - SP - CEP 05804-900
> www.tivit.com.br
>
> This message, including its attachments, is confidential and its content is restricted to the addressee of the message. If you have received it by mistake, please return it to the sender and delete it from your files. Any unauthorized use, replication or dissemination of this message or part of it is expressly prohibited. TIVIT is not responsible for the content or the accuracy of this information.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] Expired password change on AIX Client
Hello All.

I’ve searched the archives of this mailing list looking for an answer for this one, but all I found lead me nowhere. ☹

Closest thread to help me was: https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html

Has anyone figured out a way to have expired password changes work on AIX clients?

I have tried adding “kpasswd_protocol = SET_CHANGE” as well as “kpasswd_protocol = RPCSEC_GSS” to the [realms] section but none of them worked.

Here is the output from an ssh test session for user “teste” on a AIX 7.1 machine:

-bash-4.2$ ssh teste@localhost
# NICE MOTD
teste@localhost's password:
[KRB5]: 3004-332 Your password has expired.
3004-333 A password change is required.
[KRB5]: 3004-332 Your password has expired.
*******************************************************************************
*                                                                             *
*  Welcome to AIX Version 7.1!                                                *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*******************************************************************************
# NICE MOTD
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for teste
teste's Old password:
teste's New password:
Enter the new password again:
3004-604 Your entry does not match the old password.
Connection to localhost closed.
-bash-4.2$

Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.via...@tivit.com.br
T I V I T
Av. Maria Coelho Aguiar, 215 - Bloco D - 5˚ Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br
Re: [Freeipa-users] IPA and geographically distributed masters
Hi

if you got the NTPs in sync and using the same timezone on both it should be ok

thanks

On 2015-04-01 23:41, Steven Jones wrote:
> Hi,
>
> Would IPA have issues if one master is on one side of the Pacific (New Zealand) and another in the USA?
>
> regards
>
> Steven J
Re: [Freeipa-users] Openvpn and Certificates
On Wednesday, April 01, 2015 07:02:56 PM Andrew Holway wrote:
> Hello,
>
> After following Alexanders advice to use sssd/pam for OpenVPN with OTP I have it all working rather nice but with self signed certificates which is not ideal. (This is actually amazing btw guys. Like wow. The QR-Codes and the OpenOTP android app. wtf??!! :)
>
> I'm scratching around trying to find a way to provide server and client certificates but, to be honest, my understanding of certificates is not good enough to be able to take the leap.
>
> I understand from previous discussions that client certificates are not yet supported in FreeIPA, instead I understand one can use service certificates. From an OpenVPN standpoint I'm guessing this is fine because a vpn client can be entered in Freeipa as a client and a certificate generated for it. This might actually be a preferred model for VPN.
>
> My OVPN server config looks like this:
>
> ca ca.crt
> cert server.crt
> key server.key
> # Diffie hellman parameters.
> dh dh2048.pem
>
> I guess I can use the ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r command to generate the server.crt and private.key and I know where to find ca.crt however:
>
> - How about the Diffie hellman parameters?
> - Is dh2048.pem just a bunch of shared primes that enable the two parties to establish encryption together?
> - Is it bad If this file is compromised?
>
> Thanks,
>
> Andrew

https://fedorahosted.org/freeipa/ticket/2915 says it's planned for 4.2, which I'm hoping for, since I want to have more of the certificate functionality of Dogtag exposed.

To use all the bells and whistles that OpenVPN can check on certificates, FreeIPA needs to support setting custom parameters on service certificates, which right now, it cannot do.

-A

--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Re: [Freeipa-users] IPA and geographically distributed masters
On Thu, 2015-04-02 at 00:22 +0100, g.fer.or...@unicyber.co.uk wrote:
> Hi
>
> if you got the NTPs in sync and using the same timezone on both it should be ok

All operations use UTC, so you can set whatever timezone you want on the machines.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] RHEL 5 client?
On Wed, 01 Apr 2015, Guertin, David S. wrote:
>> The 5.x ipa-client should work fine. What isn't working?
>
> I cannot SSH in as an AD user. (Sorry, I should have mentioned that in my original post.) The client installs without errors, and I can get a Kerberos ticket for the admin user. But when I try to SSH in as an AD domain user, the login fails:
>
> $ ssh -l 'MIDD\juser' yakko.ipa
> Red Hat Enterprise Linux Server release 5.11 (Tikanga)
> Kernel 2.6.18-402.el5 on an x86_64
> Password:
> Password:
> Password:
> MIDD\ju...@yakko.ipa's password:
> Received disconnect from 140.233.1.100: 2: Too many authentication failures for MIDD\\juser
>
> And on the client, with debug_level = 10 for sssd, /var/log/sssd/sssd_nss.log shows:
>
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No results for getpwnam call
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\juser] from [ALL]
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\juser]
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache)
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\juser], fail!
>
> There's a trust relationship set up between the IPA domain and the AD domain, but it's like the RHEL 5 client doesn't know about it. Did I miss something?

Show your sssd.conf.

Practically, in order to provide access to RHEL5 systems for AD users, you need to configure sssd on RHEL5 against compat tree on IPA LDAP. More to that, we had few bugs that prevented successful authentication to complete from older clients against compat tree. These bugs are fixed as part of RHEL7.1 update 1 cumulative release.

A typical RHEL5 configuration script can be obtained by running 'ipa-advise config-redhat-sssd-before-1-9' on IPA master.

--
/ Alexander Bokovoy
Re: [Freeipa-users] RHEL 5 client?
On 04/01/2015 02:28 PM, Guertin, David S. wrote:
>> The 5.x ipa-client should work fine. What isn't working?
>
> I cannot SSH in as an AD user. (Sorry, I should have mentioned that in my original post.) The client installs without errors, and I can get a Kerberos ticket for the admin user. But when I try to SSH in as an AD domain user, the login fails:
>
> $ ssh -l 'MIDD\juser' yakko.ipa
> Red Hat Enterprise Linux Server release 5.11 (Tikanga)
> Kernel 2.6.18-402.el5 on an x86_64
> Password:
> Password:
> Password:
> MIDD\ju...@yakko.ipa's password:
> Received disconnect from 140.233.1.100: 2: Too many authentication failures for MIDD\\juser
>
> And on the client, with debug_level = 10 for sssd, /var/log/sssd/sssd_nss.log shows:
>
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No results for getpwnam call
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\juser] from [ALL]
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\juser]
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache)
> (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\juser], fail!
>
> There's a trust relationship set up between the IPA domain and the AD domain, but it's like the RHEL 5 client doesn't know about it. Did I miss something?
>
> David Guertin

Ah so you are using it with trust. Then you should change the configuration to not use kerberos but rather LDAP instead.

More details are here.
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Openvpn and Certificates
On Wed, 01 Apr 2015, Andrew Holway wrote:
> On 1 April 2015 at 20:02, Nalin Dahyabhai na...@redhat.com wrote:
>> On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
>>> I understand from previous discussions that client certificates are not yet supported in FreeIPA, instead I understand one can use service certificates. From an OpenVPN standpoint I'm guessing this is fine because a vpn client can be entered in Freeipa as a client and a certificate generated for it. This might actually be a preferred model for VPN.
>>>
>>> My OVPN server config looks like this:
>>>
>>> ca ca.crt
>>> cert server.crt
>>> key server.key
>>> # Diffie hellman parameters.
>>> dh dh2048.pem
>>>
>>> I guess I can use the ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r command to generate the server.crt and private.key and I know where to find ca.crt however:
>>
>> Unless there are other requirements on the contents of the certificate, I'd expect that to work.
>
> ipa service-add-host --hosts ipa.domain.de client/andrews-macbook-air.local.domain.de
>
> ipa-getcert request -f /var/lib/certmonger/requests/Andrews-MacBook-Air.local.crt -k /var/lib/certmonger/requests/Andrews-MacBook-Air.local.key -N CN=andrews-macbook-air.local.domain.de -D andrews-macbook-air.local.domain.de -K client/andrews-macbook-air.local.domain...@domain.de
>
> -- Then shuffle the keys and certs around --
> -- Restart OpenVPN --
>
> And et voila! It works! Although it does feel a bit hacky :)

I do it the same way as I control my systems and can be sure there is one user per system for VPN access. Works nicely.

The only issue if you want some systems authenticate with certificates only and others with user/password+OTP. Unfortunately, this combination does not work with OpenVPN as all authentication methods must succeed. There is an option --auth-user-pass-optional that allows core OpenVPN to work without the requirement of passwords but then plugins/scripts must account for it and openvpn-plugin-auth-pam is not aware of that, it seems.

--
/ Alexander Bokovoy
Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.
On 04/01/2015 12:32 PM, Ben .T.George wrote:
> Hi
>
> I have re-installed everything from RHEL 7.1 DVD and current ipa version is 4.0.1
>
> everything is working including AD trust. but my web interface always giving "Your session has expired. Please re-login."
>
> i faced the issue before, that time i destroyed Kerberos ticket (kdestroy) and initiated again (kinit admin). after that it got worked. but now i did all the exercises and still not working
>
> please anyone solved this issue. or is this a known bug?
>
> if i open the page from Chrome browser, i am getting another login screen like .htaccess login. If i gave password, it re-appearing again
>
> Regards,
> Ben

Have you cleaned your browser cache data?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] RHEL 5 client?
I've just set up an IPA domain that is working with our RHEL 6 clients. (The servers are running RHEL 7.) But about half of our Linux servers are running RHEL 5, and I'd like to be able to add these as clients as well. Unfortunately I haven't been able to get it working. Before I get too deep into debugging and log files, is this even possible? The documentation that I've been able to find is unclear on this.

So far I've been looking at this thread:

https://www.redhat.com/archives/freeipa-users/2013-July/msg00277.html

and this document:

https://www.freeipa.org/page/FreeIPAv1:ConfiguringRhelClients#Configuring_RHEL_5_as_an_IPA_Client

but without much success. Is there documentation somewhere that describes the procedure, if indeed one exists?

David Guertin
[Freeipa-users] RES: [Marketing Mail] Re: Expired password change on AIX Client
Hello Dmitri.

Server is running: ipa-server-3.0.0-37.el6.x86_64

My kerberos configuration looks like this on a client:

    # cat /etc/krb5.conf
    [libdefaults]
        default_realm = DOMAIN.COM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
    [realms]
        DOMAIN.COM = {
            kdc = ldap.domain.com:88
            admin_server = ldap.domain.com:749
            default_domain = domain.com
        }
    [domain_realm]
        .domain.com = DOMAIN.COM
        ldap.domain.com = DOMAIN.COM
    [logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log
    #

> What does the KDC log show?

Where do I get this log from?

Atenciosamente/Best Regards
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.via...@tivit.com.br
T I V I T
Av. Maria Coelho Aguiar, 215 - Bloco D - 5˚ Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br

This message, including its attachments, is confidential and its content is restricted to the addressee. If you have received it in error, please return it to the sender and delete it from your files. Any unauthorized use, replication or dissemination of this message or part of it is expressly prohibited. TIVIT is not responsible for the content or the accuracy of this information.

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On behalf of Dmitri Pal
Sent: Wednesday, 1 April 2015 13:27
To: freeipa-users@redhat.com
Subject: [Marketing Mail] Re: [Freeipa-users] Expired password change on AIX Client

> On 04/01/2015 11:14 AM, Luiz Fernando Vianna da Silva wrote:
>> Hello All.
>>
>> I've searched the archives of this mailing list looking for an answer for this one, but all I found led me nowhere. ☹
>>
>> The closest thread to help me was: https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html
>>
>> Has anyone figured out a way to have expired password changes work on AIX clients? I have tried adding "kpasswd_protocol = SET_CHANGE" as well as "kpasswd_protocol = RPCSEC_GSS" to the [realms] section but none of them worked.
>>
>> Here is the output from an ssh test session for user "teste" on an AIX 7.1 machine:
>>
>>     -bash-4.2$ ssh teste@localhost
>>     # NICE MOTD
>>     teste@localhost's password:
>>     [KRB5]: 3004-332 Your password has expired.
>>     3004-333 A password change is required.
>>     [KRB5]: 3004-332 Your password has expired.
>>     *******************************************************************************
>>     *                                                                             *
>>     *  Welcome to AIX Version 7.1!                                                *
>>     *                                                                             *
>>     *  Please see the README file in /usr/lpp/bos for information pertinent to    *
>>     *  this release of the AIX Operating System.                                  *
>>     *                                                                             *
>>     *******************************************************************************
>>     # NICE MOTD
>>     WARNING: Your password has expired.
>>     You must change your password now and login again!
>>     Changing password for teste
>>     teste's Old password:
>>     teste's New password:
>>     Enter the new password again:
>>     3004-604 Your entry does not match the old password.
>>     Connection to localhost closed.
>>     -bash-4.2$
>
> So you are setting up an AIX client using kerberos against the IPA server and trying to log in with a user that has an expired password. Did I get it right?
> What version of the server are you using?
> How does your kerberos configuration look on a client?
> What does the KDC log show?
>
>> Atenciosamente/Best Regards
>> Luiz Fernando Vianna da Silva
>> ITM-I - Operação Cielo
>> T I V I T
Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.
On 4/1/15 9:32 AM, Ben .T.George wrote:
> Hi
>
> I have re-installed everything from RHEL 7.1 DVD and the current ipa version is 4.0.1. Everything is working including AD trust, but my web interface always gives "Your session has expired. Please re-login."
>
> I faced the issue before; that time I destroyed the Kerberos ticket (kdestroy) and initiated again (kinit admin). After that it worked. But now I did all the exercises and it is still not working.
>
> Please, has anyone solved this issue? Or is this a known bug?
>
> If I open the page from the Chrome browser, I am getting another login screen like an .htaccess login. If I give the password, it reappears again.
>
> Regards,
> Ben

On a related note to browser issues -- has anyone else seen a user log in to change their PW, in any browser - from Chrome, to Firefox, etc., and with the exception of the top portion of the screen, the details of the user account are blank (white screen below main header)? They can still use the pull down to reset the PW, but everything else seems to be missing.

I have also seen this "Session expired" even when not using a kerberized browser, so if there is a solution -- looking forward to it.

~J
[Freeipa-users] Openvpn and Certificates
Hello,

After following Alexander's advice to use sssd/pam for OpenVPN with OTP I have it all working rather nicely but with self-signed certificates, which is not ideal. (This is actually amazing btw guys. Like wow. The QR-Codes and the OpenOTP android app. wtf??!! :)

I'm scratching around trying to find a way to provide server and client certificates but, to be honest, my understanding of certificates is not good enough to be able to take the leap.

I understand from previous discussions that client certificates are not yet supported in FreeIPA, instead I understand one can use service certificates. From an OpenVPN standpoint I'm guessing this is fine because a vpn client can be entered in FreeIPA as a client and a certificate generated for it. This might actually be a preferred model for VPN.

My OVPN server config looks like this:

    ca ca.crt
    cert server.crt
    key server.key
    # Diffie hellman parameters.
    dh dh2048.pem

I guess I can use the "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r" command to generate the server.crt and private.key and I know where to find ca.crt however:

- How about the Diffie Hellman parameters?
- Is dh2048.pem just a bunch of shared primes that enable the two parties to establish encryption together?
- Is it bad if this file is compromised?

Thanks,

Andrew
Re: [Freeipa-users] FreeIPA integration with AIX and sudo
Hello Yves.

I was browsing the mailing list archives and found your email from December 2013 (https://www.redhat.com/archives/freeipa-users/2013-December/msg00083.html).

I have successfully found a way to have sudo on AIX work with the sudo rules on IPA, just like Linux clients. Give me a reply if you haven't figured out a way to make this work and I'll send you the solution I came up with.

Atenciosamente/Best Regards
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.via...@tivit.com.br
T I V I T
Re: [Freeipa-users] OTP integrations
On Wed, 2015-04-01 at 12:33 -0400, Dmitri Pal wrote:
> On 04/01/2015 12:29 PM, Andrew Holway wrote:
>>> Yes. But stored in LDAP.
>>
>> Stored in LDAP salted I assume?
>
> Yes. As the standard prescribes.

Except for the RC4 keys, but the whole keyset is encrypted with the master key, so the hashes cannot be seen even if you have access to the LDAP attribute.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] RHEL 5 client?
Guertin, David S. wrote:
> I've just set up an IPA domain that is working with our RHEL 6 clients. (The servers are running RHEL 7.) But about half of our Linux servers are running RHEL 5, and I'd like to be able to add these as clients as well. Unfortunately I haven't been able to get it working. Before I get too deep into debugging and log files, is this even possible? The documentation that I've been able to find is unclear on this.
>
> So far I've been looking at this thread:
>
> https://www.redhat.com/archives/freeipa-users/2013-July/msg00277.html
>
> and this document:
>
> https://www.freeipa.org/page/FreeIPAv1:ConfiguringRhelClients#Configuring_RHEL_5_as_an_IPA_Client
>
> but without much success. Is there documentation somewhere that describes the procedure, if indeed one exists?

The 5.x ipa-client should work fine. What isn't working?

rob
[Freeipa-users] RES: FreeIPA integration with AIX and sudo
Hi Yves.

First a little background information regarding sudo on AIX:

Most sudo packages compiled for AIX are _NOT_ compiled with LDAP support. Although sudo's documentation states that sudo supports different LDAP implementations other than OpenLDAP, I suppose it doesn't work well with AIX's LDAP fileset. That's my guess why most sudo packages for AIX aren't compiled with LDAP support. [BTW, you can check this by running, as root, "sudo -V | grep -i ldap"]. The good news is that Michael Perzl has successfully compiled a sudo package with LDAP support, although it's compiled against OpenLDAP and not AIX's LDAP fileset.

So, here is how I did it:

(1) Go to http://www.perzl.org/aix/ and download the following RPM packages in their latest versions:

    - sudo = 1.8.11
    - gettext = 0.10.40
    - openldap = 2.4.23
    - openssl = 1.0.1j-1
    - zlib

Make sure you don't have the sudo fileset installed or another sudo rpm package. Don't worry about openssl from this RPM package conflicting with the OpenSSL fileset from AIX, they won't. Don't worry about openldap from this RPM package conflicting with the ldap fileset from AIX, they won't.

(2) Upload the rpm packages to your AIX LPAR and put them all in a directory; I used /tmp/sudopack. [From here on I assume you are root on your LPAR].

(3) From the directory where you put your packages run "rpm -ivh *.rpm --test" and if all goes well proceed without the "--test", otherwise sort out the dependencies and conflicts like the grown man you are :).

(4) Once the rpms are installed, add the following line to the bottom of your /etc/netsvc.conf file:

    sudoers = files, ldap

I know this is not the expected syntax according to IBM's netsvc.conf documentation, but sudo requires it to work with ldap. According to sudo's documentation it uses that line in netsvc.conf to emulate what sudo would expect to find in /etc/nsswitch.conf on a Linux machine [hack much?].

(5) Create a file called /etc/ldap.conf. This has nothing to do with the /etc/security/ldap/ldap.cfg file you use to configure AIX's LDAP; this is OpenLDAP's config only used by sudo. Don't worry, this won't conflict with AIX's LDAP functionality. Add this to your /etc/ldap.conf:

    tls_cacert /etc/ipa/ca.crt
    uri ldap://youripaserver.domain.com
    binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
    bindpw yourclientpassword
    sudoers_base ou=sudoers,dc=domain,dc=com

(6) Create a directory called /etc/ipa and download your CA certificate file and place it there. Make sure to permission the directory 755 and the ca.crt file 644.

(7) And that's pretty much it, no need to edit a single line in /etc/sudoers. The /etc/sudoers file I have on my LPARs is the one that comes with the rpm, unchanged.

Log into your LPAR with a domain user and try running "sudo -l"; it should output the sudo rules you set on the IPA server.

I hope this helps you and other AIX client users out there.

Atenciosamente/Best Regards
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.via...@tivit.com.br
T I V I T

From: Yves Degauquier [mailto:y...@degauquier.net]
Sent: Wednesday, 1 April 2015 14:03
To: Luiz Fernando Vianna da Silva
Subject: Re: [Freeipa-users] FreeIPA integration with AIX and sudo

> Hi Luiz,
>
> I was not able to make it run; I was a bit lost with the LDAP, PAM, LAM configuration, and didn't find any idea with Google... If you can share the solution or point me to some important point to do, I will be happy.
>
> Thanks in advance,
>
> Best regards,
>
> Yves
>
> On 01/04/15 18:57, Luiz Fernando Vianna da Silva wrote:
>> Hello Yves.
>>
>> I was browsing the mailing list archives and found your email from December 2013 (https://www.redhat.com/archives/freeipa-users/2013-December/msg00083.html).
>>
>> I have successfully found a way to have sudo on AIX work with the sudo rules on IPA, just like Linux clients. Give me a reply if you haven't figured out a way to make this work and I'll send you the solution I came up with.
>>
>> Atenciosamente/Best Regards
>> Luiz Fernando Vianna da Silva
>> ITM-I - Operação Cielo
>> T I V I T
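An added example, not code from the post above or from FreeIPA or sudo, to show what the ldap.conf in step (5) actually drives: a sudo built with LDAP support turns the login name and groups into a sudoRole search under sudoers_base, then matches the returned rules by host and command on the LPAR itself, which is what "sudo -l" in step (7) displays. The same script checks the ldap.conf for two things worth verifying before going to production: with "uri ldap://" and no "ssl start_tls" line, sudo sends the bindpw in a cleartext simple bind (tls_cacert only says which CA to trust once TLS is on), and a file holding bindpw should not be readable by group or other. The user "teste", the group "aixadmins", the LPAR names and the two rules are constructed for illustration; the ldap.conf text is the one from the post.

```python
"""Added example (not from the post, FreeIPA or sudo): how sudo-ldap resolves
rules under sudoers_base, plus sanity checks on the posted /etc/ldap.conf."""

import fnmatch
import stat


def ldap_escape(value):
    """RFC 4515 escaping so a login or group name cannot reshape the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def build_sudo_filter(user, groups, netgroups=()):
    """sudoUser holds a login, %group, +netgroup or ALL; sudo fetches every
    sudoRole naming one of them, then matches host and command locally."""
    terms = ['(sudoUser=%s)' % ldap_escape(user)]
    terms += ['(sudoUser=%%%s)' % ldap_escape(g) for g in groups]
    terms += ['(sudoUser=+%s)' % ldap_escape(n) for n in netgroups]
    terms.append('(sudoUser=ALL)')
    return '(&(objectClass=sudoRole)(|%s))' % ''.join(terms)


def user_matches(entry, user, groups, netgroups=()):
    for u in entry.get('sudoUser', []):
        if u == 'ALL' or u == user:
            return True
        if u[:1] == '%' and u[1:] in groups:
            return True
        if u[:1] == '+' and u[1:] in netgroups:
            return True
    return False


def host_matches(entry, fqdn, shortname):
    """sudoHost: ALL, a host name, or a shell-style pattern."""
    return any(h == 'ALL' or h in (fqdn, shortname) or fnmatch.fnmatch(fqdn, h)
               for h in entry.get('sudoHost', []))


def command_allowed(entries, user, groups, fqdn, shortname, command):
    """Rules run in sudoOrder and the last matching sudoCommand decides, so a
    later '!cmd' revokes an earlier permit.  True if 'command' may run."""
    decision = False
    by_order = sorted(entries, key=lambda e: int(e.get('sudoOrder', ['0'])[0]))
    for entry in by_order:
        if not (user_matches(entry, user, groups) and host_matches(entry, fqdn, shortname)):
            continue
        for c in entry.get('sudoCommand', []):
            negate = c.startswith('!')
            pattern = c.lstrip('!')
            if pattern == 'ALL' or fnmatch.fnmatch(command, pattern):
                decision = not negate
    return decision


def check_ldap_conf(text, mode):
    """Findings for a sudo ldap.conf given its text and its permission bits.
    'uri ldap://' without 'ssl start_tls' means a cleartext simple bind;
    tls_cacert alone does not turn TLS on."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            key, _, value = line.partition(' ')
            conf[key.lower()] = value.strip()
    findings = []
    if 'bindpw' in conf and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append('bindpw present but file is readable by group/other')
    uri = conf.get('uri', '')
    if uri.startswith('ldap://') and conf.get('ssl', '').lower() != 'start_tls':
        findings.append('ldap:// without "ssl start_tls": bind password sent in clear')
    if 'tls_cacert' not in conf and (uri.startswith('ldaps://') or 'ssl' in conf):
        findings.append('TLS requested but no tls_cacert: server certificate not verified')
    return findings


# Constructed sudoRole entries, shaped like FreeIPA's compat tree returns them.
ENTRIES = [
    {'cn': ['aix-admins'], 'sudoUser': ['%aixadmins'], 'sudoHost': ['ALL'],
     'sudoCommand': ['ALL'], 'sudoOrder': ['1']},
    {'cn': ['no-ksh-on-lpars'], 'sudoUser': ['teste'], 'sudoHost': ['lpar*.domain.com'],
     'sudoCommand': ['!/usr/bin/ksh'], 'sudoOrder': ['2']},
]

# The ldap.conf from the post, verbatim.
POSTED_LDAP_CONF = """tls_cacert /etc/ipa/ca.crt
uri ldap://youripaserver.domain.com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
bindpw yourclientpassword
sudoers_base ou=sudoers,dc=domain,dc=com
"""

if __name__ == '__main__':
    print(build_sudo_filter('teste', ['aixadmins']))
    for cmd in ('/usr/bin/ksh', '/usr/sbin/lsattr'):
        print(cmd, command_allowed(ENTRIES, 'teste', ['aixadmins'],
                                   'lpar01.domain.com', 'lpar01', cmd))
    print(check_ldap_conf(POSTED_LDAP_CONF, 0o644))
```

Run as-is it prints the filter sudo would send for "teste", shows ksh denied on lpar01 by the later negated rule while lsattr stays allowed, and reports the two findings on the posted ldap.conf. Adding "ssl start_tls" and chmod 600 on /etc/ldap.conf clears both.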
Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.
On Wed, Apr 01, 2015 at 07:45:10PM +0300, Ben .T.George wrote:
> HI
>
> yes i have cleared the cache. tried from different browsers, tried from a portable browser, configured the kerberos plugin in firefox
>
> this is what i got from inspect: http://s9.postimg.org/51c5809xr/kerb.jpg

Just to be sure, the policies for ticket lifetimes are still set to their defaults, right?

Is there anything in the server-side logs (/var/log/krb5kdc.log, /var/log/httpd/error_log) that might shed some light on things, perhaps after having set debug=True in the [global] section of the server's /etc/ipa/default.conf and restarted the httpd service?

Nalin
Re: [Freeipa-users] Openvpn and Certificates
On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
> I understand from previous discussions that client certificates are not yet supported in FreeIPA, instead I understand one can use service certificates. From an OpenVPN standpoint I'm guessing this is fine because a vpn client can be entered in FreeIPA as a client and a certificate generated for it. This might actually be a preferred model for VPN.
>
> My OVPN server config looks like this:
>
>     ca ca.crt
>     cert server.crt
>     key server.key
>     # Diffie hellman parameters.
>     dh dh2048.pem
>
> I guess I can use the "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r" command to generate the server.crt and private.key and I know where to find ca.crt however:

Unless there are other requirements on the contents of the certificate, I'd expect that to work. I see mention in the docs of optionally requiring that a peer certificate include a particular value in its nsCertType extension (support for that's not currently planned AFAIK), or a particular value in its extendedKeyUsage (EKU) extension (there's a ticket [1] for supporting that), but you're not setting such a requirement above.

> - How about the Diffie Hellman parameters?
> - Is dh2048.pem just a bunch of shared primes that enable the two parties to establish encryption together?

Yes to both. I'm going by the PKI section of the howto [2] and the man page here.

> - Is it bad if this file is compromised?

The howto and man pages say it's not required to be kept secret, and the secrecy of a key that's generated using DH key agreement doesn't depend on the parameters being kept secret, so I'd say no.

HTH,

Nalin

[1] https://fedorahosted.org/freeipa/ticket/2915
[2] https://openvpn.net/index.php/open-source/documentation/howto.html#pki
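An added example, not code from this thread, OpenVPN or FreeIPA, for the dh2048.pem questions answered above (and repeated in Andrew's later reply): the file is a PEM "DH PARAMETERS" block wrapping a DER SEQUENCE of two INTEGERs, the prime p and the generator g, and both are public by design. Only the two private exponents chosen at connection time are secret, so a leaked dh file costs nothing. What an operator should check instead is that the file is a valid group (p prime, (p-1)/2 prime so there are no small subgroups, g strictly between 1 and p-1). The script generates such a group, writes and re-reads it in the dh2048.pem encoding, validates it, and runs one agreement. The 256-bit size and the fixed RNG seed are constructed for a fast, reproducible demo; OpenVPN's howto uses 2048 bits, and newer releases can use ECDH with "dh none" instead of a file.

```python
"""Added example (not from the thread, OpenVPN or FreeIPA): generate, encode,
parse, validate and use DH parameters as found in OpenVPN's dh2048.pem."""

import base64
import random


def is_probable_prime(n, rounds=16, rng=random):
    """Miller-Rabin after trial division by the first few primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits, rng):
    """p = 2q + 1 with q prime, the shape 'openssl dhparam' produces (g = 2)."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q, rng=rng) and is_probable_prime(p, rng=rng):
            return p


def validate_dh_params(p, g):
    """Checks worth running on any dh file before deploying it."""
    if not is_probable_prime(p):
        return 'p is not prime'
    if not is_probable_prime((p - 1) // 2):
        return 'p is not a safe prime'        # small subgroups would exist
    if not 1 < g < p - 1:
        return 'g is not a valid generator'   # g=1 or g=p-1 spans 1 or 2 elements
    return 'ok'


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, 'big')
    if b[0] & 0x80:
        b = b'\x00' + b                        # keep the INTEGER positive
    return b'\x02' + _der_len(len(b)) + b


def encode_dh_pem(p, g):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    body = _der_int(p) + _der_int(g)
    der = b'\x30' + _der_len(len(body)) + body
    b64 = base64.encodebytes(der).decode().replace('\n', '')
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return '-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n' % '\n'.join(lines)


def _der_read(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_dh_pem(text):
    der = base64.b64decode(''.join(l for l in text.splitlines() if not l.startswith('-----')))
    tag, seq, _ = _der_read(der, 0)
    assert tag == 0x30, 'expected SEQUENCE'
    tag_p, p_bytes, pos = _der_read(seq, 0)
    tag_g, g_bytes, _ = _der_read(seq, pos)
    assert tag_p == tag_g == 0x02, 'expected two INTEGERs'
    return int.from_bytes(p_bytes, 'big'), int.from_bytes(g_bytes, 'big')


def dh_exchange(p, g, rng):
    """A and B cross the wire in clear together with p and g; only a and b
    are private, and an eavesdropper is left with a discrete-log problem."""
    a, b = rng.randrange(2, p - 2), rng.randrange(2, p - 2)
    A, B = pow(g, a, p), pow(g, b, p)
    return pow(B, a, p), pow(A, b, p)          # server's and client's shared secret


def demo(bits=256, seed=2015):
    rng = random.Random(seed)                  # fixed seed: reproducible demo only
    p = generate_safe_prime(bits, rng)
    pem = encode_dh_pem(p, 2)                  # what dh2048.pem looks like, at toy size
    p2, g2 = decode_dh_pem(pem)
    server_secret, client_secret = dh_exchange(p2, g2, rng)
    return {'bits': p.bit_length(), 'roundtrip': (p2, g2) == (p, 2),
            'status': validate_dh_params(p2, g2),
            'agree': server_secret == client_secret, 'pem': pem}


if __name__ == '__main__':
    result = demo()
    print(result['pem'])
    print({k: v for k, v in result.items() if k != 'pem'})
```

validate_dh_params is the part to keep: point decode_dh_pem at a real dh2048.pem and the same three checks apply, just slower in pure Python. The exchange shows why secrecy of the file is irrelevant; the two ends derive the same secret from public p, g, A, B and their own private exponent only.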
Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.
On 04/01/2015 06:52 PM, Janelle wrote:
> On 4/1/15 9:32 AM, Ben .T.George wrote:
>> Hi
>>
>> I have re-installed everything from RHEL 7.1 DVD and the current ipa version is 4.0.1. Everything is working including AD trust, but my web interface always gives "Your session has expired. Please re-login."
>>
>> I faced the issue before; that time I destroyed the Kerberos ticket (kdestroy) and initiated again (kinit admin). After that it worked. But now I did all the exercises and it is still not working.
>>
>> Please, has anyone solved this issue? Or is this a known bug?
>>
>> If I open the page from the Chrome browser, I am getting another login screen like an .htaccess login. If I give the password, it reappears again.
>>
>> Regards,
>> Ben
>
> On a related note to browser issues -- has anyone else seen a user log in to change their PW, in any browser - from Chrome, to Firefox, etc., and with the exception of the top portion of the screen, the details of the user account are blank (white screen below main header)? They can still use the pull down to reset the PW, but everything else seems to be missing.

If you give us a screenshot, Apache error_log and access_log, we should be able to see where the problem is. Did the person try to connect to the FreeIPA public demo, to see if it is caused by the browser?

https://ipa.demo1.freeipa.org/ipa/ui/

> I have also seen this "Session expired" even when not using a kerberized browser, so if there is a solution -- looking forward to it.

When the browser is not configured for Kerberos, you should still be able to log in with login+password. If not, it is a bug. Note that we require cookies, see potential caveats in http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI
Re: [Freeipa-users] Setup of freeipa 4.1.3 failed
On 4/1/2015 2:29 AM, Martin Kosek wrote:
> On 03/31/2015 07:58 PM, Dmitri Pal wrote:
>> On 03/31/2015 01:54 PM, Markus Roth wrote:
>>> Hi all,
>>>
>>> I want to set up freeipa 4.1.3 on a freshly installed Fedora 21. The ipa-server-install shows the following output:
>>>
>>>     ...
>>>     Done configuring directory server (dirsrv).
>>>     Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>       [1/27]: creating certificate server user
>>>       [2/27]: configuring certificate server instance
>>>       [3/27]: stopping certificate server instance to update CS.cfg
>>>       [4/27]: backing up CS.cfg
>>>       [5/27]: disabling nonces
>>>       [6/27]: set up CRL publishing
>>>       [7/27]: enable PKIX certificate path discovery and validation
>>>       [8/27]: starting certificate server instance
>>>       [error] RuntimeError: CA did not start in 300.0s
>>>     CA did not start in 300.0s
>>>
>>> The ipa server install log shows this:
>>>
>>>     2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
>>>     2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
>>>     ...
>>>
>>> I uninstalled the ipa server completely several times and installed it again. But it always stops at the same step with the setup. Can anybody help?
>>>
>>> Markus.
>>
>> Please provide install logs, and look at directory server and PKI server logs created during the installation. It seems that Dogtag did not start. It usually does not start when the DS under it does not start. The logs would show that. DS does not start because of different issues. Can't bind to the port, for example. So please review the logs and see what they reveal. This might help you with details: http://www.freeipa.org/page/Troubleshooting
>
> +1. CCing Dogtag guys for reference.

Based on the IPA install log alone it looks like the DS is already started, and Dogtag is already started too in step [3/27]. It's the restart on step [8/27] that is failing. We will need to see the Dogtag debug log in order to know if Dogtag is indeed failing to restart or the installer for some reason cannot connect to Dogtag.

-- 
Endi S. Dewata
Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.
everything is default. but now the issue is solved after many restarts, kinit, ipactl restart. still don't know how it got fixed

Regards,
Ben

On Wed, Apr 1, 2015 at 8:31 PM, Nalin Dahyabhai na...@redhat.com wrote:
> On Wed, Apr 01, 2015 at 07:45:10PM +0300, Ben .T.George wrote:
>> HI
>>
>> yes i have cleared the cache. tried from different browsers, tried from a portable browser, configured the kerberos plugin in firefox
>>
>> this is what i got from inspect: http://s9.postimg.org/51c5809xr/kerb.jpg
>
> Just to be sure, the policies for ticket lifetimes are still set to their defaults, right?
>
> Is there anything in the server-side logs (/var/log/krb5kdc.log, /var/log/httpd/error_log) that might shed some light on things, perhaps after having set debug=True in the [global] section of the server's /etc/ipa/default.conf and restarted the httpd service?
>
> Nalin
Re: [Freeipa-users] RHEL 5 client?
On 01/Apr/2015 19:36 Rob Crittenden rcrit...@redhat.com wrote:
> Guertin, David S. wrote:
>> I've just set up an IPA domain that is working with our RHEL 6 clients. (The servers are running RHEL 7.) But about half of our Linux servers are running RHEL 5, and I'd like to be able to add these as clients as well. Unfortunately I haven't been able to get it working. Before I get too deep into debugging and log files, is this even possible? The documentation that I've been able to find is unclear on this.
>>
>> So far I've been looking at this thread:
>>
>> https://www.redhat.com/archives/freeipa-users/2013-July/msg00277.html
>>
>> and this document:
>>
>> https://www.freeipa.org/page/FreeIPAv1:ConfiguringRhelClients#Configuring_RHEL_5_as_an_IPA_Client
>>
>> but without much success. Is there documentation somewhere that describes the procedure, if indeed one exists?
>
> The 5.x ipa-client should work fine. What isn't working?
>
> rob

I would go with the identity mgmt guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Configuring_Identity_Management/index.html

And in particular chapter 2:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Configuring_Identity_Management/setting-up-clients.html

I don't think it requires a rhel 5.x ipa server.

Hih,
Gianluca
Re: [Freeipa-users] RHEL 5 client?
> The 5.x ipa-client should work fine. What isn't working?

I cannot SSH in as an AD user. (Sorry, I should have mentioned that in my original post.) The client installs without errors, and I can get a Kerberos ticket for the admin user. But when I try to SSH in as an AD domain user, the login fails:

    $ ssh -l 'MIDD\juser' yakko.ipa
    Red Hat Enterprise Linux Server release 5.11 (Tikanga)
    Kernel 2.6.18-402.el5 on an x86_64
    Password:
    Password:
    Password:
    MIDD\ju...@yakko.ipa's password:
    Received disconnect from 140.233.1.100: 2: Too many authentication failures for MIDD\\juser

And on the client, with debug_level = 10 for sssd, /var/log/sssd/sssd_nss.log shows:

    (Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache
    (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No results for getpwnam call
    (Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue
    (Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
    (Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
    (Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
    (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\juser] from [ALL]
    (Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\juser]
    (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache)
    (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\juser], fail!

There's a trust relationship set up between the IPA domain and the AD domain, but it's like the RHEL 5 client doesn't know about it. Did I miss something?

David Guertin
Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.
On 04/01/2015 07:46 PM, Ben .T.George wrote:
> everything is default. but now the issue is solved after many restarts, kinit, ipactl restart. still don't know how it got fixed

We collected all known potential issues that can have this behavior on this page:

http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

I wonder what it is in your case.
Re: [Freeipa-users] freeipa behind a load balancer
Hi,

I'm not giving up on this, so I'm testing.

I'm unsure at the moment about the keytab. The keytab is normally for the user that needs to be able to do stuff, but in this case we need one for the loadbalancer name or the client, maybe combined? I lost that overview... would be nice to get some advice here.

Thanks!

Matt

2015-03-31 21:23 GMT+02:00 Matt . yamakasi@gmail.com:
> OK, but we need to do this using IPA or (as IPA does some things differently it seems).
>
> Anyone testing this perhaps? (/me is multitasking atm)
>
> 2015-03-31 20:22 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
>> Brendan Kearney wrote:
>>> On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
>>>> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
>>>>> But IPA is more complex and some operations will be performed directly against the specific server name, so you need to keep 2 sets of keys (one for the server name and one for the load balancer name), but that does not work right now.
>>>>
>>>> One experiment that can be done is to remove all per-server HTTP services for the IPA server, and instead add their name as aliases on the common load-balancer name. This would mean that all IPA servers would have just one key in their HTTP keytab, but the KDC would release tickets readable by that key for any name the clients may ask for. It is a bit tricky, every time you build a replica you want to load-balance you'll have to go back and remove the service and switch keytabs, but it may be an option. Of course if you brick IPA then you get to keep the pieces :-)
>>>>
>>>> Simo.
>>>
>>> careful there, as kerberos balks at CNAME records. i think you need to use A records. i ran into a couple odd issues and decided to only use A/PTR records for my stuff and never went exploring for options/alternatives.
>>
>> Not DNS aliases, Kerberos principal aliases.
>>
>> rob
Re: [Freeipa-users] Openvpn and Certificates
On 1 April 2015 at 20:02, Nalin Dahyabhai na...@redhat.com wrote:
> On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
>> I understand from previous discussions that client certificates are not yet supported in FreeIPA; instead I understand one can use service certificates. From an OpenVPN standpoint I'm guessing this is fine because a vpn client can be entered in Freeipa as a client and a certificate generated for it. This might actually be a preferred model for VPN.
>>
>> My OVPN server config looks like this:
>>
>> ca ca.crt
>> cert server.crt
>> key server.key
>> # Diffie hellman parameters.
>> dh dh2048.pem
>>
>> I guess I can use the "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r" command to generate the server.crt and private.key, and I know where to find ca.crt, however:
>
> Unless there are other requirements on the contents of the certificate, I'd expect that to work.

ipa service-add-host --hosts ipa.domain.de client/andrews-macbook-air.local.domain.de

ipa-getcert request -f /var/lib/certmonger/requests/Andrews-MacBook-Air.local.crt -k /var/lib/certmonger/requests/Andrews-MacBook-Air.local.key -N CN=andrews-macbook-air.local.domain.de -D andrews-macbook-air.local.domain.de -K client/andrews-macbook-air.local.domain...@domain.de

-- Then shuffle the keys and certs around --
-- Restart OpenVPN --

And et voila! It works! Although it does feel a bit hacky :)

The GUI has some weird advice that did not make much sense when I did:

Actions - New Certificate:

Issue New Certificate for Host andrews-macbook-air.local.domain.de

Create a certificate database or use an existing one.

To create a new database:
# certutil -N -d <database path>

Create a CSR with subject CN=<hostname>,O=<realm>, for example:
# certutil -R -d <database path> -a -g <key size> -s 'CN=andrews-macbook-air.local.otternetworks.de,O=OTTERNETWORKS.DE'

Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below:

> I see mention in the docs of optionally requiring that a peer certificate include a particular value in its nsCertType extension (support for that's not currently planned AFAIK), or a particular value in its extendedKeyUsage (EKU) extension (there's a ticket [1] for supporting that), but you're not setting such a requirement above.
>
>> - How about the Diffie hellman parameters?
>> - Is dh2048.pem just a bunch of shared primes that enable the two parties to establish encryption together?
>
> Yes to both. I'm going by the PKI section of the howto [2] and the man page here.
>
>> - Is it bad if this file is compromised?
>
> The howto and man pages say it's not required to be kept secret, and the secrecy of a key that's generated using DH key agreement doesn't depend on the parameters being kept secret, so I'd say no.
>
> HTH,
>
> Nalin
>
> [1] https://fedorahosted.org/freeipa/ticket/2915
> [2] https://openvpn.net/index.php/open-source/documentation/howto.html#pki
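The DH-parameter question in that exchange can be checked directly: dh2048.pem carries only the public prime p and generator g (a PKCS#3 DHParameter, i.e. a DER SEQUENCE of two INTEGERs, PEM-wrapped), so anyone can parse and sanity-check it without touching a private key. The Python below is an added example, not code from the thread, from FreeIPA or from OpenVPN: it encodes and parses that PEM format with a minimal DER reader and reports whether p is a safe prime of the expected size and g is in range. The sample parameters (p = 1019, g = 2) are constructed and deliberately tiny so the check runs instantly; the min_bits argument and all function names are the example's own.

```python
"""Parse and sanity-check an OpenVPN 'dh dh2048.pem' parameter file.

Added example, not code from the thread, FreeIPA or OpenVPN. The file is a
PKCS#3 DHParameter: DER SEQUENCE { INTEGER p, INTEGER g }, PEM-wrapped.
Everything in it is public, so it can be inspected and validated freely.
The sample values at the bottom are constructed (tiny) for a fast run.
"""
import base64
import random
from typing import List, Tuple

PEM_HEADER = "-----BEGIN DH PARAMETERS-----"
PEM_FOOTER = "-----END DH PARAMETERS-----"


def _der_len(n: int) -> bytes:
    """DER length: short form below 0x80, otherwise 0x80|count + big-endian."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p: int, g: int) -> str:
    """Build a PEM 'DH PARAMETERS' blob from p and g (used here for samples)."""
    seq = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq)) + seq
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem: str) -> Tuple[int, int]:
    """Return (p, g) from PEM DH parameters text."""
    if PEM_HEADER not in pem or PEM_FOOTER not in pem:
        raise ValueError("not a PEM DH PARAMETERS block")
    inside = pem.split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
    der = base64.b64decode("".join(inside.split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, nxt = _read_tlv(seq, 0)
    tag2, g_bytes, _ = _read_tlv(seq, nxt)
    if tag != 0x02 or tag2 != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)  # fixed seed keeps the check reproducible
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(pem: str, min_bits: int = 2048) -> List[str]:
    """Return findings about the group; an empty list means it looks sane."""
    p, g = parse_dh_params(pem)
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"prime is only {p.bit_length()} bits (< {min_bits})")
    if not is_probable_prime(p):
        findings.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("p is not a safe prime ((p-1)/2 is composite)")
    if not 1 < g < p - 1:
        findings.append("generator out of range")
    return findings


# Constructed sample: 1019 is a safe prime (509 is prime), generator 2.
TOY_PEM = encode_dh_params(1019, 2)
```

Running check_dh_params on a real dh2048.pem returns an empty list when p is a 2048-bit safe prime; the Miller-Rabin rounds on a 2048-bit modulus take a few seconds in pure Python. A failing check has nothing to do with the file having been "compromised" in the secrecy sense asked about above, but a composite modulus or a non-safe prime weakens the key agreement itself, which is the property worth verifying before deploying the file.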
Re: [Freeipa-users] Unexpected IPA Crashes
In regards to the hangs in the Directory Server that were observed, it seems related to thread 15 that is polling, waiting for something to come through the pipe which never happens. The default poll timeout is 180 (or 30 minutes!). Reducing this timeout should resolve the hang.

Example:

# ldapmodify -p PORT -h HOST -D "cn=directory manager" -w PASSWORD
dn: cn=config
changetype: modify
replace: nsslapd-ioblocktimeout
nsslapd-ioblocktimeout: 1

press enter twice, then control-D

This should be done for all the Directory Servers in your deployment.

Regards,
Mark

On 03/26/2015 06:18 PM, David Kreuter wrote:
> We have been using FreeIPA for two years and were more than happy. But for two weeks we have been facing unexpected crashes and cannot really debug the strange behaviours. The crashes are definitely not caused by connecting a new system or changing the LDAP schema heavily.
>
> The following IPA is used:
>
> Name: ipa-server
> Arch: x86_64
> Version: 3.3.3
> Release: 28.0.1.el7.centos.3
> Size: 4.1 M
>
> I have followed the troubleshooting guide http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#Troubleshooting and activated logging and activated core dumping. Unfortunately, I cannot provide you any core dump, because it is not created after the ipa server crashes.
>
> I'm sure the dirsrv is causing the problem, because when I restart the 389, then ipa works fine for a while. Currently I have activated the replication log level 8192. The error log shows no suspicious error or any fatal error.
>
> The following 389* versions are used:
>
> Installed Packages
> 389-ds-base.x86_64 1.3.3.1-15.el7_1 @/389-ds-base-1.3.3.1-15.el7_1.x86_64
> 389-ds-base-debuginfo.x86_64 1.3.1.6-26.el7_0 @base-debuginfo
> 389-ds-base-libs.x86_64 1.3.3.1-15.el7_1
>
> Can you please provide some hint how I can debug this problem in more detail.
>
> Btw, the ipa infrastructure consists of one master and one replica. The server was also crashing when the replica server was turned off.
>
> Do you think an upgrade would solve the problem as the last resort?
Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.
HI

yes i have cleared cache. tried from different browsers, tried from portable browser, configured kerberos plugin in firefox

this is what i got from inspect:

http://s9.postimg.org/51c5809xr/kerb.jpg

Regards,
Ben

On Wed, Apr 1, 2015 at 7:35 PM, Dmitri Pal d...@redhat.com wrote:
> On 04/01/2015 12:32 PM, Ben .T.George wrote:
>> Hi
>>
>> I have re-installed everything from RHEL 7.1 DVD and current ipa version is 4.0.1
>>
>> everything is working including AD trust. but my web interface is always giving "Your session has expired. Please re-login."
>>
>> i faced the issue before; that time i destroyed the kerberos ticket (kdestroy) and initiated again (kinit admin). after that it worked. but now i did all the exercises and still not working
>>
>> please, has anyone solved this issue? or is this a known bug?
>>
>> if i open the page from chrome browser, i am getting another login screen like .htaccess login. If i give the password, it re-appears again
>>
>> Regards,
>> Ben
>
> Have you cleaned your browser cache data?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] Setup of freeipa 4.1.3 failed
On 4/1/2015 4:29 PM, Markus Roth wrote:
> On Wednesday, 1 April 2015, 16:04:54 you wrote:
>> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
>>> On 03/31/2015 01:54 PM, Markus Roth wrote:
>>>> Hi all,
>>>> I want to setup freeipa 4.1.3 on a fresh installed fedora 21.
>>>> The ipa-server-install shows the following output:
>>>> ...
>>>> Done configuring directory server (dirsrv).
>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>>   [1/27]: creating certificate server user
>>>>   [2/27]: configuring certificate server instance
>>>>   [3/27]: stopping certificate server instance to update CS.cfg
>>>>   [4/27]: backing up CS.cfg
>>>>   [5/27]: disabling nonces
>>>>   [6/27]: set up CRL publishing
>>>>   [7/27]: enable PKIX certificate path discovery and validation
>>>>   [8/27]: starting certificate server instance
>>>>   [error] RuntimeError: CA did not start in 300.0s
>>>> CA did not start in 300.0s
>>>>
>>>> The ipa server install log shows this:
>>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
>>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
>>>> ...
>>>>
>>>> I uninstalled the ipa server completely several times and installed it again. But it always stops at the same step with the setup.
>>>> Can anybody help?
>>>
>>> Based on the IPA install log alone it looks like the DS is already started, and the Dogtag is already started too in step [3/27]. It's the restart on step [8/27] that is failing. We will need to see the Dogtag debug log in order to know if Dogtag is indeed failing to restart or the installer for some reason cannot connect to Dogtag.
>>
>> Hi Markus,
>>
>> Based on the logs that you sent me, the Dogtag took a really long time to start:
>>
>> INFORMATION: Server startup in 739700 ms
>>
>> More than half of that time was spent starting the CA subsystem alone:
>>
>> INFORMATION: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms
>>
>> The whole (failed) IPA installation took about 38 minutes. Is this correct?
>>
>> It's possible the system was running out of entropy. You might want to install haveged or rngd. See:
>> http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/
>> https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged
>>
>> However, the system seems to be running very slowly in general. How powerful is this machine?
>
> Hi Endi
> the system is a banana pi system. Seems that this ARM CPU based system isn't suitable for FreeIPA

The installation might still succeed if IPA doesn't have the 300s time limit. If you want to try, you probably can specify a larger startup_timeout in ~/.ipa/default.conf, or change the code in ipaplatform/redhat/services.py to wait indefinitely, and see what happens. I don't know if it will be usable though.

--
Endi S. Dewata
Re: [Freeipa-users] Setup of freeipa 4.1.3 failed
On Wednesday, 1 April 2015, 16:56:51 Endi Sukma Dewata wrote:
> On 4/1/2015 4:29 PM, Markus Roth wrote:
>> On Wednesday, 1 April 2015, 16:04:54 you wrote:
>>> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
>>>> On 03/31/2015 01:54 PM, Markus Roth wrote:
>>>>> Hi all,
>>>>> I want to setup freeipa 4.1.3 on a fresh installed fedora 21.
>>>>> The ipa-server-install shows the following output:
>>>>> ...
>>>>> Done configuring directory server (dirsrv).
>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>>>   [1/27]: creating certificate server user
>>>>>   [2/27]: configuring certificate server instance
>>>>>   [3/27]: stopping certificate server instance to update CS.cfg
>>>>>   [4/27]: backing up CS.cfg
>>>>>   [5/27]: disabling nonces
>>>>>   [6/27]: set up CRL publishing
>>>>>   [7/27]: enable PKIX certificate path discovery and validation
>>>>>   [8/27]: starting certificate server instance
>>>>>   [error] RuntimeError: CA did not start in 300.0s
>>>>> CA did not start in 300.0s
>>>>>
>>>>> The ipa server install log shows this:
>>>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
>>>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
>>>>> ...
>>>>>
>>>>> I uninstalled the ipa server completely several times and installed it again. But it always stops at the same step with the setup.
>>>>> Can anybody help?
>>>>
>>>> Based on the IPA install log alone it looks like the DS is already started, and the Dogtag is already started too in step [3/27]. It's the restart on step [8/27] that is failing. We will need to see the Dogtag debug log in order to know if Dogtag is indeed failing to restart or the installer for some reason cannot connect to Dogtag.
>>>
>>> Hi Markus,
>>>
>>> Based on the logs that you sent me, the Dogtag took a really long time to start:
>>>
>>> INFORMATION: Server startup in 739700 ms
>>>
>>> More than half of that time was spent starting the CA subsystem alone:
>>>
>>> INFORMATION: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms
>>>
>>> The whole (failed) IPA installation took about 38 minutes. Is this correct?
>>>
>>> It's possible the system was running out of entropy. You might want to install haveged or rngd. See:
>>> http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/
>>> https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged
>>>
>>> However, the system seems to be running very slowly in general. How powerful is this machine?
>>
>> Hi Endi
>> the system is a banana pi system. Seems that this ARM CPU based system isn't suitable for FreeIPA
>
> The installation might still succeed if IPA doesn't have the 300s time limit. If you want to try, you probably can specify a larger startup_timeout in ~/.ipa/default.conf, or change the code in ipaplatform/redhat/services.py to wait indefinitely, and see what happens. I don't know if it will be usable though.

I will try it in the next days. I'll give feedback on whether IPA is suitable as a small server (four users).
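Endi's suggestion in this thread amounts to two things: give the installer a longer startup_timeout, and find out why the CA is so slow (entropy starvation on the Banana Pi being the prime suspect). The Python below is an added example, not FreeIPA's installer code: it reads startup_timeout from INI-style default.conf text (the [global] section and the key name follow Endi's suggestion; whether IPA honours that key is an assumption here), falls back to the 300 s that produced the "CA did not start in 300.0s" error, polls a readiness probe until it passes or the deadline expires, and reports the kernel's entropy pool size on Linux. The slow daemon and the clock are constructed stand-ins so the run is deterministic and offline.

```python
"""Wait for a slow-starting service with a configurable deadline.

Added example (not FreeIPA's own installer code). Assumptions: the config
key 'startup_timeout' under [global] in ~/.ipa/default.conf, as suggested
in the thread; the slow daemon and the clock are constructed stand-ins.
"""
import configparser
import os
import time
from typing import Callable, Optional, Tuple

# The installer's message was "CA did not start in 300.0s"; keep that default.
DEFAULT_STARTUP_TIMEOUT = 300.0
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"


def read_startup_timeout(config_text: str) -> float:
    """Return [global] startup_timeout from default.conf text, else 300 s."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    return cfg.getfloat("global", "startup_timeout",
                        fallback=DEFAULT_STARTUP_TIMEOUT)


def wait_for_ready(is_ready: Callable[[], bool], timeout: float,
                   interval: float = 1.0,
                   clock: Callable[[], float] = time.monotonic,
                   sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, int]:
    """Poll is_ready() every `interval` s until True or the deadline passes.

    Returns (ready, number_of_polls). The first poll happens immediately,
    so a service that is already up costs no waiting at all.
    """
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        if is_ready():
            return True, polls
        if clock() >= deadline:
            return False, polls
        sleep(interval)


def entropy_available() -> Optional[int]:
    """Bits currently in the kernel entropy pool (Linux only); None elsewhere."""
    if not os.path.exists(ENTROPY_AVAIL):
        return None
    with open(ENTROPY_AVAIL) as fh:
        return int(fh.read().strip())


class FakeClock:
    """Constructed clock so the example runs without real sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def monotonic(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


class SlowStarter:
    """Constructed daemon that only reports ready on its N-th status poll."""

    def __init__(self, polls_needed: int) -> None:
        self.polls_needed = polls_needed
        self.polls = 0

    def is_ready(self) -> bool:
        self.polls += 1
        return self.polls >= self.polls_needed


def simulate_install_wait(config_text: str, polls_needed: int,
                          interval: float = 30.0) -> Tuple[bool, int, float]:
    """Run the wait against the fake clock; return (ready, polls, elapsed_s)."""
    clock = FakeClock()
    daemon = SlowStarter(polls_needed)
    ready, polls = wait_for_ready(daemon.is_ready,
                                  read_startup_timeout(config_text),
                                  interval, clock.monotonic, clock.sleep)
    return ready, polls, clock.now


if __name__ == "__main__":
    # A CA that needs 50 polls at 30 s (about 25 minutes, close to the
    # 739700 ms startup in the thread) fails the 300 s default but passes
    # once startup_timeout is raised.
    print(simulate_install_wait("[global]\n", 50))
    print(simulate_install_wait("[global]\nstartup_timeout = 1800\n", 50))
    print("entropy_avail:", entropy_available())
```

Raising the timeout only hides the symptom; entropy_available() dropping to a few hundred bits while Dogtag is generating its keys is the signal that haveged or rngd is the real fix, which is the order Endi's advice follows.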
Re: [Freeipa-users] Setup of freeipa 4.1.3 failed
On Wednesday, 1 April 2015, 16:04:54 you wrote:
> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
>> On 03/31/2015 01:54 PM, Markus Roth wrote:
>>> Hi all,
>>> I want to setup freeipa 4.1.3 on a fresh installed fedora 21.
>>> The ipa-server-install shows the following output:
>>> ...
>>> Done configuring directory server (dirsrv).
>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>   [1/27]: creating certificate server user
>>>   [2/27]: configuring certificate server instance
>>>   [3/27]: stopping certificate server instance to update CS.cfg
>>>   [4/27]: backing up CS.cfg
>>>   [5/27]: disabling nonces
>>>   [6/27]: set up CRL publishing
>>>   [7/27]: enable PKIX certificate path discovery and validation
>>>   [8/27]: starting certificate server instance
>>>   [error] RuntimeError: CA did not start in 300.0s
>>> CA did not start in 300.0s
>>>
>>> The ipa server install log shows this:
>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
>>> ...
>>>
>>> I uninstalled the ipa server completely several times and installed it again. But it always stops at the same step with the setup.
>>> Can anybody help?
>>
>> Based on the IPA install log alone it looks like the DS is already started, and the Dogtag is already started too in step [3/27]. It's the restart on step [8/27] that is failing. We will need to see the Dogtag debug log in order to know if Dogtag is indeed failing to restart or the installer for some reason cannot connect to Dogtag.
>
> Hi Markus,
>
> Based on the logs that you sent me, the Dogtag took a really long time to start:
>
> INFORMATION: Server startup in 739700 ms
>
> More than half of that time was spent starting the CA subsystem alone:
>
> INFORMATION: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms
>
> The whole (failed) IPA installation took about 38 minutes. Is this correct?
>
> It's possible the system was running out of entropy. You might want to install haveged or rngd. See:
> http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/
> https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged
>
> However, the system seems to be running very slowly in general. How powerful is this machine?

Hi Endi

the system is a banana pi system. Seems that this ARM CPU based system isn't suitable for FreeIPA
[Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.
Hi

I have re-installed everything from RHEL 7.1 DVD and current ipa version is 4.0.1

everything is working including AD trust. but my web interface is always giving "Your session has expired. Please re-login."

i faced the issue before; that time i destroyed the kerberos ticket (kdestroy) and initiated again (kinit admin). after that it worked. but now i did all the exercises and still not working

please, has anyone solved this issue? or is this a known bug?

if i open the page from chrome browser, i am getting another login screen like .htaccess login. If i give the password, it re-appears again

Regards,
Ben
Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.
HI

i have checked from chrome and got 401 error:

This is exactly what i reported 3 weeks back :(

http://s1.postimg.org/41ik3o1hr/kerb.jpg

Regards,
Ben

On Wed, Apr 1, 2015 at 7:45 PM, Ben .T.George bentech4...@gmail.com wrote:
> HI
>
> yes i have cleared cache. tried from different browsers, tried from portable browser, configured kerberos plugin in firefox
>
> this is what i got from inspect:
>
> http://s9.postimg.org/51c5809xr/kerb.jpg
>
> Regards,
> Ben
>
> On Wed, Apr 1, 2015 at 7:35 PM, Dmitri Pal d...@redhat.com wrote:
>> On 04/01/2015 12:32 PM, Ben .T.George wrote:
>>> Hi
>>>
>>> I have re-installed everything from RHEL 7.1 DVD and current ipa version is 4.0.1
>>>
>>> everything is working including AD trust. but my web interface is always giving "Your session has expired. Please re-login."
>>>
>>> i faced the issue before; that time i destroyed the kerberos ticket (kdestroy) and initiated again (kinit admin). after that it worked. but now i did all the exercises and still not working
>>>
>>> please, has anyone solved this issue? or is this a known bug?
>>>
>>> if i open the page from chrome browser, i am getting another login screen like .htaccess login. If i give the password, it re-appears again
>>>
>>> Regards,
>>> Ben
>>
>> Have you cleaned your browser cache data?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
Re: [Freeipa-users] Setup of freeipa 4.1.3 failed
On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
> On 03/31/2015 01:54 PM, Markus Roth wrote:
>> Hi all,
>> I want to setup freeipa 4.1.3 on a fresh installed fedora 21.
>> The ipa-server-install shows the following output:
>> ...
>> Done configuring directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>   [1/27]: creating certificate server user
>>   [2/27]: configuring certificate server instance
>>   [3/27]: stopping certificate server instance to update CS.cfg
>>   [4/27]: backing up CS.cfg
>>   [5/27]: disabling nonces
>>   [6/27]: set up CRL publishing
>>   [7/27]: enable PKIX certificate path discovery and validation
>>   [8/27]: starting certificate server instance
>>   [error] RuntimeError: CA did not start in 300.0s
>> CA did not start in 300.0s
>>
>> The ipa server install log shows this:
>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
>> ...
>>
>> I uninstalled the ipa server completely several times and installed it again. But it always stops at the same step with the setup.
>> Can anybody help?
>
> Based on the IPA install log alone it looks like the DS is already started, and the Dogtag is already started too in step [3/27]. It's the restart on step [8/27] that is failing. We will need to see the Dogtag debug log in order to know if Dogtag is indeed failing to restart or the installer for some reason cannot connect to Dogtag.

Hi Markus,

Based on the logs that you sent me, the Dogtag took a really long time to start:

INFORMATION: Server startup in 739700 ms

More than half of that time was spent starting the CA subsystem alone:

INFORMATION: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms

The whole (failed) IPA installation took about 38 minutes. Is this correct?

It's possible the system was running out of entropy. You might want to install haveged or rngd. See:
http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/
https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged

However, the system seems to be running very slowly in general. How powerful is this machine?

--
Endi S. Dewata
[Freeipa-users] IPA and geographically distributed masters
Hi,

Would IPA have issues if one master is on one side of the Pacific (New Zealand) and another in the USA?

regards

Steven J
Re: [Freeipa-users] IPA and geographically distributed masters
We have multiple distributed replicas running in the following locations:

East coast AMER
West coast AMER
London EMEA

and have had no issues with replication or performance. (max ping is about 120ms)

Will Sheldon

On April 1, 2015 at 3:50:23 PM, Steven Jones (steven.jo...@vuw.ac.nz) wrote:
> Hi,
>
> Would IPA have issues if one master is on one side of the Pacific (New Zealand) and another in the USA?
>
> regards
>
> Steven J