[Freeipa-users] concurrent requests to ipalib app giving network error

2016-04-21 Thread Oğuz Yarımtepe
Hi,

I have a REST API that is using the ipalib and written with Falcon.
Below is the code or you can check it online here:
http://paste.ubuntu.com/15966308/

from __future__ import print_function
from bson import json_util
import json
import falcon

from ipalib import api as ipaapi
from api.utils.utils import parse_json, check_connection
from api import settings


class Calls(object):

    #@falcon.before(check_connection)
    def on_post(self, req, resp):

        result_json = parse_json(req)
        command_name = result_json["command_name"]
        params = result_json["params"]

        # bootstrap ipalib once per process, on the first request
        if not hasattr(ipaapi.env, "conf"):
            #TODO: add kinit oguz for exceptional case
            ipaapi.bootstrap_with_global_options(context='satcloud_api')
            ipaapi.finalize()

            if ipaapi.env.in_server:
                ipaapi.Backend.ldap2.connect()
            else:
                ipaapi.Backend.rpcclient.connect()

        #import ipdb
        #ipdb.set_trace()

        command = ipaapi.Command
        command_result = getattr(command, command_name)

        #resp.set_cookie('api_status_cookie', 'True')
        if not params:
            resp.body = json.dumps(command_result())
            resp.status = falcon.HTTP_200
        else:
            if isinstance(params, dict):
                # keys containing "arg" are positional, the rest are options
                arguments = []
                kwargs = dict()
                for key, value in params.iteritems():
                    if "arg" in key:
                        arguments.append(value)
                    else:
                        kwargs[key] = value
                try:
                    dump = command_result(*arguments, **kwargs)
                except Exception as e:
                    # e.g. an ipalib error such as a duplicate entry;
                    # e.message is Python 2 only
                    resp.status = falcon.HTTP_BAD_REQUEST
                    resp.body = json.dumps({"description": e.message,
                                            "title": "Duplicate entry"})
                    #raise falcon.HTTPBadRequest(title="Duplicate entry",
                    #                            description=e,
                    #                            href=settings.__docs__)
                    return
                try:
                    #for datetime serialization problems better to use bson
                    resp.body = json.dumps(dump, default=json_util.default)
                    #resp.body = json.dumps(command_result(*arguments, **kwargs))
                except UnicodeDecodeError:
                    # dump is always bound here: the command call succeeded above
                    resp.body = json.dumps(dump, default=json_util.default,
                                           encoding='latin1')
                resp.status = falcon.HTTP_200
            else:
                dump = command_result(params)
                resp.body = json.dumps(dump, default=json_util.default)
                #resp.body = json.dumps(command_result(params))
                resp.status = falcon.HTTP_200


Basically I am making concurrent calls to this REST API and I am getting a
network error: http://paste.ubuntu.com/15966347/

ipa: INFO: Forwarding 'user_find' to json server 'https://ipa.foo.com/ipa/json'
ipa: INFO: Forwarding 'netgroup_find' to json server 'https://ipa.foo.com/ipa/json'
[pid: 5450|app: 0|req: 9/14] 10.102.235.77 () {34 vars in 463 bytes} [Thu
Apr 21 17:43:22 2016] POST /v1/ipa/calls => generated 2324 bytes in 227
msecs (HTTP/1.1 200) 8 headers in 459 bytes (1 switches on core 0)
Traceback (most recent call last):
  File "falcon/api.py", line 213, in falcon.api.API.__call__
(falcon/api.c:2521)
  File "falcon/api.py", line 182, in falcon.api.API.__call__
(falcon/api.c:2118)
  File "./api/resources/ipa/calls.py", line 38, in on_post
resp.body = json.dumps(command_result())
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in
__call__
ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 761, in
run
return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 782, in
forward
return self.Backend.rpcclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 935, in
forward
raise NetworkError(uri=server, error=e.errmsg)
ipalib.errors.NetworkError: cannot connect to 'https://ipa.foo.com/ipa/json':
Internal Server Error
[pid: 5451|app: 0|req: 3/15] 10.102.235.77 () {34 vars in 463 bytes} [Thu
Apr 21 17:43:22 2016] POST /v1/ipa/calls => generated 0 bytes in 1421 msecs
(HTTP/1.1 500) 0 headers in 0 bytes (0 switches on core 0)


This is how a concurrent request is being sent:
#!/usr/bin/env python

from multiprocessing import Process, Pool
import time
import urllib2

def millis():
    return int(round(time.time() * 1000))

def http_get(url):
    start_time = millis()
    request = urllib2.Request(url, headers={
        "Content-Type": "application/json",
        "Origin": "http://ipa.foo.com",
        "Authorization": "{'token': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzcnYiOiJpcGEuc2F0Y2xvdWQuY29tLnRyIiwic3ViIjoiMGU1ZGZkNDc3N2I2NmNhOTU3ZTc4ZmJhZjMxNjYxMmEifQ.cr8cNy7zgQkY-q7UUyTCNPCjGlmz-LCCzUYSUV9P694'}"})

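The handler above takes command_name from the request body and resolves it with getattr() against every registered IPA command, and its bootstrap-on-first-request is a check-then-act race in a threaded worker. What follows is an added example, not the poster's code and not ipalib's API, and it does not claim to explain the NetworkError in the trace: it shows a lock-guarded one-time connect and an allow-list dispatcher that keeps the post's arg/arg0 parameter convention. FakeIPA is a constructed stand-in for ipaapi.Command so the example runs offline (Python 3); the allow-list and the sample user are assumptions.

```python
"""Added example, not the poster's code and not ipalib's API.

A lock-guarded one-time backend connect plus an allow-list dispatcher for
an ipalib-style command endpoint.  FakeIPA is a constructed stand-in for
ipaapi.Command so this runs offline; the allow-list and the sample user
are assumptions made for the example.
"""
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class FakeIPA(object):
    """Stand-in for the ipalib api: counts connect() calls and offers a
    couple of command callables (constructed for this example)."""

    def __init__(self):
        self.connect_calls = 0
        self._users = {"alice": {"uid": "alice", "mail": "alice@example.test"}}

    def connect(self):
        time.sleep(0.01)          # make the bootstrap window real
        self.connect_calls += 1

    def user_find(self, *args, **options):
        criteria = args[0] if args else ""
        return [u for u in self._users.values() if criteria in u["uid"]]

    def netgroup_find(self, *args, **options):
        return []

    def user_del(self, *args, **options):
        raise AssertionError("must not be reachable through the API")


class CommandDispatcher(object):
    # Assumed policy: only read-only lookups are exposed.
    ALLOWED = frozenset(["user_find", "netgroup_find"])

    def __init__(self, ipa):
        self._ipa = ipa
        self._lock = threading.Lock()
        self._connected = False

    def ensure_connected(self):
        """Connect exactly once per process.  A bare hasattr(api.env, "conf")
        followed by bootstrap() is a check-then-act race under threads; the
        lock plus the second check close it."""
        if self._connected:
            return
        with self._lock:
            if not self._connected:
                self._ipa.connect()
                self._connected = True

    @staticmethod
    def split_params(params):
        """The post's convention: keys named arg, arg0, arg1, ... are
        positional, everything else is an option.  Ordered by (length, name)
        so arg2 precedes arg10."""
        if params is None:
            return (), {}
        if not isinstance(params, dict):
            return (params,), {}
        arg_keys = sorted((k for k in params if k.startswith("arg")),
                          key=lambda k: (len(k), k))
        positional = tuple(params[k] for k in arg_keys)
        options = {k: v for k, v in params.items() if not k.startswith("arg")}
        return positional, options

    def dispatch(self, command_name, params=None):
        # Check the allow-list before resolving the name: getattr() on the
        # whole registry would put user_del one POST away.
        if command_name not in self.ALLOWED:
            raise PermissionError("command not permitted: %s" % command_name)
        self.ensure_connected()
        args, options = self.split_params(params)
        return getattr(self._ipa, command_name)(*args, **options)


def run_concurrently(dispatcher, n_threads=32):
    """Fire n_threads user_find calls at once and return how many times the
    backend was connected; with the lock this is always 1."""
    with ThreadPoolExecutor(max_workers=n_threads) as pool:
        results = list(pool.map(
            lambda _: dispatcher.dispatch("user_find", {"arg0": "ali"}),
            range(n_threads)))
    assert all(r == [{"uid": "alice", "mail": "alice@example.test"}]
               for r in results)
    return dispatcher._ipa.connect_calls


if __name__ == "__main__":
    d = CommandDispatcher(FakeIPA())
    print("connect() calls after 32 concurrent requests:", run_concurrently(d))
    try:
        d.dispatch("user_del", {"arg0": "alice"})
    except PermissionError as exc:
        print(exc)
```

The dispatcher never looks a name up before the allow-list check, so an unknown or forbidden command fails closed without touching the backend.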

Re: [Freeipa-users] Account/password expirations

2016-04-21 Thread Steve Huston
On Tue, Apr 19, 2016 at 11:57 AM, Jakub Hrozek  wrote:
> Did you test that this actually fails with id_provider=ipa? I would
> assume the IPA KDC would kick you out and prompt for a new password..

If you're using a password, yes it kicks back and requires you to
change it.  The problem is if you're not using a password to
authenticate, but instead using an SSH key, then it appears there's no
hooks to check with IPA if the password (or the principal itself) is
expired and the user is allowed to continue to login.  The
"recommended" way to do this in RHEL6 is to set access_provider to
ldap in sssd, but that doesn't seem to cover all cases and doesn't
play well with other IPA things (like HBAC) from what I can tell.

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |ICBM Address: 40.346344   -74.652242
345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852  | headlong into mystery."  -Rush, 'Cygnus X-1'

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Problem with ipa-getkeytab ?

2016-04-21 Thread Günther J . Niederwimmer
Hello List,
On Thursday, 21 April 2016, 16:53:36 CEST, Günther J. Niederwimmer wrote:

Thanks for the answer ;-)

I hope this helps.
 
Thank you

-- 
Kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-04-21 Thread Alexander Bokovoy

On Thu, 21 Apr 2016, Timo Aaltonen wrote:


Howdy!

 Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1!
The biggest feature of this version is that it also supports replication
by client promotion to replica master. IPA on Debian/Ubuntu has been a
single-master thing until now..

FreeIPA is in the community-supported section of the package archive
called "universe". What this means is that it's not officially supported
by Canonical, but the community. While I and some others have tried to
poke it from every angle we can, it might still have hidden bugs that
need fixing, so feel free to try it out and report any issues you might
find on Launchpad!


ps. Debian unstable will have 4.3.1 once the package has gone through
the NEW queue because the packaging got split in certain ways

This is really exciting news!

Thanks Timo and everyone who made it possible!

--
/ Alexander Bokovoy



Re: [Freeipa-users] Account/password expirations

2016-04-21 Thread Jakub Hrozek
On Thu, Apr 21, 2016 at 01:26:19PM -0400, Steve Huston wrote:
> On Tue, Apr 19, 2016 at 11:57 AM, Jakub Hrozek  wrote:
> > Did you test that this actually fails with id_provider=ipa? I would
> > assume the IPA KDC would kick you out and prompt for a new password..
> 
> If you're using a password, yes it kicks back and requires you to
> change it.  The problem is if you're not using a password to
> authenticate, but instead using an SSH key, then it appears there's no
> hooks to check with IPA if the password (or the principal itself) is
> expired and the user is allowed to continue to login.  The
> "recommended" way to do this in RHEL6 is to set access_provider to
> ldap in sssd, but that doesn't seem to cover all cases and doesn't
> play well with other IPA things (like HBAC) from what I can tell.

Then in my opinion SSSD is behaving correctly there. It wouldn't let in
a locked user (it would check the nsaccountlock attribute), but I'm not
sure it would be correct to check krbPasswordExpiration if you're using
a completely different method to authenticate..

Moreover, if you login through an SSH key, you don't get a ticket on
login and you can't kinit, so you can't access any network resources
anyway..

But to be honest, this is something we discussed even among IPA
developers and we're not in total agreement here either, so maybe others
will overrule me :)



Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-04-21 Thread Simo Sorce
On Thu, 2016-04-21 at 22:01 +0300, Timo Aaltonen wrote:
>   Howdy!
> 
>   Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1!
> The biggest feature of this version is that it also supports replication
> by client promotion to replica master. IPA on Debian/Ubuntu has been a
> single-master thing until now..
> 
> FreeIPA is in the community-supported section of the package archive
> called "universe". What this means is that it's not officially supported
> by Canonical, but the community. While I and some others have tried to
> poke it from every angle we can, it might still have hidden bugs that
> need fixing, so feel free to try it out and report any issues you might
> find on Launchpad!
> 
> 
> ps. Debian unstable will have 4.3.1 once the package has gone through
> the NEW queue because the packaging got split in certain ways


Thanks Timo, this is awesome!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-04-21 Thread Timo Aaltonen

Howdy!

  Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1!
The biggest feature of this version is that it also supports replication
by client promotion to replica master. IPA on Debian/Ubuntu has been a
single-master thing until now..

FreeIPA is in the community-supported section of the package archive
called "universe". What this means is that it's not officially supported
by Canonical, but the community. While I and some others have tried to
poke it from every angle we can, it might still have hidden bugs that
need fixing, so feel free to try it out and report any issues you might
find on Launchpad!


ps. Debian unstable will have 4.3.1 once the package has gone through
the NEW queue because the packaging got split in certain ways

-- 
t



[Freeipa-users] Client enrolled but failed to obtain host TGT.

2016-04-21 Thread Ask Stack
Half the time ipa-client-install will fail at getting the TGT.  Google showed 
posts like, Bug 845691 – ipa-client-install Failed to obtain host TGT. I 
reduced _kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' 
'_kerberos._udp' to one server entry only. But it didn't help to reduce the 
failure rate. Thanks for your help.

client: ipa-client-3.0.0-47.el6_7.2.x86_64

server: ipa-server-3.0.0-47.el6_7.1.x86_64

ipa-client-install --hostname=client1.example.com --server=ipa-server.example.com --domain=example.com -N --mkhomedir --unattended -p ipa...@example.com -w 'password1' --ca-cert-file=/etc/ipa/ca.crt -d
..
Enrolled in IPA realm EXAMPLE.COM
args=kdestroy
stdout=
stderr=
args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials
args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials
args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials
args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials
args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials
Failed to obtain host TGT.




Re: [Freeipa-users] Username attribute in trusted domain

2016-04-21 Thread Brook, Andy [CRI]

On 4/18/16, 10:06 AM, "Jakub Hrozek"  wrote:

>On Mon, Apr 18, 2016 at 01:47:04PM +, Brook, Andy [CRI] wrote:
>> 
>> On 4/18/16, 5:03 AM, "freeipa-users-boun...@redhat.com on behalf of Jakub 
>> Hrozek"  
>> wrote:
>> 
>> >On Fri, Apr 15, 2016 at 08:01:06PM +, Brook, Andy [CRI] wrote:
>> >> We’re trying to setup FreeIPA to be a good provider of UIDs and GIDs for 
>> >> our mostly RHEL systems. Overall, that works great. The issue I’m running 
>> >> into is that we need to have the same consistent UIDs and GIDs for our 
>> >> Isilon system which serves up both CIFS and NFS. Each user of the Isilon 
>> >> needs to have a UID so that the files are owned properly. The Isilon has 
>> >> a way of getting information from both Active Directory and an associated 
>> >> LDAP server. It gets its list of users and groups from AD, a list of 
>> >> users, UIDs, groups and GIDs from LDAP, and combine accounts that are the 
>> >> same. i.e. ADTEST.LOCAL\abrook and abrook from LDAP will the same user. 
>> >> However, FreeIPA will show abrook(as it sees through the Trust 
>> >> relationship with ADTEST.LOCAL) as 
>> >> abrook@adtest.local instead of abrook, so the 
>> >> Isilon will see them as distinct accounts and won’t merge the information 
>> >> in them. I can’t, as far as I can tell right now, tell the Isilon to see 
>> >> users with @adtest.local as the same user without the domain. I can tell 
>> >> the Isilon to look at a different LDAP attribute as its username, but 
>> >> there is no attribute that has only the username.
>> >> 
>> >> I noticed in the documentation that if I were to do a sync with Active 
>> >> Directory (which isn’t something I want to do), I would get the 
>> >> ntDomainUserID attribute that is the same as the samAccountName. This 
>> >> doesn’t happen with a trust. Is there a way to get that in place with a 
>> >> custom attribute or pull more LDAP attributes from AD?
>> >> 
>> >> Has anyone else run into a situation like this? If so, were you able to 
>> >> rectify that? If so, how?
>> >> 
>> >> We have a ticket open with EMC for the Isilon as well, but want to make 
>> >> sure we’re coming at this from all the angles we can.
>> >
>> >I'm sorry, but currently overriding the attribute names for AD trusted
>> >domains is not possible. We are working to make it possible for the next
>> >version, but it's a bit of a stretch goal already, so chances are it won't
>> >be ready until the version after the next one.
>> >
>> >What might perhaps help you is that starting with upstream SSSD 1.14
>> >(upstream 7.3), it should be possible to configure SSSD to only print
>> >the shortname and not qualify the users in trusted domains.
>> >
>> 
>> Thank you. In your suggestion, are you talking about SSSD on the IPA
>> Servers? My understanding of how SSSD on the IPA servers interacts with
>> the servers that talk to them is pretty limited. If I upgrade SSSD on
>> these servers, I might be able to get LDAP to not print the qualifying
>> domain during ldapsearch?
>
>Depends on how you want to query the information, whether with "getent
>passwd $user" or ldapsearch. SSSD itself doesn't provide any data to
>ldapsearch, but provides NSS, PAM and D-Bus interfaces.
>
>And you'd have to upgrade SSSD on both clients and servers.

For the issue that I’m having, it’s not actually something with an SSSD client. 
The Isilon isn’t a server that SSSD is or can be installed on. It’s a storage 
appliance that is provided from EMC. It can, however, search LDAP for accounts 
and groups as well as connect to Active Directory. 

>
>> 
>> I’m not really asking about overriding attribute names, but rather
>> adding a new attribute that only has the shortname. Is there a way to
>> do that may through a custom NIS mapping or something like that? Maybe
>> a dynamic schema extension? I’ve tried reading through extending the
>> schema, but am currently confused as to how to go about it.
>
>It sounds like the new attribute would be added on the AD side, but at
>the moment, SSSD's attribute map for the trusted domains is hardcoded.
>
>The only way would be to query the attribute through our d-bus API.

Okay, so it’s looking like there’s no good way to do what I’m looking for. 
Essentially the issue is that the Isilon can’t quantify the domain that the 
user is logging in with, i.e. it can’t turn LDAPTEST.LOCAL\user into 
user@ldaptest.local to know that what it’s seeing from LDAP is the same as what 
it got from its active directory login. 

We’re working on another way to do what we need, but still use IPA server. Can 
you answer when IPA provisions a UID for a user in the trusted domain? If I 
were to do a ‘ldapsearch cn=users,cn=compat,dc=tst,dc=ipaexample,dc=com’ (where 
tst.ipaexample.com trusts ldaptest.local) would I see all the ldaptest.local 
users/groups with their associated generated UIDs/GIDs? 

Re: [Freeipa-users] Servers intermittently losing connection to IPA

2016-04-21 Thread Sumit Bose
On Wed, Apr 20, 2016 at 02:18:28PM -0400, Jeff Hallyburton wrote:
> Sumit,
> 
> Raised the debug level to 10 and let it run for about 24 hours.  Uploading
> the last 2000~ lines of the sssd_domain.com.log.  Thanks for your help!

Can you send the related krb5_child log file as well?

bye,
Sumit

> 
> https://pastebin.com/MD6N1Dj7
> 
> Jeff Hallyburton
> Strategic Systems Engineer
> Bloomip Inc.
> Web: http://www.bloomip.com
> 
> Engineering Support: supp...@bloomip.com
> Billing Support: bill...@bloomip.com
> Customer Support Portal:  https://my.bloomip.com 
> 
> On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton <
> jeff.hallybur...@bloomip.com> wrote:
> 
> > Sumit,
> >
> > Raised the debug level to 10 and let it run for about 24 hours.  Uploading
> > the full sssd_domain.com.log.  Thanks for your help!
> >
> > Jeff
> >
> > Jeff Hallyburton
> > Strategic Systems Engineer
> > Bloomip Inc.
> > Web: http://www.bloomip.com
> >
> > Engineering Support: supp...@bloomip.com
> > Billing Support: bill...@bloomip.com
> > Customer Support Portal:  https://my.bloomip.com 
> >
> > On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose  wrote:
> >
> >> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote:
> >> > After setting debug_level=8, this is what I see in the sssd_domain_log:
> >>
> >> Unfortunately the domain log and the krb5_child log do not relate to
> >> each other.
> >>
> >> >
> >> > (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]]
> >> [child_handler_setup]
> >> > (0x2000): Setting up signal handler up for pid [32382]
> >> >
> >>
> >> 
> >>
> >> >
> >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731 [k5c_setup_fast]
> >> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> >> > jump02.west-2.production.example@example.com]
> >> >
> >>
> >> ...
> >>
> >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731
> >> [get_and_save_tgt]
> >> > (0x0400): krb5_get_init_creds_password returned [-1765328324} during
> >> > pre-auth.
> >> >
> >> >
> >> > Can you shed any light on this?
> >> >
> >>
> >> In the domain log the child with the pid 32382 is started to run a
> >> pre-authentication request. The request is needed to find out which kind
> >> of authentication types are available for the user, e.g. password or
> >> 2-factor authentication with the OTP token. The request in the child
> >> with the PID 32731 looks like a real authentication request which returns
> >> with an error code -1765328324 which just means 'Generic error' but
> >> might have caused SSSD to go offline.
> >>
> >> I would like to ask you to run the test again with debug_level=10 in the
> >> [domain/...] section of sssd.conf which would enable some low level
> >> Kerberos tracing messages which might help to understand what kind of
> >> 'Generic error' was hit here. Additionally I would like to ask you to send
> >> the full log files as attachment or in an archive which would help me to
> >> better navigate through them.
> >>
> >> bye,
> >> Sumit
> >>
> >
> >



[Freeipa-users] Freeipa Synchronisation with AD server issues

2016-04-21 Thread ian.harper
I am following the various Fedora guides for installing Freeipa with sync of 
users/passwords from AD server.

https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-sync-agmt.html

However the documentation says "Active Directory CA certificate needs to be 
imported into the FreeIPA database" my windows colleague at head office says:

  There is no CA in XX domain, so I can't provide any certificates to 
you from there.
  This seems to be a LDAPS connection, and it will work if we use 
certificate that is trusted by both of the servers.

  I can sign the server with our internal CA and provide this to you.
  or
  We can sign both servers with Vaisala CA, and use these certificates.
  To use this setup, I'll need a CSR from IPA

  Also, you have to download and install our root and intermediate CA's to 
IPA server, so it will trust certificates signed by those.

Not being that familiar with certs and with FreeIPA I have got a bit stuck on 
what I should do in order to resolve this and get the FreeIPA up and 
synchronised to one of our AD servers. Can anyone offer some suggestions please? 
He has sent me the root and intermediate certs for the domain server.

Thanks

Ian


Re: [Freeipa-users] Servers intermittently losing connection to IPA

2016-04-21 Thread Jeff Hallyburton
Sumit,

We found a resolution for this and I'm dropping it here for posterity.
After some digging, it turns out that our ipa server and ipa replica were
returning different IPs for systems in the environment in DNS requests (one
returned internal results, one returned external results).

After resolving this our intermittent connectivity issue went away.  So it
seems that in some cases, the incorrect IP was being returned for LDAP
requests.

One additional item found here, it seems that the timeout to resolve an
address (from the sssd logs) is 6 seconds.  Can this be raised?

Thanks,

Jeff

Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com

Engineering Support: supp...@bloomip.com
Billing Support: bill...@bloomip.com
Customer Support Portal:  https://my.bloomip.com 

On Thu, Apr 21, 2016 at 7:47 AM, Sumit Bose  wrote:

> On Wed, Apr 20, 2016 at 02:18:28PM -0400, Jeff Hallyburton wrote:
> > Sumit,
> >
> > Raised the debug level to 10 and let it run for about 24 hours.
> Uploading
> > the last 2000~ lines of the sssd_domain.com.log.  Thanks for your help!
>
> Can you send the related krb5_child log file as well?
>
> bye,
> Sumit
>
> >
> > https://pastebin.com/MD6N1Dj7
> >
> > Jeff Hallyburton
> > Strategic Systems Engineer
> > Bloomip Inc.
> > Web: http://www.bloomip.com
> >
> > Engineering Support: supp...@bloomip.com
> > Billing Support: bill...@bloomip.com
> > Customer Support Portal:  https://my.bloomip.com
> >
> > On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton <
> > jeff.hallybur...@bloomip.com> wrote:
> >
> > > Sumit,
> > >
> > > Raised the debug level to 10 and let it run for about 24 hours.
> Uploading
> > > the full sssd_domain.com.log.  Thanks for your help!
> > >
> > > Jeff
> > >
> > > Jeff Hallyburton
> > > Strategic Systems Engineer
> > > Bloomip Inc.
> > > Web: http://www.bloomip.com
> > >
> > > Engineering Support: supp...@bloomip.com
> > > Billing Support: bill...@bloomip.com
> > > Customer Support Portal:  https://my.bloomip.com
> > >
> > > On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose  wrote:
> > >
> > >> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote:
> > >> > After setting debug_level=8, this is what I see in the
> sssd_domain_log:
> > >>
> > >> Unfortunately the domain log and the krb5_child log do not relate to
> > >> each other.
> > >>
> > >> >
> > >> > (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]]
> > >> [child_handler_setup]
> > >> > (0x2000): Setting up signal handler up for pid [32382]
> > >> >
> > >>
> > >> 
> > >>
> > >> >
> > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731
> [k5c_setup_fast]
> > >> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> > >> > jump02.west-2.production.example@example.com]
> > >> >
> > >>
> > >> ...
> > >>
> > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731
> > >> [get_and_save_tgt]
> > >> > (0x0400): krb5_get_init_creds_password returned [-1765328324} during
> > >> > pre-auth.
> > >> >
> > >> >
> > >> > Can you shed any light on this?
> > >> >
> > >>
> > >> In the domain log the child with the pid 32382 is started to run a
> > >> pre-authentication request. The request is needed to find out which
> kind
> > >> of authentication types are available for the user, e.g. password or
> > >> 2-factor authentication with the OTP token. The request in the child
> > >> with the PID 32731 looks like a real authentication request which
> returns
> > >> with an error code -1765328324 which just means 'Generic error' but
> > >> might have caused SSSD to go offline.
> > >>
> > >> I would like to ask you to run the test again with debug_level=10 in
> the
> > >> [domain/...] section of sssd.conf which would enable some low level
> > >> Kerberos tracing messages which might help to understand what kind of
> > >> 'Generic error' was hit here. Additionally I would like to ask you to
> send
> > >> the full log files as attachment or in an archive which would help me
> to
> > >> better navigate through them.
> > >>
> > >> bye,
> > >> Sumit
> > >>
> > >
> > >
>

Re: [Freeipa-users] Servers intermittently losing connection to IPA

2016-04-21 Thread Lukas Slebodnik
On (21/04/16 09:44), Jeff Hallyburton wrote:
>Sumit,
>
>We found a resolution for this and I'm dropping it here for posterity.
>After some digging, it turns out that our ipa server and ipa replica were
>returning different IPs for systems in the environment in DNS requests (one
>returned internal results, one returned external results).
>
>After resolving this our intermittent connectivity issue went away.  So it
>seems that in some cases, the incorrect IP was being returned for LDAP
>requests.
>
>One additional item found here, it seems that the timeout to resolve an
>address (from the sssd logs) is 6 seconds.  Can this be raised?
>
man sssd.conf -> dns_resolver_timeout

LS



Re: [Freeipa-users] Let's Encrypt SSL pkscs 12 problem notes anyone. CENTOS 7 FreeIPA install

2016-04-21 Thread Martin Kosek
On 04/21/2016 11:22 AM, Branko Quenode wrote:
> Hi ,
> 
> I am trying to install freeipa with centos and Let's Encrypt SSL.
> 
> I create lets-encrypt with webroot option.
> 
> Then i did
> 
> cat privkey.pem fullchain.pem > /root/key.pem
> 
> openssl pkcs12 -export -in /root/key.pem  -out ipa.pkcs12 -name 
> "ipa.somedomain.com "
> 
> 
> ipa-server-install --ip-address= 
>   --http_pkcs12=/etc/letsencrypt/live/ipa.somedomein.com/ipa.pkcs12 
>  
> --dirsrv_pkcs12=/etc/letsencrypt/live/ipa.somedomain.com/ipa.pkcs12 
>  
> --root-ca-file=/etc/letsencrypt/live/ipa.somedomain.com/fullchain.pem 
> 
> 
> I got error
> ipa.ipapython.install.cli.install_tool(Server): ERROR The full certificate 
> chain is not present in /etc/letsencrypt/live/ipa.somedomain.com/ipa.pkcs12 
> 
> 
> 
> What I am missing intermediate.crt maybe ?

Probably. Sounds like

https://www.redhat.com/archives/freeipa-users/2016-April/msg00161.html

Martin



[Freeipa-users] Problem with ipa-getkeytab ?

2016-04-21 Thread Günther J . Niederwimmer
Hello,

I found a HowTo on FreeIPA to install an HA version for a mail system.

Now I have a problem getting the keytab on the second server.

On the first server I run:

kinit admin
ipa-getkeytab -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab

This is working,

but on the second server when I start

kinit admin
ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab

for the same keytab, I get an error that access is not possible?

Is this a bug or a mistake on my part?
-- 
Kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Servers intermittently losing connection to IPA

2016-04-21 Thread Sumit Bose
On Thu, Apr 21, 2016 at 09:44:47AM -0400, Jeff Hallyburton wrote:
> Sumit,
> 
> We found a resolution for this and I'm dropping it here for posterity.
> After some digging, it turns out that our ipa server and ipa replica were
> returning different IPs for systems in the environment in DNS requests (one
> returned internal results, one returned external results).
> 
> After resolving this our intermittent connectivity issue went away.  So it
> seems that in some cases, the incorrect IP was being returned for LDAP
> requests.

Thank you for the feedback.

bye,
Sumit

> 
> One additional item found here, it seems that the timeout to resolve an
> address (from the sssd logs) is 6 seconds.  Can this be raised?
> 
> Thanks,
> 
> Jeff
> 
> Jeff Hallyburton
> Strategic Systems Engineer
> Bloomip Inc.
> Web: http://www.bloomip.com
> 
> Engineering Support: supp...@bloomip.com
> Billing Support: bill...@bloomip.com
> Customer Support Portal:  https://my.bloomip.com 
> 
> On Thu, Apr 21, 2016 at 7:47 AM, Sumit Bose  wrote:
> 
> > On Wed, Apr 20, 2016 at 02:18:28PM -0400, Jeff Hallyburton wrote:
> > > Sumit,
> > >
> > > Raised the debug level to 10 and let it run for about 24 hours.
> > Uploading
> > > the last 2000~ lines of the sssd_domain.com.log.  Thanks for your help!
> >
> > Can you send the related krb5_child log file as well?
> >
> > bye,
> > Sumit
> >
> > >
> > > https://pastebin.com/MD6N1Dj7
> > >
> > > Jeff Hallyburton
> > > Strategic Systems Engineer
> > > Bloomip Inc.
> > > Web: http://www.bloomip.com
> > >
> > > Engineering Support: supp...@bloomip.com
> > > Billing Support: bill...@bloomip.com
> > > Customer Support Portal:  https://my.bloomip.com
> > >
> > > On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton <
> > > jeff.hallybur...@bloomip.com> wrote:
> > >
> > > > Sumit,
> > > >
> > > > Raised the debug level to 10 and let it run for about 24 hours.
> > > > Uploading the full sssd_domain.com.log.  Thanks for your help!
> > > >
> > > > Jeff
> > > >
> > > > Jeff Hallyburton
> > > > Strategic Systems Engineer
> > > > Bloomip Inc.
> > > > Web: http://www.bloomip.com
> > > >
> > > > Engineering Support: supp...@bloomip.com
> > > > Billing Support: bill...@bloomip.com
> > > > Customer Support Portal:  https://my.bloomip.com
> > > >
> > > > On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose  wrote:
> > > >
> > > >> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote:
> > > >> > After setting debug_level=8, this is what I see in the
> > > >> > sssd_domain_log:
> > > >>
> > > >> Unfortunately the domain log and the krb5_child log do not relate to
> > > >> each other.
> > > >>
> > > >> >
> > > >> > (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]]
> > > >> [child_handler_setup]
> > > >> > (0x2000): Setting up signal handler up for pid [32382]
> > > >> >
> > > >>
> > > >> 
> > > >>
> > > >> >
> > > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731
> > [k5c_setup_fast]
> > > >> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> > > >> > jump02.west-2.production.example@example.com]
> > > >> >
> > > >>
> > > >> ...
> > > >>
> > > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731
> > > >> [get_and_save_tgt]
> > > >> > (0x0400): krb5_get_init_creds_password returned [-1765328324} during
> > > >> > pre-auth.
> > > >> >
> > > >> >
> > > >> > Can you shed any light on this?
> > > >> >
> > > >>
> > > >> In the domain log the child with the pid 32382 is started to run a
> > > >> pre-authentication request. The request is needed to find out which
> > > >> kind of authentication types are available for the user, e.g. password
> > > >> or 2-factor authentication with the OTP token. The request in the child
> > > >> with the PID 32731 looks like a real authentication request which
> > > >> returns with an error code -1765328324 which just means 'Generic error'
> > > >> but might have caused SSSD to go offline.
> > > >>
> > > >> I would like to ask you to run the test again with debug_level=10 in
> > > >> the [domain/...] section of sssd.conf which would enable some low level
> > > >> Kerberos tracing messages which might help to understand what kind of
> > > >> 'Generic error' was hit here. Additionally I would like to ask you to
> > > >> send the full log files as attachment or in an archive which would help
> > > >> me to better navigate through them.
> > > >>
> > > >> bye,
> > > >> Sumit
> > > >>
> > > >
> > > >
> >

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Problem with ipa-getkeytab ?

2016-04-21 Thread Jochen Hein
Günther J. Niederwimmer  writes:

> but on the second server when I start
>
> kinit admin
> ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab
>
> for the same keytab,
> I get an error that no access is possible?

You need special authorization to retrieve a keytab, AFAIK. Please have
a look at http://www.freeipa.org/page/V4/Keytab_Retrieval_Management and
http://www.freeipa.org/page/V4/Keytab_Retrieval

Hope that helps,
Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.


Re: [Freeipa-users] Problem with ipa-getkeytab ?

2016-04-21 Thread Martin Babinsky

On 04/21/2016 04:53 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> I found a HowTo on FreeIPA to install an HA version of a mail system.
>
> Now I have a problem getting the keytab on the second server.
>
> On the first server I run:
>
> kinit admin
> ipa-getkeytab -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab
>
> This is working,
>
> but on the second server when I start
>
> kinit admin
> ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab
>
> for the same keytab,
> I get an error that no access is possible?
>
> Is this a bug or a mistake on my part?

AFAIK reading Kerberos keys is a protected operation reserved for 
root/directory manager only, so you will have to use your Directory 
Manager credentials for that:

"""
ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab -D 'cn=directory manager' -w $DM_PASSWORD
"""

Alternatively you can permit your admin user to retrieve the keytab 
using the following command:

"""
ipa service-allow-retrieve-keytab imap/mail.example.com --users admin
"""

and then run ipa-getkeytab as admin.

--
Martin^3 Babinsky



Re: [Freeipa-users] FreeIPA and PWM

2016-04-21 Thread Martin Kosek
On 04/20/2016 05:23 PM, Tiemen Ruiten wrote:
> Hello,
> 
> I'm trying to set up a self-service page for a new IPA domain and I'm trying
> to use PWM for that.
> 
> When I try to bind to FreeIPA from within PWM, with the configured "LDAP
> Proxy User", I get the following error:
> 
> error connecting to ldap server 'ldaps://polonium.ipa.rdmedia.com:636':
> unable to create connection: unable to bind to
> ldaps://polonium.ipa.rdmedia.com:636 as
> cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com reason: [LDAP:
> error code 48 - Inappropriate Authentication]
> 
> In /var/log/krb5kdc.log I see:
> 
> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: NEEDED_PREAUTH: host/protactinium.ipa.rdmedia@ipa.rdmedia.com for krbtgt/ipa.rdmedia@ipa.rdmedia.com, Additional pre-authentication required
> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/protactinium.ipa.rdmedia@ipa.rdmedia.com for krbtgt/ipa.rdmedia@ipa.rdmedia.com
> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/protactinium.ipa.rdmedia@ipa.rdmedia.com for ldap/polonium.ipa.rdmedia@ipa.rdmedia.com
> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
> 
> What is going on? What can I do to debug this more?
> 
> 
> -- 
> Tiemen Ruiten
> Systems Engineer
> R Media

Hello Tiemen,

Just for the record, in FreeIPA we have also been working on our own version of
the Community Portal that could be useful for the registration and is already
well integrated with FreeIPA:

https://github.com/freeipa/freeipa-community-portal
http://freeipa-community-portal.readthedocs.org/en/latest/

CCing Christian who currently owns the project.

HTH,
Martin



Re: [Freeipa-users] [Freeipa-devel] CentOS 7 COPR repository with ipa 4.3.1 available for testing

2016-04-21 Thread Jan Pazdziora
On Tue, Apr 05, 2016 at 06:37:13PM +0200, Petr Vobornik wrote:
> Hello everyone,
> 
> Copr repository @freeipa/freeipa-4-3-centos-7 is available for testing
> of Freeipa 4.3.1[1] on CentOS 7.
> 
> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/

If you'd like to try FreeIPA 4.3.1 on CentOS 7 in a container, use
branch centos-7-upstream of

https://github.com/adelton/docker-freeipa

to build locally, or pull the image

adelton/freeipa-server:centos-7-upstream

from the Docker Hub registry.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



[Freeipa-users] Let's Encrypt SSL pkscs 12 problem notes anyone. CENTOS 7 FreeIPA install

2016-04-21 Thread Branko Quenode
Hi,

I am trying to install FreeIPA on CentOS with a Let's Encrypt SSL certificate.

I created the Let's Encrypt certificate with the webroot option.

Then I did

cat privkey.pem fullchain.pem > /root/key.pem

openssl pkcs12 -export -in /root/key.pem -out ipa.pkcs12 -name "ipa.somedomain.com"

ipa-server-install --ip-address=  --http_pkcs12=/etc/letsencrypt/live/ipa.somedomein.com/ipa.pkcs12 --dirsrv_pkcs12=/etc/letsencrypt/live/ipa.somedomain.com/ipa.pkcs12 --root-ca-file=/etc/letsencrypt/live/ipa.somedomain.com/fullchain.pem

I got the error

ipa.ipapython.install.cli.install_tool(Server): ERROR The full certificate chain is not present in /etc/letsencrypt/live/ipa.somedomain.com/ipa.pkcs12

What am I missing, intermediate.crt maybe?

Thank you.
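One check worth running on such a bundle before retrying the installer, added here as an example and not part of the original post: it builds a constructed root/intermediate/leaf test chain, packs it into PKCS#12 bundles the same way the post does (once with only leaf + intermediate, once with the root added), and reports whether each bundle carries the chain all the way up to a self-signed root. The helper name, the CN values, the paths and the export password are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway test PKI, pack
# key + certificates into PKCS#12 the way the post does, and check whether the
# bundle carries the whole chain up to a self-signed root CA (all names constructed).
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS=demo-export-password
cd "$WORK"

# Return 0 when every issuer found in PKCS#12 file $1 (password $2) is also
# present as a subject in the bundle and the chain ends in a self-signed cert.
pkcs12_has_full_chain() {
    certs="$WORK/certs.$$.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$certs" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$certs" \
      | openssl pkcs7 -print_certs -noout \
      | sed -n 's/^subject=//p; s/^issuer=//p' \
      | awk 'NR % 2 == 1 { subj[$0] = 1; s = $0 }                # subject line
             NR % 2 == 0 { need[$0] = 1; if ($0 == s) root = 1 } # issuer line
             END { for (i in need) if (!(i in subj)) missing = 1
                   if (root && !missing) exit 0; exit 1 }'
}

# Constructed test PKI: root -> intermediate -> leaf, mimicking a public CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout root.key -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -days 2 -in int.csr -CA root.pem -CAkey root.key \
    -set_serial 1 -out int.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=ipa.example.test" \
    -keyout privkey.pem -out leaf.csr 2>/dev/null
openssl x509 -req -days 2 -in leaf.csr -CA int.pem -CAkey int.key \
    -set_serial 2 -out cert.pem 2>/dev/null

# fullchain.pem as Let's Encrypt ships it: leaf + intermediate, no root.
cat cert.pem int.pem > fullchain.pem
cat privkey.pem fullchain.pem > key.pem                # exactly as in the post
cat privkey.pem fullchain.pem root.pem > key-with-root.pem
openssl pkcs12 -export -in key.pem -name ipa.example.test \
    -passout "pass:$PASS" -out no-root.p12
openssl pkcs12 -export -in key-with-root.pem -name ipa.example.test \
    -passout "pass:$PASS" -out with-root.p12
NO_ROOT_P12="$WORK/no-root.p12"; WITH_ROOT_P12="$WORK/with-root.p12"

for f in "$NO_ROOT_P12" "$WITH_ROOT_P12"; do
    if pkcs12_has_full_chain "$f" "$PASS"; then echo "$f: full chain present"
    else echo "$f: chain incomplete, no self-signed root in the bundle"; fi
done
```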

Re: [Freeipa-users] FreeIPA and PWM

2016-04-21 Thread Tiemen Ruiten
Hello Martin,

Thanks, that does help; I didn't know about this project. I will try this
approach first. It seems like it will be better integrated with FreeIPA and in
general more maintainable than PWM.

On 21 April 2016 at 09:59, Martin Kosek  wrote:

> On 04/20/2016 05:23 PM, Tiemen Ruiten wrote:
> > Hello,
> >
> > I'm trying to set up a self-service page for a new IPA domain and I'm
> > trying to use PWM for that.
> >
> > When I try to bind to FreeIPA from within PWM, with the configured "LDAP
> > Proxy User", I get the following error:
> >
> > error connecting to ldap server 'ldaps://polonium.ipa.rdmedia.com:636':
> > unable to create connection: unable to bind to
> > ldaps://polonium.ipa.rdmedia.com:636 as
> > cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com reason:
> > [LDAP: error code 48 - Inappropriate Authentication]
> >
> > In /var/log/krb5kdc.log I see:
> >
> > Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: NEEDED_PREAUTH: host/protactinium.ipa.rdmedia@ipa.rdmedia.com for krbtgt/ipa.rdmedia@ipa.rdmedia.com, Additional pre-authentication required
> > Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
> > Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/protactinium.ipa.rdmedia@ipa.rdmedia.com for krbtgt/ipa.rdmedia@ipa.rdmedia.com
> > Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
> > Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/protactinium.ipa.rdmedia@ipa.rdmedia.com for ldap/polonium.ipa.rdmedia@ipa.rdmedia.com
> > Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
> >
> > What is going on? What can I do to debug this more?
> >
> >
> > --
> > Tiemen Ruiten
> > Systems Engineer
> > R Media
>
> Hello Tiemen,
>
> Just for the record, in FreeIPA we have also been working on our own
> version of the Community Portal that could be useful for the registration
> and is already well integrated with FreeIPA:
>
> https://github.com/freeipa/freeipa-community-portal
> http://freeipa-community-portal.readthedocs.org/en/latest/
>
> CCing Christian who currently owns the project.
>
> HTH,
> Martin
>



-- 
Tiemen Ruiten
Systems Engineer
R Media