Re: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

2016-05-24 Thread Barry
Hi:

Which location should I renew the cert in?
Http/alias
Etc/dirsrv/slapd*

Enough?
On May 24, 2016 at 10:01 PM, "Rob Crittenden" wrote:

> barry...@gmail.com wrote:
>
>> hi all:
>>
>>
>> Thx, as the title says
>>
>> ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISER S.COM"
>> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>> preparation of replica failed: cannot connect to
>> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>> cannot connect to
>> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>
>
> The root of all your problems is that your certificates are expired.
> Fixing this should be your priority. This is probably going to involve
> going back in time to when the certificates are still valid, restarting
> IPA, restarting certmonger and waiting for things to properly renew. It can
> take some time as the certificates don't all renew at once.
>
> I suspect that once renewed and returned to current time the rest of your
> problems will, for the most part, go away.
>
> rob
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] AD replication and password passthrough

2016-05-24 Thread Simpson Lachlan
We were doing this by utilising overrides (changing user names, /home/ s, etc), 
but I think we had to back out of that plan because we encountered issues. We 
may go back.

Using Host Based Access Control (HBAC) and sudo is a powerful set of tools. 
What did you want to do that wasn’t covered by those three?


L.


From: Redmond, Stacy [mailto:stacy.redm...@blueshieldca.com]
Sent: Wednesday, 25 May 2016 9:15 AM
To: Simpson Lachlan
Subject: RE: AD replication and password passthrough

I am replacing ODS, and would like to replicate AD (ad.foo.com) to my new IPA 
installation (ipa.foo.com) but in all the documentation it says I have to 
install passsync on AD to synchronize passwords, I would rather just tell ipa 
to authorize the user via password from AD.

I have a one way trust setup now, just would rather have everything in IPA, but 
use AD passwords due to new requirements.

From: Simpson Lachlan [mailto:lachlan.simp...@petermac.org]
Sent: Tuesday, May 24, 2016 4:09 PM
To: Redmond, Stacy 
>
Subject: RE: AD replication and password passthrough

It depends on what you mean.

If, by replication, you mean using FreeIPA as a backup AD server, it would need 
to be a two way trust.

If you have a separate subdomain, it’s definitely possible with a one way trust.

Cheers
L.

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Redmond, Stacy
Sent: Tuesday, 24 May 2016 3:15 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] AD replication and password passthrough

Is there a way to setup replication from AD, and just use passthrough to AD for 
passwords, vs having to synchronize passwords.  I am getting a lot of pushback 
from the AD team on installing the password sync software due to issues in the 
past.  I would like to setup replication, but still use AD to authenticate 
passwords.


[Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

2016-05-24 Thread barrykfl
hi all:


Thx ad title

ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISER S.COM"
((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to
'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to
'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.

Re: [Freeipa-users] What if my AD domain user password is not available

2016-05-24 Thread Martin Kosek
On 05/23/2016 03:20 PM, Ben .T.George wrote:
> Hi
> 
> Thanks for your reply.
> 
> I saw this before but the thing is I can't follow this one as I am not
> completely getting those steps
> 
> ipa trust-add --type=ad "ad_domain" --trust-secret
> 
> It is asking for a key; what do I need to give?
> 
> And the shown gif screens and current AD windows are different for me.

Hi,

Try checking the procedure in the guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#create-trust-shared-secret
Maybe it will help you understand what needs to be clicked on AD side.

HTH,
Martin

> Regards
> Ben
> 
> On 23 May 2016 16:13, "Martin Babinsky"  > wrote:
> 
> On 05/23/2016 02:42 PM, Ben .T.George wrote:
> 
> Hi LIst,
> 
> my Windows domain admin is not giving me the domain admin user password.
> 
> in this case how can I proceed with ipa trust-add?
> 
> regards,
> Ben
> 
> 
> 
> Hi Ben,
> 
> You can ask your AD domain admin to create a shared secret for 
> establishing
> trust. See the corresponding chapter in the guide for creating trusts[1] 
> for
> more details.
> 
> [1]
> 
> http://www.freeipa.org/page/Active_Directory_trust_setup#When_AD_administrator_credentials_aren.27t_available
> 
> 
> -- 
> Martin^3 Babinsky
> 
> 
> 



[Freeipa-users] Error when adding new users via UI:

2016-05-24 Thread Traiano Welcome
Hi

I have IPA server 4.2 running on CentOS 7
(ipa-server-4.2.0-15.el7.centos.3.x86_64).

This morning, after many months of stable operation, I tried to add a
user and got this error via the web interface:

---
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
failed! Unable to proceed.
---

So basically, can't add any new users.

Would anyone know how I can troubleshoot this kind of IPA error, or
possibly have come across and resolved it before ?

Thanks in advance,
Traiano




Re: [Freeipa-users] question about automount config

2016-05-24 Thread Prasun Gera
You can stop the autofs daemon and run it in the foreground with automount
-fvv. Then try to access the mount point in parallel. The logs from the
foreground run should shed some light. Also, does your autofs setup work
without Kerberos? As a first step, get it to work with non-Kerberised NFS.

On Mon, May 23, 2016 at 11:06 AM, Arthur Fayzullin  wrote:

> Good day, colleagues!
> I am confused about how automount work and howto configure it. I have
> tried to configure it according to
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> document (paragraph 9.1.1 and chapter 20).
> I have tried to make it work on 3 servers:
> 1. ipa server;
> 2. nfs server (node00);
> 3. nfs client (postgres).
>
>
> *** so here how it configured on ipa server:
> $ ipa automountlocation-tofiles amantai
> /etc/auto.master:
> /-  /etc/auto.direct
> /home   /etc/auto.home
> ---
> /etc/auto.direct:
> ---
> /etc/auto.home:
> *   -sec=kr5i,rw,fstype=nfs4 node00.glavsn.ab:/home/&
>
> maps not connected to /etc/auto.master:
>
> $ ipa service-find nfs
> --
> 2 services matched
> --
>   Principal: nfs/node00.glavsn...@glavsn.ab
>   Keytab: True
>   Managed by: node00.glavsn.ab
>
>   Principal: nfs/postgres.glavsn...@glavsn.ab
>   Keytab: True
>   Managed by: postgres.glavsn.ab
>
>
> *** here is nfs server config:
> $ sudo klist -k
> Password:
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> 
> --
>1 host/node00.glavsn...@glavsn.ab
>1 host/node00.glavsn...@glavsn.ab
>1 host/node00.glavsn...@glavsn.ab
>1 host/node00.glavsn...@glavsn.ab
>2 nfs/node00.glavsn...@glavsn.ab
>2 nfs/node00.glavsn...@glavsn.ab
>2 nfs/node00.glavsn...@glavsn.ab
>2 nfs/node00.glavsn...@glavsn.ab
>
> $ cat /etc/exports
> /home *(rw,sec=sys:krb5:krb5i:krb5p)
>
> $ sudo firewall-cmd --list-all
> public (default, active)
>   interfaces: bridge0 enp1s0
>   sources:
>   services: dhcpv6-client nfs ssh
>   ports: 8001/tcp
>   masquerade: no
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
> $ getenforce
> Enforcing
>
>
> *** here nfs client config:
> # klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> 
> --
>1 host/postgres.glavsn...@glavsn.ab
>1 host/postgres.glavsn...@glavsn.ab
>1 host/postgres.glavsn...@glavsn.ab
>1 host/postgres.glavsn...@glavsn.ab
>1 nfs/postgres.glavsn...@glavsn.ab
>1 nfs/postgres.glavsn...@glavsn.ab
>1 nfs/postgres.glavsn...@glavsn.ab
>1 nfs/postgres.glavsn...@glavsn.ab
>
> # firewall-cmd --list-all
> FedoraServer (default, active)
>   interfaces: ens3
>   sources:
>   services: cockpit dhcpv6-client ssh
>   ports:
>   protocols:
>   masquerade: no
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
> # mount -l  (contains next string)
> auto.home on /home type autofs
> (rw,relatime,fd=25,pgrp=960,timeout=300,minproto=5,maxproto=5,indirect)
>
> # ll /home/afayzullin
> ls says that it cannot access /home/afayzullin: no such file or directory
>
> I have run
> # ipa-client-automount --location=amantai
> on client and it has completed successfully.
>
> I have tried to disable SELinux and drop the iptables rules. And now I am a
> little confused about what to do next. Maybe someone who has dealt with
> automount config can give me some advice, or point me to a howto for
> configuring automount, or advise how to debug this situation?
>
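Before chasing autofs itself, it is worth checking that the map entry and the server's export agree on the NFS security flavour. The map entry quoted above asks for `sec=kr5i`, and the only flavours exports(5) and nfs(5) define are `sys`, `krb5`, `krb5i` and `krb5p`; the kernel client refuses an unknown `sec=` value at mount time, so autofs never gets a mount and `ls` reports no such file. The script below is an added example (not code from the thread or from the autofs or FreeIPA projects); its sample lines are modelled on the map entry and exports line quoted above, and the `/&` stripping assumes the indirect-map `&` substitution shown there.

```python
"""Added example (not from the thread or the autofs/FreeIPA projects): check an
automount map entry against the NFS server's export line before debugging
autofs itself.  The sample lines in the tests are modelled on the ones quoted
in the thread; the flavour list is the set exports(5)/nfs(5) accept for sec=.
"""
import re

NFS_SEC_FLAVOURS = ("sys", "krb5", "krb5i", "krb5p")


def parse_map_entry(line):
    """'key -opt,opt host:/path' -> (key, [opt, ...], 'host:/path')."""
    parts = line.split()
    key, opts, location = parts[0], [], None
    for token in parts[1:]:
        if token.startswith("-"):
            opts.extend(token[1:].split(","))
        else:
            location = token
    return key, opts, location


def parse_exports_line(line):
    """'/home *(rw,sec=sys:krb5)' -> ('/home', {'*': ['sys', 'krb5']}).
    An export without sec= offers only sys, which is the exports(5) default."""
    path, _, rest = line.partition(" ")
    clients = {}
    for m in re.finditer(r"(\S+?)\(([^)]*)\)", rest):
        flavours = ["sys"]
        for opt in m.group(2).split(","):
            if opt.startswith("sec="):
                flavours = opt[len("sec="):].split(":")
        clients[m.group(1)] = flavours
    return path, clients


def check_entry(map_line, exports_line):
    """Return a list of problems; an empty list means the entry should mount."""
    key, opts, location = parse_map_entry(map_line)
    wanted = "sys"                      # mount(8) default when no sec= is given
    for opt in opts:
        if opt.startswith("sec="):
            wanted = opt[len("sec="):]
    problems = []
    if wanted not in NFS_SEC_FLAVOURS:
        problems.append("sec=%s is not a valid NFS security flavour (one of %s)"
                        % (wanted, ", ".join(NFS_SEC_FLAVOURS)))
    export_path, clients = parse_exports_line(exports_line)
    _, _, remote = location.partition(":")
    # Indirect maps substitute the key for '&'; '/home/&' is served by export '/home'.
    remote = remote[:-2] if remote.endswith("/&") else remote
    if remote != export_path:
        problems.append("map points at %s but the export is %s" % (remote, export_path))
    offered = sorted({f for flavours in clients.values() for f in flavours})
    if wanted in NFS_SEC_FLAVOURS and wanted not in offered:
        problems.append("export %s does not offer sec=%s (exports: %s)"
                        % (export_path, wanted, ":".join(offered)))
    return problems


if __name__ == "__main__":
    # Lines modelled on the ones quoted in the thread (constructed, not a live capture).
    for problem in check_entry("*   -sec=kr5i,rw,fstype=nfs4 node00.glavsn.ab:/home/&",
                               "/home *(rw,sec=sys:krb5:krb5i:krb5p)"):
        print(problem)
```

Because the quoted export also lists `sys`, a plain `mount -t nfs4 -o sec=sys node00.glavsn.ab:/home /mnt` is a valid first test of the path and firewall before adding Kerberos, which is the order Prasun suggests; once that mounts, try `sec=krb5i` by hand and only then go back to the automount map.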

Re: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab

2016-05-24 Thread Ask Stack
Sorry for asking the dumb question again. Where are the 389-ds logs? I can't 
find them in /var/log/ .  

On Monday, May 23, 2016 5:10 PM, Rob Crittenden  wrote:
 

 Ask Stack wrote:
> Rob
> Thanks for the reply.
> I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
> errors  and /var/log/krb5kdc.log
> Do you know which service is responsible for providing
> "/etc/krb5.keytab" to the client?

It uses an LDAP extended operation so 389-ds. Any errors would be in the 
KDC log or, more likely, in the 389-ds logs.

rob

>
> On Monday, May 23, 2016 2:57 PM, Rob Crittenden  wrote:
>
>
> Ask Stack wrote:
>
>  > My company's ipa-client-install fail very often. Debug logs show the
>  > process always failed at getting the /etc/krb5.keytab .
>  > Is there a way to modify the script to increase number of attempts to
>  > create /etc/krb5.keytab ?
>  >
>  > I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
>  > host TGT (defaults to 5)." But it comes after setting up the
>  > "/etc/krb5.keytab" file.
>  > Thanks.
>  >
>  > server
>  > ipa-server-3.0.0-47.el6_7.1.x86_64
>  >
>  > client
>  > ipa-client-3.0.0-47.el6_7.2.x86_64
>  > ipa-client-3.0.0-50.el6.1.x86_64
>  >
>  >
>  > #SUCCESSFUL ATTEMPT
>  >
>  >
>  > Keytab successfully retrieved and stored in: /etc/krb5.keytab
>  > Certificate subject base is: O=TEST.COM
>  >
>  > 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
>  > 2016-05-23T14:40:49Z DEBUG args=kdestroy
>  > 2016-05-23T14:40:49Z DEBUG stdout=
>  > 2016-05-23T14:40:49Z DEBUG stderr=
>  >
>  >
>  >
>  > #FAILED ATTEMPT
>  >
>  >
>  > ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
>  > ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
>  > Certificate subject base is: O=TEST.COM
>  >
>  > 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
>  > 2016-05-23T14:37:08Z DEBUG args=kdestroy
>  > 2016-05-23T14:37:08Z DEBUG stdout=
>  > 2016-05-23T14:37:08Z DEBUG stderr=
>
>
> There is no retry capability and in some cases would be impossible to
> add (the one-time password case). Can you check /var/log/krb5kdc on the
> IPA master it connected to, and the 389-ds access and errors logs as
> well. Perhaps one of those will have more information on why things failed.
>
> rob
>
>
>
>




Re: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

2016-05-24 Thread Rob Crittenden

barry...@gmail.com wrote:

hi all:


Thx ad title

ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISER S.COM"
((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to
'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to
'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.


The root of all your problems is that your certificates are expired. 
Fixing this should be your priority. This is probably going to involve 
going back in time to when the certificates are still valid, restarting 
IPA, restarting certmonger and waiting for things to properly renew. It 
can take some time as the certificates don't all renew at once.


I suspect that once renewed and returned to current time the rest of 
your problems will, for the most part, go away.


rob
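The procedure Rob describes (set the clock back to a time when every certificate was still valid, restart IPA and certmonger, let the renewals run) is easier to get right when you first let certmonger tell you what it tracks, where each certificate lives and when each one lapsed; that also answers the "which folder" question, since the renewed certificate is written back into the NSS database certmonger already tracks rather than copied by hand. The script below is an added example, not FreeIPA or certmonger code: it parses the text `getcert list` prints and turns it into a plan. The sample output, request IDs, subjects, dates and the `chronyd`/`ntpd` service names are constructed assumptions for a CentOS 7 style host.

```python
"""Added example (not FreeIPA project code, not from the thread): triage
certmonger's tracking list after IPA certificates have expired.

Parses the text printed by `getcert list`, reports which tracked certificates
are expired or stuck, lists the NSS databases they live in, and computes the
date to set the clock back to so that every certificate is valid again while
certmonger renews them.  SAMPLE is constructed output; request IDs, subjects,
dates and paths are illustrative.
"""
import re
from datetime import datetime, timedelta

# Constructed `getcert list` output.  Real output carries more fields; only the
# ones read below matter here.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20150524094501':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=server.abc.com,O=ABC.COM
\texpires: 2016-05-20 09:45:01 UTC
Request ID '20150524094502':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=server.abc.com,O=ABC.COM
\texpires: 2016-05-22 09:45:02 UTC
Request ID '20150524094503':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Subsystem,O=ABC.COM
\texpires: 2017-01-10 09:45:03 UTC
"""
NOW = datetime(2016, 5, 24, 12, 0, 0)   # constructed "today" (naive UTC)

EXPIRES_RE = re.compile(r"^\texpires: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC$")
LOCATION_RE = re.compile(r"location='([^']+)'")


def parse_getcert_list(text):
    """One dict per 'Request ID' block, keyed by the tab-indented field names."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            cur = {"id": line[len("Request ID '"):-2]}   # drop the closing ':
            entries.append(cur)
            continue
        if cur is None or not line.startswith("\t"):
            continue
        m = EXPIRES_RE.match(line)
        if m:
            cur["expires"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            continue
        key, _, value = line[1:].partition(": ")
        cur[key] = value
    return entries


def triage(entries, now):
    """Split entries into (expired, stuck) as of `now`."""
    expired = [e for e in entries if e["expires"] <= now]
    stuck = [e for e in entries if e.get("stuck") == "yes"]
    return expired, stuck


def rewind_target(entries, margin=timedelta(days=2)):
    """Latest moment at which every tracked certificate was still valid, less a
    margin so renewal can finish before the earliest one lapses again."""
    return min(e["expires"] for e in entries) - margin


def nss_locations(entries):
    """NSS databases the tracking entries point at (where renewed certs are written)."""
    return sorted({m.group(1) for e in entries
                   for m in [LOCATION_RE.search(e.get("certificate", ""))] if m})


def renewal_plan(entries, now):
    """Shell commands for the clock-rewind procedure.  date, ipactl, systemctl and
    getcert are real commands; chronyd/ntpd as the time-sync unit is an assumption."""
    expired, stuck = triage(entries, now)
    if not expired:
        return ["# nothing expired; let certmonger renew on its own schedule"]
    cmds = [
        "systemctl stop chronyd ntpd 2>/dev/null   # keep time sync from stepping the clock back",
        'date -s "%s UTC"' % rewind_target(entries).strftime("%Y-%m-%d %H:%M:%S"),
        "ipactl restart",
        "systemctl restart certmonger",
    ]
    cmds += ["getcert resubmit -i %s   # expired: %s" % (e["id"], e["subject"]) for e in expired]
    cmds += ["getcert resubmit -i %s   # stuck; retry after the others renew" % e["id"]
             for e in stuck if e not in expired]
    cmds.append("getcert list   # repeat until every entry is MONITORING with a future 'expires:'")
    cmds.append('date -s "%s UTC"; systemctl start chronyd' % now.strftime("%Y-%m-%d %H:%M:%S"))
    return cmds


if __name__ == "__main__":
    for line in renewal_plan(parse_getcert_list(SAMPLE), NOW):
        print(line)
```

Two practical caveats: stop the time-sync daemon before `date -s`, or it steps the clock forward again under certmonger; and remember that moving the clock invalidates the Kerberos tickets and the LDAP sessions held by running services, which is why `ipactl restart` sits between the `date -s` and the `certmonger` restart rather than after.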



Re: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?

2016-05-24 Thread Martin Kosek
On 05/23/2016 07:56 PM, Zak Wolfinger wrote:
> Does anyone have this combo working?  I’m running into problems with 
> pki-tomcat and tomcat for pwm conflicting and need some pointers.
> 
> Thanks!

You may need to do it on a FreeIPA replica without a CA then, or isolate these
somehow (containers?)

For the record, the PWM question has come up a couple of times already on this
list; as part of the discussion, we also recommended actually using some of the
alternatives we were building in FreeIPA:

https://www.redhat.com/archives/freeipa-users/2016-April/msg00205.html

Martin



Re: [Freeipa-users] Error when adding new users via UI:

2016-05-24 Thread Rob Crittenden

Traiano Welcome wrote:

Hi

I have IPA server 4.2 running on CentOS 7
(ipa-server-4.2.0-15.el7.centos.3.x86_64).

This morning, after many months of stable operation, I tried to add a
user and got this error via the web interface:

---
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
failed! Unable to proceed.
---

So basically, can't add any new users.

Would anyone know how I can troubleshoot this kind of IPA error, or
possibly have come across and resolved it before ?


At install a range of 100k IDs is allocated to IPA. With each new 
master this range is divided in half. It appears you've exhausted one of 
the masters.


What you need to do is take an inventory of what ranges (if any) are 
allocated to various masters then you should be able to move things 
around (this is assuming of course that you haven't exhausted the entire 
range).


ipa-replica-manage list will give you a list of the IPA masters.

ipa-replica-manage dnarange-show and ipa-replica-manage 
dnanextrange-show will help discover what is available.


If you have things in nextrange then I'd start there with reallocation. 
Setting a next range of 0-0 removes the next range (e.g. make it 
available for a primary range).


Take care when actually re-assigning ranges.

rob
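"Take care when actually re-assigning ranges" is worth making concrete: a new primary range that overlaps another master's range produces duplicate UIDs, and a range outside the IPA ID range breaks ID mapping. The script below is an added example, not FreeIPA project code; it checks a proposed `ipa-replica-manage dnarange-set` against the inventory Rob describes and emits the commands in a safe order, applying the `0-0` rule from above to release a next range before carving a primary range out of it. It assumes `dnarange-show` and `dnanextrange-show` print one `master: start-end` or `master: No range set` line per master, that the command syntax is `ipa-replica-manage dnarange-set MASTER START-END`, and that the overall ID range comes from `ipa idrange-show`; the sample text and hostnames are constructed.

```python
"""Added example (not FreeIPA project code): sanity-check a DNA range
reassignment before running ipa-replica-manage.

Assumed input format for `ipa-replica-manage dnarange-show` and
`ipa-replica-manage dnanextrange-show`: one "<master>: <start>-<end>" or
"<master>: No range set" line per master.  The IPA ID range is the
(first ID, last ID) pair derived from `ipa idrange-show`.  Sample text,
hostnames and numbers below are constructed.
"""
import re

SAMPLE_RANGES = """\
ipa1.example.com: 1000-50999
ipa2.example.com: 51000-100999
"""
SAMPLE_NEXT = """\
ipa1.example.com: 101000-150999
ipa2.example.com: No range set
"""
IPA_ID_RANGE = (1000, 200999)   # constructed: base ID 1000, size 200000

LINE_RE = re.compile(r"^(?P<host>\S+): (?:(?P<start>\d+)-(?P<end>\d+)|No range set)$")


def parse_ranges(text):
    """{master: (start, end)} with None for masters that have no range."""
    ranges = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        ranges[m.group("host")] = ((int(m.group("start")), int(m.group("end")))
                                   if m.group("start") else None)
    return ranges


def overlaps(a, b):
    """True when two inclusive (start, end) ranges share an ID; None means no range."""
    return bool(a and b and a[0] <= b[1] and b[0] <= a[1])


def plan_dnarange_set(ranges, nextranges, idrange, host, new_range):
    """Return the commands to run, in order, or raise ValueError when the plan is unsafe."""
    lo, hi = new_range
    if lo <= 0 or lo > hi:
        raise ValueError("range must be START-END with 0 < START <= END")
    if lo < idrange[0] or hi > idrange[1]:
        raise ValueError("%d-%d lies outside the IPA ID range %d-%d"
                         % (lo, hi, idrange[0], idrange[1]))
    for other, r in ranges.items():
        if other != host and overlaps(r, new_range):
            raise ValueError("%d-%d overlaps the primary range %d-%d of %s"
                             % (lo, hi, r[0], r[1], other))
    cmds = []
    for other, r in nextranges.items():
        if not overlaps(r, new_range):
            continue
        if not (r[0] <= lo and hi <= r[1]):
            raise ValueError("%d-%d partially overlaps the next range %d-%d of %s"
                             % (lo, hi, r[0], r[1], other))
        # Release the next range first: 0-0 removes it, which frees the IDs
        # for use as a primary range.
        cmds.append("ipa-replica-manage dnanextrange-set %s 0-0" % other)
        leftovers = []
        if r[0] < lo:
            leftovers.append((r[0], lo - 1))
        if hi < r[1]:
            leftovers.append((hi + 1, r[1]))
        if len(leftovers) > 1:
            raise ValueError("carving %d-%d out of the middle of %d-%d would leave two "
                             "pieces; take it from one end" % (lo, hi, r[0], r[1]))
        for a, b in leftovers:
            cmds.append("ipa-replica-manage dnanextrange-set %s %d-%d" % (other, a, b))
    cmds.append("ipa-replica-manage dnarange-set %s %d-%d" % (host, lo, hi))
    return cmds


if __name__ == "__main__":
    ranges, nextranges = parse_ranges(SAMPLE_RANGES), parse_ranges(SAMPLE_NEXT)
    for cmd in plan_dnarange_set(ranges, nextranges, IPA_ID_RANGE,
                                 "ipa2.example.com", (101000, 150999)):
        print(cmd)
```

The check deliberately refuses a range that only partly overlaps a next range, or that would split one into two pieces, because `dnanextrange-set` can hold a single contiguous range per master; take the new primary range from one end of the donor's next range instead.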



Re: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab

2016-05-24 Thread Rob Crittenden

Ask Stack wrote:

Sorry for asking the dumb question again. Where are the 389-ds logs? I
can't find them in /var/log/ .


/var/log/dirsrv/slapd-REALM

What you'll want to look for is the BIND from the client and all results 
for that connection. The errors log tends to just log critical problems 
so it may not have much.


rob




On Monday, May 23, 2016 5:10 PM, Rob Crittenden  wrote:


Ask Stack wrote:
 > Rob
 > Thanks for the reply.
 > I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
 > errors  and /var/log/krb5kdc.log
 > Do you know which service is responsible for providing
 > "/etc/krb5.keytab" to the client?

It uses an LDAP extended operation so 389-ds. Any errors would be in the
KDC log or, more likely, in the 389-ds logs.

rob



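Rob's suggestion to "look for the BIND from the client and all results for that connection" is mechanical once you key the access log on `conn=`: the successful GSSAPI BIND RESULT carries the bound host `dn=`, and the extended operation that fetches the keytab is the `EXT` line that follows, with its `RESULT err=` telling you whether the server side failed. The script below is an added example, not 389-ds or FreeIPA code; it pulls one client's connections out of a log and lists every operation that returned a non-zero result (treating `err=14`, SASL bind in progress, as normal). The log lines are constructed in the 389-ds access-log layout, and the `oid="1.2.3.4"` on the `EXT` line is a placeholder, not the real keytab operation OID.

```python
"""Added example (not 389-ds or FreeIPA code): find one client's connection in a
389-ds access log and show its BIND identity and every failed operation.

LOG is constructed in the access-log layout; the EXT oid is a placeholder,
not the OID of the real ipa-getkeytab extended operation.
"""
import re
from collections import defaultdict

LOG = """\
[23/May/2016:14:37:05 +0000] conn=1234 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[23/May/2016:14:37:05 +0000] conn=1234 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/May/2016:14:37:05 +0000] conn=1234 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[23/May/2016:14:37:05 +0000] conn=1234 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/May/2016:14:37:05 +0000] conn=1234 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=client.test.com,cn=computers,cn=accounts,dc=test,dc=com"
[23/May/2016:14:37:06 +0000] conn=1234 op=2 EXT oid="1.2.3.4" name="placeholder-keytab-op"
[23/May/2016:14:37:06 +0000] conn=1234 op=2 RESULT err=1 tag=120 nentries=0 etime=0
[23/May/2016:14:37:06 +0000] conn=1234 op=3 UNBIND
[23/May/2016:14:37:06 +0000] conn=1234 op=3 fd=64 closed - U1
[23/May/2016:14:37:07 +0000] conn=1235 fd=65 slot=65 connection from 10.0.0.9 to 10.0.0.1
[23/May/2016:14:37:07 +0000] conn=1235 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/May/2016:14:37:07 +0000] conn=1235 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=other.test.com,cn=computers,cn=accounts,dc=test,dc=com"
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(\d+) ([A-Z]+)\b(.*)$")   # upper-case op names only, skips 'fd=.. closed'
SASL_BIND_IN_PROGRESS = 14                          # LDAP result code, not a failure


def index_by_connection(log):
    """{conn_id: [(timestamp, rest_of_line), ...]} in log order."""
    conns = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns[int(m.group("conn"))].append((m.group("ts"), m.group("rest")))
    return conns


def connections_from(conns, client_ip):
    """Connection IDs opened from the given client address."""
    needle = "connection from %s to " % client_ip
    return sorted(c for c, lines in conns.items() if any(needle in rest for _, rest in lines))


def summarize(conns, conn_id):
    """(bound_dn, [(op, kind, err), ...]) for one connection; err is None without a RESULT."""
    ops, bound = {}, None
    for _, rest in conns[conn_id]:
        m = OP_RE.match(rest)
        if not m:
            continue
        op, kind, tail = int(m.group(1)), m.group(2), m.group(3)
        if kind != "RESULT":
            ops[op] = (kind, None)
            continue
        err = int(re.search(r"err=(\d+)", tail).group(1))
        request_kind = ops.get(op, ("?", None))[0]
        ops[op] = (request_kind, err)
        dn = re.search(r' dn="([^"]*)"', tail)
        if request_kind == "BIND" and err == 0 and dn:
            bound = dn.group(1)          # the completed SASL bind names the host principal's entry
    return bound, [(op, kind, err) for op, (kind, err) in sorted(ops.items())]


def failed_ops(summary_ops):
    """Operations whose RESULT was an error other than 'SASL bind in progress'."""
    return [(op, kind, err) for op, kind, err in summary_ops
            if err not in (None, 0, SASL_BIND_IN_PROGRESS)]


if __name__ == "__main__":
    conns = index_by_connection(LOG)
    for conn_id in connections_from(conns, "10.0.0.5"):
        bound, ops = summarize(conns, conn_id)
        print("conn=%d bound as %s" % (conn_id, bound))
        for op, kind, err in failed_ops(ops):
            print("  op=%d %s failed with err=%d" % (op, kind, err))
```

On a real master the input is `/var/log/dirsrv/slapd-REALM/access` and the client address is the one `ipa-client-install` reported; a BIND that never reaches `err=0` points at Kerberos (check the KDC log for that host principal), while a bound connection whose `EXT` returns an error points at the server-side keytab operation, which is where the errors log and `ipa-getkeytab`'s own debug output become relevant.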


Re: [Freeipa-users] Error when adding new users via UI:

2016-05-24 Thread Martin Kosek
On 05/24/2016 04:07 PM, Rob Crittenden wrote:
> Traiano Welcome wrote:
>> Hi
>>
>> I have IPA server 4.2 running on CentOS 7
>> (ipa-server-4.2.0-15.el7.centos.3.x86_64).
>>
>> This morning, after many months of stable operation, I tried to add a
>> user and got this error via the web interface:
>>
>> ---
>> Operations error: Allocation of a new value for range cn=posix
>> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
>> failed! Unable to proceed.
>> ---
>>
>> So basically, can't add any new users.
>>
>> Would anyone know how I can troubleshoot this kind of IPA error, or
>> possibly have come across and resolved it before ?
> 
> At install a range of 100k IDs is allocated to IPA. With each new master this
> range is divided in half. It appears you've exhausted one of the masters.
> 
> What you need to do is take an inventory of what ranges (if any) are allocated
> to various masters then you should be able to move things around (this is
> assuming of course that you haven't exhausted the entire range).
> 
> ipa-replica-manage list will give you a list of the IPA masters.
> 
> ipa-replica-manage dnarange-show and ipa-replica-manage
> dnanextrange-show will help discover what is available.
> 
> If you have things in nextrange then I'd start there with reallocation. 
> Setting
> a next range of 0-0 removes the next range (e.g. make it available for a
> primary range).
> 
> Take care when actually re-assigning ranges.
> 
> rob
> 

For the record, what currently does not work is when a user is being added on a
master that does not have a direct replication connection to another master with
an available range.

This is improved from FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/4026

Martin



Re: [Freeipa-users] What is the correct repo for Centos 7.2(1511)

2016-05-24 Thread Martin Basti



On 24.05.2016 17:47, Brooks, Charles wrote:


How do I determine the correct repo to use for Centos 7.2.1511 ?
The only Centos 7 repos are marked "unofficial ... Use at your own risk".

The download page leads to
... https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3/
but that only has Fedora 23/24/Rawhide repos listed.


A search for "freeipa centos7 copr" goes to
... https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/
but that repo is build 124140 from 7 months ago.


Another Centos7 repo is at
... 
https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/

for build 173456 about 2 months ago.




Hello,

all copr repos are "Use at your own risk"

Supported IPA (4.2) is in default repositories.

IPA 4.3 (at your own risk) is at 
https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/


Martin

[Freeipa-users] What is the correct repo for Centos 7.2(1511)

2016-05-24 Thread Brooks, Charles
How do I determine the correct repo to use for Centos 7.2.1511 ?
The only Centos 7 repos are marked "unofficial ... Use at your own risk".

The download page leads to
...  https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3/
but that only has Fedora 23/24/Rawhide repos listed.


A search for "freeipa centos7 copr" goes to
...  https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/
but that repo is build 124140 from 7 months ago.


Another Centos7 repo is at
... https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/
for build 173456 about 2 months ago.




===
Charles E. Brooks
Security Administrator
Computer Incident Response Team
Division of Information Security
Office of Information Technology
Bureau of Indian Affairs
12220 Sunrise Valley Drive
Reston, VA 20191
Office Phone: +1-703-390-6606
charles.bro...@bia.gov

Re: [Freeipa-users] Forcing passync to periodically sync passwords

2016-05-24 Thread Alexander Bokovoy

On Tue, 24 May 2016, pgb205 wrote:

Currently PassSync is only triggered on the domain controller where the
password change is made. Is there a way to trigger PassSync to run
periodically and resend information to FreeIPA even if there are no
changes?

Passsync implements an interface on AD DC side that is activated only
when AD user changes the password. There is no way to access clear text
password at other time.


--
/ Alexander Bokovoy



[Freeipa-users] Forcing passync to periodically sync passwords

2016-05-24 Thread pgb205
Currently PassSync is only triggered on the domain controller where the
password change is made. Is there a way to trigger PassSync to run periodically
and resend information to FreeIPA even if there are no changes?

Re: [Freeipa-users] Forcing passync to periodically sync passwords

2016-05-24 Thread Alexander Bokovoy

On Tue, 24 May 2016, pgb205 wrote:

Alexander, thank you for such a quick reply.
The reason I'm looking at this is that I want to synchronize from AD to
several FIPA domains, but as you mention it's only a 1-1 PassSync option.
This results in my not being able to synchronize passwords to the second
IdM domain. Other options I've considered are:
1. Run multiple instances of PassSync on each DC. Both will intercept the
password change but will send to different IPA replicas in different FreeIPA
domains. From this link it doesn't seem to be possible however: #48174 (RFE:
Support for running multiple instances of the PassSync service) – 389
Project
2. Backing up/copying the FreeIPA database that does have user/pass to the
second IdM domain. This is not something I'm looking to do but if there is
no other way I'd be willing to consider somehow grabbing files from
ipa-replica.domain.com and moving to ipa-server.example.net. Is this a
route that's even worth looking into? Any other options that you are aware
of to make this setup possible?
1 AD -> FIPA1.com
     -> FIPA2.com
with password replication to both?

I don't think it is possible to achieve what you want this way.

Why can't you go with a cross-forest trust? It doesn't need any
replication as passwords will always be authenticated by AD. AD can have
multiple forest trusts established so there is no problem with
FIPA1.com, FIPA2.com, ..., FIPAN.com.



--
/ Alexander Bokovoy


Re: [Freeipa-users] Forcing passync to periodically sync passwords

2016-05-24 Thread pgb205
Alexander, thank you for such a quick reply.
The reason I'm looking at this is that I want to synchronize from AD to several
FIPA domains, but as you mention it's only a 1-1 PassSync option. This results in
my not being able to synchronize passwords to the second IdM domain.
Other options I've considered are:
1. Run multiple instances of PassSync on each DC. Both will intercept the password
change but will send to different IPA replicas in different FreeIPA domains.
From this link it doesn't seem to be possible however: #48174 (RFE: Support for
running multiple instances of the PassSync service) – 389 Project
2. Backing up/copying the FreeIPA database that does have user/pass to the second
IdM domain. This is not something I'm looking to do but if there is no other way
I'd be willing to consider somehow grabbing files from ipa-replica.domain.com and
moving to ipa-server.example.net. Is this a route that's even worth looking into?
Any other options that you are aware of to make this setup possible?
1 AD -> FIPA1.com
     -> FIPA2.com
with password replication to both?
thanks

  From: Alexander Bokovoy 
 To: pgb205  
Cc: Freeipa-users 
 Sent: Tuesday, May 24, 2016 12:22 PM
 Subject: Re: [Freeipa-users] Forcing passync to periodically sync passwords
   
On Tue, 24 May 2016, pgb205 wrote:
>Currently PassSync is only triggered on the domain controller where the
>password change is made. Is there a way to trigger PassSync to run
>periodically and resend information to FreeIPA even if there are no
>changes?
Passsync implements an interface on AD DC side that is activated only
when AD user changes the password. There is no way to access clear text
password at other time.


-- 
/ Alexander Bokovoy



Re: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab

2016-05-24 Thread Ask Stack
Thank you.
 

On Tuesday, May 24, 2016 9:56 AM, Rob Crittenden  
wrote:
 

 Ask Stack wrote:
> Sorry for asking the dumb question again. Where are the 389-ds logs? I
> can't find them in /var/log/ .

/var/log/dirsrv/slapd-REALM

What you'll want to look for is the BIND from the client and all results 
for that connection. The errors log tends to just log critical problems 
so it may not have much.

rob
