Re: [Freeipa-users] Is the krb5.conf no longer used?

2016-06-01 Thread Alexander Bokovoy

On Wed, 01 Jun 2016, Geordie Grindle wrote:

> Does IPA only use ‘sssd.conf’ for kerberos authentication? Is there another
> file used to configure kerberos?
>
> I’ve built a host using Foreman and our puppet configuration usually
> pushes a krb5.conf file. However, if I delete it, everything still
> works fine.
>
> What if any function does /etc/krb5.conf have now?

libkrb5 has some default options compiled in. If your environment is
fine with these defaults, that's OK. However, it does not mean defaults
are always OK for everyone.

In particular, when you have integration with Active Directory, SSSD
generates a number of config snippets which get included via an include
statement in /etc/krb5.conf. These snippets define Kerberos-level
relationships between realms, load mapping plugins for AD Kerberos
principals and so on. This might not be important to you on the older
systems (you are using RHEL 6 where libkrb5 doesn't have some of the
interfaces SSSD is utilizing) but it is very important on RHEL 7, for
example.

Also, on RHEL 7 and in Fedora we use /etc/krb5.conf to redefine a place
where libkrb5 looks for default credentials cache (ccache) to utilize
kernel keyring storage to enhance security.

But if your setup is very simple topology-wise, libkrb5 defaults are
just fine.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Is the krb5.conf no longer used?

2016-06-01 Thread Matrix
Hi, Geordie

I think it should be optional. Here is one of my IPA client's krb5.conf:

# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.NET
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.NET = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .dev.example.net = EXAMPLE.NET
  dev.example.net = EXAMPLE.NET

Matrix


-- Original --
From:  "Geordie Grindle"
Date:  Thu, Jun 2, 2016 03:57 AM
To:  "freeipa-users"
Subject:  [Freeipa-users] Is the krb5.conf no longer used?



Does IPA only use ‘sssd.conf’ for kerberos authentication? Is there another
file used to configure kerberos?

I’ve built a host using Foreman and our puppet configuration usually pushes a
krb5.conf file. However, if I delete it, everything still works fine.

What if any function does /etc/krb5.conf have now?



[root@ipa_client ggrindle]# cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
[root@ipa_client ggrindle]# rpm -qa |grep ipa-client
ipa-client-3.0.0-37.el6.x86_64
[root@ipa_client ggrindle]# kdestroy
[root@ipa_client ggrindle]# kinit ggrindle
Password for ggrin...@dev.example.com:
[root@ipa_client ggrindle]# klist
Ticket cache: FILE:/tmp/krb5cc_0.1
Default principal: ggrin...@dev.example.com

Valid starting     Expires            Service principal
06/01/16 19:40:19  06/02/16 19:40:14  krbtgt/dev.example@dev.example.com

[root@ipa_client ggrindle]# tcpdump port 88
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:40:53.765163 IP ipa_client.test.dev.example.com.49228 > ipa_server.dev.example.com.kerberos:  v5
19:40:53.788043 IP ipa_server.dev.example.com.kerberos > ipa_client.test.dev.example.com.49228:
19:41:06.601826 IP ipa_client.test.dev.example.com.52896 > ipa_server.dev.example.com.kerberos:  v5
19:41:06.630012 IP ipa_server.dev.example.com.kerberos > ipa_client.test.dev.example.com.52896:  v5
^C
4 packets captured
6 packets received by filter
0 packets dropped by kernel



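As an added example (not code from the thread, FreeIPA or SSSD), the following Python script reads a krb5.conf such as the one Matrix posted above and checks the points Alexander raised: whether the SSSD includedir is present and whether default_ccache_name points at the kernel keyring. The parser handles only the syntax the sample uses; the snippet directory constant and the MIT default cache name are the editor's assumptions.

```python
"""Audit an IPA client's krb5.conf for the settings discussed in the thread."""
import re

# Constructed sample: the krb5.conf posted above, without the shell prompt.
SAMPLE_KRB5_CONF = """\
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.NET
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.NET = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .dev.example.net = EXAMPLE.NET
  dev.example.net = EXAMPLE.NET
"""

SSSD_INCLUDE_DIR = "/var/lib/sss/pubconf/krb5.include.d"  # where SSSD drops its snippets
MIT_DEFAULT_CCACHE = "FILE:/tmp/krb5cc_%{uid}"  # libkrb5 compiled-in default (assumed)


def parse_krb5_conf(text):
    """Parse krb5.conf text into (include_paths, sections); keys inside a
    nested block such as "EXAMPLE.NET = { ... }" become "EXAMPLE.NET/key".
    Handles only the syntax the sample uses."""
    includes, sections, block_stack, current = [], {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith(("includedir ", "include ")):
            includes.append(line.split(None, 1)[1].strip())
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            block_stack = []
            continue
        if line == "}":
            if block_stack:
                block_stack.pop()
            continue
        if line.endswith("{"):
            block_stack.append(line[:-1].split("=", 1)[0].strip())
            continue
        if "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current]["/".join(block_stack + [key])] = value
    return includes, sections


def audit_krb5_conf(text):
    """Return a list of (level, message) findings, level in ok/info/warn."""
    includes, sections = parse_krb5_conf(text)
    findings = []
    if any(p.rstrip("/") == SSSD_INCLUDE_DIR for p in includes):
        findings.append(("ok", "SSSD snippet includedir present"))
    else:
        findings.append(("warn", "no includedir for %s: SSSD-generated realm and "
                         "AD-trust snippets will not be loaded" % SSSD_INCLUDE_DIR))
    libdefaults = sections.get("libdefaults", {})
    ccache = libdefaults.get("default_ccache_name")
    if ccache is None:
        findings.append(("info", "default_ccache_name unset; libkrb5 falls back to "
                         "its compiled-in default (%s)" % MIT_DEFAULT_CCACHE))
    elif ccache.upper().startswith("KEYRING:"):
        findings.append(("ok", "credential cache kept in the kernel keyring (%s)" % ccache))
    else:
        findings.append(("warn", "default_ccache_name=%s keeps tickets in a file "
                         "cache rather than the kernel keyring" % ccache))
    if "default_realm" not in libdefaults:
        findings.append(("warn", "default_realm unset"))
    if libdefaults.get("rdns", "true").lower() not in ("false", "no", "0"):
        findings.append(("info", "rdns not disabled: service principal names are "
                         "canonicalised through reverse DNS"))
    return findings


if __name__ == "__main__":
    for level, message in audit_krb5_conf(SAMPLE_KRB5_CONF):
        print("[%s] %s" % (level.upper(), message))
```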

Re: [Freeipa-users] ns-slapd hangs for 2-3 minutes, then resumes.

2016-06-01 Thread Guillermo Fuentes
I'm now taking stack traces every minute and waiting for it to hang
again to check it. It happens usually under load but it's
unpredictable. Most likely tomorrow.

GUILLERMO FUENTES
SR. SYSTEMS ADMINISTRATOR

561-880-2998 x1337

guillermo.fuen...@modmed.com

On Wed, Jun 1, 2016 at 2:03 PM, Rich Megginson  wrote:
> On 06/01/2016 10:37 AM, Guillermo Fuentes wrote:
>>
>> Hi all,
>>
>> We are experiencing a similar issue like the one discussed in the
>> following thread but we are running FreeIPA 4.2 on CentOS 7.2:
>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00205.html
>
>
> Are your stack traces similar?
>
>
>>
>> LDAP service stops responding to queries (hangs). LDAP connections on
>> the server climb sometimes up to 10 times the normal amount and load
>> goes to 0. Then, the connections start to drop until they get to a
>> normal level and the LDAP service starts to respond to queries again.
>> This happens in between 3-5 minutes:
>>
>> Time,LDAP conn, Opened files(ns-slapd), File Desc(ns-slapd),Threads(ns-slapd),Load1,Load5,Load15
>> 8:54:03,101,353,216,142,0.43,0.20,0.16
>> 8:55:02,108,359,221,142,0.19,0.18,0.15
>> 8:56:03,110,361,224,142,0.07,0.15,0.14
>> 8:57:14,117,383,246,142,0.15,0.16,0.15
>> 8:58:04,276,371,234,142,0.05,0.13,0.14
>> 8:59:05,469,371,234,142,0.02,0.11,0.13
>> 9:00:08,719,371,234,142,0.01,0.09,0.12
>> 9:01:18,1060,371,234,142,0.00,0.07,0.12
>> 9:02:10,742,371,233,142,0.10,0.09,0.12
>> 9:03:06,365,372,235,142,0.13,0.10,0.13
>> 9:04:04,262,379,242,142,0.87,0.29,0.19
>> 9:05:02,129,371,233,142,0.51,0.31,0.20
>> 9:06:03,126,377,240,142,0.42,0.33,0.22
>> 9:07:03,125,377,238,142,0.17,0.27,0.21
>>
>> Nothing is logged in the errors log file of the server having the
>> problem (ipa1 as an example).
>> In the replicas this is logged:
>> 8:59:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com"
>> (ipa1:389): Unable to receive the response for a startReplication
>> extended operation to consumer (Timed out). Will retry later.
>> 9:01:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com"
>> (ipa1:389): Unable to receive the response for a startReplication
>> extended operation to consumer (Timed out). Will retry later.
>>
>> Nothing is logged in the access log file until after ns-slapd starts
>> responding again:
>> ...
>> 8:57:00 -0400] conn=12384 fd=234 slot=234 connection from 172.20.0.1
>> to 172.20.2.45
>> 8:57:00 -0400] conn=12385 fd=235 slot=235 connection from 172.20.0.1
>> to 172.20.2.45
>> 8:57:00 -0400] conn=12386 fd=236 slot=236 connection from 172.20.0.1
>> to 172.20.2.45
>> 8:57:00 -0400] conn=12387 fd=237 slot=237 connection from 172.20.0.1
>> to 172.20.2.45
>> 8:57:00 -0400] conn=10384 op=1227 EXT oid="2.16.840.1.113730.3.5.12"
>> name="replication-multimaster-extop"
>> 8:57:00 -0400] conn=12324 op=8 RESULT err=0 tag=101 nentries=1 etime=0
>> 8:57:00 -0400] conn=8838 op=2545 EXT oid="2.16.840.1.113730.3.5.12"
>> name="replication-multimaster-extop"
>> 8:57:00 -0400] conn=8838 op=2545 RESULT err=0 tag=120 nentries=0 etime=0
>> 8:57:00 -0400] conn=10384 op=1227 RESULT err=0 tag=120 nentries=0 etime=0
>> 8:57:00 -0400] conn=12382 op=-1 fd=170 closed - B1
>> 8:57:00 -0400] conn=12383 op=0 SRCH base="" scope=0
>> filter="(objectClass=*)" attrs="supportedSASLMechanisms
>> defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>> 8:57:00 -0400] conn=12384 op=-1 fd=234 closed - B1
>> 8:57:00 -0400] conn=12385 op=0 SRCH base="" scope=0
>> filter="(objectClass=*)" attrs="supportedSASLMechanisms
>> defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>> 8:57:00 -0400] conn=12383 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>> 8:57:00 -0400] conn=12386 op=-1 fd=236 closed - B1
>> 8:57:00 -0400] conn=12385 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>> 8:57:00 -0400] conn=12387 op=0 SRCH base="" scope=0
>> filter="(objectClass=*)" attrs="supportedSASLMechanisms
>> defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>> 8:57:00 -0400] conn=12387 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>> 8:57:00 -0400] conn=12385 op=1 BIND dn="" method=sasl version=3
>> mech=GSSAPI
>> 8:57:00 -0400] conn=12387 op=1 BIND dn="" method=sasl version=3
>> mech=GSSAPI
>> 8:57:00 -0400] conn=12385 op=1 RESULT err=14 tag=97 nentries=0
>> etime=0, SASL bind in progress
>> 8:57:00 -0400] conn=12383 op=1 BIND dn="" method=sasl version=3
>> mech=GSSAPI
>> 8:57:00 -0400] conn=10384 op=1228 EXT oid="2.16.840.1.113730.3.5.5"
>> name="Netscape Replication End Session"
>> 8:57:00 -0400] conn=10384 op=1228 RESULT err=0 tag=120 nentries=0 etime=0
>> 8:57:00 -0400] conn=12383 op=1 RESULT err=14 tag=97 nentries=0
>> etime=0, SASL bind in progress
>> 9:02:00 -0400] conn=12388 fd=170 slot=170 connection from 172.20.0.1
>> to 172.20.2.45
>> 9:02:00 -0400] conn=12389 fd=234 slot=234 SSL connection from
>> 172.20.0.24 to 172.20.2.45
>> 9:02:00 -0400] conn=12390 fd=236 slot=236 connection from local to
>> 

[Freeipa-users] Is the krb5.conf no longer used?

2016-06-01 Thread Geordie Grindle
Does IPA only use ‘sssd.conf’ for kerberos authentication? Is there another 
file used to configure kerberos? 

I’ve built a host using Foreman and our puppet configuration usually pushes a 
krb5.conf file. However, if I delete it, everything still works fine.

What if any function does /etc/krb5.conf have now?



[root@ipa_client ggrindle]# cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
[root@ipa_client ggrindle]# rpm -qa |grep ipa-client
ipa-client-3.0.0-37.el6.x86_64
[root@ipa_client ggrindle]# kdestroy
[root@ipa_client ggrindle]# kinit ggrindle
Password for ggrin...@dev.example.com:
[root@ipa_client ggrindle]# klist
Ticket cache: FILE:/tmp/krb5cc_0.1
Default principal: ggrin...@dev.example.com

Valid starting     Expires            Service principal
06/01/16 19:40:19  06/02/16 19:40:14  krbtgt/dev.example@dev.example.com

[root@ipa_client ggrindle]# tcpdump port 88
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:40:53.765163 IP ipa_client.test.dev.example.com.49228 > ipa_server.dev.example.com.kerberos:  v5
19:40:53.788043 IP ipa_server.dev.example.com.kerberos > ipa_client.test.dev.example.com.49228:
19:41:06.601826 IP ipa_client.test.dev.example.com.52896 > ipa_server.dev.example.com.kerberos:  v5
19:41:06.630012 IP ipa_server.dev.example.com.kerberos > ipa_client.test.dev.example.com.52896:  v5
^C
4 packets captured
6 packets received by filter
0 packets dropped by kernel




Re: [Freeipa-users] FreeIPA4.2: Recovering from an IPA master server failure

2016-06-01 Thread Michael Rainey (Contractor)
My apologies for the duplicate thread, but from my vantage point I did 
not see any signs of my message making it to the mailing list.  My 
original message was not posted back to me, nor was your reply posted to me.


Now back to your reply.  I did try the command you suggested and it does 
appear to have removed the last remnants of my first server.  Are there 
any additional steps I should perform to verify things are as they once 
were?


I did notice some of the systems on the network will not carry my 
kerberos credentials over to another machine when using SSH.  The 
working systems log me in with no problems when using ssh .  
While other systems will prompt me for a password.  Has anyone had 
similar problems and what did they do to fix the problem?


*Michael Rainey*

On 05/31/2016 11:10 PM, Martin Basti wrote:
>
> On 31.05.2016 17:36, Michael Rainey (Contractor) wrote:
>> Greetings community,
>>
>> I've run into an interesting problem which may be old hat to all of
>> you.  I was working to bring down my IPA master server and did it
>> improperly.  It was a rookie mistake, but I'm willing to view it as
>> an exercise in recovering from a massive system failure.
>>
>> The original master server is gone with no way of recovering and I
>> have managed to replace the server by promoting one of my replicas,
>> but I find myself in a situation where I cannot remove the original
>> master server from the LDAP directory.  It is still seen as a master
>> server and the webUI will not let me delete the system from directory
>> server.  Is there a process somewhere that will walk me through
>> demoting the old server so I can delete it from the directory and
>> officially promote its replacement?
>>
>> For reference, I followed the steps located at this link.
>>
>> Centos 7.2 / freeIPA 4.2
>>
>> Your help is greatly appreciated.
>>
>> --
>> *Michael Rainey*
>
> Hello,
>
> can you please continue with just one thread next time?
>
> You haven't replied if this works for you
> https://www.redhat.com/archives/freeipa-users/2016-May/msg00521.html
>
> regards,
> Martin



Re: [Freeipa-users] ns-slapd hangs for 2-3 minutes, then resumes.

2016-06-01 Thread Rich Megginson

On 06/01/2016 10:37 AM, Guillermo Fuentes wrote:
> Hi all,
>
> We are experiencing a similar issue like the one discussed in the
> following thread but we are running FreeIPA 4.2 on CentOS 7.2:
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00205.html

Are your stack traces similar?

> LDAP service stops responding to queries (hangs). LDAP connections on
> the server climb sometimes up to 10 times the normal amount and load
> goes to 0. Then, the connections start to drop until they get to a
> normal level and the LDAP service starts to respond to queries again.
> This happens in between 3-5 minutes:
>
> Time,LDAP conn, Opened files(ns-slapd), File Desc(ns-slapd),Threads(ns-slapd),Load1,Load5,Load15
> 8:54:03,101,353,216,142,0.43,0.20,0.16
> 8:55:02,108,359,221,142,0.19,0.18,0.15
> 8:56:03,110,361,224,142,0.07,0.15,0.14
> 8:57:14,117,383,246,142,0.15,0.16,0.15
> 8:58:04,276,371,234,142,0.05,0.13,0.14
> 8:59:05,469,371,234,142,0.02,0.11,0.13
> 9:00:08,719,371,234,142,0.01,0.09,0.12
> 9:01:18,1060,371,234,142,0.00,0.07,0.12
> 9:02:10,742,371,233,142,0.10,0.09,0.12
> 9:03:06,365,372,235,142,0.13,0.10,0.13
> 9:04:04,262,379,242,142,0.87,0.29,0.19
> 9:05:02,129,371,233,142,0.51,0.31,0.20
> 9:06:03,126,377,240,142,0.42,0.33,0.22
> 9:07:03,125,377,238,142,0.17,0.27,0.21
>
> Nothing is logged in the errors log file of the server having the
> problem (ipa1 as an example).
> In the replicas this is logged:
> 8:59:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com"
> (ipa1:389): Unable to receive the response for a startReplication
> extended operation to consumer (Timed out). Will retry later.
> 9:01:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com"
> (ipa1:389): Unable to receive the response for a startReplication
> extended operation to consumer (Timed out). Will retry later.
>
> Nothing is logged in the access log file until after ns-slapd starts
> responding again:
> ...
> 8:57:00 -0400] conn=12384 fd=234 slot=234 connection from 172.20.0.1
> to 172.20.2.45
> 8:57:00 -0400] conn=12385 fd=235 slot=235 connection from 172.20.0.1
> to 172.20.2.45
> 8:57:00 -0400] conn=12386 fd=236 slot=236 connection from 172.20.0.1
> to 172.20.2.45
> 8:57:00 -0400] conn=12387 fd=237 slot=237 connection from 172.20.0.1
> to 172.20.2.45
> 8:57:00 -0400] conn=10384 op=1227 EXT oid="2.16.840.1.113730.3.5.12"
> name="replication-multimaster-extop"
> 8:57:00 -0400] conn=12324 op=8 RESULT err=0 tag=101 nentries=1 etime=0
> 8:57:00 -0400] conn=8838 op=2545 EXT oid="2.16.840.1.113730.3.5.12"
> name="replication-multimaster-extop"
> 8:57:00 -0400] conn=8838 op=2545 RESULT err=0 tag=120 nentries=0 etime=0
> 8:57:00 -0400] conn=10384 op=1227 RESULT err=0 tag=120 nentries=0 etime=0
> 8:57:00 -0400] conn=12382 op=-1 fd=170 closed - B1
> 8:57:00 -0400] conn=12383 op=0 SRCH base="" scope=0
> filter="(objectClass=*)" attrs="supportedSASLMechanisms
> defaultnamingcontext namingContexts schemanamingcontext saslrealm"
> 8:57:00 -0400] conn=12384 op=-1 fd=234 closed - B1
> 8:57:00 -0400] conn=12385 op=0 SRCH base="" scope=0
> filter="(objectClass=*)" attrs="supportedSASLMechanisms
> defaultnamingcontext namingContexts schemanamingcontext saslrealm"
> 8:57:00 -0400] conn=12383 op=0 RESULT err=0 tag=101 nentries=1 etime=0
> 8:57:00 -0400] conn=12386 op=-1 fd=236 closed - B1
> 8:57:00 -0400] conn=12385 op=0 RESULT err=0 tag=101 nentries=1 etime=0
> 8:57:00 -0400] conn=12387 op=0 SRCH base="" scope=0
> filter="(objectClass=*)" attrs="supportedSASLMechanisms
> defaultnamingcontext namingContexts schemanamingcontext saslrealm"
> 8:57:00 -0400] conn=12387 op=0 RESULT err=0 tag=101 nentries=1 etime=0
> 8:57:00 -0400] conn=12385 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> 8:57:00 -0400] conn=12387 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> 8:57:00 -0400] conn=12385 op=1 RESULT err=14 tag=97 nentries=0
> etime=0, SASL bind in progress
> 8:57:00 -0400] conn=12383 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> 8:57:00 -0400] conn=10384 op=1228 EXT oid="2.16.840.1.113730.3.5.5"
> name="Netscape Replication End Session"
> 8:57:00 -0400] conn=10384 op=1228 RESULT err=0 tag=120 nentries=0 etime=0
> 8:57:00 -0400] conn=12383 op=1 RESULT err=14 tag=97 nentries=0
> etime=0, SASL bind in progress
> 9:02:00 -0400] conn=12388 fd=170 slot=170 connection from 172.20.0.1
> to 172.20.2.45
> 9:02:00 -0400] conn=12389 fd=234 slot=234 SSL connection from
> 172.20.0.24 to 172.20.2.45
> 9:02:00 -0400] conn=12390 fd=236 slot=236 connection from local to
> /var/run/slapd-EXAMPLE-COM.socket
> 9:02:00 -0400] conn=12391 fd=238 slot=238 connection from 172.20.0.1
> to 172.20.2.45
> 9:02:00 -0400] conn=12392 fd=239 slot=239 SSL connection from
> 172.20.0.24 to 172.20.2.45
> 9:02:00 -0400] conn=12393 fd=240 slot=240 connection from local to
> /var/run/slapd-EXAMPLE-COM.socket
> 9:02:00 -0400] conn=12394 fd=241 slot=241 connection from 172.20.0.1
> to 172.20.2.45
> 9:02:00 -0400] conn=12395 fd=242 slot=242 SSL connection from
> 172.20.0.24 to 172.20.2.45
> 9:02:00 -0400] conn=12396 fd=243 slot=243 connection from 172.20.0.1
> to 172.20.2.45
> 9:02:00 -0400] conn=12397 fd=244 slot=244 SSL connection from
[Freeipa-users] sessions failing when using different hostname

2016-06-01 Thread Anthony Clark
Hello All,

I've been asked to allow access to our FreeIPA web UI from a more user
friendly url than I'm currently using.  So I've set up a CNAME
password.example.com for ns01.example.com

At the moment, if I go to the real hostname of the FreeIPA server (
ns01.example.com), everything works.

If I go to the new "friendly" url (password.example.com) then upon login I
get a "your session has expired please re-login" message.

Setting debug to true in /etc/ipa/server.conf shows me that the server
keeps using new session IDs.  (Host and user names changed to protect the
innocent)

- /var/log/httpd/error_log -
[Wed Jun 01 17:11:06.237363 2016] [:error] [pid 31491] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Wed Jun 01 17:11:06.237533 2016] [:error] [pid 31491] ipa: DEBUG: WSGI
jsonserver_session.__call__:
[Wed Jun 01 17:11:06.237944 2016] [:error] [pid 31491] ipa: DEBUG: no
session cookie found
[Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no
session id in request, generating empty session data with
id=d5bc1c4cab8d3bfaee63b84805147995
[Wed Jun 01 17:11:06.239466 2016] [:error] [pid 31491] ipa: DEBUG: store
session: session_id=d5bc1c4cab8d3bfaee63b84805147995
start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06
expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:06.241052 2016] [:error] [pid 31491] ipa: DEBUG:
jsonserver_session.__call__: session_id=d5bc1c4cab8d3bfaee63b84805147995
start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06
expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:06.241186 2016] [:error] [pid 31491] ipa: DEBUG: no
ccache, need login
[Wed Jun 01 17:11:06.241294 2016] [:error] [pid 31491] ipa: DEBUG:
jsonserver_session: 401 Unauthorized need login
[Wed Jun 01 17:11:24.956791 2016] [:error] [pid 31492] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI
login_password.__call__:
[Wed Jun 01 17:11:24.957381 2016] [:error] [pid 31492] ipa: DEBUG:
Obtaining armor ccache: principal=HTTP/ns01.example@example.com
keytab=/etc/httpd/conf/ipa.keytab
ccache=/var/run/ipa_memcached/krbcc_A_aclark
[Wed Jun 01 17:11:24.957519 2016] [:error] [pid 31492] ipa: DEBUG:
Initializing principal HTTP/ns01.example@example.com using keytab
/etc/httpd/conf/ipa.keytab
[Wed Jun 01 17:11:24.957633 2016] [:error] [pid 31492] ipa: DEBUG: using
ccache /var/run/ipa_memcached/krbcc_A_aclark
[Wed Jun 01 17:11:24.998328 2016] [:error] [pid 31492] ipa: DEBUG: Attempt
1/1: success
[Wed Jun 01 17:11:24.998531 2016] [:error] [pid 31492] ipa: DEBUG:
Initializing principal acl...@example.com using password
[Wed Jun 01 17:11:24.998684 2016] [:error] [pid 31492] ipa: DEBUG: Using
armor ccache /var/run/ipa_memcached/krbcc_A_aclark for FAST webauth
[Wed Jun 01 17:11:24.998865 2016] [:error] [pid 31492] ipa: DEBUG: Starting
external process
[Wed Jun 01 17:11:24.998984 2016] [:error] [pid 31492] ipa: DEBUG:
args='/usr/bin/kinit' 'acl...@example.com' '-c'
'FILE:/var/run/ipa_memcached/krbcc_31492' '-T'
'/var/run/ipa_memcached/krbcc_A_aclark'
[Wed Jun 01 17:11:26.079200 2016] [:error] [pid 31492] ipa: DEBUG: Process
finished, return code=0
[Wed Jun 01 17:11:26.079384 2016] [:error] [pid 31492] ipa: DEBUG:
stdout=Password for acl...@example.com:
[Wed Jun 01 17:11:26.079399 2016] [:error] [pid 31492]
[Wed Jun 01 17:11:26.079483 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
[Wed Jun 01 17:11:26.079680 2016] [:error] [pid 31492] ipa: DEBUG: Cleanup
the armor ccache
[Wed Jun 01 17:11:26.079871 2016] [:error] [pid 31492] ipa: DEBUG: Starting
external process
[Wed Jun 01 17:11:26.079983 2016] [:error] [pid 31492] ipa: DEBUG:
args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_aclark'
[Wed Jun 01 17:11:26.093954 2016] [:error] [pid 31492] ipa: DEBUG: Process
finished, return code=0
[Wed Jun 01 17:11:26.094113 2016] [:error] [pid 31492] ipa: DEBUG: stdout=
[Wed Jun 01 17:11:26.094210 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
[Wed Jun 01 17:11:26.094809 2016] [:error] [pid 31492] ipa: DEBUG: no
session cookie found
[Wed Jun 01 17:11:26.095877 2016] [:error] [pid 31492] ipa: DEBUG: no
session id in request, generating empty session data with
id=7ab08ba17d30883cff480af9e923cf82
[Wed Jun 01 17:11:26.096132 2016] [:error] [pid 31492] ipa: DEBUG: store
session: session_id=7ab08ba17d30883cff480af9e923cf82
start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26
expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:26.096596 2016] [:error] [pid 31492] ipa: DEBUG:
finalize_kerberos_acquisition: login_password
ccache_name="FILE:/var/run/ipa_memcached/krbcc_31492"
session_id="7ab08ba17d30883cff480af9e923cf82"
[Wed Jun 01 17:11:26.096774 2016] [:error] [pid 31492] ipa: DEBUG: reading
ccache data from file "/var/run/ipa_memcached/krbcc_31492"
[Wed Jun 01 17:11:26.097937 2016] [:error] [pid 31492] ipa: DEBUG:
get_credential_times: principal=krbtgt/example@example.com,

[Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-01 Thread Dan.Finkelstein
Hi folks,
As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6 to 
4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA replicas in 
CentOS 7 and then hope to promote one of them to the CA master. I'm running 
into two problems:

The first is that when we create a replica in FreeIPA 4.2.0 with the --setup-ca
option, that portion fails. Here's a snippet of the output:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 
seconds
  [1/23]: creating certificate server user
  [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA 
instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpqPeYOW'' 
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs 
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Second, I've tried a "trick" where I run an ipa-backup on the 4.2.0 replica and 
then restore it, hoping to convince the server that it's now a master. When I 
try to run ipa-replica-prepare, it quickly exits with the mysterious "no such 
entry" error:

[root@ipa ~]# ipa-replica-prepare ipa4test.example.local --ip-address 
10.55.10.36
Directory Manager (existing master) password:

Preparing replica for ipa4test.example.local from ipa.example.local
no such entry

Ideas, suggestions, and help are very welcome!

Best regards,
Dan



Daniel Alex Finkelstein| Senior Dev Ops Engineer
dan.finkelst...@h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com

[Freeipa-users] ns-slapd hangs for 2-3 minutes, then resumes.

2016-06-01 Thread Guillermo Fuentes
Hi all,

We are experiencing a similar issue like the one discussed in the
following thread but we are running FreeIPA 4.2 on CentOS 7.2:
https://www.redhat.com/archives/freeipa-users/2015-February/msg00205.html

LDAP service stops responding to queries (hangs). LDAP connections on
the server climb sometimes up to 10 times the normal amount and load
goes to 0. Then, the connections start to drop until they get to a
normal level and the LDAP service starts to respond to queries again.
This happens in between 3-5 minutes:

Time,LDAP conn, Opened files(ns-slapd), File Desc(ns-slapd),Threads(ns-slapd),Load1,Load5,Load15
8:54:03,101,353,216,142,0.43,0.20,0.16
8:55:02,108,359,221,142,0.19,0.18,0.15
8:56:03,110,361,224,142,0.07,0.15,0.14
8:57:14,117,383,246,142,0.15,0.16,0.15
8:58:04,276,371,234,142,0.05,0.13,0.14
8:59:05,469,371,234,142,0.02,0.11,0.13
9:00:08,719,371,234,142,0.01,0.09,0.12
9:01:18,1060,371,234,142,0.00,0.07,0.12
9:02:10,742,371,233,142,0.10,0.09,0.12
9:03:06,365,372,235,142,0.13,0.10,0.13
9:04:04,262,379,242,142,0.87,0.29,0.19
9:05:02,129,371,233,142,0.51,0.31,0.20
9:06:03,126,377,240,142,0.42,0.33,0.22
9:07:03,125,377,238,142,0.17,0.27,0.21

Nothing is logged in the errors log file of the server having the
problem (ipa1 as an example).
In the replicas this is logged:
8:59:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com"
(ipa1:389): Unable to receive the response for a startReplication
extended operation to consumer (Timed out). Will retry later.
9:01:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com"
(ipa1:389): Unable to receive the response for a startReplication
extended operation to consumer (Timed out). Will retry later.

Nothing is logged in the access log file until after ns-slapd starts
responding again:
...
8:57:00 -0400] conn=12384 fd=234 slot=234 connection from 172.20.0.1
to 172.20.2.45
8:57:00 -0400] conn=12385 fd=235 slot=235 connection from 172.20.0.1
to 172.20.2.45
8:57:00 -0400] conn=12386 fd=236 slot=236 connection from 172.20.0.1
to 172.20.2.45
8:57:00 -0400] conn=12387 fd=237 slot=237 connection from 172.20.0.1
to 172.20.2.45
8:57:00 -0400] conn=10384 op=1227 EXT oid="2.16.840.1.113730.3.5.12"
name="replication-multimaster-extop"
8:57:00 -0400] conn=12324 op=8 RESULT err=0 tag=101 nentries=1 etime=0
8:57:00 -0400] conn=8838 op=2545 EXT oid="2.16.840.1.113730.3.5.12"
name="replication-multimaster-extop"
8:57:00 -0400] conn=8838 op=2545 RESULT err=0 tag=120 nentries=0 etime=0
8:57:00 -0400] conn=10384 op=1227 RESULT err=0 tag=120 nentries=0 etime=0
8:57:00 -0400] conn=12382 op=-1 fd=170 closed - B1
8:57:00 -0400] conn=12383 op=0 SRCH base="" scope=0
filter="(objectClass=*)" attrs="supportedSASLMechanisms
defaultnamingcontext namingContexts schemanamingcontext saslrealm"
8:57:00 -0400] conn=12384 op=-1 fd=234 closed - B1
8:57:00 -0400] conn=12385 op=0 SRCH base="" scope=0
filter="(objectClass=*)" attrs="supportedSASLMechanisms
defaultnamingcontext namingContexts schemanamingcontext saslrealm"
8:57:00 -0400] conn=12383 op=0 RESULT err=0 tag=101 nentries=1 etime=0
8:57:00 -0400] conn=12386 op=-1 fd=236 closed - B1
8:57:00 -0400] conn=12385 op=0 RESULT err=0 tag=101 nentries=1 etime=0
8:57:00 -0400] conn=12387 op=0 SRCH base="" scope=0
filter="(objectClass=*)" attrs="supportedSASLMechanisms
defaultnamingcontext namingContexts schemanamingcontext saslrealm"
8:57:00 -0400] conn=12387 op=0 RESULT err=0 tag=101 nentries=1 etime=0
8:57:00 -0400] conn=12385 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
8:57:00 -0400] conn=12387 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
8:57:00 -0400] conn=12385 op=1 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
8:57:00 -0400] conn=12383 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
8:57:00 -0400] conn=10384 op=1228 EXT oid="2.16.840.1.113730.3.5.5"
name="Netscape Replication End Session"
8:57:00 -0400] conn=10384 op=1228 RESULT err=0 tag=120 nentries=0 etime=0
8:57:00 -0400] conn=12383 op=1 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
9:02:00 -0400] conn=12388 fd=170 slot=170 connection from 172.20.0.1
to 172.20.2.45
9:02:00 -0400] conn=12389 fd=234 slot=234 SSL connection from
172.20.0.24 to 172.20.2.45
9:02:00 -0400] conn=12390 fd=236 slot=236 connection from local to
/var/run/slapd-EXAMPLE-COM.socket
9:02:00 -0400] conn=12391 fd=238 slot=238 connection from 172.20.0.1
to 172.20.2.45
9:02:00 -0400] conn=12392 fd=239 slot=239 SSL connection from
172.20.0.24 to 172.20.2.45
9:02:00 -0400] conn=12393 fd=240 slot=240 connection from local to
/var/run/slapd-EXAMPLE-COM.socket
9:02:00 -0400] conn=12394 fd=241 slot=241 connection from 172.20.0.1
to 172.20.2.45
9:02:00 -0400] conn=12395 fd=242 slot=242 SSL connection from
172.20.0.24 to 172.20.2.45
9:02:00 -0400] conn=12396 fd=243 slot=243 connection from 172.20.0.1
to 172.20.2.45
9:02:00 -0400] conn=12397 fd=244 slot=244 SSL connection from
172.20.0.24 to 172.20.2.45
9:02:00 -0400] conn=12398 fd=245 slot=245 connection from 
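As an added example (not code from the thread or from 389-ds), here is a Python detector over the per-minute counters posted above that locates the hang window by the pattern the poster describes: connections piling up while load1 falls to zero. The baseline size and the two thresholds are the editor's assumptions.

```python
"""Flag ns-slapd hang windows in per-minute counters like those posted above."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed from the thread's sample; header shortened to plain column names.
SAMPLE_CSV = """\
time,ldap_conn,open_files,fds,threads,load1,load5,load15
8:54:03,101,353,216,142,0.43,0.20,0.16
8:55:02,108,359,221,142,0.19,0.18,0.15
8:56:03,110,361,224,142,0.07,0.15,0.14
8:57:14,117,383,246,142,0.15,0.16,0.15
8:58:04,276,371,234,142,0.05,0.13,0.14
8:59:05,469,371,234,142,0.02,0.11,0.13
9:00:08,719,371,234,142,0.01,0.09,0.12
9:01:18,1060,371,234,142,0.00,0.07,0.12
9:02:10,742,371,233,142,0.10,0.09,0.12
9:03:06,365,372,235,142,0.13,0.10,0.13
9:04:04,262,379,242,142,0.87,0.29,0.19
9:05:02,129,371,233,142,0.51,0.31,0.20
9:06:03,126,377,240,142,0.42,0.33,0.22
9:07:03,125,377,238,142,0.17,0.27,0.21
"""


@dataclass
class Sample:
    time: str
    conns: int
    fds: int
    load1: float


@dataclass
class HangWindow:
    start: str
    end: str
    peak_conns: int
    duration_s: int


def parse_samples(text):
    """Read the CSV text into Sample records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Sample(r["time"], int(r["ldap_conn"]), int(r["fds"]), float(r["load1"]))
            for r in rows]


def _seconds(hms):
    """Seconds since midnight for an H:M:S timestamp."""
    t = datetime.strptime(hms, "%H:%M:%S")
    return t.hour * 3600 + t.minute * 60 + t.second


def find_hang_windows(samples, baseline_n=3, conn_factor=2.0, idle_load=0.10):
    """Return (baseline_conns, [HangWindow, ...]).

    baseline_conns is the median connection count over the first baseline_n
    samples, assumed healthy.  A sample is 'stalled' when connections are at
    least conn_factor times the baseline AND load1 is at or below idle_load:
    a busy-but-slow server raises load, a wedged one does not.  Consecutive
    stalled samples form one window.
    """
    baseline = median(s.conns for s in samples[:baseline_n])
    windows = []
    start = end = None
    peak = 0
    for s in samples:
        stalled = s.conns >= conn_factor * baseline and s.load1 <= idle_load
        if stalled:
            if start is None:
                start, peak = s.time, 0
            end, peak = s.time, max(peak, s.conns)
        elif start is not None:
            windows.append(HangWindow(start, end, peak, _seconds(end) - _seconds(start)))
            start = None
    if start is not None:
        windows.append(HangWindow(start, end, peak, _seconds(end) - _seconds(start)))
    return baseline, windows


if __name__ == "__main__":
    base, hangs = find_hang_windows(parse_samples(SAMPLE_CSV))
    print("baseline connections: %s" % base)
    for w in hangs:
        print("hang %s..%s (%ds), peak %d connections"
              % (w.start, w.end, w.duration_s, w.peak_conns))
```

On the sample it reports one window from 8:58:04 to 9:02:10 (246 s) peaking at 1060 connections; the ns-slapd file descriptor count stays at 233-234 through that window, so the extra connections are queued unaccepted rather than held open by the server, which matches the empty access log the poster reports.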

Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

2016-06-01 Thread Rob Crittenden

Kay Zhou Y wrote:

> Hi Rob,
>
> 1.  I have made snapshots for this system for test, so the NSS databases have been
> backed up.
>
> 2.  For the pki-cad service, I can't find it in my system, it shows there is no
> such service.
> but there is one failed service, as below:
>
> root@ecnshlx3039-test2(SH):requests #systemctl status pki-cad@pki-ca.service
> pki-cad@pki-ca.service - PKI Certificate Authority Server pki-ca
>    Loaded: loaded (/lib/systemd/system/pki-cad@.service; enabled)
>    Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53
> +0200; 23min ago
>   Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited,
> status=1/FAILURE)
>   Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited,
> status=0/SUCCESS)
>  Main PID: 2593 (code=exited, status=0/SUCCESS)
>    CGroup: name=systemd:/system/pki-cad@.service/pki-ca
>
> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]:
> pam_unix(runuser-l:session): session opened for user pkius...d=0)
> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]:
> pam_unix(runuser-l:session): session closed for user pkiuser
> Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]:
> pam_unix(runuser-l:session): session opened for user pkius...d=0)
> Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]:
> pam_unix(runuser-l:session): session closed for user pkiuser
>
> I can't start it normally, even the log just said:
> Jun  1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad@pki-ca.service: control
> process exited, code=exited status=1
> Jun  1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad@pki-ca.service
> entered failed state.
>
> I will google more to try to start it first.

Ok, this is very confusing to me. What distribution are you running? I 
have the feeling you are running an extremely outdated version of Fedora.

Yes, you need the CA up in order to get the certificates renewed. Look 
at catalina.out, the log "debug" and the selftests log for clues on why 
it won't start. You also need the PKI-IPA 389-ds instance running.

And I guess you were just showing me the service name and such, but of 
course it won't start today with expired certs.

> 3.  About the source of the output for getcert list:
>
> root@ecnshlx3039-test2(SH):requests #ll
> total 64
> -rw-------. 1 root root 5698 Jun  1 06:06 20120704140859
> -rw-------. 1 root root 5695 Jun  1 06:06 20120704140922
> -rw-------. 1 root root 5654 Jun  1 06:06 20120704141150
> -rw-------. 1 root root 5107 Jun  1 06:39 20140605220249
> -rw-------. 1 root root 4982 Jun  1 06:39 20160601043748
> -rw-------. 1 root root 5144 Jun  1 06:39 20160601043749
> -rw-------. 1 root root 5186 Jun  1 06:39 20160601043750
> -rw-------. 1 root root 5126 Jun  1 06:39 20160601043751
> root@ecnshlx3039-test2(SH):requests #
> root@ecnshlx3039-test2(SH):requests #grep post_certsave_command *
> 20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv
> DRUTT-COM
> 20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
> root@ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
> root@ecnshlx3039-test2(SH):requests #
>
> there are just two statements.


Ok, that is fine then I think.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
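
The request files Kay lists above are what `getcert list` summarises. The following is an added example, not code from the thread, from FreeIPA or from certmonger: it parses a certmonger tracking-request file (the flat key=value record under /var/lib/certmonger/requests, with the CSR continued on indented lines), reports whether the tracked certificate has already expired, and shows the post_certsave_command certmonger will run after a renewal. The sample record is constructed from the fields quoted in the thread, its CSR body is a placeholder, and the assumption that certmonger's YYYYMMDDHHMMSS stamps are UTC is the example's own.

```python
import glob
import os
from datetime import datetime, timezone

# Constructed sample of a request file: a flat key=value record in which
# multi-line values (the CSR) continue on lines that start with whitespace.
# Field values are taken from the thread; the CSR body is a placeholder.
SAMPLE_REQUEST = """\
id=20140605220249
key_storage_type=NSSDB
key_storage_location=/etc/httpd/alias
key_nickname=ipaCert
cert_storage_type=NSSDB
cert_storage_location=/etc/httpd/alias
cert_nickname=ipaCert
cert_issuer=CN=Certificate Authority,O=DRUTT.COM
cert_serial=07
cert_subject=CN=IPA RA,O=DRUTT.COM
cert_not_before=20120704140850
cert_not_after=20140624140850
post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
 MIICxTCCAa0CAQAwJTESMBAGA1UEChMJRFJVVFQuQ09N
 -----END NEW CERTIFICATE REQUEST-----
"""


def parse_request(text):
    """Return the record as a dict; continuation lines (leading whitespace)
    are appended to the value of the previous key."""
    record, last_key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last_key is not None:
            record[last_key] += "\n" + line.strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line; ignore it
        last_key = key.strip()
        record[last_key] = value.strip()
    return record


def parse_cm_time(stamp):
    """certmonger writes times as YYYYMMDDHHMMSS with no zone marker; this
    example assumes they are UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_request(text, now):
    """Summarise one request: whether the tracked certificate is expired at
    'now', the days remaining (negative once expired) and the command
    certmonger runs after saving a renewed certificate.  A request that has
    never received a certificate has no cert_not_after; it is reported with
    expired=None rather than treated as valid."""
    rec = parse_request(text)
    summary = {
        "id": rec.get("id"),
        "nickname": rec.get("cert_nickname") or rec.get("key_nickname"),
        "subject": rec.get("cert_subject"),
        "post_certsave_command": rec.get("post_certsave_command"),
        "not_after": None, "expired": None, "days_left": None,
    }
    if rec.get("cert_not_after"):
        not_after = parse_cm_time(rec["cert_not_after"])
        summary.update(not_after=not_after, expired=now >= not_after,
                       days_left=(not_after - now).days)
    return summary


def scan_requests(directory, now):
    """Run check_request over every file in a certmonger requests directory."""
    results = []
    for path in sorted(glob.glob(os.path.join(directory, "*"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results.append(check_request(fh.read(), now))
    return results


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    reqs_dir = "/var/lib/certmonger/requests"
    results = (scan_requests(reqs_dir, now) if os.path.isdir(reqs_dir)
               else [check_request(SAMPLE_REQUEST, now)])
    for r in results:
        if r["expired"] is None:
            state = "no cert yet"
        elif r["expired"]:
            state = "EXPIRED"
        else:
            state = f"{r['days_left']} days left"
        print(f"{r['id']}  {r['nickname']!s:<12} {state:<14} "
              f"post_certsave={r['post_certsave_command'] or '-'}")
```

Run as root on the affected master it walks the real requests directory; anywhere else it falls back to the constructed record, which (as in the thread) is long expired against a mid-2016 clock.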


Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-06-01 Thread Rob Crittenden

Günther J. Niederwimmer wrote:

> Hello,
>
> On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
>> Günther J. Niederwimmer wrote:
>>> Hello
>>> I found some help for the IPA certificate but I found no way to import the
>>> IPA CA?
>>> I would like to create a webserver with an owncloud virtualhost and others..
>>>
>>> But it is not possible for me to create the /etc/httpd/alias correctly?
>>>
>>> I found this in the IPA docs
>>>
>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>
>>> but with this command line I have an error: /etc/ipa/ca.crt has the wrong
>>> format?
>>>
>>> Does anyone have a link with a working example?
>>
>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
>> clients so the documentation is written from that perspective.
>
> Yes.
>
>> You can grab a copy from any enrolled system, including an IPA Master.
>> Otherwise the command looks ok assuming you were sitting in
>> /etc/httpd/alias when the command was executed (-d .).
>
> Yes ;-).
> but certutil says it is a wrong format for the certificate

$ mkdir /tmp/testdb && cd /tmp/testdb
$ certutil -N -d .
$ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
$ certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,,

I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You 
can use openssl for that:

$ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt

> Something is wrong on my system !!
>
> for me it is not possible to have a working webserver (apache) with mod_NSS
> on an enrolled ipa-client
>
> In the last tests apache says it is the wrong "passwd" for the DB and doesn't
> start?
>
> So now I start again with a new clean /etc/httpd/alias

Not knowing how you created the database or what your nss.conf looks 
like it's hard to say what is going on. If you set a NSS database 
password then you need to tell mod_nss about it.

Typically you'd set this in nss.conf:

NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"

and create /etc/httpd/conf/password.conf with contents like:

internal:SecretPassword123

Ensure that the file is owned by apache:apache and mode 0400.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
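
The "wrong format" complaint Rob is chasing usually comes down to encoding: with -a certutil -A expects a PEM (base64, BEGIN/END) certificate, without -a it expects raw DER. The following is an added example, not code from the thread or from NSS: it classifies a certificate file as PEM or DER, sanity-checks the DER framing (a truncated download or trailing garbage makes the declared SEQUENCE length disagree with the file size), converts between the two encodings, and builds the matching certutil command line with -a only when the input really is PEM. The DER sample in the test is a constructed well-formed SEQUENCE, not a real certificate; the nickname and paths are the ones used in the thread.

```python
import base64
import re
import shlex

# PEM armour: matching BEGIN/END labels around a base64 body (any line endings).
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n?-----END \1-----", re.S)
CERT_LABELS = {b"CERTIFICATE", b"TRUSTED CERTIFICATE", b"X509 CERTIFICATE"}


def der_outer_length(data):
    """Decode the header of the outer DER SEQUENCE; return (header_len,
    content_len), or None if the bytes do not start a DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form length
        return 2, first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def pem_to_der(data):
    """Strip the PEM armour and base64-decode the body (ValueError on junk)."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()), validate=True)


def der_to_pem(der, label=b"CERTIFICATE"):
    """Wrap DER bytes in PEM armour with 64-column base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + label + b"-----\n")


def classify_cert(data):
    """'pem' for a decodable PEM certificate block, 'der' for a DER SEQUENCE
    whose declared length matches the data, otherwise 'unknown' (truncated
    file, trailing garbage, a key instead of a cert, an HTML error page...)."""
    m = PEM_RE.search(data)
    if m and m.group(1) in CERT_LABELS:
        try:
            pem_to_der(data)
        except ValueError:
            return "unknown"
        return "pem"
    hdr = der_outer_length(data)
    if hdr and sum(hdr) == len(data):
        return "der"
    return "unknown"


def certutil_import_argv(path, data, nickname="EXAMPLE.COM IPA CA", dbdir="."):
    """argv for the certutil -A call from the thread: -a is passed only when
    the file really is PEM, since without it certutil expects raw DER."""
    kind = classify_cert(data)
    if kind == "unknown":
        raise ValueError(f"{path}: not a PEM or DER certificate")
    argv = ["certutil", "-A", "-d", dbdir, "-n", nickname,
            "-t", "CT,,", "-i", path]
    if kind == "pem":
        argv.append("-a")
    return argv


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ipa/ca.crt"
    with open(path, "rb") as fh:
        data = fh.read()
    print(f"{path}: {classify_cert(data)}")
    print(shlex.join(certutil_import_argv(path, data)))
```

Point it at the copy of /etc/ipa/ca.crt that certutil rejects; "unknown" means the file itself is damaged (compare it with a copy from another enrolled host), while "der" means the -a flag in the documented command is what is wrong for that copy.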


Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

2016-06-01 Thread Kay Zhou Y
Hi Rob,

1.  I have made snapshots for this system for test, so the NSS databases have been 
backed up.

2.  For the pki-cad service, I can't find it in my system, it shows there is no 
such service. 
but there is one failed service, as below:

root@ecnshlx3039-test2(SH):requests #systemctl status pki-cad@pki-ca.service
pki-cad@pki-ca.service - PKI Certificate Authority Server pki-ca
  Loaded: loaded (/lib/systemd/system/pki-cad@.service; enabled)
  Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 
+0200; 23min ago
 Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, 
status=1/FAILURE)
 Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, 
status=0/SUCCESS)
Main PID: 2593 (code=exited, status=0/SUCCESS)
  CGroup: name=systemd:/system/pki-cad@.service/pki-ca

Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: 
pam_unix(runuser-l:session): session opened for user pkius...d=0)
Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: 
pam_unix(runuser-l:session): session closed for user pkiuser
Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: 
pam_unix(runuser-l:session): session opened for user pkius...d=0)
Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: 
pam_unix(runuser-l:session): session closed for user pkiuser

I can't start it normally, even the log just said:
Jun  1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad@pki-ca.service: control 
process exited, code=exited status=1
Jun  1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad@pki-ca.service 
entered failed state.

I will google more to try to start it first.


3.  About the source of the output for getcert list:

root@ecnshlx3039-test2(SH):requests #ll
total 64
-rw-------. 1 root root 5698 Jun  1 06:06 20120704140859
-rw-------. 1 root root 5695 Jun  1 06:06 20120704140922
-rw-------. 1 root root 5654 Jun  1 06:06 20120704141150
-rw-------. 1 root root 5107 Jun  1 06:39 20140605220249
-rw-------. 1 root root 4982 Jun  1 06:39 20160601043748
-rw-------. 1 root root 5144 Jun  1 06:39 20160601043749
-rw-------. 1 root root 5186 Jun  1 06:39 20160601043750
-rw-------. 1 root root 5126 Jun  1 06:39 20160601043751
root@ecnshlx3039-test2(SH):requests #
root@ecnshlx3039-test2(SH):requests #grep post_certsave_command *
20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv 
DRUTT-COM
20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
root@ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
root@ecnshlx3039-test2(SH):requests #

there are just two statements.

And this is the detail info for ipaCert:
root@ecnshlx3039-test2(SH):requests #cat 20140605220249
id=20140605220249
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_storage_type=NSSDB
key_storage_location=/etc/httpd/alias
key_token=NSS Certificate DB
key_nickname=ipaCert
key_pin_file=/etc/httpd/alias/pwdfile.txt
key_pubkey=3082010A02820101009B12FED4488180E1141CCF9264B5718E8B6FE8F6B5B5001819D49F722342500142D1169B601CD427FB68B08AE8272C4FC50B1730B665A2DB1AF3D1A31C09B8DFBCCC183AD0E87AED4A0B66B5806A3FA6C0807C747C1BA0A2D6B5756F5FB55BC96FD3BFAD8EC61C48C987B1F6CC42418A1500DF309097C1B6BA73C116C2BFCA005A0EF879BC16773A9AD66B9A0EDD802AFF32023927C4B071B17FD5F9EA8D760B2FC1CBCDE2336A141F8D1EA861B182815B8690D6956AA7BC2F342D928C8768ECA9CF43482595494E138295D5C6EC0E13B70BD533091D2C5AAF09563E37C0F0907443BA3291B7F0A0E1ABB0443FE0DE319EBD86D4FB47F89E941C55D84026BB0D0203010001
cert_storage_type=NSSDB
cert_storage_location=/etc/httpd/alias
cert_token=NSS Certificate DB
cert_nickname=ipaCert
cert_issuer=CN=Certificate Authority,O=DRUTT.COM
cert_serial=07
cert_subject=CN=IPA RA,O=DRUTT.COM
cert_not_before=20120704140850
cert_not_after=20140624140850
cert_ku=
cert_eku=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
last_need_notify_check=20160601044851
last_need_enroll_check=20160601044851
template_subject=CN=IPA RA,O=DRUTT.COM
template_ku=
template_eku=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
 MIICxTCCAa0CAQAwJTESMBAGA1UEChMJRFJVVFQuQ09NMQ8wDQYDVQQDEwZJUEEg
 UkEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbEv7USIGA4RQcz5Jk
 tXGOi2/o9rW1ABgZ1J9yI0JQAULRFptgHNQn+2iwiugnLE/FCxcwtmWi2xrz0aMc
 CbjfvMwYOtDoeu1KC2a1gGo/psCAfHR8G6Ci1rV1b1+1W8lv07+tjsYcSMmHsfbM
 

Re: [Freeipa-users] dns location based discovery

2016-06-01 Thread Petr Spacek
On 31.5.2016 17:41, Winfried de Heiden wrote:
> Hi all,
> 
> I've been playing with this topic but one can implement service discovery. 
> Although it looks a bit dirty, you add _sites support to IPA by manually 
> creating a DNS zone, something like:
> 
> _tcp.locationX._sites.example.com
> and
> _tcp.locationY._sites.example.com
> 
> and put two SRV records, _ldap and _kerberos, in it.
> 
> Now, add "dns_discovery_domain = locationX._sites.example.com" or 
> "dns_discovery_domain = locationY._sites.example.com"
> 
> dns location based discovery is there...?

In principle yes, it should work just fine if you edit sssd.conf on all clients.

FreeIPA 4.4.0 will make maintenance of it simpler and will remove the
requirement to reconfigure SSSD on clients.

Petr^2 Spacek

> 
> Just curious!
> 
> Winny
> 
> On 30-05-16 at 18:39, Martin Basti wrote:
>>
>>
>>
>>
>> On 30.05.2016 18:16, Winfried de Heiden wrote:
>>> Hi all,
>>> Thanks for the quick answer even though I sent it to the wrong email 
>>> address.
>>> About "Please note that for AD users (which is IIRC the majority of your 
>>> environment), SSSD should
>>> already choose the right site." I noticed that, but I was curious about  
>>> the 
>>> IPA part as well
>>>
>>> Now, it looks like this is going to be an item for IPA 4.4 
>>> (http://www.freeipa.org/page/V4/DNS_Location_Mechanism/)
>>> Will it be?
>> Yes it will be there (unless something very very bad happens)
>>
>>>
>>> IPA 4.4 is announced "the end of May". When can we expect Freeipa 4.4, I'm 
>>> curious to test
>>
>> Soon :)
>>
>> Martin
>>>
>>> Kind regards,
>>>
>>> Winny
>>> On 30-05-16 at 17:54, Jakub Hrozek wrote:
>>>>
>>>> On Mon, May 30, 2016 at 05:22:33PM +0200, Sumit Bose wrote:
>>>>>
>>>>> On Mon, May 30, 2016 at 05:13:35PM +0200, Winfried de Heiden wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> The sssd-ipa man page will tell:
>>>>>>
>>>>>> ipa_enable_dns_sites (boolean)
>>>>>>     Enables DNS sites - location based service discovery.
>>>>>>
>>>>>>     If true and service discovery (see Service Discovery paragraph
>>>>>>     at the bottom of the man page) is enabled, then the SSSD will first
>>>>>>     attempt location based discovery using a query that contains
>>>>>>     "_location.hostname.example.com" and then fall back to traditional SRV
>>>>>>     discovery. If the location based discovery succeeds, the IPA
>>>>>>     servers located with the location based discovery are treated as primary
>>>>>>     servers and the IPA servers located using the traditional SRV
>>>>>>     discovery are used as back up servers
>>>>>>
>>>>>> After enabling it in an EL 6.8 IPA client (together with some debugging)
>>>>>> this will show up in the sssd logging:
>>>>>>
>>>>>> (Mon May 30 16:51:08 2016) [sssd[be[blabla.bla]]]
>>>>>> [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service
>>>>>> 'ldap'. Will use DNS discovery domain
>>>>>> '_location.ipa-client-6.blabla.bla'
>>>>>> (Mon May 30 16:51:08 2016) [sssd[be[blabla.bla]]] [resolv_getsrv_send]
>>>>>> (0x0100): Trying to resolve SRV record of
>>>>>> '_ldap._tcp._location.ipa-client-6.blabla.bla'
>>>>>>
>>>>>> Since this option is mentioned in the sssd-ipa man page, it suggests I could
>>>>>> implement this location based service discovery. But how? Any documentation
>>>>>> on this? How to implement on the server? How to implement a location on the
>>>>>> client (while running ipa-client-install)?
>>>>>>
>>>>>> Hope someone can help, it would be nice if a client will choose the correct
>>>>>> server based on its location...
>>>>>
>>>>> In this case SSSD was a bit faster than the server side. Please monitor
>>>>> https://fedorahosted.org/freeipa/ticket/2008 for the progress. There is a
>>>>> link to a design page with more details as well.
>>>>>
>>>>> HTH
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>> P.S. I changed the mailing-list address to @redhat.com.
>>>>
>>>> btw Winfried, I saw today the case you filed. Please note that for AD users
>>>> (which is IIRC the majority of your environment), SSSD should already choose
>>>> the right site. The RFE Sumit linked is 'just' about the IPA side of the
>>>> equation.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
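
Winfried's hand-made _sites zone plus a per-client dns_discovery_domain gives exactly the order the man-page excerpt describes: servers found under the location domain become primary, the domain-wide SRV records the backup set. The following is an added example, not code from SSSD or FreeIPA, that works that order through on a constructed in-memory SRV table standing in for DNS and an sssd.conf fragment in the shape the thread describes. All hosts, zones and the example.com domain in it are invented; the RFC 2782 ordering is simplified to be deterministic (a real resolver picks among equal-priority targets at random in proportion to weight).

```python
import configparser

# Constructed stand-in for DNS: name -> [(priority, weight, port, target), ...].
# Every host and zone here is invented for the example.
FAKE_DNS = {
    "_ldap._tcp.locationx._sites.example.com": [
        (0, 100, 389, "ipa1.locationx.example.com"),
        (10, 100, 389, "ipa2.locationx.example.com"),
    ],
    "_kerberos._udp.locationx._sites.example.com": [
        (0, 100, 88, "ipa1.locationx.example.com"),
        (10, 100, 88, "ipa2.locationx.example.com"),
    ],
    "_ldap._tcp.example.com": [
        (0, 50, 389, "ipa1.locationy.example.com"),
        (0, 50, 389, "ipa1.locationx.example.com"),
        (0, 50, 389, "ipa2.locationx.example.com"),
        (0, 50, 389, "ipa2.locationy.example.com"),
    ],
    "_kerberos._udp.example.com": [
        (0, 50, 88, "ipa1.locationy.example.com"),
        (0, 50, 88, "ipa1.locationx.example.com"),
        (0, 50, 88, "ipa2.locationx.example.com"),
        (0, 50, 88, "ipa2.locationy.example.com"),
    ],
}

# Constructed sssd.conf fragment of the shape described in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_server = _srv_
dns_discovery_domain = locationX._sites.example.com
"""


def srv_sorted(records):
    """RFC 2782 ordering: lowest priority first, higher weight first within a
    priority.  Ties are broken by target name so the result is stable; a real
    resolver randomises among equal-priority targets in proportion to weight."""
    ordered = sorted(records, key=lambda r: (r[0], -r[1], r[3]))
    return [(target, port) for _, _, port, target in ordered]


def discover(service, proto, domain, resolver, discovery_domain=None):
    """Return (primary, backup) lists of (host, port).  Servers found under
    the discovery domain are primary; the domain-wide SRV records are the
    backup set, minus hosts already listed as primary.  DNS names are
    case-insensitive, so lookups are lower-cased."""
    primary = []
    if discovery_domain:
        name = f"_{service}._{proto}.{discovery_domain}".lower()
        primary = srv_sorted(resolver.get(name, []))
    seen = {host for host, _ in primary}
    name = f"_{service}._{proto}.{domain}".lower()
    backup = [hp for hp in srv_sorted(resolver.get(name, [])) if hp[0] not in seen]
    return primary, backup


def discovery_domain_for(conf_text, domain):
    """Read dns_discovery_domain from the [domain/<name>] section of an
    sssd.conf; None means plain domain-wide SRV discovery."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get(f"domain/{domain}", "dns_discovery_domain", fallback=None)


def server_list(service, proto, domain, resolver, conf_text):
    """Flat failover order for one client: its location's servers, then the rest."""
    primary, backup = discover(service, proto, domain, resolver,
                               discovery_domain_for(conf_text, domain))
    return primary + backup


if __name__ == "__main__":
    for svc, proto in (("ldap", "tcp"), ("kerberos", "udp")):
        print(svc, server_list(svc, proto, "example.com", FAKE_DNS, SAMPLE_SSSD_CONF))
```

Removing dns_discovery_domain from the fragment shows the pre-4.4 behaviour the thread is comparing against: an empty primary set and all four servers in domain-wide order, with nothing steering the client towards its own location.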


Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-06-01 Thread Günther J. Niederwimmer
Hello,

On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
> > Hello
> > I found some help for the IPA certificate but I found no way to import the
> > IPA CA?
> > I would like to create a webserver with an owncloud virtualhost and others..
> > 
> > But it is not possible for me to create the /etc/httpd/alias correctly?
> > 
> > I found this in the IPA docs
> > 
> > certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
> > 
> > but with this command line I have an error: /etc/ipa/ca.crt has the wrong
> > format?
> > 
> > Does anyone have a link with a working example?
> 
> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
> clients so the documentation is written from that perspective.
Yes.
 
> You can grab a copy from any enrolled system, including an IPA Master.
> Otherwise the command looks ok assuming you were sitting in
> /etc/httpd/alias when the command was executed (-d .).

Yes ;-).
but certutil says it is a wrong format for the certificate

Something is wrong on my system !!

for me it is not possible to have a working webserver (apache) with mod_NSS 
on an enrolled ipa-client

In the last tests apache says it is the wrong "passwd" for the DB and doesn't 
start?

So now I start again with a new clean /etc/httpd/alias

:-(.
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project