Re: [Freeipa-users] DNS question on named.ca

2016-10-19 Thread Petr Spacek
On 19.10.2016 00:55, Sean Hogan wrote:
> 
> Hi all,
> 
> I have a DNS question on how/why my IPA DNS servers are trying to hit
> the root DNS internet servers.  My IPA servers are in private networks only
> serving DNS for the private domains they manage but recently the network
> team indicated they see my ipa IPs trying to hit the outside world.  After
> obtaining the logs I noticed they are trying to hit the internet root DNS
> servers.  I then tracked down named.ca on the IPAs which correlates to the
> IPs the network team is showing.  I then found named.conf references
> named.ca for hints.
> 
> This is where I imagine it is coming from in named.conf
> 
> zone "." IN {
>   type hint;
>   file "named.ca";
> };
> 
> Question is how can I stop my IPA DNS servers from trying to hit the
> internet root DNS servers?  

The answer depends on your environment.

If you are on an isolated network and *have your own DNS root domain*, you have
a couple of options:
a) specify only the IP addresses of your root servers in the named.ca file
(recommended)

b) use global forwarding with policy "only" to forward to some other DNS server
which is properly configured

c) add the root zone to IPA and configure *other* servers with root hints or
forwarders (just create zone named '.' and add appropriate delegations to
sub-zones as usual)


If your requirement is to have IPA DNS servers which do not reply to anything
except queries for the DNS zones they are authoritative for, set the
allow-recursion policy to "none;". In that case BIND will not run recursive
resolution and thus will not try to contact the root servers. It needs to be
set in /etc/named.conf; IPA does not support this setting.

Beware, the IPA installer may rewrite named.conf when you run ipa-dns-install
or similar. In that case just edit it again.

For all the gory details please see
https://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch06.html

I hope it helps.

Petr^2 Spacek


> I was thinking commenting out named.ca in
> named.conf but imagine bad things happening.
> I guess I could also make a new file for named.ca and reference it in
> named.conf...then scp it to the other ipas but no idea as to the syntax
> (giving it a shot at bottom of email) or if it can be empty.  Any help is
> appreciated.
> 
> 
> IPA clients resolv.conf are set for search domain and the nameserver IPs of
> the IPA servers.
> 
> Versions:
> ipa-server-3.0.0-50.el6.1.x86_64
> bind-9.8.2-0.47.rc1.el6.x86_64
> 
> Commands used for server install:
>  ipa-server-install --setup-dns
> 
> 
> 
> Attempt at correct syntax if I need a file with info in it, e.g. a file named
> fakenamed.ca.
> If my IPA servers are named DNS1  10.10.10.1/2001:7fd::1 and DNS2
> 10.10.10.2/2001:503:c27::2:30 would this work, or is it not even needed?
> 
> ; OPERATED BY ME
> ;
> .        360   NS     DNS1.
> DNS1.    360   A      10.10.10.1
> DNS1.    360   AAAA   2001:7fd::1
> ;
> ; OPERATED BY ME
> ;
> .        360   NS     DNS2.
> DNS2.    360   A      10.10.10.2
> DNS2.    360   AAAA   2001:503:c27::2:30
> 
> 
> 
> Sean Hogan

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
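As an added example (not from the thread, and not FreeIPA code), the options Petr lists in concrete form: a named.conf fragment for the allow-recursion case, a generator for a private named.ca in the syntax Sean was asking about, and a check that parses dig output to confirm the server no longer offers recursion. Host names and addresses are hypothetical; on IPA 3.0 the fragment has to be merged into /etc/named.conf by hand and re-applied if ipa-dns-install rewrites the file.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA code). Host names and
# addresses are hypothetical.

# named.conf fragment for an authoritative-only server: with
# allow-recursion { none; } BIND answers only for zones it serves and never
# walks the hints in named.ca, so the traffic to the root servers stops.
# "recursion no;" is the equivalent global switch; either one is enough.
# Merge this into the options block of /etc/named.conf by hand.
named_conf_no_recursion() {
    cat <<'EOF'
options {
    allow-recursion { none; };
    recursion no;
};
EOF
}

# Hints for one private root server: an NS record for "." plus A/AAAA glue
# (AAAA is the record type Sean's draft was missing for the IPv6 address).
# The 3600000 TTL follows the stock named.ca.
# Usage: root_hints_for FQDN. IPV4 [IPV6]
root_hints_for() {
    name=$1; v4=$2; v6=$3
    printf '.\t3600000\tNS\t%s\n' "$name"
    printf '%s\t3600000\tA\t%s\n' "$name" "$v4"
    if [ -n "$v6" ]; then
        printf '%s\t3600000\tAAAA\t%s\n' "$name" "$v6"
    fi
}

# A complete private named.ca (option a) for two hypothetical servers.
# Install it as the file named in 'zone "." { type hint; file "..."; };'.
private_root_hints() {
    printf '; private root hints: only servers we operate\n'
    root_hints_for dns1.example.internal. 10.10.10.1 fd00::1
    root_hints_for dns2.example.internal. 10.10.10.2 fd00::2
}

# Check: pipe the output of
#     dig @<ipa-server> www.example.com
# (a name the server is NOT authoritative for) into this function. With
# recursion off the header flags carry no 'ra' and the status is REFUSED.
# Returns 0 if recursion is disabled, 1 if 'ra' is present, 2 if no
# flags line was found in the input.
recursion_disabled() {
    flags=$(sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    [ -n "$flags" ] || return 2
    case " $flags " in
        *" ra "*) return 1 ;;
    esac
    return 0
}

# Constructed dig header as it looks once recursion is refused.
sample_refused_dig() {
    printf ';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242\n'
    printf ';; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n'
}
```

Run `named-checkconf` after editing the options block, restart named, and then confirm both halves of the change: `sample_refused_dig | recursion_disabled` shows what a passing answer looks like, and a real `dig @server www.example.com | recursion_disabled` against each IPA server should return 0 while the network team's logs go quiet. The hint file only matters if you keep recursion on and point it at your own root; with recursion off the stock named.ca is never consulted.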


Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Prashant Bapat
Some more info.

This is happening on one of the hosts for which the replica-info file was
generated but for some reason the replica installation failed. So I went
ahead and deleted and created the replica file again and this time the
installation went through fine. Should this cause logs like this?

These messages are seen every 5 mins.

On 18 October 2016 at 22:38, Prashant Bapat wrote:

> Hi,
>
> I'm seeing lots of error messages like this in the DS logs.
>
> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%
> 3Dnet) failed.
>
> We moved from 4.1.4 (FC21) to 4.2.0 (Centos7.2) recently. We have a total of 8
> IPA servers with replication. Below are the steps I followed.
>
> 1. Install a new Centos server.
> 2. Replicated against a Fedora server with CA.
> 3. Moved the DNA ranges.
> 4. From the Centos master created replicas.
>
> Is this related to the DS package version ? We have
> 389-ds-base-1.3.4.0-33.el7_2.x86_64.
>
> Thanks.
> --Prashant
>

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Ludwig Krispenz


On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:

We had one of our replicas fail today with the following errors:


[18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" 
(srv-m14-32:389) - Can't locate CSN 58065ef300010003 in the changelog (DB rc=-30988). 
If replication stops, the consumer may need to be reinitialized.
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - 
_cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7400050004) 
failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a 
deadlock))
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - 
_cl5WriteOperationTxn: failed to write entry with csn (58065f7400050004); 
db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: 
can't add a change for 
uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 
939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 
58065f7400050004
[18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin 
returned error but did not set SLAPI_RESULT_CODE
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to 
apply update (58065f7400050004) error (1).  Aborting replication 
session(conn=1314106 op=1688559)
[18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is 
NULL--updating cache just in case
[18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, 
which should be added before the CoS Definition.
[18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN 
(4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
[18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for 
changenumber=30856302,cn=changelog from entryrdn index (-30993)
[18/Oct/2016:13:43:20 -0400] - Operation error fetching 
changenumber=30856302,cn=changelog (null), error -30993.
[18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured while 
adding change number 30856302, dn = changenumber=30856302,cn=changelog: 
Operations error.
[18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation failure 
[1]
[18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed to 
apply update (58065f9f0060) error (1).  Aborting replication 
session(conn=1901274 op=5)
[18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 
BDB0062 Successful return: 0
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - 
_cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a0004) 
failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a 
deadlock))
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - 
_cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a0004); 
db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: 
can't add a change for 
uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 
4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 
58065f7c000a0004


ns-slapd was hung so we restarted and now it's stuck and won't come back up. It
hangs up here:

[18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, 
which should be added before the CoS Definition.
[18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - 
_cl5NewDBFile: PR_DeleteSemaphore: 
/var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema;
 NSPR error - -5943
[18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog program - 
_cl5NewDBFile: PR_DeleteSemaphore: 
/var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema;
 NSPR error - -5943


Tried deleting the semaphore files and restarting but no luck. Attached
is a stacktrace of the stuck ns-slapd process.

Here's the versions were running:

ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
389-ds-base-1.3.4.0-33.el7_2.x86_64

FWIW, we were experimenting with the new life-cycle management features,
specifically "preserved" users and deleted the user "janedoe" when this
happened.  From the errors above looks like this host failed to
replicate the change?  Not sure if this is related or not.

Is it possible to recover the database? Thanks in advance for any pointers.

From the stack trace the process is not hanging, it is trying to
recover. After a crash/kill the changelog does not contain a RUV and it
is reconstructed by reading all records in the changelog; if this is
large it can take some time.

If you look at that part of the stack repeatedly,

#4  0x7f4e88daeba5 in cl5DBData2Entry (data=, len=, entr

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Ludwig Krispenz


On 10/19/2016 09:39 AM, Prashant Bapat wrote:

Some more info.

This is happening on one of the hosts for which the replica-info file was 
generated but for some reason the replica installation failed. So I 
went ahead and deleted and created the replica file again and this 
time the installation went through fine. Should this cause logs like this?

You now have two replica IDs with the same URL; you need to do a clean-ruv,
as discussed frequently on this list.


These messages are seen every 5 mins.

On 18 October 2016 at 22:38, Prashant Bapat wrote:


Hi,

I'm seeing lots of error messages like this in the DS logs.

[18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
(nsslapd-referral,
ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
) failed.
[18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
(nsslapd-referral,
ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
) failed.
[18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
(nsslapd-referral,
ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
(nsslapd-referral,
ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
(nsslapd-referral,
ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
(nsslapd-referral,
ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
(nsslapd-referral,
ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
(nsslapd-referral,
ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
) failed.
[18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
(nsslapd-referral,
ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
) failed.

We moved from 4.1.4 (FC21) to 4.2.0 (Centos7.2) recently. We have a
total of 8 IPA servers with replication. Below are the steps I followed.

1. Install a new Centos server.
2. Replicated against a Fedora server with CA.
3. Moved the DNA ranges.
4. From the Centos master created replicas.

Is this related to the DS package version ? We
have 389-ds-base-1.3.4.0-33.el7_2.x86_64.

Thanks.
--Prashant






--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander


Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Petr Spacek
On 19.10.2016 10:14, Ludwig Krispenz wrote:
> 
> On 10/19/2016 09:39 AM, Prashant Bapat wrote:
>> Some more info.
>>
>> This is happening on one of the hosts for which replica-info file was
>> generated but for some reason the replica installation failed. So I went
>> ahead and deleted and created the replica file again and this time
>> installation went thru fine. Should this cause logs like this ?
> You now have two replica IDs with the same URL; you need to do a clean-ruv, as
> discussed frequently on this list.

For reference, it is described here:
http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records

Petr^2 Spacek

>>
>> These messages are seen every 5 mins.
>>
>> On 18 October 2016 at 22:38, Prashant Bapat wrote:
>>
>> Hi,
>>
>> I'm seeing lots of error messages like this in the DS logs.
>>
>> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
>> (nsslapd-referral,
>> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
>> ) failed.
>> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
>> (nsslapd-referral,
>> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
>> ) failed.
>> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
>> (nsslapd-referral,
>> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
>> ) failed.
>> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
>> (nsslapd-referral,
>> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
>> ) failed.
>> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
>> (nsslapd-referral,
>> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
>> ) failed.
>> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
>> (nsslapd-referral,
>> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
>> ) failed.
>> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
>> (nsslapd-referral,
>> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
>> ) failed.
>> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
>> (nsslapd-referral,
>> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
>> ) failed.
>> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
>> (nsslapd-referral,
>> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
>> ) failed.
>>
>> We moved from 4.1.4 (FC21) to 4.2.0 (Centos7.2) recently. We have a
>> total of 8 IPA servers with replication. Below are the steps I followed.
>>
>> 1. Install a new Centos server.
>> 2. Replicated against a Fedora server with CA.
>> 3. Moved the DNA ranges.
>> 4. From the Centos master created replicas.
>>
>> Is this related to the DS package version ? We
>> have 389-ds-base-1.3.4.0-33.el7_2.x86_64.
>>
>> Thanks.
>> --Prashant
>>
>>
>>
>>
> 
> 
> 


-- 
Petr^2 Spacek



Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Prashant Bapat
Thanks. This error did not include ipaca, which is discussed a lot on
this list, so I was not sure.

There was indeed a dangling reference to an old replica. Removed now.
ipa-replica-manage clean-ruv did the trick.

On 19 October 2016 at 14:14, Petr Spacek wrote:

> On 19.10.2016 10:14, Ludwig Krispenz wrote:
> >
> > On 10/19/2016 09:39 AM, Prashant Bapat wrote:
> >> Some more info.
> >>
> >> This is happening on one of the hosts for which replica-info file was
> >> generated but for some reason the replica installation failed. So I went
> >> ahead and deleted and created the replica file again and this time
> >> installation went thru fine. Should this cause logs like this ?
> > You now have two replica IDs with the same URL; you need to do a clean-ruv,
> > as discussed frequently on this list.
>
> For reference, it is described here:
> http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records
>
> Petr^2 Spacek
>
> >>
> >> These messages are seen every 5 mins.
> >>
> >> On 18 October 2016 at 22:38, Prashant Bapat wrote:
> >>
> >> Hi,
> >>
> >> I'm seeing lots of error messages like this in the DS logs.
> >>
> >> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> )
> failed.
> >> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> )
> failed.
> >> [18/Oct/2016:17:00:37 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> )
> failed.
> >> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> )
> failed.
> >> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> )
> failed.
> >> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> )
> failed.
> >> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> )
> failed.
> >> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> )
> failed.
> >> [18/Oct/2016:17:00:46 +] attrlist_replace - attr_replace
> >> (nsslapd-referral,
> >> ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet
> >> )
> failed.
> >>
> >> We moved from 4.1.4 (FC21) to 4.2.0 (Centos7.2) recently. We have
> >> a total of 8 IPA servers with replication. Below are the steps I
> >> followed.
> >>
> >> 1. Install a new Centos server.
> >> 2. Replicated against a Fedora server with CA.
> >> 3. Moved the DNA ranges.
> >> 4. From the Centos master created replicas.
> >>
> >> Is this related to the DS package version ? We
> >> have 389-ds-base-1.3.4.0-33.el7_2.x86_64.
> >>
> >> Thanks.
> >> --Prashant
> >>
> >>
> >>
> >>
> >
> >
> >
>
>
> --
> Petr^2 Spacek
>
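An added example, not from the thread and not FreeIPA code: a shell filter that compares the output of `ipa-replica-manage list-ruv` against `ipa-replica-manage list` and flags the RUV entries that are candidates for clean-ruv, i.e. a host that is no longer a master, or a live host that carries two replica IDs as in Prashant's case. It assumes the line formats `host:389: ID` for RUV entries and `host: master` for the masters list (section headers are skipped); the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA code).
#
# Usage:
#   ipa-replica-manage list > masters.txt
#   ipa-replica-manage list-ruv | obsolete_ruvs masters.txt
#
# Assumed formats: "host: master" in the masters file and "host:389: ID"
# for RUV entries (section headers such as "Replica Update Vectors:" are
# skipped). Prints one line per finding:
#   HOST ID not-a-master        host is no longer in the masters list
#   HOST ID ID duplicate-ids    a live host appears with two replica IDs
obsolete_ruvs() {
    masters=$1
    awk -v masters="$masters" '
    BEGIN {
        # Hosts that are still masters; everything else in the RUV is stale.
        while ((getline line < masters) > 0) {
            if (line ~ /^[^: \t]+: *master/) {
                sub(/:.*/, "", line); live[line] = 1
            }
        }
        close(masters)
    }
    $0 ~ /^[ \t]*[^: \t]+:[0-9]+: +[0-9]+[ \t]*$/ {
        line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
        host = line; sub(/:[0-9]+: +[0-9]+$/, "", host)
        id = line;   sub(/^.*: +/, "", id)
        count[host]++
        ids[host] = ids[host] " " id
        if (!(host in live)) printf "%s %s not-a-master\n", host, id
    }
    END {
        # A live host with two IDs is the "two replicaids with the same
        # url" case: one ID is the current one, the other must be cleaned.
        for (h in count)
            if (count[h] > 1 && (h in live))
                printf "%s%s duplicate-ids\n", h, ids[h]
    }'
}

# Constructed sample data in the assumed formats.
sample_masters() {
    printf 'ipa-primary.example.net: master\n'
    printf 'ipa-replica1.example.net: master\n'
}
sample_list_ruv() {
    printf 'Replica Update Vectors:\n'
    printf '  ipa-primary.example.net:389: 4\n'
    printf '  ipa-replica1.example.net:389: 5\n'
    printf '  ipa-replica1.example.net:389: 9\n'
    printf '  ipa-old.example.net:389: 7\n'
}
```

For a not-a-master finding, `ipa-replica-manage clean-ruv ID` is the fix. For a duplicate-ids finding, first read the replica's own nsDS5ReplicaId from `cn=replica,cn=<suffix>,cn=mapping tree,cn=config` on that host so you clean the stale ID and not the live one; cleaning the live ID breaks replication for that server. Repeat the check after the task has finished, because CLEANALLRUV runs asynchronously.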

[Freeipa-users] Promote CA-less replica

2016-10-19 Thread James Harrison
Hi,

We're using FreeIPA on Ubuntu Xenial. We lost the Master server.

I have some questions:
1. Does DNS replicate among the other replicas if we change/add DNS records?
If not, can this behaviour be changed?
2. How do we promote a replica to become a master? We have not configured our
servers to become a CA. Our CA is Comodo and we have configured FreeIPA to use
a certificate, key and interim certificates from Comodo, using the options:
--http_pkcs12=
--http_pin=
--dirsrv_pkcs12=...
--dirsrv_pin=

Hope someone can help. Quite urgent.
Regards,
James Harrison

[Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch

2016-10-19 Thread David Dejaeghere
Hello,

When installing FreeIPA we used the CA from our Windows servers.
This one recently expired and we created a new one.  It seems that the new
root CA has another subject name and this seems to be an issue when we want
to install new certs on our FreeIPA hosts.

ipa-cacert-manage install certnew.pem -n mycert -t C,,

Installing CA certificate, please wait
Failed to install the certificate: subject public key info mismatch

After validating the subjects are indeed different.

How can we replace the required certs for dirsrv and http when the ca is
not installable?

Kind Regards,

David

Re: [Freeipa-users] Promote CA-less replica

2016-10-19 Thread Martin Babinsky

On 10/19/2016 11:35 AM, James Harrison wrote:

Hi James,


Hi,
We're using FreeIPA on Ubuntu Xenial. We lost the Master server.

I have some questions:
1. Does DNS replicate among the other replicas if we change/add DNS records?
If not, can this behaviour be changed?

IPA-integrated DNS stores records in the replicated LDAP subtree, so any 
added/removed DNS record will replicate to the other IPA DNS servers.



2. How do we promote a replica to become a master? We have not
configured our servers to become a CA. Our CA is Comodo and we have
configured FreeIPA to use a certificate, key and interim certificates
from Comodo. using the options:

--http_pkcs12=
--http_pin=
--dirsrv_pkcs12=...
--dirsrv_pin=

Hope someone can help. Quite urgent.

The terms FreeIPA master/replica are quite arbitrary, as all replicas are 
equal peers and can be considered masters. The only notion of 'master' 
is when you use a Dogtag CA (then one of the CA replicas is designated the 
renewal master and renews certificates in the topology, and one is the 
CRL master generating certificate revocation lists) and/or DNSSEC (then 
one of the DNS replicas is designated the key master generating zone signing 
keys, and the other DNS replicas pull these keys).


As you are using CA-less replicas, there should be no loss from the 
fact that the one designated 'master' is down (unless it was e.g. the 
only DNS server). As long as the others have valid CA and server certs 
they should be working just fine.


You can just install a new replica in place of the master by generating 
a replica file on another replica and supplying the required certificates 
through options.



Regards,
James Harrison





--
Martin^3 Babinsky



Re: [Freeipa-users] Unable to resolve AD users from IPA

2016-10-19 Thread Jan Karásek
Hi, 

thank you for help. 

This is my sssd.conf from server : 

[domain/vs.example.cz] 
debug_level = 7 
cache_credentials = True 
krb5_store_password_if_offline = True 
ipa_domain = vs.example.cz 
id_provider = ipa 
auth_provider = ipa 
access_provider = ipa 
ipa_hostname = tidmipa02.vs.example.cz 
chpass_provider = ipa 
ipa_server = tidmipa02.vs.example.cz 
ipa_server_mode = True 
ldap_tls_cacert = /etc/ipa/ca.crt 
[sssd] 
services = nss, sudo, pam, ssh 
config_file_version = 2 

domains = vs.example.cz 
[nss] 
debug_level = 7 
memcache_timeout = 600 
homedir_substring = /home 

[pam] 
debug_level = 7 
[sudo] 
debug_level = 7 
[autofs] 
debug_level = 7 
[ssh] 
debug_level = 7 
[pac] 
debug_level = 7 
[ifp] 
debug_level = 7 


I can resolve all groups from client : 

SERVER: id tst99...@cen.example.cz 
uid=20019(tst99...@cen.example.cz) gid=5001(csunix) 
groups=5001(csunix),93008(final_test_group) 

CLIENT: 
getent group 5001 
csunix:x:5001: 

getent group 93008 
final_test_group:*:93008: 

getent group final_test_gr...@vs.example.cz 
final_test_group:*:93008: 

getent group csu...@cen.example.cz 
No reply - can't resolve that group from client. 


More detailed log from client: 
==> sssd_vs.example.cz.log <== 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_dispatch] (0x4000): 
dbus conn: 0x7f9e77a81430 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_dispatch] (0x4000): 
Dispatching. 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_message_handler] 
(0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo 
on path /org/freedesktop/sssd/dataprovider 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_get_sender_id_send] 
(0x2000): Not a sysbus message, quit 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] 
(0x0200): Got request for [0x1001][1][name=tst99654] 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] 
(0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz] 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_connect_step] 
(0x4000): reusing cached connection 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_connect_step] 
(0x4000): reusing cached connection 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] 
[ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view 
[Default Trust View] with filter 
[(&(objectClass=ipaUserOverride)(uid=tst99654))]. 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_print_server] 
(0x2000): Searching 10.88.14.63 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] 
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
[(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust 
View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz]. 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] 
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 20 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_add] (0x2000): 
New operation 20 timeout 60 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] 
(0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a92e60], 
ldap[0x7f9e77a60bd0] 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_message] 
(0x4000): Message type: [LDAP_RES_SEARCH_RESULT] 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] 
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg 
set 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_destructor] 
(0x2000): Operation 20 finished 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_get_ad_override_done] 
(0x4000): No override found with filter 
[(&(objectClass=ipaUserOverride)(uid=tst99654))]. 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_destroy] 
(0x4000): releasing operation connection 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_connect_step] 
(0x4000): reusing cached connection 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] 
(0x0400): Executing extended operation 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] 
(0x2000): ldap_extended_operation sent, msgid = 21 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_add] (0x2000): 
New operation 21 timeout 6 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] 
(0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a75b80], 
ldap[0x7f9e77a60bd0] 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] 
(0x2000): Trace: ldap_result found nothing! 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] 
(0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a75b80], 
ldap[0x7f9e77a60bd0] 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_message] 
(0x4000): Message type: [LDAP_RES_EXTENDED] 
(Wed Oct 19 10:16:58 2016) [sssd[

Re: [Freeipa-users] Unable to resolve AD users from IPA

2016-10-19 Thread Sumit Bose
On Wed, Oct 19, 2016 at 12:08:01PM +0200, Jan Karásek wrote:
> Hi, 
> 
> thank you for help. 
> 
> This is my sssd.conf from server : 
> 
> [domain/vs.example.cz] 
> debug_level = 7 
> cache_credentials = True 
> krb5_store_password_if_offline = True 
> ipa_domain = vs.example.cz 
> id_provider = ipa 
> auth_provider = ipa 
> access_provider = ipa 
> ipa_hostname = tidmipa02.vs.example.cz 
> chpass_provider = ipa 
> ipa_server = tidmipa02.vs.example.cz 
> ipa_server_mode = True 
> ldap_tls_cacert = /etc/ipa/ca.crt 
> [sssd] 
> services = nss, sudo, pam, ssh 
> config_file_version = 2 
> 
> domains = vs.example.cz 
> [nss] 
> debug_level = 7 
> memcache_timeout = 600 
> homedir_substring = /home 
> 
> [pam] 
> debug_level = 7 
> [sudo] 
> debug_level = 7 
> [autofs] 
> debug_level = 7 
> [ssh] 
> debug_level = 7 
> [pac] 
> debug_level = 7 
> [ifp] 
> debug_level = 7 
> 
> 
> I can resolve all groups from client : 
> 
> SERVER: id tst99...@cen.example.cz 
> uid=20019(tst99...@cen.example.cz) gid=5001(csunix) 
> groups=5001(csunix),93008(final_test_group) 
> 
> CLIENT: 
> getent group 5001 
> csunix:x:5001: 
> 
> getent group 93008 
> final_test_group:*:93008: 
> 
> getent group final_test_gr...@vs.example.cz 
> final_test_group:*:93008: 
> 
> getent group csu...@cen.example.cz 
> No reply - can't resolve that group from client. 
> 
> 
...

> 
> Also I find out that in AD there are multiple objects with gidNumber=5001 

This might be the issue: each gidNumber (and each uidNumber as well)
should be unique in the whole environment. Please check with the AD
administrators why it was done this way and if it can be changed.

HTH

bye,
Sumit

> 
> ldapsearch  \
>   '(&(gidNumber=5001)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))' \
>   > /tmp/csunix_dump 
> cat /tmp/csunix_dump 
> dn: CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_0 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_1,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_1 
>  
> gidNumber: 5001 
> 
> dn: CN=csunix_2,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_2 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_3,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_3 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_4,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_4 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_5,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_5 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix 
> ... 
> gidNumber: 5001 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Promote CA-less replica

2016-10-19 Thread James Harrison
Hi,
Martin thanks for your quick response. Based on your comments. I have further 
questions.

>> equal peers and can be considered masters
1. Is there any urgency for us to recreate a "master" server to perform any 
"master" type functions? How do we re-attach "replicas" to this new "master"?

>> As long as the others have valid CA and server certs
2. This is the install script we are using on the "replicas"

ipa-replica-install \
    --setup-dns --ssh-trust-dns --no-dnssec-validation \
    -p x \
    --admin-password=xxx \
    --ip-address=replica_ip   \
    --no-forwarders \
    -U --mkhomedir --log-file=freeipa_log_file $1

3. The $1 is the cert generated from the "master".  If there's no distinction 
between a "master" and a "replica" in a CA-less environment, can a "replica" 
run the ipa-replica-prepare script once ipa-replica-install has been 
successfully run?
Thank you for any help.
Best regards,
James Harrison

From: Martin Babinsky
To: freeipa-users@redhat.com
Sent: Wednesday, 19 October 2016, 11:01
Subject: Re: [Freeipa-users] Promote CA-less replica

On 10/19/2016 11:35 AM, James Harrison wrote:

Hi James,

> Hi,
> We're using FreeIPA on Ubuntu Xenial. We lost the Master server.
>
> I have some questions:
> 1. Do DNS replicate among other replicas if we change/add DNS records?
> If not can this behaviour be changed?
IPA-integrated DNS stores records in the replicated LDAP subtree so any 
added/removed DNS record will replicate to other IPA DNS servers.

> 2. How do we promote a replica to become a master? We have not
> configured our servers to become a CA. Our CA is Comodo and we have
> configured FreeIPA to use a certificate, key and interim certificates
> from Comodo. using the options:
>
> --http_pkcs12=
> --http_pin=
> --dirsrv_pkcs12=...
> --dirsrv_pin=
>
> Hope someone can help. Quite urgent.
>
The terms FreeIPA master/replica are quite arbitrary as all replicas are 
equal peers and can be considered masters. The only notion of 'master' 
is when you use a Dogtag CA (then one of the CA replicas is designated a 
renewal master and does renew certificates in the topology and one is 
CRL master generating certificate revocation lists) and/or DNSSec (then 
one of DNS replica is designated a key master generating zone signing 
keys and other DNS replicas pull these keys).

As you are using CA-less replicas then there should be no loss in the 
fact that the one designated 'master' is down (unless it was e.g. the 
only DNS server). As long as the others have valid CA and server certs 
they should be working just fine.


You can just install a new replica in place of the master by generating 
a replica file on another replica and supplying the required certificates 
through options.

> Regards,
> James Harrison
>
>


-- 
Martin^3 Babinsky


Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Bertrand Rétif
> From: "Martin Babinsky"
> To: freeipa-users@redhat.com
> Sent: Wednesday 19 October 2016 08:45:49
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > Hello,
> >
> > I had an issue with pki-tomcat.
> > I had several certificates that were expired and pki-tomcat did not start
> > anymore.
> >
> > I set the date on the server before certificate expiration and then
> > pki-tomcat starts properly.
> > Then I try to resubmit the certificate, but I get the error below:
> > "Profile caServerCert Not Found"
> >
> > Do you have any idea how I could fix this issue.
> >
> > Please find below output of commands:
> >
> >
> > # getcert resubmit -i 20160108170324
> >
> > # getcert list -i 20160108170324
> > Number of certificates and requests being tracked: 7.
> > Request ID '20160108170324':
> > status: MONITORING
> > ca-error: Server at
> > "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit"; replied:
> > Profile caServerCert Not Found
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB'
> > CA: dogtag-ipa-ca-renew-agent
> > issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > subject: CN=IPA RA,O=A.SKINFRA.EU
> > expires: 2016-06-28 15:25:11 UTC
> > key usage:
> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > track: yes
> > auto-renew: yes
> >
> >
> > Thanks in advance for your help.
> > Bertrand
> >
> >
> >
> >

> Hi Bertrand,

> what version of FreeIPA and Dogtag are you running?

> Also perform the following search on the IPA master and post the result:

> """
> ldapsearch -D "cn=Directory Manager" -W -b
> 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> """

Hi Martin, 

Thanks for your reply. 

Here is the version:
- FreeIPA 4.2.0
- CentOS 7.2

I have been able to fix the issue with "Profile caServerCert Not Found" by
editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
I replaced the entry below
"subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
by
"subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"

and then launched the "ipa-server-upgrade" command.
I found this solution in this post:
http://osdir.com/ml/freeipa-users/2016-03/msg00280.html

Then I was able to renew my certificate.

However, I rebooted my server too and pki-tomcat does not start and gives a
new error in /var/log/pki/pki-tomcat/ca/debug

[19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
[19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification

java.lang.Exception: SystemCertsVerification: system certs verification failure
at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
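
Bertrand's trouble began with certificates that expired while certmonger was tracking them. As an added example (not certmonger's or FreeIPA's own code), the script below parses `getcert list` output like the one quoted above and flags every tracked request that has expired, expires within a warning window, carries a ca-error, or has left the MONITORING state. The sample output embedded in the block is constructed: its first request reproduces the IPA RA certificate from the thread, wrapped the way the mail client wrapped it; the second request (request id 20160108170325, the slapd-EXAMPLE-TEST NSS database, the example.test domain) is invented.

```python
"""Flag certmonger-tracked certificates that need attention.

Added example for this thread (not certmonger or FreeIPA code): it parses the
text of `getcert list` and reports requests whose certificate has expired or
expires soon, that carry a ca-error, or that are not in MONITORING state.
"""
import re
from datetime import datetime, timedelta, timezone

REQUEST_RE = re.compile(r"^\s*Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*)$")

# Reference time for the sample: the day of the thread.
THREAD_DATE = datetime(2016, 10, 19, 11, 0, tzinfo=timezone.utc)

# Constructed sample. The first request reproduces the IPA RA certificate from
# the thread, wrapped as the mail client wrapped it; the second request (id,
# NSS db path, domain) is made up and tab-indented as getcert itself prints.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20160108170324':
status: MONITORING
ca-error: Server at
"http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
Profile caServerCert Not Found
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=A.SKINFRA.EU
subject: CN=IPA RA,O=A.SKINFRA.EU
expires: 2016-06-28 15:25:11 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
track: yes
auto-renew: yes
Request ID '20160108170325':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-11-05 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output. A line
    that is not 'field: value' is treated as the continuation of the previous
    field, which absorbs the kind of wrapping seen in the thread above."""
    requests, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            last_key = None
            continue
        if current is None:
            continue  # the "Number of certificates ..." header line
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2)
        elif last_key is not None:
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return requests


def parse_expiry(value):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    naive = datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def certs_needing_attention(text, now, warn_days=30):
    """{request_id: [reasons]} for every request that is expired, expires within
    warn_days, reports a ca-error, or is not in MONITORING state."""
    findings = {}
    for rid, fields in parse_getcert_list(text).items():
        reasons = []
        if fields.get("status") != "MONITORING":
            reasons.append("status " + str(fields.get("status")))
        if "ca-error" in fields:
            reasons.append("ca-error: " + fields["ca-error"])
        if "expires" in fields:
            left = parse_expiry(fields["expires"]) - now
            if left <= timedelta(0):
                reasons.append("expired " + fields["expires"])
            elif left <= timedelta(days=warn_days):
                reasons.append(f"expires in {left.days} days")
        if reasons:
            findings[rid] = reasons
    return findings


if __name__ == "__main__":
    for rid, reasons in certs_needing_attention(SAMPLE_GETCERT_OUTPUT, THREAD_DATE).items():
        print(rid, "->", "; ".join(reasons))
```

On a live server feed it the real output, e.g. `certs_needing_attention(subprocess.check_output(["getcert", "list"], text=True), datetime.now(timezone.utc))`, and run it from cron well inside the renewal window: a ca-error such as the "Profile caServerCert Not Found" above is worth an alert on its own, because certmonger will keep retrying silently until the certificate lapses.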

Re: [Freeipa-users] Promote CA-less replica

2016-10-19 Thread Rob Crittenden

James Harrison wrote:

> Hi,
> Martin thanks for your quick response. Based on your comments. I have
> further questions.
>
> >> equal peers and can be considered masters
>
> 1. Is there any urgency for us to recreate a "master" server to perform
> any "master" type functions? How do we re-attach "replicas" to this new
> "master"?

Like he said, all IPA servers are equal (some are just more equal than 
others). If you truly have a CA-less system then the only thing that 
distinguishes one master from another is the presence of the DNS 
service. From below it looks like you install DNS on all which makes 
them all masters.


You can manage the replication topology using ipa-replica-manage.



> >> As long as the others have valid CA and server certs
> 2. This is the install script we are using on the "replicas"
>
> ipa-replica-install \
>  --setup-dns --ssh-trust-dns --no-dnssec-validation \
>  -p x \
>  --admin-password=xxx \
>  --ip-address=replica_ip   \
>  --no-forwarders \
>  -U --mkhomedir --log-file=freeipa_log_file $1
>
> 3. The $1 is the cert generated from the "master".  If there's no
> distinction between a "master" and a "replica" in a CA-less environment,
> can a "replica" run the ipa-replica-prepare script once
> ipa-replica-install has been successfully run?


I think you mean $1 is the replica file generated from some master. 
Seeing how you generate that would tell us whether you are truly in a 
CA-less environment or not (e.g. you'd need to pass in PKCS#12 files to 
ipa-replica-prepare).


To answer your question, yes. In a CA-less environment any master can 
generate a prepare file.


You can add/remove connections using ipa-replica-manage. The initial 
connection is between the master that generated the prepare file and the 
host it was installed on.


rob



> Thank you for any help.
> Best regards,
> James Harrison
>
>
> *From:* Martin Babinsky
> *To:* freeipa-users@redhat.com
> *Sent:* Wednesday, 19 October 2016, 11:01
> *Subject:* Re: [Freeipa-users] Promote CA-less replica
>
> On 10/19/2016 11:35 AM, James Harrison wrote:
>
> Hi James,
>
> > Hi,
> > We're using FreeIPA on Ubuntu Xenial. We lost the Master server.
> >
> > I have some questions:
> > 1. Do DNS replicate among other replicas if we change/add DNS records?
> > If not can this behaviour be changed?
> IPA-integrated DNS stores records in the replicated LDAP subtree so any
> added/removed DNS record will replicate to other IPA DNS servers.
>
> > 2. How do we promote a replica to become a master? We have not
> > configured our servers to become a CA. Our CA is Comodo and we have
> > configured FreeIPA to use a certificate, key and interim certificates
> > from Comodo. using the options:
> >
> > --http_pkcs12=
> > --http_pin=
> > --dirsrv_pkcs12=...
> > --dirsrv_pin=
> >
> > Hope someone can help. Quite urgent.
> >
> The terms FreeIPA master/replica are quite arbitrary as all replicas are
> equal peers and can be considered masters. The only notion of 'master'
> is when you use a Dogtag CA (then one of the CA replicas is designated a
> renewal master and does renew certificates in the topology and one is
> CRL master generating certificate revocation lists) and/or DNSSec (then
> one of DNS replica is designated a key master generating zone signing
> keys and other DNS replicas pull these keys).
>
> As you are using CA-less replicas then there should be no loss in the
> fact that the one designated 'master' is down (unless it was e.g. the
> only DNS server). As long as the others have valid CA and server certs
> they should be working just fine.
>
> You can just install a new replica in place of the master by generating
> a replica file on another replica and supplying the required certificates
> through options.
>
> > Regards,
> > James Harrison
> >
> >
>
> --
> Martin^3 Babinsky


Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Rob Crittenden

Bertrand Rétif wrote:

> > From: "Martin Babinsky"
> > To: freeipa-users@redhat.com
> > Sent: Wednesday 19 October 2016 08:45:49
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
>
> > On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > > Hello,
> > >
> > > I had an issue with pki-tomcat.
> > > I had several certificates that were expired and pki-tomcat did not start
> > > anymore.
> > >
> > > I set the date on the server before certificate expiration and then
> > > pki-tomcat starts properly.
> > > Then I try to resubmit the certificate, but I get the error below:
> > > "Profile caServerCert Not Found"
> > >
> > > Do you have any idea how I could fix this issue.
> > >
> > > Please find below output of commands:
> > >
> > > # getcert resubmit -i 20160108170324
> > >
> > > # getcert list -i 20160108170324
> > > Number of certificates and requests being tracked: 7.
> > > Request ID '20160108170324':
> > > status: MONITORING
> > > ca-error: Server at
> > > "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit"; replied:
> > > Profile caServerCert Not Found
> > > stuck: no
> > > key pair storage:
> > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate:
> > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > > Certificate DB'
> > > CA: dogtag-ipa-ca-renew-agent
> > > issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > > subject: CN=IPA RA,O=A.SKINFRA.EU
> > > expires: 2016-06-28 15:25:11 UTC
> > > key usage:
> > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > > track: yes
> > > auto-renew: yes
> > >
> > > Thanks in advance for your help.
> > > Bertrand
>
> > Hi Bertrand,
> >
> > what version of FreeIPA and Dogtag are you running?
> >
> > Also perform the following search on the IPA master and post the result:
> >
> > """
> > ldapsearch -D "cn=Directory Manager" -W -b
> > 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> > """
>
> Hi Martin,
>
> Thanks for your reply.
>
> Here is the version:
> - FreeIPA 4.2.0
> - CentOS 7.2
>
> I have been able to fix the issue with "Profile caServerCert Not Found" by
> editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
> I replaced the entry below
> "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> by
> "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
>
> and then launched the "ipa-server-upgrade" command.
> I found this solution in this post:
> http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
>
> Then I was able to renew my certificate.
>
> However, I rebooted my server too and pki-tomcat does not start and gives a
> new error in /var/log/pki/pki-tomcat/ca/debug
>
> [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
>
> java.lang.Exception: SystemCertsVerification: system certs verification failure
> at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
> at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
> at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
> at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
> at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
> at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
> at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
> at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
> at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
> at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
> at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
> at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
> at org.apache.catalina.util.LifecycleBase.start(

Re: [Freeipa-users] Unable to resolve AD users from IPA

2016-10-19 Thread Jan Karásek
Ok thank you. Wonder why it's a problem only on clients - IPA servers are quite 
ok with that. 

Jan 



-- 

Message: 1 
Date: Wed, 19 Oct 2016 12:28:31 +0200 
From: Sumit Bose  
To: freeipa-users@redhat.com 
Subject: Re: [Freeipa-users] Unable to resolve AD users from IPA 
Message-ID: 
<20161019102831.GC9339@p.Speedport_W_724V_Typ_A_05011603_00_009> 
Content-Type: text/plain; charset=iso-8859-1 

On Wed, Oct 19, 2016 at 12:08:01PM +0200, Jan Karásek wrote: 
> Hi, 
> 
> thank you for help. 
> 
> This is my sssd.conf from server : 
> 
> [domain/vs.example.cz] 
> debug_level = 7 
> cache_credentials = True 
> krb5_store_password_if_offline = True 
> ipa_domain = vs.example.cz 
> id_provider = ipa 
> auth_provider = ipa 
> access_provider = ipa 
> ipa_hostname = tidmipa02.vs.example.cz 
> chpass_provider = ipa 
> ipa_server = tidmipa02.vs.example.cz 
> ipa_server_mode = True 
> ldap_tls_cacert = /etc/ipa/ca.crt 
> [sssd] 
> services = nss, sudo, pam, ssh 
> config_file_version = 2 
> 
> domains = vs.example.cz 
> [nss] 
> debug_level = 7 
> memcache_timeout = 600 
> homedir_substring = /home 
> 
> [pam] 
> debug_level = 7 
> [sudo] 
> debug_level = 7 
> [autofs] 
> debug_level = 7 
> [ssh] 
> debug_level = 7 
> [pac] 
> debug_level = 7 
> [ifp] 
> debug_level = 7 
> 
> 
> I can resolve all groups from client : 
> 
> SERVER: id tst99...@cen.example.cz 
> uid=20019(tst99...@cen.example.cz) gid=5001(csunix) 
> groups=5001(csunix),93008(final_test_group) 
> 
> CLIENT: 
> getent group 5001 
> csunix:x:5001: 
> 
> getent group 93008 
> final_test_group:*:93008: 
> 
> getent group final_test_gr...@vs.example.cz 
> final_test_group:*:93008: 
> 
> getent group csu...@cen.example.cz 
> No reply - can't resolve that group from client. 
> 
> 
... 

> 
> Also I find out that in AD there are multiple objects with gidNumber=5001 

This might be the issue: each gidNumber (and each uidNumber as well) 
should be unique in the whole environment. Please check with the AD 
administrators why it was done this way and if it can be changed. 

HTH 

bye, 
Sumit 


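
Sumit's point, in his reply above and again in the digest copy Jan quotes, is that every gidNumber and uidNumber must be unique across the whole environment. The following is an added example, not code from the thread, from SSSD or from FreeIPA: it parses an LDIF dump like the /tmp/csunix_dump Jan produced and lists every gidNumber shared by several posixGroup entries and every uidNumber shared by several posixAccount entries, which is the evidence to hand to the AD administrators. The LDIF embedded in the block is constructed for the example, modelled on the csunix_* entries in the thread (their attribute lists are elided with "..." there); the tst98 account and the users' attribute values are made up.

```python
"""Report duplicate POSIX ids (gidNumber / uidNumber) in an LDIF dump.

Added example for this thread, not SSSD or FreeIPA code: run it over the LDIF
that an ldapsearch like Jan's returns to list every id carried by more than
one group (or more than one account), which is the uniqueness Sumit requires.
"""
import base64
import re
from collections import defaultdict

# Constructed sample modelled on the csunix_* dump quoted in the thread; the
# real dump's attributes are elided with "...", so these entries are made up.
SAMPLE_LDIF = """\
dn: CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: posixGroup
objectClass: group
cn: csunix_0
gidNumber: 5001

dn: CN=csunix_1,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: posixGroup
objectClass: group
cn: csunix_1
gidNumber: 5001

dn: CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: posixGroup
objectClass: group
cn: csunix
gidNumber: 5001

dn: CN=tst99,OU=Users,DC=cen,DC=example,DC=cz
objectClass: user
objectClass: posixAccount
cn: tst99
uidNumber: 20019
gidNumber: 5001

dn: CN=tst98,OU=Users,DC=cen,DC=example,DC=cz
objectClass: user
objectClass: posixAccount
cn: tst98
uidNumber: 20019
gidNumber: 5001
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse LDIF into a list of entries, each {attribute_lowercase: [values]}.
    Folded continuation lines (leading space) are joined, base64 values
    ("attr:: ...") are decoded, comments and the version line are skipped.
    Names are lower-cased because LDAP compares attribute names case-insensitively."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.replace("\n ", "").splitlines():
            m = ATTR_RE.match(line)
            if not m or m.group(1).lower() == "version":
                continue
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            entry[attr.lower()].append(value)
        if "dn" in entry:
            entries.append(dict(entry))
    return entries


def find_id_collisions(entries, attr, object_class):
    """Map every value of `attr` carried by more than one entry of `object_class`
    to the DNs carrying it. Restricting to the class matters: a user's gidNumber
    only references its primary group, so it is not a second owner of that gid."""
    owners = defaultdict(list)
    for entry in entries:
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if object_class.lower() in classes:
            for value in entry.get(attr, []):
                owners[value].append(entry["dn"][0])
    return {value: dns for value, dns in owners.items() if len(dns) > 1}


def id_collision_report(ldif_text):
    """Collisions for both id attributes, keyed as the attributes are spelled."""
    entries = parse_ldif(ldif_text)
    return {
        "gidNumber": find_id_collisions(entries, "gidnumber", "posixGroup"),
        "uidNumber": find_id_collisions(entries, "uidnumber", "posixAccount"),
    }


if __name__ == "__main__":
    for attr, dupes in id_collision_report(SAMPLE_LDIF).items():
        for value, dns in sorted(dupes.items()):
            print(f"{attr}={value} is carried by {len(dns)} entries:")
            for dn in dns:
                print("   ", dn)
```

To check a real directory, pass the contents of the dump file (the /tmp/csunix_dump from the thread, or the output of an ldapsearch over the whole OU) to `id_collision_report`; the parser copes with LDIF line folding, so the default wrapped output is fine.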

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
> 
> On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:
> > We had one of our replicas fail today with the following errors:
> > 
> > 
> > [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" 
> > (srv-m14-32:389) - Can't locate CSN 58065ef300010003 in the changelog 
> > (DB rc=-30988). If replication stops, the consumer may need to be 
> > reinitialized.
> > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - 
> > _cl5WriteOperationTxn: retry (49) the transaction 
> > (csn=58065f7400050004) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: 
> > Locker killed to resolve a deadlock))
> > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - 
> > _cl5WriteOperationTxn: failed to write entry with csn 
> > (58065f7400050004); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker 
> > killed to resolve a deadlock
> > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - 
> > write_changelog_and_ruv: can't add a change for 
> > uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 
> > 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 
> > 58065f7400050004
> > [18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin 
> > returned error but did not set SLAPI_RESULT_CODE
> > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed 
> > to apply update (58065f7400050004) error (1).  Aborting replication 
> > session(conn=1314106 op=1688559)
> > [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is 
> > NULL--updating cache just in case
> > [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password 
> > Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates 
> > found, which should be added before the CoS Definition.
> > [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN 
> > (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
> > [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for 
> > changenumber=30856302,cn=changelog from entryrdn index (-30993)
> > [18/Oct/2016:13:43:20 -0400] - Operation error fetching 
> > changenumber=30856302,cn=changelog (null), error -30993.
> > [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured 
> > while adding change number 30856302, dn = 
> > changenumber=30856302,cn=changelog: Operations error.
> > [18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation 
> > failure [1]
> > [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed 
> > to apply update (58065f9f0060) error (1).  Aborting replication 
> > session(conn=1901274 op=5)
> > [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 
> > BDB0062 Successful return: 0
> > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - 
> > _cl5WriteOperationTxn: retry (49) the transaction 
> > (csn=58065f7c000a0004) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: 
> > Locker killed to resolve a deadlock))
> > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - 
> > _cl5WriteOperationTxn: failed to write entry with csn 
> > (58065f7c000a0004); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker 
> > killed to resolve a deadlock
> > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - 
> > write_changelog_and_ruv: can't add a change for 
> > uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 
> > 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 
> > 58065f7c000a0004
> > 
> > 
> > ns-slapd was hung so we restarted and now it's stuck and won't come back 
> > up. It
> > hangs up here:
> > 
> > [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password 
> > Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates 
> > found, which should be added before the CoS Definition.
> > [18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - 
> > _cl5NewDBFile: PR_DeleteSemaphore: 
> > /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema;
> >  NSPR error - -5943
> > [18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog program - 
> > _cl5NewDBFile: PR_DeleteSemaphore: 
> > /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema;
> >  NSPR error - -5943
> > 
> > 
> > Tried deleting the semaphore files and restarting but no luck. Attached
> > is a stacktrace of the stuck ns-slapd process.
> > 
> > Here's the versions were running:
> > 
> > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > 389-ds-base-1.3.4.0-33.el7_2.x86_64
> > 
> > FWIW, we were experimenting with the new life-cycle management features,
> > specifically "preserved" users and deleted the user "janedoe" when this
> > happened.  From the errors above looks like this host failed to
> > replicate the change?  Not sure if this is related or n

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Ludwig Krispenz


On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:
> On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
> > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:
> > > We had one of our replicas fail today with the following errors:
> > >
> > > [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef300010003 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
> > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7400050004) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
> > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7400050004); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
> > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7400050004
> > > [18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
> > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f7400050004) error (1).  Aborting replication session(conn=1314106 op=1688559)
> > > [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is NULL--updating cache just in case
> > > [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
> > > [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
> > > [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for changenumber=30856302,cn=changelog from entryrdn index (-30993)
> > > [18/Oct/2016:13:43:20 -0400] - Operation error fetching changenumber=30856302,cn=changelog (null), error -30993.
> > > [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856302, dn = changenumber=30856302,cn=changelog: Operations error.
> > > [18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> > > [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f9f0060) error (1).  Aborting replication session(conn=1901274 op=5)
> > > [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0
> > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a0004) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
> > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a0004); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
> > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7c000a0004
> > >
> > > ns-slapd was hung so we restarted and now it's stuck and won't come back up. It
> > > hangs up here:
> > >
> > > [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
> > > [18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
> > > [18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
> > >
> > > Tried deleting the semaphore files and restarting but no luck. Attached
> > > is a stacktrace of the stuck ns-slapd process.
> > >
> > > Here's the versions we're running:
> > >
> > > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > > 389-ds-base-1.3.4.0-33.el7_2.x86_64
> > >
> > > FWIW, we were experimenting with the new life-cycle management features,
> > > specifically "preserved" users and deleted the user "janedoe" when this
> > > happened.  From the errors above looks like this host failed to
> > > replicate the change?  Not sure if this is related or not.
> > >
> > > Is it possible to recover the database? Thanks in advance for any pointers.

From the stack trace the process is not hanging, it is trying to recover.
After a crash/kill the changelog does not contain a RUV and it is
reconstructed by reading all records in the changelog; if this is large it
can take some time.
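
The errors log Andrew posted mixes Berkeley DB return codes with CSNs, and Ludwig's explanation turns on the changelog and the RUV rebuilt from it. As an added example (not 389-ds or FreeIPA code), the block below parses lines in that errors-log format, tallies the DB return codes, and decodes the CSNs. A 389-ds CSN is 20 hex digits: 8 of Unix time, then 4 each of sequence number, replica id and sub-sequence number. The CSNs as quoted in this thread are only 16 digits long, so for those the decoder reports just the timestamp field; the sample lines are copied from Andrew's message (unwrapped), and the 20-digit CSN in the block's main section is a constructed value, not one from the thread.

```python
"""Triage 389-ds errors-log lines from a replication / changelog failure.

Added example for this thread, not 389-ds or FreeIPA code. It parses lines in
the errors-log format quoted above, tallies the Berkeley DB return codes,
extracts the CSNs involved and decodes each CSN's supplier-side timestamp so it
can be compared with the time the consumer logged the failure.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Lines copied from Andrew's log as quoted in the thread (unwrapped).
SAMPLE_ERRORS_LOG = """\
[18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef300010003 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7400050004) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7400050004); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f7400050004) error (1).  Aborting replication session(conn=1314106 op=1688559)
[18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a0004) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
""".splitlines()

# Berkeley DB 5.3 return codes seen in the log (-30993 is confirmed by the
# "BDB0068 DB_LOCK_DEADLOCK" text 389-ds prints next to it).
BDB_CODES = {-30993: "DB_LOCK_DEADLOCK", -30988: "DB_NOTFOUND"}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<rest>.*)$")
CSN_RE = re.compile(r"(?:csn\b[=\s(]*|update \()([0-9a-f]{12,20})", re.IGNORECASE)
RC_RE = re.compile(r"(?<![\w-])(-30\d{3})\b")


def decode_csn(csn):
    """Decode a 389-ds CSN: 8 hex digits of Unix time, then 4 hex digits each
    of sequence number, replica id and sub-sequence number (20 in total).
    Shorter strings, like the ones quoted in the thread, yield only the time."""
    csn = csn.lower()
    fields = {"timestamp": datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc)}
    if len(csn) == 20:
        fields["seqnum"] = int(csn[8:12], 16)
        fields["rid"] = int(csn[12:16], 16)
        fields["subseqnum"] = int(csn[16:20], 16)
    return fields


def parse_errors_log_line(line):
    """Split one errors-log line into time, plugin, message, CSN and DB code."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    plugin = None
    head, sep, tail = rest.partition(" - ")
    if sep and head and " " not in head:     # "NSMMReplicationPlugin - ..."
        plugin, rest = head, tail
    elif rest.startswith("- "):              # core server lines carry no plugin
        rest = rest[2:]
    csn = CSN_RE.search(rest)
    rc = RC_RE.search(rest)
    return {
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "plugin": plugin,
        "message": rest,
        "csn": csn.group(1).lower() if csn else None,
        "rc": int(rc.group(1)) if rc else None,
    }


def summarize(lines):
    """Count DB return codes and decode every CSN mentioned in `lines`."""
    events = [e for e in map(parse_errors_log_line, lines) if e]
    by_code = Counter(e["rc"] for e in events if e["rc"] is not None)
    return {
        "events": len(events),
        "deadlocks": by_code.get(-30993, 0),
        "by_code": {c: (BDB_CODES.get(c, "unknown"), n) for c, n in by_code.items()},
        "csns": {e["csn"]: decode_csn(e["csn"]) for e in events if e["csn"]},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ERRORS_LOG)
    print(report["events"], "events,", report["deadlocks"], "deadlocks:", report["by_code"])
    for csn, fields in report["csns"].items():
        print(csn, "originated at", fields["timestamp"].isoformat())
    # Constructed full-length CSN (not from the thread) to show all four fields.
    print(decode_csn("58065ef3000100030000"))
```

Running it on the sample shows what a reviewer wants at a glance: one DB_NOTFOUND for the CSN the supplier could not find in its changelog, four DB_LOCK_DEADLOCK retries, and the supplier-side timestamps of the changes that failed to apply, which can be lined up against the consumer's log times and the deletion of the "janedoe" entry.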

[Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread beeth beeth
I once asked about installing IPA servers with a certificate provided by a
third party like Verisign
(https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
Florence, Rob and Jakub from Redhat had been very helpful, and pointed out the
solution at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
about "Installing Without a CA", and it worked great!

Now another problem has come up: the Verisign (or any other) certificate will
expire in a year or two. How can I smoothly renew the Verisign certificate on
the primary and replica IPA servers a year from now? Or, if we decide to use
another provider, say a Godaddy certificate, how can I replace the existing
certificate on both IPA servers? I found a relevant instruction at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
but that's about the "Dogtag" CA certificate, not about the third-party
certificate I am using in our upcoming production environment (running IPA 4.2
on RHEL7).

Please advise. Thank you!
Beeth

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Ludwig Krispenz


On 10/19/2016 05:02 PM, Ludwig Krispenz wrote:


On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:

On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:

On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:

We had one of our replicas fail today with the following errors:


[18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef300010003 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7400050004) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7400050004); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7400050004
[18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f7400050004) error (1).  Aborting replication session(conn=1314106 op=1688559)
[18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is NULL--updating cache just in case
[18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
[18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
[18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for changenumber=30856302,cn=changelog from entryrdn index (-30993)
[18/Oct/2016:13:43:20 -0400] - Operation error fetching changenumber=30856302,cn=changelog (null), error -30993.
[18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856302, dn = changenumber=30856302,cn=changelog: Operations error.
[18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
[18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f9f0060) error (1).  Aborting replication session(conn=1901274 op=5)
[18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a0004) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a0004); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7c000a0004



ns-slapd was hung so we restarted and now it's stuck and won't come back up. It
hangs up here:

[18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
[18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
[18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943



Tried deleting the semaphore files and restarting but no luck. Attached
is a stacktrace of the stuck ns-slapd process.

Here are the versions we're running:

ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
389-ds-base-1.3.4.0-33.el7_2.x86_64

FWIW, we were experimenting with the new life-cycle management features,
specifically "preserved" users, and deleted the user "janedoe" when this
happened.  From the errors above it looks like this host failed to
replicate the change?  Not sure if this is related or not.

Is it possible to recover the database? Thanks in advance for any 
pointers.
from the stack trace the process is not hanging, it is trying to recover.

After a crash/kill the changelog does not contain a RUV and it is
reconstructed by reading all re
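
Detection logic for the error-log signatures quoted in this thread (the CSN the changelog cannot locate, the exhausted DB_LOCK_DEADLOCK retries in the changelog writer, the aborted replication sessions and the stale .sema files on restart), as an added example that is not part of the thread or of 389-ds. The sample log is constructed from the lines above, wrapped the way the mail shows them; decoding the CSN timestamp assumes the standard 389-ds CSN layout, in which the leading 8 hex digits are a Unix timestamp.

```python
"""Triage 389-ds (ns-slapd) error-log entries for the replication failure
signatures quoted in this thread: a CSN the changelog cannot locate, Berkeley DB
deadlock retries exhausted in the changelog writer, aborted replication sessions,
changes that could not be written to the changelog, and stale changelog
semaphores at startup. Added example; not code from the thread or from 389-ds."""
import re
from datetime import datetime, timezone

# Every error-log entry starts with "[dd/Mon/yyyy:HH:MM:SS -zzzz]".
ENTRY_START = re.compile(r"^\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]")
# Signatures taken from the log lines in the thread.
CANT_LOCATE = re.compile(r'agmt="(?P<agmt>[^"]+)".*?Can.t locate CSN (?P<csn>[0-9a-f]+) in the changelog')
CL_RETRY = re.compile(r"_cl5WriteOperationTxn: retry \((?P<n>\d+)\) the transaction "
                      r"\(csn=(?P<csn>[0-9a-f]+)\) failed \(rc=(?P<rc>-?\d+)")
ABORTED = re.compile(r"Failed to apply update \((?P<csn>[0-9a-f]+)\) error \(\d+\)\.\s+"
                     r"Aborting replication session\(conn=(?P<conn>\d+) op=(?P<op>\d+)\)")
CL_WRITE_FAIL = re.compile(r"write_changelog_and_ruv: can.t add a change for (?P<dn>\S+) \(uniqid:")
STALE_SEMA = re.compile(r"_cl5NewDBFile: PR_DeleteSemaphore: (?P<path>\S+?); NSPR error - -?\d+")
DB_LOCK_DEADLOCK = -30993  # BDB0068 as printed in the log lines


def unwrap(lines):
    """Rejoin entries that a mail client wrapped: a line that does not start
    with a timestamp continues the previous entry."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def csn_epoch(csn):
    """The leading 8 hex digits of a 389-ds CSN are the seconds-since-epoch
    time of the originating write; the rest are sequence number and replica id."""
    return int(csn[:8], 16)


def triage(lines):
    r = {"missing_csns": [], "deadlock_retries": {}, "aborted_sessions": [],
         "failed_changelog_writes": [], "stale_semaphores": [], "findings": []}
    for entry in unwrap(lines):
        if m := CANT_LOCATE.search(entry):
            r["missing_csns"].append((m["agmt"], m["csn"]))
        elif (m := CL_RETRY.search(entry)) and int(m["rc"]) == DB_LOCK_DEADLOCK:
            r["deadlock_retries"][m["csn"]] = max(r["deadlock_retries"].get(m["csn"], 0), int(m["n"]))
        elif m := ABORTED.search(entry):
            r["aborted_sessions"].append((m["csn"], int(m["conn"]), int(m["op"])))
        elif m := CL_WRITE_FAIL.search(entry):
            r["failed_changelog_writes"].append(m["dn"])
        elif m := STALE_SEMA.search(entry):
            r["stale_semaphores"].append(m["path"])
    for agmt, csn in r["missing_csns"]:
        when = datetime.fromtimestamp(csn_epoch(csn), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        r["findings"].append(f"{agmt}: CSN {csn} (written {when}) missing from the changelog; "
                             "if replication stops, that consumer must be re-initialized")
    if r["deadlock_retries"]:
        r["findings"].append(f"changelog writer gave up after {max(r['deadlock_retries'].values())} "
                             f"DB_LOCK_DEADLOCK retries on {len(r['deadlock_retries'])} CSN(s)")
    for dn in r["failed_changelog_writes"]:
        r["findings"].append(f"change to {dn} could not be written to the changelog")
    if r["stale_semaphores"]:
        r["findings"].append(f"{len(r['stale_semaphores'])} stale .sema file(s) from an unclean "
                             "shutdown; the changelog RUV is rebuilt by reading the whole changelog, "
                             "so a long startup here is recovery, not a hang")
    return r


# Constructed sample: entries from the thread, wrapped the way the mail shows them.
SAMPLE_LOG = """\
[18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) -
Can't locate CSN 58065ef300010003 in the changelog (DB rc=-30988). If replication
stops, the consumer may need to be reinitialized.
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program -
_cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7400050004) failed
(rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv:
can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu
(uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7400050004
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply
update (58065f7400050004) error (1).  Aborting replication session(conn=1314106 op=1688559)
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program -
_cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a0004) failed
(rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program -
_cl5NewDBFile: PR_DeleteSemaphore:
/var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema;
NSPR error - -5943
"""
```

Run `triage(SAMPLE_LOG.splitlines())["findings"]` to get the four human-readable findings for the sample.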

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Bertrand Rétif
- Original message -

> From: "Rob Crittenden" 
> To: "Bertrand Rétif" , freeipa-users@redhat.com
> Sent: Wednesday 19 October 2016 15:30:14
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> Bertrand Rétif wrote:
> >> From: "Martin Babinsky" 
> >> To: freeipa-users@redhat.com
> >> Sent: Wednesday 19 October 2016 08:45:49
> >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat
> >> issue
> >
> >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> >>> Hello,
> >>>
> >>> I had an issue with pki-tomcat.
> >>> I had several certificates that were expired and pki-tomcat did not start
> >>> anymore.
> >>>
> >>> I set the date on the server before certificate expiration and then
> >>> pki-tomcat starts properly.
> >>> Then I try to resubmit the certificate, but I get the below error:
> >>> "Profile caServerCert Not Found"
> >>>
> >>> Do you have any idea how I could fix this issue.
> >>>
> >>> Please find below output of commands:
> >>>
> >>>
> >>> # getcert resubmit -i 20160108170324
> >>>
> >>> # getcert list -i 20160108170324
> >>> Number of certificates and requests being tracked: 7.
> >>> Request ID '20160108170324':
> >>> status: MONITORING
> >>> ca-error: Server at
> >>> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit"; replied:
> >>> Profile caServerCert Not Found
> >>> stuck: no
> >>> key pair storage:
> >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> >>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>> certificate:
> >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> >>> Certificate DB'
> >>> CA: dogtag-ipa-ca-renew-agent
> >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> >>> subject: CN=IPA RA,O=A.SKINFRA.EU
> >>> expires: 2016-06-28 15:25:11 UTC
> >>> key usage:
> >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> >>> track: yes
> >>> auto-renew: yes
> >>>
> >>>
> >>> Thanks in advance for your help.
> >>> Bertrand
> >>>
> >>>
> >>>
> >>>
> >
> >> Hi Bertrand,
> >
> >> what version of FreeIPA and Dogtag are you running?
> >
> >> Also perform the following search on the IPA master and post the result:
> >
> >> """
> >> ldapsearch -D "cn=Directory Manager" -W -b
> >> 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> >> """
> >
> > Hi Martin,
> >
> > Thanks for your reply.
> >
> > Here is version:
> > - FreeIPA 4.2.0
> > - Centos 7.2
> >
> > I have been able to fix the issue with "Profile caServerCert Not Found" by
> > editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> > I replaced the below entry
> > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> > by
> > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
> >
> > and then launched the "ipa-server-upgrade" command.
> > I found this solution in this post:
> > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
> >
> > Then I was able to renew my certificate.
> >
> > However I rebooted my server too and pki-tomcat does not start and provides
> > a new error in /var/log/pki/pki-tomcat/ca/debug
> >
> > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
> >
> > java.lang.Exception: SystemCertsVerification: system certs verification failure
> > at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
> > at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
> > at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
> > at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
> > at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
> > at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
> > at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
> > at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> > at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:606)
> > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> > at java.security.AccessController.doPr
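
A parser for the getcert list output quoted above that flags what a monitoring check should catch before a CA stops starting: a ca-error from the CA, a status other than MONITORING, a stuck request, and certificates already expired or about to expire. This is an added example, not code from the thread, from certmonger or from FreeIPA; the first sample record is abridged from the thread and the second is constructed.

```python
"""Parse `getcert list` output and flag tracked certificates that need attention:
a ca-error from the CA (like the "Profile caServerCert Not Found" quoted above),
a status other than MONITORING, a stuck request, or a certificate that has
expired or is about to. Added example, not part of the thread, of certmonger or
of FreeIPA; the first sample record is abridged from the thread, the second is constructed."""
import re
from datetime import datetime, timedelta, timezone

REQUEST_ID = re.compile(r"^\s*Request ID '(?P<id>[^']+)':\s*$")
# "key: value"; the value may be empty and continue on the following lines.
FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?):(?:\s+(?P<val>.*))?$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """One dict per tracked request. Indentation is not relied on, so output
    pasted into a mail (as in the thread) parses too; a line that is not
    'key: value' continues the previous field."""
    records, current, last_key = [], None, None
    for line in text.splitlines():
        m = REQUEST_ID.match(line)
        if m:
            current = {"request_id": m["id"]}
            records.append(current)
            last_key = None
            continue
        if current is None:  # e.g. "Number of certificates and requests being tracked: N."
            continue
        m = FIELD.match(line)
        if m:
            last_key = m["key"].strip()
            current[last_key] = (m["val"] or "").strip()
        elif last_key and line.strip():
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return records


def assess(records, now, warn_days=30):
    """Map request_id -> list of problems, for the records that have any."""
    problems = {}
    for rec in records:
        found = []
        if rec.get("ca-error"):
            found.append("ca-error: " + rec["ca-error"])
        if rec.get("status", "MONITORING") != "MONITORING":
            found.append("status " + rec["status"])
        if rec.get("stuck") == "yes":
            found.append("request is stuck")
        if rec.get("expires"):
            exp = datetime.strptime(rec["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
            if exp <= now:
                found.append("expired %d days ago" % (now - exp).days)
            elif exp - now <= timedelta(days=warn_days):
                found.append("expires in %d days" % (exp - now).days)
        if found:
            problems[rec["request_id"]] = found
    return problems


SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20160108170324':
status: MONITORING
ca-error: Server at
"http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
Profile caServerCert Not Found
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=A.SKINFRA.EU
subject: CN=IPA RA,O=A.SKINFRA.EU
expires: 2016-06-28 15:25:11 UTC
track: yes
auto-renew: yes
Request ID 'constructed-healthy':
status: MONITORING
stuck: no
CA: dogtag-ipa-ca-renew-agent
subject: CN=ipa.example.test,O=EXAMPLE.TEST
expires: 2018-01-01 00:00:00 UTC
track: yes
auto-renew: yes
"""
# Reference time: the date of the thread.
NOW = datetime(2016, 10, 19, 11, 11, 52, tzinfo=timezone.utc)
```

`assess(parse_getcert_list(SAMPLE), NOW)` reports only the thread's request: its ca-error and that the certificate expired 112 days earlier.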

Re: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread Florence Blanc-Renaud

On 10/19/2016 05:23 PM, beeth beeth wrote:

I once asked about installing IPA servers with a certificate provided by a
third party like Verisign (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
Florence, Rob and Jakub from Redhat had been very helpful, and pointed
out the solution at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
about "Installing Without a CA", and it worked great!

Now another problem has come up: the Verisign (or any other) certificate
will expire in a year or two. How can I smoothly renew the Verisign
certificate on the primary and replica IPA servers a year from now? Or if
we decide to use another provider, say a Godaddy certificate, how can I
replace the existing certificate on both IPA servers? I found a relevant
instruction at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
but that's about the "Dogtag" CA certificate, not about the third-party
certificate I am using in our upcoming production environment (running
IPA 4.2 on RHEL7).


Hi,

if you plan to use another CA (for instance switch from Verisign to
Godaddy), you will first need to install the new CA certificate with
ipa-cacert-manage install and ipa-certupdate. The instructions are in
30.4 Manual CA Certificate Installation [1].


Then, if you want to change the HTTP and LDAP certificates for your 
server, you can use the ipa-server-certinstall utility [2].


[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install


[2] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities


Hope this helps,
Flo.


Please advise. Thank you!
Beeth




Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote:
> 
> On 10/19/2016 05:02 PM, Ludwig Krispenz wrote:
> > 
> > On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:
> > > On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
> > > > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread thierry bordaz



On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:

On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:

On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:


Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 06:33:05PM +0200, thierry bordaz wrote:
> 
> 
> On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:
> > On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
> > > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread thierry bordaz



On 10/19/2016 06:28 PM, Andrew E. Bruno wrote:

On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote:

On 10/19/2016 05:02 PM, Ludwig Krispenz wrote:

On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:

On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:

On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:

We had one of our replicas fail today with the following errors:


[18/Oct/2016:13:40:47 -0400]
agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu"
(srv-m14-32:389) - Can't locate CSN 58065ef300010003 in
the changelog (DB rc=-30988). If replication stops, the
consumer may need to be reinitialized.
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin -
changelog program - _cl5WriteOperationTxn: retry (49) the
transaction (csn=58065f7400050004) failed (rc=-30993
(BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a
deadlock))
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin -
changelog program - _cl5WriteOperationTxn: failed to write
entry with csn (58065f7400050004); db error - -30993
BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a
deadlock
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin -
write_changelog_and_ruv: can't add a change for
uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu
(uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to
changelog csn 58065f7400050004
[18/Oct/2016:13:43:07 -0400] -
SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but
did not set SLAPI_RESULT_CODE
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin -
process_postop: Failed to apply update
(58065f7400050004) error (1).  Aborting replication
session(conn=1314106 op=1688559)
[18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify:
modified entry is NULL--updating cache just in case
[18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition
cn=Password
Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS
Templates found, which should be added before the CoS
Definition.
[18/Oct/2016:13:43:20 -0400] - Operation error fetching Null
DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
[18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get
id for changenumber=30856302,cn=changelog from entryrdn
index (-30993)
[18/Oct/2016:13:43:20 -0400] - Operation error fetching
changenumber=30856302,cn=changelog (null), error -30993.
[18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an
error occured while adding change number 30856302, dn =
changenumber=30856302,cn=changelog: Operations error.
[18/Oct/2016:13:43:20 -0400] retrocl-plugin -
retrocl_postob: operation failure [1]
[18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin -
process_postop: Failed to apply update
(58065f9f0060) error (1).  Aborting replication
session(conn=1901274 op=5)
[18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry
BAD 1601, err=0 BDB0062 Successful return: 0
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin -
changelog program - _cl5WriteOperationTxn: retry (49) the
transaction (csn=58065f7c000a0004) failed (rc=-30993
(BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a
deadlock))
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin -
changelog program - _cl5WriteOperationTxn: failed to write
entry with csn (58065f7c000a0004); db error - -30993
BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a
deadlock
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin -
write_changelog_and_ruv: can't add a change for
uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu
(uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to
changelog csn 58065f7c000a0004


ns-slapd was hung so we restarted and now it's stuck and
won't come back up. It
hangs up here:

[18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition
cn=Password
Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS
Templates found, which should be added before the CoS
Definition.
[18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin -
changelog program - _cl5NewDBFile: PR_DeleteSemaphore: 
/var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema;
NSPR error - -5943
[18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin -
changelog program - _cl5NewDBFile: PR_DeleteSemaphore: 
/var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema;
NSPR error - -5943


Tried deleting the semaphore files and restarting but no
luck. Attached
is a stacktrace of the stuck ns-slapd process.

Here's the versions were running:

ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
389-ds-base-1.3.4.0-33.el7_2.x86_64

FWIW, we were experimenting with the new life-cycle
management features,
specifically "preserved" users and deleted the user
"janedoe" when this
happened.  From the errors above it looks like this host failed to
replicate the change?  Not sure if this is related or not.

Is it possible to recover the database? Thanks in advance
for any pointers.

from the stack trace the process is not hanging, it is trying to
recover.
After a crash/kill  the changelog does 

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread thierry bordaz



On 10/19/2016 06:54 PM, Andrew E. Bruno wrote:

On Wed, Oct 19, 2016 at 06:33:05PM +0200, thierry bordaz wrote:


On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:

On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:

On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:

We had one of our replicas fail today with the following errors:


[18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" 
(srv-m14-32:389) - Can't locate CSN 58065ef300010003 in the changelog (DB rc=-30988). 
If replication stops, the consumer may need to be reinitialized.
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - 
_cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7400050004) 
failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a 
deadlock))
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - 
_cl5WriteOperationTxn: failed to write entry with csn (58065f7400050004); 
db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: 
can't add a change for 
uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 
939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 
58065f7400050004
[18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin 
returned error but did not set SLAPI_RESULT_CODE
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to 
apply update (58065f7400050004) error (1).  Aborting replication 
session(conn=1314106 op=1688559)
[18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is 
NULL--updating cache just in case
[18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, 
which should be added before the CoS Definition.
[18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN 
(4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
[18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for 
changenumber=30856302,cn=changelog from entryrdn index (-30993)
[18/Oct/2016:13:43:20 -0400] - Operation error fetching 
changenumber=30856302,cn=changelog (null), error -30993.
[18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured while 
adding change number 30856302, dn = changenumber=30856302,cn=changelog: 
Operations error.
[18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation failure 
[1]
[18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed to 
apply update (58065f9f0060) error (1).  Aborting replication 
session(conn=1901274 op=5)
[18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 
BDB0062 Successful return: 0
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - 
_cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a0004) 
failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a 
deadlock))
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - 
_cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a0004); 
db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: 
can't add a change for 
uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 
4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 
58065f7c000a0004


ns-slapd was hung so we restarted and now it's stuck and won't come back up. It
hangs up here:

[18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, 
which should be added before the CoS Definition.
[18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - 
_cl5NewDBFile: PR_DeleteSemaphore: 
/var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema;
 NSPR error - -5943
[18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog program - 
_cl5NewDBFile: PR_DeleteSemaphore: 
/var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema;
 NSPR error - -5943


Tried deleting the semaphore files and restarting but no luck. Attached
is a stacktrace of the stuck ns-slapd process.

Here are the versions we're running:

ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
389-ds-base-1.3.4.0-33.el7_2.x86_64

FWIW, we were experimenting with the new life-cycle management features,
specifically "preserved" users and deleted the user "janedoe" when this
happened.  From the errors above it looks like this host failed to
replicate the change?  Not sure if this is related or not.

Is it possible to recover the database? Thanks in advance for any pointers.

from the stack trace the process is not hanging, it is trying to recover.
After a crash/kill  the changelog does not con
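
Added here as an illustration, not part of the thread: a POSIX shell check that scans a 389-ds errors log for the three signatures in the excerpt above (a Berkeley DB deadlock on the changelog write, an aborted replication session, and the "consumer may need to be reinitialized" warning) and turns them into a verdict a monitoring hook can act on. The sample log is constructed from the lines quoted in the thread; the function names and the CRITICAL/WARNING/OK scale are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: a small check for the replication
# failure signatures seen in the 389-ds errors log above. SAMPLE_LOG is
# constructed from the lines quoted in the thread; in practice you would
# feed /var/log/dirsrv/slapd-INSTANCE/errors to the functions instead.

SAMPLE_LOG=$(cat <<'EOF'
[18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef300010003 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7400050004) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7400050004); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f7400050004) error (1).  Aborting replication session(conn=1314106 op=1688559)
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a0004); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
EOF
)

# Number of log lines reporting a Berkeley DB deadlock (rc=-30993).
count_deadlocks() {
    printf '%s\n' "$1" | grep -c 'DB_LOCK_DEADLOCK' || true
}

# Unique CSNs whose changelog write failed. Each one is an update this
# replica could not record and therefore cannot forward to its consumers.
failed_csns() {
    printf '%s\n' "$1" \
        | sed -n 's/.*failed to write entry with csn (\([0-9a-f]*\)).*/\1/p' \
        | sort -u
}

# Number of replication sessions the server aborted.
count_aborted_sessions() {
    printf '%s\n' "$1" | grep -c 'Aborting replication session' || true
}

# True when the log already warns that a consumer may need to be reinitialized.
needs_reinit() {
    printf '%s\n' "$1" | grep -q 'consumer may need to be reinitialized'
}

# One-word verdict for a monitoring hook: CRITICAL when updates were dropped
# (sessions aborted), WARNING on deadlocks or a stale-CSN warning alone,
# OK otherwise.
assess_log() {
    if [ "$(count_aborted_sessions "$1")" -gt 0 ]; then
        printf 'CRITICAL\n'
    elif [ "$(count_deadlocks "$1")" -gt 0 ] || needs_reinit "$1"; then
        printf 'WARNING\n'
    else
        printf 'OK\n'
    fi
}

# Human-readable report listing what the verdict was based on.
report() {
    printf 'verdict: %s\n' "$(assess_log "$1")"
    printf 'deadlocks: %s\n' "$(count_deadlocks "$1")"
    printf 'aborted sessions: %s\n' "$(count_aborted_sessions "$1")"
    printf 'failed CSNs:\n'
    failed_csns "$1" | sed 's/^/  /'
}

report "$SAMPLE_LOG"
```

On the sample above the verdict is CRITICAL because a replication session was aborted after the changelog write failed; the failed CSNs are the ones the thread shows being retried 49 times before the server gave up.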

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 07:05:14PM +0200, thierry bordaz wrote:
> 
> 
> On 10/19/2016 06:54 PM, Andrew E. Bruno wrote:
> > On Wed, Oct 19, 2016 at 06:33:05PM +0200, thierry bordaz wrote:
> > > 
> > > On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:
> > > > On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
> > > > > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:
> > > > > > We had one of our replicas fail today with the following errors:
> > > > > > 
> > > > > > 
> > > > > > [18/Oct/2016:13:40:47 -0400] 
> > > > > > agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - 
> > > > > > Can't locate CSN 58065ef300010003 in the changelog (DB 
> > > > > > rc=-30988). If replication stops, the consumer may need to be 
> > > > > > reinitialized.
> > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog 
> > > > > > program - _cl5WriteOperationTxn: retry (49) the transaction 
> > > > > > (csn=58065f7400050004) failed (rc=-30993 (BDB0068 
> > > > > > DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
> > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog 
> > > > > > program - _cl5WriteOperationTxn: failed to write entry with csn 
> > > > > > (58065f7400050004); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: 
> > > > > > Locker killed to resolve a deadlock
> > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - 
> > > > > > write_changelog_and_ruv: can't add a change for 
> > > > > > uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu 
> > > > > > (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to 
> > > > > > changelog csn 58065f7400050004
> > > > > > [18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN 
> > > > > > plugin returned error but did not set SLAPI_RESULT_CODE
> > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - 
> > > > > > process_postop: Failed to apply update (58065f7400050004) error 
> > > > > > (1).  Aborting replication session(conn=1314106 op=1688559)
> > > > > > [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified 
> > > > > > entry is NULL--updating cache just in case
> > > > > > [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password 
> > > > > > Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS 
> > > > > > Templates found, which should be added before the CoS Definition.
> > > > > > [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN 
> > > > > > (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
> > > > > > [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for 
> > > > > > changenumber=30856302,cn=changelog from entryrdn index (-30993)
> > > > > > [18/Oct/2016:13:43:20 -0400] - Operation error fetching 
> > > > > > changenumber=30856302,cn=changelog (null), error -30993.
> > > > > > [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error 
> > > > > > occured while adding change number 30856302, dn = 
> > > > > > changenumber=30856302,cn=changelog: Operations error.
> > > > > > [18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: 
> > > > > > operation failure [1]
> > > > > > [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - 
> > > > > > process_postop: Failed to apply update (58065f9f0060) error 
> > > > > > (1).  Aborting replication session(conn=1901274 op=5)
> > > > > > [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 
> > > > > > 1601, err=0 BDB0062 Successful return: 0
> > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog 
> > > > > > program - _cl5WriteOperationTxn: retry (49) the transaction 
> > > > > > (csn=58065f7c000a0004) failed (rc=-30993 (BDB0068 
> > > > > > DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
> > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog 
> > > > > > program - _cl5WriteOperationTxn: failed to write entry with csn 
> > > > > > (58065f7c000a0004); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: 
> > > > > > Locker killed to resolve a deadlock
> > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - 
> > > > > > write_changelog_and_ruv: can't add a change for 
> > > > > > uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu 
> > > > > > (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to 
> > > > > > changelog csn 58065f7c000a0004
> > > > > > 
> > > > > > 
> > > > > > ns-slapd was hung so we restarted and now it's stuck and won't come 
> > > > > > back up. It
> > > > > > hangs up here:
> > > > > > 
> > > > > > [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password 
> > > > > > Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS 
> > > > > > Templates found, which should be added before the CoS Definition.
> > > > > > [18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog 
> > > > > > program - _cl5NewDBFile: PR_DeleteSemaphore: 
> > > > > > /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 06:59:57PM +0200, thierry bordaz wrote:
> 
> 
> On 10/19/2016 06:28 PM, Andrew E. Bruno wrote:
> > On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote:
> > > On 10/19/2016 05:02 PM, Ludwig Krispenz wrote:
> > > > On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:
> > > > > On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
> > > > > > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:
> > > > > > > We had one of our replicas fail today with the following errors:
> > > > > > > 
> > > > > > > 
> > > > > > > [18/Oct/2016:13:40:47 -0400]
> > > > > > > agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu"
> > > > > > > (srv-m14-32:389) - Can't locate CSN 58065ef300010003 in
> > > > > > > the changelog (DB rc=-30988). If replication stops, the
> > > > > > > consumer may need to be reinitialized.
> > > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin -
> > > > > > > changelog program - _cl5WriteOperationTxn: retry (49) the
> > > > > > > transaction (csn=58065f7400050004) failed (rc=-30993
> > > > > > > (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a
> > > > > > > deadlock))
> > > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin -
> > > > > > > changelog program - _cl5WriteOperationTxn: failed to write
> > > > > > > entry with csn (58065f7400050004); db error - -30993
> > > > > > > BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a
> > > > > > > deadlock
> > > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin -
> > > > > > > write_changelog_and_ruv: can't add a change for
> > > > > > > uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu
> > > > > > > (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to
> > > > > > > changelog csn 58065f7400050004
> > > > > > > [18/Oct/2016:13:43:07 -0400] -
> > > > > > > SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but
> > > > > > > did not set SLAPI_RESULT_CODE
> > > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin -
> > > > > > > process_postop: Failed to apply update
> > > > > > > (58065f7400050004) error (1).  Aborting replication
> > > > > > > session(conn=1314106 op=1688559)
> > > > > > > [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify:
> > > > > > > modified entry is NULL--updating cache just in case
> > > > > > > [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition
> > > > > > > cn=Password
> > > > > > > Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS
> > > > > > > Templates found, which should be added before the CoS
> > > > > > > Definition.
> > > > > > > [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null
> > > > > > > DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
> > > > > > > [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get
> > > > > > > id for changenumber=30856302,cn=changelog from entryrdn
> > > > > > > index (-30993)
> > > > > > > [18/Oct/2016:13:43:20 -0400] - Operation error fetching
> > > > > > > changenumber=30856302,cn=changelog (null), error -30993.
> > > > > > > [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an
> > > > > > > error occured while adding change number 30856302, dn =
> > > > > > > changenumber=30856302,cn=changelog: Operations error.
> > > > > > > [18/Oct/2016:13:43:20 -0400] retrocl-plugin -
> > > > > > > retrocl_postob: operation failure [1]
> > > > > > > [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin -
> > > > > > > process_postop: Failed to apply update
> > > > > > > (58065f9f0060) error (1).  Aborting replication
> > > > > > > session(conn=1901274 op=5)
> > > > > > > [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry
> > > > > > > BAD 1601, err=0 BDB0062 Successful return: 0
> > > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin -
> > > > > > > changelog program - _cl5WriteOperationTxn: retry (49) the
> > > > > > > transaction (csn=58065f7c000a0004) failed (rc=-30993
> > > > > > > (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a
> > > > > > > deadlock))
> > > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin -
> > > > > > > changelog program - _cl5WriteOperationTxn: failed to write
> > > > > > > entry with csn (58065f7c000a0004); db error - -30993
> > > > > > > BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a
> > > > > > > deadlock
> > > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin -
> > > > > > > write_changelog_and_ruv: can't add a change for
> > > > > > > uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu
> > > > > > > (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to
> > > > > > > changelog csn 58065f7c000a0004
> > > > > > > 
> > > > > > > 
> > > > > > > ns-slapd was hung so we restarted and now it's stuck and
> > > > > > > won't come back up. It
> > > > > > > hangs up here:
> > > > > > > 
> > > > > > > [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition
> > > > > > > cn=Password
> > > > > > > Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Bertrand Rétif
From: "Bertrand Rétif"

> To: freeipa-users@redhat.com
> Sent: Wednesday 19 October 2016 15:42:07
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> - Original Message -

> > From: "Rob Crittenden"
> 
> > To: "Bertrand Rétif" , freeipa-users@redhat.com
> 
> > Sent: Wednesday 19 October 2016 15:30:14
> 
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat
> > issue
> 

> > Bertrand Rétif wrote:
> 
> > >> From: "Martin Babinsky"
> 
> > >> To: freeipa-users@redhat.com
> 
> > >> Sent: Wednesday 19 October 2016 08:45:49
> 
> > >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat
> > >> issue
> 
> > >
> 
> > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> 
> > >>> Hello,
> 
> > >>>
> 
> > >>> I had an issue with pki-tomcat.
> 
> > >>> I had several certificates that were expired and pki-tomcat did not
> > >>> start
> 
> > >>> anymore.
> 
> > >>>
> 
> > >>> I set the date on the server before certificate expiration and then
> 
> > >>> pki-tomcat starts properly.
> 
> > >>> Then I tried to resubmit the certificate, but I got the error below:
> 
> > >>> "Profile caServerCert Not Found"
> 
> > >>>
> 
> > >>> Do you have any idea how I could fix this issue?
> 
> > >>>
> 
> > >>> Please find below output of commands:
> 
> > >>>
> 
> > >>>
> 
> > >>> # getcert resubmit -i 20160108170324
> 
> > >>>
> 
> > >>> # getcert list -i 20160108170324
> 
> > >>> Number of certificates and requests being tracked: 7.
> 
> > >>> Request ID '20160108170324':
> 
> > >>> status: MONITORING
> 
> > >>> ca-error: Server at
> 
> > >>> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit"; replied:
> 
> > >>> Profile caServerCert Not Found
> 
> > >>> stuck: no
> 
> > >>> key pair storage:
> 
> > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> 
> > >>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> 
> > >>> certificate:
> 
> > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> 
> > >>> Certificate DB'
> 
> > >>> CA: dogtag-ipa-ca-renew-agent
> 
> > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> 
> > >>> subject: CN=IPA RA,O=A.SKINFRA.EU
> 
> > >>> expires: 2016-06-28 15:25:11 UTC
> 
> > >>> key usage:
> 
> > >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 
> > >>> eku: id-kp-serverAuth,id-kp-clientAuth
> 
> > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> 
> > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> 
> > >>> track: yes
> 
> > >>> auto-renew: yes
> 
> > >>>
> 
> > >>>
> 
> > >>> Thanks in advance for your help.
> 
> > >>> Bertrand
> 
> > >>>
> 
> > >>>
> 
> > >>>
> 
> > >>>
> 
> > >
> 
> > >> Hi Bertrand,
> 
> > >
> 
> > >> what version of FreeIPA and Dogtag are you running?
> 
> > >
> 
> > >> Also perform the following search on the IPA master and post the result:
> 
> > >
> 
> > >> """
> 
> > >> ldapsearch -D "cn=Directory Manager" -W -b
> 
> > >> 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> 
> > >> """
> 
> > >
> 
> > > Hi Martin,
> 
> > >
> 
> > > Thanks for your reply.
> 
> > >
> 
> > > Here is version:
> 
> > > - FreeIPA 4.2.0
> 
> > > - Centos 7.2
> 
> > >
> 
> > > I have been able to fix the issue with "Profile caServerCert Not Found"
> > > by
> > > editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> 
> > > I replaced the entry below
> 
> > > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> 
> > > by
> 
> > > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
> 
> > >
> 
> > > and then launched the "ipa-server-upgrade" command
> 
> > > I found this solution in this post:
> > > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
> 
> > >
> 
> > > Then I was able to renew my certificate.
> 
> > >
> 
> > > However, I rebooted my server and pki-tomcat does not start and reports
> > > a new error in /var/log/pki/pki-tomcat/ca/debug
> 
> > >
> 
> > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils:
> > > verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> 
> > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory:
> > > create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$
> 
> > > System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC
> > > certificate verification
> 
> > >
> 
> > > java.lang.Exception: SystemCertsVerification: system certs verification
> > > failure
> 
> > > at
> > > com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
> 
> > > at
> > > com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
> 
> > > at
> > > com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
> 
> > > at
> > > com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
> 
> > > at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
> 
> > > at com.netscape.cer

[Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Chris Dagdigian
Thanks to great tips and pointers from people on this list (h/t 
Alexander B) I was able to build an IPA master + replica setup that can 
recognize and allow logins from users coming from multiple disconnected 
AD Forests with 1-way trusts to the IPA servers


Sanitized view of our AWS footprint:

AD Servers & IPA:

AD Forest #1:   company-test.org
AD Forest #2:   company-aws.org
AD Forest #3:   company.org
IPA Domain/Realm:company-ipa.org   (successful 1-way trusts to 
company-test.org and company-aws.org etc.)


With basic recognition of users and working SSH logins based on AD 
username and passwords I'm moving on to trying to use the far more 
interesting IPA/IDM features.


Using user accounts defined locally on the IPA server I'm having a blast 
uploading SSH keys and creating sudo rules and groups. So the natural 
next question is "can we do this for users who exist only in remote AD 
controllers?"


IPA is doing 100% of the UID/GID/Posix stuff management - we are only 
pulling usernames & groups from AD and checking passwords against the AD 
servers.


The basic question -- is it possible for me to get to "hybrid linux user 
management" nirvana whereby IPA/IDM manages everything about AD users 
except for their username and passwords?


Tried to find this in the official documentation but it dives instantly 
into deep topics about user data mapping, custom schemas and dealing 
with POSIX data served up by the AD controllers. Hard to figure out the 
boundary between what IPA can support with local user accounts vs  what 
it can do when the users exist in remote AD forests.


Any URLs or documentation pointers would be appreciated

Regards,
Chris




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Baird, Josh
Hi,

If I'm understanding you correctly - you will want to nest 'external' groups 
into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users.  
There are examples of this in the IdM documentation, but the gist is:

* Create an 'external' group in IPA (eg, ipa group-add external_admins 
--external)
* Add your AD group as a member to the external group (eg, ipa group-add-member 
external_admins --external 'AD\groupname')
* Create a standard POSIX group in IPA (eg, ipa group-add admins)
* Add the external group as a member to the POSIX group (eg, 
ipa group-add-member admins --groups external_admins)

Now you can define policy (HBAC, sudo) based on the 'admins' POSIX group and 
the policies will apply to the AD users in the AD\groupname group.

Hope this helps.

Thanks,

Josh

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Chris Dagdigian
Sent: Wednesday, October 19, 2016 3:18 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Novice question re IPA management of host RBAC login, 
sudo and ssh key management for users who are only in Active Directory

Thanks to great tips and pointers from people on this list (h/t Alexander B) I 
was able to build an IPA master + replica setup that can recognize and allow 
logins from users coming from multiple disconnected AD Forests with 1-way 
trusts to the IPA servers

Sanitized view of our AWS footprint:

AD Servers & IPA:

AD Forest #1:   company-test.org
AD Forest #2:   company-aws.org
AD Forest #3:   company.org
IPA Domain/Realm:company-ipa.org   (successful 1-way trusts to 
company-test.org and company-aws.org etc.)

With basic recognition of users and working SSH logins based on AD username and 
passwords I'm moving on to trying to use the far more interesting IPA/IDM 
features.

Using user accounts defined locally on the IPA server I'm having a blast 
uploading SSH keys and creating sudo rules and groups. So the natural next 
question is "can we do this for users who exist only in remote AD controllers?"

IPA is doing 100% of the UID/GID/Posix stuff management - we are only pulling 
usernames & groups from AD and checking passwords against the AD servers.

The basic question -- is it possible for me to get to "hybrid linux user 
management" nirvana whereby IPA/IDM manages everything about AD users except 
for their username and passwords?

Tried to find this in the official documentation but it dives instantly into 
deep topics about user data mapping, custom schemas and dealing with POSIX data 
served up by the AD controllers. Hard to figure out the boundary between what 
IPA can support with local user accounts vs  what it can do when the users 
exist in remote AD forests.

Any URLs or documentation pointers would be appreciated

Regards,
Chris






Re: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Alexander Bokovoy

On ke, 19 loka 2016, Chris Dagdigian wrote:
Thanks to great tips and pointers from people on this list (h/t 
Alexander B) I was able to build an IPA master + replica setup that 
can recognize and allow logins from users coming from multiple 
disconnected AD Forests with 1-way trusts to the IPA servers


Sanitized view of our AWS footprint:

AD Servers & IPA:

AD Forest #1:   company-test.org
AD Forest #2:   company-aws.org
AD Forest #3:   company.org
IPA Domain/Realm:company-ipa.org   (successful 1-way trusts to 
company-test.org and company-aws.org etc.)


With basic recognition of users and working SSH logins based on AD 
username and passwords I'm moving on to trying to use the far more 
interesting IPA/IDM features.


Using user accounts defined locally on the IPA server I'm having a 
blast uploading SSH keys and creating sudo rules and groups. So the 
natural next question is "can we do this for users who exist only in 
remote AD controllers?"

Yes, you can, by using ID views and ID overrides.

In FreeIPA < 4.4 you need admins to create and populate the overrides.
You can see how it works in this video:
https://www.youtube.com/watch?v=M_umNxB7rSM

Starting with FreeIPA 4.4 you only need to create the override as IPA admin;
users can populate it themselves with the IPA command line interface after
'kinit' as the AD user:

$ kinit admin
$ ipa idoverrideuser-add 'Default Trust View' user@ad.domain

then AD user can do:

$ kinit user@AD.DOMAIN
$ ipa idoverrideuser-mod 'Default Trust View' user@ad.domain \
 --sshpubkey=$(cat /path/to/my-ssh-key.pub)

There are access controls in place which don't allow changing things
like username (--login) or home directory in self-service. Practically,
AD users can maintain their public SSH keys and (starting with FreeIPA
4.4) attach public certificates to their ID overrides.

IPA is doing 100% of the UID/GID/Posix stuff management - we are only 
pulling usernames & groups from AD and checking passwords against the 
AD servers.


The basic question -- is it possible for me to get to "hybrid linux 
user management" nirvana whereby IPA/IDM manages everything about AD 
users except for their username and passwords?

See above.

Tried to find this in the official documentation but it dives 
instantly into deep topics about user data mapping, custom schemas and 
dealing with POSIX data served up by the AD controllers. Hard to 
figure out the boundary between what IPA can support with local user 
accounts vs  what it can do when the users exist in remote AD forests.


Any URLs or documentation pointers would be appreciated

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#managing-id-views-in-ad

ID Views are the thing you need to deal with. FreeIPA 4.4 adds support
for 'self-service' for AD users in the command line. Versions before it
require IPA admins to handle ID overrides. No Web UI support for the
self-service yet.

FreeIPA 4.4 is what is available in RHEL 7.3 beta already.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Chris Dagdigian


Perfect thank you. I tend to get too wordy in my emails. You've 
described exactly what I'm going for.


Follow up question - Will a similar approach work for users (not groups) 
as well if there is a small collection of AD-defined people I want to 
hold and distribute SSH public keys for?


Happy to document our setup or write up a HowTO or intro guide for other 
novices if we are trying something that is not often done.


Regards,
Chris


Baird, Josh wrote:

Hi,

If I'm understanding you correctly - you will want to nest 'external' groups 
into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users.  
There are examples of this in the IdM documentation, but the gist is:

* Create an 'external' group in IPA (eg, ipa group-add external_admins 
--external)
* Add your AD group as a member to the external group (eg, ipa group-add-member 
external_admins --external 'AD\groupname')
* Create a standard POSIX group in IPA (eg, ipa group-add admins)
* Add the external group as a member to the POSIX group (eg, 
ipa group-add-member admins --groups external_admins)

Now you can define policy (HBAC, sudo) based on the 'admins' POSIX group and 
the policies will apply to the AD users in the AD\groupname group.

Hope this helps.

Thanks,

Jos




Re: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Alexander Bokovoy

On ke, 19 loka 2016, Baird, Josh wrote:

Hi,

If I'm understanding you correctly - you will want to nest 'external' groups 
into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users.  
There are examples of this in the IdM documentation, but the gist is:

* Create an 'external' group in IPA (eg, ipa group-add external_admins 
--external)
* Add your AD group as a member to the external group (eg, ipa group-add-member 
external_admins --external 'AD\groupname')
* Create a standard POSIX group in IPA (eg, ipa group-add admins)
* Add the external group as a member to the POSIX group (eg, 
ipa group-add-member admins --groups external_admins)

Now you can define policy (HBAC, sudo) based on the 'admins' POSIX group and 
the policies will apply to the AD users in the AD\groupname group.

Correct -- for HBAC and SUDO rules this is the right procedure. See also the
discussions on this list in the last couple of months; this topic was discussed
several times already.

For ID overrides (SSH public keys/homedir/etc) -- see my other email.


--
/ Alexander Bokovoy

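The four steps Josh lists and Alexander confirms, as an added shell example that is not from the thread or from the FreeIPA project. The group and rule names are assumptions; the `ipa` subcommands and options are the ones the IPA CLI provides. `DRY_RUN=1` prints the commands instead of running them, which is useful for reviewing a change before it touches the directory. The example also shows the one detail that is easy to get wrong on the command line: the backslash in `DOMAIN\group` has to be protected from the shell.

```shell
#!/bin/sh
# Added example (not from the thread): nest an AD group into an IPA POSIX
# group so HBAC and sudo rules written against the POSIX group apply to the
# AD users, then grant that group ssh access with an HBAC rule. Group and
# rule names are assumptions. DRY_RUN=1 prints the ipa commands instead of
# running them. ipa group-add exits non-zero if the group already exists,
# which under set -e stops the script; that is what you want on first setup.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# External members must be named DOMAIN\group (or given as a SID). The
# backslash has to reach ipa intact, so callers quote it: 'AD\linux-admins'.
valid_ad_group() {
  case "$1" in
    *\\*)        return 0 ;;   # DOMAIN\name
    S-1-5-21-*)  return 0 ;;   # SID
    *)           return 1 ;;
  esac
}

# $1 AD group, $2 external (non-POSIX) IPA group, $3 POSIX IPA group
nest_ad_group() {
  ad_group=$1; ext_group=$2; posix_group=$3
  valid_ad_group "$ad_group" || {
    printf 'expected DOMAIN\\name or SID, got: %s\n' "$ad_group" >&2; return 1; }
  # 1. non-POSIX "external" group that may contain AD objects
  run ipa group-add "$ext_group" --external --desc "AD members of $posix_group"
  # 2. the AD group becomes a member of the external group
  run ipa group-add-member "$ext_group" --external "$ad_group"
  # 3. ordinary POSIX group that HBAC and sudo rules refer to
  run ipa group-add "$posix_group"
  # 4. nest the external group inside the POSIX group
  run ipa group-add-member "$posix_group" --groups "$ext_group"
}

# HBAC rule letting the POSIX group ($1) use sshd on every enrolled host.
# Policy refers only to the POSIX group, so admitting another AD group later
# is one more group-add-member on the external group, not a rule change.
grant_ssh_access() {
  posix_group=$1; rule=$2
  run ipa hbacrule-add "$rule" --hostcat=all
  run ipa hbacrule-add-service "$rule" --hbacsvcs=sshd
  run ipa hbacrule-add-user "$rule" --groups="$posix_group"
}

# Usage:
#   DRY_RUN=1 nest_ad_group 'AD\linux-admins' external_admins admins
#   DRY_RUN=1 grant_ssh_access admins admins_ssh
```

Run it once with `DRY_RUN=1` and compare the printed commands with the four bullets above; then run it for real as a user holding a Kerberos ticket with group and HBAC administration rights. After that, `ipa group-show admins` should list `external_admins` under "Member groups", and `ipa hbactest --user 'AD\someone@AD.REALM' --host <client> --service sshd` is the quickest way to confirm that the rule applies before anyone relies on it.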


Re: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread beeth beeth
First of all, thanks for the quick response Florence!

I have a question about your suggested steps [1] and [2]:
For [1],  "ipa-cacert-manage install cert.pem". Which certificate is this?
Is it the ChainBundle cert(root cert + intermediate cert)?
For [2],  "ipa-server-certinstall -d /path/to/pkcs12.p12" . Which
certificate is this pkcs12.p12? Is it the Server cert?

Here's exactly what I ran initially to install the IPA server with the
Verisign certs, by following your suggestion last time(at the Admin manual
2.3.6. Installing Without a CA), and it worked well:

# ipa-server-install --http-cert-file ServerCertificate.crt
--http-cert-file ipaserver1.encrypted.key --http-pin MYipakey
--dirsrv-cert-file ServerCertificate.crt --dirsrv-cert-file
ipaserver1.encrypted.key --dirsrv-pin MYipakey --ca-cert-file
ChainBundle2.crt

So, basically the installation requested 3 items: the server
key(ipaserver1.encrypted.key), the server certificate from
Verisign(ServerCertificate.crt), and the "root+intermediate" certs from
Verisign(ChainBundle2.crt).
Now let's say the Verisign certificate expires and I want to replace the
certs with ones from GoDaddy (another public cert provider). I assume a new
set of certs, including the new key, the new server cert, and the new chain
cert (root+intermediate), 3 items in total, will need to be included in the
commands for the third-party certificate replacement.
The steps [1] and [2] only show two inputs, so I am not sure what I have
been missing.

Please advise the detail. Thanks again!
Beeth


On Wed, Oct 19, 2016 at 11:49 AM, Florence Blanc-Renaud 
wrote:

> On 10/19/2016 05:23 PM, beeth beeth wrote:
>
>> I once asked about installing IPA servers with a certificate provided by
>> a third party like Verisign
>> (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
>> Florence, Rob and Jakub from Redhat had been very helpful, and pointed
>> out the solution at
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
>> about "Installing Without a CA", and it worked great!
>>
>> Now another problem came up: the Verisign (or any other) certificate will
>> expire in a year or two, so how can I smoothly renew the Verisign
>> certificate on the primary and replica IPA servers a year from now? Or if
>> we decide to use another provider, say a Godaddy certificate, how can I
>> replace the existing certificate on both IPA servers? I found a relevant
>> instruction at
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
>> but that's about the "Dogtag" CA certificate, not about the third-party
>> certificate I am using in our upcoming production environment (running
>> IPA 4.2 on RHEL7).
>>
> Hi,
>
> if you plan to use another CA (for instance switch from Verisign to
> Godaddy), you will need first to install the new CA certificate with
> ipa-cacert-manage install and ipa-certupdate. The instructions are in 30.4
> Manual CA Certificate Installation [1].
>
> Then, if you want to change the HTTP and LDAP certificates for your
> server, you can use the ipa-server-certinstall utility [2].
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterp
> rise_Linux/7/html-single/Linux_Domain_Identity_Authenti
> cation_and_Policy_Guide/index.html#manual-cert-install
>
> [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterp
> rise_Linux/7/html-single/Linux_Domain_Identity_Authenti
> cation_and_Policy_Guide/index.html#Configuring_Certificates_
> and_Certificate_Authorities
>
> Hope this helps,
> Flo.
>
>
>> Please advise. Thank you!
>> Beeth
>>
>
>

[Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-19 Thread Robert Sturrock
Hello,

We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with
our University organisational AD.  The AD forest contains *two*
domains:

  EXAMPLE.AU (staff users)
  STUDENT.EXAMPLE.AU (student users)

The IPA domain that trusts these is called:

  IPA.EXAMPLE.AU

The basic configuration as described above works OK; we can log in to
IPA client hosts with user principals from either of the AD domains
and we see correct group membership.

However, I would like to tune this configuration to drop the domain
component of the user and group names.  I tried to do this by adding
these settings to the [sssd] section in sssd.conf on the client:

default_domain_suffix = example.au
full_name_format = %1$s

With this configuration, I can log in as a staff domain user (example.au)
successfully and I then see the short-name form of the groups:

$ ssh -l r...@example.au ipa-client-rh7.ipa.example.au
[rns@ipa-client-rh7 ~]$ groups
rns domain users d-750g 511all [..etc..]

However, when I try logging in as a student domain user (student.example.au),
I don't see any of the groups (there should be 8):

$ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
[rnst@ipa-client-rh7 ~]$ groups
rnst

Is this expected behaviour?  Is there a possible client configuration that
will support our AD forest setup or is this simply not possible?

Regards,

Robert.

Complete client sssd.conf:
-

[domain/ipa.example.au]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.au
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-client-rh7.ipa.example.au
chpass_provider = ipa
ipa_server = _srv_, matilda3.ipa.example.au
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ipa.example.au
default_domain_suffix = example.au
full_name_format = %1$s

[nss]
homedir_substring = /home
override_shell = /bin/bash

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]



Re: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread Florence Blanc-Renaud

On 10/20/2016 05:05 AM, beeth beeth wrote:

First of all, thanks for the quick response Florence!

I have a question about your suggested steps [1] and [2]:
For [1],  "ipa-cacert-manage install cert.pem". Which certificate is
this? Is it the ChainBundle cert(root cert + intermediate cert)?
For [2],  "ipa-server-certinstall -d /path/to/pkcs12.p12" . Which
certificate is this pkcs12.p12? Is it the Server cert?

Here's exactly what I ran initially to install the IPA server with the
Verisign certs, by following your suggestion last time(at the Admin
manual 2.3.6. Installing Without a CA), and it worked well:

# ipa-server-install --http-cert-file ServerCertificate.crt
--http-cert-file ipaserver1.encrypted.key --http-pin MYipakey
--dirsrv-cert-file ServerCertificate.crt --dirsrv-cert-file
ipaserver1.encrypted.key --dirsrv-pin MYipakey --ca-cert-file
ChainBundle2.crt

So, basically the installation requested 3 items: the server
key(ipaserver1.encrypted.key), the server certificate from
Verisign(ServerCertificate.crt), and the "root+intermediate" certs from
Verisign(ChainBundle2.crt).
Now let's say the Verisign certificate expires and I want to replace
the certs with ones from GoDaddy (another public cert provider). I assume
a new set of certs, including the new key, the new server cert, and the
new chain cert (root+intermediate), 3 items in total, will need to be
included in the commands for the third-party certificate replacement.
The steps [1] and [2] only show two inputs, so I am not sure what I have
been missing.


Hi,

Sorry if I was not clear enough. The first step (ipa-cacert-manage 
install) aims at adding the CA certificate, so the root+intermediate 
certs should be provided.


The step with ipa-server-certinstall configures the Server Cert (-d if 
you want to replace the LDAP cert, -w for HTTP cert), meaning that the 
Server-Cert and key should be provided. The man page details all the 
supported formats, and it is possible to provide multiple files.


Hope this clarifies,
Flo.


Please advise the detail. Thanks again!
Beeth


On Wed, Oct 19, 2016 at 11:49 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:

On 10/19/2016 05:23 PM, beeth beeth wrote:

I once asked about installing IPA servers with a certificate provided by
a third party like Verisign
(https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
Florence, Rob and Jakub from Redhat had been very helpful, and pointed
out the solution at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
about "Installing Without a CA", and it worked great!

Now another problem came up: the Verisign (or any other) certificate will
expire in a year or two, so how can I smoothly renew the Verisign
certificate on the primary and replica IPA servers a year from now? Or if
we decide to use another provider, say a Godaddy certificate, how can I
replace the existing certificate on both IPA servers? I found a relevant
instruction at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
but that's about the "Dogtag" CA certificate, not about the third-party
certificate I am using in our upcoming production environment (running
IPA 4.2 on RHEL7).

Hi,

if you plan to use another CA (fo