Re: [Freeipa-users] ipa fails to start hangs on pki-tomcatd

2016-12-01 Thread Rob Crittenden
Rob Verduijn wrote:
> Hello,
> 
> For some reason my ipa server no longer boots.
> It keeps trying to start pki-tomcat service.
> 
> Does anybody know where I should start looking to get this fixed ?
> 
> Rob Verduijn
> 
> ipactl -d start gives this output:
> ipa: DEBUG: The CA status is: check interrupted due to error: Command
> ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
> 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'' returned
> non-zero exit status 8
> ipa: DEBUG: Waiting for CA to start...
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> '--no-check-certificate'
> 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'
> ipa: DEBUG: Process finished, return code=8
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=--2016-12-01 11:06:12-- 
> https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
> Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)... 172.16.1.13
> Connecting to freeipa02.tjako.thuis
> (freeipa02.tjako.thuis)|172.16.1.13|:8443... connected.
> HTTP request sent, awaiting response...
>   HTTP/1.1 500 Internal Server Error
>   Server: Apache-Coyote/1.1
>   Content-Type: text/html;charset=utf-8
>   Content-Language: en
>   Content-Length: 2134
>   Date: Thu, 01 Dec 2016 10:06:13 GMT
>   Connection: close
> 2016-12-01 11:06:13 ERROR 500: Internal Server Error.
> 
> There are also some Java warnings in the logs, but it's Java and I can
> never tell if it's a serious error when Java gives a warning.
> Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Dec  1 09:53:59 freeipa02 server: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'serverCertNickFile' to
> '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a
> matching property.
> Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Dec  1 09:53:59 freeipa02 server: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not
> find a matching property.
> Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Dec  1 09:53:59 freeipa02 server: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile'
> did not find a matching property.
> Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Dec  1 09:53:59 freeipa02 server: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
> property.
> Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> org.apache.tomcat.util.digester.SetPropertiesRule begin
> Dec  1 09:53:59 freeipa02 server: WARNING:
> [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> 'xmlValidation' to 'false' did not find a matching property.
> Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> org.apache.tomcat.util.digester.SetPropertiesRule begin
> Dec  1 09:53:59 freeipa02 server: WARNING:
> [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> 'xmlNamespaceAware' to 'false' did not find a matching property.
> 
> 
> I'm running centos7.2 x86_64 with the latest patches applied.
> some package versions below
> rpm -qa|egrep "ipa|tomcat"|sort
> ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
> ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64
> ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
> libipa_hbac-1.13.0-40.el7_2.12.x86_64
> python-iniparse-0.4-9.el7.noarch
> python-libipa_hbac-1.13.0-40.el7_2.12.x86_64
> sssd-ipa-1.13.0-40.el7_2.12.x86_64
> tomcat-7.0.54-8.el7_2.noarch
> tomcat-el-2.2-api-7.0.54-8.el7_2.noarch
> tomcat-jsp-2.2-api-7.0.54-8.el7_2.noarch
> tomcatjss-7.1.2-1.el7.noarch
> tomcat-lib-7.0.54-8.el7_2.noarch
> tomcat-servlet-3.0-api-7.0.54-8.el7_2.noarch

The debug log is quite verbose. I find it helpful to note where the
previous log ended, then start the service, pull the difference and go line
by line. It sometimes fails in one place, which cascades to others; this
generally makes it hard to grok.

I'd also run `getcert list` and check to ensure that the CA subsystem
certificates are still valid.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
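Following up on the `getcert list` suggestion above: the script below is an added example for this thread, not FreeIPA or certmonger code. It parses the block format `getcert list` prints (a "Request ID '...':" header followed by indented "key: value" lines), and reports every tracked certificate that is already past its expiry, expires within a warning window, or is not in the MONITORING state (a CA that cannot renew its own subsystem certs typically shows CA_UNREACHABLE and stuck: yes). The sample output, request IDs, dates and the EXAMPLE.TEST realm are constructed; the alias path and nicknames follow the pki-tomcat layout seen in the thread.

```python
"""Flag expired, expiring or stuck certificates in `getcert list` output.

Added example for the freeipa-users thread; not FreeIPA or certmonger code.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample of `getcert list` output: three tracked CA subsystem
# certificates. On a real server replace this with the command's output.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20150101100613':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Subsystem,O=EXAMPLE.TEST
\texpires: 2016-11-20 10:06:13 UTC
\ttrack: yes
Request ID '20150101100614':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2016-12-15 10:06:13 UTC
\ttrack: yes
Request ID '20150101100615':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2034-12-31 10:06:13 UTC
\ttrack: yes
"""


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split the output into one dict per tracking request (header + indented keys)."""
    requests: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.startswith("Request ID "):
            current = {"request_id": line.split("'")[1]}
            requests.append(current)
        elif current is not None and line[:1] in ("\t", " "):
            key, sep, value = line.strip().partition(": ")
            if sep:
                current[key] = value
    return requests


def nickname(req: Dict[str, str]) -> str:
    """NSS nickname taken from the 'certificate:' line, or the request ID if absent."""
    m = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
    return m.group(1) if m else req["request_id"]


def check_certs(requests: List[Dict[str, str]], now: datetime,
                warn_days: int = 30) -> List[Tuple[str, str, str]]:
    """Return (nickname, problem, detail) for everything that needs attention."""
    findings: List[Tuple[str, str, str]] = []
    for req in requests:
        name = nickname(req)
        status = req.get("status", "UNKNOWN")
        if status != "MONITORING":            # renewal is not being tracked normally
            findings.append((name, "status", status))
        exp = req.get("expires")
        if not exp:                           # request with no certificate on file
            findings.append((name, "no-cert", "no certificate on file"))
            continue
        expires = datetime.strptime(exp, "%Y-%m-%d %H:%M:%S UTC")
        if expires <= now:
            findings.append((name, "expired", exp))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((name, "expiring", exp))
    return findings


def check_sample() -> List[Tuple[str, str, str]]:
    """Run the check on the constructed sample as of the thread's date (2016-12-01)."""
    return check_certs(parse_getcert_list(SAMPLE_GETCERT_LIST),
                       datetime(2016, 12, 1, 10, 6, 13))


if __name__ == "__main__":
    for name, problem, detail in check_sample():
        print("%-32s %-9s %s" % (name, problem, detail))
```

Anything reported as "expired" or with a non-MONITORING status on the CA subsystem certificates is the situation the CA_Certificate_Renewal howto covers; an "expiring" entry with auto-renew tracking and a reachable CA will normally renew on its own, but is worth watching because a CA that is down cannot renew the certs it depends on to start.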


Re: [Freeipa-users] No ad users in web gui

2016-12-01 Thread Alexander Bokovoy

On Thu, 01 Dec 2016, Denis Müller wrote:

Hello Ipa-users,

I established a successful trust to a domain controller and am able to get
SSH working. AD users are able to log into the IPA domain via SSH. But
unfortunately I can't see those users in the web GUI. What am I doing
wrong?

The only thing you are doing wrong is not reading documentation
carefully. You are not going to see AD users in IPA web UI because they
are not managed there.

Go to your AD DC and use Active Directory management tools to manage AD
users and groups.

You can use FreeIPA web UI to manage ID overrides for these users and
groups. You can use FreeIPA web UI to define mapping between AD users
and groups and FreeIPA 'external' groups for the purpose of HBAC and
SUDO rules.

You cannot manage users/groups from AD, nor use them to manage
FreeIPA, right now.

--
/ Alexander Bokovoy



Re: [Freeipa-users] No ad users in web gui

2016-12-01 Thread Alexander Bokovoy

On Thu, 01 Dec 2016, Alexander Bokovoy wrote:

On Thu, 01 Dec 2016, Denis Müller wrote:

Hello Ipa-users,

I established a successful trust to a domain controller and am able to get
SSH working. AD users are able to log into the IPA domain via SSH. But
unfortunately I can't see those users in the web GUI. What am I doing
wrong?

The only thing you are doing wrong is not reading documentation
carefully. You are not going to see AD users in IPA web UI because they
are not managed there.

Go to your AD DC and use Active Directory management tools to manage AD
users and groups.

You can use FreeIPA web UI to manage ID overrides for these users and
groups. You can use FreeIPA web UI to define mapping between AD users
and groups and FreeIPA 'external' groups for the purpose of HBAC and
SUDO rules.

You cannot manage users/groups from AD, nor use them to manage
FreeIPA, right now.

... And I did not mean anything hostile by saying that. Sorry if it felt
that way...
--
/ Alexander Bokovoy



Re: [Freeipa-users] No ad users in web gui

2016-12-01 Thread Alexander Bokovoy

Please keep freeipa-users@ in CC:

On Thu, 01 Dec 2016, Denis Müller wrote:

Sorry, but I still do not understand how I can apply a single HBAC rule
to a single user. Editing an HBAC rule, there is no option to select an
AD user.

As I said, there wouldn't be any. The concept is that you need to have a
real LDAP object to include in the HBAC or SUDO rule, and that object
must be a POSIX user or group.

We cannot map an AD user to a POSIX user this way yet, only to POSIX groups,
so in the HBAC rule you need to add a POSIX group instead of the AD
user (or IPA user).




[root@ipa01 ~]# ipa group-show ad_users_external
 Group name: ad_users_external
 Description: AD users external map
 Member of groups: ad_users
 Indirect Member of HBAC rule: ssh_rule
 External member: us...@rto.de,
us...@rto.de



[root@ipa01 ~]# ipa hbacrule-add-user
Rule name: ssh_rule
[member user]: us...@rto.de
[member group]: ad_users_external
 Rule name: ssh_rule
 Enabled: TRUE
 User Groups: ad_users, ad_users_external
 Hosts: ipa-web.wop.bto.de
 Services: sshd
 Failed users/groups:
   member user: us...@rto.de: no such entry
   member group:


On Thursday, 01.12.2016, 16:12 +0200, Alexander Bokovoy wrote:

On Thu, 01 Dec 2016, Denis Müller wrote:


Hello Alexander,

thank you for your reply. As I understand it, working with AD users/groups works this
way:

ad_users => ad_users_external_group => ipa_users_group

So I can manage ipa_users_group to provide sudo rules etc.

But how can i provide rules to a single user? What would be the best way?


The same way -- by specifying user as part of the external group.

Check out this email, this topic is raised regularly:
https://www.redhat.com/archives/freeipa-users/2016-October/msg00083.html




--
/ Alexander Bokovoy



Re: [Freeipa-users] Loss of initial master in multi master setup

2016-12-01 Thread Rob Crittenden
Martin Babinsky wrote:
> On 12/01/2016 01:28 PM, Neal Harrington | i-Neda Ltd wrote:
>> Hi IPA Gurus,
>>
>>
>> I had a 3 site multi master IPA replication setup (1 office and 2
>> datacentres) with 2 IPA servers at each site. Each server was
>> replicating successfully to 3 other servers (the other local site server
>> and one server at each of the two remote sites). Everything is running
>> on the default packages from CentOS 7.2 and each server is a full
>> replica (ipa-replica-install
>> /var/lib/ipa/replica-info-id-myserver.fqdn.com.gpg  --setup-ca
>> --setup-dns --mkhomedir --forwarder 8.8.8.8)
>>
>>
>> Everything was ticking over nicely until we had notice that the
>> office site was moving on short notice.
>>
>>
>> I successfully created IPA servers at the new site, setup replication
>> again between the new office and the two datacentres that were to remain
>> online, tested and everything worked as expected - unfortunately in the
>> rush I did not have time to properly retire the IPA servers in the old
>> office.
>>
>>
>> The problem this has caused is that I only ever created users in one of
>> the IPA servers in the original office - so only those servers have a
>> DNA range and I am now unable to create new users on the active servers.
>> The original office servers are still in the IPA replication and powered
>> on but offline so potential split brain?
>>
>>
>> I now have two things I would like to know before proceeding:
>>
>>   * Is the best fix here to force remove the original IPA servers and
>> manually add a new dna range significantly different from the
>> original to avoid overlaps?
>>   * Is there anything else I should check? I can't see any issues
>> however did not notice the DNA range until I tried to create a user.
>>
>> Any pointers greatly appreciated.
>>
>>
>> Thanks,
>>
>> Neal.
>>
>>
>>
>>
>>
>>
> 
> Hi Neal,
> 
> If you already disconnected/decommissioned the old masters then I think
> the best you can do is option a, i.e. re-set DNA ranges on replicas to
> new values while avoiding overlap with old ranges.
> 
> We have an upstream document[1] describing the procedure. Hope it helps.
> 
> Also make sure that you migrated CA renewal and CRL master
> responsibilities to the new replicas, otherwise you may get problems
> with expiring certificates which are really hard to solve. See the
> following guide for details. [2]
> 
> [1] http://www.freeipa.org/page/V3/Recover_DNA_Ranges
> [2] http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> 

You may want to look at this too, http://blog-rcritten.rhcloud.com/?p=50

rob



Re: [Freeipa-users] ipa fails to start hangs on pki-tomcatd

2016-12-01 Thread Rob Verduijn
2016-12-01 15:41 GMT+01:00 Rob Crittenden:

> Rob Verduijn wrote:
> > Hello,
> >
> > For some reason my ipa server no longer boots.
> > It keeps trying to start pki-tomcat service.
> >
> > Does anybody know where I should start looking to get this fixed ?
> >
> > Rob Verduijn
> >
> > ipactl -d start gives this output:
> > ipa: DEBUG: The CA status is: check interrupted due to error: Command
> > ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
> > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'' returned
> > non-zero exit status 8
> > ipa: DEBUG: Waiting for CA to start...
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> > '--no-check-certificate'
> > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'
> > ipa: DEBUG: Process finished, return code=8
> > ipa: DEBUG: stdout=
> > ipa: DEBUG: stderr=--2016-12-01 11:06:12--
> > https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
> > Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)... 172.16.1.13
> > Connecting to freeipa02.tjako.thuis
> > (freeipa02.tjako.thuis)|172.16.1.13|:8443... connected.
> > HTTP request sent, awaiting response...
> >   HTTP/1.1 500 Internal Server Error
> >   Server: Apache-Coyote/1.1
> >   Content-Type: text/html;charset=utf-8
> >   Content-Language: en
> >   Content-Length: 2134
> >   Date: Thu, 01 Dec 2016 10:06:13 GMT
> >   Connection: close
> > 2016-12-01 11:06:13 ERROR 500: Internal Server Error.
> >
> > There are also some Java warnings in the logs, but it's Java and I can
> > never tell if it's a serious error when Java gives a warning.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.catalina.startup.SetAllPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > 'serverCertNickFile' to
> > '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a
> > matching property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.catalina.startup.SetAllPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not
> > find a matching property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.catalina.startup.SetAllPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile'
> > did not find a matching property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.catalina.startup.SetAllPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
> > property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.tomcat.util.digester.SetPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> > 'xmlValidation' to 'false' did not find a matching property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.tomcat.util.digester.SetPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> > 'xmlNamespaceAware' to 'false' did not find a matching property.
> >
> >
> > I'm running centos7.2 x86_64 with the latest patches applied.
> > some package versions below
> > rpm -qa|egrep "ipa|tomcat"|sort
> > ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
> > libipa_hbac-1.13.0-40.el7_2.12.x86_64
> > python-iniparse-0.4-9.el7.noarch
> > python-libipa_hbac-1.13.0-40.el7_2.12.x86_64
> > sssd-ipa-1.13.0-40.el7_2.12.x86_64
> > tomcat-7.0.54-8.el7_2.noarch
> > tomcat-el-2.2-api-7.0.54-8.el7_2.noarch
> > tomcat-jsp-2.2-api-7.0.54-8.el7_2.noarch
> > tomcatjss-7.1.2-1.el7.noarch
> > tomcat-lib-7.0.54-8.el7_2.noarch
> > tomcat-servlet-3.0-api-7.0.54-8.el7_2.noarch
>
> The debug log is quite verbose. I find it helpful to note where the
> previous log ended, then start the service, pull the difference and go line
> by line. It sometimes fails in one place, which cascades to others; this
> generally makes it hard to grok.
>
> I'd also run `getcert list` and check to ensure that the CA subsystem
> certificates are still valid.
>
> rob
>


Hi,

My certs were indeed expired.
I did what was said in here
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
And now they are all valid again.

However 

Re: [Freeipa-users] No ad users in web gui

2016-12-01 Thread Alexander Bokovoy

On Thu, 01 Dec 2016, Denis Müller wrote:

Hello Alexander,

thank you for your reply. As I understand it, working with AD users/groups works this
way:

ad_users => ad_users_external_group => ipa_users_group

So I can manage ipa_users_group to provide sudo rules etc.

But how can i provide rules to a single user? What would be the best way?

The same way -- by specifying user as part of the external group.

Check out this email, this topic is raised regularly:
https://www.redhat.com/archives/freeipa-users/2016-October/msg00083.html

--
/ Alexander Bokovoy



[Freeipa-users] new IPA Servers

2016-12-01 Thread Outback Dingo
Trying to deploy new IPA servers so I can take down the old ones prior
to a move; however the install is failing with:

zone optimcloud.com. already exists in DNS and is handled by
server(s): ipa.optimcloud.com., ipa2.optimcloud.com.


So how can I get around this? Note the old servers are going away
forever, but I need them alive until the new ones are ready.



Re: [Freeipa-users] Freeipa on ARM (raspberry pi) - OpenJDK vs. Oracle JDK

2016-12-01 Thread Nordgren, Bryce L -FS
My guess aligns with this response:  
http://stackoverflow.com/questions/31153584/why-is-there-such-a-performance-difference-on-raspberry-pi-between-open-and-orac

Bryce

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Winfried de Heiden
Sent: Thursday, December 01, 2016 1:08 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Freeipa on ARM (raspberry pi) - OpenJDK vs. Oracle JDK

Hi all,

Started as "just because it's possible", running FreeIPA on a BananaPI or 
Raspberry PI turned out to be rather successful, and for more than a year I 
have used FreeIPA at home.

OK, running on small boards like the Raspberry PI it will never be fast, but it's 
surely quick enough to run at small scale. However, starting FreeIPA became 
much slower since Fedora 24 and even more so on Fedora 25.
Since Oracle Java is also available for ARM and there's much written that it is 
much faster, I took some time for an experiment.

Starting FreeIPA using the default installation (running OpenJDK), starting 
FreeIPA takes a painful 15 minutes (afterwards, it all just works fine):

[root@rpi2 sysconfig]# time ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

real    15m40.638s
user    0m33.095s
sys     0m1.910s

Now, after installing Oracle Java and changing JAVA_HOME in 
/etc/sysconfig/pki-tomcat to:

#JAVA_HOME="/usr/lib/jvm/jre-1.8.0-openjdk"
JAVA_HOME="/opt/jdk1.8.0_111/jre"

[root@rpi2 sysconfig]# time ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

real    2m14.823s
user    0m33.400s
sys     0m1.730s

Wow, I expected some improvement, but this is far better than expected! This 
leaves a question: what is happening here!!??

I prefer to use OpenJDK: it's open source, and because it's available from the 
Fedora ARM repositories it is also much easier to update. But for now, 
Oracle is much faster and OpenJDK from this point of view is a very poor 
alternative.
Why is OpenJDK so much slower? Is improvement possible? For now (with some 
"tweaking") or in a future release?

For the record, I tested these Java versions:

[root@rpi2 sysconfig]# 
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-3.b16.fc25.arm/jre/bin/java -version
openjdk version "1.8.0_111"
OpenJDK Runtime Environment (build 1.8.0_111-b16)
OpenJDK Zero VM (build 25.111-b16, interpreted mode)

[root@rpi2 sysconfig]# /opt/jdk1.8.0_111/jre/bin/java -version
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) Client VM (build 25.111-b14, mixed mode)


Kind regards,

Winfried





Re: [Freeipa-users] ipa fails to start hangs on pki-tomcatd

2016-12-01 Thread Rob Crittenden
Rob Verduijn wrote:
> 
> 
> 2016-12-01 15:41 GMT+01:00 Rob Crittenden:
> 
> Rob Verduijn wrote:
> > Hello,
> >
> > For some reason my ipa server no longer boots.
> > It keeps trying to start pki-tomcat service.
> >
> > Does anybody know where I should start looking to get this fixed ?
> >
> > Rob Verduijn
> >
> > ipactl -d start gives this output:
> > ipa: DEBUG: The CA status is: check interrupted due to error: Command
> > ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
> > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
> '' returned
> > non-zero exit status 8
> > ipa: DEBUG: Waiting for CA to start...
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> > '--no-check-certificate'
> > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
> '
> > ipa: DEBUG: Process finished, return code=8
> > ipa: DEBUG: stdout=
> > ipa: DEBUG: stderr=--2016-12-01 11:06:12--
> > https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
> 
> > Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)... 172.16.1.13
> > Connecting to freeipa02.tjako.thuis
> > (freeipa02.tjako.thuis)|172.16.1.13|:8443... connected.
> > HTTP request sent, awaiting response...
> >   HTTP/1.1 500 Internal Server Error
> >   Server: Apache-Coyote/1.1
> >   Content-Type: text/html;charset=utf-8
> >   Content-Language: en
> >   Content-Length: 2134
> >   Date: Thu, 01 Dec 2016 10:06:13 GMT
> >   Connection: close
> > 2016-12-01 11:06:13 ERROR 500: Internal Server Error.
> >
> > There are also some Java warnings in the logs, but it's Java and I can
> > never tell if it's a serious error when Java gives a warning.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.catalina.startup.SetAllPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > 'serverCertNickFile' to
> > '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a
> > matching property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.catalina.startup.SetAllPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not
> > find a matching property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.catalina.startup.SetAllPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > 'passwordClass' to 'org.apache.tomcat.util.net
> .jss.PlainPasswordFile'
> > did not find a matching property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.catalina.startup.SetAllPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
> > property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.tomcat.util.digester.SetPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> > 'xmlValidation' to 'false' did not find a matching property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.tomcat.util.digester.SetPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> > 'xmlNamespaceAware' to 'false' did not find a matching property.
> >
> >
> > I'm running centos7.2 x86_64 with the latest patches applied.
> > some package versions below
> > rpm -qa|egrep "ipa|tomcat"|sort
> > ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
> > libipa_hbac-1.13.0-40.el7_2.12.x86_64
> > python-iniparse-0.4-9.el7.noarch
> > python-libipa_hbac-1.13.0-40.el7_2.12.x86_64
> > sssd-ipa-1.13.0-40.el7_2.12.x86_64
> > tomcat-7.0.54-8.el7_2.noarch
> > tomcat-el-2.2-api-7.0.54-8.el7_2.noarch
> > 

Re: [Freeipa-users] Loss of initial master in multi master setup

2016-12-01 Thread Neal Harrington | i-Neda Ltd
> > Hi IPA Gurus,
> >
> >
> > I had a 3 site multi master IPA replication setup (1 office and 2
> > datacentres) with 2 IPA servers at each site. Each server was
> > replicating successfully to 3 other servers (the other local site
> > server and one server at each of the two remote sites). Everything is
> > running on the default packages from CentOS 7.2 and each server is a
> > full replica (ipa-replica-install
> > /var/lib/ipa/replica-info-id-myserver.fqdn.com.gpg  --setup-ca
> > --setup-dns --mkhomedir --forwarder 8.8.8.8)
> >
> >
> > Everything was ticking over nicely until we had notice that the office
> > site was moving on short notice.
> >
> >
> > I successfully created IPA servers at the new site, setup replication
> > again between the new office and the two datacentres that were to
> > remain online, tested and everything worked as expected -
> > unfortunately in the rush I did not have time to properly retire the
> > IPA servers in the old office.
> >
> >
> > The problem this has caused is that I only ever created users in one
> > of the IPA servers in the original office - so only those servers have
> > a DNA range and I am now unable to create new users on the active
> servers.
> > The original office servers are still in the IPA replication and
> > powered on but offline so potential split brain?
> >
> >
> > I now have two things I would like to know before proceeding:
> >
> >   * Is the best fix here to force remove the original IPA servers and
> > manually add a new dna range significantly different from the
> > original to avoid overlaps?
> >   * Is there anything else I should check? I can't see any issues
> > however did not notice the DNA range until I tried to create a user.
> >
> > Any pointers greatly appreciated.
> >
> >
> > Thanks,
> >
> > Neal.
>
> Hi Neal,
>
> If you already disconnected/decommissioned the old masters then I think the
> best you can do is option a, i.e. re-set DNA ranges on replicas to new values
> while avoiding overlap with old ranges.
>
> We have an upstream document[1] describing the procedure. Hope it helps.
>
> Also make sure that you migrated CA renewal and CRL master responsibilities
> to the new replicas, otherwise you may get problems with expiring
> certificates which are really hard to solve. See the following guide for 
> details.
> [2]
>
> [1] http://www.freeipa.org/page/V3/Recover_DNA_Ranges
> [2]
> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_
> Master
>
> --
> Martin^3 Babinsky

Hi Martin & Rob,

Thank you very much for the pointers. I have added a new range to an IPA server 
(I used the top half of the previous range; I only had 30-ish IDs used so far):
# ipa-replica-manage dnarange-set office03.fqdn.com 31030-31039
and this has allowed me to add a user on that server. However when I try to add 
a user on a different server it still fails with "allocation of new value for 
range". I was expecting this to request a new range and halve the currently 
assigned range. Rob's link included this command:
# ldapsearch -x -D 'cn=Directory Manager' -W -b 
cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=int,dc=i-neda,dc=com
...Which seems to list all of the other servers, including office03.fqdn.com 
which it shows as having 9 dnaRemainingValues (all the rest have 0) so the 
server that cannot add users can see office03 has 9 unused.

However of more immediate concern now I can create user accounts is the CA 
replication which I seem to have completely messed up. Most CA replication went 
back to the (now offline) office and even what I have does not seem to work as 
expected. E.g. on office03:
# ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 
'cn=masters,cn=ipa,cn=etc,dc=example,dc=com' 
'(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn

search result
search: 2
result: 32 No such object

Following the instructions to set the master seems to work at first (no errors) 
but the LDAP search for the renewal master still returns "result: 32 No Such Object":
# ipa-csreplica-manage set-renewal-master
ipa: WARNING: session memcached servers not running
Directory Manager password:
office03.fqdn.com is now the renewal master

Re-running the set-renewal-master command reports that this server is already 
the renewal master.

I think I need to reinitialize the CA replication and connect everything up in 
a redundant loop as I have with the main replication - however the LDAP query 
not returning the replication master does not seem right. I have not added any 
IPA servers since these network changes happened a week ago, is it reasonably 
safe to assume no certificates will have been created so all servers are 
effectively in sync?

Your help with this is greatly appreciated. On the plus side the systems we use 
this for are all dev, not live, so it is a good learning experience for me if 
nothing else!

Best Regards,
Neal.

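The DNA-range part of this thread (Martin's advice to re-set ranges on the replicas without overlapping the old ones, and Neal's follow-up where the old office masters are still in the topology but offline) is easy to get wrong by hand. The script below is an added example for the thread, not FreeIPA code. It parses the output of `ipa-replica-manage dnarange-show` (assumed here to be one "host: start-end" or "host: No range set" line per master), reports any two masters whose ranges intersect, and proposes the lowest free block inside the deployment's ID range (base and size as shown by `ipa idrange-show`). Ranges of masters that are offline but not removed stay off limits because they are still listed, and ranges of masters already force-removed are passed in as reserved, since IDs may already have been issued from them. Hostnames, ranges and the 31000/200000 ID range are constructed.

```python
"""Check FreeIPA DNA ranges for overlap and propose a safe range for a master.

Added example for the freeipa-users thread; not FreeIPA code.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Range = Tuple[int, int]  # inclusive start and inclusive end

# Assumed line format of `ipa-replica-manage dnarange-show`.
_LINE = re.compile(r"^(?P<host>\S+):\s+(?:(?P<start>\d+)-(?P<end>\d+)|No range set)\s*$")

# Constructed sample: the old office master still holds the original range and
# is offline but not removed; the newer masters have no range at all.
SAMPLE_DNARANGE_SHOW = """\
office01.fqdn.com: 31000-31999
office02.fqdn.com: No range set
office03.fqdn.com: No range set
dc1-ipa01.fqdn.com: No range set
"""


def parse_dnarange_show(text: str) -> Dict[str, Optional[Range]]:
    """Map each master to its DNA range, or None when it has not been given one."""
    ranges: Dict[str, Optional[Range]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unrecognised dnarange-show line: %r" % line)
        if m.group("start") is None:
            ranges[m.group("host")] = None
            continue
        start, end = int(m.group("start")), int(m.group("end"))
        if end < start:
            raise ValueError("inverted range for %s" % m.group("host"))
        ranges[m.group("host")] = (start, end)
    return ranges


def overlapping(ranges: Dict[str, Optional[Range]]) -> List[Tuple[str, str]]:
    """Pairs of masters whose ranges intersect. Any hit means two masters can
    hand out the same UID/GID, which is the split-brain case to avoid."""
    held = [(h, r) for h, r in ranges.items() if r is not None]
    hits: List[Tuple[str, str]] = []
    for i, (h1, (s1, e1)) in enumerate(held):
        for h2, (s2, e2) in held[i + 1:]:
            if s1 <= e2 and s2 <= e1:
                hits.append((h1, h2))
    return hits


def propose_range(ranges: Dict[str, Optional[Range]], reserved: Iterable[Range],
                  id_base: int, id_count: int, size: int) -> Optional[Range]:
    """Lowest block of `size` IDs inside [id_base, id_base + id_count) that no
    listed master holds and that is not in `reserved` (ranges of masters that
    were already force-removed but may have issued IDs). Returns None when no
    block of that size is free."""
    taken = sorted([r for r in ranges.values() if r is not None] + list(reserved))
    cursor = id_base
    last = id_base + id_count - 1
    for start, end in taken:
        if start - cursor >= size:
            break  # the gap before this range is big enough
        cursor = max(cursor, end + 1)
    if cursor + size - 1 <= last:
        return (cursor, cursor + size - 1)
    return None


def plan_sample() -> Optional[Range]:
    """Propose a 1000-ID block for the sample topology. 32000-32999 is treated
    as belonging to a master that was already force-removed (constructed)."""
    ranges = parse_dnarange_show(SAMPLE_DNARANGE_SHOW)
    if overlapping(ranges):
        raise RuntimeError("fix overlapping ranges before handing out more")
    return propose_range(ranges, [(32000, 32999)],
                         id_base=31000, id_count=200000, size=1000)


if __name__ == "__main__":
    block = plan_sample()
    if block is not None:
        print("ipa-replica-manage dnarange-set office03.fqdn.com %d-%d" % block)
```

The proposal deliberately skips the whole range of a master that is merely offline: if it is ever powered on and reconnected to the topology it will keep allocating from its own range, so carving a piece out of it (as in the 31030-31039 example above) is only safe once that master has actually been removed, which is what the Recover_DNA_Ranges page walks through.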
[Freeipa-users] FreeIPA, Ipsilon, Duo Security integration

2016-12-01 Thread Mike Jacobacci
Hi,

As of now, we have FreeIPA/FreeRadius with OTP and Ipsilon working
perfectly.  Now, I am looking at possibly integrating Duo security instead
of FreeIPA's 2FA.  I am concerned about how it will fit in with Ipsilon and
FreeIPA... Has anyone else tried this before?  If so, are there any
pitfalls or problems you have encountered, or any general advice?

Cheers,
Mike

Re: [Freeipa-users] ipa fails to start hangs on pki-tomcatd

2016-12-01 Thread Rob Verduijn
2016-12-01 17:20 GMT+01:00 Rob Crittenden:

> Rob Verduijn wrote:
> >
> > 2016-12-01 15:41 GMT+01:00 Rob Crittenden:
> >
> > Rob Verduijn wrote:
> > > Hello,
> > >
> > > For some reason my ipa server no longer boots.
> > > It keeps trying to start pki-tomcat service.
> > >
> > > Does anybody know where I should start looking to get this fixed ?
> > >
> > > Rob Verduijn
> > >
> > > ipactl -d start gives this output:
> > > ipa: DEBUG: The CA status is: check interrupted due to error: Command
> > > ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
> > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'' returned
> > > non-zero exit status 8
> > > ipa: DEBUG: Waiting for CA to start...
> > > ipa: DEBUG: Starting external process
> > > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> > > '--no-check-certificate'
> > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'
> > > ipa: DEBUG: Process finished, return code=8
> > > ipa: DEBUG: stdout=
> > > ipa: DEBUG: stderr=--2016-12-01 11:06:12--
> > > https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
> > > Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)... 172.16.1.13
> > > Connecting to freeipa02.tjako.thuis
> > > (freeipa02.tjako.thuis)|172.16.1.13|:8443... connected.
> > > HTTP request sent, awaiting response...
> > >   HTTP/1.1 500 Internal Server Error
> > >   Server: Apache-Coyote/1.1
> > >   Content-Type: text/html;charset=utf-8
> > >   Content-Language: en
> > >   Content-Length: 2134
> > >   Date: Thu, 01 Dec 2016 10:06:13 GMT
> > >   Connection: close
> > > 2016-12-01 11:06:13 ERROR 500: Internal Server Error.
> > >
> > > There are also some java warnings in the logs, but it's java and I can
> > > never tell if it's a serious error when java gives a warning.
> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Dec  1 09:53:59 freeipa02 server: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'serverCertNickFile' to
> > > '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a
> > > matching property.
> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Dec  1 09:53:59 freeipa02 server: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not
> > > find a matching property.
> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Dec  1 09:53:59 freeipa02 server: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile'
> > > did not find a matching property.
> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Dec  1 09:53:59 freeipa02 server: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
> > > property.
> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.tomcat.util.digester.SetPropertiesRule begin
> > > Dec  1 09:53:59 freeipa02 server: WARNING:
> > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> > > 'xmlValidation' to 'false' did not find a matching property.
> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.tomcat.util.digester.SetPropertiesRule begin
> > > Dec  1 09:53:59 freeipa02 server: WARNING:
> > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> > > 'xmlNamespaceAware' to 'false' did not find a matching property.
> > >
> > >
> > > I'm running CentOS 7.2 x86_64 with the latest patches applied.
> > > Some package versions below:
> > > rpm -qa|egrep "ipa|tomcat"|sort
> > > ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
> > > ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
> > > ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64
> > > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > > ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
> > > 

Re: [Freeipa-users] FreeIPA, Ipsilon, Duo Security integration

2016-12-01 Thread Simo Sorce
On Thu, 2016-12-01 at 11:37 -0800, Mike Jacobacci wrote:
> Hi,
> 
> As of now, we have FreeIPA/FreeRadius with OTP and Ipsilon working
> perfectly.  Now, I am looking at possibly integrating Duo security instead
> of FreeIPA's 2FA.  I am concerned about how it will fit in with Ipsilon and
> FreeIPA... Has anyone else tried this before?  If so, are there any
> pitfalls or problems you have encountered, or any general advice?

I think there are issues with the workflow Duo requires and the latency
(sending token via SMS and waiting for user to input).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Add 4.4 replica to 4.3 server fails

2016-12-01 Thread Jochen Hein
Jochen Hein writes:

> I'm running a single IPA master 4.3 on an up-to-date Fedora 24. That
> server has been updated from earlier Fedoras and runs DNS and CA.
> I've updated domainlevel to 1 manually.
>
> Now I'd like to switch to a CentOS install, so I installed CentOS 7.2
> on a new VM and updated to the CR repo, so I'll get IPA 4.4.
> When installing a replica with "ipa-replica-install --setup-ca" I get:
...
>   [3/5]: Importing RA Key
> /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: 
> Certificate has no `subjectAltName`, falling back to check for a `commonName` 
> for now. This feature is being removed by major browsers and deprecated by 
> RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
> SecurityWarning
> [error] HTTPError: 406 Client Error: Failed to validate message: No recipient 
> matched the provided key["Failed: [ValueError('Multibackend cannot be 
> initialized with no backends. If you are seeing this error when trying to use 
> default_backend() please try uninstalling and reinstalling cryptography.',)]"]
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.

> ipa.ipapython.install.cli.install_tool(Replica): ERROR    406 Client Error: 
> Failed to validate message: No recipient matched the provided key["Failed: 
> [ValueError('Multibackend cannot be initialized with no backends. If you are 
> seeing this error when trying to use default_backend() please try 
> uninstalling and reinstalling cryptography.',)]"]
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The 
> ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
> more information
>

In CentOS 7.2/7.3 we have python-jwcrypto-0.2.1-1.el7, in Fedora 23 we
have 0.3.2-1.
https://github.com/latchset/jwcrypto/issues/47 talks about problems with
FreeIPA and custodia, and that downgrading python-jwcrypto helped. Since
I consider the way forward a better choice I upgraded python-jwcrypto on
CentOS to 0.3.2, and now I have new replicas with FreeIPA 4.4 attached
to my 4.3 master.  Yeah!  It might be a good idea to get the package in
CentOS/RHEL upgraded...

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.



Re: [Freeipa-users] new IPA Servers

2016-12-01 Thread Martin Babinsky

On 12/01/2016 05:50 PM, Outback Dingo wrote:
> trying to deploy new ipa servers so i can take down the old ones prior
> to a move however the install is failing with.
>
> zone optimcloud.com. already exists in DNS and is handled by
> server(s): ipa.optimcloud.com., ipa2.optimcloud.com.
>
> so how can i get around this... note the old servers are going away
> forever. but i need them alive until the new ones are ready
>

The error message says that you are trying to install a DNS server for a 
zone that is already managed by the old masters.

You should rather create replicas of the old servers, move the CA 
renewal/CRL/DNSSEC master roles from them to the new replicas and then disconnect 
and decommission the old masters.


--
Martin^3 Babinsky



Re: [Freeipa-users] ACIerrors is httpd log

2016-12-01 Thread Rob Crittenden
Jim Richard wrote:
> I think I know what the issue is.
> 
> I had 2 IPA servers, both with CAs
> 
> I dropped one and rebuilt without the CA but a bunch of clients are
> still pointing at this one server that now is without a CA.
> 
> Will rebuild that one with a CA and almost sure that will fix.

I'm rather skeptical of that. Not having a CA should not result in an
ACI error. It should internally forward any cert requests to an IPA
server that does have a CA and relay the result back to the requester.

rob

> 
> Jim Richard
> SYSTEM ADMINISTRATOR III
> (646) 338-8905
> PlaceIQ:Alibaba
> 
>> On Nov 28, 2016, at 2:39 PM, Rob Crittenden wrote:
>>
>> Jim Richard wrote:
>>> Honestly I’m not even sure if something is not working correctly :)
>>>
>>> All I know is that my httpd, access and krb5 logs are filling up all my
>>> disk space extremely quickly and I have no idea why.
>>>
>>> Centos 6.8 + IPA 3.0
>>>
>>> One master and one replica.
>>>
>>> Are these things related?
>>>
>>> How do I fix, where do I even start?
>>>
>>> Thanks !
>>>
>>> On the replica the httpd log is constantly getting spammed with:
>>>
>>> [Thu Nov 24 05:55:18 2016] [error] ipa: INFO:
>>> host/phoenix-153.nym1.placeiq@placeiq.net:
>>> cert_request(u’actual cert removed .. , add=True): ACIError
>>>
>>> and on the master the access log is filling up quickly with:
>>>
>>> 10.1.41.110 - - [24/Nov/2016:06:09:54 +] "POST
>>> /ca/agent/ca/displayBySerial HTTP/1.1" 200 10106
>>
>> Looks like certmonger trying to renew the per-client SSL certificate.
>> You can confirm by pulling out the CSR and poking at it with openssl req.
>>
>> On the client you can try running: ipa-getcert list
>>
>> This may show more details on why the request was rejected.
>>
>> rob
> 
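To find out which clients are behind a flood like the one quoted above, here is an added example (not FreeIPA or certmonger code) that parses IPA 3 httpd error_log lines in the quoted `ipa: INFO: <principal>: <command>(<args>): <result>` format, counts `cert_request` calls that ended in `ACIError` per principal, and estimates how quickly each host is retrying. The sample log lines are constructed: the hostnames, realm and timestamps are invented and the elided CSR is a placeholder.

```python
"""Aggregate cert_request failures from an IPA httpd error log.

Added example, not FreeIPA or certmonger code.  Reads the per-request lines
IPA 3 writes to the httpd error_log, counts failures per principal and
estimates how fast a client retries, so the admin knows on which host to run
`ipa-getcert list` first.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: layout matches the line quoted in the thread, but hosts,
# realm, times and the elided CSR are invented.
SAMPLE_LOG = """\
[Thu Nov 24 05:55:18 2016] [error] ipa: INFO: host/phoenix-153.nym1.placeiq@placeiq.net: cert_request(u'-----BEGIN NEW CERTIFICATE REQUEST-----...', principal=u'host/phoenix-153.nym1.placeiq@placeiq.net', add=True): ACIError
[Thu Nov 24 05:55:19 2016] [error] ipa: INFO: host/phoenix-153.nym1.placeiq@placeiq.net: cert_request(u'...', principal=u'host/phoenix-153.nym1.placeiq@placeiq.net', add=True): ACIError
[Thu Nov 24 05:55:21 2016] [error] ipa: INFO: admin@placeiq.net: user_show(u'jdoe'): SUCCESS
[Thu Nov 24 05:56:02 2016] [error] ipa: INFO: host/phoenix-154.nym1.placeiq@placeiq.net: cert_request(u'...', principal=u'host/phoenix-154.nym1.placeiq@placeiq.net', add=True): ACIError
[Thu Nov 24 05:57:18 2016] [error] ipa: INFO: host/phoenix-153.nym1.placeiq@placeiq.net: cert_request(u'...', principal=u'host/phoenix-153.nym1.placeiq@placeiq.net', add=True): ACIError
[Thu Nov 24 05:57:40 2016] [error] ipa: INFO: host/phoenix-154.nym1.placeiq@placeiq.net: cert_request(u'...', principal=u'host/phoenix-154.nym1.placeiq@placeiq.net', add=True): SUCCESS
"""

# [timestamp] [level] ipa: INFO: <caller principal>: <command>(<args>): <result>
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+\] ipa: INFO: (?P<principal>\S+): "
    r"(?P<command>\w+)\((?P<args>.*)\): (?P<result>\w+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Fields of one log line, or None for lines in any other format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(str(rec["ts"]), "%a %b %d %H:%M:%S %Y")
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failures_by_principal(text: str, command: str = "cert_request",
                          result: str = "ACIError") -> Counter:
    """How often each principal got `result` back from `command`."""
    return Counter(str(r["principal"]) for r in parse_log(text)
                   if r["command"] == command and r["result"] == result)


def retry_rate_per_minute(text: str, principal: str,
                          command: str = "cert_request",
                          result: str = "ACIError") -> float:
    """Failures per minute for one principal, measured from its first to its
    last failure.  A lone failure just yields 1.0; a tight retry loop yields a
    large number."""
    stamps = sorted(r["ts"] for r in parse_log(text)  # type: ignore[type-var]
                    if r["principal"] == principal
                    and r["command"] == command and r["result"] == result)
    if len(stamps) < 2:
        return float(len(stamps))
    minutes = (stamps[-1] - stamps[0]).total_seconds() / 60.0  # type: ignore[operator]
    return len(stamps) / minutes if minutes > 0 else float("inf")


def report(text: str) -> List[str]:
    """Worst offenders first, one line per principal."""
    counts = failures_by_principal(text)
    return [f"{p}: {n} ACIError(s), {retry_rate_per_minute(text, p):.2f}/min"
            for p, n in counts.most_common()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Lines in any other format come back as `None`, so the parser can be pointed at a whole error_log; once the noisiest principal is known, `ipa-getcert list` on that client, as Rob suggests, shows the CA's reason for the rejection.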


Re: [Freeipa-users] ACIerrors is httpd log

2016-12-01 Thread Jim Richard
I think I know what the issue is.

I had 2 IPA servers, both with CAs

I dropped one and rebuilt without the CA but a bunch of clients are still 
pointing at this one server that now is without a CA.

Will rebuild that one with a CA and almost sure that will fix.

     
Jim Richard

SYSTEM ADMINISTRATOR III
(646) 338-8905

> On Nov 28, 2016, at 2:39 PM, Rob Crittenden wrote:
> 
> Jim Richard wrote:
>> Honestly I’m not even sure if something is not working correctly :)
>> 
>> All I know is that my httpd, access and krb5 logs are filling up all my
>> disk space extremely quickly and I have no idea why.
>> 
>> Centos 6.8 + IPA 3.0
>> 
>> One master and one replica.
>> 
>> Are these things related? 
>> 
>> How do I fix, where do I even start?
>> 
>> Thanks !
>> 
>> On the replica the httpd log is constantly getting spammed with:
>> 
>> [Thu Nov 24 05:55:18 2016] [error] ipa: INFO:
>> host/phoenix-153.nym1.placeiq@placeiq.net:
>> cert_request(u’actual cert removed .. , add=True): ACIError
>> 
>> and on the master the access log is filling up quickly with:
>> 
>> 10.1.41.110 - - [24/Nov/2016:06:09:54 +] "POST
>> /ca/agent/ca/displayBySerial HTTP/1.1" 200 10106
> 
> Looks like certmonger trying to renew the per-client SSL certificate.
> You can confirm by pulling out the CSR and poking at it with openssl req.
> 
> On the client you can try running: ipa-getcert list
> 
> This may show more details on why the request was rejected.
> 
> rob


[Freeipa-users] Freeipa on ARM (raspberry pi) - OpenJDK vs. Oracle JDK

2016-12-01 Thread Winfried de Heiden

Hi all,

Started as "just because it's possible", running FreeIPA on a
BananaPI or Raspberry PI turned out to be rather successful,
and for more than a year I have used FreeIPA at home.

OK, running on small boards like the Raspberry PI it will never be
fast, but it's surely quick enough to run at small scale.
However, starting FreeIPA became much slower since Fedora 24 and
even more so on Fedora 25.
Since Oracle Java is also available for ARM and much has been
written that it is much faster, I took some time for an experiment.

Starting FreeIPA using the default installation (running
OpenJDK) takes a painful 15 minutes
(afterwards, it all just works fine):

[root@rpi2 sysconfig]# time ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

real    15m40.638s
user    0m33.095s
sys    0m1.910s

Now, after installing Oracle Java and changing JAVA_HOME in
/etc/sysconfig/pki-tomcat to:

#JAVA_HOME="/usr/lib/jvm/jre-1.8.0-openjdk"
JAVA_HOME="/opt/jdk1.8.0_111/jre"

[root@rpi2 sysconfig]# time ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

real    2m14.823s
user    0m33.400s
sys    0m1.730s

Wow, I expected some improvement, but this is far better than
expected! This leaves a question: what is happening here!!??

I prefer to use OpenJDK; it's Open Source and because it's
available from the Fedora ARM repositories it is also much
easier to update. But for now, Oracle is much faster and OpenJDK
from this point of view is a very poor alternative.
Why is OpenJDK so much slower? Is improvement possible? For now
(some "tweaking") or in a future release?

For the record, I tested these Java versions:

[root@rpi2 sysconfig]# /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-3.b16.fc25.arm/jre/bin/java -version
openjdk version "1.8.0_111"
OpenJDK Runtime Environment (build 1.8.0_111-b16)
OpenJDK Zero VM (build 25.111-b16, interpreted mode)

[root@rpi2 sysconfig]# /opt/jdk1.8.0_111/jre/bin/java -version
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) Client VM (build 25.111-b14, mixed mode)


Kind regards,

Winfried
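The two `java -version` banners above already point at the first thing to check: the Fedora ARM OpenJDK build identifies itself as "Zero VM ... interpreted mode", which is the portable, interpreter-only HotSpot variant with no JIT compiler, while the Oracle build is a "HotSpot Client VM, mixed mode" that JIT-compiles hot code. As an added example (not part of the original post or of any JDK), the following Python parses such a banner into its fields and flags an interpreter-only JVM, so the JVM behind pki-tomcat can be checked before looking elsewhere; the two banners embedded below are the ones quoted in the post, and `probe_java` runs whichever `java` binary it is given (the default path is an assumption).

```python
"""Classify a JVM from its `java -version` banner.

Added example, not part of the original post or of any JDK.  Flags the
"Zero VM ... interpreted mode" OpenJDK build, which runs bytecode in the
interpreter only (no JIT), so slow Tomcat/Dogtag start-up can be attributed
to the JVM rather than to FreeIPA.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional

# Both banners are the ones quoted in the thread.
OPENJDK_BANNER = """\
openjdk version "1.8.0_111"
OpenJDK Runtime Environment (build 1.8.0_111-b16)
OpenJDK Zero VM (build 25.111-b16, interpreted mode)
"""
ORACLE_BANNER = """\
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) Client VM (build 25.111-b14, mixed mode)
"""

VERSION_RE = re.compile(r'^(?:openjdk|java) version "(?P<version>[^"]+)"')
VM_RE = re.compile(r"^(?P<vm>.+? VM) \(build (?P<build>[^,]+), (?P<mode>[^)]+)\)")


def classify_banner(banner: str) -> Dict[str, object]:
    """Parse the banner and decide whether the VM JIT-compiles."""
    info: Dict[str, object] = {"version": None, "vm": None, "build": None, "mode": None}
    for line in banner.splitlines():
        m = VERSION_RE.match(line)
        if m:
            info["version"] = m.group("version")
            continue
        m = VM_RE.match(line)
        if m:
            info.update(m.groupdict())
    # Zero is the processor-independent HotSpot port: interpreter only, no JIT.
    info["zero_vm"] = bool(info["vm"]) and "Zero" in str(info["vm"])
    info["jit_enabled"] = info["mode"] is not None and info["mode"] != "interpreted mode"
    return info


def probe_java(java: str = "java") -> Optional[Dict[str, object]]:
    """Run `<java> -version` (the banner goes to stderr) and classify it.
    Returns None when the binary cannot be found or executed."""
    path = java if "/" in java else shutil.which(java)
    if not path:
        return None
    try:
        proc = subprocess.run([path, "-version"], capture_output=True, text=True)
    except OSError:
        return None
    return classify_banner(proc.stderr)


def advice(info: Dict[str, object]) -> str:
    """One-line verdict for the admin."""
    if info["zero_vm"] or not info["jit_enabled"]:
        return (f"{info['vm']} ({info['mode']}) runs bytecode in the interpreter only; "
                "expect very slow Tomcat/Dogtag start-up, try a JIT-capable JVM build")
    return f"{info['vm']} ({info['mode']}) has a JIT; look elsewhere for the slowness"


if __name__ == "__main__":
    for banner in (OPENJDK_BANNER, ORACLE_BANNER):
        print(advice(classify_banner(banner)))
    live = probe_java()  # assumption: a `java` on PATH; skipped if absent
    if live:
        print("this host:", advice(live))
```

On the Pi, `probe_java` would be pointed at the `JAVA_HOME` set in /etc/sysconfig/pki-tomcat, so the check covers the JVM that pki-tomcatd actually starts rather than whichever `java` is first on PATH.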
  
  



Re: [Freeipa-users] Freeipa on ARM (raspberry pi) - OpenJDK vs. Oracle JDK

2016-12-01 Thread Petr Spacek
On 1.12.2016 09:07, Winfried de Heiden wrote:
> Hi all,
> 
> Started as "just because it's possible" running FreeIPA on a BananaPI or 
> Raspberry PI turned out to be rather successful and for more than a year I 
> use FreeIPA at home.
> 
> OK, running on small boards like Raspberry PI it never will be fast but it's 
> surely quick enough to run at small scale. However, starting FreeIPA became 
> much slower since Fedora 24 and even more on Fedora 25.
> Since Oracle Java is also available for ARM and there's much written this is 
> much faster I took some time for an experiment.
> 
> Starting FreeIPA using the default installation (running OpenJDK) starting 
> FreeIPA takes a painful 15 minutes (afterward, it all just works fine):
> 
> [root@rpi2 sysconfig]# time ipactl start
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting ipa-custodia Service
> Starting ntpd Service
> Starting pki-tomcatd Service
> Starting ipa-otpd Service
> Starting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
> 
> real    15m40.638s
> user    0m33.095s
> sys     0m1.910s
> 
> Now, after installing Oracle Java and changing JAVA_HOME in 
> /etc/sysconfig/pki-tomcat to:
> 
> #JAVA_HOME="/usr/lib/jvm/jre-1.8.0-openjdk"
> JAVA_HOME="/opt/jdk1.8.0_111/jre"
> 
> [root@rpi2 sysconfig]# time ipactl start
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting ipa-custodia Service
> Starting ntpd Service
> Starting pki-tomcatd Service
> Starting ipa-otpd Service
> Starting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
> 
> real    2m14.823s
> user    0m33.400s
> sys     0m1.730s
> 
> Wow, I expected some improvement, but this is far better than expected! This 
> leaves a question: what is happening here!!??

Huh? That is a really huge difference. Please open a bug against OpenJDK:
https://bugzilla.redhat.com/enter_bug.cgi

That way it will reach the OpenJDK developers. They will have a better idea than
the FreeIPA developers, I guess.

Please report the bug number to this forum so we can track it as well.

Thank you very much!
Petr^2 Spacek

> 
> I prefer to use OpenJDK, it's Open Source and because it's available from the 
> Fedora ARM repositories it is also much easier to update. But for now, Oracle 
> is much faster and OpenJDK from this point of view is a very poor alternative.
> Why is OpenJDK so much slower? Is improvement possible? For now (some 
> "tweaking") or in a future release?
> 
> For the record, I tested these Java versions:
> 
> [root@rpi2 sysconfig]# 
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-3.b16.fc25.arm/jre/bin/java -version
> openjdk version "1.8.0_111"
> OpenJDK Runtime Environment (build 1.8.0_111-b16)
> OpenJDK Zero VM (build 25.111-b16, interpreted mode)
> 
> [root@rpi2 sysconfig]# /opt/jdk1.8.0_111/jre/bin/java -version
> java version "1.8.0_111"
> Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
> Java HotSpot(TM) Client VM (build 25.111-b14, mixed mode)
> 
> 
> Kind regards,
> 
> Winfried
> 
> 
> 


-- 
Petr^2 Spacek



[Freeipa-users] Loss of initial master in multi master setup

2016-12-01 Thread Neal Harrington | i-Neda Ltd
Hi IPA Gurus,


I had a 3 site multi master IPA replication setup (1 office and 2 datacentres) 
with 2 IPA servers at each site. Each server was replicating successfully to 3 
other servers (the other local site server and one server at each of the two 
remote sites). Everything is running on the default packages from CentOS 7.2 
and each server is a full replica (ipa-replica-install 
/var/lib/ipa/replica-info-id-myserver.fqdn.com.gpg  --setup-ca --setup-dns 
--mkhomedir --forwarder 8.8.8.8)


Everything was ticking over nicely until we had notice that the office site was 
moving on short notice.


I successfully created IPA servers at the new site, set up replication again 
between the new office and the two datacentres that were to remain online, 
tested and everything worked as expected; unfortunately in the rush I did not 
have time to properly retire the IPA servers in the old office.


The problem this has caused is that I only ever created users in one of the IPA 
servers in the original office, so only those servers have a DNA range and I 
am now unable to create new users on the active servers. The original office 
servers are still in the IPA replication and powered on but offline, so 
potential split brain?


I now have two things I would like to know before proceeding:

  *   Is the best fix here to force remove the original IPA servers and 
manually add a new dna range significantly different from the original to avoid 
overlaps?
  *   Is there anything else I should check? I can't see any issues however did 
not notice the DNA range until I tried to create a user.

Any pointers greatly appreciated.


Thanks,

Neal.




Re: [Freeipa-users] Freeipa on ARM (raspberry pi) - OpenJDK vs. Oracle JDK

2016-12-01 Thread Winfried de Heiden

Hi all,

Bugzilla created:
https://bugzilla.redhat.com/show_bug.cgi?id=1400462

Winfried
  
On 01-12-16 at 09:19, Petr Spacek wrote:
> On 1.12.2016 09:07, Winfried de Heiden wrote:
>> Hi all,
>>
>> Started as "just because it's possible" running FreeIPA on a BananaPI or
>> Raspberry PI turned out to be rather successful and for more than a year I
>> use FreeIPA at home.
>>
>> OK, running on small boards like Raspberry PI it never will be fast but it's
>> surely quick enough to run at small scale. However, starting FreeIPA became much
>> slower since Fedora 24 and even more on Fedora 25.
>> Since Oracle Java is also available for ARM and there's much written this is
>> much faster I took some time for an experiment.
>>
>> Starting FreeIPA using the default installation (running OpenJDK) starting
>> FreeIPA takes a painful 15 minutes (afterward, it all just works fine):
>>
>> [root@rpi2 sysconfig]# time ipactl start
>> Starting Directory Service
>> Starting krb5kdc Service
>> Starting kadmin Service
>> Starting named Service
>> Starting ipa_memcached Service
>> Starting httpd Service
>> Starting ipa-custodia Service
>> Starting ntpd Service
>> Starting pki-tomcatd Service
>> Starting ipa-otpd Service
>> Starting ipa-dnskeysyncd Service
>> ipa: INFO: The ipactl command was successful
>>
>> real    15m40.638s
>> user    0m33.095s
>> sys     0m1.910s
>>
>> Now, after installing Oracle Java and changing JAVA_HOME in
>> /etc/sysconfig/pki-tomcat to:
>>
>> #JAVA_HOME="/usr/lib/jvm/jre-1.8.0-openjdk"
>> JAVA_HOME="/opt/jdk1.8.0_111/jre"
>>
>> [root@rpi2 sysconfig]# time ipactl start
>> Starting Directory Service
>> Starting krb5kdc Service
>> Starting kadmin Service
>> Starting named Service
>> Starting ipa_memcached Service
>> Starting httpd Service
>> Starting ipa-custodia Service
>> Starting ntpd Service
>> Starting pki-tomcatd Service
>> Starting ipa-otpd Service
>> Starting ipa-dnskeysyncd Service
>> ipa: INFO: The ipactl command was successful
>>
>> real    2m14.823s
>> user    0m33.400s
>> sys     0m1.730s
>>
>> Wow, I expected some improvement, but this is far better than expected! This leaves
>> a question: what is happening here!!??
>
> Huh? That is a really huge difference. Please open a bug against OpenJDK:
> https://bugzilla.redhat.com/enter_bug.cgi
>
> That way it will reach the OpenJDK developers. They will have a better idea than
> the FreeIPA developers, I guess.
>
> Please report the bug number to this forum so we can track it as well.
>
> Thank you very much!
> Petr^2 Spacek
>
>> I prefer to use OpenJDK, it's Open Source and because it's available from the
>> Fedora ARM repositories it is also much easier to update. But for now, Oracle
>> is much faster and OpenJDK from this point of view is a very poor alternative.
>> Why is OpenJDK so much slower? Is improvement possible? For now (some
>> "tweaking") or in a future release?
>>
>> For the record, I tested these Java versions:
>>
>> [root@rpi2 sysconfig]# /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-3.b16.fc25.arm/jre/bin/java -version
>> openjdk version "1.8.0_111"
>> OpenJDK Runtime Environment (build 1.8.0_111-b16)
>> OpenJDK Zero VM (build 25.111-b16, interpreted mode)
>>
>> [root@rpi2 sysconfig]# /opt/jdk1.8.0_111/jre/bin/java -version
>> java version "1.8.0_111"
>> Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
>> Java HotSpot(TM) Client VM (build 25.111-b14, mixed mode)
>>
>> Kind regards,
>>
>> Winfried



[Freeipa-users] ipa fails to start hangs on pki-tomcatd

2016-12-01 Thread Rob Verduijn
Hello,

For some reason my ipa server no longer boots.
It keeps trying to start pki-tomcat service.

Does anybody know where I should start looking to get this fixed ?

Rob Verduijn

ipactl -d start gives this output:
ipa: DEBUG: The CA status is: check interrupted due to error: Command
''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'' returned
non-zero exit status 8
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
'--no-check-certificate'
'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=8
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-12-01 11:06:12--
https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)... 172.16.1.13
Connecting to freeipa02.tjako.thuis
(freeipa02.tjako.thuis)|172.16.1.13|:8443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 500 Internal Server Error
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 2134
  Date: Thu, 01 Dec 2016 10:06:13 GMT
  Connection: close
2016-12-01 11:06:13 ERROR 500: Internal Server Error.

There are also some java warnings in the logs, but it's java and I can never
tell if it's a serious error when java gives a warning.
Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Dec  1 09:53:59 freeipa02 server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf'
did not find a matching property.
Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Dec  1 09:53:59 freeipa02 server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find
a matching property.
Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Dec  1 09:53:59 freeipa02 server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did
not find a matching property.
Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Dec  1 09:53:59 freeipa02 server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
property.
Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
org.apache.tomcat.util.digester.SetPropertiesRule begin
Dec  1 09:53:59 freeipa02 server: WARNING:
[SetPropertiesRule]{Server/Service/Engine/Host} Setting property
'xmlValidation' to 'false' did not find a matching property.
Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
org.apache.tomcat.util.digester.SetPropertiesRule begin
Dec  1 09:53:59 freeipa02 server: WARNING:
[SetPropertiesRule]{Server/Service/Engine/Host} Setting property
'xmlNamespaceAware' to 'false' did not find a matching property.


I'm running CentOS 7.2 x86_64 with the latest patches applied.
Some package versions below:
rpm -qa|egrep "ipa|tomcat"|sort
ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
libipa_hbac-1.13.0-40.el7_2.12.x86_64
python-iniparse-0.4-9.el7.noarch
python-libipa_hbac-1.13.0-40.el7_2.12.x86_64
sssd-ipa-1.13.0-40.el7_2.12.x86_64
tomcat-7.0.54-8.el7_2.noarch
tomcat-el-2.2-api-7.0.54-8.el7_2.noarch
tomcat-jsp-2.2-api-7.0.54-8.el7_2.noarch
tomcatjss-7.1.2-1.el7.noarch
tomcat-lib-7.0.54-8.el7_2.noarch
tomcat-servlet-3.0-api-7.0.54-8.el7_2.noarch

Re: [Freeipa-users] Loss of initial master in multi master setup

2016-12-01 Thread Martin Babinsky

On 12/01/2016 01:28 PM, Neal Harrington | i-Neda Ltd wrote:
> Hi IPA Gurus,
>
> I had a 3 site multi master IPA replication setup (1 office and 2
> datacentres) with 2 IPA servers at each site. Each server was
> replicating successfully to 3 other servers (the other local site server
> and one server at each of the two remote sites). Everything is running
> on the default packages from CentOS 7.2 and each server is a full
> replica (ipa-replica-install
> /var/lib/ipa/replica-info-id-myserver.fqdn.com.gpg  --setup-ca
> --setup-dns --mkhomedir --forwarder 8.8.8.8)
>
> Everything was ticking over nicely until we had notice that the
> office site was moving on short notice.
>
> I successfully created IPA servers at the new site, set up replication
> again between the new office and the two datacentres that were to remain
> online, tested and everything worked as expected; unfortunately in the
> rush I did not have time to properly retire the IPA servers in the old
> office.
>
> The problem this has caused is that I only ever created users in one of
> the IPA servers in the original office, so only those servers have a
> DNA range and I am now unable to create new users on the active servers.
> The original office servers are still in the IPA replication and powered
> on but offline, so potential split brain?
>
> I now have two things I would like to know before proceeding:
>
>   * Is the best fix here to force remove the original IPA servers and
>     manually add a new dna range significantly different from the
>     original to avoid overlaps?
>   * Is there anything else I should check? I can't see any issues
>     however did not notice the DNA range until I tried to create a user.
>
> Any pointers greatly appreciated.
>
> Thanks,
>
> Neal.
>
Hi Neal,

If you already disconnected/decommissioned the old masters then I think 
the best you can do is option a, i.e. re-set DNA ranges on replicas to 
new values while avoiding overlap with old ranges.

We have an upstream document[1] describing the procedure. Hope it helps.

Also make sure that you migrated CA renewal and CRL master 
responsibilities to the new replicas, otherwise you may get problems 
with expiring certificates which are really hard to solve. See the 
following guide for details. [2]


[1] http://www.freeipa.org/page/V3/Recover_DNA_Ranges
[2] http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

--
Martin^3 Babinsky
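Neal's ldapsearch of the DNA shared configuration (which showed 9 dnaRemainingValues on office03 and 0 everywhere else) and Martin's option (a) together suggest a check worth scripting: which masters still have IDs left, and a new range that cannot collide with whatever the unreachable old masters still hold. The following is an added example, not FreeIPA project code. The LDIF is constructed to resemble the output of the search over cn=posix-ids,cn=dna,cn=ipa,cn=etc,<suffix> quoted earlier in the thread (attribute names are those of the 389-ds DNA plugin's shared config; hostnames and values are invented), and the existing ranges passed to `propose_range` are likewise made up.

```python
"""Read DNA shared config and propose a fresh, non-overlapping DNA range.

Added example, not FreeIPA project code.  SAMPLE_LDIF is constructed to
look like an ldapsearch over cn=posix-ids,cn=dna,cn=ipa,cn=etc,<suffix>:
one dnaSharedConfig entry per master, with the 389-ds DNA plugin attribute
names; hostnames and numbers are invented.
"""
from typing import Dict, List, Tuple

# Constructed sample; the first dn is folded the way ldapsearch wraps long lines.
SAMPLE_LDIF = """\
dn: dnaHostname=office03.fqdn.com+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ipa,cn
 =etc,dc=example,dc=com
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: office03.fqdn.com
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemainingValues: 9

dn: dnaHostname=dc1-ipa01.fqdn.com+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ipa,cn
 =etc,dc=example,dc=com
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: dc1-ipa01.fqdn.com
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemainingValues: 0

dn: dnaHostname=dc2-ipa01.fqdn.com+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ipa,cn
 =etc,dc=example,dc=com
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: dc2-ipa01.fqdn.com
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemainingValues: 0
"""

Entry = Dict[str, List[str]]
Range = Tuple[int, int]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfold continuation lines (leading space) and
    split entries on blank lines.  Base64 (`::`) values are not decoded."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def remaining_values(ldif: str) -> Dict[str, int]:
    """dnaHostname -> dnaRemainingValues for every master in the shared config."""
    out: Dict[str, int] = {}
    for e in parse_ldif(ldif):
        if "dnaHostname" in e and "dnaRemainingValues" in e:
            out[e["dnaHostname"][0]] = int(e["dnaRemainingValues"][0])
    return out


def masters_without_ids(ldif: str) -> List[str]:
    """Masters that cannot allocate a single new UID/GID (the symptom in the thread)."""
    return sorted(h for h, n in remaining_values(ldif).items() if n == 0)


def overlaps(a: Range, b: Range) -> bool:
    """Inclusive ranges share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def propose_range(existing: List[Range], size: int, gap: int = 100_000) -> Range:
    """Pick `size` IDs above every known range, leaving `gap` spare IDs so an
    unreachable old master that keeps handing out the tail of its range
    cannot collide with the new one.  The overlap guard cannot trip by
    construction; it is kept so a later edit to the arithmetic is caught."""
    if size <= 0 or not existing:
        raise ValueError("need a positive size and at least one known range")
    start = max(end for _, end in existing) + gap + 1
    candidate = (start, start + size - 1)
    if any(overlaps(candidate, r) for r in existing):
        raise RuntimeError("proposed range overlaps an existing one")
    return candidate


if __name__ == "__main__":
    print("remaining values:", remaining_values(SAMPLE_LDIF))
    print("masters with no IDs left:", masters_without_ids(SAMPLE_LDIF))
    # Constructed: ranges the old office masters were known to hold.
    old = [(1_610_000_001, 1_610_199_999), (1_610_200_000, 1_610_399_999)]
    print("new range for a replica: %d-%d" % propose_range(old, 200_000))
```

On a real deployment the remaining values come from the same ldapsearch Neal ran, and the ranges to feed `propose_range` from `ipa-replica-manage dnarange-show` on each reachable master; the `gap` argument is the "significantly different" margin Neal asks about. The code does not check that the new range lies inside the domain's ID range (`ipa idrange-find`), which remains the admin's job.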
