Re: [Freeipa-users] FreeIPA sudo not working on Ubuntu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-05 Thread Lukas Slebodnik
On (05/01/17 15:38), Jakub Hrozek wrote:
>On Thu, Jan 05, 2017 at 01:36:56PM +, James Harrison wrote:
>> Hi all, I am having problems with a FreeIPA client running Ubuntu Xenial.
>> I can authenticate OK, I get a kerberos ticket, but cannot run sudo.
>> I get 1 rule returned, which I expect.
>> Many thanks,James Harrison
>
>I would check (with the help of ldbsearch against the sssd cache or
>with the help of the sudo logs) whether the rule is really the one you are
>expecting or if it's just the cn=defaults rule.
>
>If it's just cn=defaults, then I would check if the rules are downloaded
>(sssd always downloads all rules applicable for the host IIRC) or if
>they just don't match the filter that you can see in the debug message
>from sudosrv_get_sudorules_query_cache. Keep in mind that this is a
>filter that applies for the sssd cache, not LDAP.
>
>And lastly, if the rules are downloaded as expected, the sudo rules
>would tell you why the rule didn't match.
>
>All in all, this document:
>https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>describes how to troubleshoot the sudo integration.
>
Or you might check older thread
https://www.redhat.com/archives/freeipa-users/2016-August/msg00489.html

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA + /etc/named.conf

2017-01-05 Thread Martin Basti



On 05.01.2017 20:03, TomK wrote:

> Hey All,
>
> QQ.
>
> Should the DNS forwarders be updated in /etc/named.conf?  Until I
> manually change /etc/named.conf, I can't ping the windows AD cluster:
> mds.xyz.  Nor can I get dig to resolve the SRV records (dig SRV
> _ldap._tcp.mds.xyz).
>
> sssd-ipa-1.14.0-43.el7_3.4.x86_64
> ipa-client-4.4.0-14.el7.centos.x86_64
>
> IPA command below indicates that it's set to 'first' but that's not
> what's in /etc/named.conf file when I check.  Again, it works if I
> change /etc/named.conf manually.




Forwarder settings have priority:

named.conf < global forwarders (ipa dnsconfig-mod) < local dns server
config (ipa dnsserver-*) < forwardzones (applied per query, not as a
global forwarder)

so what is in named.conf is usually overwritten.

How did you edit the named.conf?

Does dig @192.168.0.224 SRV _ldap._tcp.mds.xyz. work?
Do you have any errors in journalctl -u named-pkcs11?

Martin

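The precedence Martin lists is easy to get wrong when named.conf is the only place one looks. The following is an added illustration, not FreeIPA code: it parses the `ipa dnsforwardzone-find` output shape shown in this thread (constructed sample) and models which layer answers for a given query name. The `(policy, [forwarders])` tuples for the named.conf, `ipa dnsconfig` and `ipa dnsserver` layers are an assumed representation; the matching rule (an active forward zone that is the query name or one of its parents beats every global layer) is what the message states.

```python
"""Model of effective forwarder selection (added illustration, not FreeIPA
code). Precedence, lowest to highest:
named.conf < global (ipa dnsconfig-mod) < per-server (ipa dnsserver-*)
< forward zones, which are matched per query name."""
import re

# Constructed sample in the shape 'ipa dnsforwardzone-find' prints.
SAMPLE_FORWARDZONE_FIND = """\
  Zone name: mds.xyz.
  Active zone: TRUE
  Zone forwarders: 192.168.0.224
  Forward policy: first
----------------------------
Number of entries returned 1
----------------------------
"""


def parse_forwardzone_find(text):
    """Turn 'ipa dnsforwardzone-find' output into a list of zone dicts."""
    zones, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\s*(.*)$", line)
        if not m:
            continue  # separators and the entry count carry no zone data
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Zone name":
            current = {"name": value.lower().rstrip(".") + ".",
                       "forwarders": [], "policy": "first", "active": True}
            zones.append(current)
        elif current is None:
            continue
        elif key == "Zone forwarders":
            current["forwarders"] = [f.strip() for f in value.split(",") if f.strip()]
        elif key == "Forward policy":
            current["policy"] = value.lower()
        elif key == "Active zone":
            current["active"] = value.upper() == "TRUE"
    return zones


def effective_forwarders(qname, forward_zones, server_layer=None,
                         global_layer=None, named_conf_layer=None):
    """Return (source, policy, forwarders) that applies to a query name.

    Each *_layer is None or an assumed (policy, [forwarders]) tuple. The
    longest active forward zone covering qname wins; otherwise the highest
    configured global layer applies, named.conf being the last resort."""
    name = qname.lower().rstrip(".") + "."
    best = None
    for zone in forward_zones:
        if not zone["active"]:
            continue
        zname = zone["name"]
        if name == zname or name.endswith("." + zname):
            if best is None or len(zname) > len(best["name"]):
                best = zone
    if best is not None:
        return ("forwardzone " + best["name"], best["policy"], list(best["forwarders"]))
    for source, layer in (("dnsserver", server_layer),
                          ("dnsconfig", global_layer),
                          ("named.conf", named_conf_layer)):
        if layer and layer[1]:
            return (source, layer[0], list(layer[1]))
    return ("none", None, [])


if __name__ == "__main__":
    zones = parse_forwardzone_find(SAMPLE_FORWARDZONE_FIND)
    # The AD SRV lookup from the thread is answered by the forward zone,
    # whatever 'forward only;' in named.conf says.
    print(effective_forwarders("_ldap._tcp.mds.xyz", zones,
                               named_conf_layer=("only", ["10.0.0.53"])))
    # A name outside any forward zone falls through to the global layer.
    print(effective_forwarders("example.org", zones,
                               global_layer=("first", ["10.0.0.2"]),
                               named_conf_layer=("only", ["10.0.0.53"])))
```

Run it against the real outputs of `ipa dnsforwardzone-find`, `ipa dnsconfig-show` and `ipa dnsserver-show` on the server in question to see which layer actually answers a name, rather than editing named.conf and restarting.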


[Freeipa-users] FreeIPA + /etc/named.conf

2017-01-05 Thread TomK

Hey All,

QQ.

Should the DNS forwarders be updated in /etc/named.conf?  Until I 
manually change /etc/named.conf, I can't ping the windows AD cluster: 
mds.xyz.  Nor can I get dig to resolve the SRV records (dig SRV 
_ldap._tcp.mds.xyz).


sssd-ipa-1.14.0-43.el7_3.4.x86_64
ipa-client-4.4.0-14.el7.centos.x86_64

IPA command below indicates that it's set to 'first' but that's not 
what's in /etc/named.conf file when I check.  Again, it works if I 
change /etc/named.conf manually.


--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.



[root@idmipa02 network-scripts]# ipa dnsforwardzone-find mds.xyz
  Zone name: mds.xyz.
  Active zone: TRUE
  Zone forwarders: 192.168.0.224
  Forward policy: first

Number of entries returned 1

[root@idmipa02 network-scripts]# grep -i forward /etc/named.conf
forward only;
forwarders {
[root@idmipa02 network-scripts]# vi /etc/named.conf
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]# ping mds.xyz
PING mds.xyz (192.168.0.224) 56(84) bytes of data.
64 bytes from 192.168.0.224: icmp_seq=1 ttl=128 time=0.515 ms
64 bytes from 192.168.0.224: icmp_seq=2 ttl=128 time=0.447 ms
^C
--- mds.xyz ping statistics ---
2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 
1000ms

rtt min/avg/max/mdev = 0.447/83.695/333.339/144.132 ms
[root@idmipa02 network-scripts]# grep -i forward /etc/named.conf
forward first;
forwarders {
[root@idmipa02 network-scripts]# dig SRV _ldap._tcp.mds.xyz

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> SRV _ldap._tcp.mds.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5407
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.mds.xyz.IN  SRV

;; ANSWER SECTION:
_ldap._tcp.mds.xyz. 600 IN  SRV 0 100 389 winad01.mds.xyz.
_ldap._tcp.mds.xyz. 600 IN  SRV 0 100 389 winad02.mds.xyz.

;; AUTHORITY SECTION:
xyz.10876   IN  NS  generationxyz.nic.xyz.
xyz.10876   IN  NS  z.nic.xyz.
xyz.10876   IN  NS  y.nic.xyz.
xyz.10876   IN  NS  x.nic.xyz.

;; ADDITIONAL SECTION:
winad02.mds.xyz.497 IN  A   192.168.0.221
winad02.mds.xyz.497 IN  A   192.168.0.223
winad01.mds.xyz.2902IN  A   192.168.0.224
winad01.mds.xyz.2902IN  A   192.168.0.220
winad01.mds.xyz.2902IN  A   192.168.0.222

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 05 13:55:51 EST 2017
;; MSG SIZE  rcvd: 277

[root@idmipa02 network-scripts]#



Re: [Freeipa-users] DNS service fails to start on replica master

2017-01-05 Thread Jeff Goddard
I re-read and walked through the troubleshooting steps. I have a mismatch
in Key Version Numbers in the keytab file:


Trying to renew the keytab file results in this error:

Failed to parse result: PrincipalName not found.

Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: PrincipalName not found.

Failed to get keytab!
Failed to get keytab

Using simple authentication does work but I would prefer to find a solution
to the Kerberos problem. Do you have any further suggestions?

Thanks,

Jeff






On Thu, Jan 5, 2017 at 11:50 AM, Tomas Krizek  wrote:

> On 01/05/2017 04:11 PM, Jeff Goddard wrote:
>
> I'm starting a new thread rather than continuing to submit under:
> https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html.
>
> My problem is that I cannot get the DNS service to start on one of my
> replica masters. From the previous message thread:
>
> Hello,
>
> could you check this link
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed
>
> kinit prints nothing when it works, so it works in your case, can you
> after kinit as DNS service try to use ldapsearch -Y GSSAPI ?
>
> Martin
>
> Reading the article and following the steps I get this as a result of:
>
> ipa privilege-show 'DNS Servers' --all --raw
>
>   dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   cn: DNS Servers
>   description: DNS Servers
>   member: krbprincipalname=DNS/id-management-1.internal.emerlyn.
> c...@internal.emerlyn.com,cn=services,cn=accounts,dc=
> internal,dc=emerlyn,dc=com
>   member: krbprincipalname=ipa-dnskeysyncd/id-management-1.
> internal.emerlyn@internal.emerlyn.com,cn=services,cn=
> accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=DNS/idmfs-01.internal.emerlyn.com@INTERNAL.
> EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=ipa-dnskeysyncd/idmfs-01.internal.
> emerlyn@internal.emerlyn.com,cn=services,cn=accounts,
> dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=ipa-dnskeysyncd/id-management-2.
> internal.emerlyn@internal.emerlyn.com,cn=services,cn=
> accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=DNS/id-management-2.internal.emerlyn.
> c...@internal.emerlyn.com+nsuniqueid=be8eda7e-fcd311e5-
> 859e9ada-0ab343c0,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=DNS/id-management-2.internal.emerlyn.
> c...@internal.emerlyn.com,cn=services,cn=accounts,dc=
> internal,dc=emerlyn,dc=com
>   memberof: cn=System: Read DNS Configuration,cn=permissions,
> cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Write DNS Configuration,cn=permissions,
> cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Add DNS Entries,cn=permissions,cn=
> pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,
> dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=
> pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Read DNS Entries,cn=permissions,cn=
> pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Remove DNS Entries,cn=permissions,cn=
> pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Update DNS Entries,cn=permissions,cn=
> pbac,dc=internal,dc=emerlyn,dc=com
>   objectClass: top
>   objectClass: groupofnames
>   objectClass: nestedgroup
>
> From the previous thread's logs, it seems there is an issue when
> bind-dyndb-ldap attempts to connect to the LDAP server. The link Martin
> posted has some good advice on how to troubleshoot this.
>
> I don't understand whether you went through the steps and identified any
> issue.
>
> Does your setup use simple authentication or Kerberos?
> When you try to manually set named.conf to use the other option, does it
> work?
> Are you able to authenticate to LDAP using these methods in commands like
> ldapsearch?
>
> Jeff
>
>
>
> --
> Tomas Krizek
>
>


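Jeff's diagnosis is a key version number (KVNO) mismatch between the service keytab and the KDC. A quick way to see that for every principal at once is to compare `klist -kt <keytab>` with `kvno <principal>`. The script below is an added illustration, not FreeIPA tooling: both inputs are constructed samples in the shape those two MIT Kerberos commands print, and the keytab path `/etc/named.keytab` is only an assumption for the sample header.

```python
"""Compare KVNOs in a keytab with the KVNOs the KDC currently issues.
Added illustration, not FreeIPA code. Samples are constructed in the
shape of 'klist -kt' and 'kvno' output."""
import re

# Constructed: what 'klist -kt /etc/named.keytab' might print (path assumed).
SAMPLE_KLIST_KT = """\
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/05/2017 10:02:11 DNS/replica.example.test@EXAMPLE.TEST
   3 01/05/2017 10:02:11 DNS/replica.example.test@EXAMPLE.TEST
   5 01/05/2017 10:02:11 host/replica.example.test@EXAMPLE.TEST
"""

# Constructed: what 'kvno DNS/... host/...' might print after a kinit.
SAMPLE_KVNO = """\
DNS/replica.example.test@EXAMPLE.TEST: kvno = 4
host/replica.example.test@EXAMPLE.TEST: kvno = 5
"""

KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s*$")
KVNO_LINE = re.compile(r"^(\S+@\S+): kvno = (\d+)\s*$")


def parse_klist_keytab(text):
    """Map principal -> set of KVNOs present in the keytab (one line per key)."""
    kvnos = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            kvnos.setdefault(m.group(2), set()).add(int(m.group(1)))
    return kvnos


def parse_kvno_output(text):
    """Map principal -> KVNO the KDC put in the ticket it just issued."""
    current = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            current[m.group(1)] = int(m.group(2))
    return current


def find_kvno_mismatches(keytab_kvnos, kdc_kvnos):
    """Principals whose KDC KVNO is absent from the keytab.

    Returns principal -> (sorted KVNOs in keytab, KVNO at KDC). A principal
    with no keytab entry at all is reported with an empty list."""
    mismatches = {}
    for principal, kdc_kvno in kdc_kvnos.items():
        present = keytab_kvnos.get(principal, set())
        if kdc_kvno not in present:
            mismatches[principal] = (sorted(present), kdc_kvno)
    return mismatches


if __name__ == "__main__":
    bad = find_kvno_mismatches(parse_klist_keytab(SAMPLE_KLIST_KT),
                               parse_kvno_output(SAMPLE_KVNO))
    for principal, (have, want) in bad.items():
        print("%s: keytab has KVNO %s, KDC issues %d" % (principal, have, want))
```

A service whose keytab lags the KDC (KVNO 3 on disk, 4 at the KDC in the sample) cannot decrypt tickets issued for it, which is the situation that forces a fresh `ipa-getkeytab` fetch rather than a configuration change.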

Re: [Freeipa-users] Assistance with Samba share intergration with IPA

2017-01-05 Thread Loris Santamaria
Hello, replied inline below

On Wed, 28-12-2016 at 18:15 -0500, William Muriithi wrote:
> Hello
> 
> I am trying to setup a samba share - actually replace winbind on a
> current samba server and I am basing my change on these instructions.
> 
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
> 
> The IPA server is version ipa-server-4.4.0-14.el7 and I have trust
> established between AD and IPA.  Samba server is on RHEL 6.8
> 
> Ideally, I would prefer to leave samba on RHEL 6 and it looks like
> RHEL 6 is currently using sssd-1.13.3-22.el6_8.4.x86_64.  According to
> the above link, you need sssd v1.12.2 and above. Would the version on
> RHEL 6 above be bundling sssd-libwbclient by any chance?  If not, is it
> possible to install sssd-libwbclient on RHEL 6?

You could try installing sssd-1.14 from a COPR repo, like
https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-14/

> Also, on smb.conf, it's a bit ambiguous which REALM needs to be used.
> Does one need to use the IPA REALM or the active directory REALM on these two
> lines below?
> 
> workgroup = MY
> realm = MY.REALM

The samba fileserver will be a member of the ipa domain, so you should
use freeipa's kerberos realm in the 'realm' parameter in smb.conf. As
for the 'workgroup' parameter, you can find the appropriate value in
the 'NetBios Name' parameter from the 'ipa trustconfig-show' command
output.

> Lastly, when I followed the above article to setup samba, I got the
> following errors when I attempted to connect to samba from Windows.
> What would be potential places to go check for misconfiguration?
> 
> Dec 28 17:49:41 manganese smbd[30221]: [2016/12/28 17:49:41.503322,
> 0] libads/kerberos_verify.c:75(ads_dedicated_keytab_verify_ticket)
> Dec 28 17:49:41 manganese smbd[30221]:   krb5_rd_req failed (Wrong
> principal in request)
> Dec 28 17:49:41 manganese smbd[30221]: [2016/12/28 17:49:41.507090,
> 0] libads/kerberos_verify.c:75(ads_dedicated_keytab_verify_ticket)
> Dec 28 17:49:41 manganese smbd[30221]:   krb5_rd_req failed (Wrong
> principal in request)

Check that you're using the proper realm and workgroup in smb.conf,
that the principal used by samba is cifs/@

Best regards

-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford



Re: [Freeipa-users] DNS service fails to start on replica master

2017-01-05 Thread Tomas Krizek
On 01/05/2017 04:11 PM, Jeff Goddard wrote:
> I'm starting a new thread rather than continuing to submit under:
> https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html.
>
> My problem is that I cannot get the DNS service to start on one of my
> replica masters. From the previous message thread:
>
> Hello,
>
> could you check this link
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed
> 
>
> kinit prints nothing when it works, so it works in your case, can you
> after kinit as DNS service try to use ldapsearch -Y GSSAPI ?
>
> Martin
>
> Reading the article and following the steps I get this as a result of:
>
> ipa privilege-show 'DNS Servers' --all --raw
>
>   dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   cn: DNS Servers
>   description: DNS Servers
>   member:
> krbprincipalname=DNS/id-management-1.internal.emerlyn@internal.emerlyn.com
> ,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member:
> krbprincipalname=ipa-dnskeysyncd/id-management-1.internal.emerlyn@internal.emerlyn.com
> ,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member:
> krbprincipalname=DNS/idmfs-01.internal.emerlyn@internal.emerlyn.com
> ,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member:
> krbprincipalname=ipa-dnskeysyncd/idmfs-01.internal.emerlyn@internal.emerlyn.com
> ,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member:
> krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn@internal.emerlyn.com
> ,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member:
> krbprincipalname=DNS/id-management-2.internal.emerlyn@internal.emerlyn.com
> +nsuniqueid=be8eda7e-fcd311e5-859e9ada-0ab343c0,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member:
> krbprincipalname=DNS/id-management-2.internal.emerlyn@internal.emerlyn.com
> ,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Read DNS
> Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Write DNS
> Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Add DNS
> Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Manage DNSSEC
> keys,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Manage DNSSEC
> metadata,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Read DNS
> Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Remove DNS
> Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Update DNS
> Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   objectClass: top
>   objectClass: groupofnames
>   objectClass: nestedgroup
>
From the previous thread's logs, it seems there is an issue when
bind-dyndb-ldap attempts to connect to the LDAP server. The link Martin
posted has some good advice on how to troubleshoot this.

I don't understand whether you went through the steps and identified any
issue.

Does your setup use simple authentication or Kerberos?
When you try to manually set named.conf to use the other option, does it
work?
Are you able to authenticate to LDAP using these methods in commands
like ldapsearch?
>
> Jeff
>
>
>

-- 
Tomas Krizek


Re: [Freeipa-users] Replica issue / Certificate Authority

2017-01-05 Thread Yohan JAROSZ
Hi

@Fraser,
tried the commands and certificates matched in both cases.


@everyone
I tried to look a little bit in the code, and the only references I saw are in
https://github.com/freeipa/freeipa/blob/master/install/certmonger/dogtag-ipa-ca-renew-agent-submit
 (4 references)
And the only one that could fit is this one:
https://github.com/freeipa/freeipa/blob/master/install/certmonger/dogtag-ipa-ca-renew-agent-submit#L142
as our cookie seems to be empty (ca-error: Invalid cookie: '')
and this is the only condition of the 4 that only tests for None; the
other 3 are testing for None, empty strings, … and it should be false.

meaning that somehow the cookie is set somewhere but with no value?

Anyway, do you think it can impact our setup?
Instead of trying to resolve the issue, we could also delete this replica and 
replicate a new one instead?

What do you think?



Yohan
Doing the following up for Christophe.



On 05 Jan 2017, at 07:33, Fraser Tweedale wrote:

On Wed, Jan 04, 2017 at 01:19:19PM +, Christophe TREFOIS wrote:
Hi Florence,

I did what you said, and then the status went to CA_WORKING. Then I restarted ipa 
and certmonger and the status went to CA_UNREACHABLE.
Then I did “resubmit” again and now the status is back to MONITORING, but the 
cookie error is back.

Any advice?

I have encountered the cookie error before. IIRC it was caused by
authn certs in Dogtag user entries not matching the client certs
used.

Check the following entries:

1. ``ldapsearch -LLL -D cn=directory\ manager -w4me2Test \
  -b uid=pkidbuser,ou=people,o=ipaca userCertificate``

  should match

  ``certutil -d /etc/pki/pki-tomcat/alias -L -n "subsystemCert cert-pki-ca"``

2. ``ldapsearch -LLL -D cn=directory\ manager -w4me2Test \
  -b uid=ipara,ou=people,o=ipaca userCertificate``

  should match

  ``certutil -d /etc/httpd/alias -L -n "ipaCert"``

If either of these do not match, update LDAP with what is in the
certificate databases (a.k.a. NSSDBs).  Ensure all certs are
non-expired, etc.

HTH,
Fraser


[root@lums3 ~]# getcert list -n ipaCert
Number of certificates and requests being tracked: 8.
Request ID '20161216025136':
status: MONITORING
ca-error: Invalid cookie: ''
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=UNI.LU
subject: CN=IPA RA,O=UNI.LU
expires: 2018-12-16 03:13:48 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes

--

Dr Christophe Trefois, Dipl.-Ing.
Technical Specialist / Post-Doc

UNIVERSITÉ DU LUXEMBOURG

LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | House of Biomedicine
6, avenue du Swing
L-4367 Belvaux
T: +352 46 66 44 6124
F: +352 46 66 44 6949
http://www.uni.lu/lcsb

This message is confidential and may contain privileged information.
It is intended for the named recipient only.
If you receive it in error please notify me and permanently delete the original 
message and any copies.




On 4 Jan 2017, at 13:49, Florence Blanc-Renaud wrote:

getcert resubmit -i 

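Fraser's check is a byte-for-byte comparison of the certificate LDAP holds in `userCertificate` against the one in the NSS database, and doing it by eye on two base64 dumps is error-prone. The script below is an added illustration, not FreeIPA code: it unfolds the LDIF that `ldapsearch -LLL` prints, decodes every `userCertificate` value, decodes the PEM that `certutil -L -a` prints, and compares SHA-256 fingerprints. The two "certificate" blobs are constructed placeholders rather than real X.509 data; since the comparison is byte-exact, nothing needs to be parsed, so the same code works unchanged on real output.

```python
"""Does the userCertificate in LDAP match the certificate in the NSSDB?
Added illustration, not FreeIPA code. Inputs are the text forms of
'ldapsearch -LLL ... userCertificate' (LDIF) and 'certutil -L -n NICK -a'
(PEM). The DER blobs below are constructed placeholders, not certificates."""
import base64
import hashlib
import re

# Constructed placeholder blobs standing in for DER certificates.
NSSDB_DER = b"\x30\x82\x00\x2a" + b"placeholder certificate body for the ipaCert example"
OTHER_DER = b"\x30\x82\x00\x2a" + b"a different placeholder body, e.g. a stale copy"


def der_to_pem(der):
    """Render DER the way 'certutil -L -a' prints it (PEM, 64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def der_to_ldif_entry(dn, der):
    """Render an LDIF entry with a base64 ('::') userCertificate value, folded
    at 76 columns with a leading space on continuation lines as ldapsearch does."""
    line = "userCertificate;binary:: " + base64.b64encode(der).decode("ascii")
    folded = [line[:76]] + [" " + line[i:i + 75] for i in range(76, len(line), 75)]
    return "dn: " + dn + "\n" + "\n".join(folded) + "\n"


def ldif_certificates(text):
    """Unfold LDIF continuation lines and decode every userCertificate value."""
    unfolded = re.sub(r"\n ", "", text)
    certs = []
    for line in unfolded.splitlines():
        m = re.match(r"userCertificate(?:;binary)?:: (\S+)", line)
        if m:
            certs.append(base64.b64decode(m.group(1)))
    return certs


def pem_to_der(text):
    """Extract the first PEM certificate block and decode it to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der):
    """SHA-256 fingerprint of the DER bytes, as a hex string."""
    return hashlib.sha256(der).hexdigest()


def ldap_matches_nssdb(ldif_text, pem_text):
    """True if the NSSDB certificate is among the userCertificate values in LDAP.

    An entry may legitimately carry several certificates (e.g. after a renewal),
    so the check is membership, not equality of a single value."""
    nss_fp = fingerprint(pem_to_der(pem_text))
    return any(fingerprint(c) == nss_fp for c in ldif_certificates(ldif_text))


if __name__ == "__main__":
    ldif = der_to_ldif_entry("uid=ipara,ou=people,o=ipaca", NSSDB_DER)
    print("match:", ldap_matches_nssdb(ldif, der_to_pem(NSSDB_DER)))
    stale = der_to_ldif_entry("uid=ipara,ou=people,o=ipaca", OTHER_DER)
    print("match:", ldap_matches_nssdb(stale, der_to_pem(NSSDB_DER)))
```

In practice, feed `ldif_certificates` the output of the `ldapsearch` lines Fraser gives and `pem_to_der` the output of the corresponding `certutil` command with `-a` added; a `False` result for `uid=ipara` or `uid=pkidbuser` is the mismatch his message describes.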

[Freeipa-users] DNS service fails to start on replica master

2017-01-05 Thread Jeff Goddard
I'm starting a new thread rather than continuing to submit under:
https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html.

My problem is that I cannot get the DNS service to start on one of my
replica masters. From the previous message thread:

Hello,

could you check this link
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed

kinit prints nothing when it works, so it works in your case, can you after
kinit as DNS service try to use ldapsearch -Y GSSAPI ?


Martin

Reading the article and following the steps I get this as a result of:

ipa privilege-show 'DNS Servers' --all --raw

  dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=internal,dc=emerlyn,dc=com
  cn: DNS Servers
  description: DNS Servers
  member: krbprincipalname=DNS/
id-management-1.internal.emerlyn@internal.emerlyn.com
,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=ipa-dnskeysyncd/
id-management-1.internal.emerlyn@internal.emerlyn.com
,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=DNS/
idmfs-01.internal.emerlyn@internal.emerlyn.com
,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=ipa-dnskeysyncd/
idmfs-01.internal.emerlyn@internal.emerlyn.com
,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=ipa-dnskeysyncd/
id-management-2.internal.emerlyn@internal.emerlyn.com
,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=DNS/
id-management-2.internal.emerlyn@internal.emerlyn.com
+nsuniqueid=be8eda7e-fcd311e5-859e9ada-0ab343c0,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=DNS/
id-management-2.internal.emerlyn@internal.emerlyn.com
,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Read DNS
Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Write DNS
Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Add DNS
Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Manage DNSSEC
keys,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Manage DNSSEC
metadata,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Read DNS
Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Remove DNS
Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Update DNS
Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  objectClass: top
  objectClass: groupofnames
  objectClass: nestedgroup


Jeff

Re: [Freeipa-users] IPA to IPA migration

2017-01-05 Thread Rob Crittenden
Timothy Geier wrote:
> This is something I’ve looked at lately and a manual proof of concept I
> just did (using ideas from
> https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA)
> makes it seem theoretically possible (though it looks like, barring the
> migration of the kerberos master key, all enrolled hosts would need to
> use ipa-getkeytab to get a replacement keytab from the new server and
> copy it to /etc/krb5.keytab so that sssd will work properly..the
> alternative is re-enrollment.  All other keytabs in use by other
> applications would have to be similarly replaced).  

Why migrate at all?

> Is https://fedorahosted.org/freeipa/ticket/3656 something that’s coming
> sooner or later to a future version of FreeIPA?  Has anyone done a
> manual migration on a moderate-to-large setup?

Based on where it sits now later seems more probable. I've always seen
this as a way to avert catastrophe, like your only CA just died, not as
a way to move between versions. So it depends on what your use case is,
and if it's a good one, that could affect the timing of the work.

rob



Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Jeff Goddard
I guess my issue is totally different then, as the files I have contain the
correct values. I'll resubmit a new email with the correct subject line so
as to start fresh.

Thanks,

Jeff

On Thu, Jan 5, 2017 at 7:22 AM, Brian J. Murrell 
wrote:

> On Wed, 2017-01-04 at 16:21 -0500, Jeff Goddard wrote:
> > I don't want to hijack someone else's thread but I'm having what
> > appears to
> > be the same problem and have not seen a solution presented yet.
>
> The problem and solution were presented.  These two messages basically
> embody the problem I had:
>
> https://www.redhat.com/archives/freeipa-users/2016-December/msg00310.html
> https://www.redhat.com/archives/freeipa-users/2016-December/msg00397.html
>
> Cheers,
> b.
>
>




Re: [Freeipa-users] Fwd: ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Jeff Goddard
I cannot. I get:

ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)


On Thu, Jan 5, 2017 at 9:08 AM, Martin Basti  wrote:

> Hello,
>
> could you check this link
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed
>
> kinit prints nothing when it works, so it works in your case, can you
> after kinit as DNS service try to use ldapsearch -Y GSSAPI ?
>
>
> Martin
>
>
>
> On 05.01.2017 14:58, Jeff Goddard wrote:
>
>
> -- Forwarded message --
> From: Jeff Goddard 
> Date: Thu, Jan 5, 2017 at 8:57 AM
> Subject: Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP
> server failed: {'desc': 'Invalid credentials'}
> To: Martin Basti 
>
>
>
>
> On Thu, Jan 5, 2017 at 3:43 AM, Martin Basti  wrote:
>
>>
>>
>> On 04.01.2017 22:21, Jeff Goddard wrote:
>>
>> I don't want to hijack someone else's thread but I'm having what appears
>> to be the same problem and have not seen a solution presented yet.
>>
>> Here is the output of journalctl -xe after having tried to start named:
>>
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> loading configuration from '/etc/named.conf'
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> reading built-in trusted keys from file '/etc/named.iscdlv.key'
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> using default UDP/IPv4 port range: [1024, 65535]
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> using default UDP/IPv6 port range: [1024, 65535]
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> listening on IPv6 interfaces, port 53
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> listening on IPv4 interface lo, 127.0.0.1#53
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> listening on IPv4 interface ens32, 10.73.100.31#53
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> generating session key for dynamic DNS
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> sizing zone task pool based on 6 zones
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> set up managed keys zone for view _default, file
>> '/var/named/dynamic/managed-keys.bind'
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler
>> 4.8.5 20150623 (Red Hat 4.8.5-11)
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> option 'serial_autoincrement' is not supported, ignoring
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> GSSAPI client step 1
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> GSSAPI client step 1
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]:
>> GSSAPI server step 1
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> GSSAPI client step 1
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]:
>> GSSAPI server step 2
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> GSSAPI client step 2
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]:
>> GSSAPI server step 3
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> LDAP error: Invalid credentials: bind to LDAP server failed
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> couldn't establish connection in LDAP connection pool: permission denied
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> dynamic database 'ipa' configuration failed: permission denied
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> loading configuration: permission denied
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> exiting (due to fatal error)
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]:
>> named-pkcs11.service: control process exited, code=exited status=1
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Failed
>> to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>> -- Subject: Unit named-pkcs11.service has failed
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit named-pkcs11.service has failed.
>> --
>> -- The result is failed.
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Unit
>> named-pkcs11.service entered failed state.
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]:
>> named-pkcs11.service failed.
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com polkitd[949]:
>> Unregistered Authentication Agent for 

Re: [Freeipa-users] FreeIPA sudo not working on Ubuntu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-05 Thread Jakub Hrozek
On Thu, Jan 05, 2017 at 01:36:56PM +, James Harrison wrote:
> Hi all, I am having problems with a FreeIPA client running Ubuntu Xenial.
> I can authenticate OK, I get a kerberos ticket, but cannot run sudo.
> I get 1 rule returned, which I expect.
> Many thanks,James Harrison

I would check (with the help of ldbsearch against the sssd cache or
with the help of the sudo logs) whether the rule is really the one you are
expecting or if it's just the cn=defaults rule.

If it's just cn=defaults, then I would check if the rules are downloaded
(sssd always downloads all rules applicable for the host IIRC) or if
they just don't match the filter that you can see in the debug message
from sudosrv_get_sudorules_query_cache. Keep in mind that this is a
filter that applies for the sssd cache, not LDAP.

And lastly, if the rules are downloaded as expected, the sudo rules
would tell you why the rule didn't match.

All in all, this document:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
describes how to troubleshoot the sudo integration.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
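Jakub's advice boils down to replaying the filter that sudosrv_get_sudorules_query_cache prints against what is actually in the sssd cache. The script below is an added example written for this digest, not sssd code: it parses that debug line (the two filters James posted in his sssd_sudo log are embedded, joined onto one line each), evaluates them over a constructed set of cached rules shaped like ldbsearch output (the rule names ops_all, db_netgroup and admins_all, their sudoUser values and the dataExpireTimestamp values are assumptions), and lists which sudoUser values the filter can ever match. Two things fall out: a rule whose sudoUser is a group the user is not in (here %ops) is never selected however correct it looks in `ipa sudorule-show`, and a netgroup rule (+dbhosts) is selected by `(sudoUser=+*)` and only filtered out later, so the count sssd logs can differ from what finally applies.

```python
"""Replay the sysdb filter from sssd_sudo.log against cached sudo rules.

Added example, not sssd code.  Parses the filter printed by
sudosrv_get_sudorules_query_cache (the RFC 4515 subset sssd uses: &, |, !,
equality with '*' wildcards, <= and >=) and evaluates it over entries shaped
like ``ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb '(objectClass=sudoRule)'``.
"""
import re

# The two query_cache lines from the posted log, joined onto one line each.
REFRESH_LINE = (
    "(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] "
    "(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)"
    "(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)"
    "(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)"
    "(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))]"
)
QUERY_LINE = (
    "(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] "
    "(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)"
    "(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)"
    "(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))]"
)

# Constructed cache contents; rule names, sudoUser values and timestamps are assumptions.
CACHED_RULES = [
    {"name": ["defaults"], "objectClass": ["sudoRule"],
     "sudoOption": ["!authenticate"], "dataExpireTimestamp": ["1483600000"]},
    {"name": ["ops_all"], "objectClass": ["sudoRule"], "sudoUser": ["%ops"],
     "sudoHost": ["ALL"], "sudoCommand": ["ALL"], "dataExpireTimestamp": ["1483700000"]},
    {"name": ["db_netgroup"], "objectClass": ["sudoRule"], "sudoUser": ["+dbhosts"],
     "sudoHost": ["ALL"], "sudoCommand": ["/bin/systemctl"], "dataExpireTimestamp": ["1483700000"]},
    {"name": ["admins_all"], "objectClass": ["sudoRule"], "sudoUser": ["%admins"],
     "sudoHost": ["ALL"], "sudoCommand": ["ALL"], "dataExpireTimestamp": ["1483700000"]},
]


def extract_filter(log_line):
    """Pull the bracketed filter out of a query_cache debug line."""
    m = re.search(r"Searching sysdb with \[(\(.*\))\]", log_line)
    if not m:
        raise ValueError("not a sudosrv_get_sudorules_query_cache line")
    return m.group(1)


def parse_filter(text):
    """Tree of ('&'|'|'|'!', [children]) and ('='|'<='|'>=', attr, value) nodes."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, children), i + 1
    end = s.index(")", i)                 # values in these filters contain no ')'
    m = re.match(r"([A-Za-z0-9;.-]+)(<=|>=|=)(.*)$", s[i:end])
    if not m:
        raise ValueError("bad filter item %r" % s[i:end])
    attr, op, value = m.groups()
    return (op, attr.lower(), value), end + 1


def _wild_match(assertion, value):
    # '*' is the RFC 4515 substring wildcard; values compared case-insensitively (assumption)
    regex = ".*".join(re.escape(part) for part in assertion.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate(node, entry):
    """True if the entry (attribute names lower-cased) satisfies the filter tree."""
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, assertion = node
    values = entry.get(attr, [])
    if op == "=":
        return any(_wild_match(assertion, v) for v in values)
    try:                                  # sssd stores timestamps as integers
        want, nums = int(assertion), [int(v) for v in values]
    except ValueError:
        return False
    return any((v <= want) if op == "<=" else (v >= want) for v in nums)


def _normalize(entry):
    return {k.lower(): [str(v) for v in vals] for k, vals in entry.items()}


def select_rules(log_line, entries):
    """Names of cached rules the logged filter selects, in cache order."""
    tree = parse_filter(extract_filter(log_line))
    return [e["name"][0] for e in entries if evaluate(tree, _normalize(e))]


def leaf_values(node, attr):
    """Every assertion value the filter tests for one attribute (e.g. sudoUser)."""
    if node[0] in "&|!":
        return set().union(*(leaf_values(c, attr) for c in node[1]))
    return {node[2]} if node[1] == attr.lower() else set()


if __name__ == "__main__":
    for label, line in (("refresh", REFRESH_LINE), ("query", QUERY_LINE)):
        print(label, "->", select_rules(line, CACHED_RULES))
    wanted = leaf_values(parse_filter(extract_filter(QUERY_LINE)), "sudoUser")
    for rule in CACHED_RULES:
        missing = [u for u in rule.get("sudoUser", []) if u not in wanted and not u.startswith("+")]
        if missing:
            print("rule %s can never be selected for this user: sudoUser=%s" % (rule["name"][0], missing))
```

To use it on a real client, replace CACHED_RULES with the entries ldbsearch prints for `(objectClass=sudoRule)` from the cache file under /var/lib/sss/db/ (file name assumed to follow the cache_<domain>.ldb pattern) and paste the query_cache line from your own sssd_sudo.log; if the rule you expect is not in the selected list, its sudoUser value is the first thing to compare against the filter's alternatives.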


Re: [Freeipa-users] Asking for help with crashed freeIPA instance

2017-01-05 Thread Florence Blanc-Renaud

On 01/04/2017 07:24 PM, Daniel Schimpfoessl wrote:

From the logs:
/var/log/dirsrv/slapd-DOMAIN-COM/errors
... a few warnings about cache size, NSACLPlugin and schema-compat-plugin
[04/Jan/2017:12:14:21.392642021 -0600] slapd started.  Listening on All
Interfaces port 389 for LDAP requests

/var/log/dirsrv/slapd-DOMAIN-COM/access
... lots of entries, not sure what to look for some lines contain RESULT
with err!=0
[04/Jan/2017:12:18:01.753400307 -0600] conn=5 op=243 RESULT err=32
tag=101 nentries=0 etime=0
[04/Jan/2017:12:18:01.786928085 -0600] conn=44 op=1 RESULT err=14 tag=97
nentries=0 etime=0, SASL bind in progress


Hi Daniel,

are there any RESULT err=48 that could correspond to the error seen on 
pki logs?


Flo


/var/log/dirsrv/slapd-DOMAIN-COM/errors
[04/Jan/2017:12:19:25.566022098 -0600] slapd shutting down - signaling
operation threads - op stack size 5 max work q size 2 max work q stack
size 2
[04/Jan/2017:12:19:25.572566622 -0600] slapd shutting down - closing
down internal subsystems and plugins


2017-01-04 8:38 GMT-06:00 Daniel Schimpfoessl:

Do you have a list of all log files involved in IPA?
Would be good to consolidate them into ELK for analysis.

2017-01-04 2:48 GMT-06:00 Florence Blanc-Renaud:

On 01/02/2017 07:24 PM, Daniel Schimpfoessl wrote:

Thanks for your reply.

This was the initial error I asked for help a while ago and
did not get
resolved. Further digging showed the recent errors.
The service was running (using ipactl start --force) and
only after a
restart I am getting a stack trace for two primary messages:

Could not connect to LDAP server host wwgwho01.webwim.com port 636 Error
netscape.ldap.LDAPException: Authentication failed (48)
...

Internal Database Error encountered: Could not connect to LDAP server
host wwgwho01.webwim.com port 636 Error
netscape.ldap.LDAPException: Authentication failed (48)
...

and finally:
[02/Jan/2017:12:20:34][localhost-startStop-1]:
CMSEngine.shutdown()


2017-01-02 3:45 GMT-06:00 Florence Blanc-Renaud:

systemctl start pki-tomcatd@pki-tomcat.service



Hi Daniel,

the next step would be to understand the root cause of this
"Authentication failed (48)" error. Note the exact time of this
log and look for a corresponding log in the LDAP server logs
(/var/log/dirsrv/slapd-DOMAIN-COM/access), probably a failing
BIND with err=48. This may help diagnose the issue (if we can
see which certificate is used for the bind or if there is a
specific error message).

For the record, a successful bind over SSL would produce this
type of log where we can see the certificate subject and the
user mapped to this certificate:
[...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
[...] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[...] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"

Flo





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
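Flo's point is that the access log only makes sense per connection: the SSL/TLS lines, the BIND and its RESULT share a conn= number and have to be read together before an err=48 tells you anything. The script below is an added example written for this digest, not 389-ds or FreeIPA code. It groups a 389-ds access log by conn=, attaches the client certificate subject, the identity the certificate mapped to and the SASL mechanism to every BIND, and names the LDAP result code. The sample log is constructed: conn=47 is the healthy EXTERNAL bind quoted above; conn=52 (an EXTERNAL bind whose certificate mapped to no entry, ending in err=48) and conn=60 (a GSSAPI bind ending in err=49, the server-side view of what bind-dyndb-ldap reports as "Invalid credentials: bind to LDAP server failed") are hypothetical, as are their timestamps and addresses.

```python
"""Correlate BIND failures in a 389-ds access log with the connection's
TLS client certificate or SASL mechanism.  Added example, not 389-ds code.
"""
import re
from collections import defaultdict

# LDAP result codes worth naming when reading bind results
RESULT_CODES = {0: "success", 14: "saslBindInProgress", 32: "noSuchObject",
                48: "inappropriateAuthentication", 49: "invalidCredentials",
                50: "insufficientAccessRights"}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)'
                     r"(?: version=\d+)?(?: mech=(?P<mech>\S+))?")
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+)(?P<rest>.*)$")
CERT_RE = re.compile(r"; client (?P<subject>.+?); issuer (?P<issuer>.+)$")
BOUND_RE = re.compile(r"client bound as (?P<dn>.+)$")
PEER_RE = re.compile(r"connection from (?P<peer>\S+) to ")

# Constructed sample: conn=47 as quoted in the thread, conn=52 and conn=60 hypothetical.
SAMPLE_ACCESS_LOG = """\
[04/Jan/2017:12:18:01.700000000 -0600] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
[04/Jan/2017:12:18:01.710000000 -0600] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[04/Jan/2017:12:18:01.712000000 -0600] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[04/Jan/2017:12:18:01.713000000 -0600] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[04/Jan/2017:12:18:01.714000000 -0600] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[04/Jan/2017:12:18:01.753400307 -0600] conn=5 op=243 RESULT err=32 tag=101 nentries=0 etime=0
[04/Jan/2017:12:18:03.100000000 -0600] conn=52 fd=90 slot=90 SSL connection from 10.34.58.150 to 10.34.58.150
[04/Jan/2017:12:18:03.110000000 -0600] conn=52 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[04/Jan/2017:12:18:03.113000000 -0600] conn=52 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[04/Jan/2017:12:18:03.114000000 -0600] conn=52 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[04/Jan/2017:15:48:42.200000000 -0500] conn=60 fd=92 slot=92 connection from 10.73.100.31 to 10.73.100.31
[04/Jan/2017:15:48:42.201000000 -0500] conn=60 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jan/2017:15:48:42.202000000 -0500] conn=60 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[04/Jan/2017:15:48:42.203000000 -0500] conn=60 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jan/2017:15:48:42.204000000 -0500] conn=60 op=1 RESULT err=49 tag=97 nentries=0 etime=0
"""


def parse_binds(log_text):
    """One record per BIND op, enriched with the connection's TLS/SASL context."""
    conns = defaultdict(lambda: {"peer": None, "cert_subject": None,
                                 "cert_issuer": None, "bound_as": None, "binds": {}})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = int(m.group("conn"))
        rest, ctx = m.group("rest"), conns[conn]
        b, r = BIND_RE.match(rest), RESULT_RE.match(rest)
        if b:
            ctx["binds"][int(b.group("op"))] = {
                "time": m.group("ts"), "conn": conn, "op": int(b.group("op")),
                "dn": b.group("dn"), "method": b.group("method"),
                "mech": b.group("mech"), "err": None, "result": None, "bound_dn": None}
        elif r and int(r.group("op")) in ctx["binds"]:      # RESULT of a bind op
            rec = ctx["binds"][int(r.group("op"))]
            rec["err"] = int(r.group("err"))
            rec["result"] = RESULT_CODES.get(rec["err"], "code %d" % rec["err"])
            d = re.search(r'dn="([^"]*)"', r.group("rest"))  # identity after a success
            rec["bound_dn"] = d.group(1) if d else None
        elif CERT_RE.search(rest):                            # TLS client certificate
            c = CERT_RE.search(rest)
            ctx["cert_subject"], ctx["cert_issuer"] = c.group("subject"), c.group("issuer")
        elif BOUND_RE.search(rest):                           # certmap result
            ctx["bound_as"] = BOUND_RE.search(rest).group("dn")
        elif PEER_RE.search(rest):
            ctx["peer"] = PEER_RE.search(rest).group("peer")
    records = []
    for conn in sorted(conns):
        ctx = conns[conn]
        for op in sorted(ctx["binds"]):
            records.append(dict(ctx["binds"][op], peer=ctx["peer"],
                                cert_subject=ctx["cert_subject"],
                                cert_issuer=ctx["cert_issuer"], bound_as=ctx["bound_as"]))
    return records


def failed_binds(log_text):
    """Bind ops that ended in an error; err=14 is a SASL round trip, not a failure."""
    return [r for r in parse_binds(log_text) if r["err"] not in (None, 0, 14)]


def describe(rec):
    how = rec["mech"] or "simple dn=%r" % rec["dn"]
    cert = (" cert=%r mapped_to=%r" % (rec["cert_subject"], rec["bound_as"])
            if rec["cert_subject"] else "")
    return "[%s] conn=%d op=%d %s from %s -> %s%s" % (
        rec["time"], rec["conn"], rec["op"], how, rec["peer"], rec["result"], cert)


if __name__ == "__main__":
    for rec in failed_binds(SAMPLE_ACCESS_LOG):
        print(describe(rec))
```

Run it against the real file with `failed_binds(open('/var/log/dirsrv/slapd-DOMAIN-COM/access').read())` and match the timestamps against the pki debug log; for the GSSAPI case the same per-connection view shows whether the bind got as far as the final SASL step before the KDC or keytab rejected it.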


Re: [Freeipa-users] Fwd: ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Martin Basti

Hello,

could you check this link 
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed


kinit prints nothing when it works, so it works in your case, can you 
after kinit as DNS service try to use ldapsearch -Y GSSAPI ?



Martin



On 05.01.2017 14:58, Jeff Goddard wrote:


-- Forwarded message --
From: Jeff Goddard
Date: Thu, Jan 5, 2017 at 8:57 AM
Subject: Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP 
server failed: {'desc': 'Invalid credentials'}

To: Martin Basti




On Thu, Jan 5, 2017 at 3:43 AM, Martin Basti wrote:




On 04.01.2017 22:21, Jeff Goddard wrote:

I don't want to hijack someone else's thread but I'm having what
appears to be the same problem and have not seen a solution
presented yet.

Here is the output of journalctl -xe after having tried to start
named:

Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration from '/etc/named.conf'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv4 port range: [1024, 65535]
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv6 port range: [1024, 65535]
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv6 interfaces, port 53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface ens32, 10.73.100.31#53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: generating session key for dynamic DNS
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: sizing zone task pool based on 6 zones
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11)
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: option 'serial_autoincrement' is not supported, ignoring
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 2
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 2
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 3
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: couldn't establish connection in LDAP connection pool: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: dynamic database 'ipa' configuration failed: permission denied
Jan 04 15:48:42 

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Brian J. Murrell
On Wed, 2017-01-04 at 16:21 -0500, Jeff Goddard wrote:
> I don't want to hijack someone else's thread but I'm having what
> appears to
> be the same problem and have not seen a solution presented yet.

The problem and solution were presented.  These two messages basically
embody the problem I had:

https://www.redhat.com/archives/freeipa-users/2016-December/msg00310.html
https://www.redhat.com/archives/freeipa-users/2016-December/msg00397.html

Cheers,
b.


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Fwd: ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Jeff Goddard
-- Forwarded message --
From: Jeff Goddard 
Date: Thu, Jan 5, 2017 at 8:57 AM
Subject: Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP
server failed: {'desc': 'Invalid credentials'}
To: Martin Basti 




On Thu, Jan 5, 2017 at 3:43 AM, Martin Basti  wrote:

>
>
> On 04.01.2017 22:21, Jeff Goddard wrote:
>
> I don't want to hijack someone else's thread but I'm having what appears
> to be the same problem and have not seen a solution presented yet.
>
> Here is the output of journalctl -xe after having tried to start named:
>
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration from '/etc/named.conf'
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv4 port range: [1024, 65535]
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv6 port range: [1024, 65535]
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv6 interfaces, port 53
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface lo, 127.0.0.1#53
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface ens32, 10.73.100.31#53
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: generating session key for dynamic DNS
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: sizing zone task pool based on 6 zones
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11)
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: option 'serial_autoincrement' is not supported, ignoring
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 2
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 2
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 3
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: couldn't establish connection in LDAP connection pool: permission denied
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: dynamic database 'ipa' configuration failed: permission denied
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration: permission denied
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: exiting (due to fatal error)
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
> -- Subject: Unit named-pkcs11.service has failed
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit named-pkcs11.service has failed.
> --
> -- The result is failed.
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Unit named-pkcs11.service entered failed state.
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service failed.
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com polkitd[949]: Unregistered Authentication Agent for unix-process:3936:380486 (system bus name :1.59, object path /org/freedesktop/Policy
>
> Here are the last four entries of /var/log/dirsrv/slapd-*/access |grep
> ipa-dnskeysyncdcat:
>
> [04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ipa-dnskeysyncd/id-management-2.internal.emerlyn@internal.emerlyn.com)(krbPrincipalName:caseIgnoreIA5Match:=ipa-dnskeysyncd/id-management-2.internal.emerlyn@internal.emerlyn.com)))"

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Jeff Goddard
Running the command displays no output.

Here is the config file output:

# This file is sourced by dirsrv upon startup to set
# the default environment for all directory server instances.
# To set instance specific defaults, use the file in the same
# directory called dirsrv-instance where "instance"
# is the name of your directory server instance e.g.
# dirsrv-localhost for the slapd-localhost instance.

# This file is in systemd EnvironmentFile format - see man systemd.exec

# In order to make more file descriptors available
# to the directory server, first make sure the system
# hard limits are raised, then use ulimit - uncomment
# out the following line and change the value to the
# desired value
# ulimit -n 8192
# note - if using systemd, ulimit won't work -  you must edit
# the systemd unit file for directory server to add the
# LimitNOFILE option - see man systemd.exec for more info

# A per instance keytab does not make much sense for servers.
# Kerberos clients use the machine FQDN to obtain a ticket like ldap/FQDN,
there
# is nothing that can make a client understand how to get a per-instance
ticket.
# Therefore by default a keytab should be considered a per server option.

# Also this file is sourced for all instances, so again all
# instances would ultimately get the same keytab.

# Finally a keytab is normally named either krb5.keytab or .keytab

# In order to use SASL/GSSAPI (Kerberos) the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
# if using systemd, omit the "; export VARNAME" at the end

# how many seconds to wait for the startpid file to show
# up before we assume there is a problem and fail to start
# if using systemd, omit the "; export VARNAME" at the end
#STARTPID_TIME=10 ; export STARTPID_TIME
# how many seconds to wait for the pid file to show
# up before we assume there is a problem and fail to start
# if using systemd, omit the "; export VARNAME" at the end
#PID_TIME=600 ; export PID_TIME
KRB5CCNAME=/tmp/krb5cc_389
KRB5_KTNAME=/etc/dirsrv/ds.keytab

I tried reinstalling with ipa-dns-install and it failed with errors. From
the logs it looks like it sets resolv.conf to 127.0.0.1 and then tries to
do lookups and fails. Here are selections from the logs:

2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG   duration: 0 seconds
2017-01-05T13:13:47Z DEBUG   [4/8]: setting up kerberos principal
2017-01-05T13:13:47Z DEBUG Starting external process
2017-01-05T13:13:47Z DEBUG args=kadmin.local -q addprinc -randkey DNS/id-management-2.internal.emerlyn@internal.emerlyn.com -x ipa-setup-override-restrictions
2017-01-05T13:13:47Z DEBUG Process finished, return code=0
2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/ad...@internal.emerlyn.com with password.

2017-01-05T13:13:47Z DEBUG stderr=WARNING: no policy specified for DNS/id-management-2.internal.emerlyn@internal.emerlyn.com; defaulting to no policy
add_principal: Principal or policy already exists while creating "DNS/id-management-2.internal.emerlyn@internal.emerlyn.com".

2017-01-05T13:13:47Z DEBUG Backing up system configuration file '/etc/named.keytab'
2017-01-05T13:13:47Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-05T13:13:47Z DEBUG Starting external process
2017-01-05T13:13:47Z DEBUG args=kadmin.local -q ktadd -k /etc/named.keytab DNS/id-management-2.internal.emerlyn@internal.emerlyn.com -x ipa-setup-override-restrictions
2017-01-05T13:13:47Z DEBUG Process finished, return code=0
2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/ad...@internal.emerlyn.com with password.
Entry for principal DNS/id-management-2.internal.emerlyn@internal.emerlyn.com with kvno 7, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn@internal.emerlyn.com with kvno 7, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn@internal.emerlyn.com with kvno 7, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn@internal.emerlyn.com with kvno 7, encryption type arcfour-hmac added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn@internal.emerlyn.com with kvno 7, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn@internal.emerlyn.com with 

[Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-05 Thread James Harrison
Hi all, I am having problems with a FreeIPA client running Ubuntu Xenial.
I can authenticate OK, I get a kerberos ticket, but cannot run sudo.
I get 1 rule returned, which I expect.
Many thanks, James Harrison


(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c11e30 "ltdb_timeout"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c11d70 "ltdb_callback"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [x_james.harri...@domain.com]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [x_james.harrison] from [domain.com]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c11d70
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c11e30
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c11d70 "ltdb_callback"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c11e30 "ltdb_timeout"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c11d70 "ltdb_callback"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c0f550
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c1da40
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c0f550 "ltdb_callback"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c1da40 "ltdb_timeout"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c0f550 "ltdb_callback"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c11d70
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c11e30
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c11d70 "ltdb_callback"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c11e30 "ltdb_timeout"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c11d70 "ltdb_callback"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c18790
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c1b720
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c18790 "ltdb_callback"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c1b720 "ltdb_timeout"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c18790 "ltdb_callback"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c12600
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c0f550
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c12600 "ltdb_callback"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c0f550 "ltdb_timeout"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c12600 "ltdb_callback"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c0f550
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c0dfd0
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c0f550 "ltdb_callback"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c0dfd0 "ltdb_timeout"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c0f550 "ltdb_callback"
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [x_james.harri...@domain.com]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1c0e770][18]

==> sssd/sssd.log <==
(Thu Jan  5 12:10:00 2017) [sssd] [service_send_ping] (0x2000): Pinging domain.com
(Thu Jan  5 12:10:00 2017) [sssd] 

[Freeipa-users] Effect of reversing trust relationship

2017-01-05 Thread William Muriithi
Hello,

Curious, two weeks ago, we established a two way trust between AD and
FreeIPA. This has been working fine till yesterday when AD started
having DNS issues.  I am 99% certain trust had nothing to do with DNS
issue, but want to reverse the trust and see if we could fare better

My question is, if I run "ipa trustdomain-del", what does it do behind the back?

- Will there be a change in the AD systems or just remove association
on IPA side without reversing changes on the AD side?

- What's the implication on the IPA client?  Any possibility of an outage?

- What's the difference between "ipa trustdomain-del" and restoring from
"ipa-backup" and what would be more recommended if one has both
options?

Regards,

William

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] 2FA and AllowNTHash

2017-01-05 Thread Brian Candler

On 05/01/2017 10:57, Maciej Drobniuch wrote:

Maybe I'll paraphrase the question.

It would suffice if I could tell IPA to use pass+otp only instead of 
both (Password+ pass+otp) for particular hosts.

So for example users from hosts X can login with OTP only.

Sorry, I don't understand that.  What are the two passwords you refer 
to, when you say "Password + pass+otp"?


Can you give an example of the type of exchange that goes on now, and 
what you would like it to do instead?


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] 2FA and AllowNTHash

2017-01-05 Thread Maciej Drobniuch
Hi Brian

Thank You for your answer.
It started working, not sure yet why it did not work. I need to do some
extensive testing.

So, I've actually followed the blogposts you've mentioned to setup
ipanthash + freeradius.

Maybe I'll paraphrase the question.

It would suffice if I could tell IPA to use pass+otp only instead of both
(Password+ pass+otp) for particular hosts.
So for example users from hosts X can login with OTP only.

Thanks for help!

On Tue, Jan 3, 2017 at 7:02 PM, Brian Candler wrote:

> On 03/01/2017 15:28, Maciej Drobniuch wrote:
>
>> We have a topo with 3x IPA servers + freeradius.
>>
>> Freeradius is being used to do mschap with wifi APs. Freeradius connects
>> over ldap to IPA.
>>
>> In order to do the challenge-response thing, freeipa has AllowNTHash
>> enabled.
>>
>> So I wanted to enable 2FA/OTP but leave the NTHash as is for wifi auth.
>>
>> In the moment I disallow Password auth for a user and enable OTP the wifi
>> auth stops working, but the hash clearly stays in ldap.
>>
> How are you actually authenticating the user? Are you just reading the
> ipaNTHash out of the LDAP database and letting FreeRADIUS check it? Then
> AFAICS it shouldn't make any difference whether OTP is enabled or not.  Can
> you show more of your RADIUS config, and the debug output from the part
> which authenticates the user?
>
> I don't use OTP myself, but I wouldn't expect the ipaNTHash to change
> depending on whether OTP is enabled or not (and you're saying the hash
> stays put).
>
> I have what sounds like a similar setup to yours, using FreeRADIUS 3.0.12
> talking to FreeIPA 4.4.0, using a service user which has permissions to
> read out the ipaNTHash directly, based on this blog post:
> http://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_
> permissions_to_service_accounts..html
>
> ldap config:
>
>   base_dn = 'cn=users,cn=accounts,dc=ipa,dc=example,dc=com'
>
>   sasl {
>     mech = 'GSSAPI'
>     realm = 'IPA.EXAMPLE.COM'
>   }
>
>   update {
>     control:NT-Password := 'ipaNTHash'
>     control:Tmp-String-9 := 'krbPasswordExpiration'
>   }
>
>   user {
>     base_dn = "${..base_dn}"
>     filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>     scope = "one"
>   }
>
>   group {
>     membership_attribute = 'memberOf'
>     name_attributes = 'cn'
>
>     cacheable_dn = 'yes'
>     cacheable_name = 'no'
>   }
>
> default and inner-tunnel authentication is then just:
>
>   authenticate {
>     Auth-Type PAP {
>       pap
>     }
>
>     Auth-Type MS-CHAP {
>       mschap
>     }
>
>     eap
>   }
>
> Also you need to put the service user's keytab somewhere, and set a couple
> of environment variables when it starts, if you want to use Kerberos to
> protect the LDAP connection. Using systemd override:
>
>   [Unit]
>   Requires=dirsrv.target
>   After=dirsrv.target
>
>   [Service]
>   Environment=KRB5_CLIENT_KTNAME=/etc/radiusd.keytab
>   Environment=KRB5CCNAME=MEMORY:
>   Restart=always
>   RestartSec=5
>
> (Otherwise you can bind with a specific dn and password, but then you also
> need to sort out TLS to secure the LDAP traffic)
>
> There is more magic you can do with the krbPasswordExpiration attribute to
> force the user to do a password change over MSCHAP - but that's now
> straying a long way from what's relevant on a FreeIPA mailing list.
>
> HTH,
>
> Brian.
>



-- 
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA 4.4.0: clcache_load_buffer_bulk error

2017-01-05 Thread Youenn PIOLET
Hi,
Got the same messages :)
(and I almost got all other problems you posted on this list since your 4.4
upgrade)

If anyone can tell us if we have to do anything to clean problematic CSN...

Happy new year to all freeipa-users!
--
Youenn Piolet
piole...@gmail.com


2016-12-24 9:33 GMT+01:00 :

> Since upgrading to IPA 4.4.0 and CentOS-7.3, our master has been
> outputting the follow line repeatedly in its slapd error logs:
>
>
>
> [24/Dec/2016:08:11:36.684385818 +] clcache_load_buffer_bulk -
> changelog record with csn (585e436900150004) not found for DB_NEXT
>
>
>
> What does it mean and, if repair is needed, what should I do?
>
>
>
> Thanks and regards,
>
> Dan
>
>
>
> *Daniel Alex Finkelstein*| Lead Dev Ops Engineer
>
> *dan.finkelst...@h5g.com * | 212.604.3447
>
> One World Trade Center, New York, NY 10007
>
>
>
> www.high5games.com
>
>
> *This message and any attachments may contain confidential or privileged
> information and are only for the use of the intended recipient of this
> message. If you are not the intended recipient, please notify the sender by
> return email, and delete or destroy this and all copies of this message and
> all attachments. Any unauthorized disclosure, use, distribution, or
> reproduction of this message or any attachments is prohibited and may be
> unlawful.*
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Fraser Tweedale
On Thu, Jan 05, 2017 at 01:08:58PM +0300, Ben .T.George wrote:
> HI
> 
> there is no firewall running on both servers,
> 
> [root@zkwipamstr01 ~]# systemctl status firewalld
> ● firewalld.service - firewalld - dynamic firewall daemon
>Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled;
> vendor preset: enabled)
>Active: inactive (dead)
>  Docs: man:firewalld(1)
> 
> [root@zkwipamstr01 ~]# sestatus
> SELinux status: disabled
> 
OK, very well.  And actually, forget about my idea about connecting
to port 8009 from client - that is not what happens at all.  It is
the end of day for me and my brain checked out :/

I shall continue analysis of your problem tomorrow.

Thanks,
Fraser

> 
> On Thu, Jan 5, 2017 at 1:05 PM, Fraser Tweedale wrote:
> 
> > On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
> > > HI,
> > >
> > > On the master server and the replica server, I have enabled IPv6.
> > >
> > > Below is the master server:
> > >
> > > [root@zkwipamstr01 ~]# ip addr | grep inet6
> > >
> > > inet6 fe80::250:56ff:fea0:3857/64 scope link
> > >
> > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > tcp6       0      0 ::1:8009                :::*                    LISTEN      12692/java
> > >
> > >
> > > After that, 8009 is listening on the master server.
> > >
> > > On the replica side, I uninstalled ipa and tried to enroll again. Do I need to
> > > enable any service on the replica side?
> > >
> > > [28/44]: restarting directory server
> > > ipa : CRITICAL Failed to restart the directory server (Command
> > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> > > exit status 1). See the installation log for details.
> > >   [29/44]: setting up initial replication
> > >   [error] error: [Errno 111] Connection refused
> > > Your system may be partly configured.
> > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > >
> > > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> > > Connection refused
> > > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > > ipa-replica-install command failed. See /var/log/ipareplica-install.log
> > for
> > > more information
> > > [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > Job for pki-tomcatd@pki-tomcat.service failed because the control
> > process
> > > exited with error code. See "systemctl status
> > pki-tomcatd@pki-tomcat.service"
> > > and "journalctl -xe" for details.
> > >
> > > Still same error.
> > >
> > > Is this service restart (pki-tomcatd@pki-tomcat) only applicable on the master
> > > server?
> > >
> > Yes, because no CA has been created on replica (yet).
> >
> > Can you confirm that your firewall (if any/enabled) on master is
> > letting the traffic from client/replica through to :8009?
> > Executing: ``nc -v $MASTER_IP 8009`` from the client machine
> > suffices to check.
> >
> > Thanks,
> > Fraser
> >
> > > Regards,
> > > Ben
> > >
> > >
> > > On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik 
> > wrote:
> > >
> > > > On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > > > > HI
> > > > >
> > > > > Yes, I did the same and the port is still not listening.
> > > > >
> > > > > [root@zkwipamstr01 ~]# cat /etc/hosts
> > > > > 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> > > > > ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> > > > > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> > > > > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> > > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > > >
> > > > >
> > > > > Regards
> > > > > Ben
> > > >
> > > > Also IPv6 stack needs to be enabled.
> > > >
> > > > >
> > > > > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale  > > > > > wrote:
> > > > >
> > > > > On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > > > > > HI
> > > > > >
> > > > > > Port 8009 is not listening on the master server,
> > > > > >
> > > > > > and I added "::1 localhost localhost.localdomain localhost6
> > > > > > localhost6.localdomain6" to the hosts file.
> > > > > >
> > > > >
> > > > > Did you add this to the host file on the master (then `systemctl
> > > > > restart pki-tomcatd@pki-tomcat` and confirm it is listening on
> > port
> > > > > 8009)?  Or just the client you are trying to promote?
> > > > >
> > > > > It is needed on the master.  Won't hurt to make this change to
> > > > > /etc/hosts on both machines, though.
> > > > >
> > > > > HTH,
> > > > > Fraser
> > > > >
> > > > >  > still getting same 

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Ben .T.George
HI

there is no firewall running on either server,

[root@zkwipamstr01 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled;
vendor preset: enabled)
   Active: inactive (dead)
 Docs: man:firewalld(1)

[root@zkwipamstr01 ~]# sestatus
SELinux status: disabled


On Thu, Jan 5, 2017 at 1:05 PM, Fraser Tweedale  wrote:

> On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
> > HI,
> >
> > On the master server and the replica server, I have enabled IPv6.
> >
> > Below is the master server:
> >
> > [root@zkwipamstr01 ~]# ip addr | grep inet6
> >
> > inet6 fe80::250:56ff:fea0:3857/64 scope link
> >
> > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > tcp6       0      0 ::1:8009                :::*                    LISTEN      12692/java
> >
> >
> > After that, 8009 is listening on the master server.
> >
> > On the replica side, I uninstalled ipa and tried to enroll again. Do I need to
> > enable any service on the replica side?
> >
> > [28/44]: restarting directory server
> > ipa : CRITICAL Failed to restart the directory server (Command
> > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> > exit status 1). See the installation log for details.
> >   [29/44]: setting up initial replication
> >   [error] error: [Errno 111] Connection refused
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> > Connection refused
> > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for
> > more information
> > [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > Job for pki-tomcatd@pki-tomcat.service failed because the control
> process
> > exited with error code. See "systemctl status
> pki-tomcatd@pki-tomcat.service"
> > and "journalctl -xe" for details.
> >
> > Still same error.
> >
> > Is this service restart (pki-tomcatd@pki-tomcat) only applicable on the master
> > server?
> >
> Yes, because no CA has been created on replica (yet).
>
> Can you confirm that your firewall (if any/enabled) on master is
> letting the traffic from client/replica through to :8009?
> Executing: ``nc -v $MASTER_IP 8009`` from the client machine
> suffices to check.
>
> Thanks,
> Fraser
>
> > Regards,
> > Ben
> >
> >
> > On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik 
> wrote:
> >
> > > On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > > > HI
> > > >
> > > > Yes, I did the same and the port is still not listening.
> > > >
> > > > [root@zkwipamstr01 ~]# cat /etc/hosts
> > > > 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> > > > ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> > > > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> > > > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > >
> > > >
> > > > Regards
> > > > Ben
> > >
> > > Also IPv6 stack needs to be enabled.
> > >
> > > >
> > > > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale  > > > > wrote:
> > > >
> > > > On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > > > > HI
> > > > >
> > > > > Port 8009 is not listening on the master server,
> > > > >
> > > > > and I added "::1 localhost localhost.localdomain localhost6
> > > > > localhost6.localdomain6" to the hosts file.
> > > > >
> > > >
> > > > Did you add this to the host file on the master (then `systemctl
> > > > restart pki-tomcatd@pki-tomcat` and confirm it is listening on
> port
> > > > 8009)?  Or just the client you are trying to promote?
> > > >
> > > > It is needed on the master.  Won't hurt to make this change to
> > > > /etc/hosts on both machines, though.
> > > >
> > > > HTH,
> > > > Fraser
> > > >
> > > >  > still getting same error
> > > >  >
> > > >  >  [28/44]: restarting directory server
> > > >  > ipa : CRITICAL Failed to restart the directory server
> > > (Command
> > > >  > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service'
> returned
> > > non-zero
> > > >  > exit status 1). See the installation log for details.
> > > >  >   [29/44]: setting up initial replication
> > > >  >   [error] error: [Errno 111] Connection refused
> > > >  > Your system may be partly configured.
> > > >  > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > >  >

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Fraser Tweedale
On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
> HI,
> 
> On the master server and the replica server, I have enabled IPv6.
> 
> Below is the master server:
> 
> [root@zkwipamstr01 ~]# ip addr | grep inet6
> 
> inet6 fe80::250:56ff:fea0:3857/64 scope link
> 
> [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> tcp6       0      0 ::1:8009                :::*                    LISTEN      12692/java
> 
> 
> After that, 8009 is listening on the master server.
> 
> On the replica side, I uninstalled ipa and tried to enroll again. Do I need to
> enable any service on the replica side?
> 
> [28/44]: restarting directory server
> ipa : CRITICAL Failed to restart the directory server (Command
> '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> exit status 1). See the installation log for details.
>   [29/44]: setting up initial replication
>   [error] error: [Errno 111] Connection refused
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> Connection refused
> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> ipa-replica-install command failed. See /var/log/ipareplica-install.log for
> more information
> [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> Job for pki-tomcatd@pki-tomcat.service failed because the control process
> exited with error code. See "systemctl status pki-tomcatd@pki-tomcat.service"
> and "journalctl -xe" for details.
> 
> Still same error.
> 
> Is this service restart (pki-tomcatd@pki-tomcat) only applicable on the master
> server?
> 
Yes, because no CA has been created on replica (yet).

Can you confirm that your firewall (if any/enabled) on master is
letting the traffic from client/replica through to :8009?
Executing: ``nc -v $MASTER_IP 8009`` from the client machine
suffices to check.

Thanks,
Fraser

> Regards,
> Ben
> 
> 
> On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik  wrote:
> 
> > On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > > HI
> > >
> > > Yes, I did the same and the port is still not listening.
> > >
> > > [root@zkwipamstr01 ~]# cat /etc/hosts
> > > 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> > > ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> > > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> > > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > >
> > >
> > > Regards
> > > Ben
> >
> > Also IPv6 stack needs to be enabled.
> >
> > >
> > > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale  > > > wrote:
> > >
> > > On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > > > HI
> > > >
> > > > Port 8009 is not listening on the master server,
> > > >
> > > > and I added "::1 localhost localhost.localdomain localhost6
> > > > localhost6.localdomain6" to the hosts file.
> > > >
> > >
> > > Did you add this to the host file on the master (then `systemctl
> > > restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
> > > 8009)?  Or just the client you are trying to promote?
> > >
> > > It is needed on the master.  Won't hurt to make this change to
> > > /etc/hosts on both machines, though.
> > >
> > > HTH,
> > > Fraser
> > >
> > >  > still getting same error
> > >  >
> > >  >  [28/44]: restarting directory server
> > >  > ipa : CRITICAL Failed to restart the directory server
> > (Command
> > >  > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
> > non-zero
> > >  > exit status 1). See the installation log for details.
> > >  >   [29/44]: setting up initial replication
> > >  >   [error] error: [Errno 111] Connection refused
> > >  > Your system may be partly configured.
> > >  > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > >  >
> > >  > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno
> > 111]
> > >  > Connection refused
> > >  > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > >  > ipa-replica-install command failed. See
> > /var/log/ipareplica-install.log for
> > >  > more information
> > >  >
> > >  >
> > >  > Also  ipv6 is disabled on both nodes
> > >  >
> > >  > Regards,
> > >  > Ben
> > >  >
> > >  > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <
> > pvobo...@redhat.com
> > > > wrote:
> > >  >
> > >  > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
> > >  > > > HI
> > >  
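The three things the thread turns on (a `::1 localhost` line in the master's /etc/hosts, something actually listening on port 8009 on the master, and whether ipareplica-install.log mentions CA_UNREACHABLE) collected into one offline pre-flight check. This is an added example and not FreeIPA project code; it parses text you capture yourself, and the sample /etc/hosts and netstat content in it is constructed from what was posted in the thread.

```python
"""Offline pre-flight checks for the ipa-replica-install failure discussed
in this thread. Added example, not FreeIPA project code; the sample inputs
are constructed from the outputs posted in the thread."""
from typing import List

AJP_PORT = 8009  # pki-tomcat's AJP connector, which the thread shows bound to ::1


def hosts_has_ipv6_localhost(hosts_text: str) -> bool:
    """True if a non-comment /etc/hosts line maps ::1 to the name 'localhost'."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "::1" and "localhost" in fields[1:]:
            return True
    return False


def listeners_on_port(netstat_text: str, port: int = AJP_PORT) -> List[str]:
    """Local addresses of LISTEN sockets on `port`, parsed from `netstat -tunap`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Proto  Recv-Q  Send-Q  Local  Foreign  State  PID/Program
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        host, _, local_port = fields[3].rpartition(":")
        if local_port == str(port) and fields[5] == "LISTEN":
            found.append(host)
    return found


def ca_unreachable_in_log(install_log: str) -> bool:
    """The string Petr asks about near step 27 of ipareplica-install.log."""
    return "CA_UNREACHABLE" in install_log


def diagnose(hosts_text: str, netstat_text: str, install_log: str = "") -> List[str]:
    """Collect readable findings; an empty list means none of the three symptoms is present."""
    findings = []
    if not hosts_has_ipv6_localhost(hosts_text):
        findings.append("/etc/hosts: no '::1 localhost' entry on the master")
    if not listeners_on_port(netstat_text):
        findings.append(f"netstat: nothing listening on port {AJP_PORT} on the master")
    if ca_unreachable_in_log(install_log):
        findings.append("ipareplica-install.log: CA_UNREACHABLE reported")
    return findings


# Constructed sample inputs, modelled on the thread (not real captures).
HOSTS_BEFORE = """\
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
"""
HOSTS_AFTER = HOSTS_BEFORE + "::1 localhost localhost.localdomain localhost6 localhost6.localdomain6\n"

NETSTAT_EMPTY = ""  # `netstat -tunap | grep 8009` printed nothing
NETSTAT_LISTENING = (
    "tcp6       0      0 ::1:8009                :::*                    "
    "LISTEN      12692/java\n"
)

if __name__ == "__main__":
    for label, hosts, net in [("before", HOSTS_BEFORE, NETSTAT_EMPTY),
                              ("after", HOSTS_AFTER, NETSTAT_LISTENING)]:
        print(label, diagnose(hosts, net) or ["ok"])
```

On a real master, feed it the actual files and command output (for instance `diagnose(open('/etc/hosts').read(), subprocess.check_output(['netstat', '-tunap'], text=True), open('/var/log/ipareplica-install.log').read())`). The IPv6 point Petr raises is not visible in /etc/hosts itself: with the IPv6 stack disabled, pki-tomcat cannot bind ::1, which shows up here as the empty netstat finding, and in the thread the port came up once IPv6 was enabled.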

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Ben .T.George
HI,

On the master server and the replica server, I have enabled IPv6.

Below is the master server:

[root@zkwipamstr01 ~]# ip addr | grep inet6

inet6 fe80::250:56ff:fea0:3857/64 scope link

[root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
[root@zkwipamstr01 ~]# netstat -tunap | grep 8009
tcp6       0      0 ::1:8009                :::*                    LISTEN      12692/java


After that, 8009 is listening on the master server.

On the replica side, I uninstalled ipa and tried to enroll again. Do I need to
enable any service on the replica side?

[28/44]: restarting directory server
ipa : CRITICAL Failed to restart the directory server (Command
'/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
exit status 1). See the installation log for details.
  [29/44]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
Connection refused
ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
ipa-replica-install command failed. See /var/log/ipareplica-install.log for
more information
[root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
Job for pki-tomcatd@pki-tomcat.service failed because the control process
exited with error code. See "systemctl status pki-tomcatd@pki-tomcat.service"
and "journalctl -xe" for details.

Still same error.

Is this service restart (pki-tomcatd@pki-tomcat) only applicable on the master
server?

Regards,
Ben


On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik  wrote:

> On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > HI
> >
> > Yes, I did the same and the port is still not listening.
> >
> > [root@zkwipamstr01 ~]# cat /etc/hosts
> > 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> > ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> >
> >
> > Regards
> > Ben
>
> Also IPv6 stack needs to be enabled.
>
> >
> > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale  > > wrote:
> >
> > On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > > HI
> > >
> > > Port 8009 is not listening on the master server,
> > >
> > > and I added "::1 localhost localhost.localdomain localhost6
> > > localhost6.localdomain6" to the hosts file.
> > >
> >
> > Did you add this to the host file on the master (then `systemctl
> > restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
> > 8009)?  Or just the client you are trying to promote?
> >
> > It is needed on the master.  Won't hurt to make this change to
> > /etc/hosts on both machines, though.
> >
> > HTH,
> > Fraser
> >
> >  > still getting same error
> >  >
> >  >  [28/44]: restarting directory server
> >  > ipa : CRITICAL Failed to restart the directory server
> (Command
> >  > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
> non-zero
> >  > exit status 1). See the installation log for details.
> >  >   [29/44]: setting up initial replication
> >  >   [error] error: [Errno 111] Connection refused
> >  > Your system may be partly configured.
> >  > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >  >
> >  > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno
> 111]
> >  > Connection refused
> >  > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> >  > ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for
> >  > more information
> >  >
> >  >
> >  > Also  ipv6 is disabled on both nodes
> >  >
> >  > Regards,
> >  > Ben
> >  >
> >  > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <
> pvobo...@redhat.com
> > > wrote:
> >  >
> >  > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
> >  > > > HI
> >  > > >
> >  > > > I tried the method mentioned in that document and it ended up with the
> >  > > > below error. My DNS is managed by an external box and I don't want to
> >  > > > create any DNS record on these servers.
> >  > > >
> >  > > > And the command which I tried is (non-client server):
> >  > > >
> >  > > > ipa-replica-install --principal admin --admin-password P@ssw0rd --domain
> >  > > > kw.example.com --server zkwipamstr01.kw.example.com

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Martin Basti



On 04.01.2017 22:21, Jeff Goddard wrote:
I don't want to hijack someone else's thread but I'm having what 
appears to be the same problem and have not seen a solution presented yet.


Here is the output of journalctl -xe after having tried to start named:

Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration from '/etc/named.conf'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv4 port range: [1024, 65535]
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv6 port range: [1024, 65535]
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv6 interfaces, port 53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface ens32, 10.73.100.31#53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: generating session key for dynamic DNS
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: sizing zone task pool based on 6 zones
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11)
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: option 'serial_autoincrement' is not supported, ignoring
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 2
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 2
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 3
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: couldn't establish connection in LDAP connection pool: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: dynamic database 'ipa' configuration failed: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: exiting (due to fatal error)
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.

-- Subject: Unit named-pkcs11.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit named-pkcs11.service has failed.
--
-- The result is failed.
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: 

Re: [Freeipa-users] Lookups Failing With AD Forwarder (and DNSSEC)

2017-01-05 Thread Martin Basti



On 04.01.2017 23:40, Jason B. Nance wrote:

Hello everyone,

I have a pair of FreeIPA 4.4.0 servers set up whose forwarders are each set to 
an Active Directory domain controller.  When a client attempts to look up any 
DNS record other than those for which FreeIPA is authoritative, the client 
reports NXDOMAIN and the FreeIPA server has the following in its logs:

(first lookup)
Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no valid RRSIG) resolving 'zone/DS/IN': 10.48.8.18#53
Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no valid DS) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53

(subsequent lookups)
Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: validating @0x7f7a40983ea0: sl1mmgpwtdc0001.tkc.gen.zone A: bad cache hit (zone/DS)
Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (broken trust chain) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53

In my case, ipa.tkc.gen.zone is served by FreeIPA and tkc.gen.zone is served by 
AD (as is gen.zone).  10.48.8.18 is an AD domain controller for tkc.gen.zone 
(and the forwarder the FreeIPA servers are pointed at).

I've tried "rndc flush" and "rndc flushname ." on the FreeIPA boxes.  We've 
tried both NSEC3 and NSEC.

Anyone have guidance as to what may be going on?

Thanks,

j



Hello,

You use a non-existent TLD, or the TLD doesn't have a DS record for your 
zone, so this is expected behaviour: DNSSEC treats it as an attack. 
You have to disable DNSSEC validation on all IPA DNS servers in 
/etc/named.conf in the first case, or fix the incorrect/missing DS record in 
the second case.


'zone.' is a registered TLD, so if you own it you are probably 
missing a DS record in the path, thus the broken trust chain.

If you don't own the TLD, you shouldn't use it at all.

Martin

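To make the point about DS records concrete, here is how a validating resolver such as named walks the chain of trust for a name like sl1mmgpwtdc0001.tkc.gen.zone, and why the DS answer at each delegation decides between a secure, an insecure and a "broken trust chain" result. This is an added toy model in Python following the resolver semantics of RFC 4035; it is not BIND or FreeIPA code, the zone names are the thread's, and the delegation table is constructed rather than the real state of the .zone TLD.

```python
"""Toy model of the DNSSEC chain-of-trust walk a validating resolver performs.
Added example, not BIND or FreeIPA code; the delegation table is constructed
and does not describe the real state of the .zone TLD."""
from typing import Dict, List

# What the resolver received when it asked the parent zone for <child>/DS:
#   "ds"       a DS RRset with a valid RRSIG: the child is securely delegated
#   "denial"   a signed NSEC/NSEC3 proof that no DS exists: the child is an
#              insecure delegation; validation stops there and lookups still work
#   "unsigned" an answer with no usable RRSIG, e.g. relayed by a forwarder that
#              does not pass DNSSEC records through; the resolver cannot tell a
#              legitimately unsigned child from a stripped answer, so the data
#              is bogus and the lookup fails
DsAnswer = str


def zone_cuts(name: str) -> List[str]:
    """Candidate zone cuts from the TLD down: 'a.b.c' -> ['c', 'b.c', 'a.b.c']."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def validate_chain(zones: List[str], ds_answers: Dict[str, DsAnswer],
                   dnssec_validation: bool = True) -> str:
    """Walk root -> ... -> leaf zone and return 'secure', 'insecure', 'bogus'
    or 'unchecked'. The root is the trust anchor, so the walk starts secure;
    a zone absent from ds_answers counts as 'unsigned' (nothing verifiable)."""
    if not dnssec_validation:
        return "unchecked"  # validation off: named accepts whatever the forwarder returns
    state = "secure"
    for zone in zones:
        if state == "insecure":
            break  # nothing below an insecure delegation is checked
        answer = ds_answers.get(zone, "unsigned")
        if answer == "ds":
            state = "secure"
        elif answer == "denial":
            state = "insecure"
        else:
            return "bogus"  # what named logs as "no valid RRSIG" / "broken trust chain"
    return state


# Constructed scenarios using the zone names from the thread.
THREAD_ZONES = ["zone", "gen.zone", "tkc.gen.zone"]

SCENARIOS = {
    # the forwarder relays the root's answer for zone/DS without its RRSIGs
    "forwarder strips DNSSEC": {"zone": "unsigned"},
    # .zone is signed and returns a signed proof that gen.zone has no DS
    "gen.zone insecurely delegated": {"zone": "ds", "gen.zone": "denial"},
    # every cut carries a valid DS: a complete chain of trust
    "fully signed": {"zone": "ds", "gen.zone": "ds", "tkc.gen.zone": "ds"},
    # gen.zone is signed, but there is no verifiable DS answer for tkc.gen.zone
    "no verifiable DS under a signed parent": {"zone": "ds", "gen.zone": "ds"},
}

if __name__ == "__main__":
    for label, table in SCENARIOS.items():
        print(f"{label:40s} -> {validate_chain(THREAD_ZONES, table)}")
    print(f"{'validation disabled':40s} -> {validate_chain(THREAD_ZONES, {}, False)}")
```

The distinction the model draws is the one that matters operationally: a signed proof that no DS exists yields an insecure delegation and the lookup still succeeds, whereas an answer with no usable signature, which is what a forwarder that does not pass DNSSEC records through hands back, is bogus and the client gets a failure. Turning off dnssec-validation, as suggested above for the first case, removes the check altogether rather than repairing the chain.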


Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Petr Vobornik
On 01/05/2017 07:10 AM, Ben .T.George wrote:
> HI
> 
> Yes, I did the same and the port is still not listening.
> 
> [root@zkwipamstr01 ~]# cat /etc/hosts
> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> 
> 
> Regards
> Ben

Also IPv6 stack needs to be enabled.

> 
> On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale  > wrote:
> 
> On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > HI
> >
> > Port 8009 is not listening on the master server,
> >
> > and I added "::1 localhost localhost.localdomain localhost6
> > localhost6.localdomain6" to the hosts file.
> >
> 
> Did you add this to the host file on the master (then `systemctl
> restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
> 8009)?  Or just the client you are trying to promote?
> 
> It is needed on the master.  Won't hurt to make this change to
> /etc/hosts on both machines, though.
> 
> HTH,
> Fraser
> 
>  > still getting same error
>  >
>  >  [28/44]: restarting directory server
>  > ipa : CRITICAL Failed to restart the directory server (Command
>  > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned 
> non-zero
>  > exit status 1). See the installation log for details.
>  >   [29/44]: setting up initial replication
>  >   [error] error: [Errno 111] Connection refused
>  > Your system may be partly configured.
>  > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>  >
>  > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
>  > Connection refused
>  > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
>  > ipa-replica-install command failed. See 
> /var/log/ipareplica-install.log for
>  > more information
>  >
>  >
>  > Also  ipv6 is disabled on both nodes
>  >
>  > Regards,
>  > Ben
>  >
>  > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik  > wrote:
>  >
>  > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
>  > > > HI
>  > > >
>  > > > I tried the method mentioned in that document and it ended up with the
>  > > > below error. My DNS is managed by an external box and I don't want to
>  > > > create any DNS record on these servers.
>  > > >
>  > > > And the command which I tried is (non-client server):
>  > > >
>  > > > ipa-replica-install --principal admin --admin-password P@ssw0rd --domain
>  > > > kw.example.com --server zkwipamstr01.kw.example.com
>  > > >
>  > > >
>  > > >
>  > > >
>  > > > ipa : CRITICAL Failed to restart the directory server 
> (Command
>  > > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
>  > > non-zero exit
>  > > > status 1). See the installation log for details.
>  > > >[29/44]: setting up initial replication
>  > > >[error] error: [Errno 111] Connection refused
>  > > > Your system may be partly configured.
>  > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>  > > >
>  > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 
> 111]
>  > > Connection
>  > > > refused
>  > > > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
>  > > > ipa-replica-install command failed. See 
> /var/log/ipareplica-install.log
>  > > for more
>  > > > information
>  > >
>  > > This looks like bug https://fedorahosted.org/freeipa/ticket/6575
> 
>  > >
>  > > To verify that, could you check whether the master server internally listens
>  > > on port 8009, or whether ipareplica-install.log contains the CA_UNREACHABLE
>  > > string near step 27?
>  > >
>  > > The usual fix is to add the following line to /etc/hosts:
>  > >   ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>  > >
>  > >
>  > > > [root@zkwiparepa01 ~]# /bin/systemctl restart
>  > > dirsrv@KW-EXAMPLE-COM.service
>  > > > Job for dirsrv@KW-EXAMPLE-COM.service failed because the control
>  > > process exited
>  > > > with error code. See "systemctl status 
> dirsrv@KW-EXAMPLE-COM.service"