Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Tim Hildred
Hey, sorry, I'm a little confused about all the pieces. 

I want to let my users reset expired passwords using ssh. I would really like 
them to be able to use the same password every time, and not worry if that 
password is "icecream". 

From what I can tell, sshd_config turns the authentication over to PAM, which 
uses sssd(?) to get information from IPA.

Is it true this line in /etc/pam.d/password-auth was enforcing the stringent 
requirements, and not IPA? 
password    requisite     pam_cracklib.so

I've noticed that if I comment out that line, authentication fails because none 
of my IPA users are in /etc/passwd. The configuration also gets reset to the 
default when I restart sssd.

Can anyone give me a suggestion that will:
- allow my users to use any password they want, with the least possible 
restrictions, 
- reset expired passwords with SSH?

Here is a selection from krb5kdc.log (followed by the corresponding section of 
/var/log/secure):

Sep 20 13:22:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
krbtgt/ecs-cloud.lab.eng.bne.redhat@ecs-cloud.lab.eng.bne.redhat.com, 
Password has expired
Sep 20 13:22:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:22:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111377, 
etypes {rep=18 tkt=18 ses=18}, ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:23:03 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:23:03 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 20 13:23:03 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: PREAUTH_FAILED: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Decrypt integrity check failed
Sep 20 13:23:55 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
krbtgt/ecs-cloud.lab.eng.bne.redhat@ecs-cloud.lab.eng.bne.redhat.com, 
Password has expired
Sep 20 13:23:55 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:23:55 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111435, 
etypes {rep=18 tkt=18 ses=18}, ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:23:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:23:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111437, 
etypes {rep=18 tkt=18 ses=18}, ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com, Additional pre-authentication 
required
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111454, 
etypes {rep=18 tkt=18 ses=18}, ti...@ecs-cloud.lab.eng.bne.redhat.com for 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: 
kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com for 
krbtgt/ecs-cloud.lab.eng.bne.redhat@ecs-cloud.lab.eng.bne.redhat.com, 
Additional pre-authentication required
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): 
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111454, 
etypes {rep=18 tkt=18 ses=18}, kadmin/chang...@ecs-cloud.lab.eng.bne.redhat.com 
for krbtgt/ecs-cloud.lab.eng.bne.redhat@ecs-cloud.l
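
The krb5kdc.log excerpt above records the whole expired-password flow from the KDC's side: the AS_REQ for the krbtgt is refused with CLIENT KEY EXPIRED, a ticket for kadmin/changepw is issued, and at 13:23:03 a PREAUTH_FAILED with "Decrypt integrity check failed" shows the current password being mistyped at the change prompt. What the KDC log never shows is the verdict on the new password: that comes back in the kpasswd exchange, where FreeIPA's own server-side password policy applies regardless of any pam_cracklib line on the client. The parser below, an added example that is not part of the original post or of FreeIPA, reconstructs that timeline from constructed sample lines (hypothetical realm EXAMPLE.COM, principal tim@EXAMPLE.COM) wrapped the way the mail archive wraps them.

```python
"""Reconstruct an expired-password change attempt from krb5kdc.log records.

Added example (not FreeIPA/MIT code). The sample is constructed with a
hypothetical realm EXAMPLE.COM and principal tim@EXAMPLE.COM; the lines are
wrapped the way a mail archive wraps them, so continuation lines are joined
back into single records before parsing.
"""
import re
from collections import defaultdict

HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\):\s*(?P<msg>.*)$"
)
REQUEST = re.compile(
    r"^(?P<kind>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_ ]+?): (?P<rest>.*)$"
)
PRINCIPALS = re.compile(r"(?P<client>\S+) for (?P<server>\S+?)(?:,\s*(?P<detail>.*))?$")

# Constructed sample (hypothetical principals), wrapped like the excerpt above:
# expired password -> changepw ticket -> one mistyped current password -> retry.
SAMPLE_LOG = """\
Sep 20 13:22:57 kdc1.example.com krb5kdc[1402](info):
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED:
tim@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Sep 20 13:22:57 kdc1.example.com krb5kdc[1402](info):
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH:
tim@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication
required
Sep 20 13:22:57 kdc1.example.com krb5kdc[1402](info):
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111377,
etypes {rep=18 tkt=18 ses=18}, tim@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Sep 20 13:23:03 kdc1.example.com krb5kdc[1402](info):
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH:
tim@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication
required
Sep 20 13:23:03 kdc1.example.com krb5kdc[1402](info):
preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 20 13:23:03 kdc1.example.com krb5kdc[1402](info):
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: PREAUTH_FAILED:
tim@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Decrypt integrity check failed
Sep 20 13:23:55 kdc1.example.com krb5kdc[1402](info):
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH:
tim@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication
required
Sep 20 13:23:55 kdc1.example.com krb5kdc[1402](info):
AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111435,
etypes {rep=18 tkt=18 ses=18}, tim@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
"""


def unwrap(text):
    """Join continuation lines back onto their record (mail archives wrap long lines)."""
    records = []
    for line in text.splitlines():
        if HEADER.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse(text):
    """One dict per record; AS_REQ/TGS_REQ records get client, server and detail."""
    events = []
    for rec in unwrap(text):
        h = HEADER.match(rec)
        if not h:
            continue
        r = REQUEST.match(h["msg"])
        if not r:
            # bare diagnostic such as "preauth (timestamp) verify failure: ..."
            events.append({"ts": h["ts"], "kind": "DIAG", "msg": h["msg"]})
            continue
        p = PRINCIPALS.search(r["rest"])
        events.append({
            "ts": h["ts"], "kind": r["kind"], "ip": r["ip"], "status": r["status"],
            "client": p["client"] if p else None,
            "server": p["server"] if p else None,
            "detail": (p["detail"] or "") if p else "",
        })
    return events


def password_change_timeline(events):
    """Per (client IP, principal): the steps of an expired-password change.

    The KDC only shows the ticket for kadmin/changepw being issued; the new
    password travels in the kpasswd exchange, which this log does not record,
    so a policy rejection of the new password never appears here.  PREAUTH_FAILED
    with "Decrypt integrity check failed" means the *current* password typed at
    the prompt did not match the principal's key.
    """
    steps = defaultdict(list)
    for e in events:
        if e["kind"] != "AS_REQ" or not e["server"]:
            continue
        key = (e["ip"], e["client"])
        service = e["server"].split("@")[0]
        if e["status"] == "CLIENT KEY EXPIRED" and service.startswith("krbtgt/"):
            steps[key].append((e["ts"], "expired", e["detail"]))
        elif service == "kadmin/changepw" and e["status"] == "ISSUE":
            steps[key].append((e["ts"], "changepw-ticket", ""))
        elif service == "kadmin/changepw" and e["status"] == "PREAUTH_FAILED":
            steps[key].append((e["ts"], "wrong-password", e["detail"]))
    return dict(steps)


if __name__ == "__main__":
    for (ip, who), trail in password_change_timeline(parse(SAMPLE_LOG)).items():
        print(f"{who} from {ip}:")
        for ts, label, detail in trail:
            print(f"  {ts}  {label:16} {detail}")
```

To see the policy the server will apply to the new password, look at the IPA side rather than the client PAM stack: `ipa pwpolicy-show` prints the global policy (minimum length, character classes, history, lifetimes), and `ipa pwpolicy-mod` changes it; the client's pam_cracklib line, where present in the `password` stack, is an additional check in front of that.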

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-19 Thread Steven Jones
It isn't.

I'm doing an OU=VUW_Staff instead of cn=VUW_Staff and it's mostly working, except 
I'm also getting some "rubbish", so it's looking like the import script/query to 
AD isn't right.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 20 September 2012 12:15 p.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Hi,

I have --win-subtree cn= etc. I take it that cn= is fine and that ou= and cn= are 
the same thing?


regards

Steven Jones



From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 20 September 2012 11:03 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/19/2012 04:55 PM, Steven Jones wrote:
Hi,


Sample of errors log,

=
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f70011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: 
stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: 
stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_add_csn_inprogress: 
successfully inserted csn 504d01f80011 into pending list
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information 
from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to 
CSN 504d42c50004
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f80011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: 
stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: 
stop_fatal_error -> stop_fatal_error
=

Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?





regards

Steven Jones



From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 19 September 2012 12:32 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 07:10 PM, Steven Jones wrote:
Hi,

I understand that I'll lose users that are cn=Staff_Admins,dc=etc

So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc




This I don't understand.

I have the -v already; any way to make it very verbose?

http://port389.org/wiki/FAQ#Troubleshooting
Use the replication log level 8192
I'd like to see the directory server errors log 
/var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under the 
--win-subtree cn=VUW_Staff,dc= etc



regards

Steven Jones



From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 18 September 2012 12:47 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 06:17 PM, Steven Jones wrote:
Hi,

The first time I missed the --win-subtree settings, so I wiped the admins in the 
IPA admin group and users, as they were not in cn=users as per the bug.  The 
second time, as far as I can tell, I specified the correct cn vi

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-19 Thread Steven Jones
Hi,

I have --win-subtree cn= etc. I take it that cn= is fine and that ou= and cn= are 
the same thing?


regards

Steven Jones




Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-19 Thread Steven Jones
Hi,

No, that is the replication agreement; I've turned that server off so it doesn't 
also get "wiped".

I am running with log error level 8192 right now for a full errors output...



regards

Steven Jones



From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, 20 September 2012 11:03 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users


Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?






Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-19 Thread Rich Megginson

On 09/19/2012 04:55 PM, Steven Jones wrote:

Hi,


Sample of errors log,

=
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program 
- _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program 
- _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f70011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): 
State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): 
State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
ruv_add_csn_inprogress: successfully inserted csn 504d01f80011 
into pending list
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state 
information from entry 
uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN 
504d42c50004
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program 
- _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program 
- _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f80011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): 
State: stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): 
State: stop_fatal_error -> stop_fatal_error

=


Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?





regards

Steven Jones



From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 19 September 2012 12:32 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 07:10 PM, Steven Jones wrote:

Hi,

I understand that I'll lose users that are cn=Staff_Admins,dc=etc

So the Q is why I am losing users in the --win-subtree 
cn=VUW_Staff,dc= etc






This I don't understand.

I have the -v already; any way to make it very verbose?


http://port389.org/wiki/FAQ#Troubleshooting
Use the replication log level 8192
I'd like to see the directory server errors log 
/var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under 
the --win-subtree cn=VUW_Staff,dc= etc




regards

Steven Jones



From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 18 September 2012 12:47 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/17/2012 06:17 PM, Steven Jones wrote:

Hi,

The first time I missed the --win-subtree settings, so I wiped the 
admins in the IPA admin group and users, as they were not in cn=users 
as per the bug.  The second time, as far as I can tell, I specified 
the correct cn via the win-subtree flag, but I still appear to have lost 
the users in IPA. Now I expected to lose the admins, but the loss 
of users as well confounds me.


I did an ldapsearch as per checking and it seems to be saying the 
right folder/ou/cn, but IPA is empty.


Hence I was wondering if there was a log recording what the update 
was doing so I could try and figure out the mistake.  I've tried 
grepping; can't find any indication.


I will re-try with -v, verbose.


It is not clear from the manuals, but no matter what --win-subtree you 
specify, winsync will search AD starting from the dc=domain suffix.  
So, for example, if you have

cn=mystaff,cn=staff,dc=example,dc=com
and you specify
--win-subtree "cn=mystaff,cn=staff,dc=example,dc=com"
winsync will still search starting from dc=example,dc=com and will 
hit ticket/355 if there are any users outside of 
cn=mystaff,cn=staff,dc=example,dc=com that have the same username as 
a user in IPA.




regards

Steven Jones

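
Rich's point above is the one that matters operationally: winsync searches AD from the dc= domain suffix whatever --win-subtree says, and any AD account outside the subtree whose sAMAccountName equals an IPA uid is where the ticket/355 behaviour bites; narrowing --win-subtree does not protect you from it. The check below is an added example, not FreeIPA or 389-ds code, that encodes that behaviour as a pre-flight collision report over constructed data (hypothetical DNs and usernames, no LDAP connection): feed it the (dn, sAMAccountName) pairs from a search of the whole AD domain suffix and the uid values from cn=users,cn=accounts, and resolve everything in the "outside" list before the agreement is created.

```python
"""Pre-flight check for a winsync agreement.

Added example, not FreeIPA or 389-ds code. It encodes the behaviour described
in the thread (winsync searches AD from the dc= domain suffix no matter what
--win-subtree says, and collides on AD accounts whose sAMAccountName equals an
IPA uid) against constructed data, with no LDAP connection.
"""


def normalize_dn(dn):
    """Lower-case RDNs and drop whitespace around commas so DNs compare equal.

    Naive split: DNs containing escaped commas would need a real DN parser.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(dn, base):
    """True if dn equals base or lies beneath it in the tree."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def domain_suffix(dn):
    """The dc=... tail of a DN: the base winsync really searches from."""
    parts = normalize_dn(dn).split(",")
    while parts and not parts[0].startswith("dc="):
        parts.pop(0)
    return ",".join(parts)


def winsync_collisions(ad_entries, ipa_uids, win_subtree):
    """AD accounts that share a username with an IPA user.

    ad_entries: iterable of (dn, sAMAccountName) from a search of the AD
    domain suffix; ipa_uids: uid values under cn=users,cn=accounts.
    Returns (inside_subtree, outside_subtree).  Entries in the second list
    are the ones a narrower --win-subtree does not protect you from.
    """
    suffix = domain_suffix(win_subtree)
    ipa = {u.lower() for u in ipa_uids}
    inside, outside = [], []
    for dn, sam in ad_entries:
        if not is_under(dn, suffix):
            continue  # another AD domain; winsync never sees it
        if sam.lower() not in ipa:
            continue
        (inside if is_under(dn, win_subtree) else outside).append((dn, sam))
    return inside, outside


# Constructed AD and IPA data (hypothetical names) for the demo.  "admin"
# outside the subtree mirrors the admin-account loss described in the thread.
AD_ENTRIES = [
    ("CN=Alice Smith,CN=mystaff,CN=staff,DC=example,DC=com", "asmith"),
    ("CN=Bob Jones,CN=mystaff,CN=staff,DC=example,DC=com", "bjones"),
    ("CN=svc-backup,OU=Service Accounts,DC=example,DC=com", "admin"),
    ("CN=Old Bob,OU=Disabled,DC=example,DC=com", "bjones"),
    ("CN=Carol,CN=Users,DC=other,DC=com", "asmith"),
]
IPA_UIDS = ["admin", "asmith", "bjones", "carol"]
WIN_SUBTREE = "cn=mystaff,cn=staff,dc=example,dc=com"


if __name__ == "__main__":
    inside, outside = winsync_collisions(AD_ENTRIES, IPA_UIDS, WIN_SUBTREE)
    print("in scope (these will be synced):", inside)
    print("OUT of scope but same username (resolve before enabling):", outside)
```

For live data, the AD side is an ordinary `ldapsearch` with `-b` set to the domain suffix (dc=example,dc=com here, a hypothetical value), filter `(objectClass=user)` and attribute `sAMAccountName`; the IPA side is the `uid` attribute under cn=users,cn=accounts of the IPA suffix. Rename or exclude the out-of-scope accounts on one side before the agreement is created; changing --win-subtree alone does not help, as Rich says.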

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-19 Thread Steven Jones
Hi,


Sample of errors log,

=
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f70011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: 
stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: 
stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_add_csn_inprogress: 
successfully inserted csn 504d01f80011 into pending list
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state information 
from entry uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to 
CSN 504d42c50004
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - 
_cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
/var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
successfully committed csn 504d01f80011
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): State: 
stop_fatal_error -> stop_fatal_error
[17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): State: 
stop_fatal_error -> stop_fatal_error
=




regards

Steven Jones




Re: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-19 Thread Rob Crittenden

Sigbjorn Lie wrote:

On 09/19/2012 11:05 PM, Rob Crittenden wrote:

Sigbjorn Lie wrote:

On 09/19/2012 10:48 PM, Rob Crittenden wrote:

Sigbjorn Lie wrote:

Hi,

I noticed an updated krb5-server package today advertising that it's
fixing the issue with slow GSSAPI binds discussed earlier, so I
installed it in my test environment, set SElinux back to enforcing in
/etc/sysconfig/selinux and rebooted.

The named daemon does not start now. The error below was logged in
/var/log/messages:

Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (KDC returned error
string: PROCESS_TGS)

I am able to start named after setting SElinux in permissive mode
(setenforce 0).

Then to verify: I stopped all IPA services (ipactl stop), re-enabled SELinux
(setenforce 1), and started the IPA services (ipactl start). A new error
is logged in /var/log/messages:
is logged in /var/log/messages:

Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
credentials
Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
denied
Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)


 From the /var/log/krb5kdc.log:
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,  for , Cannot create replay cache file /var/tmp/krbtgt_0: File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,  for , Cannot create replay cache file /var/tmp/krbtgt_0: File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH: DNS/ipa01.ix.test@ix.test.com for krbtgt/ix.test@ix.test.com, Additional pre-authentication required
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test@ix.test.com for krbtgt/ix.test@ix.test.com

/var/named/data/named.run logged nothing.



Any suggestions for how to troubleshoot this issue?


Pure guess, but:

restorecon /var/tmp/krbtgt_0

rob

Sorry, that did not help. There seems to be a new error in the messages
file every time I attempt a named restart though. See below for the
latest:

Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
(IX.TEST.COM) does not match tkey-gssapi-credential
(DNS/ipa01.ix.test.com)
Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)


I'd continue to check /var/log/audit/audit.log for AVCs.

rob



OK, I had a quick look before I'm off for today. :)

There's a lot of these messages, denying named access to /var/tmp/DNS_25.



type=AVC msg=audit(1348086955.397:42404): avc:  denied  { getattr } for
pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348086955.398:42405): avc:  denied  { read write }
for  pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348086955.398:42405): avc:  denied  { open } for
pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.524:42438): avc:  denied  { getattr } for
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.524:42439): avc:  denied  { unlink } for
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42440): avc:  denied  { getattr } for
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42441): avc:  denied  { unlink } for
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42442): avc:  denied  { getattr } for
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42443): avc:  denied  { unlink } for
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42444): avc:  denied  { getattr } for
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
s

Re: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-19 Thread Sigbjorn Lie

On 09/19/2012 11:05 PM, Rob Crittenden wrote:

Sigbjorn Lie wrote:

On 09/19/2012 10:48 PM, Rob Crittenden wrote:

Sigbjorn Lie wrote:

Hi,

I noticed an updated krb5-server package today advertising that it's
fixing the issue with slow GSSAPI binds discussed earlier, so I
installed it in my test environment, set SElinux back to enforcing in
/etc/sysconfig/selinux and rebooted.

The named daemon does not start now. The error below was logged in
/var/log/messages:

Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (KDC returned error
string: PROCESS_TGS)

I am able to start named after setting SElinux in permissive mode
(setenforce 0).

Then to verify: I stop all IPA services (ipactl stop), reenabled 
selinux

(setenforce 1), and start the IPA services (ipactl start). A new error
is logged in /var/log/messages:

Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
credentials
Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
denied
Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)


 From the /var/log/krb5kdc.log:
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,
for , Cannot create replay cache file /var/tmp/krbtgt_0:
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,
for , Cannot create replay cache file /var/tmp/krbtgt_0:
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
DNS/ipa01.ix.test@ix.test.com for krbtgt/ix.test@ix.test.com,
Additional pre-authentication required
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
{rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test@ix.test.com for
krbtgt/ix.test@ix.test.com

/var/named/data/named.run logged nothing.



Any suggestions for how to troubleshoot this issue?


Pure guess, but:

restorecon /var/tmp/krbtgt_0

rob

Sorry, that did not help. There seems to be a new error in the messages
file every time I attempt a named restart though. See below for the
latest:


Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
(IX.TEST.COM) does not match tkey-gssapi-credential (DNS/ipa01.ix.test.com)
Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)


I'd continue to check /var/log/audit/audit.log for AVCs.

rob



OK, I had a quick look before I'm off for today. :)

There's a lot of these messages, denying named access to /var/tmp/DNS_25.



type=AVC msg=audit(1348086955.397:42404): avc:  denied  { getattr } for  
pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 
scontext=unconfined_u:system_r:named_t:s0 
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348086955.398:42405): avc:  denied  { read write } 
for  pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 
scontext=unconfined_u:system_r:named_t:s0 
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348086955.398:42405): avc:  denied  { open } for  
pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 
scontext=unconfined_u:system_r:named_t:s0 
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.524:42438): avc:  denied  { getattr } for  
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 
scontext=unconfined_u:system_r:named_t:s0 
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.524:42439): avc:  denied  { unlink } for  
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 
scontext=unconfined_u:system_r:named_t:s0 
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42440): avc:  denied  { getattr } for  
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 
scontext=unconfined_u:system_r:named_t:s0 
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42441): avc:  denied  { unlink } for  
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 
scontext=unconfined_u:system_r:named_t:s0 
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42442): avc:  denied  { getattr } for  
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 
scontext=unconfined_u:system_r:named_t:s0 
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42443): avc:  denied  { unlink } for  
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 
scontext=unconfined_u:system_r:named_t:s0 
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42444): avc:  denied  { getattr } for  
pid=12639 comm="named
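For the AVC records above, an added example (not code from the thread or from FreeIPA) that parses audit.log lines and groups denials by process and target inode, so the path="/var/tmp/DNS_25" and name="DNS_25" variants of the same file collapse into one entry; the input is constructed from the records quoted above plus one non-AVC line to show filtering.

```python
# Added example: summarise SELinux AVC denials from audit.log by process and
# target inode. Not code from the thread or from FreeIPA.
import re
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed sample input: four AVC records quoted in the thread plus one
# unrelated SYSCALL record (constructed) that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1348086955.397:42404): avc:  denied  { getattr } for  pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348086955.398:42405): avc:  denied  { read write } for  pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348086955.398:42405): avc:  denied  { open } for  pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.524:42439): avc:  denied  { unlink } for  pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1348086955.397:42404): arch=c000003e syscall=4 success=no exit=-13 comm="named"
"""

AVC_RE = re.compile(  # fixed header, then a free-form key=value tail
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the SELinux type from a user:role:type[:level] context string."""
    parts = context.split(':') if context else []
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'pid': kv.get('pid'),
        'comm': kv.get('comm'),
        # getattr records carry path=, open/read/unlink records carry name=
        'target': kv.get('path') or kv.get('name') or '',
        'dev': kv.get('dev'),
        'ino': kv.get('ino'),
        'sdomain': type_of(kv.get('scontext')),
        'ttype': type_of(kv.get('tcontext')),
        'tclass': kv.get('tclass'),
    }


@dataclass
class Denial:
    comm: str
    sdomain: str
    tclass: str
    ttype: str
    dev: str
    ino: str
    target: str = ''
    perms: set = field(default_factory=set)
    pids: set = field(default_factory=set)
    count: int = 0


def summarise(lines, comm=None):
    """Group denied AVC records by (comm, source domain, dev, inode, class).
    Keying on dev/inode merges the path="..." and name="..." variants of
    the same file, which is what the thread's records look like."""
    groups = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        if comm is not None and rec['comm'] != comm:
            continue
        key = (rec['comm'], rec['sdomain'], rec['dev'], rec['ino'], rec['tclass'])
        d = groups.setdefault(key, Denial(rec['comm'], rec['sdomain'], rec['tclass'],
                                          rec['ttype'], rec['dev'], rec['ino']))
        if rec['target'].startswith('/') or not d.target:  # prefer the full path
            d.target = rec['target']
        d.perms.update(rec['perms'])
        d.pids.add(rec['pid'])
        d.count += 1
    return groups


def report(groups):
    """One human-readable line per group."""
    return [
        f"{d.comm} ({d.sdomain}) denied {{ {' '.join(sorted(d.perms))} }} on "
        f"{d.tclass} {d.target} labelled {d.ttype} "
        f"[dev={d.dev} ino={d.ino}; {d.count} records, {len(d.pids)} pids]"
        for d in groups.values()
    ]


if __name__ == '__main__':
    for line in report(summarise(SAMPLE_AUDIT_LOG.splitlines(), comm='named')):
        print(line)
```

On a live host, feed it `grep '^type=AVC' /var/log/audit/audit.log` and compare the reported target's label (`ls -Z`) with what the policy expects before reaching for restorecon, as the thread suggests.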

Re: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-19 Thread Sigbjorn Lie
Ok. I'm fairly new to selinux but I will give it a go tomorrow.

Thanks.

Rgds
S.

Rob Crittenden  wrote:

>Sigbjorn Lie wrote:
>> On 09/19/2012 10:48 PM, Rob Crittenden wrote:
>>> Sigbjorn Lie wrote:
 Hi,

 I noticed an updated krb5-server package today advertising that
>it's
 fixing the issue with slow GSSAPI binds discussed earlier, so I
 installed it in my test environment, set SElinux back to enforcing
>in
 /etc/sysconfig/selinux and rebooted.

 The named daemon does not start now. The error below was logged in
 /var/log/messages:

 Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
 failure.  Minor code may provide more information (KDC returned
>error
 string: PROCESS_TGS)

 I am able to start named after setting SElinux in permissive mode
 (setenforce 0).

 Then to verify: I stop all IPA services (ipactl stop), reenabled
>selinux
 (setenforce 1), and start the IPA services (ipactl start). A new
>error
 is logged in /var/log/messages:

 Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed:
>Invalid
 credentials
 Sep 19 22:00:49 ipa01 named[5918]: loading configuration:
>permission
 denied
 Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)


  From the /var/log/krb5kdc.log:
 Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
>etypes
 {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, client>
 for , Cannot create replay cache file
>/var/tmp/krbtgt_0:
 File exists
 Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
>etypes
 {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, client>
 for , Cannot create replay cache file
>/var/tmp/krbtgt_0:
 File exists
 Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
>etypes
 {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
 DNS/ipa01.ix.test@ix.test.com for
>krbtgt/ix.test@ix.test.com,
 Additional pre-authentication required
 Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
>etypes
 {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
 {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test@ix.test.com for
 krbtgt/ix.test@ix.test.com

 /var/named/data/named.run logged nothing.



 Any suggestions for how to troubleshoot this issue?
>>>
>>> Pure guess, but:
>>>
>>> restorecon /var/tmp/krbtgt_0
>>>
>>> rob
>> Sorry, that did not help. There seems to be a new error in the
>messages
>> file every time I attempt a named restart though. See below for the
>latest:
>>
>> Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
>> (IX.TEST.COM) does not match tkey-gssapi-credential
>(DNS/ipa01.ix.test.com)
>> Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
>> Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
>> Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)
>
>I'd continue to check /var/log/audit/audit.log for AVCs.
>
>rob

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-19 Thread Rob Crittenden

Sigbjorn Lie wrote:

On 09/19/2012 10:48 PM, Rob Crittenden wrote:

Sigbjorn Lie wrote:

Hi,

I noticed an updated krb5-server package today advertising that it's
fixing the issue with slow GSSAPI binds discussed earlier, so I
installed it in my test environment, set SElinux back to enforcing in
/etc/sysconfig/selinux and rebooted.

The named daemon does not start now. The error below was logged in
/var/log/messages:

Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (KDC returned error
string: PROCESS_TGS)

I am able to start named after setting SElinux in permissive mode
(setenforce 0).

Then to verify: I stop all IPA services (ipactl stop), reenabled selinux
(setenforce 1), and start the IPA services (ipactl start). A new error
is logged in /var/log/messages:

Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
credentials
Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
denied
Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)


 From the /var/log/krb5kdc.log:
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, 
for , Cannot create replay cache file /var/tmp/krbtgt_0:
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, 
for , Cannot create replay cache file /var/tmp/krbtgt_0:
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
DNS/ipa01.ix.test@ix.test.com for krbtgt/ix.test@ix.test.com,
Additional pre-authentication required
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
{rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test@ix.test.com for
krbtgt/ix.test@ix.test.com

/var/named/data/named.run logged nothing.



Any suggestions for how to troubleshoot this issue?


Pure guess, but:

restorecon /var/tmp/krbtgt_0

rob

Sorry, that did not help. There seems to be a new error in the messages
file every time I attempt a named restart though. See below for the latest:

Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
(IX.TEST.COM) does not match tkey-gssapi-credential (DNS/ipa01.ix.test.com)
Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)


I'd continue to check /var/log/audit/audit.log for AVCs.

rob



Re: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-19 Thread Sigbjorn Lie

On 09/19/2012 10:48 PM, Rob Crittenden wrote:

Sigbjorn Lie wrote:

Hi,

I noticed an updated krb5-server package today advertising that it's
fixing the issue with slow GSSAPI binds discussed earlier, so I
installed it in my test environment, set SElinux back to enforcing in
/etc/sysconfig/selinux and rebooted.

The named daemon does not start now. The error below was logged in
/var/log/messages:

Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (KDC returned error
string: PROCESS_TGS)

I am able to start named after setting SElinux in permissive mode
(setenforce 0).

Then to verify: I stop all IPA services (ipactl stop), reenabled selinux
(setenforce 1), and start the IPA services (ipactl start). A new error
is logged in /var/log/messages:

Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
credentials
Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission denied
Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)


 From the /var/log/krb5kdc.log:
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, 
for , Cannot create replay cache file /var/tmp/krbtgt_0:
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, 
for , Cannot create replay cache file /var/tmp/krbtgt_0:
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
DNS/ipa01.ix.test@ix.test.com for krbtgt/ix.test@ix.test.com,
Additional pre-authentication required
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
{rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test@ix.test.com for
krbtgt/ix.test@ix.test.com

/var/named/data/named.run logged nothing.



Any suggestions for how to troubleshoot this issue?


Pure guess, but:

restorecon /var/tmp/krbtgt_0

rob
Sorry, that did not help. There seems to be a new error in the messages
file every time I attempt a named restart though. See below for the latest:


Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
(IX.TEST.COM) does not match tkey-gssapi-credential (DNS/ipa01.ix.test.com)
Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)


Rgds,
Siggi



Re: [Freeipa-users] NFS on Mac

2012-09-19 Thread Steven Jones
I can do you a virtual Mac...

:P

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Wednesday, 19 September 2012 8:18 p.m.
To: Petr Spacek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] NFS on Mac

As usual, if someone is interested in sending me a Mac I'll be happy to do the 
testing and submit
the results.

*grin* :)



Regards,
Siggi



On Wed, September 19, 2012 10:08, Petr Spacek wrote:
> On 09/17/2012 10:32 PM, Steven Jones wrote:
>
>> If anyone has Mac instructions I'd love a copy pls.
>>
>
> As usual, we can create account on freeipa.org wiki if anybody is interested
> in creating a how-to. That is the best place to share.
>
> Let us know!
>
>
> Petr^2 Spacek
>
>
>>
>> --
>> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] 
>> on
>> behalf of Dmitri Pal [d...@redhat.com] *Sent:* Tuesday, 18 September 2012 
>> 6:47 a.m.
>> *To:* george he
>> *Cc:* freeipa-users@redhat.com
>> *Subject:* Re: [Freeipa-users] NFS on Mac
>>
>>
>> On 09/17/2012 02:21 PM, george he wrote:
>>
>>> sounds to me the link may work for nfs version 3 only. Now with IPA and 
>>> NFS4, there got to be
>>> something more. George
>>>
>>
>> I do not know the exact steps on Mac because there is no ipa-client on Mac so
>> you would have to configure the machine to be an IPA client manually. This
>> would mean that you need to authenticate with kerberos and then make the nfs
>> part use the credential cache of the logged in user (if you are planning to
>> use it for users mounting shares). This is what needs to happen conceptually.
>> I know that people have done it in the past but I do not think there are
>> instructions.
>>
>> Once you managed to do it please see the presentation how to setup secure NFS
>> on Linux
>> http://rhsummit.files.wordpress.com/2012/03/dickson_the_evolution_nfs_protocol.pdf
>> Maybe it will give you some hints and pointers.
>>
>>
>> The only known problem with this slide deck is that on slide 18 after kinit
>> admin and before ipa-getkeytab you need to add service for the NFS server 
>> ipa service-add
>> nfs/`hostname`@EXAMPLE
>>
>> HTH
>>
>>>
>>> --
>>> *From:* Dmitri Pal 
>>> *To:* freeipa-users@redhat.com
>>> *Sent:* Monday, September 17, 2012 11:20 AM
>>> *Subject:* Re: [Freeipa-users] NFS on Mac
>>>
>>>
>>> On 09/17/2012 11:07 AM, george he wrote:
>>>
 Hello all,
 I have IPA server and NFS server set up on a computer running centos 6.3.
 Is there a way to set up a mac laptop to access the data on the NFS server?
 The laptop does not have a static IP. DNS is not configured with IPA.
 If yes, how do I config the mac?

>>>
>>> Is this what you are looking for?
>>> http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/
>>>
>>>
 Thanks,
 George

>
>
>







Re: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-19 Thread Rob Crittenden

Sigbjorn Lie wrote:

Hi,

I noticed an updated krb5-server package today advertising that it's
fixing the issue with slow GSSAPI binds discussed earlier, so I
installed it in my test environment, set SElinux back to enforcing in
/etc/sysconfig/selinux and rebooted.

The named daemon does not start now. The error below was logged in
/var/log/messages:

Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (KDC returned error
string: PROCESS_TGS)

I am able to start named after setting SElinux in permissive mode
(setenforce 0).

Then to verify: I stop all IPA services (ipactl stop), reenabled selinux
(setenforce 1), and start the IPA services (ipactl start). A new error
is logged in /var/log/messages:

Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
credentials
Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission denied
Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)


 From the /var/log/krb5kdc.log:
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, 
for , Cannot create replay cache file /var/tmp/krbtgt_0:
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, 
for , Cannot create replay cache file /var/tmp/krbtgt_0:
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
DNS/ipa01.ix.test@ix.test.com for krbtgt/ix.test@ix.test.com,
Additional pre-authentication required
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
{rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test@ix.test.com for
krbtgt/ix.test@ix.test.com

/var/named/data/named.run logged nothing.



Any suggestions for how to troubleshoot this issue?


Pure guess, but:

restorecon /var/tmp/krbtgt_0

rob



Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden

Nathan Lager wrote:




On 09/19/2012 03:47 PM, Rob Crittenden wrote:

Dmitri Pal wrote:


Rob, keytab and kerberos part seems to be fine, ldap works too.
Can it be one of the certs? May be some cert expired?


No, the error is coming from GSSAPI, it is unfortunately
completely useless. I think we've pretty well narrowed down the
problem to httpd/mod_auth_kerb but I don't know yet if this is a
configuration issue or a bug.

Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?

Sure, as far as I know it's completely stock, aside from the krb
password auth change.


Yup, configuration looks fine.

Ok, let's eliminate the ipa tool as the problem and try curl:

Create a file test.json with these contents:

{"method":"batch","params":[[
{"method":"user_show","params":[["admin"],{"all":false}]}
],{}],"id":1}

then run this:

curl -H "Content-Type:application/json" -H "Accept:application/json" \
     -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
     --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST \
     https://caroline0.lafayette.edu/ipa/json


This does the equivalent of an: ipa user-show admin

rob



[Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-19 Thread Sigbjorn Lie

Hi,

I noticed an updated krb5-server package today advertising that it's 
fixing the issue with slow GSSAPI binds discussed earlier, so I 
installed it in my test environment, set SElinux back to enforcing in 
/etc/sysconfig/selinux and rebooted.


The named daemon does not start now. The error below was logged in 
/var/log/messages:


Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS 
failure.  Minor code may provide more information (KDC returned error 
string: PROCESS_TGS)


I am able to start named after setting SElinux in permissive mode 
(setenforce 0).


Then to verify: I stop all IPA services (ipactl stop), reenabled selinux 
(setenforce 1), and start the IPA services (ipactl start). A new error 
is logged in /var/log/messages:


Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
credentials
Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission denied
Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)


From the /var/log/krb5kdc.log:
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes 
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,  
for , Cannot create replay cache file /var/tmp/krbtgt_0: 
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes 
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0,  
for , Cannot create replay cache file /var/tmp/krbtgt_0: 
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes 
{18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH: 
DNS/ipa01.ix.test@ix.test.com for krbtgt/ix.test@ix.test.com, 
Additional pre-authentication required
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes 
{18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes 
{rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test@ix.test.com for 
krbtgt/ix.test@ix.test.com


/var/named/data/named.run logged nothing.



Any suggestions for how to troubleshoot this issue?



Regards,
Siggi




Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager



On 09/19/2012 03:47 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> 
>> Rob, keytab and kerberos part seems to be fine, ldap works too. 
>> Can it be one of the certs? May be some cert expired?
> 
> No, the error is coming from GSSAPI, it is unfortunately
> completely useless. I think we've pretty well narrowed down the
> problem to httpd/mod_auth_kerb but I don't know yet if this is a
> configuration issue or a bug.
> 
> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
Sure, as far as I know it's completely stock, aside from the krb
password auth change.

#
# VERSION 4 - DO NOT REMOVE THIS LINE
#
# LoadModule auth_kerb_module modules/mod_auth_kerb.so

ProxyRequests Off


#We use xhtml, a file format that the browser validates
DirectoryIndex index.html



# ipa-rewrite.conf is loaded separately

# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive jar


# FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix /var/run/httpd/wsgi


# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off


# Turn off mod_msgi handler for errors, config, crl:

  SetHandler None


  SetHandler None


  SetHandler None


KrbConstrainedDelegationLock ipa

# Protect /ipa and everything below it in webspace with Apache Kerberos auth

  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbServiceName HTTP
  KrbAuthRealms SYSTEMS.LAFAYETTE.EDU
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  KrbConstrainedDelegation on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html


# Turn off Apache authentication for sessions

  Satisfy Any
  Order Deny,Allow
  Allow from all



  Satisfy Any
  Order Deny,Allow
  Allow from all


# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"

# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"

# Do no authentication on the directory that contains error messages

  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all



# For CRL publishing
Alias /ipa/crl "/var/lib/pki-ca/publish"

  SetHandler None
  AllowOverride None
  Options Indexes FollowSymLinks
  Satisfy Any
  Allow from all



#  webUI  is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/ui"

  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all




# Protect our CGIs

  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms SYSTEMS.LAFAYETTE.EDU
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html



# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"

AllowOverride None
Satisfy Any
Allow from all
Options ExecCGI
AddHandler wsgi-script .py



> 
> rob
> 

-- 
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042



Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden

Dmitri Pal wrote:



On 09/19/2012 03:37 PM, Nathan Lager wrote:



 >
 > On 09/19/2012 02:54 PM, Rob Crittenden wrote:
 > > Nathan Lager wrote:
 > >>
 > >>
 > >> On 09/19/2012 11:34 AM, Rob Crittenden wrote:
 > >>> Nathan Lager wrote:
 > 
 >  On 09/19/2012 10:37 AM, Rob Crittenden wrote:
 > > Lager, Nathan T. wrote:
 > >>
 > >> - Original Message -
 > >>> From: "Rob Crittenden"  To:
 > >>> "Nathan Lager"  Cc:
 > >>> freeipa-users@redhat.com Sent: Tuesday, September 18,
 > >>> 2012 5:17:00 PM Subject: Re: [Freeipa-users] sudden ipa
 > >>> errors.
 > >>>
 > >>> Ok, what are the permissions on the keytab,
 > >>> /etc/httpd/conf/ipa.keytab? They should be
 > >>> apache:apache mode 0600.
 > >>
 > >> [lagern@caroline0 PROD ~]$ ls -lZ
 > >> /etc/httpd/conf/ipa.keytab -rw---. apache apache
 > >> unconfined_u:object_r:httpd_config_t:s0
 > >> /etc/httpd/conf/ipa.keytab
 > >>
 > >>>
 > >>> Are you in SELinux enforcing mode? Can you try in
 > >>> permissive to see if that works?
 > >> I was enforcing at the start of all of this, but I've
 > >> since switched to permissive for troubleshooting. It
 > >> hasn't made a difference.
 > >
 > > Are you getting an HTTP service principal in the client?
 > >
 > > $ kdestroy
 > > $ kinit admin
 > > $ ipa user-show admin
 > > $ klist -fea
 > >
 > > Lets try to skip s4u2proxy. Does this work:
 > >
 > > $ ipa --delegate user-show admin
 > >
 > > Unfortunately the major and minor error codes are as
 > > generic as can be so they aren't any help at all.
 > >
 > > rob
 > 
 >  Here's the output. The --delegate still failed.
 > 
 >  [root@caroline0 PROD ~]# klist -fea
 >  Ticket cache: FILE:/tmp/krb5cc_0
 >  Default principal: lag...@systems.lafayette.edu
 >
 >  Valid starting     Expires            Service principal
 >  09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/systems.lafayette@systems.lafayette.edu
 >      Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
 >      Addresses: (none)
 >  09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette@systems.lafayette.edu
 >      Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
 >      Addresses: (none)
 >  [root@caroline0 PROD ~]# ipa --delegate user-show admin
 >  ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
 >  [root@caroline0 PROD ~]#
 > >>>
 > >>> Is it the same major/minor error in gss_acquire_cred()?
 > >>>
 > >>> Does GSSAPI over LDAP work?
 > >>>
 > >>> $ ldapsearch -Y GSSAPI -h ipa.example.com -b
 > >>> cn=users,cn=accounts,dc=example,dc=com admin
 > >>>
 > >> This appears to work.
 > >>
 > >> [root@caroline0 PROD ~]# ldapsearch -Y GSSAPI -h caroline0.lafayette.edu -b cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin
 > >> SASL/GSSAPI authentication started
 > >> SASL username: lag...@systems.lafayette.edu
 > >> SASL SSF: 56
 > >> SASL data security layer installed.
 > >> # extended LDIF
 > >> #
 > >> # LDAPv3
 > >> # base  with scope subtree
 > >> # filter: (objectclass=*)
 > >> # requesting: admin
 > >> #
 > >>
 > >> # users, accounts, systems.lafayette.edu
 > >> dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
 > >>
 > >> # admin, users, accounts, systems.lafayette.edu
 > >> dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
 > >>
 > >> <-- a bunch of other users here -->
 > >>
 > >> # search result
 > >> search: 4
 > >> result: 0 Success
 > >>
 > >> # numResponses: 10
 > >> # numEntries: 9
 > >>
 >
 > > Ok, so it's JUST Apache then.
 >
 > > Is the hostname on caroline0 set as a FQDN (/bin/hostname)?
 >
 > > If not, I'd try setting it to caroline0.lafayette.edu
 >
 > > If so, might be worth trying to refresh your Apache keytab. I made
 > > some educated guesses on your hostnames/realm, please
 > > double-check:
 >
 > > # ipa-getkeytab -s caroline0.lafayette.edu -p HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU -k /etc/httpd/conf/ipa.keytab
 >
 > > Should not be required to restart httpd but it shouldn't hurt. Run
 > > kdestroy/kinit before trying ipa user-show again.
 >
 > > rob
 >
 > well, seems like we're at least narrowing things down. But it's still
 > no good.
 >
 > The hostname is the fqdn. /bin/hostname returns it as such.
 >
 >
 > [root@caroline0 PROD ~]# ipa-getkeytab -s caroline0.lafayette.edu -p
 > HTTP/caroline0.lafayette@systems.lafayette.edu -k
 > /etc/httpd/conf/ipa.keytab
 > Keytab successfully retrieved and stored in: /etc/httpd/conf/ipa.keytab
 > [root@caroline0 PROD ~]# service httpd restart
 > Stopping httpd: [ OK ]
 > Starting httpd: [Wed Sep 19 15:34:24 2012] [warn] worker
 > ajp://localhost:9447/ already used by another worker
 > [Wed Sep 19 15:34:24 2012] [warn] worker ajp://localhost:9447/ already
 > used by another worke

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Dmitri Pal

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/19/2012 03:37 PM, Nathan Lager wrote:
>
>
> On 09/19/2012 02:54 PM, Rob Crittenden wrote:
> > Nathan Lager wrote:
> >>
> >>
> >> On 09/19/2012 11:34 AM, Rob Crittenden wrote:
> >>> Nathan Lager wrote:
> 
>  On 09/19/2012 10:37 AM, Rob Crittenden wrote:
> > Lager, Nathan T. wrote:
> >>
> >> - Original Message -
> >>> From: "Rob Crittenden"  To:
> >>> "Nathan Lager"  Cc:
> >>> freeipa-users@redhat.com Sent: Tuesday, September 18,
> >>> 2012 5:17:00 PM Subject: Re: [Freeipa-users] sudden ipa
> >>> errors.
> >>>
> >>> Ok, what are the permissions on the keytab,
> >>> /etc/httpd/conf/ipa.keytab? They should be
> >>> apache:apache mode 0600.
> >>
> >> [lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
> >> -rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab
> >>
> >>>
> >>> Are you in SELinux enforcing mode? Can you try in
> >>> permissive to see if that works?
> >> I was enforcing at the start of all of this, but I've
> >> since switched to permissive for troubleshooting. It
> >> hasn't made a difference.
> >
> > Are you getting an HTTP service principal in the client?
> >
> > $ kdestroy
> > $ kinit admin
> > $ ipa user-show admin
> > $ klist -fea
> >
> > Let's try to skip s4u2proxy. Does this work:
> >
> > $ ipa --delegate user-show admin
> >
> > Unfortunately the major and minor error codes are as
> > generic as can be so they aren't any help at all.
> >
> > rob
> 
>  Here's the output. The --delegate still failed.
> 
>  [root@caroline0 PROD ~]# klist -fea
>  Ticket cache: FILE:/tmp/krb5cc_0
>  Default principal: lag...@systems.lafayette.edu
> 
>  Valid starting     Expires            Service principal
>  09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/systems.lafayette@systems.lafayette.edu
>      Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>      Addresses: (none)
>  09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette@systems.lafayette.edu
>      Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>      Addresses: (none)
>  [root@caroline0 PROD ~]# ipa --delegate user-show admin
>  ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
>  [root@caroline0 PROD ~]#
> >>>
> >>> Is it the same major/minor error in gss_acquire_cred()?
> >>>
> >>> Does GSSAPI over LDAP work?
> >>>
> >>> $ ldapsearch -Y GSSAPI -h ipa.example.com -b
> >>> cn=users,cn=accounts,dc=example,dc=com admin
> >>>
> >> This appears to work.
> >>
> >> [root@caroline0 PROD ~]# ldapsearch -Y GSSAPI -h caroline0.lafayette.edu -b cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin
> >> SASL/GSSAPI authentication started
> >> SASL username: lag...@systems.lafayette.edu
> >> SASL SSF: 56
> >> SASL data security layer installed.
> >> # extended LDIF
> >> #
> >> # LDAPv3
> >> # base  with scope subtree
> >> # filter: (objectclass=*)
> >> # requesting: admin
> >> #
> >>
> >> # users, accounts, systems.lafayette.edu
> >> dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
> >>
> >> # admin, users, accounts, systems.lafayette.edu
> >> dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
> >>
> >> <-- a bunch of other users here -->
> >>
> >> # search result
> >> search: 4
> >> result: 0 Success
> >>
> >> # numResponses: 10
> >> # numEntries: 9
> >>
>
> > Ok, so it's JUST Apache then.
>
> > Is the hostname on caroline0 set as a FQDN (/bin/hostname)?
>
> > If not, I'd try setting it to caroline0.lafayette.edu
>
> > If so, might be worth trying to refresh your Apache keytab. I made
> > some educated guesses on your hostnames/realm, please
> > double-check:
>
> > # ipa-getkeytab -s caroline0.lafayette.edu -p HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU -k /etc/httpd/conf/ipa.keytab
>
> > Should not be required to restart httpd but it shouldn't hurt. Run
> > kdestroy/kinit before trying ipa user-show again.
>
> > rob
>
> well, seems like we're at least narrowing things down. But it's still
> no good.
>
> The hostname is the fqdn. /bin/hostname returns it as such.
>
>
> [root@caroline0 PROD ~]# ipa-getkeytab -s caroline0.lafayette.edu -p
> HTTP/caroline0.lafayette@systems.lafayette.edu -k
> /etc/httpd/conf/ipa.keytab
> Keytab successfully retrieved and stored in: /etc/httpd/conf/ipa.keytab
> [root@caroline0 PROD ~]# service httpd restart
> Stopping httpd: [ OK ]
> Starting httpd: [Wed Sep 19 15:34:24 2012] [warn] worker
> ajp://localhost:9447/ already used by another worker
> [Wed Sep 19 15:34:24 2012] [warn] worker ajp://localhost:9447/ already
> used by another worker
> [ OK ]
> [root@caroline0 PROD ~]# kdestroy
> [root@caroline0 PROD ~]# kinit lagern
> Password for lag...@systems.lafayette.edu:
> [root@caroline0 PROD

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



On 09/19/2012 02:54 PM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> 
>> 
>> On 09/19/2012 11:34 AM, Rob Crittenden wrote:
>>> Nathan Lager wrote:
 
 On 09/19/2012 10:37 AM, Rob Crittenden wrote:
> Lager, Nathan T. wrote:
>> 
>> - Original Message -
>>> From: "Rob Crittenden"  To:
>>> "Nathan Lager"  Cc:
>>> freeipa-users@redhat.com Sent: Tuesday, September 18,
>>> 2012 5:17:00 PM Subject: Re: [Freeipa-users] sudden ipa
>>> errors.
>>> 
>>> Ok, what are the permissions on the keytab, 
>>> /etc/httpd/conf/ipa.keytab? They should be
>>> apache:apache mode 0600.
>> 
>> [lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
>> -rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab
>> 
>>> 
>>> Are you in SELinux enforcing mode? Can you try in 
>>> permissive to see if that works?
>> I was enforcing at the start of all of this, but I've
>> since switched to permissive for troubleshooting.  It
>> hasn't made a difference.
> 
> Are you getting an HTTP service principal in the client?
> 
> $ kdestroy
> $ kinit admin
> $ ipa user-show admin
> $ klist -fea
> 
> Let's try to skip s4u2proxy. Does this work:
> 
> $ ipa --delegate user-show admin
> 
> Unfortunately the major and minor error codes are as
> generic as can be so they aren't any help at all.
> 
> rob
 
 Here's the output. The --delegate still failed.
 
 [root@caroline0 PROD ~]# klist -fea
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: lag...@systems.lafayette.edu
 
 Valid starting     Expires            Service principal
 09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/systems.lafayette@systems.lafayette.edu
     Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
     Addresses: (none)
 09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette@systems.lafayette.edu
     Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
     Addresses: (none)
 [root@caroline0 PROD ~]# ipa --delegate user-show admin
 ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
 [root@caroline0 PROD ~]#
>>> 
>>> Is it the same major/minor error in gss_acquire_cred()?
>>> 
>>> Does GSSAPI over LDAP work?
>>> 
>>> $ ldapsearch -Y GSSAPI -h ipa.example.com -b 
>>> cn=users,cn=accounts,dc=example,dc=com admin
>>> 
>> This appears to work.
>> 
>> [root@caroline0 PROD ~]# ldapsearch -Y GSSAPI -h caroline0.lafayette.edu -b cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin
>> SASL/GSSAPI authentication started
>> SASL username: lag...@systems.lafayette.edu
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  with scope subtree
>> # filter: (objectclass=*)
>> # requesting: admin
>> #
>> 
>> # users, accounts, systems.lafayette.edu
>> dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
>> 
>> # admin, users, accounts, systems.lafayette.edu
>> dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu
>> 
>> <-- a bunch of other users here -->
>> 
>> # search result
>> search: 4
>> result: 0 Success
>> 
>> # numResponses: 10
>> # numEntries: 9
>> 
> 
> Ok, so it's JUST Apache then.
> 
> Is the hostname on caroline0 set as a FQDN (/bin/hostname)?
> 
> If not, I'd try setting it to caroline0.lafayette.edu
> 
> If so, might be worth trying to refresh your Apache keytab. I made
> some educated guesses on your hostnames/realm, please
> double-check:
> 
> # ipa-getkeytab -s caroline0.lafayette.edu -p HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU -k /etc/httpd/conf/ipa.keytab
> 
> Should not be required to restart httpd but it shouldn't hurt. Run 
> kdestroy/kinit before trying ipa user-show again.
> 
> rob

well, seems like we're at least narrowing things down.  But it's still
no good.

The hostname is the fqdn. /bin/hostname returns it as such.


[root@caroline0 PROD ~]# ipa-getkeytab -s caroline0.lafayette.edu -p
HTTP/caroline0.lafayette@systems.lafayette.edu -k
/etc/httpd/conf/ipa.keytab
Keytab successfully retrieved and stored in: /etc/httpd/conf/ipa.keytab
[root@caroline0 PROD ~]# service httpd restart
Stopping httpd:[  OK  ]
Starting httpd: [Wed Sep 19 15:34:24 2012] [warn] worker
ajp://localhost:9447/ already used by another worker
[Wed Sep 19 15:34:24 2012] [warn] worker ajp://localhost:9447/ already
used by another worker
   [  OK  ]
[root@caroline0 PROD ~]# kdestroy
[root@caroline0 PROD ~]# kinit lagern
Password for lag...@systems.lafayette.edu:
[root@caroline0 PROD ~]# ipa pwpolicy-show
ipa: ERROR: cannot connect to
u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error


- -- 

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden

Nathan Lager wrote:



On 09/19/2012 11:34 AM, Rob Crittenden wrote:

Nathan Lager wrote:


On 09/19/2012 10:37 AM, Rob Crittenden wrote:

Lager, Nathan T. wrote:


- Original Message -

From: "Rob Crittenden"  To: "Nathan
Lager"  Cc: freeipa-users@redhat.com
Sent: Tuesday, September 18, 2012 5:17:00 PM Subject: Re:
[Freeipa-users] sudden ipa errors.

Ok, what are the permissions on the keytab,
/etc/httpd/conf/ipa.keytab? They should be apache:apache
mode 0600.


[lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
-rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab



Are you in SELinux enforcing mode? Can you try in
permissive to see if that works?

I was enforcing at the start of all of this, but I've since
switched to permissive for troubleshooting.  It hasn't made a
difference.


Are you getting an HTTP service principal in the client?

$ kdestroy
$ kinit admin
$ ipa user-show admin
$ klist -fea

Let's try to skip s4u2proxy. Does this work:

$ ipa --delegate user-show admin

Unfortunately the major and minor error codes are as generic as
can be so they aren't any help at all.

rob


Here's the output. The --delegate still failed.

[root@caroline0 PROD ~]# klist -fea
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lag...@systems.lafayette.edu

Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/systems.lafayette@systems.lafayette.edu
    Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
    Addresses: (none)
09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette@systems.lafayette.edu
    Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
    Addresses: (none)
[root@caroline0 PROD ~]# ipa --delegate user-show admin
ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
[root@caroline0 PROD ~]#


Is it the same major/minor error in gss_acquire_cred()?

Does GSSAPI over LDAP work?

$ ldapsearch -Y GSSAPI -h ipa.example.com -b
cn=users,cn=accounts,dc=example,dc=com admin


This appears to work.

[root@caroline0 PROD ~]# ldapsearch -Y GSSAPI -h
caroline0.lafayette.edu -b
cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin
SASL/GSSAPI authentication started
SASL username: lag...@systems.lafayette.edu
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: admin
#

# users, accounts, systems.lafayette.edu
dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu

# admin, users, accounts, systems.lafayette.edu
dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu

<-- a bunch of other users here -->

# search result
search: 4
result: 0 Success

# numResponses: 10
# numEntries: 9



Ok, so it's JUST Apache then.

Is the hostname on caroline0 set as a FQDN (/bin/hostname)?

If not, I'd try setting it to caroline0.lafayette.edu

If so, might be worth trying to refresh your Apache keytab. I made some 
educated guesses on your hostnames/realm, please double-check:


# ipa-getkeytab -s caroline0.lafayette.edu -p HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU -k /etc/httpd/conf/ipa.keytab


Should not be required to restart httpd but it shouldn't hurt. Run 
kdestroy/kinit before trying ipa user-show again.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
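
The three things Rob asks Nathan to verify above (keytab owned by apache with mode 0600, a fully qualified host name, and a keytab that actually carries the HTTP/ principal for that name) can be checked before reaching for ipa-getkeytab. The script below is an added example, not FreeIPA code and not from anyone in the thread. The `klist -kt` column layout is assumed from the MIT krb5 client, the sample listing is constructed, and the host and realm names follow Rob's guesses (caroline0.lafayette.edu, SYSTEMS.LAFAYETTE.EDU).

```python
import os
import pwd
import re
import socket
import stat
import subprocess
import tempfile

KEYTAB = "/etc/httpd/conf/ipa.keytab"

# Constructed sample of `klist -kt` output after a keytab refresh.  The column
# layout (KVNO, timestamp, principal) is assumed from the MIT krb5 client; the
# older kvno 2 entry shows that a refresh bumps the key version.
SAMPLE_KLIST_KT = """\
Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/18/2012 17:02:41 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
   3 09/19/2012 15:34:10 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU
"""

# kvno, date, time, principal; the header and dashed separator lines do not match
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")


def current_user():
    """Name of the invoking user, falling back to the numeric uid."""
    try:
        return pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        return str(os.getuid())


def check_keytab_file(path, owner="apache", mode=0o600):
    """Return a list of problems with the keytab's ownership and permissions;
    an empty list means the file belongs to `owner` and has exactly `mode`."""
    problems = []
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc)]
    actual_mode = stat.S_IMODE(st.st_mode)
    if actual_mode != mode:
        problems.append("mode is %04o, expected %04o" % (actual_mode, mode))
    try:
        actual_owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        actual_owner = str(st.st_uid)
    if actual_owner != owner:
        problems.append("owner is %s, expected %s" % (actual_owner, owner))
    return problems


def is_fqdn(hostname):
    """The HTTP/ principal is built from the host name, so it must be fully
    qualified: at least two labels and none of them empty."""
    labels = hostname.split(".")
    return len(labels) >= 2 and all(labels)


def parse_klist_keytab(output):
    """Map each principal in `klist -kt` output to its highest key version."""
    entries = {}
    for line in output.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            kvno, principal = int(m.group(1)), m.group(2)
            entries[principal] = max(kvno, entries.get(principal, 0))
    return entries


def keytab_has_http_principal(klist_output, hostname, realm):
    """True when the keytab holds HTTP/<hostname>@<realm>."""
    return "HTTP/%s@%s" % (hostname, realm) in parse_klist_keytab(klist_output)


def make_test_keytab(mode=0o600):
    """Create an empty temporary file with the given mode, so the permission
    check can be exercised without touching the real keytab."""
    fd, path = tempfile.mkstemp(prefix="ipa.keytab.")
    os.close(fd)
    os.chmod(path, mode)
    return path


def live_checks(path=KEYTAB, realm=None):
    """Run the checks on this host; the principal check needs `klist` on PATH."""
    hostname = socket.gethostname()
    report = {"keytab_problems": check_keytab_file(path),
              "hostname_is_fqdn": is_fqdn(hostname)}
    if realm:
        out = subprocess.check_output(["klist", "-kt", path], universal_newlines=True)
        report["has_http_principal"] = keytab_has_http_principal(out, hostname, realm)
    return report


if __name__ == "__main__":
    import sys
    print(live_checks(realm=sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as root on the IPA server with the realm as the only argument; an empty `keytab_problems` list, `hostname_is_fqdn` true and `has_http_principal` true reproduce by hand the state Rob expects before the keytab refresh is worth trying.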


Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager


On 09/19/2012 11:34 AM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> 
>> On 09/19/2012 10:37 AM, Rob Crittenden wrote:
>>> Lager, Nathan T. wrote:
 
 - Original Message -
> From: "Rob Crittenden"  To: "Nathan
> Lager"  Cc: freeipa-users@redhat.com
> Sent: Tuesday, September 18, 2012 5:17:00 PM Subject: Re: 
> [Freeipa-users] sudden ipa errors.
> 
> Ok, what are the permissions on the keytab, 
> /etc/httpd/conf/ipa.keytab? They should be apache:apache
> mode 0600.
 
 [lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
 -rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab
 
> 
> Are you in SELinux enforcing mode? Can you try in
> permissive to see if that works?
 I was enforcing at the start of all of this, but I've since
 switched to permissive for troubleshooting.  It hasn't made a
 difference.
>>> 
>>> Are you getting an HTTP service principal in the client?
>>> 
>>> $ kdestroy
>>> $ kinit admin
>>> $ ipa user-show admin
>>> $ klist -fea
>>> 
>>> Let's try to skip s4u2proxy. Does this work:
>>> 
>>> $ ipa --delegate user-show admin
>>> 
>>> Unfortunately the major and minor error codes are as generic as
>>> can be so they aren't any help at all.
>>> 
>>> rob
>> 
>> Here's the output. The --delegate still failed.
>> 
>> [root@caroline0 PROD ~]# klist -fea
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: lag...@systems.lafayette.edu
>> 
>> Valid starting     Expires            Service principal
>> 09/19/12 11:23:03  09/20/12 11:22:52  krbtgt/systems.lafayette@systems.lafayette.edu
>>     Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>     Addresses: (none)
>> 09/19/12 11:23:11  09/20/12 11:22:52  HTTP/caroline0.lafayette@systems.lafayette.edu
>>     Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>     Addresses: (none)
>> [root@caroline0 PROD ~]# ipa --delegate user-show admin
>> ipa: ERROR: cannot connect to u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
>> [root@caroline0 PROD ~]#
> 
> Is it the same major/minor error in gss_acquire_cred()?
> 
> Does GSSAPI over LDAP work?
> 
> $ ldapsearch -Y GSSAPI -h ipa.example.com -b 
> cn=users,cn=accounts,dc=example,dc=com admin
> 
This appears to work.

[root@caroline0 PROD ~]# ldapsearch -Y GSSAPI -h
caroline0.lafayette.edu -b
cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu admin
SASL/GSSAPI authentication started
SASL username: lag...@systems.lafayette.edu
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: admin
#

# users, accounts, systems.lafayette.edu
dn: cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu

# admin, users, accounts, systems.lafayette.edu
dn: uid=admin,cn=users,cn=accounts,dc=systems,dc=lafayette,dc=edu

<-- a bunch of other users here -->

# search result
search: 4
result: 0 Success

# numResponses: 10
# numEntries: 9

> rob
> 
> 

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042



Re: [Freeipa-users] errors when one ipa server down

2012-09-19 Thread Dmitri Pal
On 09/19/2012 12:11 PM, Jakub Hrozek wrote:
> On Wed, Sep 19, 2012 at 12:00:08PM -0400, Michael Mercier wrote:
>> On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote:
>>
>>> On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote:
 On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:

> On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
>>> [root@ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8
>>>
>>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] Found [172.16.112.8] in 
>>> [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] 
>>> family[0] socktype[2] locate_service[1]
>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
>>> [sssd_krb5_locator] [172.16.112.8] used
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] Found [172.16.112.8] in 
>>> [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] 
>>> family[0] socktype[1] locate_service[1]
>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
>>> [sssd_krb5_locator] [172.16.112.8] used
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting 
>>> initial credentials
>> Jakub, does this make sense to you?
>>
> As stated elsewhere in this thread, bare kinit does not contact the SSSD
> at all. You want to go through the PAM stack (with "su - mike" or "ssh
> mike@ipaclient") in order to contact the SSSD so that the SSSD refreshes
> the file.
>
> Does using "su - mike" refresh the file?
 When performing an 'su - mike' I will occasionally see a short delay (~2 
 seconds) when bringing the interfaces up and down on the servers.

 e.g.

 [root@ipaclient sssd]# su - mike
>>> ^^ Sorry, but can you re-run the test again and either su from another
>>> non-root user or ssh into the client for instance? The reason is that
>>> performing su as root would not contact the SSSD at all either. The
>>> default PAM configuration for su includes "pam_rootok.so" which just
>>> returns PAM_SUCCESS if the user who performs su has UID=0.
>> Hello,
>>
>> [mike@ipaclient ~]$ su - eric
>> Password:  # NOTE: no delay
>> [eric@ipaclient ~]$ exit
>> logout
>>
>> [root@ipaserver ~]ifdown eth0
>>
>> [mike@ipaclient ~]$ su - eric
>> Password:# NOTE: there is a delay here, ~5 seconds
>> [eric@ipaclient ~]$ exit
>> logout
>>
>> [root@ipaserver ~]ifup eth0
>>
>> [root@ipaserver2 ~]ifdown eth0
>>
>> [mike@ipaclient ~]$ su - eric
>> Password:   # NOTE: no delay
>> [eric@ipaclient ~]$exit
>> logout
>>
>> [root@ipaserver ~]ifdown eth0
>>
>> [root@ipaserver2 ~]ifup eth0
>>
>> [mike@ipaclient ~]$ su - eric
>> Password:  # NOTE: no delay
>> [eric@ipaclient ~]$ exit
>> logout
>>
>> There does not appear to be any problems when doing an su -.
>>
> I agree. I think that the SSSD fails over just fine.
>
>> An additional note is that the ipaclient system had been sitting idle all 
>> night.  Right before starting this test, I had to unlock the workstation.
> The unlock (if performed through GDM at least) would trigger an auth and
> by extension going online/offline.
>
> What I suspect was happening is that the kinit just contacted a KDC that was
> present in the kdcinfo files, but down without the Kerberos libraries
> knowing it was down -- and without a mechanism to tell the SSSD to go
> and try another server. We're tracking this as a future enhancement..

Do you have a ticket handy?

>
> Thank you for testing, Mike!


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] errors when one ipa server down

2012-09-19 Thread Jakub Hrozek
On Wed, Sep 19, 2012 at 12:00:08PM -0400, Michael Mercier wrote:
> 
> On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote:
> 
> > On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote:
> >> 
> >> On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:
> >> 
> >>> On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
> > [root@ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8
> > 
> > [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
> > [sssd_krb5_locator] sssd_krb5_locator_init called
> > [sssd_krb5_locator] Found [172.16.112.8] in 
> > [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> > [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] 
> > family[0] socktype[2] locate_service[1]
> > [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
> > [sssd_krb5_locator] [172.16.112.8] used
> > [sssd_krb5_locator] sssd_krb5_locator_close called
> > [sssd_krb5_locator] sssd_krb5_locator_init called
> > [sssd_krb5_locator] Found [172.16.112.8] in 
> > [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> > [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] 
> > family[0] socktype[1] locate_service[1]
> > [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
> > [sssd_krb5_locator] [172.16.112.8] used
> > [sssd_krb5_locator] sssd_krb5_locator_close called
> > kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting 
> > initial credentials
>  
>  Jakub, does this make sense to you?
>  
> >>> 
> >>> As stated elsewhere in this thread, bare kinit does not contact the SSSD
> >>> at all. You want to go through the PAM stack (with "su - mike" or "ssh
> >>> mike@ipaclient") in order to contact the SSSD so that the SSSD refreshes
> >>> the file.
> >>> 
> >>> Does using "su - mike" refresh the file?
> >> 
> >> When performing an 'su - mike' I will occasionally see a short delay (~2 
> >> seconds) when bringing the interfaces up and down on the servers.
> >> 
> >> e.g.
> >> 
> >> [root@ipaclient sssd]# su - mike
> > 
> > ^^ Sorry, but can you re-run the test again and either su from another
> > non-root user or ssh into the client for instance? The reason is that
> > performing su as root would not contact the SSSD at all either. The
> > default PAM configuration for su includes "pam_rootok.so" which just
> > returns PAM_SUCCESS if the user who performs su has UID=0.
> 
> Hello,
> 
> [mike@ipaclient ~]$ su - eric
> Password:  # NOTE: no delay
> [eric@ipaclient ~]$ exit
> logout
> 
> [root@ipaserver ~]ifdown eth0
> 
> [mike@ipaclient ~]$ su - eric
> Password:# NOTE: there is a delay here, ~5 seconds
> [eric@ipaclient ~]$ exit
> logout
> 
> [root@ipaserver ~]ifup eth0
> 
> [root@ipaserver2 ~]ifdown eth0
> 
> [mike@ipaclient ~]$ su - eric
> Password:   # NOTE: no delay
> [eric@ipaclient ~]$exit
> logout
> 
> [root@ipaserver ~]ifdown eth0
> 
> [root@ipaserver2 ~]ifup eth0
> 
> [mike@ipaclient ~]$ su - eric
> Password:  # NOTE: no delay
> [eric@ipaclient ~]$ exit
> logout
> 
> There does not appear to be any problems when doing an su -.
> 

I agree. I think that the SSSD fails over just fine.

> An additional note is that the ipaclient system had been sitting idle all 
> night.  Right before starting this test, I had to unlock the workstation.

The unlock (if performed through GDM at least) would trigger an auth and
by extension going online/offline.

What I suspect was happening is that the kinit just contacted a KDC that was
present in the kdcinfo files, but down without the Kerberos libraries
knowing it was down -- and without a mechanism to tell the SSSD to go
and try another server. We're tracking this as a future enhancement..

Thank you for testing, Mike!

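
Jakub's explanation above boils down to a cache-staleness problem: the locator plugin hands libkrb5 whatever address sits in kdcinfo.REALM, and SSSD only rewrites that file when something authenticates through it (the PAM stack), so a bare kinit after a server goes down keeps targeting the dead KDC. The script below is an added example, not SSSD or FreeIPA code. It parses the SSSD_KRB5_LOCATOR_DEBUG lines Michael posted (embedded here as a constructed sample), reads a kdcinfo file (format assumed: one address or address:port per line) and probes each listed KDC; the probe is injectable so the cross-check runs offline, and the fallback claim for an empty kdcinfo file is an assumption about the plugin.

```python
import re
import socket

KDC_PORT = 88
SOCKTYPE_NAMES = {1: "tcp", 2: "udp"}   # SOCK_STREAM = 1, SOCK_DGRAM = 2 on Linux

_ADDR_RE = re.compile(
    r"\[sssd_krb5_locator\] addr\[(?P<host>[^\]]+?):(?P<port>\d+)\] "
    r"family\[(?P<family>\d+)\] socktype\[(?P<socktype>\d+)\]")
_FOUND_RE = re.compile(
    r"\[sssd_krb5_locator\] Found \[(?P<addr>[^\]]+)\] in \[(?P<path>[^\]]+)\]")

# Constructed sample: the lines Michael posted, taken while ipaserver2
# (172.16.112.8) had its interface down.
SAMPLE_DEBUG = """\
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
"""
# Constructed kdcinfo.MPLS.LOCAL contents (assumed format: one address per line).
SAMPLE_KDCINFO = "172.16.112.8\n"


def parse_kdcinfo(text):
    """Return [(host, port)] from a kdcinfo file; 'host:port' and bare 'host' are accepted."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if sep and port.isdigit() and line.count(":") == 1:
            servers.append((host, int(port)))
        else:
            servers.append((line, KDC_PORT))   # bare IPv4 name/address, or IPv6 literal
    return servers


def parse_locator_debug(text):
    """Return (files_read, attempts): the kdcinfo paths the plugin consulted and
    the (host, port, transport) tuples it handed to libkrb5, in order."""
    files, attempts = [], []
    for line in text.splitlines():
        m = _FOUND_RE.search(line)
        if m and m.group("path") not in files:
            files.append(m.group("path"))
        m = _ADDR_RE.search(line)
        if m:
            transport = SOCKTYPE_NAMES.get(int(m.group("socktype")), "?")
            attempts.append((m.group("host"), int(m.group("port")), transport))
    return files, attempts


def tcp_reachable(host, port, timeout=2.0):
    """Live probe of the KDC's TCP port; a server with its interface down fails here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(debug_text, kdcinfo_text, reachable=tcp_reachable):
    """Cross-check what the plugin tried against the kdcinfo file and reachability.
    `reachable(host, port)` is injectable so the check can run without a network."""
    files, attempts = parse_locator_debug(debug_text)
    listed = parse_kdcinfo(kdcinfo_text)
    tried = sorted({(h, p) for h, p, _ in attempts})
    down = [s for s in listed if not reachable(s[0], s[1])]
    result = {"files": files, "tried": tried, "listed": listed, "down": down}
    if not listed:
        # Assumption: with nothing to hand over the plugin declines and libkrb5
        # falls back to its own krb5.conf / DNS SRV lookup.
        result["verdict"] = "kdcinfo lists no KDC; libkrb5 falls back to krb5.conf/DNS"
    elif down and len(down) == len(listed):
        result["verdict"] = ("stale kdcinfo: every listed KDC is down; authenticate through "
                             "the PAM stack (ssh, or su from a non-root user) so SSSD rewrites the file")
    else:
        result["verdict"] = "ok: at least one listed KDC answers"
    return result


if __name__ == "__main__":
    import sys
    debug = sys.stdin.read()                       # pipe in: SSSD_KRB5_LOCATOR_DEBUG=1 kinit user 2>&1
    with open(sys.argv[1]) as fh:                  # e.g. /var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL
        print(diagnose(debug, fh.read())["verdict"])
```

Note the two attempts the parser recovers from the sample: the same address over UDP (socktype 2) and then TCP (socktype 1), which is libkrb5 retrying its transports against the one address it was given rather than trying a second KDC. The "su from a non-root user" wording follows Jakub's point about pam_rootok.so short-circuiting root's su before SSSD is ever consulted.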


Re: [Freeipa-users] errors when one ipa server down

2012-09-19 Thread Michael Mercier

On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote:

> On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote:
>> 
>> On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:
>> 
>>> On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
> [root@ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8
> 
> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [172.16.112.8] in 
> [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] 
> family[0] socktype[2] locate_service[1]
> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
> [sssd_krb5_locator] [172.16.112.8] used
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [172.16.112.8] in 
> [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] 
> family[0] socktype[1] locate_service[1]
> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
> [sssd_krb5_locator] [172.16.112.8] used
> [sssd_krb5_locator] sssd_krb5_locator_close called
> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting 
> initial credentials
 
 Jakub, does this make sense to you?
 
>>> 
>>> As stated elsewhere in this thread, bare kinit does not contact the SSSD
>>> at all. You want to go through the PAM stack (with "su - mike" or "ssh
>>> mike@ipaclient") in order to contact the SSSD so that the SSSD refreshes
>>> the file.
>>> 
>>> Does using "su - mike" refresh the file?
>> 
>> When performing an 'su - mike' I will occasionally see a short delay (~2 
>> seconds) when bringing the interfaces up and down on the servers.
>> 
>> e.g.
>> 
>> [root@ipaclient sssd]# su - mike
> 
> ^^ Sorry, but can you re-run the test again and either su from another
> non-root user or ssh into the client for instance? The reason is that
> performing su as root would not contact the SSSD at all either. The
> default PAM configuration for su includes "pam_rootok.so" which just
> returns PAM_SUCCESS if the user who performs su has UID=0.

Hello,

[mike@ipaclient ~]$ su - eric
Password:  # NOTE: no delay
[eric@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifdown eth0

[mike@ipaclient ~]$ su - eric
Password:# NOTE: there is a delay here, ~5 seconds
[eric@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifup eth0

[root@ipaserver2 ~]ifdown eth0

[mike@ipaclient ~]$ su - eric
Password:   # NOTE: no delay
[eric@ipaclient ~]$exit
logout

[root@ipaserver ~]ifdown eth0

[root@ipaserver2 ~]ifup eth0

[mike@ipaclient ~]$ su - eric
Password:  # NOTE: no delay
[eric@ipaclient ~]$ exit
logout

There does not appear to be any problems when doing an su -.

An additional note is that the ipaclient system had been sitting idle all night.  
Right before starting this test, I had to unlock the workstation.

Thanks,
Mike

> 
> I kinda expect the result to be the same (at least for user who is not
> recently cached) because the case of IPA we need to establish a GSSAPI
> encrypted connection anyway so we'd talk to the KDC only to perform
> initgroups.




Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden

Nathan Lager wrote:


On 09/19/2012 10:37 AM, Rob Crittenden wrote:

Lager, Nathan T. wrote:


- Original Message -

From: "Rob Crittenden"  To: "Nathan Lager"
 Cc: freeipa-users@redhat.com Sent:
Tuesday, September 18, 2012 5:17:00 PM Subject: Re:
[Freeipa-users] sudden ipa errors.

Ok, what are the permissions on the keytab,
/etc/httpd/conf/ipa.keytab? They should be apache:apache mode
0600.


[lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
-rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab



Are you in SELinux enforcing mode? Can you try in permissive to
see if that works?

I was enforcing at the start of all of this, but I've since
switched to permissive for troubleshooting.  It hasn't made a
difference.


Are you getting an HTTP service principal in the client?

$ kdestroy
$ kinit admin
$ ipa user-show admin
$ klist -fea

Let's try to skip s4u2proxy. Does this work:

$ ipa --delegate user-show admin

Unfortunately the major and minor error codes are as generic as can
be so they aren't any help at all.

rob


Here's the output. The --delegate still failed.

[root@caroline0 PROD ~]# klist -fea
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lag...@systems.lafayette.edu

Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52
krbtgt/systems.lafayette@systems.lafayette.edu
Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
Addresses: (none)
09/19/12 11:23:11  09/20/12 11:22:52
HTTP/caroline0.lafayette@systems.lafayette.edu
Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
Addresses: (none)
[root@caroline0 PROD ~]# ipa --delegate user-show admin
ipa: ERROR: cannot connect to
u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
[root@caroline0 PROD ~]#


Is it the same major/minor error in gss_acquire_cred()?

Does GSSAPI over LDAP work?

$ ldapsearch -Y GSSAPI -h ipa.example.com -b 
cn=users,cn=accounts,dc=example,dc=com admin


rob




Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager

On 09/19/2012 10:37 AM, Rob Crittenden wrote:
> Lager, Nathan T. wrote:
>> 
>> - Original Message -
>>> From: "Rob Crittenden"  To: "Nathan Lager"
>>>  Cc: freeipa-users@redhat.com Sent:
>>> Tuesday, September 18, 2012 5:17:00 PM Subject: Re:
>>> [Freeipa-users] sudden ipa errors.
>>> 
>>> Ok, what are the permissions on the keytab, 
>>> /etc/httpd/conf/ipa.keytab? They should be apache:apache mode
>>> 0600.
>> 
>> [lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
>> -rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab
>> 
>>> 
>>> Are you in SELinux enforcing mode? Can you try in permissive to
>>> see if that works?
>> I was enforcing at the start of all of this, but I've since
>> switched to permissive for troubleshooting. It hasn't made a
>> difference.
> 
> Are you getting an HTTP service principal in the client?
> 
> $ kdestroy
> $ kinit admin
> $ ipa user-show admin
> $ klist -fea
> 
> Let's try to skip s4u2proxy. Does this work:
> 
> $ ipa --delegate user-show admin
> 
> Unfortunately the major and minor error codes are as generic as can
> be so they aren't any help at all.
> 
> rob

Here's the output. The --delegate still failed.

[root@caroline0 PROD ~]# klist -fea
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lag...@systems.lafayette.edu

Valid starting     Expires            Service principal
09/19/12 11:23:03  09/20/12 11:22:52
krbtgt/systems.lafayette@systems.lafayette.edu
Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
Addresses: (none)
09/19/12 11:23:11  09/20/12 11:22:52
HTTP/caroline0.lafayette@systems.lafayette.edu
Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
Addresses: (none)
[root@caroline0 PROD ~]# ipa --delegate user-show admin
ipa: ERROR: cannot connect to
u'http://caroline0.lafayette.edu/ipa/xml': Internal Server Error
[root@caroline0 PROD ~]#




-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042



Re: [Freeipa-users] ipa {user-find} ca cert file

2012-09-19 Thread James James
OK, thanks a lot for the solution and for the advice.


2012/9/19 Rob Crittenden 

> James James wrote:
>
>> Hi,
>>
>> I have followed this
>> http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA
>> and everything works well.
>>
>> Now when, from the console, I execute
>>
>> $ ipa user-find
>>
>> I've got
>>
>> [root@ipa ipa]# ipa user-find
>> ipa: ERROR: cert validation failed for "E=certus...@example.com,CN=ipa.example.com,OU=TEST,O=TEST,C=FR"
>>
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
>> as not trusted by the user.)
>> ipa: ERROR: cannot connect to u'http://ipa.lix.example.com/ipa/xml':
>> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
>> been marked as not trusted by the user.
>>
>> Any help will be very much appreciated.
>>
>
> You need to add the CA certificate to /etc/pki/nssdb on the client and
> mark it as trusted.
>
> Note that installing certificates from another CA is not recommended and
> you may run into further corner cases. If you have an existing CA then
> installing the IPA dogtag CA as a subordinate is a better long-term
> solution.
>
> rob
>
>

Re: [Freeipa-users] ipa {user-find} ca cert file

2012-09-19 Thread Rob Crittenden

James James wrote:

Hi,

I have followed this
http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA
and everything works well.

Now when, from the console, I execute

$ ipa user-find

I've got

[root@ipa ipa]# ipa user-find
ipa: ERROR: cert validation failed for "E=certus...@example.com,CN=ipa.example.com,OU=TEST,O=TEST,C=FR"
((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
as not trusted by the user.)
ipa: ERROR: cannot connect to u'http://ipa.lix.example.com/ipa/xml':
[Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
been marked as not trusted by the user.

Any help will be very much appreciated.


You need to add the CA certificate to /etc/pki/nssdb on the client and 
mark it as trusted.


Note that installing certificates from another CA is not recommended and 
you may run into further corner cases. If you have an existing CA then 
installing the IPA dogtag CA as a subordinate is a better long-term 
solution.


rob



Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden

Lager, Nathan T. wrote:


- Original Message -

From: "Rob Crittenden" 
To: "Nathan Lager" 
Cc: freeipa-users@redhat.com
Sent: Tuesday, September 18, 2012 5:17:00 PM
Subject: Re: [Freeipa-users] sudden ipa errors.

Ok, what are the permissions on the keytab,
/etc/httpd/conf/ipa.keytab?
They should be apache:apache mode 0600.


[lagern@caroline0 PROD ~]$ ls -lZ /etc/httpd/conf/ipa.keytab
-rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ipa.keytab



Are you in SELinux enforcing mode? Can you try in permissive to see if
that works?

I was enforcing at the start of all of this, but I've since switched to 
permissive for troubleshooting. It hasn't made a difference.


Are you getting an HTTP service principal in the client?

$ kdestroy
$ kinit admin
$ ipa user-show admin

$ klist -fea

Let's try to skip s4u2proxy. Does this work:

$ ipa --delegate user-show admin

Unfortunately the major and minor error codes are as generic as can be 
so they aren't any help at all.


rob



[Freeipa-users] ipa {user-find} ca cert file

2012-09-19 Thread James James
Hi,

I have followed this
http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA
and everything works well.

Now when, from the console, I execute

$ ipa user-find

I've got

[root@ipa ipa]# ipa user-find
ipa: ERROR: cert validation failed for "E=certus...@example.com,CN=ipa.example.com,OU=TEST,O=TEST,C=FR"
((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to u'http://ipa.lix.example.com/ipa/xml': [Errno
-8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
marked as not trusted by the user.

Any help will be very much appreciated.


James

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Dmitri Pal


On 09/18/2012 04:37 PM, Nathan Lager wrote:
> [Tue Sep 18 16:27:06 2012] [debug] src/mod_auth_kerb.c(1597): [client
> 139.147.7.204] Done obtaining credentials for s4u2proxy, referer:
> https://caroline0.lafayette.edu/ipa/xml
> [Tue Sep 18 16:27:08 2012] [debug] src/mod_auth_kerb.c(1138): [client
> 139.147.7.204] GSS-API major_status:000d, minor_status:,
> referer: https://caroline0.lafayette.edu/ipa/xml
> [Tue Sep 18 16:27:08 2012] [error] [client 139.147.7.204]
> gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
> provide more information (, Unknown error), referer:
> https://caroline0.lafayette.edu/ipa/xml
> [Tue Sep 18 16:27:08 2012] [info] [client 139.147.7.204] (32)Broken
> pipe: core_output_filter: writing data to the network
> [Tue Sep 18 16:27:08 2012] [info] Connection to child 1 closed (server
> caroline0.lafayette.edu:443, client 139.147.7.204)
This is probably the most significant part.
It gets creds for s4u2proxy and then dies getting the what? The cred for
ldap?
Rob, is there any log that would be worth looking at in this situation?
There should be a keytab for the ldap principal. Do we know if it is OK?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Dmitri Pal


On 09/18/2012 03:06 PM, Nathan Lager wrote:
> Sorry for falling off like that.
> I opened a RedHat ticket on the issue, and have been running in
> circles with them. I forgot to check on the list for responses.
>
>
> I'm still having problems. Someone suggested I try:
>
> kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu
>
> Which i just did, and it worked, or, at least it initialized my session.
>
> I'm still unable to execute ipa commands. In fact, I'm unable to
> execute almost any ipa commands.
>
> The web interface works, but only after Red Hat had me enable kerberos
> password auth in the httpd config. So I can now auth to the web gui
> interactively, instead of requiring a kinit from my workstation.
>
> The only real client I have here is RHEV. And auth there still works
> except on accounts which have expired. Those accounts can't even
> change their passwords.
>
> Red Hat had me disable the password expiration via the web gui, however
> that hasn't helped accounts that are already expired.
>
> Red Hat is currently blaming time skew, which I think is ridiculous.

Well this is probably my fault. I looked in the case (it is huge) and
saw that there are issues with the time in the log so I suggested they
ask you to check the times to rule that part out. I have not had a
chance to follow up. But time skew usually creates all sorts of strange
things and if the time skew was the problem in the past but some
passwords were created then there might be problems with the expiration.

I was also very concerned about the framework not being able to get
kerberos ticket for whatever reason and the reason was not clear.

> I'm testing my ipa commands right on the ipa master. How could there
> possibly be time skew?

This was not clear from the case, and I also asked them to ask you just to
check the time on the server.

> I did find that the time on my replica was
> off, but my replica isn't working anyway, which is a whole other issue.
> I think it needs to be flattened and re-joined.

OK let us treat it as a separate issue.

>
>
> On 09/10/2012 08:54 AM, Dmitri Pal wrote:
> > On 08/24/2012 04:43 PM, Rob Crittenden wrote:
> >> Nathan Lager wrote:
> >>> This did not seem to help...
> >>>
> >>
> >> What else isn't working? Does the UI work? Do clients on other
> >> machines work? Does user lookup still work?
> >>
> >> rob
>
>
> > Was this issue ever resolved?
>
> >>
> >>>
> >>> On 08/22/2012 06:02 PM, Rob Crittenden wrote:
>  Nathan Lager wrote:
> > [root@ipaserver PROD krb5kdc]# ipactl status
> > Directory Service: RUNNING
> > KDC Service: RUNNING
> > KPASSWD Service: RUNNING
> > MEMCACHE Service: RUNNING
> > HTTP Service: RUNNING
> > CA Service: RUNNING
> > [root@ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
> > ipa-server-selinux-2.2.0-16.el6.x86_64
> > ipa-server-2.2.0-16.el6.x86_64
> 
>  I'd try removing /tmp/krb5cc_48. This is the ccache used by
>  Apache for doing S4U2Proxy. No restart of httpd should be
>  required.
> 
>  rob
> 
> >
> >
> > On 08/22/2012 04:08 PM, Rob Crittenden wrote:
> >> Nathan Lager wrote:
> >>>
> >>> I tried the same, kinit, and then ipa passwd commands
> >>> as before, here's the output:
> >>>
> >>> Aug 22 14:32:13 ipaserver.lafayette.edu
> >>> krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23})
> >>> ipa-servers-ip: NEEDED_PREAUTH:
> >>> lag...@systems.lafayette.edu for
> >>> krbtgt/systems.lafayette@systems.lafayette.edu,
> >>> Additional pre-authentication required
> >>>
> >>> Aug 22 14:32:19 ipaserver.lafayette.edu
> >>> krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23})
> >>> ipa-servers-ip: ISSUE: authtime 1345660339, etypes
> >>> {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu
> >>> for krbtgt/systems.lafayette@systems.lafayette.edu
> >>>
> >>> Aug 22 14:32:35 ipaserver.lafayette.edu
> >>> krb5kdc[1438](info): TGS_REQ (4 etypes {18 17 16 23})
> >>> ipa-servers-ip: ISSUE: authtime 1345660339, etypes
> >>> {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu
> >>> for HTTP/ipaserver.lafayette@systems.lafayette.edu
> >>
> >> What version of IPA is this?
> >>
> >> Does ipactl status show all services up?
> >>
> >> rob
> >
> >
> 
> 
> >>>
> >>
> >>
>
>
>


Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Petr Spacek

On 09/19/2012 01:32 PM, Dmitri Pal wrote:

On 09/19/2012 02:56 AM, Jakub Hrozek wrote:

On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:

So, commenting out:
password    requisite     pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8

Caused users updating their passwords using ssh to get:

[ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
Permission denied, please try again.
ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
Password expired. Change your password now.
Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user ykatabam.
Current Password:
Password change failed. Server message: Password change failed
passwd: Authentication token manipulation error
Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.

Is that to say that you need at least 1 password requisite? That instead of 
commenting out the password requisite pam_cracklib.so, I should have replaced 
it with something?

What did /var/log/secure have to say?

The message sounds to me like it's coming from the server.

Please look at the krb5kdc.log on the server.
This is the server side message.
Most likely it did not like the password because it did not meet the policy.
I wonder whether there is a bug in case password policy has 0 for the
required character classes.
Trying different passwords and changing the policy while watching the
log will give you more answers.


BTW if required character classes == 1 there is nothing to enforce, because 
each (non-empty) password has at least one character class.


You can check if there is some difference between 0 and 1.

Petr^2 Spacek
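The pam_cracklib line quoted above and Petr's remark about character classes, worked through as an added example that is not part of the thread. It models only pam_cracklib's length/credit/minclass arithmetic (assumed from the module's documented credit semantics; cracklib's dictionary and similarity checks and the IPA server-side policy are left out) and shows what the quoted line actually demands and why a minimum of one character class rejects nothing.

```python
"""Model of what the quoted pam_cracklib line enforces (added example).

Only the length/credit/minclass arithmetic of pam_cracklib's "simple" check is
modelled here, as an assumption drawn from the module's documented semantics;
cracklib's dictionary, palindrome and similarity checks, and the server-side
IPA password policy, are deliberately left out.
"""

# pam_cracklib's own defaults for the options modelled (minlen 9, every credit 1).
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1,
            "ocredit": 1, "minclass": 0}

# The password-auth line discussed in the thread, with the tabs collapsed.
THREAD_LINE = ("password requisite pam_cracklib.so try_first_pass retry=3 "
               "type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8")

# Which option carries the credit for each of pam_cracklib's four classes.
CREDIT_OPTION = {"digit": "dcredit", "upper": "ucredit",
                 "lower": "lcredit", "other": "ocredit"}


def parse_cracklib_line(line):
    """Return the module options of a pam_cracklib line as a dict.

    Known numeric options become ints, bare flags map to True and anything
    else (such as the empty "type=") is kept as a string.
    """
    fields = line.split()
    if len(fields) < 3 or fields[2] != "pam_cracklib.so":
        raise ValueError("not a pam_cracklib module line: %r" % line)
    opts = dict(DEFAULTS)
    for arg in fields[3:]:
        key, sep, val = arg.partition("=")
        if not sep:
            opts[key] = True
        elif key in DEFAULTS or key == "retry":
            opts[key] = int(val)
        else:
            opts[key] = val
    return opts


def char_class_counts(pw):
    """Characters per class, split the way pam_cracklib splits them."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in pw:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts


def class_count(pw):
    """Number of distinct classes present: the quantity a minclass rule tests."""
    return sum(1 for n in char_class_counts(pw).values() if n > 0)


def check_password(pw, opts):
    """Apply the credit rules; return (accepted, reason).

    A negative credit is a hard minimum for that class.  A non-negative credit
    lets up to that many characters of the class count twice towards minlen,
    so mixing classes lowers the length actually required.
    """
    counts = char_class_counts(pw)
    required_len = opts["minlen"]
    for cls, opt in CREDIT_OPTION.items():
        credit = opts[opt]
        if credit < 0:
            if counts[cls] < -credit:
                return False, "needs at least %d %s character(s)" % (-credit, cls)
        else:
            required_len -= min(counts[cls], credit)
    if len(pw) < required_len:
        return False, "length %d is below the required %d" % (len(pw), required_len)
    if class_count(pw) < opts["minclass"]:
        return False, "needs %d character classes, has %d" % (
            opts["minclass"], class_count(pw))
    return True, "ok"


def minclass_is_vacuous(passwords, minclass):
    """True when a minclass rule of this size rejects none of the samples."""
    return all(class_count(pw) >= minclass for pw in passwords if pw)


def demo():
    """Constructed sample passwords run against the thread's line."""
    opts = parse_cracklib_line(THREAD_LINE)
    samples = ["summerrain", "summerrain1", "Summerrain1!", "Sr1!"]
    return {pw: check_password(pw, opts) for pw in samples}


if __name__ == "__main__":
    for pw, (ok, why) in demo().items():
        print("%-14s %s (%s)" % (pw, "accepted" if ok else "rejected", why))
    # Every non-empty password has a class, so minclass=1 enforces nothing.
    print("minclass=1 vacuous:", minclass_is_vacuous(["a", "1", "!"], 1))
```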



Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Dmitri Pal
On 09/19/2012 02:56 AM, Jakub Hrozek wrote:
> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
>> So, commenting out: 
>> password    requisite     pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
>>
>> Caused users updating their passwords using ssh to get:
>>
>> [ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>> Permission denied, please try again.
>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>> Password expired. Change your password now.
>> Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
>> WARNING: Your password has expired.
>> You must change your password now and login again!
>> Changing password for user ykatabam.
>> Current Password:
>> Password change failed. Server message: Password change failed
>> passwd: Authentication token manipulation error
>> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>>
>> Is that to say that you need at least 1 password requisite? That instead of 
>> commenting out the password requisite pam_cracklib.so, I should have 
>> replaced it with something?
> What did /var/log/secure have to say?
>
> The message sounds to me like it's coming from the server.
Please look at the krb5kdc.log on the server.
This is the server side message.
Most likely it did not like the password because it did not meet the policy.
I wonder whether there is a bug in case password policy has 0 for the
required character classes.
Trying different passwords and changing the policy while watching the
log will give you more answers.

>




Re: [Freeipa-users] NFS on Mac

2012-09-19 Thread Ondrej Valousek

What about this one?
http://code.google.com/p/macnfsv4/wiki/HOWTO
Looks like rpc.idmapd on Linux == nfsuserd on Mac.
O.


On 09/19/2012 10:18 AM, Sigbjorn Lie wrote:

As usual, if someone is interested in sending me a Mac I'll be happy to do the 
testing and submit
the results.

*grin* :)



Regards,
Siggi



On Wed, September 19, 2012 10:08, Petr Spacek wrote:

On 09/17/2012 10:32 PM, Steven Jones wrote:


If anyone has MAC instructions' I'd love a copy pls.


As usual, we can create an account on the freeipa.org wiki if anybody is interested
in creating a how-to. That is the best place to share.

Let us know!


Petr^2 Spacek



--
*From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
*Sent:* Tuesday, 18 September 2012 6:47 a.m.
*To:* george he
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] NFS on Mac


On 09/17/2012 02:21 PM, george he wrote:


Sounds to me like the link may work for NFS version 3 only. Now with IPA and NFS4, 
there has got to be something more.
George


I do not know the exact steps on Mac because there is no ipa-client on Mac, so
you would have to configure the machine to be an IPA client manually. This 
would mean that you need to authenticate with Kerberos and then make the NFS 
part use the credential cache of the logged-in user (if you are planning to 
use it for users mounting shares). This is what needs to happen conceptually. 
I know that people have done it in the past but I do not think there are 
instructions.

Once you have managed to do it, please see the presentation on how to set up
secure NFS on Linux:
http://rhsummit.files.wordpress.com/2012/03/dickson_the_evolution_nfs_protocol.pdf
Maybe it will give you some hints and pointers.


The only known problem with this slide deck is that on slide 18, after kinit
admin and before ipa-getkeytab, you need to add a service for the NFS server:

ipa service-add nfs/`hostname`@EXAMPLE

HTH


--
*From:* Dmitri Pal
*To:* freeipa-users@redhat.com
*Sent:* Monday, September 17, 2012 11:20 AM
*Subject:* Re: [Freeipa-users] NFS on Mac


On 09/17/2012 11:07 AM, george he wrote:


Hello all,
I have IPA server and NFS server set up on a computer running CentOS 6.3.
Is there a way to set up a Mac laptop to access the data on the NFS server?
The laptop does not have a static IP. DNS is not configured with IPA.
If yes, how do I configure the Mac?


Is this what you are looking for?
http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/



Thanks,
George







Re: [Freeipa-users] NFS on Mac

2012-09-19 Thread Sigbjorn Lie
As usual, if someone is interested in sending me a Mac I'll be happy to do the 
testing and submit
the results.

*grin* :)



Regards,
Siggi



On Wed, September 19, 2012 10:08, Petr Spacek wrote:
> On 09/17/2012 10:32 PM, Steven Jones wrote:
>
>> If anyone has MAC instructions' I'd love a copy pls.
>>
>
> As usual, we can create an account on the freeipa.org wiki if anybody is interested
> in creating a how-to. That is the best place to share.
>
> Let us know!
>
>
> Petr^2 Spacek
>
>
>>
>> --
>> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] 
>> on
>> behalf of Dmitri Pal [d...@redhat.com] *Sent:* Tuesday, 18 September 2012 
>> 6:47 a.m.
>> *To:* george he
>> *Cc:* freeipa-users@redhat.com
>> *Subject:* Re: [Freeipa-users] NFS on Mac
>>
>>
>> On 09/17/2012 02:21 PM, george he wrote:
>>
>>> Sounds to me like the link may work for NFS version 3 only. Now with IPA and 
>>> NFS4, there has got to be
>>> something more. George
>>>
>>
>> I do not know the exact steps on Mac because there is no ipa-client on Mac, so
>> you would have to configure the machine to be an IPA client manually. This 
>> would mean that you need to authenticate with Kerberos and then make the NFS 
>> part use the credential cache of the logged-in user (if you are planning to 
>> use it for users mounting shares). This is what needs to happen conceptually. 
>> I know that people have done it in the past but I do not think there are 
>> instructions.
>>
>> Once you have managed to do it, please see the presentation on how to set up
>> secure NFS on Linux:
>> http://rhsummit.files.wordpress.com/2012/03/dickson_the_evolution_nfs_protocol.pdf
>> Maybe it will give you some hints and pointers.
>>
>>
>> The only known problem with this slide deck is that on slide 18, after kinit
>> admin and before ipa-getkeytab, you need to add a service for the NFS server:
>>
>> ipa service-add nfs/`hostname`@EXAMPLE
>>
>> HTH
>>
>>>
>>> --
>>> *From:* Dmitri Pal 
>>> *To:* freeipa-users@redhat.com
>>> *Sent:* Monday, September 17, 2012 11:20 AM
>>> *Subject:* Re: [Freeipa-users] NFS on Mac
>>>
>>>
>>> On 09/17/2012 11:07 AM, george he wrote:
>>>
 Hello all,
 I have IPA server and NFS server set up on a computer running CentOS 6.3.
 Is there a way to set up a Mac laptop to access the data on the NFS server?
 The laptop does not have a static IP. DNS is not configured with IPA.
 If yes, how do I configure the Mac?

>>>
>>> Is this what you are looking for?
>>> http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/
>>>
>>>
 Thanks,
 George

>
>
>




Re: [Freeipa-users] NFS on Mac

2012-09-19 Thread Petr Spacek

On 09/17/2012 10:32 PM, Steven Jones wrote:

If anyone has MAC instructions' I'd love a copy pls.


As usual, we can create an account on the freeipa.org wiki if anybody is interested 
in creating a how-to. That is the best place to share.


Let us know!

Petr^2 Spacek



--
*From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
behalf of Dmitri Pal [d...@redhat.com]
*Sent:* Tuesday, 18 September 2012 6:47 a.m.
*To:* george he
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] NFS on Mac

On 09/17/2012 02:21 PM, george he wrote:

Sounds to me like the link may work for NFS version 3 only.
Now with IPA and NFS4, there has got to be something more.
George


I do not know the exact steps on Mac because there is no ipa-client on Mac, so
you would have to configure the machine to be an IPA client manually.
This would mean that you need to authenticate with Kerberos and then make the
NFS part use the credential cache of the logged-in user (if you are planning
to use it for users mounting shares). This is what needs to happen
conceptually. I know that people have done it in the past but I do not think
there are instructions.

Once you have managed to do it, please see the presentation on how to set up
secure NFS on Linux:
http://rhsummit.files.wordpress.com/2012/03/dickson_the_evolution_nfs_protocol.pdf
Maybe it will give you some hints and pointers.

The only known problem with this slide deck is that on slide 18, after kinit
admin and before ipa-getkeytab, you need to add a service for the NFS server:

ipa service-add nfs/`hostname`@EXAMPLE

HTH



--
*From:* Dmitri Pal 
*To:* freeipa-users@redhat.com
*Sent:* Monday, September 17, 2012 11:20 AM
*Subject:* Re: [Freeipa-users] NFS on Mac

On 09/17/2012 11:07 AM, george he wrote:

Hello all,
I have IPA server and NFS server set up on a computer running CentOS 6.3.
Is there a way to set up a Mac laptop to access the data on the NFS server?
The laptop does not have a static IP. DNS is not configured with IPA.
If yes, how do I configure the Mac?


Is this what you are looking for?
http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/


Thanks,
George




Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Tim Hildred
Sep 19 11:40:43 dns1 sshd[11197]: pam_sss(sshd:account): User info message: 
Password expired. Change your password now.
Sep 19 11:40:43 dns1 sshd[11197]: Accepted password for ykatabam from 
10.64.48.102 port 47713 ssh2
Sep 19 11:40:43 dns1 sshd[11197]: pam_unix(sshd:session): session opened for 
user ykatabam by (uid=0)
Sep 19 11:40:43 dns1 passwd: pam_unix(passwd:chauthtok): user "ykatabam" does 
not exist in /etc/passwd
Sep 19 11:41:21 dns1 passwd: pam_unix(passwd:chauthtok): user "ykatabam" does 
not exist in /etc/passwd
Sep 19 11:41:22 dns1 sshd[11201]: Received disconnect from 10.64.48.102: 11: 
disconnected by user
Sep 19 11:41:22 dns1 sshd[11197]: pam_unix(sshd:session): session closed for 
user ykatabam
Sep 19 14:40:33 dns1 sshd[3]: Received disconnect from 10.64.15.231: 11: 
disconnected by user

Looks like you're right Jakub. 

From what I gather:
- the server requires a complex password in that cracklib.so, so it was 
suggested I take that "password requisite cracklib.so" out. 
- with that gone, it looks kind of like IPA doesn't come into the picture?

I uncommented that line, and now it all works again, but I'm back to 
really-stringent-password-requirement-town.

What next?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

- Original Message -
> From: "Jakub Hrozek" 
> To: "Tim Hildred" 
> Cc: freeipa-users@redhat.com
> Sent: Wednesday, September 19, 2012 4:56:42 PM
> Subject: Re: [Freeipa-users] Password requirements too stringent
> 
> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
> > So, commenting out:
> > password    requisite     pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
> > 
> > Caused users updating their passwords using ssh to get:
> > 
> > [ykatabam@ykatabam ~]$ ssh
> > ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
> > ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> > Permission denied, please try again.
> > ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> > Password expired. Change your password now.
> > Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user ykatabam.
> > Current Password:
> > Password change failed. Server message: Password change failed
> > passwd: Authentication token manipulation error
> > Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
> > 
> > Is that to say that you need at least 1 password requisite? That
> > instead of commenting out the password requisite pam_cracklib.so,
> > I should have replaced it with something?
> 
> What did /var/log/secure have to say?
> 
> The message sounds to me like it's coming from the server.
> 



Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Jakub Hrozek
On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
> So, commenting out: 
> password    requisite     pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
> 
> Caused users updating their passwords using ssh to get:
> 
> [ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> Permission denied, please try again.
> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> Password expired. Change your password now.
> Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user ykatabam.
> Current Password:
> Password change failed. Server message: Password change failed
> passwd: Authentication token manipulation error
> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
> 
> Is that to say that you need at least 1 password requisite? That instead of 
> commenting out the password requisite pam_cracklib.so, I should have replaced 
> it with something?

What did /var/log/secure have to say?

The message sounds to me like it's coming from the server.
