Re: [Freeipa-users] reboot required after ipa-client-install?

2013-11-08 Thread Dean Hunter
On Thu, 2013-11-07 at 22:17 -0500, Dmitri Pal wrote:

> On 11/07/2013 06:20 PM, Dean Hunter wrote: 
> 
> > On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:
> > 
> > > On 11/07/2013 12:59 PM, Dean Hunter wrote: 
> > > 
> > > > On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
> > > > 
> > > > > On 11/07/2013 12:21 PM, Dean Hunter wrote: 
> > > > > 
> > > > > > On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote: 
> > > > > > 
> > > > > > > On Wed, 06 Nov 2013, Dean Hunter wrote:
> > > > > > > 
> > > > > > > > After building a new VM and configuring the IPA 3.3.2 client, Gnome
> > > > > > > > seems to only perform a local log-in until the system is rebooted. SSH
> > > > > > > > works with IPA, but not Gnome. Is this correct? Is there anything less
> > > > > > > > disruptive than a reboot that I can do?
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > > Restart gdm.service?
> > > > > > > I'm not sure how gdm handles PAM auth.
> > > > > > 
> > > > > > 
> > > > > > I have tried:
> > > > > > 
> > > > > > ipa-client-install ...
> > > > > > systemctl restart gdm.service
> > > > > > 
> > > > > > but the behavior remains the same. The Gnome log in screen
> > > > > > accepts the user name, pauses about 25 seconds, then
> > > > > > displays the log in screen again without any messages or
> > > > > > indication of a problem. This is the same behavior I see
> > > > > > when entering an incorrect local user name before
> > > > > > configuring IPA.
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > 
> > > > > Can it be a DIR cache issue and the fact that the directory
> > > > > is not created at the proper time?
> > > > 
> > > > 
> > > > Which directory, please?
> > > 
> > > 
> > > If you are hitting the DIR cache issue (which I am not sure is the
> > > case; this is why I asked about AVCs), then the directory we are
> > > talking about is /var/run/usr/ 
> > > This directory should be created by the Kerberos library when it tries
> > > to authenticate a user. But it might not be able to, since the parent
> > > directory /var/run/usr might not be created yet. This is one of
> > > the reasons why we decided not to continue down the path of DIR cache
> > > but switched to using the kernel-based ccache.
> > > 
> > > 
> > > 
> > > > 
> > > > 
> > > > > Do you see any AVCs?
> > > 
> > > 
> > > Question still stands.
> > 
> > 
> > I see no AVCs:
> > 
> > [root@ipa ~]# ausearch --message AVC
> > 
> > [root@ipa ~]# 
> > 
> > 
> > I did find this in the man page for nsswitch.conf:
> > 
> > FILES
> >        A service named SERVICE is implemented by a shared object library named
> >        libnss_SERVICE.so.X that resides in /lib.
> > 
> >        /etc/nsswitch.conf        NSS configuration file.
> >        /lib/libnss_compat.so.X   implements "compat" source.
> >        /lib/libnss_db.so.X       implements "db" source.
> >        /lib/libnss_dns.so.X      implements "dns" source.
> >        /lib/libnss_files.so.X    implements "files" source.
> >        /lib/libnss_hesiod.so.X   implements "hesiod" source.
> >        /lib/libnss_nis.so.X      implements "nis" source.
> >        /lib/libnss_nisplus.so.X  implements "nisplus" source.
> > 
> > NOTES
> >        Within each process that uses nsswitch.conf, the entire file is read
> >        only once.  If the file is later changed, the process will continue
> >        using the old configuration.
> > 
> > 
> > Is this why the default configuration of nsswitch.conf is changing
> > in Fedora 20, as noted in one of the preceding e-mails?
> > 
> 
> 
> 
> Yes, I think SSS is now included by default. But if the man page does not
> list it, it is probably a bug in the man page.


Hmm, I just built a Fedora 20 Beta VM.  /etc/nsswitch.conf is no
different than after a Fedora 19 build.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
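The thread above turns on whether the client's nsswitch.conf actually routes the identity databases through sssd, and on the man-page caveat that a running process keeps the nsswitch.conf it read at startup. The following script is an added example, not part of the mail thread or of the ipa-client-install code: it parses nsswitch.conf text, reports which identity databases do not list a given source (sss by default), and shows the edit that adds it. The sample file content is constructed; run it against /etc/nsswitch.conf by passing the path as the first argument.

```python
"""Check whether nsswitch.conf routes identity lookups through sssd.

Added example; not code from the thread or from FreeIPA.  The sample
file content below is constructed, not copied from any host.
"""
import sys

# Databases a FreeIPA client must resolve via sssd for console/GDM logins
# to see IPA users (assumption: this is the set that matters here).
IDENTITY_DBS = ("passwd", "shadow", "group")

# Constructed sample, mirroring a files-only default.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files
shadow:     files
group:      files
hosts:      files dns
netgroup:   files
"""


def parse_nsswitch(text):
    """Return {database: [sources, ...]} from nsswitch.conf text.

    Comment and blank lines are skipped; action specifiers such as
    [NOTFOUND=return] are dropped so that only source names remain.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, rest = line.partition(":")
        table[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return table


def databases_missing_source(text, source="sss", dbs=IDENTITY_DBS):
    """List the identity databases that do not consult `source`."""
    table = parse_nsswitch(text)
    return [db for db in dbs if source not in table.get(db, [])]


def add_source(text, source="sss", dbs=IDENTITY_DBS):
    """Return nsswitch.conf text with `source` appended to each database in
    `dbs` that lacks it.  Per the man page quoted in the thread, processes
    that already read the old file keep using it until they are restarted,
    so editing the file alone does not fix an already-running login manager.
    """
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        db, sep, rest = line.partition(":")
        db = db.strip()
        if sep and db in dbs and source not in rest.split():
            raw = raw.rstrip() + " " + source
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NSSWITCH
    missing = databases_missing_source(text)
    print("databases without sss:", ", ".join(missing) if missing else "none")
```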

Re: [Freeipa-users] Access differentiation in group policy

2013-11-08 Thread Rob Crittenden

Исаев Виталий Анатольевич wrote:

Rob, I apologize, just one more question. We dealt with the editing of 
attributes, but it is still not clear whether it is possible to restrict adding 
a user to an isolated group when the user is a member of another isolated 
group.


I'm not sure I follow. As you can see, this sort of access control can 
get very complex :-) Can you provide an example of what you want to do?


rob







Re: [Freeipa-users] Access differentiation in group policy

2013-11-08 Thread Исаев Виталий Анатольевич
Rob, I apologize, just one more question. We dealt with the editing of 
attributes, but it is still not clear whether it is possible to restrict adding 
a user to an isolated group when the user is a member of another isolated 
group. 



Re: [Freeipa-users] Access differentiation in group policy

2013-11-08 Thread Исаев Виталий Анатольевич
Thank you, Rob! This example is very useful. 


Vitaly Isaev
Software Engineer
Information Security Department
Fintech JSC



Re: [Freeipa-users] Access differentiation in group policy

2013-11-08 Thread Rob Crittenden

Исаев Виталий Анатольевич wrote:

Dear colleagues, we are facing an issue of access differentiation for
junior IPA admins. Our idea was to create several (say, three: group1,
group2, group3) isolated groups with one junior admin per group.

The group isolation means that the admin of group1 is not able to add to his
group either users or subgroups that are members of other global groups (i.e.
group2, group3).

We have attempted to accomplish this by RBAC for every junior admin.  It
was pointed out that the admin can modify the objects (users,
subgroups) belonging to his group only.  However, every user enrolled in
IPA can see all the other objects by default, therefore any junior admin
can add users and subgroups FROM THE OTHER isolated group to his group
with no restrictions.

So the question is: how to implement (the specified) group “isolation”
in IPA?

We’re running on RHEL 6.4 with IPA 3.0. Thank you.


You need to create some custom permissions that limit the capabilities 
by memberof.


I set up a simple system with a couple of users:

kinit admin
ipa group-add --desc=g1 g1
ipa group-add --desc=g2 g2
ipa user-add --first=group1 --last=user1 g1u1
ipa user-add --first=group2 --last=user1 g2u1
ipa group-add-member --users g1u1 g1
ipa group-add-member --users g2u1 g2
ipa user-add --first=group1 --last=admin1 g1a1
ipa group-add-member --users g1a1 g1
ipa passwd g1a1

g1a1 is going to be my junior admin

Next I created a permission so junior admins can manage the telephone 
number. This permission allows the phone number attribute to be written 
only for members of the group g1.


ipa permission-add --attrs=telephonenumber --memberof=g1 --permissions=write g1_modify_members

ipa privilege-add g1_junior_admin --desc='Group 1 junior admin'
ipa privilege-add-permission --permissions=g1_modify_members g1_junior_admin
ipa role-add --desc='Group 1 junior admin' group1
ipa role-add-privilege --privileges=g1_junior_admin group1
ipa role-add-member --users=g1a1 group1

So members of the group1 role can modify the telephonenumber attribute 
of its members.


Let's see it in action:

kinit g1a1
ipa user-mod --phone=410-555-1212 g1u1

Modified user "g1u1"

  User login: g1u1
  First name: group1
  Last name: user1
  Home directory: /home/g1u1
  Login shell: /bin/sh
  Email address: g...@example.com
  UID: 119704
  GID: 119704
  Telephone Number: 410-555-1212
  Account disabled: False
  Password: False
  Member of groups: ipausers, g1
  Kerberos keys available: False

Try another attribute and it fails as expected:
ipa user-mod --fax=410-555-1212 g1u1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
'facsimileTelephoneNumber' attribute of entry 
'uid=g1u1,cn=users,cn=accounts,dc=example,dc=com'.


Change the phone number of a non-member of the group and it also fails 
as expected:

ipa user-mod --phone=410-555-1213 g2u1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
'telephoneNumber' attribute of entry 
'uid=g2u1,cn=users,cn=accounts,dc=example,dc=com'.


rob

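Rob's commands above create a permission whose scope is the memberof of the target entry. The Python model below is an added example, not code from the thread or from FreeIPA: it reproduces the three outcomes he demonstrates (phone on g1u1 allowed, fax on g1u1 denied, phone on g2u1 denied) by evaluating a simplified form of the directory ACI that `ipa permission-add --memberof=g1 ...` produces. The text rendered by `aci()` is my recollection of the FreeIPA 3.x ACI shape and is illustrative only; the users, role bindings and the dc=example,dc=com suffix are constructed to match his example.

```python
"""Model of how a memberof-scoped FreeIPA permission decides writes.

Added example; not code from the thread or from FreeIPA.  Directory
state and role bindings below are constructed to match Rob's setup.
"""
from dataclasses import dataclass

BASE_DN = "dc=example,dc=com"   # suffix seen in the thread's error messages


def user_dn(uid):
    return "uid=%s,cn=users,cn=accounts,%s" % (uid, BASE_DN)


def group_dn(cn):
    return "cn=%s,cn=groups,cn=accounts,%s" % (cn, BASE_DN)


@dataclass(frozen=True)
class Permission:
    name: str
    attrs: frozenset    # targetattr names, lowercase
    memberof: str       # group cn the *target entry* must belong to
    rights: frozenset   # e.g. {"write"}

    def aci(self):
        """Approximate ACI text FreeIPA 3.x stores for such a permission.
        Assumed shape, rendered for illustration only."""
        return (
            '(targetattr = "%s")(targetfilter = "(memberOf=%s)")'
            '(version 3.0;acl "permission:%s";allow (%s) '
            'groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s";)'
            % (" || ".join(sorted(self.attrs)), group_dn(self.memberof),
               self.name, ",".join(sorted(self.rights)), self.name, BASE_DN)
        )

    def allows(self, right, target_memberof, attr):
        """True if this permission grants `right` on `attr` of an entry
        whose memberOf values are `target_memberof`.  Note that the
        targetfilter is checked against the entry being written, not
        against any value being written into it."""
        return (right in self.rights
                and attr.lower() in self.attrs
                and group_dn(self.memberof) in target_memberof)


# Constructed directory state: memberOf values of each user entry.
USERS = {
    "g1u1": {group_dn("ipausers"), group_dn("g1")},
    "g2u1": {group_dn("ipausers"), group_dn("g2")},
    "g1a1": {group_dn("ipausers"), group_dn("g1")},
}

G1_MODIFY_MEMBERS = Permission(
    name="g1_modify_members",
    attrs=frozenset({"telephonenumber"}),
    memberof="g1",
    rights=frozenset({"write"}),
)

# role group1 -> privilege g1_junior_admin -> permission g1_modify_members
ROLE_MEMBERS = {"group1": {"g1a1"}}
ROLE_PERMISSIONS = {"group1": [G1_MODIFY_MEMBERS]}


def effective_permissions(bind_uid):
    """Permissions reachable from the roles the bound user is a member of."""
    perms = []
    for role, members in ROLE_MEMBERS.items():
        if bind_uid in members:
            perms.extend(ROLE_PERMISSIONS[role])
    return perms


def can_write(bind_uid, target_uid, attr):
    """Deny by default: access is granted only if some permission allows it."""
    target_groups = USERS[target_uid]
    return any(p.allows("write", target_groups, attr)
               for p in effective_permissions(bind_uid))


def explain(bind_uid, target_uid, attr):
    verdict = "allowed" if can_write(bind_uid, target_uid, attr) else "DENIED"
    return "%s writing %s on %s: %s" % (bind_uid, attr, user_dn(target_uid), verdict)


if __name__ == "__main__":
    print(G1_MODIFY_MEMBERS.aci())
    for case in (("g1a1", "g1u1", "telephoneNumber"),
                 ("g1a1", "g1u1", "facsimileTelephoneNumber"),
                 ("g1a1", "g2u1", "telephoneNumber")):
        print(explain(*case))
```

The model makes one property of this kind of permission explicit: the memberof filter limits which entries and attributes a junior admin may write, not which values he may write into them. That is why Vitaly's original complaint stands for group membership itself: a write right on a group's member attribute scoped this way says nothing about whose DN is being added.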

Re: [Freeipa-users] External CA

2013-11-08 Thread John Dennis
On 11/08/2013 08:53 AM, John Dennis wrote:
> FWIW I've authored a set of Python utilities to work with PEM files for
> OpenStack. They work just fine with PEM blocks embedded in non-PEM
> text. I was thinking the utilities would also be useful in FreeIPA (in
> fact my experience in IPA is what guided the development of these
> utilities). I'll try to get them up in a git repo shortly and send a pointer.

Done.

git clone git://fedorapeople.org/~jdennis/utilities.git

Look in the x509 subdirectory; there are also unit tests for both modules.

-- 
John



[Freeipa-users] Access differentiation in group policy

2013-11-08 Thread Исаев Виталий Анатольевич
Dear colleagues, we are facing an issue of access differentiation for junior 
IPA admins. Our idea was to create several (say, three: group1, group2, 
group3) isolated groups with one junior admin per group.

The group isolation means that the admin of group1 is not able to add to his 
group either users or subgroups that are members of other global groups (i.e. 
group2, group3).

We have attempted to accomplish this by RBAC for every junior admin.  It was 
pointed out that the admin can modify the objects (users, subgroups) belonging 
to his group only.  However, every user enrolled in IPA can see all the other 
objects by default, therefore any junior admin can add users and subgroups FROM 
THE OTHER isolated group to his group with no restrictions.

So the question is: how to implement (the specified) group "isolation" in IPA?

We're running on RHEL 6.4 with IPA 3.0. Thank you.

Vitaly Isaev
Software Engineer
Information Security Department
Fintech JSC


Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?

2013-11-08 Thread Rob Crittenden


Ok, I'm not sure if the caServerCert error is a red herring or not. Does 
/usr/share/pki/ca/profiles/ca/caServerCert.cfg exist? Does rpm -V pki-ca 
pass?


I wonder if the certificate you're passing is valid. Can openssl x509 
-text -in /path/to/ca.crt show the cert ok?


rob



Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?

2013-11-08 Thread Andrea Bontempi
> /usr/share/pki/ca/profiles/ca/caServerCert.cfg exist? 

Yes

> Does rpm -V pki-ca pass?

No response

> Can openssl x509 -text -in /path/to/ca.crt show the cert ok?

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1383914316 (0x527cdb4c)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=DBM
        Validity
            Not Before: Nov  8 12:38:37 2013 GMT
            Not After : Feb 16 12:38:38 2014 GMT
        Subject: O=DBMSRL.COM, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:4b... [omissis]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Alternative Name: 
                email:d...@dbmsrl.com
            X509v3 Extended Key Usage: 
                Code Signing, OCSP Signing, Time Stamping
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                2D:21:C5:07... [omissis]
            X509v3 Authority Key Identifier: 
                keyid:2A:B7... [omissis]




Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?

2013-11-08 Thread Andrea Bontempi
Here is the log /var/log/pki/pki-tomcat/ca/debug:

[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet:service() uri = /ca/ee/ca/profileSubmit
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='xmlOutput' value='true'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='requestor_name' value='IPA Installer'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='profileId' value='caServerCert'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='cert_request' value='MIICazCCAVMCAQ...[omissis]'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: caProfileSubmit start to service.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: xmlOutput true
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: isRenewal false
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: Profile caServerCert Not Found
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: bad data provided in processing request: Profile caServerCert Not Found
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: curDate=Fri Nov 08 13:40:43 CET 2013 id=caProfileSubmit time=100

Log /var/log/pki/pki-tomcat/ca/system:

1434.http-bio-8443-exec-3 - [08/nov/2013:13:37:38 CET] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
1434.http-bio-8443-exec-7 - [08/nov/2013:13:40:19 CET] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException

Thank you



Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?

2013-11-08 Thread Rob Crittenden

Andrea Bontempi wrote:

Hi, I'm trying to install FreeIPA with an external CA (again).

Now I use FreeIPA 3.3.* and I found a strange error on "[17/22]: requesting RA 
certificate from CA":


2013-11-08T11:07:38Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1096, in main
    subject_base=options.subject)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1089, in __request_ra_certificate
    self.requestId = item_node[0].childNodes[0].data

2013-11-08T11:07:38Z DEBUG The ipa-server-install command failed, exception: IndexError: list index out of range


So, I opened /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py at 
line 1089:


      # Send the request to the CA
      conn = httplib.HTTPConnection(
          self.fqdn, self.dogtag_constants.UNSECURE_PORT)
      params = urllib.urlencode({'profileId': 'caServerCert',
                                 'cert_request_type': 'pkcs10',
                                 'requestor_name': 'IPA Installer',
                                 'cert_request': csr,
                                 'xmlOutput': 'true'})
      headers = {"Content-type": "application/x-www-form-urlencoded",
                 "Accept": "text/plain"}

      conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
      res = conn.getresponse()
      if res.status == 200:
          data = res.read()
          conn.close()
          doc = xml.dom.minidom.parseString(data)
          item_node = doc.getElementsByTagName("RequestId")
          # <-- exception here: IndexError: list index out of range
          #     (the reply carries no RequestId element, so item_node is empty)
          self.requestId = item_node[0].childNodes[0].data
          doc.unlink()
          self.requestId = self.requestId.strip()
          if self.requestId is None:
              raise RuntimeError("Unable to determine RA certificate requestId")


I read the value of "data":




1
Profile caServerCert Not Found



Can someone help me?


I'd check out the CA logs in /var/log/pki/pki-tomcat/ca for more 
information.


rob

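The cainstance.py excerpt Andrea quotes indexes `item_node[0]` straight away, so a CA error reply (which carries no RequestId, only a status and a message such as "Profile caServerCert Not Found") surfaces as an IndexError instead of the CA's own explanation. The function below is an added example, not the installer's code, showing how the reply can be checked before the request id is read. The element names Status and Error are assumptions inferred from the tag-stripped reply in the mail, and both sample replies are constructed.

```python
"""Defensive parsing of a Dogtag profileSubmit XML reply.

Added example; not FreeIPA's installer code.  Element names Status and
Error are assumptions; the sample replies below are constructed.
"""
import xml.dom.minidom
from xml.parsers.expat import ExpatError


class CAError(RuntimeError):
    """Raised when the CA reports a failure for a profile submission."""


def _text(doc, tag):
    """Text content of the first <tag> element, or None if absent/empty."""
    nodes = doc.getElementsByTagName(tag)
    if not nodes or not nodes[0].childNodes:
        return None
    return nodes[0].childNodes[0].data.strip()


def parse_profile_submit(data):
    """Return the RequestId from a profileSubmit reply, or raise CAError
    carrying the CA's own message instead of a bare IndexError."""
    try:
        doc = xml.dom.minidom.parseString(data)
    except ExpatError as e:
        raise CAError("CA reply is not well-formed XML: %s" % e)
    try:
        status = _text(doc, "Status")        # assumption: "0" means success
        error = _text(doc, "Error")
        request_id = _text(doc, "RequestId")  # element the installer reads
    finally:
        doc.unlink()
    if status not in (None, "0"):
        raise CAError("CA rejected request (status %s): %s"
                      % (status, error or "no detail given"))
    if not request_id:
        raise CAError("CA reply contains no RequestId: %r" % (data[:200],))
    return request_id


# Constructed sample replies (shape assumed, not captured from a CA).
SUCCESS_REPLY = (b"<XMLResponse><Status>0</Status><Requests><Request>"
                 b"<RequestId>7</RequestId></Request></Requests></XMLResponse>")
ERROR_REPLY = (b"<XMLResponse><Status>1</Status>"
               b"<Error>Profile caServerCert Not Found</Error></XMLResponse>")

if __name__ == "__main__":
    print("success reply ->", parse_profile_submit(SUCCESS_REPLY))
    try:
        parse_profile_submit(ERROR_REPLY)
    except CAError as e:
        print("error reply ->", e)
```

With this check in place the installer log would have carried the "Profile caServerCert Not Found" text directly, which is the same message Rob later asks Andrea to dig out of /var/log/pki/pki-tomcat/ca/debug.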


Re: [Freeipa-users] ipa cli AttributeError: KerbTransport instance has no attribute '_conn'

2013-11-08 Thread Jonathan Underwood
On 8 November 2013 13:46, Dmitri Pal  wrote:
> On 11/08/2013 08:17 AM, Jonathan Underwood wrote:
>> Sooo I think that means the problem lies with apache and NSS, right?
>
>
> Or in the negotiated authentication.
> Is there anything in the kerberos logs on the server side?

Nothing error wise.

> Can you do an ldap connection using GSSAPI from the client?

Yep. (Note the client machine in all my tests has actually been the
same machine as the server).

> May be KDC is not accessible because FW does allow access to the KDC port?
>

Nope, 'tisn't that; I have stopped the iptables service, and also done a
setenforce 0.

> Just some ideas what to check...
>

OK, I am getting closer to diagnosing the problem. On the server
machine I had also configured apache to serve up another name based
vhost. Removing that vhost config and restarting httpd caused the ipa
ping command to work successfully. So, this seems to be a problem with
httpd/mod_nss and hosting IPA and other vhosts. Note the other vhost
wasn't using nss or ssl. I'll dig some more.



Re: [Freeipa-users] External CA

2013-11-08 Thread John Dennis
On 11/08/2013 04:56 AM, Petr Viktorin wrote:
> On 11/08/2013 09:01 AM, Martin Kosek wrote:
>> Thanks for heads up. You mean by the difference between "O=MW" and
>> "O=MELTWATER.COM"?

>> Petr, is this possible? Can it be validated in the the installer if this is 
>> the
>> root cause?

That's a good question. Typically with cert validation only the CN
component in the subject is cross-checked. More aggressive validators
are free to examine all RDNs in the subject (not sure what the PKIX
behavior is with respect to other RDNs). Of course this isn't cert
validation, but validating a CSR is closely related. The first place I
would look is the Dogtag policy.

> It is possible. It's hard to tell without the logs; looks like the 
> failure was inside Dogtag. There may be more issues; for instance I 
> don't think we considered PEM files with extra data before the BEGIN 
> CERTIFICATE.
> I filed a ticket to investigate: 
> https://fedorahosted.org/freeipa/ticket/4019

FWIW I've authored a set of Python utilities to work with PEM files for
OpenStack. They work just fine with PEM blocks embedded in non-PEM
text. I was thinking the utilities would also be useful in FreeIPA (in
fact my experience in IPA is what guided the development of these
utilities). I'll try to get them up in a git repo shortly and send a pointer.

-- 
John

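Petr's concern above is PEM files that carry extra data before the BEGIN CERTIFICATE line (an openssl text dump, CA notes, mail headers), and John mentions utilities that cope with such files. The extractor below is an added example, written for this thread; it is not John's utilities and not FreeIPA code. It pulls every well-formed PEM block out of arbitrary text, skips blocks whose body is not valid base64, and reports the block labels so a caller can notice, for instance, that a file handed over as "the CA certificate" also contains a private key. The sample input is constructed.

```python
"""Extract PEM blocks from text that also contains non-PEM material.

Added example; not John's utilities and not FreeIPA code.  SAMPLE is a
constructed input, not a real certificate.
"""
import base64
import binascii
import re

# One PEM block: BEGIN/END labels must match; body is base64, possibly
# wrapped across lines.  DOTALL lets the body span newlines.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>.*?)\s*"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def find_pem_blocks(text):
    """Return [(label, der_bytes), ...] for every valid PEM block in `text`.

    Anything outside the BEGIN/END armor is ignored, so an openssl
    'Certificate:' dump or notes ahead of the block do no harm.  A block
    whose body is not strict base64 is skipped rather than passed on.
    """
    blocks = []
    for m in PEM_RE.finditer(text):
        body = "".join(m.group("body").split())   # drop line wrapping
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            continue
        blocks.append((m.group("label"), der))
    return blocks


def pem_blocks_of_type(text, label="CERTIFICATE"):
    """DER payloads of the blocks carrying the given label."""
    return [der for lbl, der in find_pem_blocks(text) if lbl == label]


def unexpected_labels(text, allowed=("CERTIFICATE",)):
    """Labels present in `text` that a CA-certificate file should not carry,
    e.g. a private key pasted in alongside the certificate."""
    return sorted({lbl for lbl, _ in find_pem_blocks(text) if lbl not in allowed})


# Constructed sample: a text dump, a valid block, a corrupt block, and a key.
SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: O=DBMSRL.COM, CN=Certificate Authority
-----BEGIN CERTIFICATE-----
MIIBCgKCAQEA
-----END CERTIFICATE-----
Some note from the CA operator.
-----BEGIN CERTIFICATE-----
not*base64!
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, der in find_pem_blocks(SAMPLE):
        print("%-16s %d DER bytes" % (label, len(der)))
    print("unexpected labels:", unexpected_labels(SAMPLE))
```

The validate=True decode is deliberate: the default lenient decoder silently discards characters outside the base64 alphabet, which would turn a corrupted or tampered block into a different byte string instead of a rejection.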


Re: [Freeipa-users] ipa cli AttributeError: KerbTransport instance has no attribute '_conn'

2013-11-08 Thread Dmitri Pal
On 11/08/2013 08:17 AM, Jonathan Underwood wrote:
> On 8 November 2013 12:50, Jonathan Underwood
>  wrote:
>> On 7 November 2013 22:45, Rob Crittenden  wrote:
>>> This is it trying to close a connection that was never made.
>>>
>>> Can you run ipa -vv ping?
>> # ipa -vv ping
>> ipa: INFO: trying https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml
>> ipa: INFO: Forwarding 'ping' to server
>> u'https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml'
>> send: u'POST /ipa/xml HTTP/1.0\r\nHost:
>> nirvana.asteroids.phys.ucl.ac.uk\r\nAccept-Language: en-gb\r\nReferer:
>> https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml\r\nAuthorization:
>> negotiate 
>> [...]\r\nUser-Agent:
>> xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type:
>> text/xml\r\nContent-Length: 228\r\n\r\n'
>> ipa: ERROR: non-public: AttributeError: KerbTransport instance has no
>> attribute '_conn'
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 129,
>> in execute
>> result = self.Command[_name](*args, **options)
>>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
>> 435, in __call__
>> ret = self.run(*args, **options)
>>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 748, in 
>> run
>> return self.forward(*args, **options)
>>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
>> 769, in forward
>> return self.Backend.xmlclient.forward(self.name, *args, **kw)
>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 728, in forward
>> response = command(*xml_wrap(params))
>>   File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__
>> return self.__send(self.__name, args)
>>   File "/usr/lib64/python2.6/xmlrpclib.py", line 1489, in __request
>> verbose=self.__verbose
>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 475, in request
>> self.close()
>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 442, in close
>> self._conn.close()
>> AttributeError: KerbTransport instance has no attribute '_conn'
>> ipa: ERROR: an internal error has occurred
> And with debug=True in default.conf:
>
> # ipa -vv ping

Re: [Freeipa-users] ipa cli AttributeError: KerbTransport instance has no attribute '_conn'

2013-11-08 Thread Jonathan Underwood
On 7 November 2013 22:45, Rob Crittenden  wrote:
> This is it trying to close a connection that was never made.
>
> Can you run ipa -vv ping?

# ipa -vv ping
ipa: INFO: trying https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml
ipa: INFO: Forwarding 'ping' to server
u'https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml'
send: u'POST /ipa/xml HTTP/1.0\r\nHost:
nirvana.asteroids.phys.ucl.ac.uk\r\nAccept-Language: en-gb\r\nReferer:
https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml\r\nAuthorization:
negotiate 
[...]\r\nUser-Agent:
xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type:
text/xml\r\nContent-Length: 228\r\n\r\n'
ipa: ERROR: non-public: AttributeError: KerbTransport instance has no
attribute '_conn'
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 129,
in execute
result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
435, in __call__
ret = self.run(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 748, in run
return self.forward(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
769, in forward
return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 728, in forward
response = command(*xml_wrap(params))
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__
return self.__send(self.__name, args)
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1489, in __request
verbose=self.__verbose
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 475, in request
self.close()
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 442, in close
self._conn.close()
AttributeError: KerbTransport instance has no attribute '_conn'
ipa: ERROR: an internal error has occurred



Re: [Freeipa-users] ipa cli AttributeError: KerbTransport instance has no attribute '_conn'

2013-11-08 Thread Jonathan Underwood
On 8 November 2013 12:50, Jonathan Underwood
 wrote:
> On 7 November 2013 22:45, Rob Crittenden  wrote:
>> This is it trying to close a connection that was never made.
>>
>> Can you run ipa -vv ping?
>
> # ipa -vv ping
> ipa: INFO: trying https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml
> ipa: INFO: Forwarding 'ping' to server
> u'https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml'
> send: u'POST /ipa/xml HTTP/1.0\r\nHost:
> nirvana.asteroids.phys.ucl.ac.uk\r\nAccept-Language: en-gb\r\nReferer:
> https://nirvana.asteroids.phys.ucl.ac.uk/ipa/xml\r\nAuthorization:
> negotiate 
> [...]\r\nUser-Agent:
> xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type:
> text/xml\r\nContent-Length: 228\r\n\r\n'
> ipa: ERROR: non-public: AttributeError: KerbTransport instance has no
> attribute '_conn'
> Traceback (most recent call last):
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 129,
> in execute
> result = self.Command[_name](*args, **options)
>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
> 435, in __call__
> ret = self.run(*args, **options)
>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 748, in run
> return self.forward(*args, **options)
>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
> 769, in forward
> return self.Backend.xmlclient.forward(self.name, *args, **kw)
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 728, in forward
> response = command(*xml_wrap(params))
>   File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__
> return self.__send(self.__name, args)
>   File "/usr/lib64/python2.6/xmlrpclib.py", line 1489, in __request
> verbose=self.__verbose
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 475, in request
> self.close()
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 442, in close
> self._conn.close()
> AttributeError: KerbTransport instance has no attribute '_conn'
> ipa: ERROR: an internal error has occurred

And with debug=True in default.conf:

# ipa -vv ping

[Freeipa-users] FreeIPA 3.3.* bug with external-ca?

2013-11-08 Thread Andrea Bontempi
Hi, I'm trying to install FreeIPA with an external CA (again).

Now I use FreeIPA 3.3.* and I found a strange error at "[17/22]: requesting RA
certificate from CA":

>2013-11-08T11:07:38Z DEBUG   File 
>"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 
>622, in run_script
>return_value = main_function()
>
>  File "/usr/sbin/ipa-server-install", line 1096, in main
>subject_base=options.subject)
>
>  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
> line 478, in configure_instance
>self.start_creation(runtime=210)
>
>  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
> 364, in start_creation
>method()
>
>  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
> line 1089, in __request_ra_certificate
>self.requestId = item_node[0].childNodes[0].data
>
>2013-11-08T11:07:38Z DEBUG The ipa-server-install command failed, exception: 
>IndexError: list index out of range

So, I opened /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py at
line 1089:

>         # Send the request to the CA
>         conn = httplib.HTTPConnection(
>             self.fqdn, self.dogtag_constants.UNSECURE_PORT)
>         params = urllib.urlencode({'profileId': 'caServerCert',
>                                    'cert_request_type': 'pkcs10',
>                                    'requestor_name': 'IPA Installer',
>                                    'cert_request': csr,
>                                    'xmlOutput': 'true'})
>         headers = {"Content-type": "application/x-www-form-urlencoded",
>                    "Accept": "text/plain"}
>
>         conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
>         res = conn.getresponse()
>         if res.status == 200:
>             data = res.read()
>             conn.close()
>             doc = xml.dom.minidom.parseString(data)
>             item_node = doc.getElementsByTagName("RequestId")
>             self.requestId = item_node[0].childNodes[0].data   <-- exception: IndexError: list index out of range
>             doc.unlink()
>             self.requestId = self.requestId.strip()
>             if self.requestId is None:
>                 raise RuntimeError("Unable to determine RA certificate requestId")

I read the value of "data":

> 
> 
> 1
> Profile caServerCert Not Found
> 

Can someone help me?

Thank you
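An added example, not the installer's own code, showing how the profileSubmit response could be handled so that a Dogtag error like the one above surfaces as a readable message instead of an IndexError. Only the RequestId tag comes from the installer code quoted above; the Status and Error tag names and the sample responses are assumptions, since the archive dropped the tags from the response Andrea pasted.

```python
import xml.dom.minidom

# Added example (not the FreeIPA installer's code): read a Dogtag profileSubmit
# response without assuming the RequestId element is present. The Status and
# Error tag names are assumed; the installer itself only reads RequestId.

def _text_of(node):
    """Concatenate the text children of a DOM element (empty string if none)."""
    return "".join(c.data for c in node.childNodes
                   if c.nodeType == c.TEXT_NODE).strip()

def parse_profile_submit(data):
    """Return the request id from a profileSubmit XML response.

    Raises RuntimeError carrying the CA's own status and error text when the
    response has no usable RequestId, instead of the bare IndexError that
    item_node[0] produces on an error response.
    """
    doc = xml.dom.minidom.parseString(data)
    try:
        ids = doc.getElementsByTagName("RequestId")
        if ids and _text_of(ids[0]):
            return _text_of(ids[0])
        # No id: surface whatever the CA said (Status / Error are assumed tags).
        status = [_text_of(n) for n in doc.getElementsByTagName("Status")]
        errors = [_text_of(n) for n in doc.getElementsByTagName("Error")]
        raise RuntimeError("CA did not return a RequestId (status=%s): %s" % (
            status[0] if status else "?", "; ".join(errors) or "no error text"))
    finally:
        doc.unlink()

# Constructed sample responses (tag names assumed, see above); the error text
# is the one quoted in the thread.
OK_RESPONSE = b"<XMLResponse><Status>0</Status><RequestId> 42 </RequestId></XMLResponse>"
ERR_RESPONSE = (b"<XMLResponse><Status>1</Status>"
                b"<Error>Profile caServerCert Not Found</Error></XMLResponse>")
```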



Re: [Freeipa-users] ipa cli AttributeError: KerbTransport instance has no attribute '_conn'

2013-11-08 Thread Jonathan Underwood
On 7 November 2013 22:43, Dmitri Pal  wrote:
> What about Kerberos package?

# rpm -qa | grep krb
krb5-server-1.10.3-10.el6_4.3.x86_64
krb5-libs-1.10.3-10.el6_4.3.x86_64
krb5-workstation-1.10.3-10.el6_4.3.x86_64
pam_krb5-2.3.11-9.el6.x86_64
python-krbV-1.0.90-3.el6.x86_64



Re: [Freeipa-users] External CA

2013-11-08 Thread Petr Viktorin

On 11/08/2013 09:01 AM, Martin Kosek wrote:

Thanks for heads up. You mean by the difference between "O=MW" and
"O=MELTWATER.COM"?

Petr, is this possible? Can it be validated in the installer if this is the
root cause?


It is possible. It's hard to tell without the logs; looks like the 
failure was inside Dogtag. There may be more issues; for instance I 
don't think we considered PEM files with extra data before the BEGIN 
CERTIFICATE.
I filed a ticket to investigate: 
https://fedorahosted.org/freeipa/ticket/4019



On 11/08/2013 01:55 AM, William Leese wrote:

I was able to solve this by recreating my test CA. I believe the problem
was with non-matching Organisation between the CSR and CA - but I don't have
the knowledge to know if this is really required.

Anyhow, things work, despite not having removed the "-----BEGIN
CERTIFICATE-----" lines this time around.

Thanks for the help and sorry for wasting your time!




--
Petr³


Re: [Freeipa-users] reboot required after ipa-client-install?

2013-11-08 Thread Jakub Hrozek
On Thu, Nov 07, 2013 at 10:17:44PM -0500, Dmitri Pal wrote:
> On 11/07/2013 06:20 PM, Dean Hunter wrote:
> > On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:
> >> On 11/07/2013 12:59 PM, Dean Hunter wrote:
> >>> On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
>  On 11/07/2013 12:21 PM, Dean Hunter wrote:
> > On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote:
> >> On Wed, 06 Nov 2013, Dean Hunter wrote:
> >>
> >> >After building a new VM and configuring the IPA 3.3.2 client, Gnome
> >> >seems to only perform a local log-in until the system is rebooted. SSH
> >> >works with IPA, but not Gnome. Is this correct? Is there anything less
> >> >disruptive than a reboot that I can do?
> >
> >> Restart gdm.service?
> >> I'm not sure how gdm handles PAM auth.
> >
> > I have tried:
> >
> > ipa-client-install ...
> > systemctl restart gdm.service
> >
> > but the behavior remains the same. The Gnome log in screen accepts
> > the user name, pauses about 25 seconds, then displays the log in
> > screen again without any messages or indication of a problem. This
> > is the same behavior I see when entering an incorrect local user
> > name before configuring IPA.
> >
> >
> >
>  Can it be a DIR cache issue and the fact that the directory
>  is not created at the proper time?
> >>>
> >>> Which directory, please?
> >>
> >> If you are hitting the DIR cache issue (which I am not sure is the
> >> case this is why I asked about AVCs) then the directory we are
> >> talking about is /var/run/usr/
> >> This directory should be created by kerberos library when it tries to
> >> authenticate a user. But it might not be able to since a parent
> >> directory /var/run/usr might not be created yet. This is one of the
> >> reasons why we decided not to continue the path of DIR cache but
> >> switched to using Kernel based ccache.
> >>
> >>
> >>>
>  Do you see any AVCs?
> >>
> >> Question still stands.
> >
> > I see no AVCs:
> >
> > [root@ipa  ~]# ausearch --message AVC
> > 
> > [root@ipa  ~]#
> >
> > I did find this in the man page for nsswitch.conf:
> >
> > FILES
> >A service named SERVICE is implemented by a shared object
> > library named
> >libnss_SERVICE.so.X that resides in /lib.
> >
> >/etc/nsswitch.conf   NSS configuration file.
> >/lib/libnss_compat.so.X  implements "compat" source.
> >/lib/libnss_db.so.X  implements "db" source.
> >/lib/libnss_dns.so.X implements "dns" source.
> >/lib/libnss_files.so.X   implements "files" source.
> >/lib/libnss_hesiod.so.X  implements "hesiod" source.
> >/lib/libnss_nis.so.X implements "nis" source.
> >/lib/libnss_nisplus.so.X implements "nisplus" source.
> >
> > NOTES
> >Within each process that uses nsswitch.conf, the entire 
> > file  is  read
> >only  once.   If  the  file is later changed, the process
> > will continue
> >using the old configuration.
> >
> >
> > Is this why the default configuration of nsswitch.conf is changing in
> > Fedora 20, as noted in one of the preceding e-mails?
> >
> 
> 
> Yes I think SSS is now included by default.

Yes, starting with F-20.

> But if man page does not
> list it it is probably a bug in the man page.

I think the man page only lists modules that are shipped with the glibc
RPM, not any 3rd party modules like nss_ldap or nss_sss.



Re: [Freeipa-users] External CA

2013-11-08 Thread William Leese
> You mean by the difference between "O=MW" and "O=MELTWATER.COM"?

Yes, but again I don't know for sure. I wasn't very diligent setting up my
test CA.

Re: [Freeipa-users] External CA

2013-11-08 Thread Martin Kosek
Thanks for heads up. You mean by the difference between "O=MW" and
"O=MELTWATER.COM"?

Petr, is this possible? Can it be validated in the installer if this is the
root cause?

Martin

On 11/08/2013 01:55 AM, William Leese wrote:
> I was able to solve this by recreating my test CA. I believe the problem
> was with non-matching Organisation between the CSR and CA - but I don't have
> the knowledge to know if this is really required.
> 
> Anyhow, things work, despite not having removed the "-----BEGIN
> CERTIFICATE-----" lines this time around.
> 
> Thanks for the help and sorry for wasting your time!
> 
> 
> --
> William Leese
> Production Engineer,
> Operations, Asia Pacific
> Meltwater Group
> m: +81 80 4946 0329
> skype: william.leese1
> w: meltwater.com
> 
> 
> 
> 
> On Thu, Nov 7, 2013 at 8:36 PM, Petr Viktorin  wrote:
> 
>> On 11/07/2013 08:34 AM, William Leese wrote:
>>
>>>
>>> [root@vagrant-centos-6 CA]# cat /root/server.pem
>>> Certificate:
>>>   Data:
>>>   Version: 3 (0x2)
>>>   Serial Number: 2 (0x2)
>>>   Signature Algorithm: sha1WithRSAEncryption
>>>   Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops,
>>> CN=vagrant.localdomain/emailAddress=t...@t.com
>>>
>>>   Validity
>>>   Not Before: Nov  6 05:12:09 2013 GMT
>>>   Not After : Nov  6 05:12:09 2014 GMT
>>>   Subject: O=MELTWATER.COM, CN=Certificate Authority
>>> [snip]
>>> -----BEGIN CERTIFICATE-----
>>>
>>> [snip]
>>>
>>>
>>> Try removing everything before the -----BEGIN CERTIFICATE----- line
>>> from the PEM.
>>>
>>> Well that was unexpected: removing the BEGIN Certificate / End lines now
>>> makes the install proceed up until:
>>>
>>> The log file for this installation can be found in
>>> /var/log/ipaserver-install.log
>>> The PKCS#10 certificate is not signed by the external CA (unknown issuer
>>> E=x...@x.com ,CN=vagrant-centos-6,OU=JP,O=JP,L=JP,ST=
>>> JP,C=JP).
>>>
>>
>> Can you please post more (all) of /var/log/ipaserver-install.log? We need
>> to know where exactly the issue is occurring and what the traceback is.
>>
>>
>>> Do I need to do anything to make my freshly created internal CA trusted
>>> for the installation? I've tried the usual magic in /etc/pki/tls/certs,
>>> but to no avail.
>>>
>>
>> No, --external_ca_file should have been enough.
>>
>> --
>> Petr³
>>
> 
> 
> 
> 
