Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-28 Thread Jakub Hrozek
On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
 - Original Message -
  From: Jan Cholasta jchol...@redhat.com
  To: Martin Kosek mko...@redhat.com, d...@redhat.com, Stephen Benjamin 
  stben...@redhat.com
  Cc: freeipa-users@redhat.com
  Sent: Friday, April 25, 2014 9:44:37 AM
  Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
 
  AFAIK you can use ldap sudo provider with IPA, see e.g.
  http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD
 
 I got this working, and seems to work across recent Fedora releases too.
 This at least removes the requirement on using the old bind password
 method.  Thanks!

In recent Fedora releases, where the IPA sudo provider is available, the
legacy LDAP provider should not be used. There might be problems with
enumeration, for instance, when combining two different providers.

 
 Is there a way for sssd to use _srv_ for the krb5_server line?

Yes, it should just work.

 
 Here's an updated Kickstart snippet:
   
 https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
 
 If we know what the Syntax will be for sudo (or will it be default
 in 4.0?), then I can include the logic already not to do it manually.

Sorry, I'm not sure I understand the question? With recent enough
clients (6.6+, 7.0+, any supported Fedora) you should use
sudo_provider=ipa; with older ones you should use sudo_provider=ldap.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-28 Thread Stephen Benjamin


- Original Message -
 From: Jakub Hrozek jhro...@redhat.com
 To: freeipa-users@redhat.com
 Sent: Monday, April 28, 2014 10:55:16 AM
 Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
 
 On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
  - Original Message -
   From: Jan Cholasta jchol...@redhat.com
   To: Martin Kosek mko...@redhat.com, d...@redhat.com, Stephen
   Benjamin stben...@redhat.com
   Cc: freeipa-users@redhat.com
   Sent: Friday, April 25, 2014 9:44:37 AM
   Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
  
   AFAIK you can use ldap sudo provider with IPA, see e.g.
   http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD
  
  I got this working, and seems to work across recent Fedora releases too.
  This at least removes the requirement on using the old bind password
  method.  Thanks!
 
 In recent Fedora releases, where the IPA sudo provider is available, the
 legacy LDAP provider should not be used. There might be problems with
 enumeration for instance when combining two different providers.

Can I have a link then to how this is set up? Do you also
need the LDAP URLs, nisdomain, etc?

Or is it just one setting and done?


  
  Is there a way for sssd to use _srv_ for the krb5_server line?
 
 Yes, it should just work.
 
  
  Here's an updated Kickstart snippet:

  https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
  
  If we know what the Syntax will be for sudo (or will it be default
  in 4.0?), then I can include the logic already not to do it manually.
 
 Sorry, I'm not sure I understand the question? With recent enough
 clients (6.6+, 7.0+, any supported Fedora) you should use
 sudo_provider=ipa, with older ones you should use sudo_provider=ldap

It's been mentioned elsewhere in the thread that ipa-client-install
in some future version will do this; if that's the case, I shouldn't be
doing it in a kickstart snippet.

Will it be like automount: ipa-client-automount, or will it be an install
flag?  Does it exist yet?





Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-28 Thread Tomas Babej

On 04/28/2014 11:23 AM, Stephen Benjamin wrote:

 - Original Message -
 From: Jakub Hrozek jhro...@redhat.com
 To: freeipa-users@redhat.com
 Sent: Monday, April 28, 2014 10:55:16 AM
 Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5

 On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
 - Original Message -
 From: Jan Cholasta jchol...@redhat.com
 To: Martin Kosek mko...@redhat.com, d...@redhat.com, Stephen
 Benjamin stben...@redhat.com
 Cc: freeipa-users@redhat.com
 Sent: Friday, April 25, 2014 9:44:37 AM
 Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
 AFAIK you can use ldap sudo provider with IPA, see e.g.
 http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD
 I got this working, and seems to work across recent Fedora releases too.
 This at least removes the requirement on using the old bind password
 method.  Thanks!
 In recent Fedora releases, where the IPA sudo provider is available, the
 legacy LDAP provider should not be used. There might be problems with
 enumeration for instance when combining two different providers.
 Can I have a link then to how this is setup? Do you also
 need the LDAP URL's, nisdomain, etc?

 Or is it just one setting and done?


 Is there a way for sssd to use _srv_ for the krb5_server line?
 Yes, it should just work.

 Here's an updated Kickstart snippet:
   
 https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb

 If we know what the Syntax will be for sudo (or will it be default
 in 4.0?), then I can include the logic already not to do it manually.
 Sorry, I'm not sure I understand the question? With recent enough
 clients (6.6+, 7.0+, any supported Fedora) you should use
 sudo_provider=ipa, with older ones you should use sudo_provider=ldap
 It's been mentioned elsewhere in the thread that the ipa-client-install
 in some feature version will do this, if that's the case I shouldn't be
  doing in a kickstart snippet.

 Will it be like automount: ipa-client-automount, or will it be an install
 flag?  Does it exist yet?

It will be the default behaviour, that is, a flag will be available to
turn it *off* (--no-sudo).

Yes, patches are in review and close to being pushed (waiting for the CI
coverage); it will be part of the next upstream release.




-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 


[Freeipa-users] Best practices for core servers

2014-04-28 Thread Bret Wortman
We are planning to reconfigure our core Freeipa servers, basically 
building a replacement infrastructure and migrating to it. What we're 
planning right now is a core of three Freeipa servers each of which has 
a CA, with as much distribution of replication as we can manage. I 
imagine that means one of them replicates to the other two but am open 
to other ideas.


For remote locations, we're planning to stand up caching-only DNS 
servers, as authenticating back to the main IPA servers works extremely 
well; it's just DNS that needs a little help.


Any thoughts before I start setting these servers (VMs, most likely) up?


--
*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret




Re: [Freeipa-users] Best practices for core servers

2014-04-28 Thread Petr Spacek

On 28.4.2014 13:03, Bret Wortman wrote:

We are planning to reconfigure our core Freeipa servers, basically building a
replacement infrastructure and migrating to it. What we're planning right now is
a core of three Freeipa servers each of which has a CA, with as much
distribution of replication as we can manage. I imagine that means one of them
replicates to the other two but am open to other ideas.

For remote locations, we're planning to stand up caching-only DNS servers, as
authenticating back to the main IPA servers works extremely well; it's just DNS
that needs a little help.

Could you be more specific? I'm very interested in any feedback about IPA DNS!

Thank you!

--
Petr^2 Spacek



[Freeipa-users] Error creating new freeipa-server

2014-04-28 Thread Bret Wortman
I'm trying to stand up a new ipa server on a clean box, and I keep 
getting this error so _something_ is amiss but I'm not sure what:


:
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 
30 seconds

[1/22]: creating certificate server user
[2/22]: configuring certificate server instance
ipa: CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1

Configuration of CA failed
#

In the /var/log/ipaserver-install.log, I see this:

:
:
Installing CA into /var/lib/pki/pki-tomcat.

Installation failed.


2014-04-28T11:43:46Z DEBUG stderr=pkispawn : ERROR  PKI 
subsystem 'CA' for instance 'pki-tomcat' already exists!


2014-04-28T11:432:46Z CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
2014-04-28T11:43:46Z DEBUG   File 
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, 
line 622, in run_script

return_value = main_function()

  File /usr/sbin/ipa-server-install, line 1074, in main
dm_password, subject_base=options.subject)

  File 
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 
478, in configure_instance

self.start_creation(runtime=210)

  File /usr/lib/python2.7/site-packages/ipaserver/isntall/service.py, 
line 364, in start_creation

method()

  File 
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 
604, in __spawn_instance

raise RUntimeError('Configuration of CA failed')
:
:

So it looks like somehow this has gotten configured already. Possibly 
Puppet copied over something it shouldn't have. What do I need to remove 
to make this step work without removing so much that I render something 
inoperable?



--
*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret




Re: [Freeipa-users] Error creating new freeipa-server

2014-04-28 Thread Dmitri Pal

On 04/28/2014 07:52 AM, Bret Wortman wrote:
I'm trying to stand up a new ipa server on a clean box, and I keep 
getting this error so _something_ is amiss but I'm not sure what:


:
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 
30 seconds

[1/22]: creating certificate server user
[2/22]: configuring certificate server instance
ipa: CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit 
status 1

Configuration of CA failed
#

In the /var/log/ipaserver-install.log, I see this:

:
:
Installing CA into /var/lib/pki/pki-tomcat.

Installation failed.


2014-04-28T11:43:46Z DEBUG stderr=pkispawn : ERROR  PKI 
subsystem 'CA' for instance 'pki-tomcat' already exists!


2014-04-28T11:432:46Z CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit 
status 1
2014-04-28T11:43:46Z DEBUG   File 
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, 
line 622, in run_script

return_value = main_function()

  File /usr/sbin/ipa-server-install, line 1074, in main
dm_password, subject_base=options.subject)

  File 
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, 
line 478, in configure_instance

self.start_creation(runtime=210)

  File 
/usr/lib/python2.7/site-packages/ipaserver/isntall/service.py, line 
364, in start_creation

method()

  File 
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, 
line 604, in __spawn_instance

raise RUntimeError('Configuration of CA failed')
:
:

So it looks like somehow this has gotten configured already. Possibly 
Puppet copied over something it shouldn't have. What do I need to 
remove to make this step work without removing so much that I render 
something inoperable?



Run uninstall several times. Each time, uninstall might clean up the next 
portion and untangle things, so trying it several times pays off.
Then check whether there is a DS instance for PKI. If there is, remove it 
and try again.



--
*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Error creating new freeipa-server

2014-04-28 Thread Bret Wortman
Not to be thick, but what's the best way to check the DS instance for a 
pki entry?


On 04/28/2014 07:57 AM, Dmitri Pal wrote:

On 04/28/2014 07:52 AM, Bret Wortman wrote:
I'm trying to stand up a new ipa server on a clean box, and I keep 
getting this error so _something_ is amiss but I'm not sure what:


:
Configuring certificate server (pki-tomcatd): Estimated time 3 
minutes 30 seconds

[1/22]: creating certificate server user
[2/22]: configuring certificate server instance
ipa: CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit 
status 1

Configuration of CA failed
#

In the /var/log/ipaserver-install.log, I see this:

:
:
Installing CA into /var/lib/pki/pki-tomcat.

Installation failed.


2014-04-28T11:43:46Z DEBUG stderr=pkispawn : ERROR 
PKI subsystem 'CA' for instance 'pki-tomcat' already exists!


2014-04-28T11:432:46Z CRITICAL failed to configure ca instance 
Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned 
non-zero exit status 1
2014-04-28T11:43:46Z DEBUG   File 
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, 
line 622, in run_script

return_value = main_function()

  File /usr/sbin/ipa-server-install, line 1074, in main
dm_password, subject_base=options.subject)

  File 
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, 
line 478, in configure_instance

self.start_creation(runtime=210)

  File 
/usr/lib/python2.7/site-packages/ipaserver/isntall/service.py, line 
364, in start_creation

method()

  File 
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, 
line 604, in __spawn_instance

raise RUntimeError('Configuration of CA failed')
:
:

So it looks like somehow this has gotten configured already. Possibly 
Puppet copied over something it shouldn't have. What do I need to 
remove to make this step work without removing so much that I render 
something inoperable?



Run uninstall several times. Each time uninstall might clean next 
portion and untangle things so trying to do it several times pays off.
Then check if there is a DS instance for PKI. If there is remove it 
and try again.



--
*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.







[Freeipa-users] Google Apps Directory Sync and Free-IPA

2014-04-28 Thread Chris Whittle
I've seen a lot of people have issues with making GADS work with FreeIPA.
 Does anyone have it working and care to share how?

Re: [Freeipa-users] Google Apps Directory Sync and Free-IPA

2014-04-28 Thread Dmitri Pal

On 04/28/2014 08:11 AM, Chris Whittle wrote:
I've seen a lot of people have issues with making GADS work with 
FreeIPA.  Does anyone have it working and care to share how?





There was a thread last week. It had some hints. Also it ended up with 
Simo needing to put documentation about Ipsilon IdP so that we can show 
how to federate FreeIPA and Google but this is not done yet.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Error creating new freeipa-server

2014-04-28 Thread Dmitri Pal

On 04/28/2014 08:06 AM, Bret Wortman wrote:
Not to be thick, but what's the best way to check the DS instance for 
a pki entry?


I do not remember the exact path and I do not have an instance handy. 
Something like /var/lib/dirsrv/PKI, do not want to mislead you.





On 04/28/2014 07:57 AM, Dmitri Pal wrote:

On 04/28/2014 07:52 AM, Bret Wortman wrote:
I'm trying to stand up a new ipa server on a clean box, and I keep 
getting this error so _something_ is amiss but I'm not sure what:


:
Configuring certificate server (pki-tomcatd): Estimated time 3 
minutes 30 seconds

[1/22]: creating certificate server user
[2/22]: configuring certificate server instance
ipa: CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit 
status 1

Configuration of CA failed
#

In the /var/log/ipaserver-install.log, I see this:

:
:
Installing CA into /var/lib/pki/pki-tomcat.

Installation failed.


2014-04-28T11:43:46Z DEBUG stderr=pkispawn : ERROR 
PKI subsystem 'CA' for instance 'pki-tomcat' already exists!


2014-04-28T11:432:46Z CRITICAL failed to configure ca instance 
Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned 
non-zero exit status 1
2014-04-28T11:43:46Z DEBUG   File 
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 
622, in run_script

return_value = main_function()

  File /usr/sbin/ipa-server-install, line 1074, in main
dm_password, subject_base=options.subject)

  File 
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, 
line 478, in configure_instance

self.start_creation(runtime=210)

  File 
/usr/lib/python2.7/site-packages/ipaserver/isntall/service.py, 
line 364, in start_creation

method()

  File 
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, 
line 604, in __spawn_instance

raise RUntimeError('Configuration of CA failed')
:
:

So it looks like somehow this has gotten configured already. 
Possibly Puppet copied over something it shouldn't have. What do I 
need to remove to make this step work without removing so much that 
I render something inoperable?



Run uninstall several times. Each time uninstall might clean next 
portion and untangle things so trying to do it several times pays off.
Then check if there is a DS instance for PKI. If there is remove it 
and try again.



--
*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.









--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Google Apps Directory Sync and Free-IPA

2014-04-28 Thread Chris Whittle
Ha! That was my thread about SAML vs GADS, but there ended up not being any
info on how to actually use GADS with Free IPA.  It dropped after Simo
said he was going to work on getting docs for ipsilon (which, from the
conversation and what I can gather, is basically SAML), and I asked for someone
who had experience with GADS, so I started a new one for simplification.


On Mon, Apr 28, 2014 at 7:17 AM, Dmitri Pal d...@redhat.com wrote:

  On 04/28/2014 08:11 AM, Chris Whittle wrote:

 I've seen a lot of people have issues with making GADS work with FreeIPA.
  Does anyone have it working and care to share how?




 There was a thread last week. It had some hints. Also it ended up with
 Simo needing to put documentation about Ipsilon IdP so that we can show how
 to federate FreeIPA and Google but this is not done yet.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.




Re: [Freeipa-users] Google Apps Directory Sync and Free-IPA

2014-04-28 Thread Dmitri Pal

On 04/28/2014 08:22 AM, Chris Whittle wrote:
Ha! that was my thread about SAML vs GADS but there ended up not being 
any info on how to actually use GADS with Free IPA.  It dropped after 
Simo saying he was going to work on getting docs for ipsilon (which 
from the conversation and I can gather is basically SAML) and I asked 
for someone who had experience with GADS so I started a new one for 
simplification.


I do not think we have a better answer for you other than what Martin 
mentioned and the SAML IdP Simo is working on.





On Mon, Apr 28, 2014 at 7:17 AM, Dmitri Pal d...@redhat.com wrote:


On 04/28/2014 08:11 AM, Chris Whittle wrote:

I've seen a lot of people have issues with making GADS work with
FreeIPA.  Does anyone have it working and care to share how?




There was a thread last week. It had some hints. Also it ended up
with Simo needing to put documentation about Ipsilon IdP so that
we can show how to federate FreeIPA and Google but this is not
done yet.

-- 
Thank you,

Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Error creating new freeipa-server

2014-04-28 Thread Petr Viktorin

On 04/28/2014 01:52 PM, Bret Wortman wrote:

I'm trying to stand up a new ipa server on a clean box, and I keep
getting this error so _something_ is amiss but I'm not sure what:

:
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
30 seconds
 [1/22]: creating certificate server user
 [2/22]: configuring certificate server instance
ipa: CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
Configuration of CA failed
#

In the /var/log/ipaserver-install.log, I see this:

:
:
Installing CA into /var/lib/pki/pki-tomcat.

Installation failed.


2014-04-28T11:43:46Z DEBUG stderr=pkispawn : ERROR  PKI
subsystem 'CA' for instance 'pki-tomcat' already exists!

2014-04-28T11:432:46Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
2014-04-28T11:43:46Z DEBUG   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
line 622, in run_script
 return_value = main_function()

   File /usr/sbin/ipa-server-install, line 1074, in main
 dm_password, subject_base=options.subject)

   File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
478, in configure_instance
 self.start_creation(runtime=210)

   File /usr/lib/python2.7/site-packages/ipaserver/isntall/service.py,
line 364, in start_creation
 method()

   File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
604, in __spawn_instance
 raise RUntimeError('Configuration of CA failed')
:
:

So it looks like somehow this has gotten configured already. Possibly
Puppet copied over something it shouldn't have. What do I need to remove
to make this step work without removing so much that I render something
inoperable?



According to the error you're getting, there is a CA instance already 
installed.

After uninstalling IPA, destroy it with:
pkidestroy -s CA -i pki-tomcat



--
Petr³

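A pre-flight check that turns the two pieces of advice in this thread (Petr's: after uninstalling IPA, destroy the stale pki-tomcat CA instance with pkidestroy; Dmitri's: look for a leftover directory server instance used by the PKI) into something an operator can run before retrying ipa-server-install. This is an added example, not code from the thread or from FreeIPA. /var/lib/pki/pki-tomcat is the instance directory quoted in the install log; /etc/sysconfig/pki-tomcat and /etc/pki/pki-tomcat are assumed Dogtag 10 config locations, and the slapd-PKI-IPA directories are the assumed location of the separate 389-ds instance that older (Dogtag 9) IPA CAs used. The optional root-prefix argument lets the check be exercised against a scratch directory tree.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): find CA leftovers that make
# pkispawn fail with "PKI subsystem 'CA' for instance 'pki-tomcat' already
# exists!" when ipa-server-install is retried on a supposedly clean box.
#
# leftover_pki_state [ROOT]
#   ROOT is an optional prefix so the check can be run against a scratch
#   directory tree; in production run it as root with no argument.
#   Prints each leftover found; returns 0 when the box is clean, 1 otherwise.
leftover_pki_state() {
    root="${1:-}"
    found=0

    # Dogtag 10 instance: /var/lib/pki/pki-tomcat is the directory named in the
    # install log; the two /etc locations are assumed Dogtag 10 config paths.
    for p in /var/lib/pki/pki-tomcat /etc/sysconfig/pki-tomcat /etc/pki/pki-tomcat; do
        if [ -e "$root$p" ]; then
            echo "stale CA instance data: $p (after ipa-server-install --uninstall, run: pkidestroy -s CA -i pki-tomcat)"
            found=1
        fi
    done

    # Older (Dogtag 9) IPA CAs kept their data in a separate 389-ds instance,
    # slapd-PKI-IPA; these two directories are assumed locations for it.
    for p in /etc/dirsrv/slapd-PKI-IPA /var/lib/dirsrv/slapd-PKI-IPA; do
        if [ -e "$root$p" ]; then
            echo "stale PKI directory server instance: $p (remove it before retrying the install)"
            found=1
        fi
    done

    return $found
}

# Run the check directly when the script is executed as: ./pki-preflight.sh --check [ROOT]
if [ "${1:-}" = "--check" ]; then
    leftover_pki_state "${2:-}"
fi
```

The check deliberately reports and exits non-zero rather than cleaning up on its own: pkidestroy removes the CA's signing keys and database, so the removal step should stay a conscious action taken only after ipa-server-install --uninstall has been run.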


Re: [Freeipa-users] Error creating new freeipa-server

2014-04-28 Thread Bret Wortman
Great. I'll try that next. 


Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman

 On Apr 28, 2014, at 8:33 AM, Petr Viktorin pvikt...@redhat.com wrote:
 
 On 04/28/2014 01:52 PM, Bret Wortman wrote:
 I'm trying to stand up a new ipa server on a clean box, and I keep
 getting this error so _something_ is amiss but I'm not sure what:
 
 :
 Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
 30 seconds
 [1/22]: creating certificate server user
 [2/22]: configuring certificate server instance
 ipa: CRITICAL failed to configure ca instance Command
 '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
 Configuration of CA failed
 #
 
 In the /var/log/ipaserver-install.log, I see this:
 
 :
 :
 Installing CA into /var/lib/pki/pki-tomcat.
 
 Installation failed.
 
 
 2014-04-28T11:43:46Z DEBUG stderr=pkispawn : ERROR  PKI
 subsystem 'CA' for instance 'pki-tomcat' already exists!
 
 2014-04-28T11:432:46Z CRITICAL failed to configure ca instance Command
 '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
 2014-04-28T11:43:46Z DEBUG   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
 line 622, in run_script
 return_value = main_function()
 
   File /usr/sbin/ipa-server-install, line 1074, in main
 dm_password, subject_base=options.subject)
 
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
 478, in configure_instance
 self.start_creation(runtime=210)
 
   File /usr/lib/python2.7/site-packages/ipaserver/isntall/service.py,
 line 364, in start_creation
 method()
 
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
 604, in __spawn_instance
 raise RUntimeError('Configuration of CA failed')
 :
 :
 
 So it looks like somehow this has gotten configured already. Possibly
 Puppet copied over something it shouldn't have. What do I need to remove
 to make this step work without removing so much that I render something
 inoperable?
 
 
 According to the error you're getting, there is a CA instance already 
 installed.
 After uninstalling IPA, destroy it with:
pkidestroy -s CA -i pki-tomcat
 
 
 
 -- 
 Petr³
 



Re: [Freeipa-users] Error creating new freeipa-server

2014-04-28 Thread Bret Wortman
I thought that might be it and didn't see anything but will look again. 


Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman

 On Apr 28, 2014, at 8:20 AM, Dmitri Pal d...@redhat.com wrote:
 
 On 04/28/2014 08:06 AM, Bret Wortman wrote:
 Not to be thick, but what's the best way to check the DS instance   for 
 a pki entry?
 
 I do not remember the exact path and I do not have an instance handy. 
 Something like /var/lib/dirsrv/PKI, do not want to mislead you.
 
 
 
 On 04/28/2014 07:57 AM, Dmitri Pal wrote:
 On 04/28/2014 07:52 AM, Bret Wortman wrote:
 I'm trying to stand up a new ipa server on a clean box, and I keep getting 
 this error so _something_ is amiss but I'm not sure what:
 
 :
 Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 
 seconds
 [1/22]: creating certificate server user
 [2/22]: configuring certificate server instance
 ipa: CRITICAL failed to configure ca instance Command 
 '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 
 1
 Configuration of CA failed
 #
 
 In the /var/log/ipaserver-install.log, I see this:
 
 :
 :
 Installing CA into /var/lib/pki/pki-tomcat.
 
 Installation failed.
 
 
 2014-04-28T11:43:46Z DEBUG stderr=pkispawn : ERROR PKI 
 subsystem 'CA' for instance 'pki-tomcat' already exists!
 
 2014-04-28T11:432:46Z CRITICAL failed to configure ca instance Command 
 '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 
 1
 2014-04-28T11:43:46Z DEBUG   File 
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 
 622, in run_script
 return_value = main_function()
 
   File /usr/sbin/ipa-server-install, line 1074, in main
 dm_password, subject_base=options.subject)
 
   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, 
 line 478, in configure_instance
 self.start_creation(runtime=210)
 
   File /usr/lib/python2.7/site-packages/ipaserver/isntall/service.py, 
 line 364, in start_creation
 method()
 
   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, 
 line 604, in __spawn_instance
 raise RUntimeError('Configuration of CA failed')
 :
 :
 
 So it looks like somehow this has gotten configured already. Possibly 
 Puppet copied over something it shouldn't have. What do I need to remove 
 to make this step work without removing so much that I render something 
 inoperable?
 Run uninstall several times. Each time uninstall might clean next portion 
 and untangle things so trying to do it several times pays off.
 Then check if there is a DS instance for PKI. If there is remove it and try 
 again.
 
 -- 
 Bret Wortman
 http://damascusgrp.com/
 http://about.me/wortmanbret
 
 
 
 
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.
 
 
 
 
 
 
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-28 Thread Jakub Hrozek
On Mon, Apr 28, 2014 at 05:23:18AM -0400, Stephen Benjamin wrote:
 
 
 - Original Message -
  From: Jakub Hrozek jhro...@redhat.com
  To: freeipa-users@redhat.com
  Sent: Monday, April 28, 2014 10:55:16 AM
  Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
  
  On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
   - Original Message -
From: Jan Cholasta jchol...@redhat.com
To: Martin Kosek mko...@redhat.com, d...@redhat.com, Stephen
Benjamin stben...@redhat.com
Cc: freeipa-users@redhat.com
Sent: Friday, April 25, 2014 9:44:37 AM
Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
   
AFAIK you can use ldap sudo provider with IPA, see e.g.
http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD
   
   I got this working, and seems to work across recent Fedora releases too.
   This at least removes the requirement on using the old bind password
   method.  Thanks!
  
  In recent Fedora releases, where the IPA sudo provider is available, the
  legacy LDAP provider should not be used. There might be problems with
  enumeration for instance when combining two different providers.
 
 Can I have a link then to how this is set up? Do you also
 need the LDAP URLs, nisdomain, etc.?

man sssd-ipa should have a nice example of setting up the sssd.conf for
sudo_provider=ldap

 
 Or is it just one setting and done?

With sudo_provider=ipa, it's just that one line. You still need to
configure the nisdomain etc.

 
 
   
   Is there a way for sssd to use _srv_ for the krb5_server line?
  
  Yes, it should just work.
  
   
   Here's an updated Kickstart snippet:
 
   https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
   
   If we know what the Syntax will be for sudo (or will it be default
   in 4.0?), then I can include the logic already not to do it manually.
  
  Sorry, I'm not sure I understand the question? With recent enough
  clients (6.6+, 7.0+, any supported Fedora) you should use
  sudo_provider=ipa, with older ones you should use sudo_provider=ldap
 
 It's been mentioned elsewhere in the thread that the ipa-client-install
 in some future version will do this; if that's the case I shouldn't be
 doing it in a kickstart snippet.
 
 Will it be like automount: ipa-client-automount, or will it be an install
 flag?  Does it exist yet?

Looks like this feature is not implemented completely yet:
https://fedorahosted.org/freeipa/ticket/3358

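An added shell example (not from the FreeIPA project, SSSD, or the Kickstart snippet linked above) that checks the client-side wiring Jakub describes: the sudo responder listed in [sssd] services, sudo_provider set in the IPA domain section, and sudoers lookups routed to sss in nsswitch.conf. The file paths are parameters; the domain, server names and configuration files in the demo are constructed.

```sh
#!/bin/sh
# Added example, not FreeIPA/SSSD/Foreman code: verify that a client is wired up
# for SSSD-served sudo rules the way the thread describes. Three things must hold:
#   1. [sssd] services lists "sudo"          (the sudo responder is running)
#   2. each domain sets sudo_provider        (ipa on 6.6+/7.0+/Fedora clients)
#   3. nsswitch.conf has "sudoers: ... sss"  (so sudo asks SSSD at all)
# Usage: check_sudo_wiring /etc/sssd/sssd.conf /etc/nsswitch.conf

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION], or nothing.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == sec); next }
        insec && ($0 ~ ("^[ \t]*" key "[ \t]*=")) {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# has_item "a, b, c" ITEM -> true if ITEM is one of the comma-separated items.
has_item() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | grep -qx "$2"
}

# nisdomain_set -> true if the NIS domain name is set on this host. The thread
# says it still has to be configured with sudo_provider=ipa; this is a live
# check, so the demo below does not depend on it.
nisdomain_set() {
    d=$(nisdomainname 2>/dev/null) && [ -n "$d" ] && [ "$d" != "(none)" ]
}

# check_sudo_wiring SSSD_CONF NSSWITCH_CONF -> prints findings, returns their count.
check_sudo_wiring() {
    problems=0
    services=$(ini_get "$1" sssd services)
    if ! has_item "$services" sudo; then
        echo "PROBLEM: [sssd] services does not list sudo (got: '$services')"
        problems=$((problems + 1))
    fi
    for dom in $(ini_get "$1" sssd domains | tr ',' ' '); do
        provider=$(ini_get "$1" "domain/$dom" sudo_provider)
        case "$provider" in
            ipa)  ;;   # the provider to use on recent clients
            ldap) echo "NOTE: domain $dom uses the legacy ldap sudo provider" ;;
            "")   echo "PROBLEM: domain $dom sets no sudo_provider (add sudo_provider = ipa)"
                  problems=$((problems + 1)) ;;
            *)    echo "PROBLEM: domain $dom has unexpected sudo_provider '$provider'"
                  problems=$((problems + 1)) ;;
        esac
    done
    if ! grep -Eq '^[[:space:]]*sudoers:(.*[[:space:]])?sss([[:space:]]|$)' "$2"; then
        echo "PROBLEM: nsswitch.conf does not send sudoers lookups to sss"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on constructed files; the real paths are /etc/sssd/sssd.conf and
# /etc/nsswitch.conf, and example.com / ipa.example.com are placeholders.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sssd.conf" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = _srv_, ipa.example.com
krb5_server = _srv_
EOF
printf 'sudoers: files\n' > "$demo_dir/nsswitch.conf"
echo "--- client as enrolled, before the sudo changes ---"
check_sudo_wiring "$demo_dir/sssd.conf" "$demo_dir/nsswitch.conf" || echo "($? problem(s))"

# The fix is one line per file: sudo in services, sudo_provider in the domain,
# sss in the sudoers line.
cat > "$demo_dir/sssd.conf" <<'EOF'
[sssd]
services = nss, pam, ssh, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = _srv_, ipa.example.com
krb5_server = _srv_
sudo_provider = ipa
EOF
printf 'sudoers: files sss\n' > "$demo_dir/nsswitch.conf"
echo "--- after ---"
check_sudo_wiring "$demo_dir/sssd.conf" "$demo_dir/nsswitch.conf" && echo "sudo wiring OK"
rm -rf "$demo_dir"
```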


Re: [Freeipa-users] Hardening freeipa on the internet

2014-04-28 Thread Petr Spacek

On 25.4.2014 11:00, Petr Spacek wrote:

On 25.4.2014 10:11, Martin Kosek wrote:

On 04/25/2014 09:50 AM, Andrew Holway wrote:

Hello,

I am having a think about running freeipa on the open seas for more
distributed organisations and would like to understand where the
weaknesses might be. I would almost certainly only make the ui
unavailable however I am unsure about the other services.

Would this be workable?

Thanks,

Andrew


That's actually a very good question. I am currently working on a public
FreeIPA demo on Red Hat OpenStack platform which I will make available in
upcoming weeks and have few pointers for you:

1) If you have DNS configured, make sure that your FreeIPA DNS does not pose as an
open DNS resolver, to avoid DNS amplification attacks.

The following extension to the named.conf options block should be a good start:

 allow-transfer {none;};

This configuration applies only to zones defined in named.conf and not to
FreeIPA zones defined in LDAP.

Make sure that allow-transfer is configured for FreeIPA zones:
$ ipa dnszone-mod --allow-transfer='none;' example.


 allow-recursion {none;};
 recursion no;
 version [Secured];
 rate-limit {
 responses-per-second 15;

You may need to modify this value to fit your needs.

Further reading about DNS amplification attacks:
http://www.us-cert.gov/ncas/alerts/TA13-088A

Further reading about Response Rate Limiting:
http://bkraft.fr/blog/bind_RRL_feature/

https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html


https://kb.isc.org/article/AA-00994/0


 };

2) Prevention for NTP amplification attack

More info here:
https://support.steadfast.net/Knowledgebase/Article/View/106/0/preventing-ntp-amplification-attacks



Further reading about NTP amplification attacks:
http://www.us-cert.gov/ncas/alerts/TA14-013A


Does anybody know about other precautions that should be made besides standard
hardening (SELinux, firewall, log audits)?


I wonder if Kerberos over UDP could have the same problem... Maybe only if you
have some principals with disabled pre-authentication. I don't know. Kerberos
is not listed on
http://www.us-cert.gov/ncas/alerts/TA14-017A ...


I realized that you probably want to disable anonymous access to LDAP. It will 
prevent random strangers from enumerating all users in your database...


--
Petr^2 Spacek

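To verify that the settings Martin lists are actually in effect, here is an added shell example (not FreeIPA project code). It audits the options block of a named.conf for each item, tests from outside whether a server still offers recursion, and reads the allow-transfer setting of an IPA-managed zone; the named.conf in the demo and the hostnames are constructed, and the "Allow transfer:" label is assumed to be what ipa dnszone-show prints.

```sh
#!/bin/sh
# Added example, not FreeIPA project code: audit a BIND named.conf for the
# anti-amplification settings from the thread and confirm the result from outside.
# Usage: audit_named_conf /etc/named.conf; check_no_recursion ipa.example.com

# audit_named_conf FILE -> prints one MISSING line per absent setting, returns the count.
audit_named_conf() {
    # strip // and # comments, squeeze blanks so spacing variants still match
    body=$(sed -e 's|//.*$||' -e 's|#.*$||' "$1" | tr -s ' \t' ' ')
    missing=0
    for spec in \
        'recursion no|^ *recursion no *;' \
        'allow-recursion { none; }|allow-recursion *\{ *none *; *\}' \
        'allow-transfer { none; }|allow-transfer *\{ *none *; *\}' \
        'rate-limit block (RRL)|rate-limit *\{' \
        'version string hidden|^ *version "[^"]+" *;'
    do
        label=${spec%%|*}; regex=${spec#*|}
        if ! printf '%s\n' "$body" | grep -Eq "$regex"; then
            echo "MISSING: $label"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# dig_offers_recursion DIG_OUTPUT -> true when the header flags carry "ra"
# (recursion available), i.e. the server will act as a resolver for the asker.
dig_offers_recursion() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:.*[ :]ra[ ;]'
}

# check_no_recursion SERVER [NAME] -> 0 when SERVER refuses to recurse for a
# name outside its zones, 1 when it offers recursion (open resolver), 2 when it
# does not answer. Needs network and dig; run it from outside your own network,
# since allow-recursion ACLs may differ per source address.
check_no_recursion() {
    out=$(dig @"$1" "${2:-www.example.com}" A +tries=1 +time=3 2>/dev/null) || return 2
    dig_offers_recursion "$out" && return 1
    return 0
}

# ipa_zone_transfer_closed ZONE -> true when ipa dnszone-show reports transfers
# disabled for an IPA-managed zone (the named.conf settings do not cover these).
# Assumes the "Allow transfer:" label in the CLI output; needs a Kerberos ticket.
ipa_zone_transfer_closed() {
    ipa dnszone-show "$1" 2>/dev/null | grep -Eq '^ *Allow transfer: *none;'
}

# Demo on a constructed named.conf (the live checks above are not exercised here).
demo_dir=$(mktemp -d)
cat > "$demo_dir/named.conf" <<'EOF'
options {
    directory "/var/named";
    recursion yes;          // default: answers recursive queries for anyone
    allow-transfer { any; };
};
EOF
echo "--- default options block ---"
audit_named_conf "$demo_dir/named.conf" || echo "($? setting(s) to fix)"
cat > "$demo_dir/named.conf" <<'EOF'
options {
    directory "/var/named";
    recursion no;
    allow-recursion { none; };
    allow-transfer { none; };
    version "Secured";
    rate-limit { responses-per-second 15; };   # tune to your query volume
};
EOF
echo "--- hardened options block ---"
audit_named_conf "$demo_dir/named.conf" && echo "all settings present"
dig_offers_recursion ';; flags: qr rd ra; QUERY: 1, ANSWER: 1' && echo "sample flags: open resolver"
rm -rf "$demo_dir"
```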


Re: [Freeipa-users] Error creating new freeipa-server

2014-04-28 Thread Rob Crittenden

Bret Wortman wrote:


On 04/28/2014 10:21 AM, Bret Wortman wrote:


On 04/28/2014 08:33 AM, Petr Viktorin wrote:


According to the error you're getting, there is a CA instance already
installed.
After uninstalling IPA, destroy it with:
pkidestroy -s CA -i pki-tomcat



I tried this, but no joy.

# pkidestroy -s CA -i pki-tomcat
Loading deployment configuration from /var/lib/pki/pki-tomcat
/ca/registry/ca/deployment.cfg.
Uninstalling CA from /var/lib/pki/pki-tomcat.
pkidestroy : WARNING ... this 'CA' entry will NOT be deleted from
security domain 'unknown'!
pkidestroy : ERROR   ... No security domain defined.
If this is an unconfigured instance, then that is OK.
Otherwise, manually delete the entry from the security domain master.

Uninstallation complete.
#

And then when I tried to run ipa-server-install, I got the same error
again. I may just wipe the box and start over. It might take less time
overall.


Bret


This, BTW, is on F20 using freeipa 3.3.4-3 and pki-ca 10.1.1-1 (also
dogtag-10.1.1-1).


From the ipa-server installation output the error looks the same, but 
the underlying error should be different when there isn't already a PKI 
instance.


If the PKI installer fails early enough we don't record that it was 
installed which is why ipa-server-install --uninstall doesn't remove it. 
We have a ticket open for this.


rob



Re: [Freeipa-users] Error creating new freeipa-server

2014-04-28 Thread Bret Wortman


On 04/28/2014 10:48 AM, Rob Crittenden wrote:

Bret Wortman wrote:


On 04/28/2014 10:21 AM, Bret Wortman wrote:


On 04/28/2014 08:33 AM, Petr Viktorin wrote:


According to the error you're getting, there is a CA instance already
installed.
After uninstalling IPA, destroy it with:
pkidestroy -s CA -i pki-tomcat



I tried this, but no joy.

# pkidestroy -s CA -i pki-tomcat
Loading deployment configuration from /var/lib/pki/pki-tomcat
/ca/registry/ca/deployment.cfg.
Uninstalling CA from /var/lib/pki/pki-tomcat.
pkidestroy : WARNING ... this 'CA' entry will NOT be deleted from
security domain 'unknown'!
pkidestroy : ERROR   ... No security domain defined.
If this is an unconfigured instance, then that is OK.
Otherwise, manually delete the entry from the security domain master.

Uninstallation complete.
#

And then when I tried to run ipa-server-install, I got the same error
again. I may just wipe the box and start over. It might take less time
overall.


Bret


This, BTW, is on F20 using freeipa 3.3.4-3 and pki-ca 10.1.1-1 (also
dogtag-10.1.1-1).


From the ipa-server installation output the error looks the same, but 
the underlying error should be different when there isn't already a 
PKI instance.


If the PKI installer fails early enough we don't record that it was 
installed which is why ipa-server-install --uninstall doesn't remove 
it. We have a ticket open for this.


rob


So is there a recommended way to clean it up and get it working?





Re: [Freeipa-users] Hardening freeipa on the internet

2014-04-28 Thread Andrew Holway
 I realized that you probably want to disable anonymous access to LDAP. It
 will prevent random strangers from enumerating all users in your database...

This sounds like a bug, no? Anonymous access to LDAP?



 --
 Petr^2 Spacek



Re: [Freeipa-users] Hardening freeipa on the internet

2014-04-28 Thread Simo Sorce
On Mon, 2014-04-28 at 16:11 +0100, Andrew Holway wrote:
  I realized that you probably want to disable anonymous access to LDAP. It
  will prevent random strangers from enumerating all users in your database...
 
 This sounds like a bug no? anonymous access to LDAP?

Historically many Linux and Unix OSs did not authenticate to LDAP to
download POSIX info, so by default we allow anonymous access to a lot of
the tree.
We are in the process of changing how the permissions work in 4.0, and
will contextually close down a lot more of the tree, letting the admin
configure access more easily.

So, no, it is not technically a bug, but it is something you want to look
out for as an admin.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

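An added shell example (not FreeIPA project code) for the point Simo makes: it measures how many user entries an anonymous bind against your own IPA server returns, and shows the 389 Directory Server change that limits anonymous access to the root DSE. Server name and base DN are parameters; the LDIF in the demo is constructed.

```sh
#!/bin/sh
# Added example, not FreeIPA project code: check how much of the IPA directory
# an anonymous bind exposes, and the 389-ds setting that closes it.
# Usage: anon_user_count ipa.example.com dc=example,dc=com

# count_ldif_entries (stdin: LDIF as printed by ldapsearch -LLL) -> entry count.
count_ldif_entries() {
    grep -c '^dn: ' || true      # grep exits 1 on zero matches; 0 is still printed
}

# ldif_value ATTR (stdin: LDIF) -> value of the first "ATTR: value" line.
ldif_value() {
    sed -n "s/^$1: //p" | head -n 1
}

# anon_user_count SERVER BASEDN -> number of user entries an unauthenticated
# client can list under cn=users,cn=accounts,BASEDN. Anything above zero means
# the user base is readable by anyone who can reach port 389. Needs network.
anon_user_count() {
    ldapsearch -x -LLL -H "ldap://$1" -b "cn=users,cn=accounts,$2" \
        '(objectClass=posixAccount)' dn 2>/dev/null | count_ldif_entries
}

# current_anon_setting SERVER -> on / off / rootdse as stored in cn=config.
# Reading cn=config needs Directory Manager credentials (-W prompts for them).
current_anon_setting() {
    ldapsearch -x -LLL -H "ldap://$1" -D 'cn=Directory Manager' -W \
        -b cn=config -s base nsslapd-allow-anonymous-access 2>/dev/null \
        | ldif_value nsslapd-allow-anonymous-access
}

# anon_access_rootdse_ldif -> the modification that keeps the root DSE readable
# (clients still discover naming contexts and supported mechanisms) but denies
# anonymous reads of entries. This is the nsslapd-allow-anonymous-access
# attribute of 389-ds, not an IPA-specific knob; restart the directory server
# after applying it, and first confirm that nothing still depends on anonymous
# reads (legacy LDAP-only clients, an sssd ldap provider without a bind identity),
# then test enrolling a fresh client.
anon_access_rootdse_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
EOF
}
# Apply with:
#   anon_access_rootdse_ldif | ldapmodify -x -H ldap://localhost -D 'cn=Directory Manager' -W

# Demo on constructed LDIF (no server involved; the DNs are placeholders).
sample_anon_result='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
'
n=$(printf '%s\n' "$sample_anon_result" | count_ldif_entries)
echo "constructed anonymous search returned $n user entries"
sample_config='dn: cn=config
nsslapd-allow-anonymous-access: on
'
echo "constructed cn=config says: $(printf '%s' "$sample_config" | ldif_value nsslapd-allow-anonymous-access)"
echo "--- change to apply ---"
anon_access_rootdse_ldif
```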


Re: [Freeipa-users] Error creating new freeipa-server

2014-04-28 Thread Rob Crittenden

Bret Wortman wrote:


On 04/28/2014 10:48 AM, Rob Crittenden wrote:

Bret Wortman wrote:


On 04/28/2014 10:21 AM, Bret Wortman wrote:


On 04/28/2014 08:33 AM, Petr Viktorin wrote:


According to the error you're getting, there is a CA instance already
installed.
After uninstalling IPA, destroy it with:
pkidestroy -s CA -i pki-tomcat



I tried this, but no joy.

# pkidestroy -s CA -i pki-tomcat
Loading deployment configuration from /var/lib/pki/pki-tomcat
/ca/registry/ca/deployment.cfg.
Uninstalling CA from /var/lib/pki/pki-tomcat.
pkidestroy : WARNING ... this 'CA' entry will NOT be deleted from
security domain 'unknown'!
pkidestroy : ERROR   ... No security domain defined.
If this is an unconfigured instance, then that is OK.
Otherwise, manually delete the entry from the security domain master.

Uninstallation complete.
#

And then when I tried to run ipa-server-install, I got the same error
again. I may just wipe the box and start over. It might take less time
overall.


Bret


This, BTW, is on F20 using freeipa 3.3.4-3 and pki-ca 10.1.1-1 (also
dogtag-10.1.1-1).


From the ipa-server installation output the error looks the same, but
the underlying error should be different when there isn't already a
PKI instance.

If the PKI installer fails early enough we don't record that it was
installed which is why ipa-server-install --uninstall doesn't remove
it. We have a ticket open for this.

rob


So is there a recommended way to clean it up and get it working?


Re-run pkidestroy, then if the subsequent IPA install fails closely 
examine the logs to determine the reason. The problem in cases like this 
is that the first install fails and subsequent installs mask the 
original failure with this PKI re-install failure.


rob



Re: [Freeipa-users] Error creating new freeipa-server

2014-04-28 Thread Bret Wortman


On 04/28/2014 11:08 AM, Bret Wortman wrote:


On 04/28/2014 10:48 AM, Rob Crittenden wrote:

Bret Wortman wrote:


On 04/28/2014 10:21 AM, Bret Wortman wrote:


On 04/28/2014 08:33 AM, Petr Viktorin wrote:


According to the error you're getting, there is a CA instance already
installed.
After uninstalling IPA, destroy it with:
pkidestroy -s CA -i pki-tomcat



I tried this, but no joy.

# pkidestroy -s CA -i pki-tomcat
Loading deployment configuration from /var/lib/pki/pki-tomcat
/ca/registry/ca/deployment.cfg.
Uninstalling CA from /var/lib/pki/pki-tomcat.
pkidestroy : WARNING ... this 'CA' entry will NOT be deleted from
security domain 'unknown'!
pkidestroy : ERROR   ... No security domain defined.
If this is an unconfigured instance, then that is OK.
Otherwise, manually delete the entry from the security domain master.

Uninstallation complete.
#

And then when I tried to run ipa-server-install, I got the same error
again. I may just wipe the box and start over. It might take less time
overall.


Bret


This, BTW, is on F20 using freeipa 3.3.4-3 and pki-ca 10.1.1-1 (also
dogtag-10.1.1-1).


From the ipa-server installation output the error looks the same, but 
the underlying error should be different when there isn't already a 
PKI instance.


If the PKI installer fails early enough we don't record that it was 
installed which is why ipa-server-install --uninstall doesn't remove 
it. We have a ticket open for this.


rob


So is there a recommended way to clean it up and get it working?


Never mind; I found the bug (953488) which said to:

# pkidestroy -s CA -i pki-tomcat
ERROR:  PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!
# rm -rf /var/log/pki/pki-tomcat
# rm -rf /etc/sysconfig/pki-tomcat
# rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
# rm -rf /var/lib/pki/pki-tomcat
# rm -rf /etc/pki/pki-tomcat
# ipa-server-install --uninstall

And then re-run the installation. This didn't work for me. Was there another bug 
that I missed?






Re: [Freeipa-users] Error creating new freeipa-server

2014-04-28 Thread Bret Wortman


On 04/28/2014 11:17 AM, Rob Crittenden wrote:

Bret Wortman wrote:

So is there a recommended way to clean it up and get it working?


Re-run pkidestroy, then if the subsequent IPA install fails closely 
examine the logs to determine the reason. The problem in cases like 
this is that the first install fails and subsequent installs mask the 
original failure with this PKI re-install failure.


rob


Okay, here's the log from when it starts configuring PKI:

2014-04-28T15:23:45Z DEBUG   [2/22]: configuring certificate server instance
2014-04-28T15:23:45Z DEBUG Contents of pkispawn configuration file 
(/tmp/tmpdCm6rt):

[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki-backup_password = 
pki_client_database_dir = /tmp/tmp-rVoTR2
pki_client_database_password = 
pki_client_database_purge = False
pki_client_pkcs12_password = 
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = 
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=FOO.NET
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = 
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject+dn = cn=CA Subsystem,O=FOO.NET
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=FOO.NET
pki_ssl_server_subject_dn = cn=zsipa.foo.net,O=FOO.NET
pki_audit_signing_subject_dn = cn=CA Audit,O=FOO.NET
pki_ca_signing_subject_dn = cn-Certificate Authority,O=FOO.NET
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca


2014-04-28T15:23:45Z DEBUG Starting external process
2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt
2014-04-28T15:23:45Z DEBUG Process finished, return code=1
2014-04-28T15:23:45Z DEBUG stdout=Loading deployment configuration from 
/tmp/tmpdCm6rt.

Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into 
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg


Installation failed.


2014-04-28T15:24:46Z DEBUG stderr=pkispawn : ERROR   ... server 
failed to restart


2014-04-28T15:24:46Z CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt' returned non-zero exit status 1
2014-04-28T15:24:46Z DEBUG   File 
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, 
line 622, in run_script

return_value = main_function()

  File /usr/sbin/ipa-server-install, line 1074, in main
dm_password, subject_base=options.subject)

  File 
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 
478, in configure_instance

self.start_creation(runtime=210)

  File /usr/lib/python2.7/site-packages/ipaserver/isntall/service.py, 
line 364, in start_creation

method()

  File 
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 
604, in __spawn_instance

raise RUntimeError('Configuration of CA failed')


2014-04-28T15:24:46Z DEBUG The ipa-server-install command failed, 
exception: RuntimeError: Configuration of CA failed


And that's the end of the log. Nothing here looks terribly informative 
to me, and this is what the log looks like every time I look at it.





Re: [Freeipa-users] Error creating new freeipa-server

2014-04-28 Thread Rob Crittenden

Bret Wortman wrote:


On 04/28/2014 11:17 AM, Rob Crittenden wrote:

Bret Wortman wrote:

So is there a recommended way to clean it up and get it working?


Re-run pkidestroy, then if the subsequent IPA install fails closely
examine the logs to determine the reason. The problem in cases like
this is that the first install fails and subsequent installs mask the
original failure with this PKI re-install failure.

rob


Okay, here's the log from when it starts configuring PKI:

2014-04-28T15:23:45Z DEBUG   [2/22]: configuring certificate server
instance
2014-04-28T15:23:45Z DEBUG Contents of pkispawn configuration file
(/tmp/tmpdCm6rt):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki-backup_password = 
pki_client_database_dir = /tmp/tmp-rVoTR2
pki_client_database_password = 
pki_client_database_purge = False
pki_client_pkcs12_password = 
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = 
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=FOO.NET
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = 
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject+dn = cn=CA Subsystem,O=FOO.NET
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=FOO.NET
pki_ssl_server_subject_dn = cn=zsipa.foo.net,O=FOO.NET
pki_audit_signing_subject_dn = cn=CA Audit,O=FOO.NET
pki_ca_signing_subject_dn = cn-Certificate Authority,O=FOO.NET
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca


2014-04-28T15:23:45Z DEBUG Starting external process
2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt
2014-04-28T15:23:45Z DEBUG Process finished, return code=1
2014-04-28T15:23:45Z DEBUG stdout=Loading deployment configuration from
/tmp/tmpdCm6rt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg

Installation failed.


2014-04-28T15:24:46Z DEBUG stderr=pkispawn : ERROR   ... server
failed to restart

2014-04-28T15:24:46Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt' returned non-zero exit
status 1
2014-04-28T15:24:46Z DEBUG   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
line 622, in run_script
 return_value = main_function()

   File /usr/sbin/ipa-server-install, line 1074, in main
 dm_password, subject_base=options.subject)

   File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
478, in configure_instance
 self.start_creation(runtime=210)

   File /usr/lib/python2.7/site-packages/ipaserver/isntall/service.py,
line 364, in start_creation
 method()

   File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
604, in __spawn_instance
 raise RUntimeError('Configuration of CA failed')


2014-04-28T15:24:46Z DEBUG The ipa-server-install command failed,
exception: RuntimeError: Configuration of CA failed

And that's the end of the log. Nothing here looks terribly informative
to me, and this is what the log looks like every time I look at it.



The error is different depending on whether there is an existing PKI instance or not.

The next set of logs to look at are in /var/log/pki. It says there is a 
startup failure so I'd start with /var/log/pki/pki-tomcat/catalina.out . 
Also interesting may be the pki-ca-spawn and debug logs found within 
that directory structure.


I'd also look for SELinux errors with ausearch -m AVC -ts recent

rob



Re: [Freeipa-users] Error creating new freeipa-server

2014-04-28 Thread Bret Wortman


On 04/28/2014 11:52 AM, Rob Crittenden wrote:

Bret Wortman wrote:


On 04/28/2014 11:17 AM, Rob Crittenden wrote:

Bret Wortman wrote:

So is there a recommended way to clean it up and get it working?


Re-run pkidestroy, then if the subsequent IPA install fails closely
examine the logs to determine the reason. The problem in cases like
this is that the first install fails and subsequent installs mask the
original failure with this PKI re-install failure.

rob


Okay, here's the log from when it starts configuring PKI:

2014-04-28T15:23:45Z DEBUG   [2/22]: configuring certificate server
instance
2014-04-28T15:23:45Z DEBUG Contents of pkispawn configuration file
(/tmp/tmpdCm6rt):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki-backup_password = 
pki_client_database_dir = /tmp/tmp-rVoTR2
pki_client_database_password = 
pki_client_database_purge = False
pki_client_pkcs12_password = 
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = 
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=FOO.NET
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = 
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject+dn = cn=CA Subsystem,O=FOO.NET
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=FOO.NET
pki_ssl_server_subject_dn = cn=zsipa.foo.net,O=FOO.NET
pki_audit_signing_subject_dn = cn=CA Audit,O=FOO.NET
pki_ca_signing_subject_dn = cn-Certificate Authority,O=FOO.NET
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca


2014-04-28T15:23:45Z DEBUG Starting external process
2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f 
/tmp/tmpdCm6rt

2014-04-28T15:23:45Z DEBUG Process finished, return code=1
2014-04-28T15:23:45Z DEBUG stdout=Loading deployment configuration from
/tmp/tmpdCm6rt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg

Installation failed.


2014-04-28T15:24:46Z DEBUG stderr=pkispawn : ERROR   ... server
failed to restart

2014-04-28T15:24:46Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt' returned non-zero exit
status 1
2014-04-28T15:24:46Z DEBUG   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
line 622, in run_script
 return_value = main_function()

   File /usr/sbin/ipa-server-install, line 1074, in main
 dm_password, subject_base=options.subject)

   File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
478, in configure_instance
 self.start_creation(runtime=210)

   File /usr/lib/python2.7/site-packages/ipaserver/isntall/service.py,
line 364, in start_creation
 method()

   File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
604, in __spawn_instance
 raise RUntimeError('Configuration of CA failed')


2014-04-28T15:24:46Z DEBUG The ipa-server-install command failed,
exception: RuntimeError: Configuration of CA failed

And that's the end of the log. Nothing here looks terribly informative
to me, and this is what the log looks like every time I look at it.



The error is different depending on whether there is an existing PKI instance or not.

The next set of logs to look at are in /var/log/pki. It says there is 
a startup failure so I'd start with 
/var/log/pki/pki-tomcat/catalina.out . Also interesting may be the 
pki-ca-spawn and debug logs found within that directory structure.


I'd also look for SELinux errors with ausearch -m AVC -ts recent
This did the trick. Something was hanging out on port 8443, though 
neither lsof nor netstat would show me what it was. I rebooted the 
server and then it proceeded past this without a hiccup.


Thanks, Rob and everyone else for helping me navigate the logs!


Bret


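As an added shell example drawn from how this thread was resolved (not FreeIPA project code): a pre-flight check to run before retrying ipa-server-install. It reports leftover pki-tomcat state from the bug Bret cites and any listener already on the ports the CA and IPA need; the paths are the ones quoted in the thread, the port list is the standard IPA/Dogtag set, and the ss output in the demo is constructed.

```sh
#!/bin/sh
# Added example, not FreeIPA project code: pre-flight check before re-running
# ipa-server-install after a failed CA setup. It covers the two things this
# thread turned up: leftover pki-tomcat state from an earlier attempt, and a
# listener already on the CA's port (8443), which made pkispawn fail with
# "server failed to restart". Run as root on the would-be server.

# Paths that an early pkispawn failure can leave behind (the list Bret quotes
# from bug 953488); ipa-server-install --uninstall does not know about them.
PKI_LEFTOVERS="/var/log/pki/pki-tomcat /etc/sysconfig/pki-tomcat \
/etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat /etc/pki/pki-tomcat"

# Ports the CA (8080, 8443) and the rest of IPA bind; they must be free before install.
IPA_PORTS="8443 8080 80 443 389 636 88 464"

# leftover_pki_paths -> prints each leftover path that still exists.
leftover_pki_paths() {
    for p in $PKI_LEFTOVERS; do
        [ -e "$p" ] && echo "$p"
    done
    return 0
}

# listening_ports (stdin: output of "ss -ltn" or "netstat -ltn") -> one local
# port per line. Handles "*:8443", "0.0.0.0:8443" and "[::]:8443" alike.
listening_ports() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) { sub(/.*:/, "", $i); print $i; break } }'
}

# ports_in_use WANTED... (stdin: listener list) -> prints each wanted port that is bound.
ports_in_use() {
    bound=$(cat)
    for port in "$@"; do
        printf '%s\n' "$bound" | grep -qx "$port" && echo "$port"
    done
    return 0
}

# preflight -> prints findings, returns their count. A clean result is necessary,
# not sufficient: in Bret's case neither lsof nor netstat showed the 8443 user
# and only a reboot cleared it, so a stale listener can hide from these tools.
preflight() {
    blockers=0
    for p in $(leftover_pki_paths); do
        echo "LEFTOVER: $p  (pkidestroy -s CA -i pki-tomcat, remove it, then ipa-server-install --uninstall)"
        blockers=$((blockers + 1))
    done
    listeners=$( { ss -ltn || netstat -ltn; } 2>/dev/null)
    for port in $(printf '%s\n' "$listeners" | listening_ports | ports_in_use $IPA_PORTS); do
        echo "PORT IN USE: $port  (see /var/log/pki/pki-tomcat/catalina.out and ausearch -m AVC -ts recent)"
        blockers=$((blockers + 1))
    done
    return "$blockers"
}

# Demo on a constructed "ss -ltn" listing (the live preflight is not run here).
sample_ss='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22               *:*
LISTEN 0      100    127.0.0.1:25       *:*
LISTEN 0      1      [::]:8443          [::]:*'
echo "ports in the sample that would block the CA install:"
printf '%s\n' "$sample_ss" | listening_ports | ports_in_use $IPA_PORTS
```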

Re: [Freeipa-users] Google Apps Directory Sync and Free-IPA

2014-04-28 Thread Simon Williams
I do have it working, but I have Atlassian Crowd sitting between FreeIPA
and the Google Apps login.
On 28 Apr 2014 15:44, Simo Sorce s...@redhat.com wrote:

 On Mon, 2014-04-28 at 08:24 -0400, Dmitri Pal wrote:
  On 04/28/2014 08:22 AM, Chris Whittle wrote:
   Ha! that was my thread about SAML vs GADS but there ended up not being
   any info on how to actually use GADS with Free IPA.  It dropped after
   Simo saying he was going to work on getting docs for ipsilon (which
   from the conversation and I can gather is basically SAML) and I asked
   for someone who had experience with GADS so I started a new one for
   simplification.
 
  I do not think we have a better answer for you other than what Martin
  mentioned and SAML IdP Simo is working on.

 note that any other SAML IdP that has support for LDAP may work, for
 example http://picketlink.org/ may work for you if you have experience
 in setting up jboss based applications and know how to make your way in
 configuring such software. (I can't help here really).

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York


[Freeipa-users] Can't use ipa commands on brand new ipa server instance

2014-04-28 Thread Bret Wortman
I just got a new ipa server instantiated and haven't actually installed 
any users or hosts on it yet. No replicas. No migrated data.


Yet when I run any ipa commands from the command line, it behaves 
exactly as our older, troubled servers do and exits the login session 
immediately, whether I'm connected at the console or via ssh. Further, 
when I run strace to try to capture what might be going on, the behavior 
stops. Script also prevents commands from exiting, but this is really 
disconcerting. I was chalking this up to the fact that our database had 
become corrupted by our replication problems, but now I'm thinking it 
might be environmental, though our original IPA servers are running F18 
and this new instance is F20.


I need some stability here, and CLI is part of that. What might be 
causing the CLI to not work at all when coupled to a TTY device, as that 
seems to be the critical piece? Could this be related to the servers 
being VMs?



--
Bret Wortman

http://damascusgrp.com/
http://about.me/wortmanbret




Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance

2014-04-28 Thread Bret Wortman


On 04/28/2014 01:19 PM, Bret Wortman wrote:
I just got a new ipa server instantiated and haven't actually 
installed any users or hosts on it yet. No replicas. No migrated data.


Yet when I run any ipa commands from the command line, it behaves 
exactly as our older, troubled servers do and exits the login session 
immediately, whether I'm connected at the console or via ssh. Further, 
when I run strace to try to capture what might be going on, the 
behavior stops. Script also prevents commands from exiting, but this 
is really disconcerting. I was chalking this up to the fact that our 
database had become corrupted by our replication problems, but now I'm 
thinking it might be environmental, though our original IPA servers 
are running F18 and this new instance is F20.


I need some stability here, and CLI is part of that. What might be 
causing the CLI to not work at all when coupled to a TTY device, as 
that seems to be the critical piece? Could this be related to the 
servers being VMs?


BTW, we have this running on F20 on a different network and it works 
just fine. The network on which the failures are occurring isn't 
internet-connected; is there something that's trying to connect back to 
redhat?



Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance

2014-04-28 Thread Simo Sorce
On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:
 On 04/28/2014 01:19 PM, Bret Wortman wrote:
  I just got a new ipa server instantiated and haven't actually 
  installed any users or hosts on it yet. No replicas. No migrated data.
 
  Yet when I run any ipa commands from the command line, it behaves 
  exactly as our older, troubled servers do and exits the login session 
  immediately, whether I'm connected at the console or via ssh. Further, 
  when I run strace to try to capture what might be going on, the 
  behavior stops. Script also prevents commands from exiting, but this 
  is really disconcerting. I was chalking this up to the fact that our 
  database had become corrupted by our replication problems, but now I'm 
  thinking it might be environmental, though our original IPA servers 
  are running F18 and this new instance is F20.
 
  I need some stability here, and CLI is part of that. What might be 
  causing the CLI to not work at all when coupled to a TTY device, as 
  that seems to be the critical piece? Could this be related to the 
  servers being VMs?
 
 BTW, we have this running on F20 on a different network and it works 
 just fine. The network on which the failures are occurring isn't 
 internet-connected; is there something that's trying to connect back to 
 redhat?

no.

What shell do you use ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance

2014-04-28 Thread Bret Wortman

bash.

On 04/28/2014 01:32 PM, Simo Sorce wrote:

On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:

On 04/28/2014 01:19 PM, Bret Wortman wrote:

I just got a new ipa server instantiated and haven't actually
installed any users or hosts on it yet. No replicas. No migrated data.

Yet when I run any ipa commands from the command line, it behaves
exactly as our older, troubled servers do and exits the login session
immediately, whether I'm connected at the console or via ssh. Further,
when I run strace to try to capture what might be going on, the
behavior stops. Script also prevents commands from exiting, but this
is really disconcerting. I was chalking this up to the fact that our
database had become corrupted by our replication problems, but now I'm
thinking it might be environmental, though our original IPA servers
are running F18 and this new instance is F20.

I need some stability here, and CLI is part of that. What might be
causing the CLI to not work at all when coupled to a TTY device, as
that seems to be the critical piece? Could this be related to the
servers being VMs?


BTW, we have this running on F20 on a different network and it works
just fine. The network on which the failures are occurring isn't
internet-connected; is there something that's trying to connect back to
redhat?

no.

What shell do you use ?

Simo.


Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance

2014-04-28 Thread Dmitri Pal

On 04/28/2014 01:25 PM, Bret Wortman wrote:


On 04/28/2014 01:19 PM, Bret Wortman wrote:
I just got a new ipa server instantiated and haven't actually 
installed any users or hosts on it yet. No replicas. No migrated data.


Yet when I run any ipa commands from the command line, it behaves 
exactly as our older, troubled servers do and exits the login session 
immediately, whether I'm connected at the console or via ssh. 
Further, when I run strace to try to capture what might be going on, 
the behavior stops. Script also prevents commands from exiting, but 
this is really disconcerting. I was chalking this up to the fact that 
our database had become corrupted by our replication problems, but 
now I'm thinking it might be environmental, though our original IPA 
servers are running F18 and this new instance is F20.


I need some stability here, and CLI is part of that. What might be 
causing the CLI to not work at all when coupled to a TTY device, as 
that seems to be the critical piece? Could this be related to the 
servers being VMs?


BTW, we have this running on F20 on a different network and it works 
just fine. The network on which the failures are occurring isn't 
internet-connected; is there something that's trying to connect back 
to redhat?



No, but I wonder what your DNS setup is? If it is a different subnet, can 
it be that it sees some other Kerberos and/or LDAP server (AD for 
example) and gets confused?


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance

2014-04-28 Thread Simo Sorce

 On 04/28/2014 01:32 PM, Simo Sorce wrote:
  On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:
  On 04/28/2014 01:19 PM, Bret Wortman wrote:
  I just got a new ipa server instantiated and haven't actually
  installed any users or hosts on it yet. No replicas. No migrated data.
 
  Yet when I run any ipa commands from the command line, it behaves
  exactly as our older, troubled servers do and exits the login session
  immediately, whether I'm connected at the console or via ssh. Further,
  when I run strace to try to capture what might be going on, the
  behavior stops. Script also prevents commands from exiting, but this
  is really disconcerting. I was chalking this up to the fact that our
  database had become corrupted by our replication problems, but now I'm
  thinking it might be environmental, though our original IPA servers
  are running F18 and this new instance is F20.
 
  I need some stability here, and CLI is part of that. What might be
  causing the CLI to not work at all when coupled to a TTY device, as
  that seems to be the critical piece? Could this be related to the
  servers being VMs?
 
  BTW, we have this running on F20 on a different network and it works
  just fine. The network on which the failures are occurring isn't
  internet-connected; is there something that's trying to connect back to
  redhat?
  no.
 
  What shell do you use ?

On Mon, 2014-04-28 at 13:43 -0400, Bret Wortman wrote:
 bash.

Does it make any difference if you redirect stdin before calling the
command ?

Simo.
 
-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance

2014-04-28 Thread Bret Wortman


On 04/28/2014 01:53 PM, Simo Sorce wrote:

On 04/28/2014 01:32 PM, Simo Sorce wrote:

On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:

On 04/28/2014 01:19 PM, Bret Wortman wrote:

I just got a new ipa server instantiated and haven't actually
installed any users or hosts on it yet. No replicas. No migrated data.

Yet when I run any ipa commands from the command line, it behaves
exactly as our older, troubled servers do and exits the login session
immediately, whether I'm connected at the console or via ssh. Further,
when I run strace to try to capture what might be going on, the
behavior stops. Script also prevents commands from exiting, but this
is really disconcerting. I was chalking this up to the fact that our
database had become corrupted by our replication problems, but now I'm
thinking it might be environmental, though our original IPA servers
are running F18 and this new instance is F20.

I need some stability here, and CLI is part of that. What might be
causing the CLI to not work at all when coupled to a TTY device, as
that seems to be the critical piece? Could this be related to the
servers being VMs?


BTW, we have this running on F20 on a different network and it works
just fine. The network on which the failures are occurring isn't
internet-connected; is there something that's trying to connect back to
redhat?

no.

What shell do you use ?

On Mon, 2014-04-28 at 13:43 -0400, Bret Wortman wrote:

bash.

Does it make any difference if you redirect stdin before calling the
command ?

Simo.
  
No, I found the problem. A power user had written a bash function that 
redefined ipa and dropped it into /etc/profile.d. We're about to have 
a little chat.

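The failure mode Bret describes (a function in /etc/profile.d silently replacing the ipa binary for every login shell) is easy to check for. The script below is an added example, not code from the thread or from FreeIPA: it reports whether a command name resolves to a file on PATH or to a function/alias, and greps profile.d drop-ins for definitions of that name. The sample drop-in it builds in a temp directory is constructed for the demonstration and does not exit the session.

```shell
#!/bin/sh
# Added example, not from the thread: detect a shell function or alias
# that shadows a command (here "ipa") and locate the profile.d drop-in
# that defines it. Portable POSIX sh; FreeIPA need not be installed.

# Return 0 if NAME resolves to an executable file on PATH, 1 if a
# function, alias or builtin shadows it (or it is missing entirely).
shadow_check() {
    resolved=$(command -v "$1" 2>/dev/null) || resolved=""
    case "$resolved" in
        /*) return 0 ;;                          # plain file on PATH
        "") echo "$1: not found"; return 1 ;;
        *)  echo "$1: shadowed by: $(type "$1")"; return 1 ;;
    esac
}

# Print file:line:text for every definition of NAME in DIR/*.sh
# (NAME(), "function NAME" keyword form, or alias NAME=). Exit status
# is grep's: 0 when at least one definition was found.
find_shadow_defs() {
    name="$1"; dir="${2:-/etc/profile.d}"
    grep -nHE "^[[:space:]]*(function[[:space:]]+)?${name}[[:space:]]*\(\)|^[[:space:]]*alias[[:space:]]+${name}=" \
        "$dir"/*.sh 2>/dev/null
}

# Build a throwaway profile.d directory holding a constructed drop-in
# of the kind described in the thread (harmless stand-in: it wraps ipa
# but does not exit the session). Prints the directory path.
make_sample_profile_dir() {
    d=$(mktemp -d)
    cat > "$d/zz-ipa-wrapper.sh" <<'EOF'
# constructed sample: a "power user" wrapper that redefines ipa
ipa() {
    command ipa "$@"
}
EOF
    echo "$d"
}

# Stand-alone demonstration.
sample=$(make_sample_profile_dir)
find_shadow_defs ipa "$sample" || echo "no ipa definitions in $sample"
ls() { :; }            # simulate a shadowed command in this shell
shadow_check ls || true
unset -f ls
rm -rf "$sample"
```

On a real host run `shadow_check ipa` from the affected login shell (it must be the interactive shell, since that is where profile.d is sourced) and `find_shadow_defs ipa` with the default directory.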

Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance

2014-04-28 Thread Simo Sorce
On Mon, 2014-04-28 at 14:05 -0400, Bret Wortman wrote:
 On 04/28/2014 01:53 PM, Simo Sorce wrote:
  On 04/28/2014 01:32 PM, Simo Sorce wrote:
  On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:
  On 04/28/2014 01:19 PM, Bret Wortman wrote:
  I just got a new ipa server instantiated and haven't actually
  installed any users or hosts on it yet. No replicas. No migrated data.
 
  Yet when I run any ipa commands from the command line, it behaves
  exactly as our older, troubled servers do and exits the login session
  immediately, whether I'm connected at the console or via ssh. Further,
  when I run strace to try to capture what might be going on, the
  behavior stops. Script also prevents commands from exiting, but this
  is really disconcerting. I was chalking this up to the fact that our
  database had become corrupted by our replication problems, but now I'm
  thinking it might be environmental, though our original IPA servers
  are running F18 and this new instance is F20.
 
  I need some stability here, and CLI is part of that. What might be
  causing the CLI to not work at all when coupled to a TTY device, as
  that seems to be the critical piece? Could this be related to the
  servers being VMs?
 
  BTW, we have this running on F20 on a different network and it works
  just fine. The network on which the failures are occurring isn't
  internet-connected; is there something that's trying to connect back to
  redhat?
  no.
 
  What shell do you use ?
  On Mon, 2014-04-28 at 13:43 -0400, Bret Wortman wrote:
  bash.
  Does it make any difference if you redirect stdin before calling the
  command ?
 
  Simo.

 No, I found the problem. A power user had written a bash function that 
 redefined ipa and dropped it into /etc/profile.d. We're about to have 
 a little chat.

lol!

glad you found it :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance

2014-04-28 Thread Bill Peck
Let me guess, ipa logs you out so you can go have a beer?


On Mon, Apr 28, 2014 at 2:10 PM, Simo Sorce s...@redhat.com wrote:

 On Mon, 2014-04-28 at 14:05 -0400, Bret Wortman wrote:
  On 04/28/2014 01:53 PM, Simo Sorce wrote:
   On 04/28/2014 01:32 PM, Simo Sorce wrote:
   On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:
   On 04/28/2014 01:19 PM, Bret Wortman wrote:
   I just got a new ipa server instantiated and haven't actually
   installed any users or hosts on it yet. No replicas. No migrated
 data.
  
   Yet when I run any ipa commands from the command line, it behaves
   exactly as our older, troubled servers do and exits the login
 session
   immediately, whether I'm connected at the console or via ssh.
 Further,
   when I run strace to try to capture what might be going on, the
   behavior stops. Script also prevents commands from exiting, but
 this
   is really disconcerting. I was chalking this up to the fact that
 our
   database had become corrupted by our replication problems, but now
 I'm
   thinking it might be environmental, though our original IPA servers
   are running F18 and this new instance is F20.
  
   I need some stability here, and CLI is part of that. What might be
   causing the CLI to not work at all when coupled to a TTY device, as
   that seems to be the critical piece? Could this be related to the
   servers being VMs?
  
   BTW, we have this running on F20 on a different network and it works
   just fine. The network on which the failures are occurring isn't
   internet-connected; is there something that's trying to connect
 back to
   redhat?
   no.
  
   What shell do you use ?
   On Mon, 2014-04-28 at 13:43 -0400, Bret Wortman wrote:
   bash.
   Does it make any difference if you redirect stdin before calling the
   command ?
  
   Simo.
  
  No, I found the problem. A power user had written a bash function that
  redefined ipa and dropped it into /etc/profile.d. We're about to have
  a little chat.

 lol!

 glad you found it :)

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Google Apps Directory Sync and Free-IPA

2014-04-28 Thread Chris Whittle
Thanks Simon. I'm not sure it'll work for what I need. I really wish
someone had Google Apps Directory Sync either working or not working so I
can either research more or strike it off my list.


On Mon, Apr 28, 2014 at 11:34 AM, Simon Williams 
simon.willi...@thehelpfulcat.com wrote:

 I do have it working, but I have Atlassian Crowd sitting between FreeIPA
 and the Google Apps log in.
 On 28 Apr 2014 15:44, Simo Sorce s...@redhat.com wrote:

 On Mon, 2014-04-28 at 08:24 -0400, Dmitri Pal wrote:
  On 04/28/2014 08:22 AM, Chris Whittle wrote:
   Ha! that was my thread about SAML vs GADS but there ended up not being
   any info on how to actually use GADS with Free IPA.  It dropped after
   Simo saying he was going to work on getting docs for ipsilon (which
   from the conversation and I can gather is basically SAML) and I asked
   for someone who had experience with GADS so I started a new one for
   simplification.
 
  I do not think we have a better answer for you other than what Martin
  mentioned and SAML IdP Simo is working on.

 note that any other SAML IdP that has support for LDAP may work, for
 example http://picketlink.org/ may work for you if you have experience
 in setting up jboss based applications and know how to make your way in
 configuring such software. (I can't help here really).

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York


[Freeipa-users] RHEL7 rc 64bit

2014-04-28 Thread Steven Jones
Hi,

Would it be expected that a RHEL7rc machine would be connectible to IPA on 
RHEL6.5?

Just tried and it doesn't seem to be.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University ITS,

Level 8 Rankin Brown Building,

Wellington, NZ

6012

0064 4 463 6272
