Re: [Freeipa-users] FreeIPA + Foreman 1.5
On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
> - Original Message -
> From: Jan Cholasta jchol...@redhat.com
> To: Martin Kosek mko...@redhat.com, d...@redhat.com, Stephen Benjamin stben...@redhat.com
> Cc: freeipa-users@redhat.com
> Sent: Friday, April 25, 2014 9:44:37 AM
> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
>
> > AFAIK you can use ldap sudo provider with IPA, see e.g.
> > http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD
>
> I got this working, and it seems to work across recent Fedora releases too. This at least removes the requirement on using the old bind password method. Thanks!

In recent Fedora releases, where the IPA sudo provider is available, the legacy LDAP provider should not be used. There might be problems with enumeration, for instance when combining two different providers.

> Is there a way for sssd to use _srv_ for the krb5_server line?

Yes, it should just work.

> Here's an updated Kickstart snippet:
> https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
>
> If we know what the syntax will be for sudo (or will it be default in 4.0?), then I can include the logic already not to do it manually.

Sorry, I'm not sure I understand the question? With recent enough clients (6.6+, 7.0+, any supported Fedora) you should use sudo_provider=ipa, with older ones you should use sudo_provider=ldap.

___ Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA + Foreman 1.5
- Original Message -
From: Jakub Hrozek jhro...@redhat.com
To: freeipa-users@redhat.com
Sent: Monday, April 28, 2014 10:55:16 AM
Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5

> On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
> > - Original Message -
> > From: Jan Cholasta jchol...@redhat.com
> > To: Martin Kosek mko...@redhat.com, d...@redhat.com, Stephen Benjamin stben...@redhat.com
> > Cc: freeipa-users@redhat.com
> > Sent: Friday, April 25, 2014 9:44:37 AM
> > Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> >
> > > AFAIK you can use ldap sudo provider with IPA, see e.g.
> > > http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD
> >
> > I got this working, and it seems to work across recent Fedora releases too. This at least removes the requirement on using the old bind password method. Thanks!
>
> In recent Fedora releases, where the IPA sudo provider is available, the legacy LDAP provider should not be used. There might be problems with enumeration, for instance when combining two different providers.

Can I have a link then to how this is set up? Do you also need the LDAP URLs, nisdomain, etc? Or is it just one setting and done?

> > Is there a way for sssd to use _srv_ for the krb5_server line?
>
> Yes, it should just work.
>
> > Here's an updated Kickstart snippet:
> > https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
> >
> > If we know what the syntax will be for sudo (or will it be default in 4.0?), then I can include the logic already not to do it manually.
>
> Sorry, I'm not sure I understand the question? With recent enough clients (6.6+, 7.0+, any supported Fedora) you should use sudo_provider=ipa, with older ones you should use sudo_provider=ldap.

It's been mentioned elsewhere in the thread that the ipa-client-install in some future version will do this; if that's the case I shouldn't be doing it in a kickstart snippet. Will it be like automount: ipa-client-automount, or will it be an install flag? Does it exist yet?
Re: [Freeipa-users] FreeIPA + Foreman 1.5
On 04/28/2014 11:23 AM, Stephen Benjamin wrote:
> - Original Message -
> From: Jakub Hrozek jhro...@redhat.com
> To: freeipa-users@redhat.com
> Sent: Monday, April 28, 2014 10:55:16 AM
> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
>
> > On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
> > > - Original Message -
> > > From: Jan Cholasta jchol...@redhat.com
> > > To: Martin Kosek mko...@redhat.com, d...@redhat.com, Stephen Benjamin stben...@redhat.com
> > > Cc: freeipa-users@redhat.com
> > > Sent: Friday, April 25, 2014 9:44:37 AM
> > > Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> > >
> > > > AFAIK you can use ldap sudo provider with IPA, see e.g.
> > > > http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD
> > >
> > > I got this working, and it seems to work across recent Fedora releases too. This at least removes the requirement on using the old bind password method. Thanks!
> >
> > In recent Fedora releases, where the IPA sudo provider is available, the legacy LDAP provider should not be used. There might be problems with enumeration, for instance when combining two different providers.
>
> Can I have a link then to how this is set up? Do you also need the LDAP URLs, nisdomain, etc? Or is it just one setting and done?
>
> > > Is there a way for sssd to use _srv_ for the krb5_server line?
> >
> > Yes, it should just work.
> >
> > > Here's an updated Kickstart snippet:
> > > https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
> > >
> > > If we know what the syntax will be for sudo (or will it be default in 4.0?), then I can include the logic already not to do it manually.
> >
> > Sorry, I'm not sure I understand the question? With recent enough clients (6.6+, 7.0+, any supported Fedora) you should use sudo_provider=ipa, with older ones you should use sudo_provider=ldap.
>
> It's been mentioned elsewhere in the thread that the ipa-client-install in some future version will do this; if that's the case I shouldn't be doing it in a kickstart snippet. Will it be like automount: ipa-client-automount, or will it be an install flag?

It will be the default behaviour, that is, a flag will be available to turn it *off* (--no-sudo).

> Does it exist yet?

Yes, patches are on review and close to being pushed (waiting for the CI coverage); it will be part of the next upstream release.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
[Freeipa-users] Best practices for core servers
We are planning to reconfigure our core Freeipa servers, basically building a replacement infrastructure and migrating to it. What we're planning right now is a core of three Freeipa servers each of which has a CA, with as much distribution of replication as we can manage. I imagine that means one of them replicates to the other two but am open to other ideas.

For remote locations, we're planning to stand up caching-only DNS servers, as authenticating back to the main IPA servers works extremely well; it's just DNS that needs a little help.

Any thoughts before I start setting these servers (VMs, most likely) up?

--
Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret
Re: [Freeipa-users] Best practices for core servers
On 28.4.2014 13:03, Bret Wortman wrote:
> We are planning to reconfigure our core Freeipa servers, basically building a replacement infrastructure and migrating to it. What we're planning right now is a core of three Freeipa servers each of which has a CA, with as much distribution of replication as we can manage. I imagine that means one of them replicates to the other two but am open to other ideas.
>
> For remote locations, we're planning to stand up caching-only DNS servers, as authenticating back to the main IPA servers works extremely well; it's just DNS that needs a little help.

Could you be more specific? I'm very interested in any feedback about IPA DNS!

Thank you!

--
Petr^2 Spacek
[Freeipa-users] Error creating new freeipa-server
I'm trying to stand up a new ipa server on a clean box, and I keep getting this error so _something_ is amiss but I'm not sure what:

:
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
ipa: CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
Configuration of CA failed
#

In the /var/log/ipaserver-install.log, I see this:

:
:
Installing CA into /var/lib/pki/pki-tomcat.
Installation failed.
2014-04-28T11:43:46Z DEBUG stderr=pkispawn : ERROR PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
2014-04-28T11:432:46Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
2014-04-28T11:43:46Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 622, in run_script
    return_value = main_function()
  File /usr/sbin/ipa-server-install, line 1074, in main
    dm_password, subject_base=options.subject)
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 478, in configure_instance
    self.start_creation(runtime=210)
  File /usr/lib/python2.7/site-packages/ipaserver/isntall/service.py, line 364, in start_creation
    method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 604, in __spawn_instance
    raise RUntimeError('Configuration of CA failed')
:
:

So it looks like somehow this has gotten configured already. Possibly Puppet copied over something it shouldn't have. What do I need to remove to make this step work without removing so much that I render something inoperable?

--
Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret
Re: [Freeipa-users] Error creating new freeipa-server
On 04/28/2014 07:52 AM, Bret Wortman wrote:
> I'm trying to stand up a new ipa server on a clean box, and I keep getting this error so _something_ is amiss but I'm not sure what:
>
> :
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>   [1/22]: creating certificate server user
>   [2/22]: configuring certificate server instance
> ipa: CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
> Configuration of CA failed
> #
>
> In the /var/log/ipaserver-install.log, I see this:
>
> :
> :
> Installing CA into /var/lib/pki/pki-tomcat.
> Installation failed.
> 2014-04-28T11:43:46Z DEBUG stderr=pkispawn : ERROR PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
> 2014-04-28T11:432:46Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
> 2014-04-28T11:43:46Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 622, in run_script
>     return_value = main_function()
>   File /usr/sbin/ipa-server-install, line 1074, in main
>     dm_password, subject_base=options.subject)
>   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 478, in configure_instance
>     self.start_creation(runtime=210)
>   File /usr/lib/python2.7/site-packages/ipaserver/isntall/service.py, line 364, in start_creation
>     method()
>   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 604, in __spawn_instance
>     raise RUntimeError('Configuration of CA failed')
> :
> :
>
> So it looks like somehow this has gotten configured already. Possibly Puppet copied over something it shouldn't have. What do I need to remove to make this step work without removing so much that I render something inoperable?

Run uninstall several times. Each time uninstall might clean the next portion and untangle things, so trying to do it several times pays off. Then check if there is a DS instance for PKI. If there is, remove it and try again.

> --
> Bret Wortman
> http://damascusgrp.com/
> http://about.me/wortmanbret

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Error creating new freeipa-server
Not to be thick, but what's the best way to check the DS instance for a pki entry?

On 04/28/2014 07:57 AM, Dmitri Pal wrote:
> On 04/28/2014 07:52 AM, Bret Wortman wrote:
> > I'm trying to stand up a new ipa server on a clean box, and I keep getting this error so _something_ is amiss but I'm not sure what:
> >
> > :
> > Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
> >   [1/22]: creating certificate server user
> >   [2/22]: configuring certificate server instance
> > ipa: CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
> > Configuration of CA failed
> > #
> >
> > In the /var/log/ipaserver-install.log, I see this:
> >
> > :
> > :
> > Installing CA into /var/lib/pki/pki-tomcat.
> > Installation failed.
> > 2014-04-28T11:43:46Z DEBUG stderr=pkispawn : ERROR PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
> > 2014-04-28T11:432:46Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
> > 2014-04-28T11:43:46Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 622, in run_script
> >     return_value = main_function()
> >   File /usr/sbin/ipa-server-install, line 1074, in main
> >     dm_password, subject_base=options.subject)
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 478, in configure_instance
> >     self.start_creation(runtime=210)
> >   File /usr/lib/python2.7/site-packages/ipaserver/isntall/service.py, line 364, in start_creation
> >     method()
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 604, in __spawn_instance
> >     raise RUntimeError('Configuration of CA failed')
> > :
> > :
> >
> > So it looks like somehow this has gotten configured already. Possibly Puppet copied over something it shouldn't have. What do I need to remove to make this step work without removing so much that I render something inoperable?
>
> Run uninstall several times. Each time uninstall might clean the next portion and untangle things, so trying to do it several times pays off. Then check if there is a DS instance for PKI. If there is, remove it and try again.
>
> > --
> > Bret Wortman
> > http://damascusgrp.com/
> > http://about.me/wortmanbret
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
[Freeipa-users] Google Apps Directory Sync and Free-IPA
I've seen a lot of people have issues with making GADS work with FreeIPA. Does anyone have it working and care to share how?
Re: [Freeipa-users] Google Apps Directory Sync and Free-IPA
On 04/28/2014 08:11 AM, Chris Whittle wrote:
> I've seen a lot of people have issues with making GADS work with FreeIPA. Does anyone have it working and care to share how?

There was a thread last week. It had some hints. Also it ended up with Simo needing to put documentation about Ipsilon IdP so that we can show how to federate FreeIPA and Google, but this is not done yet.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Error creating new freeipa-server
On 04/28/2014 08:06 AM, Bret Wortman wrote:
> Not to be thick, but what's the best way to check the DS instance for a pki entry?

I do not remember the exact path and I do not have an instance handy. Something like /var/lib/dirsrv/PKI; I do not want to mislead you.

> On 04/28/2014 07:57 AM, Dmitri Pal wrote:
> > On 04/28/2014 07:52 AM, Bret Wortman wrote:
> > > I'm trying to stand up a new ipa server on a clean box, and I keep getting this error so _something_ is amiss but I'm not sure what:
> > >
> > > :
> > > Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
> > >   [1/22]: creating certificate server user
> > >   [2/22]: configuring certificate server instance
> > > ipa: CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
> > > Configuration of CA failed
> > > #
> > >
> > > In the /var/log/ipaserver-install.log, I see this:
> > >
> > > :
> > > :
> > > Installing CA into /var/lib/pki/pki-tomcat.
> > > Installation failed.
> > > 2014-04-28T11:43:46Z DEBUG stderr=pkispawn : ERROR PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
> > > 2014-04-28T11:432:46Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
> > > 2014-04-28T11:43:46Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 622, in run_script
> > >     return_value = main_function()
> > >   File /usr/sbin/ipa-server-install, line 1074, in main
> > >     dm_password, subject_base=options.subject)
> > >   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 478, in configure_instance
> > >     self.start_creation(runtime=210)
> > >   File /usr/lib/python2.7/site-packages/ipaserver/isntall/service.py, line 364, in start_creation
> > >     method()
> > >   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 604, in __spawn_instance
> > >     raise RUntimeError('Configuration of CA failed')
> > > :
> > > :
> > >
> > > So it looks like somehow this has gotten configured already. Possibly Puppet copied over something it shouldn't have. What do I need to remove to make this step work without removing so much that I render something inoperable?
> >
> > Run uninstall several times. Each time uninstall might clean the next portion and untangle things, so trying to do it several times pays off. Then check if there is a DS instance for PKI. If there is, remove it and try again.
> >
> > > --
> > > Bret Wortman
> > > http://damascusgrp.com/
> > > http://about.me/wortmanbret
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IdM portfolio
> > Red Hat, Inc.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Google Apps Directory Sync and Free-IPA
Ha! That was my thread about SAML vs GADS but there ended up not being any info on how to actually use GADS with Free IPA. It dropped after Simo saying he was going to work on getting docs for ipsilon (which from the conversation and I can gather is basically SAML) and I asked for someone who had experience with GADS so I started a new one for simplification.

On Mon, Apr 28, 2014 at 7:17 AM, Dmitri Pal d...@redhat.com wrote:
> On 04/28/2014 08:11 AM, Chris Whittle wrote:
> > I've seen a lot of people have issues with making GADS work with FreeIPA. Does anyone have it working and care to share how?
>
> There was a thread last week. It had some hints. Also it ended up with Simo needing to put documentation about Ipsilon IdP so that we can show how to federate FreeIPA and Google, but this is not done yet.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] Google Apps Directory Sync and Free-IPA
On 04/28/2014 08:22 AM, Chris Whittle wrote:
> Ha! That was my thread about SAML vs GADS but there ended up not being any info on how to actually use GADS with Free IPA. It dropped after Simo saying he was going to work on getting docs for ipsilon (which from the conversation and I can gather is basically SAML) and I asked for someone who had experience with GADS so I started a new one for simplification.

I do not think we have a better answer for you other than what Martin mentioned and the SAML IdP Simo is working on.

> On Mon, Apr 28, 2014 at 7:17 AM, Dmitri Pal d...@redhat.com wrote:
> > On 04/28/2014 08:11 AM, Chris Whittle wrote:
> > > I've seen a lot of people have issues with making GADS work with FreeIPA. Does anyone have it working and care to share how?
> >
> > There was a thread last week. It had some hints. Also it ended up with Simo needing to put documentation about Ipsilon IdP so that we can show how to federate FreeIPA and Google, but this is not done yet.
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IdM portfolio
> > Red Hat, Inc.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Error creating new freeipa-server
On 04/28/2014 01:52 PM, Bret Wortman wrote:
> I'm trying to stand up a new ipa server on a clean box, and I keep getting this error so _something_ is amiss but I'm not sure what:
>
> :
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>   [1/22]: creating certificate server user
>   [2/22]: configuring certificate server instance
> ipa: CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
> Configuration of CA failed
> #
>
> In the /var/log/ipaserver-install.log, I see this:
>
> :
> :
> Installing CA into /var/lib/pki/pki-tomcat.
> Installation failed.
> 2014-04-28T11:43:46Z DEBUG stderr=pkispawn : ERROR PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
> 2014-04-28T11:432:46Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
> 2014-04-28T11:43:46Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 622, in run_script
>     return_value = main_function()
>   File /usr/sbin/ipa-server-install, line 1074, in main
>     dm_password, subject_base=options.subject)
>   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 478, in configure_instance
>     self.start_creation(runtime=210)
>   File /usr/lib/python2.7/site-packages/ipaserver/isntall/service.py, line 364, in start_creation
>     method()
>   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 604, in __spawn_instance
>     raise RUntimeError('Configuration of CA failed')
> :
> :
>
> So it looks like somehow this has gotten configured already. Possibly Puppet copied over something it shouldn't have. What do I need to remove to make this step work without removing so much that I render something inoperable?

According to the error you're getting, there is a CA instance already installed. After uninstalling IPA, destroy it with:

pkidestroy -s CA -i pki-tomcat

--
Petr³
Re: [Freeipa-users] Error creating new freeipa-server
Great. I'll try that next.

Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman

On Apr 28, 2014, at 8:33 AM, Petr Viktorin pvikt...@redhat.com wrote:
> On 04/28/2014 01:52 PM, Bret Wortman wrote:
> > I'm trying to stand up a new ipa server on a clean box, and I keep getting this error so _something_ is amiss but I'm not sure what:
> >
> > :
> > Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
> >   [1/22]: creating certificate server user
> >   [2/22]: configuring certificate server instance
> > ipa: CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
> > Configuration of CA failed
> > #
> >
> > In the /var/log/ipaserver-install.log, I see this:
> >
> > :
> > :
> > Installing CA into /var/lib/pki/pki-tomcat.
> > Installation failed.
> > 2014-04-28T11:43:46Z DEBUG stderr=pkispawn : ERROR PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
> > 2014-04-28T11:432:46Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
> > 2014-04-28T11:43:46Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 622, in run_script
> >     return_value = main_function()
> >   File /usr/sbin/ipa-server-install, line 1074, in main
> >     dm_password, subject_base=options.subject)
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 478, in configure_instance
> >     self.start_creation(runtime=210)
> >   File /usr/lib/python2.7/site-packages/ipaserver/isntall/service.py, line 364, in start_creation
> >     method()
> >   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 604, in __spawn_instance
> >     raise RUntimeError('Configuration of CA failed')
> > :
> > :
> >
> > So it looks like somehow this has gotten configured already. Possibly Puppet copied over something it shouldn't have. What do I need to remove to make this step work without removing so much that I render something inoperable?
>
> According to the error you're getting, there is a CA instance already installed. After uninstalling IPA, destroy it with:
>
> pkidestroy -s CA -i pki-tomcat
>
> --
> Petr³
Re: [Freeipa-users] Error creating new freeipa-server
I thought that might be it and didn't see anything but will look again.

Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman

On Apr 28, 2014, at 8:20 AM, Dmitri Pal d...@redhat.com wrote:
> On 04/28/2014 08:06 AM, Bret Wortman wrote:
> > Not to be thick, but what's the best way to check the DS instance for a pki entry?
>
> I do not remember the exact path and I do not have an instance handy. Something like /var/lib/dirsrv/PKI; I do not want to mislead you.
>
> > On 04/28/2014 07:57 AM, Dmitri Pal wrote:
> > > On 04/28/2014 07:52 AM, Bret Wortman wrote:
> > > > I'm trying to stand up a new ipa server on a clean box, and I keep getting this error so _something_ is amiss but I'm not sure what:
> > > >
> > > > :
> > > > Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
> > > >   [1/22]: creating certificate server user
> > > >   [2/22]: configuring certificate server instance
> > > > ipa: CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
> > > > Configuration of CA failed
> > > > #
> > > >
> > > > In the /var/log/ipaserver-install.log, I see this:
> > > >
> > > > :
> > > > :
> > > > Installing CA into /var/lib/pki/pki-tomcat.
> > > > Installation failed.
> > > > 2014-04-28T11:43:46Z DEBUG stderr=pkispawn : ERROR PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
> > > > 2014-04-28T11:432:46Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpX8RW20' returned non-zero exit status 1
> > > > 2014-04-28T11:43:46Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 622, in run_script
> > > >     return_value = main_function()
> > > >   File /usr/sbin/ipa-server-install, line 1074, in main
> > > >     dm_password, subject_base=options.subject)
> > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 478, in configure_instance
> > > >     self.start_creation(runtime=210)
> > > >   File /usr/lib/python2.7/site-packages/ipaserver/isntall/service.py, line 364, in start_creation
> > > >     method()
> > > >   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 604, in __spawn_instance
> > > >     raise RUntimeError('Configuration of CA failed')
> > > > :
> > > > :
> > > >
> > > > So it looks like somehow this has gotten configured already. Possibly Puppet copied over something it shouldn't have. What do I need to remove to make this step work without removing so much that I render something inoperable?
> > >
> > > Run uninstall several times. Each time uninstall might clean the next portion and untangle things, so trying to do it several times pays off. Then check if there is a DS instance for PKI. If there is, remove it and try again.
> > >
> > > > --
> > > > Bret Wortman
> > > > http://damascusgrp.com/
> > > > http://about.me/wortmanbret
> > >
> > > --
> > > Thank you,
> > > Dmitri Pal
> > >
> > > Sr. Engineering Manager IdM portfolio
> > > Red Hat, Inc.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] FreeIPA + Foreman 1.5
On Mon, Apr 28, 2014 at 05:23:18AM -0400, Stephen Benjamin wrote:
> - Original Message -
> From: Jakub Hrozek jhro...@redhat.com
> To: freeipa-users@redhat.com
> Sent: Monday, April 28, 2014 10:55:16 AM
> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
>
> > On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
> > > - Original Message -
> > > From: Jan Cholasta jchol...@redhat.com
> > > To: Martin Kosek mko...@redhat.com, d...@redhat.com, Stephen Benjamin stben...@redhat.com
> > > Cc: freeipa-users@redhat.com
> > > Sent: Friday, April 25, 2014 9:44:37 AM
> > > Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> > >
> > > > AFAIK you can use ldap sudo provider with IPA, see e.g.
> > > > http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD
> > >
> > > I got this working, and it seems to work across recent Fedora releases too. This at least removes the requirement on using the old bind password method. Thanks!
> >
> > In recent Fedora releases, where the IPA sudo provider is available, the legacy LDAP provider should not be used. There might be problems with enumeration, for instance when combining two different providers.
>
> Can I have a link then to how this is set up? Do you also need the LDAP URLs, nisdomain, etc?

man sssd-ipa should have a nice example of setting up the sssd.conf for sudo_provider=ldap.

> Or is it just one setting and done?

With sudo_provider=ipa, it's just that one line. You still need to configure the nisdomain etc.

> > > Is there a way for sssd to use _srv_ for the krb5_server line?
> >
> > Yes, it should just work.
> >
> > > Here's an updated Kickstart snippet:
> > > https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
> > >
> > > If we know what the syntax will be for sudo (or will it be default in 4.0?), then I can include the logic already not to do it manually.
> >
> > Sorry, I'm not sure I understand the question? With recent enough clients (6.6+, 7.0+, any supported Fedora) you should use sudo_provider=ipa, with older ones you should use sudo_provider=ldap.
>
> It's been mentioned elsewhere in the thread that the ipa-client-install in some future version will do this; if that's the case I shouldn't be doing it in a kickstart snippet. Will it be like automount: ipa-client-automount, or will it be an install flag? Does it exist yet?

Looks like this feature is not implemented completely yet:
https://fedorahosted.org/freeipa/ticket/3358
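As an added example (not the Kickstart snippet from the thread, nor FreeIPA or SSSD project code), here is the version rule Jakub gives above turned into a small Python helper that picks sudo_provider for a client and renders the sssd.conf domain lines a provisioning template would emit. The example domain, realm and client name are constructed, and the option names used for the ldap provider are an assumption taken from the sssd-ldap(5)/sssd-ipa(5) man pages as I understand them; `_srv_` for ipa_server/krb5_server is what the thread confirms works.

```python
"""Choose sudo_provider for an IPA-enrolled client and render the sssd.conf
[domain/...] lines.  Rule from the thread: sudo_provider=ipa on RHEL/CentOS
6.6+ and 7.0+ and on any supported Fedora; sudo_provider=ldap on older
clients.  Added example, not code from the thread or from FreeIPA/SSSD."""
import re

# Constructed sample values (assumptions, not from the thread).
EXAMPLE_DOMAIN = "example.test"
EXAMPLE_REALM = "EXAMPLE.TEST"
EXAMPLE_CLIENT = "client.example.test"


def parse_version(text):
    """Extract (major, minor) from '6.5', '7', or 'release 6.5 (Santiago)'."""
    m = re.search(r"(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return int(m.group(1)), int(m.group(2) or 0)


def choose_sudo_provider(distro, version):
    """Return 'ipa' or 'ldap' following the thread's client-version rule."""
    d = distro.lower()
    if d == "fedora":
        return "ipa"                      # any supported Fedora has the IPA provider
    if d in ("rhel", "redhat", "centos", "scientific"):
        # 6.6+ and 7.0+ both satisfy >= (6, 6); 6.5 and older do not.
        return "ipa" if parse_version(version) >= (6, 6) else "ldap"
    return "ldap"                         # unknown platform: older, wider-supported provider


def sssd_domain_section(domain, realm, client_fqdn, provider):
    """Render the [domain/...] lines needed for sudo with IPA.

    With provider 'ipa' only the sudo_provider line is added (as Jakub says
    in the thread); with 'ldap' the extra LDAP/SASL settings are needed.
    The ldap_* option names are an assumption from sssd-ldap(5); check them
    against the man page for the sssd version you ship."""
    base_dn = ",".join("dc=" + part for part in domain.split("."))
    lines = [
        "[domain/%s]" % domain,
        "id_provider = ipa",
        "auth_provider = ipa",
        "ipa_domain = %s" % domain,
        "ipa_hostname = %s" % client_fqdn,
        "ipa_server = _srv_",             # DNS SRV discovery
        "krb5_server = _srv_",            # the thread confirms _srv_ works here
        "sudo_provider = %s" % provider,
    ]
    if provider == "ldap":
        lines += [
            "ldap_uri = _srv_",
            "ldap_sudo_search_base = ou=sudoers,%s" % base_dn,
            "ldap_sasl_mech = GSSAPI",   # host keytab instead of a bind password
            "ldap_sasl_authid = host/%s@%s" % (client_fqdn, realm),
            "ldap_sasl_realm = %s" % realm,
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for distro, version in (("rhel", "6.5"), ("centos", "6.6"), ("fedora", "20")):
        prov = choose_sudo_provider(distro, version)
        print("# %s %s -> sudo_provider=%s" % (distro, version, prov))
        print(sssd_domain_section(EXAMPLE_DOMAIN, EXAMPLE_REALM, EXAMPLE_CLIENT, prov))
```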
Re: [Freeipa-users] Hardening freeipa on the internet
On 25.4.2014 11:00, Petr Spacek wrote:
> On 25.4.2014 10:11, Martin Kosek wrote:
> > On 04/25/2014 09:50 AM, Andrew Holway wrote:
> > > Hello,
> > >
> > > I am having a think about running freeipa on the open seas for more distributed organisations and would like to understand where the weaknesses might be. I would almost certainly only make the ui unavailable however I am unsure about the other services.
> > >
> > > Would this be workable?
> > >
> > > Thanks,
> > >
> > > Andrew
> >
> > That's actually a very good question. I am currently working on a public FreeIPA demo on Red Hat OpenStack platform which I will make available in upcoming weeks and have few pointers for you:
> >
> > 1) If you have DNS configured, make sure that your FreeIPA DNS does not pose as open DNS resolver to avoid DNS amplification attacks. Following extension to named.conf options should be a good start:
> >
> > allow-transfer {none;};
>
> This configuration applies only to zones defined in named.conf and not to FreeIPA zones defined in LDAP. Make sure that allow-transfer is configured for FreeIPA zones:
>
> $ ipa dnszone-mod --allow-transfer='none;' example.
>
> > allow-recursion {none;};
> > recursion no;
> > version "[Secured]";
> > rate-limit {
> >     responses-per-second 15;
>
> You may need to modify this value to fit your needs.
>
> Further reading about DNS amplification attacks:
> http://www.us-cert.gov/ncas/alerts/TA13-088A
>
> Further reading about Response Rate Limiting:
> http://bkraft.fr/blog/bind_RRL_feature/
> https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html
> https://kb.isc.org/article/AA-00994/0
>
> > };
> >
> > 2) Prevention for NTP amplification attack
> > More info here:
> > https://support.steadfast.net/Knowledgebase/Article/View/106/0/preventing-ntp-amplification-attacks
>
> Further reading about NTP amplification attacks:
> http://www.us-cert.gov/ncas/alerts/TA14-013A
>
> > Does anybody know about other precautions that should be made besides standard hardening (SELinux, firewall, log audits)?
>
> I wonder if Kerberos over UDP could have the same problem...

Maybe only if you have some principals with disabled pre-authentication. I don't know. Kerberos is not listed on http://www.us-cert.gov/ncas/alerts/TA14-017A ...

I realized that you probably want to disable anonymous access to LDAP. It will prevent random strangers from enumerating all users in your database...

-- 
Petr^2 Spacek
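A way to confirm from outside that the two DNS exposures Martin lists are actually closed, as an added example that is not code from this thread or from FreeIPA: it runs dig against the server and parses the answer for the `ra` (recursion available) flag, which BIND sets only for clients it would recurse for, and for zone records in an AXFR response, which a refused transfer never contains. The two parsers take the dig output as a string so they can be exercised on captured text without a network. ipa.example.com, example.com and the probe name example.net are placeholders; dig comes from bind-utils.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA code): probe a FreeIPA DNS
# server from an outside vantage point for open recursion and open zone
# transfer. Needs dig (bind-utils) for the live probe; the two parsers are
# pure string functions so they can be tested on captured dig output.
# ipa.example.com / example.com / example.net are placeholders.

# 0 if the ";; flags: ..." header line of a dig answer carries the flag in $2.
# "ra" set means the server offers recursion to this client, i.e. it would
# act as an amplifier for queries with a spoofed source address.
header_has_flag() {
    printf '%s\n' "$1" |
        sed -n 's/^;; flags: \([^;]*\);.*/\1/p' |
        tr ' ' '\n' |
        grep -qx "$2"
}

# 0 if dig AXFR output actually contains zone records. BIND answers a
# refused transfer with "; Transfer failed." and no SOA record.
axfr_succeeded() {
    printf '%s\n' "$1" | grep -q '[[:space:]]IN[[:space:]]SOA[[:space:]]'
}

# Live probe: $1 = server to test, $2 = a zone it is authoritative for.
# The recursion test asks for a name the server does not host.
probe_dns() {
    server=$1
    zone=$2
    flags=$(dig @"$server" +tries=1 +time=3 example.net A | grep '^;; flags:')
    if header_has_flag "$flags" ra; then
        echo "OPEN RESOLVER: $server advertises recursion (ra) to outside clients"
        echo "fix: recursion no; allow-recursion {none;}; in named.conf options"
    else
        echo "ok: $server does not offer recursion"
    fi
    if axfr_succeeded "$(dig @"$server" +tries=1 +time=3 "$zone" AXFR)"; then
        echo "OPEN AXFR: anyone can transfer $zone from $server"
        echo "fix: ipa dnszone-mod --allow-transfer='none;' $zone."
    else
        echo "ok: transfer of $zone refused"
    fi
}

if [ $# -ge 2 ]; then
    probe_dns "$1" "$2"
fi
```

Run it from a host outside the firewall (`sh probe.sh ipa.example.com example.com`); a result from inside the network only tells you what your own clients see, and the allow-recursion ACL may legitimately include them.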
Re: [Freeipa-users] Error creating new freeipa-server
Bret Wortman wrote:
> On 04/28/2014 10:21 AM, Bret Wortman wrote:
> > On 04/28/2014 08:33 AM, Petr Viktorin wrote:
> > > According to the error you're getting, there is a CA instance already installed. After uninstalling IPA, destroy it with:
> > > pkidestroy -s CA -i pki-tomcat
> >
> > I tried this, but no joy.
> >
> > # pkidestroy -s CA -i pki-tomcat
> > Loading deployment configuration from /var/lib/pki/pki-tomcat/ca/registry/ca/deployment.cfg.
> > Uninstalling CA from /var/lib/pki/pki-tomcat.
> > pkidestroy  : WARNING  ... this 'CA' entry will NOT be deleted from security domain 'unknown'!
> > pkidestroy  : ERROR    ... No security domain defined.
> >               If this is an unconfigured instance, then that is OK.
> >               Otherwise, manually delete the entry from the security domain master.
> > Uninstallation complete.
> > #
> >
> > And then when I tried to run ipa-server-install, I got the same error again. I may just wipe the box and start over. It might take less time overall.
> >
> > Bret
>
> This, BTW, is on F20 using freeipa 3.3.4-3 and pki-ca 10.1.1-1 (also dogtag-10.1.1-1).

From the ipa-server installation output the error looks the same, but the underlying error should be different when there isn't already a PKI instance. If the PKI installer fails early enough we don't record that it was installed which is why ipa-server-install --uninstall doesn't remove it. We have a ticket open for this.

rob
Re: [Freeipa-users] Error creating new freeipa-server
On 04/28/2014 10:48 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
> > [...]
> > This, BTW, is on F20 using freeipa 3.3.4-3 and pki-ca 10.1.1-1 (also dogtag-10.1.1-1).
>
> From the ipa-server installation output the error looks the same, but the underlying error should be different when there isn't already a PKI instance. If the PKI installer fails early enough we don't record that it was installed which is why ipa-server-install --uninstall doesn't remove it. We have a ticket open for this.
>
> rob

So is there a recommended way to clean it up and get it working?
Re: [Freeipa-users] Hardening freeipa on the internet
> I realized that you probably want to disable anonymous access to LDAP. It will prevent random strangers from enumerating all users in your database...

This sounds like a bug no? anonymous access to LDAP?
Re: [Freeipa-users] Hardening freeipa on the internet
On Mon, 2014-04-28 at 16:11 +0100, Andrew Holway wrote:
> > I realized that you probably want to disable anonymous access to LDAP. It will prevent random strangers from enumerating all users in your database...
>
> This sounds like a bug no? anonymous access to LDAP?

Historically many Linux and Unix OSs did not authenticate to LDAP to download POSIX info, so we allow by default to access a lot of the tree anonymously.

We are in the process of changing how the permissions work in 4.0, and will contextually close down a lot more of the tree letting the admin more easily configure access.

So, no it is not technically a bug, but it is something you want to look out for as an admin.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
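What Simo describes, a large part of the tree readable without a bind, is easy to verify from any host that can reach port 389, and worth scripting because it is the first thing a stranger on the Internet will try. The following is an added example, not from this thread and not FreeIPA's own tooling: it runs an anonymous ldapsearch (simple auth, no bind DN) against the users container and counts the entries that come back. The server name ipa.example.com, the base DN dc=example,dc=com and the fix it prints (the 389 Directory Server attribute nsslapd-allow-anonymous-access on cn=config, set to rootdse so the root DSE stays readable for client discovery) are my assumptions, not something this thread states; check the effect on ipa-client-install and on any legacy LDAP-only clients before applying it to a production server.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA tooling): check whether an
# IPA directory server lets an unauthenticated client enumerate users, and
# print the 389-ds change that closes it. Needs ldapsearch (openldap-clients)
# for the live check; the entry counter is a pure function testable on
# captured LDIF. ipa.example.com and dc=example,dc=com are placeholders.

# Count entries in LDIF on stdin: every entry starts with a "dn:" line.
# Continuation lines (leading space) and comments never match the anchor.
count_ldif_entries() {
    grep -c '^dn:' || true     # grep -c exits 1 on zero matches; keep the "0"
}

# Return 0 if an anonymous search of the users container returns entries.
# Anonymous bind = -x with no -D; asking only for uid keeps the output small
# even on a large directory.
anon_user_enum() {
    server=$1       # e.g. ipa.example.com
    basedn=$2       # e.g. dc=example,dc=com
    n=$(ldapsearch -x -LLL -H "ldap://$server" \
            -b "cn=users,cn=accounts,$basedn" '(uid=*)' uid 2>/dev/null |
        count_ldif_entries)
    echo "$n user entries readable anonymously from $server"
    [ "$n" -gt 0 ]
}

# LDIF that restricts anonymous access to the root DSE only (assumed 389-ds
# attribute; verify against your directory server version first). Apply as
# Directory Manager, e.g.:
#   ldif_disable_anon | ldapmodify -x -H ldaps://ipa.example.com \
#       -D 'cn=Directory Manager' -W
ldif_disable_anon() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
EOF
}

if [ $# -ge 2 ]; then
    if anon_user_enum "$1" "$2"; then
        echo "exposed: apply the following with ldapmodify as Directory Manager"
        ldif_disable_anon
    fi
fi
```

Run the check again after the change, and also with a Kerberos ticket (`-Y GSSAPI` instead of `-x`): enrolled clients and users must still see the entries, only the anonymous path should now return nothing.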
Re: [Freeipa-users] Error creating new freeipa-server
Bret Wortman wrote:
> On 04/28/2014 10:48 AM, Rob Crittenden wrote:
> > [...]
> > From the ipa-server installation output the error looks the same, but the underlying error should be different when there isn't already a PKI instance. If the PKI installer fails early enough we don't record that it was installed which is why ipa-server-install --uninstall doesn't remove it. We have a ticket open for this.
> >
> > rob
>
> So is there a recommended way to clean it up and get it working?

Re-run pkidestroy, then if the subsequent IPA install fails closely examine the logs to determine the reason. The problem in cases like this is that the first install fails and subsequent installs mask the original failure with this PKI re-install failure.

rob
Re: [Freeipa-users] Error creating new freeipa-server
On 04/28/2014 11:08 AM, Bret Wortman wrote:
> On 04/28/2014 10:48 AM, Rob Crittenden wrote:
> > [...]
> > If the PKI installer fails early enough we don't record that it was installed which is why ipa-server-install --uninstall doesn't remove it. We have a ticket open for this.
> >
> > rob
>
> So is there a recommended way to clean it up and get it working?

Never mind; I found the bug (953488) which said to:

# pkidestroy -s CA -i pki-tomcat
ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!
# rm -rf /var/log/pki/pki-tomcat
# rm -rf /etc/sysconfig/pki-tomcat
# rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
# rm -rf /var/lib/pki/pki-tomcat
# rm -rf /etc/pki/pki-tomcat
# ipa-server-install --uninstall

And re-run installation. This didn't work for me. Was there another bug that I missed?
Re: [Freeipa-users] Error creating new freeipa-server
On 04/28/2014 11:17 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
> > So is there a recommended way to clean it up and get it working?
>
> Re-run pkidestroy, then if the subsequent IPA install fails closely examine the logs to determine the reason. The problem in cases like this is that the first install fails and subsequent installs mask the original failure with this PKI re-install failure.
>
> rob

Okay, here's the log from when it starts configuring PKI:

2014-04-28T15:23:45Z DEBUG   [2/22]: configuring certificate server instance
2014-04-28T15:23:45Z DEBUG Contents of pkispawn configuration file (/tmp/tmpdCm6rt):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password =
pki_client_database_dir = /tmp/tmp-rVoTR2
pki_client_database_password =
pki_client_database_purge = False
pki_client_pkcs12_password =
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password =
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=FOO.NET
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password =
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject_dn = cn=CA Subsystem,O=FOO.NET
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=FOO.NET
pki_ssl_server_subject_dn = cn=zsipa.foo.net,O=FOO.NET
pki_audit_signing_subject_dn = cn=CA Audit,O=FOO.NET
pki_ca_signing_subject_dn = cn=Certificate Authority,O=FOO.NET
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca

2014-04-28T15:23:45Z DEBUG Starting external process
2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt
2014-04-28T15:23:45Z DEBUG Process finished, return code=1
2014-04-28T15:23:45Z DEBUG stdout=Loading deployment configuration from /tmp/tmpdCm6rt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg

Installation failed.

2014-04-28T15:24:46Z DEBUG stderr=pkispawn    : ERROR    ... server failed to restart
2014-04-28T15:24:46Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt' returned non-zero exit status 1
2014-04-28T15:24:46Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-server-install", line 1074, in main
    dm_password, subject_base=options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 604, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')

2014-04-28T15:24:46Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed

And that's the end of the log. Nothing here looks terribly informative to me, and this is what the log looks like every time I look at it.
Re: [Freeipa-users] Error creating new freeipa-server
Bret Wortman wrote:
> On 04/28/2014 11:17 AM, Rob Crittenden wrote:
> > Bret Wortman wrote:
> > > So is there a recommended way to clean it up and get it working?
> >
> > Re-run pkidestroy, then if the subsequent IPA install fails closely examine the logs to determine the reason. The problem in cases like this is that the first install fails and subsequent installs mask the original failure with this PKI re-install failure.
> >
> > rob
>
> Okay, here's the log from when it starts configuring PKI:
>
> [...]
>
> 2014-04-28T15:24:46Z DEBUG stderr=pkispawn    : ERROR    ... server failed to restart
> 2014-04-28T15:24:46Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt' returned non-zero exit status 1
>
> [...]
>
> 2014-04-28T15:24:46Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>
> And that's the end of the log. Nothing here looks terribly informative to me, and this is what the log looks like every time I look at it.

The error is different whether there is an existing PKI instance or not.

The next set of logs to look at are in /var/log/pki. It says there is a startup failure so I'd start with /var/log/pki/pki-tomcat/catalina.out . Also interesting may be the pki-ca-spawn and debug logs found within that directory structure.

I'd also look for SELinux errors with ausearch -m AVC -ts recent

rob
Re: [Freeipa-users] Error creating new freeipa-server
On 04/28/2014 11:52 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
> > [...]
> > Okay, here's the log from when it starts configuring PKI:
> > [...]
> > 2014-04-28T15:24:46Z DEBUG stderr=pkispawn    : ERROR    ... server failed to restart
> > [...]
> > And that's the end of the log. Nothing here looks terribly informative to me, and this is what the log looks like every time I look at it.
>
> The error is different whether there is an existing PKI instance or not.
>
> The next set of logs to look at are in /var/log/pki. It says there is a startup failure so I'd start with */var/log/pki/pki-tomcat/catalina.out* . Also interesting may be the pki-ca-spawn and debug logs found within that directory structure.
>
> I'd also look for SELinux errors with ausearch -m AVC -ts recent

This did the trick. Something was hanging out on port 8443, though neither lsof nor netstat would show me what it was. I rebooted the server and then it proceeded past this without a hiccup.

Thanks, Rob and everyone else for helping me navigate the logs!

Bret
Re: [Freeipa-users] Google Apps Directory Sync and Free-IPA
I do have it working, but I have Atlassian Crowd sitting between FreeIPA and the Google Apps log in.

On 28 Apr 2014 15:44, Simo Sorce s...@redhat.com wrote:
> On Mon, 2014-04-28 at 08:24 -0400, Dmitri Pal wrote:
> > On 04/28/2014 08:22 AM, Chris Whittle wrote:
> > > Ha! that was my thread about SAML vs GADS but there ended up not being any info on how to actually use GADS with Free IPA. It dropped after Simo saying he was going to work on getting docs for ipsilon (which from the conversation and I can gather is basically SAML) and I asked for someone who had experience with GADS so I started a new one for simplification.
> >
> > I do not think we have a better answer for you other than what Martin mentioned and SAML IdP Simo is working on.
>
> note that any other SAML IdP that has support for LDAP may work, for example http://picketlink.org/ may work for you if you have experience in setting up jboss based applications and know how to make your way in configuring such software. (I can't help here really).
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] Can't use ipa commands on brand new ipa server instance
I just got a new ipa server instantiated and haven't actually installed any users or hosts on it yet. No replicas. No migrated data. Yet when I run any ipa commands from the command line, it behaves exactly as our older, troubled servers do and exits the login session immediately, whether I'm connected at the console or via ssh.

Further, when I run strace to try to capture what might be going on, the behavior stops. Script also prevents commands from exiting, but this is really disconcerting.

I was chalking this up to the fact that our database had become corrupted by our replication problems, but now I'm thinking it might be environmental, though our original IPA servers are running F18 and this new instance is F20.

I need some stability here, and CLI is part of that. What might be causing the CLI to not work at all when coupled to a TTY device, as that seems to be the critical piece? Could this be related to the servers being VMs?

-- 
Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret
Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance
On 04/28/2014 01:19 PM, Bret Wortman wrote:
> [...]
> I need some stability here, and CLI is part of that. What might be causing the CLI to not work at all when coupled to a TTY device, as that seems to be the critical piece? Could this be related to the servers being VMs?

BTW, we have this running on F20 on a different network and it works just fine. The network on which the failures are occurring isn't internet-connected; is there something that's trying to connect back to redhat?
Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance
On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:
> On 04/28/2014 01:19 PM, Bret Wortman wrote:
> > [...]
> > Could this be related to the servers being VMs?
>
> BTW, we have this running on F20 on a different network and it works just fine. The network on which the failures are occurring isn't internet-connected; is there something that's trying to connect back to redhat?

no.

What shell do you use ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance
bash.

On 04/28/2014 01:32 PM, Simo Sorce wrote:
> On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:
> > [...]
> > is there something that's trying to connect back to redhat?
>
> no.
>
> What shell do you use ?
>
> Simo.
Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance
On 04/28/2014 01:25 PM, Bret Wortman wrote:
> On 04/28/2014 01:19 PM, Bret Wortman wrote:
> > [...]
> > Could this be related to the servers being VMs?
>
> BTW, we have this running on F20 on a different network and it works just fine. The network on which the failures are occurring isn't internet-connected; is there something that's trying to connect back to redhat?

No but I wonder what your DNS setup is? If it is a different subnet can it be that it sees some other Kerberos and/or LDAP server (AD for example) and gets confused?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance
On 04/28/2014 01:32 PM, Simo Sorce wrote:
> On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:
> > [...]
> > is there something that's trying to connect back to redhat?
>
> no.
>
> What shell do you use ?

On Mon, 2014-04-28 at 13:43 -0400, Bret Wortman wrote:
> bash.

Does it make any difference if you redirect stdin before calling the command ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance
On 04/28/2014 01:53 PM, Simo Sorce wrote:
> On 04/28/2014 01:32 PM, Simo Sorce wrote:
>> On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:
>>> On 04/28/2014 01:19 PM, Bret Wortman wrote:
>>>> I just got a new ipa server instantiated and haven't actually installed any users or hosts on it yet. No replicas. No migrated data. Yet when I run any ipa commands from the command line, it behaves exactly as our older, troubled servers do and exits the login session immediately, whether I'm connected at the console or via ssh. Further, when I run strace to try to capture what might be going on, the behavior stops. Script also prevents commands from exiting, but this is really disconcerting. I was chalking this up to the fact that our database had become corrupted by our replication problems, but now I'm thinking it might be environmental, though our original IPA servers are running F18 and this new instance is F20. I need some stability here, and CLI is part of that. What might be causing the CLI to not work at all when coupled to a TTY device, as that seems to be the critical piece? Could this be related to the servers being VMs?
>>>
>>> BTW, we have this running on F20 on a different network and it works just fine. The network on which the failures are occurring isn't internet-connected; is there something that's trying to connect back to redhat?
>>
>> no.
>>
>> What shell do you use?
>
> On Mon, 2014-04-28 at 13:43 -0400, Bret Wortman wrote:
>> bash.
>
> Does it make any difference if you redirect stdin before calling the command?
>
> Simo.

No, I found the problem. A power user had written a bash function that redefined ipa and dropped it into /etc/profile.d. We're about to have a little chat.
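The root cause above (a function named ipa in /etc/profile.d that ends with exit, so every ipa invocation terminates the login shell) also explains the two symptoms earlier in the thread: strace ipa runs the real /usr/bin/ipa through exec, and script runs the command in a child shell, so neither hits the function. What follows is an added example, not code from FreeIPA or from anyone on this thread, showing how to check whether a command name is shadowed by a shell function or alias, where the definition lives, and how to reach the real binary; the profile.d snippet it writes into a temporary directory is a constructed stand-in for the one Bret found.

```shell
#!/bin/bash
# Added example, not FreeIPA code: tell whether a command name such as "ipa"
# is shadowed by a shell function or alias, locate the startup file that
# defines it, and reach the real executable regardless. The profile.d file
# written by demo() is a constructed stand-in for the one in the thread.

# shadow_kind NAME: prints function, alias, builtin, file or none, describing
# what the current shell would actually run for NAME (output of `command -V`
# differs slightly between bash and dash, so both wordings are matched).
shadow_kind() {
    local name=$1 out
    out=$(command -V "$name" 2>/dev/null) || { echo none; return 0; }
    case $out in
        *" is a function"*|*" is a shell function"*) echo function ;;
        *" is aliased to "*|*" is an alias for "*)    echo alias ;;
        *" is a shell builtin"*)                      echo builtin ;;
        *)                                            echo file ;;
    esac
}

# real_path NAME: first executable NAME on PATH, ignoring functions, aliases
# and builtins; empty output and status 1 if there is none.
real_path() {
    local name=$1 dir IFS=:
    for dir in $PATH; do
        dir=${dir:-.}
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# find_definitions NAME PATH...: grep startup files (e.g. /etc/profile.d,
# /etc/bashrc, ~/.bashrc) for a function or alias definition of NAME and
# print file:line:text for each hit.
find_definitions() {
    local name=$1; shift
    grep -rnE "^[[:space:]]*(function[[:space:]]+$name([[:space:](]|\$)|$name[[:space:]]*\(\)|alias[[:space:]]+$name=)" "$@" 2>/dev/null
}

# Reproduce the situation from the thread in a throwaway directory.
demo() {
    local tmp
    tmp=$(mktemp -d) || return 1
    # Constructed: a profile.d snippet that replaces ipa with a function
    # which exits the calling shell, i.e. the "logs me out" symptom.
    cat >"$tmp/zz-ipa.sh" <<'EOF'
ipa() { echo "shadow ipa running, goodbye"; exit 0; }
EOF
    echo "== definitions of ipa under $tmp:"
    find_definitions ipa "$tmp"
    # Source it in a subshell so the exit inside ipa() kills only the
    # subshell, not this script; the login shells had no such protection.
    (
        . "$tmp/zz-ipa.sh"
        echo "== what 'ipa' resolves to now: $(shadow_kind ipa)"
        echo "== real ipa on PATH: $(real_path ipa || echo '<none>')"
        ipa
        echo "not reached: ipa() exited the shell"
    )
    echo "== subshell terminated with status $?"
    rm -rf "$tmp"
}

demo
```

Interactively, `type -a ipa` or `command -V ipa` gives the same answer in one line. To run the real client while the shadow is still in place, use `command ipa ...` or the full path; note that `\ipa` only defeats alias expansion and would still hit a function.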
Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance
On Mon, 2014-04-28 at 14:05 -0400, Bret Wortman wrote:
> On 04/28/2014 01:53 PM, Simo Sorce wrote:
>> On 04/28/2014 01:32 PM, Simo Sorce wrote:
>>> On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:
>>>> On 04/28/2014 01:19 PM, Bret Wortman wrote:
>>>>> I just got a new ipa server instantiated and haven't actually installed any users or hosts on it yet. No replicas. No migrated data. Yet when I run any ipa commands from the command line, it behaves exactly as our older, troubled servers do and exits the login session immediately, whether I'm connected at the console or via ssh. Further, when I run strace to try to capture what might be going on, the behavior stops. Script also prevents commands from exiting, but this is really disconcerting. I was chalking this up to the fact that our database had become corrupted by our replication problems, but now I'm thinking it might be environmental, though our original IPA servers are running F18 and this new instance is F20. I need some stability here, and CLI is part of that. What might be causing the CLI to not work at all when coupled to a TTY device, as that seems to be the critical piece? Could this be related to the servers being VMs?
>>>>
>>>> BTW, we have this running on F20 on a different network and it works just fine. The network on which the failures are occurring isn't internet-connected; is there something that's trying to connect back to redhat?
>>>
>>> no.
>>>
>>> What shell do you use?
>>
>> On Mon, 2014-04-28 at 13:43 -0400, Bret Wortman wrote:
>>> bash.
>>
>> Does it make any difference if you redirect stdin before calling the command?
>>
>> Simo.
>
> No, I found the problem. A power user had written a bash function that redefined ipa and dropped it into /etc/profile.d. We're about to have a little chat.

lol! glad you found it :)

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Can't use ipa commands on brand new ipa server instance
Let me guess, ipa logs you out so you can go have a beer?

On Mon, Apr 28, 2014 at 2:10 PM, Simo Sorce s...@redhat.com wrote:
> On Mon, 2014-04-28 at 14:05 -0400, Bret Wortman wrote:
>> On 04/28/2014 01:53 PM, Simo Sorce wrote:
>>> On 04/28/2014 01:32 PM, Simo Sorce wrote:
>>>> On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:
>>>>> On 04/28/2014 01:19 PM, Bret Wortman wrote:
>>>>>> I just got a new ipa server instantiated and haven't actually installed any users or hosts on it yet. No replicas. No migrated data. Yet when I run any ipa commands from the command line, it behaves exactly as our older, troubled servers do and exits the login session immediately, whether I'm connected at the console or via ssh. Further, when I run strace to try to capture what might be going on, the behavior stops. Script also prevents commands from exiting, but this is really disconcerting. I was chalking this up to the fact that our database had become corrupted by our replication problems, but now I'm thinking it might be environmental, though our original IPA servers are running F18 and this new instance is F20. I need some stability here, and CLI is part of that. What might be causing the CLI to not work at all when coupled to a TTY device, as that seems to be the critical piece? Could this be related to the servers being VMs?
>>>>>
>>>>> BTW, we have this running on F20 on a different network and it works just fine. The network on which the failures are occurring isn't internet-connected; is there something that's trying to connect back to redhat?
>>>>
>>>> no.
>>>>
>>>> What shell do you use?
>>>
>>> On Mon, 2014-04-28 at 13:43 -0400, Bret Wortman wrote:
>>>> bash.
>>>
>>> Does it make any difference if you redirect stdin before calling the command?
>>>
>>> Simo.
>>
>> No, I found the problem. A power user had written a bash function that redefined ipa and dropped it into /etc/profile.d. We're about to have a little chat.
>
> lol! glad you found it :)
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Google Apps Directory Sync and Free-IPA
Thanks Simon. I'm not sure it'll work for what I need. I really wish someone had Google Apps Directory Sync either working or not working, so I can either research more or strike it off my list.

On Mon, Apr 28, 2014 at 11:34 AM, Simon Williams simon.willi...@thehelpfulcat.com wrote:
> I do have it working, but I have Atlassian Crowd sitting between FreeIPA and the Google Apps log in.
>
> On 28 Apr 2014 15:44, Simo Sorce s...@redhat.com wrote:
>> On Mon, 2014-04-28 at 08:24 -0400, Dmitri Pal wrote:
>>> On 04/28/2014 08:22 AM, Chris Whittle wrote:
>>>> Ha! That was my thread about SAML vs GADS, but there ended up not being any info on how to actually use GADS with Free IPA. It dropped after Simo saying he was going to work on getting docs for ipsilon (which, from the conversation and what I can gather, is basically SAML), and I asked for someone who had experience with GADS, so I started a new one for simplification.
>>>
>>> I do not think we have a better answer for you other than what Martin mentioned and the SAML IdP Simo is working on.
>>
>> note that any other SAML IdP that has support for LDAP may work, for example http://picketlink.org/ may work for you if you have experience in setting up jboss based applications and know how to make your way in configuring such software. (I can't help here really).
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] RHEL7 rc 64bit
Hi,

Would it be expected that a RHEL7rc machine would be connectible to IPA on RHEL6.5? Just tried and it doesn't seem to be.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012
0064 4 463 6272