Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Saturday, 7 February 2015 1:40 AM
To: Les Stott; freeipa-users@redhat.com; Matthew Harmsen; Endi Dewata
Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

> On 02/06/2015 06:59 AM, Les Stott wrote:
>> Hi,
>>
>> I found a bug in the pki packages and CA replica installation.
>>
>> Environment:
>> Rhel 6.6
>> IPA Server 3.0.0-42
>> Pki components:
>> pki-symkey-9.0.3-38.el6_6.x86_64
>> pki-common-9.0.3-38.el6_6.noarch
>> pki-setup-9.0.3-38.el6_6.noarch
>> pki-selinux-9.0.3-38.el6_6.noarch
>> pki-java-tools-9.0.3-38.el6_6.noarch
>> pki-ca-9.0.3-38.el6_6.noarch
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> pki-native-tools-9.0.3-38.el6_6.x86_64
>> pki-util-9.0.3-38.el6_6.noarch
>> pki-silent-9.0.3-38.el6_6.noarch
>> Selinux: Permissive
>>
>> When running a CA replica installation it fails because pki-cad cannot start due to selinux context issues.
>>
>> Samples from the ipareplica-ca-install.log...
>> =
>> 2015-02-05T08:20:04Z DEBUG stderr=[error] FAILED run_comman[ OK ]/service pki-cad restart pki-ca), exit status=1 output=Stopping pki-ca: /usr/bin/runcon: invalid context: unconfined_u:system_r:pki_ca_script_t:s0: Invalid argument
>> 2015-02-05T08:20:04Z DEBUG duration: 6 seconds
>> 2015-02-05T08:20:04Z DEBUG [3/16]: configuring certificate server instance
>> # Attempting to connect to: sb1sys02.mydomain.com:9445
>> Exception in LoginPanel(): java.lang.NullPointerException
>> ERROR: ConfigureCA: LoginPanel() failure
>> ERROR: unable to create CA
>> ### ### #
>> 2015-02-05T08:20:04Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
>> java.net.ConnectException: Connection refused
>> ==
>>
>> In short pki-cad fails to start and stops the installer.
>>
>> Reinstalling the pki-selinux rpm (found references in some other forum posts) via
>> yum reinstall pki-selinux
>> is not enough to help.
>>
>> The solution is as follows:
>> yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
>> which takes components back to 9.0.3-32
>> then
>> yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
>> then (after cleaning up half installed pki components)
>> ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
>>
>> Then, the CA replication completes successfully.
>>
>> Regards,
>> Les
>
> I saw this one around, e.g. in:
> http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
>
> Did you try reinstalling pki-selinux before ipa-server-install?

Yes, tried this. But it was not enough.

> Endi/Matthew, do we have a bug/fix for this?
>
> Thanks,
> Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Full migration from 3.X to 4.X
Matt Wells wrote:
> I've seen many links and conversations about migrating from 3.X to 4.X; some with migrate-ds but nothing that said I did it and it worked. Perhaps my Google-Fu is failing me. So I thought I'd ask here, has anyone fully migrated? Systems, SSL certs, sudo and everything? What resources did you use?
>
> I'm moving to all new systems so this isn't an in-place upgrade. Right now I have two systems (at 3.X) and two more (at 4.X) waiting in the wings to take over. I see where I could get users and groups but what about the rest?
>
> Thanks to anyone who can point in the right direction. I'll keep poking on Google and if I find anything I'll be sure to respond to my own query.

Migration is for moving from an LDAP system to IPA. To move between major versions the recommended path is to create a new master on the upgraded platform. Run them in tandem until you're satisfied that things are working and then retire the older version masters. Be sure to include a CA on one or more of the 4.x masters as well.

rob
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
-----Original Message-----
From: Endi Sukma Dewata [mailto:edew...@redhat.com]
Sent: Saturday, 7 February 2015 1:53 AM
To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Matthew Harmsen
Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

> On 2/6/2015 8:39 AM, Martin Kosek wrote:
>>> Reinstalling the pki-selinux rpm (found references in some other forum posts) via
>>> yum reinstall pki-selinux
>>> is not enough to help.
>>>
>>> The solution is as follows:
>>> yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
>>> which takes components back to 9.0.3-32
>>> then
>>> yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools
>>> then (after cleaning up half installed pki components)
>>> ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
>>>
>>> Then, the CA replication completes successfully.
>>>
>>> Regards,
>>> Les
>>
>> I saw this one around, e.g. in:
>> http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html
>>
>> Did you try reinstalling pki-selinux before ipa-server-install?
>>
>> Endi/Matthew, do we have a bug/fix for this?
>>
>> Thanks,
>> Martin
>
> Yes, we have a ticket for this:
> https://fedorahosted.org/pki/ticket/1243
>
> The default selinux-policy is version 3.7.19-231. It needs to be updated to at least version 3.7.19-260.
>
> --
> Endi S. Dewata

I will test this out (update to 3.7.19-260) next week as I've got a few more CA replicas to setup.

Thanks,
Les
[Freeipa-users] SASL(-13) authentication failure
Hello,

My IPA servers are currently saying:

Failed to get data from 'hostname.lan': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

tail -f /var/log/dirsrv/slapd-HOSTNAME-LAN/errors
[06/Feb/2015:21:42:41 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[06/Feb/2015:21:42:41 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)

We have 3 master replicas in operation: ipa2, ipa3, ipa4, and ipa1 we are decommissioning. After losing the CA on 2 nodes, we promoted ipa3 to master, and created a replica file, scped it to ipa4, installed it, and on ipa4 created ipa2. Because of design, 3 and 2 can't communicate with each other.

I just stopped dirsrv and pki-ca on ipa1, so it's possible it is creating issues.

I can't determine where the credentials are or how to get them changed as all the nodes are now having similar issues replicating.

Bryan
Re: [Freeipa-users] User certificates with FreeIPA and another question.
On Fri, Feb 06, 2015 at 03:30:34PM +0100, Martin Kosek wrote:
> On 02/06/2015 12:53 AM, Christopher Young wrote:
>> Obvious next question: Any plans to implement that functionality or advice on how one might get some level of functionality for this? Would it be possible to create another command-line based openssl CA that could issue these but using IPA as the root CA for those?
>
> As for FreeIPA plans, we plan to vastly improve our flexibility to process certificates in next upstream version - FreeIPA 4.2. In next version, one should be able to create other certificate profiles (from FreeIPA default service cert profile) or even subCAs to do what you want.
>
> As for current workarounds, you would have to issue and sign a for example NSS or openssl based subCA and then sign user certs there. But I would leave Fraser or Jan to tell if this would be really possible.

Christopher, until profiles and subCAs are available in FreeIPA your options are:

- Issue client certificates from the existing Dogtag CA, by using an appropriate profile and including the relevant information in the certificate request. Client certificates would be issued from the same CA as service certificates (but would have different keyUsage attributes, etc).
- Same as above, but spawn a subordinate Dogtag CA instance for issuing the client certificates.
- (Martin's suggestion:) Issue a subordinate signing certificate from the Dogtag CA and use OpenSSL or other CA software to issue client certificates.

The first option is the easiest but would not be considered good practice because certificates intended for different client uses (e.g. web, VPN) should be issued from different CAs. But the latter options are heavyweight.

Hope that helps,
Fraser

>> I'm just trying to provide a solution for situations where we would like to utilize client/user cert authentication for situations like secure apache directory access as well as user VPN certificates. Any advice or ideas are greatly appreciated. Thanks again!
>>
>> On Thu, Feb 5, 2015 at 4:09 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>> Christopher Young wrote:
>>>> Some of this might be rudimentary, so I apologize if this is answered somewhere, though I've tried to search and have not had much luck...
>>>>
>>>> Basically, I would like to be able to issue user certificates (Subject: email=sblblabla@blabla.local) in order to use client SSL security on some things. I'm very new to FreeIPA, but have worked with external CAs in the past for similar requests, however this is my first entry into creating/running a localized CA within an organization.
>>>
>>> IPA doesn't issue user certificates yet, only server certificates.
>>>
>>>> I was wondering if this is possible via the command line, and if so, how to go about submitting the request and receiving the certificate. Any guidance or assistance would be greatly appreciated!
>>>>
>>>> Additionally, just as a matter of cleanliness, is there any way possible to just completely wipe out the existence of a certificate/request from FreeIPA. I have done some trial-and-error and obviously have made mistakes that I'd prefer to clean up after. I've revoked those certs, however the perfectionist in me hates seeing them there. I'm quite certain the answer is 'no', but I thought I would ask anyway.
>>>
>>> Right, the answer is no. In fact it is a good thing that all certificates are accounted for.
>>>
>>> rob
Re: [Freeipa-users] SASL(-13) authentication failure
I did a bit more digging into the issue, and realized that the ruv-id of ipa2 is different on only one of the servers of the 3. I am imagining I will need to run clean-ruv on the inconsistent node.

Bryan

On Fri, Feb 6, 2015 at 10:11 PM, Bryan Pearson bwp.pear...@gmail.com wrote:
> Hello,
>
> My IPA servers are currently saying:
>
> Failed to get data from 'hostname.lan': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>
> tail -f /var/log/dirsrv/slapd-HOSTNAME-LAN/errors
> [06/Feb/2015:21:42:41 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
> [06/Feb/2015:21:42:41 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>
> We have 3 master replicas in operation: ipa2, ipa3, ipa4, and ipa1 we are decommissioning. After losing the CA on 2 nodes, we promoted ipa3 to master, and created a replica file, scped it to ipa4, installed it, and on ipa4 created ipa2. Because of design, 3 and 2 can't communicate with each other.
>
> I just stopped dirsrv and pki-ca on ipa1, so it's possible it is creating issues.
>
> I can't determine where the credentials are or how to get them changed as all the nodes are now having similar issues replicating.
>
> Bryan
Re: [Freeipa-users] Full migration from 3.X to 4.X
On Friday, February 06, 2015 05:14:57 PM Rob Crittenden wrote:
> Matt Wells wrote:
>> I've seen many links and conversations about migrating from 3.X to 4.X; some with migrate-ds but nothing that said I did it and it worked. Perhaps my Google-Fu is failing me. So I thought I'd ask here, has anyone fully migrated? Systems, SSL certs, sudo and everything? What resources did you use?
>>
>> I'm moving to all new systems so this isn't an in-place upgrade. Right now I have two systems (at 3.X) and two more (at 4.X) waiting in the wings to take over. I see where I could get users and groups but what about the rest?
>>
>> Thanks to anyone who can point in the right direction. I'll keep poking on Google and if I find anything I'll be sure to respond to my own query.
>
> Migration is for moving from an LDAP system to IPA. To move between major versions the recommended path is to create a new master on the upgraded platform. Run them in tandem until you're satisfied that things are working and then retire the older version masters. Be sure to include a CA on one or more of the 4.x masters as well.

Watch for this issue that I ran into: https://fedorahosted.org/pki/ticket/1235

--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
[Freeipa-users] Full migration from 3.X to 4.X
I've seen many links and conversations about migrating from 3.X to 4.X; some with migrate-ds but nothing that said I did it and it worked. Perhaps my Google-Fu is failing me. So I thought I'd ask here, has anyone fully migrated? Systems, SSL certs, sudo and everything? What resources did you use?

I'm moving to all new systems so this isn't an in-place upgrade. Right now I have two systems (at 3.X) and two more (at 4.X) waiting in the wings to take over. I see where I could get users and groups but what about the rest?

Thanks to anyone who can point in the right direction. I'll keep poking on Google and if I find anything I'll be sure to respond to my own query.
Re: [Freeipa-users] one way AD trust relationship
On Thu, 05 Feb 2015, Nicolas Zin wrote:
> Hi,
>
> is it possible to create a one way AD trust relationship with FreeIPA/IDM 3.3?
No.

> - From Windows I created an incoming one-way trust relationship, with a trust-secret
> - on Linux I use the trust-secret with ipa:
> ipa trust-add --type=ad ipawindows.mtl.sfl --trust-secret
>
> everything seems to be fine, but when I try
> kinit administra...@ipawindows.mtl.sfl
> kinit: KDC reply did not match expectations while getting initial credentials
>
> I tried other ways, but I wonder if it is possible to have a one-way trust relationship?
One-way trust is not supported yet. I'm in the process of writing a set of design documents and opening tickets for various missing parts. We hope to get it done within the scope of FreeIPA 4.2.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Trust with Active Directory fails
On Thu, 05 Feb 2015, Guertin, David S. wrote:
> I'm trying to set up a trust between IPA and Active Directory, and it keeps failing. The problem is the same as this one (https://www.redhat.com/archives/freeipa-users/2014-April/msg00039.html), but the solution is not. In that case, it was solved by enabling IPv6 in the kernel, and in this case IPv6 is already enabled. Here's what happens:
>
> # ipa trust-add --type=ad example.com
> ipa: ERROR: Cannot find specified domain or server name
>
> It looks like a DNS problem, and all the suggestions I've seen point to DNS, but from everything I can see, DNS appears to be working. I have the IPA domain set up as a subdomain (csns.example.com) of the AD domain (example.com). Our AD domain controllers are NOT set up as DNS servers -- we have external, independent DNS servers for that. (Could that be part of the problem?) I am running bind on the IPA server (which is running RHEL6), because all the documentation was written that way. It is set up as a delegation subdomain of our main domain.
We don't require DNS to be tied to any specific party (IPA or AD), all we require is that all proper service records (SRV) are in place. For Active Directory cross-forest trusts to work, we need the following records to be in place:

_ldap._tcp.DOMAIN
_kerberos._udp.DOMAIN
_kerberos._tcp.DOMAIN
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN
_ldap._tcp.dc._msdcs.DOMAIN
_kerberos._udp.dc._msdcs.DOMAIN
_kerberos._tcp.dc._msdcs.DOMAIN

When you run ipa-adtrust-install, it will generate these records for the IPA domain but when we perform trust, Samba libraries resolve these in the AD domain too. Make sure they are properly configured.

> From the IPA server, dig finds the AD domain controllers:
>
> # dig SRV _ldap._tcp.example.com
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> SRV _ldap._tcp.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8858
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 13, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;_ldap._tcp.example.com. IN SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
> _ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2.example.com.
> _ldap._tcp.example.com. 600 IN SRV 0 100 389 dc3.example.com.
> _ldap._tcp.example.com. 600 IN SRV 0 100 389 dc4.example.com.
> _ldap._tcp.example.com. 600 IN SRV 0 100 389 dc5.example.com.
> _ldap._tcp.example.com. 600 IN SRV 0 100 389 dc6.example.com.
>
> ;; AUTHORITY SECTION:
> . 407417 IN NS b.root-servers.net.
> . 407417 IN NS a.root-servers.net.
> . 407417 IN NS h.root-servers.net.
> . 407417 IN NS f.root-servers.net.
> . 407417 IN NS m.root-servers.net.
> . 407417 IN NS k.root-servers.net.
> . 407417 IN NS l.root-servers.net.
> . 407417 IN NS g.root-servers.net.
> . 407417 IN NS e.root-servers.net.
> . 407417 IN NS j.root-servers.net.
> . 407417 IN NS i.root-servers.net.
> . 407417 IN NS d.root-servers.net.
> . 407417 IN NS c.root-servers.net.
>
> ;; Query time: 2 msec
> ;; SERVER: 140.233.1.7#53(140.233.1.7)
> ;; WHEN: Thu Feb 5 16:38:22 2015
> ;; MSG SIZE rcvd: 503
>
> And, with nslookup, I can do name lookups on the domain controllers and the DNS servers, and they all find the appropriate IP address. It all works the other way, too. From the domain controllers I can do nslookup on the IPA server. In fact, every nslookup or ping command I do on any hostname from anywhere all works -- it's only the ipa trust-add command that's failing.
>
> I've set log level to 100 in /usr/share/ipa/smb.conf.empty, and here's the output in /var/log/httpd/error_log:
>
> lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
> params.c:pm_process() - Processing configuration file /usr/share/ipa/smb.conf.empty
> Processing section [global]
> INFO: Current debug levels:
>   all: 100
>   tdb: 100
>   printdrivers: 100
>   lanman: 100
>   smb: 100
>   rpc_parse: 100
>   rpc_srv: 100
>   rpc_cli:
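The nine SRV names Alexander lists are a checklist that can be verified before running ipa trust-add. The script below is an added example (not part of FreeIPA or of this thread): it generates the required names for a domain, parses the ANSWER SECTION of dig's SRV output like the one David posted, and reports which names return no record. The resolver is injected so the check also runs offline against a constructed answer set; the dig-based resolver and the example.com records are assumptions.

```python
"""Verify the SRV records an AD cross-forest trust needs (added example)."""
import re
import shutil
import subprocess
from typing import Callable, Dict, List, Tuple

# (priority, weight, port, target) as printed in dig's answer section
SrvRecord = Tuple[int, int, int, str]
Resolver = Callable[[str], List[SrvRecord]]

SITE = "Default-First-Site-Name"  # site name used in the list from the thread


def required_trust_srv_names(domain: str) -> List[str]:
    """The nine SRV owner names from the thread, instantiated for one domain."""
    domain = domain.rstrip(".").lower()
    names = []
    for suffix in ("", f"{SITE}._sites.dc._msdcs.", "dc._msdcs."):
        for svc in ("_ldap._tcp", "_kerberos._udp", "_kerberos._tcp"):
            names.append(f"{svc}.{suffix}{domain}")
    return names


# owner  TTL  IN  SRV  prio  weight  port  target   (dig separates with tabs/spaces)
_SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)\s*$")


def parse_dig_srv(output: str) -> Dict[str, List[SrvRecord]]:
    """Collect SRV records from the ANSWER SECTION of `dig SRV` output."""
    records: Dict[str, List[SrvRecord]] = {}
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):  # any other section header ends the answers
            in_answer = False
            continue
        m = _SRV_LINE.match(line) if in_answer else None
        if not m:
            continue
        name = m["name"].rstrip(".").lower()
        records.setdefault(name, []).append(
            (int(m["prio"]), int(m["weight"]), int(m["port"]),
             m["target"].rstrip(".").lower()))
    return records


def dig_resolver(name: str) -> List[SrvRecord]:
    """Resolve one SRV name with the local dig binary (assumed installed)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    proc = subprocess.run(["dig", "SRV", name], capture_output=True,
                          text=True, check=False)
    return parse_dig_srv(proc.stdout).get(name.rstrip(".").lower(), [])


def missing_trust_srv(domain: str, resolve: Resolver) -> List[str]:
    """Required names for which the resolver returned no SRV record."""
    return [n for n in required_trust_srv_names(domain) if not resolve(n)]


# Constructed sample, shaped like the dig output quoted in the thread.
SAMPLE_DIG = """\
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> SRV _ldap._tcp.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8858

;; QUESTION SECTION:
;_ldap._tcp.example.com.\t\tIN\tSRV

;; ANSWER SECTION:
_ldap._tcp.example.com.\t600\tIN\tSRV\t0 100 389 dc1.example.com.
_ldap._tcp.example.com.\t600\tIN\tSRV\t0 100 389 dc2.example.com.
_ldap._tcp.example.com.\t600\tIN\tSRV\t0 100 389 dc3.example.com.

;; AUTHORITY SECTION:
.\t407417\tIN\tNS\tb.root-servers.net.
"""


def demo_resolver(name: str) -> List[SrvRecord]:
    """Constructed zone: plain records present, nothing under _msdcs (a typical gap)."""
    table = {
        "_ldap._tcp.example.com": parse_dig_srv(SAMPLE_DIG)["_ldap._tcp.example.com"],
        "_kerberos._udp.example.com": [(0, 100, 88, "dc1.example.com")],
        "_kerberos._tcp.example.com": [(0, 100, 88, "dc1.example.com")],
    }
    return table.get(name.rstrip(".").lower(), [])


if __name__ == "__main__":
    for name in missing_trust_srv("example.com", demo_resolver):
        print("MISSING:", name)
```

Run it against a live zone with `missing_trust_srv("ad.example.com", dig_resolver)`; an empty list means every name Alexander lists resolves.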
Re: [Freeipa-users] one way AD trust relationship
On Fri, Feb 06, 2015 at 10:16:37AM +0200, Alexander Bokovoy wrote:
> On Thu, 05 Feb 2015, Nicolas Zin wrote:
>> Hi,
>>
>> is it possible to create a one way AD trust relationship with FreeIPA/IDM 3.3?
> No.
>
>> - From Windows I created an incoming one-way trust relationship, with a trust-secret
>> - on Linux I use the trust-secret with ipa:
>> ipa trust-add --type=ad ipawindows.mtl.sfl --trust-secret
>>
>> everything seems to be fine, but when I try
>> kinit administra...@ipawindows.mtl.sfl
>> kinit: KDC reply did not match expectations while getting initial credentials
Nevertheless the error you see is not related to trust in the first place. kinit on Linux clients expects a Kerberos principal as argument which in general is case sensitive. I would expect that either

kinit -C administra...@ipawindows.mtl.sfl

or

kinit administra...@ipawindows.mtl.sfl

will work for you. But please note that this is not an indication that the trust is working in general. For this you should try to get a Kerberos service ticket for a service from your IPA domain e.g. with kvno.

bye,
Sumit

>> I tried other ways, but I wonder if it is possible to have a one-way trust relationship?
> One-way trust is not supported yet. I'm in the process of writing a set of design documents and opening tickets for various missing parts. We hope to get it done within the scope of FreeIPA 4.2.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] User certificates with FreeIPA and another question.
On Fri, Feb 6, 2015 at 3:30 PM, Martin Kosek mko...@redhat.com wrote:
> On 02/06/2015 12:53 AM, Christopher Young wrote:
>> Obvious next question: Any plans to implement that functionality or advice on how one might get some level of functionality for this? Would it be possible to create another command-line based openssl CA that could issue these but using IPA as the root CA for those?
>
> As for FreeIPA plans, we plan to vastly improve our flexibility to process certificates in next upstream version - FreeIPA 4.2. In next version, one should be able to create other certificate profiles (from FreeIPA default service cert profile) or even subCAs to do what you want.

nice. When do all these things land in RHEL?

> As for current workarounds, you would have to issue and sign a for example NSS or openssl based subCA and then sign user certs there. But I would leave Fraser or Jan to tell if this would be really possible.

some examples on how to do that would be very helpful. I would love to authenticate users to mysql using our CA, for instance.

--
regards,
natxo
Re: [Freeipa-users] Replication not happening for user password changes even after increasing the nsslapd-sasl-max-buffers to 2M
Ran the suggested command from the primary (master) IPA:

[root@ipaN1 ~]# ipa-replica-manage list -v ipaN1..local
ipa-N2..local: replica
  last init status: None
  last init ended: None
  last update status: -1 - LDAP error: Can't contact LDAP server
  last update ended: None

Then ran it from the replicant IPA:

[root@ipa-N2 ~]# ipa-replica-manage list -v ipa-N2..local
Directory Manager password: entered it as required
ipaN1..local: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2015-02-06 14:10:43+00:00

Not sure if the last update status is the current state or the last line of a log when an update was attempted, but double checked this morning that the user in question from yesterday still showed up with an unmatched password expiration date in the GUI of the replicant IPA.

So we stopped all IPA-related services on the master (# service ipa stop), waited a few, then restarted them (# service ipa start). Re-ran the query and the last update status message had not changed.

We ran an ldapsearch on each IPA server querying for nsds5ReplConflict and each responded the same:

# search result
search: 2
result: 0 Success

# numResponses: 1

Now we looked at the /etc/resolv.conf on the primary IP and found:

search localdomain
nameserver 8.8.8.8

so we manually edited the file (IPA primary is .206 and IPA replicant is .207):

search .local
nameserver 10.200.23.206
nameserver 10.200.23.207

and rebooted the server. When it came back up we checked the /etc/resolv.conf and it had changed back to the values as before the manual edit. I have never seen this resolver configuration file self-change behavior before on any Linux server and it confuses me. We edited the file again and rebooted again and it changed again.

Interestingly after the third reboot, where the /etc/resolv.conf ultimately looked like this:

[root@ipaN1 ~]# cat /etc/resolv.conf
search localdomain
nameserver 127.0.0.1 8.8.8.8

I was unable to ping an outside name:

[root@ipaN1 ~]# ping yahoo.com
ping: unknown host yahoo.com

But I was able to ping the IPA replicant:

[root@ipaN1 ~]# ping ipa-N2..local
PING ipa-N2..local (10.200.23.207) 56(84) bytes of data.
64 bytes from ipaN2..local (10.200.23.207): icmp_seq=1 ttl=64 time=0.136 ms
64 bytes from ipaN2..local (10.200.23.207): icmp_seq=2 ttl=64 time=0.206 ms
64 bytes from ipaN2..local (10.200.23.207): icmp_seq=3 ttl=64 time=0.182 ms

Just for chance I ran the query again and voila:

[root@ipaN1 ~]# ipa-replica-manage list -v ipaN1..local
ipa-N2..local: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update started
  last update ended: None

Replication took place. I checked the user in question through the GUI on the IPA replicant and the password expiration now matches the IPA primary.

What made the update finally happen? Why is the /etc/resolv.conf rewriting? Should it point to outside interfaces of localhost / localdomain? Will replication continue across future changes or will I have to massage this every time? This is so strange.

Steven Auerbach
Systems Administrator
State University System of Florida Board of Governors
325 West Gaines Street
Tallahassee, Florida 32399
(850) 245-9592 | Fax (850) 245-0419
steven.auerb...@flbog.edu | www.flbog.edu

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, February 05, 2015 4:10 PM
To: Auerbach, Steven; IPA User Maillist (freeipa-users@redhat.com)
Cc: Ouellet, Dan
Subject: Re: [Freeipa-users] Replication not happening for user password changes even after increasing the nsslapd-sasl-max-buffers to 2M

> Auerbach, Steven wrote:
>> A user contacted me today for a password reset. I made the reset on the ipa-primary.
>>
>> The user opened a terminal session on an SSH Client to a server in the realm and logged in. They received the required immediate password change requirement and did so. They can log off and log back on that same server with their new password.
>>
>> They attempted to open a terminal shell to another server in the realm. Their new password is not accepted. Both servers the user is attempting to connect to have the nameserver resolution in the same order (resolv.conf).
>>
>> On the ipa-primary their password expiration is 90 days from today. On the ipa-replicant the password expiration is about 60 days out (I did this with them Jan 13th also but they lost their password.). It has been an hour since the user logged on to the server and made their required change.
>>
>> 2 questions arise: How to safely update replicant with the password change without changing the primary/replicant
Re: [Freeipa-users] Real-time replication status (RFE)?
Check: https://gist.github.com/duncaninnes/c91985822be9782df581 which contains 2 scripts based on: http://directory.fedoraproject.org/docs/389ds/howto/howto-replicationmonitoring.html

I just expanded it to cope with a list of servers, then version 2 sorts by last end, last start, hostname. This version allows me to see more clearly if a certain replication is out of date. Could have done a sort by column and added a refresh button, or automatic refresh, but that wasn't the immediate aim. Since then it's just stuck, so could do with some love from any suitably minded persons. It also doesn't gracefully handle situations where one server in the list is offline, or taking too long to respond.

Both scripts are put in /var/www/cgi-bin on one of my IPA servers, and accessed via: https://ipa01.example.com/cgi-bin/monitor2.pl for example. Not sure if I modified the httpd configs - it's a while ago that I sorted it out.

HTH

Duncan

-----Original Message-----
From: Baird, Josh [mailto:jba...@follett.com]
Sent: 05 February 2015 17:08
To: Innes, Duncan; Rob Crittenden; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Real-time replication status (RFE)?

> That would be great, thanks!
>
> Josh
>
> -----Original Message-----
> From: Innes, Duncan [mailto:duncan.in...@virginmoney.com]
> Sent: Thursday, February 05, 2015 11:34 AM
> To: Rob Crittenden; Baird, Josh; freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Real-time replication status (RFE)?
>
>> The screen mockup in that ticket is based on a Perl script that I stuck in cgi-bin to pull just those stats off each IPA server I have and display them. Can share the code if you're interested.
>>
>> D
>>
>> -----Original Message-----
>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
>> Sent: 05 February 2015 14:19
>> To: Baird, Josh; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Real-time replication status (RFE)?
>>
>>> Baird, Josh wrote:
>>>> Hi,
>>>>
>>>> I'm looking for an easy way to validate that all replication agreements are functioning correctly between all of my IPA masters and replicas. I am aware that I can run 'ipa-replica-manage list -v' from each IPA master, but I was looking for something more centralized that could give me a replication health report for all masters/replicas. Ideally, this type of feature would be exposed in the UI and would also include information or insight into the status of any IPA - AD trust relationships.
>>>>
>>>> Am I missing a feature that already exists? If not, is there something like this on the IPA roadmap?
>>>
>>> This is being tracked in https://fedorahosted.org/freeipa/ticket/4390
>>>
>>> It depends on some other work being done first.
>>>
>>> rob
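Josh asks for a centralized health report, and Steven's thread above shows what `ipa-replica-manage list -v` prints for a broken and a healthy agreement. The script below is an added example (not Duncan's gist and not FreeIPA code): it parses that output as collected from each master and turns each agreement into a verdict, treating a non-zero leading status code as an error and a status of 0 with no end time (Steven's "Incremental update started") as still in progress. The host names and sample outputs are constructed from the lines quoted in this thread.

```python
"""Health verdicts from `ipa-replica-manage list -v` output (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "peer.example.local: replica"  (or winsync) starts one agreement block
_AGREEMENT = re.compile(r"^(?P<host>\S+):\s+(?P<kind>replica|winsync)\s*$")
# indented "last init/update status/ended: value" lines follow it
_FIELD = re.compile(
    r"^\s*(?P<key>last (?:init|update) (?:status|ended)):\s*(?P<val>.*)$")


@dataclass
class Agreement:
    host: str
    kind: str
    fields: Dict[str, str] = field(default_factory=dict)

    def status_code(self) -> Optional[int]:
        """Leading integer of 'last update status' (0 ok, negative LDAP error), None if absent."""
        m = re.match(r"^(-?\d+)", self.fields.get("last update status", ""))
        return int(m.group(1)) if m else None

    def health(self) -> str:
        code = self.status_code()
        if code is None:
            return "unknown"      # status 'None': never updated, or field missing
        if code != 0:
            return "error"        # e.g. "-1 - LDAP error: Can't contact LDAP server"
        if self.fields.get("last update ended", "None") == "None":
            return "in-progress"  # "Incremental update started" with no end time yet
        return "ok"


def parse_replica_list(output: str) -> List[Agreement]:
    """Parse one master's `ipa-replica-manage list -v` output; prompts are ignored."""
    agreements: List[Agreement] = []
    for line in output.splitlines():
        m = _AGREEMENT.match(line)
        if m:
            agreements.append(Agreement(m["host"], m["kind"]))
            continue
        m = _FIELD.match(line)
        if m and agreements:
            agreements[-1].fields[m["key"]] = m["val"].strip()
    return agreements


def health_report(outputs: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """{master: {peer: verdict}} for output collected from every master."""
    return {master: {a.host: a.health() for a in parse_replica_list(out)}
            for master, out in outputs.items()}


def problem_agreements(outputs: Dict[str, str]) -> List[str]:
    """Every agreement that is not 'ok', as 'master -> peer: verdict' lines."""
    return [f"{master} -> {peer}: {verdict}"
            for master, peers in health_report(outputs).items()
            for peer, verdict in peers.items() if verdict != "ok"]


# Constructed sample: the two outputs Steven quoted, with placeholder host names.
SAMPLE_OUTPUTS = {
    "ipa-n1.example.local": """\
ipa-n2.example.local: replica
  last init status: None
  last init ended: None
  last update status: -1 - LDAP error: Can't contact LDAP server
  last update ended: None
""",
    "ipa-n2.example.local": """\
Directory Manager password:
ipa-n1.example.local: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2015-02-06 14:10:43+00:00
""",
}

if __name__ == "__main__":
    for line in problem_agreements(SAMPLE_OUTPUTS):
        print(line)
```

Note that the verdict is one-directional: n2 sees its push to n1 as ok while n1 cannot reach n2, which is exactly the asymmetry Steven observed, so every master's output has to be collected.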
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution
On 2/6/2015 8:39 AM, Martin Kosek wrote:

Reinstalling the pki-selinux rpm (found references in some other forum posts) via yum reinstall pki-selinux is not enough to help.

The solution is as follows:

yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools

which takes components back to 9.0.3-32, then

yum -y update pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools

then (after cleaning up half installed pki components)

ipa-ca-install /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg

Then, the CA replication completes successfully.

Regards,
Les

I saw this one around, e.g. in:
http://www.redhat.com/archives/freeipa-devel/2014-May/msg00507.html

Did you try reinstalling pki-selinux before ipa-server-install?

Endi/Matthew, do we have a bug/fix for this?

Thanks,
Martin

Yes, we have a ticket for this:
https://fedorahosted.org/pki/ticket/1243

The default selinux-policy is version 3.7.19-231. It needs to be updated to at least version 3.7.19-260.

--
Endi S. Dewata

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Real-time replication status (RFE)?
Innes, Duncan wrote:

Check: https://gist.github.com/duncaninnes/c91985822be9782df581 which contains 2 scripts based on:

http://directory.fedoraproject.org/docs/389ds/howto/howto-replicationmonitoring.html

I just expanded it to cope with a list of servers, then version 2 sorts by last end, last start, hostname. This version allows me to see more clearly if a certain replication is out of date. Could have done a sort by column and added a refresh button, or automatic refresh, but that wasn't the immediate aim. Since then it's just stuck, so could do with some love from any suitably minded persons. It also doesn't gracefully handle situations where one server in the list is offline, or taking too long to respond.

Both scripts are put in /var/www/cgi-bin on one of my IPA servers, and accessed via:

https://ipa01.example.com/cgi-bin/monitor2.pl

for example. Not sure if I modified the httpd configs - it's a while ago that I sorted it out.

HTH

Duncan

We try to avoid using Directory Manager as much as possible, which is one of the reasons we haven't done something like this already. I'd definitely recommend using startTLS for your bind, at a minimum.

The issue starts with the fact that we don't have a hostgroup consisting of all IPA masters maintained automatically, so there is no easy way to do delegation. You could do this manually if you wanted though, something like:

# ipa hostgroup-add ipamasters --desc='Manual list of IPA masters'
# ipa hostgroup-add-member --hosts=ipa1.example.com ipamasters
# ipa hostgroup-add-member --hosts=ipa2.example.com ipamasters

Now create a role with a privilege to be able to read replication agreements (and add and delete them too, so be aware).

# ipa role-add ipamasters --desc='IPA Masters'
# ipa role-add-privilege --privileges='Replication Administrators' ipamasters
# ipa role-add-member --hostgroup=ipamasters ipamasters

You can test this with:

# kinit -kt /etc/krb5.keytab
# ldapsearch -Y GSSAPI -b 'cn=mapping tree,cn=config' '(objectclass=nsDS5ReplicationAgreement)'

You'd just need to keep the ipamasters hostgroup up-to-date, and considering that this list probably stabilizes over time, it shouldn't be a ton of effort.

rob

-Original Message-
From: Baird, Josh [mailto:jba...@follett.com]
Sent: 05 February 2015 17:08
To: Innes, Duncan; Rob Crittenden; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Real-time replication status (RFE)?

That would be great, thanks!

Josh

-Original Message-
From: Innes, Duncan [mailto:duncan.in...@virginmoney.com]
Sent: Thursday, February 05, 2015 11:34 AM
To: Rob Crittenden; Baird, Josh; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Real-time replication status (RFE)?

The screen mockup in that ticket is based on a Perl script that I stuck in cgi-bin to pull just those stats off each IPA server I have and display them. Can share the code if you're interested.

D

-Original Message-
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
Sent: 05 February 2015 14:19
To: Baird, Josh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Real-time replication status (RFE)?

Baird, Josh wrote:

Hi,

I'm looking for an easy way to validate that all replication agreements are functioning correctly between all of my IPA masters and replicas. I am aware that I can run 'ipa-replica-manage list -v' from each IPA master, but I was looking for something more centralized that could give me a replication health report for all masters/replicas. Ideally, this type of feature would be exposed in the UI and would also include information or insight into the status of any IPA - AD trust relationships.
Am I missing a feature that already exists? If not, is there something like this on the IPA roadmap?

This is being tracked in https://fedorahosted.org/freeipa/ticket/4390

It depends on some other work being done first.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
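One way to turn the ldapsearch Rob shows into the kind of centralized report Duncan's scripts produce, as an added example that is not Duncan's gist, FreeIPA or 389-ds code, or anything posted in the thread. It parses the LDIF that `ldapsearch -Y GSSAPI -b 'cn=mapping tree,cn=config' '(objectclass=nsDS5ReplicationAgreement)'` returns on a master and classifies each agreement as OK, STALE, ERROR or IN_PROGRESS from nsds5replicaLastUpdateStatus, nsds5replicaLastUpdateEnd and nsds5replicaUpdateInProgress, sorted oldest-last-end first so out-of-date agreements surface at the top. The LDIF and the hosts ipa2/ipa3/ipa4.example.com are constructed sample data with a fixed clock so it runs offline; the two status-string shapes it accepts ('0 ...' and 'Error (0) ...') are an assumption about what your 389-ds version prints. In practice you would feed it the search output collected from every host in the ipamasters hostgroup.

```python
"""Added example (not from the thread, Duncan's gist, FreeIPA or 389-ds):
classify 389-ds replication agreements from ldapsearch LDIF output.
SAMPLE_LDIF is constructed data with hypothetical hosts; SAMPLE_NOW is a
fixed clock so the example runs offline and deterministically."""
import base64
import re
from datetime import datetime, timedelta, timezone

SAMPLE_LDIF = r"""
dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToipa2.example.com
nsDS5ReplicaHost: ipa2.example.com
nsDS5ReplicaRoot: dc=example,dc=com
nsds5replicaLastUpdateStart: 20150205170800Z
nsds5replicaLastUpdateEnd: 20150205170801Z
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE

dn: cn=meToipa3.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToipa3.example.com
nsDS5ReplicaHost: ipa3.example.com
nsDS5ReplicaRoot: dc=example,dc=com
nsds5replicaLastUpdateStart: 20150203090000Z
nsds5replicaLastUpdateEnd: 20150203090000Z
nsds5replicaLastUpdateStatus: -1 Unable to acquire replica: permission denied. The bind
  dn does not have permission to supply replication updates to the replica.
nsds5replicaUpdateInProgress: FALSE

dn: cn=meToipa4.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToipa4.example.com
nsDS5ReplicaHost: ipa4.example.com
nsDS5ReplicaRoot: dc=example,dc=com
nsds5replicaLastUpdateStart: 20150205170700Z
nsds5replicaLastUpdateEnd: 19700101000000Z
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update started
nsds5replicaUpdateInProgress: TRUE
"""
SAMPLE_NOW = datetime(2015, 2, 5, 17, 10, tzinfo=timezone.utc)  # constructed clock

def parse_ldif(text):
    """Minimal LDIF reader: list of entries, each {attribute (lowercased): [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line: join to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

# Accepts both "0 Replica acquired ..." and "Error (0) Replica acquired ..." (assumed shapes)
STATUS_RE = re.compile(r"^(?:Error\s*\()?(-?\d+)\)?\s*(.*)$")

def status_code(status):
    """Split a nsds5replicaLastUpdateStatus value into (numeric code, message)."""
    m = STATUS_RE.match(status)
    return (int(m.group(1)), m.group(2)) if m else (None, status)

def parse_time(value):
    """GeneralizedTime such as 20150205170801Z; 19700101000000Z means never/unset."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def assess(entries, now, max_age=timedelta(hours=1)):
    """One row per agreement with state OK, STALE, ERROR or IN_PROGRESS."""
    rows = []
    for e in entries:
        if "nsds5replicationagreement" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        code, detail = status_code(e.get("nsds5replicalastupdatestatus", [""])[0])
        last_end = parse_time(e["nsds5replicalastupdateend"][0])
        in_progress = e.get("nsds5replicaupdateinprogress", ["FALSE"])[0].upper() == "TRUE"
        if in_progress:
            state = "IN_PROGRESS"
        elif code != 0:                        # any non-zero code is a failed update
            state = "ERROR"
        elif now - last_end > max_age:         # last success is too old
            state = "STALE"
        else:
            state = "OK"
        rows.append({"host": e["nsds5replicahost"][0], "root": e["nsds5replicaroot"][0],
                     "state": state, "last_end": last_end, "detail": detail})
    rows.sort(key=lambda r: (r["last_end"], r["host"]))   # oldest last-end first
    return rows

def format_report(rows):
    return "\n".join(f"{r['state']:<11} {r['host']:<18} {r['root']:<18} "
                     f"{r['last_end']:%Y-%m-%d %H:%M:%S}  {r['detail']}" for r in rows)

def sample_report(hours_later=0):
    """Run the check over the constructed sample, optionally moving the clock forward."""
    return assess(parse_ldif(SAMPLE_LDIF), SAMPLE_NOW + timedelta(hours=hours_later))

if __name__ == "__main__":
    print(format_report(sample_report()))
```

The bind that produces the LDIF is the host's own keytab via GSSAPI, as in Rob's test, so no Directory Manager password has to live in the CGI script; an agreement whose update never completes (LastUpdateEnd stuck at the epoch while UpdateInProgress is TRUE) is reported as IN_PROGRESS rather than silently sorting as "never replicated", and a server that is offline simply yields no entries, which is the case Duncan notes his scripts do not yet handle gracefully.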
Re: [Freeipa-users] User certificates with FreeIPA and another question.
On 02/06/2015 12:53 AM, Christopher Young wrote:

Obvious next question: Any plans to implement that functionality or advice on how one might get some level of functionality for this? Would it be possible to create another command-line based openssl CA that could issue these but using IPA as the root CA for those?

As for FreeIPA plans, we plan to vastly improve our flexibility to process certificates in the next upstream version - FreeIPA 4.2. In the next version, one should be able to create other certificate profiles (from the FreeIPA default service cert profile) or even subCAs to do what you want.

As for current workarounds, you would have to issue and sign, for example, an NSS- or openssl-based subCA and then sign user certs there. But I would leave Fraser or Jan to tell if this would be really possible.

I'm just trying to provide a solution for situations where we would like to utilize client/user cert authentication for situations like secure apache directory access as well as user VPN certificates.

Any advice or ideas are greatly appreciated.

Thanks again!

On Thu, Feb 5, 2015 at 4:09 PM, Rob Crittenden rcrit...@redhat.com wrote:

Christopher Young wrote:

Some of this might be rudimentary, so I apologize if this is answered somewhere, though I've tried to search and have not had much luck...

Basically, I would like to be able to issue user certificates (Subject: email=sblblabla@blabla.local) in order to use client SSL security on some things. I'm very new to FreeIPA, but have worked with external CAs in the past for similar requests, however this is my first entry into creating/running a localized CA within an organization.

IPA doesn't issue user certificates yet, only server certificates.

I was wondering if this is possible via the command line, and if so, how to go about submitting the request and receiving the certificate. Any guidance or assistance would be greatly appreciated!
Additionally, just as a matter of cleanliness, is there any way possible to just completely wipe out the existence of a certificate/request from FreeIPA. I have done some trial-and-error and obviously have made mistakes that I'd prefer to clean up after. I've revoked those certs, however the perfectionist in me hates seeing them there. I'm quite certain the answer is 'no', but I thought I would ask anyway.

Right, the answer is no. In fact it is a good thing that all certificates are accounted for.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
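The openssl-based subCA workaround Martin mentions, as an added example that is not code from the thread, from FreeIPA or from Dogtag: it builds a sub-CA, issues one user certificate with emailAddress in the subject (and as a SAN) restricted to clientAuth/emailProtection, and verifies it the way an Apache SSLVerifyClient or a VPN gateway would. It assumes openssl is on the PATH and writes into a temporary directory; the root CA here is a locally self-signed stand-in, because the step the thread leaves open (getting the IPA CA to sign subca.csr as a CA certificate) is not shown. The names EXAMPLE.LOCAL, "User Sub-CA" and alice@example.local are made up.

```sh
#!/bin/sh
# Added example, not code from the thread, FreeIPA or Dogtag.
# Assumptions: openssl on PATH; root.crt is a self-signed stand-in for the
# IPA CA (in practice you would have the IPA CA sign subca.csr instead);
# EXAMPLE.LOCAL and alice@example.local are hypothetical.
set -eu

USER_EMAIL="alice@example.local"
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Build root -> sub-CA -> user certificate in the working directory.
build_chain() {
  # 1. Stand-in root CA (replace with the real IPA CA certificate in practice)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=EXAMPLE.LOCAL/CN=Certificate Authority" \
    -keyout root.key -out root.crt >/dev/null 2>&1

  # 2. Sub-CA key and CSR; this CSR is what you would hand to the IPA CA
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=EXAMPLE.LOCAL/CN=User Sub-CA" \
    -keyout subca.key -out subca.csr >/dev/null 2>&1

  # 3. Sign it as a CA with pathlen:0 so it cannot mint further CAs, and with
  #    key usage limited to signing certificates and CRLs
  printf '%s\n' \
    'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > subca.ext
  openssl x509 -req -in subca.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile subca.ext -out subca.crt >/dev/null 2>&1

  # 4. User key and CSR with emailAddress in the subject, as the thread asks for
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=EXAMPLE.LOCAL/CN=Alice Example/emailAddress=$USER_EMAIL" \
    -keyout user.key -out user.csr >/dev/null 2>&1

  # 5. End-entity cert: CA:FALSE, client/e-mail use only, e-mail also in the SAN
  printf '%s\n' \
    'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=clientAuth,emailProtection' \
    "subjectAltName=email:$USER_EMAIL" \
    'subjectKeyIdentifier=hash' > user.ext
  openssl x509 -req -in user.csr -CA subca.crt -CAkey subca.key -CAcreateserial \
    -days 365 -sha256 -extfile user.ext -out user.crt >/dev/null 2>&1

  # Root plus sub-CA is what Apache needs in SSLCACertificateFile to validate clients
  cat root.crt subca.crt > chain.pem
}

# Validate the user cert the way a TLS server would: root trusted, sub-CA
# supplied but untrusted, client purpose enforced. Returns 0 on success.
verify_user_cert() {
  openssl verify -CAfile root.crt -untrusted subca.crt -purpose sslclient user.crt >/dev/null 2>&1
}

# Print the emailAddress from the issued certificate's subject.
user_cert_email() {
  openssl x509 -in user.crt -noout -subject -nameopt RFC2253 |
    sed -n 's/.*emailAddress=\([^,]*\).*/\1/p'
}

# Stand-alone run
build_chain
verify_user_cert && echo "user cert for $(user_cert_email) chains to the root via the sub-CA"
```

Keep subca.key as carefully as you would the IPA CA's own key: anything it signs with clientAuth will be accepted by every service that trusts chain.pem, and, as Rob notes for IPA itself, you will want every certificate it issues accounted for, which an ad-hoc openssl sub-CA does not do for you without an index and CRL of its own.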