Re: [Freeipa-users] admin password is always expired
Roderick Johnstone wrote:
> On 10/02/15 07:44, Dmitri Pal wrote:
>> On 02/09/2015 05:35 PM, Roderick Johnstone wrote:
>>> Hi
>>>
>>> I seem to have locked myself out of my ipa admin account (on RHEL 6.6).
>>> This is an evaluation instance so not too big a deal, but a good learning
>>> experience. I suspect it's some changes that I made to the password
>>> policy that caused this.
>>>
>>> The admin account has expired and I'm trying to reset the password like
>>> this:
>>>
>>> # kadmin.local
>>> Authenticating as principal root/admin@REALM with password.
>>> kadmin.local: change_password admin@REALM
>>> Enter password for principal admin@REALM:
>>> Re-enter password for principal admin@REALM:
>>> Password for admin@REALM changed.
>>> kadmin.local: q
>>>
>>> where REALM is my realm.
>>>
>>> Then when I try to authenticate as admin:
>>>
>>> # kinit admin
>>> Password for admin@REALM:
>>> Password expired. You must change it now.
>>> Enter new password:
>>> Enter it again:
>>> kinit: Password has expired while getting initial credentials
>>>
>>> and the password is not reset.
>>>
>>> This is what the password policy looks like at the moment:
>>>
>>> kadmin.local: get_policy global_policy
>>> Policy: global_policy
>>> Maximum password life: 86400
>>> Minimum password life: 0
>>> Minimum password length: 8
>>> Minimum number of password character classes: 0
>>> Number of old keys kept: 0
>>> Reference count: 0
>>> Maximum password failures before lockout: 6
>>> Password failure count reset interval: 0 days 00:01:00
>>> Password lockout duration: 0 days 00:10:00
>>>
>>> I'm trying to set this back to the defaults in the hope that this allows
>>> me to reset the admin password properly, but I'm getting eg:
>>>
>>> kadmin.local: modify_policy -maxlife 90 days global_policy
>>> modify_policy: Plugin does not support the operation while modifying policy global_policy.
>>>
>>> Am I on the right track to fixing the admin password problem?
>>> What am I doing wrong in trying to repair the password policy?
>>>
>>> Actually when I do the following it looks strange that Policy is set to
>>> none, but maybe this is a red herring:
>>>
>>> kadmin.local: get_principal admin
>>> Principal: admin@REALM
>>> Expiration date: [never]
>>> Last password change: Mon Feb 09 18:28:09 GMT 2015
>>> Password expiration date: Tue May 22 11:59:53 GMT 1906
>>> Maximum ticket life: 1 day 00:00:00
>>> Maximum renewable life: 7 days 00:00:00
>>> Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind@REALM)
>>> Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
>>> Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
>>> Failed password attempts: 0
>>> Number of keys: 4
>>> Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
>>> Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
>>> Key: vno 16, des3-cbc-sha1, Version 5
>>> Key: vno 16, arcfour-hmac, Version 5
>>> MKey: vno 1
>>> Attributes: REQUIRES_PRE_AUTH
>>> Policy: [none]
>>>
>>> Thanks for any help in diagnosing this issue or fixing it.
>>>
>>> Roderick Johnstone
>>
>> Did you set password expiration for admin manually?
>
> ok, as far as I remember, I originally changed the global_policy and then
> encountered the problem described above. ie I couldn't authenticate as
> admin using:
>
> kinit admin
>
> In trying to resolve this I found a thread that suggested to change the
> admin password with:
>
> ldappasswd -x -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=xxx,dc=xxx
>
> Maybe this was a bad move?
>
>> The attribute shows that it is 1906. This makes me think that you set
>> your expiration to a big number. However the value rolls over in 2038.
>> So you need to make sure what you set translates to a date before 2038.
>
> I suspect I did set the expiration to too big a number originally. After I
> was in the always expired loop I found a number of threads mentioning this
> wrap around issue and I have tried a number of things to fix it, so maybe
> I'm just making things worse.
>
>> Why are you using kadmin.local? With IPA it is not supported.
>
> Out of ignorance I guess. I'm still finding my way into all this stuff!
>
>>> What is the recommended way to reset an admin password in ipa when you
>>> can't authenticate as admin?
>>
>> There is a bunch of IPA commands that do the same.
>
> But if kinit admin won't authenticate me, how can I use the IPA commands?
>
> How can I now reset the expiration date for admin when I can't
> authenticate as admin?

The easiest path forward is to bind as Directory Manager and change the
password expiration date for the admin user. Then you can use that user to
more easily modify the password policy. You want to change
krbPasswordExpiration.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
[Freeipa-users] LDAP Connection error while Integrating AD with FreeIPA
Hi,

I am trying to integrate AD with FreeIPA. I was following the below document.
https://www.freeipa.org/images/2/2b/Installation_and_Deployment_Guide.pdf

While configuring I am facing the below error.

[root@appserver2 ~]# ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=users,dc=abc,dc=local --bindpw XXX --passsync XX --passsync XXX --cacert /etc/openldap/certs/abc.cer ad.abc.local -v
Directory Manager password:

Added CA certificate /etc/openldap/certs/abc.cer to certificate database for appserver2.qinec.com
ipa: INFO: AD Suffix is: DC=abc,DC=local
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=xyz,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[appserver2.abc.com] reports: Update failed! Status: [-11 - LDAP error: Connect error]
Failed to start replication

Please suggest.

Regards,
Prady
Re: [Freeipa-users] LDAP Connection error while Integrating AD with FreeIPA
On 02/10/2015 10:59 AM, Prady Dash wrote:
> Hi,
>
> I am trying to integrate AD with FreeIPA. I was following the below document.
> https://www.freeipa.org/images/2/2b/Installation_and_Deployment_Guide.pdf
>
> While configuring I am facing the below error.
>
> [root@appserver2 ~]# ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=users,dc=abc,dc=local --bindpw XXX --passsync XX --passsync XXX --cacert /etc/openldap/certs/abc.cer ad.abc.local -v
> Directory Manager password:
>
> Added CA certificate /etc/openldap/certs/abc.cer to certificate database for appserver2.qinec.com
> ipa: INFO: AD Suffix is: DC=abc,DC=local
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=xyz,dc=com
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [appserver2.abc.com] reports: Update failed! Status: [-11 - LDAP error: Connect error]
> Failed to start replication
>
> Please suggest.
>
> Regards,
> Prady

This is very old documentation. Please use the latest documentation on the
Red Hat portal.

What IPA version and platform are you using?

Do you really want to sync users? Have you considered a trust? Are you aware
of that option, which is preferred now?

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] Integrating Freeipa with Samba server through ldapsam or ipasam ? How to compile ipasam separately on Centos 7 ?
I have a freeipa installation of v4 on Fedora 21. I have a separate fileserver
with freeipa packages installed from mkosek-freeipa-epel-7.repo on centos 7.

I have:

* created sambaSAMAccount,sambaGroupMapping UserObjects
* created an entry for DNA plugin to populate them
  cn=SambaGroupSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
* added a CoS template for sambaGroupType
* added a CoS definition for sambaGroupType
* used ipa-adtrust-install to create and populate ipaNTHash
* checked the creation of these attributes with an ldap browser, all ok
* put the fileserver machine on the domain
* added necessary permissions, privileges and roles
* installed kerberos keytab on the fileserver
* was able to retrieve ipaNTHash attribute with the keytab from samba server

and now the only thing missing is to integrate the fileserver with the
ipaserver.

I don't mind using ipasam, but to install it on my centos7 fileserver, which
only has samba installed and nothing else, it also pulls the whole
freeipa-server package, and this is overkill just to get ipasam.so. So I'd
like some help in compiling it separately. I am using the standard samba
server distributed with centos 7.

So I tried to use

  passdb backend = ldapsam:ldap//ipaserver

but samba tries to bind using the admin user, and doesn't use the keytab,
even though I put

  dedicated keytab file = FILE:/etc/samba/samba.keytab
  kerberos method = dedicated keytab

in smb.conf.

So please help me in getting these two things done:

1. use samba with freeipa through ldap (I know it is worse than ipasam, but
   it would be nice to know how to integrate freeipa with samba with ldap on
   systems where ipasam might not be available)
2. compile an ipasam.so module so we can work on creating an rpm package in
   the future, since it is necessary to install ipasam.so separately.

Kudos to the development team for this amazing software.

Thanks in advance

Free software philosophy: Information is for free. People are not.
Contributors are priceless.

Israel Vinícius Miranda
Re: [Freeipa-users] LDAP Connection error while Integrating AD with FreeIPA
Hi,

I am using the below version:
ipa-server-3.0.0-42.el6.x86_64

What I want is to integrate AD with FreeIPA so in case of AD failure FreeIPA
should be able to handle the requests (might be temporary, such as a cache or
something like that).

Regards,
Prady

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: 10 February 2015 16:07
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] LDAP Connection error while Integrating AD with FreeIPA

> This is very old documentation. Please use the latest documentation on the
> Red Hat portal.
>
> What IPA version and platform are you using?
>
> Do you really want to sync users? Have you considered a trust? Are you
> aware of that option, which is preferred now?
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] LDAP Connection error while Integrating AD with FreeIPA
On 02/10/2015 11:21 AM, Prady Dash wrote:
> Hi,
>
> I am using the below version:
> ipa-server-3.0.0-42.el6.x86_64
>
> What I want is to integrate AD with FreeIPA so in case of AD failure
> FreeIPA should be able to handle the requests (might be temporary, such as
> a cache or something like that).

This is not a use case that would be easy to make work.
So are you planning to configure SSSD on clients to use AD and IPA domains in
parallel?

> Regards,
> Prady

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] LDAP Connection error while Integrating AD with FreeIPA
Hi,

Use Case: We have a user group for VPN, so in a case of DR no one else would
be able to use VPN as AD is the SPOF. So what I am trying to achieve is for
FreeIPA to help hold the user data for this group, maybe temporarily, so that
users could use VPN during AD failure.

Is this possible?

Regards,
Prady

From: Dmitri Pal [mailto:d...@redhat.com]
Sent: 10 February 2015 17:09
To: Prady Dash; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] LDAP Connection error while Integrating AD with FreeIPA

> This is not a use case that would be easy to make work.
> So are you planning to configure SSSD on clients to use AD and IPA domains
> in parallel?
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] LDAP Connection error while Integrating AD with FreeIPA
Prady Dash wrote:
> Hi,
>
> I am trying to integrate AD with FreeIPA. I was following the below document.
> https://www.freeipa.org/images/2/2b/Installation_and_Deployment_Guide.pdf
>
> While configuring I am facing the below error.
>
> [root@appserver2 ~]# ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=users,dc=abc,dc=local --bindpw XXX --passsync XX --passsync XXX --cacert /etc/openldap/certs/abc.cer ad.abc.local -v
> Directory Manager password:
>
> Added CA certificate /etc/openldap/certs/abc.cer to certificate database for appserver2.qinec.com
> ipa: INFO: AD Suffix is: DC=abc,DC=local
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=xyz,dc=com
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [appserver2.abc.com] reports: Update failed! Status: [-11 - LDAP error: Connect error]
> Failed to start replication
>
> Please suggest.

LDAP error -11 is LDAP_CONNECT_ERROR so normally I'd suggest checking
firewalls and such. The thing is though, IPA made an LDAP connection to find
the AD Suffix so both connectivity and the CA provided are exercised
successfully.

I'd check the 389-ds access and error logs in /var/log/dirsrv/slapd-REALM/

You probably want to consider using AD trust instead of winsync if you
haven't looked into it yet.

rob
Re: [Freeipa-users] LDAP Connection error while Integrating AD with FreeIPA
On 02/10/2015 12:14 PM, Prady Dash wrote:
> Hi,
>
> Use Case: We have a user group for VPN, so in a case of DR no one else
> would be able to use VPN as AD is the SPOF. So what I am trying to achieve
> is for FreeIPA to help hold the user data for this group, maybe
> temporarily, so that users could use VPN during AD failure.
>
> Is this possible?

This would be possible but would require reconfiguration of the VPN in case
of problems with AD. It would also require you to do a winsync of the user
passwords to keep passwords in sync. I am all for you using FreeIPA for this
but it seems like much more work for you than to add another AD instance or
use Samba 4 as a secondary DC.

> Regards,
> Prady

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21
On 02/10/2015 12:35 PM, marcin kowalski wrote:
> Hi all, i'm getting dogtag figured out slowly, and i noticed one odd thing.
>
> I've setup certmonger to request an arbitrary certificate through dogtag,
> and while the request seems to go into the dogtag system, certmonger acts
> as if communication with the CA failed. The certificate is considered in
> need of user attention because the process got stuck.
>
> Request ID '20150210125814':
>   status: NEED_GUIDANCE
>   stuck: yes
>   key pair storage: type=FILE,location='/etc/pki/testkey'
>   certificate: type=FILE,location='/etc/pki/testcert'
>   CA: dogtag-ipa
>   issuer:
>   subject:
>   expires: unknown
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
>
> [root@fedora pki]# systemctl status -l certmonger
> (...)
> lut 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate to be stored in file "/etc/pki/testcert" rejected by CA.
>
> The request is present in dogtag and is valid, can be accepted/rejected,
> etc. Even though certmonger never notices that.
>
> I wonder if there is some obvious mistake in my setup, or perhaps there is
> a known bug in the interaction of both components on F21 (i'm using only
> standard repositories). When i post the query from certmonger's agent
> defined in the ca definition through curl, i get no errors.
>
> What would be the best way to debug this issue?

Can you post your certmonger get-cert command?

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] admin password is always expired
On 10/02/2015 14:36, Rob Crittenden wrote:
> Roderick Johnstone wrote:
>> How can I now reset the expiration date for admin when I can't
>> authenticate as admin?
>
> The easiest path forward is to bind as Directory Manager and change the
> password expiration date for the admin user. Then you can use that user to
> more easily modify the password policy. You want to change
> krbPasswordExpiration.
>
> rob

Rob

Thanks for your reply. Your email came while I was working on this.

I seem to have achieved the same result by doing:

# ldapmodify -h localhost -x -W -D cn=directory manager -f krb.ldif

where I used:

# ldapsearch -x -b dc=xxx,dc=xxx

to find the entry for

dn: cn=global_policy,cn=XXX.XXX,cn=kerberos,dc=xxx,dc=xxx

I then made krb.ldif that contains:

dn: cn=global_policy,cn=XXX.XXX,cn=kerberos,dc=xxx,dc=xxx
changetype: modify
replace: krbMaxPwdLife
krbMaxPwdLife: 864000

Then I was able to reset the password with kadmin.local as before.

I see that your solution is much more direct.
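The two repairs discussed in this thread, Rob's krbPasswordExpiration reset on the admin entry and Roderick's krbMaxPwdLife change on the global policy, are both plain LDIF modifications applied with a Directory Manager bind, and Dmitri's remark about the value rolling over in 2038 is the check worth running before applying either. The following script is an added example and not code from the thread or from FreeIPA: it generates both LDIFs, refuses any expiration at or past the 32-bit time_t limit, and recognises a wrapped value such as the 1906 date in the get_principal output. The suffix dc=example,dc=com and realm EXAMPLE.COM are placeholders, and the "single wrap" recovery in unwrap() is an inference from the thread's explanation, not something the page states.

```python
"""Added example: LDIF generation for un-expiring an IPA admin account,
with a 2038-rollover check on the requested expiration."""
from datetime import datetime, timedelta, timezone

# The thread attributes the 1906 expiry to a 32-bit rollover in 2038. This is
# the last instant a signed 32-bit time_t can hold; anything at or past it wraps.
TIME_T_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)
WRAP = timedelta(seconds=2**32)  # one full 32-bit cycle
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Placeholder deployment values (assumed, not from the thread).
BASE_DN = "dc=example,dc=com"
REALM = "EXAMPLE.COM"


def to_generalized_time(when: datetime) -> str:
    """Format a tz-aware datetime as LDAP GeneralizedTime, e.g. 20150301120000Z."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_generalized_time(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ form IPA stores in krbPasswordExpiration."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_wrapped(value: str) -> bool:
    """A stored expiration before the Unix epoch (like 1906 in the thread) can
    only have come from a date that wrapped when stored as 32-bit time_t."""
    return parse_generalized_time(value) < EPOCH


def unwrap(value: str) -> datetime:
    """Recover the intended date, assuming exactly one 32-bit wrap (inference)."""
    return parse_generalized_time(value) + WRAP


def would_wrap(value: str) -> bool:
    """True if storing this GeneralizedTime as 32-bit time_t would roll over."""
    return parse_generalized_time(value) >= TIME_T_MAX


def admin_expiration_ldif(when: datetime, base_dn: str = BASE_DN, uid: str = "admin") -> str:
    """LDIF setting krbPasswordExpiration on the admin entry (Rob's suggestion).
    Refuses dates that would wrap, which is how the lockout happened."""
    stamp = to_generalized_time(when)
    if would_wrap(stamp):
        raise ValueError(f"{stamp} is at or past the 2038 rollover; pick an earlier date")
    return "\n".join([
        f"dn: uid={uid},cn=users,cn=accounts,{base_dn}",
        "changetype: modify",
        "replace: krbPasswordExpiration",
        f"krbPasswordExpiration: {stamp}",
        "",
    ])


def max_pwd_life_ldif(seconds: int, base_dn: str = BASE_DN, realm: str = REALM) -> str:
    """LDIF setting krbMaxPwdLife (seconds) on the global policy, the change
    Roderick applied by hand: 86400 is one day, 864000 is ten days."""
    if seconds <= 0:
        raise ValueError("krbMaxPwdLife must be a positive number of seconds")
    return "\n".join([
        f"dn: cn=global_policy,cn={realm},cn=kerberos,{base_dn}",
        "changetype: modify",
        "replace: krbMaxPwdLife",
        f"krbMaxPwdLife: {seconds}",
        "",
    ])


if __name__ == "__main__":
    # Constructed from the get_principal output quoted in the thread.
    stored = "19060522115953Z"
    if is_wrapped(stored):
        print(f"{stored} is a wrapped value; intended expiry was {unwrap(stored).isoformat()}")
    # A sane expiry 90 days out; apply the output with a Directory Manager bind:
    #   ldapmodify -x -D "cn=directory manager" -W -f admin.ldif   (file name hypothetical)
    print(admin_expiration_ldif(datetime.now(timezone.utc) + timedelta(days=90)))
    print(max_pwd_life_ldif(90 * 86400))
```

Adding 2^32 seconds to the 1906 timestamp from the thread gives 2042-06-27 18:28:09, which is exactly 10000 days after the "Last password change" of 2015-02-09 18:28:09 in the same output, so the wrapped value is consistent with a maximum password life of 10000 days having been set on the policy. Resetting krbMaxPwdLife alone does not repair an already-wrapped krbPasswordExpiration; the admin entry's own attribute has to be rewritten, which is why Rob's path is the direct one.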
[Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21
Hi all, i'm getting dogtag figured out slowly, and i noticed one odd thing.

I've setup certmonger to request an arbitrary certificate through dogtag, and
while the request seems to go into the dogtag system, certmonger acts as if
communication with the CA failed. The certificate is considered in need of
user attention because the process got stuck.

Request ID '20150210125814':
  status: NEED_GUIDANCE
  stuck: yes
  key pair storage: type=FILE,location='/etc/pki/testkey'
  certificate: type=FILE,location='/etc/pki/testcert'
  CA: dogtag-ipa
  issuer:
  subject:
  expires: unknown
  pre-save command:
  post-save command:
  track: yes
  auto-renew: yes

[root@fedora pki]# systemctl status -l certmonger
(...)
lut 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate to be stored in file "/etc/pki/testcert" rejected by CA.

The request is present in dogtag and is valid, can be accepted/rejected, etc.
Even though certmonger never notices that.

I wonder if there is some obvious mistake in my setup, or perhaps there is a
known bug in the interaction of both components on F21 (i'm using only
standard repositories). When i post the query from certmonger's agent defined
in the ca definition through curl, i get no errors.

What would be the best way to debug this issue?
[Freeipa-users] Renaming Sudo rule name
Hi All,

Is there any way I can rename the sudo rule name or copy the existing sudo
rule to a new one?

Regards
Sanju Abraham

=-=-=
Notice: The information contained in this e-mail message and/or attachments
to it may contain confidential or privileged information. If you are not the
intended recipient, any dissemination, use, review, distribution, printing or
copying of the information contained in this e-mail message and/or
attachments to it are strictly prohibited. If you have received this
communication in error, please notify us by reply e-mail or telephone and
immediately and permanently delete the message and any attachments. Thank you
Re: [Freeipa-users] Renaming Sudo rule name
On 02/10/2015 09:22 AM, Sanju A wrote: Hi All, Is there any way I can rename the sudo rule name or copy the existing sudo rule to a new one? Hello, sorry, there is no support for that in the FreeIPA API atm. But you can rename the rule directly using ldap modify. e.g.:

    dn: ipaUniqueID=a37f5faa-b0ff-11e4-a92e-001a4a22218e,cn=sudorules,cn=sudo,dc=example,dc=com
    changetype: modify
    replace: cn
    cn: newName

Though, I'm not sure if it would cause some undesired side effects. https://fedorahosted.org/freeipa/ticket/2466 https://fedorahosted.org/freeipa/ticket/2911 HTH -- Petr Vobornik
Re: [Freeipa-users] bug with ipa-replica and external dns?
- Original message - From: Martin Basti mba...@redhat.com To: Nicolas Zin nicolas@savoirfairelinux.com, freeipa-users@redhat.com Sent: Tuesday 10 February 2015 14:02:30 Subject: Re: [Freeipa-users] bug with ipa-replica and external dns? On 10/02/15 10:42, Nicolas Zin wrote: Hi. I tried to install IDM 3.3 (RHEL7) without integrated DNS. It works fine until I begin to create a replica: root@srv-idm7-01 # ipa-replica-prepare srv-idm7-02.hq.company.com --ip-address 192.168.128.22 --no-reverse Directory Manager (existing master) password: You can't add a DNS record because DNS is not set up. The message is pretty clear: the DNS is not set up: for sure, it is externally managed. Should I consider it as a bug? Or is there something I did wrong? Regards, Nicolas Zin nicolas@savoirfairelinux.com Direct line: 514-276-5468 ext. 135 Fax: 514-276-5465 7275 Saint Urbain Bureau 200 Montréal, QC, H2R 2Y5 Hello, configure A/ and reverse records for srv-idm7-02.hq.company.com on your external DNS Then run just ipa-replica-prepare srv-idm7-02.hq.company.com It should work. HTH I have to check again, but I'm pretty sure that A and reverse were already configured (but no ), and I pointed to the correct external DNS server: I was tcpdumping it, and saw the requests. I will see if removing --ip-address changes something.
[Freeipa-users] bug with ipa-replica and external dns?
Hi. I tried to install IDM 3.3 (RHEL7) without integrated DNS. It works fine until I begin to create a replica: root@srv-idm7-01 # ipa-replica-prepare srv-idm7-02.hq.company.com --ip-address 192.168.128.22 --no-reverse Directory Manager (existing master) password: You can't add a DNS record because DNS is not set up. The message is pretty clear: the DNS is not set up: for sure, it is externally managed. Should I consider it as a bug? Or is there something I did wrong? Regards, Nicolas Zin nicolas@savoirfairelinux.com Direct line: 514-276-5468 ext. 135 Fax: 514-276-5465 7275 Saint Urbain Bureau 200 Montréal, QC, H2R 2Y5
Re: [Freeipa-users] bug with ipa-replica and external dns?
On 10/02/15 10:42, Nicolas Zin wrote: Hi. I tried to install IDM 3.3 (RHEL7) without integrated DNS. It works fine until I begin to create a replica: root@srv-idm7-01 # ipa-replica-prepare srv-idm7-02.hq.company.com --ip-address 192.168.128.22 --no-reverse Directory Manager (existing master) password: You can't add a DNS record because DNS is not set up. The message is pretty clear: the DNS is not set up: for sure, it is externally managed. Should I consider it as a bug? Or is there something I did wrong? Regards, Nicolas Zin nicolas@savoirfairelinux.com Direct line: 514-276-5468 ext. 135 Fax: 514-276-5465 7275 Saint Urbain Bureau 200 Montréal, QC, H2R 2Y5 Hello, configure A/ and reverse records for srv-idm7-02.hq.company.com on your external DNS Then run just ipa-replica-prepare srv-idm7-02.hq.company.com It should work. HTH -- Martin Basti
Re: [Freeipa-users] admin password is always expired
On 10/02/15 07:44, Dmitri Pal wrote: On 02/09/2015 05:35 PM, Roderick Johnstone wrote: Hi, I seem to have locked myself out of my ipa admin account (on RHEL 6.6). This is an evaluation instance so not too big a deal, but a good learning experience. I suspect it's some changes that I made to the password policy that caused this. The admin account has expired and I'm trying to reset the password like this:

    # kadmin.local
    Authenticating as principal root/admin@REALM with password.
    kadmin.local: change_password admin@REALM
    Enter password for principal admin@REALM:
    Re-enter password for principal admin@REALM:
    Password for admin@REALM changed.
    kadmin.local: q

where REALM is my realm. Then when I try to authenticate as admin:

    # kinit admin
    Password for admin@REALM:
    Password expired. You must change it now.
    Enter new password:
    Enter it again:
    kinit: Password has expired while getting initial credentials

and the password is not reset. This is what the password policy looks like at the moment:

    kadmin.local: get_policy global_policy
    Policy: global_policy
    Maximum password life: 86400
    Minimum password life: 0
    Minimum password length: 8
    Minimum number of password character classes: 0
    Number of old keys kept: 0
    Reference count: 0
    Maximum password failures before lockout: 6
    Password failure count reset interval: 0 days 00:01:00
    Password lockout duration: 0 days 00:10:00

I'm trying to set this back to the defaults in the hope that this allows me to reset the admin password properly, but I'm getting eg:

    kadmin.local: modify_policy -maxlife 90 days global_policy
    modify_policy: Plugin does not support the operation while modifying policy global_policy.

Am I on the right track to fixing the admin password problem? What am I doing wrong in trying to repair the password policy?
Actually when I do the following it looks strange that Policy is set to none, but maybe this is a red herring:

    kadmin.local: get_principal admin
    Principal: admin@REALM
    Expiration date: [never]
    Last password change: Mon Feb 09 18:28:09 GMT 2015
    Password expiration date: Tue May 22 11:59:53 GMT 1906
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind@REALM)
    Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
    Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
    Failed password attempts: 0
    Number of keys: 4
    Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
    Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
    Key: vno 16, des3-cbc-sha1, Version 5
    Key: vno 16, arcfour-hmac, Version 5
    MKey: vno 1
    Attributes: REQUIRES_PRE_AUTH
    Policy: [none]

Thanks for any help in diagnosing this issue or fixing it. Roderick Johnstone

Did you set password expiration for admin manually?

Ok, as far as I remember, I originally changed the global_policy and then encountered the problem described above, i.e. I couldn't authenticate as admin using: kinit admin. In trying to resolve this I found a thread that suggested to change the admin password with:

    ldappasswd -x -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=xxx,dc=xxx

Maybe this was a bad move?

The attribute shows that it is 1906. This makes me think that you set your expiration to a big number. However the value rolls over in 2038. So you need to make sure what you set translates to a date before 2038.

I suspect I did set the expiration to too big a number originally. After I was in the always expired loop I found a number of threads mentioning this wrap around issue and I have tried a number of things to fix it, so maybe I'm just making things worse.

Why are you using kadmin.local? With IPA it is not supported.

Out of ignorance I guess. I'm still finding my way into all this stuff!
What is the recommended way to reset an admin password in ipa when you can't authenticate as admin? There is a bunch of IPA commands that do the same. But if kinit admin won't authenticate me, how can I use the IPA commands? How can I now reset the expiration date for admin when I can't authenticate as admin? Thanks. Roderick
Re: [Freeipa-users] bug with ipa-replica and external dns? [SOLVED]
On 10.2.2015 12:29, Martin Basti wrote: option --ip-address adds the specified address (addresses IPA-4-1) into IPA DNS. IPA currently does not support updating external DNS servers, so that is the reason why replica preparation did not work for you. Let me add that newer versions of FreeIPA should print the following message: It is not possible to add a DNS record automatically because DNS is not managed by IPA. Please create DNS record manually and then omit --ip-address option. I hope this will clarify it :-) -- Petr^2 Spacek
Re: [Freeipa-users] bug with ipa-replica and external dns?
great! works if I don't add --ip-address thanks! - Original message - From: Nicolas Zin nicolas@savoirfairelinux.com To: Martin Basti mba...@redhat.com Cc: freeipa-users@redhat.com Sent: Tuesday 10 February 2015 14:14:13 Subject: Re: [Freeipa-users] bug with ipa-replica and external dns? - Original message - From: Martin Basti mba...@redhat.com To: Nicolas Zin nicolas@savoirfairelinux.com, freeipa-users@redhat.com Sent: Tuesday 10 February 2015 14:02:30 Subject: Re: [Freeipa-users] bug with ipa-replica and external dns? On 10/02/15 10:42, Nicolas Zin wrote: Hi. I tried to install IDM 3.3 (RHEL7) without integrated DNS. It works fine until I begin to create a replica: root@srv-idm7-01 # ipa-replica-prepare srv-idm7-02.hq.company.com --ip-address 192.168.128.22 --no-reverse Directory Manager (existing master) password: You can't add a DNS record because DNS is not set up. The message is pretty clear: the DNS is not set up: for sure, it is externally managed. Should I consider it as a bug? Or is there something I did wrong? Regards, Nicolas Zin nicolas@savoirfairelinux.com Direct line: 514-276-5468 ext. 135 Fax: 514-276-5465 7275 Saint Urbain Bureau 200 Montréal, QC, H2R 2Y5 Hello, configure A/ and reverse records for srv-idm7-02.hq.company.com on your external DNS Then run just ipa-replica-prepare srv-idm7-02.hq.company.com It should work. HTH I have to check again, but I'm pretty sure that A and reverse were already configured (but no ), and I pointed to the correct external DNS server: I was tcpdumping it, and saw the requests. I will see if removing --ip-address changes something.
Re: [Freeipa-users] bug with ipa-replica and external dns? [SOLVED]
On 10/02/15 12:22, Nicolas Zin wrote: great! works if I don't add --ip-address thanks! option --ip-address adds the specified address (addresses IPA-4-1) into IPA DNS. IPA currently does not support updating external DNS servers, so that is the reason why replica preparation did not work for you. - Original message - From: Nicolas Zin nicolas@savoirfairelinux.com To: Martin Basti mba...@redhat.com Cc: freeipa-users@redhat.com Sent: Tuesday 10 February 2015 14:14:13 Subject: Re: [Freeipa-users] bug with ipa-replica and external dns? - Original message - From: Martin Basti mba...@redhat.com To: Nicolas Zin nicolas@savoirfairelinux.com, freeipa-users@redhat.com Sent: Tuesday 10 February 2015 14:02:30 Subject: Re: [Freeipa-users] bug with ipa-replica and external dns? On 10/02/15 10:42, Nicolas Zin wrote: Hi. I tried to install IDM 3.3 (RHEL7) without integrated DNS. It works fine until I begin to create a replica: root@srv-idm7-01 # ipa-replica-prepare srv-idm7-02.hq.company.com --ip-address 192.168.128.22 --no-reverse Directory Manager (existing master) password: You can't add a DNS record because DNS is not set up. The message is pretty clear: the DNS is not set up: for sure, it is externally managed. Should I consider it as a bug? Or is there something I did wrong? Regards, Nicolas Zin nicolas@savoirfairelinux.com Direct line: 514-276-5468 ext. 135 Fax: 514-276-5465 7275 Saint Urbain Bureau 200 Montréal, QC, H2R 2Y5 Hello, configure A/ and reverse records for srv-idm7-02.hq.company.com on your external DNS Then run just ipa-replica-prepare srv-idm7-02.hq.company.com It should work. HTH I have to check again, but I'm pretty sure that A and reverse were already configured (but no ), and I pointed to the correct external DNS server: I was tcpdumping it, and saw the requests.
I will see if removing --ip-address changes something. -- Martin Basti
Re: [Freeipa-users] Heads up - FC20 softhsm -2.0.0b1-8 rpm from mkosek/freeipa copr appears to be broken
On 10.2.2015 01:23, Michael Lasevich wrote: To save a day of torture to those of you still on FC20 and using the mkosek-freeipa copr repo - it appears that the package ( http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-20-x86_64/softhsm-2.0.0b1-8.fc20/softhsm-2.0.0b1-8.fc20.x86_64.rpm) is somehow broken. Once installed, you get "Error: Could not load the library." no matter what you do with softhsm2-util. You are also not going to be able to start/restart the ipa service because DNS is not functional. I have rebuilt the rpm from the source rpm and things seem to be working. Hope this helps someone to not have a day of hair pulling. You have been warned :-) Thank you for the heads up! The problem was actually caused by an obsolete version of OpenSSL in the COPR repo. It should work now (until the Fedora updates repo builds a newer OpenSSL version again :-). Generally - please migrate to Fedora 21 to avoid this kind of problems :-) -- Petr^2 Spacek
Re: [Freeipa-users] admin password is always expired
On 02/10/2015 12:00 PM, Roderick Johnstone wrote: On 10/02/15 07:44, Dmitri Pal wrote: On 02/09/2015 05:35 PM, Roderick Johnstone wrote: Hi, I seem to have locked myself out of my ipa admin account (on RHEL 6.6). This is an evaluation instance so not too big a deal, but a good learning experience. I suspect it's some changes that I made to the password policy that caused this. The admin account has expired and I'm trying to reset the password like this:

    # kadmin.local
    Authenticating as principal root/admin@REALM with password.
    kadmin.local: change_password admin@REALM
    Enter password for principal admin@REALM:
    Re-enter password for principal admin@REALM:
    Password for admin@REALM changed.
    kadmin.local: q

where REALM is my realm. Then when I try to authenticate as admin:

    # kinit admin
    Password for admin@REALM:
    Password expired. You must change it now.
    Enter new password:
    Enter it again:
    kinit: Password has expired while getting initial credentials

and the password is not reset. This is what the password policy looks like at the moment:

    kadmin.local: get_policy global_policy
    Policy: global_policy
    Maximum password life: 86400
    Minimum password life: 0
    Minimum password length: 8
    Minimum number of password character classes: 0
    Number of old keys kept: 0
    Reference count: 0
    Maximum password failures before lockout: 6
    Password failure count reset interval: 0 days 00:01:00
    Password lockout duration: 0 days 00:10:00

I'm trying to set this back to the defaults in the hope that this allows me to reset the admin password properly, but I'm getting eg:

    kadmin.local: modify_policy -maxlife 90 days global_policy
    modify_policy: Plugin does not support the operation while modifying policy global_policy.

Am I on the right track to fixing the admin password problem? What am I doing wrong in trying to repair the password policy?
Actually when I do the following it looks strange that Policy is set to none, but maybe this is a red herring:

    kadmin.local: get_principal admin
    Principal: admin@REALM
    Expiration date: [never]
    Last password change: Mon Feb 09 18:28:09 GMT 2015
    Password expiration date: Tue May 22 11:59:53 GMT 1906
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind@REALM)
    Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
    Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
    Failed password attempts: 0
    Number of keys: 4
    Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
    Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
    Key: vno 16, des3-cbc-sha1, Version 5
    Key: vno 16, arcfour-hmac, Version 5
    MKey: vno 1
    Attributes: REQUIRES_PRE_AUTH
    Policy: [none]

Thanks for any help in diagnosing this issue or fixing it. Roderick Johnstone

Did you set password expiration for admin manually?

Ok, as far as I remember, I originally changed the global_policy and then encountered the problem described above, i.e. I couldn't authenticate as admin using: kinit admin. In trying to resolve this I found a thread that suggested to change the admin password with:

    ldappasswd -x -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=xxx,dc=xxx

Maybe this was a bad move?

The attribute shows that it is 1906. This makes me think that you set your expiration to a big number. However the value rolls over in 2038. So you need to make sure what you set translates to a date before 2038.

I suspect I did set the expiration to too big a number originally. After I was in the always expired loop I found a number of threads mentioning this wrap around issue and I have tried a number of things to fix it, so maybe I'm just making things worse.

Why are you using kadmin.local? With IPA it is not supported.

Out of ignorance I guess. I'm still finding my way into all this stuff!
What is the recommended way to reset an admin password in ipa when you can't authenticate as admin? There is a bunch of IPA commands that do the same. But if kinit admin won't authenticate me, how can I use the IPA commands? How can I now reset the expiration date for admin when I can't authenticate as admin? Thanks. Roderick

Resetting the password using ldappasswd won't help if the culprit is global or other IPA password policy. You can change the policy in LDAP as Directory Manager. It's located in:

    cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com

then you can try to kinit and set the new password. -- Petr Vobornik
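The two manual LDAP fixes proposed in this archive, renaming a sudo rule by its ipaUniqueID (Petr Vobornik's LDIF in the "Renaming Sudo rule name" thread) and editing the global password policy or a user's expiration as Directory Manager (Petr's answer just above), both come down to writing a correct LDIF change record, and the second one needs a guard against the 2038 rollover Dmitri mentions. The following is an added example written for this page, not FreeIPA code. It models the rollover as a signed 32-bit time_t (that model is an assumption; the 1906 date in the thread is what such a wrap produces for a date in 2042). The attribute names krbMaxPwdLife and krbPasswordExpiration are FreeIPA's; every DN suffix, the uid and the realm are placeholders.

```python
"""LDIF builders for the manual fixes discussed on the Freeipa-users list.
Added example, not FreeIPA code.  'dc=example,dc=com', 'EXAMPLE.COM' and
the uid are placeholders; the signed 32-bit time_t wrap is a model."""
import base64
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1  # last second a signed 32-bit time_t holds: 2038-01-19


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build an aware UTC datetime (keeps the callers short)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def ldif_value(attr, value):
    """One attribute line per RFC 2849: a value that starts with a space,
    ':' or '<', or contains non-ASCII, NUL, CR or LF, must be written
    base64-encoded as 'attr:: ...' or ldapmodify misreads it."""
    text = str(value)
    unsafe = text[:1] in (" ", ":", "<") or any(
        ord(c) > 126 or c in "\0\r\n" for c in text)
    if unsafe:
        return f"{attr}:: {base64.b64encode(text.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {text}"


def modify_ldif(dn, attr, value):
    """A single 'replace' change record, ready for ldapmodify -f."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      f"replace: {attr}", ldif_value(attr, value), "", ""])


def sudorule_rename_ldif(base_dn, ipa_unique_id, new_name):
    """Rename a sudo rule in place: the RDN is ipaUniqueID, so cn can be
    replaced without a modrdn (the same record Petr Vobornik posted)."""
    dn = f"ipaUniqueID={ipa_unique_id},cn=sudorules,cn=sudo,{base_dn}"
    return modify_ldif(dn, "cn", new_name)


def pwpolicy_maxlife_ldif(realm, base_dn, max_life_days):
    """krbMaxPwdLife is stored in seconds; 86400, as in the thread, expires
    every password after one day."""
    dn = f"cn=global_policy,cn={realm},cn=kerberos,{base_dn}"
    return modify_ldif(dn, "krbMaxPwdLife", max_life_days * 86400)


def to_int32(seconds):
    """Wrap an epoch value the way a signed 32-bit time_t would."""
    return ((seconds + 2**31) % 2**32) - 2**31


def epoch_seconds(when):
    return int((when - EPOCH).total_seconds())


def kdc_visible_expiration(when):
    """The date a 32-bit KDC would report for an expiration set to `when`;
    anything after 2038-01-19 comes back as a date between 1901 and 1970."""
    return EPOCH + timedelta(seconds=to_int32(epoch_seconds(when)))


def generalized_time(when):
    """LDAP GeneralizedTime, the syntax of krbPasswordExpiration."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def user_expiration_ldif(base_dn, uid, when):
    """Refuse a date that would wrap: the account would then be 'expired'
    forever, which is the loop Roderick describes."""
    if epoch_seconds(when) > INT32_MAX:
        seen = kdc_visible_expiration(when)
        raise ValueError(f"{when:%Y-%m-%d} exceeds 32-bit time_t; a KDC "
                         f"would report {seen:%Y-%m-%d}")
    dn = f"uid={uid},cn=users,cn=accounts,{base_dn}"
    return modify_ldif(dn, "krbPasswordExpiration", generalized_time(when))


if __name__ == "__main__":
    print(pwpolicy_maxlife_ldif("EXAMPLE.COM", "dc=example,dc=com", 90))
    print(user_expiration_ldif("dc=example,dc=com", "admin", utc(2016, 1, 1)))
    print(kdc_visible_expiration(utc(2042, 6, 1)))  # a 1906 date
```

Write the output to a file and apply it with `ldapmodify -x -D 'cn=directory manager' -W -f fix.ldif`, then `kinit admin` and set a fresh password. Checking the expiration against INT32_MAX before writing is the step that would have avoided the 1906 date: a value past 2038 does not fail loudly, it silently becomes a date in the past.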
Re: [Freeipa-users] Upgrade from 3x to 4x cant create first replica.
On 02/09/2015 11:36 AM, Martin Kosek wrote: On 02/09/2015 05:16 PM, Chris Mohler wrote: On 02/09/2015 10:18 AM, Martin Kosek wrote: On 02/07/2015 12:27 AM, Chris Mohler wrote: I'm having some troubles. I have an older IPA install, version 3.0.0, on CentOS 6.6. It's currently the only master for my domain. I have about 4k user accounts on here and it's a live system called idm. I'm trying to upgrade to v4.x as I am hoping to fix some issues I am having (clients can't auth unless service sssd is restarted multiple times 10 (User not known to the underlying authentication module)). I think this is possibly unrelated and the topic for another thread. I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2; it's called ipa.

Good. Also note that RHEL/CentOS 7.1 will have a FreeIPA 4.0+ version baked in, so you can also use that platform if you are used to it.

On the master idm I ran ipa-replica-prepare and transferred the file to the future replica ipa. Then I ran the install replica script:

    ipa-replica-install --setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg

Things went well until it failed:

    [24/35]: setting up initial replication
    Starting replication, please wait until this has completed.
    Update in progress, 133 seconds elapsed
    Update in progress yet not in progress
    Update in progress yet not in progress
    Update in progress yet not in progress
    [idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
    [error] RuntimeError: Failed to start replication
    Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.

Please help, I'm getting nowhere by myself.

Can you please look on the master you are replicating from and look for errors in /var/log/messages or the DS errors log? Maybe you will see messages like "ns-slapd: encoded packet size too big (xx 65536)" that are known to pop up more with CentOS 6.6.

Hi Martin, Thanks for the reply and help, I appreciate it.

Good.
Also note that RHEL/CentOS 7.1 will have a FreeIPA 4.0+ version baked in, so you can also use that platform if you are used to it.

Good to know. I try to be distro agnostic. I've used Redhat 7.1 then went Solaris, then Ubuntu, now I'm back for CentOS and Fedora. I guess I'm equally uncomfortable with either version. That said, is there any reason that I could or should not have a replica on a Fedora 21 server and a 2nd replica on a CentOS 7.1 later? My understanding is the more the merrier.

It should just work. Just note that in case of Fedora Server, these are upstream/Fedora bits which are only tested upstream. So if you for example break something in Fedora 21 (not likely to happen though ;-) and then get the change *replicated* to the RHEL production instance, I do not think Red Hat support would be happy with that. Also, if for example upstream releases FreeIPA 4.2, I would not just plug it into your production RHEL instance as it would upgrade all the data to the 4.2 level, which should get more downstream testing before Red Hat can rubber stamp it. TLDR; if you are happy with the upstream level of support (this list/IRC/Trac), knock yourself out :-)

Can you please look on the master you are replicating from and look for errors in /var/log/messages or the DS errors log?

I tried to set up the replica again just now so I have some fresh logs. From the Dirserv error log:

    [08/Feb/2015:22:14:48 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 starting up
    [08/Feb/2015:22:14:48 -0500] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=cs,dc=oberlin,dc=edu
    [08/Feb/2015:22:14:50 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
    [08/Feb/2015:22:14:50 -0500] - Listening on All Interfaces port 636 for LDAPS requests
    [08/Feb/2015:22:14:50 -0500] - Listening on /var/run/slapd-CS-OBERLIN-EDU.socket for LDAPI requests
    [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - agmt=cn=meToipa.cs.oberlin.edu (ipa:389): Schema replication update failed: Server is unwilling to perform
    [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total update session.
    [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of replica agmt=cn=meToipa.cs.oberlin.edu (ipa:389)

To be fair and not duplicate efforts, I have had the following error:

    [08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is less than db size 12115968B; We recommend to increase the entry cache size nsslapd-cachememsize.

To which I have asked another question, how do I change the entry cache size: https://www.redhat.com/archives/freeipa-users/2015-February/msg00114.html I now get additional errors which I would guess are possibly related.

IMO, this should not be related (should not break replication). I do not see anything useful in the error log though. Did you also check /var/log/messages for the errors log
[Freeipa-users] ipa group-add mixed case?
Hi, I recently deployed FreeIPA but I stumbled upon a problem with migrating my groups. The groups in our old system are mixed case, such as MyGroup. The application that syncs these groups is case sensitive. The problem is that when I create these groups using the webgui or the ipa admin tool it gets created using lowercase. I was wondering if there is a way around this? Even perhaps changing a small part in the code. I tried looking into the code of the ipa admin tool but could not find the part that changes the group name to lowercase. Any tips or help? Kind Regards, David
Re: [Freeipa-users] ipa group-add mixed case?
David Dejaeghere wrote: Hi, I recently deployed FreeIPA but I stumbled upon a problem with migrating my groups. The groups in our old system are mixed case, such as MyGroup. The application that syncs these groups is case sensitive. The problem is that when I create these groups using the webgui or the ipa admin tool it gets created using lowercase. I was wondering if there is a way around this? Even perhaps changing a small part in the code. I tried looking into the code of the ipa admin tool but could not find the part that changes the group name to lowercase. Any tips or help?

IPA has always forced lower-case group names. The value is stored in the cn attribute in LDAP which is case insensitive so allowing mixed-case would just cause confusion (because you can't have myGroup and MYgroup). I really wouldn't recommend changing the IPA source as it is going to be difficult to remember making the same change across all masters with each update, beyond the fact that it has never been tested. Who knows how compatible this will be internally. But in any case, in ipalib/plugins/group.py you'll find where the parameters are defined in takes_params. In the Str('cn') definition there is a normalizer:

    normalizer=lambda value: value.lower(),

Remove or comment out this line and restart httpd. Good luck. rob
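Rob's point, that cn is matched case-insensitively in LDAP while the sync application compares names case-sensitively, is easiest to see with a small model of both sides. The following is an added example written for this page, not ipalib code: CaseIgnoreContainer stands in for an LDAP container whose naming attribute uses caseIgnoreMatch, ipa_normalize reproduces what the group normalizer does, and reconcile is a hypothetical case-sensitive consumer. It shows that removing the normalizer keeps the spelling David wants, but the directory still refuses a second group that differs only in case, and any consumer that asks for the other spelling gets a mismatch rather than a distinct group.

```python
"""Added example, not ipalib code: why IPA lower-cases group names."""


def ipa_normalize(name):
    """What ipalib's Str('cn', normalizer=lambda value: value.lower())
    does to every group name before it reaches the directory."""
    return name.lower()


class CaseIgnoreContainer:
    """Minimal model of an LDAP container whose naming attribute uses
    caseIgnoreMatch: the first spelling is stored; later adds and lookups
    ignore case."""

    def __init__(self):
        self._by_key = {}  # case-folded cn -> cn as stored

    def add(self, cn, normalize=ipa_normalize):
        stored = normalize(cn)
        key = stored.casefold()
        if key in self._by_key:
            raise ValueError(
                f"{cn!r} collides with existing entry {self._by_key[key]!r}")
        self._by_key[key] = stored
        return stored

    def lookup(self, cn):
        return self._by_key.get(cn.casefold())


def reconcile(container, wanted):
    """How a case-sensitive sync application (hypothetical) classifies the
    groups it expects: 'ok' only when the stored spelling matches exactly."""
    result = {}
    for name in wanted:
        stored = container.lookup(name)
        if stored is None:
            result[name] = "missing"
        elif stored == name:
            result[name] = "ok"
        else:
            result[name] = f"case-mismatch (directory has {stored!r})"
    return result


def demo():
    """With the normalizer, 'MyGroup' is stored as 'mygroup'.  Without it
    the spelling survives, but 'mygroup' can no longer be added and a
    consumer asking for the other case sees a mismatch, not a new group."""
    normalized = CaseIgnoreContainer()
    normalized.add("MyGroup")

    raw = CaseIgnoreContainer()
    raw.add("MyGroup", normalize=lambda n: n)   # normalizer removed
    try:
        raw.add("mygroup", normalize=lambda n: n)
        collided = False
    except ValueError:
        collided = True

    return (reconcile(normalized, ["MyGroup"]),
            reconcile(raw, ["MyGroup", "mygroup"]),
            collided)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

If the sync application can be taught to compare case-insensitively, that is the safer change: it matches the directory's own semantics and needs no patch to every IPA master.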
Re: [Freeipa-users] Integrating Freeipa with Samba server through ldapsam or ipasam ? How to compile ipasam separately on Centos 7 ?
On 02/10/2015 08:39 PM, Israel Miranda wrote: I have a freeipa installation of v4 on Fedora 21. I have a separate fileserver with freeipa packages installed from mkosek-freeipa-epel-7.repo on centos 7. I have:

    * created sambaSAMAccount, sambaGroupMapping UserObjects
    * created an entry for the DNA plugin to populate them: cn=SambaGroupSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
    * added a CoS template for sambaGroupType
    * added a CoS definition for sambaGroupType
    * used ipa-adtrust-install to create and populate ipaNTHash
    * checked the creation of these attributes with an ldap browser, all ok
    * put the fileserver machine on the domain
    * added the necessary permissions, privileges and roles
    * installed the kerberos keytab on the fileserver
    * was able to retrieve the ipaNTHash attribute with the keytab from the samba server

and now the only thing missing is to integrate the fileserver with the ipaserver. I don't mind using ipasam, but to install it on my centos7 fileserver, which only has samba installed and nothing else, it also pulls the whole freeipa-server package, and this is overkill just to get ipasam.so. So I'd like some help in compiling it separately. I am using the standard samba server distributed with centos 7. So I tried to use passdb backend = ldapsam:ldap//ipaserver but samba tries to bind using the admin user, and doesn't use the keytab, even though I put dedicated keytab file = FILE:/etc/samba/samba.keytab kerberos method = dedicated keytab in smb.conf. So please help me in getting these two things done: 1. use samba with freeipa through ldap (I know it is worse than ipasam, but it would be nice to know how to integrate freeipa with samba with ldap on systems where ipasam might not be available) 2. compile an ipasam.so module so we can work on creating an rpm package in the future, since it is necessary to install ipasam.so separately. Kudos to the development team for this amazing software.
Thanks in advance. Free software philosophy: Information is for free. People are not. Contributors are priceless. Israel Vinícius Miranda

Have you considered this: http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA ? -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.
Re: [Freeipa-users] Trust with Active Directory fails
Well, that's a surprise! Since the ipv6 module is running, I had assumed that IPv6 is enabled:

    # lsmod | grep ipv6
    ipv6 334932 0

I'll look into getting IPv6 enabled. (This is a RHEL6 server, which uses SysV init instead of systemd.) Thanks for your help. David Guertin Information Technology Services Middlebury College 700 Exchange St. Middlebury, VT 05753 (802)443-3143

From: Alexander Bokovoy aboko...@redhat.com Sent: Tuesday, February 10, 2015 2:51 AM To: Guertin, David S. Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Trust with Active Directory fails On Mon, 09 Feb 2015, Guertin, David S. wrote: Can you send me (off-list) logs as described in http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_tr ust Alexander, Here are the log files you requested. Thanks, you have the IPv6 protocol family disabled in your kernel. Samba opens its sockets using IPv6-enabled functions because the system library is recommending that (see man page for IPv6).

    [2015/02/09 13:29:59.577360, 0, pid=3012, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:423(open_socket_in)
    open_socket_in(): socket() call failed: Address family not supported by protocol
    [2015/02/09 13:29:59.577485, 0, pid=3012, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:636(create_tcpip_socket)
    Failed to create socket on port 135!
    [2015/02/09 13:29:59.577523, 0, pid=3012, effective(0, 0), real(0, 0)] ../source3/rpc_server/epmd.c:202(start_epmd)
    Failed to open epmd tcpip sockets!

As a result, we are unable to proceed with the connection to the local portmapper and cannot operate on IPA's half of the trust. See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#IPv6_stack_usage for details. -- / Alexander Bokovoy
Re: [Freeipa-users] Trust with Active Directory fails
For the record, here's the solution I came up with for RHEL6 (and presumably other SysV init-based systems): Its Linux kernel is 2.6, which does have IPv6 enabled. The ipv6 module is loaded. I had looked at those and assumed that everything was OK, but these two are not enough. I needed to edit /etc/modprobe/ipv6.conf and change ipv6 disable=1 to ipv6 disable=0. Now it works. David Guertin
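The two checks David needed, whether an AF_INET6 socket can actually be created (the call Samba's open_socket_in() fails on with "Address family not supported by protocol") and whether a modprobe options file disables the ipv6 module even though lsmod shows it loaded, are easy to script. The following is an added example written for this page, not Samba or FreeIPA code. The sample modprobe text is constructed; the path /etc/modprobe.d/ipv6.conf in the main block and the "alias net-pf-10 off" spelling of the older way to disable IPv6 are assumptions, so adjust them to your system.

```python
"""Added example, not Samba/FreeIPA code: pre-flight checks for an IPv6
stack that Samba's epmd needs.  Paths and the alias syntax are assumptions."""
import errno
import re
import socket

# Constructed sample of a modprobe.d file; the commented-out line must
# not count as a setting.
SAMPLE_MODPROBE_CONF = """\
# options ipv6 disable=1   (old setting, commented out)
options ipv6 disable=0
"""

_OPTIONS = re.compile(r"^[ \t]*options[ \t]+ipv6[ \t]+(.*?)[ \t]*$", re.MULTILINE)
_ALIAS_OFF = re.compile(r"^[ \t]*alias[ \t]+(?:net-pf-10|ipv6)[ \t]+off[ \t]*$",
                        re.MULTILINE)


def modprobe_ipv6_disabled(conf_text):
    """True if the modprobe configuration text disables IPv6, either with
    'options ipv6 disable=1' on any line or with an 'alias ... off' line
    (the older RHEL method; assumed spelling).  Conservative: one
    disabling line anywhere is enough to flag it."""
    if _ALIAS_OFF.search(conf_text):
        return True
    for m in _OPTIONS.finditer(conf_text):
        for token in m.group(1).split():
            key, _, value = token.partition("=")
            if key == "disable" and value == "1":
                return True
    return False


def ipv6_socket_available():
    """Make the same call Samba makes.  Returns False only for
    EAFNOSUPPORT ('Address family not supported by protocol'); any other
    error is a different problem and is re-raised instead of being
    reported as 'no IPv6'."""
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as e:
        if e.errno == errno.EAFNOSUPPORT:
            return False
        raise
    s.close()
    return True


def diagnose(conf_text, socket_ok):
    """Combine both signals into the advice this thread converged on."""
    if socket_ok:
        return "IPv6 sockets work; Samba's epmd can open its port 135 socket"
    if modprobe_ipv6_disabled(conf_text):
        return ("AF_INET6 unavailable and modprobe disables ipv6: set "
                "disable=0 (or drop the alias ... off line) and reboot")
    return "AF_INET6 unavailable; check kernel config and sysctl disable_ipv6"


if __name__ == "__main__":
    try:
        with open("/etc/modprobe.d/ipv6.conf") as f:  # assumed location
            conf = f.read()
    except OSError:
        conf = ""
    print(diagnose(conf, ipv6_socket_available()))
```

The socket probe is the decisive check: lsmod showing the ipv6 module, as David found, proves nothing if the module was loaded with disable=1, and a trust setup should verify the family the way Samba will use it rather than infer it from the module list.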