Re: [Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)
On 05/06/2015 22:19, Endi Sukma Dewata wrote:
> On 5/19/2015 3:54 AM, Thibaut Pouzet wrote:
>> Hi,
>>
>> It appeared that the NSS DB had FIPS enabled due to the troubleshooting of an old problem:
>>
>> # modutil -dbdir /var/lib/pki-ca/alias/ -list
>> Listing of PKCS #11 Modules
>> ---
>> 1. NSS Internal FIPS PKCS #11 Module
>>    slots: 1 slot attached
>>    status: loaded
>>
>>    slot: NSS FIPS 140-2 User Private Key Services
>>    token: NSS FIPS 140-2 Certificate DB
>> ---
>>
>> I disabled it:
>>
>> modutil -dbdir /var/lib/pki-ca/alias -fips false
>>
>> And no longer have the stack trace in the debug logs while re-submitting the certificate with certmonger.
>>
>> This is a first step in this certificate renewal; as I still cannot renew it, I have a new error:
>>
>> status: CA_UNREACHABLE
>> ca-error: Error 60 connecting to https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
>>
>> This looks like a chicken and egg problem: the certificate served on ipa_server:9443 is the one that needs to be renewed. I tried to step back in time to when the certificate was still valid, with no luck.
>>
>> So if anyone has an idea here...
>>
>> Cheers,
>
> Hi,
>
> Is this still a problem? Per discussion with Rob it doesn't seem to be an issue with Dogtag itself.
>
> I suppose you are following this instruction: http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>
> Could you post the full getcert list output? Also after you reset the clock back and try the renewal again could you post the error messages that you get? Hopefully the IPA team will be able to troubleshoot further.
>
> Thanks.

Hi Endi,

Indeed, this is still a problem for this server. I did not have any new idea on how to troubleshoot this issue, unfortunately...

Here is what you asked:

With ntp running, date is now:

$ sudo getcert list -c dogtag-ipa-renew-agent
Number of certificates and requests being tracked: 9.
Request ID '20150511123414':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
  certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
  issuer: CN=Certificate Authority,O=ipa_domain
  subject: CN=CA Audit,O=ipa_domain
  expires: 2017-04-10 05:34:30 UTC
  key usage: digitalSignature,nonRepudiation
  pre-save command:
  post-save command:
  track: yes
  auto-renew: yes
Request ID '20150511123614':
  status: CA_UNREACHABLE
  ca-error: Error 60 connecting to https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
  stuck: no
  key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
  certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
  issuer: CN=Certificate Authority,O=ipa_domain
  subject: CN=CA Subsystem,O=ipa_domain
  expires: 2015-04-09 04:58:34 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command:
  track: yes
  auto-renew: yes
Request ID '20150511123705':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
  issuer: CN=Certificate Authority,O=ipa_domain
  subject: CN=IPA RA,O=ipa_domain
  expires: 2017-04-18 07:11:38 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command:
  track: yes
  auto-renew: yes
Request ID '20150513074100':
  status: CA_UNREACHABLE
  ca-error: Error 60 connecting to https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
  stuck: no
  key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
  certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
  issuer: CN=Certificate Authority,O=ipa_domain
  subject: CN=ipa_server,O=ipa_domain
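The listing above mixes certificates that are fine with ones that are both expired and stuck in CA_UNREACHABLE. As an added example (not code from the thread or from FreeIPA), here is a small parser for the `getcert list` text layout that separates the two cases; SAMPLE is a constructed excerpt in that layout with the pins left out, and THREAD_DATE / BEFORE_EXPIRY are reference dates chosen for the example.

```python
"""Flag certmonger requests that cannot renew on their own.

Added example, not from the thread: parses the `getcert list` layout and
reports tracked certs that are expired, CA_UNREACHABLE, or both.
SAMPLE is a constructed excerpt in that layout (pins omitted).
"""
import re
from datetime import datetime, timezone

SAMPLE = """\
Request ID '20150511123414':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tsubject: CN=CA Audit,O=ipa_domain
\texpires: 2017-04-10 05:34:30 UTC
Request ID '20150511123614':
\tstatus: CA_UNREACHABLE
\tca-error: Error 60 connecting to https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tsubject: CN=CA Subsystem,O=ipa_domain
\texpires: 2015-04-09 04:58:34 UTC
"""
THREAD_DATE = datetime(2015, 6, 9, tzinfo=timezone.utc)     # date of this thread
BEFORE_EXPIRY = datetime(2015, 4, 1, tzinfo=timezone.utc)   # a rolled-back clock

REQ_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
NICK_RE = re.compile(r"nickname='(?P<nick>[^']+)'")


def parse_getcert(text):
    """One dict per tracked request: id, status, ca_error, nickname, expires."""
    requests, cur = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = {"id": m.group("id"), "status": None, "ca_error": None,
                   "nickname": None, "expires": None}
            requests.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")   # split on the first colon only
        value = value.strip()
        if key == "status":
            cur["status"] = value
        elif key == "ca-error":
            cur["ca_error"] = value
        elif key == "certificate":
            nm = NICK_RE.search(value)
            cur["nickname"] = nm.group("nick") if nm else None
        elif key == "expires":   # getcert prints e.g. "2015-04-09 04:58:34 UTC"
            cur["expires"] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
    return requests


def blocked_renewals(requests, now):
    """Requests that are expired at `now`, CA_UNREACHABLE, or both."""
    out = []
    for r in requests:
        expired = r["expires"] is not None and r["expires"] < now
        unreachable = r["status"] == "CA_UNREACHABLE"
        if expired or unreachable:
            out.append({"nickname": r["nickname"], "expired": expired,
                        "unreachable": unreachable, "ca_error": r["ca_error"]})
    return out


def renewal_deadlock(requests, now):
    """Nicknames that are both expired and CA_UNREACHABLE: the renewal agent
    needs a trusted TLS endpoint on the CA, but the endpoint presents a cert
    it rejects. That is the chicken-and-egg case in the thread; resubmitting
    keeps failing until the dates are valid again and services are restarted."""
    return [b["nickname"] for b in blocked_renewals(requests, now)
            if b["expired"] and b["unreachable"]]
```

Run it on real output with `parse_getcert(open("getcert.txt").read())` and `datetime.now(timezone.utc)` to see which nicknames need the clock-rollback procedure rather than another `getcert resubmit`.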
[Freeipa-users] IPA and AD trusts
Hello!

I need some clarification, because I already killed one of my replicas twice...

After new replica server installation, do I need to run ipa-adtrust-install on it?

WBR,
Alexander Frolushkin

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA and AD trusts
On Tue, 09 Jun 2015, Alexander Frolushkin wrote:
> Hello!
>
> I need some clarification, because I already killed one of my replicas twice...
>
> After new replica server installation, do I need to run ipa-adtrust-install on it?

Once initial replication has finished, yes, you need to run ipa-adtrust-install. It will set up the proper configuration for this host.

--
/ Alexander Bokovoy
Re: [Freeipa-users] IPA and AD trusts
Thank you very much, I really missed this detail. Not a good thing that this is not checked anywhere during replica installation...

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, June 09, 2015 4:37 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA and AD trusts

On Tue, 09 Jun 2015, Alexander Frolushkin wrote:
> It's a little sad for me, because after that my new replica fails to start after reboot, on smb:
>
> Jun 09 15:41:23 nw-rhidm02 smbd[4692]: [2015/06/09 15:41:23.174023, 0] ipa_sam.c:4128(bind_callback_cleanup)
> Jun 09 15:41:23 nw-rhidm02 smbd[4692]: kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/nw-rhid...@unix.megafon.ru
^^ check your hostname, most likely you have a broken one. It looks for cifs/nw-rhid...@unix.megafon.ru and most likely there is a key for cifs/nw-rhidm02.unix.megafon...@unix.megafon.ru. You cannot mix together fully-qualified and non-qualified hostnames.

--
/ Alexander Bokovoy
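The hostname check Alexander Bokovoy describes can be scripted: smbd asks the keytab for cifs/<hostname>@REALM, so a short hostname produces a lookup no entry matches even though the FQDN key is there. This is an added example, not code from the thread or from FreeIPA; it parses `klist -kt` output (a constructed listing with placeholder host and realm, not the poster's) and reports whether the mismatch is a non-qualified hostname. Lower-casing the hostname is an assumption of this example.

```python
"""Check whether a keytab holds the CIFS key smbd will ask for.

Added example, not from the thread. KLIST_SAMPLE is a constructed
`klist -kt` listing with placeholder names; the replica in it was
enrolled under its fully qualified name, as FreeIPA does.
"""
import re

KLIST_SAMPLE = """\
Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/09/2015 15:30:01 cifs/replica02.example.test@EXAMPLE.TEST
   2 06/09/2015 15:30:01 cifs/replica02.example.test@EXAMPLE.TEST
"""

# KVNO, date, time, principal; header and separator lines do not match.
PRINC_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(?P<princ>\S+)$")


def keytab_principals(klist_output):
    """Unique principals in `klist -kt` output, in first-seen order."""
    seen = []
    for line in klist_output.splitlines():
        m = PRINC_RE.match(line)
        if m and m.group("princ") not in seen:
            seen.append(m.group("princ"))
    return seen


def cifs_principal(hostname, realm):
    """Principal derived from the configured hostname (lower-cased here;
    that normalisation is an assumption of this example)."""
    return "cifs/%s@%s" % (hostname.rstrip(".").lower(), realm.upper())


def diagnose(hostname, realm, klist_output):
    """Return (ok, message). ok is False when the derived principal is absent.
    If a key exists for a longer name with the same first label, the message
    says the hostname is not fully qualified: fix the hostname, do not add keys."""
    wanted = cifs_principal(hostname, realm)
    present = keytab_principals(klist_output)
    if wanted in present:
        return True, "keytab has %s" % wanted
    short = hostname.split(".")[0].lower()
    fq = [p for p in present
          if p.startswith("cifs/" + short + ".") and p.endswith("@" + realm.upper())]
    if fq:
        return False, ("keytab has no %s but does have %s: hostname is not "
                       "fully qualified" % (wanted, fq[0]))
    return False, "keytab has no cifs key for %s" % wanted
```

On a real host, feed it `socket.getfqdn()` or the output of `hostname` together with the text of `klist -kt /etc/samba/samba.keytab`.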
Re: [Freeipa-users] IPA and AD trusts
It's a little sad for me, because after that my new replica fails to start after reboot, on smb:

Jun 09 15:41:23 nw-rhidm02 smbd[4692]: [2015/06/09 15:41:23.174023, 0] ipa_sam.c:4128(bind_callback_cleanup)
Jun 09 15:41:23 nw-rhidm02 smbd[4692]: kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/nw-rhid...@unix.megafon.ru
Jun 09 15:41:24 nw-rhidm02 smbd[4692]: [2015/06/09 15:41:24.174961, 0] ipa_sam.c:4440(pdb_init_ipasam)
Jun 09 15:41:24 nw-rhidm02 smbd[4692]: Failed to get base DN.
Jun 09 15:41:24 nw-rhidm02 smbd[4692]: [2015/06/09 15:41:24.175187, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
Jun 09 15:41:24 nw-rhidm02 smbd[4692]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-UNIX-MEGAFON-RU.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
Jun 09 15:41:24 nw-rhidm02 systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
Jun 09 15:41:24 nw-rhidm02 systemd[1]: Failed to start Samba SMB Daemon.
Jun 09 15:41:24 nw-rhidm02 systemd[1]: Unit smb.service entered failed state.
Jun 09 15:41:26 nw-rhidm02 systemd[1]: Stopped Samba SMB Daemon.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, June 09, 2015 4:12 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA and AD trusts

On Tue, 09 Jun 2015, Alexander Frolushkin wrote:
> Hello!
>
> I need some clarification, because I already killed one of my replicas twice...
>
> After new replica server installation, do I need to run ipa-adtrust-install on it?

Once initial replication has finished, yes, you need to run ipa-adtrust-install. It will set up the proper configuration for this host.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Internal FreeIPA Administrators cannot search DNS records
On 08/06/15 20:59, nat...@nathanpeters.com wrote:
> I am trying my best to figure out why any FreeIPA internal 'administrators' that I create cannot search DNS entries.
>
> The builtin admin user can search and get results for DNS entries just fine, but we would rather not share this account with every sysadmin on our staff.
>
> I have created a new role called Super Admin. On the privileges tab for this user, I have added every single privilege in the 'Add' menu. This role now has all 29 privileges defined on the system.
>
> However, even after assigning a user to have this role, and logging out and back in again, he cannot search DNS entries. He can see every DNS entry if he manually pages through them one at a time (we have several thousand so this is not workable as you would have to scroll through hundreds of pages). The problem is any search always returns zero entries.
>
> I thought maybe something was missing so I created a new privilege called All privileges. I then tried to add each individual permission to this privilege. I could only add 76 permissions. All other permissions would give the following error when I try to add them:
>
> invalid 'permission': cannot add permission System: Read Automount Configuration with bindtype anonymous to a privilege
>
> I can see if I go to the permissions menu that there are actually 174 possible permissions so to only be able to add 76 of them seems really strange.
>
> So my questions are:
>
> 1) Why can a user with 'all' privileges not search DNS entries?
> 2) Why am I only able to add 76 out of the 174 permissions to a privilege?
> 3) Is there anything that can be done to allow a user that is not the builtin 'admin' user to search DNS entries or actually be allotted all permissions on the system?

Hello,

which version of IPA do you use? I was able to find all zones with a new user on IPA 4.1. I just added the 'DNS administrators' privilege for the new user.

Martin

--
Martin Basti
Re: [Freeipa-users] Internal FreeIPA Administrators cannot search DNS records
On 09/06/15 12:58, Martin Basti wrote:
> On 08/06/15 20:59, nat...@nathanpeters.com wrote:
>> I am trying my best to figure out why any FreeIPA internal 'administrators' that I create cannot search DNS entries.
>>
>> The builtin admin user can search and get results for DNS entries just fine, but we would rather not share this account with every sysadmin on our staff.
>>
>> I have created a new role called Super Admin. On the privileges tab for this user, I have added every single privilege in the 'Add' menu. This role now has all 29 privileges defined on the system.
>>
>> However, even after assigning a user to have this role, and logging out and back in again, he cannot search DNS entries. He can see every DNS entry if he manually pages through them one at a time (we have several thousand so this is not workable as you would have to scroll through hundreds of pages). The problem is any search always returns zero entries.
>>
>> I thought maybe something was missing so I created a new privilege called All privileges. I then tried to add each individual permission to this privilege. I could only add 76 permissions. All other permissions would give the following error when I try to add them:
>>
>> invalid 'permission': cannot add permission System: Read Automount Configuration with bindtype anonymous to a privilege
>>
>> I can see if I go to the permissions menu that there are actually 174 possible permissions so to only be able to add 76 of them seems really strange.
>>
>> So my questions are:
>>
>> 1) Why can a user with 'all' privileges not search DNS entries?
>> 2) Why am I only able to add 76 out of the 174 permissions to a privilege?
>> 3) Is there anything that can be done to allow a user that is not the builtin 'admin' user to search DNS entries or actually be allotted all permissions on the system?
>
> Hello,
>
> which version of IPA do you use? I was able to find all zones with a new user on IPA 4.1. I just added the 'DNS administrators' privilege for the new user.
>
> Martin

I reproduced this issue. IMO it is not related to permissions, but to the search command itself; I will investigate.

--
Martin Basti
Re: [Freeipa-users] Internal FreeIPA Administrators cannot search DNS records
On 09/06/15 13:05, Martin Basti wrote:
> On 09/06/15 12:58, Martin Basti wrote:
>> On 08/06/15 20:59, nat...@nathanpeters.com wrote:
>>> I am trying my best to figure out why any FreeIPA internal 'administrators' that I create cannot search DNS entries.
>>>
>>> The builtin admin user can search and get results for DNS entries just fine, but we would rather not share this account with every sysadmin on our staff.
>>>
>>> I have created a new role called Super Admin. On the privileges tab for this user, I have added every single privilege in the 'Add' menu. This role now has all 29 privileges defined on the system.
>>>
>>> However, even after assigning a user to have this role, and logging out and back in again, he cannot search DNS entries. He can see every DNS entry if he manually pages through them one at a time (we have several thousand so this is not workable as you would have to scroll through hundreds of pages). The problem is any search always returns zero entries.
>>>
>>> I thought maybe something was missing so I created a new privilege called All privileges. I then tried to add each individual permission to this privilege. I could only add 76 permissions. All other permissions would give the following error when I try to add them:
>>>
>>> invalid 'permission': cannot add permission System: Read Automount Configuration with bindtype anonymous to a privilege
>>>
>>> I can see if I go to the permissions menu that there are actually 174 possible permissions so to only be able to add 76 of them seems really strange.
>>>
>>> So my questions are:
>>>
>>> 1) Why can a user with 'all' privileges not search DNS entries?
>>> 2) Why am I only able to add 76 out of the 174 permissions to a privilege?
>>> 3) Is there anything that can be done to allow a user that is not the builtin 'admin' user to search DNS entries or actually be allotted all permissions on the system?
>>
>> Hello,
>>
>> which version of IPA do you use? I was able to find all zones with a new user on IPA 4.1. I just added the 'DNS administrators' privilege for the new user.
>>
>> Martin
>
> I reproduced this issue. IMO it is not related to permissions, but to the search command itself; I will investigate.

Indeed you were right, there is a wrong filter, which is denied by ACI.

Thank you for this bug report.

--
Martin Basti
Re: [Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)
On 09/06/2015 15:50, Rob Crittenden wrote:
> Thibaut Pouzet wrote:
>> On 05/06/2015 22:19, Endi Sukma Dewata wrote:
>>> Is this still a problem? Per discussion with Rob it doesn't seem to be an issue with Dogtag itself.
>>>
>>> I suppose you are following this instruction: http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>>>
>>> Could you post the full getcert list output? Also after you reset the clock back and try the renewal again could you post the error messages that you get? Hopefully the IPA team will be able to troubleshoot further.
>>>
>>> Thanks.
>>
>> Hi Endi,
>>
>> Indeed, this is still a problem for this server. I did not have any new idea on how to troubleshoot this issue, unfortunately...
>>
>> Here is what you asked:
>>
>> With ntp running, date is now:
>>
>> $ sudo getcert list -c dogtag-ipa-renew-agent
>
> Thanks for including the full output.
>
> Are you restarting IPA when setting the date back? If not, you need to.
>
> rob

Hi,

Restarting IPA or not does not change anything: no logs, same error in getcert list.

Cheers,

--
Thibaut Pouzet
Lyra Network
Systems and Network Engineer
(+33) 5 31 22 40 08
www.lyra-network.com
[Freeipa-users] add suse 11 sp3 to ipa
Hi,

Would you please let me know whether it is possible to add SUSE 11 SP3 to IPA, and how?

Regards
Re: [Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)
Thibaut Pouzet wrote:
> On 05/06/2015 22:19, Endi Sukma Dewata wrote:
>> Is this still a problem? Per discussion with Rob it doesn't seem to be an issue with Dogtag itself.
>>
>> I suppose you are following this instruction: http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>>
>> Could you post the full getcert list output? Also after you reset the clock back and try the renewal again could you post the error messages that you get? Hopefully the IPA team will be able to troubleshoot further.
>>
>> Thanks.
>
> Hi Endi,
>
> Indeed, this is still a problem for this server. I did not have any new idea on how to troubleshoot this issue, unfortunately...
>
> Here is what you asked:
>
> With ntp running, date is now:
>
> $ sudo getcert list -c dogtag-ipa-renew-agent

Thanks for including the full output.

Are you restarting IPA when setting the date back? If not, you need to.

rob
Re: [Freeipa-users] Internal FreeIPA Administrators cannot search DNS records
On 9.6.2015 13:54, Martin Basti wrote:
> On 09/06/15 13:05, Martin Basti wrote:
>> On 09/06/15 12:58, Martin Basti wrote:
>>> On 08/06/15 20:59, nat...@nathanpeters.com wrote:
>>>> I am trying my best to figure out why any FreeIPA internal 'administrators' that I create cannot search DNS entries.
>>>>
>>>> The builtin admin user can search and get results for DNS entries just fine, but we would rather not share this account with every sysadmin on our staff.
>>>>
>>>> I have created a new role called Super Admin. On the privileges tab for this user, I have added every single privilege in the 'Add' menu. This role now has all 29 privileges defined on the system.
>>>>
>>>> However, even after assigning a user to have this role, and logging out and back in again, he cannot search DNS entries. He can see every DNS entry if he manually pages through them one at a time (we have several thousand so this is not workable as you would have to scroll through hundreds of pages). The problem is any search always returns zero entries.
>>>>
>>>> I thought maybe something was missing so I created a new privilege called All privileges. I then tried to add each individual permission to this privilege. I could only add 76 permissions. All other permissions would give the following error when I try to add them:
>>>>
>>>> invalid 'permission': cannot add permission System: Read Automount Configuration with bindtype anonymous to a privilege
>>>>
>>>> I can see if I go to the permissions menu that there are actually 174 possible permissions so to only be able to add 76 of them seems really strange.
>>>>
>>>> So my questions are:
>>>>
>>>> 1) Why can a user with 'all' privileges not search DNS entries?
>>>> 2) Why am I only able to add 76 out of the 174 permissions to a privilege?
>>>> 3) Is there anything that can be done to allow a user that is not the builtin 'admin' user to search DNS entries or actually be allotted all permissions on the system?
>>>
>>> Hello,
>>>
>>> which version of IPA do you use? I was able to find all zones with a new user on IPA 4.1. I just added the 'DNS administrators' privilege for the new user.
>>>
>>> Martin
>>
>> I reproduced this issue. IMO it is not related to permissions, but to the search command itself; I will investigate.
>
> Indeed you were right, there is a wrong filter, which is denied by ACI.
>
> Thank you for this bug report.

Ticket: https://fedorahosted.org/freeipa/ticket/5055

--
Petr^2 Spacek