Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-10 Thread Morgan Marodin
Now all is ok :)

# ipa trust-add --type=ad mydomain.com --admin Administrator --password
Active Directory domain administrator's password:
---
Added Active Directory trust for realm "mydomain.com"
---
  Realm name: mydomain.com
  Domain NetBIOS name: MYDOMAIN
  Domain Security Identifier: S-x-x-xx-xx-xx-x
  SID blacklist incoming: S-x-x-xx, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x,
S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-xx, S-x-x-xx, S-x-x-xx,
S-x-x-xx, S-x-x-xx,
  S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x, S-x-x,
S-x-x, S-x-x, S-x-x-xx, S-x-x-xx
  SID blacklist outgoing: S-x-x-xx, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x,
S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-xx, S-x-x-xx, S-x-x-xx,
S-x-x-xx, S-x-x-xx,
  S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x, S-x-x,
S-x-x, S-x-x, S-x-x-xx, S-x-x-xx
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Thanks for your support.
Morgan

2015-09-09 18:53 GMT+02:00 Alexander Bokovoy :

> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>
>> Hi Alexander
>>
>> The IPv6 stack is disabled on my RHEL-like distro, v7 x64, but it is enabled on
>> my
>> Windows 2012.
>> I have read in a freeipa article to disable IPv6.
>>
> Sorry, but why did you decide to disable the IPv6 stack? The FreeIPA article
> explicitly talks about not disabling IPv6.
>
> Samba and FreeIPA LDAP code require a working IPv6 stack on the machine.
> You can have a system without IPv6 addresses, but do not disable the
> infrastructure. All contemporary networking applications are written
> with the idea that you can use IPv6-only functions and work on both IPv4
> and IPv6 at the same time. See the ipv6(7) manual page:
>
> 
> IPv4 connections can be handled with the v6 API by using the
> v4-mapped-on-v6 address type; thus a program needs to support only this
> API type to support both protocols. This is handled transparently by the
> address handling functions in the C library.
>
> IPv4 and IPv6 share the local port space.  When you get an IPv4
> connection or packet to a IPv6 socket, its source address will be mapped
> to v6 and it will be mapped to v6.
> 
>
>
>
>> I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
>> new freeipa server, just installed, in the same network.
>> The AD REALM is MYDOMAIN.COM and the IPA REALM is IPA.MYDOMAIN.COM.
>> I've installed bind in IPA; it contains only the ipa.mydomain.com zone.
>> On the AD servers the mydomain.com zone is configured, with an ipa.mydomain.com
>> delegation to the linux server (192.168.0.65).
>>
>
>
>> Do you have other questions about my setup?
>> Let me know, thanks.
>> Morgan
>>
>>
>> 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy :
>>
>> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>>>
>>> Hi Alexander.

 Ok, after enabling debugging I have these logs:
 ---
 ==> /var/log/httpd/error_log <==
 INFO: Current debug levels:
  all: 100
  tdb: 100
  printdrivers: 100
  lanman: 100
  smb: 100
  rpc_parse: 100
  rpc_srv: 100
  rpc_cli: 100
  passdb: 100
  sam: 100
  auth: 100
  winbind: 100
  vfs: 100
  idmap: 100
  quota: 100
  acls: 100
  locking: 100
  msdfs: 100
  dmapi: 100
  registry: 100
  scavenger: 100
  dns: 100
  ldb: 100
 pm_process() returned Yes
 GENSEC backend 'gssapi_spnego' registered
 GENSEC backend 'gssapi_krb5' registered
 GENSEC backend 'gssapi_krb5_sasl' registered
 GENSEC backend 'sasl-DIGEST-MD5' registered
 GENSEC backend 'spnego' registered
 GENSEC backend 'schannel' registered
 GENSEC backend 'sasl-EXTERNAL' registered
 GENSEC backend 'ntlmssp' registered
 Using binding ncacn_np:srv01.ipa.mydomain.com[,]
 s4_tevent: Added timed event "dcerpc_connect_timeout_handler":
 0x7f8a3c224990
 s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
 s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
 s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
 s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
 Mapped to DCERPC endpoint \pipe\lsarpc
 added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
 netmask=255.255.255.0
 added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
 netmask=255.255.255.0

 Do you have IPv6 stack enabled?
>>>
>>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]
>>>
 ../lib/util/tevent_debug.c:63(samba_tevent_debug)
  s3_tevent: Schedule immediate event "tevent_req_trigger":
 0x7f7118a92cf0
 [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0,
 0)]
 
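The check behind Alexander's question "Do you have IPv6 stack enabled?" and the v4-mapped-on-v6 behaviour from the ipv6(7) excerpt, as an added example that is not part of the thread; it assumes a Linux host on which a TCP connection over loopback is permitted.

```python
"""Probe the IPv6 socket infrastructure Samba/FreeIPA rely on, and show how an
IPv4 peer appears on an AF_INET6 socket. Added example, not from the thread."""
import ipaddress
import socket


def v4_mapped_to_ipv4(addr: str):
    """Return the IPv4 string behind a ::ffff:a.b.c.d address, or None when
    `addr` is not a v4-mapped IPv6 address (plain IPv4, native IPv6, garbage)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return None


def ipv6_stack_usable() -> bool:
    """True if the kernel lets us create and bind an AF_INET6 socket on ::1.
    With the stack disabled (ipv6.disable=1) socket() fails with EAFNOSUPPORT
    or bind() with EADDRNOTAVAIL, which is what breaks Samba's LDAP/RPC code."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind(("::1", 0))
        return True
    except OSError:
        return False


def dual_stack_peer_demo():
    """Listen on one AF_INET6 socket bound to '::' (dual-stack), connect to it
    over IPv4 via 127.0.0.1, and return the peer address the listener sees.
    Returns None when the IPv6 stack or the loopback connection is unusable."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv:
            if hasattr(socket, "IPV6_V6ONLY"):
                # 0 = accept IPv4 clients too; they show up as ::ffff:a.b.c.d
                srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            srv.bind(("::", 0))
            srv.listen(1)
            port = srv.getsockname()[1]
            with socket.create_connection(("127.0.0.1", port), timeout=2):
                conn, peer = srv.accept()
                conn.close()
                return peer[0]  # e.g. '::ffff:127.0.0.1'
    except OSError:
        return None


if __name__ == "__main__":
    print("IPv6 stack usable:", ipv6_stack_usable())
    seen = dual_stack_peer_demo()
    print("IPv4 client as seen by a v6 socket:", seen,
          "->", v4_mapped_to_ipv4(seen) if seen else "n/a")
```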

Re: [Freeipa-users] Add objectclasses to computer schema

2015-09-10 Thread Martin Basti



On 09/09/2015 06:32 PM, Thomas Suiter wrote:


Is there an equivalent host/computer default objectclasses setting like there
is for ipa config-mod --groupobjectclasses/--userobjectclasses? We
are wanting to add some additional attributes to all of the servers.
I'm able to add the object class to individual servers but I'm not sure on
the procedure so that all new servers automatically get the additional
objectclasses when they are enrolled without having to manually add it.





Hello,

The LDAP schema is replicated to all servers; you just need to add the new
objectclass definition via ldapadd.


Just adding changes to user99.ldif directly may not be replicated; you
need to add it online.


Martin
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] attempting to restore IPA

2015-09-10 Thread David Kupka

Hello Steven!

I would like to help you but unfortunately I have no chance to guess 
what went wrong.


To help us help you please report any issue in a way described on 
FreeIPA Troubleshooting page (http://www.freeipa.org/page/Troubleshooting).


Most importantly we need the following:

1. Version of FreeIPA you are using.

2. Precise description of the problem.
Stating that "password does not work" is not specific enough. Does
"kinit admin" fail? With what error message? What is in the kdc log? Or
does SSH login fail? Does the login on a client using the restored server
work?


3. Steps that you did before the problem occurred.
How was the mentioned backup created? Was the FreeIPA server reinstalled 
since the backup was taken? Was any password changed after the backup? 
Was any error/warning reported during the restore?


4. Logs.
Please include at least iparestore.log and DS and Kerberos logs.

Maybe some of the information I am missing here can be found in the
thread you are responding to. But since you have changed the subject I
assume you are solving another issue. In that case it makes sense to
start a completely new thread and provide all relevant information.
Searching for it in the older thread is not only time consuming but also
may confuse us, as it could be no longer valid and/or relevant.


Do not take me wrong, I am just trying to show you how to ask with a bigger
chance of solving the issue for you in less time.


Best regards,
David

On 10/09/15 01:41, Steven Jones wrote:

So to restore IPA I tried,

ipa-restore --data ipa-full-2015-09-10-10-28-11

and now I cannot login, opsie.

The admin user password doesn't work and neither do my own accounts.

NB I assume the flag --data restores the user data/HBAC rules etc?

regards

Steven





[Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
OS: RHEL 7.1 w IDM

I'm seeing these messages in my master's log messages. I don't know if it's
related, but I think I started seeing them after I set up a replica.
Everything seems to be working fine, but I'm worried that things will break
if delta grows beyond a point. I tried steps in
https://access.redhat.com/solutions/35640, but it didn't really help. The
messages still appear regularly in the log.

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
Thanks. I'm not virtualizing though. Should I still add it ?

On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway 
wrote:

> Hi,
>
> I assume you are virtualising.
>
> Try adding "tinker panic 0" to /etc/ntp.conf.
>
> It should make it tolerant to heavily drifting virtual clocks.
>
> Cheers,
>
> Andrew
>
> On 10 September 2015 at 13:46, Prasun Gera  wrote:
>
>> OS: RHEL 7.1 w IDM
>>
>> I'm seeing these messages in my master's log messages. I don't know if
>> it's related, but I think I started seeing them after I set up a replica.
>> Everything seems to be working fine, but I'm worried that things will break
>> if delta grows beyond a point. I tried steps in
>> https://access.redhat.com/solutions/35640, but it didn't really help.
>> The messages still appear regularly in the log.
>>
>>
>
>

[Freeipa-users] DNS Server

2015-09-10 Thread Günther J. Niederwimmer
Hello,

what is the best way to include an external Nameserver for an IPA Host?

My DNS (DNSSEC) server is running on an extra Instance (KVM); now I have set up an
extra Instance for an IPA Master Server and I now have to include the CNAME
Server like "smtp.example.com CNAME imap.example.com", or can I include this server
another way?

Thanks for an answer,
-- 
mit freundlichen Grüssen / best regards,

 Günther J. Niederwimmer



Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Andrew Holway
Hi,

I assume you are virtualising.

Try adding "tinker panic 0" to /etc/ntp.conf.

It should make it tolerant to heavily drifting virtual clocks.

Cheers,

Andrew

On 10 September 2015 at 13:46, Prasun Gera  wrote:

> OS: RHEL 7.1 w IDM
>
> I'm seeing these messages in my master's log messages. I don't know if
> it's related, but I think I started seeing them after I set up a replica.
> Everything seems to be working fine, but I'm worried that things will break
> if delta grows beyond a point. I tried steps in
> https://access.redhat.com/solutions/35640, but it didn't really help. The
> messages still appear regularly in the log.
>
>

Re: [Freeipa-users] Add objectclasses to computer schema

2015-09-10 Thread Rob Crittenden
Thomas Suiter wrote:
> Is there an equivalent host/computer default objectclasses that there is
> for ipa config-mod --groupobjectclasses/--userobjectclasses? We are
> wanting to add some additional attributes to all of the servers, I’m
> able to add the object class to individual servers but not sure on the
> procedure so that all new servers automatically get the additional
> objectclasses when they are enrolled without having to manually add it.

No, these lists exist only for users and groups.

A plugin to extend the host object to add objectclasses would be fairly
straightforward. Adding a similar option to the config would be slightly
more complex.

rob



Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Andrew Holway
That's odd. You would normally not need it on bare metal. It could be broken
hardware.

On 10 September 2015 at 14:05, Prasun Gera  wrote:

> Thanks. I'm not virtualizing though. Should I still add it ?
>
> On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway 
> wrote:
>
>> Hi,
>>
>> I assume you are virtualising.
>>
>> Try adding "tinker panic 0" to /etc/ntp.conf.
>>
>> It should make it tolerant to heavily drifting virtual clocks.
>>
>> Cheers,
>>
>> Andrew
>>
>> On 10 September 2015 at 13:46, Prasun Gera  wrote:
>>
>>> OS: RHEL 7.1 w IDM
>>>
>>> I'm seeing these messages in my master's log messages. I don't know if
>>> it's related, but I think I started seeing them after I set up a replica.
>>> Everything seems to be working fine, but I'm worried that things will break
>>> if delta grows beyond a point. I tried steps in
>>> https://access.redhat.com/solutions/35640, but it didn't really help.
>>> The messages still appear regularly in the log.
>>>
>>>
>>
>>
>

Re: [Freeipa-users] DNS Server

2015-09-10 Thread Petr Spacek
On 10.9.2015 15:38, Günther J. Niederwimmer wrote:
> Hello,
> 
> what is the best way to include an external Nameserver for an IPA Host?
> 
> My DNS (DNSSEC) server is running on an extra Instance (KVM); now I have set up
> an extra Instance for an IPA Master Server and I now have to include the CNAME
> Server like "smtp.example.com CNAME imap.example.com", or can I include this
> server another way?

Hello,

I'm sorry but I do not understand what you mean by 'include'.

FreeIPA itself requires a bunch of DNS records to be added to whatever DNS
server you use - FreeIPA DNS is just an optional thing.

For ordinary hosts/FreeIPA clients it is up to you how you configure DNS;
there is no enforced requirement from the FreeIPA side.

If you need further information then please describe what exactly you are
trying to achieve, what steps you did and what does not work. Of course we
also need to know which OS version you are trying it on and which version of
the ipa-server package you have.

Have a nice day!

-- 
Petr^2 Spacek



Re: [Freeipa-users] Vector/hi-res logo

2015-09-10 Thread Alexander Bokovoy

On Thu, 10 Sep 2015, Martin Kosek wrote:

On 09/08/2015 08:13 PM, Ian Pilcher wrote:

Now that I'm actually using IPA authentication for a few services within
my house, I'm going to set up a simple "start page" with a few links,
including a link to IPA web UI for password changes.  I'd like to use
the FreeIPA logo, but I've only been able to find very small and/or
fuzzy versions.

Does anyone know where I can find a high-resolution or vector version of
the logo?

Thanks!


This is an interesting problem to have :-) The biggest bitmap image I have is

http://www.freeipa.org/images/freeipa/freeipa-logo.png

Maybe Petr Spacek has some better version, he was involved with the logo 
recently.

Mo did the original design and SVG is still available at her DeviantArt
page: http://pookstar.deviantart.com/art/FreeIPA-logo-57616785
--
/ Alexander Bokovoy



[Freeipa-users] PKI-CAD service fails, IPA won't start

2015-09-10 Thread Cassidy, James M.
Hello:

So recently, we received some new workstations that I loaded with Ubuntu 12.04. 
The person who had this sysadmin position before me set up the IPA domain and 
had it running for quite some time. I went to add one of the systems to the 
domain through a script he created, something in the configuration failed so I 
performed an uninstall and was gonna return to it after I retool the script. 
However, since then IPA has failed to function for more than two minutes at a 
time. Upon an "ipactl start" it will start every service (even allowing IPA 
commands to be executed) until it hits the pki-cad service, where it hangs for 
a while, then seemingly hits a timeout limit and assumes that it has failed. 
Sometimes it does fail, but ipactl doesn't react to this immediately, and it 
always seems to hit the timeout. Running a journalctl -f as soon as I can, I 
see the following:

Sep 10 14:40:42 [IPA server] systemd[1]: Reached target 389 Directory Server.
Sep 10 14:40:42 [IPA server] systemd[1]: Starting 389 Directory Server [org 
name]
Sep 10 14:40:42 [IPA server] systemd[1]: Ignoring invalid environment 'export 
KRB5_KTNAME=/etc/dirsrv/ds.keytab': /etc/sysconfig/dirsrv
Sep 10 14:40:42 [IPA server] systemd[1]: Starting 389 Directory Server 
PKI-IPA
Sep 10 14:40:42 [IPA server] systemd[1]: Ignoring invalid environment 'export 
KRB5_KTNAME=/etc/dirsrv/ds.keytab': /etc/sysconfig/dirsrv
Sep 10 14:40:43 [IPA server] systemd[1]: Started 389 Directory Server PKI-IPA..
Sep 10 14:40:43 [IPA server] systemd[1]: Started 389 Directory Server [org 
name]..
Sep 10 14:41:00 [IPA server] systemd[1]: Starting Kerberos 5 KDC...
Sep 10 14:41:00 [IPA server] systemd[1]: Started Kerberos 5 KDC.
Sep 10 14:41:00 [IPA server] systemd[1]: Starting Kerberos 5 Password-changing 
and Administration...
Sep 10 14:41:01 [IPA server] systemd[1]: Started Kerberos 5 Password-changing 
and Administration.
Sep 10 14:41:01 [IPA server] systemd[1]: Starting Berkeley Internet Name Domain 
(DNS)...
[huge wall of DNS config, completes successfully]
Sep 10 14:41:02 [IPA server] systemd[1]: Started Berkeley Internet Name Domain 
(DNS).
Sep 10 14:41:02 [IPA server] systemd[1]: Starting Host and Network Name Lookups.
Sep 10 14:41:02 [IPA server] systemd[1]: Reached target Host and Network Name 
Lookups.
Sep 10 14:41:02 [IPA server] systemd[1]: Started IPA memcached daemon, 
increases IPA server performance.
Sep 10 14:41:03 [IPA server] systemd[1]: Starting The Apache HTTP Server...
Sep 10 14:41:05 [IPA server] httpd[841]: [Thu Sep 10 14:41:05.050236 2015] 
[so:warn] [pid 841] AH01574: module nss_module is already loaded, skipping
Sep 10 14:41:06 [IPA server] systemd[1]: Started The Apache HTTP Server.
Sep 10 14:41:06 [IPA server] systemd[1]: Starting PKI Certificate Authority 
Server.
Sep 10 14:41:06 [IPA server] systemd[1]: Reached target PKI Certificate 
Authority Server.
Sep 10 14:41:06 [IPA server] systemd[1]: Starting PKI Certificate Authority 
Server pki-ca...
Sep 10 14:41:06 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:06 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:06 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:07 [IPA server] runuser[958]: pam_unix(runuser-l:session): session 
opened for user pkiuser by (uid=0)
Sep 10 14:41:07 [IPA server] runuser[958]: pam_unix(runuser-l:session): session 
closed for user pkiuser
Sep 10 14:41:07 [IPA server] named[828]: zone [subnet].in-addr.arpa/IN: sending 
notifies (serial 2012080892)
Sep 10 14:41:07 [IPA server] named[828]: zone [org name]/IN: sending notifies 
(serial 2012080918)
Sep 10 14:41:08 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:08 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:08 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:08 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:08 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:08 [IPA server] httpd[846]: GSSAPI client step 2
Sep 10 14:41:08 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:10 [IPA server] httpd[845]: GSSAPI client step 1
Sep 10 14:41:10 [IPA server] httpd[845]: GSSAPI client step 1
Sep 10 14:41:10 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:10 [IPA server] httpd[845]: GSSAPI client step 1
Sep 10 14:41:10 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:10 [IPA server] httpd[845]: GSSAPI client step 2
Sep 10 14:41:10 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:12 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:12 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:12 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:12 [IPA server] runuser[1061]: pam_unix(runuser-l:session): 
session opened for user pkiuser by (uid=0)
Sep 10 14:41:12 [IPA server] runuser[1061]: pam_unix(runuser-l:session): 
session closed for user pkiuser
Sep 10 14:41:13 [IPA server] pkicontrol[1039]: /var/lib/pki-ca/pki-ca: line 
101: 

Re: [Freeipa-users] Vector/hi-res logo

2015-09-10 Thread Martin Kosek
On 09/08/2015 08:13 PM, Ian Pilcher wrote:
> Now that I'm actually using IPA authentication for a few services within
> my house, I'm going to set up a simple "start page" with a few links,
> including a link to IPA web UI for password changes.  I'd like to use
> the FreeIPA logo, but I've only been able to find very small and/or
> fuzzy versions.
> 
> Does anyone know where I can find a high-resolution or vector version of
> the logo?
> 
> Thanks!

This is an interesting problem to have :-) The biggest bitmap image I have is

http://www.freeipa.org/images/freeipa/freeipa-logo.png

Maybe Petr Spacek has some better version, he was involved with the logo 
recently.



Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
The hardware is not very old (ivybridge). The entries appear every few
minutes in the log. The /etc/ntp.conf has not been modified manually. It
lists 3 servers - 0.rhel.pool.ntp.org, 1 and 2. At the end, there are also
a couple of additional local servers with the comment added by
/sbin/dhclient-script. The replica on the same network with an identical
ntp.conf file doesn't have these messages in the current log. However, if I
go back to a week, I see similar messages there too. The ping to public
ntp servers varies from a few ms to ~50 ms. The ping to local servers is
under 1 ms. I followed steps from the first link (ntpd -qg), and the
messages have stopped for now, but I suspect that they will reappear later.
That's what happened last time I tried that solution. This is the output
from ntpq -pn on the master:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+38.229.71.1     204.123.2.5      2 u   39   64  377   44.300  -1311.8   7.668
+64.6.144.6      128.252.19.1     2 u   25   64  377   38.184  -1327.6  12.615
-129.250.35.251  200.98.196.212   2 u   30   64  377   14.649  -1318.8   7.079
 127.127.1.0     .LOCL.          10 l    -   64    0    0.000    0.000   0.000
*localnetip1     localnetref1     2 u   55   64  377    0.349  -1316.0   8.264
-localnetip2     localnetref2     3 u   64   64  377    0.459  -1309.6  10.516


On Thu, Sep 10, 2015 at 5:27 AM, Andrew Holway 
wrote:

> It could be the server is trying to access the time server over a heavily
> congested network, which could cause these types of problems.
>
>
> How old is the hardware?
> How often do these entries appear in the log?
> What is the ping / traceroute to the time server you are using?
> Are there any other machines on the same local network that are using this
> timeserver? Do they have problems?
>
>
>
>
> On 10 September 2015 at 14:18, Prasun Gera  wrote:
>
>> So I did a bit of googling and tinker panic 0 only makes sense for
>> virtual machines. Is there any way to confirm if it is indeed a hardware
>> issue ?
>>
>> On Thu, Sep 10, 2015 at 5:16 AM, Andrew Holway 
>> wrote:
>>
>>> That's odd. You would normally not need it on bare metal. It could be
>>> broken hardware.
>>>
>>> On 10 September 2015 at 14:05, Prasun Gera 
>>> wrote:
>>>
 Thanks. I'm not virtualizing though. Should I still add it ?

 On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway  wrote:

> Hi,
>
> I assume you are virtualising.
>
> Try adding "tinker panic 0" to /etc/ntp.conf.
>
> It should make it tolerant to heavily drifting virtual clocks.
>
> Cheers,
>
> Andrew
>
> On 10 September 2015 at 13:46, Prasun Gera 
> wrote:
>
>> OS: RHEL 7.1 w IDM
>>
>> I'm seeing these messages in my master's log messages. I don't know
>> if it's related, but I think I started seeing them after I set up a
>> replica. Everything seems to be working fine, but I'm worried that things
>> will break if delta grows beyond a point. I tried steps in
>> https://access.redhat.com/solutions/35640, but it didn't really
>> help. The messages still appear regularly in the log.
>>
>>
>
>

>>>
>>
>

Re: [Freeipa-users] certificate add subject alt Name

2015-09-10 Thread Youenn PIOLET
Hi,

I'm not sure I understood all of your problem, but here is some
information that may help:
- First, you don't change a certificate, but you can revoke it and make a new
one
- If you need to add a SubjectAltName to a certificate, you may have
realized that the -D parameter gets the request rejected by FreeIPA
when you try this:

ipa-getcert request -d $NSSPATH -n $CERTNAME -p $PWDFILE -N
"CN=$FQDN,O=$DOMAIN" -D "$CNAME" -K $PRINCIPAL

You have to force FreeIPA to recognise the CNAME first.

$ ipa host-add cname.domain --force
$ ipa service-add service/fqdn
$ ipa service-add service/cname.domain --force
$ ipa service-add-host service/cname.domain --host fqdn

Then the ipa-getcert request will work.

I hope it helps (you or anyone else needing a subjectaltname in a
certificate).
Cheers,

--
Youenn Piolet
piole...@gmail.com


2015-09-09 18:12 GMT+02:00 Petr Spacek :

> On 5.9.2015 12:48, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > System CentOS 7.
> >
> > is it possible to change a certificate to add a subject alt name?
> >
> > My "Problem" is, I have a Mail Server with name smtp.example.com and the
> > correct service certificates smtp/smtp.example.com & imap/example.com; now I
> > make in my DNS Server (it is an external system) a new Record "imap IN CNAME
> > smtp", but this is now missing in the certificate?
> >
> > The Problem I mean is DNSSEC, so I can't set up this with freeIPA and I
> > don't have a host/imap.example.com.
>
> I'm sorry but I do not see how this is related to DNS. It might not be
> related
> to IPA at all.
>
> IPA only issues the cert. If the cert contains both subjectAltNames then
> the
> problem is likely in your DNS configuration or in configuration on the
> application server side (where you installed the cert).
>
> Unfortunately I'm not able to tell you more without more details - what
> application you use, what versions, how you configured it, etc.
>
> --
> Petr^2 Spacek
>
>

Re: [Freeipa-users] Logging?

2015-09-10 Thread Martin Kosek
On 09/09/2015 09:50 PM, Janelle wrote:
> Hello,
> 
> I was wondering if anyone has played with the extended logging of IPA and
> specifically SSSD and the kibana dashboards they put together.
> https://www.freeipa.org/page/Centralized_Logging
> 
> I can't seem to get "clients" to send the login info
> (https://www.freeipa.org/images/6/65/Rek-user-logins.png) , even though I see
> the data in the logs, and was wondering if anyone has any tips?
> 
> Thank you
> ~Janelle

Thanks for feedback, I am CCing Peter Schiffer and Jakub Hrozek who were
involved more in the client parts.

What did you run for configuring the client? ipa-log-config from

https://github.com/pschiffe/ipa-log-config

?



Re: [Freeipa-users] Logging?

2015-09-10 Thread Janelle

On 9/10/15 7:55 AM, Martin Kosek wrote:

On 09/09/2015 09:50 PM, Janelle wrote:

Hello,

I was wondering if anyone has played with the extended logging of IPA and
specifically SSSD and the kibana dashboards they put together.
https://www.freeipa.org/page/Centralized_Logging

I can't seem to get "clients" to send the login info
(https://www.freeipa.org/images/6/65/Rek-user-logins.png) , even though I see
the data in the logs, and was wondering if anyone has any tips?

Thank you
~Janelle

Thanks for feedback, I am CCing Peter Schiffer and Jakub Hrozek who were
involved more in the client parts.

What did you run for configuring the client? ipa-log-config from

https://github.com/pschiffe/ipa-log-config

?

Hi Martin,

Yes, I did run the log config tool. It works flawlessly on the IPA 
servers, but although it claims it sets everything up on clients, I am 
seeing no actual data, even though there is data in the logs 
themselves. So I am busy trying to debug where rsyslog is missing 
something. I am more of a syslog-ng person, so I am having to learn all 
the bits and pieces of rsyslog, and perhaps I am missing something.


To further help -- I have tried 2 methods of a client. One with a client 
that was "enrolled" via standard ipa-client-install, and another 
LDAP-only client, still using SSSD but only configured with LDAP 
settings for Auth.


~J



Re: [Freeipa-users] Vector/hi-res logo

2015-09-10 Thread Petr Spacek
On 10.9.2015 17:22, Alexander Bokovoy wrote:
> On Thu, 10 Sep 2015, Martin Kosek wrote:
>> On 09/08/2015 08:13 PM, Ian Pilcher wrote:
>>> Now that I'm actually using IPA authentication for a few services within
>>> my house, I'm going to set up a simple "start page" with a few links,
>>> including a link to IPA web UI for password changes.  I'd like to use
>>> the FreeIPA logo, but I've only been able to find very small and/or
>>> fuzzy versions.
>>>
>>> Does anyone know where I can find a high-resolution or vector version of
>>> the logo?
>>>
>>> Thanks!
>>
>> This is an interesting problem to have :-) The biggest bitmap image I have is
>>
>> http://www.freeipa.org/images/freeipa/freeipa-logo.png
>>
>> Maybe Petr Spacek has some better version, he was involved with the logo
>> recently.
> Mo did the original design and SVG is still available at her DeviantArt
> page: http://pookstar.deviantart.com/art/FreeIPA-logo-57616785

I've uploaded the SVG file I found somewhere to
http://www.freeipa.org/page/File:FreeIPA.svg
so we do not lose it over time :-)

-- 
Petr^2 Spacek



Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
So I did a bit of googling and tinker panic 0 only makes sense for virtual
machines. Is there any way to confirm if it is indeed a hardware issue ?

On Thu, Sep 10, 2015 at 5:16 AM, Andrew Holway wrote:

> That's odd. You would normally not need it on bare metal. It could be
> broken hardware.
>
> On 10 September 2015 at 14:05, Prasun Gera wrote:
>
>> Thanks. I'm not virtualizing though. Should I still add it?
>>
>> On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway wrote:
>>
>>> Hi,
>>>
>>> I assume you are virtualising.
>>>
>>> Try adding "tinker panic 0" to /etc/ntp.conf.
>>>
>>> It should make it tolerant to heavily drifting virtual clocks.
>>>
>>> Cheers,
>>>
>>> Andrew
>>>
>>> On 10 September 2015 at 13:46, Prasun Gera wrote:
>>>
>>>> OS: RHEL 7.1 w IDM
>>>>
>>>> I'm seeing these messages in my master's log messages. I don't know if
>>>> it's related, but I think I started seeing them after I set up a replica.
>>>> Everything seems to be working fine, but I'm worried that things will break
>>>> if delta grows beyond a point. I tried steps in
>>>> https://access.redhat.com/solutions/35640, but it didn't really help.
>>>> The messages still appear regularly in the log.


>>>
>>>
>>
>

[Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master

2015-09-10 Thread Craig White
Following instructions from here...
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

RHEL6 server
# rpm -qa ipa-server
ipa-server-3.0.0-42.el6.x86_64

RHEL7 server
# rpm -q ipa-server
ipa-server-4.1.0-18.el7_1.4.x86_64

I am down to the part where I am trying to make the new RHEL7 server the master 
CA server

On the RHEL6 system, I
# getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
Number of certificates and requests being tracked: 8.
Request ID '20141022190721':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=STT.LOCAL
    subject: CN=CA Subsystem,O=STT.LOCAL
    expires: 2016-10-11 19:06:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

and the 'post-save' command is empty, doesn't track the page. Should I just 
ignore it? I note that the output from this (save for the different file path on 
RHEL6) indicates that the original RHEL6 is still CA Master.
The CRL generation master can be determined by looking at CS.cfg on each CA:
# grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
ca.crl.MasterCRL.enableCRLUpdates=true


Also, when I set up the second new IPA master, do I also make it a CA?

Craig White
System Administrator
O 623-201-8179   M 602-377-9752


SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032


[Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-10 Thread Gustavo Mateus
Hi,

I'm trying to set up my Amazon Linux instances to be able to fetch the IPA
users' public ssh keys.

Do I have to set up a binddn and bindpw in the ldap.conf file and use
/usr/libexec/openssh/ssh-ldap-wrapper, or is there a better way to do it?

Thanks,
Gustavo

Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-10 Thread Prashant Bapat
One way to do it is to write a small script which will fetch the keys from
LDAP.

As for authentication, I make the SSH public key anonymously readable for
everyone.

On 11 September 2015 at 05:00, Gustavo Mateus wrote:

> Hi,
>
> I'm trying to set up my Amazon Linux instances to be able to fetch the IPA
> users' public ssh keys.
>
> Do I have to set up a binddn and bindpw in the ldap.conf file and use
> /usr/libexec/openssh/ssh-ldap-wrapper, or is there a better way to do it?
>
> Thanks,
> Gustavo
>
>
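An AuthorizedKeysCommand helper along the lines the reply above describes, added here as an example and not code from the thread or from FreeIPA: it looks up ipaSshPubKey with an anonymous bind and turns the LDIF into authorized_keys lines, rejoining ldapsearch's wrapped continuation lines and decoding base64 ("::") values. IPA_LDAP_URI and IPA_USER_BASE are assumed values, and valid_user, ldif_to_keys and fetch_keys are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): AuthorizedKeysCommand helper that
# fetches a user's ipaSshPubKey values from the IPA LDAP tree with an
# anonymous simple bind, as the reply above suggests.
# IPA_LDAP_URI and IPA_USER_BASE are assumed values; adjust for your realm.
# Use ldaps:// with TLS_CACERT set in ldap.conf so the keys arrive over a
# server-authenticated channel.
IPA_LDAP_URI="${IPA_LDAP_URI:-ldaps://ipa.example.test}"
IPA_USER_BASE="${IPA_USER_BASE:-cn=users,cn=accounts,dc=example,dc=test}"

# sshd passes %u; only plain POSIX user names may enter the LDAP filter,
# which also keeps filter metacharacters such as "(" and "*" out of it.
valid_user() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# Convert ldapsearch LDIF on stdin into one authorized_keys line per value:
# rejoin continuation lines (leading space), decode "attr::" base64 values,
# drop every attribute other than ipaSshPubKey.
ldif_to_keys() {
  awk '
    function flush() {
      if (tolower(buf) ~ /^ipasshpubkey:: /) print "b64", substr(buf, 16)
      else if (tolower(buf) ~ /^ipasshpubkey: /) print "raw", substr(buf, 15)
      buf = ""
    }
    /^ / { buf = buf substr($0, 2); next }
    { flush(); buf = $0 }
    END { flush() }
  ' | while read -r kind value; do
    case "$kind" in
      raw) printf '%s\n' "$value" ;;
      b64) printf '%s' "$value" | base64 -d; printf '\n' ;;
    esac
  done
}

fetch_keys() {
  valid_user "$1" || return 1
  ldapsearch -LLL -x -H "$IPA_LDAP_URI" -b "$IPA_USER_BASE" \
    "(&(objectClass=posixAccount)(uid=$1))" ipaSshPubKey | ldif_to_keys
}

# sshd_config: AuthorizedKeysCommand /usr/local/bin/ipa-keys.sh %u
#              AuthorizedKeysCommandUser nobody
if [ $# -gt 0 ]; then
  fetch_keys "$1"
fi
```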

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-10 Thread Morgan Marodin
Sorry, I read ipv6.disable=1 in this article
http://www.freeipa.org/page/Active_Directory_trust_setup#Prerequisites, I
understood this prerequisite wrong and went directly to the next chapter;
in my mind I was convinced that IPv6 must be disabled :)

I will try with IPv6 enabled, and then I will tell you if it is ok.

Thanks, Morgan

2015-09-09 18:53 GMT+02:00 Alexander Bokovoy:

> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>
>> Hi Alexander
>>
>> IPv6 stack is disabled on my RHEL-like distro, v7 x64, but is enabled on
>> my Windows 2012.
>> I have read in a freeipa article to disable IPv6.
>>
> Sorry, and why did you decide to disable the IPv6 stack? The FreeIPA article
> explicitly talks about not disabling IPv6.
>
> Samba and FreeIPA LDAP code require working IPv6 stack on the machine.
> You can have a system without IPv6 addresses but do not disable the
> infrastructure. All contemporary networking applications are written
> with the idea that you can use IPv6-only functions and work on both IPv4
> and IPv6 at the same time. See ipv6(7) manual page:
>
> 
> IPv4 connections can be handled with the v6 API by using the
> v4-mapped-on-v6 address type; thus a program needs to support only this
> API type to support both protocols. This is handled transparently by the
> address handling functions in the C library.
>
> IPv4 and IPv6 share the local port space.  When you get an IPv4
> connection or packet to a IPv6 socket, its source address will be mapped
> to v6 and it will be mapped to v6.
> 
>
>
>
>> I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
>> new freeipa server, just installed, in the same network.
>> AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
>> I've installed bind in IPA that contains only the ipa.mydomain.com zone.
>> On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
>> delegated to the linux server (192.168.0.65).
>>
>
>
>> Do you have other questions about my setup?
>> Let me know, thanks.
>> Morgan
>>
>>
>> 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy :
>>
>>> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>>>>
>>>> Hi Alexander.
>>>>
>>>> Ok, after enabling debugging I have these logs:
>>>> ---
>>>> ==> /var/log/httpd/error_log <==
>>>> INFO: Current debug levels:
>>>>   all: 100
>>>>   tdb: 100
>>>>   printdrivers: 100
>>>>   lanman: 100
>>>>   smb: 100
>>>>   rpc_parse: 100
>>>>   rpc_srv: 100
>>>>   rpc_cli: 100
>>>>   passdb: 100
>>>>   sam: 100
>>>>   auth: 100
>>>>   winbind: 100
>>>>   vfs: 100
>>>>   idmap: 100
>>>>   quota: 100
>>>>   acls: 100
>>>>   locking: 100
>>>>   msdfs: 100
>>>>   dmapi: 100
>>>>   registry: 100
>>>>   scavenger: 100
>>>>   dns: 100
>>>>   ldb: 100
>>>> pm_process() returned Yes
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'sasl-EXTERNAL' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>>>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f8a3c224990
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>>>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>>>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>>>> Mapped to DCERPC endpoint \pipe\lsarpc
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>>>
>>> Do you have IPv6 stack enabled?
>>>
>>>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]
>>>>   ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>   s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)]
>>>>   ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>   s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032353,  4, pid=11196, effective(21740, 21740), real(21740, 0)]
>>>>   ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>>   pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
>>>> [2015/09/09 08:45:05.032421,  2, pid=11196, effective(21740, 21740), real(21740, 0), class=rpc_srv]
>>>>   ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>>>>   tstream_npa_connect_recv  to /run/samba/ncalrpc/np for pipe lsarpc and user IPA\admin failed: No such file or directory
>>>>
>>> I'm particularly worrying about this one -- /run/samba/ncalrpc/np pipe
>>> has to be there.
>>>
>>> Can you explain what is your setup in detail?
>>>