Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
Now all is ok :)

# ipa trust-add --type=ad mydomain.com --admin Administrator --password
Active Directory domain administrator's password:
---
Added Active Directory trust for realm "mydomain.com"
---
  Realm name: mydomain.com
  Domain NetBIOS name: MYDOMAIN
  Domain Security Identifier: S-x-x-xx-xx-xx-x
  SID blacklist incoming: S-x-x-xx, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x, S-x-x, S-x-x, S-x-x, S-x-x-xx, S-x-x-xx
  SID blacklist outgoing: S-x-x-xx, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x, S-x-x, S-x-x, S-x-x, S-x-x-xx, S-x-x-xx
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Thanks for your support.
Morgan

2015-09-09 18:53 GMT+02:00 Alexander Bokovoy:
> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>> Hi Alexander
>>
>> IPv6 stack is disabled on my RHEL like distro, v 7 x64, but is enabled on my
>> Windows 2012.
>> I have read in a freeipa article to disable IPv6.
>
> Sorry, and why did you decide to disable IPv6 stack? FreeIPA article
> explicitly talks about not disabling IPv6.
>
> Samba and FreeIPA LDAP code require working IPv6 stack on the machine.
> You can have a system without IPv6 addresses but do not disable the
> infrastructure. All contemporary networking applications are written
> with the idea that you can use IPv6-only functions and work on both IPv4
> and IPv6 at the same time. See ipv6(7) manual page:
>
>     IPv4 connections can be handled with the v6 API by using the
>     v4-mapped-on-v6 address type; thus a program needs to support only this
>     API type to support both protocols. This is handled transparently by the
>     address handling functions in the C library.
>
>     IPv4 and IPv6 share the local port space. When you get an IPv4
>     connection or packet to a IPv6 socket, its source address will be mapped
>     to v6.
>
>> I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
>> new freeipa server, just installed, in the same network.
>> AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
>> I've installed bind in IPA that contains only ipa.mydomain.com zone.
>> In AD servers is configured mydomain.com zone, with ipa.mydomain.com
>> delegation to linux server (192.168.0.65).
>>
>> Do you have other questions about my setup?
>> Let me know, thanks.
>> Morgan
>>
>> 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy:
>>> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>>>> Hi Alexander. Ok, after enabling debugging I have these logs:
>>>> ---
>>>> ==> /var/log/httpd/error_log <==
>>>> INFO: Current debug levels:
>>>>   all: 100
>>>>   tdb: 100
>>>>   printdrivers: 100
>>>>   lanman: 100
>>>>   smb: 100
>>>>   rpc_parse: 100
>>>>   rpc_srv: 100
>>>>   rpc_cli: 100
>>>>   passdb: 100
>>>>   sam: 100
>>>>   auth: 100
>>>>   winbind: 100
>>>>   vfs: 100
>>>>   idmap: 100
>>>>   quota: 100
>>>>   acls: 100
>>>>   locking: 100
>>>>   msdfs: 100
>>>>   dmapi: 100
>>>>   registry: 100
>>>>   scavenger: 100
>>>>   dns: 100
>>>>   ldb: 100
>>>> pm_process() returned Yes
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'sasl-EXTERNAL' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>>>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f8a3c224990
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>>>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>>>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>>>> Mapped to DCERPC endpoint \pipe\lsarpc
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>>> Do you have IPv6 stack enabled?
>>>
>>>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]
>>>>   ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>   s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)]
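The ipv6(7) behaviour Alexander quotes (one AF_INET6 socket serving both families, IPv4 peers showing up as ::ffff:a.b.c.d) is easy to see for yourself. The following is an added example written for this page; it is not code from the thread, from FreeIPA or from Samba. It assumes a host where loopback is reachable; when the IPv6 stack is disabled the way Morgan's was, the probe reports that instead of the mapped address, which is the condition that breaks code written against the v6-only API.

```python
import ipaddress
import socket
from typing import Optional


def v4_mapped(addr: str) -> str:
    """Spell an IPv4 address in the v4-mapped-on-v6 form (::ffff:a.b.c.d)
    that an AF_INET6 socket reports for an IPv4 peer."""
    v4 = ipaddress.IPv4Address(addr)            # raises on a non-IPv4 string
    mapped = ipaddress.IPv6Address(f"::ffff:{v4}")
    if mapped.ipv4_mapped != v4:                # sanity check on the mapping
        raise ValueError(f"mapping failed for {addr}")
    return f"::ffff:{v4}"


def unmap(addr: str) -> str:
    """Undo the mapping so policy code (HBAC, firewall rules, audit logs) can
    compare against plain IPv4 strings; other addresses pass through unchanged."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def ipv6_stack_available() -> bool:
    """True when the kernel lets us create an AF_INET6 socket and bind ::1.
    A host booted with the IPv6 stack disabled fails here, which is the state
    in which v6-API-only code such as the Samba/389-ds paths stops working."""
    if not socket.has_ipv6:
        return False
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind(("::1", 0))
        return True
    except OSError:
        return False


def peer_as_seen_by_v6_socket() -> Optional[str]:
    """Listen on one dual-stack IPv6 socket (IPV6_V6ONLY off), connect to it
    over IPv4 loopback, and return the peer address the v6 socket reports.
    Expected "::ffff:127.0.0.1"; None when the IPv6 stack is unavailable."""
    if not ipv6_stack_available():
        return None
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv:
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            srv.settimeout(5)
            srv.bind(("::", 0))                  # unspecified address: both families
            port = srv.getsockname()[1]
            srv.listen(1)
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
                cli.settimeout(5)
                cli.connect(("127.0.0.1", port))
                conn, peer = srv.accept()
                conn.close()
                return peer[0]
    except OSError:
        return None


if __name__ == "__main__":
    print("IPv6 stack usable:", ipv6_stack_available())
    print("IPv4 peer as seen by an IPv6 socket:", peer_as_seen_by_v6_socket())
    print(v4_mapped("192.168.0.65"), "->", unmap(v4_mapped("192.168.0.65")))
```

The probe is the useful part on a FreeIPA or Samba host: a False from ipv6_stack_available() means address-family-agnostic code will fail even though no IPv6 address is configured, which is exactly the distinction Alexander draws between having no IPv6 addresses and disabling the infrastructure.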
Re: [Freeipa-users] Add objectclasses to computer schema
On 09/09/2015 06:32 PM, Thomas Suiter wrote:
> Is there an equivalent host/computer default objectclasses that there is for ipa config-mod --groupobjectclasses/--userobjectclasses? We are wanting to add some additional attributes to all of the servers. I'm able to add the object class to individual servers but not sure on the procedure so that all new servers automatically get the additional objectclasses when they are enrolled without having to manually add it.

Hello,

LDAP schema is replicated to all servers, you just need to add new objectclass definition via ldapadd.

Just adding changes to user99.ldif directly may not be replicated, you need to add it online.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] attempting to restore IPA
Hello Steven!

I would like to help you but unfortunately I have no chance to guess what went wrong. To help us help you please report any issue in a way described on FreeIPA Troubleshooting page (http://www.freeipa.org/page/Troubleshooting). Most importantly we need the following:

1. Version of FreeIPA you are using.
2. Precise description of the problem. Stating that "password does not work" is not specific enough. Does "kinit admin" fail? With what error message? What is in kdc log? Or does SSH login fail? Does the login on client using the restored server work?
3. Steps that you did before the problem occurred. How was the mentioned backup created? Was the FreeIPA server reinstalled since the backup was taken? Was any password changed after the backup? Was any error/warning reported during the restore?
4. Logs. Please include at least iparestore.log and DS and Kerberos logs.

Maybe some of the information I am missing here can be found in the thread you are responding to. But since you have changed the subject I assume you are solving another issue. In that case it makes sense to start a completely new thread and provide all relevant information. Searching for them in an older thread is not only time consuming but also may confuse us as they could be no longer valid and/or relevant.

Do not take me wrong, I am just trying to show you how to ask with a bigger chance of solving the issue for you in less time.

Best regards,
David

On 10/09/15 01:41, Steven Jones wrote:
> So to restore IPA I tried,
>
> ipa-restore --data ipa-full-2015-09-10-10-28-11
>
> and now I cannot login. Opsie. The admin user password doesn't work and neither do my own accounts.
>
> NB I assume the flag --data restores the user data/HBAC rules etc?
>
> regards
> Steven
[Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM
OS: RHEL 7.1 w IDM

I'm seeing these messages in my master's log messages. I don't know if it's related, but I think I started seeing them after I set up a replica. Everything seems to be working fine, but I'm worried that things will break if delta grows beyond a point. I tried steps in https://access.redhat.com/solutions/35640, but it didn't really help. The messages still appear regularly in the log.
Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM
Thanks. I'm not virtualizing though. Should I still add it?

On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway wrote:
> Hi,
>
> I assume you are virtualising.
>
> Try adding "tinker panic 0" to /etc/ntp.conf.
>
> It should make it tolerant to heavily drifting virtual clocks.
>
> Cheers,
>
> Andrew
>
> On 10 September 2015 at 13:46, Prasun Gera wrote:
>> OS: RHEL 7.1 w IDM
>>
>> I'm seeing these messages in my master's log messages. I don't know if it's related, but I think I started seeing them after I set up a replica. Everything seems to be working fine, but I'm worried that things will break if delta grows beyond a point. I tried steps in https://access.redhat.com/solutions/35640, but it didn't really help. The messages still appear regularly in the log.
[Freeipa-users] DNS Server
Hello,

what is the best way to include an external Nameserver for an IPA Host?

My DNS (DNSSEC) server is running on an extra Instance (KVM). Now I have set up an extra Instance for an IPA Master Server and I now have to include the CNAME Server like "smtp.example.com CNAME imap.example.com", or can I include this server another way?

Thanks for an answer,
--
mit freundlichen Grüssen / best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM
Hi,

I assume you are virtualising.

Try adding "tinker panic 0" to /etc/ntp.conf.

It should make it tolerant to heavily drifting virtual clocks.

Cheers,

Andrew

On 10 September 2015 at 13:46, Prasun Gera wrote:
> OS: RHEL 7.1 w IDM
>
> I'm seeing these messages in my master's log messages. I don't know if it's related, but I think I started seeing them after I set up a replica. Everything seems to be working fine, but I'm worried that things will break if delta grows beyond a point. I tried steps in https://access.redhat.com/solutions/35640, but it didn't really help. The messages still appear regularly in the log.
Re: [Freeipa-users] Add objectclasses to computer schema
Thomas Suiter wrote:
> Is there an equivalent host/computer default objectclasses that there is for ipa config-mod --groupobjectclasses/--userobjectclasses? We are wanting to add some additional attributes to all of the servers. I'm able to add the object class to individual servers but not sure on the procedure so that all new servers automatically get the additional objectclasses when they are enrolled without having to manually add it.

No, these lists exist only for users and groups.

A plugin to extend the host object to add objectclasses would be fairly straightforward. Adding a similar option to the config would be slightly more complex.

rob
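The first half of what Martin and Rob describe (get the new objectclass into the replicated schema online, then attach it to host entries) can be prepared and checked before touching a live master. The following is an added example for this page, not code from the thread or from FreeIPA. Everything in it is an assumption chosen for illustration: the OID arc 1.3.6.1.4.1.99999 stands in for an organisation's own IANA private enterprise number, the names corpHost, corpRack and corpOwner are invented, and the LDAPI socket path follows the FreeIPA instance naming for a realm EXAMPLE.COM. The objectClass is deliberately AUXILIARY so it can be added to an existing host entry without changing its structural class.

```python
import re
import subprocess
from typing import Dict, List

# Placeholder OID arc for the example; use your own private enterprise
# number here (assumption, not a real assignment).
OID_ARC = "1.3.6.1.4.1.99999"

# Hypothetical attribute and class names; nothing in the thread names them.
ATTR_RACK, ATTR_OWNER, OC_HOST = "corpRack", "corpOwner", "corpHost"

DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"   # RFC 4517 Directory String


def attribute_type(oid: str, name: str, desc: str, single_value: bool = True) -> str:
    """Build an RFC 4512 attributeTypes value for a case-insensitive string."""
    sv = " SINGLE-VALUE" if single_value else ""
    return (f"( {oid} NAME '{name}' DESC '{desc}' EQUALITY caseIgnoreMatch "
            f"SUBSTR caseIgnoreSubstringsMatch SYNTAX {DIRECTORY_STRING}{sv} )")


def object_class(oid: str, name: str, may: List[str], desc: str,
                 sup: str = "top", kind: str = "AUXILIARY") -> str:
    """Build an objectClasses value; AUXILIARY can be added to an existing
    host entry without touching its structural class."""
    return f"( {oid} NAME '{name}' DESC '{desc}' SUP {sup} {kind} MAY ( {' $ '.join(may)} ) )"


_OC_RE = re.compile(
    r"^\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'"
    r"(?:\s+DESC\s+'(?P<desc>[^']*)')?"
    r"\s+SUP\s+(?P<sup>\S+)\s+(?P<kind>ABSTRACT|STRUCTURAL|AUXILIARY)"
    r"(?:\s+MUST\s+\(?\s*(?P<must>[^()]*?)\s*\)?)?"
    r"(?:\s+MAY\s+\(?\s*(?P<may>[^()]*?)\s*\)?)?\s*\)$")


def parse_object_class(defn: str) -> Dict[str, object]:
    """Parse an objectClasses value back into its parts. A ValueError here
    catches a typo before it is pushed to cn=schema on a live server."""
    m = _OC_RE.match(defn.strip())
    if not m:
        raise ValueError(f"not a valid objectClass definition: {defn}")
    split = lambda s: [x.strip() for x in s.split("$")] if s else []
    return {"oid": m["oid"], "name": m["name"], "desc": m["desc"], "sup": m["sup"],
            "kind": m["kind"], "must": split(m["must"]), "may": split(m["may"])}


def schema_ldif(attrs: List[str], classes: List[str]) -> str:
    """One ldapmodify against cn=schema. 389-ds applies it online, stores it
    in its user schema file and replicates it, which is the point Martin makes
    about not editing the file on disk directly."""
    lines = ["dn: cn=schema", "changetype: modify"]
    if attrs:
        lines.append("add: attributeTypes")
        lines += [f"attributeTypes: {a}" for a in attrs]
    if attrs and classes:
        lines.append("-")
    if classes:
        lines.append("add: objectClasses")
        lines += [f"objectClasses: {c}" for c in classes]
    return "\n".join(lines) + "\n"


def apply_schema(ldif: str,
                 ldap_uri: str = "ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket") -> int:
    """Push the change as Directory Manager (prompts for the password).
    Not exercised by the tests; the socket path is an assumption."""
    proc = subprocess.run(["ldapmodify", "-H", ldap_uri, "-D", "cn=Directory Manager", "-W"],
                          input=ldif, text=True)
    return proc.returncode


if __name__ == "__main__":
    attrs = [attribute_type(f"{OID_ARC}.1.1", ATTR_RACK, "Rack location"),
             attribute_type(f"{OID_ARC}.1.2", ATTR_OWNER, "Owning team")]
    oc = object_class(f"{OID_ARC}.2.1", OC_HOST, [ATTR_RACK, ATTR_OWNER],
                      "Site-specific host attributes")
    parse_object_class(oc)                      # validate before printing
    print(schema_ldif(attrs, [oc]), end="")
```

Once the schema is in place, a single host can be extended with the existing CLI (`ipa host-mod host.example.com --addattr objectclass=corpHost --setattr corpRack=...`); making every newly enrolled host get the class automatically is the plugin work Rob refers to, which this example does not attempt.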
Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM
That's odd. You would normally not need it on bare metal. It could be broken hardware.

On 10 September 2015 at 14:05, Prasun Gera wrote:
> Thanks. I'm not virtualizing though. Should I still add it?
>
> On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway wrote:
>> Hi,
>>
>> I assume you are virtualising.
>>
>> Try adding "tinker panic 0" to /etc/ntp.conf.
>>
>> It should make it tolerant to heavily drifting virtual clocks.
>>
>> Cheers,
>>
>> Andrew
>>
>> On 10 September 2015 at 13:46, Prasun Gera wrote:
>>> OS: RHEL 7.1 w IDM
>>>
>>> I'm seeing these messages in my master's log messages. I don't know if it's related, but I think I started seeing them after I set up a replica. Everything seems to be working fine, but I'm worried that things will break if delta grows beyond a point. I tried steps in https://access.redhat.com/solutions/35640, but it didn't really help. The messages still appear regularly in the log.
Re: [Freeipa-users] DNS Server
On 10.9.2015 15:38, Günther J. Niederwimmer wrote:
> Hello,
>
> what is the best way to include an external Nameserver for an IPA Host?
>
> My DNS (DNSSEC) server is running on an extra Instance (KVM). Now I have set up an extra Instance for an IPA Master Server and I now have to include the CNAME Server like "smtp.example.com CNAME imap.example.com", or can I include this server another way?

Hello,

I'm sorry but I do not understand what you mean by 'include'.

FreeIPA itself requires a bunch of DNS records to be added to whatever DNS server you use - FreeIPA DNS is just an optional thing.

For ordinary hosts/FreeIPA clients it is up to you how you configure DNS, there is no enforced requirement from FreeIPA side.

If you need further information then please describe what exactly you are trying to achieve, what steps you did and what does not work. Of course we also need to know on which OS version you are trying it and which version of ipa-server package you have.

Have a nice day!

--
Petr^2 Spacek
Re: [Freeipa-users] Vector/hi-res logo
On Thu, 10 Sep 2015, Martin Kosek wrote:
> On 09/08/2015 08:13 PM, Ian Pilcher wrote:
>> Now that I'm actually using IPA authentication for a few services within my house, I'm going to set up a simple "start page" with a few links, including a link to IPA web UI for password changes. I'd like to use the FreeIPA logo, but I've only been able to find very small and/or fuzzy versions.
>>
>> Does anyone know where I can find a high-resolution or vector version of the logo?
>>
>> Thanks!
>
> This is interesting problem to have :-) The biggest bitmap image I have is
>
> http://www.freeipa.org/images/freeipa/freeipa-logo.png
>
> Maybe Petr Spacek has some better version, he was involved with the logo recently.

Mo did the original design and SVG is still available at her DeviantArt page: http://pookstar.deviantart.com/art/FreeIPA-logo-57616785

--
/ Alexander Bokovoy
[Freeipa-users] PKI-CAD service fails, IPA won't start
Hello:

So recently, we received some new workstations that I loaded with Ubuntu 12.04. The person who had this sysadmin position before me set up the IPA domain and had it running for quite some time. I went to add one of the systems to the domain through a script he created, something in the configuration failed so I performed an uninstall and was gonna return to it after I retool the script. However, since then IPA has failed to function for more than two minutes at a time.

Upon a "ipactl start" it will start every service (even allowing IPA commands to be executed) until it hits the pki-cad service, where it hangs for a while, then seemingly hits a timeout limit and assumes that it fails. Sometimes it does fail, but ipactl doesn't react to this immediately, and it always seems to hit the timeout. Running a journalctl -f as soon as I can, I see the following:

Sep 10 14:40:42 [IPA server] systemd[1]: Reached target 389 Directory Server.
Sep 10 14:40:42 [IPA server] systemd[1]: Starting 389 Directory Server [org name]
Sep 10 14:40:42 [IPA server] systemd[1]: Ignoring invalid environment 'export KRB5_KTNAME=/etc/dirsrv/ds.keytab': /etc/sysconfig/dirsrv
Sep 10 14:40:42 [IPA server] systemd[1]: Starting 389 Directory Server PKI-IPA
Sep 10 14:40:42 [IPA server] systemd[1]: Ignoring invalid environment 'export KRB5_KTNAME=/etc/dirsrv/ds.keytab': /etc/sysconfig/dirsrv
Sep 10 14:40:43 [IPA server] systemd[1]: Started 389 Directory Server PKI-IPA..
Sep 10 14:40:43 [IPA server] systemd[1]: Started 389 Directory Server [org name]..
Sep 10 14:41:00 [IPA server] systemd[1]: Starting Kerberos 5 KDC...
Sep 10 14:41:00 [IPA server] systemd[1]: Started Kerberos 5 KDC.
Sep 10 14:41:00 [IPA server] systemd[1]: Starting Kerberos 5 Password-changing and Administration...
Sep 10 14:41:01 [IPA server] systemd[1]: Started Kerberos 5 Password-changing and Administration.
Sep 10 14:41:01 [IPA server] systemd[1]: Starting Berkeley Internet Name Domain (DNS)...
[huge wall of DNS config, completes successfully]
Sep 10 14:41:02 [IPA server] systemd[1]: Started Berkeley Internet Name Domain (DNS).
Sep 10 14:41:02 [IPA server] systemd[1]: Starting Host and Network Name Lookups.
Sep 10 14:41:02 [IPA server] systemd[1]: Reached target Host and Network Name Lookups.
Sep 10 14:41:02 [IPA server] systemd[1]: Started IPA memcached daemon, increases IPA server performance.
Sep 10 14:41:03 [IPA server] systemd[1]: Starting The Apache HTTP Server...
Sep 10 14:41:05 [IPA server] httpd[841]: [Thu Sep 10 14:41:05.050236 2015] [so:warn] [pid 841] AH01574: module nss_module is already loaded, skipping
Sep 10 14:41:06 [IPA server] systemd[1]: Started The Apache HTTP Server.
Sep 10 14:41:06 [IPA server] systemd[1]: Starting PKI Certificate Authority Server.
Sep 10 14:41:06 [IPA server] systemd[1]: Reached target PKI Certificate Authority Server.
Sep 10 14:41:06 [IPA server] systemd[1]: Starting PKI Certificate Authority Server pki-ca...
Sep 10 14:41:06 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:06 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:06 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:07 [IPA server] runuser[958]: pam_unix(runuser-l:session): session opened for user pkiuser by (uid=0)
Sep 10 14:41:07 [IPA server] runuser[958]: pam_unix(runuser-l:session): session closed for user pkiuser
Sep 10 14:41:07 [IPA server] named[828]: zone [subnet].in-addr.arpa/IN: sending notifies (serial 2012080892)
Sep 10 14:41:07 [IPA server] named[828]: zone [org name]/IN: sending notifies (serial 2012080918)
Sep 10 14:41:08 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:08 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:08 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:08 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:08 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:08 [IPA server] httpd[846]: GSSAPI client step 2
Sep 10 14:41:08 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:10 [IPA server] httpd[845]: GSSAPI client step 1
Sep 10 14:41:10 [IPA server] httpd[845]: GSSAPI client step 1
Sep 10 14:41:10 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:10 [IPA server] httpd[845]: GSSAPI client step 1
Sep 10 14:41:10 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:10 [IPA server] httpd[845]: GSSAPI client step 2
Sep 10 14:41:10 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:12 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:12 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:12 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:12 [IPA server] runuser[1061]: pam_unix(runuser-l:session): session opened for user pkiuser by (uid=0)
Sep 10 14:41:12 [IPA server] runuser[1061]: pam_unix(runuser-l:session): session closed for user pkiuser
Sep 10 14:41:13 [IPA server] pkicontrol[1039]: /var/lib/pki-ca/pki-ca: line 101:
Re: [Freeipa-users] Vector/hi-res logo
On 09/08/2015 08:13 PM, Ian Pilcher wrote:
> Now that I'm actually using IPA authentication for a few services within my house, I'm going to set up a simple "start page" with a few links, including a link to IPA web UI for password changes. I'd like to use the FreeIPA logo, but I've only been able to find very small and/or fuzzy versions.
>
> Does anyone know where I can find a high-resolution or vector version of the logo?
>
> Thanks!

This is interesting problem to have :-) The biggest bitmap image I have is

http://www.freeipa.org/images/freeipa/freeipa-logo.png

Maybe Petr Spacek has some better version, he was involved with the logo recently.
Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM
The hardware is not very old (Ivy Bridge). The entries appear every few minutes in the log. The /etc/ntp.conf has not been modified manually. It lists 3 servers - 0.rhel.pool.ntp.org, 1 and 2. At the end, there are also a couple of additional local servers with the comment added by /sbin/dhclient-script. The replica on the same network with an identical ntp.conf file doesn't have these messages in the current log. However, if I go back a week, I see similar messages there too. The ping to public ntp servers varies from a few ms to ~50 ms. The ping to local servers is under 1 ms. I followed steps from the first link (ntpd -qg), and the messages have stopped for now, but I suspect that they will reappear later. That's what happened last time I tried that solution.

This is the output from ntpq -pn on the master:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+38.229.71.1     204.123.2.5      2 u   39   64  377   44.300 -1311.8   7.668
+64.6.144.6      128.252.19.1     2 u   25   64  377   38.184 -1327.6  12.615
-129.250.35.251  200.98.196.212   2 u   30   64  377   14.649 -1318.8   7.079
 127.127.1.0     .LOCL.          10 l    -   64    0    0.000    0.000   0.000
*localnetip1     localnetref1     2 u   55   64  377    0.349 -1316.0   8.264
-localnetip2     localnetref2     3 u   64   64  377    0.459 -1309.6  10.516

On Thu, Sep 10, 2015 at 5:27 AM, Andrew Holway wrote:
> It could be the server is trying to access the time server over a heavily congested network which could cause these types of problems.
>
> How old is the hardware?
> How often do these entries appear in the log?
> What is the ping / traceroute to the time server you are using?
> Are there any other machines on the same local network that are using this timeserver? Do they have problems?
>
> On 10 September 2015 at 14:18, Prasun Gera wrote:
>> So I did a bit of googling and tinker panic 0 only makes sense for virtual machines. Is there any way to confirm if it is indeed a hardware issue?
>>
>> On Thu, Sep 10, 2015 at 5:16 AM, Andrew Holway wrote:
>>> That's odd. You would normally not need it on bare metal. It could be broken hardware.
>>>
>>> On 10 September 2015 at 14:05, Prasun Gera wrote:
>>>> Thanks. I'm not virtualizing though. Should I still add it?
>>>>
>>>> On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway wrote:
>>>>> Hi,
>>>>>
>>>>> I assume you are virtualising.
>>>>>
>>>>> Try adding "tinker panic 0" to /etc/ntp.conf.
>>>>>
>>>>> It should make it tolerant to heavily drifting virtual clocks.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Andrew
>>>>>
>>>>> On 10 September 2015 at 13:46, Prasun Gera wrote:
>>>>>> OS: RHEL 7.1 w IDM
>>>>>>
>>>>>> I'm seeing these messages in my master's log messages. I don't know if it's related, but I think I started seeing them after I set up a replica. Everything seems to be working fine, but I'm worried that things will break if delta grows beyond a point. I tried steps in https://access.redhat.com/solutions/35640, but it didn't really help. The messages still appear regularly in the log.
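For a Kerberos KDC the number that matters in that table is the offset of the selected peer against the default krb5 clockskew of five minutes (300 s), because past that point AS and TGS exchanges start failing. The following is an added example for this page, not code from the thread or from FreeIPA or ntp: it parses the ntpq -pn output Prasun posted (reproduced here as constructed sample input, with the placeholder peer names kept), picks out the system peer, flags unreachable peers and any offset beyond the Kerberos tolerance, and extracts the measured drift from ntpd's frequency-error lines (the syslog lines below are constructed in the shape of the message the thread is about; ntpd refuses frequency corrections larger than 500 PPM).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the ntpq -pn output posted earlier in the thread.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+38.229.71.1     204.123.2.5      2 u   39   64  377   44.300 -1311.8   7.668
+64.6.144.6      128.252.19.1     2 u   25   64  377   38.184 -1327.6  12.615
-129.250.35.251  200.98.196.212   2 u   30   64  377   14.649 -1318.8   7.079
 127.127.1.0     .LOCL.          10 l    -   64    0    0.000    0.000   0.000
*localnetip1     localnetref1     2 u   55   64  377    0.349 -1316.0   8.264
-localnetip2     localnetref2     3 u   64   64  377    0.459 -1309.6  10.516
"""

# Constructed syslog lines in the shape of the message the thread is about.
SAMPLE_SYSLOG = """\
Sep 10 09:12:01 ipa1 ntpd[1234]: frequency error -512 PPM exceeds tolerance 500 PPM
Sep 10 09:15:33 ipa1 ntpd[1234]: synchronized to localnetip1, stratum 2
Sep 10 09:20:33 ipa1 ntpd[1234]: frequency error 523 PPM exceeds tolerance 500 PPM
"""

KRB5_CLOCKSKEW_MS = 5 * 60 * 1000   # MIT krb5 default clockskew (300 s)
NTP_MAXFREQ_PPM = 500               # ntpd's hard limit on frequency correction

TALLY = {"*": "syspeer", "+": "candidate", "#": "backup", "-": "outlier",
         "x": "falseticker", ".": "excess", " ": "discarded", "o": "pps"}


def parse_ntpq(text: str) -> List[Dict[str, object]]:
    """Turn `ntpq -pn` output into records. The tally code is column 0;
    reach is an octal shift register of the last eight polls."""
    peers = []
    for line in text.splitlines()[2:]:            # skip header and ruler
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            raise ValueError(f"unexpected ntpq line: {line!r}")
        peers.append({
            "status": TALLY.get(tally, "unknown"),
            "remote": fields[0], "refid": fields[1], "stratum": int(fields[2]),
            "type": fields[3], "when": None if fields[4] == "-" else int(fields[4]),
            "poll": int(fields[5]), "reach": int(fields[6], 8),
            "delay_ms": float(fields[7]), "offset_ms": float(fields[8]),
            "jitter_ms": float(fields[9]),
        })
    return peers


def syspeer(peers: List[Dict[str, object]]) -> Optional[Dict[str, object]]:
    """The peer ntpd is actually steering the clock by (tally '*')."""
    return next((p for p in peers if p["status"] == "syspeer"), None)


def unreachable(peers: List[Dict[str, object]]) -> List[str]:
    """Network peers that answered none of the last eight polls."""
    return [p["remote"] for p in peers if p["type"] != "l" and p["reach"] == 0]


def worst_offset_ms(peers: List[Dict[str, object]]) -> float:
    """Largest absolute offset reported by any network peer."""
    return max(abs(p["offset_ms"]) for p in peers if p["type"] != "l")


def within_kerberos_skew(peers: List[Dict[str, object]]) -> bool:
    """False when there is no system peer or it puts us further off than
    the default krb5 clockskew; that is where Kerberos starts to break."""
    sp = syspeer(peers)
    return sp is not None and abs(sp["offset_ms"]) < KRB5_CLOCKSKEW_MS


_FREQ_RE = re.compile(r"frequency error (-?\d+) PPM exceeds tolerance (\d+) PPM")


def frequency_errors(log: str) -> List[Tuple[int, int]]:
    """(measured_ppm, tolerance_ppm) for each ntpd frequency-error line."""
    return [(int(a), int(b)) for a, b in _FREQ_RE.findall(log)]


if __name__ == "__main__":
    peers = parse_ntpq(SAMPLE_NTPQ)
    sp = syspeer(peers)
    print(f"syspeer {sp['remote']}: offset {sp['offset_ms']} ms, "
          f"worst {worst_offset_ms(peers)} ms, unreachable {unreachable(peers)}")
    print("within Kerberos skew:", within_kerberos_skew(peers))
    for ppm, tol in frequency_errors(SAMPLE_SYSLOG):
        print(f"measured drift {ppm} PPM exceeds ntpd limit {tol} PPM")
```

On the posted table the master is about 1.3 s behind every peer, so Kerberos is nowhere near its limit; the concern is the drift, since a clock that needs more than 500 PPM of correction is one ntpd will not discipline, which is why the thread's "will it keep growing" question is the right one.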
Re: [Freeipa-users] certificate add subject alt Name
Hi,

I'm not sure I understood all of your problem, but here is some information that may help:

- First, you don't change a certificate, but you can revoke it and make a new one.
- If you need to add a SubjectAltName to a certificate, you may have realized that the -D parameter makes the request get rejected by FreeIPA when you try this:

ipa-getcert request -d $NSSPATH -n $CERTNAME -p $PWDFILE -N "CN=$FQDN,O=$DOMAIN" -D "$CNAME" -K $PRINCIPAL

You have to force FreeIPA to recognise the CNAME first.

$ ipa host-add cname.domain --force
$ ipa service-add service/fqdn
$ ipa service-add service/cname.domain --force
$ ipa service-add-host service/cname.domain --host fqdn

Then the ipa-getcert request will work.

I hope it helps (you or anyone else needing a subjectaltname in a certificate).

Cheers,
--
Youenn Piolet
piole...@gmail.com

2015-09-09 18:12 GMT+02:00 Petr Spacek:
> On 5.9.2015 12:48, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> System CentOS 7.
>>
>> is it possible to change a certificate to add a subject alt name?
>>
>> My "Problem" is, I have a Mail Server with name smtp.example.com and the correct service certificates smtp/smtp.example.com & imap/example.com. Now I make in my DNS Server (is an external system) a new Record "imap IN CNAME smtp" but this is now missing in the certificate?
>>
>> The Problem I mean is DNSSEC, so I can't setup this with freeIPA and I don't have a host/imap.example.com.
>
> I'm sorry but I do not see how this is related to DNS. It might not be related to IPA at all.
>
> IPA only issues the cert. If the cert contains both subjectAltNames then the problem is likely in your DNS configuration or in configuration on the application server side (where you installed the cert).
>
> Unfortunately I'm not able to tell you more without more details - what application you use, what versions, how you configured it, etc.
>
> --
> Petr^2 Spacek
Re: [Freeipa-users] Logging?
On 09/09/2015 09:50 PM, Janelle wrote:
> Hello,
>
> I was wondering if anyone has played with the extended logging of IPA and specifically SSSD and the kibana dashboards they put together.
> https://www.freeipa.org/page/Centralized_Logging
>
> I can't seem to get "clients" to send the login info (https://www.freeipa.org/images/6/65/Rek-user-logins.png), even though I see the data in the logs, and was wondering if anyone has any tips?
>
> Thank you
> ~Janelle

Thanks for feedback, I am CCing Peter Schiffer and Jakub Hrozek who were involved more in the client parts.

What did you run for configuring the client? ipa-log-config from https://github.com/pschiffe/ipa-log-config ?
Re: [Freeipa-users] Logging?
On 9/10/15 7:55 AM, Martin Kosek wrote:
> On 09/09/2015 09:50 PM, Janelle wrote:
>> Hello,
>>
>> I was wondering if anyone has played with the extended logging of IPA and specifically SSSD and the kibana dashboards they put together.
>> https://www.freeipa.org/page/Centralized_Logging
>>
>> I can't seem to get "clients" to send the login info (https://www.freeipa.org/images/6/65/Rek-user-logins.png), even though I see the data in the logs, and was wondering if anyone has any tips?
>>
>> Thank you
>> ~Janelle
>
> Thanks for feedback, I am CCing Peter Schiffer and Jakub Hrozek who were involved more in the client parts.
>
> What did you run for configuring the client? ipa-log-config from https://github.com/pschiffe/ipa-log-config ?

Hi Martin,

Yes, I did run the log config tool. It works flawlessly on the IPA servers, but although it claims it sets everything up on clients, I am seeing no actual data, even though there is data in the logs themselves. So I am busy trying to debug where rsyslog is missing something. I am more of a syslog-ng person, so I am having to learn all the bits and pieces of rsyslog, and perhaps I am missing something.

To further help -- I have tried 2 methods of a client. One with a client that was "enrolled" via standard ipa-client-install, and another LDAP-only client, still using SSSD but only configured with LDAP settings for Auth.

~J
Re: [Freeipa-users] Vector/hi-res logo
On 10.9.2015 17:22, Alexander Bokovoy wrote:
> On Thu, 10 Sep 2015, Martin Kosek wrote:
>> On 09/08/2015 08:13 PM, Ian Pilcher wrote:
>>> Now that I'm actually using IPA authentication for a few services within my house, I'm going to set up a simple "start page" with a few links, including a link to IPA web UI for password changes. I'd like to use the FreeIPA logo, but I've only been able to find very small and/or fuzzy versions.
>>>
>>> Does anyone know where I can find a high-resolution or vector version of the logo?
>>>
>>> Thanks!
>>
>> This is interesting problem to have :-) The biggest bitmap image I have is
>>
>> http://www.freeipa.org/images/freeipa/freeipa-logo.png
>>
>> Maybe Petr Spacek has some better version, he was involved with the logo recently.
>
> Mo did the original design and SVG is still available at her DeviantArt page: http://pookstar.deviantart.com/art/FreeIPA-logo-57616785

I've uploaded the SVG file I found somewhere to http://www.freeipa.org/page/File:FreeIPA.svg so we do not lose it over time :-)

--
Petr^2 Spacek
Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM
So I did a bit of googling and tinker panic 0 only makes sense for virtual machines. Is there any way to confirm if it is indeed a hardware issue?

On Thu, Sep 10, 2015 at 5:16 AM, Andrew Holway wrote:
> That's odd. You would normally not need it on bare metal. It could be broken hardware.
>
> On 10 September 2015 at 14:05, Prasun Gera wrote:
>> Thanks. I'm not virtualizing though. Should I still add it?
>>
>> On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway wrote:
>>> Hi,
>>>
>>> I assume you are virtualising.
>>>
>>> Try adding "tinker panic 0" to /etc/ntp.conf.
>>>
>>> It should make it tolerant to heavily drifting virtual clocks.
>>>
>>> Cheers,
>>>
>>> Andrew
>>>
>>> On 10 September 2015 at 13:46, Prasun Gera wrote:
>>>> OS: RHEL 7.1 w IDM
>>>>
>>>> I'm seeing these messages in my master's log messages. I don't know if it's related, but I think I started seeing them after I set up a replica. Everything seems to be working fine, but I'm worried that things will break if delta grows beyond a point. I tried steps in https://access.redhat.com/solutions/35640, but it didn't really help. The messages still appear regularly in the log.
[Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master
Following instructions from here...
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

RHEL6 server
# rpm -qa ipa-server
ipa-server-3.0.0-42.el6.x86_64

RHEL7 server
# rpm -q ipa-server
ipa-server-4.1.0-18.el7_1.4.x86_64

I am down to the part where I am trying to make the new RHEL7 server the
master CA server

On the RHEL6 system, I
# getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
Number of certificates and requests being tracked: 8.
Request ID '20141022190721':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=STT.LOCAL
        subject: CN=CA Subsystem,O=STT.LOCAL
        expires: 2016-10-11 19:06:36 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

and the 'post-save' command is empty, doesn't track the page. Should I just ignore?

I note that the output from this (save for different file path on RHEL6)
indicates that the original RHEL6 is still CA Master

The CRL generation master can be determined by looking at CS.cfg on each CA:
# grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
ca.crl.MasterCRL.enableCRLUpdates=true

Also, when I set up the second new IPA master, do I also make it a CA?

Craig White
System Administrator
O 623-201-8179 M 602-377-9752
SkyTouch Technology
4225 E. Windrose Dr. Phoenix, AZ 85032
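When checking which server is the CA renewal/CRL master during a migration, it is easy to misread a wall of getcert output. The following is an added example, not code from the post or from FreeIPA: it parses `getcert list` output into one record per tracked request, flags records whose post-save command is empty, whose auto-renew is off, or that expire soon, and reads the `ca.crl.MasterCRL.enableCRLUpdates` key from CS.cfg the way the post's grep does. The sample output embedded below is constructed (invented request IDs, realm, dates and a placeholder hook path); the file paths in the `__main__` block are assumptions for a RHEL 7 CA.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
CRL_MASTER_KEY = "ca.crl.MasterCRL.enableCRLUpdates"

# Constructed 'getcert list' output in the layout the post shows. The second
# record's post-save command is a placeholder path, not IPA's real helper.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20141022190721':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin=OBSCURED
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=CA Subsystem,O=EXAMPLE.TEST
        expires: 2016-10-11 19:06:36 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20141022190722':
        status: MONITORING
        stuck: no
        CA: dogtag-ipa-renew-agent
        subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
        expires: 2015-10-01 00:00:00 UTC
        post-save command: /usr/libexec/placeholder-post-save-hook
        track: yes
        auto-renew: no
"""


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Turn getcert's 'Request ID ...:' blocks into dicts keyed by the indented field names."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        if not records or not raw[:1].isspace():
            continue  # header line or stray text outside a record
        key, sep, value = raw.strip().partition(":")  # split on the first colon only
        if sep:
            current[key.strip()] = value.strip()
    return records


def parse_expiry(value: str) -> datetime:
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def audit(records: List[Dict[str, str]], now: datetime, warn_days: int = 90) -> List[str]:
    """Return human-readable findings for anything that deserves a look before migrating."""
    findings = []
    for r in records:
        tag = f"{r['request_id']} ({r.get('subject', '?')})"
        if r.get("status") != "MONITORING" or r.get("stuck") != "no":
            findings.append(f"{tag}: status={r.get('status')} stuck={r.get('stuck')}")
        if r.get("auto-renew") != "yes":
            findings.append(f"{tag}: auto-renew is off")
        if not r.get("post-save command"):
            findings.append(f"{tag}: no post-save command, nothing will run after renewal")
        if "expires" in r and parse_expiry(r["expires"]) - now < timedelta(days=warn_days):
            findings.append(f"{tag}: expires {r['expires']} (within {warn_days} days)")
    return findings


def is_crl_master(cs_cfg_text: str) -> bool:
    """True when CS.cfg says this CA generates the master CRL (the post's grep check)."""
    for line in cs_cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == CRL_MASTER_KEY:
            return value.strip().lower() == "true"
    return False


if __name__ == "__main__":
    import pathlib
    import subprocess

    nssdb = "/etc/pki/pki-tomcat/alias"          # assumption: RHEL 7 CA NSS database
    cs_cfg = pathlib.Path("/etc/pki/pki-tomcat/ca/CS.cfg")  # path from the post
    try:
        text = subprocess.run(["getcert", "list", "-d", nssdb], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_GETCERT
    for line in audit(parse_getcert_list(text), datetime.now(timezone.utc)):
        print(line)
    if cs_cfg.exists():
        print("CRL master:", is_crl_master(cs_cfg.read_text()))
```

Run the same script on both the old and the new CA; the one whose CS.cfg reports `True` is still generating CRLs, which answers the "who is master" question without reading the whole certmonger listing by eye.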
[Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd
Hi,

I'm trying to setup my Amazon Linux instances to be able to fetch the IPA
users' public ssh keys.

Do I have to setup a binddn and bindpw in the ldap.conf file and use
/usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it?

Thanks,
Gustavo
Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd
One way to do it is to write a small script which will fetch the keys from
LDAP. As for authentication, I make the SSH public key anonymously readable
for everyone.

On 11 September 2015 at 05:00, Gustavo Mateus wrote:
> Hi,
>
> I'm trying to setup my Amazon Linux instances to be able to fetch the IPA
> users' public ssh keys.
>
> Do I have to setup a binddn and bindpw in the ldap.conf file and use
> /usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it?
>
> Thanks,
> Gustavo
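A script of the kind the reply describes, written out as an added example (not the reply author's script and not part of FreeIPA): sshd passes the login name as the single argument, the script runs an anonymous `ldapsearch` for that user's `ipaSshPubKey` values (FreeIPA's attribute for SSH public keys) and prints them in authorized_keys form. Two details matter on the security side and are handled here: the username is escaped per RFC 4515 before it goes into the search filter, so a crafted login name cannot change the query, and the LDIF parser unfolds wrapped lines and decodes `::` base64 values, which ldapsearch emits for values that are not plain LDIF-safe strings. The server URI, base DN and username policy are assumptions to adjust; the LDIF sample is constructed in the block for the offline test.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper: print a user's ipaSshPubKey values from IPA LDAP."""
import base64
import re
import subprocess
import sys
from typing import List

LDAP_URI = "ldaps://ipa.example.test"                     # assumption: your IPA server
USER_BASE = "cn=users,cn=accounts,dc=example,dc=test"     # assumption: your users container
KEY_ATTR = "ipaSshPubKey"                                 # FreeIPA's SSH public key attribute
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.][A-Za-z0-9_.-]{0,63}$")  # assumption: local naming policy


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: *, (, ), backslash and NUL become \\xx so the name cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(username: str) -> str:
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(username)}))"


def parse_ldif_keys(ldif: str, attr: str = KEY_ATTR) -> List[str]:
    """Collect attr values from ldapsearch LDIF, unfolding continuation lines and decoding '::' base64."""
    unfolded: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF folds long lines with a leading space
        else:
            unfolded.append(line)
    keys: List[str] = []
    for line in unfolded:
        if line.startswith(attr + ":: "):
            keys.append(base64.b64decode(line[len(attr) + 3:]).decode("utf-8").strip())
        elif line.startswith(attr + ": "):
            keys.append(line[len(attr) + 2:].strip())
    return keys


def fetch_keys(username: str) -> List[str]:
    """Anonymous search (-x) as the reply describes; returns [] on any failure so sshd just denies."""
    if not USERNAME_RE.match(username):
        return []
    cmd = ["ldapsearch", "-x", "-LLL", "-H", LDAP_URI, "-b", USER_BASE,
           build_filter(username), KEY_ATTR]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return []
    return parse_ldif_keys(out.stdout) if out.returncode == 0 else []


# Constructed LDIF as 'ldapsearch -LLL' would print it: one value folded at an
# arbitrary column, one base64 value (a trailing newline makes it non-safe).
_KEY1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEX alice@laptop"
_KEY2 = "ssh-rsa AAAAB3NzaC1yc2EXAMPLEEXAMPLE alice@desktop"
SAMPLE_LDIF = (
    "dn: uid=alice," + USER_BASE + "\n"
    + KEY_ATTR + ": " + _KEY1[:60] + "\n " + _KEY1[60:] + "\n"
    + KEY_ATTR + ":: " + base64.b64encode((_KEY2 + "\n").encode()).decode() + "\n"
    + "\n"
)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(2)
    for key in fetch_keys(sys.argv[1]):
        print(key)
```

Wire it up with `AuthorizedKeysCommand /path/to/this-script` and `AuthorizedKeysCommandUser nobody` in sshd_config; sshd refuses to run the command unless the script is owned by root and not writable by group or others. If the attribute is not anonymously readable in your directory, replace `-x` with a read-only bind (`-D`/`-y`) rather than loosening the ACI. On clients that run SSSD instead of nss-pam-ldapd, `sss_ssh_authorizedkeys` already does this job.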
Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
Sorry, I've read ipv6.disable=1 in this article
http://www.freeipa.org/page/Active_Directory_trust_setup#Prerequisites,
I misunderstood this prerequisite and went directly to the next chapter,
in my mind I was convinced that IPv6 must be disabled :)

I will try with IPv6 enabled, and then I will tell you if it is ok.

Thanks, Morgan

2015-09-09 18:53 GMT+02:00 Alexander Bokovoy:
> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>
>> Hi Alexander
>>
>> IPv6 stack is disabled on my RHEL like distro, v 7 x64, but is enabled on
>> my Windows 2012.
>> I have read in a freeipa article to disable IPv6.
>>
> Sorry, and why did you decide to disable the IPv6 stack? The FreeIPA article
> explicitly talks about not disabling IPv6.
>
> Samba and FreeIPA LDAP code require working IPv6 stack on the machine.
> You can have a system without IPv6 addresses but do not disable the
> infrastructure. All contemporary networking applications are written
> with the idea that you can use IPv6-only functions and work on both IPv4
> and IPv6 at the same time. See ipv6(7) manual page:
>
>     IPv4 connections can be handled with the v6 API by using the
>     v4-mapped-on-v6 address type; thus a program needs to support only this
>     API type to support both protocols. This is handled transparently by the
>     address handling functions in the C library.
>
>     IPv4 and IPv6 share the local port space. When you get an IPv4
>     connection or packet to a IPv6 socket, its source address will be mapped
>     to v6 and it will be mapped to v6.
>
>> I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
>> new freeipa server, just installed, in the same network.
>> AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
>> I've installed bind in IPA that contains only ipa.mydomain.com zone.
>> In AD servers is configured mydomain.com zone, with ipa.mydomain.com
>> delegation to linux server (192.168.0.65).
>>
>> Do you have other questions about my setup?
>> Let me know, thanks.
>> Morgan
>>
>> 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy:
>>
>>> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>>>
>>>> Hi Alexander. Ok, after enabling debugging I have these logs:
>>>> ---
>>>> ==> /var/log/httpd/error_log <==
>>>> INFO: Current debug levels:
>>>>   all: 100
>>>>   tdb: 100
>>>>   printdrivers: 100
>>>>   lanman: 100
>>>>   smb: 100
>>>>   rpc_parse: 100
>>>>   rpc_srv: 100
>>>>   rpc_cli: 100
>>>>   passdb: 100
>>>>   sam: 100
>>>>   auth: 100
>>>>   winbind: 100
>>>>   vfs: 100
>>>>   idmap: 100
>>>>   quota: 100
>>>>   acls: 100
>>>>   locking: 100
>>>>   msdfs: 100
>>>>   dmapi: 100
>>>>   registry: 100
>>>>   scavenger: 100
>>>>   dns: 100
>>>>   ldb: 100
>>>> pm_process() returned Yes
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'sasl-EXTERNAL' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>>>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f8a3c224990
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>>>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>>>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>>>> Mapped to DCERPC endpoint \pipe\lsarpc
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>>> Do you have IPv6 stack enabled?
>>>
>>>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>   s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>   s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032353, 4, pid=11196, effective(21740, 21740), real(21740, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>>   pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
>>>> [2015/09/09 08:45:05.032421, 2, pid=11196, effective(21740, 21740), real(21740, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>>>>   tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc and user IPA\admin failed: No such file or directory
>>> I'm particularly worried about this one -- /run/samba/ncalrpc/np pipe
>>> has to be there.
>>>
>>> Can you explain what is your setup in detail?
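The distinction Alexander draws (no IPv6 addresses is fine, no IPv6 stack is not) can be checked before starting a trust setup. The script below is an added example, not part of the thread or of FreeIPA: it looks for `ipv6.disable=1` on the kernel command line, reads the `disable_ipv6` sysctl (which only removes addresses and keeps the stack usable), and then does what the quoted ipv6(7) text describes: it binds a dual-stack AF_INET6 listener and connects to it over plain IPv4, expecting the peer to show up as a v4-mapped-on-v6 address. The /proc paths are the standard Linux ones and are assumptions for other kernels.

```python
import ipaddress
import socket
from typing import Dict, Optional

SYSCTL_PATHS = (
    "/proc/sys/net/ipv6/conf/all/disable_ipv6",
    "/proc/sys/net/ipv6/conf/default/disable_ipv6",
)


def cmdline_disables_ipv6(cmdline: str) -> bool:
    """True if the kernel was booted with ipv6.disable=1, the setting the post misread."""
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        if sep and key == "ipv6.disable" and value.strip() == "1":
            return True
    return False


def sysctl_disables_ipv6() -> Optional[bool]:
    """Addresses-only switch: True if disable_ipv6 is set. None when /proc lacks the IPv6 tree
    (which itself means the stack is absent)."""
    try:
        with open(SYSCTL_PATHS[0]) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def as_v4_mapped(ipv4: str) -> str:
    """The v4-mapped-on-v6 form of an IPv4 address (::ffff:a.b.c.d)."""
    return "::ffff:" + str(ipaddress.IPv4Address(ipv4))


def unmap(addr: str) -> Optional[str]:
    """Recover the IPv4 address from a v4-mapped-on-v6 peer address; None for native v6."""
    v4 = ipaddress.IPv6Address(addr).ipv4_mapped
    return str(v4) if v4 is not None else None


def ipv6_stack_check() -> Dict[str, object]:
    """Bind a dual-stack v6 listener and connect to it over IPv4, as ipv6(7) says programs may."""
    result: Dict[str, object] = {"ipv6_socket": False, "v4_mapped_peer": None, "error": None}
    srv = cli = None
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        result["ipv6_socket"] = True            # the stack exists; Samba's first requirement
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)  # accept IPv4 clients too
        srv.settimeout(2)
        srv.bind(("::", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        cli = socket.create_connection(("127.0.0.1", port), timeout=2)
        conn, peer = srv.accept()
        conn.close()
        result["v4_mapped_peer"] = peer[0]      # '::ffff:127.0.0.1' on a working stack
    except OSError as exc:
        result["error"] = str(exc)
    finally:
        for s in (srv, cli):
            if s is not None:
                s.close()
    return result


if __name__ == "__main__":
    try:
        with open("/proc/cmdline") as fh:
            print("ipv6.disable=1 on cmdline:", cmdline_disables_ipv6(fh.read()))
    except OSError:
        print("cannot read /proc/cmdline (not Linux?)")
    print("disable_ipv6 sysctl:", sysctl_disables_ipv6())
    print("dual-stack socket test:", ipv6_stack_check())
```

On a host where the stack is present but no IPv6 addresses are configured, the socket test still succeeds and the peer comes back as `::ffff:127.0.0.1`; that is the configuration the reply calls acceptable. `ipv6_socket: False` with an "Address family not supported" error is the state that breaks Samba and the LDAP code.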