Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

2015-11-02 Thread Martin Kosek
On 11/02/2015 05:48 PM, Martin Kosek wrote:
> Hello everyone,
> 
> Fedora 23 with the new and shiny FreeIPA 4.2 will be out tomorrow. The release
> adds a lot of new exciting functionality and we are eager to hear your thoughts
> on the release [1].
> 
> Unfortunately, the FreeIPA upgrade on Fedora 23 is broken at the moment and
> fails on updating the LDAP schema. The problem is tracked in Red Hat Bugzilla
> [2]. The problem is fixed in the upstream project; the development team is now
> working on releasing FreeIPA upstream release 4.2.3 ASAP and also publishing it
> as a 0-day update for Fedora 23. This situation should be resolved within a
> couple of days, when the released build hits the official Fedora repos and
> mirrors.
> 
> Until the fixed FreeIPA version is released and in the Fedora repos, please
> wait with updating your existing FreeIPA installation.
> 
> We will keep you posted. We are very sorry for the inconvenience.
> 
> [1] http://www.freeipa.org/page/Releases/4.2.0
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1274905
> 

The respective F23 updates are now heading to testing repo:

FreeIPA: https://bodhi.fedoraproject.org/updates/FEDORA-2015-4d94884a7e
pki-core: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f12c332a2f

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Duplicate objects after 4.1 ipa-server upgrade

2015-11-02 Thread Martin Kosek
On 11/03/2015 12:05 AM, Andrew Krause wrote:
> After upgrading to 4.1 I have duplicated permission objects in my directory
> with names including nsuniqueid.  Is it safe to delete all of these objects?
> Somehow this is only causing an issue for a specific user hitting a specific
> HBAC policy.
> 
> (Mon Nov  2 14:29:23 2015) [sssd[be[blue-shift.com]]] [hbac_eval_user_element] (0x0080): Parse error on [cn=Read PassSync Managers Configuration+nsuniqueid=4ae3220f-4d2b11e5-a06ffcc2-215714a9 ..
> (Mon Nov  2 14:29:23 2015) [sssd[be[blue-shift.com]]] [hbac_ctx_to_rules] (0x0020): Could not construct eval request
> (Mon Nov  2 14:29:23 2015) [sssd[be[blue-shift.com]]] [ipa_hbac_evaluate_rules] (0x0020): Could not construct HBAC rules
> 
> This is causing authentication to fail for the user in question, and I would
> like to get rid of these useless objects if they are no longer necessary.

It looks like you had some replication problem in your network, or maybe
upgraded 2 FreeIPA instances at the same time, so they both generated
conflicting permissions?

In any case, it should be safe to delete the permissions with nsuniqueid;
FreeIPA should generate the managed permissions from scratch anyway if they
are missing and upgrade is run again.

More info on replication conflicts here:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html#Solving_Common_Replication_Conflicts-Solving_Naming_Conflicts

Martin
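A way to spot the conflict entries Martin describes, added here as an example (it is not code from the thread or from FreeIPA): it parses DNs and sssd domain-log lines for the `+nsuniqueid=` marker and recovers the original DN each duplicate shadows. The DNs, the base DN dc=example,dc=com and the log lines are constructed, modelled on the ones quoted above.

```python
"""Spot 389-ds replication-conflict entries, whose leaf RDN carries an extra
'+nsuniqueid=...' value, both in a list of DNs (e.g. from an ldapsearch under
cn=permissions) and in sssd domain-log lines like the ones quoted above."""
import re
from typing import Dict, List, Optional

# Constructed sample DNs: the clean permission, its conflict duplicate (RDN taken
# from the sssd log in the thread) and an unrelated permission.  Base DN is a placeholder.
SAMPLE_DNS = [
    "cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=example,dc=com",
    "cn=Read PassSync Managers Configuration+nsuniqueid=4ae3220f-4d2b11e5-a06ffcc2-215714a9,"
    "cn=permissions,cn=pbac,dc=example,dc=com",
    "cn=System: Read Users,cn=permissions,cn=pbac,dc=example,dc=com",
]

# Constructed sssd log lines modelled on the thread (full DN instead of the '..' cut).
SAMPLE_LOG = (
    "(Mon Nov  2 14:29:23 2015) [sssd[be[example.com]]] [hbac_eval_user_element] "
    "(0x0080): Parse error on [" + SAMPLE_DNS[1] + "]\n"
    "(Mon Nov  2 14:29:23 2015) [sssd[be[example.com]]] [hbac_ctx_to_rules] "
    "(0x0020): Could not construct eval request\n"
)

def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, leaving backslash-escaped characters (e.g. '\\,') intact."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair together
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts

def conflict_info(dn: str) -> Optional[Dict[str, str]]:
    """If dn is a conflict entry, return its nsuniqueid and the DN of the
    original entry it collided with; otherwise None."""
    rdns = _split_unescaped(dn, ",")
    keep, uid = [], None
    for ava in _split_unescaped(rdns[0], "+"):   # multi-valued leaf RDN
        attr, _, value = ava.partition("=")
        if attr.strip().lower() == "nsuniqueid":
            uid = value.strip()
        else:
            keep.append(ava)
    if uid is None:
        return None
    return {"nsuniqueid": uid, "original_dn": ",".join(["+".join(keep)] + rdns[1:])}

def find_conflicts(dns: List[str]) -> List[Dict[str, str]]:
    """All conflict entries among dns, each with the original DN it shadows."""
    infos = [(dn, conflict_info(dn)) for dn in dns]
    return [dict(info, dn=dn) for dn, info in infos if info]

_LOG_RE = re.compile(r"\[hbac_eval_user_element\] \(0x[0-9a-f]+\): Parse error on \[(.+)\]\s*$")

def conflicts_in_sssd_log(lines: List[str]) -> List[Dict[str, str]]:
    """Conflict DNs that sssd's HBAC evaluator choked on, from domain log lines."""
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if m and conflict_info(m.group(1)):
            hits.append(dict(conflict_info(m.group(1)), dn=m.group(1)))
    return hits
```

Running `find_conflicts` over the DNs returned by an ldapsearch of the permissions container lists exactly the entries Martin says are safe to delete, together with the original each one shadows.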


[Freeipa-users] application specific passwords

2015-11-02 Thread Colton
Hi All,

I'm looking for further information on
https://fedorahosted.org/freeipa/ticket/4510 application specific
passwords.  Has anyone had luck setting up OTP alongside app specific
passwords in FreeIPA directly?

Unfortunately, without having even rudimentary gui tools for the end user I
can't see OTP being useful.  Many mail applications simply authenticate via
password each session and this would break those applications.  Even worse
basic http authentication won't last the length of a session and will
expire after the auth window has elapsed for a given password.

The use case that I'm most frustrated with is my owncloud sync clients.
Owncloud on the desktop seems to setup an adequate user session such that I
haven't had to reauthenticate the client.  The webdav viewer and the mobile
apps on the other hand both cause the user to immediately logout if they
use their otp to login (and potentially locks the user account based on too
many failed password attempts).

Any help on setting up OTP with app specific passwords would be greatly
appreciated.

Thanks,

[Freeipa-users] Duplicate objects after 4.1 ipa-server upgrade

2015-11-02 Thread Andrew Krause
After upgrading to 4.1 I have duplicated permission objects in my directory
with names including nsuniqueid.  Is it safe to delete all of these objects?
Somehow this is only causing an issue for a specific user hitting a specific
HBAC policy.

(Mon Nov  2 14:29:23 2015) [sssd[be[blue-shift.com]]] [hbac_eval_user_element] (0x0080): Parse error on [cn=Read PassSync Managers Configuration+nsuniqueid=4ae3220f-4d2b11e5-a06ffcc2-215714a9 ..
(Mon Nov  2 14:29:23 2015) [sssd[be[blue-shift.com]]] [hbac_ctx_to_rules] (0x0020): Could not construct eval request
(Mon Nov  2 14:29:23 2015) [sssd[be[blue-shift.com]]] [ipa_hbac_evaluate_rules] (0x0020): Could not construct HBAC rules

This is causing authentication to fail for the user in question, and I would
like to get rid of these useless objects if they are no longer necessary.


[Freeipa-users] Announcing FreeIPA 4.2.3

2015-11-02 Thread Petr Vobornik

The FreeIPA team would like to announce FreeIPA v4.2.3 bug fixing release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The
builds are available for Fedora 23 and rawhide. Builds for Fedora 22 are
available in the official COPR repository.


Fedora update: 
 and 
related pki-core update: 



== Highlights in 4.2.3 ==

FreeIPA 4.2.3 is a bugfix release to improve upgrade experience from 
FreeIPA 4.1 for Fedora 23 where Tomcat 8 was introduced.


=== Bug fixes ===
* fixed upgrade failures #5359, #5360 
 and 


* fixed regression in automember Web UI -  disappearing expression

=== Enhancements ===
* new French and German translations
* improved validation of Realm Domains,
* ipa-adtrust-install prints complete SRV records so that they are 
suitable for copy&pasting to zone files


== Upgrading ==
Upgrade instructions are available on upgrade page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users 
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or 
#freeipa channel on Freenode.


== Detailed Changelog since 4.2.2 ==
=== David Kupka (1) ===
* comment: Add Documentation string to deduplicate function

=== Gabe Alford (2) ===
* Remove bind configuration detected question
* Warn if no installation found when running ipa-server-install --uninstall

=== Jan Cholasta (3) ===
* schema: do not derive ipaVaultPublicKey from ipaPublicKey
* upgrade: make sure ldap2 is connected in export_kra_agent_pem
* vault: fix private service vault creation

=== Martin Babinsky (4) ===
* remove ID overrides when deleting a user
* execute user-del pre-callback also during user preservation
* fix class teardown in user plugin tests
* always ask the resolver for the reverse zone when manipulating PTR records

=== Martin Bašti (7) ===
* CI TEST: Vault
* CI Test: add setup_kra options into install scripts
* Replace tab with space in test_user_plugin.py
* DNSSEC CI: wait until DS records is replicated
* DNSSEC: Remove service containers from LDAP after uninstalling
* DNSSEC: warn user if DNSSEC key master is not installed
* KRA: fix check that CA is installed

=== Milan Kubík (6) ===
* ipatests: add fuzzy instances for CA ACL DN and RDN
* ipatests: Add initial CAACLTracker implementation
* tests: add test to check the default ACL
* ipatests: CA ACL - added config templates
* ipatests: added unlock_principal_password and change_principal
* ipatests: CA ACL and cert profile functional test

=== Oleg Fayans (1) ===
* Fixed a timing issue with drill returning non-zero exitcode

=== Petr Voborník (2) ===
* Update .po files
* Become IPA 4.2.3

=== Petr Špaček (1) ===
* ipa-adtrust-install: Print complete SRV records

=== Stanislav Laznicka (1) ===
* Fixes disappearing automember expressions

=== Tomáš Babej (10) ===
* util: Add detect_dns_zone_realm_type helper
* realmdomains: Minor style and wording improvements
* realmdomains: Add validation that realmdomain being added is indeed from our realm
* realmdomains: Issue a warning when automated management of realmdomains failed
* realmdomains: Do not fail due the ValidationError when adding _kerberos TXT record
* tests: Amend result assertions in realmdomains tests
* idoverride: Ignore ValidationErrors when converting the anchor
* tests: Add tests for idoverride object integrity
* trusts: Make trust_show.get_dn raise properly formatted NotFound
* trustdomain: Perform validation of the trust domain first

--
Petr Vobornik


[Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

2015-11-02 Thread Martin Kosek
Hello everyone,

Fedora 23 with the new and shiny FreeIPA 4.2 will be out tomorrow. The release
adds a lot of new exciting functionality and we are eager to hear your thoughts
on the release [1].

Unfortunately, the FreeIPA upgrade on Fedora 23 is broken at the moment and
fails on updating the LDAP schema. The problem is tracked in Red Hat Bugzilla
[2]. The problem is fixed in the upstream project; the development team is now
working on releasing FreeIPA upstream release 4.2.3 ASAP and also publishing it
as a 0-day update for Fedora 23. This situation should be resolved within a
couple of days, when the released build hits the official Fedora repos and mirrors.

Until the fixed FreeIPA version is released and in the Fedora repos, please
wait with updating your existing FreeIPA installation.

We will keep you posted. We are very sorry for the inconvenience.

[1] http://www.freeipa.org/page/Releases/4.2.0
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1274905

-- 
Martin Kosek 
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.



Re: [Freeipa-users] What is the recommended procedure for upgrading clients and servers to F23?

2015-11-02 Thread Martin Kosek
On 10/31/2015 06:54 PM, Fujisan wrote:
> Hi there,
> 
> F23 is coming out very soon and I'm wondering what machine I should upgrade
> first, the ipa clients or the ipa servers?

It should not matter, for normal FreeIPA function. Older clients will not be
able to use new FreeIPA server features, but the old ones should work.

> In other words, can the ipa system work with ipa client upgraded to 4.2 and
> the servers still at 4.1.4?

Yes. Except that the "ipa" command itself will not work, as it cannot work with an
older server. You would need to use the "ipa" command from the FreeIPA server itself or
some other machine with the same or lower version.

> Or do I have to upgrade the servers first?
> 
> And should I upgrade to freeipa 4.2 first and then upgrade the machines to
> F23?

More info here:
http://www.freeipa.org/page/Client#Compatibility

Before you start upgrading FreeIPA servers to Fedora 23, please wait until
https://bugzilla.redhat.com/show_bug.cgi?id=1274905
is fixed.

We would like to release a new FreeIPA version today or tomorrow and do the
Fedora 23 0day update with the fix. We are sorry for the inconvenience.



Re: [Freeipa-users] Sync IPA and AD while using external CA

2015-11-02 Thread mitra dehghan
Hello,
This is the approach I have followed till now:
I edited /etc/openldap/ldap.conf as follows:
TLS_REQCERT allow
After restarting dirsrv and using Active Directory's CA file in the --cacert
switch it proceeded to make the Sync agreement but failed to do the update with this
error:

NSMMReplicationPlugin - agmt="cn=meToad-sercer.local.dc" (ad-server:389) :
Replication bind with SIMPLE auth failed: LDAP error -11 (connect error)
(TLS error -8174:security library: bad database.)

slapi_ldap_bind - Error: could not send startTLS request: error -11
(connect error) errno 0 (Success)

I would be glad if anyone could help me to resolve the error.

On Sat, Oct 31, 2015 at 11:37 AM, mitra dehghan wrote:

> Dear Rob,
> Thanks for your response:
>
> > Yes but which cert did you provide, the root CA contoso.com or the
> > subordinate CA local.dc?
> Actually I was using Active Directory's certificate with the --cacert switch
> in ipa-replica-manage.
> Thanks to the info you gave me about NSS I changed the approach.
> First, using certutil, I manually added the root CA (contoso.com) and
> subordinate (local.dc) certificates to the /etc/dirsrv/slapd-REALM database:
> # certutil -A -d /etc/dirsrv/slapd-YOUR-REALM -n "contoso.com CA" -t CT,, -a -i /path/to/contoso.pem
> # certutil -A -d /etc/dirsrv/slapd-YOUR-REALM -n "local.dc CA" -t CT,, -a -i /path/to/localdc.pem
>
> Then, following the same approach, I added Active Directory's certificate to
> the same db:
> # certutil -A -d /etc/dirsrv/slapd-YOUR-REALM -n "active directory CA" -t ,, -a -i /path/to/ad.cer
> Note: since the original certificates were in .cer format and it's the same as
> .pem, I just renamed the certificates to .pem
>
> Now my db has 5 certificates in:
> a) root CA certificate (contoso.com)
> b) Subordinate CA (local.dc): issued to local.dc by contoso.com
> c) Active directory CA (ad): issued to active directory by local.dc
> d) IPA certificate: issued to IPA server by local.dc
> e) localhost certificate: issued to localhost by IPA server's internal CA.
>
> Finally I ran ipa-replica-manage:
> - using contoso.com CA in --cacert it says TLS error -8179: Peer's
> Certificate issuer is not recognized
> - using local.dc CA in --cacert it says TLS error -8157: Certificate
> extension not found.
> - using Active Directory CA in --cacert it says TLS error -8179: Peer's
> Certificate issuer is not recognized
>
> I would be glad if you help me more with this issue!
>
> On Fri, Oct 30, 2015 at 5:17 PM, Rob Crittenden wrote:
>
>> Please keep responses on the list
>>
>> mitra dehghan wrote:
>> > Thank you for your response.
>> > -First of all in section 15.5.1 of Red Hat Enterprise Linux 6 Identity
>> > Management guide it says to copy both AD and IPA certificates in
>> > /etc/openldap/certs and I did the same. Of course it worked when I was
>> > using internal CAs.
>>
>> Ok, it doesn't hurt anything, but for the purposes of ipa-replica-manage
>> it is a no-op.
>>
>>
>> > - I pass ad certificate in ipa-replica-manage command via --cacert
>> switch.
>>
>> Yes but which cert did you provide, the root CA contoso.com or the
>> subordinate CA local.dc?
>>
>> > - After all I would be glad if you could give me more info about NSS
>> > database. Is that kind of substitute for /etc/openldap/certs? would you
>> > please give me more details about configurations needed for that?
>>
>> The crypto library that 389-ds uses is NSS. This uses a database to
>> store certificates and keys rather than discrete files. The certutil
>> tool is used to manage this file (there is a brief man page).
>>
>> ipa-replica-manage will add the AD cert to 389-ds for you, but you can
>> add certs manually and I think it might help in this case:
>>
>> # certutil -A -d /etc/dirsrv/slapd-YOUR-REALM -n "contoso.com CA" -t CT,, -a -i /path/to/contoso.pem
>> # certutil -A -d /etc/dirsrv/slapd-YOUR-REALM -n "local.dc CA" -t CT,, -a -i /path/to/localdc.pem
>>
>> The -n option specifies a "nickname" to use for the certificate. You can
>> use pretty much anything you want but being descriptive helps.
>>
>> rob
>>
>> >
>> > On Wed, Oct 28, 2015 at 5:20 PM, Rob Crittenden wrote:
>> >
>> > mitra dehghan wrote:
>> > > hello,
>> > > I want to implement an IPA server and Sync it with my 2012 ms ad. While
>> > > things go well using an internal CA in each server, I came across kind
>> > > of problem when I want to integrate the solution with my PKI which is already
>> > > serving the AD server.
>> > > I can install IPA with --external-ca switch. but when it comes to Sync.
>> > > agreement it says "TLS error -8179:Peer's Certificate issuer is not
>> > > recognized."
>> > >
>> > > The architecture is:
>> > > - There is a root CA named contoso.com
>> > > - There is a subordinate CA named local.dc
>> > > - The certificates of AD and IPA server are both issued by local.dc

Re: [Freeipa-users] IPA Replication not working for User and DNS

2015-11-02 Thread Martin Basti



On 02.11.2015 08:01, Yogesh Sharma wrote:
> Listening:
>
> [root@ipa-inf-prd-ng2-02 ~]# telnet ipa-inf-prd-ng2-01.klikpay.int 636
> Trying 172.16.32.10...
> Connected to ipa-inf-prd-ng2-01.klikpay.int.
> Escape character is '^]'.

Can you try also ldaps with ldapsearch?

> Best Regards,
> __
> Yogesh Sharma
> Email: yks0...@gmail.com | Web: www.initd.in
> RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
>
> On Mon, Nov 2, 2015 at 12:23 PM, Alexander Bokovoy wrote:
>
> > On Mon, 02 Nov 2015, Yogesh Sharma wrote:
> >
> > > Adding to this, I am able to do ldapsearch from the server which I am trying
> > > to make replica.
> > >
> > > [root@ipa-inf-prd-ng2-02 ~]# ldapsearch -x -H ldap://ipa-inf-prd-ng2-01.klikpay.int -s base -b '' namingContexts
> > > # extended LDIF
> > > #
> > > # LDAPv3
> > > # base <> with scope baseObject
> > > # filter: (objectclass=*)
> > > # requesting: namingContexts
> > > #
> >
> > What about port 636? Replica install requires LDAPS.
> >
> > -- 
> > / Alexander Bokovoy






Re: [Freeipa-users] IPA Replication not working for User and DNS

2015-11-02 Thread Yogesh Sharma
Tried to re-enroll the replica however, getting the same error, though I am
able to connect to server.

=

Starting replication, please wait until this has completed.

[ipa-inf-prd-ng2-01.klikpay.int] reports: Update failed! Status: [-1  - LDAP error: Can't contact LDAP server]

  [error] RuntimeError: Failed to start replication

=


[root@ipa-inf-prd-ng2-02 ~]# telnet ipa-inf-prd-ng2-01.klikpay.int 389
Trying 172.16.32.10...
Connected to ipa-inf-prd-ng2-01.klikpay.int.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[root@ipa-inf-prd-ng2-02 ~]#



Best Regards,
__
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified


On Fri, Oct 30, 2015 at 7:05 PM, Rob Crittenden  wrote:

> Yogesh Sharma wrote:
> > Team,
> >
> > Noticed that user created on IPA Master are not replicating on Replica.
> >
> > Also, we create a new Zone in Master, However we do not see the same in
> > replica server.
>
> You need to figure out why ipa-inf-prd-ng2-01.klikpay.int can't contact
> port 389 on ipa-inf-prd-ng2-02.klikpay.int. It may be someone threw up a
> firewall without telling you, or someone tweaked the rules on either of
> those boxes.
>
> Doing re-init, force-sync, etc is always going to fail if one can't talk
> to the other.
>
> rob
>
> >
> >
> > Below is the information:
> >
> > From Master:
> >
> > [root@ipa-inf-prd-ng2-01 ~]# ipa-replica-manage list -v ipa-inf-prd-ng2-01.klikpay.int
> > Directory Manager password:
> >
> > ipa-inf-prd-ng2-02.klikpay.int: replica
> >   last init status: None
> >   last init ended: None
> >   last update status: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server
> >   last update ended: None
> > [root@ipa-inf-prd-ng2-01 ~]#
> >
> > From Replica:
> >
> > [root@ipa-inf-prd-ng2-02 ~]# ipa-replica-manage list -v ipa-inf-prd-ng2-02.klikpay.int
> > Directory Manager password:
> >
> > ipa-inf-prd-ng2-01.klikpay.int: replica
> >   last init status: None
> >   last init ended: None
> >   last update status: 0 Replica acquired successfully: Incremental update succeeded
> >   last update ended: 2015-10-30 10:36:25+00:00
> > [root@ipa-inf-prd-ng2-02 ~]#
> >
> > Though it says it is replicated (last update ended), We are not seeing
> > new users and the new DNS Zone which we created
> >
> > I also tried force replication, though I can not see the new Changes:
> >
> > [root@ipa-inf-prd-ng2-02 ~]# ipa-replica-manage force-sync --from ipa-inf-prd-ng2-01.klikpay.int
> > Directory Manager password:
> >
> > ipa: INFO: Setting agreement cn=meToipa-inf-prd-ng2-02.klikpay.int,cn=replica,cn=dc\=klikpay\,dc\=int,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
> > ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToipa-inf-prd-ng2-02.klikpay.int,cn=replica,cn=dc\=klikpay\,dc\=int,cn=mapping tree,cn=config
> > [root@ipa-inf-prd-ng2-02 ~]#
> >
> > Once I do re-initialization, it gives "Can't Contact LDAP Server"
> >
> > [root@ipa-inf-prd-ng2-02 ~]# ipa-replica-manage re-initialize --from ipa-inf-prd-ng2-01.klikpay.int
> > Directory Manager password:
> >
> > ipa: INFO: Setting agreement cn=meToipa-inf-prd-ng2-02.klikpay.int,cn=replica,cn=dc\=klikpay\,dc\=int,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
> > ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToipa-inf-prd-ng2-02.klikpay.int,cn=replica,cn=dc\=klikpay\,dc\=int,cn=mapping tree,cn=config
> >
> > [ipa-inf-prd-ng2-01.klikpay.int] reports: Update failed! Status: [-1  - LDAP error: Can't contact LDAP server]
> >
> > Best Regards,
> > __
> > Yogesh Sharma
> > Email: yks0...@gmail.com | Web: www.initd.in
> > RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
> >
> > https://twitter.com/checkwithyogesh http://google.com/+YogeshSharmaOnGooglePlus
> >
>
>
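An added example (not code from the thread or from FreeIPA) that parses `ipa-replica-manage list -v` output captured on both servers and names the direction whose last update could not contact its peer, which is the asymmetry Rob points at: the master reports "Can't contact LDAP server" while the replica reports success. The two sample outputs are constructed from the ones quoted above, and `probe()` is the Python equivalent of the telnet checks against 389 and 636.

```python
"""Parse `ipa-replica-manage list -v` output from both ends of a replication
agreement and name the side that cannot reach its peer's LDAP port.
probe() repeats the thread's telnet checks for 389 and 636 from Python."""
import re
import socket
import ssl
from typing import Dict, List, Optional

# Constructed samples modelled on the two outputs quoted in the thread.
MASTER_OUTPUT = """\
ipa-inf-prd-ng2-02.klikpay.int: replica
  last init status: None
  last init ended: None
  last update status: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server
  last update ended: None
"""
REPLICA_OUTPUT = """\
ipa-inf-prd-ng2-01.klikpay.int: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2015-10-30 10:36:25+00:00
"""

_HEADER_RE = re.compile(r"^(\S+): replica\s*$")
_FIELD_RE = re.compile(r"^\s+(last (?:init|update) (?:status|ended)): (.*)$")

def parse_agreements(output: str) -> Dict[str, Dict[str, str]]:
    """Map peer hostname -> {'last update status': ..., 'last update ended': ...}."""
    agreements: Dict[str, Dict[str, str]] = {}
    current = None
    for line in output.splitlines():
        head = _HEADER_RE.match(line)
        if head:
            current = agreements.setdefault(head.group(1), {})
            continue
        field = _FIELD_RE.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2).strip()
    return agreements

def status_code(agreement: Dict[str, str]) -> Optional[int]:
    """Leading integer of 'last update status' (-1 failure, 0 success) or None."""
    m = re.match(r"(-?\d+)", agreement.get("last update status", ""))
    return int(m.group(1)) if m else None

def diagnose(local: str, local_out: str, peer: str, peer_out: str) -> List[str]:
    """One finding per direction whose last update could not contact the peer."""
    findings = []
    for src, out in ((local, local_out), (peer, peer_out)):
        for dst, agr in parse_agreements(out).items():
            status = agr.get("last update status", "")
            if status_code(agr) != 0 and "Can't contact LDAP server" in status:
                findings.append(f"{src} cannot reach LDAP on {dst}: "
                                f"check firewall rules and ports 389/636 on {dst}")
    return findings

def probe(host: str, port: int, use_tls: bool = False, timeout: float = 3.0) -> str:
    """'ok' if a TCP (and, with use_tls, TLS) connection to host:port succeeds, else the error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if use_tls:   # reachability only; certificate trust is a separate check
                ctx = ssl.create_default_context()
                ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
                with ctx.wrap_socket(sock, server_hostname=host):
                    pass
        return "ok"
    except OSError as exc:
        return f"error: {exc}"
```

Run `diagnose()` with each server's own `list -v` output and `probe(peer, 389)` / `probe(peer, 636, use_tls=True)` from the host named in the finding to confirm whether the LDAP ports are reachable in that direction.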