Re: [Freeipa-users] Browser login to IPA "Authentication Required" prompt

2016-01-18 Thread Adam Kaczka
This happens with FreeIPA version 4.2.0 and also version 3.0.0 with latest
Chrome (47.0.2526.111 m) and IE 11 (11.63.10586.0).  The issue does not
occur with FF (43.0.4).  I tried the demo page and same thing happened.

Also when using IE the login prompt is the Windows Security domain login
prompt.

On Mon, Jan 18, 2016 at 3:20 AM Martin Kosek  wrote:

> On 01/15/2016 09:20 PM, Adam Kaczka wrote:
> > Hello,
> >
> > This has been bugging me for a while but how do I turn off the
> > "Authentication Required" prompt that pops up on the GUI when I login to
> > IPA through browser?  I can cancel it and it lands on the /ipa/ui page but I'd
> > like to not see it by default.
> >
> > Also I take it that the prompt is related to Kerberos login; is the prompt
> > meant to be used as a 2 factor authentication for browser login?
>
> CCing Petr to be aware of this question. But first, I would be curious - what
> browser version do you use and what FreeIPA version do you use? Do you see the
> same troubling behavior with FreeIPA demo [1]?
>
> [1] http://www.freeipa.org/page/Demo
>
-- 
Best Regards,
- Adam
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Browser login to IPA "Authentication Required" prompt

2016-01-18 Thread Petr Vobornik

On 01/18/2016 04:01 PM, Adam Kaczka wrote:

This happens with FreeIPA version 4.2.0 and also version 3.0.0 with latest
Chrome (47.0.2526.111 m) and IE 11 (11.63.10586.0).  The issue does not
occur with FF (43.0.4).  I tried the demo page and same thing happened.

Also when using IE the login prompt is the Windows Security domain login
prompt.


Hello Adam,

First I thought that it might be caused by custom apache auth modules 
or by an installed gssntlmssp.


I tried Chrome 47.0.2526.106 on Fedora with FreeIPA demo[1] and it 
doesn't show the dialog for me.


Have you done any special browser configuration related to authentication?

Does it happen on both Linux and Windows or just on Windows?



On Mon, Jan 18, 2016 at 3:20 AM Martin Kosek  wrote:


On 01/15/2016 09:20 PM, Adam Kaczka wrote:

Hello,

This has been bugging me for a while but how do I turn off the
"Authentication Required" prompt that pops up on the GUI when I login to
IPA through browser?  I can cancel it and it lands on the /ipa/ui page but I'd
like to not see it by default.

Also I take it that the prompt is related to Kerberos login; is the prompt
meant to be used as a 2 factor authentication for browser login?


CCing Petr to be aware of this question. But first, I would be curious - what
browser version do you use and what FreeIPA version do you use? Do you see the
same troubling behavior with FreeIPA demo [1]?

[1] http://www.freeipa.org/page/Demo




--
Petr Vobornik



Re: [Freeipa-users] Browser login to IPA "Authentication Required" prompt

2016-01-18 Thread Martin Kosek
On 01/15/2016 09:20 PM, Adam Kaczka wrote:
> Hello,
> 
> This has been bugging me for a while but how do I turn off the
> "Authentication Required" prompt that pops up on the GUI when I login to
> IPA through browser?  I can cancel it and it lands on the /ipa/ui page but I'd
> like to not see it by default.
> 
> Also I take it that the prompt is related to Kerberos login; is the prompt
> meant to be used as a 2 factor authentication for browser login?

CCing Petr to be aware of this question. But first, I would be curious - what
browser version do you use and what FreeIPA version do you use? Do you see the
same troubling behavior with FreeIPA demo [1]?

[1] http://www.freeipa.org/page/Demo



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-18 Thread Jan Cholasta

On 18.1.2016 09:07, Martin Kosek wrote:

On 01/15/2016 05:34 PM, Peter Pakos wrote:

On 15/01/2016 15:55, Rob Crittenden wrote:

I've re-run ipa-certupdate in verbose mode and I could see that it
removes all certificates in different databases (/etc/httpd/alias,
/etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart
from /etc/pki/pki-tomcat/alias).


Yup, looks like this part is missing. Perhaps the assumption was that
the CA would be authoritative in this regard.


Is this a bug? Should this be logged somewhere so it can be looked into?


Yes, .




Updating the CA certs you'd want to add them to LDAP, replacing the
older ones, and then ipa-certupdate will do the rest. You'd need to run
this on all clients and servers.


This sounds like a lot of manual work will be involved when it comes to renewal.

And without clear and up-to-date information and possibly step-by-step
instructions the effort needed to get this sorted is doubled.

Please note that it took us many hours to get a 3rd party SSL certificate
installed (you would think a very simple task). And the truth is that without
this mailing list and #freeipa channel we would still be stuck trying to get to
the bottom of this.



CCing Honza. Do we have all the respective tickets filed, so that we can
improve and speed up the user experience?


There's  for automatic CA 
certificate distribution and 
 and 
 for 
ipa-server-certinstall fixes.


If there's anything missing, please file a new ticket.

--
Jan Cholasta



Re: [Freeipa-users] Clients with Multi Master IPA replication

2016-01-18 Thread Martin Kosek
Even if FreeIPA server does not control DNS, you can still set up proper DNS SRV
records to enable autodiscovery or client fallback.

Some hint about which records are needed should be given at the end of
ipa-server-install. It uses this template:

https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/bind.zone.db.template

You can use it as a hint of what records are expected (more DNS SRV records are
needed when/if you also configure Trusts with Active Directory).

On 01/17/2016 01:46 PM, Zeal Vora wrote:
> Thanks Nathan.
> 
> Actually, the FreeIPA servers are not serving DNS.  For this way, we will
> have to do it some other way ?
> 
> 
> 
> On Sun, Jan 17, 2016 at 5:16 PM, Nathan Peters <
> nathan.pet...@globalrelay.net> wrote:
> 
>> Hey Zeal,
>>
>>
>>
>> When you join a FreeIPA client to a domain, as long as you put the address
>> of at least one of the FreeIPA servers (if they are serving DNS) in the
>> /etc/resolv.conf file, they will use DNS to find FreeIPA servers.
>> Specifically they look for _SRV records.  I think they naturally prefer
>> hosts in the same subnet as them, but will talk to anything available if
>> nothing close answers.
>>
>>
>>
>> This applies both during the join process, and in regular operation.
>>
>>
>>
>> This way you don’t have to worry about messing with your DNS records,
>> FreeIPA handles it all for you.
>>
>>
>>
>> *From:* freeipa-users-boun...@redhat.com [mailto:
>> freeipa-users-boun...@redhat.com] *On Behalf Of *Zeal Vora
>> *Sent:* January-17-16 3:21 AM
>> *To:* freeipa-users@redhat.com
>> *Subject:* [Freeipa-users] Clients with Multi Master IPA replication
>>
>>
>>
>> Hi
>>
>>
>>
>> I have setup a multi-master IPA server.
>>
>>
>>
>> I was wondering for IPA Client, which URL should we add in to ?
>>
>>
>>
>> Should we setup a DNS entry with round robin ? But then if single Master
>> fails, the queries will still reach to it.
>>
>>
>>
>> What is the ideal way to implement in such scenarios ?
>>
>>
>>
>> Any help will be appreciated !
>>
>>
>>
>>
>>
>>
>>
>> Thanks,
>>
>> Zeal
>>
> 
> 
> 

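Martin's reply above points at bind.zone.db.template for the SRV records a FreeIPA client looks for, and Zeal's original question was what happens when one master in a round-robin record fails. The following is an added example, not code from this thread or from the FreeIPA project: a Python script that parses a constructed zone fragment (hypothetical hosts ipa1/ipa2.example.test and realm EXAMPLE.TEST, built from the owner names that template emits), lists the records a client expects that are absent, flags services that resolve to a single server, and orders an SRV RRset the way RFC 2782 clients do. The last point is why a second server at a higher priority value gives real fallback where a plain round-robin A record does not: clients only move to priority 10 once every priority-0 target has failed.

```python
import random
import re
from collections import defaultdict

# Constructed zone fragment (hypothetical hosts and realm), modelled on the
# record names FreeIPA's bind.zone.db.template emits for one server, with a
# second server added at a higher priority value so it acts as the fallback.
ZONE_FRAGMENT = """
_ldap._tcp              IN SRV 0 100 389 ipa1.example.test.
_ldap._tcp              IN SRV 10 100 389 ipa2.example.test.
_kerberos               IN TXT "EXAMPLE.TEST"
_kerberos._tcp          IN SRV 0 100 88 ipa1.example.test.
_kerberos._tcp          IN SRV 10 100 88 ipa2.example.test.
_kerberos._udp          IN SRV 0 100 88 ipa1.example.test.
_kerberos._udp          IN SRV 10 100 88 ipa2.example.test.
_kerberos-master._tcp   IN SRV 0 100 88 ipa1.example.test.
_kerberos-master._udp   IN SRV 0 100 88 ipa1.example.test.
_kpasswd._tcp           IN SRV 0 100 464 ipa1.example.test.
_kpasswd._udp           IN SRV 0 100 464 ipa1.example.test.
_ntp._udp               IN SRV 0 100 123 ipa1.example.test.
"""

# Owner names the template defines for a plain (no AD trust) FreeIPA server.
REQUIRED_SRV = [
    "_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
    "_kerberos-master._tcp", "_kerberos-master._udp",
    "_kpasswd._tcp", "_kpasswd._udp", "_ntp._udp",
]

# owner [ttl] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(zone_text):
    """Return {owner: [(priority, weight, port, target), ...]} for SRV lines."""
    records = defaultdict(list)
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            owner, prio, weight, port, target = m.groups()
            records[owner].append(
                (int(prio), int(weight), int(port), target.rstrip(".")))
    return dict(records)


def missing_srv(records):
    """Owner names a client will query that the zone does not define."""
    return [name for name in REQUIRED_SRV if name not in records]


def single_points_of_failure(records):
    """Owner names that resolve to only one server, so no fallback is possible."""
    return sorted(name for name, rrset in records.items()
                  if len({rr[3] for rr in rrset}) < 2)


def order_targets(rrset, rng=None):
    """Order an SRV RRset as RFC 2782 tells clients to: ascending priority,
    then a weighted random draw among records sharing a priority."""
    rng = rng or random.Random(0)
    by_prio = defaultdict(list)
    for rr in rrset:
        by_prio[rr[0]].append(rr)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(rr[1] for rr in pool)
            draw = rng.randint(0, total)
            running = 0
            for rr in pool:
                running += rr[1]
                if running >= draw:
                    ordered.append(rr)
                    pool.remove(rr)
                    break
    return ordered


if __name__ == "__main__":
    recs = parse_srv(ZONE_FRAGMENT)
    print("missing records:", missing_srv(recs))
    print("no fallback for:", single_points_of_failure(recs))
    for rr in order_targets(recs["_ldap._tcp"]):
        print("_ldap._tcp ->", rr)
```

Run against a real zone by pasting the relevant records into ZONE_FRAGMENT; the single_points_of_failure output is the list of services that still depend on one master, which for the fragment above is everything except LDAP and the Kerberos KDC records.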


Re: [Freeipa-users] CA-less vs CA-ful FreeIPA 4.2 installation

2016-01-18 Thread Martin Kosek
On 01/15/2016 05:17 PM, Peter Pakos wrote:
> Hi,
> 
> We've been testing FreeIPA system for a while now and we're getting closer to
> moving it into production.
> 
> I'm considering both CA-less and CA-ful installation types. I hope you guys can
> help me make my mind and choose the right decision.
> 
> What are the pros and cons of each install type?

Hello Peter,

I am hoping that this is well explained here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-examples.html#install-ca-options

Some useful notes are also Dmitri Pal's blog post:
http://rhelblog.redhat.com/2015/06/02/identity-management-and-certificates/

> What exactly are we losing if we choose CA-less install?

You will not be able to issue certificates by FreeIPA CA, easily generate host
certificates by ipa-client-install or renew them by certmonger which supports
FreeIPA CA.

> One of our requirements is to have a 3rd party HTTP and LDAP certificates
> installed - which install path would be more suitable?

I think both should work. Please see my recent mail:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00243.html

The FreeIPA Demo is running as CA-ful and with 3rd party HTTP certificate.

> I'm also thinking ahead, when it comes to renewing certificates when they
> expire in 1 year time, which install type would cause less problems?

In CA-ful installation, client certificates or FreeIPA CA subsystem
certificates should just renew automatically. In CA-less, you need to take care
to renew them manually with your 3rd party certificate provider.

> I've failed to find any useful info covering the above points, so if you know
> anything, please just let me know.

I think the important point is that even if you choose to install with CA-less
for now, you can switch to CA-ful later via ipa-ca-install:

http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion

Honza, please let me know if I forget anything.

> 
> I would appreciate your input.
> 
> Thanks in advance.
> 



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-18 Thread Martin Kosek
On 01/15/2016 05:34 PM, Peter Pakos wrote:
> On 15/01/2016 15:55, Rob Crittenden wrote:
>>> I've re-run ipa-certupdate in verbose mode and I could see that it
>>> removes all certificates in different databases (/etc/httpd/alias,
>>> /etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart
>>> from /etc/pki/pki-tomcat/alias).
>>
>> Yup, looks like this part is missing. Perhaps the assumption was that
>> the CA would be authoritative in this regard.
> 
> Is this a bug? Should this be logged somewhere so it can be looked into?
> 
>> Updating the CA certs you'd want to add them to LDAP, replacing the
>> older ones, and then ipa-certupdate will do the rest. You'd need to run
>> this on all clients and servers.
> 
> This sounds like a lot of manual work will be involved when it comes to renewal.
> 
> And without clear and up-to-date information and possibly step-by-step
> instructions the effort needed to get this sorted is doubled.
> 
> Please note that it took us many hours to get a 3rd party SSL certificate
> installed (you would think a very simple task). And the truth is that without
> this mailing list and #freeipa channel we would still be stuck trying to get to
> the bottom of this.
> 

CCing Honza. Do we have all the respective tickets filed, so that we can
improve and speed up the user experience?



Re: [Freeipa-users] Free-IPA failover succeeds, but ssh is broken?

2016-01-18 Thread Martin Kosek
Hi Jeff and Janelle,

I am glad you got things working, but I am not convinced this is the best way
to do it. The proxy is needed for SSSD SSH integration (public keys and
fingerprints); if the proxy is buggy, we should fix it. And in order to fix it, it
would be great to get our hands on the logs showing the fault - CCing Jakub and
Honza on this one.

Thanks for help,
Martin

On 01/18/2016 01:14 AM, Jeff Hallyburton wrote:
> Janelle,
> 
> The proxy suggestion was spot on.  After that things seem to work normally.
> 
> Thanks!
> 
> Jeff
> 
> Jeff Hallyburton
> Strategic Systems Engineer
> Bloomip Inc.
> Web: http://www.bloomip.com
> 
> Engineering Support: supp...@bloomip.com
> Billing Support: bill...@bloomip.com
> Customer Support Portal:  https://my.bloomip.com 
> 
> On Sun, Jan 17, 2016 at 9:58 AM, Janelle  wrote:
> 
>> Hi,
>>
>> Try commenting out the proxy command in /etc/ssh/ssh_config
>>
>> The sssd proxy of ssh is buggy as can be.
>>
>> ~J
>>
>>> On Jan 17, 2016, at 05:24, Jakub Hrozek  wrote:
>>>
>>>
 On 16 Jan 2016, at 02:21, Jeff Hallyburton <
>> jeff.hallybur...@bloomip.com> wrote:

 Having finished setting up an ipa server and replica, we're trying to
>> test failover to ensure that HA works as expected.  We've been able to
>> verify the replication agreements and auto-discovery are working, and both
>> servers are picked up as expected at install time.

 That said, we're seeing some oddities with failover.  Once I shut down
>> the ipa service on the main ipa server, I get most requests completing
>> after about a 2 min window.  I am able to:

 1.  Authenticate to our jump server and get a kerberos ticket
 2.  kinit successfully as other users

 However, whenever I try to ssh to another system within our domain, ssh
>> breaks with the following error:

 $ ssh -vvv automation01
 OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
 debug1: Reading configuration data /etc/ssh/ssh_config
 debug1: /etc/ssh/ssh_config line 5: Applying options for *
 debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy
>> -p 22 automation01
 debug1: permanently_drop_suid: 158701
 debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa type -1
 debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa-cert type -1
 debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa type -1
 debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa-cert type -1
 debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa type -1
 debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa-cert type -1
 debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519 type -1
 debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519-cert type
>> -1
 debug1: Enabling compatibility mode for protocol 2.0
 debug1: Local version string SSH-2.0-OpenSSH_6.6.1
 ssh_exchange_identification: Connection closed by remote host
>>>
>>> Did you crank up debug level on the machine where sshd is running and
>> see if anything is logged then?
>>>

 Nothing is logged in either /var/log/messages or /var/log/secure when
>> this happens, so I'm unsure where to begin debugging.  Can you offer any
>> insight?

 Thanks,

 Jeff

 Jeff Hallyburton
 Strategic Systems Engineer
 Bloomip Inc.
 Web: http://www.bloomip.com

 Engineering Support: supp...@bloomip.com
 Billing Support: bill...@bloomip.com
 Customer Support Portal:  https://my.bloomip.com
 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
> 
> 
> 



Re: [Freeipa-users] FreeIPA 4.3.0 replica installation fails with AttributeError: 'NameSpace' object has no attribute 'rpcclient'

2016-01-18 Thread Martin Basti

Hello,

sorry for troubles.

This is probably this bug: https://fedorahosted.org/freeipa/ticket/5562

It has been fixed, fix will be in IPA 4.3.1



On 17.01.2016 09:48, Nathan Peters wrote:


In case anyone is having the same issue, I was able to work around this.

I found that if I first installed a Fedora 23 Freeipa 4.2.3 replica, 
it did not complain about the missing attribute.  I assume it added it 
during the 4.2.3 installations because after I had replaced all CentOS 
7 domain controllers with Fedora 23 domain controllers, I was able to 
perform the upgrade to Fedora 30.


*From:*freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Nathan Peters

*Sent:* January-16-16 2:13 PM
*To:* freeipa-users@redhat.com
*Subject:* [Freeipa-users] FreeIPA 4.3.0 replica installation fails 
with AttributeError: 'NameSpace' object has no attribute 'rpcclient'


I’m attempting to add a Fedora 23 Server as a replica in a FreeIPA 
4.2.0 CentOS 7.2 domain so I can begin migrating my domain to 4.3.0 
and Fedora.


Because the domain is still domain level 0, I’ve prepared the replica 
file on the old CA master (4.2.0) and installed it on the new Fedora 
replica and installed the freeipa-server and freeipa-server-dns 
packages from the 4.3.0 COPR repository.


When I attempt the ipa-replica-install command, it fails with 
AttributeError: 'NameSpace' object has no attribute 'rpcclient'


--- debugging info including console and log ---

[root@dc2-ipa-dev-van yum.repos.d]# ipa-replica-install --mkhomedir 
--setup-ca --setup-dns --no-forwarders 
/var/lib/ipa/replica-info-dc2-ipa-dev-van.mydomain.net.gpg


WARNING: conflicting time synchronization service 'chronyd' will
be disabled in favor of ntpd

Directory Manager (existing master) password:

Your system may be partly configured.

Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR'NameSpace' 
object has no attribute 'rpcclient'


ipa.ipapython.install.cli.install_tool(Replica): ERRORThe 
ipa-replica-install command failed. See 
/var/log/ipareplica-install.log for more information


[root@dc2-ipa-dev-van yum.repos.d]# cat /var/log/ipareplica-install.log

2016-01-16T22:06:04Z DEBUG Logging to /var/log/ipareplica-install.log

2016-01-16T22:06:04Z DEBUG ipa-replica-install was invoked with 
arguments 
['/var/lib/ipa/replica-info-dc2-ipa-dev-van.mydomain.net.gpg'] and 
options: {  'no_dns_sshfp': None, 'skip_schema_check': None, 
'setup_kra': None, 'ip_addresses': None, 'mkhomedir': True, 
'no_pkinit': None, 'http_cert_files': None, 'no_ntp': None, 
'verbose': False, 'no_forwarders': True, 'keytab': None, 
'ssh_trust_dns': None, 'domain_name': None, 'http_cert_name': None, 
'dirsrv_cert_files': None, 'no_dnssec_validation': None, 
'no_reverse': None, 'pkinit_cert_files': None, 'unattended': False, 
'auto_reverse': None, 'auto_forwarders': None, 'no_host_dns': None, 
'no_sshd': None, 'no_ui_redirect': None, 'dirsrv_config_file': None, 
'forwarders': None, 'pkinit_cert_name': None, 'setup_ca': True, 
'realm_name': None, 'skip_conncheck': None, 'no_ssh': None, 
'dirsrv_cert_name': None, 'quiet': False, 'server': None, 'setup_dns': 
True, 'host_name': None, 'log_file': None, 'reverse_zones': None, 
'allow_zone_overlap': None}


2016-01-16T22:06:04Z DEBUG IPA version 4.3.0-1.fc23

2016-01-16T22:06:04Z DEBUG Starting external process

2016-01-16T22:06:04Z DEBUG args=/usr/sbin/selinuxenabled

2016-01-16T22:06:04Z DEBUG Process finished, return code=1

2016-01-16T22:06:04Z DEBUG stdout=

2016-01-16T22:06:04Z DEBUG stderr=

2016-01-16T22:06:04Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'


2016-01-16T22:06:04Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'


2016-01-16T22:06:04Z DEBUG httpd is not configured

2016-01-16T22:06:04Z DEBUG kadmin is not configured

2016-01-16T22:06:04Z DEBUG dirsrv is not configured

2016-01-16T22:06:04Z DEBUG pki-tomcatd is not configured

2016-01-16T22:06:04Z DEBUG install is not configured

2016-01-16T22:06:04Z DEBUG krb5kdc is not configured

2016-01-16T22:06:04Z DEBUG ntpd is not configured

2016-01-16T22:06:04Z DEBUG named is not configured

2016-01-16T22:06:04Z DEBUG ipa_memcached is not configured

2016-01-16T22:06:04Z DEBUG filestore is tracking no files

2016-01-16T22:06:04Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'


2016-01-16T22:06:04Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'


2016-01-16T22:06:04Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'


2016-01-16T22:06:04Z DEBUG Starting external process

2016-01-16T22:06:04Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS

2016-01-16T22:06:04Z DEBUG Process finished, return code=0

2016-01-16T22:06:04Z DEBUG stdout=VirtualHost configuration:

*:8443 dc2-ipa-dev-van.mydomain.net (/etc/httpd/conf.d/nss.conf:83)

2016-01-16T22:06:04Z 

Re: [Freeipa-users] Announcing FreeIPA 4.3.0 - demo

2016-01-18 Thread Petr Spacek
On 15.1.2016 16:01, Martin Kosek wrote:
> Yeah, I think we should produce a How To on FreeIPA.org as this is what many
> people would look for. It was slightly tricky as there were 2 hiccups involved:
> * SELinux policy bug (WIP)
> * ipa-cacert-manage bug where I had to comment one line
> 
> Petr/Jan, would you like to create the How To, since you provided me the
> instructions?

I would rather wait until the two bugs are fixed. If we produce a howto and say
'setenforce 0' and comment out this if and that one ... people will copy that
around to some blogs and we will never get rid of that.

Petr^2 Spacek

> 
> On 01/15/2016 03:47 PM, Prasun Gera wrote:
>> This is great. Can you post instructions for getting Let's Encrypt working
>> on 4.2.x ? I had created a thread, but I eventually got stuck, and it felt
>> a bit risky to modify low level things on a production system.
>>
>> This is the thread for reference:
>> https://www.redhat.com/archives/freeipa-users/2015-November/msg00048.html
>>
>> I got as far as adding the root cert manually, but it still didn't work
>> after that.
>>
>> On Fri, Jan 15, 2016 at 4:16 AM, Martin Kosek  wrote:
>>
>>> On 12/18/2015 06:24 PM, Petr Vobornik wrote:
 The FreeIPA team would like to announce FreeIPA v4.3.0 release!

 It can be downloaded from http://www.freeipa.org/page/Downloads. The
>>> builds are
 available for Fedora rawhide. Builds for Fedora 23 are available in the
 official COPR repository
 .

 This announcement is also available at
 .

 == Highlights in 4.3.0 ==
 * Simplified management of replication topology - control and display
>>> your
 topology from CLI and UI
 * Simplified replica installation - install replica without ''replica
>>> package''
 via OTP, keytab or privileged user credentials. The new method is called
 ''replica promotion'' as it adds FreeIPA server capability to existing
>>> or new
 client
 ...
>>>
>>> FreeIPA demo [1] was upgraded to version 4.3.0. Compared to previous Demo
>>> version (4.2.x), you can now see the new Topology tab in "IPA Server"
>>> section,
>>> to get information about the FreeIPA servers in the realm, including a very
>>> thrilling Topology Graph :-)
>>>
>>> The Apache service was also updated to use a trusted certificate from Let's
>>> Encrypt, so you no longer need to waive the nasty Certificate Warning.
>>> Thanks
>>> to Petr Spacek and Jan Cholasta for helping me setting it up.
>>>
>>> [1] http://www.freeipa.org/page/Demo



Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-18 Thread Peter Pakos

On 18/01/2016 08:15, Jan Cholasta wrote:

CCing Honza. Do we have all the respective tickets filed, so that we can
improve and speed up the user experience?


There's  for automatic CA
certificate distribution and
 and
 for
ipa-server-certinstall fixes.

If there's anything missing, please file a new ticket.


I think that covers everything.

Thank you.

--
Kind regards,
 Peter Pakos



Re: [Freeipa-users] ipa-certupdate not installing root certificates in /etc/pki/pki-tomcat/alias/

2016-01-18 Thread Jan Cholasta

Hi Peter,

On 18.1.2016 01:32, Peter Pakos wrote:

Hi,

I have FreeIPA 4.2 (CA-ful) install on Centos 7.2 with 3rd party SSL
certificates installed for HTTP/LDAP.

When I run "ipa-certupdate" I can see that the 3rd party root
certificates are being removed from databases (/etc/httpd/alias,
/etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-added (apart from
/etc/pki/pki-tomcat/alias).

Without the 3rd party root certificates in /etc/pki/pki-tomcat/alias,
the service pki-tomcatd is unable to start up.

This is the complete process I'm following to install 3rd party
certificate (please let me know if I'm doing anything wrong):

### 3rd party SSL certificate install ##

# Gandi *.ipa.wandisco.com certificate chain
# AddTrust.pem -> USERTrustRSAAddTrustCA.pem -> GandiStandardSSLCA2.pem
-> star.ipa.wandisco.com.crt

$ openssl verify -verbose -CAfile <(cat AddTrust.pem
USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem)
star.ipa.wandisco.com.crt
star.ipa.wandisco.com.crt: OK

# Bug in ipa-cacert-manage, comment out lines 349-352
$ vim
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py

$ ipa-cacert-manage install AddTrust.pem -n AddTrust -t C,C,C
$ ipa-cacert-manage install USERTrustRSAAddTrustCA.pem -n
USERTrustRSAAddTrustCA -t C,C,C
$ ipa-cacert-manage install GandiStandardSSLCA2.pem -n
GandiStandardSSLCA2 -t C,C,C

# Add root certificates to databases <- THIS IS WHERE THE ABOVE ROOT
CERTIFICATES SHOULD BE INSTALLED IN /etc/pki/pki-tomcat/alias BUT THEY
AREN'T
$ ipa-certupdate

# Create PKCS12 certificate file including private key and full chain
$ openssl pkcs12 -export -out star.ipa.wandisco.com.pfx -inkey
star.ipa.wandisco.com.key -in star.ipa.wandisco.com.crt -certfile <(cat
AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) -name
'GandiWildcardIPA'

# Install PKCS12 certificate to LDAP and HTTP databases:
$ pk12util -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -i
star.ipa.wandisco.com.pfx
$ pk12util -d /etc/httpd/alias/ -i star.ipa.wandisco.com.pfx

# Stop IPA
$ ipactl stop

# Edit /etc/dirsrv/slapd-IPA-WANDISCO-COM/dse.ldif to point dirsrv to
new certificate
# Replace:
nsSSLPersonalitySSL: Server-Cert
# with:
nsSSLPersonalitySSL: GandiWildcardIPA

# Edit /etc/httpd/conf.d/nss.conf to point httpd to new certificate
# Replace:
NSSNickname Server-Cert
# with:
NSSNickname GandiWildcardIPA

# Start IPA
$ ipactl start

#

In order to fix this, I have to manually add root certificates to the
database:

$ certutil -A -d /etc/pki/pki-tomcat/alias/ -n AddTrust -t C,C,C -a <
AddTrust.pem
$ certutil -A -d /etc/pki/pki-tomcat/alias/ -n USERTrustRSAAddTrustCA -t
C,C,C -a < USERTrustRSAAddTrustCA.pem
$ certutil -A -d /etc/pki/pki-tomcat/alias/ -n GandiStandardSSLCA2 -t
C,C,C -a < GandiStandardSSLCA2.pem

Should this not be done automatically by ipa-certupdate?


It should: .



Are the above steps correct for installing 3rd party certificates in
FreeIPA 4.2? Should I change anything?


Looks OK to me.



We are planning to move these nodes into production very soon, any help
would be much appreciated!


Honza

--
Jan Cholasta

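The procedure Peter quoted above ends with three manual certutil -A calls because ipa-certupdate re-adds the third-party chain to /etc/httpd/alias and /etc/pki/nssdb but not to /etc/pki/pki-tomcat/alias, and pki-tomcatd then fails to start. The following is an added example, not code from this thread or from FreeIPA: a Python pre-flight check to run before ipactl start. It parses certutil -L listings for the three databases the thread names, reports any database where a chain nickname is absent or lacks the C (trusted CA) flag, and confirms that the nickname dse.ldif and nss.conf point at exists with a private key. The listings and config fragments below are constructed samples (the pki-tomcat one reproduces the thread's symptom); list_db, which runs the real certutil, is the only part that touches the system.

```python
import re
import subprocess

# Nicknames the chain was installed under in the thread's commands.
REQUIRED_CA_NICKNAMES = ["AddTrust", "USERTrustRSAAddTrustCA", "GandiStandardSSLCA2"]

# Constructed `certutil -L -d <db>` listings. Nicknames may contain spaces,
# so the trust column is found by the final run of two or more blanks.
SAMPLE_LISTINGS = {
    "/etc/httpd/alias": """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AddTrust                                                     C,C,C
USERTrustRSAAddTrustCA                                       C,C,C
GandiStandardSSLCA2                                          C,C,C
GandiWildcardIPA                                             u,u,u
Server-Cert                                                  u,u,u
""",
    "/etc/pki/nssdb": """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AddTrust                                                     C,C,C
USERTrustRSAAddTrustCA                                       C,C,C
GandiStandardSSLCA2                                          C,C,C
""",
    # Reproduces the thread: ipa-certupdate did not re-add the chain here.
    "/etc/pki/pki-tomcat/alias": """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
""",
}

# Constructed fragments of the two config edits the thread describes.
SAMPLE_DSE_LDIF = "dn: cn=RSA,cn=encryption,cn=config\nnsSSLPersonalitySSL: GandiWildcardIPA\n"
SAMPLE_NSS_CONF = "NSSEngine on\nNSSNickname GandiWildcardIPA\n"

TRUST_RE = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_listing(text):
    """Parse certutil -L output into {nickname: trust flags}; header lines
    have no x,y,z trust column and are skipped by the regex."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if m:
            certs[m.group(1).strip()] = m.group(2)
    return certs


def list_db(db_path):
    """Live variant: run certutil against a real NSS database."""
    out = subprocess.run(["certutil", "-L", "-d", db_path],
                         capture_output=True, text=True, check=True)
    return parse_certutil_listing(out.stdout)


def is_trusted_ca(flags):
    """True when the SSL trust field carries C (trusted CA for server auth)."""
    return "C" in flags.split(",")[0]


def missing_ca_certs(listings, required):
    """{db: [nickname, ...]} for each DB where a chain cert is absent or untrusted."""
    report = {}
    for db, text in listings.items():
        certs = parse_certutil_listing(text)
        bad = [n for n in required if n not in certs or not is_trusted_ca(certs[n])]
        if bad:
            report[db] = bad
    return report


def config_nicknames(dse_ldif, nss_conf):
    """Server cert nickname referenced by dirsrv (dse.ldif) and httpd (nss.conf)."""
    dse = re.search(r"^nsSSLPersonalitySSL:\s*(.+?)\s*$", dse_ldif, re.M)
    nss = re.search(r"^\s*NSSNickname\s+(\S+)", nss_conf, re.M)
    return (dse.group(1) if dse else None, nss.group(1) if nss else None)


def has_server_cert(certs, nickname):
    """The nickname exists and has a private key (u in the SSL trust field)."""
    return nickname in certs and "u" in certs[nickname].split(",")[0]


if __name__ == "__main__":
    print("chain problems:", missing_ca_certs(SAMPLE_LISTINGS, REQUIRED_CA_NICKNAMES))
    dirsrv_nick, httpd_nick = config_nicknames(SAMPLE_DSE_LDIF, SAMPLE_NSS_CONF)
    httpd_certs = parse_certutil_listing(SAMPLE_LISTINGS["/etc/httpd/alias"])
    print("httpd nickname usable:", has_server_cert(httpd_certs, httpd_nick))
```

On a live server, replace SAMPLE_LISTINGS with {db: subprocess output} built from list_db for the three paths and read the real dse.ldif and nss.conf; a non-empty report from missing_ca_certs is exactly the condition under which the thread's manual certutil -A step is still needed.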


Re: [Freeipa-users] Free-IPA failover succeeds, but ssh is broken?

2016-01-18 Thread Jakub Hrozek
On Mon, Jan 18, 2016 at 09:27:23AM +0100, Martin Kosek wrote:
> Hi Jeff and Janelle,
> 
> I am glad you got things working, but I am not convinced this is the best way
> to do it. The proxy is needed for SSSD SSH integration (public keys and
> fingerprints); if the proxy is buggy, we should fix it. And in order to fix it, it
> would be great to get our hands on the logs showing the fault - CCing Jakub and
> Honza on this one.

Yes, if you see issues with the proxy, by all means file bugs..

> 
> Thanks for help,
> Martin
> 
> On 01/18/2016 01:14 AM, Jeff Hallyburton wrote:
> > Janelle,
> > 
> > The proxy suggestion was spot on.  After that things seem to work normally.
> > 
> > Thanks!
> > 
> > Jeff
> > 
> > Jeff Hallyburton
> > Strategic Systems Engineer
> > Bloomip Inc.
> > Web: http://www.bloomip.com
> > 
> > Engineering Support: supp...@bloomip.com
> > Billing Support: bill...@bloomip.com
> > Customer Support Portal:  https://my.bloomip.com 
> > 
> > On Sun, Jan 17, 2016 at 9:58 AM, Janelle  wrote:
> > 
> >> Hi,
> >>
> >> Try commenting out the proxy command in /etc/ssh/ssh_config
> >>
> >> The sssd proxy of ssh is buggy as can be.
> >>
> >> ~J
> >>
> >>> On Jan 17, 2016, at 05:24, Jakub Hrozek  wrote:
> >>>
> >>>
>  On 16 Jan 2016, at 02:21, Jeff Hallyburton <
> >> jeff.hallybur...@bloomip.com> wrote:
> 
>  Having finished setting up an ipa server and replica, we're trying to
> >> test failover to ensure that HA works as expected.  We've been able to
> >> verify the replication agreements and auto-discovery are working, and both
> >> servers are picked up as expected at install time.
> 
>  That said, we're seeing some oddities with failover.  Once I shut down
> >> the ipa service on the main ipa server, I get most requests completing
> >> after about a 2 min window.  I am able to:
> 
>  1.  Authenticate to our jump server and get a kerberos ticket
>  2.  kinit successfully as other users
> 
>  However, whenever I try to ssh to another system within our domain, ssh
> >> breaks with the following error:
> 
>  $ ssh -vvv automation01
>  OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
>  debug1: Reading configuration data /etc/ssh/ssh_config
>  debug1: /etc/ssh/ssh_config line 5: Applying options for *
>  debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy
> >> -p 22 automation01
>  debug1: permanently_drop_suid: 158701
>  debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa type -1
>  debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa-cert type -1
>  debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa type -1
>  debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa-cert type -1
>  debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa type -1
>  debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa-cert type -1
>  debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519 type -1
>  debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519-cert type
> >> -1
>  debug1: Enabling compatibility mode for protocol 2.0
>  debug1: Local version string SSH-2.0-OpenSSH_6.6.1
>  ssh_exchange_identification: Connection closed by remote host
> >>>
> >>> Did you crank up debug level on the machine where sshd is running and
> >> see if anything is logged then?
> >>>
> 
>  Nothing is logged in either /var/log/messages or /var/log/secure when
> >> this happens, so I'm unsure where to begin debugging.  Can you offer any
> >> insight?
> 
>  Thanks,
> 
>  Jeff
> 
>  Jeff Hallyburton
>  Strategic Systems Engineer
>  Bloomip Inc.
>  Web: http://www.bloomip.com
> 
>  Engineering Support: supp...@bloomip.com
>  Billing Support: bill...@bloomip.com
>  Customer Support Portal:  https://my.bloomip.com
>  --
>  Manage your subscription for the Freeipa-users mailing list:
>  https://www.redhat.com/mailman/listinfo/freeipa-users
>  Go to http://freeipa.org for more info on the project
> >>>
> >>>
> >>
> > 
> > 
> > 
> 



Re: [Freeipa-users] Free-IPA failover succeeds, but ssh is broken?

2016-01-18 Thread Alexander Bokovoy

On Fri, 15 Jan 2016, Jeff Hallyburton wrote:

Having finished setting up an ipa server and replica, we're trying to test
failover to ensure that HA works as expected.  We've been able to verify
the replication agreements and auto-discovery are working, and both servers
are picked up as expected at install time.

That said, we're seeing some oddities with failover.  Once I shut down the
ipa service on the main ipa server, I get most requests completing after
about a 2 min window.  I am able to:

1.  Authenticate to our jump server and get a kerberos ticket
2.  kinit successfully as other users

However, whenever I try to ssh to another system within our domain, ssh
breaks with the following error:

$ ssh -vvv automation01

OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 5: Applying options for *

debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p
22 automation01

debug1: permanently_drop_suid: 158701

debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa type -1

debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa-cert type -1

debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa type -1

debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa-cert type -1

debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa type -1

debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa-cert type -1

debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519 type -1

debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.6.1

ssh_exchange_identification: Connection closed by remote host


Nothing is logged in either /var/log/messages or /var/log/secure when this
happens, so I'm unsure where to begin debugging.  Can you offer any insight?

Do you have, by chance either on the client or on automation01 a locale
that doesn't exist on either one? For example, a fr_FR locale on the
client which is missing on the server?

By default the sshd configuration accepts certain environment variables
when a client connection comes in:

/etc/ssh/sshd_config:
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

/etc/ssh/ssh_config:
# Send locale-related environment variables
	SendEnv LANG 
	SendEnv XMODIFIERS


There is a bug in the proxy command -- it tries to enable localized
error messages and if that step fails, the proxy tool exits with an
error code which is visible as 


ssh_exchange_identification: Connection closed by remote host

I think we fixed this in newer SSSD versions already.
--
/ Alexander Bokovoy

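To make the mechanism above concrete, here is an added example (not from the
thread, and not SSSD or OpenSSH code) that works out which locale variables a
client hands to sshd and whether they name locales that are installed where
they will be used. Alexander's point has two halves: sss_ssh_knownhostsproxy
runs on the client with the client's own LANG/LC_* environment, and the server
only sees the variables that ssh_config SendEnv sends and sshd_config AcceptEnv
accepts (OpenSSH matches both lists as glob patterns). The ssh/sshd config
excerpts, the environment and the "locale -a" lists below are constructed
sample data.

```python
"""Check locale variables against the machines that have to honour them.

Added example, not code from the thread, SSSD or OpenSSH. The config
excerpts, client environment and locale lists are constructed sample data.
"""
import fnmatch

# Constructed excerpt: the client sends LANG and every LC_* variable.
SAMPLE_SSH_CONFIG = """\
Host *
    SendEnv LANG LC_*
    SendEnv XMODIFIERS
"""

# Constructed excerpt modelled on the sshd_config defaults quoted in the thread.
SAMPLE_SSHD_CONFIG = """\
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
"""

# Constructed: what the client process (and therefore the proxy command) sees,
# and what `locale -a` prints on the client and on the server.
CLIENT_ENV = {"LANG": "en_US.UTF-8", "LC_TIME": "fr_FR.UTF-8",
              "TERM": "xterm", "XMODIFIERS": "@im=ibus"}
CLIENT_LOCALES = ["C", "POSIX", "en_US.utf8", "fr_FR.utf8"]
SERVER_LOCALES = ["C", "POSIX", "en_US.utf8"]


def parse_env_patterns(config_text, keyword):
    """Patterns after every `keyword` line (SendEnv or AcceptEnv).

    OpenSSH allows several names per line and several lines per file;
    leading whitespace and '#' comments are ignored.
    """
    patterns = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if parts and parts[0].lower() == keyword.lower():
            patterns.extend(parts[1:])
    return patterns


def forwarded_env(client_env, ssh_config_text, sshd_config_text):
    """{name: value} for variables the client sends AND sshd accepts."""
    send = parse_env_patterns(ssh_config_text, "SendEnv")
    accept = parse_env_patterns(sshd_config_text, "AcceptEnv")
    return {
        name: value for name, value in client_env.items()
        if any(fnmatch.fnmatchcase(name, p) for p in send)
        and any(fnmatch.fnmatchcase(name, p) for p in accept)
    }


def normalise_locale(value):
    """`locale -a` prints 'en_US.utf8' while LANG usually says 'en_US.UTF-8'."""
    return value.replace("UTF-8", "utf8").replace("utf-8", "utf8")


def missing_locales(env, available):
    """LANG/LC_* values that are not installed; C and POSIX always exist."""
    installed = {normalise_locale(l) for l in available}
    missing = {}
    for name, value in env.items():
        if name != "LANG" and not name.startswith("LC_"):
            continue
        if value in ("", "C", "POSIX") or value.startswith("C."):
            continue
        if normalise_locale(value) not in installed:
            missing[name] = value
    return missing


def diagnose(client_env, client_locales, server_locales,
             ssh_config_text, sshd_config_text):
    """Locales the proxy command (client side) and sshd (server side) lack."""
    sent = forwarded_env(client_env, ssh_config_text, sshd_config_text)
    return {
        "client_missing": missing_locales(client_env, client_locales),
        "server_missing": missing_locales(sent, server_locales),
    }


if __name__ == "__main__":
    # On a real system use os.environ, `locale -a` locally, `ssh host locale -a`
    # remotely, and the contents of /etc/ssh/ssh_config and /etc/ssh/sshd_config.
    print(diagnose(CLIENT_ENV, CLIENT_LOCALES, SERVER_LOCALES,
                   SAMPLE_SSH_CONFIG, SAMPLE_SSHD_CONFIG))
```

With the constructed data the client is fine but LC_TIME=fr_FR.UTF-8 is
forwarded to a server that has no fr_FR locale. If the check flags the client
side, installing the locale or not exporting the variable for that one
invocation (for example LC_ALL=C ssh automation01) should sidestep the
setlocale failure Alexander describes in the proxy tool.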


Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-18 Thread Ludwig Krispenz


On 01/18/2016 04:47 AM, Nathan Peters wrote:


This is another issue I'm not sure how to debug or solve in 4.3.0.  A 
failed replica installation left a replica with stuff in the tree, but 
not configured properly on the localhost.  I did ipa-server-install 
--uninstall as suggested by the installation program and it deleted 
the local copy of the data, but did not clean the tree.


Now all subsequent installations are failing with some duplicate entry 
error.


All packages are up to date so this is not the pki-ca 10.2.6-13 fix 
issue.  I've checked the whole tree for any references to the old copy 
of the master but I can't find them.


That error log is typically unhelpful as it doesn't tell me what entry 
or where it is looking or finding a duplicate or I would just go 
delete it myself.



look at the DS access log, you should see an ADD operation with
RESULT  err=68 tag=105


2016-01-18T03:29:55Z DEBUG Fetching nsDS5ReplicaId from master 
[attempt 1/5]


2016-01-18T03:29:55Z DEBUG Successfully updated nsDS5ReplicaId.

2016-01-18T03:29:55Z DEBUG Traceback (most recent call last):

File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", 
line 447, in start_creation


run_step(full_msg, method)

File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", 
line 437, in run_step


method()

File 
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", 
line 413, in __setup_replica


repl.setup_promote_replication(self.master_fqdn)

File 
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", 
line 1589, in setup_promote_replication


self.basic_replication_setup(r_conn, r_id, self.repl_man_dn, None)

File 
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", 
line 983, in basic_replication_setup


self.replica_config(conn, replica_id, repldn)

File 
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", 
line 467, in replica_config


conn.add_entry(entry)

File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
1442, in add_entry


self.conn.add_s(str(entry.dn), list(attrs.items()))

File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__

self.gen.throw(type, value, traceback)

File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
947, in error_handler


raise errors.DuplicateEntry()

DuplicateEntry: This entry already exists

2016-01-18T03:29:55Z DEBUG   [error] DuplicateEntry: This entry 
already exists


2016-01-18T03:29:55Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, 
in execute


return_value = self.run()

File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 
318, in run


cfgr.run()

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 310, in run


self.execute()

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 332, in execute


for nothing in self._executor():

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 372, in __runner


self._handle_exception(exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 394, in _handle_exception


six.reraise(*exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 362, in __runner


step()

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 359, in 


step = lambda: next(self.__gen)

File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
line 81, in run_generator_with_yield_from


six.reraise(*exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
line 59, in run_generator_with_yield_from


value = gen.send(prev_value)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 571, in _configure


next(executor)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 372, in __runner


self._handle_exception(exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 449, in _handle_exception


self.__parent._handle_exception(exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 394, in _handle_exception


six.reraise(*exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 446, in _handle_exception


super(ComponentBase, self)._handle_exception(exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 394, in _handle_exception


six.reraise(*exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 362, in __runner


step()

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 359, in 


step = lambda: next(self.__gen)

File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
line 81, in run_generator_with_yield_from


six.reraise(*exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
line 59, in run_generator_with_yield_from


value = gen.send(prev_value)

File 

Re: [Freeipa-users] Free-IPA failover succeeds, but ssh is broken?

2016-01-18 Thread Jakub Hrozek
On Mon, Jan 18, 2016 at 10:54:42AM +0200, Alexander Bokovoy wrote:
> I think we fixed this in newer SSSD versions already.

Yes, but in master only, we haven't released the fix yet:
https://fedorahosted.org/sssd/ticket/2785



Re: [Freeipa-users] Cross Domain Trust

2016-01-18 Thread Jakub Hrozek
On Mon, Jan 18, 2016 at 06:02:43PM +0100, Lukas Slebodnik wrote:
> On (12/01/16 11:11), Lukas Slebodnik wrote:
> >On (12/01/16 08:25), Zoske, Fabian wrote:
> >>We recently upgraded our IPA-Server from CentOS 7.1 to CentOS 7.2. So far 
> >>no differences.
> >>
> >Then please provide sssd logfiles (1.13.3) from client
> >and also log files from sssd on freeipa server (sssd on freeipa
> >server is used indirectly by extop plugin in 389-ds)
> >
> >Please provide log files from the same time when you reproduced an issue.
> >
> Thank you very much for log files.
> 
> Authentication on client failed due to the following error:
> (Thu Jan 14 12:58:36 2016) [[sssd[krb5_child[992]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [992] 1452772716.736098: Sending request 
> (173 bytes) to EUROIMMUN.TEST (master)
> 
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [get_and_save_tgt] 
> (0x0020): 1232: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"]
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [map_krb5_error] 
> (0x0020): 1301: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"]
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [k5c_send_data] 
> (0x0200): Received error code 1432158209
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [pack_response_packet] 
> (0x2000): response packet size: [4]
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [k5c_send_data] 
> (0x4000): Response sent.
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [main] (0x0400): 
> krb5_child completed successfully
> 
> 
> Do you have the realm "EUROIMMUN.TEST" defined in your krb5.conf?
> 
> It is possible that sssd wrote a snippet to the directory
> /var/lib/sss/pubconf/krb5.include.d/
> but this directory is not included in krb5.conf.
> 
> $ grep includedir /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> BTW you can test the same operation as sssd did from command line.
> 
> KRB5_TRACE=/dev/stderr kinit f.zo...@euroimmun.test
> 
> or is this principal name an enterprise name?

IIRC this came up in a private conversation, too. In short, enterprise
principals are not supported in an IPA-AD trust scenario, but one can
work around that by using:
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr
and thus tricking sssd into 'deriving' the UPN from the domain name.

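An added example (not SSSD's or MIT krb5's own code) of the check Lukas
quotes above: is the realm reachable from /etc/krb5.conf, either directly or
through a snippet in a directory named by an includedir line? SSSD drops its
generated snippets into /var/lib/sss/pubconf/krb5.include.d/, which only take
effect if krb5.conf carries the matching includedir line. The krb5.conf and
the snippet written by build_fixture() are constructed; the snippet's name and
contents are illustrative, not what sssd writes verbatim, and the KDC host
names are made up.

```python
"""Is a Kerberos realm defined in krb5.conf or in an included snippet?

Added example, not SSSD or krb5 code. build_fixture() writes constructed
files so the check can be run offline.
"""
import os
import re
import tempfile

SSS_INCLUDE_DIR = "/var/lib/sss/pubconf/krb5.include.d"


def includedirs(conf_text):
    """Directories named by `includedir <dir>` lines, comments ignored."""
    dirs = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"includedir\s+(\S+)", line)
        if m:
            dirs.append(m.group(1).rstrip("/"))
    return dirs


def has_sss_includedir(conf_path, sss_dir=SSS_INCLUDE_DIR):
    """True if conf_path includes the directory sssd writes its snippets to."""
    with open(conf_path) as f:
        return sss_dir.rstrip("/") in includedirs(f.read())


def realms_in(conf_text):
    """Realm names defined in a [realms] section, i.e. `REALM = {` lines."""
    realms, section = set(), None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "realms":
            m = re.match(r"([^\s=]+)\s*=\s*\{", line)
            if m:
                realms.add(m.group(1))
    return realms


def realm_defined(conf_path, realm):
    """True if `realm` is defined in conf_path or in any included snippet.

    libkrb5 only reads files in an includedir whose names consist of
    letters, digits, '-' and '_' (release 1.17 and later also accept names
    ending in .conf); editor backups such as 'foo~' are skipped, so the
    same filter is applied here.
    """
    with open(conf_path) as f:
        text = f.read()
    if realm in realms_in(text):
        return True
    for d in includedirs(text):
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not re.fullmatch(r"[A-Za-z0-9_-]+|[^/]+\.conf", name):
                continue
            with open(os.path.join(d, name)) as f:
                if realm in realms_in(f.read()):
                    return True
    return False


def build_fixture(with_includedir=True):
    """Write a constructed krb5.conf and one snippet; return (conf, include_dir)."""
    root = tempfile.mkdtemp()
    inc = os.path.join(root, "krb5.include.d")
    os.mkdir(inc)
    lines = ["includedir %s/" % inc] if with_includedir else []
    lines += ["[libdefaults]", "  default_realm = IPA.EXAMPLE.TEST",
              "[realms]", "  IPA.EXAMPLE.TEST = {",
              "    kdc = ipa.example.test:88", "  }"]
    conf = os.path.join(root, "krb5.conf")
    with open(conf, "w") as f:
        f.write("\n".join(lines) + "\n")
    # Constructed snippet for the trusted realm named in the thread.
    with open(os.path.join(inc, "domain_realm_euroimmun_test"), "w") as f:
        f.write("[realms]\n  EUROIMMUN.TEST = {\n"
                "    kdc = dc.euroimmun.test:88\n  }\n")
    return conf, inc


if __name__ == "__main__":
    for flag in (True, False):
        conf, inc = build_fixture(flag)
        print("includedir present:", has_sss_includedir(conf, inc),
              "EUROIMMUN.TEST defined:", realm_defined(conf, "EUROIMMUN.TEST"))
```

Run against the real /etc/krb5.conf with the default sss_dir to reproduce
the two cases Lukas distinguishes; when realm_defined() is False for the
trusted realm, the KRB5_TRACE=/dev/stderr kinit run he suggests will show
libkrb5 never consulting the snippet directory.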


Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-18 Thread Nathan Peters
I assume you mean look at the DS log on the machine being installed?

There is no "err=68" anywhere in the access file :

[root@dc2-ipa-dev-van slapd-DEV-GLOBALRELAY-NET]# grep "err=68" access
[root@dc2-ipa-dev-van slapd-DEV-GLOBALRELAY-NET]#


Here are the last few lines of the latest attempt to join so we can see time for 
context : 

[27/43]: restarting directory server
  [28/43]: setting up initial replication
  [error] DuplicateEntry: This entry already exists
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    This entry already 
exists
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The 
ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
more information
[root@dc2-ipa-dev-van dirsrv]# tail /var/log/ipareplica-install.log
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1442, in 
add_entry
self.conn.add_s(str(entry.dn), list(attrs.items()))
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 947, in 
error_handler
raise errors.DuplicateEntry()

2016-01-18T17:28:33Z DEBUG The ipa-replica-install command failed, exception: 
DuplicateEntry: This entry already exists
2016-01-18T17:28:33Z ERROR This entry already exists
2016-01-18T17:28:33Z ERROR The ipa-replica-install command failed. See 
/var/log/ipareplica-install.log for more information

And here is the access log (for some reason access is in PST and the install 
log is in UTC, but the equivalent time was 9:28:33).

The last add result before the installation crash appears to be this one (which 
appears to happen successfully): 

[18/Jan/2016:09:28:32 -0800] conn=2 op=10 ADD dn="cn=Peer 
Master,cn=mapping,cn=sasl,cn=config"
[18/Jan/2016:09:28:32 -0800] conn=2 op=10 RESULT err=0 tag=105 nentries=0 
etime=0
[18/Jan/2016:09:28:32 -0800] conn=2 op=11 UNBIND

As you can see from the logs below, the server keeps running, and I have 
included another entry almost a minute after the crash, so it is obviously 
still logging, but just doesn't seem to log the failure.

Also included is the ldapsearch of that branch on the master : 

[root@dc1-ipa-dev-nvan slapd-MYDOMAIN-NET]# ldapsearch -D "cn=directory 
manager" -W -b "cn=mapping,cn=sasl,cn=config"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-18 Thread Rob Crittenden
Nathan Peters wrote:
> I assume you mean look at the DS log on the machine being installed?

I think he meant on the master that generated the prepare file. There
may be some left-over, unexpected entry.

rob

> 
> There is no "err=68" anywhere in the access file :
> 
> [root@dc2-ipa-dev-van slapd-DEV-GLOBALRELAY-NET]# grep "err=68" access
> [root@dc2-ipa-dev-van slapd-DEV-GLOBALRELAY-NET]#
> 
> 
> Here are the last few lines of the latest attempt to join so we can see time 
> for context : 
> 
> [27/43]: restarting directory server
>   [28/43]: setting up initial replication
>   [error] DuplicateEntry: This entry already exists
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    This entry already 
> exists
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The 
> ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
> more information
> [root@dc2-ipa-dev-van dirsrv]# tail /var/log/ipareplica-install.log
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1442, in 
> add_entry
> self.conn.add_s(str(entry.dn), list(attrs.items()))
>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
> self.gen.throw(type, value, traceback)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 947, in 
> error_handler
> raise errors.DuplicateEntry()
> 
> 2016-01-18T17:28:33Z DEBUG The ipa-replica-install command failed, exception: 
> DuplicateEntry: This entry already exists
> 2016-01-18T17:28:33Z ERROR This entry already exists
> 2016-01-18T17:28:33Z ERROR The ipa-replica-install command failed. See 
> /var/log/ipareplica-install.log for more information
> 
> And here is the access log (for some reason access is in PST and the install 
> log is in UTC, but the equivalent time was 9:28:33).
> 
> The last add result before the installation crash appears to be this one 
> (which appears to happen successfully): 
> 
> [18/Jan/2016:09:28:32 -0800] conn=2 op=10 ADD dn="cn=Peer 
> Master,cn=mapping,cn=sasl,cn=config"
> [18/Jan/2016:09:28:32 -0800] conn=2 op=10 RESULT err=0 tag=105 nentries=0 
> etime=0
> [18/Jan/2016:09:28:32 -0800] conn=2 op=11 UNBIND
> 
> As you can see from the logs below, the server keeps running, and I have 
> included another entry almost a minute after the crash, so it is obviously 
> still logging, but just doesn't seem to log the failure.
> 
> Also included is the ldapsearch of that branch on the master : 
> 
> [root@dc1-ipa-dev-nvan slapd-MYDOMAIN-NET]# ldapsearch -D "cn=directory 
> manager" -W -b "cn=mapping,cn=sasl,cn=config"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: [Freeipa-users] FreeRadius and FreeIPA

2016-01-18 Thread Arthur Fayzullin
Thanks for such a good explanation! That has pointed my search in the right direction.
I have succeeded in integrating FreeRADIUS with FreeIPA with the help of
William Brown and his blog. Thanks to him :-)
Links to related articles in his blog:
first part: https://firstyear.id.au/entry/22
second part: https://firstyear.id.au/entry/45

with a little difference taken from this guide:
http://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
I additionally defined
base_dn =
server =
parameters in /etc/raddb/mods-enabled/ldap file.

Everything works fine. Now it would be nice to define different admin
levels for different users on different network devices.
But anyway, everything works!!! Thanks to all!

One little question left: what does the
ipa radiusproxy-add
command do? What is its purpose? Why does everything work without it?

14.12.2015 15:12, Alexander Bokovoy wrote:
> On Wed, 09 Dec 2015, Randy Morgan wrote:
>> Hello,
>>
>> We are setting up our wireless to authenticate against FreeRadius and
>> FreeIPA.  I am looking for any instructions on how to integrate
>> radius with IPA.  We can get them talking via kerberos, but when we
>> have a wireless client attempt to authenticate against them, the
>> password gets stripped out and only the username gets passed on,
>> resulting in a failed logon attempt.
>>
>> As we have studied the problem we have identified the communication
>> protocols used by wireless to pass on the user credentials to
>> radius.  Wireless uses EAP as its primary protocol.  We are running
>> Xirrus wireless APs and from what we can learn, they act only as a
>> pass through conduit for the client.  Ideally we would like them to
>> speak PEAP TTLS, this would allow kerberos to process from the client
>> to the IPA server, we are still researching this.
>>
>> Are there any instructions on how to integrate FreeRadius 3.0.10 with
>> FreeIPA 3.3.5?  Any help would be appreciated.
> We see this question asked periodically. What we ask always prior to
> answering it is what it would be used for? What authentication
> mechanisms RADIUS is supposed to provide to its clients?
>
> FreeRADIUS authenticating against IPA is easy. However, depending on
> what authentication mechanisms are required it will be either not
> possible to achieve or will definitely degrade security of the setup.
>
> A general approach is to use following setup to use PAP authentication:
>  1. Installing the 'freeradius-ldap' rpm from yum
>  2. chmod 775 /etc/raddb/certs (so radiusd can write cert files)
>  3. Change your 'authorize' and 'authenticate' sections of
>  /etc/raddb/radiusd.conf to:
>   authorize {
>ldap
>  }
>  authenticate {
>Auth-Type LDAP {
>ldap
>}
>  }
>
> During PAP a plaintext password is passed to the RADIUS server
> (encrypted with a weak MD5 shared secret).
>
> When the RADIUS server receives the user's plaintext password in the
> conventional configuration it simply compares the received password with
> the stored password. The issue with IPA is there is no stored plaintext
> password to compare to, therefore you cannot use conventional PAP with
> IPA.
>
> But FreeRADIUS permits you to do other things with PAP besides just
> comparing the received password against the stored password for the
> user. You can instruct FreeRADIUS to use what they call an
> "authentication oracle", or at the risk of loose terminology to "proxy"
> the authentication to another authentication server (not to be confused
> with radius proxy where the radius transaction is proxied to another
> radius server).
>
> There are two authentication oracles FreeRADIUS can use
>
> * LDAP
> * Kerberos
>
> In this scenario the plaintext password received by the RADIUS server is
> used to authenticate against the oracle. For LDAP it does a simple bind.
> For Kerberos it does a kinit. If the authentication succeeds the RADIUS
> server ACK's the PAP. The thing to note here is this is still occurring
> with PAP but no password comparison is being performed.
>
> There is a third "oracle" FreeRADIUS can utilize, namely Active
> Directory, but in this case the protocol is not PAP, the ntlm_auth
> helper from Samba is used instead with the RADIUS server communicating
> with ntlm_auth which communicates with AD.
>
> The suggestion of using strong passwords is always a good idea. The
> password transmission between the client and the radius server only
> enjoys weak protection so a strong password is especially important.
> Communication between the RADIUS server and its oracles can be quite
> strong and is generally not a concern if things are configured properly.
>
> Now, there is an issue if you would want to authenticate Windows clients
> using MS CHAPv2 because that implies that FreeRADIUS would want to fetch
> a weak NTLM hash to do negotiation on its own side.
>
> To achieve that, one would need to give up the hashes to FreeRADIUS
> instance. We consider them weak as they can 

Re: [Freeipa-users] ipa-certupdate not installing root certificates in /etc/pki/pki-tomcat/alias/

2016-01-18 Thread Peter Pakos

On 18/01/2016 08:37, Jan Cholasta wrote:
>> Are the above steps correct for installing 3rd party certificates in
>> FreeIPA 4.2? Should I change anything?
>
> Looks OK to me.

Thanks for verifying my instructions.

--
Kind regards,
 Peter Pakos



Re: [Freeipa-users] CA-less vs CA-ful FreeIPA 4.2 installation

2016-01-18 Thread Peter Pakos

On 18/01/2016 08:06, Martin Kosek wrote:
> I am hoping that this is well explained here:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-examples.html#install-ca-options
>
> Some useful notes are also Dmitri Pal's blog post:
> http://rhelblog.redhat.com/2015/06/02/identity-management-and-certificates/

Thanks for the docs.

I'm trying to get my head around this... if I have a working CA-ful 
FreeIPA setup and then install 3rd party SSL certificates for HTTP/LDAP 
only (including 3 root CA certs from the chain) - does this replace 
original self-signed CA that FreeIPA generated (and becomes External CA 
install) or does CA stay untouched and I can still take advantage of all 
the goodies that come with CA-ful install like automatic certificates 
renewals (apart from HTTP/LDAP ones)?

Or does this become a multi CA install?

BTW, I can see that the root certificates are getting added to 
/etc/ipa/ca.crt.

>> I'm also thinking ahead, when it comes to renewing certificates when they
>> expire in 1 year time, which install type would cause less problems?
>
> In CA-ful installation, client certificates or FreeIPA CA subsystem
> certificates should just renew automatically. In CA-less, you need to take care
> to renew them manually with your 3rd party certificate provider.

So in my CA-ful install with 3rd party SSL certificate installed, how 
would the renewal look?

I understand that I would have to install new HTTP/LDAP certificates 
manually as they were signed by external CA, but would all certificates 
issued by FreeIPA CA still renew automatically?

>> I've failed to find any useful info covering the above points, so if you know
>> anything, please just let me know.
>
> I think the important point is that even if you choose to install with CA-less
> for now, you can switch to CA-ful later via ipa-ca-install:
>
> http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion

Thank you, your help is much appreciated!

--
Kind regards,
 Peter Pakos



Re: [Freeipa-users] CA-less vs CA-ful FreeIPA 4.2 installation

2016-01-18 Thread Martin Kosek
On 01/18/2016 12:05 PM, Peter Pakos wrote:
> On 18/01/2016 08:06, Martin Kosek wrote:
>> I am hoping that this is well explained here:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-examples.html#install-ca-options
>>
>>
>> Some useful notes are also Dmitri Pal's blog post:
>> http://rhelblog.redhat.com/2015/06/02/identity-management-and-certificates/
> 
> Thanks for the docs.
> 
> I'm trying to get my head around this... if I have a working CA-ful FreeIPA
> setup and then install 3rd party SSL certificates for HTTP/LDAP only 
> (including
> 3 root CA certs from the chain) - does this replace original self-signed CA
> that FreeIPA generated (and becomes External CA install) or does CA stay
> untouched and I can still take advantage of all the goodies that come with
> CA-ful install like automatic certificates renewals (apart from HTTP/LDAP 
> ones)?
> 
> Or does this became a multi CA install?
> 
> BTW, I can see that the root certificates are getting added to 
> /etc/ipa/ca.crt.

You should still be able to benefit from all the goodies the CA-ful FreeIPA
has. As you noticed above, all root CA certs should be added to ca.crt (see the
help for the ipa-certupdate tool, which is used to update certs on server/client
and add the new CA certificates).

>>> I'm also thinking ahead, when it comes to renewing certificates when they
>>> expire in 1 year time, which install type would cause less problems?
>>
>> In CA-ful installation, client certificates or FreeIPA CA subsystem
>> certificates should just renew automatically. In CA-less, you need to take 
>> care
>> to renew them manually with your 3rd party certificate provider.
> 
> So in my CA-ful install with 3rd party SSL certificate installed, how would 
> the
> renewal look?

All certificates issued by FreeIPA CA should be renewed automatically by
certmonger (if configured). External certificates need to be renewed
manually. Honza, does certmonger already warn about non-IPA certificates that
are getting close to their expiration date, or is this rather an RFE for the future?

> I understand that I would have to install new HTTP/LDAP certificates manually
> as they were signed by external CA, but would all certificates issued by
> FreeIPA CA still renew automatically?

They should, yes.

>>> I've failed to find any useful info covering the above points, so if you 
>>> know
>>> anything, please just let me know.
>>
>> I think the important point is that even if you choose to install with 
>> CA-less
>> for now, you can switch to CA-ful later via ipa-ca-install:
>>
>> http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion
> 
> Thank you, your help is much appreciated!
> 



Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-18 Thread Petr Vobornik

On 01/18/2016 11:04 AM, Ludwig Krispenz wrote:


On 01/18/2016 04:47 AM, Nathan Peters wrote:


This is another issue I'm not sure how to debug or solve in 4.3.0.  A
failed replica installation left a replica with stuff in the tree, but
not configured properly on the localhost.  I did ipa-server-install
--uninstall as suggested by the installation program and it deleted
the local copy of the data, but did not clean the tree.

Now all subsequent installations are failing with some duplicate entry
error.

All packages are up to date so this is not the pki-ca 10.2.6-13 fix
issue.  I've checked the whole tree for any references to the old copy
of the master but I can't find them.

That error log is typically unhelpful as it doesn't tell me what entry
or where it is looking or finding a duplicate or I would just go
delete it myself.


look at the DS access log, you should see an ADD operation with
RESULT  err=68 tag=105


According to code it's most likely
 cn=replica,cn=$DOMAIN_SUFFIX,cn=mapping tree,cn=config

I don't know why it happens because the installer should add it only if the 
entry does not exist. It would be worth checking in the DS access log whether 
the base search (which should happen before the add) for the dn fails or succeeds.




2016-01-18T03:29:55Z DEBUG Fetching nsDS5ReplicaId from master
[attempt 1/5]

2016-01-18T03:29:55Z DEBUG Successfully updated nsDS5ReplicaId.

2016-01-18T03:29:55Z DEBUG Traceback (most recent call last):

File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 447, in start_creation

run_step(full_msg, method)

File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 437, in run_step

method()

File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 413, in __setup_replica

repl.setup_promote_replication(self.master_fqdn)

File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1589, in setup_promote_replication

self.basic_replication_setup(r_conn, r_id, self.repl_man_dn, None)

File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 983, in basic_replication_setup

self.replica_config(conn, replica_id, repldn)

File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 467, in replica_config

conn.add_entry(entry)

File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1442, in add_entry

self.conn.add_s(str(entry.dn), list(attrs.items()))

File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__

self.gen.throw(type, value, traceback)

File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
947, in error_handler

raise errors.DuplicateEntry()

DuplicateEntry: This entry already exists

2016-01-18T03:29:55Z DEBUG   [error] DuplicateEntry: This entry
already exists

2016-01-18T03:29:55Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171,
in execute

return_value = self.run()

File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
318, in run

cfgr.run()

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 310, in run

self.execute()

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 332, in execute

for nothing in self._executor():

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 372, in __runner

self._handle_exception(exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 394, in _handle_exception

six.reraise(*exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 362, in __runner

step()

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 359, in 

step = lambda: next(self.__gen)

File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 81, in run_generator_with_yield_from

six.reraise(*exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 59, in run_generator_with_yield_from

value = gen.send(prev_value)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 571, in _configure

next(executor)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 372, in __runner

self._handle_exception(exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 449, in _handle_exception

self.__parent._handle_exception(exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 394, in _handle_exception

six.reraise(*exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 446, in _handle_exception

super(ComponentBase, self)._handle_exception(exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 394, in _handle_exception

six.reraise(*exc_info)

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 362, in __runner

step()

File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 359, in 

step = lambda: next(self.__gen)

File 

Re: [Freeipa-users] GID, groups and ipa group-show

2016-01-18 Thread Petr Spacek
On 15.1.2016 15:55, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 15.1.2016 08:48, David Kupka wrote:
>>> On 14/01/16 22:09, Rob Crittenden wrote:
 Prasun Gera wrote:
> This is an old thread, but I can confirm that this is still an issue on
> RHEL 7.2 + 4.2. This creates problems when there are roles associated
> with groups, but group membership through GID is broken. I had migrated
> all old NIS accounts into ipa. I then added the host enrollment role to
> a particular group. Now, unless I add the users to the group explicitly,
> they won't get the role, even if their gid is the same as the gid of the
> group.

 The user GIDNumber just sets the default group for POSIX. If you do
 groups on the user I'll bet it shows correctly.

 For the purposes of IPA access control, as you've seen, the user must
 have a memberOf for a given group, either directly or indirectly.

 rob

>>>
>>> Exactly, but the question is, shouldn't IPA add this membership 
>>> automatically?
>>> (Of course, only in case IPA has group with this GID.)
>>
>> IMHO we should. Currently, the user effectively has different group 
>> membership
>> on POSIX systems and non-POSIX systems which read only member attribute. I
>> think that this is surprising and inconsistent.
> 
> Seems like next step is to open the RFE.
> 
> I wouldn't characterize it as POSIX vs non-POSIX as that could confuse
> things. It is just that if the user doesn't have a UPG then they
> probably don't have a memberOf for their GID group.

https://fedorahosted.org/freeipa/ticket/5613

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
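The mismatch discussed in this thread (a user whose gidNumber points at an IPA POSIX group that never lists the user in memberOf, so the group's roles and other IPA access control never apply) can be audited directly from the directory data. The following is an added example, not FreeIPA code; it works on already-fetched entries, here constructed sample data shaped like the raw attributes IPA exposes, so it runs offline. In practice the input would come from an LDAP search over cn=users and cn=groups under cn=accounts.

```python
"""Audit users whose primary GID group does not list them as a member.
Added example, not FreeIPA code; all sample entries below are constructed."""


def find_gid_only_members(users, groups):
    """Return (uid, group cn) pairs where the user's gidNumber matches a
    group's gidNumber but that group's DN is absent from the user's memberOf.
    memberOf in 389-ds already covers indirect (nested) membership, so a hit
    here means IPA access control tied to the group does not reach the user."""
    by_gid = {g["gidNumber"]: g for g in groups if "gidNumber" in g}
    findings = []
    for user in users:
        group = by_gid.get(user.get("gidNumber"))
        if group is None:
            continue  # user private group, or a GID IPA does not manage: nothing to compare
        member_of = {dn.lower() for dn in user.get("memberOf", [])}
        if group["dn"].lower() not in member_of:
            findings.append((user["uid"], group["cn"]))
    return findings


def remediation_commands(findings):
    """The `ipa group-add-member` calls that would make memberOf agree with
    gidNumber. Returned as strings for review, not executed."""
    return [f"ipa group-add-member {cn} --users={uid}" for uid, cn in findings]


# Constructed sample entries (not real directory data).
BASE = "cn=accounts,dc=example,dc=test"
GROUPS = [
    {"cn": "nis-legacy", "dn": f"cn=nis-legacy,cn=groups,{BASE}", "gidNumber": "5000"},
    {"cn": "editors", "dn": f"cn=editors,cn=groups,{BASE}"},  # non-POSIX group: no gidNumber
]
USERS = [
    # migrated from NIS: primary GID 5000, never added to the group's member list
    {"uid": "migrated1", "gidNumber": "5000",
     "memberOf": [f"cn=ipausers,cn=groups,{BASE}"]},
    # same GID, but also an explicit member: consistent
    {"uid": "migrated2", "gidNumber": "5000",
     "memberOf": [f"cn=ipausers,cn=groups,{BASE}", f"cn=nis-legacy,cn=groups,{BASE}"]},
    # user private group: the GID matches no shared group, nothing to audit
    {"uid": "alice", "gidNumber": "1700000001",
     "memberOf": [f"cn=ipausers,cn=groups,{BASE}", f"cn=editors,cn=groups,{BASE}"]},
]

if __name__ == "__main__":
    for cmd in remediation_commands(find_gid_only_members(USERS, GROUPS)):
        print(cmd)
```

Run against the sample data it reports only `migrated1`, the migrated account whose GID matches `nis-legacy` without a membership entry; `migrated2` is consistent and `alice` has a UPG GID that no shared group carries.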


Re: [Freeipa-users] Issue with fresh install of FreeRADIUS

2016-01-18 Thread William Brown
On Wed, 2016-01-06 at 10:06 -0500, Anthony Cheng wrote:
> Hi all,
> 
> Just did a fresh install of FreeRADIUS following this guide on a
> Centos 7 box - http://www.freeipa.org/page/Using_FreeIPA_and_FreeRadi
> us_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
> 
> Local testing with radtest works, however radiusd have issues.  I do
> find it odd that these line indicated success:
> 
> Process: 1270 ExecStartPre=/bin/chown -R radiusd.radiusd
> /var/run/radiusd (code=exited, status=0/SUCCESS)
> 

Does your radius server depend on your ipa instance? 

If so there is a bug open at the moment that freeradius should start
AFTER ipa.service / dirsrv.target. At the moment radiusd starts before
them, and will fail to start as it cannot connect to the directory
server. 



-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane




Re: [Freeipa-users] FreeRadius and FreeIPA

2016-01-18 Thread William Brown
On Mon, 2016-01-18 at 22:01 +1000, William Brown wrote:
> So as a result, they CAN do
> vlan assignment based on tags in the access-accept packet, but it's a
> hack.

Sorry, I should say "They don't use the tags in the access-accept" they
use an out-of-band mechanism to transmit the vlan id rather than the
radius access-accept. 


-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane




Re: [Freeipa-users] FreeRadius and FreeIPA

2016-01-18 Thread William Brown
On Mon, 2016-01-18 at 16:22 +0500, Arthur Fayzullin wrote:
> Thanks for such a good explanation! That has pointed my search.
>  I have succeeded in integrating freeradius with freeipa with the help of
> William Brown and his blog. Thanks to Him :-)
> Links to related articles in his blog:
> first part: https://firstyear.id.au/entry/22
> second part: https://firstyear.id.au/entry/45
> 

Sorry, my certs are based on my IPA domain. Try these links if you don't
want to temporarily accept.

http://firstyear.id.au/entry/22
http://firstyear.id.au/entry/45

> 
> everything works fine. now it would be fine to define different admin
> level for different users on different network devices.
> But anyway everything works!!! Thanks to all!

With the setup that I have here you cannot do this. mschapv2 doesn't
let you insert vlan tags to the NAS, so as a result you can't do this.
The way that cisco access points and other vendors get around this, is
that they generally have a wireless controller that does part of the
handshake separately to the NAS itself. So as a result, they CAN do
vlan assignment based on tags in the access-accept packet, but it's a
hack.

If you want to do vlan assignment without access to cisco specific
hardware, you'll need to use something that isn't eap. However, most
devices require custom profiles in these scenarios (Windows, ios, osx
etc). TTLS for example, cannot be configured on windows out of the box, and
ios / osx require enterprise deployment profiles iirc.


You could always set up multiple SSIDs, have them each auth to a
different radius service (default, inner-tunnel ... make a new set)

Then you can have

* wifi -> inner-tunnel
* wifi-admin -> inner-tunnel-admin

You can define different authentication rules then, because you can
specify different requirements for group memberships at this point.

Hope this helps,

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane




Re: [Freeipa-users] FreeRadius and FreeIPA

2016-01-18 Thread Alexander Bokovoy

On Mon, 18 Jan 2016, Arthur Fayzullin wrote:

Thanks for such a good explanation! That has pointed my search.
I have succeeded in integrating freeradius with freeipa with the help of
William Brown and his blog. Thanks to Him :-)
Links to related articles in his blog:
first part: https://firstyear.id.au/entry/22
second part: https://firstyear.id.au/entry/45

with a little difference taken from this guide:
http://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
I additionally defined
base_dn =
server =
parameters in /etc/raddb/mods-enabled/ldap file.

everything works fine. now it would be fine to define different admin
level for different users on different network devices.
But anyway everything works!!! Thanks to all!

1 little question left: what does
ipa radiusproxy-add
command do? what is its purpose? why everything works without it?

This is for the other direction -- when 2FA tokens are defined in an
external daemon that provides RADIUS interface to check against them.

You don't need this if you want your RADIUS server to perform 2FA checks
against FreeIPA, you want to define it only if your FreeIPA server
should perform Kerberos authentication against that external RADIUS
server.



14.12.2015 15:12, Alexander Bokovoy пишет:

On Wed, 09 Dec 2015, Randy Morgan wrote:

Hello,

We are setting up our wireless to authenticate against FreeRadius and
FreeIPA.  I am looking for any instructions on how to integrate
radius with IPA.  We can get them talking via kerberos, but when we
have a wireless client attempt to authenticate against them, the
password gets stripped out and only the username gets passed on,
resulting in a failed logon attempt.

As we have studied the problem we have identified the communication
protocols used by wireless to pass on the user credentials to
radius.  Wireless uses EAP as its primary protocol.  We are running
Xirrus wireless APs and from what we can learn, they act only as a
pass through conduit for the client.  Ideally we would like them to
speak PEAP TTLS, this would allow kerberos to process from the client
to the IPA server, we are still researching this.

Are there any instructions on how to integrate FreeRadius 3.0.10 with
FreeIPA 3.3.5?  Any help would be appreciated.

We see this question asked periodically. What we ask always prior to
answering it is what it would be used for? What authentication
mechanisms RADIUS is supposed to provide to its clients?

FreeRADIUS authenticating against IPA is easy. However, depending on
what authentication mechanisms are required it will be either not
possible to achieve or will definitely degrade security of the setup.

A general approach is to use the following setup to use PAP authentication:
 1. Installing the 'freeradius-ldap' rpm from yum
 2. chmod 775 /etc/raddb/certs (so radiusd can write cert files)
 3. Change your 'authorize' and 'authenticate' sections of
 /etc/raddb/radiusd.conf to:
 authorize {
   ldap
 }
 authenticate {
   Auth-Type LDAP {
     ldap
   }
 }

During PAP a plaintext password is passed to the RADIUS server
(encrypted with a weak MD5 shared secret).

When the RADIUS server receives the user's plaintext password in the
conventional configuration it simply compares the received password with
the stored password. The issue with IPA is there is no stored plaintext
password to compare to, therefore you cannot use conventional PAP with
IPA.

But FreeRADIUS permits you to do other things with PAP besides just
comparing the received password against the stored password for the
user. You can instruct FreeRADIUS to use what they call an
"authentication oracle", or at the risk of loose terminology to "proxy"
the authentication to another authentication server (not to be confused
with radius proxy where the radius transaction is proxied to another
radius server).

There are two authentication oracles FreeRADIUS can use

* LDAP
* Kerberos

In this scenario the plaintext password received by the RADIUS server is
used to authenticate against the oracle. For LDAP it does a simple bind.
For Kerberos it does a kinit. If the authentication succeeds the RADIUS
server ACK's the PAP. The thing to note here is this is still occurring
with PAP but no password comparison is being performed.

There is a third "oracle" FreeRADIUS can utilize, namely Active
Directory, but in this case the protocol is not PAP, the ntlm_auth
helper from Samba is used instead with the RADIUS server communicating
with ntlm_auth which communicates with AD.

The suggestion of using strong passwords is always a good idea. The
password transmission between the client and the radius server only
enjoys weak protection so a strong password is especially important.
Communication between the RADIUS server and its oracles can be quite
strong and is generally not a concern if things are configured properly.

Now, there is an issue if you would want to authenticate Windows clients
using 
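The "weak MD5 shared secret" protection of PAP that the message above refers to is the User-Password hiding of RFC 2865 section 5.2. Implemented below as an added example (not FreeRADIUS or FreeIPA code, and the shared secret and Request Authenticator are constructed values), it makes the security point concrete: MD5 is used only as a keystream generator seeded by the shared secret and a 16-octet value the NAS sends in the clear, there is no integrity protection, and so the confidentiality of the password on the NAS-to-RADIUS hop rests entirely on the entropy of the shared secret. That is why the thread's advice on strong passwords and shared secrets matters, and why carrying RADIUS over IPsec or TLS (RadSec, RFC 6614) is the usual hardening.

```python
"""RFC 2865 section 5.2 User-Password hiding for PAP.
Added example, not FreeRADIUS/FreeIPA code; SECRET and AUTHENTICATOR are constructed."""

import hashlib


def first_block_keystream(secret: bytes, authenticator: bytes) -> bytes:
    """The 16 octets XORed into the first password block. Note what it does
    not depend on: the user, the password, or anything the NAS keeps secret
    other than the shared secret itself."""
    return hashlib.md5(secret + authenticator).digest()


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad the password with NULs to a multiple of 16 octets, then XOR each
    16-octet block with MD5(secret || previous hidden block); the first
    'previous block' is the packet's 16-octet Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password, as the RADIUS server performs it before
    handing the plaintext to its LDAP-bind or Kerberos oracle."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")  # strip the NUL padding added on the way in


# Constructed values: a real deployment uses a long random shared secret and a
# fresh random Request Authenticator per Access-Request.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    hidden = radius_hide_password(b"secret-pw", SECRET, AUTHENTICATOR)
    print(hidden.hex(), radius_reveal_password(hidden, SECRET, AUTHENTICATOR))
```

Because `first_block_keystream` is fully determined by the shared secret and a value that travels in the clear, the only guard on that hop is the secret's strength; the RADIUS-to-oracle hop (LDAPS simple bind or a Kerberos AS exchange) is where the stronger protection the message describes comes in.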

Re: [Freeipa-users] FreeIPA 4.3.0 Replica Installation fails with the hostname is not the primary hostname

2016-01-18 Thread Petr Spacek
On 18.1.2016 04:23, Nathan Peters wrote:
> 2016-01-18T03:00:07Z DEBUG Check if dc2-ipa-dev-van.mydomain.net is a primary 
> hostname for localhost
> 2016-01-18T03:00:07Z DEBUG Primary hostname for localhost: 
> dc2-ipa-dev-van.mydomain.net
> 2016-01-18T03:00:07Z DEBUG Search DNS for dc2-ipa-dev-van.mydomain.net
> 2016-01-18T03:00:07Z DEBUG Check if dc2-ipa-dev-van.mydomain.net is not a 
> CNAME
> 2016-01-18T03:00:07Z DEBUG Check reverse address of 10.21.0.98
> 2016-01-18T03:00:07Z DEBUG Found reverse name: dc2-ipa-dev-van.mydomain.net
> 2016-01-18T03:00:07Z DEBUG Check if dc1-ipa-dev-nvan.mydomain.net is a 
> primary hostname for localhost
> --> This line here is strange > 2016-01-18T03:00:07Z DEBUG Primary 
> hostname for localhost: dc1-ipa-dev-nvan.mydomain.net.mydomain.net
> 2016-01-18T03:00:07Z DEBUG   File 
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in 
> execute
> return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, 
> in run
> cfgr.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 308, in run
> self.validate()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 317, in validate
> for nothing in self._validator():
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 372, in __runner
> self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 394, in _handle_exception
> six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 362, in __runner
> step()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 359, in 
> step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, 
> in run_generator_with_yield_from
> six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, 
> in run_generator_with_yield_from
> value = gen.send(prev_value)
>  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 549, 
> in _configure
> next(validator)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 372, in __runner
> self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 449, in _handle_exception
> self.__parent._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 394, in _handle_exception
> six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 446, in _handle_exception
> super(ComponentBase, self)._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 394, in _handle_exception
> six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 362, in __runner
> step()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 359, in 
> step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, 
> in run_generator_with_yield_from
> six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, 
> in run_generator_with_yield_from
> value = gen.send(prev_value)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 
> 63, in _install
> for nothing in self._installer(self.parent):
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>  line 1551, in main
> promote_check(self)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>  line 372, in decorated
> func(installer)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>  line 394, in decorated
> func(installer)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>  line 980, in promote_check
> installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", 
> line 168, in verify_fqdn
> "Please check /etc/hosts or DNS name resolution" % (host_name, 
> ex_name[0]))
> 
> 2016-01-18T03:00:07Z DEBUG The ipa-replica-install command failed, exception: 
> HostLookupError: The host name dc1-ipa-dev-nvan.mydomain.net does not match 
> the primary host name dc1-ipa-dev-nvan.mydomain.net.mydomain.net. Please 
> check /etc/hosts or DNS name resolution
> 2016-01-18T03:00:07Z ERROR The host name dc1-ipa-dev-nvan.mydomain.net does 
> not match the primary host name dc1-ipa-dev-nvan.mydomain.net.mydomain.net. 
> Please check /etc/hosts or DNS name resolution
> 2016-01-18T03:00:07Z ERROR The ipa-replica-install command failed. See 
> 

Re: [Freeipa-users] FreeIPA 4.3.0 Replica Installation fails with the hostname is not the primary hostname

2016-01-18 Thread Nathan Peters
Actually I was able to solve this one, but the error logging could certainly be 
improved to indicate what is actually happening

Here is the actual issue along with the sequence of events: 

1. DNS check for local host to be joined checks forward, cname, and PTR records 
against result of `hostname` command, those all came back ok

2. A second check is performed and I believe it is being performed on an 
existing FreeIPA server (in this case it was my CA master), but the logs say " 
DEBUG Check if dc1-ipa-dev-nvan.mydomain.net is a primary hostname for 
localhost" even though this check is actually being performed remotely on the 
Master.  It almost seems like the log entry from the master is forwarded to us 
and that's why it says 'localhost' or something...

3. It performs the same forward, CNAME, and PTR checks as it did against the 
localhost, but doesn't log those checks.  It fails on the PTR check because 
there actually was a second invalid PTR entry for 
dc1-ipa-dev-nvan.mydomain.net.mydomain.net.  You can see from the logs that it 
actually warned us it was about to do a PTR check on the localhost  " DEBUG 
Check reverse address of  10.21.0.98".  But when it performs the remote check 
on the master, it just does the check without informing us what is about to 
happen, and because it claims that host is 'localhost' if the 2 hostnames are 
similar, you may not even realize it's not performing the check locally

Since the underlying technical issue that caused this was an actual invalid PTR 
record, the removal of the PTR record solved the issue; however, it would be 
nice if the logs let us know that 2nd PTR check was actually remote, not local, 
and if it logged that it was about to perform a PTR check so we could 
accurately know what the cause of the failure was.


-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: January-18-16 4:23 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA 4.3.0 Replica Installation fails with the 
hostname is not the primary hostname

On 18.1.2016 04:23, Nathan Peters wrote:
> 2016-01-18T03:00:07Z DEBUG Check if dc2-ipa-dev-van.mydomain.net is a primary hostname for localhost
> 2016-01-18T03:00:07Z DEBUG Primary hostname for localhost: dc2-ipa-dev-van.mydomain.net
> 2016-01-18T03:00:07Z DEBUG Search DNS for dc2-ipa-dev-van.mydomain.net
> 2016-01-18T03:00:07Z DEBUG Check if dc2-ipa-dev-van.mydomain.net is not a CNAME
> 2016-01-18T03:00:07Z DEBUG Check reverse address of 10.21.0.98
> 2016-01-18T03:00:07Z DEBUG Found reverse name: dc2-ipa-dev-van.mydomain.net
> 2016-01-18T03:00:07Z DEBUG Check if dc1-ipa-dev-nvan.mydomain.net is a primary hostname for localhost
> --> This line here is strange > 2016-01-18T03:00:07Z DEBUG Primary hostname for localhost: dc1-ipa-dev-nvan.mydomain.net.mydomain.net
> 2016-01-18T03:00:07Z DEBUG   File 
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in 
> execute
> return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, 
> in run
> cfgr.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 308, in run
> self.validate()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 317, in validate
> for nothing in self._validator():
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 372, in __runner
> self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 394, in _handle_exception
> six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 362, in __runner
> step()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 359, in 
> step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, 
> in run_generator_with_yield_from
> six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, 
> in run_generator_with_yield_from
> value = gen.send(prev_value)
>  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 549, 
> in _configure
> next(validator)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 372, in __runner
> self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 449, in _handle_exception
> self.__parent._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 394, in _handle_exception
> six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 
> 446, in _handle_exception
> super(ComponentBase, self)._handle_exception(exc_info)
>   File 
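The sequence Nathan reconstructs above (forward lookup, CNAME check, PTR check, run first for the local replica and then again for the remote master while the log still says "localhost") is easy to reproduce with a small checker that labels which host each finding belongs to. The following is an added example, not FreeIPA's own `installutils.verify_fqdn`; it resolves against a constructed in-memory table so it runs offline. The master's address 10.21.0.99 is made up (the page does not give it); the host names and the stale second PTR are the ones from the thread.

```python
"""Forward / CNAME / PTR consistency check, labelled by the host under test.
Added example, not FreeIPA code; the resolver table below is constructed."""


class FakeResolver:
    """Constructed stand-in for DNS: a = name -> [ip], cname = name -> target,
    ptr = ip -> [name, ...] (more than one name means more than one PTR record)."""

    def __init__(self, a, cname, ptr):
        self.a, self.cname, self.ptr = a, cname, ptr


def verify_fqdn(resolver, host_name, role):
    """Return a list of findings for host_name; an empty list means the name
    passed the forward, CNAME and reverse checks. `role` is only a label so the
    reader can tell a local-replica check from a remote-master check."""
    tag = f"[{role}: {host_name}]"
    if host_name in resolver.cname:
        return [f"{tag} is a CNAME for {resolver.cname[host_name]}"]
    ips = resolver.a.get(host_name, [])
    if not ips:
        return [f"{tag} forward lookup returned no address"]
    findings = []
    for ip in ips:
        names = resolver.ptr.get(ip, [])
        if not names:
            findings.append(f"{tag} reverse check of {ip}: no PTR record")
            continue
        for name in names:
            if name.lower().rstrip(".") != host_name.lower():
                findings.append(f"{tag} reverse check of {ip}: PTR {name} "
                                f"does not match the primary host name")
    return findings


def check_replica_setup(resolver, local_host, master_host):
    """Run the checks for the local replica and then for the remote master,
    the second pass being the one the installer log reported as 'localhost'."""
    return (verify_fqdn(resolver, local_host, "local replica")
            + verify_fqdn(resolver, master_host, "remote master"))


# Constructed reproduction of the thread: the master's address carries a
# second, stale PTR with the domain appended twice.
RESOLVER = FakeResolver(
    a={"dc2-ipa-dev-van.mydomain.net": ["10.21.0.98"],
       "dc1-ipa-dev-nvan.mydomain.net": ["10.21.0.99"]},
    cname={},
    ptr={"10.21.0.98": ["dc2-ipa-dev-van.mydomain.net"],
         "10.21.0.99": ["dc1-ipa-dev-nvan.mydomain.net",
                        "dc1-ipa-dev-nvan.mydomain.net.mydomain.net"]},
)

if __name__ == "__main__":
    for finding in check_replica_setup(RESOLVER, "dc2-ipa-dev-van.mydomain.net",
                                       "dc1-ipa-dev-nvan.mydomain.net"):
        print(finding)
```

On the sample table the local replica passes cleanly and the single finding is attributed to the remote master and names the offending PTR, which is the information the original log left out.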

Re: [Freeipa-users] Browser login to IPA "Authentication Required" prompt

2016-01-18 Thread Petr Vobornik

On 01/18/2016 04:34 PM, Petr Vobornik wrote:

On 01/18/2016 04:01 PM, Adam Kaczka wrote:

This happens with FreeIPA version 4.2.0 and also version 3.0.0 with
latest
Chrome (47.0.2526.111 m) and IE 11 (11.63.10586.0).  The issue does not
occur with FF (43.0.4).  I tried the demo page and same thing happened.

Also when using IE the login prompt is the Windows Security domain login
prompt.


Hello Adam,

First I thought that it might be caused by a custom apache auth modules
or by installed gssntlmssp.

I tried Chrome 47.0.2526.106 on Fedora with FreeIPA demo[1] and it
doesn't show the dialog for me.

Have you done any special browser configuration related to authentication?

Does it happen on both Linux and Windows or just on Windows?


Rob just reported, https://fedorahosted.org/freeipa/ticket/5614





On Mon, Jan 18, 2016 at 3:20 AM Martin Kosek  wrote:


On 01/15/2016 09:20 PM, Adam Kaczka wrote:

Hello,

This has been bugging me for awhile but how do I turn off the
"Authentication Required" prompt that pops up on the GUI when I
login to
IPA through browser?  I can cancel it and lands on the /ipa/ui page but

I'd

like to not see it by default.

Also I take it that the prompt is related to Kerberos login; is the

prompt

meant to be used as a 2 factor authentication for browser login?


CCing Petr to be aware of this question. But first, I would be curious -
what
browser version do you use and what FreeIPA version do you use? Do
you see
the
same troubling behavior with FreeIPA demo [1]?

[1] http://www.freeipa.org/page/Demo







--
Petr Vobornik



Re: [Freeipa-users] Cross Domain Trust

2016-01-18 Thread Lukas Slebodnik
On (12/01/16 11:11), Lukas Slebodnik wrote:
>On (12/01/16 08:25), Zoske, Fabian wrote:
>>We recently upgraded our IPA-Server from CentOS 7.1 to CentOS 7.2. So far no 
>>differences.
>>
>Then please provide sssd logfiles (1.13.3) from client
>and also log files from sssd on freeipa server (sssd on freeipa
>server is used indirectly by extop plugin in 389-ds)
>
>Please provide log files from the same time when you reproduced an issue.
>
Thank you very much for log files.

Authentication on client failed due to the following error:
(Thu Jan 14 12:58:36 2016) [[sssd[krb5_child[992 [sss_child_krb5_trace_cb] 
(0x4000): [992] 1452772716.736098: Sending request (173 bytes) to 
EUROIMMUN.TEST (master)

(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992 [get_and_save_tgt] 
(0x0020): 1232: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"]
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992 [map_krb5_error] (0x0020): 
1301: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"]
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992 [k5c_send_data] (0x0200): 
Received error code 1432158209
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992 [pack_response_packet] 
(0x2000): response packet size: [4]
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992 [k5c_send_data] (0x4000): 
Response sent.
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992 [main] (0x0400): 
krb5_child completed successfully


Do you have defined the realm "EUROIMMUN.TEST" in your krb5.conf?

It is possible that sssd wrote snippet to the directory
/var/lib/sss/pubconf/krb5.include.d/
but this directory is not included in krb5.conf.

$ grep includedir /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

BTW you can test the same operation as sssd did from command line.

KRB5_TRACE=/dev/stderr kinit f.zo...@euroimmun.test

or is this principal name an enterprise name?

LS
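The diagnosis Lukas suggests above (the realm may be described in a snippet under /var/lib/sss/pubconf/krb5.include.d/ that krb5.conf never pulls in) can be checked mechanically by expanding the include directives the way libkrb5 does and then looking at the merged [realms] and [domain_realm] sections. The following is an added example, not SSSD or MIT krb5 code. It replaces the file system with a dict of path to content; the krb5.conf text and the snippet contents are constructed (what SSSD actually writes into its snippet varies by version), and the realm name is the one from the log above. It also catches a second way an include can silently fail: libkrb5 ignores files in an includedir whose names contain characters other than letters, digits, dashes and underscores.

```python
"""Resolve include/includedir in krb5.conf and report what libkrb5 would know
about a realm. Added example, not SSSD or MIT krb5 code; all inputs constructed."""

import posixpath
import re

INCLUDEDIR_RE = re.compile(r"^\s*includedir\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
# libkrb5 reads only includedir files whose names are alphanumerics, dashes or
# underscores (releases from 1.17 on additionally accept a '.conf' suffix).
SNIPPET_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def expand_includes(text, files, report):
    """Replace include/includedir directives with the referenced content.
    report['includedirs'] lists directories seen; report['skipped'] lists
    files libkrb5 would ignore because of their names."""
    out = []
    for line in text.splitlines():
        m = INCLUDEDIR_RE.match(line)
        if m:
            directory = m.group(1).rstrip("/")
            report["includedirs"].append(directory)
            for path in sorted(files):
                if posixpath.dirname(path) != directory:
                    continue
                if SNIPPET_NAME_RE.match(posixpath.basename(path)):
                    out.append(expand_includes(files[path], files, report))
                else:
                    report["skipped"].append(path)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            out.append(expand_includes(files.get(m.group(1), ""), files, report))
            continue
        out.append(line)
    return "\n".join(out)


def parse_sections(text):
    """Minimal krb5.conf parser: {section: [(path_tuple, value)]}, where a
    key inside 'NAME = { ... }' gets the path ('NAME', key)."""
    sections, current, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current, stack = line[1:-1].lower(), []
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(key)
        else:
            sections[current].append((tuple(stack + [key]), value))
    return sections


def realm_status(krb5_conf, files, realm):
    """Summarise what libkrb5 would know about `realm` from this configuration."""
    report = {"includedirs": [], "skipped": []}
    sections = parse_sections(expand_includes(krb5_conf, files, report))
    realm = realm.upper()
    realms = sections.get("realms", [])
    return {
        "defined": any(p[0].upper() == realm for p, _ in realms),
        "kdcs": [v for p, v in realms if p[-1] == "kdc" and p[0].upper() == realm],
        "domain_realm": [(p[0], v) for p, v in sections.get("domain_realm", [])
                         if v.upper() == realm],
        "includedirs": report["includedirs"],
        "skipped": report["skipped"],
    }


# Constructed configuration: an IPA client whose krb5.conf may or may not
# include the SSSD snippet directory.
KRB5_CONF_NO_INCLUDEDIR = """\
[libdefaults]
 default_realm = IPA.EXAMPLE.TEST
 dns_lookup_kdc = true

[realms]
 IPA.EXAMPLE.TEST = {
  kdc = ipa.example.test:88
  admin_server = ipa.example.test:749
 }
"""
KRB5_CONF_WITH_INCLUDEDIR = ("includedir /var/lib/sss/pubconf/krb5.include.d/\n"
                             + KRB5_CONF_NO_INCLUDEDIR)
SNIPPETS = {  # constructed snippet contents, not what any SSSD release writes verbatim
    "/var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_test":
        "[domain_realm]\n .euroimmun.test = EUROIMMUN.TEST\n euroimmun.test = EUROIMMUN.TEST\n",
    "/var/lib/sss/pubconf/krb5.include.d/euroimmun-realm.bak":  # dotted name: ignored
        "[realms]\n EUROIMMUN.TEST = {\n  kdc = dc.euroimmun.test\n }\n",
}
```

Without the `includedir` line the trusted realm is invisible to libkrb5; with it, the domain-to-realm mapping appears, while the dotted file name shows up under `skipped` and its `[realms]` block is still not read. The `grep includedir /etc/krb5.conf` check in the message above is the one-line version of the first half of this.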



Re: [Freeipa-users] IPA wont start, all services fail

2016-01-18 Thread Simpson Lachlan
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-


I'm coming back to this thread for consistency, but it is a result of me running 
ipactl on the system we got working a couple of hours ago. See email titled 
"idoverride-add gives incorrect, inconsistant results?" for leadup.

Anyway, ipactl restart fails, again.


[root@vmts-linuxidm ~]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting winbind Service
Restarting ipa-otpd Service
Starting smb Service
Job for smb.service failed because the control process exited with error code. 
See "systemctl status smb.service" and "journalctl -xe" for details.
Failed to start smb Service
Shutting down
Aborting ipactl


Gah. Look in the samba log, and it's exactly the same issue.

Right.

[root@vmts-linuxidm ~]# ipa-adtrust-install --netbios-name=UNIX -a xxx

The log file for this installation can be found in 
/var/log/ipaserver-install.log
==
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility 
plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with 
trusted users.

Enable trusted domains support in slapi-nis? [no]: yes

There was error to automatically re-kinit your admin user ticket.
Proceeding with credentials that existed before
Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket

Huh?

[root@vmts-linuxidm ~]# kdestroy
[root@vmts-linuxidm ~]# kinit admin
kinit: Cannot contact any KDC for realm 'UNIX.CO.ORG.AU' while getting initial 
credentials

I check, and sure enough, dir...@unix.co.org.au has stopped again (should I 
call it 389, dirsrv, ldap or slapd? They are all the same thing, right?).

I restart dirsrv, and try restarting smb, no joy. I try running 
ipa-adtrust-install again, without luck. I restart krb5kdc manually (sc start 
krb5kdc), and try all the above again, with no luck. 

kdestroy has a lovely little pause, but kinit admin fails.

Some of the other errors I've received:

ipa-adtrust-install

There was error to automatically re-kinit your admin user ticket.
Proceeding with credentials that existed before
Must have Kerberos credentials to setup AD trusts on serve

klist
klist: Credentials cache keyring 'persistent:0:0' not found


Ok, so I try sc start krb5kdc and that works. Now klist still returns the above 
error, but kinit admin works. And ipa-adtrust-install works as it did this AM 
(output at end for reference).

FWIW:

 - I can now browse the IPA server via a web browser.
 - I can retrieve credentials for those that I've already retrieved credentials 
for (id testu...@co.org.au works)
 - I can't retrieve new credentials (id testuser_...@co.org.au does not work 
("no such user")
 - if I sc --failed:

  UNIT            LOAD   ACTIVE SUB    DESCRIPTION
● ipa.service     loaded failed failed Identity, Policy, Audit
● kadmin.service  loaded failed failed Kerberos 5 Password-changing and Administration
● smb.service     loaded failed failed Samba SMB Daemon

 - None of these will start on their own (with sc start .service)
 - trying to start ipa fails with the added bonus of shutting down krb5kdc / 
kadmin / dir...@domain.org.au as well? I'm finding I'm needing to restart these 
services after attempting an ipa start. Which is failing on smb still. 
 - krb5kdc also doesn't start.

I am so confused. Earlier in the day when it was "working", I noticed that 
there was a service running called ipa.memchached - I presume that's why I can 
get some id's and not others and can browse via web (well, that just means 
tomcat started correctly, right?). ipa.memcached has disappeared from the list 
of running services when I sc now. 


So. How can I create a situation where when I restart ipa, for whatever reason, 
this doesn't happen again?

Secondary question: given that I have missed something seemingly integral, is 
there a document that describes the post install setup process I should go 
through to stop this error from re-occurring?

Cheers
L.




Notes:
root@vmts-linuxidm ~]# ipa-adtrust-install --netbios-name=UNIX -a xxx

The log file for this installation can be found in 
/var/log/ipaserver-install.log
==
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP 

[Freeipa-users] idoverride-add gives incorrect, inconsistant results?

2016-01-18 Thread Simpson Lachlan
Since I got the service back up and running, I was continuing my tests/learning 
by following the steps on the V4 Migrating existing environments to Trust page:

http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust#How_to_Test



[root@vmts-linuxidm ~]# id testu...@co.org.au
uid=1750693931(testu...@co.org.au) gid=1750693931(testu...@co.org.au) 
groups=1750693931(testu...@co.org.au),1750687326(bioinf-st...@co.org.au)


Success and joy.


[root@vmts-linuxidm ~]# ipa idoverrideuser-add 'Default Trust View' 
testu...@co.org.au --uid 1506
---
Added User ID override "testu...@co.org.au"
---
  Anchor to override: testu...@co.org.au
  UID: 1506



Great.


[root@vmts-linuxidm ~]# sudo systemctl restart sssd 

[root@vmts-linuxidm ~]# id testu...@co.org.au
uid=1750693931(testu...@co.org.au) gid=1750693931(testu...@co.org.au) 
groups=1750693931(testu...@co.org.au),1750687326(bioinf-st...@co.org.au)


Huh? The documentation linked to above says that uid should now be 1506?

I went searching in the website - took me a while to find it, but it was there 
- see attached image. The uid had been updated *somewhere*, but the id command 
wasn't seeing it.

Maybe a full ipa restart would help?

ipactl restart

And samba is failing again. Ouch. Brb.

L.




This email (including any attachments or links) may contain 
confidential and/or legally privileged information and is 
intended only to be read or used by the addressee.  If you 
are not the intended addressee, any use, distribution, 
disclosure or copying of this email is strictly 
prohibited.  
Confidentiality and legal privilege attached to this email 
(including any attachments) are not waived or lost by 
reason of its mistaken delivery to you.
If you have received this email in error, please delete it 
and notify us immediately by telephone or email.  Peter 
MacCallum Cancer Centre provides no guarantee that this 
transmission is free of virus or that it has not been 
intercepted or altered and will not be liable for any delay 
in its receipt.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA won't start, all services fail

2016-01-18 Thread Simpson Lachlan
> -Original Message-
> From: Simpson Lachlan


I've rebooted the machine, confirmed that FreeIPA isn't functioning (nothing
in the browser, nothing in sc).

I run

sc start dirsrv@UNIX-CO-ORG-AU.service
ipactl start

Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Starting smb Service
Job for smb.service failed because the control process exited with error
code. See "systemctl status smb.service" and "journalctl -xe" for details.
Failed to start smb Service
Shutting down
Aborting ipactl


The samba problem again, great. We know how to fix that.

ipa-adtrust-install --netbios-name=UNIX

Finishes successfully.

Browser doesn't work, cli doesn't work, nothing works.

OK.

I run this list of commands successfully:

ipactl stop
sc start dirsrv@UNIX-CO-ORG-AU.service
sc start krb5kdc
sc start kadmin
kdestroy
kinit admin
sc start ipa_memcached
sc start httpd
sc restart pki-tomcatd.target
ipa-adtrust-install --netbios-name=UNIX


sc --failed shows:
- ipa.service loaded failed failed Identity, Policy, Audit
- smb.service loaded failed failed Samba SMB Daemon

An attempt to start smb fails as per ipaNTSecurityIdentifier error that I got 
yesterday.
An attempt to start ipa manually (sc start ipa) fails as per above, but also
brings down all working services, requiring that they be restarted manually if
needed for future testing.

Final note. When I run ipa-adtrust-install --netbios-name=UNIX I get what
looks like a success message, although the output contains the following,
neither of which I can fully understand:

DNS management was not enabled at install time.
Add the following service records to your DNS server for DNS zone
unix.co.org.au:
 - _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
 - _ldap._tcp.dc._msdcs
 - _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
 - _kerberos._tcp.dc._msdcs
 - _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
 - _kerberos._udp.dc._msdcs


(my unix.co.org.au DNS is managed upstream by the AD PDC, presumably this
is dealt with?)

and

 [22/23]: starting CIFS services
ipa : CRITICAL CIFS services failed to start
  [23/23]: adding SIDs to existing users and groups
Done configuring CIFS.

(no idea?)


Cheers
L.





Re: [Freeipa-users] CA-less vs CA-ful FreeIPA 4.2 installation

2016-01-18 Thread Jan Cholasta

On 18.1.2016 12:42, Martin Kosek wrote:

On 01/18/2016 12:05 PM, Peter Pakos wrote:

On 18/01/2016 08:06, Martin Kosek wrote:

I am hoping that this is well explained here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-examples.html#install-ca-options


Some useful notes are also Dmitri Pal's blog post:
http://rhelblog.redhat.com/2015/06/02/identity-management-and-certificates/


Thanks for the docs.

I'm trying to get my head around this... if I have a working CA-ful FreeIPA
setup and then install 3rd party SSL certificates for HTTP/LDAP only (including
3 root CA certs from the chain) - does this replace original self-signed CA
that FreeIPA generated (and becomes External CA install) or does CA stay
untouched and I can still take advantage of all the goodies that come with
CA-ful install like automatic certificates renewals (apart from HTTP/LDAP ones)?

Or does this became a multi CA install?

BTW, I can see that the root certificates are getting added to /etc/ipa/ca.crt.


You should be still able to benefit from all the goodies the CA-ful FreeIPA
has. As you noticed above, all root CA certs should be added to ca.crt (see
help for ipa-certupdate tool), it is used to update certs on server/client and
add the new CA certificates.


I'm also thinking ahead, when it comes to renewing certificates when they
expire in 1 year time, which install type would cause less problems?


In CA-ful installation, client certificates or FreeIPA CA subsystem
certificates should just renew automatically. In CA-less, you need to take care
to renew them manually with your 3rd party certificate provider.


So in my CA-ful install with 3rd party SSL certificate installed, how would the
renewal look?


All certificates issued by FreeIPA CA should be renewed automatically by
certmonger (if configured). External certificates need to be renewed
manually. Honza, does certmonger already warn about non-IPA certificates that
are getting close to their expiration date, or is this rather an RFE for the future?


It's an RFE, covered by my "certmonger everywhere" proposal: 
 
(the part about uniform certmonger configuration).





I understand that I would have to install new HTTP/LDAP certificates manually
as they were signed by external CA, but would all certificates issued by
FreeIPA CA still renew automatically?


They should, yes.


I've failed to find any useful info covering the above points, so if you know
anything, please just let me know.


I think the important point is that even if you choose to install with CA-less
for now, you can switch to CA-ful later via ipa-ca-install:

http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion


Thank you, your help is much appreciated!






--
Jan Cholasta

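The practical gap in the exchange above is that certmonger renews what the IPA CA issued but says nothing about the externally issued HTTP/LDAP certificates. The script below is an added example, not code from the thread, from FreeIPA or from certmonger: it parses the text output of `getcert list` (the field layout as printed on RHEL 7 systems; check it against your own output) and lists every tracked certificate whose CA is not one of the IPA renewal helpers and whose expiry falls inside a chosen window. The helper names in IPA_CA_NAMES, the sample records, the EXAMPLE.TEST realm and the "external-ca" CA name are all assumptions constructed for the example; `getcert list-cas` on your server is authoritative for the names.

```python
"""Report certmonger-tracked certificates that the IPA CA will not renew.

Added example (not FreeIPA or certmonger code). Feed it the output of
`getcert list`; it flags certificates whose CA is not an IPA renewal helper
and that expire within a window, since those must be renewed by hand.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumption: CA helper names certmonger uses for IPA-issued certificates on a
# default 4.x server. Confirm with `getcert list-cas`.
IPA_CA_NAMES = {"IPA", "dogtag-ipa-ca-renew-agent",
                "dogtag-ipa-retrieve-agent-submit"}

# Constructed sample of `getcert list` output; EXAMPLE.TEST is a placeholder
# realm and "external-ca" a made-up CA name for a commercially issued cert.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20160118100000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2018-01-18 10:00:00 UTC
\tpost-save command: /usr/lib64/ipa/certmonger/restart_httpd
\ttrack: yes
\tauto-renew: yes
Request ID '20160118100001':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: external-ca
\tissuer: CN=Example Commercial CA,O=Example Corp
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2017-01-18 10:00:00 UTC
\ttrack: yes
\tauto-renew: no
"""

_REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request.

    Each indented "name: value" line becomes a key; the request ID is stored
    under "request_id". Lines before the first request (the count) are skipped.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = _REQUEST_RE.match(line)
        if match:
            current = {"request_id": match.group(1)}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return records


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(
        tzinfo=timezone.utc)


def external_certs_due(records, now, within_days=90):
    """Return (request_id, ca, expires) for certificates that certmonger will
    not renew (CA outside IPA_CA_NAMES) and that expire within the window."""
    horizon = now + timedelta(days=within_days)
    due = []
    for rec in records:
        if rec.get("CA") in IPA_CA_NAMES:
            continue  # IPA-issued: certmonger renews these on its own
        if "expires" not in rec:
            continue  # request never got a certificate; nothing to expire yet
        expires = parse_expiry(rec["expires"])
        if expires <= horizon:
            due.append((rec["request_id"], rec.get("CA", "?"), expires))
    return due


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a real server read
    # the output of `getcert list` instead.
    now = datetime.now(timezone.utc)
    for request_id, ca, expires in external_certs_due(
            parse_getcert_list(SAMPLE_GETCERT_LIST), now):
        print(f"{request_id}: CA '{ca}' not renewed by IPA, expires {expires:%Y-%m-%d}")
```

Run it from cron with the real output (`getcert list | python3 this_script.py` after swapping the sample for `sys.stdin.read()`), and treat anything it prints as a manual renewal task; the 90-day window is only a starting point.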


Re: [Freeipa-users] IPA won't start, all services fail

2016-01-18 Thread Alexander Bokovoy

On Tue, 19 Jan 2016, Simpson Lachlan wrote:

-Original Message-
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-



I'm coming back to this thread for consistency, but this is a result of me
running ipactl on the system we got working a couple of hours ago. See
email titled "idoverride-add gives incorrect, inconsistent results?"
for leadup.

Anyway, ipactl restart fails, again.


[root@vmts-linuxidm ~]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting winbind Service
Restarting ipa-otpd Service
Starting smb Service
Job for smb.service failed because the control process exited with error code. See "systemctl 
status smb.service" and "journalctl -xe" for details.
Failed to start smb Service
Shutting down
Aborting ipactl


Gah. Look in the samba log, and it's exactly the same issue.

Right.

[root@vmts-linuxidm ~]# ipa-adtrust-install --netbios-name=UNIX -a xxx

The log file for this installation can be found in 
/var/log/ipaserver-install.log
==
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
 * Configure Samba
 * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility 
plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with 
trusted users.

Enable trusted domains support in slapi-nis? [no]: yes

There was error to automatically re-kinit your admin user ticket.
Proceeding with credentials that existed before
Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket

Huh?

[root@vmts-linuxidm ~]# kdestroy
[root@vmts-linuxidm ~]# kinit admin
kinit: Cannot contact any KDC for realm 'UNIX.CO.ORG.AU' while getting initial 
credentials

I check, and sure enough, dir...@unix.co.org.au has stopped again
(should I call it 389, dirsrv, ldap or slapd? They are all the same
thing, right?).

I restart dirsrv, and try restarting smb, no joy. I try running
ipa-adtrust-install again, without luck. I restart krb5kdc manually (sc
start krb5kdc), and try all the above again, with no luck.

kdestroy has a lovely little pause, but kinit admin fails.

Some of the other errors I've received:

ipa-adtrust-install

There was error to automatically re-kinit your admin user ticket.
Proceeding with credentials that existed before
Must have Kerberos credentials to setup AD trusts on serve

klist
klist: Credentials cache keyring 'persistent:0:0' not found


Ok, so I try sc start krb5kdc and that works. Now klist still returns
the above error, but kinit admin works. And ipa-adtrust-install works
as it did this AM (output at end for reference).

FWIW:

- I can now browse the IPA server via a web browser.
- I can retrieve credentials for those that I've already retrieved credentials 
for (id testu...@co.org.au works)
- I can't retrieve new credentials (id testuser_...@co.org.au does not work ("no 
such user"))
- if I sc --failed:

  UNIT            LOAD   ACTIVE SUB    DESCRIPTION
● ipa.service     loaded failed failed Identity, Policy, Audit
● kadmin.service  loaded failed failed Kerberos 5 Password-changing and Administration
● smb.service     loaded failed failed Samba SMB Daemon

- None of these will start on their own (with sc start .service)



- trying to start ipa fails with the added bonus of shutting down
krb5kdc / kadmin / dir...@domain.org.au as well? I'm finding I'm
needing to restart these services after attempting an ipa start. Which
is failing on smb still.



- krb5kdc also doesn't start.

I am so confused. Earlier in the day when it was "working", I noticed
that there was a service running called ipa.memcached - I presume
that's why I can get some id's and not others and can browse via web
(well, that just means tomcat started correctly, right?). ipa.memcached
has disappeared from the list of running services when I sc now.


So. How can I create a situation where when I restart ipa, for whatever
reason, this doesn't happen again?

Secondary question: given that I have missed something seemingly
integral, is there a document that describes the post install setup
process I should go through to stop this error from re-occurring?

Let's start from the beginning:

- What distribution you are running?
- What IPA packages are installed?
- What 389-ds-base package is installed?
- What slapi-nis package is installed?

If things work for "a few hours" and then stop, it looks like 389-ds
crashed somehow. There were several cases where it might crash, but they
were fixed and the latest releases have no known crashes,
either with RHEL 

Re: [Freeipa-users] idoverride-add gives incorrect, inconsistent results?

2016-01-18 Thread Jakub Hrozek
On Tue, Jan 19, 2016 at 12:23:39AM +, Simpson Lachlan wrote:
> Since I got the service back up and running, I was continuing my 
> tests/learning by following the steps on the V4 Migrating existing 
> environments to Trust page:
> 
> http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust#How_to_Test
> 
> 
> 
> [root@vmts-linuxidm ~]# id testu...@co.org.au
> uid=1750693931(testu...@co.org.au) gid=1750693931(testu...@co.org.au) 
> groups=1750693931(testu...@co.org.au),1750687326(bioinf-st...@co.org.au)
> 
> 
> Success and joy.
> 
> 
> [root@vmts-linuxidm ~]# ipa idoverrideuser-add 'Default Trust View' 
> testu...@co.org.au --uid 1506
> ---
> Added User ID override "testu...@co.org.au"
> ---
>   Anchor to override: testu...@co.org.au
>   UID: 1506
> 
> 
> 
> Great.
> 
> 
> [root@vmts-linuxidm ~]# sudo systemctl restart sssd 
> 
> [root@vmts-linuxidm ~]# id testu...@co.org.au
> uid=1750693931(testu...@co.org.au) gid=1750693931(testu...@co.org.au) 
> groups=1750693931(testu...@co.org.au),1750687326(bioinf-st...@co.org.au)
> 
> 
> Huh? The documentation linked to above says that uid should now be 1506?

What sssd version?



Re: [Freeipa-users] IPA won't start, all services fail

2016-01-18 Thread Simpson Lachlan
> -Original Message-
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> This error says you don't have 'Default SMB Group' with a SID in it.
> Re-run ipa-adtrust-install to re-create working setup.
> 
> ipa-adtrust-install will attempt to fix those parts that are missing.


Ok. I have web access. Thank you for your help!

Cheers
L.




Re: [Freeipa-users] IPA won't start, all services fail

2016-01-18 Thread Simpson Lachlan
> -Original Message-
> From: Simpson Lachlan
> Sent: Tuesday, 19 January 2016 9:46 AM
> To: 'Alexander Bokovoy'
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] IPA won't start, all services fail
> 
> > -Original Message-
> > From: Alexander Bokovoy [mailto:aboko...@redhat.com] This error says
> > you don't have 'Default SMB Group' with a SID in it.
> > Re-run ipa-adtrust-install to re-create working setup.
> >
> > ipa-adtrust-install will attempt to fix those parts that are missing.
> 
> 
> Ok. I have web access. Thank you for your help!

By which I mean, it all seems to be working now.

Thanks.

L.  




Re: [Freeipa-users] IPA won't start, all services fail

2016-01-18 Thread Alexander Bokovoy

On Mon, 18 Jan 2016, Simpson Lachlan wrote:

[root@vmts-linuxidm ~]# systemctl status smb.service -l
● smb.service - Samba SMB Daemon
  Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: 
disabled)
  Active: failed (Result: exit-code) since Tue 2016-01-19 08:20:14 AEDT; 43s ago
 Process: 14240 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, 
status=1/FAILURE)
Main PID: 14240 (code=exited, status=1/FAILURE)
  Status: "Starting process..."

smbd[14240]: [2016/01/19 08:20:14.288659,  0] 
ipa_sam.c:3654(get_fallback_group_sid)
smbd[14240]:   Missing mandatory attribute ipaNTSecurityIdentifier.
smbd[14240]: [2016/01/19 08:20:14.288716,  0] ipa_sam.c:4606(pdb_init_ipasam)
smbd[14240]:   Cannot find SID of fallback group.
smbd[14240]: [2016/01/19 08:20:14.288734,  0] 
../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
smbd[14240]:   pdb backend 
ipasam:ldapi://%2fvar%2frun%2fslapd-UNIX-co-ORG-AU.socket did not correctly 
init (error was NT_STATUS_INVALID_PARAMETER)
systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
systemd[1]: Failed to start Samba SMB Daemon.
systemd[1]: Unit smb.service entered failed state.
systemd[1]: smb.service failed.


Same error as previously:

[2016/01/19 08:26:31,  0] ../source3/smbd/server.c:1241(main)
 smbd version 4.2.3 started.
 Copyright Andrew Tridgell and the Samba Team 1992-2014
[2016/01/19 08:26:32.037071,  0] ipa_sam.c:3654(get_fallback_group_sid)
 Missing mandatory attribute ipaNTSecurityIdentifier.
[2016/01/19 08:26:32.037122,  0] ipa_sam.c:4606(pdb_init_ipasam)
 Cannot find SID of fallback group.
[2016/01/19 08:26:32.037140,  0] 
../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
 pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket did not 
correctly init (error was NT_STATUS_INVALID_PARAMETER)


My reading is that I haven't got the SIDs properly aligned for any user
(including the admin user set up when installing freeipa) since joining
the domain, and samba is failing on that. Can I retrospectively add
SIDs to an entry?

This error says you don't have 'Default SMB Group' with a SID in it.
Re-run ipa-adtrust-install to re-create working setup.

ipa-adtrust-install will attempt to fix those parts that are missing.

--
/ Alexander Bokovoy


Re: [Freeipa-users] IPA won't start, all services fail

2016-01-18 Thread Simpson Lachlan
> -Original Message-
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> > - /etc/nsswitch.conf is all "files sss" - there's no winbind anywhere.
> winbindd has multiple operations and we are using trust topology part of it, 
> not
> identity management.

Ok, thanks. 

> >My syntax was all wrong. (Does anyone know how can I clear out bad
> >syntax from the systemctld output?)
> what bad output?

It's ok, systemctl has cleaned itself up.


>  systemctl start dirsrv@INSTANCE
> is the correct syntax where INSTANCE is the same for /etc/dirsrv/slapd-
> INSTANCE or /var/log/dirsrv/slapd-INSTANCE.
> The name of instance is produced from the realm by replacing dots with -.

Yep, as I discovered.
 
> So, start KDC.
> 
> You can at this point simply try 'ipactl restart' -- it will attempt to 
> shutdown and
> restart all required IPA services, including KDC.

First thing I did this AM. Still fails on samba:


[root@vmts-linuxidm ~]# ipactl restart
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Starting smb Service
Job for smb.service failed because the control process exited with error code. 
See "systemctl status smb.service" and "journalctl -xe" for details.
Failed to start smb Service
Shutting down
Aborting ipactl

[root@vmts-linuxidm ~]# systemctl status smb.service -l
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor 
preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-01-19 08:20:14 AEDT; 43s 
ago
  Process: 14240 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, 
status=1/FAILURE)
 Main PID: 14240 (code=exited, status=1/FAILURE)
   Status: "Starting process..."

smbd[14240]: [2016/01/19 08:20:14.288659,  0] 
ipa_sam.c:3654(get_fallback_group_sid)
smbd[14240]:   Missing mandatory attribute ipaNTSecurityIdentifier.
smbd[14240]: [2016/01/19 08:20:14.288716,  0] ipa_sam.c:4606(pdb_init_ipasam)
smbd[14240]:   Cannot find SID of fallback group.
smbd[14240]: [2016/01/19 08:20:14.288734,  0] 
../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
smbd[14240]:   pdb backend 
ipasam:ldapi://%2fvar%2frun%2fslapd-UNIX-co-ORG-AU.socket did not correctly 
init (error was NT_STATUS_INVALID_PARAMETER)
systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
systemd[1]: Failed to start Samba SMB Daemon.
systemd[1]: Unit smb.service entered failed state.
systemd[1]: smb.service failed.


Same error as previously:

[2016/01/19 08:26:31,  0] ../source3/smbd/server.c:1241(main)
  smbd version 4.2.3 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2014
[2016/01/19 08:26:32.037071,  0] ipa_sam.c:3654(get_fallback_group_sid)
  Missing mandatory attribute ipaNTSecurityIdentifier.
[2016/01/19 08:26:32.037122,  0] ipa_sam.c:4606(pdb_init_ipasam)
  Cannot find SID of fallback group.
[2016/01/19 08:26:32.037140,  0] 
../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
  pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket did not 
correctly init (error was NT_STATUS_INVALID_PARAMETER)


My reading is that I haven't got the SIDs properly aligned for any user 
(including the admin user set up when installing freeipa) since joining the 
domain, and samba is failing on that. Can I retrospectively add SIDs to an 
entry?

Cheers
L.



