Re: [Freeipa-users] Renewing an externally signed HTTP/LDAP certificate

2016-03-22 Thread Rob Crittenden

Joseph Timothy Foley wrote:

Hi Rob.
You are right that I should be able to just update it on our second
server.  What happened was I was trying to see if the certificate would
work on the install process since I couldn't figure out the renewal.
This did not work, which is why I just sent out an update of my new LDAP
error.
If I understand you correctly, I somehow need to add the new trust chain
to both sides.  How would I go about doing that?


The cert I just got from StartSSL came as a zip file containing a bunch 
of zip files. One was something like ApacheSomething.zip which contained 
two PEM files: the intermediate CA and the server cert.


Using 389-ds as an example, you'd do something like this to add the new 
server certificate:


# certutil -A -n Server-Cert -d /etc/dirsrv/slapd-REALM -t u,u,u -a -i /path/to/2_my.domain.crt


To add the intermediate CA:

# certutil -A -n "StartCom Class 1 DV Server CA" -d /etc/dirsrv/slapd-REALM -t CT,CT, -a -i /path/to/1_root_bundle.crt


The nickname may vary. This is the subject of the intermediate that 
issued my cert as an example. You can do something like:


# openssl x509 -text -in /path/to/1_root_bundle.crt |grep Subject

And use that as inspiration for the nickname. It just needs to be a 
unique string, but using something relevant is often helpful (e.g. you 
can use foo but will you know what that is next year).


Verify that the updated cert works:

# certutil -V -u V -d /etc/dirsrv/slapd-REALM -n Server-Cert
certutil: certificate is valid

Restart the dirsrv process to pick up the new cert.

rob



Joe
--
Dr. Joseph T. Foley  Assistant Professor,  Reykjavik
University +354-599-6569





On 3/22/16 1:44 PM, "Rob Crittenden"  wrote:


Joseph Timothy Foley wrote:

Hi Rob.

To add to this mess, I seem to have somehow confused the LDAP
certificate configuration in the process of setting up a replicant
(ipa.cs.ru.is) with my new StartSSL (personal) certificate.  The
previous certificate was a corporate Level2 certificate.  Trying to use
the old certificate (which expires tomorrow) doesn't seem to put it back
in working order.


I thought you just needed to update the certificate. Why are you
creating a new replica?

My own StartSSL Server cert expires in a month and I just renewed it
this morning. They have a new subordinate CA, that might be part of the
problem (both sides need to trust it). I'd look in the access log of the
remote 389-ds server to see what error it threw (and the local one too I
suppose).

But really, you should be able to replace the certs using certutil, not
re-install the whole thing.

rob



This is what I did to make the pkcs file:

cp ipa.cs.ru.is.crt ipa.cs.ru.is-bundle.crt
cat certs/ca-bundle.crt >> ipa.cs.ru.is-bundle.crt  (the ca-bundle is
the root_bundle.crt they now send you in a zip file)

openssl pkcs12 -export -in ipa.cs.ru.is-bundle.crt -inkey
private/ipa.cs.ru.is.key -out ipa.cs.ru.is.p12 -name ipa.cs.ru.is

ipa-replica-prepare --http-cert-file ipa.cs.ru.is.p12 --http-pin X
--dirsrv-cert-file ipa.cs.ru.is.p12 --dirsrv-pin X ipa.cs.ru.is

Then copied it to ipa.cs.ru.is and ran
ipa-replica-install --mkhomedir replica-info-ipa.cs.ru.is.gpg

Everything looks fine until:
[24/38]: setting up initial replication
Starting replication, please wait until this has completed.

[ipa2.cs.ru.is] reports: Update failed! Status: [-11  - LDAP error:
Connect error]

[error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERRORFailed to
start replication


Looking at the setup log in /var/log/ipareplica-install.log:

2016-03-22T08:49:22Z DEBUG retrieving schema for SchemaCache
url=ldap://ipa2.cs.ru.is:389 conn=
2016-03-22T08:49:23Z DEBUG Successfully updated nsDS5ReplicaId.
2016-03-22T08:49:23Z DEBUG flushing ldaps://ipa.cs.ru.is:636 from
SchemaCache
2016-03-22T08:49:23Z DEBUG retrieving schema for SchemaCache
url=ldaps://ipa.cs.ru.is:636 conn=
2016-03-22T08:49:24Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation
  run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step
  method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
377, in __setup_replica
  r_bindpw=self.dm_password)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1014, in setup_replication
  raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication

2016-03-22T08:49:24Z DEBUG   [error] RuntimeError: Failed to start
replication
2016-03-22T08:49:24Z DEBUG Destroyed connection context.ldap2_102284432
2016-03-22T08:49:24Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
   

Re: [Freeipa-users] Removing the requirement to add domain to users login

2016-03-22 Thread Simpson Lachlan
Stacy

With regard to your first problem, IIRC you can have it default to a single 
domain – it doesn't matter which. Users from the other domain will need to 
login via the

u...@my.other.domain.com

I had exactly this problem. If you want to change it, it’s the 
default_domain_suffix option.

Cheers
L.


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Redmond, Stacy
Sent: Wednesday, 23 March 2016 12:44 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Removing the requirement to add domain to users login

I have been tasked with setting up an IPA AD trust.  I have my ipa server 
setup, the trust is setup, and appears to be working for the most part.  I have 
two problems.  I would like for users to login with userid only.  Right now I 
can only login using userid@ad_domain.  I am hoping there is some way to just 
have it search that domain as well as the default ipa domain.

I will add my other problem, but am willing to send a second email to the group 
if needed.  When I login to my linux client and type id, I see lots of groups 
but they don’t all match the member of list I pull using an ldap search of AD.

IPA Server:  RHEL 7.2  ipa 4.2
Client:  RHEL 7.2

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Removing the requirement to add domain to users login

2016-03-22 Thread Redmond, Stacy
I have been tasked with setting up an IPA AD trust.  I have my ipa server 
setup, the trust is setup, and appears to be working for the most part.  I have 
two problems.  I would like for users to login with userid only.  Right now I 
can only login using userid@ad_domain.  I am hoping there is some way to just 
have it search that domain as well as the default ipa domain.

I will add my other problem, but am willing to send a second email to the group 
if needed.  When I login to my linux client and type id, I see lots of groups 
but they don't all match the member of list I pull using an ldap search of AD.

IPA Server:  RHEL 7.2  ipa 4.2
Client:  RHEL 7.2

[Freeipa-users] Samba Integration with AD Trust

2016-03-22 Thread Baird, Josh
Hi all,

I'm attempting to integrate Samba 4.2.3 with IPA 4.2 (RHEL7).  I have a 
kerberos trust established between IPA and AD.  I have followed the 
instructions on the wiki [1], but had some questions and problems specifically 
related to share permissions:

I'm having trouble with shares where I need to grant access to a specific AD 
user/group.  I have tried this and other variations with no success:

[shared]
path = /home/shared
writable = yes
browsable = yes
valid users = testsa...@ad.domain.lan

I have also tried:

valid users = ad\testsamba
vaild users= @ad\testsamba
valid users= @testsa...@ad.domain.lan


What is the proper way to allow specific AD groups access to the Samba share?  
I also tried nesting an external group in a POSIX group with no success.  
Should I be using something other than 'valid users'?

 [1] http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

Thanks,

Josh



Re: [Freeipa-users] sudo with OTP

2016-03-22 Thread Brad Bendy
I'm having some issues applying these patches with dependencies. But on
a side note, this needs to be applied to the client machines as well as
the IPA server itself, correct?


Thanks

On Mon, Mar 14, 2016 at 8:54 AM, Brad Bendy  wrote:
> I see that now, thanks for the link. I'll give those patches a whirl.
>
> On Mon, Mar 14, 2016 at 7:49 AM, Sumit Bose  wrote:
>> On Mon, Mar 14, 2016 at 07:28:01AM -0700, Brad Bendy wrote:
>>> HI,
>>>
>>> I have OTP setup and working just fine for logging into any servers,
>>> when attempting to run any command with sudo I get a "First factor:"
>>> prompt, I have entered my normal password but it fails. This only
>>> happens when OTP is on, with OTP off sudo works like you would think.
>>
>> This is a known issue, please see
>> https://bugzilla.redhat.com/show_bug.cgi?id=1276868 for details. In case
>> you use CentOS/RHEL7 you can find a test build at
>> http://koji.fedoraproject.org/koji/taskinfo?taskID=13343842 .
>>
>> bye,
>> Sumit
>>>
>>> The logs on the machine I'm trying to sudo on show:
>>>
>>> Mar 14 08:23:13 ipatest audit: USER_AUTH pid=12495 uid=181863
>>> auid=181863 ses=8
>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> msg='op=PAM:authentication grantors=? acct="myusername"
>>> exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
>>>
>>> Mar 14 08:23:13 ipatest audit: USER_CMD pid=12495 uid=181863
>>> auid=181863 ses=8
>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> msg='cwd="/" cmd="su" terminal=pts/0 res=failed'
>>>
>>> Which is not being much help at all; on the IPA server itself I'm
>>> seeing nothing in the log when I run sudo, I do though when I login as
>>> my normal user.
>>>
>>> Google appears to have zero results on this, any clues what else I can
>>> check? Seems odd to me!
>>>
>>> Thanks
>>>


Re: [Freeipa-users] Renewing an externally signed HTTP/LDAP certificate

2016-03-22 Thread Rob Crittenden

Joseph Timothy Foley wrote:

Hi Rob.

To add to this mess, I seem to have somehow confused the LDAP
certificate configuration in the process of setting up a replicant
(ipa.cs.ru.is) with my new StartSSL (personal) certificate.  The
previous certificate was a corporate Level2 certificate.  Trying to use
the old certificate (which expires tomorrow) doesn't seem to put it back
in working order.


I thought you just needed to update the certificate. Why are you 
creating a new replica?


My own StartSSL Server cert expires in a month and I just renewed it 
this morning. They have a new subordinate CA, that might be part of the 
problem (both sides need to trust it). I'd look in the access log of the 
remote 389-ds server to see what error it threw (and the local one too I 
suppose).


But really, you should be able to replace the certs using certutil, not 
re-install the whole thing.


rob



This is what I did to make the pkcs file:

cp ipa.cs.ru.is.crt ipa.cs.ru.is-bundle.crt
cat certs/ca-bundle.crt >> ipa.cs.ru.is-bundle.crt  (the ca-bundle is
the root_bundle.crt they now send you in a zip file)

openssl pkcs12 -export -in ipa.cs.ru.is-bundle.crt -inkey
private/ipa.cs.ru.is.key -out ipa.cs.ru.is.p12 -name ipa.cs.ru.is

ipa-replica-prepare --http-cert-file ipa.cs.ru.is.p12 --http-pin X
--dirsrv-cert-file ipa.cs.ru.is.p12 --dirsrv-pin X ipa.cs.ru.is

Then copied it to ipa.cs.ru.is and ran
ipa-replica-install --mkhomedir replica-info-ipa.cs.ru.is.gpg

Everything looks fine until:
   [24/38]: setting up initial replication
Starting replication, please wait until this has completed.

[ipa2.cs.ru.is] reports: Update failed! Status: [-11  - LDAP error:
Connect error]

   [error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERRORFailed to
start replication


Looking at the setup log in /var/log/ipareplica-install.log:

2016-03-22T08:49:22Z DEBUG retrieving schema for SchemaCache
url=ldap://ipa2.cs.ru.is:389 conn=
2016-03-22T08:49:23Z DEBUG Successfully updated nsDS5ReplicaId.
2016-03-22T08:49:23Z DEBUG flushing ldaps://ipa.cs.ru.is:636 from
SchemaCache
2016-03-22T08:49:23Z DEBUG retrieving schema for SchemaCache
url=ldaps://ipa.cs.ru.is:636 conn=
2016-03-22T08:49:24Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation
 run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step
 method()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
377, in __setup_replica
 r_bindpw=self.dm_password)
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1014, in setup_replication
 raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication

2016-03-22T08:49:24Z DEBUG   [error] RuntimeError: Failed to start
replication
2016-03-22T08:49:24Z DEBUG Destroyed connection context.ldap2_102284432
2016-03-22T08:49:24Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
 return_value = self.run()
   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
311, in run
 cfgr.run()
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 281, in run
 self.execute()
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 303, in execute
 for nothing in self._executor():
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 343, in __runner
 self._handle_exception(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception
 util.raise_exc_info(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 333, in __runner
 step()
   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 87, in run_generator_with_yield_from
 raise_exc_info(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 65, in run_generator_with_yield_from
 value = gen.send(prev_value)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 524, in _configure
 executor.next()
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 343, in __runner
 self._handle_exception(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 421, in _handle_exception
 self.__parent._handle_exception(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception
 util.raise_exc_info(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 418, in _handle_exception
 super(ComponentBase, self)._handle_exception(exc_info)
   File 

Re: [Freeipa-users] Certificate profiles and CA ACLs for service principals

2016-03-22 Thread earsdown

Hi Fraser, Martin and Alexander,

Thanks for looking into this! For what it's worth, I think for this 
particular use case, I'm leaning more towards Alexander when he said:



I don't think you need to group services this way. For managing
services, and this means being able to issue certificates/keytabs for
them, we have hosts. By default a host that a service belongs to is
capable to modify userCertificate attribute of the service already, so I

would expect it to be able to issue certificates with subject principal
corresponding to the service.



If CAACL would follow the same logic by allowing hosts that manage
services to issue certificates with subject principals corresponding to
these services, that should be enough because, after all, these host
objects already have write permissions and can upload whatever
certificates they like to the service objects.
--
/ Alexander Bokovoy


Personally, I was very surprised when I discovered that, even though a 
host principal may manage a service principal, it is currently unable to 
request a certificate for that service principal if the service 
principal doesn't have specific access to the certificate profile, even 
though the host principal may have access to the same certificate 
profile. In my mind the CA ACL should be evaluated against the identity 
of the requestor, not the issuee. As long as the requestor is allowed to 
request on behalf of the issuee (achieved via the managedby attribute), 
then it should work. Now, if I used the credentials of the service 
principal directly (say, with a service keytab) to make the request 
(supposing the service principal wasn't listed in the CA ACL), then 
denying the request would be the expected behaviour (imo of course).


Okay, so even though Alexander's suggestion might be more intuitive, 
implementing service groups might be more feasible from a technical 
standpoint, and I'm fairly sure this use case would also be solved by 
implementing service groups. But, it would be painful without automember 
regexp rules, so please don't forget this :D


Cheers!

On 2016-03-22 20:50, Fraser Tweedale wrote:

On Tue, Mar 22, 2016 at 09:59:58AM +0100, Martin Kosek wrote:

On 03/22/2016 05:55 AM, Fraser Tweedale wrote:
> On Fri, Mar 18, 2016 at 08:12:44PM +1100, earsdown wrote:
...
> To my fellow FreeIPA developers: are service groups a sensible RFE?
> Is there a reason why they have not been implemented?

It *is* a sensible RFE and it was actually already filed!

https://fedorahosted.org/freeipa/ticket/5277

Please feel free to add yourself to CC to receive updates or even help 
us with implementation.

Thanks,
Martin


Good to know... I've added myself to Cc and also filed an RFE for
enhancing CA ACLs with service groups once #5277 is implemented:
https://fedorahosted.org/freeipa/ticket/5753

Cheers,
Fraser




Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-22 Thread Sumit Bose
On Fri, Mar 18, 2016 at 10:53:08AM -0500, Michael Rainey (Contractor) wrote:
> Hi Sumit,
> 
> It has been a week and I am following up with you on the lock screen issue.
> Have you had any progress?  If so, I am hoping implementing the fix will be
> quick and easy.

Thank you for your patience. Please find a test build for RHEL/CentOS
7.2 at https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048 .

Besides the updated version of SSSD you should replace
/etc/pam.d/smartcard-auth with

= /etc/pam.d/smartcard-auth =
auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
===

and /etc/dconf/db/distro.d/10-authconfig

= /etc/dconf/db/distro.d/10-authconfig =
[org/gnome/login-screen]
enable-fingerprint-authentication=false

[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
===

and /etc/dconf/db/distro.d/locks/10-authconfig-locks

= /etc/dconf/db/distro.d/locks/10-authconfig-locks =
/org/gnome/login-screen/enable-fingerprint-authentication
/org/gnome/settings-daemon/peripherals/smartcard
===

and call 'dconf update' to get the new setting loaded. Finally it might
be a good idea to restart gdm to make sure the new setting and PAM
configuration is really active although I would expect that gdm is able
to pick up the changes at run-time.

Any feedback, good or bad, is welcome.

bye,
Sumit

> 
> Thanks,
> 
> *Michael Rainey*
> 
> On 03/11/2016 02:32 AM, Sumit Bose wrote:
> >On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote:
> >>Greetings,
> >>
> >>I have been adding systems to my new domain and utilizing the smart card
> >>login feature.  To date the smart card login feature is working very well.
> >>However, my group has been trying to implement locking the screen when the
> >>smart card is removed, but have not been successful at making it work.  Does
> >>anyone have any suggestions as to what it would take to enable locking the
> >>screen when the smart card is removed.
> >This requires a better integration with gdm which is currently WIP
> >(https://fedorahosted.org/sssd/ticket/2941). If you don't mind please
> >ping me in about a week about this again, then I might have done some
> >more testing.
> >
> >bye,
> >Sumit
> >
> >>Thank you in advance.
> >>-- 
> >>*Michael Rainey*


Re: [Freeipa-users] Error in IPA webinterface when DNS name contains \032 ()

2016-03-22 Thread Troels Hansen
- On Mar 22, 2016, at 12:34 PM, Petr Spacek pspa...@redhat.com wrote:

> 
> Have you tried
> # ipa dnsrecord-show casalogic.lan. 'LIFX\032Bulb'
> ?
> 
> I suspect that Bash is playing escaping game with you.
> 

Same result..

ipa dnsrecord-show casalogic.lan. 'LIFX\032Bulb'
ipa: ERROR: LIFX\032Bulb: DNS resource record not found



Re: [Freeipa-users] Error in IPA webinterface when DNS name contains \032 ()

2016-03-22 Thread Petr Spacek
On 22.3.2016 11:21, Troels Hansen wrote:
>>
>> web ui uses API command:
>> {"method":"dnsrecord_show","params":[["my.zone.test.","LIFX\\032Bulb"],{"all":true,"rights":true,"structured":true,"version":"2.163"}]}
>>
>> Could you check what is yours?
>> 1. open developer tool in browser (usually F12)
>> 2. Network tab
>> 3. Refresh the page, look at new request to ipa/session/json
>> 4. examine "Request Payload"
>> some old example in FF:
>> https://pvoborni.fedorapeople.org/images/devtools.png
> 
> 
> Mine seems to show the exact same thing:
> 
> 
> {"method":"dnsrecord_show","params":[["casalogic.lan.","LIFX\\032Bulb"],{"all":true}]}
> 
> 
> My version reports {"version":"2.156"}]}
> 
> Tried FF and Chrome, but same result in both.
> 
> However:
> 
> # ipa dnsrecord-show casalogic.lan. LIFX\032Bulb
> ipa: ERROR: LIFX032Bulb: DNS resource record not found
> # ipa dnsrecord-show casalogic.lan. "LIFX Bulb"
> ipa: ERROR: LIFX\032Bulb: DNS resource record not found

Have you tried
# ipa dnsrecord-show casalogic.lan. 'LIFX\032Bulb'
?

I suspect that Bash is playing escaping game with you.

Petr^2 Spacek

> 
> But: 
> # ipa dnsrecord-find casalogic.lan
> ..
>   Record name: LIFX\032Bulb
>   A record: 192.168.20.252
>   TXT record: "009143ca16c9890339c7ec33825e0da5ce"
> .
> 
> # ipa --version
> VERSION: 4.2.0, API_VERSION: 2.156
> 
> 
> 
>> I would say that there weren't any changes in 4.2 -> 4.3 it this area.
>> So not sure why the behavior in your case is opposite.
>>
>> Anyway it suggests minor encoding issue.
>> --
>> Petr Vobornik
> 


-- 
Petr^2 Spacek



Re: [Freeipa-users] Error in IPA webinterface when DNS name contains \032 ()

2016-03-22 Thread Troels Hansen
> 
> web ui uses API command:
> {"method":"dnsrecord_show","params":[["my.zone.test.","LIFX\\032Bulb"],{"all":true,"rights":true,"structured":true,"version":"2.163"}]}
> 
> Could you check what is yours?
> 1. open developer tool in browser (usually F12)
> 2. Network tab
> 3. Refresh the page, look at new request to ipa/session/json
> 4. examine "Request Payload"
> some old example in FF:
> https://pvoborni.fedorapeople.org/images/devtools.png


Mine seems to show the exact same thing:


{"method":"dnsrecord_show","params":[["casalogic.lan.","LIFX\\032Bulb"],{"all":true}]}


My version reports {"version":"2.156"}]}

Tried FF and Chrome, but same result in both.

However:

# ipa dnsrecord-show casalogic.lan. LIFX\032Bulb
ipa: ERROR: LIFX032Bulb: DNS resource record not found
# ipa dnsrecord-show casalogic.lan. "LIFX Bulb"
ipa: ERROR: LIFX\032Bulb: DNS resource record not found

But: 
# ipa dnsrecord-find casalogic.lan
..
  Record name: LIFX\032Bulb
  A record: 192.168.20.252
  TXT record: "009143ca16c9890339c7ec33825e0da5ce"
.

# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156



> I would say that there weren't any changes in 4.2 -> 4.3 it this area.
> So not sure why the behavior in your case is opposite.
> 
> Anyway it suggests minor encoding issue.
> --
> Petr Vobornik

-- 
Kind regards 

Troels Hansen 

System consultant 

Casalogic A/S 

T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and 
much more.



Re: [Freeipa-users] Certificate profiles and CA ACLs for service principals

2016-03-22 Thread Fraser Tweedale
On Tue, Mar 22, 2016 at 09:59:58AM +0100, Martin Kosek wrote:
> On 03/22/2016 05:55 AM, Fraser Tweedale wrote:
> > On Fri, Mar 18, 2016 at 08:12:44PM +1100, earsdown wrote:
> ...
> > To my fellow FreeIPA developers: are service groups a sensible RFE?
> > Is there a reason why they have not been implemented?
> 
> It *is* a sensible RFE and it was actually already filed!
> 
> https://fedorahosted.org/freeipa/ticket/5277
> 
> Please feel free to add yourself to CC to receive updates or even help us with
> implementation.
> 
> Thanks,
> Martin
>
Good to know... I've added myself to Cc and also filed an RFE for
enhancing CA ACLs with service groups once #5277 is implemented:
https://fedorahosted.org/freeipa/ticket/5753

Cheers,
Fraser



Re: [Freeipa-users] Error in IPA webinterface when DNS name contains \032 ()

2016-03-22 Thread Petr Vobornik

On 03/22/2016 09:59 AM, Troels Hansen wrote:

I have noticed a bug in the IPA webinterface, under DNS Zones -> and clicking
on a zone that contains a DNS record containing a space (\032)

Currently, I get: "LIFX\032Bulb: DNS resource record not found"

However, after clicking OK, it displays the rest of the records.

It's in no way a pretty DNS record, but still working.
The reason for it being there is that I have enabled ddns updates from our DHCP
server, and it works without any problems, except this crappy WIFI light bulb.

The DNS record is in the IPA database:

Record name: LIFX\032Bulb
A record: 192.168.20.252
TXT record: "009143ca16c9890339c7ec33825e0da5ce"

I can dig it:
# dig "LIFX Bulb.casalogic.lan" A
..
;; ANSWER SECTION:
LIFX\032Bulb.casalogic.lan. 1800 IN A 192.168.20.252

However, something goes wrong in the web interface.

I'm running IPA 4.2.0

--

Kind regards

*Troels Hansen*


Tried to reproduce it on the 4.3 development branch. It works for me in the Web 
UI. But I get the error in the CLI:


$ ipa dnsrecord-find my.zone.test.
... other records ...
  Record name: LIFX\032Bulb
  A record: 10.34.58.132
  TXT record: 009143ca16c9890339c7ec33825e0da5ce


$ ipa dnsrecord-show my.zone.test. LIFX\032Bulb
ipa: ERROR: LIFX032Bulb: DNS resource record not found

$ ipa dnsrecord-show my.zone.test. "LIFX Bulb"
  Record name: LIFX\032Bulb
  A record: 10.34.58.132
  TXT record: 009143ca16c9890339c7ec33825e0da5ce

web ui uses API command:
{"method":"dnsrecord_show","params":[["my.zone.test.","LIFX\\032Bulb"],{"all":true,"rights":true,"structured":true,"version":"2.163"}]}

Could you check what is yours?
1. open developer tool in browser (usually F12)
2. Network tab
3. Refresh the page, look at new request to ipa/session/json
4. examine "Request Payload"
some old example in FF: 
https://pvoborni.fedorapeople.org/images/devtools.png



I would say that there weren't any changes in 4.2 -> 4.3 in this area. 
So not sure why the behavior in your case is the opposite.


Anyway it suggests minor encoding issue.
--
Petr Vobornik

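The `\032` confusion in this thread comes from three layers that each treat a backslash differently: DNS presentation form (RFC 1035, where `\DDD` is a decimal byte value), the shell (which strips the backslash from an unquoted word), and JSON (which doubles it on the wire). The Python below is an added example, not FreeIPA code or anything posted in the thread: it implements the RFC 1035 label escape/unescape and shows what each layer does to the constructed sample name `LIFX\032Bulb`; the function names and the `webui_request` body shape are mine, modelled on the payload quoted above.

```python
"""RFC 1035 presentation-form label escapes, as seen in `ipa dnsrecord-*` output.

Added example for this thread, not FreeIPA code.  Note that \\DDD here is
DECIMAL (\\032 is a space), unlike the octal escapes of C or Python literals,
which is why the sample below is a raw string.
"""
import json
import re

PRESENTATION_NAME = r"LIFX\032Bulb"   # constructed sample, as IPA prints it


def decode_label(text: str) -> str:
    """Decode presentation escapes (\\DDD decimal, \\X literal) to raw text."""
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        digits = text[i + 1:i + 4]
        if len(digits) == 3 and digits.isdigit():
            code = int(digits)            # decimal, RFC 1035 section 5.1
            if code > 255:
                raise ValueError(f"escape out of range: \\{digits}")
            out.append(chr(code))
            i += 4
        elif i + 1 < len(text):
            out.append(text[i + 1])       # \X stands for the character X itself
            i += 2
        else:
            raise ValueError("dangling backslash at end of label")
    return "".join(out)


def encode_label(raw: str) -> str:
    """Encode raw text back to presentation form: '.' and '\\' get a backslash,
    anything outside printable ASCII 0x21..0x7E (space included) becomes \\DDD.
    This is the subset of zone-file quoting needed for owner names here."""
    out = []
    for ch in raw:
        code = ord(ch)
        if ch in ".\\":
            out.append("\\" + ch)
        elif 0x21 <= code <= 0x7E:
            out.append(ch)
        elif code <= 255:
            out.append("\\%03d" % code)
        else:
            raise ValueError("character above 0xFF has no single-byte escape")
    return "".join(out)


def shell_unquoted(word: str) -> str:
    """What a POSIX shell does to an unquoted word: a backslash quotes the next
    character and is itself removed, so LIFX\\032Bulb reaches ipa as LIFX032Bulb
    (exactly the name in the CLI error message)."""
    return re.sub(r"\\(.)", r"\1", word)


def webui_request(zone: str, name: str) -> str:
    """A JSON-RPC body of the shape the Web UI sends (assumed, after the payload
    quoted in the thread).  json.dumps doubles the backslash on the wire."""
    return json.dumps({"method": "dnsrecord_show",
                       "params": [[zone, name], {"all": True}]})


def server_sees(body: str) -> str:
    """After json.loads the server holds the single-backslash presentation form
    again; it still has to be decoded (decode_label here) to match the raw name."""
    return json.loads(body)["params"][0][1]


def name_matches(stored_presentation: str, user_input: str) -> bool:
    """Compare a stored record name with user input after normalising both to raw
    text, so 'LIFX\\032Bulb' and "LIFX Bulb" refer to the same record."""
    return decode_label(stored_presentation) == decode_label(user_input)


if __name__ == "__main__":
    for arg in (shell_unquoted(PRESENTATION_NAME),   # unquoted on the command line
                PRESENTATION_NAME,                   # single-quoted, kept verbatim
                "LIFX Bulb"):                        # double-quoted, a real space
        print(f"{arg!r:18} -> {decode_label(arg)!r:14} "
              f"match={name_matches(PRESENTATION_NAME, arg)}")
    body = webui_request("casalogic.lan.", PRESENTATION_NAME)
    print(body, "->", repr(server_sees(body)))
```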


[Freeipa-users] Error in IPA webinterface when DNS name contains \032 ()

2016-03-22 Thread Troels Hansen
I have noticed a bug in the IPA webinterface, under DNS Zones -> and clicking 
on a zone that contains a DNS record containing a space (\032) 

Currently, I get: "LIFX\032Bulb: DNS resource record not found" 

However, after clicking OK, it displays the rest of the records. 

It's in no way a pretty DNS record, but still working. 
The reason for it being there is that I have enabled ddns updates from our DHCP 
server, and it works without any problems, except this crappy WIFI light bulb. 

The DNS record is in the IPA database: 

Record name: LIFX\032Bulb 
A record: 192.168.20.252 
TXT record: "009143ca16c9890339c7ec33825e0da5ce" 

I can dig it: 
# dig "LIFX Bulb.casalogic.lan" A 
.. 
;; ANSWER SECTION: 
LIFX\032Bulb.casalogic.lan. 1800 IN A 192.168.20.252 

However, something goes wrong in the web interface. 

I'm running IPA 4.2.0 

-- 

Kind regards 

Troels Hansen 

System consultant 

Casalogic A/S 

T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and 
much more. 

Re: [Freeipa-users] Certificate profiles and CA ACLs for service principals

2016-03-22 Thread Martin Kosek
On 03/22/2016 05:55 AM, Fraser Tweedale wrote:
> On Fri, Mar 18, 2016 at 08:12:44PM +1100, earsdown wrote:
...
> To my fellow FreeIPA developers: are service groups a sensible RFE?
> Is there a reason why they have not been implemented?

It *is* a sensible RFE and it was actually already filed!

https://fedorahosted.org/freeipa/ticket/5277

Please feel free to add yourself to CC to receive updates or even help us with
implementation.

Thanks,
Martin
