Re: [Freeipa-users] How to remove bad cert renewal from certmonger?

2016-04-22 Thread Rob Crittenden

Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:

Hello all,

I tried to renew the server HTTP certificates for two freeipa servers so
that the certs would have Subject Alternative Name (SAN) fields for all the
addresses they have (two DNS names and IPs). I won't go into the details of
why this is required, but I started with ipa2 (slave) and immediately
got problems. Some I managed to solve, but there is now a problem to which
I have not found any solution.

How to remove from certmonger a renewal request that has a bad
certificate request in it?

What I did was:

# ipa-getcert resubmit -i "20160212110456" -D "ipa2.lab-public-domain"
-D "ipa2.lab-management-domain" -D "10.22.199.253" -D "10.10.1.253" -A
"10.22.199.253" -A "10.10.1.253"

This led to a problem: the ipa2.lab-management-domain server was not a
host in freeipa. I added the needed info:

# ipa host-add ipa2.lab-management-domain
# ipa service-add HTTP/ipa2.lab-management-domain --force
# ipa service-add-host HTTP/lab-management-domain --host
ipa2.lab-management-domain

Then I ran the above resubmit command again.

This time there was an error related to the -D "10.22.199.253" and
-D "10.10.1.253" fields. Because it is not possible to use ipa
host-add "10.22.199.253", I decided just to drop the -D fields with IP
addresses but left the -A options, and ran the resubmit command again.

Now the error in the ipa-getcert list command changed to say that the IP
Address is forbidden:

# ipa-getcert list -i "20160212110456"
...
Request ID '20160212110456':
 status: MONITORING
 ca-error: Server at https://ipa2.lab-public-domain/ipa/xml
denied our request, giving up: 2100 (RPC failed at server.  Insufficient
access: Subject alt name type IP Address is forbidden).
 stuck: no
...

That is the state where I am now stuck. I have tried the ipa-getcert
resubmit command without any -D or -A fields but the error stays there.

I took the "csr=" value from the file
/var/lib/certmonger/requests/20160212110456 and saved it to the file
/tmp/request. Using openssl I can see that it still contains a SAN attribute with
IP addresses and two odd fields that are probably there because of those
-D "IP" fields I had at the beginning:

# openssl req -in /tmp/request -text -noout
.
 X509v3 Subject Alternative Name:
 DNS:ipa2.lab-public-domain, DNS:ipa2.lab-public-domain,
othername:, othername:, IP
Address:10.22.199.253, IP Address:10.10.1.253
.

Repetitio est mater studiorum:

How can I clean this defective state of certmonger?


# ipa-getcert stop-tracking -i 20160212110456



Second question if/when the above urgent problem is solved:

Is there any way to get an IP address into the SAN field for the IPA Server-Certs?


Not without changing code. IP address SANs are explicitly forbidden:
Subject alt name type IP Address is forbidden


rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] How to remove bad cert renewal from certmonger?

2016-04-22 Thread Tikkanen, Tuomo (Nokia - FI/Espoo)

Hello all,

I tried to renew the server HTTP certificates for two freeipa servers so
that the certs would have Subject Alternative Name (SAN) fields for all the
addresses they have (two DNS names and IPs). I won't go into the details of
why this is required, but I started with ipa2 (slave) and immediately
got problems. Some I managed to solve, but there is now a problem to which
I have not found any solution.


How to remove from certmonger a renewal request that has a bad 
certificate request in it?


What I did was:

# ipa-getcert resubmit -i "20160212110456" -D "ipa2.lab-public-domain" 
-D "ipa2.lab-management-domain" -D "10.22.199.253" -D "10.10.1.253" -A 
"10.22.199.253" -A "10.10.1.253"


This led to a problem: the ipa2.lab-management-domain server was not a
host in freeipa. I added the needed info:


# ipa host-add ipa2.lab-management-domain
# ipa service-add HTTP/ipa2.lab-management-domain --force
# ipa service-add-host HTTP/lab-management-domain --host 
ipa2.lab-management-domain


Then I ran the above resubmit command again.

This time there was an error related to the -D "10.22.199.253" and
-D "10.10.1.253" fields. Because it is not possible to use ipa
host-add "10.22.199.253", I decided just to drop the -D fields with IP
addresses but left the -A options, and ran the resubmit command again.


Now the error in the ipa-getcert list command changed to say that the IP
Address is forbidden:


# ipa-getcert list -i "20160212110456"
...
Request ID '20160212110456':
status: MONITORING
ca-error: Server at https://ipa2.lab-public-domain/ipa/xml 
denied our request, giving up: 2100 (RPC failed at server.  Insufficient 
access: Subject alt name type IP Address is forbidden).

stuck: no
...

That is the state where I am now stuck. I have tried the ipa-getcert
resubmit command without any -D or -A fields but the error stays there.


I took the "csr=" value from the file
/var/lib/certmonger/requests/20160212110456 and saved it to the file
/tmp/request. Using openssl I can see that it still contains a SAN attribute with
IP addresses and two odd fields that are probably there because of those
-D "IP" fields I had at the beginning:


# openssl req -in /tmp/request -text -noout
.
X509v3 Subject Alternative Name:
DNS:ipa2.lab-public-domain, DNS:ipa2.lab-public-domain, 
othername:, othername:, IP 
Address:10.22.199.253, IP Address:10.10.1.253

.

Repetitio est mater studiorum:

How can I clean this defective state of certmonger?


Second question if/when the above urgent problem is solved:

Is there any way to get an IP address into the SAN field for the IPA Server-Certs?

The system is CentOS 7(.2) and freeipa is installed from the repository:

# cat /etc/centos-release
CentOS Linux release 7.2.1511 (Core)
# yum list installed | grep ipa
ipa-admintools.x86_64       4.2.0-15.el7_2.6    @updates
ipa-client.x86_64           4.2.0-15.el7_2.6    @updates
ipa-python.x86_64           4.2.0-15.el7_2.6    @updates
ipa-server.x86_64           4.2.0-15.el7_2.6    @updates
ipa-server-dns.x86_64       4.2.0-15.el7_2.6    @updates
libipa_hbac.x86_64          1.13.0-40.el7_2.1   @updates
python-iniparse.noarch      0.4-9.el7           @anaconda
python-libipa_hbac.x86_64   1.13.0-40.el7_2.1   @updates
sssd-ipa.x86_64             1.13.0-40.el7_2.1   @updates

BR,

--
Tuomo Tikkanen (a) nokia com

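The post above inspects the CSR that certmonger kept in its request file and finds IP Address entries still in the SAN. As an added example (not from the thread, certmonger or FreeIPA), here is a stdlib-only Python check that decodes the subjectAltName extension of a PEM CSR such as the saved csr= value and reports which entries are IP addresses, i.e. the ones the IPA CA refuses, so the request can be cleaned up before another resubmit; the PEM blob the script builds for its own demonstration is constructed and carries only the extension, not a full request.

```python
import base64
import ipaddress
import sys

# GeneralName CHOICE tags from RFC 5280, 4.2.1.6, as they appear in DER.
GENERAL_NAME_TAGS = {0: "othername", 1: "email", 2: "DNS", 6: "URI", 7: "IP Address"}
SAN_OID_DER = bytes.fromhex("0603551d11")  # OBJECT IDENTIFIER 2.5.29.17 (subjectAltName)


def read_tlv(buf, pos):
    """Read one DER tag/length/value triplet starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_san(san_der):
    """Decode a subjectAltName extension value into (type, value) pairs."""
    tag, seq, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value is not a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, value, pos = read_tlv(seq, pos)
        kind = GENERAL_NAME_TAGS.get(tag & 0x1F, "unknown")
        if kind == "IP Address":  # 4 or 16 raw octets, never a string
            addr = ipaddress.IPv4Address(value) if len(value) == 4 else ipaddress.IPv6Address(value)
            names.append((kind, str(addr)))
        elif kind in ("DNS", "email", "URI"):
            names.append((kind, value.decode("ascii")))
        else:  # otherName and the rest: keep the raw DER so nothing is hidden
            names.append((kind, value.hex()))
    return names


def san_from_csr_pem(pem):
    """Find the subjectAltName extension inside a PEM CSR and decode it.
    The OID is located by byte pattern, which is enough for a CSR check."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    idx = der.find(SAN_OID_DER)
    if idx < 0:
        return []
    pos = idx + len(SAN_OID_DER)
    if der[pos] == 0x01:  # optional 'critical BOOLEAN' sits before the value
        pos += 3
    tag, octets, _ = read_tlv(der, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING after the subjectAltName OID")
    return parse_san(octets)


def ip_sans(names):
    """Return only the IP Address entries, the ones the IPA CA rejects."""
    return [value for kind, value in names if kind == "IP Address"]


def _tlv(tag, value):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_pem(dns_names, ips):
    """Constructed sample: a PEM blob holding just the SAN Extension SEQUENCE.
    It is not a complete CSR, only enough DER for san_from_csr_pem() to scan."""
    names = b"".join(_tlv(0x82, d.encode("ascii")) for d in dns_names)
    names += b"".join(_tlv(0x87, ipaddress.ip_address(ip).packed) for ip in ips)
    ext = _tlv(0x30, SAN_OID_DER + _tlv(0x04, _tlv(0x30, names)))
    b64 = base64.b64encode(ext).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % "\n".join(lines)


if __name__ == "__main__":
    # Usage: python san_check.py /tmp/request   (a PEM CSR, e.g. the saved csr= value)
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_pem(
        ["ipa2.lab-public-domain"], ["10.22.199.253", "10.10.1.253"])
    found = san_from_csr_pem(pem)
    for kind, value in found:
        print("%-10s %s" % (kind, value))
    if ip_sans(found):
        print("IP Address SAN present: the IPA CA will reject this request")
```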


Re: [Freeipa-users] Client enrolled but failed to obtain host TGT.

2016-04-22 Thread Ask Stack
Martin, thanks for the reply.
tail -f /var/log/krb5kdc.log | grep client1.example.com had nothing during a
failed ipa client install and plenty of activity during a good install.
And sorry, I missed a big piece of information. The debug log showed ipa-getkeytab:
../../../libraries/libldap/extended.c:177: ldap_parse_extended_result:
Assertion `res != ((void *)0)' failed.
Basically /etc/krb5.keytab didn't get created.
I always wondered why we needed "--ca-cert-file=/etc/ipa/ca.crt", so I ran
ipa-client-install without it. I tested the install twenty times with no failure.
The ca.crt I provide and the one ipa-client-install downloaded are identical.

On Friday, April 22, 2016 3:09 AM, Martin Babinsky wrote:

On 04/21/2016 11:14 PM, Ask Stack wrote:
> Half the time ipa-client-install will fail at getting the TGT.  Google
> showed posts like, Bug 845691 – ipa-client-install Failed to obtain host
> TGT . I reduced
> _kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp'
> '_kerberos._udp' to one server entry only. But it didn't help to reduce
> the failure rate. Thanks for your help.
>
>
> client
> ipa-client-3.0.0-47.el6_7.2.x86_64
>
> server
> ipa-server-3.0.0-47.el6_7.1.x86_64
>
> ipa-client-install --hostname=client1.example.com
> --server=ipa-server.example.com --domain=example.com -N --mkhomedir
> --unattended -p ipa...@example.com -w 'password1'
> --ca-cert-file=/etc/ipa/ca.crt -d
> ...
> ...
> Enrolled in IPA realm EXAMPLE.COM
> args=kdestroy
> stdout=
> stderr=
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example@example.com
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> Failed to obtain host TGT.
>
Hello,

can you please provide KDC log from the server you are enrolling 
against? IIRC it should be in /var/log/krb5kdc.log

-- 
Martin^3 Babinsky



[Freeipa-users] IPA & Yubikey

2016-04-22 Thread Jeremy Utley
Hello all!

I'm quite close to reaching the ideal point with our new FreeIPA setup, but
one thing that is standing in the way is 2FA.  I know FreeIPA has support
for Google Auth, FreeOTP, and Yubikey.  We'd like to go with Yubikeys over
the phone-based systems, but a lot of the docs regarding Yubikey seem to
either be outdated or not really clear (at least to me).  So I'd like to
ask a few questions to make sure I'm understanding correctly.

1) It looks like the normal setup of a Yubikey is to plug it into a machine
and run the "ipa otptoken-add-yubikey" command.  This implies that the
machine that sets up the Yubikey needs to be part of the FreeIPA domain,
which presents somewhat of a problem for us, as our current IPA setup has
no desktops, and is in a remote "lights-out" datacenter an hour's drive
from our office.  I did see a post recently in the archives of someone
figuring out how to set up a Yubikey via the web interface (
https://www.redhat.com/archives/freeipa-users/2016-March/msg00114.html) -
would this be viable?

2) Does the otptoken-add-yubikey command actually change the programming of
the Yubikey, or does it simply read its configuration?  We have some users
who are already using a Yubikey for personal stuff, and we'd like to allow
those users to continue to use their existing Yubikey to auth to our IPA
domain, but if the add command changes the programming of the key, that may
not be possible without using the second slot, and if users are already
using the second slot, they are out of luck.

3) Does Yubikey auth require talking to the outside world to function?  Our
IPA setup is within a secure zone, with no direct connectivity to the
outside world, so if this is necessary, it would be a possible deal-breaker
for these.


Thanks for your time in answering these questions!

Jeremy

Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-04-22 Thread Carlos R Laguna

On 21/04/16 at 15:37, Alexander Bokovoy wrote:

On Thu, 21 Apr 2016, Timo Aaltonen wrote:


Howdy!

Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1!
The biggest feature of this version is that it also supports replication
by client promotion to replica master. IPA on Debian/Ubuntu has been a
single-master thing until now.

FreeIPA is in the community-supported section of the package archive
called "universe". What this means is that it's not officially supported
by Canonical, but the community. While I and some others have tried to
poke it from every angle we can, it might still have hidden bugs that
need fixing, so feel free to try it out and report any issues you might
find on Launchpad!


ps. Debian unstable will have 4.3.1 once the package has gone through
the NEW queue because the packaging got split in certain ways

This is really exciting news!

Thanks Timo and everyone who made it possible!


Awesome news





Re: [Freeipa-users] ipa-client password authentication failed

2016-04-22 Thread Jakub Hrozek
On Fri, Apr 22, 2016 at 08:29:06PM +0530, Rakesh Rajasekharan wrote:
> Hi There,
> 
> I have successfully set up and running freeipa in my environment.
> 
> I am running a freeipa master 4.2.x and my ipa clients are at 3.0.0-47
> 
> This set up works fine for majority of servers. But just on one host I am
> unable to authenticate the users.
> 
> it gives me password denied
> 
> Below is the error from /var/log/secure
> 
> Apr 22 14:25:26 localhost sshd[18785]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.13
> user=q-testuser
> Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.213
> user=q-testuser
> Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): received for
> user q-testuser: 4 (System error)
> 
> 
> and in my krb5_child.log, I see the below lines:
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400):
> krb5_child started.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer]
> (0x1000): total buffer size: [171]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [114201] gid [114201] validate [true]
> enterprise principal [false] offline [false] UPN [q-testu...@xyz.com]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_114201_XX] old_ccname:
> [FILE:/tmp/krb5cc_114201_RjJBN2] keytab: [/etc/krb5.keytab]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds]
> (0x0200): Switch user to [114201][114201].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds]
> (0x0200): Switch user to [0][0].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [k5c_check_old_ccache] (0x4000): Ccache_file is
> [FILE:/tmp/krb5cc_114201_RjJBN2] and is not active and TGT is  valid.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [k5c_precreate_ccache] (0x4000): Recreating ccache
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.2.2...@xyz.com]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [find_principal_in_keytab] (0x4000): Trying to find principal host/
> 10.2.2...@xyz.com in keytab.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [match_principal]
> (0x1000): Principal matched to the sample (host/10.2.2...@xyz.com).
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [become_user]
> (0x0200): Trying to become user [114201][114201].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x2000):
> Running as [114201][114201].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup]
> (0x2000): Running as [114201][114201].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400):
> Will perform online auth
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [XYZ.COM]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127643: Getting
> initial credentials for q-testu...@xyz.com
> 
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127715: FAST armor
> ccache: MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM
> 
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127767: Retrieving
> host/10.2.2...@xyz.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/XYZ.COM
> \@XYZ.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM with
> result: -1765328243/Matching credential not found
> 
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127832: Sending
> request (185 bytes) to XYZ.COM
> 
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.128056: Initiating
> TCP connection to stream 10.0.4.175:88
> 
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> 

[Freeipa-users] ipa-client password authentication failed

2016-04-22 Thread Rakesh Rajasekharan
Hi There,

I have successfully set up and running freeipa in my environment.

I am running a freeipa master 4.2.x and my ipa clients are at 3.0.0-47

This set up works fine for majority of servers. But just on one host I am
unable to authenticate the users.

It gives me password denied.

Below is the error from /var/log/secure

Apr 22 14:25:26 localhost sshd[18785]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.13
user=q-testuser
Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.213
user=q-testuser
Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): received for
user q-testuser: 4 (System error)


and in my krb5_child.log, I see the below lines:
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400):
krb5_child started.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer]
(0x1000): total buffer size: [171]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer]
(0x0100): cmd [241] uid [114201] gid [114201] validate [true]
enterprise principal [false] offline [false] UPN [q-testu...@xyz.com]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_114201_XX] old_ccname:
[FILE:/tmp/krb5cc_114201_RjJBN2] keytab: [/etc/krb5.keytab]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds]
(0x0200): Switch user to [114201][114201].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[k5c_check_old_ccache] (0x4000): Ccache_file is
[FILE:/tmp/krb5cc_114201_RjJBN2] and is not active and TGT is  valid.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[k5c_precreate_ccache] (0x4000): Recreating ccache
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.2.2...@xyz.com]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[find_principal_in_keytab] (0x4000): Trying to find principal host/
10.2.2...@xyz.com in keytab.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [match_principal]
(0x1000): Principal matched to the sample (host/10.2.2...@xyz.com).
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [become_user]
(0x0200): Trying to become user [114201][114201].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x2000):
Running as [114201][114201].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup]
(0x2000): Running as [114201][114201].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400):
Will perform online auth
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [XYZ.COM]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127643: Getting
initial credentials for q-testu...@xyz.com

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127715: FAST armor
ccache: MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127767: Retrieving
host/10.2.2...@xyz.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/XYZ.COM
\@XYZ.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM with
result: -1765328243/Matching credential not found

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127832: Sending
request (185 bytes) to XYZ.COM

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.128056: Initiating
TCP connection to stream 10.0.4.175:88

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.129419: Sending TCP
request to stream 10.
krb5_child.log (END)


Can someone please advise what seems to be going wrong here?


Thanks,
Rakesh
[Freeipa-users] RoundRobin - Cname - 2 servers with same services

2016-04-22 Thread Gady Notrica
Hello World,

I am trying to enable round robin on freeipa. I have 2 servers providing the same
service (http). I am trying to give it a friendly name so that when users want
to access it, they can land on either one of the 2 servers.

But IPA DNS doesn't want to let me create a CNAME that has the same name but 2
different destinations.

How do I go around this?

Thanks,

Gady


Re: [Freeipa-users] Client enrolled but failed to obtain host TGT.

2016-04-22 Thread Martin Babinsky

On 04/21/2016 11:14 PM, Ask Stack wrote:

Half the time ipa-client-install will fail at getting the TGT.  Google
showed posts like, Bug 845691 – ipa-client-install Failed to obtain host
TGT . I reduced
_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp'
'_kerberos._udp' to one server entry only. But it didn't help to reduce
the failure rate. Thanks for your help.


client
ipa-client-3.0.0-47.el6_7.2.x86_64

server
ipa-server-3.0.0-47.el6_7.1.x86_64

ipa-client-install --hostname=client1.example.com
--server=ipa-server.example.com --domain=example.com -N --mkhomedir
--unattended -p ipa...@example.com -w 'password1'
--ca-cert-file=/etc/ipa/ca.crt -d
...
...
Enrolled in IPA realm EXAMPLE.COM
args=kdestroy
stdout=
stderr=
args=/usr/bin/kinit -k -t /etc/krb5.keytab
host/client1.example@example.com
stdout=
stderr=kinit: Generic preauthentication failure while getting initial
credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab
host/client1.example@example.com
stdout=
stderr=kinit: Generic preauthentication failure while getting initial
credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab
host/client1.example@example.com
stdout=
stderr=kinit: Generic preauthentication failure while getting initial
credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab
host/client1.example@example.com
stdout=
stderr=kinit: Generic preauthentication failure while getting initial
credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab
host/client1.example@example.com
stdout=
stderr=kinit: Generic preauthentication failure while getting initial
credentials

Failed to obtain host TGT.

Hello,

can you please provide KDC log from the server you are enrolling 
against? IIRC it should be in /var/log/krb5kdc.log


--
Martin^3 Babinsky



[Freeipa-users] OTP and time step size

2016-04-22 Thread Prashant Bapat
Hi,

We have been using the OTP feature of FreeIPA extensively for users to
login to the web UI. Now we are rolling out an external service using the
LDAP authentication based on FreeIPA and OTP.

End users typically login rarely to the web UI. Only to update their SSH
keys once in 90 days.

However to the new service based on FreeIPA's LDAP they would be logging in
multiple times daily.

Here is an observation: FreeIPA's OTP mechanism is very stringent in
requiring the current token to be inside the 30 second window. Because of
this there might be a sizable percentage of users who will have to retry
login. Obviously, this is a bad user experience.

As per RFC 6238 section 5.2, we could allow 1 time step and make the user
experience better.

Can this be done by changing a config or does it involve a
patch/code-change? Any pointers on this are appreciated.

Thanks.
--Prashant
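As an added example, not FreeIPA's own code, the following stdlib-only Python TOTP verifier implements the RFC 6238 section 5.2 resynchronisation window the post asks about (accept the code for the current step or any step within +/- skew) together with the replay check that must accompany any such window: a step that has already been accepted for a user is never accepted again. The secret and timestamps in the test are the RFC's published test values, not production material.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of `step`-second periods since the epoch."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at, step=30, digits=6, skew=0, last_counter=-1):
    """Accept `code` if it matches the current time step or any step within
    +/- `skew` steps (RFC 6238, 5.2). `last_counter` is the highest step already
    accepted for this token; steps at or below it are rejected so a code
    observed once cannot be replayed inside the widened window.
    Returns the matched counter (store it as the new last_counter) or None."""
    now = int(at) // step
    for delta in range(-skew, skew + 1):
        counter = now + delta
        if counter <= last_counter:  # never re-accept an already-used step
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), SHA-1.
    secret = b"12345678901234567890"
    code = totp(secret, 59)              # generated in step 1 (t = 30..59)
    print("code at t=59:", code)
    print("strict, t=65  :", verify_totp(secret, code, 65))          # None
    print("skew=1, t=65  :", verify_totp(secret, code, 65, skew=1))  # 1
    print("replayed      :", verify_totp(secret, code, 65, skew=1, last_counter=1))  # None
```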

Re: [Freeipa-users] concurrent requests to ipalib app giving network error

2016-04-22 Thread Martin Basti



On 21.04.2016 18:46, Oğuz Yarımtepe wrote:

Hi,

I have a REST API that is using the ipalib and written with Falcon.
Below is the code or you can check it online here: 
http://paste.ubuntu.com/15966308/


from __future__ import print_function
from bson import json_util
import json
import falcon

from ipalib import api as ipaapi
from api.utils.utils import parse_json, check_connection
from api import settings

class Calls(object):

    #@falcon.before(check_connection)
    def on_post(self, req, resp):

        result_json = parse_json(req)
        command_name = result_json["command_name"]
        params = result_json["params"]

        if not hasattr(ipaapi.env, "conf"):
            #TODO: add kinit oguz for exceptional case
            ipaapi.bootstrap_with_global_options(context='satcloud_api')
            ipaapi.finalize()

            if ipaapi.env.in_server:
                ipaapi.Backend.ldap2.connect()
            else:
                ipaapi.Backend.rpcclient.connect()

        #import ipdb
        #ipdb.set_trace()

        command=ipaapi.Command
        command_result=getattr(command,command_name)

        #resp.set_cookie('api_status_cookie', 'True')
        if not params:
            resp.body = json.dumps(command_result())
            resp.status = falcon.HTTP_200
        else:
            if type(params) == dict:
                arguments = []
                kwargs = dict()
                for key, value in params.iteritems():
                    if "arg" in key:
                        arguments.append(value)
                    else:
                        kwargs[key]=value
                try:
                    #for datetime serialization problems better to use bson
                    dump = command_result(*arguments, **kwargs)
                    resp.body = json.dumps(dump, default=json_util.default)
                    #resp.body = json.dumps(command_result(*arguments, **kwargs))
                    resp.status = falcon.HTTP_200
                except UnicodeDecodeError:
                    resp.body = json.dumps(dump, default=json_util.default, encoding='latin1')
                    resp.status = falcon.HTTP_200
                except Exception as e:
                    resp.status = falcon.HTTP_BAD_REQUEST
                    resp.body = json.dumps({"description": e.message, "title": "Dublicate entry"})
                    #raise falcon.HTTPBadRequest(title="Dublicate entry",
                    #                            description=e,
                    #                            href=settings.__docs__)
            else:
                dump = command_result(params)
                resp.body = json.dumps(dump, default=json_util.default)
                #resp.body = json.dumps(command_result(params))
                resp.status = falcon.HTTP_200


Basically i am making concurrent calls to this rest api and i am getting

Network error: http://paste.ubuntu.com/15966347/

ipa: INFO: Forwarding 'user_find' to json server 
'https://ipa.foo.com/ipa/json'
ipa: INFO: Forwarding 'netgroup_find' to json server 
'https://ipa.foo.com/ipa/json'
[pid: 5450|app: 0|req: 9/14] 10.102.235.77 () {34 vars in 463 bytes} 
[Thu Apr 21 17:43:22 2016] POST /v1/ipa/calls => generated 2324 bytes 
in 227 msecs (HTTP/1.1 200) 8 headers in 459 bytes (1 switches on core 0)

Traceback (most recent call last):
  File "falcon/api.py", line 213, in falcon.api.API.__call__ 
(falcon/api.c:2521)
  File "falcon/api.py", line 182, in falcon.api.API.__call__ 
(falcon/api.c:2118)

  File "./api/resources/ipa/calls.py", line 38, in on_post
resp.body = json.dumps(command_result())
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 
443, in __call__

ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 
761, in run

return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 
782, in forward
return self.Backend.rpcclient.forward(self.name 
, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 935, in 
forward

raise NetworkError(uri=server, error=e.errmsg)
ipalib.errors.NetworkError: cannot connect to 
'https://ipa.foo.com/ipa/json': Internal Server Error
[pid: 5451|app: 0|req: 3/15] 10.102.235.77 () {34 vars in 463 bytes} 
[Thu Apr 21 17:43:22 2016] POST /v1/ipa/calls => generated 0 bytes in 
1421 msecs (HTTP/1.1 500) 0 headers in 0 bytes (0 switches on core 0)



This is how a concurrent request is being sent:
#!/usr/bin/env python

from multiprocessing import Process, Pool
import time
import urllib2

def millis():
  return int(round(time.time() * 1000))

def http_get(url):
  start_time = millis()
  request = urllib2.Request(url, headers={"Content-Type":
"application/json", "Origin": "http://ipa.foo.com", "Authorization":
"{'token':