[Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

2016-06-20 Thread Martin Štefany
Hello all,

I've run into a strange issue with IPA/SSSD/SSH/SELinux which started when I
figured out that I cannot ssh with pubkey auth to Fedora 23 (ipa-client) systems
while I can to CentOS 7.2 (ipa-client and ipa-server) systems within the same IPA
domain. I will appreciate any help whatsoever.
IPA servers (and most of the clients) are IPA 4.2.0 on CentOS 7.2 with latest
updates, affected clients are IPA clients 4.2.4 on Fedora 23 with latest
updates.

I started by looking to the journal:
jún 20 13:02:50 desk2.stefany.eu sshd[25162]: Connection
from 144.xxx.xxx.xxx port 22543 on 172.17.100.191 port 22
...
jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc:  denied  { name_connect
} for  pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c03e syscall=42
success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe2a50 items=0
ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 
...
jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc:  denied  { name_connect
} for  pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c03e syscall=42
success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe42d0 items=0
ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: AuthorizedKeysCommand
/usr/bin/sss_ssh_authorizedkeys martin failed, status 1
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Failed publickey for martin
from 144.xxx.xxx.xxx port 22543 ssh2: RSA SHA256:uyzB4[stripped]
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: Received disconnect
from 144.xxx.xxx.xxx port 22543:14: No supported authentication methods
available [preauth]
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Disconnected from 144.xxx.xxx.xxx
port 22543 [preauth]

which was weird, because the same key would work nicely elsewhere (on any other
CentOS 7.2 system, while no Fedora 23 system would work, as I have figured out).

I have tried putting SELinux into permissive mode, or generating a custom module
with a custom policy allowing this, but it doesn't help, and even a tcpdump capture
doesn't capture anything when such a connection to 'somewhere' on port 80 is opened.

I moved on to testing the '/usr/bin/sss_ssh_authorizedkeys martin' command.
Fedora 23:
# sss_ssh_authorizedkeys martin
Error looking up public keys

CentOS 7.2:
# sss_ssh_authorizedkeys martin
ssh-rsa AAA...
ssh-rsa AAA...
ssh-ed25519 AAA...
ssh-rsa AAA...
ssh-rsa B3NzaC1yc2EDAQABAAABAQCsox... (???) -->> this one is not in
LDAP (checked with ldapsearch & ipa user-show martin --all --raw), not present
in the dc=stefany,dc=eu tree or in the compat tree

So, I have turned on debug_level = 0x0250 in sssd.conf in both Fedora 23 and
CentOS 7.2 and checked the logs. CentOS 7.2 is just fine, Fedora 23 gives these
failures:
==> /var/log/sssd/sssd_ssh.log <==
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received
client version [0].
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered
version [0].
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200):
name 'martin' matched without domain, user is martin

==> /var/log/sssd/sssd_stefany.eu.log <==
(Mon Jun 20 21:58:14 2016) [sssd[be[stefany.eu]]] [be_get_account_info]
(0x0200): Got request for [0x1][BE_REQ_USER][1][name=martin]

==> /var/log/sssd/sssd_ssh.log <==
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
cert_to_ssh_key failed.
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040):
decode_and_add_base64_data failed.

And that's right, the last - ghost - "sshpubkey" is an invalid base64 string. So
Fedora 23 fails because of some extra validation in SSSD...

I can't tell where this invalid base64 stuff is coming from, and yes, I have
stopped both IPA servers, run sss_cache -E on both of them and on the clients, and
started the IPA servers serially one by one; the invalid key is still there.

I have a plan B to delete the account, put it back and see if it cleans up, but
I would prefer to figure out what is actually wrong here and what's introducing
the wrong sshpubkey. And why is sssd_ssh connecting to some port 80 somewhere?

Thank you in advance!

Kind regards,
Martin
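As an added example (my code, not the author's or SSSD's): a checker that walks every ipaSshPubKey value in an ldapsearch/LDIF dump and reports the ones a strict consumer such as the Fedora 23 sssd_ssh would reject, so a ghost key can be located without hunting through the logs. The user entry and key values are constructed; it also cross-checks the key type embedded in the blob against the leading token, which goes one step beyond the plain base64 failure the SSSD log shows.

```python
import base64
import binascii


def _wire_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return len(b).to_bytes(4, "big") + b


# A syntactically valid ed25519 public key blob (constructed, not a real key).
# OpenSSH blobs begin with the key type as a length-prefixed string, which is
# what lets us cross-check the blob against the leading "ssh-ed25519" token.
VALID_BLOB = _wire_string(b"ssh-ed25519") + _wire_string(bytes(range(32)))
VALID_B64 = base64.b64encode(VALID_BLOB).decode()

# Constructed LDIF as ldapsearch prints it (long values are folded with a
# leading space on continuation lines). Value 1 is good; value 2 has lost
# its leading characters and is no longer decodable base64; value 3 decodes
# but the embedded type does not match the leading token; value 4 is junk.
SAMPLE_LDIF = (
    "dn: uid=martin,cn=users,cn=accounts,dc=example,dc=com\n"
    "uid: martin\n"
    "ipaSshPubKey: ssh-ed25519 " + VALID_B64[:40] + "\n"
    " " + VALID_B64[40:] + " martin@laptop\n"
    "ipaSshPubKey: ssh-ed25519 " + VALID_B64[1:] + "\n"
    "ipaSshPubKey: ssh-rsa " + VALID_B64 + "\n"
    "ipaSshPubKey: not-a-key\n"
)


def parse_ldif(text: str) -> list:
    """Return [(dn, [ipaSshPubKey values])] with folded lines unwrapped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        else:
            lines.append(raw)
    entries, dn, keys = [], None, []
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, keys))
            dn, keys = None, []
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode(errors="replace")
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "ipasshpubkey":
            keys.append(value)
    return entries


def check_key(value: str) -> str:
    """Classify one authorized_keys-style value the way a strict consumer would."""
    parts = value.split()
    if len(parts) < 2:
        return "malformed: expected '<type> <base64> [comment]'"
    ktype, blob = parts[0], parts[1]
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return "invalid base64"
    if len(raw) < 4:
        return "blob too short"
    n = int.from_bytes(raw[:4], "big")
    if raw[4:4 + n] != ktype.encode():
        return "type mismatch: blob does not start with %r" % ktype
    return "ok"


def audit(text: str) -> list:
    """Run check_key over every ipaSshPubKey value; return (dn, index, status)."""
    report = []
    for dn, keys in parse_ldif(text):
        for i, value in enumerate(keys):
            report.append((dn, i, check_key(value)))
    return report


if __name__ == "__main__":
    for dn, i, status in audit(SAMPLE_LDIF):
        print("%s key[%d]: %s" % (dn, i, status))
```

Feed it the output of `ldapsearch -LLL ... ipaSshPubKey` (or of `ipa user-show --all --raw`, which is not folded) and any value other than "ok" is the one to remove or re-add in the user entry.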







-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem

2016-06-20 Thread Sean Hogan

Also seeing this in the upgrade log on the first master but not on the 7
ipas.

ERROR Failed to restart named: Command '/sbin/service named restart '
returned non-zero exit status 7


which led me to

https://bugzilla.redhat.com/show_bug.cgi?id=895298





Sean Hogan






From:   Sean Hogan/Durham/IBM@IBMUS
To: freeipa-users 
Date:   06/20/2016 11:46 AM
Subject:Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
Sent by:freeipa-users-boun...@redhat.com



Hi All..

I thought we fixed this issue by rebooting the KVM host but it is showing
again. Our First Master IPA is being rebooted 2 -5 times a day now just to
keep it alive.

What we are seeing:

God@FirstMaster log]# kinit admin
kinit: Cannot contact any KDC for realm 'Domain.LOCAL' while getting
initial credentials

DNS is not working as nslookup is failing to a replica. I think once we
lose DNS it all goes downhill, which makes sense.

[god@FirstMaster log]# ipactl stop -> Just hangs forever.. no replies..
no error.. nothing

I try service named stop and nothing happens

I have the box hard shutdown from KVM console. Reboot it and it works for a
little while but eventually back to same behavior.

At this point I can service named stop and it responds... ipactl status and
it responds.. but if I try service named restart I get

[god@FirstMaster log]# service named stop
Stopping named: ..

[god@Firstmaster log]# service named start
Starting named: [FAILED]

[god@FirstMaster log]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named dead but pid file exists

Rebooted box and it is hung on shutting down domain-local and never fully
shuts down.. have to get it hard shutdown again.
During an attempt to gracefully shut down we see this

Shutting Down dirsrv:
PKI-IPA OK
DOMAIN-LOCAL FAILED
*** Error: 1 instance(s) unsuccessfully stopped FAILED

Then it moves on to shut other things down and returns to dirsrv
Shutting Down dirsrv:
PKI-IPAserver already stopped FAILED {Makes sense.. it died earlier}
DOMAIN-LOCAL... {this sits here til we hard shutdown}



bind-libs-9.8.2-0.47.rc1.el6.x86_64
bind-9.8.2-0.47.rc1.el6.x86_64
bind-utils-9.8.2-0.47.rc1.el6.x86_64


ipa-client-3.0.0-50.el6.1.x86_64
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
sssd-ipa-1.13.3-22.el6.x86_64


/var/log/dirsrv/slapd-DOMAIN-LOCAL
[20/Jun/2016:13:29:06 -0400] - 389-Directory/1.2.11.15 B2016.063.2110
starting up
[20/Jun/2016:13:29:06 -0400] schema-compat-plugin - warning: no entries set
up under cn=computers, cn=compat,dc=domain,dc=local
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV
[database RUV] does not contain element [{replica 7} 55ca26a90007
5688d8e60017] which is present in RUV [changelog max RUV]
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin -
replica_check_for_data_reload: Warning: for replica dc=domain,dc=local
there were some differences between the changelog max RUV and the database
RUV. If there are obsolete elements in the database RUV, you should remove
them using the CLEANALLRUV task. If they are not obsolete, you should check
their status to see why there are no changes from those servers in the
changelog.
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial
credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
for requested realm)
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial
credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
for requested realm)
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial
credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure. Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin -
agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial
credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact 

Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem

2016-06-20 Thread Sean Hogan

Hi All..

  I thought we fixed this issue by rebooting the KVM host but it is showing
again.  Our First Master IPA is being rebooted 2 -5 times a day now just to
keep it alive.

What we are seeing:

God@FirstMaster log]# kinit admin
kinit: Cannot contact any KDC for realm 'Domain.LOCAL' while getting
initial credentials

DNS is not working as nslookup is failing to a replica. I think once we
lose DNS it all goes downhill, which makes sense.

[god@FirstMaster log]# ipactl stop  -> Just hangs forever.. no
replies.. no error.. nothing

I try service named stop and nothing happens

I have the box hard shutdown from KVM console.  Reboot it and it works for
a little while but eventually back to same behavior.

At this point I can service named stop and it responds... ipactl status and
it responds.. but if I try service named restart I get

[god@FirstMaster log]# service named stop
Stopping named: ..

[god@Firstmaster log]# service named start
Starting named:[FAILED]

[god@FirstMaster log]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named dead but pid file exists

Rebooted box and it is hung on shutting down domain-local and never fully
shuts down.. have to get it hard shutdown again.
During an attempt to gracefully shut down we see this

Shutting Down dirsrv:
  PKI-IPA  OK
  DOMAIN-LOCALFAILED
  *** Error: 1 instance(s) unsuccessfully stopped   FAILED

Then it moves on to shut other things down and returns to dirsrv
Shutting Down dirsrv:
  PKI-IPAserver already stopped
FAILED  {Makes sense.. it died earlier}
  DOMAIN-LOCAL...
{this sits here til we hard shutdown}



bind-libs-9.8.2-0.47.rc1.el6.x86_64
bind-9.8.2-0.47.rc1.el6.x86_64
bind-utils-9.8.2-0.47.rc1.el6.x86_64


ipa-client-3.0.0-50.el6.1.x86_64
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
sssd-ipa-1.13.3-22.el6.x86_64


/var/log/dirsrv/slapd-DOMAIN-LOCAL
[20/Jun/2016:13:29:06 -0400] - 389-Directory/1.2.11.15 B2016.063.2110
starting up
[20/Jun/2016:13:29:06 -0400] schema-compat-plugin - warning: no entries set
up under cn=computers, cn=compat,dc=domain,dc=local
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV
[database RUV] does not contain element [{replica 7} 55ca26a90007
5688d8e60017] which is present in RUV [changelog max RUV]
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin -
replica_check_for_data_reload: Warning: for replica dc=domain,dc=local
there were some differences between the changelog max RUV and the database
RUV.  If there are obsolete elements in the database RUV, you should remove
them using the CLEANALLRUV task.  If they are not obsolete, you should
check their status to see why there are no changes from those servers in
the changelog.
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial
credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
for requested realm)
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial
credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
for requested realm)
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial
credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin -
agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial
credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)

Re: [Freeipa-users] ldap entry from an plugin

2016-06-20 Thread gheorghita . butnaru
I like that plugin but, for my purpose, I just need something simple:

1. two options for users to select their wanted networks and to add their
mac addresses (done already, fully functional).
2. with that input I want to make an entry, like I said, for the dhcp server.
Important to say is that I already have that input in the corresponding
attr in ldap but I want to build a special entry for dhcp like in my next
example.

For example, if a user selects network Net1 and Mac address
aa:aa:aa:aa:aa:aa I will need something like this in the directory:

dn: cn=userid, cn=192.168.1.0, cn=Net1, cn=config,dc=dhcp,dc=example,dc=com
cn: userid
objectClass: top
objectClass: dhcpHost
objectClass: dhcpOptions
dhcpHWAddress: ethernet aa:aa:aa:aa:aa:aa

Network IP is unique and corresponds to that network;
everything else that I need for a working dhcp is already in the directory.

> On (20/06/16 20:20), gheorghita.butn...@tuiasi.ro wrote:
>>Yes I did, started from there.
>>
>>I have two new fields in user details and they work as expected.
>>Now, based on those new entries I need to make an entry in ldap like this
>>one:
>>
>>dn: cn=userid, cn=192.168.1.0, cn=shared_net_name, cn=config,dc=dhcp,dc=example,dc=com
>>cn: userid
>>objectClass: top
>>objectClass: dhcpHost
>>objectClass: dhcpOptions
>>dhcpHWAddress: ethernet 00:a0:78:8e:9e:aa
>>
>>shared_net_name, dhcpHWAddress - added by users in those new fields.
>>I was thinking that I can do it in the same plugin file but I don't know
>>exactly how to do it.
>
> If you want to enhance FreeIPA with DHCP
> then I will recommend you to look into the freeipa-users archives.
> https://www.redhat.com/archives/freeipa-users/2016-May/msg00211.html
> https://github.com/jefferyharrell/IPA-dhcp
>
> LS
>
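For the dhcpHost entry sketched in this thread, here is an added example (my code, not the questioner's plugin and not the FreeIPA plugin API) that builds the entry from the two user-supplied fields and validates them before they land in a DN: the MAC is normalised and checked, the subnet comes from a fixed table, and RDN values are escaped per RFC 4514. The NETWORKS table is constructed; the base DN is the one from the thread.

```python
import ipaddress
import re

# Base DN taken from the question; the shared-network table is constructed.
DHCP_BASE = "cn=config,dc=dhcp,dc=example,dc=com"
NETWORKS = {"Net1": "192.168.1.0", "Net2": "192.168.2.0"}


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    for ch in value:
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if s.startswith(("#", " ")):          # leading '#' or space must be escaped
        s = "\\" + s
    if s.endswith(" ") and not s.endswith("\\ "):
        s = s[:-1] + "\\ "                # so must a trailing space
    return s


def normalize_mac(mac: str) -> str:
    """Accept aa:aa:.., aa-aa-.., aaaa.aaaa.aaaa or bare hex; return aa:aa:aa:aa:aa:aa."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    if int(hexdigits[:2], 16) & 1:        # I/G bit set: multicast or broadcast
        raise ValueError("multicast/broadcast address cannot be a DHCP host: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_dhcp_host(userid: str, network: str, mac: str) -> dict:
    """Return {'dn': ..., 'attrs': [(name, value), ...]} for one dhcpHost entry."""
    if network not in NETWORKS:
        raise ValueError("unknown shared network %r" % network)
    subnet = str(ipaddress.IPv4Address(NETWORKS[network]))  # fails loudly on a bad table
    hwaddr = normalize_mac(mac)
    if not userid.strip():
        raise ValueError("empty userid")
    dn = ",".join([
        "cn=" + escape_rdn_value(userid),
        "cn=" + subnet,
        "cn=" + escape_rdn_value(network),
        DHCP_BASE,
    ])
    attrs = [
        ("cn", userid),
        ("objectClass", "top"),
        ("objectClass", "dhcpHost"),
        ("objectClass", "dhcpOptions"),
        ("dhcpHWAddress", "ethernet " + hwaddr),
    ]
    return {"dn": dn, "attrs": attrs}


def to_ldif(entry: dict) -> str:
    """Render the entry as LDIF for ldapadd (all values here are plain ASCII)."""
    lines = ["dn: " + entry["dn"]]
    lines += ["%s: %s" % (k, v) for k, v in entry["attrs"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_ldif(build_dhcp_host("userid", "Net1", "AA-AA-AA-AA-AA-AA")))
```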




Re: [Freeipa-users] ldap entry from an plugin

2016-06-20 Thread Lukas Slebodnik
On (20/06/16 20:20), gheorghita.butn...@tuiasi.ro wrote:
>Yes I did, started from there.
>
>I have two new fields in user details and they work as expected.
>Now, based on those new entries I need to make an entry in ldap like this
>one:
>
>dn: cn=userid, cn=192.168.1.0, cn=shared_net_name, cn=config,dc=dhcp,dc=example,dc=com
>cn: userid
>objectClass: top
>objectClass: dhcpHost
>objectClass: dhcpOptions
>dhcpHWAddress: ethernet 00:a0:78:8e:9e:aa
>
>shared_net_name, dhcpHWAddress - added by users in those new fields.
>I was thinking that I can do it in the same plugin file but I don't know
>exactly how to do it.

If you want to enhance FreeIPA with DHCP
then I will recommend you to look into the freeipa-users archives.
https://www.redhat.com/archives/freeipa-users/2016-May/msg00211.html
https://github.com/jefferyharrell/IPA-dhcp

LS



Re: [Freeipa-users] ldap entry from an plugin

2016-06-20 Thread gheorghita . butnaru
Yes I did, started from there.

I have two new fields in user details and they work as expected.
Now, based on those new entries I need to make an entry in ldap like this
one:

dn: cn=userid, cn=192.168.1.0, cn=shared_net_name, cn=config,dc=dhcp,dc=example,dc=com
cn: userid
objectClass: top
objectClass: dhcpHost
objectClass: dhcpOptions
dhcpHWAddress: ethernet 00:a0:78:8e:9e:aa

shared_net_name, dhcpHWAddress - added by users in those new fields.
I was thinking that I can do it in the same plugin file but I don't know
exactly how to do it.
>
>
> On 20.06.2016 18:12, gheorghita.butn...@tuiasi.ro wrote:
>> Hello,
>>
>> I have a small plugin that adds two new fields in user details. Based
>> on those, I need to make a new entry in the directory, like I would do with
>> ldapmodify for example ( http://pastebin.com/ZSEA64k8 )
>>
>> Basically every time a user modifies those new attrs I need to make
>> an entry.
>> I have a small function that takes the content of the attr that was added
>> by the user in the webUI. With that function I have all the info I want for
>> my new entry: dn, cn, object classes, attr.
>>
>> How can I add that info from that function to ldap?
>>
>> Thanks,
>> Gheorghita
>>
>>
> Hello, did you read this document on how to extend FreeIPA?
>
> https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>




Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-06-20 Thread Günther J . Niederwimmer
Hello,

Am Montag, 20. Juni 2016, 09:54:11 CEST schrieb Petr Spacek:
> On 18.6.2016 15:03, Günther J. Niederwimmer wrote:
> > hello,
> > 
> > Am Freitag, 17. Juni 2016, 23:05:32 CEST schrieb Martin Basti:
> >> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
> >>> Hello,
> >>> 
> >>> Am Freitag, 17. Juni 2016, 14:13:55 CEST schrieb Martin Basti:
>  On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
> > Hello List,
> > 
> > Am Freitag, 17. Juni 2016, 07:51:45 CEST schrieb Petr Spacek:
> >> On 16.6.2016 21:51, Lukas Slebodnik wrote:
> >>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
>  Hello
>  
>  On my system the ods-exporter, I mean, has a problem.
>  
>  I have this in the logs
>  CentOS 7.(2) ipa 4.3.1
>  
>  Jun 16 11:38:28 ipa ipa-ods-exporter: raise
>  errors.ACIError(info=info)
>  Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
>  Insufficient
>  access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
>  failure.
>  Minor code may provide more information (Ticket expired)
>  
> >>> ^^
> >>>  
> >>>  Here seems to be a reason why it failed.
> >>>  But I can't help you more.
> >> 
> >> Lukas is right. Interesting, this should never happen :-)
> > 
> > This I have also found ;-)
> > 
> >> Please enable debugging using procedure
> >> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
> >> and check logs after next ipa-ods-exporter restart.
> >> Thank you!
> > 
> > OK,
> > 
> > I attach the messages log?
> > 
> > I mean this is a problem with my DNS ?
>  
>  Hello,
>  can you check kerberos status of ipa-ods-exporter service in webUI?
>  
>  identity/services/ipa-ods-exported/
>  There should be kerberos status in right top corner in details view
> >>> 
> >>> I have a
> >>> identity/services/ipa-ods-exporter/..
> >>> 
> >>> with a "Kerberos Key Present, Service Provisioned"
> >>> 
> >>> but no Certificate ?
> >> 
> >> Can you try,
> >> 
> >> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab
> >> ipa-ods-exporter/$(hostname)
> > 
> > OK
> > I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/$(hostname)"
> > 
> > written on one line!! Is this OK?
> > 
> >> and do ldapsearch
> >> # ldapsearch -Y GSSAPI
> > 
> > and also ldapsearch is OK
> > 
> >> It should show us if keytab is okay
> > 
> > But the Error is present :-(.
> 
> We need to see precise error. Please copy it into the e-mail.

That is it.

Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 
0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 
0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: Mounting 
ipaserver.rpcserver.login_password() at '/session/login_password'
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 
0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: Mounting 
ipaserver.rpcserver.xmlserver() at '/xml'
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 
0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: Mounting 
ipaserver.rpcserver.jsonserver_session() at '/session/json'
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 
0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: Mounting 
ipaserver.rpcserver.sync_token() at '/session/sync_token'
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: Mounting 
ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 
0:20:00
Jun 20 18:43:35 ipa ipa-ods-exporter: ipa: DEBUG: Mounting 
ipaserver.rpcserver.jsonserver_kerb() at '/json'
Jun 20 18:43:35 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 
0:20:00
Jun 20 18:43:35 ipa ipa-ods-exporter: ipa: DEBUG: Mounting 
ipaserver.rpcserver.change_password() at '/session/change_password'
Jun 20 18:43:35 ipa ipa-ods-exporter: ipa: DEBUG: Initializing principal ipa-
ods-exporter/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab
Jun 20 18:43:35 ipa ipa-ods-exporter: ipa: DEBUG: using ccache /var/
opendnssec/tmp/ipa-ods-exporter.ccache
Jun 20 18:43:35 ipa ipa-ods-exporter: ipa: DEBUG: Attempt 1/5: success
Jun 20 18:43:35 ipa python2: GSSAPI Error: Unspecified GSS failure.  Minor code 
may provide more information (Ticket expired)
Jun 20 18:43:35 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 20 18:43:35 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-
exporter", line 656, in 
Jun 20 18:43:35 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 20 18:43:35 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/

Re: [Freeipa-users] ldap entry from an plugin

2016-06-20 Thread Martin Basti



On 20.06.2016 18:12, gheorghita.butn...@tuiasi.ro wrote:

Hello,

I have a small plugin that adds two new fields in user details. Based on
those, I need to make a new entry in the directory, like I would do with
ldapmodify for example ( http://pastebin.com/ZSEA64k8 )

Basically every time a user modifies those new attrs I need to make
an entry.
I have a small function that takes the content of the attr that was added by
the user in the webUI. With that function I have all the info I want for my new
entry: dn, cn, object classes, attr.

How can I add that info from that function to ldap?

Thanks,
Gheorghita



Hello, did you read this document on how to extend FreeIPA?

https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf



[Freeipa-users] ldap entry from an plugin

2016-06-20 Thread gheorghita . butnaru
Hello,

I have a small plugin that adds two new fields in user details. Based on
those, I need to make a new entry in the directory, like I would do with
ldapmodify for example ( http://pastebin.com/ZSEA64k8 )

Basically every time a user modifies those new attrs I need to make
an entry.
I have a small function that takes the content of the attr that was added by
the user in the webUI. With that function I have all the info I want for my new
entry: dn, cn, object classes, attr.

How can I add that info from that function to ldap?

Thanks,
Gheorghita




Re: [Freeipa-users] CA: IPA certificates not renewing

2016-06-20 Thread Marc Wiatrowski
Thanks for the reply Rob,

So should fixing replication be more than running a re-initialize?   I've
tried this with no luck.  Still the same errors in renewing the IPA certs.

status: CA_UNREACHABLE
ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request,
will retry: 4301 (RPC failed at server.  Certificate operation cannot be
completed: EXCEPTION (Certificate serial number 0x3ffe000f not found))

Is there a procedure for getting these serial numbers back into the
system? Or for manually recreating them somehow?

I was able to clear 4301 error.  One ipaCert needed to be updated.

thanks

On Thu, Jun 16, 2016 at 10:22 AM, Rob Crittenden wrote:

> Marc Wiatrowski wrote:
>
>> Thanks Rob,
>>
>> Any suggestions on how make the CA aware of the current serial number?
>>
>
> Serial numbers are doled out like uid numbers, by the 389-ds DNA Plugin.
> So each CA that has ever issued a certificate has its own range, hence the
> quite different serial number values.
>
> Given that some issued certificates are unknown it stands to reason that
> replication is broken between one or more masters. Fixing that should
> resolve (most of) the other issues.
>
> Also started seeing the following error from two of the servers,
>> spider01b and spider01o, but not spider01a when to navigate in the web
>> gui.  Though it doesn't appear to stop me from doing anything.
>>
>> IPA Error 4301
>> Certificate operation cannot be completed: EXCEPTION (Invalid Crential.)
>>
>
> Dogtag does some of its access control by comparing the incoming client
> certificate with an expected value in its LDAP database, in this case
> uid=ipara,ou=People,o=ipaca. There you'll find a copy of the client
> certificate and a description field that contains the expected serial #,
> subject and issuer.
>
> These are out-of-whack if you're getting Invalid Credentials. It could be
> a number of things so I'd proceed cautiously. Given you have a working
> master I'd use that as a starting point.
>
> Look at the RA cert in /etc/httpd/alias:
>
> # certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
>
> See if it is the same on all masters, it should be.
>
> If it is, look at the uid=ipara entry on all the masters. Again, should be
> the same.
>
> Note that fixing this won't address any replication issues.
>
> rob
>
>
>> Marc
>>
>> On Tue, Jun 14, 2016 at 2:07 PM, Marc Wiatrowski wrote:
>>
>>
>>
>> On Tue, Jun 14, 2016 at 11:22 AM, Rob Crittenden wrote:
>>
>> Marc Wiatrowski wrote:
>>
>> Hello, I'm having issues with the 3 ipa certificates of type
>> CA: IPA
>> renewing on 2 of 3 replicas.  Particularly on the 2 that are
>> not the CA
>> master.  The other 5 certificates from getcert list do renew
>> and all
>> certificates on the CA master do look to renew.
>>
>> Both servers running
>> ipa-server-3.0.0-50.el6.centos.1.x86_64  I've done
>> full updates and rebooted.
>>
>>
>> Can you check on the replication status for each CA?
>>
>> $ ipa-csreplica-manage list -v ipa.example.com
>> 
>>
>> The hostname is important because including that will show the
>> agreements that host has. Do this for each master with a CA.
>>
>> The CA being asked to do the renewal is unaware of the current
>> serial number so it is refusing to proceed.
>>
>> rob
>>
>>
>>
>> [root@spider01o]$ ipa-csreplica-manage list -v spider01a.iglass.net
>> 
>> Directory Manager password:
>>
>> spider01b.iglass.net 
>>last init status: None
>>last init ended: None
>>last update status: 0 Replica acquired successfully: Incremental
>> update succeeded
>>last update ended: 2016-06-14 17:49:16+00:00
>> spider01o.iglass.net 
>>last init status: None
>>last init ended: None
>>last update status: 0 Replica acquired successfully: Incremental
>> update started
>>last update ended: 2016-06-14 17:55:20+00:00
>>
>> [root@spider01o]$ ipa-csreplica-manage list -v spider01o.iglass.net
>> 
>> Directory Manager password:
>>
>> spider01a.iglass.net 
>>last init status: None
>>last init ended: None
>>last update status: 0 Replica acquired successfully: Incremental
>> update started
>>last update ended: 2016-06-14 17:57:44+00:00
>> spider01b.iglass.net 
>>last init status: None
>>last init ended: None
>>last update status: 0 Replica acquired successfully: Incremental
>> update started
>>last update ended: 
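Rob's checklist above (compare the ipaCert serial certutil reports on every master with the serial uid=ipara expects, and make sure all masters agree) as an added example; this is my code, not Rob's or FreeIPA's. It assumes the description attribute of uid=ipara,ou=People,o=ipaca has the form 2;serial;issuer;subject; the certutil output, hostnames and serials below are constructed placeholders.

```python
import re

# Output of `certutil -L -d /etc/httpd/alias -n ipaCert` on each CA master
# (constructed and trimmed to the header). certutil prints a serial either as
# "decimal (hex)" or as colon-separated hex bytes; both forms are handled.
CERTUTIL_OUTPUT = {
    "master-a.example.test": "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
                             "        Serial Number: 1073610767 (0x3ffe000f)\n",
    "master-b.example.test": "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
                             "        Serial Number: 1073610767 (0x3ffe000f)\n",
    "master-c.example.test": "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
                             "        Serial Number:\n            3f:fe:00:0c\n",
}

# description attribute of uid=ipara,ou=People,o=ipaca on each master
# (constructed; assumed format "2;<serial>;<issuer DN>;<subject DN>").
IPARA_DESCRIPTION = {
    "master-a.example.test":
        "2;1073610767;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST",
    "master-b.example.test":
        "2;1073610767;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST",
    "master-c.example.test":
        "2;1073610767;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST",
}


def parse_certutil_serial(text: str) -> int:
    """Extract the certificate serial from `certutil -L` output as an int."""
    m = re.search(r"Serial Number:\s*(\d+)\s*\(0x[0-9a-fA-F]+\)", text)
    if m:
        return int(m.group(1))
    m = re.search(r"Serial Number:\s*((?:[0-9a-fA-F]{2}:)+[0-9a-fA-F]{2})", text)
    if m:
        return int(m.group(1).replace(":", ""), 16)
    raise ValueError("no Serial Number line in certutil output")


def parse_ipara_description(desc: str) -> dict:
    """Split the uid=ipara description into serial, issuer and subject."""
    parts = desc.split(";", 3)
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError("unexpected uid=ipara description: %r" % desc)
    return {"serial": int(parts[1]), "issuer": parts[2], "subject": parts[3]}


def audit_ra_cert(certutil_by_host: dict, description_by_host: dict) -> list:
    """Return human-readable findings; an empty list means everything agrees."""
    findings = []
    nss = {h: parse_certutil_serial(t) for h, t in certutil_by_host.items()}
    # Per master: does the cert in the NSS database match what Dogtag expects?
    for host in sorted(nss):
        desc = description_by_host.get(host)
        if desc is None:
            findings.append("%s: no uid=ipara description available" % host)
            continue
        expected = parse_ipara_description(desc)["serial"]
        if nss[host] != expected:
            findings.append("%s: ipaCert serial %d but uid=ipara expects %d"
                            % (host, nss[host], expected))
    # Across masters: the RA cert should be the same everywhere.
    if len(set(nss.values())) > 1:
        findings.append("masters disagree on the ipaCert serial: "
                        + ", ".join("%s=%d" % kv for kv in sorted(nss.items())))
    return findings


if __name__ == "__main__":
    for line in audit_ra_cert(CERTUTIL_OUTPUT, IPARA_DESCRIPTION) or ["all masters agree"]:
        print(line)
```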

Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?

2016-06-20 Thread lejeczek



On 10/06/16 11:23, Alexander Bokovoy wrote:

On Fri, 10 Jun 2016, lejeczek wrote:

On Fri, 2016-06-10 at 11:01 +0200, Jakub Hrozek wrote:

On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> hi everyone
>
> there is a master IPA which in some weird way puts AD users into its ldap
> catalog. I say weird cause there is no trust nor other sync established,
> there was a trust agreement, one way type, but now 'trust-find' shows
> nothing, that trust was removed.
>
> but still when I create a user @AD DS a second later I see it in IPA's ldap,
> eg.
>
> dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
>
> how to trace the culprit config responsible for this?

Check the DN, this is not the IPA tree (cn=account), but the compat tree
(cn=compat) populated by the slapi-nis plugin. The intent is to make the
AD users available to non-SSSD clients that can only use LDAP as an
interface.

any chance this plugin gets included without user/admin intention, eg.
during migrate-ds ?

The slapi-nis plugin is enabled by default when IPA is installed because
ou=sudoers tree is emulated by the slapi-nis.

is ipa toolkit or I have to go directly to ldap to de/activate
plugin(s) ?

See ipa-compat-manage

I've set up another replica, configuration on sssd and kdc side virtually
identical, nsswitch too, ipa-compat-manage etc. No trust traces on both ends.
Master still (after reboot and sss_cache cleanup) receives, or rather pulls
AD's users, whereas replica(s) don't.

This is hilarious, but how is this possible?
I add a user @AD DC and on master I ldapsearch and first few 
lines are:


dn: cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: extensibleObject
cn: compat

dn: cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: extensibleObject
cn: users

dn: uid=bootc...@ccnr.priv.my.dom.local,cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: ccnr boot
gidNumber: 1952400513
gecos: ccnr boot
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0xMTQ0OTE1MDkxLTIyNTIxNzUyMTUtNzAyNTMwMDMyLT
 ExMzQ=
uidNumber: 1952401134
loginShell: /bin/bash
homeDirectory: /home/bootc...@ccnr.priv.my.dom.local
uid: bootc...@ccnr.priv.my.dom.local

dn: uid=testc...@ccnr.priv.my.dom.local,cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: ccnr tester
gidNumber: 1952400513
gecos: ccnr tester
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0xMTQ0OTE1MDkxLTIyNTIxNzUyMTUtNzAyNTMwMDMyLT
 ExMzM=
uidNumber: 1952401133
loginShell: /bin/bash
homeDirectory: /home/testc...@ccnr.priv.my.dom.local
uid: testc...@ccnr.priv.my.dom.local

could it be that the "compat" part happens only on the master? I
mean - should it only happen on the master? (even though replicas
use ipa-compat-manage)

regards,
L.
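The ipaAnchorUUID in those compat entries says exactly which AD object slapi-nis built each view from, and decoding it is the quickest way to confirm the entries are computed rather than stored. The following is an added example, not code from the thread or from the FreeIPA project: a small LDIF reader that unfolds RFC 2849 continuation lines, base64-decodes `::` values, tells cn=compat views apart from stored cn=accounts entries, and pulls the SID and RID out of the anchor. The sample LDIF is constructed from the two entries above (the uids are kept elided as the archive shows them); the third entry, uid=alice under cn=accounts, is invented for contrast.

```python
"""Explain where LDAP user entries on a FreeIPA server come from.

Added example, not code from the FreeIPA project.  cn=compat entries are
views computed by slapi-nis; when they carry an ipaAnchorUUID of the form
":SID:S-1-5-21-...", the view was built from a trusted-domain (AD) user.
"""
import base64
import re

# Constructed sample: the two compat entries from the thread (uids elided as
# in the archive) plus one invented, stored IPA user under cn=accounts.
SAMPLE_LDIF = """\
dn: uid=bootc...@ccnr.priv.my.dom.local,cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: ccnr boot
gidNumber: 1952400513
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0xMTQ0OTE1MDkxLTIyNTIxNzUyMTUtNzAyNTMwMDMyLT
 ExMzQ=
uidNumber: 1952401134
uid: bootc...@ccnr.priv.my.dom.local

dn: uid=testc...@ccnr.priv.my.dom.local,cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: posixAccount
cn: ccnr tester
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0xMTQ0OTE1MDkxLTIyNTIxNzUyMTUtNzAyNTMwMDMyLT
 ExMzM=
uidNumber: 1952401133
uid: testc...@ccnr.priv.my.dom.local

dn: uid=alice,cn=users,cn=accounts,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: posixAccount
uidNumber: 1001
uid: alice
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")
SID_RE = re.compile(r"^:SID:(S-1-\d+(?:-\d+)+)$")


def unfold(ldif_text):
    """Join RFC 2849 continuation lines (leading space) onto the line before."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(ldif_text):
    """Return entries as dicts of lowercased attribute -> list of values.
    'attr:: value' is base64; LDIF uses it when a value starts with ':'."""
    entries, current = [], {}
    for line in unfold(ldif_text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if not m or line.startswith("#"):
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def classify(entry):
    """Say which tree an entry lives in and, for compat views of AD users,
    which SID (and RID) slapi-nis derived it from."""
    dn = entry["dn"][0]
    rdns = [rdn.strip().lower() for rdn in dn.split(",")]
    if "cn=compat" in rdns:
        tree = "compat"        # computed view, nothing is stored here
    elif "cn=accounts" in rdns:
        tree = "accounts"      # real IPA entry
    else:
        tree = "other"
    info = {"dn": dn, "tree": tree,
            "uid": entry.get("uid", [None])[0],
            "uidNumber": entry.get("uidnumber", [None])[0],
            "sid": None, "rid": None}
    for anchor in entry.get("ipaanchoruuid", []):
        m = SID_RE.match(anchor)
        if m:
            info["sid"] = m.group(1)
            info["rid"] = int(m.group(1).rsplit("-", 1)[1])   # last SID component
    return info


def report(ldif_text):
    return [classify(e) for e in parse_ldif(ldif_text) if "dn" in e]


if __name__ == "__main__":
    for r in report(SAMPLE_LDIF):
        origin = "stored entry" if r["tree"] == "accounts" else "slapi-nis view"
        if r["sid"]:
            origin += " of trusted-domain user " + r["sid"]
        print(f"{r['uid']}: tree={r['tree']} uidNumber={r['uidNumber']} ({origin})")
```

Run it against real output with `ldapsearch -x -LLL -b cn=compat,... | python3 thisfile.py` after swapping SAMPLE_LDIF for stdin. Note how the uidNumbers in the sample differ from the RIDs by a constant (1952400000): that is SSSD's algorithmic ID mapping, a per-domain range base plus the RID, which is another sign the views were computed from AD SIDs rather than created by anyone.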


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Active Directory password sync fails with RC 34

2016-06-20 Thread Rich Megginson

On 06/18/2016 05:47 AM, Toby Gale wrote:


Hello,

After successfully adding a 'winsync' agreement and loading AD data 
into FreeIPA I am trying to configure the password sync software on 
the domain controllers.


I have installed the certificates and can successfully bind from the 
domain controller using ldp.exe and the 
'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.


I have edited the registry to increase logging, by setting 
'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am 
seeing the error:


06/17/16 08:47:32: Backoff time expired.  Attempting sync
06/17/16 08:47:32: Password list has 1 entries
06/17/16 08:47:32: Attempting to sync password for some.user
06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
06/17/16 08:47:32: Ldap error in QueryUsername
34: Invalid DN syntax



Take a look at the 389/dirsrv access log on your linux host at 
/var/log/dirsrv/slapd-HOSTNAME/access - see if you can find the error 
corresponding to this - it should be at the same approximate date/time 
(make sure you check your time zones) and the RESULT line should have err=34



06/17/16 08:47:32: Deferring password change for some.user
06/17/16 08:47:32: Backing off for 1024000ms

When I run the query from the CLI, it is successful:

$ ldapsearch -x -H ldaps://localhost:636 \
  -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' -w 'password' \
  -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' '(ntuserdomainid=some.user)'


Can anyone help me resolve this?

Thanks.





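To do the access-log check Rich describes, here is an added example (not part of the thread, of 389-ds or of PassSync) that walks a dirsrv access log, joins each RESULT err=34 to the BIND and SRCH lines on the same connection and operation, and normalises the timestamp to UTC so it can be lined up with the PassSync log despite the time-zone difference he warns about. The log lines are constructed in the access-log layout; the connection numbers, client addresses and the malformed search base are assumptions made for the sample, not the cause of Toby's error.

```python
"""Join 389-ds access-log RESULT lines carrying a given error code to the
request and bind DN behind them.  Added example, not 389-ds or PassSync code."""
import re
from datetime import datetime, timezone

# Constructed sample in the dirsrv access-log layout.  Connection numbers,
# addresses and the malformed search base (",domain," has no attribute type)
# are assumptions for the demo, not what was wrong in the thread.
SAMPLE_ACCESS_LOG = """\
[17/Jun/2016:10:47:32 +0200] conn=1482 fd=66 slot=66 SSL connection from 192.0.2.10 to 192.0.2.1
[17/Jun/2016:10:47:32 +0200] conn=1482 op=0 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com" method=128 version=3
[17/Jun/2016:10:47:32 +0200] conn=1482 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com"
[17/Jun/2016:10:47:32 +0200] conn=1482 op=1 SRCH base="cn=users,cn=accounts,dc=my,domain,dc=com" scope=2 filter="(ntuserdomainid=some.user)" attrs=ALL
[17/Jun/2016:10:47:32 +0200] conn=1482 op=1 RESULT err=34 tag=101 nentries=0 etime=0
[17/Jun/2016:10:47:33 +0200] conn=1483 fd=67 slot=67 connection from 192.0.2.11 to 192.0.2.1
[17/Jun/2016:10:47:33 +0200] conn=1483 op=0 BIND dn="" method=128 version=3
[17/Jun/2016:10:47:33 +0200] conn=1483 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[17/Jun/2016:10:47:33 +0200] conn=1483 op=1 SRCH base="cn=users,cn=accounts,dc=my,dc=domain,dc=com" scope=2 filter="(uid=alice)" attrs="uid"
[17/Jun/2016:10:47:33 +0200] conn=1483 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+)")


def to_utc(ts):
    """dirsrv stamps lines with the server's local offset; normalise so they
    can be compared with a log written on a host in another time zone."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)


def find_results(log_text, err=34):
    """One record per RESULT line with the given error, joined to the request
    it answers (same conn/op) and to the DN bound on that connection."""
    bind_dn = {}   # conn -> DN presented on the last BIND of that connection
    pending = {}   # (conn, op) -> one-line description of the request
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        b = BIND_RE.match(rest)
        if b:
            bind_dn[conn] = b.group("dn") or "(anonymous)"
            pending[(conn, op)] = "BIND dn=%r" % b.group("dn")   # a bad bind DN also gives err=34
            continue
        s = SRCH_RE.match(rest)
        if s:
            pending[(conn, op)] = "SRCH base=%r filter=%r" % (s.group("base"), s.group("filter"))
            continue
        r = RESULT_RE.match(rest)
        if r and int(r.group("err")) == err:
            hits.append({
                "time_utc": to_utc(m.group("ts")).isoformat(),
                "conn": conn,
                "op": op,
                "bind_dn": bind_dn.get(conn, "(no BIND seen)"),
                "request": pending.get((conn, op), "(request line not seen)"),
            })
    return hits


if __name__ == "__main__":
    for h in find_results(SAMPLE_ACCESS_LOG):
        print("%(time_utc)s conn=%(conn)s op=%(op)s as %(bind_dn)s -> %(request)s" % h)
```

On a real server feed it `/var/log/dirsrv/slapd-HOSTNAME/access` (access logging is buffered, so the lines may lag the PassSync timestamp by a little). Because the RESULT line for a BIND is tracked too, the same pass shows whether the invalid DN is in the bind or in the search that PassSync sends.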

Re: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1

2016-06-20 Thread Tomasz Torcz
On Sat, Jun 18, 2016 at 11:02:23PM -0400, Rob Crittenden wrote:
> > 
> >Most of the functions work, but 5) I cannot get 
> > Authentication→Certificates
> > list:
> > 
> > On okda, going to Certificates list yields ”Certificate operation cannot be 
> > completed: Unable to communicate with CMS (Internal Server Error)”
> > and error_log contains:
> > [Sat Jun 18 18:59:10.523796 2016] [wsgi:error] [pid 748083] 
> > falsefalsefalsefalsefalsetruefalsefalsefalsefalsefalsefalse
> > [Sat Jun 18 18:59:11.244206 2016] [wsgi:error] [pid 748083] ipa: DEBUG: 
> > HTTP Response code: 500
> > [Sat Jun 18 18:59:11.248305 2016] [wsgi:error] [pid 748083] ipa: ERROR: 
> > ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS 
> > (Internal Server Error)
> > [Sat Jun 18 18:59:11.336576 2016] [wsgi:error] [pid 748083] ipa: DEBUG: 
> > WSGI wsgi_execute PublicError: Traceback (most recent call last):
> > [Sat Jun 18 18:59:11.336895 2016] [wsgi:error] [pid 748083]   File 
> > "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in 
> > wsgi_execute
> > [Sat Jun 18 18:59:11.337011 2016] [wsgi:error] [pid 748083] result = 
> > self.Command[name](*args, **options)
> > [Sat Jun 18 18:59:11.337086 2016] [wsgi:error] [pid 748083]   File 
> > "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 446, in __call__
> > [Sat Jun 18 18:59:11.337156 2016] [wsgi:error] [pid 748083] ret = 
> > self.run(*args, **options)
> > [Sat Jun 18 18:59:11.337241 2016] [wsgi:error] [pid 748083]   File 
> > "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 763, in run
> > [Sat Jun 18 18:59:11.337311 2016] [wsgi:error] [pid 748083] return 
> > self.execute(*args, **options)
> > [Sat Jun 18 18:59:11.337373 2016] [wsgi:error] [pid 748083]   File 
> > "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 819, in 
> > execute
> > [Sat Jun 18 18:59:11.337417 2016] [wsgi:error] [pid 748083] 
> > result=self.Backend.ra.find(options)
> > [Sat Jun 18 18:59:11.337455 2016] [wsgi:error] [pid 748083]   File 
> > "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1861, 
> > in find
> > [Sat Jun 18 18:59:11.337493 2016] [wsgi:error] [pid 748083] 
> > detail=e.msg)
> > [Sat Jun 18 18:59:11.337566 2016] [wsgi:error] [pid 748083]   File 
> > "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1331, 
> > in raise_certificate_operation_error
> > [Sat Jun 18 18:59:11.337653 2016] [wsgi:error] [pid 748083] raise 
> > errors.CertificateOperationError(error=err_msg)
> > [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] 
> > CertificateOperationError: Certificate operation cannot be completed: 
> > Unable to communicate with CMS (Internal Server Error)
> > [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
> > [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: 
> > [jsonserver_session] ad...@pipebreaker.pl: cert_find(version=u'2.164'): 
> > CertificateOperationError
> > 
> >How to fix those?
> 
> You'll need to look at the dogtag debug log for the reason it threw a 500,
> it's in /var/log/pki-tomcat/ca or something close to that.


  I've looked into the logs but I'm none the wiser.  Is there a setting to get
rid of the java traceback in the logs and get more useful messages?  There seems
to be a problem with the SSL connection to port 636, maybe because it seems to
use an expired certificate?

$ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
verify return:1
depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
verify error:num=10:certificate has expired
notAfter=Nov 17 12:19:28 2015 GMT
verify return:1
depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
notAfter=Nov 17 12:19:28 2015 GMT
verify return:1
DONE



Log from /var/log/pki/pki-tomcat/ca/system:

0.localhost-startStop-1 - [18/Jun/2016:18:54:09 CEST] [8] [3] In Ldap (bound) 
connection pool to host okda.pipebreaker.pl port 636, Cannot connect to LDAP 
server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket 
(-1)



Log from /var/log/pki/pki-tomcat/ca/debug:

[18/Jun/2016:18:54:03][localhost-startStop-1]: 

[18/Jun/2016:18:54:03][localhost-startStop-1]: =  DEBUG SUBSYSTEM INITIALIZED   ===
[18/Jun/2016:18:54:03][localhost-startStop-1]: 

[18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: restart at 
autoShutdown? false
[18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: autoShutdown crumb 
file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: about to look for 
cert for auto-shutdown support:auditSigningCert cert-pki-ca
[18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: found 
cert:auditSigningCert cert-pki-ca
[18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: done init id=debug
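An expired 389-ds server certificate is exactly what certmonger's tracking list should surface, so here is an added example (not FreeIPA or certmonger code) that parses the output of `getcert list`, sorts the tracked requests by expiry and flags those that are already expired or whose request is not in MONITORING state. The sample text is constructed in the layout `getcert list` prints; the first request reuses the subject and notAfter seen in the openssl output above, while the request IDs, the second and third requests and the ca-error text are invented.

```python
"""Parse 'getcert list' output and flag tracked certificates that are
expired or whose certmonger request is not healthy.  Added example, not
FreeIPA or certmonger code."""
import re
from datetime import datetime, timezone

# Constructed sample in the layout getcert list prints.  The first request
# reuses the subject and notAfter from the openssl output in the thread; the
# request IDs, the other two requests and the ca-error text are invented.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20131117121928':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PIPEBREAKER-PL',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-PIPEBREAKER-PL',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=PIPEBREAKER.PL
\tsubject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
\texpires: 2015-11-17 12:19:28 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20131117121930':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, will retry.
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=PIPEBREAKER.PL
\tsubject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
\texpires: 2015-11-17 12:19:30 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20131117121932':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=PIPEBREAKER.PL
\tsubject: CN=CA Audit,O=PIPEBREAKER.PL
\texpires: 2017-11-17 12:19:32 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert(text):
    """Return one dict per 'Request ID' block with its indented 'key: value' fields."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is not None and line[:1] in ("\t", " ") and ": " in line:
            key, _, value = line.strip().partition(": ")
            current[key] = value.strip()
    return requests


def expiry_report(text, now):
    """Rows sorted soonest-expiring first.  'needs_attention' is set when the
    certificate is already expired or the request is not in MONITORING
    (e.g. CA_UNREACHABLE, which is what a CA that cannot start produces)."""
    rows = []
    for req in parse_getcert(text):
        expires = req.get("expires")
        if not expires:          # request that has not received a certificate yet
            continue
        exp = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        days_left = (exp - now).total_seconds() / 86400.0
        rows.append({
            "id": req["id"],
            "subject": req.get("subject"),
            "storage": req.get("certificate"),
            "status": req.get("status"),
            "expires": exp.isoformat(),
            "days_left": round(days_left, 1),
            "expired": days_left < 0,
            "needs_attention": days_left < 0 or req.get("status") != "MONITORING",
        })
    rows.sort(key=lambda r: r["days_left"])
    return rows


# Fixed reference time for the demo: the Dogtag start seen in the thread,
# 18:54:09 CEST on 18 Jun 2016, expressed in UTC.
DEMO_NOW = datetime(2016, 6, 18, 16, 54, 9, tzinfo=timezone.utc)


def demo():
    return expiry_report(SAMPLE_GETCERT, DEMO_NOW)


if __name__ == "__main__":
    for r in demo():
        flag = "!!" if r["needs_attention"] else "ok"
        print(f"{flag} {r['days_left']:>8} days  {r['status']:<15} {r['subject']}  [{r['storage']}]")
```

For a live check call `expiry_report(subprocess.check_output(["getcert", "list"], text=True), datetime.now(timezone.utc))`. The ordering matters when repairing: certmonger renews through the CA, and in the thread the CA cannot even start because its LDAP connection to port 636 fails on the expired server certificate, so the 389-ds certificate has to be dealt with before any of the others can renew.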

Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-06-20 Thread Petr Spacek
On 18.6.2016 15:03, Günther J. Niederwimmer wrote:
> hello,
> 
>> On Friday, 17 June 2016 at 23:05:32 CEST, Martin Basti wrote:
>> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> On Friday, 17 June 2016 at 14:13:55 CEST, Martin Basti wrote:
 On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
> Hello List,
>
> On Friday, 17 June 2016 at 07:51:45 CEST, Petr Spacek wrote:
>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
 Hello

 on my system the ods-exporter i mean have a problem.

 I have this in the logs
 CentOS 7.(2) ipa 4.3.1

 Jun 16 11:38:28 ipa ipa-ods-exporter: raise
 errors.ACIError(info=info)
 Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
 Insufficient
 access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
 failure.
 Minor code may provide more information (Ticket expired)

>>> ^^
>>>  
>>>  Here seems to be a reason why it failed.
>>>  But I can't help you more.
>>
>> Lukas is right. Interesting, this should never happen :-)
>
> this have I also found ;-)
>
>> Please enable debugging using procedure
>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
>> and check logs after next ipa-ods-exporter restart.
>> Thank you!
>
> OK,
>
> I attache the messages log?
>
> I mean this is a problem with my DNS ?

 Hello,
 can you check kerberos status of ipa-ods-exporter service in webUI?

 identity/services/ipa-ods-exported/
 There should be kerberos status in right top corner in details view
>>>
>>> I have a
>>> identity/services/ipa-ods-exporter/..
>>>
>>> with a "Kerberos Key Present, Service Provisioned"
>>>
>>> but no Certificate ?
>>
>> Can you try,
>>
>> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab
>> ipa-ods-exporter/$(hostname)
> 
> OK
> I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/$(hostname)"
> 
> written on one line!! Is this OK?
> 
>  
>> and do ldapsearch
>> # ldapsearch -Y GSSAPI
> 
> and also ldapsearch is OK
> 
>> It should show us if keytab is okay
> 
> But the Error is present :-(.

We need to see precise error. Please copy it into the e-mail.

It would be awesome if you could follow general rules for bug reporting:
http://www.chiark.greenend.org.uk/~sgtatham/bugs-de.html

Besides other things it would allow us to help you in shorter time.

Have a nice day!

-- 
Petr^2 Spacek
