Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-06-26 Thread John Obaterspok
Hi,

I've been running F23 + mod_nss 1.0.14-1 for months to get SubjectAltName
to work.
F24 update brings back mod_nss to 1.0.12-4 and now SubjectAltName doesn't
work any more. Is there any chance 1.0.14 will make it in as an F24 update?
(I can add karma if needed)

-- john

2016-04-25 19:26 GMT+02:00 John Obaterspok:

> Thanks Rob!
>
> I rebuilt the mod_nss-1.0.14-1 version from rawhide for my F23 IPA server
> and it works like a charm.
>
> Thanks,
>
>john
>
> 2016-04-25 16:47 GMT+02:00 Rob Crittenden:
>
>> John Obaterspok wrote:
>>
>>>
>>> 2016-02-11 1:34 GMT+01:00 Fraser Tweedale:
>>>
>>> On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
>>>  > 2016-02-06 23:29 GMT+01:00 Rob Crittenden:
>>>
>>>  >
>>>  > > John Obaterspok wrote:
>>>  > >
>>>  > >> Hi,
>>>  > >>
>>>  > >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to
>>> ipa.my.lan
>>>  > >>
>>>  > >> I recently started to get nss error "SSL peer has no
>>> certificate for the
>>>  > >> requested DNS name." when I'm accessing my
>>> https://gitserver.my.lan
>>>  > >>
>>>  > >> Previously this worked fine if I had set "git config --global
>>>  > >> http.sslVerify false" according to
>>>  > >>
>>>
>>> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
>>>  > >>
>>>  > >> Now I tried to solve this by adding a SubjectAltName to the
>>>  > >> HTTP/ipa.my.lan certificate like this:
>>>  > >>
>>>  > >> status: MONITORING
>>>  > >> stuck: no
>>>  > >> key pair storage:
>>>  > >>
>>>
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>  > >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>  > >> certificate:
>>>  > >>
>>>
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>  > >> Certificate DB'
>>>  > >> CA: IPA
>>>  > >> issuer: CN=Certificate Authority,O=MY.LAN
>>>  > >> subject: CN=ipa.my.lan,O=MY.LAN
>>>  > >> expires: 2018-02-06 19:24:52 UTC
>>>  > >> dns: gitserver.my.lan,ipa.my.lan
>>>  > >> principal name: http/ipa.my@my.lan
>>>  > >> key usage:
>>>  > >>
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>  > >> eku: id-kp-serverAuth,id-kp-clientAuth
>>>  > >> pre-save command:
>>>  > >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>  > >> track: yes
>>>  > >> auto-renew: yes
>>>  > >>
>>>  > >> But I still get the below error:
>>>  > >>
>>>  > >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
>>>  > >> * SSL peer has no certificate for the requested DNS name
>>>  > >>
>>>  > >
>>>  > > What version of mod_nss? It recently added support for SNI. You
>>> can try
>>>  > > turning it off by adding NSSSNI off to
>>> /etc/httpd/conf.d/nss.conf but I'd
>>>  > > imagine you were already relying on it.
>>>  > >
>>>  > >
>>>  > Hi,
>>>  >
>>>  > Turning it off didn't help
>>>  >
>>>  > I'm on F23 with latest updates so I have mod_nss-1.0.12-1
>>>  > I noticed it worked if I set "ServerName gitserver.my.lan" in
>>>  > gitserver.conf, but then I got the NAME ALERT when accessing
>>> ipa.my.lan.
>>>  >
>>>  > I then tried to put ipa.conf in  but then I
>>> got error
>>>  > about SSL_ERROR_RX_RECORD_TOO_LONG
>>>  >
>>>  > gitserver.conf has this:
>>>  >
>>>  > 
>>>  > DocumentRoot /opt/wwwgit
>>>  > SetEnv GIT_PROJECT_ROOT /opt/wwwgit
>>>  > SetEnv GIT_HTTP_EXPORT_ALL
>>>  > SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
>>>  > ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
>>>  >
>>>  > ServerName gitserver.my.lan
>>>  >
>>>  >   
>>>  >   Options Indexes
>>>  >   AllowOverride None
>>>  >   Require all granted
>>>  >  
>>>  >
>>>  >  
>>>  >   Options Indexes
>>>  >   AllowOverride None
>>>  >   Require all granted
>>>  >  
>>>  >
>>>  > 
>>>  >   #SSLRequireSSL
>>>  >   AuthType Kerberos
>>>  >   AuthName "Kerberos Login"
>>>  >   KrbAuthRealm MY.LAN
>>>  >   Krb5KeyTab /etc/httpd/conf/ipa.keytab
>>>  >   KrbMethodNegotiate on
>>>  >   KrbMethodK5Passwd off # Set to on to query for pwd if
>>> negotiation
>>>  > failed due to no ticket available
>>>  >   KrbSaveCredentials on
>>>  >   KrbVerifyKDC on
>>>  >   KrbServiceName HTTP/ipa.my@my.lan
>>>  >
>>>  >   AuthLDAPUrl
>>> 
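The two name checks behind the errors in this thread, written out as an added example (this is not mod_nss or FreeIPA code, and the vhost/SNI function is only a model of the behaviour the thread describes, not an account of how mod_nss is implemented). The server receives the SNI name gitserver.my.lan and either picks a certificate for it or answers with an unrecognized_name alert, which NSS on the client reports as SSL_ERROR_UNRECOGNIZED_NAME_ALERT; after the handshake the client then matches the name it asked for against the certificate's subjectAltName dNSName entries, and per RFC 6125 falls back to the subject CN only when the certificate has no dNSName SAN at all. The certificate data is taken from the certmonger status above; the single-vhost layout and the `check_san` switch are assumptions for the example. The matcher also covers wildcard names, which the thread does not use:

```python
"""Hostname and SNI checks behind the errors quoted in the thread above.

Added example, not project code. The vhost/SNI logic is a model of the
behaviour described in the thread (ServerName-only matching in the older
mod_nss versus accepting names the certificate carries), not mod_nss itself.
"""
from typing import Dict, List, Optional

UNRECOGNIZED_NAME = "alert: unrecognized_name"


def host_matches_pattern(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison of one certificate name against a host.

    A wildcard is accepted only as the entire leftmost label of a name with at
    least two further labels ("*.my.lan"), and it matches exactly one label:
    it neither spans "a.b.my.lan" nor matches the bare "my.lan".
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels = pattern.split(".")
    hlabels = host.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in lab for lab in plabels[1:]):
        return False
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False
    return plabels[1:] == hlabels[1:]


def cert_matches_host(subject_cn: Optional[str], san_dns: List[str], host: str) -> bool:
    """True if a certificate with this subject CN and SAN dNSName list is valid for host.

    Once any dNSName SAN is present the CN is ignored entirely, which is why
    the certificate in the thread carries BOTH ipa.my.lan and gitserver.my.lan
    in its dns: list rather than relying on CN=ipa.my.lan.
    """
    if san_dns:
        return any(host_matches_pattern(name, host) for name in san_dns)
    return subject_cn is not None and host_matches_pattern(subject_cn, host)


def sni_decision(sni_host: str, vhosts: List[Dict], check_san: bool) -> str:
    """Model of a server choosing a vhost for an SNI name (assumption, not mod_nss code).

    check_san=False: accept the SNI name only when it equals a vhost's
    ServerName, so gitserver.my.lan is refused even though the certificate
    carries it (the behaviour the thread reports for the older mod_nss).
    check_san=True: also accept any vhost whose certificate is valid for the
    SNI name. Returns the selected ServerName or the alert string.
    """
    for vh in vhosts:
        if vh["server_name"].lower() == sni_host.lower():
            return vh["server_name"]
    if check_san:
        for vh in vhosts:
            if cert_matches_host(vh["cn"], vh["san"], sni_host):
                return vh["server_name"]
    return UNRECOGNIZED_NAME


# The certificate from the certmonger status in the thread (subject CN and dns: list).
IPA_CERT = {"cn": "ipa.my.lan", "san": ["gitserver.my.lan", "ipa.my.lan"]}
# A single vhost whose ServerName is the IPA host: an assumed layout for this example.
VHOSTS = [dict(server_name="ipa.my.lan", **IPA_CERT)]


if __name__ == "__main__":
    for sni in ("ipa.my.lan", "gitserver.my.lan"):
        print(sni, "| ServerName only:", sni_decision(sni, VHOSTS, False),
              "| SAN aware:", sni_decision(sni, VHOSTS, True))
```

Running it shows the two states the thread goes through: with ServerName-only matching the SNI gitserver.my.lan gets the alert while ipa.my.lan is served, and with SAN-aware matching both names resolve to the same vhost and certificate. The client-side check is the other half: before the dns: entry was added, `cert_matches_host("ipa.my.lan", [], "gitserver.my.lan")` is False, which is the name mismatch that http.sslVerify false was hiding.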

[Freeipa-users] How to automatically group new users under Stage Users when users are synced from AD

2016-06-26 Thread Supratik Goswami
Hi

I am using ipa-server-4.2.0  in my environment, it is having winsync
agreement with the AD server.
I want to move all new users to "Stage Users" state automatically when they
are synced from the AD, can anyone please guide me on how to achieve it?

Any help is highly appreciated.

-- 
Warm Regards

Supratik
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] disaster recovery

2016-06-26 Thread Robert Story
Hello,

I was running a single ipa instance on Centos 7 for a small lab
(ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64), and the disk was corrupted.
I have a (mostly) full backup (/var/log/ and /var/run/ excluded), which I
restored. ipa server didn't start, and wanted me to run
ipa-server-upgrade. This failed, and I see this in the log:

2016-06-25T23:16:37Z DEBUG Mounting ipaserver.rpcserver.jsonserver_kerb() at 
'/json'
2016-06-25T23:16:37Z DEBUG session_auth_duration: 0:20:00
2016-06-25T23:16:37Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2016-06-25T23:16:37Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", 
line 47, in run
server.upgrade_check(self.options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1573, in upgrade_check
sys.exit(1)

2016-06-25T23:16:37Z DEBUG The ipa-server-upgrade command failed, exception: 
SystemExit: 1


I tried starting dirsrv@DOMAIN manually, and I get this in the dirsrv log:


[26/Jun/2016:01:46:54 -0400] - 389-Directory/1.3.4.0 B2016.175.1716 starting up
[26/Jun/2016:01:46:54 -0400] - WARNING: changelog: entry cache size 2097152B is 
less than db size 143196160B; We recommend to increase the entry cache size 
nsslapd-cachememsize.
[26/Jun/2016:01:46:54 -0400] - Detected Disorderly Shutdown last time Directory 
Server was running, recovering database.
[26/Jun/2016:01:46:55 -0400] - libdb: BDB2506 file userRoot/id2entry.db has LSN 
4336/2969724, past end of log at 1/176
[26/Jun/2016:01:46:56 -0400] - libdb: BDB2507 Commonly caused by moving a 
database from one database environment
[26/Jun/2016:01:46:56 -0400] - libdb: BDB2508 to another without clearing the 
database LSNs, or by removing all of
[26/Jun/2016:01:46:56 -0400] - libdb: BDB2509 the log files from a database 
environment
[26/Jun/2016:01:46:57 -0400] - dbp->open("userRoot/id2entry.db") failed: 
Invalid argument (22)
[26/Jun/2016:01:46:57 -0400] - dblayer_instance_start fail: Invalid argument 
(22)
[26/Jun/2016:01:46:57 -0400] - libdb: BDB2506 file ipaca/id2entry.db has LSN 
4336/2990140, past end of log at 1/288
[26/Jun/2016:01:46:57 -0400] - libdb: BDB2507 Commonly caused by moving a 
database from one database environment
[26/Jun/2016:01:46:57 -0400] - libdb: BDB2508 to another without clearing the 
database LSNs, or by removing all of
[26/Jun/2016:01:46:57 -0400] - libdb: BDB2509 the log files from a database 
environment
[26/Jun/2016:01:46:57 -0400] - dbp->open("ipaca/id2entry.db") failed: Invalid 
argument (22)
[26/Jun/2016:01:46:58 -0400] - dblayer_instance_start fail: Invalid argument 
(22)
[26/Jun/2016:01:46:58 -0400] - libdb: BDB2506 file changelog/id2entry.db has 
LSN 4336/2921967, past end of log at 1/288
[26/Jun/2016:01:46:58 -0400] - libdb: BDB2507 Commonly caused by moving a 
database from one database environment
[26/Jun/2016:01:46:58 -0400] - libdb: BDB2508 to another without clearing the 
database LSNs, or by removing all of
[26/Jun/2016:01:46:58 -0400] - libdb: BDB2509 the log files from a database 
environment
[26/Jun/2016:01:46:58 -0400] - dbp->open("changelog/id2entry.db") failed: 
Invalid argument (22)
[26/Jun/2016:01:46:58 -0400] - dblayer_instance_start fail: Invalid argument 
(22)
[26/Jun/2016:01:46:58 -0400] - start: Failed to start databases, err=22 Invalid 
argument


So I'm trying to figure out if I can salvage this restored VM, or if I need
to reinstall from scratch; and if I do reinstall, am I going to be able to
restore my old data somehow. I have a funny feeling that there are
important files in /var/log and/or /var/run and I'm up the creek without a
paddle.

And yes, once I have a working system again I'm going to set up a replica
to help avoid this mess in the future.

Robert

-- 
Senior Software Engineer @ Parsons


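What the BDB2506 lines in the message above are saying, with a small parser over them as an added example (not FreeIPA or 389 DS code). Every Berkeley DB page records the log sequence number (LSN, written as logfile/offset) of the last transaction-log record that modified it, and on open BDB refuses a file whose pages point past the end of the environment's current log. The data files and the log files (log.NNNNNNNNNN) both live in the instance's db directory under /var/lib/dirsrv, so nothing excluded from this backup under /var/log or /var/run is involved; the pairs "4336/... past end of log at 1/176" mean the .db files and the log files were not taken from the same point in time, and since the log is back at file 1 there is nothing for recovery to replay. A file-level copy of a running instance is not a consistent backup; the consistent ones for IPA are the archives produced by ipa-backup (restored with ipa-restore) or a 389 db2bak/LDIF export. The log text below is constructed from the message, with each record re-joined onto one line where the archive wrapped it:

```python
"""Parser for the libdb BDB2506 errors quoted in the message above.

Added example, not 389 DS or FreeIPA code. Extracts, for each affected data
file, the LSN stamped on its pages and the end of the current transaction
log, and reports the backends whose files are ahead of the log.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the message above; one record per line.
SAMPLE_ERRORS_LOG = """\
[26/Jun/2016:01:46:54 -0400] - 389-Directory/1.3.4.0 B2016.175.1716 starting up
[26/Jun/2016:01:46:54 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[26/Jun/2016:01:46:55 -0400] - libdb: BDB2506 file userRoot/id2entry.db has LSN 4336/2969724, past end of log at 1/176
[26/Jun/2016:01:46:57 -0400] - dbp->open("userRoot/id2entry.db") failed: Invalid argument (22)
[26/Jun/2016:01:46:57 -0400] - libdb: BDB2506 file ipaca/id2entry.db has LSN 4336/2990140, past end of log at 1/288
[26/Jun/2016:01:46:57 -0400] - dbp->open("ipaca/id2entry.db") failed: Invalid argument (22)
[26/Jun/2016:01:46:58 -0400] - libdb: BDB2506 file changelog/id2entry.db has LSN 4336/2921967, past end of log at 1/288
[26/Jun/2016:01:46:58 -0400] - dbp->open("changelog/id2entry.db") failed: Invalid argument (22)
[26/Jun/2016:01:46:58 -0400] - start: Failed to start databases, err=22 Invalid argument
"""

LSN = Tuple[int, int]  # (log file number, byte offset); tuple order is LSN order

LSN_RE = re.compile(
    r"libdb: BDB2506 file (?P<file>\S+) has LSN (?P<db_file>\d+)/(?P<db_off>\d+), "
    r"past end of log at (?P<log_file>\d+)/(?P<log_off>\d+)"
)
FAIL_RE = re.compile(r"start: Failed to start databases, err=(?P<errno>\d+)")


def parse_lsn_errors(log_text: str) -> List[Dict]:
    """One record per BDB2506 line: backend, file, page LSN, and current log end."""
    records = []
    for line in log_text.splitlines():
        m = LSN_RE.search(line)
        if not m:
            continue
        path = m.group("file")
        records.append({
            "backend": path.split("/", 1)[0],  # userRoot, ipaca, changelog, ...
            "file": path,
            "db_lsn": (int(m.group("db_file")), int(m.group("db_off"))),
            "log_end": (int(m.group("log_file")), int(m.group("log_off"))),
        })
    return records


def affected_backends(log_text: str) -> List[str]:
    """Backends whose data files reference log records beyond the log end, in log order."""
    seen: List[str] = []
    for r in parse_lsn_errors(log_text):
        if r["db_lsn"] > r["log_end"] and r["backend"] not in seen:
            seen.append(r["backend"])
    return seen


def log_was_reset(log_text: str) -> bool:
    """True when every reported log end lies in log file 1: the environment's
    log is essentially fresh while the data files are far ahead of it, so
    recovery has nothing to replay and the files must come from a real backup."""
    recs = parse_lsn_errors(log_text)
    return bool(recs) and all(r["log_end"][0] == 1 for r in recs)


def startup_errno(log_text: str) -> Optional[int]:
    """errno from the final 'Failed to start databases' line, if present."""
    m = FAIL_RE.search(log_text)
    return int(m.group("errno")) if m else None


if __name__ == "__main__":
    for r in parse_lsn_errors(SAMPLE_ERRORS_LOG):
        print(f"{r['backend']:10s} pages at LSN {r['db_lsn']}  log ends at {r['log_end']}")
    print("affected:", affected_backends(SAMPLE_ERRORS_LOG),
          "log reset:", log_was_reset(SAMPLE_ERRORS_LOG),
          "errno:", startup_errno(SAMPLE_ERRORS_LOG))
```

Pointed at a real /var/log/dirsrv/slapd-INSTANCE/errors (after the wrapped lines are joined) this tells you which backends were restored out of step with the log. Here all three (userRoot, ipaca and the replication changelog) are, and the log is at file 1, so the honest answer to the question in the message is that this copy of the db directory cannot be recovered in place; the data has to come from an ipa-backup archive, a db2bak backup or an LDIF export taken while the server was consistent.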