Re: [Freeipa-users] is an IPA Server, but it might be unknown, foreign or previously deleted one
pgb205 wrote:
> so initially the setup was with ipa-server-03 having replication to
> ipa-server-02. i have then decommissioned ipa-server-03 and set up a new one
> with the same name. right now replication is between ipa-server-03 and
> ipa-server-01 but i would want to add another replication agreement 02 and
> 03 same as before but am getting the error message.

Details, need details. What does decommissioned mean? What commands did you
run? How were the current agreements created? ipa-replica-manage,
automatically when one was created as a replica of another?

> All systems are centos 7 so I'd expect freeipa to be the latest version.

Latest doesn't mean anything, especially if someone finds this thread in the
future.

rpm -q ipa-server

rob

> From: Rob Crittenden
> To: Martin Basti; pgb205; Freeipa-users
> Sent: Friday, August 5, 2016 9:28 AM
> Subject: Re: [Freeipa-users] is an IPA Server, but it might be unknown, foreign or previously deleted one
>
> Martin Basti wrote:
>> On 05.08.2016 05:24, pgb205 wrote:
>>> my previous setup was
>>> srv2->replica
>>> srv1->srv2
>>>
>>> I have removed replica and set it up with the one with identical hostname.
>>> Now I have replication from srv1->replica
>>> and am trying to create another agreement from srv2=>replica
>>> but i am getting the error message above. My guess is that old
>>> hostname is there somewhere
>>> but ipa-replica-manage del command does not produce any results.
>>
>> Hello,
>>
>> I don't see the error message you are referring to
>
> This is an IPA 3.0 error message from ticket
> https://fedorahosted.org/freeipa/ticket/3105
>
> What do you mean you removed it and setup an identical one? Did you do this
> with ipa-replica-install?
>
> ipa-replica-manage is looking up the masters and it doesn't consider
> replica a master which is why it is throwing this error.
>
> I'd double-check that replication is working properly. On each master run:
>
> ipa-replica-manage list -v `hostname`
>
> And really, ipa-replica-manage list should show a list of all known
> masters.
>
> rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] is an IPA Server, but it might be unknown, foreign or previously deleted one
so initially the setup was with ipa-server-03 having replication to
ipa-server-02. i have then decommissioned ipa-server-03 and set up a new one
with the same name. right now replication is between ipa-server-03 and
ipa-server-01 but i would want to add another replication agreement 02 and
03 same as before but am getting the error message.

All systems are centos 7 so I'd expect freeipa to be the latest version.

From: Rob Crittenden
To: Martin Basti; pgb205; Freeipa-users
Sent: Friday, August 5, 2016 9:28 AM
Subject: Re: [Freeipa-users] is an IPA Server, but it might be unknown, foreign or previously deleted one

Martin Basti wrote:
> On 05.08.2016 05:24, pgb205 wrote:
>> my previous setup was
>> srv2->replica
>> srv1->srv2
>>
>> I have removed replica and set it up with the one with identical hostname.
>> Now I have replication from srv1->replica
>> and am trying to create another agreement from srv2=>replica
>> but i am getting the error message above. My guess is that old
>> hostname is there somewhere
>> but ipa-replica-manage del command does not produce any results.
>
> Hello,
>
> I don't see the error message you are referring to

This is an IPA 3.0 error message from ticket
https://fedorahosted.org/freeipa/ticket/3105

What do you mean you removed it and setup an identical one? Did you do this
with ipa-replica-install?

ipa-replica-manage is looking up the masters and it doesn't consider
replica a master which is why it is throwing this error.

I'd double-check that replication is working properly. On each master run:

ipa-replica-manage list -v `hostname`

And really, ipa-replica-manage list should show a list of all known
masters.

rob
[Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE
We have FreeIPA 3.0.0 running on CentOS 6.4, with master ipa01 (configured
with the --setup-ca option) and replica ipa02 (configured without
--setup-ca). We use a script to add ipa clients to the server; when we tried
to add new ipa clients, we are getting this error:

  ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
  Unspecified GSS failure. Minor code may provide more information (KDC
  returned error string: NOT_ALLOWED_TO_DELEGATE)

What we have noticed is that memberPrincipal: HTTP/ipa02.teloip@teloip.net
is missing on both master and replica servers.

IPA Master:

  [root@ipa01 ~]# ldapsearch -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
  # extended LDIF
  #
  # LDAPv3
  # base <cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
  # filter: (objectclass=*)
  # requesting: ALL
  #

  # ipa-http-delegation, s4u2proxy, etc, teloip.net
  dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
  objectClass: ipaKrb5DelegationACL
  objectClass: groupOfPrincipals
  objectClass: top
  ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
  ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
  memberPrincipal: HTTP/ipa01.teloip@teloip.net
  cn: ipa-http-delegation

  # search result
  search: 2
  result: 0 Success

  # numResponses: 2
  # numEntries: 1
  [root@ipa01 ~]#

IPA Replica:

  [root@ipa02 /]# ldapsearch -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
  # extended LDIF
  #
  # LDAPv3
  # base <cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
  # filter: (objectclass=*)
  # requesting: ALL
  #

  # ipa-http-delegation, s4u2proxy, etc, teloip.net
  dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
  cn: ipa-http-delegation
  memberPrincipal: HTTP/ipa01.teloip@teloip.net
  ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
  ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
  objectClass: ipaKrb5DelegationACL
  objectClass: groupOfPrincipals
  objectClass: top

  # search result
  search: 2
  result: 0 Success

  # numResponses: 2
  # numEntries: 1

Your help is highly appreciated,

Linov Suresh.
Re: [Freeipa-users] Querying the dir srv
On 08/04/2016 06:43 PM, Sean Hogan wrote:
> Thanks Ben.. appreciated.. will give it a go. Do you guys recommend any
> specific ldap viewer to view the internals? I was looking at apache dir
> studio I think it was... but needs java and I don't want to add java to a
> server that does not have it increasing the mitigation/vulnerability factor
> of the box.
>
> I ran ipa host-find --all and noticed this setting in the list
> Keytab: True
>
> I am thinking Keytab entry = enroll true

That is correct. Enrolled == true in Web UI means has_keytab in CLI which
means that the host object has the krbprincipalkey LDAP attribute set.

> Sean Hogan
>
> From: Ben Lipton
> To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users
> Date: 08/04/2016 09:08 AM
> Subject: Re: [Freeipa-users] Querying the dir srv
>
> On 08/04/2016 11:31 AM, Sean Hogan wrote:
>> Hi All,
>>
>> Where can I find information about the IPA schema as in what = what in
>> the dir srv? I do not have a ldap viewer.
>> I am looking to pull specific info from it such as a list of servers
>> that have enrolled = true and have been playing with ldapsearch to no
>> avail.
>
> You could try something like 'ipa <object>-show --all <name>' to see the
> dn of the associated LDAP object for a particular IPA entity. This would
> give you a sense of what tree to ldapsearch. You could try adding the
> --raw flag as well to see the LDAP attributes of the object.
>
> # ipa user-show --all admin
> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=domain
> [...]
>
> # ldapsearch -xLLL -D cn='Directory manager' -w <password> \
>     -b 'cn=users,cn=accounts,dc=example,dc=domain' '(objectClass=*)' '*' | \
>     perl -p0e 's/\n //g' | less
>
> You can also take a look at
> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/constants.py#n78
> for a list of LDAP entities that act as containers for IPA objects
> (subtrees to search under).
>
> Someone else may have some better ideas, but maybe this can get you started.
>
> Ben

--
Petr Vobornik
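Both the NOT_ALLOWED_TO_DELEGATE question above and this thread come down to reading raw ldapsearch output without an LDAP browser. The script below is an added example written for this page, not FreeIPA project code and not from any of the posters. It does what Ben's perl one-liner does (joins LDIF continuation lines), groups attributes per entry, and then answers the two concrete questions: which servers' HTTP/<fqdn>@REALM principals are absent from the cn=ipa-http-delegation memberPrincipal list, and which host entries under cn=computers are enrolled, using Petr's definition (krbPrincipalKey present, which the CLI shows as "Keytab: True"). The server names, realm, suffix and both LDIF dumps are constructed placeholders. The ldapmodify text it emits assumes what the installer normally does (each server's HTTP principal is added to that entry); whether a missing entry is the poster's actual root cause is not settled in the thread, so review it before applying.

```python
"""Read FreeIPA ldapsearch (LDIF) output and answer two questions from the threads.

Added example for this page; not FreeIPA code. Placeholder names throughout.
"""

# Constructed dump of cn=ipa-http-delegation (compare the poster's output above).
DELEGATION_LDIF = """\
# ipa-http-delegation, s4u2proxy, etc, example.test
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=exam
 ple,dc=test
memberPrincipal: HTTP/ipa01.example.test@EXAMPLE.TEST
cn: ipa-http-delegation

# search result
search: 2
result: 0 Success
"""

# Constructed dump of two host entries under cn=computers,cn=accounts.
# krbPrincipalKey is binary, so ldapsearch base64-encodes it ("::"); shortened here.
HOSTS_LDIF = """\
dn: fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test
objectClass: ipaHost
fqdn: web1.example.test
krbPrincipalName: host/web1.example.test@EXAMPLE.TEST
krbPrincipalKey:: MIIBAQ==

dn: fqdn=web2.example.test,cn=computers,cn=accounts,dc=example,dc=test
objectClass: ipaHost
fqdn: web2.example.test
krbPrincipalName: host/web2.example.test@EXAMPLE.TEST
"""


def unfold(ldif_text):
    """Join LDIF continuation lines (leading space) and drop '#' comment lines."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(ldif_text):
    """Return {dn: {attribute_lowercase: [values]}}; '::' values stay base64-encoded."""
    entries, current = {}, None
    for line in unfold(ldif_text):
        if not line.strip():
            current = None                  # a blank line ends the entry
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        attr, value = attr.strip().lower(), value.lstrip(":").strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:           # skips the "search:/result:" trailer
            current.setdefault(attr, []).append(value)
    return entries


def missing_http_principals(ldif_text, servers, realm):
    """(dn, servers whose HTTP/<fqdn>@<realm> is absent from memberPrincipal)."""
    entries = parse_entries(ldif_text)
    dn = next(d for d in entries if d.lower().startswith("cn=ipa-http-delegation,"))
    present = {p.lower() for p in entries[dn].get("memberprincipal", [])}
    return dn, [s for s in servers if f"http/{s}@{realm}".lower() not in present]


def ldapmodify_add_principals(dn, servers, realm):
    """ldapmodify input that would add the missing principals (assumed fix; review first)."""
    lines = [f"dn: {dn}", "changetype: modify", "add: memberPrincipal"]
    lines += [f"memberPrincipal: HTTP/{s}@{realm}" for s in servers]
    return "\n".join(lines) + "\n"


def enrolled_hosts(ldif_text):
    """FQDNs of ipaHost entries carrying krbPrincipalKey, i.e. Keytab: True in the CLI."""
    enrolled = []
    for attrs in parse_entries(ldif_text).values():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "ipahost" in classes and "krbprincipalkey" in attrs:
            enrolled.extend(attrs.get("fqdn", []))
    return sorted(enrolled)


if __name__ == "__main__":
    dn, missing = missing_http_principals(
        DELEGATION_LDIF, ["ipa01.example.test", "ipa02.example.test"], "EXAMPLE.TEST")
    print("missing from delegation ACL:", missing)
    print(ldapmodify_add_principals(dn, missing, "EXAMPLE.TEST"))
    print("enrolled hosts:", enrolled_hosts(HOSTS_LDIF))
```

To run it against a real server, capture the dumps with the ldapsearch commands from the threads (the cn=computers subtree needs a bind that may read krbPrincipalKey, such as Directory Manager, so the attribute is actually returned) and pass the captured text in place of the constructed strings. Feeding the generated text to ldapmodify also needs a privileged bind; cn=etc is part of the replicated tree, so one modify on either master is enough, which is consistent with the poster seeing identical entries on both servers.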
Re: [Freeipa-users] is an IPA Server, but it might be unknown, foreign or previously deleted one
Martin Basti wrote:
> On 05.08.2016 05:24, pgb205 wrote:
>> my previous setup was
>> srv2->replica
>> srv1->srv2
>>
>> I have removed replica and set it up with the one with identical hostname.
>> Now I have replication from srv1->replica
>> and am trying to create another agreement from srv2=>replica
>> but i am getting the error message above. My guess is that old
>> hostname is there somewhere
>> but ipa-replica-manage del command does not produce any results.
>
> Hello,
>
> I don't see the error message you are referring to

This is an IPA 3.0 error message from ticket
https://fedorahosted.org/freeipa/ticket/3105

What do you mean you removed it and setup an identical one? Did you do this
with ipa-replica-install?

ipa-replica-manage is looking up the masters and it doesn't consider
replica a master which is why it is throwing this error.

I'd double-check that replication is working properly. On each master run:

ipa-replica-manage list -v `hostname`

And really, ipa-replica-manage list should show a list of all known
masters.

rob
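Rob's two checks (is the host a registered master, and is every existing agreement healthy) are easy to eyeball on two servers and tedious on more. The following is an added example written for this page, not FreeIPA code and not from the thread: it parses the text that `ipa-replica-manage list` and `ipa-replica-manage list -v HOST` print and reports a target that is not in the masters list (the condition behind the "unknown, foreign or previously deleted" message), agreements whose last update failed, and agreements pointing at a host that is no longer a master, which is what a stale agreement from a decommissioned server with a reused name looks like. The sample outputs and hostnames are constructed; the line layout ("fqdn: role" headers, indented "last init/update status/ended" lines) is what 3.x/4.x servers print in my experience and is an assumption here.

```python
"""Check a FreeIPA replication topology from ipa-replica-manage output.

Added example for this page; not FreeIPA project code. Placeholder hostnames.
"""
import re

# Constructed sample of `ipa-replica-manage list` on ipa-server-01.
MASTERS_OUTPUT = """\
ipa-server-01.example.test: master
ipa-server-02.example.test: master
"""

# Constructed sample of `ipa-replica-manage list -v ipa-server-01.example.test`.
AGREEMENTS_OUTPUT = """\
ipa-server-03.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-08-05 09:00:00+00:00
ipa-server-02.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (81) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 2016-08-05 08:00:00+00:00
"""

HEADER = re.compile(r"^(\S+):\s+(\S+)\s*$")   # "fqdn: master" / "fqdn: replica"


def parse_masters(text):
    """Return {fqdn: role} from `ipa-replica-manage list`."""
    masters = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            masters[m.group(1).lower()] = m.group(2)
    return masters


def parse_agreements(text):
    """Return one dict per agreement from `ipa-replica-manage list -v HOST`."""
    agreements = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if agreements:                  # indented detail line belongs to the last header
                key, _, value = line.strip().partition(":")
                agreements[-1][key.strip()] = value.strip()
        else:
            m = HEADER.match(line)
            if m:
                agreements.append({"peer": m.group(1).lower(), "role": m.group(2)})
    return agreements


def update_ok(status):
    """389-ds reports success as 'Error (0) ...'; 'None' means no update has run yet."""
    return status is not None and status != "None" and status.startswith("Error (0)")


def diagnose(masters_text, agreements_text, agreement_target):
    """Findings before creating an agreement from this master to agreement_target."""
    masters = parse_masters(masters_text)
    target = agreement_target.lower()
    findings = []
    if target not in masters:
        findings.append(f"{target} is not in the masters list; ipa-replica-manage will "
                        f"refuse to create an agreement to it")
    for a in parse_agreements(agreements_text):
        status = a.get("last update status")
        if not update_ok(status):
            findings.append(f"agreement with {a['peer']}: last update failed: {status}")
        if a["peer"] not in masters:
            findings.append(f"agreement with {a['peer']} exists but it is not a registered "
                            f"master (stale agreement from a previous install?)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(MASTERS_OUTPUT, AGREEMENTS_OUTPUT, "ipa-server-03.example.test"):
        print("-", finding)
```

Run the two commands on each master, save their output, and feed the saved text in place of the constructed strings; a target missing from the masters list is the case where re-running ipa-replica-install on the replica, rather than adding agreements by hand, is the way to get it registered again.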
Re: [Freeipa-users] IPA and FIPS 140-2
Are you now asking about when the upstream version is FIPS compliant or some
downstream distribution?

If you are asking about RHEL, as indicated by
https://bugzilla.redhat.com/show_bug.cgi?id=1125174 the bug is still in a NEW
state. Given the state of the RHEL-7.3 life cycle, it is too late to add it
there. However, as Rob mentioned, it would be really great if you file a
support case (if we are talking about RHEL) and get it linked to that bug.
Due to the interest, it is already high in the RHEL-7.4 considerations, but
adding +1 won't hurt and you may also receive updates on development status.

Martin

On 08/04/2016 06:40 PM, Michael Sean Conley wrote:
> Is there any indication of a timeframe for it to become FIPS compliant? If
> we are talking weeks, rather than years...
>
> Michael Sean Conley
>
> From: Rob Crittenden
> To: Michael Sean Conley, freeipa-users@redhat.com
> Date: 08/04/2016 11:37 AM
> Subject: Re: [Freeipa-users] IPA and FIPS 140-2
>
> Michael Sean Conley wrote:
>> Does ANYONE have any experience getting IPA to work with FIPS?
>>
>> We're trying desperately to get this going, as we have some requirements
>> that the Identity Management Tool we choose must be FIPS 140-2 compliant.
>
> No, it doesn't work in FIPS mode yet. If you open a support case with
> Red Hat your case can be added to
> https://bugzilla.redhat.com/show_bug.cgi?id=1125174
>
> While most, if not all, of the individual components can run in FIPS
> mode there are a lot of moving parts to coordinate to ensure they comply
> with the FIPS Security Policy and to handle some corner cases in the
> management framework.
>
> rob
Re: [Freeipa-users] Querying the dir srv
On 04.08.2016 18:43, Sean Hogan wrote:
> Thanks Ben.. appreciated.. will give it a go. Do you guys recommend any
> specific ldap viewer to view the internals? I was looking at apache dir
> studio I think it was... but needs java and I don't want to add java to a
> server that does not have it increasing the mitigation/vulnerability factor
> of the box.
>
> I ran ipa host-find --all and noticed this setting in the list
> Keytab: True
>
> I am thinking Keytab entry = enroll true
>
> Sean Hogan

You can use also the --raw option together with --all to see raw LDAP values.

I use apache directory studio and ldapsearch.

Martin

> From: Ben Lipton
> To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users
> Date: 08/04/2016 09:08 AM
> Subject: Re: [Freeipa-users] Querying the dir srv
>
> On 08/04/2016 11:31 AM, Sean Hogan wrote:
>> Hi All,
>>
>> Where can I find information about the IPA schema as in what = what in
>> the dir srv? I do not have a ldap viewer.
>> I am looking to pull specific info from it such as a list of servers
>> that have enrolled = true and have been playing with ldapsearch to no
>> avail.
>
> You could try something like 'ipa <object>-show --all <name>' to see the
> dn of the associated LDAP object for a particular IPA entity. This would
> give you a sense of what tree to ldapsearch. You could try adding the
> --raw flag as well to see the LDAP attributes of the object.
>
> # ipa user-show --all admin
> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=domain
> [...]
>
> # ldapsearch -xLLL -D cn='Directory manager' -w <password> \
>     -b 'cn=users,cn=accounts,dc=example,dc=domain' '(objectClass=*)' '*' | \
>     perl -p0e 's/\n //g' | less
>
> You can also take a look at
> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/constants.py#n78
> for a list of LDAP entities that act as containers for IPA objects
> (subtrees to search under).
>
> Someone else may have some better ideas, but maybe this can get you started.
>
> Ben
Re: [Freeipa-users] is an IPA Server, but it might be unknown, foreign or previously deleted one
On 05.08.2016 05:24, pgb205 wrote:
> my previous setup was
> srv2->replica
> srv1->srv2
>
> I have removed replica and set it up with the one with identical hostname.
> Now I have replication from srv1->replica
> and am trying to create another agreement from srv2=>replica
> but i am getting the error message above. My guess is that old
> hostname is there somewhere
> but ipa-replica-manage del command does not produce any results.

Hello,

I don't see the error message you are referring to

Martin