Re: [Freeipa-users] sssd.conf - the server and host-client relationship

2016-09-21 Thread Lachlan Musicman
My translations of your comments are inline; if you could correct them, I'd
appreciate that.

On 20 September 2016 at 17:11, Lukas Slebodnik  wrote:

> >--
> >[domain/unixdev.etc]
> >ignore_group_members = True
> It was probably set as a result of performance tuning.
>
> >ldap_purge_cache_timeout = 0
> That's default since 1.13.0
>
> >subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> that's specific option for sssd on IPA server
>


I presume your comment suggests ignore_group_members is no longer needed,
and since the lpct=0 is now default, then subdomain_inherit is also
superfluous?



> >selinux_provider = none
> It was probably set as a workaround for a bug which has already been
> fixed.
>

We set this because of an error in libsemanage, but I think that was an
upstream (selinux) issue?
https://www.redhat.com/archives/freeipa-users/2016-July/msg00244.html

Not sure if I should disable just yet - was this fixed?


>
> >ipa_server_mode = True
> that's specific option for sssd on IPA server
>
>
I take it that this means it's still used.



> >sudo_provider = ldap
> >ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
> >ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
> >ldap_sasl_mech = GSSAPI
> >ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
> >ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
> >krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
> Previous 7 options are not required since sssd-1.10
>

Yep, I added those because of disconnect between the different info sources
made it hard to tell what was canonical, so I followed the red hat guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html

mostly because I didn't quite understand the sssd-sudo man page (because
sometimes I find man pages obtuse), but also there was an inconsistency
with the local man page and the die.net mirror
https://linux.die.net/man/5/sssd-sudo and this howto
https://blog-rcritten.rhcloud.com/?p=52


> >
> >[sssd]
> >config_file_version = 2
> >domains = unixdev.etc
> >
> >[nss]
> >memcache_timeout = 600
> This option is set by ipa-*-install on ipa server mode.
>

These I will leave.

Cheers
L.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] down master still in ldap, prevents re-enrolement

2016-09-21 Thread pgb205
Topology prior to deletion:
master1 <-> master2
master2 deleted with ipa-server --uninstall command.
During re-installation I get error that the replication agreement still exists
on master1. I do see this using ipa-replica-manage list.
Tried deleting replication agreement with ipa-replica-manage disconnect but
receive 'no such replication agreement exist'.
Force deletion and cleanup do not work; receive unexpected error: Server is
unwilling to perform: database is read-only

Removing directly from ldap gives me:
ldapdelete -r -x -D "cn=Directory Manager" -W 'cn=fqdn,cn=masters,cn=ipa,cn=etc,dc=domain,dc=com'
Enter LDAP Password:
ldap_delete: Server is unwilling to perform (53)
ldap_delete: Server is unwilling to perform (53)
        additional info: database is read-only
But I am not sure if I'm not using the correct path or if it's something else.
Might be related to Bug 826677 – IPA cannot remove disconnected replica data
to reconnect


Re: [Freeipa-users] Replication issues (was Me Again)

2016-09-21 Thread Ian Harding
On 09/21/2016 11:43 AM, Rob Crittenden wrote:
> Ian Harding wrote:
>> I used to have a lot of replicas, but like a house of cards, it all came
>> crashing down.
>>
>> I was down to two, that seemed to be replicating, but last few days I've
>> noticed that they haven't always been.
>>
>> freeipa-sea.bpt.rocks is where we do all our admin.
>> seattlenfs.bpt.rocks is also up and running and can be used for
>> authentication.
>>
>> When I noticed that logins were failing after password changes I did
>>
>> ipa-replica-manage re-initialize --from=freeipa-sea.bpt.rocks
> 
> Note that this is the hammer approach. Diagnosing the underlying issues
> would probably be best.
> 
> What is the output of:
> 
> $ rpm -q 389-ds-base freeipa-server
> 
> (or ipa-server depending on distro).
> 
> That will give us the info needed to suggest what else to look for.
> 
> rob
> 

Hammer sounds pretty good.

# rpm -q 389-ds-base ipa-server
389-ds-base-1.3.4.0-33.el7_2.x86_64
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64

>>
>> on seattlenfs.bpt.rocks and replication appeared to be working again.
>>
>> Well it happened again, and this time I peeked at the dirsrv errors log
>> and saw some scary things having to do with the CA.
>>
>> [19/Sep/2016:02:55:50 -0700] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>> -1 (Can't contact LDAP server) ((null)) errno 0 (Success)
>> [19/Sep/2016:02:55:50 -0700] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1
>> (Can't contact LDAP server)
>> [19/Sep/2016:02:55:50 -0700] NSMMReplicationPlugin -
>> agmt="cn=meTofreeipa-sea.bpt.rocks" (freeipa-sea:389): Replication bind
>> with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
>> [19/Sep/2016:02:56:04 -0700] NSMMReplicationPlugin -
>> agmt="cn=meTofreeipa-sea.bpt.rocks" (freeipa-sea:389): Replication bind
>> with GSSAPI auth resumed
>> [20/Sep/2016:10:18:25 -0700] NSMMReplicationPlugin -
>> multimaster_be_state_change: replica dc=bpt,dc=rocks is going offline;
>> disabling replication
>> [20/Sep/2016:10:18:26 -0700] - WARNING: Import is running with
>> nsslapd-db-private-import-mem on; No other process is allowed to access
>> the database
>> [20/Sep/2016:10:18:29 -0700] - import userRoot: Workers finished;
>> cleaning up...
>> [20/Sep/2016:10:18:29 -0700] - import userRoot: Workers cleaned up.
>> [20/Sep/2016:10:18:29 -0700] - import userRoot: Indexing complete.
>> Post-processing...
>> [20/Sep/2016:10:18:29 -0700] - import userRoot: Generating
>> numsubordinates (this may take several minutes to complete)...
>> [20/Sep/2016:10:18:29 -0700] - import userRoot: Generating
>> numSubordinates complete.
>> [20/Sep/2016:10:18:29 -0700] - import userRoot: Gathering ancestorid
>> non-leaf IDs...
>> [20/Sep/2016:10:18:29 -0700] - import userRoot: Finished gathering
>> ancestorid non-leaf IDs.
>> [20/Sep/2016:10:18:29 -0700] - import userRoot: Creating ancestorid
>> index (new idl)...
>> [20/Sep/2016:10:18:29 -0700] - import userRoot: Created ancestorid index
>> (new idl).
>> [20/Sep/2016:10:18:29 -0700] - import userRoot: Flushing caches...
>> [20/Sep/2016:10:18:29 -0700] - import userRoot: Closing files...
>> [20/Sep/2016:10:18:29 -0700] - import userRoot: Import complete.
>> Processed 1324 entries in 3 seconds. (441.33 entries/sec)
>> [20/Sep/2016:10:18:29 -0700] NSMMReplicationPlugin -
>> multimaster_be_state_change: replica dc=bpt,dc=rocks is coming online;
>> enabling replication
>> [20/Sep/2016:10:18:29 -0700] NSMMReplicationPlugin - replica_reload_ruv:
>> Warning: new data for replica dc=bpt,dc=rocks does not match the data in
>> the changelog.
>>   Recreating the changelog file. This could affect replication with
>> replica's  consumers in which case the consumers should be reinitialized.
>> [20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
>> cn=groups,cn=compat,dc=bpt,dc=rocks does not exist
>> [20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
>> cn=computers,cn=compat,dc=bpt,dc=rocks does not exist
>> [20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
>> cn=ng,cn=compat,dc=bpt,dc=rocks does not exist
>> [20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
>> ou=sudoers,dc=bpt,dc=rocks does not exist
>> [20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
>> cn=users,cn=compat,dc=bpt,dc=rocks does not exist
>> [20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
>> cn=vaults,cn=kra,dc=bpt,dc=rocks does not exist
>> [20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
>> cn=vaults,cn=kra,dc=bpt,dc=rocks does not exist
>> [20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
>> cn=vaults,cn=kra,dc=bpt,dc=rocks does not exist
>> [20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
>> cn=vaults,cn=kra,dc=bpt,dc=rocks does not exist
>> [20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
>> cn=vaults,cn=kra,dc=bpt,dc=rocks does not exist
>> 

Re: [Freeipa-users] Replication issues (was Me Again)

2016-09-21 Thread Rob Crittenden

Ian Harding wrote:

I used to have a lot of replicas, but like a house of cards, it all came
crashing down.

I was down to two, that seemed to be replicating, but last few days I've
noticed that they haven't always been.

freeipa-sea.bpt.rocks is where we do all our admin.
seattlenfs.bpt.rocks is also up and running and can be used for
authentication.

When I noticed that logins were failing after password changes I did

ipa-replica-manage re-initialize --from=freeipa-sea.bpt.rocks


Note that this is the hammer approach. Diagnosing the underlying issues 
would probably be best.


What is the output of:

$ rpm -q 389-ds-base freeipa-server

(or ipa-server depending on distro).

That will give us the info needed to suggest what else to look for.

rob



on seattlenfs.bpt.rocks and replication appeared to be working again.

Well it happened again, and this time I peeked at the dirsrv errors log
and saw some scary things having to do with the CA.

[19/Sep/2016:02:55:50 -0700] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-1 (Can't contact LDAP server) ((null)) errno 0 (Success)
[19/Sep/2016:02:55:50 -0700] slapi_ldap_bind - Error: could not perform
interactive bind for id [] authentication mechanism [GSSAPI]: error -1
(Can't contact LDAP server)
[19/Sep/2016:02:55:50 -0700] NSMMReplicationPlugin -
agmt="cn=meTofreeipa-sea.bpt.rocks" (freeipa-sea:389): Replication bind
with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[19/Sep/2016:02:56:04 -0700] NSMMReplicationPlugin -
agmt="cn=meTofreeipa-sea.bpt.rocks" (freeipa-sea:389): Replication bind
with GSSAPI auth resumed
[20/Sep/2016:10:18:25 -0700] NSMMReplicationPlugin -
multimaster_be_state_change: replica dc=bpt,dc=rocks is going offline;
disabling replication
[20/Sep/2016:10:18:26 -0700] - WARNING: Import is running with
nsslapd-db-private-import-mem on; No other process is allowed to access
the database
[20/Sep/2016:10:18:29 -0700] - import userRoot: Workers finished;
cleaning up...
[20/Sep/2016:10:18:29 -0700] - import userRoot: Workers cleaned up.
[20/Sep/2016:10:18:29 -0700] - import userRoot: Indexing complete.
Post-processing...
[20/Sep/2016:10:18:29 -0700] - import userRoot: Generating
numsubordinates (this may take several minutes to complete)...
[20/Sep/2016:10:18:29 -0700] - import userRoot: Generating
numSubordinates complete.
[20/Sep/2016:10:18:29 -0700] - import userRoot: Gathering ancestorid
non-leaf IDs...
[20/Sep/2016:10:18:29 -0700] - import userRoot: Finished gathering
ancestorid non-leaf IDs.
[20/Sep/2016:10:18:29 -0700] - import userRoot: Creating ancestorid
index (new idl)...
[20/Sep/2016:10:18:29 -0700] - import userRoot: Created ancestorid index
(new idl).
[20/Sep/2016:10:18:29 -0700] - import userRoot: Flushing caches...
[20/Sep/2016:10:18:29 -0700] - import userRoot: Closing files...
[20/Sep/2016:10:18:29 -0700] - import userRoot: Import complete.
Processed 1324 entries in 3 seconds. (441.33 entries/sec)
[20/Sep/2016:10:18:29 -0700] NSMMReplicationPlugin -
multimaster_be_state_change: replica dc=bpt,dc=rocks is coming online;
enabling replication
[20/Sep/2016:10:18:29 -0700] NSMMReplicationPlugin - replica_reload_ruv:
Warning: new data for replica dc=bpt,dc=rocks does not match the data in
the changelog.
  Recreating the changelog file. This could affect replication with
replica's  consumers in which case the consumers should be reinitialized.
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
cn=groups,cn=compat,dc=bpt,dc=rocks does not exist
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
cn=computers,cn=compat,dc=bpt,dc=rocks does not exist
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
cn=ng,cn=compat,dc=bpt,dc=rocks does not exist
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
ou=sudoers,dc=bpt,dc=rocks does not exist
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
cn=users,cn=compat,dc=bpt,dc=rocks does not exist
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=bpt,dc=rocks does not exist
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=bpt,dc=rocks does not exist
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=bpt,dc=rocks does not exist
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=bpt,dc=rocks does not exist
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=bpt,dc=rocks does not exist
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=bpt,dc=rocks does not exist
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=bpt,dc=rocks does not exist
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=bpt,dc=rocks does not exist
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=bpt,dc=rocks does not exist
[20/Sep/2016:10:18:29 -0700] NSACLPlugin - The 

Re: [Freeipa-users] FreeIPA client installation on ubuntu, 14.04

2016-09-21 Thread Sebastien Julliot
Hello Deepak,

If you know in advance what inputs you want to enter, you can try
putting them in a file "inputs" and executing
apt-get install freeipa-client -y < inputs

> I am trying to install freeipa client on my ubuntu client via ansible
> script. I have "apt-get update" and "apt-get install freeipa-client -y"
> these basic commands added in my playbook, but the problem is when I run
> "apt-get install freeipa-client" with or without -y option it opens up
> some graphical interface confirming the IPA realm and other details. I
> did not find any option within "apt-get install freeipa-client" to make
> the deployment unattended. Can anyone please tell me how I can
> automate ipa-client installation on ubuntu?





Re: [Freeipa-users] Samba Server setup

2016-09-21 Thread Alexander Bokovoy

On Wed, 21 Sep 2016, Brook, Andy [CRI] wrote:

On 9/16/16, 12:02 PM, "Alexander Bokovoy"  wrote:

   On Fri, 16 Sep 2016, Brook, Andy [CRI] wrote:
   >You can replace actual hostnames/realm names/IP addresses by something 
more generic
   >in the output when sending to the list, but please do it consistently.
   >
   >I’m sorry. I thought I had been consistent when making changes, but
   >from your response, it looks like I wasn’t. I’m sorry about that. I got
   >yelled at by our security team last time we sent logs to a public list
   >that had any type of identifiable information in them, so it’s sort of
   >a new process for me. I think I have it down now.
   >
   >The results of the commands are here: http://pastebin.com/PRwr7wv6
   So IPA side works fine -- on IPA client you can kinit as AD user and
   then obtain cross-realm TGT to IPA realm and use that cross-realm TGT to
   request a service ticket to cifs/... service. That's good.

   You need to identify what happens on AD side. A possible issue is that
   name suffix routing to IPA domain is disabled.

   Can you provide output of netdom.exe run on Windows side:

 netdom trust addom.domain /namesuffixes: ipa.domain

   You should get something like example 28 on the page
   https://msdn.microsoft.com/en-us/library/cc776879(v=ws.10).aspx

Thank you for this. I went to run the command and kept getting an
“Incorrect parameter” error. After that I talked to one of our Active
Directory admins and he mentioned that we are working on resolving a
disjoint namespace error on addom. I don’t understand enough about it,
but do know that it can cause issues with Kerberos authentication
across domains. That should get fixed soon. Once that gets fixed, I’ll
test again.

I have one more related question. The instruction page states that
NTLMSSP authentication isn’t working as of yet, as well as you
mentioned it earlier in this thread. Is there a bug or feature request
that is tracking that?

https://fedorahosted.org/sssd/ticket/2012 is a tracker. We have
gss-ntlmssp implemented but it depends on winbindd and there are things
which are not done yet in making sssd/winbindd co-working.

We had few talks about possible ways to integrate around that topic at
SambaXP 2016 conference:
https://sambaxp.org/archive_data/SambaXP2016-SLIDES/wed/sambaxp2016-wed-Simo_Sorce-SambaAndLinuxDistributionsLetsIntegrateBetter.pdf
https://sambaxp.org/archive_data/SambaXP2016-SLIDES/wed/sambaxp2016-wed-Sumit_Bose-WinbindAndSSSDCanTheyBeFriends/

--
/ Alexander Bokovoy


Re: [Freeipa-users] CA Fails to build Replica (w/External CA)

2016-09-21 Thread Korey Chapman
On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek  wrote:
> On 09/21/2016 02:13 AM, Korey Chapman wrote:
>
> Hello list,
>
> I'm currently attempting to add a second CA server to our IPA cluster (all
> servers Centos 7.2 with IPA 4.2.0). However, it is failing no matter how I
> try to setup the CA (ipa-replica-install with --setup-ca or
> ipa-replica-install followed by ipa-ca-install). The only useful thing in
> the logs is an error about a missing key for "trust_flags" in the pki setup.
> Our infrastructure uses FreeIPA with an external CA.
>
> Any ideas/help would be greatly appreciated. Here are the logs snips from my
> most recent attempt:
>
> Command output snip from "ipa-replica-install
> /root/replica-info-auth-002.XXX.gpg --setup-ca"
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
> seconds
>   [1/24]: creating certificate server user
>   [2/24]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
> instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt''
> returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
> logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERRORCA configuration
> failed
>
>
> Log snip from ipareplica-install.log:
>
> 2016-09-20T23:42:27Z DEBUG Starting external process
> 2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpYofMPt'
> 2016-09-20T23:42:31Z DEBUG Process finished, return code=1
> 2016-09-20T23:42:31Z DEBUG stdout=Log file:
> /var/log/pki/pki-ca-spawn.20160920234227.log
> Loading deployment configuration from /tmp/tmpYofMPt.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2016-09-20T23:42:31Z DEBUG
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html
>   InsecureRequestWarning)
> Traceback (most recent call last):
>   File "/bin/pki", line 254, in 
> cli.execute(sys.argv)
>   File "/bin/pki", line 240, in execute
> module.execute(module_args)
>   File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in
> execute
> module.execute(module_args)
>   File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in
> execute
> trust_flags = cert_info['trust_flags']
> KeyError: 'trust_flags'
>
>
> --
> Korey
>
>
> Hi Korey,
>
> could you check if there is any more info in /var/log/pki/pki-ca-spawn log?

Nothing really useful I see in the spawn log:
2016-09-20 23:42:31 pkispawn: DEBUG... Error Type: CalledProcessError
2016-09-20 23:42:31 pkispawn: DEBUG... Error Message:
Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C',
'/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file',
'/tmp/ca.p12', '--pkcs12-password-file',
'/tmp/tmps5OOav/password.txt', '--no-user-certs']' returned non-zero
exit status 1
2016-09-20 23:42:31 pkispawn: DEBUG...
  File "/usr/sbin/pkispawn", line 597, in main
    rv = scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 104, in spawn
    no_user_certs=True)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in import_pkcs12
    subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)

>
> It might also be helpful verify if correct trust flags are set in nssdb:
> certutil -d /etc/pki/pki-tomcat/alias/ -L
>

Run on the source ipa server (current CA server):
$ certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX Certificate Authority                                    CT,c,
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u


Run on the destination ipa server:
$ certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname
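
Tomas's suggestion in this thread is to compare the trust flags in the NSS database on both servers. As an added example (not code from the thread, from FreeIPA or from Dogtag), here is a small Python check that parses `certutil -L` output like the listing above and reports a CA certificate present without the C/T trust bits or absent altogether; the rules it applies and the two listings it is run on are constructed assumptions, not FreeIPA's own validation logic.

```python
"""Parse `certutil -d <nssdb> -L` output and sanity-check CA trust flags.

Added example, not part of the mailing-list thread. The expected-flag rules
below are assumptions modelled on the source server's listing in the thread:
a CA certificate should be trusted for SSL with both C (trusted CA) and
T (trusted CA for client auth), and the instance's own cert-pki-ca
certificates should carry 'u' (private key present).
"""
import re

# Constructed sample laid out like the *source* CA server's listing.
SOURCE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX Certificate Authority                                    CT,c,
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
"""

# Constructed sample of a database where the CA chain was imported but no
# trust flags were applied (the kind of state the pkcs12-import step would
# have to repair, and which the thread's KeyError suggests it never reached).
BROKEN_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX Certificate Authority                                    ,,
caSigningCert cert-pki-ca                                    u,u,u
"""

# A data line is: nickname, two or more spaces, three comma-separated flag
# groups (any of which may be empty, e.g. "CT,c,"). Header lines do not match
# because "Trust Attributes" has no commas and the second header line is
# indented (the nickname must start at column 0).
TRUST_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}"
    r"(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$"
)


def parse_certutil_listing(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)}."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("flags").split(","))
    return certs


def is_ca_nickname(nick):
    """Heuristic (assumption): which nicknames should be CA-trusted."""
    return "Certificate Authority" in nick or nick.startswith("caSigningCert")


def check_ca_trust(certs):
    """Return a list of human-readable problems; empty means the listing
    passes the (assumed) rules described at the top of this file."""
    problems = []
    ca_nicks = [n for n in certs if is_ca_nickname(n)]
    if not ca_nicks:
        problems.append("no CA certificate present in the database")
    for nick in ca_nicks:
        ssl_flags = certs[nick][0]
        if "C" not in ssl_flags or "T" not in ssl_flags:
            problems.append(
                f"{nick}: SSL trust is '{ssl_flags}', expected C and T"
            )
    for nick, (ssl_flags, _smime, _jar) in certs.items():
        if nick.endswith("cert-pki-ca") and "u" not in ssl_flags:
            problems.append(f"{nick}: no private key in the database ('u')")
    return problems


if __name__ == "__main__":
    for label, listing in (("source", SOURCE_LISTING), ("broken", BROKEN_LISTING)):
        found = check_ca_trust(parse_certutil_listing(listing))
        print(f"{label}: {'OK' if not found else '; '.join(found)}")
```

Run it against `certutil -d /etc/pki/pki-tomcat/alias/ -L` output captured from both servers to see at a glance whether the replica's database is missing the external CA or its trust bits.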

Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-21 Thread Natxo Asenjo
hi Petr,

On Wed, Sep 21, 2016 at 4:38 PM, Petr Vobornik  wrote:

> On 09/21/2016 10:50 AM, Natxo Asenjo wrote:
>
> > When I try to resubmit certificates from certmonger they still hit the
> kdc01 web
> > server, so the requests hang on an status: CA_UNREACHABLE
> >  ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.
> > Certificate operation cannot be completed: Failure decoding Certificate
> Signing
> > Request).
>
> Where does it happen? On arbitrary client which was installed in a past
> against the removed kdc01?
>

yes.


>
> If so could you look into /etc/ipa/default.conf and change host option
> from kdc01 to the 7.2 IPA server?
>
>
ok, done.

In fact, changing both the domain and the xmlrpc_uri directives in the global
section was necessary. Now it worked :-)

So, what should be the correct value for both directives when using DNS
discovery?

thanks!
--
Groeten,
natxo

Re: [Freeipa-users] Samba Server setup

2016-09-21 Thread Brook, Andy [CRI]
On 9/16/16, 12:02 PM, "Alexander Bokovoy"  wrote:

On Fri, 16 Sep 2016, Brook, Andy [CRI] wrote:
>You can replace actual hostnames/realm names/IP addresses by something 
more generic
>in the output when sending to the list, but please do it consistently.
>
>I’m sorry. I thought I had been consistent when making changes, but
>from your response, it looks like I wasn’t. I’m sorry about that. I got
>yelled at by our security team last time we sent logs to a public list
>that had any type of identifiable information in them, so it’s sort of
>a new process for me. I think I have it down now.
>
>The results of the commands are here: http://pastebin.com/PRwr7wv6
So IPA side works fine -- on IPA client you can kinit as AD user and
then obtain cross-realm TGT to IPA realm and use that cross-realm TGT to
request a service ticket to cifs/... service. That's good.

You need to identify what happens on AD side. A possible issue is that
name suffix routing to IPA domain is disabled.

Can you provide output of netdom.exe run on Windows side:

  netdom trust addom.domain /namesuffixes: ipa.domain

You should get something like example 28 on the page
https://msdn.microsoft.com/en-us/library/cc776879(v=ws.10).aspx

Thank you for this. I went to run the command and kept getting an “Incorrect 
parameter” error. After that I talked to one of our Active Directory admins and 
he mentioned that we are working on resolving a disjoint namespace error on 
addom. I don’t understand enough about it, but do know that it can cause issues 
with Kerberos authentication across domains. That should get fixed soon. Once 
that gets fixed, I’ll test again. 

I have one more related question. The instruction page states that NTLMSSP 
authentication isn’t working as of yet, as well as you mentioned it earlier in 
this thread. Is there a bug or feature request that is tracking that? 

Andy Brook
Sr. Systems Administrator | Center for Research Informatics | University of 
Chicago
T: 773-834-0458 | http://cri.uchicago.edu







Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-21 Thread Petr Vobornik
On 09/21/2016 10:50 AM, Natxo Asenjo wrote:
> hi,
> 
> I followed the instructions here: 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
> 
> and now after some issues I have a replica with both pki and dns data running 
> centos 7.
> 
> So now I have 3 replicas:
> 
> centos 6.8:
> kdc01.unix.iriszorg.nl 
> kdc02.unix.iriszorg.nl 
> 
> centos 7.2
> kdc03.unix.iriszorg.nl 
> 
> The replica was created with an agreement to kdc01.unix.iriszorg.nl 
>  which was the master for crl updates. I 
> followed 
> the steps to disable crlcache and crlupdates on the kdc01 and to enable them 
> on 
> the kdc03.
> 
> So in the kdc01 I edited /etc/httpd/conf.d/ipa-pki-proxy.conf and uncommented
> 
> # Only enable this on servers that are not generating a CRL
> RewriteRule ^/ipa/crl/MasterCRL.bin 
> https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL=MasterCRL
>  
> [L,R=301,NC]
> 
> and on the kdc03 i commented this out:
> 
> # Only enable this on servers that are not generating a CRL
> #RewriteRule ^/ipa/crl/MasterCRL.bin 
> https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL=MasterCRL
>  
> [L,R=301,NC]
> 
> 
> When I try to resubmit certificates from certmonger they still hit the kdc01 
> web 
> server, so the requests hang on an status: CA_UNREACHABLE
>  ca-error: Server failed request, will retry: 4301 (RPC failed at server. 
>  
> Certificate operation cannot be completed: Failure decoding Certificate 
> Signing 
> Request).

Where does it happen? On arbitrary client which was installed in a past
against the removed kdc01?

If so could you look into /etc/ipa/default.conf and change host option
from kdc01 to the 7.2 IPA server?

If this is correct then IMO it is quite a serious bug which needs to be
fixed (i.e. DNS discovery needs to be used).
> 
> 
> Which was the problem on a recent thread on the list (trying to get rid of 
> this 
> replica now to fix this problem as well).
> 
> So something is not redirecting properly and I would appreciate your 
> assistance.
> 
> TIA.
> --
> Groeten,
> natxo
> 

-- 
Petr Vobornik



Re: [Freeipa-users] CA Fails to build Replica (w/External CA)

2016-09-21 Thread Tomas Krizek

On 09/21/2016 02:13 AM, Korey Chapman wrote:

Hello list,

I'm currently attempting to add a second CA server to our IPA cluster 
(all servers Centos 7.2 with IPA 4.2.0). However, it is failing no 
matter how I try to setup the CA (ipa-replica-install with --setup-ca 
or ipa-replica-install followed by ipa-ca-install). The only useful 
thing in the logs is an error about a missing key for "trust_flags" in 
the pki setup. Our infrastructure uses FreeIPA with an external CA.


Any ideas/help would be greatly appreciated. Here are the logs snips 
from my most recent attempt:


Command output snip from "ipa-replica-install 
/root/replica-info-auth-002.XXX.gpg --setup-ca"
Configuring certificate server (pki-tomcatd). Estimated time: 3 
minutes 30 seconds

  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to 
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpYofMPt'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the 
installation logs and the following files/directories for more 
information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki/pki-tomcat

  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERRORCA 
configuration failed



Log snip from ipareplica-install.log:

2016-09-20T23:42:27Z DEBUG Starting external process
2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpYofMPt'

2016-09-20T23:42:31Z DEBUG Process finished, return code=1
2016-09-20T23:42:31Z DEBUG stdout=Log file: 
/var/log/pki/pki-ca-spawn.20160920234227.log

Loading deployment configuration from /tmp/tmpYofMPt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into 
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.


Installation failed.


2016-09-20T23:42:31Z DEBUG 
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: 
InsecureRequestWarning: Unverified HTTPS request is being made. Adding 
certificate verification is strongly advised. See: 
https://urllib3.readthedocs.org/en/latest/security.html

  InsecureRequestWarning)
Traceback (most recent call last):
  File "/bin/pki", line 254, in 
cli.execute(sys.argv)
  File "/bin/pki", line 240, in execute
module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 
195, in execute

module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, 
in execute

trust_flags = cert_info['trust_flags']
KeyError: 'trust_flags'


--
Korey



Hi Korey,

could you check if there is any more info in /var/log/pki/pki-ca-spawn log?

It might also be helpful to verify that the correct trust flags are set in the nssdb: 
certutil -d /etc/pki/pki-tomcat/alias/ -L


Finally, can you check that LDAPS is running on port 636 on the replica 
where you're trying to install the CA (i.e. by nmap localhost)?


--
Tomas Krizek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
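Tomas's reply above, and Flo's reply further down this page in the "3rd party Cert install" thread, both come down to reading the trust flags that `certutil -d <dir> -L` prints. The script below is an added example, not code from the thread or from the FreeIPA project: it parses such a listing and checks the two entries Flo names (the server certificate with u,u,u and the signing CA with a C in the SSL slot). The listing and the nicknames in it are constructed to resemble the thread, not captured from a real server.

```bash
#!/bin/sh
# Added example (not from the thread): check the trust flags in a
# "certutil -d <dir> -L" listing for the two entries that matter to IPA:
#   - the server certificate, expected u,u,u
#   - the CA that signed it, expected a C in the SSL slot (C,, or CT,C,C)
# The listing is constructed to mimic certutil output; nicknames are made up.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
STARTCOM-ROOT                                                C,,
EXAMPLE.COM IPA CA                                           CT,C,C
'

# Print "<nickname><TAB><flags>" for each certificate line of a listing.
# The last field is the trust string; everything before it (which may
# contain spaces) is the nickname. Header and blank lines do not match.
parse_certutil_listing() {
    printf '%s\n' "$1" | awk '
    NF >= 2 && $NF ~ /^[CTcPpuwW]*,[CTcPpuwW]*,[CTcPpuwW]*$/ {
        flags = $NF; $NF = ""
        nick = $0; sub(/[ \t]+$/, "", nick)
        printf "%s\t%s\n", nick, flags
    }'
}

# Print the trust flags of one nickname, or nothing if it is absent.
flags_of() {
    parse_certutil_listing "$1" | awk -F '\t' -v n="$2" '$1 == n { print $2 }'
}

# check_nssdb_flags <listing> <server-nick> <ca-nick>
# One OK/WARN line per check; returns 1 if any check failed.
check_nssdb_flags() {
    status=0
    srv=$(flags_of "$1" "$2")
    if [ "$srv" = "u,u,u" ]; then
        echo "OK   $2: $srv"
    else
        echo "WARN $2: expected u,u,u, found '${srv:-<missing>}'"
        status=1
    fi
    ca=$(flags_of "$1" "$3")
    case "${ca%%,*}" in                 # first comma-separated slot = SSL trust
        *C*) echo "OK   $3: $ca" ;;
        *)   echo "WARN $3: expected C in SSL slot, found '${ca:-<missing>}'"
             status=1 ;;
    esac
    return $status
}

if check_nssdb_flags "$SAMPLE_LISTING" Server-Cert STARTCOM-ROOT; then
    echo "trust flags look right"
fi
```

On a real server, feed it the output of `certutil -d /etc/httpd/alias -L` (or the pki-tomcat and dirsrv databases) instead of the constructed listing.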

Re: [Freeipa-users] AD users can't login to IPA client

2016-09-21 Thread Jakub Hrozek
On Wed, Sep 21, 2016 at 05:43:29PM +0500, Alexander K wrote:
> Hello,
> 
> I'm having troubles with AD users authentication on IPA client.
> I have 3 VMs in my test environment:
> win-dc.windc.local 10.1.97.122 - AD DC server 2012R2
> fedora-dc.demo.loc 10.1.97.120 - fedora 24 + FreeIPA
> wks.demo.loc 10.1.97.121 - IPA client
> 
> I have done IPA AD trust setup
> https://www.freeipa.org/page/Active_Directory_trust_setup
> 
> AD user can access IPA server:
> login as: Administrator@windc.local
> Administrator@windc.local@10.1.97.120's password:
> Last login: Wed Sep 21 13:59:36 2016 from 192.168.70.26
> Could not chdir to home directory /home/windc.local/administrator: No such
> file or directory
> -sh-4.3$
> 
> IPA user can login IPA client:
> login as: admin
> admin@10.1.97.121's password:
> Last login: Wed Sep 21 16:12:31 2016 from 192.168.70.26
> [admin@wks ~]$
> 
> 
> But AD user can't access IPA client:
> login as: Administrator@windc.local
> Administrator@windc.local@10.1.97.121's password:
> Access denied
> 
> On another hand, ID works correct for AD users:
> [root@wks ~]# id Administrator@windc.local
> uid=429000500(administrator@windc.local)
> gid=429000500(administrator@windc.local)
> groups=429000500(administrator@windc.local),429000520(group policy creator
> owners@windc.local),429000519(enterprise admins@windc.local),429000513(domain
> users@windc.local),429000518(schema admins@windc.local),429000512(domain
> admins@windc.local)
> 
> I have attached logs
> (Last login time is 17:29-17:30)

The domain logs say the authentication takes too long, it might be
due to processing the PAC. Try increasing the authentication timeout
(krb5_auth_timeout).
> 
> 
> Any help would be appreciated!
> 
> 
> -- 
> Best regards,
> Alexander K







Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Deepak Dimri
I got it fixed by adding these in my playbook

  - command: sudo env DEBIAN_FRONTEND=noninteractive
  - shell: "DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y"

Thanks,
Deepak
> Subject: Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04
> To: deepak_di...@hotmail.com; freeipa-users@redhat.com
> From: tjaal...@ubuntu.com
> Date: Wed, 21 Sep 2016 14:40:17 +0300
> 
> On 21.09.2016 11:34, Deepak Dimri wrote:
> > Thanks Timo,
> > 
> > The "DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y"
> > command works on the terminal but within ansible playbook i am getting 
> > 
> > [Errno 2] No such file or directory", "rc": 2}  when adding
> > command: DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y
> > 
> > 
> > any idea how can i get this resolved for ansible?  i tried
> > "export DEBIAN_FRONTEND=noninteractive" and then "apt-get install
> > freeipa-client -y"  but that did not help either still getting [Errno 2]
> > No such file or directory", "rc": 2} 
> 
> no idea about that, but you could also preseed the debconf priority
> beforehand and then run apt-get, something like:
> 
> echo 'debconf debconf/priority select critical' > /tmp/preseed
> debconf-set-selections /tmp/preseed
> apt-get ...
> 
> 

Re: [Freeipa-users] 2FA using FreeIPA

2016-09-21 Thread Deepak Dimri
hi LS,
I am using IPA Server - VERSION: 4.2.0, API_VERSION: 2.156
sssd version on my IPA server: 1.13.0
sssd version on my IPA client (ubuntu): 1.11.8
I have a new "testhip2user" created in IPA Server with 2FA enabled. My 
/etc/ssh/sshd_config has this entry:

AuthorizedKeysFile  %h/.ssh/authorized_keys

#ChallengeResponseAuthentication no

PasswordAuthentication no
Match User testhip2user
AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
When i am trying to ssh with the private key of testhip2user into the IPA client, this 
is what i see in ssh auth.log: i keep getting prompted for a password and then 
it ends with a permission denied error

Sep 21 12:42:04 ip-172-31-30-146 sshd[7530]: error: Disabled method "password" in AuthenticationMethods list "publickey,password:pam"
Sep 21 12:42:04 ip-172-31-30-146 sshd[7530]: Authentication methods list "publickey,password:pam" contains disabled method, skipping
Sep 21 12:42:04 ip-172-31-30-146 sshd[7530]: error: Disabled method "password" in AuthenticationMethods list "publickey,password:pam" [preauth]
Sep 21 12:42:04 ip-172-31-30-146 sshd[7530]: Authentication methods list "publickey,password:pam" contains disabled method, skipping [preauth]
Sep 21 12:42:50 ip-172-31-30-146 sshd[7533]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50-201-125-254-static.hfc.comcastbusiness.net  user=testhip2user
Sep 21 12:42:50 ip-172-31-30-146 sshd[7533]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50-201-125-254-static.hfc.comcastbusiness.net user=testhip2user
Sep 21 12:42:50 ip-172-31-30-146 sshd[7533]: pam_sss(sshd:auth): received for user testhip2user: 6 (Permission denied)
Sep 21 12:42:53 ip-172-31-30-146 sshd[7530]: error: PAM: Authentication failure for testhip2user from 50-201-125-254-static.hfc.comcastbusiness.net

Thanks for your time and helping me with this
Best Regards,
Deepak
> Date: Fri, 16 Sep 2016 10:43:26 +0200
> From: lsleb...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] 2FA using FreeIPA
> 
> On (13/09/16 03:49), Deepak Dimri wrote:
> >Hi All,
> >I have below lines added to my sshd_config file for testuser.  
> >
> >
> >
> >Match User testuser
> >AuthenticationMethods publickey,password:pam 
> > publickey,keyboard-interactive:pam
> >I have OTP enabled for tapuser in IPA and i am able to login to GUI using the 
> >password + OTP.  However when i try to ssh i am getting prompted for first 
> >factor then second factor and then it ends with "Permission denied 
> >(keyboard-interactive)." error.  What could be wrong here? 
> >Regards,Deepak
> >
> Please provide versions of freeIPA server packages, version of sssd.
> And it would be good to see the exact output of ssh authentication.
> 
> LS
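The sshd errors quoted in this thread ("Disabled method "password" in AuthenticationMethods list ...") come from a chain in AuthenticationMethods that names a method whose on/off switch is "no" in scope. The script below is an added example, not part of the thread, that lints an sshd_config for exactly that mismatch before a user hits it; the two sample configs are constructed from the lines posted above, and the lint assumes only PasswordAuthentication, ChallengeResponseAuthentication/KbdInteractiveAuthentication and Match blocks matter.

```bash
#!/bin/sh
# Added example (not from the thread): flag AuthenticationMethods chains that
# sshd would refuse because they name a method that is switched off.
# Assumptions: sshd defaults (both switches "yes"); every line after a
# "Match" keyword belongs to that Match block, as in sshd_config(5).

# Constructed sample reproducing the config quoted in the thread.
SAMPLE_CONFIG='PasswordAuthentication no
#ChallengeResponseAuthentication no
Match User testhip2user
    AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam'

# Same intent with the dead "password" chain removed: key + OTP only.
FIXED_CONFIG='PasswordAuthentication no
ChallengeResponseAuthentication yes
Match User testhip2user
    AuthenticationMethods publickey,keyboard-interactive:pam'

# Print "WARN <chain>" for each chain sshd would skip; return 1 if any found.
lint_auth_methods() {
    printf '%s\n' "$1" | awk '
    BEGIN { pw = "yes"; cr = "yes" }                # compiled-in sshd defaults
    /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments and blank lines
    { key = tolower($1); val = tolower($2) }
    key == "match" { inmatch = 1; mpw = pw; mcr = cr; next }
    key == "passwordauthentication" {
        if (inmatch) { mpw = val } else { pw = val }
        next
    }
    key == "challengeresponseauthentication" || key == "kbdinteractiveauthentication" {
        if (inmatch) { mcr = val } else { cr = val }
        next
    }
    key == "authenticationmethods" {
        p = inmatch ? mpw : pw                      # switches in effect here
        c = inmatch ? mcr : cr
        for (i = 2; i <= NF; i++) {                 # each space-separated chain
            bad = 0
            n = split($i, m, ",")
            for (j = 1; j <= n; j++) {
                sub(/:.*/, "", m[j])                # "password:pam" -> "password"
                if (m[j] == "password" && p != "yes") bad = 1
                if (m[j] == "keyboard-interactive" && c != "yes") bad = 1
            }
            if (bad) { print "WARN " $i; found = 1 }
        }
    }
    END { exit (found ? 1 : 0) }'
}

for cfg in "$SAMPLE_CONFIG" "$FIXED_CONFIG"; do
    if lint_auth_methods "$cfg"; then echo "all chains usable"; fi
done
```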

[Freeipa-users] CA Fails to build Replica (w/External CA)

2016-09-21 Thread Korey Chapman
Hello list,

I'm currently attempting to add a second CA server to our IPA cluster (all
servers Centos 7.2 with IPA 4.2.0). However, it is failing no matter how I
try to setup the CA (ipa-replica-install with --setup-ca or
ipa-replica-install followed by ipa-ca-install). The only useful thing in
the logs is an error about a missing key for "trust_flags" in the pki
setup. Our infrastructure uses FreeIPA with an external CA.

Any ideas/help would be greatly appreciated. Here are the logs snips from
my most recent attempt:

Command output snip from "ipa-replica-install
/root/replica-info-auth-002.XXX.gpg --setup-ca"
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
seconds
  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpYofMPt''
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERRORCA configuration
failed


Log snip from ipareplica-install.log:

2016-09-20T23:42:27Z DEBUG Starting external process
2016-09-20T23:42:27Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpYofMPt'
2016-09-20T23:42:31Z DEBUG Process finished, return code=1
2016-09-20T23:42:31Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160920234227.log
Loading deployment configuration from /tmp/tmpYofMPt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


2016-09-20T23:42:31Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
Traceback (most recent call last):
  File "/bin/pki", line 254, in 
cli.execute(sys.argv)
  File "/bin/pki", line 240, in execute
module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 195, in
execute
module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/pkcs12.py", line 222, in
execute
trust_flags = cert_info['trust_flags']
KeyError: 'trust_flags'


-- 
Korey

[Freeipa-users] Central logging docker image

2016-09-21 Thread Johan Petersson
Hi,

When i was evaluating the configuration of the central logging proof of concept 
docker image described here: https://www.freeipa.org/page/Centralized_Logging i 
noticed that the rsyslog mmnormalization rules did not work properly and failed 
to parse keywords. Elasticsearch indexes do not get properly filled. This 
leads to broken visualizations and dashboards in Kibana.

The reason is that custom repos were being used to install newer versions of 
rsyslog, rsyslog-mmnormalize and rsyslog-elasticsearch (8.8.0-2), liblognorm 
(1.1.1-1) and liblogging (1.0.4-4).

These repos do not work anymore since the content has been removed.

The repos are:
https://copr-be.cloud.fedoraproject.org/results/jhrozek/rsyslog
https://copr-be.cloud.fedoraproject.org/results/jhrozek/liblognorm
https://copr-be.cloud.fedoraproject.org/results/jhrozek/liblogging

The liblognorm version in RHEL 7 is normally 0.3.7.

It would be of interest if these newer versions could be made available for 
RHEL 7 in the near future since they would make RHEL 7 as a log server platform 
much more interesting.

This e-mail is private and confidential between the sender and the addressee.
In the event of misdirection, the recipient is prohibited from using, copying 
or disseminating it or any information in it. Please notify the above if any 
misdirection.

Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Timo Aaltonen
On 21.09.2016 11:34, Deepak Dimri wrote:
> Thanks Timo,
> 
> The "DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y"
> command works on the terminal but within ansible playbook i am getting 
> 
> [Errno 2] No such file or directory", "rc": 2}  when adding
> command: DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y
> 
> 
> any idea how can i get this resolved for ansible?  i tried
> "export DEBIAN_FRONTEND=noninteractive" and then "apt-get install
> freeipa-client -y"  but that did not help either still getting [Errno 2]
> No such file or directory", "rc": 2} 

no idea about that, but you could also preseed the debconf priority
beforehand and then run apt-get, something like:

echo 'debconf debconf/priority select critical' > /tmp/preseed
debconf-set-selections /tmp/preseed
apt-get ...




[Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-21 Thread Natxo Asenjo
hi,

I followed the instructions here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

and now after some issues I have a replica with both pki and dns data
running centos 7.

So now I have 3 replicas:

centos 6.8:
kdc01.unix.iriszorg.nl
kdc02.unix.iriszorg.nl

centos 7.2
kdc03.unix.iriszorg.nl

The replica was created with an agreement to kdc01.unix.iriszorg.nl which
was the master for crl updates. I followed the steps to disable crlcache
and crlupdates on the kdc01 and to enable them on the kdc03.

So in the kdc01 I edited /etc/httpd/conf.d/ipa-pki-proxy.conf and
uncommented

# Only enable this on servers that are not generating a CRL
RewriteRule ^/ipa/crl/MasterCRL.bin
https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL=MasterCRL
[L,R=301,NC]

and on the kdc03 i commented this out:

# Only enable this on servers that are not generating a CRL
#RewriteRule ^/ipa/crl/MasterCRL.bin
https://kdc03.unix.iriszorg.nl/ca/ee/ca/getCRL?op=getCRL=MasterCRL
[L,R=301,NC]


When I try to resubmit certificates from certmonger they still hit the
kdc01 web server, so the requests hang on a status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Failure decoding
Certificate Signing Request).


Which was the problem on a recent thread on the list (trying to get rid of
this replica now to fix this problem as well).

So something is not redirecting properly and I would appreciate your
assistance.

TIA.
--
Groeten,
natxo

Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Deepak Dimri
Thanks Timo,
The "DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y" command 
works on the terminal but within ansible playbook i am getting [Errno 2] No 
such file or directory", "rc": 2}  when adding command: 
DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y
any idea how can i get this resolved for ansible?  i tried "export 
DEBIAN_FRONTEND=noninteractive" and then "apt-get install freeipa-client -y"  
but that did not help either still getting [Errno 2] No such file or 
directory", "rc": 2} 
Thanks again,
Deepak

> Subject: Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04
> To: deepak_di...@hotmail.com; freeipa-users@redhat.com
> From: tjaal...@ubuntu.com
> Date: Wed, 21 Sep 2016 10:26:41 +0300
> 
> On 21.09.2016 09:41, Deepak Dimri wrote:
> > Hi All,
> > 
> > I am trying to install freeipa client on my ubuntu client via ansible
> > script. I have "apt-get update" and "apt-get install freeipa-client -y"
> > these basic commands added in my playbook but the problem is when i run
> > "apt-get install freeipa-client" with or without -y option it opens up
> > some graphical interface confirming the IPA realm and other details. I
> > did not find any option with in "apt-get install freeipa-client"to make
> > it deployment unattended. Can anyone please tell me the how i can
> > automate ipa-client installation on ubuntu?
> > 
> > The same process works fine with RHEL using yum but i am unable to do so
> > for ubuntu with apt-get
> 
> the dialog is from krb5-common, and you can skip it with
> 
> DEBIAN_FRONTEND=noninteractive apt-get install ...
> 

Re: [Freeipa-users] SSH public user's key stored in AD POSIX attribute

2016-09-21 Thread Sumit Bose
On Wed, Sep 21, 2016 at 09:47:12AM +0200, Jan Karásek wrote:
> Hi, 
> 
> I have a question about the IPA-AD trust scenario where POSIX attributes are 
> stored in AD. 

Although I describe a possible solution below, I wonder if using IPA
overrides, which allow adding public ssh keys for AD users, would work for
you as well? 

> 
> I would like to know if it's possible to store public SSH user key in Active 
> Directory in some user's object attribute - the same way as uidNumber or 
> loginShell. I can't find any suitable attribute for ssh in AD schema but the 
> uidNumber,gidNumber and others are already present (win2012). 

In general it is possible to either extend the schema or use an existing
attribute, see e.g.
https://social.technet.microsoft.com/Forums/en-US/8aa28e34-2007-49fe-a689-e28e19b2757b/is-there-a-way-to-link-ssh-key-in-ad?forum=winserverDS
for details.

But given the recent activities in areas of Powershell and OpenSSH for
Windows I wonder if there might be some "official" attributes coming
sooner or later. Currently I'm not aware of any plans here but maybe
other readers on the list have more insight here?

> 
> So is there any chance to extend AD schema and let the IPA server get public 
> ssh user's key from AD the same way as other POSIX attributes? Is IPA 
> ready for that and how should that attribute be named in AD? 

You have to configure SSSD on the IPA server to read the attribute and
forward it to the clients, for this you need (at least) to add

[domain/EXAMPLE]
ldap_user_extra_attrs = adAttributeName:sshPublicKey

(see sssd-ldap man page for details)

bye,
Sumit

> 
> Thanks, 
> 
> Jan 



[Freeipa-users] SSH public user's key stored in AD POSIX attribute

2016-09-21 Thread Jan Karásek
Hi, 

I have a question about the IPA-AD trust scenario where POSIX attributes are 
stored in AD. 

I would like to know if it's possible to store public SSH user key in Active 
Directory in some user's object attribute - the same way as uidNumber or 
loginShell. I can't find any suitable attribute for ssh in AD schema but the 
uidNumber,gidNumber and others are already present (win2012). 

So is there any chance to extend AD schema and let the IPA server get public 
ssh user's key from AD the same way as other POSIX attributes? Is IPA ready 
for that and how should that attribute be named in AD? 

Thanks, 

Jan 

Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Timo Aaltonen
On 21.09.2016 09:41, Deepak Dimri wrote:
> Hi All,
> 
> I am trying to install freeipa client on my ubuntu client via ansible
> script. I have "apt-get update" and "apt-get install freeipa-client -y"
> these basic commands added in my playbook but the problem is when i run
> "apt-get install freeipa-client" with or without -y option it opens up
> some graphical interface confirming the IPA realm and other details. I
> did not find any option with in "apt-get install freeipa-client"to make
> it deployment unattended. Can anyone please tell me the how i can
> automate ipa-client installation on ubuntu?
> 
> The same process works fine with RHEL using yum but i am unable to do so
> for ubuntu with apt-get

the dialog is from krb5-common, and you can skip it with

DEBIAN_FRONTEND=noninteractive apt-get install ...



Re: [Freeipa-users] 3rd party Cert install now IPA total broken

2016-09-21 Thread Florence Blanc-Renaud

On 09/20/2016 02:15 PM, Günther J. Niederwimmer wrote:

Hello.

Thanks for the first help,

Am Montag, 19. September 2016, 12:02:19 schrieb Florence Blanc-Renaud:

On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:

Hello,
Freeipa 4.3.1

I have now installed a 3rd Party Certificate from Startcom and now my IPA is
totally broken?



ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install
root.crt


I mean this is the wrong cert I installed :-(.

Is it possible to overwrite or delete it and make it new? This file is the ROOT-CA
from STARTCOM ("30 Years").


Hi,

ipa-cacert-manage install *adds* the CA certificate to the list of CA 
certs (it does not replace the CA cert), meaning that it can be run 
multiple times with different certificates. After this step, you can 
find all your CA certificates in the ldap server, below 
cn=certificates,cn=ipa,cn=etc,$BASEDN


So in your case, you can re-run this command, this time with the right 
CA cert. Then do not forget to run ipa-certupdate on all the ipa 
replicas/clients in order to install the new CA cert on the relevant NSS 
databases. It is important to run ipa-certupdate before IPA services are 
restarted with the new certs (otherwise ipa-certupdate cannot contact 
the LDAP server to download the new certificates).


If you forgot to run ipa-certupdate on the clients, I guess you can fix 
this by installing the new CA cert in /etc/ipa/nssdb with C,, flags.


HTH,
Flo


ipa-certupdate

ipa-server-certinstall -w -d ipa_3rd_ca.p12


This was wrong, I deleted all these installed certs with
certutil -d . -D -n xxx


I create this p12 with key.pem, cert.pem root.crt


Now I created a new p12 with, I hope, the correct certs.

I got from Startcom an httpd zip file with 1_root_bundle.crt ("15 Years") and
my wild-card certificate; these I included in my newly created p12 with my key.pem.

This p12 I installed on the first master with

pk12util -v -i ipa_4gjn_ca.p12 -d /etc/httpd/alias -k
/etc/httpd/alias/pwdfile.txt -W 

pk12util -v -i ipa_4gjn_ca.p12 -d /etc/dirsrv/slapd-4GJN-COM -k
/etc/dirsrv/slapd-4GJN-COM/pwdfile.txt -W xxx
and
pk12util -v -i ipa_4gjn_ca.p12 -d /var/lib/pki/pki-tomcat/alias -k
/etc/pki/pki-tomcat/pwdfile.txt -W x

I changed the nss.conf and, I hope, the correct file in /etc/dirsrv/slapd-
/dsl.ldif

Then I changed in all NSS DBs the StartCOM cert (1_root_bundle.crt) with the name
STARTCOM-ROOT with
certutil -d . -M -t C,, -n STARCOM-ROOT


Afterwards I did a reboot and a test
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Why is ipa-ods-exporter Service always STOPPED ??

Next I tested a login on the IPA Web UI; this is now also working ;-)


The QUESTION is now: what about the second master and the IPA clients?
Now (?) I have also found ipa-backup ;-) OK, for the next problem I know it
now :-).

Do I have to repeat all this on the second master?

And what is the correct way to inform the clients?

Thanks again for an answer,


Hi,

there were some issues with ipa-server-certinstall (see tickets #4785,
#4786 and #6263).
In order to check your configuration, you must make sure that the NSS
DBs for Apache and the LDAP server (/etc/httpd/alias,
/var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
- the server certificate with flags u,u,u (= the one contained in
ipa_3rd_ca.p12)
- the certificate of the CA which signed the server certificate, with
flags C,, (= the one contained in root.crt)

Then you can also check if the nickname for the server cert is properly
set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in
the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute
nsSSLPersonalitySSL).

If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may
provide more information.

Also note that it is important to run ipa-certupdate on all the clients
and replicas in order to install the new certificates in the NSS DBs
*before* you run ipa-server-certinstall.

Hope this helps,
Flo.


Kerberos doesn't start anymore?
The error is

 Unspecified GSS failure. Minor (2529639068): Cannot contact any KDC for realm
'4GJN.COM'

after insert in nss.conf
"NSSEnforceValidCerts off"

ipactl restart is starting (?) but

ipactl status tells me
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

with certutil -d /etc/httpd/alias -L I 

[Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Deepak Dimri
Hi All,
I am trying to install freeipa client on my ubuntu client via ansible script. I 
have "apt-get update" and "apt-get install freeipa-client -y" these basic 
commands added in my playbook but the problem is when i run "apt-get install 
freeipa-client" with or without -y option it opens up some graphical interface 
confirming the IPA realm and other details. I did not find any option within 
"apt-get install freeipa-client" to make the deployment unattended. Can anyone 
please tell me how i can automate ipa-client installation on ubuntu?
The same process works fine with RHEL using yum but i am unable to do so for 
ubuntu with apt-get
Thanks,
Deepak