[Freeipa-users] kinit: admin account getting locked out frequently

2016-09-29 Thread Rakesh Rajasekharan
Hi All ,

In my FreeIPA setup, I am frequently seeing this error "kinit: Clients
credentials have been revoked while getting initial credentials" while I
try "kinit admin".

I have tried decreasing the "--failinterval" and increasing the "--maxfail"
values

However, I still continue to see this error and it does not get unlocked.

I have to manually unlock using "modprinc -unlock ad...@xyz.com"

In the history on the IPA admin server, I do not see any instances of
"kinit admin" being run.

Is there anything else that I should check to trace the cause of this?


Thanks.

Rakesh
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread beeth beeth
Thanks Florence and Rob! The replica worked after adding the certs during
the replica preparation.

Now I have several IPA clients installed with user authentication (ssh login
with the users in IPA) working after some work. However, one of them failed
during login with the following messages in syslog:

Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Credentials cache
permissions incorrect
Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity
check failed
Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity
check failed

I tried this on ipaclient3:
# kinit admin
# ipa-getkeytab -s ipa1.example.com -p host/ipaclient3.example.com -k
/etc/krb5.keytab
No help.

I also tried this on ipaclient3 (which I don't think is relevant to the krb5
error):
# wget -O /etc/ipa/ca.crt https://ipa1.example.com/ipa/config/ca.crt
# certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /etc/ipa/ca.crt

Any idea about such krb5 issue? Thanks again!



On Thu, Sep 29, 2016 at 9:36 AM, Florence Blanc-Renaud wrote:

> On 09/29/2016 02:12 PM, Rob Crittenden wrote:
>
>> beeth beeth wrote:
>>
>>> Hi Florence,
>>>
>>> I previously tried option a) and failed(need to find out why later), but
>>> I was able to successfully reinstall the server and the client with
>>> option b), thanks a lot! So when it says "Installing Without a CA", it
>>> means without a "embeded CA"(the IPA's own CA), is that right?
>>>
>>> Another main problem comes up for option b): now I am going to install
>>> the replica server(ipa2), if I do the same as I did before:
>>>
>>> [root@ipa1 ~]# ipa-replica-prepare ipa2.example.com
>>> 
>>>
>>> copy the gpg file from ipa1 to ipa2
>>>
>>> [root@ipa2 ~]# ipa-replica-install
>>> /var/lib/ipa/replica-info-ipa2.example.com.gpg
>>>
>>> Then I believe the Apache on ipa2 (the replica server) will use the
>>> Verisign certificate with the same hostname (DN): ipa1.example.com,
>>> NOT ipa2.example.com, hence the users who visit
>>> https://ipa2.example.com will experience a security warning from the
>>> browser, as expected...
>>> What could be a solution for this?
>>>
>>> Thanks again!
>>>
>>>
>>> On Thu, Sep 29, 2016 at 6:03 AM, Florence Blanc-Renaud wrote:
>>>
>>> On 09/29/2016 11:43 AM, beeth beeth wrote:
>>>
>>> Thanks for the quick response Florence!
>>>
>>> My goal is the use a 3rd party certificate(such as Verisign
>>> cert) for
>>> Web UI(company security requirement), in fact we are not
>>> required to use
>>> 3rd party certificate for the LDAP server, but as I mentioned
>>> earlier, I
>>> couldn't make the new Verisign cert to work with the Web UI,
>>> without
>>> messing up the IPA function(after I updated the nss.conf to use
>>> the new
>>> cert in the /etc/httpd/alias db, the ipa_client_install failed).
>>> So I
>>> tried to follow the Redhat instruction, to see if I can get the
>>> Verisign
>>> cert installed at the most beginning, without using FreeIPA's
>>> own/default certificate), but I got the CSR question.
>>>
>>> I did install IPA without a CA, by following the instruction at
>>>
>>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>>
>>> but failed to restart HTTPD. When and how can I provide the
>>> 3rd-party
>>> certificate? Could you please point me a document about the
>>> detail?
>>>
>>> Hi,
>>>
>>> you need first to clarify if you want FreeIPA to act as a CA or not.
>>> The setup will depend on this choice.
>>>
>>> - option a) FreeIPA with an embedded CA:
>>> you can install FreeIPA with a self-signed CA, then follow the
>>> instructions at
>>>
>>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>>
>>> 
>>> in order to replace the WebUI certificate. Please note that there
>>> were some bugs in ipa-server-certinstall, preventing httpd from
>>> starting (Ticket #4786 [1]). The workaround is to manually update
>>> nss.conf (as you did) and manually import the CA certificate into
>>> /etc/pki/pki-tomcat/alias, for instance with
>>> $ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname
>>> -t C,,
>>>
>>>
>>> - option b) Free IPA without CA
>>> the installation instructions are in Installing without a CA [2].
>>> You will provide the certificate that will be used by both the LDAP
>>> server and the WebUI in the command options.
>>>
>>
>> You'd need either a separate certificate or one with multiple subject
>> alternative names, one for each master. I also imagine you'd need to
>> 

[Freeipa-users] HBAC rules stop working

2016-09-29 Thread Orion Poplawski

server:
ipa-server-4.2.0-15.sl7_2.19.x86_64
sssd-1.13.0-40.el7_2.12.x86_64

client:
sssd-1.14.1-3.el7.centos.x86_64

AD trust - users are in AD.  HBAC rule in place for client to allow a 
user to login/ssh/su/etc.


This seems to have happened a couple times now, and again today after 
rebooting the IPA server.  sssd was denying the user to ssh into the 
client by pam rules.  Logged on to the IPA server and disabled and then 
re-enabled the HBAC rule for the client and then was able to log back in 
again.  Has anyone else seen this before?


client sssd_pam just went from:

(Thu Sep 29 19:30:40 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply 
called with result [6]: Permission denied.


to

(Thu Sep 29 19:37:04 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply 
called with result [0]: Success.


so I assume I'll need to collect debug logs from sssd on the server next 
time.


--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    or...@cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com



Re: [Freeipa-users] Replica created with expired certs

2016-09-29 Thread Jim Richard
Can I and how…

delete all certs for all hosts

I mean, we only use FreeIPA for user login/sssd

That said, do we even need those certs?



     
Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905


> On Sep 29, 2016, at 8:53 PM, Jim Richard  wrote:
> 
> another interesting thing, my httpd/error_logs are constantly getting spammed 
> with: (I removed the stuff between the single quotes)
> 
> Notice those names don’t match, should they? 
> 
> Me thinks not since those “principal=“ items are ALMOST all hosts that no 
> longer exist in the FreeIPA system. I rare few do exist.
> 
> So, that’s weird :)
> 
> [Thu Sep 29 20:44:59 2016] [error] ipa: INFO: host/aerospike-cl1-203.nym1.placeiq@placeiq.net: cert_request(u'………..', principal=u'host/sbtt-nyc1-028.thum01.nym1.placeiq@placeiq.net', add=True): CertificateOperationError
> 
> [Thu Sep 29 20:45:06 2016] [error] ipa: INFO: host/aerospike-cl2-210.nym1.placeiq@placeiq.net: cert_request(u'………..', principal=u'host/017.prod07.nym1.placeiq@placeiq.net', add=True): CertificateOperationError
> 
> [Thu Sep 29 20:45:09 2016] [error] ipa: INFO: host/adsgateway-14.nym1.placeiq@placeiq.net: cert_request(u'...', principal=u'host/025.prod07.nym1.placeiq@placeiq.net', add=True): CertificateOperationError
> 
> [Thu Sep 29 20:45:29 2016] [error] ipa: INFO: host/ttsandbox-022.nym1.placeiq@placeiq.net: cert_request(u'….', principal=u'host/sbtt-nyc1-022.thum01.nym1.placeiq@placeiq.net', add=True): CertificateOperationError
> 
> 
> Jim Richard
> SYSTEM ADMINISTRATOR III
> (646) 338-8905

Re: [Freeipa-users] Replica created with expired certs

2016-09-29 Thread Jim Richard
another interesting thing, my httpd/error_logs are constantly getting spammed 
with: (I removed the stuff between the single quotes)

Notice those names don’t match, should they? 

Me thinks not since those “principal=“ items are ALMOST all hosts that no 
longer exist in the FreeIPA system. A rare few do exist.

So, that’s weird :)

[Thu Sep 29 20:44:59 2016] [error] ipa: INFO: 
host/aerospike-cl1-203.nym1.placeiq@placeiq.net: cert_request(u'………..', 
principal=u'host/sbtt-nyc1-028.thum01.nym1.placeiq@placeiq.net', add=True): 
CertificateOperationError

[Thu Sep 29 20:45:06 2016] [error] ipa: INFO: 
host/aerospike-cl2-210.nym1.placeiq@placeiq.net: cert_request(u'………..', 
principal=u'host/017.prod07.nym1.placeiq@placeiq.net', add=True): 
CertificateOperationError

[Thu Sep 29 20:45:09 2016] [error] ipa: INFO: 
host/adsgateway-14.nym1.placeiq@placeiq.net: cert_request(u'...', 
principal=u'host/025.prod07.nym1.placeiq@placeiq.net', add=True): 
CertificateOperationError

[Thu Sep 29 20:45:29 2016] [error] ipa: INFO: 
host/ttsandbox-022.nym1.placeiq@placeiq.net: cert_request(u'….', 
principal=u'host/sbtt-nyc1-022.thum01.nym1.placeiq@placeiq.net', add=True): 
CertificateOperationError






     
Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905


> On Sep 29, 2016, at 8:11 AM, Rob Crittenden  wrote:
> 
> Natxo Asenjo wrote:
>> hi Jim,
>> 
>> On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard wrote:
>> 
>>Thanks Rob, that worked.
>> 
>>Still on the subject of certs, any idea how to solve this error:
>> 
>>Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
>>certificate/key database is in an old, unsupported format.
>> 
>>I see that in the gui when querying hosts as well as from cli when I
>>ipa-show or ipa-find
>> 
>> 
>> I have had this too, and we did not find a solution (search my recent
>> posts on the archives). As a workaround I have created replicas and
>> decommissioned the older replicas.
> 
> On the one hand I'm glad this fixed it for you. On the other it is a rather 
> unsatisfying answer. Unfortunately NSS doesn't always provide the most 
> context with its error messages. This error is usually seen when one tries to 
> open a non-existent database, which in this case is a very strange thing, 
> especially since it goes from working to non-working in the same apache 
> process over a few minutes.
> 
> I'm not sure how I'd troubleshoot this if it were easily reproducible. I 
> suspect we'd need to figure out which database cannot be found (most likely 
> /etc/httpd/alias) and go from there. An strace is a brute-force way to see 
> the file open but finding the right process to attach to is a bit of an art.
> 
> rob
> 

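Added example, not from the thread: a small Python check over error_log lines in the shape quoted above. It lists the cert_request calls where the authenticated host principal differs from the principal named in the request (the mismatch the post asks about), which of those name hosts the server no longer has, and which enrolled hosts generate the noise. The log lines, the `<CSR>` placeholder, the one SUCCESS line and the KNOWN_HOSTS set are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the httpd error_log entries quoted
# in the post (the CSR between the quotes is replaced by a placeholder, as in
# the post; the third line is a made-up matching request so the check has a
# negative case).
SAMPLE_ERROR_LOG = """\
[Thu Sep 29 20:44:59 2016] [error] ipa: INFO: host/aerospike-cl1-203.nym1.placeiq@placeiq.net: cert_request(u'<CSR>', principal=u'host/sbtt-nyc1-028.thum01.nym1.placeiq@placeiq.net', add=True): CertificateOperationError
[Thu Sep 29 20:45:06 2016] [error] ipa: INFO: host/aerospike-cl2-210.nym1.placeiq@placeiq.net: cert_request(u'<CSR>', principal=u'host/017.prod07.nym1.placeiq@placeiq.net', add=True): CertificateOperationError
[Thu Sep 29 20:45:09 2016] [error] ipa: INFO: host/adsgateway-14.nym1.placeiq@placeiq.net: cert_request(u'<CSR>', principal=u'host/adsgateway-14.nym1.placeiq@placeiq.net', add=True): SUCCESS
[Thu Sep 29 20:45:29 2016] [error] ipa: INFO: host/ttsandbox-022.nym1.placeiq@placeiq.net: cert_request(u'<CSR>', principal=u'host/sbtt-nyc1-022.thum01.nym1.placeiq@placeiq.net', add=True): CertificateOperationError
"""

# Hosts the IPA server still knows about (constructed for the example; in
# practice this would come from the output of `ipa host-find`).
KNOWN_HOSTS = {
    "aerospike-cl1-203.nym1.placeiq",
    "aerospike-cl2-210.nym1.placeiq",
    "adsgateway-14.nym1.placeiq",
    "ttsandbox-022.nym1.placeiq",
}

# One cert_request line: timestamp, authenticated caller principal, the
# principal inside the request, the add flag and the outcome.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] ipa: INFO: (?P<caller>[^\s:]+): "
    r"cert_request\(u'(?P<csr>[^']*)', principal=u'(?P<target>[^']+)', "
    r"add=(?P<add>True|False)\): (?P<result>\w+)$"
)


def parse_cert_requests(text):
    """One dict per cert_request line; lines of any other shape are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def hostname(principal):
    """'host/fqdn@REALM' -> 'fqdn'."""
    return principal.split("/", 1)[1].split("@", 1)[0]


def mismatched(records):
    """Requests where the authenticated host is not the host named in the request."""
    return [r for r in records if r["caller"] != r["target"]]


def unknown_targets(records, known_hosts):
    """Requests whose target principal belongs to a host the server no longer has."""
    return [r for r in records if hostname(r["target"]) not in known_hosts]


def callers_by_volume(records):
    """Which enrolled hosts generate the entries, most frequent first."""
    return Counter(r["caller"] for r in records).most_common()


if __name__ == "__main__":
    recs = parse_cert_requests(SAMPLE_ERROR_LOG)
    for r in mismatched(recs):
        print(f"{r['ts']}: {r['caller']} asked for {r['target']} -> {r['result']}")
    print("targets no longer enrolled:", len(unknown_targets(recs, KNOWN_HOSTS)))
    print("callers by volume:", callers_by_volume(recs))
```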

Re: [Freeipa-users] Certificate format error reported by GUI

2016-09-29 Thread Jim Richard
Hi Paul, 3.0.0 on Centos 6.8


     
Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905


> On Sep 29, 2016, at 11:58 AM, Pavel Vomacka  wrote:
> 
> Hello,
> 
> which version of FreeIPA do you use?
> On 09/28/2016 12:42 AM, Jim Richard wrote:
>> When I try to look at hosts under the hosts tab. ipactl restart or just 
>> restarting httpd seems to clear it up for a short period.
>> 
>> Three replicas in the environment, it only happens when I look at hosts 
>> using the GUI at one of the three replicas.
>> 
>> 
>> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key 
>> database is in an old, unsupported format.
>> 
>> 
>> Jim Richard
>> SYSTEM ADMINISTRATOR III
>> (646) 338-8905
>> 
> 
> -- 
> Pavel^3 Vomacka


Re: [Freeipa-users] external groups and /etc/group

2016-09-29 Thread Rusty Shackleford
On Thu, Sep 29, 2016 at 4:47 PM, Jakub Hrozek  wrote:

>
> I think you are looking for:
> https://sourceware.org/glibc/wiki/Proposals/GroupMerging
>

Well that's a bummer. Thanks for getting back to me.

[Freeipa-users] certificate list problems using web ui after upgrading to FreeIPA 4.2.0-15

2016-09-29 Thread Marco Antonio Carcano

Hi all,

I’ve just upgraded from FreeIPA 4.1 to FreeIPA 4.2.0-15 on a CentOS 7 
(7.2.1511) and I’m no longer able to list certificates using the web UI.


When I go to “Authentication”, “Certificates” and choose “Certificates” 
I get the following error:


Certificate operation cannot be completed: Unable to communicate with 
CMS (Internal Server Error)


and tomcat logs contain the following exception:

Sep 29, 2016 4:54:35 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Allocate exception for servlet Resteasy
java.lang.ClassNotFoundException: 
com.netscape.ca.CertificateAuthorityApplication
at 
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1720)
at 
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
at 
org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:28
at 
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:95)
at 
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:606)
at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)

at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
at 
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
at 
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
at 
org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:864)
at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:134)
at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:40
at 
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
at 
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at 
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

at java.lang.Thread.run(Thread.java:745)

So it complains that it cannot find the class 
com.netscape.ca.CertificateAuthorityApplication - that’s right.


The funny thing is that command line works like a charm

ipa caacl-find

1 CA ACL matched

  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
  Profiles: caIPAserviceCert

Number of entries returned 1
——

ipa cert-show
Serial number: 1
  Certificate: 
MIIDjzCCAnegAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtJVEM0

VS5MT0NBTDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5
…
iI2rFqRTA+AF3xpqYBtOP+WwcBaue+OZ/GEsPOiyvcV1ZX6FWcKsmBf/T
t7A9
  Subject: CN=Certificate Authority,O=ME.LOCAL
  Issuer: CN=Certificate Authority,O=ME.LOCAL
  Not Before: Tue Dec 02 08:05:42 2014 UTC
  Not After: Sat Dec 02 08:05:42 2034 UTC
  Fingerprint (MD5): 59:4c:bb:dc:6a:e2:ff:17:6c:34:3e:f4:7e:fa:69:2e
  Fingerprint (SHA1): 
74:c1:b3:a1:a1:25:5c:02:e8:ef:c5:30:14:fd:f0:58:79:6d:60:33

  Serial number (hex): 0x1
  Serial number: 1

By the way, the weird thing is that before migrating I added a replica 
node (so a fresh installation of FreeIPA 4.2.0-15) and the replica works 
perfectly, without this problem


It seems to be a problem somehow related to the upgrade process

How can I manage? Any suggestion? By the way, does anybody know which 
JAR contains com.netscape.ca.CertificateAuthorityApplication? I suppose 
it was /usr/share/java/pki/pki-ca.jar, but it contains only 
CertificateAuthority class:


jar tf 

Re: [Freeipa-users] another certmonger question

2016-09-29 Thread Natxo Asenjo
On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden  wrote:

> Natxo Asenjo wrote:
>
>>
>>
>> On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden wrote:
>>
>>
>> It's hard to say, it may in fact not be a problem.
>>
>> It is really a matter of what service the certificate(s) are related
>> to. I'd look at the serial numbers and then correlate those to the
>> issued certificates.
>>
>> I'd also do a service-find on the hostname to see if any services
>> have certificates issued and with what serial numbers.
>>
>>
>> I agree, it could be that. But just for testing I have created a vm,
>> joined it to the domain and resubmitted the certificate.
>>
>> Now there are two valid host certificates with the same subject:
>>
>>
>>   $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
>> --
>> 2 certificates matched
>> --
>>   Serial number (hex): 0x3FFE0002
>>   Serial number: 1073610754
>>   Status: VALID
>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>
>>   Serial number (hex): 0x3FFE0003
>>   Serial number: 1073610755
>>   Status: VALID
>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>> --
>> Number of entries returned 2
>> --
>>
>>
>> So certmonger on this CentOS 6.8 32-bit host is renewing but not
>> having the old certificate revoked.
>>
>
> I'd check the Apache log to find the cert_request call to see if you can
> see if there are any issues raised. It should be doing a cert_revoke at the
> same time.
>
> Can you show how this certificate is being tracked?
>

sure:

$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
expires: 2018-09-30 10:13:17 UTC
principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

now, let's resubmit:

$ sudo ipa-getcert resubmit -i 20160929100945
Resubmitting "20160929100945" to "IPA".
[jose.admin@throwaway ~]$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
expires: 2018-09-30 20:41:28 UTC
principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

so it has been successfully renewed.

In the access_log of the kdc I see this:

172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST
https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient
HTTP/1.1" 200 1913
172.20.6.81 - host/throwaway.unix.iriszorg...@unix.iriszorg.nl
[29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929

and in the error_log:
[Thu Sep 29 22:41:28.626669 2016] [:error] [pid 4617] ipa: INFO:
[xmlserver] host/throwaway.unix.iriszorg...@unix.iriszorg.nl:
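Added example, not from the thread: a Python check that parses `ipa cert-find` output like the listing quoted earlier in this message and reports subjects that still have more than one VALID certificate, i.e. renewals where the previous certificate was never revoked, together with the older serials a cert_revoke should have covered. The sample output is constructed from the serials and subject in the post (plus one already-revoked entry to show it is ignored); that the highest serial is the newest certificate is an assumption about Dogtag's serial allocation.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `ipa cert-find --subject=...` output,
# reusing the serials and subject quoted in the thread and adding one
# already-revoked entry so the check has something to skip.
SAMPLE_CERT_FIND = """\
--------------------
3 certificates matched
--------------------
  Serial number (hex): 0x3FFE0001
  Serial number: 1073610753
  Status: REVOKED
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 3
----------------------------
"""

# "Key: value" lines; the non-greedy key stops at the first colon so a DN
# value containing '=' and ',' is kept whole.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ()]*?):\s*(.*)$")


def parse_cert_find(text):
    """Split `ipa cert-find` output into one dict of fields per certificate."""
    entries, current = [], {}
    for line in text.splitlines():
        stripped = line.strip()
        # Blank lines and dashed rules separate records and wrap the summary.
        if not stripped or set(stripped) == {"-"}:
            if current:
                entries.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        entries.append(current)
    # "N certificates matched" and "Number of entries returned N" have no
    # colon, so only real certificate records carry these two fields.
    return [e for e in entries if "Serial number" in e and "Subject" in e]


def live_certs_by_subject(entries):
    """Map subject DN -> sorted serials of certificates that are still VALID."""
    by_subject = defaultdict(list)
    for e in entries:
        if e.get("Status") == "VALID":
            by_subject[e["Subject"]].append(int(e["Serial number"]))
    return {s: sorted(v) for s, v in by_subject.items()}


def duplicate_live_subjects(entries):
    """Subjects with more than one VALID certificate: a renewal happened
    without the previous certificate being revoked."""
    return {s: v for s, v in live_certs_by_subject(entries).items() if len(v) > 1}


def stale_serials(entries):
    """For each duplicated subject, every VALID serial except the highest.
    Assumption: the CA issues increasing serials, so the highest serial is
    the latest renewal and the lower ones are the leftovers to revoke."""
    return {s: v[:-1] for s, v in duplicate_live_subjects(entries).items()}


if __name__ == "__main__":
    for subject, serials in stale_serials(parse_cert_find(SAMPLE_CERT_FIND)).items():
        print(f"{subject}: older certificates still VALID, serials {serials}")
```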

Re: [Freeipa-users] external groups and /etc/group

2016-09-29 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 04:35:58PM -0400, Rusty Shackleford wrote:
> If I create an external group in freeIPA and add a user to that group, does
> that mean if that group exists on a host in /etc/group that the user will
> be a member of that group on that host? I've been trying to achieve that
> result but am failing and I don't know if I'm failing because I
> misunderstand what an external group is for, if I've missed a config option
> somewhere in freeipa or sssd, or if I'm simply using software that is too
> old. I'm using ipa-server-3.0.0-50.el6.centos.2 and sssd-1.13.3-22.el6_8.4
> from the centos 6 updates repo.

I think you are looking for:
https://sourceware.org/glibc/wiki/Proposals/GroupMerging



[Freeipa-users] external groups and /etc/group

2016-09-29 Thread Rusty Shackleford
If I create an external group in freeIPA and add a user to that group, does
that mean if that group exists on a host in /etc/group that the user will
be a member of that group on that host? I've been trying to achieve that
result but am failing and I don't know if I'm failing because I
misunderstand what an external group is for, if I've missed a config option
somewhere in freeipa or sssd, or if I'm simply using software that is too
old. I'm using ipa-server-3.0.0-50.el6.centos.2 and sssd-1.13.3-22.el6_8.4
from the centos 6 updates repo.

Re: [Freeipa-users] Replica created with expired certs

2016-09-29 Thread Natxo Asenjo
hi,

On Thu, Sep 29, 2016 at 2:11 PM, Rob Crittenden  wrote:

> Natxo Asenjo wrote:
>
>> hi Jim,
>>
>> On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard wrote:
>>
>> Thanks Rob, that worked.
>>
>> Still on the subject of certs, any idea how to solve this error:
>>
>> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
>> certificate/key database is in an old, unsupported format.
>>
>> I see that in the gui when querying hosts as well as from cli when I
>> ipa-show or ipa-find
>>
>>
>> I have had this too, and we did not find a solution (search my recent
>> posts on the archives). As a workaround I have created replicas and
>> decommissioned the older replicas.
>>
>
> On the one hand I'm glad this fixed it for you. On the other it is a
> rather unsatisfying answer. Unfortunately NSS doesn't always provide the
> most context with its error messages. This error is usually seen when one
> tries to open a non-existent database, which in this case is a very strange
> thing, especially since it goes from working to non-working in the same
> apache process over a few minutes.
>

I totally agree. I did not have enough time to investigate it further
because I'm changing jobs, so I really wanted to leave a working situation
behind me.

--
Groeten,
natxo

Re: [Freeipa-users] Freeipa-users Digest, Vol 98, Issue 84

2016-09-29 Thread Alexander Bokovoy

On to, 29 syys 2016, Sébastien Julliot wrote:

Hello everyone,


I am trying to integrate a samba server over my freeipa install. For the
moment, basics first,

the samba server is on the same machine as freeipa (which fqdn is
"freeipa2.ljll.math.upmc.fr").

Yet I am unable to make it work correctly following the official howto.

I must specify that I am running on an Ubuntu 16.04 server.

Here are the steps:

0) ipa-adtrust-install

   -> everything correct

No, it is not.

Read this:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249

All your errors are due to a mix of Heimdal and MIT Kerberos libraries in
the same process namespace.


There is no solution for Ubuntu atm.





--
/ Alexander Bokovoy



Re: [Freeipa-users] Freeipa-users Digest, Vol 98, Issue 84

2016-09-29 Thread Sébastien Julliot
Hello everyone,


I am trying to integrate a samba server over my freeipa install. For the
moment, basics first,

the samba server is on the same machine as freeipa (which fqdn is
"freeipa2.ljll.math.upmc.fr").

Yet I am unable to make it work correctly following the official howto.

I must specify that I am running on an Ubuntu 16.04 server.

Here are the steps:

0) ipa-adtrust-install

-> everything correct

1) installing required packages

-> needed to change the names to "apt-get install freeipa-client 
libwbclient-sssd samba samba-client" but worked fine

2) ipa-client-install --mkhomedir

-> as we are on the same server, ipa-client is already installed

3) ipa service-add cifs/freeipa2.ljll.math.upmc.fr

-> seems to be working fine, yet not doing it gives the exact same results 
later ..

4) ipa-getkeytab -s freeipa2.ljll.math.upmc.fr -p cifs/freeipa2.ljll.math.upmc.fr -k /etc/samba/samba.keytab

-> OK

5) Editing /etc/samba/smb.conf

6) enabling samba /home sharing -> no selinux here so nothing to do

7) restart samba -> OK

After getting a kerberos ticket, `smbclient -k -L freeipa2.ljll.math.upmc.fr` gives:

krb5_init_context failed (invalid argument)
smb_krb5_context_init_basic failed (invalid argument)
Failed to initialize kerberos context! (invalid argument)
session setup failed: NT_STATUS_NO_MEMORY

Editing /etc/samba/smb.conf to comment the `security = ads` line makes
it more verbose:

krb5_init_context failed (Argument invalide)
smb_krb5_context_init_basic failed (Argument invalide)
Domain=[LJLL] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
krb5_init_context failed (Argument invalide)
smb_krb5_context_init_basic failed (Argument invalide)
        print$          Disk      Printer Drivers
        shared          Disk      
        IPC$            IPC       IPC Service (freeipa2 server (Samba, Ubuntu))
krb5_init_context failed (Argument invalide)
smb_krb5_context_init_basic failed (Argument invalide)
Domain=[LJLL] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

        Server               Comment
        ---------            -------
        FREEIPA2             freeipa2 server (Samba, Ubuntu)

        Workgroup            Master
        ---------            -------
        LJLL


Does anyone have ideas how to solve this ?

Many thanks in advance,
Sebastien.

Re: [Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64

2016-09-29 Thread Prasun Gera
I need to set SELinux to enforcing to get the relevant SSSD logs, right ?

On Thu, Sep 29, 2016 at 3:42 AM, Sumit Bose  wrote:

> On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote:
> > I started seeing some selinux errors on one of my RHEL 7 clients recently
> > (possibly after a recent yum update ?), which prevents users from logging
> > in with passwords. I've put SELinux in permissive mode for now. Logs follow
>
> This sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1301686 .
> Would you mind adding your findings and the SSSD logs as described in
> https://bugzilla.redhat.com/show_bug.cgi?id=1301686#c2 to the bugzilla
> ticket.
>
> Thank you.
>
> bye,
> Sumit
>
> >
> >
> > SELinux is preventing /usr/libexec/sssd/krb5_child from read access on the
> > key Unknown.
> >
> > *****  Plugin catchall (100. confidence) suggests   **************************
> >
> > If you believe that krb5_child should be allowed read access on the Unknown
> > key by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do
> > allow this access for now by executing:
> > # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> >
> >
> > Additional Information:
> > Source Context                system_u:system_r:sssd_t:s0
> > Target Context                system_u:system_r:unconfined_service_t:s0
> > Target Objects                Unknown [ key ]
> > Source                        krb5_child
> > Source Path                   /usr/libexec/sssd/krb5_child
> > Port                          
> > Host                          
> > Source RPM Packages           sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Permissive
> > Host Name                     example.com
> > Platform                      Linux example.com 4.4.19-1.el7.x86_64
> >                               #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
> > Alert Count                   38
> > First Seen                    2016-09-28 18:37:43 EDT
> > Last Seen                     2016-09-28 22:08:41 EDT
> > Local ID                      aa5271fa-f708-46b0-a382-fb1f90ce8973
> > Raw Audit Messages
> > type=AVC msg=audit(1475114921.376:90787): avc:  denied  { read } for
> >  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0
> > tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key
> permissive=0
> >
> >
> > type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl
> > success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891
> pid=8272
> > auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053
> > suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053
> > fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child
> > exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0
> key=(null)
> >
> > Hash: krb5_child,sssd_t,unconfined_service_t,key,read
> >
> > 
> 
> >
> > SELinux is preventing /usr/libexec/sssd/krb5_child from view access on the
> > key Unknown.
> >
> > *  Plugin catchall (100. confidence) suggests
> > **
> >
> > If you believe that krb5_child should be allowed view access on the Unknown
> > key by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do
> > allow this access for now by executing:
> > # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> >
> >
> > Additional Information:
> > Source Context                system_u:system_r:sssd_t:s0
> > Target Context                system_u:system_r:unconfined_service_t:s0
> > Target Objects                Unknown [ key ]
> > Source                        krb5_child
> > Source Path                   /usr/libexec/sssd/krb5_child
> > Port                          
> > Host                          
> > Source RPM Packages           sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Permissive
> > Host Name                     example.com
> > Platform                      Linux example.com 4.4.19-1.el7.x86_64
> >                               #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
> > Alert Count                   10
> > First Seen                    2016-09-28 18:40:00 EDT
> > Last Seen                     2016-09-28 22:08:41 EDT
> > Local ID                      22ec0970-9447-444a-9631-69749e4e7226
> > Raw Audit Messages
> > type=AVC 
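To triage AVC records like the ones Prasun quotes above, here is an added example (not code from the thread or from SSSD) that parses raw audit lines, isolates the sssd_t krb5_child denials on the kernel-key class, and reports whether each access was actually blocked (permissive=0) or only logged after the switch to permissive mode. The sample audit lines are constructed after his.

```python
"""Triage SELinux AVC records for the krb5_child keyring denial seen above.
Added example; the sample audit lines are constructed, not captured."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: line 1 mirrors the AVC record from the thread (enforcing),
# line 2 is the same denial after the host was switched to permissive mode,
# line 3 is an unrelated denial that must not be flagged.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1475114921.376:90787): avc:  denied  { read } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=AVC msg=audit(1475120000.101:90900): avc:  denied  { view } for  pid=9001 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
type=AVC msg=audit(1475120050.500:90950): avc:  denied  { write } for  pid=9100 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

# Fields between comm= and scontext= (path=, name=, ...) vary by object class,
# so they are skipped lazily.  permissive= is optional on older kernels.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"\s+'
    r'(?:.*?\s)?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?'
)


@dataclass
class AvcDenial:
    timestamp: float
    serial: int
    perms: List[str]
    pid: int
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    enforced: bool  # True when permissive=0: the kernel really refused the access

    @property
    def sdomain(self) -> str:
        # SELinux type of the source, e.g. sssd_t in system_u:system_r:sssd_t:s0
        return self.scontext.split(":")[2]

    @property
    def ttype(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit line; returns None for non-AVC or unparseable lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A missing permissive= field is treated as enforced (the conservative reading).
    return AvcDenial(
        timestamp=float(m["ts"]), serial=int(m["serial"]),
        perms=m["perms"].split(), pid=int(m["pid"]), comm=m["comm"],
        scontext=m["scontext"], tcontext=m["tcontext"], tclass=m["tclass"],
        enforced=(m["permissive"] != "1"),
    )


def krb5_child_key_denials(log_text: str) -> List[AvcDenial]:
    """Denials matching the thread's signature: sssd_t's krb5_child refused
    access to a kernel keyring key owned by another domain."""
    out = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and d.comm == "krb5_child" and d.sdomain == "sssd_t" and d.tclass == "key":
            out.append(d)
    return out


def summarize(denials: List[AvcDenial]) -> List[str]:
    """One human-readable line per denial, stating whether it broke the login."""
    return [
        f"{d.comm}[{d.pid}] {d.sdomain}->{d.ttype} {d.tclass} {{ {' '.join(d.perms)} }} "
        f"{'BLOCKED' if d.enforced else 'logged only (permissive)'}"
        for d in denials
    ]


if __name__ == "__main__":
    for line in summarize(krb5_child_key_denials(SAMPLE_AUDIT_LOG)):
        print(line)
```

Only the entries reported as BLOCKED can explain a failed password login; the permissive ones are the evidence to attach to the bug report, not a cause.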

Re: [Freeipa-users] Certificate format error reported by GUI

2016-09-29 Thread Pavel Vomacka

Hello,

which version of FreeIPA do you use?

On 09/28/2016 12:42 AM, Jim Richard wrote:
When I try to look at hosts under the hosts tab. ipactl restart or 
just restarting httpd seems to clear it up for a short period.


Three replicas in the environment, it only happens when I look at 
hosts using the GUI at one of the three replicas.



Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
certificate/key database is in an old, unsupported format.



Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905
PlaceIQ: Location Data Accuracy

--
Pavel^3 Vomacka


Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Florence Blanc-Renaud

On 09/29/2016 02:12 PM, Rob Crittenden wrote:

beeth beeth wrote:

Hi Florence,

I previously tried option a) and failed(need to find out why later), but
I was able to successfully reinstall the server and the client with
option b), thanks a lot! So when it says "Installing Without a CA", it
means without an "embedded CA"(the IPA's own CA), is that right?

Another main problem comes up for option b): now I am going to install
the replica server(ipa2), if I do the same as I did before:

[root@ipa1 ~]# ipa-replica-prepare ipa2.example.com


copy the gpg file from ipa1 to ipa2

[root@ipa2 ~]# ipa-replica-install
/var/lib/ipa/replica-info-ipa2.example.com.gpg

Then I believe the Apache on ipa2(the replica server) will use the
Verisign certificate with the same hostname(DN): ipa1.example.com, NOT
ipa2.example.com, hence the users who visit
https://ipa2.example.com will experience security warning from the
browser, as expected...
What could be a solution for this?

Thanks again!


On Thu, Sep 29, 2016 at 6:03 AM, Florence Blanc-Renaud wrote:

On 09/29/2016 11:43 AM, beeth beeth wrote:

Thanks for the quick response Florence!

My goal is to use a 3rd party certificate(such as Verisign
cert) for
Web UI(company security requirement), in fact we are not
required to use
3rd party certificate for the LDAP server, but as I mentioned
earlier, I
couldn't make the new Verisign cert to work with the Web UI,
without
messing up the IPA function(after I updated the nss.conf to use
the new
cert in the /etc/httpd/alias db, the ipa_client_install failed).
So I
tried to follow the Redhat instruction, to see if I can get the
Verisign
cert installed at the most beginning, without using FreeIPA's
own/default certificate), but I got the CSR question.

I did install IPA without a CA, by following the instruction at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
but failed to restart HTTPD. When and how can I provide the
3rd-party
certificate? Could you please point me a document about the
detail?

Hi,

you need first to clarify if you want FreeIPA to act as a CA or not.
The setup will depend on this choice.

- option a) FreeIPA with an embedded CA:
you can install FreeIPA with a self-signed CA, then follow the
instructions at

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP


in order to replace the WebUI certificate. Please note that there
were some bugs in ipa-server-certinstall, preventing httpd from
starting (Ticket #4786 [1]). The workaround is to manually update
nss.conf (as you did) and manually import the CA certificate into
/etc/pki/pki-tomcat/alias, for instance with
$ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname
-t C,,


- option b) Free IPA without CA
the installation instructions are in Installing without a CA [2].
You will provide the certificate that will be used by both the LDAP
server and the WebUI in the command options.


You'd need either a separate certificate or one with multiple subject
alternative names, one for each master. I also imagine you'd need to
provide this certificate at replica preparation time if you've installed
without a CA.

Yes, that's right. You can use the command ipa-replica-prepare with the 
options --dirsrv-cert-file / --dirsrv-pin and --http-cert-file / 
--http-pin to provide the replica's certificate and key. They will be 
embedded in the replica file and used during the replica installation.


Flo.


rob



HTH,
Flo.

[1] https://fedorahosted.org/freeipa/ticket/4786

[2]

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca













Re: [Freeipa-users] Sudo Rule not working

2016-09-29 Thread Jeff Goddard
I had a similar issue. To see the details and solution search the list for:
Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1


Jeff

On Thu, Sep 29, 2016 at 4:22 AM, Deepak Dimri 
wrote:

> Hi All,
>
> I have added sudo rule  having allowed command for sudo su for a test
> user. When i login with this test user to my IPA client (ubuntu). I am
> getting a message that "the user is not in the sudoers file.  This
> incident will be reported." and it works fine if i add the user to sudoers
> file then the user can switch to sudo and is able to run all the commands
> even the commands i have included in "deny" list in my IPA server.
>
>
> Do we need to have  user/group added sudoers list for IPA sudo rule to
> work? if so then how can i make it work with IPA sudo rules?
>
>
> Thanks,
>
> Deepak
>
>
>

Re: [Freeipa-users] oVirt 3.6 and Fedora 24: How to change display resolution from 1024 x 768?

2016-09-29 Thread Richard Harmonson
Sorry folks! Sent to the wrong list.

Please disregard.

On Thu, Sep 29, 2016 at 6:10 AM, Richard Harmonson <
richard.harmon...@gmail.com> wrote:

> I am unable to change the display for a Fedora 24 Workstation using Gnome
> 3.20 from its default 1024 x 768. I, also, tried a number of spins but the
> behavior persist. Installing on a physical desktop does not reproduce the
> symptom. Installing CentOS 7 does not reproduce the symptom.
>
> Under the virtual machine "Applications" it shows:
>
> kernel-4.7.4-200.fc24
> ovirt-guest-agent-common-1.0.12-3.fc24
> xorg-x11-drv-qxl-0.1.4-7.fc24
>

[Freeipa-users] oVirt 3.6 and Fedora 24: How to change display resolution from 1024 x 768?

2016-09-29 Thread Richard Harmonson
I am unable to change the display for a Fedora 24 Workstation using Gnome
3.20 from its default 1024 x 768. I, also, tried a number of spins but the
behavior persist. Installing on a physical desktop does not reproduce the
symptom. Installing CentOS 7 does not reproduce the symptom.

Under the virtual machine "Applications" it shows:

kernel-4.7.4-200.fc24
ovirt-guest-agent-common-1.0.12-3.fc24
xorg-x11-drv-qxl-0.1.4-7.fc24

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Rob Crittenden

beeth beeth wrote:

Hi Florence,

I previously tried option a) and failed(need to find out why later), but
I was able to successfully reinstall the server and the client with
option b), thanks a lot! So when it says "Installing Without a CA", it
means without an "embedded CA"(the IPA's own CA), is that right?

Another main problem comes up for option b): now I am going to install
the replica server(ipa2), if I do the same as I did before:

[root@ipa1 ~]# ipa-replica-prepare ipa2.example.com


copy the gpg file from ipa1 to ipa2

[root@ipa2 ~]# ipa-replica-install
/var/lib/ipa/replica-info-ipa2.example.com.gpg

Then I believe the Apache on ipa2(the replica server) will use the
Verisign certificate with the same hostname(DN): ipa1.example.com, NOT
ipa2.example.com, hence the users who visit
https://ipa2.example.com will experience security warning from the
browser, as expected...
What could be a solution for this?

Thanks again!


On Thu, Sep 29, 2016 at 6:03 AM, Florence Blanc-Renaud wrote:

On 09/29/2016 11:43 AM, beeth beeth wrote:

Thanks for the quick response Florence!

My goal is to use a 3rd party certificate(such as Verisign
cert) for
Web UI(company security requirement), in fact we are not
required to use
3rd party certificate for the LDAP server, but as I mentioned
earlier, I
couldn't make the new Verisign cert to work with the Web UI, without
messing up the IPA function(after I updated the nss.conf to use
the new
cert in the /etc/httpd/alias db, the ipa_client_install failed).
So I
tried to follow the Redhat instruction, to see if I can get the
Verisign
cert installed at the most beginning, without using FreeIPA's
own/default certificate), but I got the CSR question.

I did install IPA without a CA, by following the instruction at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
but failed to restart HTTPD. When and how can I provide the
3rd-party
certificate? Could you please point me a document about the detail?

Hi,

you need first to clarify if you want FreeIPA to act as a CA or not.
The setup will depend on this choice.

- option a) FreeIPA with an embedded CA:
you can install FreeIPA with a self-signed CA, then follow the
instructions at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

in order to replace the WebUI certificate. Please note that there
were some bugs in ipa-server-certinstall, preventing httpd from
starting (Ticket #4786 [1]). The workaround is to manually update
nss.conf (as you did) and manually import the CA certificate into
/etc/pki/pki-tomcat/alias, for instance with
$ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname
-t C,,


- option b) Free IPA without CA
the installation instructions are in Installing without a CA [2].
You will provide the certificate that will be used by both the LDAP
server and the WebUI in the command options.


You'd need either a separate certificate or one with multiple subject 
alternative names, one for each master. I also imagine you'd need to 
provide this certificate at replica preparation time if you've installed 
without a CA.


rob



HTH,
Flo.

[1] https://fedorahosted.org/freeipa/ticket/4786

[2]

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca









Re: [Freeipa-users] Replica created with expired certs

2016-09-29 Thread Rob Crittenden

Natxo Asenjo wrote:

hi Jim,

On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard wrote:

Thanks Rob, that worked.

Still on the subject of certs, any idea how to solve this error:

Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.

I see that in the gui when querying hosts as well as from cli when I
ipa-show or ipa-find


I have had this too, and we did not find a solution (search my recent
posts on the archives). As a workaround I have created replicas and
decommissioned the older replicas.


On the one hand I'm glad this fixed it for you. On the other it is a 
rather unsatisfying answer. Unfortunately NSS doesn't always provide the 
most context with its error messages. This error is usually seen when 
one tries to open a non-existent database, which in this case is a very 
strange thing, especially since it goes from working to non-working in 
the same apache process over a few minutes.


I'm not sure how I'd troubleshoot this if it were easily reproducible. I 
suspect we'd need to figure out which database cannot be found (most 
likely /etc/httpd/alias) and go from there. An strace is a brute-force 
way to see the file open but finding the right process to attach to is a 
bit of an art.


rob



Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread beeth beeth
Hi Florence,

I previously tried option a) and failed(need to find out why later), but I
was able to successfully reinstall the server and the client with option
b), thanks a lot! So when it says "Installing Without a CA", it means
without an "embedded CA"(the IPA's own CA), is that right?

Another main problem comes up for option b): now I am going to install the
replica server(ipa2), if I do the same as I did before:

[root@ipa1 ~]# ipa-replica-prepare ipa2.example.com

copy the gpg file from ipa1 to ipa2

[root@ipa2 ~]# ipa-replica-install
/var/lib/ipa/replica-info-ipa2.example.com.gpg

Then I believe the Apache on ipa2(the replica server) will use the Verisign
certificate with the same hostname(DN): ipa1.example.com, NOT
ipa2.example.com, hence the users who visit https://ipa2.example.com will
experience security warning from the browser, as expected...
What could be a solution for this?

Thanks again!


On Thu, Sep 29, 2016 at 6:03 AM, Florence Blanc-Renaud 
wrote:

> On 09/29/2016 11:43 AM, beeth beeth wrote:
>
>> Thanks for the quick response Florence!
>>
>> My goal is to use a 3rd party certificate(such as Verisign cert) for
>> Web UI(company security requirement), in fact we are not required to use
>> 3rd party certificate for the LDAP server, but as I mentioned earlier, I
>> couldn't make the new Verisign cert to work with the Web UI, without
>> messing up the IPA function(after I updated the nss.conf to use the new
>> cert in the /etc/httpd/alias db, the ipa_client_install failed). So I
>> tried to follow the Redhat instruction, to see if I can get the Verisign
>> cert installed at the most beginning, without using FreeIPA's
>> own/default certificate), but I got the CSR question.
>>
>> I did install IPA without a CA, by following the instruction at
>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
>> but failed to restart HTTPD. When and how can I provide the 3rd-party
>> certificate? Could you please point me a document about the detail?
>>
> Hi,
>
> you need first to clarify if you want FreeIPA to act as a CA or not. The
> setup will depend on this choice.
>
> - option a) FreeIPA with an embedded CA:
> you can install FreeIPA with a self-signed CA, then follow the
> instructions at https://www.freeipa.org/page/U
> sing_3rd_part_certificates_for_HTTP/LDAP in order to replace the WebUI
> certificate. Please note that there were some bugs in
> ipa-server-certinstall, preventing httpd from starting (Ticket #4786 [1]).
> The workaround is to manually update nss.conf (as you did) and manually
> import the CA certificate into /etc/pki/pki-tomcat/alias, for instance with
> $ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,,
>
>
> - option b) Free IPA without CA
> the installation instructions are in Installing without a CA [2]. You will
> provide the certificate that will be used by both the LDAP server and the
> WebUI in the command options.
>
> HTH,
> Flo.
>
> [1] https://fedorahosted.org/freeipa/ticket/4786
> [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterp
> rise_Linux/7/html/Linux_Domain_Identity_Authentication_and_
> Policy_Guide/install-server.html#install-server-without-ca
>

Re: [Freeipa-users] another certmonger question

2016-09-29 Thread Rob Crittenden

Natxo Asenjo wrote:



On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden wrote:


It's hard to say, it may in fact not be a problem.

It is really a matter of what service the certificate(s) are related
to. I'd look at the serial numbers and then correlate those to the
issued certificates.

I'd also do a service-find on the hostname to see if any services
have certificates issued and with what serial numbers.


I agree, it could be that. But just for testing I have created a vm,
joined it to the domain and resubmitted the certificate.

Now there are two valid host certificates with the same subject:


  $ ipa cert-find --subject=throwaway.unix.iriszorg.nl

--
2 certificates matched
--
   Serial number (hex): 0x3FFE0002
   Serial number: 1073610754
   Status: VALID
   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL


   Serial number (hex): 0x3FFE0003
   Serial number: 1073610755
   Status: VALID
   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL


Number of entries returned 2



So certmonger in this centos 6.8 32bit host is renewing but not
having the old certificate revoked.


I'd check the Apache log to find the cert_request call to see if you can 
see if there are any issues raised. It should be doing a cert_revoke at 
the same time.


Can you should how this certificate is being tracked?

rob



Re: [Freeipa-users] another certmonger question

2016-09-29 Thread Natxo Asenjo
On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden  wrote:

>
> It's hard to say, it may in fact not be a problem.
>
> It is really a matter of what service the certificate(s) are related to.
> I'd look at the serial numbers and then correlate those to the issued
> certificates.
>
> I'd also do a service-find on the hostname to see if any services have
> certificates issued and with what serial numbers.
>

I agree, it could be that. But just for testing I have created a vm, joined
it to the domain and resubmitted the certificate.

Now there are two valid host certificates with the same subject:


 $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
--
2 certificates matched
--
  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

Number of entries returned 2



So certmonger in this centos 6.8 32bit host is renewing but not having
the old certificate revoked.

--
Groeten,
natxo
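As an added example (not Natxo's or FreeIPA's code), a small parser over `ipa cert-find` output that flags any subject holding more than one VALID certificate, which is the symptom above, and lists the superseded serials an administrator would then correlate with the tracking request before deciding to revoke. The sample output is constructed from the two entries he posted.

```python
"""Find subjects with more than one VALID certificate in `ipa cert-find` output.
Added example; SAMPLE_CERT_FIND is constructed from the entries in the thread."""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_CERT_FIND = """\
--
2 certificates matched
--
  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

Number of entries returned 2
"""

# Indented "Key: value" lines; the key stops at the first colon so that
# "Serial number (hex): 0x..." and "Subject: CN=...,O=..." both parse.
FIELD_RE = re.compile(r'^\s+(?P<key>[^:]+):\s*(?P<value>.*)$')


def parse_cert_find(text: str) -> List[Dict[str, str]]:
    """Split the indented key/value blocks into one dict per certificate;
    blank or unindented lines end an entry."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current[m["key"].strip()] = m["value"].strip()
        elif current:
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries


def duplicate_valid_subjects(text: str) -> Dict[str, List[int]]:
    """Map each subject with more than one VALID certificate to the decimal
    serial numbers involved, lowest (oldest issuance) first."""
    by_subject: Dict[str, List[int]] = defaultdict(list)
    for entry in parse_cert_find(text):
        if entry.get("Status") == "VALID" and "Subject" in entry:
            by_subject[entry["Subject"]].append(int(entry["Serial number"]))
    return {subj: sorted(serials) for subj, serials in by_subject.items()
            if len(serials) > 1}


def superseded_serials(text: str) -> Dict[str, List[int]]:
    """Every VALID serial for a duplicated subject except the newest one.
    These are the candidates a renewal should have revoked; confirm against
    the certmonger tracking request before acting on them."""
    return {subj: serials[:-1] for subj, serials in duplicate_valid_subjects(text).items()}


if __name__ == "__main__":
    for subj, serials in superseded_serials(SAMPLE_CERT_FIND).items():
        print(f"{subj}: still valid but superseded: {serials}")
```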

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Deepak Dimri
Thanks, Florence


It works now.. my /etc/sssd/sssd.conf was missing with sudo service.. adding 
below line fixed the issue

services = nss, sudo, pam, ssh


Many Thanks Again!


Best Regards,

Deepak



From: freeipa-users-boun...@redhat.com  on 
behalf of Florence Blanc-Renaud 
Sent: Thursday, September 29, 2016 6:03 AM
To: beeth beeth
Cc: Freeipa-users
Subject: Re: [Freeipa-users] Install IPA Servers with third-party 
certificate(external CA)

On 09/29/2016 11:43 AM, beeth beeth wrote:
> Thanks for the quick response Florence!
>
> My goal is to use a 3rd party certificate(such as Verisign cert) for
> Web UI(company security requirement), in fact we are not required to use
> 3rd party certificate for the LDAP server, but as I mentioned earlier, I
> couldn't make the new Verisign cert to work with the Web UI, without
> messing up the IPA function(after I updated the nss.conf to use the new
> cert in the /etc/httpd/alias db, the ipa_client_install failed). So I
> tried to follow the Redhat instruction, to see if I can get the Verisign
> cert installed at the most beginning, without using FreeIPA's
> own/default certificate), but I got the CSR question.
>
> I did install IPA without a CA, by following the instruction at
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
> but failed to restart HTTPD. When and how can I provide the 3rd-party
> certificate? Could you please point me a document about the detail?
Hi,

you need first to clarify if you want FreeIPA to act as a CA or not. The
setup will depend on this choice.

- option a) FreeIPA with an embedded CA:
you can install FreeIPA with a self-signed CA, then follow the
instructions at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
in order to replace the WebUI certificate. Please note that there were
some bugs in ipa-server-certinstall, preventing httpd from starting
(Ticket #4786 [1]). The workaround is to manually update nss.conf (as
you did) and manually import the CA certificate into
/etc/pki/pki-tomcat/alias, for instance with
$ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,,


- option b) Free IPA without CA
the installation instructions are in Installing without a CA [2]. You
will provide the certificate that will be used by both the LDAP server
and the WebUI in the command options.

HTH,
Flo.

[1] https://fedorahosted.org/freeipa/ticket/4786
[2]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca

> Thanks again!
>
>
> On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud wrote:
>
> Hi,
>
> The instructions that you followed are used when you want to install
> FreeIPA with an embedded Certificate Authority (ie FreeIPA is able
> to issue certificates), and FreeIPA CA is signed by a 3rd party CA.
>
> Maybe your goal is just to use a 3rd party certificate for IPA's
> LDAP server and Web UI. In this case, you do not need to install
> FreeIPA with an embedded CA. You can follow the instructions for
> Installing without a CA [1], where you will need to provide a
> 3rd-part certificate.
>
> Hope this clarifies,
> Flo.
>
> [1]
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca
> 
> 
>
>
>
> On 09/29/2016 11:03 AM, beeth beeth wrote:
>
> I am trying to set up IPA servers with Verisign certificate, so
> that the
> Admin Web console can use public signed certificate to meet
> company's
> security requirement. But when I try to follow Red Hat's
> instructions at
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca
> 
> 
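As an added example (not part of the thread or of SSSD), a check and in-place fix for the sssd.conf defect Deepak describes: it reports when the `[sssd]` services line lacks `sudo`, which leaves the client unable to fetch IPA sudo rules however they are defined on the server, and appends the service without disturbing the rest of the file. The sample sssd.conf is constructed.

```python
"""Check and repair the `[sssd] services` line for IPA sudo rules.
Added example; SAMPLE_SSSD_CONF is a constructed config, not a real host's."""
import configparser
import re
from typing import List

# Constructed sample showing the defect from the thread: sudo is not a service.
SAMPLE_SSSD_CONF = """\
[domain/example.com]
id_provider = ipa
ipa_server = ipa1.example.com
ipa_domain = example.com
cache_credentials = True

[sssd]
services = nss, pam, ssh
domains = example.com

[sudo]
"""

# nss and pam are needed for identity/auth; sudo is the responder that hands
# rules to the sudo binary (nsswitch.conf must also list "sudoers: files sss").
REQUIRED_FOR_IPA_SUDO = ("nss", "pam", "sudo")


def _load(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names case-sensitive, as sssd does
    cp.read_string(text)
    return cp


def enabled_services(text: str) -> List[str]:
    raw = _load(text).get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def sudo_findings(text: str) -> List[str]:
    """Explain why IPA sudo rules would not reach this client."""
    cp = _load(text)
    findings = []
    services = enabled_services(text)
    for svc in REQUIRED_FOR_IPA_SUDO:
        if svc not in services:
            findings.append(f"[sssd] services lacks '{svc}'")
    for section in cp.sections():
        # With id_provider = ipa the sudo provider is inherited unless disabled.
        if section.startswith("domain/") and cp.get(section, "sudo_provider", fallback=None) == "none":
            findings.append(f"{section}: sudo_provider is explicitly disabled")
    return findings


def add_sudo_service(text: str) -> str:
    """Return the config with `sudo` appended to [sssd] services, touching
    only that line so comments and ordering elsewhere survive."""
    if "sudo" in enabled_services(text):
        return text
    out, section, done = [], None, False
    for line in text.splitlines():
        m = re.match(r'^\[(.+)\]\s*$', line)
        if m:
            if section == "sssd" and not done:  # [sssd] had no services line
                out.append("services = sudo")
                done = True
            section = m.group(1)
        elif section == "sssd" and not done and re.match(r'^\s*services\s*=', line):
            key, _, val = line.partition("=")
            val = val.strip()
            line = f"{key.rstrip()} = {val + ', sudo' if val else 'sudo'}"
            done = True
        out.append(line)
    if section == "sssd" and not done:  # [sssd] was the last section
        out.append("services = sudo")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", sudo_findings(SAMPLE_SSSD_CONF))
    print("after: ", sudo_findings(add_sudo_service(SAMPLE_SSSD_CONF)))
```

After editing, sssd must be restarted for the new responder to start; the file must stay mode 0600 and owned by root or sssd refuses to load it.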

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Florence Blanc-Renaud

On 09/29/2016 11:43 AM, beeth beeth wrote:

Thanks for the quick response Florence!

My goal is to use a 3rd party certificate(such as Verisign cert) for
Web UI(company security requirement), in fact we are not required to use
3rd party certificate for the LDAP server, but as I mentioned earlier, I
couldn't make the new Verisign cert to work with the Web UI, without
messing up the IPA function(after I updated the nss.conf to use the new
cert in the /etc/httpd/alias db, the ipa_client_install failed). So I
tried to follow the Redhat instruction, to see if I can get the Verisign
cert installed at the most beginning, without using FreeIPA's
own/default certificate), but I got the CSR question.

I did install IPA without a CA, by following the instruction at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
but failed to restart HTTPD. When and how can I provide the 3rd-party
certificate? Could you please point me a document about the detail?

Hi,

you need first to clarify if you want FreeIPA to act as a CA or not. The 
setup will depend on this choice.


- option a) FreeIPA with an embedded CA:
you can install FreeIPA with a self-signed CA, then follow the 
instructions at 
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP 
in order to replace the WebUI certificate. Please note that there were 
some bugs in ipa-server-certinstall, preventing httpd from starting 
(Ticket #4786 [1]). The workaround is to manually update nss.conf (as 
you did) and manually import the CA certificate into 
/etc/pki/pki-tomcat/alias, for instance with

$ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,,


- option b) Free IPA without CA
the installation instructions are in Installing without a CA [2]. You 
will provide the certificate that will be used by both the LDAP server 
and the WebUI in the command options.


HTH,
Flo.

[1] https://fedorahosted.org/freeipa/ticket/4786
[2] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca



Thanks again!


On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud wrote:

Hi,

The instructions that you followed are used when you want to install
FreeIPA with an embedded Certificate Authority (ie FreeIPA is able
to issue certificates), and FreeIPA CA is signed by a 3rd party CA.

Maybe your goal is just to use a 3rd party certificate for IPA's
LDAP server and Web UI. In this case, you do not need to install
FreeIPA with an embedded CA. You can follow the instructions for
Installing without a CA [1], where you will need to provide a
3rd-part certificate.

Hope this clarifies,
Flo.

[1]

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca





On 09/29/2016 11:03 AM, beeth beeth wrote:

I am trying to set up IPA servers with Verisign certificate, so
that the
Admin Web console can use public signed certificate to meet
company's
security requirement. But when I try to follow Red Hat's
instructions at

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca,

2.3.5. Installing a Server with an External CA as the Root CA,
at the first step it says to generate CSR by adding the
--external-ca
option to the ipa-server-install utility, which does generate a
CSR at
/root/ipa.csr. However, the ipa-server-install command in fact
doesn't
ask for Distinguished Name (DN) or the organization info(like
country,
state, etc.), which are required in the CSR. Without a valid CSR
file, I
can't request for new Verisign certs. Did I miss something?

Originally I once tried to change the default certificate for
Apache(the
Web Admin console) ONLY to the Verisign one, by adding the
certificates
to the /etc/httpd/alias database with the command:
  # ipa-server-certinstall -w --http_pin=test verisign.pk12
And updated the nss.conf for httpd, so that the new Nickname is
used to
point to the Verisign certs. That worked well for the website.
However,
the IPA client installation failed after 

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread beeth beeth
Ok, I will try out the "2.3.6. Installing Without a CA", and keep you
posted.
BTW, I noticed that the key needs to be encrypted, is that true?
Thanks!

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread beeth beeth
Thanks for the quick response Florence!

My goal is to use a 3rd-party certificate (such as a Verisign cert) for the Web
UI (company security requirement); in fact we are not required to use a
3rd-party certificate for the LDAP server, but as I mentioned earlier, I
couldn't make the new Verisign cert work with the Web UI without messing up
the IPA function (after I updated nss.conf to use the new cert in the
/etc/httpd/alias db, ipa-client-install failed). So I tried to follow the Red
Hat instructions, to see if I could get the Verisign cert installed at the very
beginning, without using FreeIPA's own/default certificate, but I ran into the
CSR question.

I did install IPA without a CA, by following the instructions at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP, but
failed to restart httpd. When and how can I provide the 3rd-party
certificate? Could you please point me to a document with the details? Thanks
again!



Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread beeth beeth
Also, I once followed the instructions in "Using 3rd part certificates
for HTTP/LDAP" at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
for my environment (IPA 4.2 on RHEL7):

# ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
# ipa-certupdate
# ipa-server-certinstall -w -d mysite.key mysite.crt
# systemctl restart httpd.service
# systemctl restart dirsrv@MY-REALM.service

It failed at the step to restart httpd.service.

Thanks!



Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Florence Blanc-Renaud

Hi,

The instructions that you followed are used when you want to install 
FreeIPA with an embedded Certificate Authority (i.e. FreeIPA is able to 
issue certificates), and the FreeIPA CA is signed by a 3rd-party CA.


Maybe your goal is just to use a 3rd-party certificate for IPA's LDAP 
server and Web UI. In this case, you do not need to install FreeIPA with 
an embedded CA. You can follow the instructions for Installing without a 
CA [1], where you will need to provide a 3rd-party certificate.


Hope this clarifies,
Flo.

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca





[Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread beeth beeth
I am trying to set up IPA servers with a Verisign certificate, so that the
Admin Web console can use a publicly signed certificate to meet the company's
security requirement. But when I try to follow Red Hat's instructions at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca,

2.3.5. Installing a Server with an External CA as the Root CA,
the first step says to generate a CSR by adding the --external-ca
option to the ipa-server-install utility, which does generate a CSR at
/root/ipa.csr. However, the ipa-server-install command in fact doesn't ask
for the Distinguished Name (DN) or the organization info (like country, state,
etc.), which are required in the CSR. Without a valid CSR file, I can't
request new Verisign certs. Did I miss something?

Originally I once tried to change the default certificate for Apache (the
Web Admin console) ONLY to the Verisign one, by adding the certificates to
the /etc/httpd/alias database with the command:
  # ipa-server-certinstall -w --http_pin=test verisign.pk12
and updated nss.conf for httpd, so that the new nickname is used to
point to the Verisign certs. That worked well for the website. However, the
IPA client installation failed after that for "ipa-client-install":

ERROR Joining realm failed: libcurl failed to execute the HTTP POST
transaction, explaining:  Peer's certificate issuer has been marked as not
trusted by the user.

Even though I also tried to update the certificate for the Directory
service (ipa-server-certinstall -d ... ), the client installation still
failed. I believe the new Verisign cert messed up the communication of the
IPA components. Then I thought of installing the IPA server from scratch
with the Verisign cert, but then I hit the CSR problem described above.

Please advise. Thanks!

[Freeipa-users] Unspecified GSS failure: No credentials cache found

2016-09-29 Thread Detlev Habicht
Hi all,

Based on the Red Hat docs I set up a Kerberized NFS server with IPA and, of
course, a lot of clients.
The IPA services are running on their own host. The servers are running
Scientific Linux and the clients Fedora.

Samba and NFS are running well, I think. I see no problems.

But I see a lot of these messages on the server and also on the clients:

Sep 29 10:50:34 sorix gssproxy: gssproxy[1013]: (OID: { 1 2 840 113554 1 2 2 }) 
Unspecified GSS failure.  Minor code may provide more information, No 
credentials cache found
Sep 29 10:50:34 sorix gssproxy: gssproxy[1013]: (OID: { 1 2 840 113554 1 2 2 }) 
Unspecified GSS failure.  Minor code may provide more information, No 
credentials cache found
Sep 29 10:50:34 sorix gssproxy: gssproxy[1013]: (OID: { 1 2 840 113554 1 2 2 }) 
Unspecified GSS failure.  Minor code may provide more information, No 
credentials cache found
Sep 29 10:50:34 sorix gssproxy: gssproxy[1013]: (OID: { 1 2 840 113554 1 2 2 }) 
Unspecified GSS failure.  Minor code may provide more information, No 
credentials cache found


What is wrong?

Thank you for any help!

Detlev



--
  Detlev  | Institut fuer Mikroelektronische Systeme
  Habicht | D-30167 Hannover +49 511 76219662 habi...@ims.uni-hannover.de
  + Handy+49 172 5415752  ---




Re: [Freeipa-users] Sudo Rule not working

2016-09-29 Thread Jakub Hrozek

Please check out:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO



[Freeipa-users] Sudo Rule not working

2016-09-29 Thread Deepak Dimri
Hi All,

I have added a sudo rule with an allowed command of "sudo su" for a test user.
When I log in with this test user to my IPA client (Ubuntu), I get the
message "the user is not in the sudoers file.  This incident will be
reported." It works fine if I add the user to the sudoers file, but then the
user can switch with sudo and is able to run all the commands, even the
commands I have included in the "deny" list on my IPA server.


Do we need to have the user/group added to the sudoers list for the IPA sudo
rule to work? If so, then how can I make it work with IPA sudo rules?


Thanks,

Deepak

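The sudo thread above ends with a pointer to the SSSD sudo troubleshooting HOWTO. As an added example that is not part of the thread or of SSSD itself, the POSIX shell script below performs offline the two client-side checks a practitioner does first when IPA sudo rules are ignored and the user falls back to /etc/sudoers: whether /etc/nsswitch.conf routes the sudoers database through sss, and whether the sudo responder is listed in services= in the [sssd] section of sssd.conf. The configuration files it inspects are constructed samples, not the poster's; the function names (check_client, nsswitch_has_sss_sudoers, sssd_sudo_enabled) and the example.com domain are mine.

```sh
#!/bin/sh
# Added example, not from the thread: offline checks for the two client-side
# settings without which sudo never asks SSSD for IPA sudo rules, so the user
# falls back to /etc/sudoers and sees "not in the sudoers file".
set -u

# nsswitch_has_sss_sudoers FILE -> 0 if the "sudoers:" line lists the sss source
nsswitch_has_sss_sudoers() {
  sed 's/#.*//' "$1" | awk '
    $1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
    END { exit found ? 0 : 1 }'
}

# sssd_sudo_enabled FILE -> 0 if "services =" in the [sssd] section includes sudo
sssd_sudo_enabled() {
  sed 's/[#;].*//' "$1" | awk '
    /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/) }
    in_sssd && /^[ \t]*services[ \t]*=/ {
      sub(/^[^=]*=/, ""); gsub(/,/, " ")   # keep the value only, one token per service
      for (i = 1; i <= NF; i++) if ($i == "sudo") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# check_client NSSWITCH_CONF SSSD_CONF -> one line per check, returns 0 if both pass
check_client() {
  rc=0
  if nsswitch_has_sss_sudoers "$1"; then
    echo "ok    $1: sudoers database is served by sss"
  else
    echo "FAIL  $1: add sss to the 'sudoers:' line (e.g. 'sudoers: files sss')"; rc=1
  fi
  if sssd_sudo_enabled "$2"; then
    echo "ok    $2: sudo responder enabled in [sssd]"
  else
    echo "FAIL  $2: add sudo to 'services =' in the [sssd] section, then restart sssd"; rc=1
  fi
  return $rc
}

# Constructed samples: a client in the state the poster describes, and the same
# client after both fixes. On a real host pass /etc/nsswitch.conf and
# /etc/sssd/sssd.conf to check_client instead.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/nsswitch.broken" <<'EOF'
passwd:     files sss
group:      files sss
# sudo never reaches SSSD here: only the local file is consulted
sudoers:    files
EOF
cat > "$work/sssd.broken" <<'EOF'
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
EOF
cat > "$work/nsswitch.fixed" <<'EOF'
passwd:     files sss
group:      files sss
sudoers:    files sss
EOF
cat > "$work/sssd.fixed" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
; sudo_provider defaults to the id_provider (ipa) when left unset
EOF

echo "--- before:"
check_client "$work/nsswitch.broken" "$work/sssd.broken" || true
echo "--- after:"
check_client "$work/nsswitch.fixed" "$work/sssd.fixed"
```

Both checks passing only means sudo will ask SSSD; whether the rule itself matches (user, host, command) is the next step and is what the SSSD debug logs in the HOWTO are for. Adding the user to /etc/sudoers, as the poster did, masks the problem because sudo then never needs the sss source at all.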

Re: [Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64

2016-09-29 Thread Sumit Bose
On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote:
> I started seeing some selinux errors on one of my RHEL 7 clients recently
> (possibly after a recent yum update ?), which prevents users from logging
> in with passwords. I've put SELinux in permissive mode for now. Logs follow

This sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1301686 .
Would you mind adding your findings and the SSSD logs as described in
https://bugzilla.redhat.com/show_bug.cgi?id=1301686#c2 to the bugzilla
ticket?

Thank you.

bye,
Sumit

> 
> 
> SELinux is preventing /usr/libexec/sssd/krb5_child from read access on the
> key Unknown.
> 
> *  Plugin catchall (100. confidence) suggests
> **
> 
> If you believe that krb5_child should be allowed read access on the Unknown
> key by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> 
> Additional Information:
> Source Context        system_u:system_r:sssd_t:s0
> Target Context        system_u:system_r:unconfined_service_t:s0
> Target Objects        Unknown [ key ]
> Source                krb5_child
> Source Path           /usr/libexec/sssd/krb5_child
> Port
> Host
> Source RPM Packages   sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> Target RPM Packages
> Policy RPM            selinux-policy-3.13.1-60.el7_2.9.noarch
> Selinux Enabled       True
> Policy Type           targeted
> Enforcing Mode        Permissive
> Host Name             example.com
> Platform              Linux example.com 4.4.19-1.el7.x86_64
>                       #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
> Alert Count           38
> First Seen            2016-09-28 18:37:43 EDT
> Last Seen             2016-09-28 22:08:41 EDT
> Local ID              aa5271fa-f708-46b0-a382-fb1f90ce8973
> Raw Audit Messages
> type=AVC msg=audit(1475114921.376:90787): avc:  denied  { read } for
>  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
> 
> 
> type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl
> success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891 pid=8272
> auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053
> suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053
> fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child
> exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
> 
> Hash: krb5_child,sssd_t,unconfined_service_t,key,read
> 
> 
> 
> SELinux is preventing /usr/libexec/sssd/krb5_child from view access on the
> key Unknown.
> 
> *  Plugin catchall (100. confidence) suggests
> **
> 
> If you believe that krb5_child should be allowed view access on the Unknown
> key by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> 
> Additional Information:
> Source Context        system_u:system_r:sssd_t:s0
> Target Context        system_u:system_r:unconfined_service_t:s0
> Target Objects        Unknown [ key ]
> Source                krb5_child
> Source Path           /usr/libexec/sssd/krb5_child
> Port
> Host
> Source RPM Packages   sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> Target RPM Packages
> Policy RPM            selinux-policy-3.13.1-60.el7_2.9.noarch
> Selinux Enabled       True
> Policy Type           targeted
> Enforcing Mode        Permissive
> Host Name             example.com
> Platform              Linux example.com 4.4.19-1.el7.x86_64
>                       #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
> Alert Count           10
> First Seen            2016-09-28 18:40:00 EDT
> Last Seen             2016-09-28 22:08:41 EDT
> Local ID              22ec0970-9447-444a-9631-69749e4e7226
> Raw Audit Messages
> type=AVC msg=audit(1475114921.376:90789): avc:  denied  { view } for
>  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
> 
> 
> type=SYSCALL msg=audit(1475114921.376:90789): arch=x86_64 syscall=keyctl
> success=no exit=EACCES a0=6 a1=2e1c07f1 a2=0 a3=0 items=0 ppid=891 pid=8272
> auid=4294967295 uid=1388200053 
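The sealert output quoted above suggests feeding audit.log through audit2allow. As an added example that is not part of the thread, of SSSD or of the SELinux tooling, the Python script below does the same reduction offline: it parses raw AVC records, skips everything else (SYSCALL records included), merges denials by (source type, target type, class) and renders them as allow rules. The input is a constructed sample built from the two AVC lines quoted in the thread; parse_avc, summarize and as_te_rules are names I chose.

```python
"""Added example, not from the thread: reduce raw audit.log AVC records to the
(source type, target type, class) -> permissions tuples that audit2allow would
turn into allow rules, so a bug report can carry a compact summary of the
denials instead of every sealert."""
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the thread, plus one SYSCALL
# record that a parser must skip rather than mis-read.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1475114921.376:90787): avc:  denied  { read } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891 pid=8272 comm=krb5_child exe=/usr/libexec/sssd/krb5_child
type=AVC msg=audit(1475114921.376:90789): avc:  denied  { view } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
"""

# "avc:  denied  { read write } for  pid=... comm=..." ; permissions sit in braces
AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values may be double-quoted (comm="krb5_child")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but not actually blocked
        "permissive": fields.get("permissive") == "1",
    }


def selinux_type(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def summarize(log_text):
    """Merge denials into {(source_type, target_type, tclass): frozenset(perms)}."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc["verdict"] != "denied":
            continue
        key = (selinux_type(avc["scontext"]), selinux_type(avc["tcontext"]), avc["tclass"])
        merged[key] |= avc["perms"]
    return {k: frozenset(v) for k, v in merged.items()}


def as_te_rules(summary):
    """Render the summary as policy allow rules (the shape audit2allow emits)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    for rule in as_te_rules(summarize(SAMPLE_AUDIT_LOG)):
        print(rule)
```

For the two records above this yields a single rule, allow sssd_t unconfined_service_t:key { read view };, which is the summary worth attaching to the Bugzilla ticket Sumit points to. Installing that rule as a local module, as the sealert text suggests, would silence the alerts but also widen what sssd_t may do with other domains' kernel keys; the thread's own direction is that this is a policy bug to be fixed in selinux-policy, not worked around on every client.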

Re: [Freeipa-users] Replica created with expired certs

2016-09-29 Thread Natxo Asenjo
hi Jim,

On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard  wrote:

> Thanks Rob, that worked.
>
> Still on the subject of certs, any idea how to solve this error:
>
> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key
> database is in an old, unsupported format.
>
> I see that in the gui when querying hosts as well as from cli when I
> ipa-show or ipa-find
>

I have had this too, and we did not find a solution (search my recent posts
on the archives). As a workaround I have created replicas and
decommissioned the older replicas.

--
Groeten,
natxo