[Freeipa-users] SPAM, please ban this user

2016-11-27 Thread Denis Müller
kimirachel1...@tmtis.com

spamming all the time.
Please help.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] URL is changing on the browser

2016-11-27 Thread Deepak Dimri
Adding Jan into the email thread. Hopefully Jan can help too.


Best Regards,

Deepak



From: Deepak Dimri 
Sent: Sunday, November 27, 2016 8:08 PM
To: Chris Dagdigian
Subject: Re: [Freeipa-users] URL is changing on the browser


Hello Chris,


Were you able to get around AWS ELB integration with IPA Server?  I am stuck 
with this - when I hit my ELB URL I am getting redirected to the internal FQDN of 
the IPA server (hosted on a private subnet). I tried tweaking ipa-rewrite.conf 
but in vain.  As an alternative I have installed an Apache reverse proxy on the 
public subnet and am proxying the requests to IPA. But then it does not work 
if I add one more IPA server for load balancing/failover - I think it's failing 
at the "RequestHeader edit Referer" directive.


Just thought of checking with you if you found any solution to this issue.


Many Thanks for your time,

Deepak





> On 15-Nov-2016, at 00:33, Chris Dagdigian  wrote:
>
>
> I'm still interested in this topic as our IPA servers are on private AWS 
> subnets and it would be really nice to have an internal AWS ALB or ELB be the 
> user-facing interface so we can route traffic between IPA systems and only 
> "advertise" a single hostname for access. Plus it would be great to put the 
> load balancer name into the various sssd.conf and krb5.conf client files 
> since our internal DNS-based service discovery has some brittleness that is 
> outside my control to fix.
>
> I played with this for a short time and hit the "IPA redirects to its 
> internal FQDN" problem as well. Now that this appears to be a somewhat simple 
> tweak to the httpd.conf type files I may start playing around with putting 
> private IPA systems behind a private AWS load balancer.
>
> Chris
>
>
>
> Deepak Dimri wrote:
>> we discussed the options internally and finally decided to host ipa within 
>> the private subnets - our security team wasn't too comfortable exposing ipa 
>> servers on the public network.
>

Re: [Freeipa-users] Add 4.4 replica to 4.3 server fails

2016-11-27 Thread Jochen Hein
Jochen Hein  writes:

> 2016-11-27T21:07:26Z DEBUG The ipa-replica-install command failed, exception: 
> HTTPError: 406 Client Error: Failed to validate message: No recipient matched 
> the provided key["Failed: [ValueError('Multibackend cannot be initialized 
> with no backends. If you are seeing this error when trying to use 
> default_backend() please try uninstalling and reinstalling cryptography.',)]"]
> 2016-11-27T21:07:26Z ERROR 406 Client Error: Failed to validate message: No 
> recipient matched the provided key["Failed: [ValueError('Multibackend cannot 
> be initialized with no backends. If you are seeing this error when trying to 
> use default_backend() please try uninstalling and reinstalling 
> cryptography.',)]"]
> 2016-11-27T21:07:26Z ERROR The ipa-replica-install command failed. See 
> /var/log/ipareplica-install.log for more information
>
> Any idea what's wrong?

Around that time the pki on the old master has this:

0.Thread-17 - [27/Nov/2016:22:06:47 MEZ] [8] [3] Publishing: Could not
publish certificate serial number 0x1a. Error Failed to publish using
rule: No rules enabled

Debug has:
[27/Nov/2016:22:06:47][Thread-17]: RunListeners:: Queue: 1 noSingleRequest
[27/Nov/2016:22:06:47][Thread-17]: getRequest  mRequests=1 
mSearchForRequests=false
[27/Nov/2016:22:06:47][Thread-17]: getRequest  getting request: 29
[27/Nov/2016:22:06:47][Thread-17]: In LdapBoundConnFactory::getConn()
[27/Nov/2016:22:06:47][Thread-17]: masterConn is connected: true
[27/Nov/2016:22:06:47][Thread-17]: getConn: conn is connected true
[27/Nov/2016:22:06:47][Thread-17]: getConn: mNumConns now 4
[27/Nov/2016:22:06:47][Thread-17]: returnConn: mNumConns now 5
[27/Nov/2016:22:06:47][Thread-17]: getRequest  request 29 found
[27/Nov/2016:22:06:47][Thread-17]: getRequest  mRequests=0 
mSearchForRequests=false done
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = 
com.netscape.cms.listeners.CertificateIssuedListener
[27/Nov/2016:22:06:47][Thread-17]: CertificateIssuedListener: accept 29
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = 
com.netscape.ca.CRLIssuingPoint$RevocationRequestListener
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = 
com.netscape.cmscore.ldap.LdapRequestListener
[27/Nov/2016:22:06:47][Thread-17]: LdapRequestListener handling publishing for 
enrollment request id 29
[27/Nov/2016:22:06:47][Thread-17]: Checking publishing for request 29
[27/Nov/2016:22:06:47][Thread-17]: In  PublisherProcessor::publishCert
[27/Nov/2016:22:06:47][Thread-17]: Publishing: can't find publishing 
rule,exiting routine.
[27/Nov/2016:22:06:47][Thread-17]: PublishProcessor::publishCert : Failed to 
publish using rule: No rules enabled
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = 
com.netscape.cms.listeners.CertificateRevokedListener
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: mRequest = 29
[27/Nov/2016:22:06:47][Thread-17]: updatePublishingStatus 
mSavePublishingCounter: 3 mSavePublishingStatus: 200
[27/Nov/2016:22:06:47][Thread-17]: RunListeners:  noQueue  SingleRequest
[27/Nov/2016:22:06:47][Thread-17]: RequestRepository: setPublishingStatus  
mBaseDN: ou=ca,ou=requests,o=ipaca  status: -1
[27/Nov/2016:22:06:47][Thread-17]: In LdapBoundConnFactory::getConn()
[27/Nov/2016:22:06:47][Thread-17]: masterConn is connected: true
[27/Nov/2016:22:06:47][Thread-17]: getConn: conn is connected true
[27/Nov/2016:22:06:47][Thread-17]: getConn: mNumConns now 4
[27/Nov/2016:22:06:47][Thread-17]: returnConn: mNumConns now 5
[27/Nov/2016:22:06:47][Thread-17]: Number of publishing threads: 0

Maybe something in dogtag is missing?

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.



Re: [Freeipa-users] mount lookup failure getautomntent_r

2016-11-27 Thread William Muriithi
Jakub,

Thanks for the response.
On 27 November 2016 at 15:43, Jakub Hrozek  wrote:
>
>>
>> I have noticed an error that pop up as the final line after running

>> lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
>>
>>  failed to read map
>>
>> Have anyone found a way to clean up that error?
>>
>
> No idea without more context, sorry. Does auto mounter actually work for you 
> or are some maps missing?
>
The mounts work fine, actually. I only noticed the error because I have
a script that consumes the standard output of the "automount -m"
command.  I thought that instead of filtering away the error, it would be
more prudent to fix the root issue.

> The message can really be harmless, because the client (=automounter) 
> iterates over the maps returned by the server (=sssd in this context) until 
> the server returns ENOENT. I agree though the message is confusing and we’ll 
> be (most probably) looking at some autofs enhancements in the next sssd 
> version.
>
Now that I have shared some context, is there any way I can track down
what might be causing it? Or better, what are some of the candidate
mistakes that can trigger it?

Regards,

William


[Freeipa-users] Add 4.4 replica to 4.3 server fails

2016-11-27 Thread Jochen Hein

I'm running a single IPA master 4.3 on an up-to-date Fedora 24. That
server has been updated from earlier Fedoras and runs DNS and CA.
I've updated domainlevel to 1 manually.

Installed packages in IPA master:
[root@freeipa ~]# rpm -qa | grep freeipa
freeipa-admintools-4.3.2-2.fc24.noarch
freeipa-server-common-4.3.2-2.fc24.noarch
freeipa-server-4.3.2-2.fc24.x86_64
freeipa-client-common-4.3.2-2.fc24.noarch
freeipa-server-trust-ad-4.3.2-2.fc24.x86_64
freeipa-client-4.3.2-2.fc24.x86_64
freeipa-common-4.3.2-2.fc24.noarch
freeipa-python-compat-4.3.2-2.fc24.noarch

Now I'd like to switch to a CentOS install, so I installed CentOS 7.2
on a new VM and updated to the CR repo, so I'll get IPA 4.4.

Installed packages in new VM:
[root@freeipa1 ~]# rpm -qa | grep ipa
python2-ipaserver-4.4.0-12.el7.centos.noarch
python2-ipalib-4.4.0-12.el7.centos.noarch
ipa-server-4.4.0-12.el7.centos.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-server-dns-4.4.0-12.el7.centos.noarch
ipa-client-common-4.4.0-12.el7.centos.noarch
libipa_hbac-1.14.0-43.el7.x86_64
ipa-common-4.4.0-12.el7.centos.noarch
ipa-admintools-4.4.0-12.el7.centos.noarch
sssd-ipa-1.14.0-43.el7.x86_64
ipa-client-4.4.0-12.el7.centos.x86_64
ipa-python-compat-4.4.0-12.el7.centos.noarch
python-libipa_hbac-1.14.0-43.el7.x86_64
python2-ipaclient-4.4.0-12.el7.centos.noarch
python-ipaddress-1.0.16-2.el7.noarch
ipa-server-common-4.4.0-12.el7.centos.noarch

When installing a replica with "ipa-replica-install --setup-ca" I get:

[root@freeipa1 ~]# ipa-replica-install --setup-ca
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
  Done configuring NTP daemon (ntpd).
  Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: updating configuration in dse.ldif
  [4/44]: restarting directory server
  [5/44]: adding default schema
  [6/44]: enabling memberof plugin
  [7/44]: enabling winsync plugin
  [8/44]: configuring replication version plugin
  [9/44]: enabling IPA enrollment plugin
  [10/44]: enabling ldapi
  [11/44]: configuring uniqueness plugin
  [12/44]: configuring uuid plugin
  [13/44]: configuring modrdn plugin
  [14/44]: configuring DNS plugin
  [15/44]: enabling entryUSN plugin
  [16/44]: configuring lockout plugin
  [17/44]: configuring topology plugin
  [18/44]: creating indices
  [19/44]: enabling referential integrity plugin
  [20/44]: configuring certmap.conf
  [21/44]: configure autobind for root
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: creating DS keytab
  [27/44]: retrieving DS Certificate
  [28/44]: restarting directory server
  [29/44]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 8 seconds elapsed
Update succeeded

  [30/44]: adding sasl mappings to the directory
  [31/44]: updating schema
  [32/44]: setting Auto Member configuration
  [33/44]: enabling S4U2Proxy delegation
  [34/44]: importing CA certificates from LDAP
  [35/44]: initializing group membership
  [36/44]: adding master entry
  [37/44]: initializing domain level
  [38/44]: configuring Posix uid/gid generation
  [39/44]: adding replication acis
  [40/44]: enabling compatibility plugin
  [41/44]: activating sidgen plugin
  [42/44]: activating extdom plugin
  [43/44]: tuning directory server
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Generating ipa-custodia keys
  [3/5]: Importing RA Key
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: 
Certificate has no `subjectAltName`, falling back to check for a `commonName` 
for now. This feature is being removed by major browsers and deprecated by RFC 
2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SecurityWarning
[error] HTTPError: 406 Client Error: Failed to validate message: No recipient 
matched the provided key["Failed: [ValueError('Multibackend cannot be 
initialized with no backends. If you are seeing this error when trying to use 
default_backend() please try uninstalling and reinstalling cryptography.',)]"]
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR406 Client Error: 
Failed to validate message: No recipient matched the provided key["Failed: 
[ValueError('Multibackend cannot be initialized with no backends. If you are 
seeing this error when trying to use default_backend() please try uninstalling 
and reinstalling cryptography.',)]"]
ipa.ipapython.install.cli.install_tool(Replica): ERRORThe 

Re: [Freeipa-users] mount lookup failure getautomntent_r

2016-11-27 Thread Jakub Hrozek

> On 27 Nov 2016, at 18:31, William Muriithi  wrote:
> 
> Hello,
> 
> I have noticed an error that pops up as the final line after running
> this command "automount -m". I suspect it's related to selinux, but haven't
> seen how to fix it from the google search this morning.
> 
> I have autofs maps on IPA and am using SSSD to read the maps.
> 
> 
> Mount point: /-
> 
> 
> source(s):
> 
> lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
> 
>  failed to read map
> 
> Has anyone found a way to clean up that error?
> 

No idea without more context, sorry. Does auto mounter actually work for you or 
are some maps missing?

The message can really be harmless, because the client (=automounter) iterates 
over the maps returned by the server (=sssd in this context) until the server 
returns ENOENT. I agree though the message is confusing and we’ll be (most 
probably) looking at some autofs enhancements in the next sssd version.

> Regards,
> William
> 


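The reply above explains that the trailing `getautomntent_r: No such file or directory` line is the automounter reaching the end of the map enumeration served by sssd (ENOENT), not necessarily a broken map. Since the original poster consumes `automount -m` output from a script, here is an added example (not code from the autofs, sssd or FreeIPA projects) that parses that output and separates the end-of-enumeration ENOENT from lookup errors with another errno text. The sample dump is constructed and only imitates the lines quoted in the thread (`Mount point:`, `source(s):`, `map:`, the `lookup_read_map` line and `failed to read map`); the verdict labels and the "ENOENT means expected end" rule are this example's own heuristic, taken from the reply above, not autofs logic.

```python
"""Parse and classify `automount -m` output (added example, not project code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample dump, shaped after the lines quoted in the thread.
# /home lists a map and an entry, /- ends with the ENOENT terminator the reply
# describes, and /srv (invented) shows a genuinely different lookup error.
SAMPLE_DUMP = """\
autofs dump map information
===========================

Mount point: /home

source(s):

  instance type(s): sss
  map: auto.home

  *  | -fstype=nfs4 fileserver.example.test:/export/home/&

Mount point: /-

source(s):

lookup_read_map: lookup(sss): getautomntent_r: No such file or directory

  failed to read map

Mount point: /srv

source(s):

lookup_read_map: lookup(sss): getautomntent_r: Permission denied

  failed to read map
"""

ENOENT_TEXT = "No such file or directory"   # strerror(ENOENT) on glibc systems
LOOKUP_RE = re.compile(r"lookup_read_map: lookup\((\w+)\): getautomntent_r: (.+)")


@dataclass
class MountPoint:
    path: str
    maps: List[str] = field(default_factory=list)
    entries: int = 0                     # lines of the form "key | options location"
    lookup_error: Optional[str] = None   # errno text from the getautomntent_r line
    read_failed: bool = False            # saw "failed to read map"


def parse_automount_dump(text: str) -> List[MountPoint]:
    """Group the dump into mount points; tolerate lines we do not recognise."""
    points: List[MountPoint] = []
    current: Optional[MountPoint] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Mount point:"):
            current = MountPoint(path=line.split(":", 1)[1].strip())
            points.append(current)
        elif current is None:
            continue                      # header text before the first mount point
        elif line.startswith("map:"):
            current.maps.append(line.split(":", 1)[1].strip())
        elif " | " in line:
            current.entries += 1
        elif line == "failed to read map":
            current.read_failed = True
        else:
            m = LOOKUP_RE.match(line)
            if m:
                current.lookup_error = m.group(2)
    return points


def verdict(point: MountPoint) -> str:
    """Heuristic from the reply: ENOENT closes the enumeration, anything else is an error."""
    if point.lookup_error is None:
        return "ok"
    if point.lookup_error == ENOENT_TEXT:
        return "expected-end-of-enumeration"
    return "lookup-error: " + point.lookup_error


def summarize(text: str) -> List[Tuple[str, str, int]]:
    """(mount point, verdict, number of entries listed) for each mount point."""
    return [(p.path, verdict(p), p.entries) for p in parse_automount_dump(text)]


def real_failures(text: str) -> List[str]:
    """Mount points a monitoring script should actually alert on."""
    return [p.path for p in parse_automount_dump(text)
            if p.lookup_error is not None and p.lookup_error != ENOENT_TEXT]


if __name__ == "__main__":
    for path, result, count in summarize(SAMPLE_DUMP):
        print("%-8s %-30s entries=%d" % (path, result, count))
    print("alert on:", real_failures(SAMPLE_DUMP))
```

A script feeding real `automount -m` output into `real_failures()` keeps the ENOENT line out of its alerts while still surfacing a lookup that fails with a different errno, which is the distinction the reply draws.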

[Freeipa-users] mount lookup failure getautomntent_r

2016-11-27 Thread William Muriithi
Hello,

I have noticed an error that pops up as the final line after running
this command "automount -m". I suspect it's related to selinux, but haven't
seen how to fix it from the google search this morning.

I have autofs maps on IPA and am using SSSD to read the maps.


Mount point: /-


source(s):

lookup_read_map: lookup(sss): getautomntent_r: No such file or directory

  failed to read map

Has anyone found a way to clean up that error?

Regards,
William



[Freeipa-users] IPA rewrite conf with AWS ELB

2016-11-27 Thread Deepak Dimri
Hi All,

I am posting my issue here with the hope that I get a response.

I have AWS ELB configured to connect to FreeIPA servers on Ubuntu.  My FreeIPA 
servers are in private subnets. I am able to access my test index.html page 
deployed on the FreeIPA server by hitting https:///index.html. However, 
when I try the IPA UI at https:///ipa/ui I am getting redirected to my 
internal IPA address, which then results in a "site cannot be reached" error.  I 
am wondering if I have an option of tweaking my 
/etc/httpd/conf.d/ipa-rewrite.conf file so that I can access the IPA UI using 
the external ELB URL? I see ipa-rewrite.conf is hardcoded with my internal IPA 
server URLs.

Would appreciate it if someone can give some pointers.

Thanks,
Deepak

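The symptom in this thread (and in the earlier ELB thread on this page) is a redirect from the load-balancer name to the IPA server's internal FQDN, which the poster attributes to the hostname hard-coded in ipa-rewrite.conf. Here is an added example, not FreeIPA project code, that makes that symptom checkable from outside: it parses a raw HTTP response head, and reports whether a redirect points back at the name the client used or at some other host. The response texts below are constructed, the hostnames `ipa-elb.example.test` and `ipa1.internal.example.test` are placeholders, and `fetch_head()` is a live helper (stdlib `http.client`, one request, redirects not followed) that the offline part does not call.

```python
"""Detect a redirect that leaks a backend hostname (added example, not project code)."""
from http.client import HTTPSConnection      # used only by fetch_head()
from urllib.parse import urlsplit

FRONT_HOST = "ipa-elb.example.test"             # placeholder: public name clients use
INTERNAL_HOST = "ipa1.internal.example.test"    # placeholder: backend FQDN on the private subnet

# Constructed responses shaped after the behaviour described in the thread:
# a plain page is served as-is, /ipa/ui is redirected to the internal FQDN.
RESPONSE_INDEX = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
RESPONSE_UI = ("HTTP/1.1 301 Moved Permanently\r\n"
               "Location: https://" + INTERNAL_HOST + "/ipa/ui\r\n\r\n")
# What a correctly fronted setup would look like: redirect stays on the front name.
RESPONSE_UI_SAME_HOST = ("HTTP/1.1 301 Moved Permanently\r\n"
                         "Location: https://" + FRONT_HOST + "/ipa/ui\r\n\r\n")

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def parse_response_head(raw: str):
    """Return (status code, {lowercased header name: value}) from a raw HTTP/1.x head."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for h in header_lines:
        if ":" in h:
            name, value = h.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_redirect(front_host: str, raw_response: str) -> str:
    """'no-redirect', 'redirect-same-host', or 'redirect-leaks-host:<fqdn>'."""
    status, headers = parse_response_head(raw_response)
    if status not in REDIRECT_STATUSES:
        return "no-redirect"
    target_host = urlsplit(headers.get("location", "")).hostname
    # A relative Location (no host) or the front name itself is fine; anything
    # else sends the browser to a name the user may not be able to resolve.
    if target_host is None or target_host.lower() == front_host.lower():
        return "redirect-same-host"
    return "redirect-leaks-host:" + target_host


def fetch_head(front_host: str, path: str) -> str:
    """Live probe: one HTTPS request to the front name, rebuilt as a raw head string."""
    conn = HTTPSConnection(front_host, timeout=10)
    conn.request("GET", path, headers={"Host": front_host})
    resp = conn.getresponse()
    raw = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    raw += "".join("%s: %s\r\n" % kv for kv in resp.getheaders()) + "\r\n"
    conn.close()
    return raw


if __name__ == "__main__":
    for label, raw in (("/index.html", RESPONSE_INDEX), ("/ipa/ui", RESPONSE_UI),
                       ("/ipa/ui (fixed)", RESPONSE_UI_SAME_HOST)):
        print("%-18s %s" % (label, classify_redirect(FRONT_HOST, raw)))
    # Live use, once DNS and the ELB exist:
    # print(classify_redirect(FRONT_HOST, fetch_head(FRONT_HOST, "/ipa/ui")))
```

The check deliberately sends the front name in the `Host` header, because that header is what the backend's rewrite rules compare against; a result of `redirect-leaks-host:` confirms the backend still answers with its own FQDN, whereas `redirect-same-host` after a configuration change shows the front name is being preserved through the redirect.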