[Freeipa-users] How to enable anonymous pkinit on FreeIPA 4.3.1 on Ubuntu ?

2016-11-28 Thread Diogenes S. Jesus
I've got one freeipa instance for testing purposes and I'm trying to
enable anonymous pkinit support on it[1], as Simon mentioned being
possible :) [2]

For debug purposes, I have done:

/etc/kdc.conf
---
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 restrict_anonymous_to_tgt = true

[realms]
 REALM.EU = {
  master_key_type = aes256-cts
  max_life = 7d
  max_renewable_life = 14d
  acl_file = /etc/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  default_principal_flags = +preauth
  admin_keytab = /etc/krb5kdc/kadm5.keytab
   pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
   pkinit_eku_checking = none
 }

The user krb5.conf file:
[realms]
REALM.EU = {
master_kdc = kdc.realm.eu
admin_server = kdc.realm.eu
pkinit_anchors = /usr/local/share/ca-certificates/root-ca.crt
}


Openssl is able to verify the certificate:
root@ipa01:~# openssl verify -verbose -CAfile
/usr/local/share/ca-certificates/root-ca.crt /var/lib/krb5kdc/kdc.pem
/var/lib/krb5kdc/kdc.pem: OK

The KDC certificate was created based on MIT Kerberos guidelines[3].

The anonymous user (created manually first with "-randkey") results
in the following user-side messages:
root@ubuntu:~# KRB5_TRACE=/dev/stdout kinit -n
[11573] 1480374327.337803: Getting initial credentials for
WELLKNOWN/anonym...@realm.eu
[11573] 1480374327.340203: Sending request (178 bytes) to REALM.EU
[11573] 1480374327.443449: Retrying AS request with master KDC
[11573] 1480374327.443939: Getting initial credentials for
WELLKNOWN/anonym...@realm.eu
[11573] 1480374327.444784: Sending request (178 bytes) to REALM.EU (master)
[11573] 1480374327.445357: Resolving hostname kdc.bdc1.hu.sec.in.realm.eu
[11573] 1480374327.471043: Sending initial UDP request to dgram 10.235.2.25:88
[11573] 1480374328.472199: Resolving hostname kdc.bdc1.hu.sec.in.realm.eu
[11573] 1480374328.498175: Sending initial UDP request to dgram 10.235.2.25:750
[11573] 1480374329.500579: Initiating TCP connection to stream 10.235.2.25:88
[11573] 1480374329.527259: Sending TCP request to stream 10.235.2.25:88
[11573] 1480374329.557528: Received answer (459 bytes) from stream
10.235.2.25:88
[11573] 1480374329.558323: Received error from KDC:
-1765328359/Additional pre-authentication required
[11573] 1480374329.558767: Processing preauth types: 16, 15, 14, 136,
19, 147, 2, 133
[11573] 1480374329.558976: Selected etype info: etype aes256-cts, salt
"REALM.EUWELLKNOWNANONYMOUS", params ""
[11573] 1480374329.559480: Received cookie: MIT
[11573] 1480374329.559532: Preauth module pkinit (147) (info)
returned: 0/Success
[11573] 1480374329.559627: PKINIT client has no configured identity; giving up
[11573] 1480374329.559651: Preauth module pkinit (16) (real) returned:
22/Invalid argument
[11573] 1480374329.559669: PKINIT client has no configured identity; giving up
[11573] 1480374329.559680: Preauth module pkinit (14) (real) returned:
22/Invalid argument
[11573] 1480374329.559696: PKINIT client has no configured identity; giving up
[11573] 1480374329.559707: Preauth module pkinit (14) (real) returned:
22/Invalid argument
Password for WELLKNOWN/anonym...@realm.eu:


Then removed the anonymous user keys:
root@ipa01:~# kadmin.local -x ipa-setup-override-restrictions -q
'purgekeys -all WELLKNOWN/ANONYMOUS'

On the client side:

root@ubuntu:~# KRB5_TRACE=/dev/stdout kinit -n
[10593] 1480350802.381306: Getting initial credentials for
WELLKNOWN/anonym...@realm.eu
[10593] 1480350802.384075: Sending request (178 bytes) to REALM.EU
[10593] 1480350802.433623: Retrying AS request with master KDC
[10593] 1480350802.434688: Getting initial credentials for
WELLKNOWN/anonym...@realm.eu
[10593] 1480350802.435476: Sending request (178 bytes) to REALM.EU (master)
[10593] 1480350802.436191: Resolving hostname kdc.domain.eu
[10593] 1480350802.462072: Sending initial UDP request to dgram 10.235.2.25:88
[10593] 1480350803.465087: Resolving hostname kdc.domain.eu
[10593] 1480350803.489656: Sending initial UDP request to dgram 10.235.2.25:750
[10593] 1480350804.491058: Initiating TCP connection to stream 10.235.2.25:88
[10593] 1480350804.515736: Sending TCP request to stream 10.235.2.25:88
[10593] 1480350804.547579: Received answer (269 bytes) from stream
10.235.2.25:88
[10593] 1480350804.547663: Received error from KDC:
-1765328359/Additional pre-authentication required
[10593] 1480350804.547708: Processing preauth types: 16, 15, 14, 136, 147, 133
[10593] 1480350804.547713: Received cookie: MIT
[10593] 1480350804.547744: Preauth module pkinit (147) (info)
returned: 0/Success
[10593] 1480350804.547758: PKINIT client has no configured identity; giving up
[10593] 1480350804.547765: Preauth module pkinit (16) (real) returned:
22/Invalid argument
[10593] 1480350804.547776: PKINIT client has no configured identity; giving up
[10593] 1480350804.547782: Preauth module pkinit (14) (real) returned:
22/Invalid argument
[10593] 1480350804.547793: PKINIT client has no configured identity; giving up
[10593] 
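Both traces above end the same way: the KDC offers PKINIT, but every pkinit "real" attempt returns 22/Invalid argument right after "PKINIT client has no configured identity; giving up", and kinit falls back to a password prompt. The script below is an added example, not code from the original post or from MIT krb5 or FreeIPA: it parses KRB5_TRACE output of the shape shown above and reports which pre-authentication types the KDC offered, what each client preauth module returned, and whether pkinit ever got as far as sending a request. The sample trace is constructed from the lines quoted above (wrapped lines rejoined, a few lines dropped); the pa-type names are the RFC 4556 / RFC 6113 values for those numbers.

```python
import re

# Constructed sample modelled on the KRB5_TRACE output quoted in this thread
# (wrapped lines rejoined, a few lines dropped); not a real capture.
SAMPLE_TRACE = """\
[11573] 1480374329.558323: Received error from KDC: -1765328359/Additional pre-authentication required
[11573] 1480374329.558767: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[11573] 1480374329.559532: Preauth module pkinit (147) (info) returned: 0/Success
[11573] 1480374329.559627: PKINIT client has no configured identity; giving up
[11573] 1480374329.559651: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[11573] 1480374329.559669: PKINIT client has no configured identity; giving up
[11573] 1480374329.559680: Preauth module pkinit (14) (real) returned: 22/Invalid argument
"""

LINE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
KDC_ERR_RE = re.compile(r"^Received error from KDC: (?P<code>-?\d+)/(?P<text>.*)$")
OFFERED_RE = re.compile(r"^Processing preauth types: (?P<types>[\d, ]+)$")
MODULE_RE = re.compile(
    r"^Preauth module (?P<module>\S+) \((?P<patype>\d+)\) \((?P<phase>\w+)\) "
    r"returned: (?P<code>-?\d+)/(?P<text>.*)$")

# pa-type numbers (RFC 4556 / RFC 6113) that appear in the trace above
PA_NAMES = {
    2: "PA-ENC-TIMESTAMP", 14: "PA-PK-AS-REQ-OLD", 15: "PA-PK-AS-REP-OLD",
    16: "PA-PK-AS-REQ", 19: "PA-ETYPE-INFO2", 133: "PA-FX-COOKIE",
    136: "PA-FX-FAST", 147: "PA-PKINIT-KX",
}


def parse_trace(text):
    """Summarise a KRB5_TRACE capture: KDC errors, pa-types offered,
    per-module results, and pkinit's own free-text diagnostics."""
    summary = {"kdc_errors": [], "offered": [], "module_results": [], "notes": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # continuation or unrelated line
        msg = m.group("msg")
        e = KDC_ERR_RE.match(msg)
        if e:
            summary["kdc_errors"].append((int(e.group("code")), e.group("text")))
            continue
        o = OFFERED_RE.match(msg)
        if o:
            summary["offered"] = [int(t) for t in o.group("types").split(",")]
            continue
        r = MODULE_RE.match(msg)
        if r:
            summary["module_results"].append({
                "module": r.group("module"), "patype": int(r.group("patype")),
                "phase": r.group("phase"), "code": int(r.group("code")),
                "text": r.group("text")})
            continue
        if msg.startswith("PKINIT client"):
            summary["notes"].append(msg)
    return summary


def failed_modules(summary):
    """pa-types whose 'real' (credential-producing) attempt returned non-zero."""
    return sorted({r["patype"] for r in summary["module_results"]
                   if r["phase"] == "real" and r["code"] != 0})


def explain(summary):
    """Findings stated only from what the trace itself shows."""
    findings = []
    offered_pkinit = [t for t in summary["offered"] if t in (14, 16)]
    if offered_pkinit:
        findings.append("KDC offered PKINIT (pa-types %s)." % offered_pkinit)
    if any("no configured identity" in n for n in summary["notes"]):
        findings.append("pkinit gave up locally: no client identity configured, "
                        "so no PKINIT request was sent and the KDC certificate "
                        "was never exercised.")
    for t in failed_modules(summary):
        r = next(x for x in summary["module_results"]
                 if x["patype"] == t and x["phase"] == "real" and x["code"] != 0)
        findings.append("%s (%d) failed: %d/%s." % (
            PA_NAMES.get(t, "unknown"), t, r["code"], r["text"]))
    return findings


if __name__ == "__main__":
    for finding in explain(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

To use it on a real run, save the output of KRB5_TRACE=/tmp/trace kinit -n to a file and pass its contents to parse_trace. The point of the summary is to separate the two halves of the problem: whether the KDC side (certificate, pkinit_eku_checking, anchors) was reached at all, and what the client module returned before it gave up.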

[Freeipa-users] DNS search timeouts and incomplete results

2016-11-28 Thread Mike Driscoll
I'm running:
# rpm -qa | grep ipa-server
ipa-server-4.4.0-12.0.1.el7.x86_64
ipa-server-dns-4.4.0-12.0.1.el7.noarch
ipa-server-common-4.4.0-12.0.1.el7.noarch

Searching DNS for all hostnames containing "qa" times out in the GUI.  Setting 
aside the option to change server defaults, this cli command isn't giving me 
the content I need:

# ipa dnsrecord-find mydomain.com --sizelimit=1 --timelimit=20 | grep qa
ipa: WARNING: Search result has been truncated: Configured size limit exceeded

It seems like a sizelimit parameter greater than two thousand is being
ignored:

# ipa dnsrecord-find mydomain.com --sizelimit=1900 --timelimit=20
...
---
Number of entries returned 1900
---

# ipa dnsrecord-find mydomain.com --sizelimit=2100 --timelimit=20
...
---
Number of entries returned 2000
---

Any suggestions?

Mike

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Host with Multiple hostnames

2016-11-28 Thread Michael Plemmons
The error is telling you that a DNS entry already exists for the hostname
you want the CNAME on.  A DNS record can only have one record type.  Meaning
if you have 1.2.3.4 pointing to test.example.com you cannot have
test.example.com also be a CNAME for foo.example.com.



*Mike Plemmons | Senior DevOps Engineer*
614-741-5475
mike.plemm...@crosschx.com
www.crosschx.com

On Mon, Nov 28, 2016 at 1:02 PM, Mike Jacobacci  wrote:

> Hello,
>
> I am sorry for the simple question, but I am using FreeIPA as our DNS
> server and I am trying to figure out how to map a second hostname to a
> host... I am unsure how the best way to go do it. I am just trying to
> give a server a user friendly name for access and I don't want to change
> the system hostname.
>
> I thought I could just add a CNAME entry for the host record, but it fails
> with the following error:
>
> invalid 'cnamerecord': CNAME record is not allowed to coexist with any
> other record (RFC 1034, section 3.6.2)
>
> Is there an easy way I can do this?
>
> Cheers,
> Mike
>
>
>
>

Re: [Freeipa-users] Clonning VM

2016-11-28 Thread Esdras La-Roque
This will help me.

Thanks Simo.

2016-11-28 18:17 GMT-03:00 Simo Sorce :

> On Mon, 2016-11-28 at 13:10 -0300, Esdras La-Roque wrote:
> > Hi Guys,
> >
> > What's the safe method to clone a virtual machine that is in IPA ?
> >
> > I tried to do this already, but I had many troubles related to IPA to fix.
>
> Unjoin the client before you clone (ipa-client-install --uninstall) and
> then re-join after.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>


-- 
*Esdras La-Roque*
Systems Analyst and Developer
Master's student in Computer Science

LPI-1 | Linux Professional Institute - Level 1
MCITP | Microsoft Virtualization Administrator
NCLA | Novell Certified Linux Administrator
DCTS | Data Center Technical Specialist

Re: [Freeipa-users] Fedora 25 install error PR_ADDRESS_NOT_SUPPORTED_ERROR Network address type not supported

2016-11-28 Thread Rob Crittenden
Robert Kudyba wrote:
> OK that’s because I got this error:
> 
> 
> Apache is already configured with a listener on port 443:
> *:443  ourdomain (/etc/httpd/conf.d/ssl.conf:56)
> 
> 
> What’s the best practice here? Comment out line 56?

Only one SSL provider can own a given port. mod_nss and mod_ssl can
co-exist ok but one may own port 443. Your best bet is to remove the
mod_ssl package.

rob

> 
>> On Nov 28, 2016, at 3:43 PM, Rob Crittenden wrote:
>>
>> Robert Kudyba wrote:
>>> This is a new installation attempt. Apache was running but I commented
>>> out #IncludeOptional conf.d/*.conf in the httpd.conf file. We also have
>>> DNS running outside this server. Any reasons for this? Known work
>>> around? This is what the end of the install script shows:
>>
>> You disabled the IPA web framework by commenting out the includes.
>>
>> rob
>>
>>>
>>> trying
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__ourdomain_ipa_json=DgICAw=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY=JYfpTfJLQ2tucNaB1dYOh7KiTqCXl2oUTVcz8N5M9QI=oirPn2kEpdqJ2f4kKjWNdTFZpUZ79rd2e1BDI5BvK8g=
>>>
>>> Forwarding 'schema' to json server
>>> 'https://urldefense.proofpoint.com/v2/url?u=https-3A__ourdomain_ipa_json=DgICAw=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY=JYfpTfJLQ2tucNaB1dYOh7KiTqCXl2oUTVcz8N5M9QI=oirPn2kEpdqJ2f4kKjWNdTFZpUZ79rd2e1BDI5BvK8g=
>>> '
>>> Traceback (most recent call last):
>>>  File "/usr/sbin/ipa-client-install", line 3138, in 
>>>sys.exit(main())
>>>  File "/usr/sbin/ipa-client-install", line 3119, in main
>>>rval = install(options, env, fstore, statestore)
>>>  File "/usr/sbin/ipa-client-install", line 2828, in install
>>>api.finalize()
>>>  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707,
>>> in finalize
>>>self.__do_if_not_done('load_plugins')
>>>  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422,
>>> in __do_if_not_done
>>>getattr(self, name)()
>>>  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585,
>>> in load_plugins
>>>for package in self.packages:
>>>  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919,
>>> in packages
>>>ipaclient.remote_plugins.get_package(self),
>>>  File
>>> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py",
>>> line 118, in get_package
>>>plugins = schema.get_package(server_info, client)
>>>  File
>>> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
>>> line 543, in get_package
>>>schema = Schema(client)
>>>  File
>>> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
>>> line 387, in __init__
>>>fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
>>>  File
>>> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
>>> line 426, in _fetch
>>>schema = client.forward(u'schema', **kwargs)['result']
>>>  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1000, in
>>> forward
>>>raise NetworkError(uri=server, error=str(e))
>>> ipalib.errors.NetworkError: cannot connect to
>>> 'https://urldefense.proofpoint.com/v2/url?u=https-3A__ourdomain_ipa_json-27-3A=DgICAw=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY=JYfpTfJLQ2tucNaB1dYOh7KiTqCXl2oUTVcz8N5M9QI=9Yr-BQxeooBAJqbH13XubUi-EjMipmNnHgO6zFhYBiU=
>>>  Could not connect to ourdomain using any
>>> address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not
>>> supported.
>>> ipa.ipapython.install.cli.install_tool(Server): ERROR    Configuration
>>> of client side components failed!
>>> ipa.ipapython.install.cli.install_tool(Server): ERROR    The
>>> ipa-server-install command failed.
>>>
>>>
>>
> 


Re: [Freeipa-users] Clonning VM

2016-11-28 Thread Simo Sorce
On Mon, 2016-11-28 at 13:10 -0300, Esdras La-Roque wrote:
> Hi Guys,
> 
> What's the safe method to clone a virtual machine that is in IPA ?
> 
> I tried to do this already, but I had many troubles related to IPA to fix.

Unjoin the client before you clone (ipa-client-install --uninstall) and
then re-join after.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Fedora 25 install error PR_ADDRESS_NOT_SUPPORTED_ERROR Network address type not supported

2016-11-28 Thread Robert Kudyba
OK that’s because I got this error:


Apache is already configured with a listener on port 443:
*:443  ourdomain (/etc/httpd/conf.d/ssl.conf:56)


What’s the best practice here? Comment out line 56?

> On Nov 28, 2016, at 3:43 PM, Rob Crittenden  wrote:
> 
> Robert Kudyba wrote:
>> This is a new installation attempt. Apache was running but I commented
>> out #IncludeOptional conf.d/*.conf in the httpd.conf file. We also have
>> DNS running outside this server. Any reasons for this? Known work
>> around? This is what the end of the install script shows:
> 
> You disabled the IPA web framework by commenting out the includes.
> 
> rob
> 
>> 
>> trying 
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__ourdomain_ipa_json=DgICAw=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY=JYfpTfJLQ2tucNaB1dYOh7KiTqCXl2oUTVcz8N5M9QI=oirPn2kEpdqJ2f4kKjWNdTFZpUZ79rd2e1BDI5BvK8g=
>>  
>> Forwarding 'schema' to json server 
>> 'https://urldefense.proofpoint.com/v2/url?u=https-3A__ourdomain_ipa_json=DgICAw=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY=JYfpTfJLQ2tucNaB1dYOh7KiTqCXl2oUTVcz8N5M9QI=oirPn2kEpdqJ2f4kKjWNdTFZpUZ79rd2e1BDI5BvK8g=
>>  '
>> Traceback (most recent call last):
>>  File "/usr/sbin/ipa-client-install", line 3138, in 
>>sys.exit(main())
>>  File "/usr/sbin/ipa-client-install", line 3119, in main
>>rval = install(options, env, fstore, statestore)
>>  File "/usr/sbin/ipa-client-install", line 2828, in install
>>api.finalize()
>>  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707,
>> in finalize
>>self.__do_if_not_done('load_plugins')
>>  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422,
>> in __do_if_not_done
>>getattr(self, name)()
>>  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585,
>> in load_plugins
>>for package in self.packages:
>>  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919,
>> in packages
>>ipaclient.remote_plugins.get_package(self),
>>  File
>> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py",
>> line 118, in get_package
>>plugins = schema.get_package(server_info, client)
>>  File
>> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
>> line 543, in get_package
>>schema = Schema(client)
>>  File
>> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
>> line 387, in __init__
>>fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
>>  File
>> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
>> line 426, in _fetch
>>schema = client.forward(u'schema', **kwargs)['result']
>>  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1000, in
>> forward
>>raise NetworkError(uri=server, error=str(e))
>> ipalib.errors.NetworkError: cannot connect to
>> 'https://urldefense.proofpoint.com/v2/url?u=https-3A__ourdomain_ipa_json-27-3A=DgICAw=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY=JYfpTfJLQ2tucNaB1dYOh7KiTqCXl2oUTVcz8N5M9QI=9Yr-BQxeooBAJqbH13XubUi-EjMipmNnHgO6zFhYBiU=
>>   Could not connect to ourdomain using any
>> address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not
>> supported.
>> ipa.ipapython.install.cli.install_tool(Server): ERROR    Configuration
>> of client side components failed!
>> ipa.ipapython.install.cli.install_tool(Server): ERROR    The
>> ipa-server-install command failed.
>> 
>> 
> 


Re: [Freeipa-users] Fedora 25 install error PR_ADDRESS_NOT_SUPPORTED_ERROR Network address type not supported

2016-11-28 Thread Rob Crittenden
Robert Kudyba wrote:
> This is a new installation attempt. Apache was running but I commented
> out #IncludeOptional conf.d/*.conf in the httpd.conf file. We also have
> DNS running outside this server. Any reasons for this? Known work
> around? This is what the end of the install script shows:

You disabled the IPA web framework by commenting out the includes.

rob

> 
> trying https://ourdomain/ipa/json
> Forwarding 'schema' to json server 'https://ourdomain/ipa/json'
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 3138, in 
> sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 3119, in main
> rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 2828, in install
> api.finalize()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707,
> in finalize
> self.__do_if_not_done('load_plugins')
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422,
> in __do_if_not_done
> getattr(self, name)()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585,
> in load_plugins
> for package in self.packages:
>   File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919,
> in packages
> ipaclient.remote_plugins.get_package(self),
>   File
> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py",
> line 118, in get_package
> plugins = schema.get_package(server_info, client)
>   File
> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
> line 543, in get_package
> schema = Schema(client)
>   File
> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
> line 387, in __init__
> fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
>   File
> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
> line 426, in _fetch
> schema = client.forward(u'schema', **kwargs)['result']
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1000, in
> forward
> raise NetworkError(uri=server, error=str(e))
> ipalib.errors.NetworkError: cannot connect to
> 'https://ourdomain/ipa/json': Could not connect to ourdomain using any
> address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not
> supported.
> ipa.ipapython.install.cli.install_tool(Server): ERROR    Configuration
> of client side components failed!
> ipa.ipapython.install.cli.install_tool(Server): ERROR    The
> ipa-server-install command failed.
> 
> 



[Freeipa-users] Fedora 25 install error PR_ADDRESS_NOT_SUPPORTED_ERROR Network address type not supported

2016-11-28 Thread Robert Kudyba
This is a new installation attempt. Apache was running but I commented out 
#IncludeOptional conf.d/*.conf in the httpd.conf file. We also have DNS running 
outside this server. Any reasons for this? Known work around? This is what the 
end of the install script shows:

trying https://ourdomain/ipa/json
Forwarding 'schema' to json server 'https://ourdomain/ipa/json'
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 3138, in 
sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3119, in main
rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2828, in install
api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in 
finalize
self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in 
__do_if_not_done
getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in 
load_plugins
for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in 
packages
ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", 
line 118, in get_package
plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
line 543, in get_package
schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
line 387, in __init__
fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
line 426, in _fetch
schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1000, in forward
raise NetworkError(uri=server, error=str(e))
ipalib.errors.NetworkError: cannot connect to 'https://ourdomain/ipa/json': 
Could not connect to ourdomain using any address: 
(PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.
ipa.ipapython.install.cli.install_tool(Server): ERROR    Configuration of
client side components failed!
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install
command failed.

Re: [Freeipa-users] Configure HPUX 11i V3 as IPA Client

2016-11-28 Thread Rob Crittenden
Rajveer Singh wrote:
> Hi All,
> 
> I am referring
> http://www.freeipa.org/page/ConfiguringUnixClients#Configuring_Client_Authentication_3
> to configure HP UX 11i V3 as IPA client but it has no reference for
> 11iV3 but only 11i V0, 1 & 2.
> 
> I tried to follow the steps mentioned for 11iv0, but I am not getting a
> good understanding of them.
> 
> Do we have any such document/procedure? Any URL will be highly appreciated.

Not that I know of. If you provide the errors you are seeing, or
describe what isn't working, someone might be able to help.

You might try contacting HP directly for assistance.

rob



Re: [Freeipa-users] ACIerrors is httpd log

2016-11-28 Thread Rob Crittenden
Jim Richard wrote:
> Honestly I’m not even sure if something is not working correctly :)
> 
> All I know is that my httpd, access and krb5 logs are filling up all my
> disk space extremely quickly and I have no idea why.
> 
> Centos 6.8 + IPA 3.0
> 
> One master and one replica.
> 
> Are these things related? 
> 
> How do I fix, where do I even start?
> 
> Thanks !
> 
> On the replica the httpd log is constantly getting spammed with:
> 
> [Thu Nov 24 05:55:18 2016] [error] ipa: INFO:
> host/phoenix-153.nym1.placeiq@placeiq.net:
> cert_request(u’actual cert removed….. , add=True): ACIError
> 
> and on the master the access log is filling up quickly with:
> 
> 10.1.41.110 - - [24/Nov/2016:06:09:54 +] "POST
> /ca/agent/ca/displayBySerial HTTP/1.1" 200 10106

Looks like certmonger trying to renew the per-client SSL certificate.
You can confirm by pulling out the CSR and poking at it with openssl req.

On the client you can try running: ipa-getcert list

This may show more details on why the request was rejected.

rob



Re: [Freeipa-users] Clonning VM

2016-11-28 Thread Rob Crittenden
Esdras La-Roque wrote:
> I don't need a clone of the IPA Server.. I need it for a client.

It won't work for either client or server. IPA provides an identity to a
machine based on its hostname. If you clone a machine and give it a new
hostname then things won't line up and simply won't work.

rob

> 
> 2016-11-28 14:52 GMT-03:00 Lukas Slebodnik:
> 
> On (28/11/16 13:10), Esdras La-Roque wrote:
> >Hi Guys,
> >
> >What's the safe method to clone a virtual machine that is in IPA ?
> >
> >I tried to do this already, but I had many troubles related to IPA to fix.
> >
> Why do you need to create clone?
> IMHO, It's much simpler to create replica of IPA (including CA replica).
> 
> LS
> 
> 
> 
> 
> -- 
> *Esdras La-Roque*
> Systems Analyst and Developer
> Master's student in Computer Science
> 
> LPI-1 | Linux Professional Institute - Level 1
> MCITP | Microsoft Virtualization Administrator
> NCLA | Novell Certified Linux Administrator
> DCTS | Data Center Technical Specialist
> 
> 



[Freeipa-users] httpd error logs

2016-11-28 Thread Jim Richard
I’ve got one master and one replica, IPA version is 3.0/CentOS 6.8.

About 1000 hosts.

Problem is, my httpd error logs are filling up super fast. I have no idea what 
these errors mean.

Can someone point me in the right direction please.

Thanks !

On the master:
[28/Nov/2016:19:21:27 +] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 
10108

On the replica: (no CA):
[Mon Nov 28 19:22:39 2016] [error] ipa: INFO: 
host/phoenix-226.nym1.placeiq@placeiq.net: 
cert_request(u’….removed….PLACEIQ.NET', add=True): ACIError



     
Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905


Re: [Freeipa-users] ns-slapd segfault

2016-11-28 Thread Mark Reynolds


On 11/28/2016 10:22 AM, Giulio Casella wrote:
> On 28/11/2016 15:25, Lukas Slebodnik wrote:
>> On (28/11/16 12:39), Giulio Casella wrote:
>>> Hello,
>>>
>>> I have a setup with two ipa server in replica, based on CentOS 7.
>>> On one server (since a couple of days) ipa cannot start, the failing
>>> service
>>> is dirsrv@.service.
>>> In journal I have:
>>>
>>> ns-slapd[4617]: segfault at 7fb53b1ce515 ip 7fb50126e1a6 sp
>>> 7ffc0b80d6c8 error 4 in libc-2.17.so[7fb501124000+1b7000]
>>>
>>> (just after a lot of SSL alerts complaining about some enabled
>>> cypher suite,
>>> but I cannot say if this could be related).
>>>
>>> I'm using ipa 4.2.0, and 389-ds-base 1.3.4.
>>>
>> It would be good to know the exact version.
>> rpm -q 389-ds-base
>
> Installed version is:
>
> 389-ds-base-1.3.4.0-33.el7_2.x86_64
>
>>
>> Please provide backtrace or coredump; other developers will know
>> whether it's a known bug or a new bug.
>
> Ok, you can find the full stacktrace attached.

It's crashing trying to read updates from the replication changelog.

Are you using attribute encryption?
Any chance you have a way to reproduce this?

Since this is happening on only one server then I think recreating the
replication changelog will "fix" the issue.  Just re-initializing that
replica should do it.  Does this server start - so it can be reinited? 
If not, you need to manually remove the changelog and start the
directory server, and reinit it.  Or perform a manual ldif
initialization.  (I can help with either one if needed)

Regards,
Mark
>
> Thanks in advance,
> gc
>
>
>
>


Re: [Freeipa-users] Clonning VM

2016-11-28 Thread Esdras La-Roque
I don't need a clone of the IPA Server.. I need it for a client.

2016-11-28 14:52 GMT-03:00 Lukas Slebodnik :

> On (28/11/16 13:10), Esdras La-Roque wrote:
> >Hi Guys,
> >
> >What's the safe method to clone a virtual machine that is in IPA ?
> >
> >I tried to do this already, but I had many troubles related to IPA to fix.
> >
> Why do you need to create clone?
> IMHO, It's much simpler to create replica of IPA (including CA replica).
>
> LS
>



-- 
*Esdras La-Roque*
Systems Analyst and Developer
Master's student in Computer Science

LPI-1 | Linux Professional Institute - Level 1
MCITP | Microsoft Virtualization Administrator
NCLA | Novell Certified Linux Administrator
DCTS | Data Center Technical Specialist

[Freeipa-users] Host with Multiple hostnames

2016-11-28 Thread Mike Jacobacci
Hello,

I am sorry for the simple question, but I am using FreeIPA as our DNS
server and I am trying to figure out how to map a second hostname to a
host... I am unsure how the best way to go do it. I am just trying to give
a server a user friendly name for access and I don't want to change the
system hostname.

I thought I could just add a CNAME entry for the host record, but it fails
with the following error:

invalid 'cnamerecord': CNAME record is not allowed to coexist with any
other record (RFC 1034, section 3.6.2)

Is there an easy way I can do this?

Cheers,
Mike

Re: [Freeipa-users] Clonning VM

2016-11-28 Thread Lukas Slebodnik
On (28/11/16 13:10), Esdras La-Roque wrote:
>Hi Guys,
>
>What's the safe method to clone a virtual machine that is in IPA ?
>
>I tried to do this already, but I had many troubles related to IPA to fix.
>
Why do you need to create clone?
IMHO, It's much simpler to create replica of IPA (including CA replica).

LS



Re: [Freeipa-users] Valid Sender ? - Re: Add 4.4 replica to 4.3 server fails

2016-11-28 Thread Jochen Hein
Martin Babinsky  writes:

>>> 2016-11-27T21:07:26Z ERROR The ipa-replica-install command failed. See 
>>> /var/log/ipareplica-install.log for more information
>>>
>>> Any idea what's wrong?
> can you please check the version of python-cryptography on master and
> replica? I remember there used to be problem with pre-0.9 versions
> breaking Custodia.

Both are newer.  Master:
[root@freeipa ca]# rpm -qa | grep python.*cryptogra
python2-cryptography-1.5.3-3.fc24.x86_64

Replica:
[root@freeipa1 pki]# rpm -qa | grep python.*cryptogra
python2-cryptography-1.3.1-3.el7.x86_64

I've found https://github.com/latchset/jwcrypto/issues/47,
https://github.com/pyinstaller/pyinstaller/issues/2013, and
https://github.com/pyca/cryptography/issues/2907. But nothing that
stands out for me. I'll wait for GA of CentOS 7.3 and will try again
later, and also browse reports I may find.

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.



[Freeipa-users] new install on Fedora 24 kinit: Generic preauthentication failure while getting initial credentials

2016-11-28 Thread Robert Kudyba
There seems to be a problem either with Kerberos and/or using a self signed 
certificate vs. Let's Encrypt. I tried to run the set up script from 
https://github.com/freeipa/freeipa-letsencrypt and below are some errors and 
logs.

Within the /etc/httpd/conf.d/ipa.conf file I commented out these directives as 
I had some Apache redirects that were breaking:

#WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
 display-name=%{GROUP} socket-timeout=2147483647
#WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
#WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
#WSGIScriptReloading Off

./setup-le.sh 
Last metadata expiration check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.
Package certbot-0.9.3-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate 
issuer has been marked as not trusted by the user. (visit 
http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

kinit admin
kinit: Generic preauthentication failure while getting initial credentials

journalctl -u named-pkcs11
-- No entries --

journalctl -u named
-- No entries --

file /var/named/data/named.run
/var/named/data/named.run: cannot open `/var/named/data/named.run' (No such 
file or directory)

ldapsearch -Y GSSAPI 
'(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (No Kerberos credentials 
available (default cache: KEYRING:persistent:0))

ipa help krbtpolicy
ipa: ERROR: did not receive Kerberos credentials

In /var/log/krb5kdc.log:

Nov 28 05:19:49 krb5kdc[19575](info): closing down fd 11
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) ip: 
NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, Additional 
pre-authentication required
Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) ip: 
NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, Additional 
pre-authentication required
Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11


[Freeipa-users] Clonning VM

2016-11-28 Thread Esdras La-Roque
Hi Guys,

What's the safe method to clone a virtual machine that is in IPA?

I tried to do this already, but I had many troubles related to IPA to fix.


-- 
*Esdras La-Roque*
Systems Analyst and Developer
Master's student in Computer Science

LPI-1 | Linux Professional Institute - Level 1
MCITP | Microsoft Virtualization Administrator
NCLA | Novell Certified Linux Administrator
DCTS | Data Center Technical Specialist

Re: [Freeipa-users] ns-slapd segfault

2016-11-28 Thread Giulio Casella

On 28/11/2016 15:25, Lukas Slebodnik wrote:

On (28/11/16 12:39), Giulio Casella wrote:

Hello,

I have a setup with two ipa servers in replica, based on CentOS 7.
On one server (since a couple of days) ipa cannot start, the failing service
is dirsrv@.service.
In journal I have:

ns-slapd[4617]: segfault at 7fb53b1ce515 ip 7fb50126e1a6 sp
7ffc0b80d6c8 error 4 in libc-2.17.so[7fb501124000+1b7000]

(just after a lot of SSL alerts complaining about some enabled cipher suite,
but I cannot say if this could be related).

I'm using ipa 4.2.0, and 389-ds-base 1.3.4.


It would be good to know the exact version.
rpm -q 389-ds-base


Installed version is:

389-ds-base-1.3.4.0-33.el7_2.x86_64



Please provide backtrace or coredump; other developers will know
whether it's a known bug or a new bug.


Ok, you can find attached full stacktrace.

Thanks in advance,
gc



Re: [Freeipa-users] IPA rewrite conf

2016-11-28 Thread Deepak Dimri
Hi Jan, sorry to ask, but where exactly can I modify the Referer with 
RequestHeader on the IPA server?


Many Thanks,

Deepak



From: Jan Pazdziora 
Sent: Monday, November 28, 2016 8:09 AM
To: Deepak Dimri
Cc: deepak dimri; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA rewrite conf

On Mon, Nov 28, 2016 at 11:25:30AM +, Deepak Dimri wrote:
> Hi Jan, Thanks for your reply. Sorry for the typo, it's AWS ELB.
>
>
> I have seen the link you shared below.  My issue is that I want my IPA 
> servers in Failover/Load Balancing mode and when I add another IPA server 
> using Proxy balancer I believe ProxyPassReverseCookieDomain and 
> RequestHeader edit Referer directives do not work for me.  Basically I am 
> trying to make the balancer work with the below configuration but it's failing 
> at the ProxyPassReverseCookieDomain and RequestHeader edit Referer directives 
> level:
>

What error do you get when it fails?

> 
> 
> # IPA Server 1
> BalancerMember https://ipa1.int.example.com/
> # IPA Server 2
> BalancerMember https://ipa2.int.example.com/
> 
> SSLProxyEngine on
> ProxyPass / balancer://ipacluster/
> ProxyPassReverse / balancer://ipacluster/
> ProxyPassReverseCookieDomain ipa1.int.example.com webipa.example.com
> RequestHeader edit Referer ^https://webipa\.example\.com/ 
> https://ipa1.int.example.com/
> ProxyPassReverseCookieDomain ipa2.int.example.com webipa.example.com
> RequestHeader edit Referer ^https://webipa\.example\.com/ 
> https://ipa2.int.example.com/
> 
>
> I am not sure how ProxyPassReverseCookieDomain and RequestHeader edit Referer 
> can be configured in this scenario along with Proxy balancer?

I don't see why ProxyPassReverseCookieDomain should fail.

With RequestHeader, I suspect only one change will be done because
after the first change, the value of the Referer header already
contains name of one of the replicas.

Could you try modifying the Referer with the RequestHeader directly
on the IPA server, instead of on the balancer machine? On the IPA
server, you already know what name you want to set it to.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] ns-slapd segfault

2016-11-28 Thread Lukas Slebodnik
On (28/11/16 12:39), Giulio Casella wrote:
>Hello,
>
>I have a setup with two ipa servers in replica, based on CentOS 7.
>On one server (since a couple of days) ipa cannot start, the failing service
>is dirsrv@.service.
>In journal I have:
>
>ns-slapd[4617]: segfault at 7fb53b1ce515 ip 7fb50126e1a6 sp
>7ffc0b80d6c8 error 4 in libc-2.17.so[7fb501124000+1b7000]
>
>(just after a lot of SSL alerts complaining about some enabled cipher suite,
>but I cannot say if this could be related).
>
>I'm using ipa 4.2.0, and 389-ds-base 1.3.4.
>
It would be good to know the exact version.
rpm -q 389-ds-base

Please provide backtrace or coredump; other developers will know
whether it's a known bug or a new bug.

http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debugging-crashes

LS



Re: [Freeipa-users] SSH using putty to IPA client

2016-11-28 Thread Alexander Bokovoy

On Mon, 28 Nov 2016, Troels Hansen wrote:

Hi all

Just wanted to follow up on my recent findings in regards to IPA - AD
trust and kerberos delegations, so we gave up on this, and just lived
with it not working.

In the end we ended up discovering that for kerberos trust delegation
to work ldap/udp ingoing HAS to be open on the IPA server!

Correct, this is so-called CLDAP protocol (connectionless LDAP,
389/UDP), which is a key in DC resolution for AD domains.

This requirement is documented in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#trust-req-ports





- On Sep 28, 2016, at 11:48 AM, Sumit Bose sb...@redhat.com wrote:


On Wed, Sep 28, 2016 at 11:30:56AM +0200, Troels Hansen wrote:


> Yes, this makes sense as well. If you are not in the forest root you
> first need a cross-realm TGT for your domain and the forest root. Then
> you need a cross-realm TGT for the forest root and the IPA domain.
>
> As a next step you should see a request to the IPA KDC to get the actual
> service ticket for the host in the IPA domain.

Yes, this is the traffic that's never seen in the capture.
It seems Windows(Putty) never asks for a host ticket for the IPA host. I
receive the krbtgt for the IPA domain, but never see any traffic from the
Windows client to IPA, and thus, never receive the host ticket on the Windows
client.


Please check the other traffic on the client after receiving the
cross-realm ticket for the IPA domain. Since the client gets the name of
the IPA realm from the AD DC in the last response I would expect that it
will try some DNS SRV lookups to find a KDC in the IPA realm.

HTH

bye,
Sumit



I'm not at all sure how Kerberos works in Putty, but it seems it uses its own
Kerberos libraries and that these fail.

A Linux not joined to IPA, just installed with kerberos and using dns config in
krb5.conf can kinit in the NET domain, and ssh to IPA using kerberos just fine,

> so it seems the problem just relates to putty.


--
Kind regards

Troels Hansen

System consultant

Casalogic A/S


T (+45) 70 20 10 63

M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and 
much more.



--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA rewrite conf

2016-11-28 Thread Jan Pazdziora
On Mon, Nov 28, 2016 at 11:25:30AM +, Deepak Dimri wrote:
> Hi Jan, Thanks for your reply. Sorry for the typo, it's AWS ELB.
> 
> 
> I have seen the link you shared below.  My issue is that I want my IPA 
> servers in Failover/Load Balancing mode and when I add another IPA server 
> using Proxy balancer I believe ProxyPassReverseCookieDomain and 
> RequestHeader edit Referer directives do not work for me.  Basically I am 
> trying to make the balancer work with the below configuration but it's failing 
> at the ProxyPassReverseCookieDomain and RequestHeader edit Referer directives 
> level:
> 

What error do you get when it fails?

> 
> 
> # IPA Server 1
> BalancerMember https://ipa1.int.example.com/
> # IPA Server 2
> BalancerMember https://ipa2.int.example.com/
> 
> SSLProxyEngine on
> ProxyPass / balancer://ipacluster/
> ProxyPassReverse / balancer://ipacluster/
> ProxyPassReverseCookieDomain ipa1.int.example.com webipa.example.com
> RequestHeader edit Referer ^https://webipa\.example\.com/ 
> https://ipa1.int.example.com/
> ProxyPassReverseCookieDomain ipa2.int.example.com webipa.example.com
> RequestHeader edit Referer ^https://webipa\.example\.com/ 
> https://ipa2.int.example.com/
> 
> 
> I am not sure how ProxyPassReverseCookieDomain and RequestHeader edit Referer 
> can be configured in this scenario along with Proxy balancer?

I don't see why ProxyPassReverseCookieDomain should fail.

With RequestHeader, I suspect only one change will be done because
after the first change, the value of the Referer header already
contains name of one of the replicas.

Could you try modifying the Referer with the RequestHeader directly
on the IPA server, instead of on the balancer machine? On the IPA
server, you already know what name you want to set it to.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] SSH using putty to IPA client

2016-11-28 Thread Troels Hansen
Hi all

Just wanted to follow up on my recent findings in regards to IPA - AD trust and 
kerberos delegations, so we gave up on this, and just lived with it not working.

In the end we ended up discovering that for kerberos trust delegation to work 
ldap/udp ingoing HAS to be open on the IPA server!



- On Sep 28, 2016, at 11:48 AM, Sumit Bose sb...@redhat.com wrote:

> On Wed, Sep 28, 2016 at 11:30:56AM +0200, Troels Hansen wrote:
>> 
>> > Yes, this makes sense as well. If you are not in the forest root you
>> > first need a cross-realm TGT for your domain and the forest root. Then
>> > you need a cross-realm TGT for the forest root and the IPA domain.
>> > 
>> > As a next step you should see a request to the IPA KDC to get the actual
>> > service ticket for the host in the IPA domain.
>> 
>> Yes, this is the traffic that's never seen in the capture.
>> It seems Windows(Putty) never asks for a host ticket for the IPA host. I
>> receive the krbtgt for the IPA domain, but never see any traffic from the
>> Windows client to IPA, and thus, never receive the host ticket on the 
>> Windows
>> client.
> 
> Please check the other traffic on the client after receiving the
> cross-realm ticket for the IPA domain. Since the client gets the name of
> the IPA realm from the AD DC in the last response I would expect that it
> will try some DNS SRV lookups to find a KDC in the IPA realm.
> 
> HTH
> 
> bye,
> Sumit
> 
>> 
>> I'm not at all sure how Kerberos works in Putty, but it seems it uses its own
>> Kerberos libraries and that these fail.
>> 
>> A Linux not joined to IPA, just installed with kerberos and using dns config in
>> krb5.conf can kinit in the NET domain, and ssh to IPA using kerberos just 
>> fine,
> > so it seems the problem just relates to putty.

-- 
Kind regards 

Troels Hansen 

System consultant 

Casalogic A/S 


T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and 
much more.



[Freeipa-users] OTP Algorithm

2016-11-28 Thread Callum Guy
Hi All,

I wanted to ask a quick question - perhaps a more experienced user will be
able to help or point me to the correct documentation.

Basically we have implemented password+OTP type authentication which works
great.

When adding an OTP code using the admin login you can choose an algorithm.
For us the generated codes only work properly if the weakest sha1 algorithm
is chosen. To be clear, the code generation works fine but the codes are not
valid when logging in. Is there a related setting we must change?

Thanks,

Callum



Re: [Freeipa-users] FreeIPA behind Apache Reverse Proxy and Load Balancer

2016-11-28 Thread Simo Sorce
On Sat, 2016-11-26 at 23:18 +0530, deepak dimri wrote:
> Hi All,
> 
> I want to configure Apache reverse proxy to load balance/failover between
> two IPA servers. I have referred
> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name to
> configure reverse proxy and it all works fine with one IPA server but I
> want to load balance across two IPA Servers using Proxy Balancer module.
> What should be the configuration for RequestHeader edit Referer with Proxy
> balancer? In another thread
> https://www.mail-archive.com/freeipa-users@redhat.com/msg24644.html Peter
> has mentioned cookie rewriting or 2 VHs and I will try the VH option. But it
> will really help and will save my time if some one can share a full working
> configuration. I tried the below configuration but it's failing at RequestHeader
> edit Referer.
> 
> 
> 
> # IPA Server 1
> BalancerMember https://ipa1.int.com/
> # IPA Server 2
> BalancerMember https://ipa2.int.com/
> 
> SSLEngine On
> SSLProxyEngine On
> LogLevel debug
> SSLCertificateFile /etc/apache2/ssl/apache.crt
> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
> ProxyRequests off
> ProxyPass / balancer://ipacluster/
> ProxyPassReverse / balancer://ipacluster/
> ProxyPassReverseCookieDomain ipa1.int.com ipa.ext.com
> RequestHeader edit Referer ^https://ipa\.ext\.com/
> https://ipa1.int.com/
> ProxyPassReverseCookieDomain ipa2.int.com ipa.ext.com
> RequestHeader edit Referer ^https://ipa\.ext\.com/
> https://ipa2.int.com/
> 
> 

Changing the referer is not sufficient, if you use a different name then
kerberos authentication will fail. You'd have to create a new key for
the new name and distribute it to both server's http keytab so they can
decrypt incoming requests.
However your load balancer then also needs to stick with one server for
all requests coming from the same client, because we use session cookies
to maintain authentication and we do not share them between servers.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] mailing list SPAM

2016-11-28 Thread William Muriithi
Hello,

This is just an FYI.  Whenever I post an email here, I get a lot of
emails from this address - kimirachel4...@cczaa.com.  Think there is
someone on the list who is harvesting email addresses.

That wouldn't be too bad because if he tried to send a fresh mail, the
spam system at google would filter it out, but since he is leveraging
the mailing list and a current thread, it just passes through.


Regards,

William



[Freeipa-users] ns-slapd segfault

2016-11-28 Thread Giulio Casella

Hello,

I have a setup with two ipa servers in replica, based on CentOS 7.
On one server (since a couple of days) ipa cannot start, the failing 
service is dirsrv@.service.

In journal I have:

ns-slapd[4617]: segfault at 7fb53b1ce515 ip 7fb50126e1a6 sp 
7ffc0b80d6c8 error 4 in libc-2.17.so[7fb501124000+1b7000]


(just after a lot of SSL alerts complaining about some enabled cipher 
suite, but I cannot say if this could be related).


I'm using ipa 4.2.0, and 389-ds-base 1.3.4.

Servers are identical in hardware (they're virtual machines) and 
software (installed and updated at the same time).


Second server works like a charm.

Any hint?

--
Giulio Casella    giulio at di.unimi.it
System and network manager
Computer Science Dept. - University of Milano



Re: [Freeipa-users] IPA rewrite conf

2016-11-28 Thread Deepak Dimri
Hi Jan, Thanks for your reply. Sorry for the typo, it's AWS ELB.


I have seen the link you shared below.  My issue is that I want my IPA servers 
in Failover/Load Balancing mode and when I add another IPA server using Proxy 
balancer I believe ProxyPassReverseCookieDomain and RequestHeader edit 
Referer directives do not work for me.  Basically I am trying to make the 
balancer work with the below configuration but it's failing at the 
ProxyPassReverseCookieDomain and RequestHeader edit Referer directives level:



# IPA Server 1
BalancerMember https://ipa1.int.example.com/
# IPA Server 2
BalancerMember https://ipa2.int.example.com/

SSLProxyEngine on
ProxyPass / balancer://ipacluster/
ProxyPassReverse / balancer://ipacluster/
ProxyPassReverseCookieDomain ipa1.int.example.com webipa.example.com
RequestHeader edit Referer ^https://webipa\.example\.com/ 
https://ipa1.int.example.com/
ProxyPassReverseCookieDomain ipa2.int.example.com webipa.example.com
RequestHeader edit Referer ^https://webipa\.example\.com/ 
https://ipa2.int.example.com/



I am not sure how ProxyPassReverseCookieDomain and RequestHeader edit Referer 
can be configured in this scenario along with Proxy balancer?


Regards,

Deepak



From: freeipa-users-boun...@redhat.com  on 
behalf of Jan Pazdziora 
Sent: Monday, November 28, 2016 3:04 AM
To: deepak dimri
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA rewrite conf

On Sun, Nov 27, 2016 at 01:06:36PM +0530, deepak dimri wrote:
> Hi All,
>
> I am posting my issue here with a hope that I get a response.
>
> I have WS ELB configured to connect to FreeIPA servers on Ubuntu.  My
> FreeIPA servers are in private subnets. I am able to access my test
> index.html page deployed on the FreeIPA server by hitting https:// url>/index.html. However when I try IPA UI https:///ipa/ui then I
> am getting redirected to my internal IPA address which then results in a
> "site cannot be reached" error.  I am wondering if I have an option of
> tweaking my /usr/share/ipa/ipa-rewrite.conf file so that I can access IPA
> UI using external ELB URL?
>
> Would appreciate if some one can give some pointers

I don't know what WS ELB is but maybe

https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name

can get you started?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat


Re: [Freeipa-users] Add 4.4 replica to 4.3 server fails

2016-11-28 Thread Martin Babinsky

On 11/27/2016 11:38 PM, Jochen Hein wrote:

Jochen Hein  writes:


2016-11-27T21:07:26Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 
406 Client Error: Failed to validate message: No recipient matched the provided 
key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If 
you are seeing this error when trying to use default_backend() please try uninstalling 
and reinstalling cryptography.',)]"]
2016-11-27T21:07:26Z ERROR 406 Client Error: Failed to validate message: No recipient 
matched the provided key["Failed: [ValueError('Multibackend cannot be initialized 
with no backends. If you are seeing this error when trying to use default_backend() 
please try uninstalling and reinstalling cryptography.',)]"]
2016-11-27T21:07:26Z ERROR The ipa-replica-install command failed. See 
/var/log/ipareplica-install.log for more information

Any idea what's wrong?


Around that time the pki on the old master has this:

0.Thread-17 - [27/Nov/2016:22:06:47 MEZ] [8] [3] Publishing: Could not
publish certificate serial number 0x1a. Error Failed to publish using
rule: No rules enabled

Debug has:
[27/Nov/2016:22:06:47][Thread-17]: RunListeners:: Queue: 1 noSingleRequest
[27/Nov/2016:22:06:47][Thread-17]: getRequest  mRequests=1 
mSearchForRequests=false
[27/Nov/2016:22:06:47][Thread-17]: getRequest  getting request: 29
[27/Nov/2016:22:06:47][Thread-17]: In LdapBoundConnFactory::getConn()
[27/Nov/2016:22:06:47][Thread-17]: masterConn is connected: true
[27/Nov/2016:22:06:47][Thread-17]: getConn: conn is connected true
[27/Nov/2016:22:06:47][Thread-17]: getConn: mNumConns now 4
[27/Nov/2016:22:06:47][Thread-17]: returnConn: mNumConns now 5
[27/Nov/2016:22:06:47][Thread-17]: getRequest  request 29 found
[27/Nov/2016:22:06:47][Thread-17]: getRequest  mRequests=0 
mSearchForRequests=false done
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = 
com.netscape.cms.listeners.CertificateIssuedListener
[27/Nov/2016:22:06:47][Thread-17]: CertificateIssuedListener: accept 29
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = 
com.netscape.ca.CRLIssuingPoint$RevocationRequestListener
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = 
com.netscape.cmscore.ldap.LdapRequestListener
[27/Nov/2016:22:06:47][Thread-17]: LdapRequestListener handling publishing for 
enrollment request id 29
[27/Nov/2016:22:06:47][Thread-17]: Checking publishing for request 29
[27/Nov/2016:22:06:47][Thread-17]: In  PublisherProcessor::publishCert
[27/Nov/2016:22:06:47][Thread-17]: Publishing: can't find publishing 
rule,exiting routine.
[27/Nov/2016:22:06:47][Thread-17]: PublishProcessor::publishCert : Failed to 
publish using rule: No rules enabled
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = 
com.netscape.cms.listeners.CertificateRevokedListener
[27/Nov/2016:22:06:47][Thread-17]: RunListeners: mRequest = 29
[27/Nov/2016:22:06:47][Thread-17]: updatePublishingStatus 
mSavePublishingCounter: 3 mSavePublishingStatus: 200
[27/Nov/2016:22:06:47][Thread-17]: RunListeners:  noQueue  SingleRequest
[27/Nov/2016:22:06:47][Thread-17]: RequestRepository: setPublishingStatus  
mBaseDN: ou=ca,ou=requests,o=ipaca  status: -1
[27/Nov/2016:22:06:47][Thread-17]: In LdapBoundConnFactory::getConn()
[27/Nov/2016:22:06:47][Thread-17]: masterConn is connected: true
[27/Nov/2016:22:06:47][Thread-17]: getConn: conn is connected true
[27/Nov/2016:22:06:47][Thread-17]: getConn: mNumConns now 4
[27/Nov/2016:22:06:47][Thread-17]: returnConn: mNumConns now 5
[27/Nov/2016:22:06:47][Thread-17]: Number of publishing threads: 0

Maybe something in dogtag is missing?

Jochen



Hi Jochen,

can you please check the version of python-cryptography on master and 
replica? I remember there used to be problem with pre-0.9 versions 
breaking Custodia.


--
Martin^3 Babinsky



Re: [Freeipa-users] SPAM, please ban this user

2016-11-28 Thread Martin Basti



On 28.11.2016 08:10, Denis Müller wrote:

kimirachel1...@tmtis.com 

spamming all the time.
Please help.




It is not a registered user, it is a spambot that is mining public archives; 
it is not sent from RH servers, we can't help here, sorry.

Re: [Freeipa-users] mount lookup failure getautomntent_r

2016-11-28 Thread Jakub Hrozek
On Sun, Nov 27, 2016 at 05:34:20PM -0500, William Muriithi wrote:
> Jakub,
> 
> Thanks for the response
> On 27 November 2016 at 15:43, Jakub Hrozek  wrote:
> >
> >>
> >> I have noticed an error that pops up as the final line after running
> 
> >> lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
> >>
> >>  failed to read map
> >>
> >> Has anyone found a way to clean up that error?
> >>
> >
> > No idea without more context, sorry. Does auto mounter actually work for 
> > you or are some maps missing?
> >
> The mount works fine, actually. I only noticed the error because I have
> a script that is consuming the standard output from "automount -m"
> command.  I thought instead of filtering away the error, it would be
> more prudent to fix the root issue.

Yes..

> 
> > The message can really be harmless, because the client (=automounter) 
> > iterates over the maps returned by the server (=sssd in this context) until 
> > the server returns ENOENT. I agree though the message is confusing and 
> > we’ll be (most probably) looking at some autofs enhancements in the next 
> > sssd version..
> >
> Now that I have shared some context, is there any way I can track down
> what might be causing it? Or better, what are some of the candidate
> mistakes that can trigger it?

As long as all the maps are returned, though, this is really only a
confusing error message. I think the code that causes it is in SSSD's
automounter client code, around line 172 with the current master:

172     if (len == 0) {
173         /* There are no more records. */
174         *_key = NULL;
175         *_value = NULL;
176         ret = ENOENT;
177         goto done;
178     }

what you see in the output is just strerror(ENOENT)..

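To show how the end-of-map sentinel above ends up printed as an error, here is an added example (not SSSD's or autofs's code) with a hypothetical demo_getautomntent_r() that mimics the "no more records" branch and a caller that either logs every non-zero return or recognises ENOENT as the normal terminator; the map contents are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample map, standing in for what sssd would return. */
struct map_entry { const char *key; const char *value; };
static const struct map_entry sample_map[] = {
    { "home", "-fstype=nfs server:/export/home" },
    { "data", "-fstype=nfs server:/export/data" },
};
static const size_t sample_map_len = sizeof(sample_map) / sizeof(sample_map[0]);

/* Hypothetical stand-in for a getautomntent_r-style iterator: 0 with the next
 * record, ENOENT once the records are exhausted (the branch quoted above),
 * EINVAL for bad arguments. */
int demo_getautomntent_r(size_t *cursor, const char **_key, const char **_value)
{
    if (cursor == NULL || _key == NULL || _value == NULL)
        return EINVAL;
    if (*cursor >= sample_map_len) {
        /* There are no more records. */
        *_key = NULL;
        *_value = NULL;
        return ENOENT;
    }
    *_key = sample_map[*cursor].key;
    *_value = sample_map[*cursor].value;
    (*cursor)++;
    return 0;
}

/* Drains the map. With treat_enoent_as_error set, every non-zero return is
 * logged, which is how the confusing "No such file or directory" line appears;
 * otherwise ENOENT is the normal end of the map. Returns records read and
 * stores how many error lines were logged. */
int read_map(int treat_enoent_as_error, int *errors_logged)
{
    size_t cursor = 0;
    const char *key, *value;
    int ret, nread = 0;
    *errors_logged = 0;
    while ((ret = demo_getautomntent_r(&cursor, &key, &value)) == 0)
        nread++;
    if (ret == ENOENT && !treat_enoent_as_error)
        return nread;                       /* clean end of enumeration */
    fprintf(stderr, "lookup(sss): getautomntent_r: %s\n", strerror(ret));
    (*errors_logged)++;
    return nread;
}
```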

Re: [Freeipa-users] URL is changing on the browser

2016-11-28 Thread Jan Pazdziora
On Mon, Nov 28, 2016 at 01:15:17AM +, Deepak Dimri wrote:
> Adding Jan into the email thread. Hopefully Jan can help too

I'm sorry, but there seem to be different people chiming into this
thread with their use-cases and we really need to be talking about one setup
at a time.

What is the setup that you have, what is the configuration, what is
the expected behaviour, and what is the behaviour that you see?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
