Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Petr Spacek
On 21.12.2016 21:36, Brian J. Murrell wrote:
> Some additional information.  I can't seem to use the CLI either. 
> Perhaps that is expected:
> 
> # kinit admin
> Password for ad...@example.com:
> 
> # klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m
> Default principal: ad...@example.com
> 
> Valid starting ExpiresService principal
> 21/12/16 15:29:20  22/12/16 15:29:17  krbtgt/example@example.com
> 
> # ipa host-find
> ipa: ERROR: Insufficient access:  Invalid credentials
> 
> When I do that (the ipa host-find) /var/log/krb5kdc.log says:
> 
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes 
> {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 
> 1482352160, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for 
> HTTP/server.example@example.com
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes 
> {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 
> 1482352160, etypes {rep=18 tkt=18 ses=18}, 
> HTTP/server.example@example.com for ldap/server.example@example.com
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): ... 
> CONSTRAINED-DELEGATION s4u-client=ad...@example.com
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
> 
> Not sure if that's helpful or not but it's something new (to me) so I
> thought I would add it to the case.
> 
> Most unfortunately I need to access IPA to do some configuration
> changes so this is getting more unfortunate than just some errors in a
> log now.  :-(

Yes, this will be a manifestation of the same problem. Interestingly, the LDAP
server should use the ds.keytab file instead of krb5.keytab.

We need someone from the DS team or with deep Kerberos/gssproxy knowledge to look
into it.

Simo, Ludwig, how can this happen?

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Windows 7 Authentication Failed with FreeIPA

2016-12-21 Thread Alexander Bokovoy

On ke, 21 joulu 2016, Jaril Nambiar wrote:

Hi Concern,

This email is regarding an issue where a workgroup Windows 7 client is
trying to log in to the FreeIPA realm. It shows 'There are currently no
logon servers available to service the logon request'. The guide is to
set up for Windows XP. Am I able to create the same in a Windows 7 client or
not? Requesting your support to fulfill my requirement.

Joining Windows clients to FreeIPA realm is not supported. Login to
Windows clients with FreeIPA users is not supported.

This is explained in the first link you referred to. Everything else in
the first link is a hackish attempt with no promise to work. If it
doesn't work, it doesn't.


Referred Links:

http://www.freeipa.org/page/Windows_authentication_against_FreeIPA

http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step

https://mkosek.fedorapeople.org/publican_site/en-US/FreeIPA/3.4/html/FreeIPA_Guide/Configuring_Microsoft_Windows.html

Thank you,

Jaril V V

Ph: +91-9987027659

Email:   jaril.namb...@gmail.com

--
/ Alexander Bokovoy



[Freeipa-users] backing up and starting over...

2016-12-21 Thread Robert Story
I'm running a small instance of FreeIPA on CentOS 7 in our lab, for about 20
machines. Since CentOS 7.3 came out and upgraded from 4.2 to 4.4, things
have gotten flaky, e.g. clicking on a user gets the spinning 'Working'
dialog and can take 3-5 minutes to load the page. But often it will die
with 'internal error'.

Is there a way to back up data so that I can re-install 4.4 and restore the
data? Specifically users+uids/groups+gids, HBAC and sudo rules?


Robert



Re: [Freeipa-users] (trust domain AD)

2016-12-21 Thread Ing . Adrian Hernández Yeja
Hi Youenn, thanks for your quick response. Actually I need to create a trust
domain with an AD to disable NTLM auth and take advantage of FreeIPA. I
thought to use Kerberos instead of NTLM. Is it possible to create a trust domain
with AD and authenticate users with LDAP (FreeIPA)?

- Original Message -

From: "Youenn PIOLET"
To: "Ing. Adrian Hernández Yeja"
CC: freeipa-users@redhat.com
Sent: Wednesday, 21 December 2016 13:05:30
Subject: Re: [Freeipa-users] (no subject)

Hi Adrian, 

You can use basic_ldap_auth to connect to FreeIPA using LDAP instead of 
negotiate_kerberos_auth : 
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \ 
-b "cn=accounts,dc=example,dc=com" \ 
-f uid=%s -h  -ZZ 
auth_param basic children 10 
auth_param basic realm infra.msv 
auth_param basic credentialsttl 30 second 
Regards, 

-- 
Youenn Piolet 
piole...@gmail.com 


2016-12-21 17:53 GMT+01:00 Ing. Adrian Hernández Yeja < ay...@uci.cu > : 


Hi folks, I need to authenticate my users against a Squid proxy server using
FreeIPA. I know it is possible
(https://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On)
but my users are not necessarily authenticated in a FreeIPA domain, so my
question is whether it's possible to meet this requirement with either a
third-party application or a specific configuration.

Regards. 

@universidad_uci is Fidel. We, the young, will not fail.
#HastaSiempreComandante
#HastalaVictoriaSiempre

@universidad_uci is Fidel. We, the young, will not fail.
#HastaSiempreComandante
#HastalaVictoriaSiempre


Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Brian J. Murrell
Some additional information.  I can't seem to use the CLI either. 
Perhaps that is expected:

# kinit admin
Password for ad...@example.com:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m
Default principal: ad...@example.com

Valid starting ExpiresService principal
21/12/16 15:29:20  22/12/16 15:29:17  krbtgt/example@example.com

# ipa host-find
ipa: ERROR: Insufficient access:  Invalid credentials

When I do that (the ipa host-find) /var/log/krb5kdc.log says:

Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes {18 
17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 
1482352160, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for 
HTTP/server.example@example.com
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes {18 
17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 
1482352160, etypes {rep=18 tkt=18 ses=18}, HTTP/server.example@example.com 
for ldap/server.example@example.com
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): ... 
CONSTRAINED-DELEGATION s4u-client=ad...@example.com
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12

Not sure if that's helpful or not but it's something new (to me) so I
thought I would add it to the case.

Most unfortunately I need to access IPA to do some configuration
changes so this is getting more unfortunate than just some errors in a
log now.  :-(

Cheers,
b.



[Freeipa-users] Ipa cert automatic renew Failing.

2016-12-21 Thread Lucas Diedrich
Hello guys,

I'm having some trouble; what is happening with my server is that I'm
hitting an old BUG (https://bugzilla.redhat.com/show_bug.cgi?id=1033273).
Talking to mbasti over IRC, he oriented me to send this to the email list.

The problem is, I got it on the CA master, so because of this problem the CA
master certificates couldn't be renewed, so now I promoted another master to
be the CA. And the problem still persists.

These are the certs from my new CA
(https://paste.fedoraproject.org/510617/14823448/),
these are the certs from my old CA
(https://paste.fedoraproject.org/510618/44871148/).
This is the log when I restart pki-tomcat ("CA port 636 Error
netscape.ldap.LDAPException: Authentication failed (49)").
This is the log from dirsrv when I restart pki-tomcat
(https://paste.fedoraproject.org/510614/23446801/).

Basically my CA is not working anymore...

Anyway, I tried lots of things but couldn't fix this; does anyone have some idea?

Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

2016-12-21 Thread beeth beeth
Hi Flo,

First of all, thanks a lot for taking your time to reproduce the issue
from your end; you have been very helpful and you are the best!

Here's what I observed after some more tests:

1. In this case I used the Entrust (www.entrust.com) certificate service, and
they provided a root-G2-L1K certificate chain. In the /etc/ipa/ca.crt file on
the primary IPA server ipaprd1, I saw 3 certificates (root, G2 and L1K) as
the root chain. When I checked the ca.crt file on the RHEL6 IPA
client (called ipadev6), I only saw one certificate, the L1K one, which
didn't look right. So I followed your advice to remove it, then the
ipa-client-install could finish without the LDAP error. But after the
installation, I found the ca.crt file on such RHEL6 box still had only one
certificate (L1K). Meanwhile, when I checked the RHEL7 IPA client (called
ipadev7, which I mentioned before was always working), the
/etc/ipa/ca.crt file has 3 certificates, the complete root chain. I have no
clue why the IPA client installation on the RHEL7 box is so smooth but not on
the RHEL6 box, while they both enrolled with the exact same primary & replica
IPA server. The bug document you mentioned doesn't explain this.

2. During the client installation on ipadev6 (RHEL6 box), with the ca.crt file
manually removed, I saw the following message:

A RA is not configured on the server. Not requesting host certificate.

The installation was stuck there for about 3~4 minutes before it continued to
the next step, then it finished eventually with "Client configuration
complete". Any idea about such a message?

Thanks!!


On Tue, Dec 20, 2016 at 9:43 AM, Florence Blanc-Renaud 
wrote:

> On 12/16/2016 03:54 PM, Florence Blanc-Renaud wrote:
>
>> On 12/15/2016 08:01 PM, beeth beeth wrote:
>>
>>> Hi Flo,
>>>
>>> That's a good point! I checked the dirsrv certificate and confirmed
>>> valid(good until later next year).
>>> Since I had no problem to enroll another new IPA client(RHEL7 box
>>> instead of RHEL6) to such replica server, I thought it might not be a
>>> server end issue. However, when I tried to restart the DIRSRV service on
>>> the replica server, I found these messages in the log
>>> file /var/log/dirsrv/slapd-IPA-EXAMPLE-COM/errors:
>>>
>>> [15/Dec/2016:13:38:15.891301246 -0500] 389-Directory/1.3.5.10
>>>  B2016.257.1817 starting up
>>> [15/Dec/2016:13:38:15.911777373 -0500] default_mr_indexer_create:
>>> warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
>>> [15/Dec/2016:13:38:15.926320306 -0500] WARNING: changelog: entry cache
>>> size 2097152 B is less than db size 5488640 B; We recommend to increase
>>> the entry cache size nsslapd-cachememsize.
>>> [15/Dec/2016:13:38:16.132155534 -0500] schema-compat-plugin - scheduled
>>> schema-compat-plugin tree scan in about 5 seconds after the server
>>> startup!
>>> [15/Dec/2016:13:38:16.167896279 -0500] NSACLPlugin - The ACL target
>>> cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.173317345 -0500] NSACLPlugin - The ACL target
>>> cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.178354342 -0500] NSACLPlugin - The ACL target
>>> cn=keys,cn=sec,cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.183579322 -0500] NSACLPlugin - The ACL target
>>> cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.188786976 -0500] NSACLPlugin - The ACL target
>>> cn=dns,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.193275650 -0500] NSACLPlugin - The ACL target
>>> cn=groups,cn=compat,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.197580407 -0500] NSACLPlugin - The ACL target
>>> cn=computers,cn=compat,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.201863256 -0500] NSACLPlugin - The ACL target
>>> cn=ng,cn=compat,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.206318629 -0500] NSACLPlugin - The ACL target
>>> ou=sudoers,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.211559100 -0500] NSACLPlugin - The ACL target
>>> cn=users,cn=compat,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.216146819 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.220786596 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.225594942 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.229986749 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.234518367 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.238763121 -0500] NSACLPlugin - The ACL target
>>> cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
>>> [15/Dec/2016:13:38:16.243031116 -0500] 

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Brian J. Murrell
On Wed, 2016-12-21 at 17:50 +0100, Petr Spacek wrote:
> Okay, I believe that this is the problem:
> 
> On 21.12.2016 15:53, Brian J. Murrell wrote:
> > [21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107
> > connection from local to /var/run/slapd-EXAMPLE.COM.socket
> 
> ...
> > [21/Dec/2016:09:39:12.064476101 -0500] conn=77028 op=0 BIND dn=""
> > method=sasl version=3 mech=GSSAPI
> > [21/Dec/2016:09:39:12.067486416 -0500] conn=77028 op=0 RESULT
> > err=49 tag=97 nentries=0 etime=0 - SASL(-1): generic failure:
> > GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
> > information (Permission denied)
> > [21/Dec/2016:09:39:12.192506861 -0500] conn=77028 op=1 UNBIND
> > [21/Dec/2016:09:39:12.192549740 -0500] conn=77028 op=1 fd=107
> > closed - U1
> 
> I have no idea why it is returning Permission denied.
> 
> Is it reproducible when you run this?
> $ kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
> ipa-dnskeysyncd/server.example.com
> $ ldapsearch -Y GSSAPI -H /var/run/slapd-EXAMPLE.COM.socket
> ?

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ipa-dnskeysyncd/server.example@example.com

Valid starting ExpiresService principal
21/12/16 13:05:16  22/12/16 13:02:12  ldap/server.example@example.com
21/12/16 13:02:12  22/12/16 13:02:12  krbtgt/example@example.com

# ldapsearch -Y GSSAPI -H ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE.COM.socket 
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

> 
> We need to find out why it is blowing up on GSSAPI negotiation.
> 
> Wild guess is that /etc/dirsrv/ds.keytab could have wrong
> permissions. It
> should have
> -rw---. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0

# ls -lZ /etc/dirsrv/ds.keytab
-rw---. dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 
/etc/dirsrv/ds.keytab
 
> If you manage to reproduce it, you can attach strace to the running
> dirsrv

By that I assume you mean the ns-slapd.

The strace (minus poll/select/futex noise) is attached.

> 
process and see what call is failing (if it is a system call)...

Perhaps this one:

[pid 13449] open("/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)

# ls -lZ /etc/krb5.keytab
-rw---. root root system_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab

But looking into the backup of this system, even a week and a month
ago, that file had the same permissions/ownership.  And changing it to
644 temporarily doesn't fix the "ldap_sasl_interactive_bind_s: Invalid
credentials (49)" from ldapsearch.

Cheers,
b.
8967  restart_syscall(<... resuming interrupted call ...> 
13414 restart_syscall(<... resuming interrupted call ...> 
13413 restart_syscall(<... resuming interrupted call ...> 
12933 restart_syscall(<... resuming interrupted call ...>) = 0
12933 getpeername(7, 0x7ffc9bff1450, [112]) = -1 ENOTCONN (Transport endpoint 
is not connected)
12933 getpeername(7, 0x7ffc9bff1450, [112]) = -1 ENOTCONN (Transport endpoint 
is not connected)
12933 getpeername(7, 0x7ffc9bff1450, [112]) = -1 ENOTCONN (Transport endpoint 
is not connected)
12933 getpeername(7, 0x7ffc9bff1450, [112]) = -1 ENOTCONN (Transport endpoint 
is not connected)
12933 accept(8, {sa_family=AF_LOCAL, NULL}, [2]) = 65
12933 fcntl(65, F_GETFL)= 0x2 (flags O_RDWR)
12933 fcntl(65, F_SETFL, O_RDWR|O_NONBLOCK) = 0
12933 setsockopt(65, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
12933 getpeername(65, {sa_family=AF_LOCAL, NULL}, [2]) = 0
12933 getsockname(65, {sa_family=AF_LOCAL, 
sun_path="/var/run/slapd-EXAMPLE.COM.socket"}, [40]) = 0
12933 getsockopt(65, SOL_SOCKET, SO_PEERCRED, {pid=16254, uid=0, gid=0}, [12]) 
= 0
12933 getpeername(7, 0x7ffc9bff1450, [112]) = -1 ENOTCONN (Transport endpoint 
is not connected)
8967  <... restart_syscall resumed> )   = -1 ETIMEDOUT (Connection timed out)
12933 getpeername(7, 0x7ffc9bff1450, [112]) = -1 ENOTCONN (Transport endpoint 
is not connected)
13442 recvfrom(65, 
"0\202\2\316\2\1\1`\202\2\307\2\1\3\4\0\243\202\2\276\4\6GSSAPI\4\202\2\262"...,
 512, 0, NULL, NULL) = 512
13442 recvfrom(65, 
"\237\23\203^\177$\376[\345\20\223t\3052\326\305\352\355i\277\207V\214\n\312M\210h=\2\233="...,
 512, 0, NULL, NULL) = 210
13442 write(51, "\0", 1)= 1
13442 sendto(59, "<39>Dec 21 13:16:42 ns-slapd: GS"..., 51, MSG_NOSIGNAL, NULL, 
0) = 51
13442 lstat("/etc/gss/mech", 0x7feac37ecd00) = -1 ENOENT (No such file or 
directory)
13442 openat(AT_FDCWD, "/etc/gss/mech.d", 
O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 107
13442 getdents(107, /* 3 entries */, 32768) = 88
13442 getdents(107, /* 0 entries */, 32768) = 0
13442 close(107)= 0
13442 lstat("/etc/gss/mech.d/gssproxy.conf", {st_mode=S_IFREG|0644, 
st_size=189, ...}) = 0
13442 stat("/usr/lib64/gssproxy/proxymech.so", {st_mode=S_IFREG|0755, 
st_size=110960, ...}) = 0
13442 stat("/etc/krb5.conf", {st_mode=S_IFREG|0644, st_size=780, ...}) = 0
13442 open("/etc/krb5.conf", O_RDONLY)  = 107
13442 fcntl(107, 

Re: [Freeipa-users] (no subject)

2016-12-21 Thread Youenn PIOLET
Hi Adrian,

You can use basic_ldap_auth to connect to FreeIPA using LDAP instead of
negotiate_kerberos_auth :

auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
    -b "cn=accounts,dc=example,dc=com" \
    -f uid=%s -h  -ZZ
auth_param basic children 10
auth_param basic realm infra.msv
auth_param basic credentialsttl 30 second



Regards,

--
Youenn Piolet
piole...@gmail.com


2016-12-21 17:53 GMT+01:00 Ing. Adrian Hernández Yeja :

> Hi folks, I need to authenticate my users against a Squid proxy server using
> FreeIPA. I know it is possible
> (https://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On)
> but my users are not necessarily authenticated in a FreeIPA domain, so my
> question is whether it's possible to meet this requirement with either a
> third-party application or a specific configuration.
>
> Regards.
>
> @universidad_uci is Fidel. We, the young, will not fail.
> #HastaSiempreComandante
> #HastalaVictoriaSiempre
>
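
What the helper does with those options, written out as an added Python model (not basic_ldap_auth's own code): the -f uid=%s template becomes an RFC 4515 filter with the user name escaped, the entry found under -b is bound with the supplied password, and the reply to Squid is OK or ERR. The directory is a constructed stand-in so the block runs offline; in the real config, -ZZ is what keeps that password from crossing to the LDAP server in clear text, since Basic auth already carries it base64-encoded between browser and proxy.

```python
"""Model of the basic_ldap_auth path from the thread: Squid feeds the helper
"user password" lines, the helper turns `-f uid=%s` under `-b cn=accounts,...`
into a search filter, then binds as the entry it finds.

Added example, not basic_ldap_auth's code. The directory is a constructed
stand-in for the FreeIPA accounts tree so the block runs offline.
"""
from urllib.parse import unquote

BASE_DN = "cn=accounts,dc=example,dc=com"     # the thread's -b
FILTER_TEMPLATE = "uid=%s"                     # the thread's -f

# RFC 4515: characters that would change the meaning of a filter if a user
# name were pasted in unescaped.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(username, template=FILTER_TEMPLATE):
    """The %s is the whole assertion value, so escape it before substitution."""
    return "(" + template.replace("%s", escape_filter_value(username), 1) + ")"


def parse_helper_line(line):
    """Squid basic-auth helper protocol: 'user password', each %XX-encoded
    so that spaces inside a password survive the single-space split."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return None
    return unquote(parts[0]), unquote(parts[1])


# Constructed stand-in for the directory: DN -> password.
FAKE_DIRECTORY = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": "correct horse",
}


def fake_search(base, ldap_filter):
    """Mimic the server: only an exact (already escaped) uid lookup resolves."""
    if not (ldap_filter.startswith("(uid=") and ldap_filter.endswith(")")):
        return None
    dn = f"uid={ldap_filter[5:-1]},cn=users,{base}"
    return dn if dn in FAKE_DIRECTORY else None


def fake_bind(dn, password):
    return FAKE_DIRECTORY.get(dn) == password


def helper_reply(line, search=fake_search, bind=fake_bind):
    """Return the line the helper would write back to Squid: OK or ERR."""
    parsed = parse_helper_line(line)
    if parsed is None:
        return "ERR"
    user, password = parsed
    # RFC 4513: a DN with an empty password is an *unauthenticated* bind, which
    # servers may accept; never let it count as a successful login.
    if not password:
        return "ERR"
    dn = search(BASE_DN, build_search_filter(user))
    if dn is None or not bind(dn, password):
        return "ERR"
    return "OK"
```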

[Freeipa-users] (no subject)

2016-12-21 Thread Ing . Adrian Hernández Yeja
Hi folks, I need to authenticate my users against a Squid proxy server using
FreeIPA. I know it is possible
(https://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On)
but my users are not necessarily authenticated in a FreeIPA domain, so my
question is whether it's possible to meet this requirement with either a
third-party application or a specific configuration.

Regards.

@universidad_uci is Fidel. We, the young, will not fail.
#HastaSiempreComandante
#HastalaVictoriaSiempre


Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Petr Spacek
Okay, I believe that this is the problem:

On 21.12.2016 15:53, Brian J. Murrell wrote:
> [21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107 connection 
> from local to /var/run/slapd-EXAMPLE.COM.socket
...
> [21/Dec/2016:09:39:12.064476101 -0500] conn=77028 op=0 BIND dn="" method=sasl 
> version=3 mech=GSSAPI
> [21/Dec/2016:09:39:12.067486416 -0500] conn=77028 op=0 RESULT err=49 tag=97 
> nentries=0 etime=0 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS 
> failure.  Minor code may provide more information (Permission denied)
> [21/Dec/2016:09:39:12.192506861 -0500] conn=77028 op=1 UNBIND
> [21/Dec/2016:09:39:12.192549740 -0500] conn=77028 op=1 fd=107 closed - U1

I have no idea why it is returning Permission denied.

Is it reproducible when you run this?
$ kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
ipa-dnskeysyncd/server.example.com
$ ldapsearch -Y GSSAPI -H /var/run/slapd-EXAMPLE.COM.socket
?

We need to find out why it is blowing up on GSSAPI negotiation.

Wild guess is that /etc/dirsrv/ds.keytab could have wrong permissions. It
should have
-rw---. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0

If you manage to reproduce it, you can attach strace to the running dirsrv
process and see what call is failing (if it is a system call)...

I'm CCing LDAP server gurus to see if it rings a bell.

-- 
Petr^2 Spacek
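
The err=49 / "Permission denied" pair above is the kind of thing worth alerting on rather than finding by hand. As an added example (not code from the thread), here is a small Python detector that pairs each BIND with its RESULT on the same conn/op in 389-ds access-log lines, skips the benign err=14 "SASL bind in progress" step, and reports failed SASL binds with their GSS minor reason; the sample lines are constructed after the excerpt in this message.

```python
"""Flag failed SASL binds in 389 Directory Server access-log lines.

Added example (not code from the thread). The sample lines below are constructed
to mirror the access-log excerpt quoted above: a GSSAPI bind on the LDAPI socket
that fails with err=49 and a GSS "Permission denied" minor code.
"""
import re
from dataclasses import dataclass

SAMPLE_ACCESS_LOG = """\
[21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107 connection from local to /var/run/slapd-EXAMPLE.COM.socket
[21/Dec/2016:09:39:12.064476101 -0500] conn=77028 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Dec/2016:09:39:12.067486416 -0500] conn=77028 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Permission denied)
[21/Dec/2016:09:39:12.192506861 -0500] conn=77028 op=1 UNBIND
[21/Dec/2016:09:39:12.192549740 -0500] conn=77028 op=1 fd=107 closed - U1
[21/Dec/2016:09:40:01.000000000 -0500] conn=77030 fd=108 slot=108 connection from 10.75.22.1 to 10.75.22.247
[21/Dec/2016:09:40:01.001000000 -0500] conn=77030 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Dec/2016:09:40:01.002000000 -0500] conn=77030 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Dec/2016:09:40:01.003000000 -0500] conn=77030 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Dec/2016:09:40:01.004000000 -0500] conn=77030 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONN_RE = re.compile(r"connection from (?P<src>\S+) to (?P<dst>\S+)")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\w+)'
                     r"(?: version=\d+)?(?: mech=(?P<mech>\S+))?")
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)(?P<tail>.*)$")

BIND_RESPONSE_TAG = "97"        # LDAP bindResponse
SASL_BIND_IN_PROGRESS = 14      # multi-step SASL exchange, not a failure


@dataclass
class BindFailure:
    ts: str
    conn: str
    source: str      # peer address, or "local" for the LDAPI socket
    mech: str        # SASL mechanism, or the numeric method for simple binds
    err: int
    detail: str      # server diagnostic after "etime=N - "


def gss_minor_reason(detail):
    """Pull the OS-level reason out of a GSSAPI diagnostic, e.g. 'Permission denied'."""
    m = re.search(r"\(([^()]*)\)\s*$", detail)
    return m.group(1) if m else None


def find_failed_binds(log_text):
    """Pair every BIND with its RESULT on the same (conn, op) and return the failures."""
    sources, pending, failures = {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, conn, rest = m.group("ts", "conn", "rest")
        cm = CONN_RE.search(rest)
        if cm:
            sources[conn] = cm.group("src")
            continue
        bm = BIND_RE.search(rest)
        if bm:
            pending[(conn, bm.group("op"))] = bm.group("mech") or bm.group("method")
            continue
        rm = RESULT_RE.search(rest)
        if not rm or (conn, rm.group("op")) not in pending:
            continue
        mech = pending.pop((conn, rm.group("op")))
        err = int(rm.group("err"))
        if rm.group("tag") != BIND_RESPONSE_TAG or err in (0, SASL_BIND_IN_PROGRESS):
            continue
        tail = rm.group("tail")
        detail = tail.split(" - ", 1)[1].strip() if " - " in tail else tail.strip()
        failures.append(BindFailure(ts, conn, sources.get(conn, "?"), mech, err, detail))
    return failures


if __name__ == "__main__":
    for f in find_failed_binds(SAMPLE_ACCESS_LOG):
        print(f"{f.ts} conn={f.conn} from {f.source}: {f.mech} bind err={f.err}, "
              f"reason: {gss_minor_reason(f.detail) or f.detail}")
```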



Re: [Freeipa-users] DNS reverse zone is not managed by this server

2016-12-21 Thread Martin Basti

Hello all :)


On 20.12.2016 01:33, Maciej Drobniuch wrote:

Hi All!

I get the following message while adding a new hostname.

"The host was added but the DNS update failed with: DNS reverse zone 
in-addr.arpa. for IP address 10.0.0.165 is not managed by this server"


IPA failed to get the correct reverse zone. Can you try dig -x 10.0.0.165 
and see what is in the SOA answer?


What is the name of reverse zone you have on IPA DNS server?


Martin



The reverse zone is configured and working.
When I am manually adding the PTR record to the reverse zone - all OK

While adding a new host,  the A record is being created but the PTR 
fails with the message above.


Reinstalling CentOS+IPA worked once but I had to reinstall again 
because of problems with Kerberos (probably dependencies).


Not sure what the root cause of the issue is.

VERSION: 4.4.0, API_VERSION: 2.213

CENTOS7 Linux freeipa1 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 
UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


Any help appreciated!
--
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-sense LLC


Re: [Freeipa-users] Failed to promote ipa client to ipa replica

2016-12-21 Thread Martin Basti



On 20.12.2016 20:27, fay wang wrote:
Hi, I have no luck in promoting ipa client to ipa replica. In my 
replica system where ipa client is installed:


certutil -L -d /etc/dirsrv/slapd-

does not have Server-Cert.

Please help!

Thanks,
fay

Which commands did you use to promote the replica?
Can you show us the output of those commands?

Martin

Re: [Freeipa-users] modify schema - add group email and display attribute

2016-12-21 Thread Sandor Juhasz
That would be the perfect solution. 

How do I do it? 

ldapmodify: 
dn: cn=schema 
changetype: modify 
add: objectclasses 
objectclasses: (  
NAME 'googleGroup' SUP groupofnames 
STRUCTURAL 
MAY ( mail $ displayname ) 
X-ORIGIN 'Extending FreeIPA' ) 

What to use for ? 

Then I just 
ipa config-mod --addattr=ipaGroupObjectClasses=googleGroup 

Then groupmail.py 
from ipalib.plugins import group 
from ipalib.parameters import Str 
from ipalib import _ 

group.group.takes_params = group.group.takes_params + ( 
Str('mail?', 
cli_name='mail', 
label=_('mail'), 
), 
) 
group.group.default_attributes.append('mail') 

Then groupdisplayname.py 
from ipalib.plugins import group 
from ipalib.parameters import Str 
from ipalib import _ 


group.group.takes_params = group.group.takes_params + ( 
Str('displayname?', 
cli_name='displayname', 
label=_('displayname'), 
), 
) 
group.group.default_attributes.append('displayname') 

And finally update js somehow... 

Sándor Juhász 
System Administrator 
ChemAxon Ltd . 
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031 
Cell: +36704258964 


From: "Ludwig Krispenz"  
To: freeipa-users@redhat.com 
Sent: Wednesday, December 21, 2016 3:34:03 PM 
Subject: Re: [Freeipa-users] modify schema - add group email and display 
attribute 


On 12/21/2016 02:07 PM, Sandor Juhasz wrote: 



Hi, 

I would like to modify the schema to have group objects extended with email and 
display name attributes. 
The reason is that we are trying to sync our LDAP to our Google Apps. 

I don't know how much this doc 
http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf 
can be applied to groups. Neither did I find a supported attribute syntax for 
email; maybe 
PrintableString 1.3.6.1.4.1.1466.115.121.1.58   For values 
which contain strings containing alphabetic, numeral, and select punctuation 
characters (as defined in RFC 4517), 
but I am not sure if that could hold email addresses. 


Why don't you just use the mail attribute? Only define a new auxiliary 
objectclass allowing mail and displayname. 



It would be pretty to have it exposed via ipalib and js plugins as well. 
If someone could help me out on extending schema, i would be really happy. 

Sándor Juhász 
System Administrator 
ChemAxon Ltd . 
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031 
Cell: +36704258964 




-- 
Red Hat GmbH, http://www.de.redhat.com/ , Registered seat: Grasbrunn, 
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander 
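
Ludwig's suggestion, carried out as an added example (not FreeIPA or 389-ds code): an RFC 4512 objectclass-description parser plus a builder for the cn=schema ldapmodify that adds an AUXILIARY class allowing mail and displayName, with a check that flags the STRUCTURAL SUP groupofnames form above as something that cannot be added to groups that already exist. PLACEHOLDER-OID stands in for the OID the thread leaves blank.

```python
"""Build and sanity-check the schema extension Ludwig suggests: an AUXILIARY
objectclass that merely allows mail and displayName on existing group entries.

Added example, not FreeIPA or 389-ds code. PLACEHOLDER-OID stands for the
enterprise OID the thread leaves blank; allocate a real one before loading.
"""
import re

# RFC 4512 objectclass description tokens: quoted strings, brackets, '$', words.
_TOKEN_RE = re.compile(r"'[^']*'|[()$]|[^\s()$']+")


def parse_objectclass(definition):
    """Parse '( OID NAME ... )' into a dict; kind defaults to STRUCTURAL (RFC 4512)."""
    tokens = _TOKEN_RE.findall(definition)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("objectclass description must be parenthesised")
    tokens = tokens[1:-1]
    oc = {"oid": tokens[0], "name": None, "sup": [], "kind": "STRUCTURAL",
          "must": [], "may": [], "x-origin": None}
    i = 1

    def read_list():
        # Either a single token or a '( a $ b )' list; quotes are stripped.
        nonlocal i
        if tokens[i] == "(":
            end = tokens.index(")", i)
            items, i = [t for t in tokens[i + 1:end] if t != "$"], end + 1
        else:
            items, i = [tokens[i]], i + 1
        return [t.strip("'") for t in items]

    while i < len(tokens):
        key = tokens[i].upper()
        i += 1
        if key == "NAME":
            oc["name"] = read_list()[0]
        elif key == "DESC":
            oc["desc"] = read_list()[0]
        elif key == "SUP":
            oc["sup"] = read_list()
        elif key in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            oc["kind"] = key
        elif key == "MUST":
            oc["must"] = read_list()
        elif key == "MAY":
            oc["may"] = read_list()
        elif key == "X-ORIGIN":
            oc["x-origin"] = read_list()[0]
        elif key == "OBSOLETE":
            oc["obsolete"] = True
        else:
            raise ValueError(f"unexpected token {key!r}")
    return oc


def auxiliary_objectclass_ldif(oid, name, may, origin="Extending FreeIPA"):
    """ldapmodify input adding the class to cn=schema (389-ds keeps it in 99user.ldif)."""
    defn = f"( {oid} NAME '{name}' AUXILIARY MAY ( {' $ '.join(may)} ) X-ORIGIN '{origin}' )"
    return "\n".join(["dn: cn=schema", "changetype: modify",
                      "add: objectClasses", f"objectClasses: {defn}", ""])


def check_extension(definition):
    """Problems that would bite when the class is added to groups that already exist."""
    oc = parse_objectclass(definition)
    problems = []
    if oc["kind"] != "AUXILIARY":
        problems.append(f"kind is {oc['kind']}: LDAP forbids changing an existing entry's "
                        "structural class (RFC 4512 2.4.2); use AUXILIARY")
    if oc["must"]:
        problems.append(f"MUST {oc['must']}: existing groups lacking these attributes "
                        "would fail schema checking once the class is added")
    return problems


if __name__ == "__main__":
    print(auxiliary_objectclass_ldif("PLACEHOLDER-OID", "googleGroup", ["mail", "displayName"]))
```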


Re: [Freeipa-users] Asking for help with crashed freeIPA istance

2016-12-21 Thread Rob Crittenden
Daniel Schimpfoessl wrote:
> Thanks for getting back to me. 
> 
> getcert list | grep expires shows dates years in the future for all
> certificates
> [Inline image 1]
> 
> ipactl start --force
> 
> Eventually the system started with:
>  Forced start, ignoring pki-tomcatd Service, continuing normal
> operations.
> 
> systemctl status ipa shows: failed

I don't think this is a certificate problem at all. I think the timing
with your renewal is just coincidence.

Did you change your Directory Manager password at some point?

> 
> ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
> password -b "" -s base
> ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
> *** -b "" -s base
> [Inline image 2]

You need the -x flag to indicate simple bind.

rob

> The logs have thousands of lines like it, what am I looking for
> specifically?
> 
> Daniel
> 
> 
> 2016-12-20 4:18 GMT-06:00 Florence Blanc-Renaud  >:
> 
> On 12/19/2016 07:15 PM, Daniel Schimpfoessl wrote:
> 
> Good day and happy holidays,
> 
> I have been running a freeIPA instance for a few years and been very
> happy. Recently the certificate expired and I updated it using the
> documented methods. At first all seemed fine. Added a Nagios
> monitor for
> the certificate expiration and restarted the server (single
> server). I
> have weekly snapshots, daily backups (using Amanda on the entire
> disk).
> 
> One day the services relying on IPA failed to authenticate.
> Looking at
> the server the ipa service had stopped. Restarting the service
> fails.
> Restoring a few weeks old snapshot does not start either.
> Resetting the
> date to a few month back does not work either as httpd fails to
> start .
> 
> I am at a loss.
> 
> Here a few details:
> # ipa --version
> VERSION: 4.4.0, API_VERSION: 2.213
> 
> 
> # /usr/sbin/ipactl start
> ...
> out -> Failed to start pki-tomcatd Service
> /var/log/pki/pki-tomcat/ca/debug -> Could not connect to LDAP server
> host ipa.myorg.com  
> port 636 Error
> netscape.ldap.LDAPException: Authentication failed (48)
> 2016-12-19T03:02:16Z DEBUG The CA status is: check interrupted
> due to
> error: Retrieving CA status failed with status 500
> 
> Any help would be appreciated as all connected services are now
> down.
> 
> Thanks,
> 
> Daniel
> 
> 
> 
> 
> Hi Daniel,
> 
> more information would be required to understand what is going on.
> First of all, which certificate did you renew? Can you check with
> $ getcert list
> if other certificates also expired?
> 
> PKI fails to start and the error seems linked to the SSL connection
> with the LDAP server. You may want to check if the LDAP server is
> listening on the LDAPs port:
> - start the stack with
> $ ipactl start --force
> - check the LDAPs port with
> $ ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
> password -b "" -s base
> 
> The communication between PKI and the LDAP server is authenticated
> with the certificate 'subsystemCert cert-pki-ca' located in
> /etc/pki/pki-tomcat/alias, so you may also want to check if it is
> still valid.
> The directory server access logs (in
> /var/log/dirsrv/slapd-DOMAIN-COM/access) would also show the
> connection with logs similar to:
> 
> [...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to
> 10.34.58.150
> [...] conn=47 TLS1.2 128-bit AES; client CN=CA
> Subsystem,O=DOMAIN.COM ; issuer CN=Certificate
> Authority,O=DOMAIN.COM 
> [...] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
> [...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
> [...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0
> dn="uid=pkidbuser,ou=people,o=ipaca"
> 
> 
> 
> HTH,
> Flo
> 
> 
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
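Flo's reply above describes what the directory server access log should show when PKI connects: an SSL connection, the client certificate subject, a "client bound as" mapping, and a SASL EXTERNAL BIND whose RESULT carries err=0. The following is an added example, not code from the thread or from FreeIPA/389-ds: it groups 389-ds access log lines by conn= and reports the outcome of every EXTERNAL bind, so a certificate bind that fails (as with the "Authentication failed (48)" Daniel reported) stands out. The sample lines are constructed after the ones Flo quoted, with conn=48 as a constructed failure.

```python
import re
from collections import defaultdict

# Constructed sample in the 389-ds access log format Flo quoted: conn=47 is the
# healthy PKI connection (client cert mapped, SASL EXTERNAL bind succeeds), conn=48
# a constructed failure where a cert is presented, no "client bound as" line
# appears and the bind returns err=48. IPs and DNs are examples, not real hosts.
SAMPLE_LOG = """\
[21/Dec/2016:09:39:02.124 -0500] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
[21/Dec/2016:09:39:02.125 -0500] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[21/Dec/2016:09:39:02.126 -0500] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[21/Dec/2016:09:39:02.127 -0500] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[21/Dec/2016:09:39:02.128 -0500] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[21/Dec/2016:09:39:05.001 -0500] conn=48 fd=85 slot=85 SSL connection from 10.34.58.150 to 10.34.58.150
[21/Dec/2016:09:39:05.002 -0500] conn=48 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[21/Dec/2016:09:39:05.003 -0500] conn=48 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[21/Dec/2016:09:39:05.004 -0500] conn=48 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""

CONN_RE = re.compile(r"\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<kind>BIND|RESULT) (?P<rest>.*)$")
# Standard LDAP result codes (RFC 4511) for the values that matter here.
ERR_NAMES = {0: "success", 48: "inappropriateAuthentication", 49: "invalidCredentials"}

def parse_access_log(text):
    """Group lines by conn=, keeping the TLS facts and the result of each BIND."""
    conns = defaultdict(lambda: {"ssl": False, "client_cert": None,
                                 "bound_as": None, "binds": {}})
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        info, rest = conns[m.group("conn")], m.group("rest")
        if "SSL connection from" in rest:
            info["ssl"] = True
        elif rest.startswith("TLS") and "client bound as " in rest:
            # the server mapped the client certificate to an LDAP identity
            info["bound_as"] = rest.split("client bound as ", 1)[1].strip()
        elif rest.startswith("TLS") and "; client " in rest:
            # subject of the client certificate presented in the handshake
            info["client_cert"] = rest.split("; client ", 1)[1].split("; issuer", 1)[0].strip()
        else:
            om = OP_RE.match(rest)
            if not om:
                continue
            op, detail = om.group("op"), om.group("rest")
            if om.group("kind") == "BIND":
                method = re.search(r"method=(\S+)", detail)
                mech = re.search(r"mech=(\S+)", detail)
                info["binds"][op] = {"method": method.group(1) if method else None,
                                     "mech": mech.group(1) if mech else None, "err": None}
            elif op in info["binds"]:  # RESULT for a BIND we saw on this connection
                err = re.search(r"err=(\d+)", detail)
                info["binds"][op]["err"] = int(err.group(1)) if err else None
    return dict(conns)

def audit_external_binds(conns):
    """One finding per SASL EXTERNAL (certificate) bind, ordered by connection."""
    findings = []
    for conn, info in sorted(conns.items(), key=lambda kv: int(kv[0])):
        for op, b in sorted(info["binds"].items(), key=lambda kv: int(kv[0])):
            if b["mech"] != "EXTERNAL":
                continue
            findings.append({"conn": conn, "op": op, "ssl": info["ssl"],
                             "client_cert": info["client_cert"],
                             "bound_as": info["bound_as"], "err": b["err"],
                             "ok": b["err"] == 0,
                             "result": ERR_NAMES.get(b["err"], "err=%s" % b["err"])})
    return findings

if __name__ == "__main__":
    for f in audit_external_binds(parse_access_log(SAMPLE_LOG)):
        print("OK  " if f["ok"] else "FAIL", "conn=%s cert=%r bound_as=%r result=%s"
              % (f["conn"], f["client_cert"], f["bound_as"], f["result"]))
```

Feed parse_access_log the contents of /var/log/dirsrv/slapd-DOMAIN-COM/access (the path Flo names) and look for findings with ok False: a presented certificate with no bound_as and a non-zero err is the failing case to chase.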


Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Brian J. Murrell
On Wed, 2016-12-21 at 15:04 +0100, Petr Spacek wrote:
> 
> I'm really curious what you will find out :-)

It seems to be like this, over and over again:

[21/Dec/2016:09:39:02.124732240 -0500] conn=77025 fd=107 slot=107 connection 
from 10.75.22.1 to 10.75.22.247
[21/Dec/2016:09:39:02.125630906 -0500] conn=77025 op=0 SRCH base="" scope=0 
filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl 
supportedExtension supportedFeatures supportedLDAPVersion 
supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext 
lastusn highestcommittedusn aci"
[21/Dec/2016:09:39:02.131312941 -0500] conn=77025 op=0 RESULT err=0 tag=101 
nentries=1 etime=0
[21/Dec/2016:09:39:02.138517633 -0500] conn=75097 op=14926 SRCH 
base="dc=example,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/pc.example@example.com)(krbPrincipalName:caseIgnoreIA5Match:=host/pc.example@example.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[21/Dec/2016:09:39:02.140094769 -0500] conn=75097 op=14926 RESULT err=0 tag=101 
nentries=1 etime=0
[21/Dec/2016:09:39:02.140571682 -0500] conn=75097 op=14927 SRCH 
base="cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[21/Dec/2016:09:39:02.140877517 -0500] conn=75097 op=14927 RESULT err=0 tag=101 
nentries=1 etime=0
[21/Dec/2016:09:39:02.141169433 -0500] conn=75097 op=14928 SRCH 
base="dc=example,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/example@example.com)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/example@example.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[21/Dec/2016:09:39:02.142218937 -0500] conn=75097 op=14928 RESULT err=0 tag=101 
nentries=1 etime=0
[21/Dec/2016:09:39:02.142565212 -0500] conn=75097 op=14929 SRCH 
base="cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" scope=0 
filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars 
krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval 
krbPwdLockoutDuration"
[21/Dec/2016:09:39:02.143021565 -0500] conn=75097 op=14929 RESULT err=0 tag=101 
nentries=1 etime=0
[21/Dec/2016:09:39:02.145295331 -0500] conn=75097 op=14930 SRCH 
base="dc=example,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/pc.example@example.com)(krbPrincipalName:caseIgnoreIA5Match:=host/pc.example@example.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[21/Dec/2016:09:39:02.146427034 -0500] conn=75097 op=14930 RESULT err=0 tag=101 
nentries=1 etime=0
[21/Dec/2016:09:39:02.146896867 -0500] conn=75097 op=14931 SRCH 
base="cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[21/Dec/2016:09:39:02.147152183 -0500] conn=75097 op=14931 RESULT err=0 tag=101 
nentries=1 etime=0
[21/Dec/2016:09:39:02.147429299 -0500] conn=75097 op=14932 SRCH 
base="dc=example,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/example@example.com)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/example@example.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 

[Freeipa-users] Failed to promote ipa client to ipa replica

2016-12-21 Thread fay wang
Hi, I have no luck in promoting ipa client to ipa replica. In my replica
system where ipa client is installed:

certutil -L -d /etc/dirsrv/slapd-

does not have Server-Cert.

Please help!

Thanks,
fay

[Freeipa-users] IPA Services

2016-12-21 Thread Callum Guy
Hi All,

I am looking to find out all the services which FreeIPA has installed and
which must be up and running as part of normal operations. I am clear on
the various systems which have been installed on the master server (we run
no replicas) however I'm not sure what resource I should refer to in order
to improve my understanding.

To get started on this I have retrieved a list of running services using
"systemctl -t service".

Our installation is working pretty well and although we have been
experiencing the odd stability issue we had believed that this is due to
wider platform changes rather than any issues with the installation. In the
service list I am seeing lots of duplicate and failed services and it is
not clear how to interpret the output and whether this is to be expected?

The attached screenshot should explain my question.

Can anyone offer any guidance for the severity of this issue? The most
pressing question is how/why we have multiple 389 instances for various
casings of our domain. The other issue is the large number of OTP service
daemons - is that an issue?!

Thanks in advance,

Callum


Re: [Freeipa-users] modify schema - add group email and display attribute

2016-12-21 Thread Ludwig Krispenz


On 12/21/2016 02:07 PM, Sandor Juhasz wrote:

Hi,

I would like to modify the schema to have group objects extended with 
email and display name attributes.

The reason is that we are trying to sync our ldap to our google apps.

I don't know how much this 
doc http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
can be applied to groups. Neither did I find a supported attribute 
syntax for email; maybe
PrintableString (1.3.6.1.4.1.1466.115.121.1.58): for values which 
contain strings containing alphabetic, numeral, and select punctuation 
characters (as defined in RFC 4517),
but I am not sure if that could hold email addresses.
Why don't you just use the mail attribute? Only define a new auxiliary 
objectclass allowing mail and displayname.


It would be pretty to have it exposed via ipalib and js plugins as well.
If someone could help me out on extending the schema, I would be really happy.

Sándor Juhász
System Administrator
ChemAxon Ltd.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964





[Freeipa-users] modify schema - add group email and display attribute

2016-12-21 Thread Sandor Juhasz
Hi, 

I would like to modify the schema to have group objects extended with email and 
display name attributes. 
The reason is that we are trying to sync our ldap to our google apps. 

I don't know how much this doc 
http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf 
can be applied to groups. Neither did I find a supported attribute syntax for 
email; maybe PrintableString (1.3.6.1.4.1.1466.115.121.1.58): for values 
which contain strings containing alphabetic, numeral, and select punctuation 
characters (as defined in RFC 4517), 
but I am not sure if that could hold email addresses. 

It would be pretty to have it exposed via ipalib and js plugins as well. 
If someone could help me out on extending the schema, I would be really happy. 

Sándor Juhász 
System Administrator 
ChemAxon Ltd . 
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031 
Cell: +36704258964 

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Brian J. Murrell
On Wed, 2016-12-21 at 08:24 +0100, Petr Spacek wrote:
> 
> You can try to add line
> KRB5_TRACE=/dev/stdout
> to
> /etc/sysconfig/ipa-dnskeysyncd

[27472] 1482320667.240500: Retrieving 
ipa-dnskeysyncd/server.example@example.com from 
FILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab (vno 0, enctype 0) with result: 
0/Success
[27472] 1482320667.240567: Getting initial credentials for 
ipa-dnskeysyncd/server.example@example.com
[27472] 1482320667.241542: Looked up etypes in keytab: aes256-cts, aes128-cts, 
des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[27472] 1482320667.241619: Sending request (207 bytes) to EXAMPLE.COM
[27472] 1482320667.241952: Resolving hostname server.example.com
[27472] 1482320667.242781: Initiating TCP connection to stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.243067: Sending TCP request to stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.248018: Received answer (336 bytes) from stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.248054: Terminating TCP connection to stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.248215: Response was from master KDC
[27472] 1482320667.248250: Received error from KDC: -1765328359/Additional 
pre-authentication required
[27472] 1482320667.248304: Processing preauth types: 136, 19, 2, 133
[27472] 1482320667.248317: Selected etype info: etype aes256-cts, salt 
"EXAMPLE.COMipa-dnskeysyncdserver.example.com", params ""
[27472] 1482320667.248327: Received cookie: MIT
[27472] 1482320667.248400: Retrieving 
ipa-dnskeysyncd/server.example@example.com from 
FILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab (vno 0, enctype aes256-cts) with 
result: 0/Success
[27472] 1482320667.248424: AS key obtained for encrypted timestamp: 
aes256-cts/BCCF
[27472] 1482320667.248498: Encrypted timestamp (for 1482320667.247961): plain 
[redacted], encrypted [redacted]
[27472] 1482320667.248512: Preauth module encrypted_timestamp (2) (real) 
returned: 0/Success
[27472] 1482320667.248520: Produced preauth for next request: 133, 2
[27472] 1482320667.248540: Sending request (302 bytes) to EXAMPLE.COM
[27472] 1482320667.248561: Resolving hostname server.example.com
[27472] 1482320667.248841: Initiating TCP connection to stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.249050: Sending TCP request to stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.512953: Received answer (837 bytes) from stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.512974: Terminating TCP connection to stream 
fd31:aeb1:48df:0:214:d1ff:fe13:45ac:88
[27472] 1482320667.513076: Response was from master KDC
[27472] 1482320667.513117: Processing preauth types: 19
[27472] 1482320667.513131: Selected etype info: etype aes256-cts, salt 
"EXAMPLE.COMipa-dnskeysyncdserver.example.com", params ""
[27472] 1482320667.513143: Produced preauth for next request: (empty)
[27472] 1482320667.513159: AS key determined by preauth: aes256-cts/BCCF
[27472] 1482320667.513244: Decrypted AS reply; session key is: aes256-cts/BD92
[27472] 1482320667.513271: FAST negotiation: available
[27472] 1482320667.513297: Initializing FILE:/tmp/ipa-dnskeysyncd.ccache with 
default princ ipa-dnskeysyncd/server.example@example.com
[27472] 1482320667.513881: Storing 
ipa-dnskeysyncd/server.example@example.com -> 
krbtgt/example@example.com in FILE:/tmp/ipa-dnskeysyncd.ccache
[27472] 1482320667.513974: Storing config in FILE:/tmp/ipa-dnskeysyncd.ccache 
for krbtgt/example@example.com: fast_avail: yes
[27472] 1482320667.514022: Storing 
ipa-dnskeysyncd/server.example@example.com -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF: 
in FILE:/tmp/ipa-dnskeysyncd.ccache
[27472] 1482320667.514065: Storing config in FILE:/tmp/ipa-dnskeysyncd.ccache 
for krbtgt/example@example.com: pa_type: 2
[27472] 1482320667.514102: Storing 
ipa-dnskeysyncd/server.example@example.com -> 
krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF: in 
FILE:/tmp/ipa-dnskeysyncd.ccache
[27472] 1482320667.514181: Storing config in FILE:/tmp/ipa-dnskeysyncd.ccache 
for : refresh_time: 1482363867
[27472] 1482320667.514220: Storing 
ipa-dnskeysyncd/server.example@example.com -> 
krb5_ccache_conf_data/refresh_time@X-CACHECONF: in 
FILE:/tmp/ipa-dnskeysyncd.ccache
[27472] 1482320667.619828: ccselect module realm chose cache 
FILE:/tmp/ipa-dnskeysyncd.ccache with client principal 
ipa-dnskeysyncd/server.example@example.com for server principal 
ldap/server.example@example.com
[27472] 1482320667.692119: Getting credentials 
ipa-dnskeysyncd/server.example@example.com -> 
ldap/server.example@example.com using ccache 
FILE:/tmp/ipa-dnskeysyncd.ccache
[27472] 1482320667.692241: Retrieving 
ipa-dnskeysyncd/server.example@example.com -> 
ldap/server.example@example.com from FILE:/tmp/ipa-dnskeysyncd.ccache with 
result: -1765328243/Matching credential not found 

Re: [Freeipa-users] freeipa 4.1 replication conflict resolve issue

2016-12-21 Thread Ludwig Krispenz


On 12/21/2016 05:11 AM, Ian Chen wrote:

hello list,

I tried to search for an answer, but no solution has come up yet. Please help.

the setup with multiple nodes has IPA version:
ipa-server-4.1.0-18.el7.centos.4.x86_64


after adding a replication with an old node, a replication conflict occurred.

 node104
dn: nsuniqueid=5820a804-af9211e6-bbce8d9c-0794b841+uid=test2,cn=users,cn=accounts,dc=...
uid: test2
nsds5ReplConflict: namingConflict uid=test2,cn=users,cn=accounts,dc=...
krbPrincipalName: test2@...
krbLastPwdChange: 20161220054653Z
krbPasswordExpiration: 20170320054653Z
ipaUniqueID: 606b2260-af92-11e6-a928-0050568faf9d


 node203
dn: uid=test2,cn=users,cn=accounts,dc=...
uid: test2
krbPrincipalName: test2@...
krbLastPwdChange: 20161220054653Z
krbPasswordExpiration: 20170320054653Z
ipaUniqueID: 606b2260-af92-11e6-a928-0050568faf9d


I tried rename RDN following this
https://mkosek.fedorapeople.org/publican_site/en-US/FreeIPA/3.4/html/FreeIPA_Guide/ipa-replica-manage.html

but when trying to delete uid, then change RDN back to uid, there is 
this error


modifying entry "cn=TempValue,cn=users,cn=accounts,dc=..."
ldap_modify: Object class violation (65)
additional info: missing attribute "uid" required by object class 
"posixAccount"


I cannot delete object class posixAccount then add it back
I cannot see which commands you really tried to execute and failed, so 
could you provide the full log of what you did if you want to follow the 
steps in the IPA doc.


But I do not think that you need to go through the MOD/MODRDN/... sequence 
if you do not want to keep both entries. If a conflict arises, one entry 
keeps the original dn, the other gets a dn with "nsuniqueid=+..." and 
the nsds5ReplConflict attribute. You can check the entries and in most 
cases you just want to keep the "original" and just delete the conflict 
entry.





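Ludwig's advice above (compare the conflict entry with the one that kept the original dn, and in most cases just delete the conflict) can be turned into a pre-deletion check. This is an added example, not code from the thread or from 389-ds/FreeIPA: it reads an LDIF export, pairs each entry carrying nsds5ReplConflict with the dn named in that attribute, and reports whether the two differ in any attribute. The dc=example,dc=com suffix, the mail values and the test3 pair are constructed; the test2 pair follows the entries Ian quoted.

```python
import re

# Constructed LDIF modelled on the two entries quoted above (the conflict entry
# from node104, the original from node203), with the elided "dc=..." replaced by
# a constructed dc=example,dc=com. The test3 pair is constructed to show the case
# where the two entries differ and a plain delete would lose data.
SAMPLE_LDIF = """\
dn: nsuniqueid=5820a804-af9211e6-bbce8d9c-0794b841+uid=test2,cn=users,cn=accounts,dc=example,dc=com
uid: test2
nsds5ReplConflict: namingConflict uid=test2,cn=users,cn=accounts,dc=example,dc=com
krbPrincipalName: test2@EXAMPLE.COM
ipaUniqueID: 606b2260-af92-11e6-a928-0050568faf9d

dn: uid=test2,cn=users,cn=accounts,dc=example,dc=com
uid: test2
krbPrincipalName: test2@EXAMPLE.COM
ipaUniqueID: 606b2260-af92-11e6-a928-0050568faf9d

dn: nsuniqueid=0123abcd-0123abcd-0123abcd-0123abcd+uid=test3,cn=users,cn=accounts,dc=example,dc=com
uid: test3
nsds5ReplConflict: namingConflict uid=test3,cn=users,cn=accounts,dc=example,dc=com
mail: test3.changed@example.com
ipaUniqueID: 0123abcd-0123-abcd-0123-abcd0123abcd

dn: uid=test3,cn=users,cn=accounts,dc=example,dc=com
uid: test3
mail: test3@example.com
ipaUniqueID: fedc9876-fedc-9876-fedc-9876fedc9876
"""

# Attributes that differ by construction between a conflict entry and its original.
IGNORED = {"dn", "nsds5replconflict", "nsuniqueid"}

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, folded lines start with a space."""
    entries, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # folded line continues the previous value
        elif raw.strip() == "":
            if current:
                entries.append(_to_entry(current))
                current = []
        elif not raw.startswith("#"):
            current.append(raw)
    return entries

def _to_entry(lines):
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def find_conflicts(entries):
    """Pair each nsds5ReplConflict entry with its original and diff their attributes."""
    by_dn = {e["dn"][0].lower(): e for e in entries}
    report = []
    for e in entries:
        if "nsds5replconflict" not in e:
            continue
        m = re.match(r"namingConflict\s+(.+)$", e["nsds5replconflict"][0])
        original_dn = m.group(1).strip() if m else None
        original = by_dn.get(original_dn.lower()) if original_dn else None
        diff = {}
        if original is not None:
            for attr in (set(e) | set(original)) - IGNORED:
                mine, theirs = sorted(e.get(attr, [])), sorted(original.get(attr, []))
                if mine != theirs:
                    diff[attr] = (mine, theirs)
        report.append({"conflict_dn": e["dn"][0], "original_dn": original_dn,
                       "original_present": original is not None,
                       "differences": diff,
                       # identical content: keeping the original loses nothing
                       "safe_to_delete": original is not None and not diff})
    return report
```

Run it over an ldapsearch export of the suffix (the nsds5ReplConflict attribute is operational, so request it explicitly) and only delete entries the report marks safe_to_delete; the rest need the attribute differences merged by hand first.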

[Freeipa-users] [PTO] 2016-12-21 -- 2017-01-02

2016-12-21 Thread Martin Basti

Merry Christmas and Happy New Year 2017


Martin



Re: [Freeipa-users] FreeIPA User Authorization Guidelines Required

2016-12-21 Thread nirajkumar.singh
Hi Petr,

Is there any way to automatically create .PPK and Public ssh key for new users 
created?


Thanks,
Niraj Kumar

-Original Message-
From: Petr Vobornik [mailto:pvobo...@redhat.com]
Sent: 20 December 2016 16:40
To: Singh, NirajKumar ; freeipa-users@redhat.com
Cc: Morikawa, Hirofumi 
Subject: Re: [Freeipa-users] FreeIPA User Authorization Guidelines Required

On 12/20/2016 10:58 AM, nirajkumar.si...@accenture.com wrote:
> Hi FreeIPA Team,
>
> We have performed installation of FreeIPA Master Server and Client
> Server. We are successful with user creation with home directory and sudo 
> configuration.
>
> Regarding Authentication we have some questions:
>
> 1.Can we implement authorized key authentication for these servers. Is
> there any way in FreeIPA we can automate the ppk key generation for each 
> individual user?

FreeIPA/IdM supports central management of public SSH keys:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/user-keys.html

>
> 2.If Not Automated key generation what are the possible ways for more
> secured authentication other than password authentication?

It supports Two Factor Authentication via integrated OTP support or third party 
RADIUS server:

OTP:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/otp.html

RADIUS proxy:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/otp.html#migrating-proprietary-otp

>
> Thanks and Regards,
>
> Niraj Kumar Singh
>
> Mobile: +91-9663212985
>
> Email: nirajkumar.si...@accenture.com


--
Petr Vobornik


