[Freeipa-users] Unable to sudo with just one user on only a few servers

2016-12-30 Thread pgb205
I have followed the troubleshooting procedure outlined here: Troubleshooting - FreeIPA

Additionally I have compared the following files with a working server:
/etc/hosts, /etc/resolv.conf, /etc/sudo-ldap.conf, /etc/krb5.conf,
/etc/sssd.conf, /etc/nsswitch.conf. All are identical other than
host-specific information.
In addition I have also enabled debug_level in sssd.conf in all stanzas, but
noticed that the sudo log is not being generated. I can however provide other
logs. I have also enabled sudo_debug=2 in /etc/sudo-ldap.conf but am not sure
where to look for that log file.
A and PTR records exist for the problematic servers in FreeIPA DNS.
As mentioned above the user-id can ssh just fine but not sudo for any command,
even though that id should be able to do ANY ANY.
I have checked that the user-id is in the correct sudo groups that are applied
for the host-groups for the broken servers.
To add to the oddity we somehow managed to fix the problem on several servers,
but as it was a lot of blind trial and error we are not sure what the
corrective steps actually were.
Please let me know what else I can/should take a look at. I can also provide
logs if needed.
thanks
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
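The symptoms in the post above (ssh works, every sudo attempt is refused, and no sssd_sudo.log appears even with debug_level set) are what a FreeIPA client shows when sudo never reaches SSSD's sudo responder. The script below is an added example, not FreeIPA or SSSD code: it checks the two configuration lines that control that path and the log file that proves the responder ran. It assumes the default file locations and the SSSD behaviour of the RHEL 7 era, where a responder that is not listed in the [sssd] services line is never started.

```shell
#!/bin/sh
# Added example, not FreeIPA or SSSD code: static checks for the two
# configuration lines that most often give exactly the symptom above (ssh
# works, every sudo attempt is refused, no sssd_sudo.log is written).
# Each function takes a file path so it can be run against a copy pulled
# from a broken host; the defaults are the live files.

# 1. /etc/nsswitch.conf must list the sss source for sudoers, or sudo never
#    asks SSSD for rules.  Returns 0 when "sss" is present on that line
#    (comments are stripped first, so a commented-out line does not count).
check_nsswitch_sudoers() {
    sed 's/#.*//' "${1:-/etc/nsswitch.conf}" | awk '
        $1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit !found }'
}

# 2. The sudo responder must be listed in the [sssd] services line, or no
#    sssd_sudo process starts (and no sssd_sudo.log appears, whatever
#    debug_level is set to).  Returns 0 when "sudo" is in that list; only
#    the [sssd] section is consulted, so a [sudo] section does not fool it.
check_sssd_sudo_service() {
    awk -F= '
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/); next }
        in_sssd && $1 ~ /^[[:space:]]*services[[:space:]]*$/ {
            n = split($2, svc, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
        }
        END { exit !found }' "${1:-/etc/sssd/sssd.conf}"
}

# 3. Evidence that the responder actually ran: its log file exists.
check_sudo_responder_log() {
    [ -f "${1:-/var/log/sssd}/sssd_sudo.log" ]
}

# Run all three against the live host when invoked with --live; prints one
# line per failed check and exits non-zero if any failed.
if [ "${1:-}" = "--live" ]; then
    rc=0
    check_nsswitch_sudoers   || { echo "nsswitch.conf: sudoers line lacks sss"; rc=1; }
    check_sssd_sudo_service  || { echo "sssd.conf: sudo missing from [sssd] services"; rc=1; }
    check_sudo_responder_log || { echo "no sssd_sudo.log: responder never started"; rc=1; }
    exit $rc
fi
```

Run it with --live on a broken host and on a working one and compare the output. The debug setting in /etc/sudo-ldap.conf is only consulted when ldap is on the sudoers line of nsswitch.conf; with files sss the log to read is /var/log/sssd/sssd_sudo.log. After a fix, sss_cache -E (or a restart of sssd) followed by sudo -l as the affected user is the quickest confirmation.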

[Freeipa-users] DNS wildcards record for domain

2016-12-30 Thread Outback Dingo
a bit at a loss here, what's the proper way to add a DNS wildcard for a
domain name to resolve to www.acmewidgets.com if someone types just the
domain acmewidgets.com in a browser?



Re: [Freeipa-users] Authentication Pop-up appearing for IPA WebUI

2016-12-30 Thread Tomasz Torcz
On Fri, Dec 30, 2016 at 10:19:30PM +0530, Abhinay Reddy Peddireddy wrote:
> Hi,
> 
> Yes. It is fine with Firefox. But not with chrome.
> 
> However customer is expecting the same on Chrome also.
> 
> Any modifications can be done to avoid the pop-up ?


  See https://fedorahosted.org/freeipa/ticket/5614 and
https://github.com/modauthgssapi/mod_auth_gssapi/pull/65 ,
setting "GssapiNegotiateOnce" looks relevant.

-- 
Tomasz Torcz                   Morality must always be based on practicality.
xmpp: zdzich...@chrome.pl                        -- Baron Vladimir Harkonnen

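The directive Tomasz points to, shown in context as an added example. This is not the Apache configuration FreeIPA ships: the Location path and the keytab path are assumptions, and the directive's behaviour is stated as documented for mod_auth_gssapi (verify it against the installed version, since the option comes from the linked pull request).

```apache
# Added example, not FreeIPA's own ipa.conf.  Location and keytab path are
# assumptions; take the real values from the installed configuration.
<Location "/ipa">
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
    # Send the Negotiate challenge only once.  After a client's Negotiate
    # attempt has failed, the module does not repeat the challenge, so a
    # browser that cannot obtain a ticket is not pushed into its credential
    # dialog on every request (behaviour as documented for the module).
    GssapiNegotiateOnce On
    Require valid-user
</Location>
```

Marc's caveat applies: FreeIPA manages its Apache configuration and rewrites it on upgrade, so a hand edit has to be re-applied after each update. The option is meant to stop the repeated prompting; whether the browser's dialog disappears entirely, leaving the Web UI's own form login, depends on the browser.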

Re: [Freeipa-users] Authentication Pop-up appearing for IPA WebUI

2016-12-30 Thread Marc Boorshtein
Not in Chrome. If you don't want Kerberos at all for the console you could
try disabling it in Apache, but that will break with every update to IPA.

On Fri, Dec 30, 2016, 11:49 AM Abhinay Reddy Peddireddy wrote:

> Hi,
>
> Yes. It is fine with Firefox. But not with chrome.
>
> However customer is expecting the same on Chrome also.
>
> Any modifications can be done to avoid the pop-up ?
>
> On Fri, Dec 30, 2016 at 10:05 PM, Marc Boorshtein <
> marc.boorsht...@tremolosecurity.com> wrote:
>
> It looks like you are using Chrome? We have a customer with a similar
> issue. Chrome doesn't follow the specs around Kerberos; if it receives a
> 401 it will generally prompt you even if you are not a member of a domain.
> My guess is if you try it with Firefox or IE you should be fine and not get
> the prompt.
>
> On Fri, Dec 30, 2016 at 10:52 AM Abhinay Reddy Peddireddy <
> apedd...@redhat.com> wrote:
>
> Hello Team,
>
> I have a customer testing IPA on RHEL 7.
>
> When he tries to access the WebUI, it prompts for the username and
> password as a pop-up as shown in the below attached image.
>
> This happens with Google Chrome and Internet Explorer only. But it appears
> normal in Firefox.
>
> Customer is expecting a normal authentication prompt. Is this something to
> be checked from the IPA end? I hope this has to be corrected or modified
> from the browser end.
>
> Any suggestions ?
>
> Thanks and Regards,
> Abhinay Reddy.
>
> --
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorsht...@tremolosecurity.com
> (703) 828-4902
> Twitter - @mlbiam / @tremolosecurity
>
>
> --
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
Twitter - @mlbiam / @tremolosecurity

Re: [Freeipa-users] Authentication Pop-up appearing for IPA WebUI

2016-12-30 Thread Abhinay Reddy Peddireddy
Hi,

Yes. It is fine with Firefox. But not with chrome.

However customer is expecting the same on Chrome also.

Any modifications can be done to avoid the pop-up ?

On Fri, Dec 30, 2016 at 10:05 PM, Marc Boorshtein <
marc.boorsht...@tremolosecurity.com> wrote:

> It looks like you are using Chrome? We have a customer with a similar
> issue. Chrome doesn't follow the specs around Kerberos; if it receives a
> 401 it will generally prompt you even if you are not a member of a domain.
> My guess is if you try it with Firefox or IE you should be fine and not get
> the prompt.
>
> On Fri, Dec 30, 2016 at 10:52 AM Abhinay Reddy Peddireddy <
> apedd...@redhat.com> wrote:
>
>> Hello Team,
>>
>> I have a customer testing IPA on RHEL 7.
>>
>> When he tries to access the WebUI, it prompts for the username and
>> password as a pop-up as shown in the below attached image.
>>
>> This happens with Google Chrome and Internet Explorer only. But it
>> appears normal in Firefox.
>>
>> Customer is expecting a normal authentication prompt. Is this something
>> to be checked from the IPA end? I hope this has to be corrected or
>> modified from the browser end.
>>
>> Any suggestions ?
>>
>> Thanks and Regards,
>> Abhinay Reddy.
>
> --
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorsht...@tremolosecurity.com
> (703) 828-4902
> Twitter - @mlbiam / @tremolosecurity
>

Re: [Freeipa-users] Authentication Pop-up appearing for IPA WebUI

2016-12-30 Thread Marc Boorshtein
It looks like you are using Chrome? We have a customer with a similar
issue. Chrome doesn't follow the specs around Kerberos; if it receives a
401 it will generally prompt you even if you are not a member of a domain.
My guess is if you try it with Firefox or IE you should be fine and not get
the prompt.

On Fri, Dec 30, 2016 at 10:52 AM Abhinay Reddy Peddireddy <
apedd...@redhat.com> wrote:

> Hello Team,
>
> I have a customer testing IPA on RHEL 7.
>
> When he tries to access the WebUI, it prompts for the username and
> password as a pop-up as shown in the below attached image.
>
> This happens with Google Chrome and Internet Explorer only. But it appears
> normal in Firefox.
>
> Customer is expecting a normal authentication prompt. Is this something to
> be checked from the IPA end? I hope this has to be corrected or modified
> from the browser end.
>
> Any suggestions ?
>
> Thanks and Regards,
> Abhinay Reddy.

-- 
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
Twitter - @mlbiam / @tremolosecurity

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-30 Thread Brian J. Murrell
[ Sent just to the list.  Hopefully Martin is on it. ]

On Thu, 2016-12-22 at 10:06 +0100, Martin Babinsky wrote:
> 
> Hi Brian,

Hi Martin,

> DS should use /etc/sysconfig/dirsrv to set its KRB5_KTNAME env
> variable 
> to /etc/dirsrv/ds.keytab.

Ah-ha!

This was the problem.  When I upgraded from 4.2 to 4.4 as part of my
CentOS upgrade I pulled up the config file changes (i.e. those usually
in .rpmnew file) because I like to keep the config files up-to-date
with the package.  But when I did so, the KRB5_KTNAME setting got
dropped.  :-(

> Can you please verify that /etc/sysconfig/dirsrv file exists and that
> it 
> contains the following lines?:
> 
> KRB5_CCNAME=/tmp/krb5cc_389

This is actually KRB5CCNAME in my config file.

> KRB5_KTNAME=/etc/dirsrv/ds.keytab
> 
> 
> If not, please add this line to the file, restart dirsrv and try IPA 
> commands again.

That worked.  Thanks so much!

Cheers,
b.

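Brian's cause, a KRB5_KTNAME line dropped while merging the .rpmnew copy of the sysconfig file, is easy to catch with a check of that file. The script below is an added example, not FreeIPA code. It assumes the values Martin quotes and uses the variable names MIT Kerberos actually reads: KRB5CCNAME for the credential cache (the spelling Brian has in his file) and KRB5_KTNAME for the keytab.

```shell
#!/bin/sh
# Added example, not FreeIPA code: verify the Kerberos environment that
# 389-ds is started with, so IPA services can authenticate to it.  Expected
# values are the ones from Martin's reply; variable names are the MIT
# Kerberos ones (KRB5CCNAME, KRB5_KTNAME).

# Print the uncommented value of KEY=VALUE in a sysconfig file, surrounding
# double quotes stripped; the last assignment wins, as it does for the shell
# that sources the file.
sysconfig_get() {
    sed -n 's/^[[:space:]]*'"$2"'=//p' "$1" | sed 's/^"\(.*\)"$/\1/' | tail -n 1
}

# Check that $1 (default /etc/sysconfig/dirsrv) sets both variables to the
# expected paths.  Prints each problem found and returns non-zero if any.
check_dirsrv_krb_env() {
    f=${1:-/etc/sysconfig/dirsrv}
    rc=0
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    kt=$(sysconfig_get "$f" KRB5_KTNAME)
    cc=$(sysconfig_get "$f" KRB5CCNAME)
    [ "$kt" = "/etc/dirsrv/ds.keytab" ] || { echo "KRB5_KTNAME is '$kt', expected /etc/dirsrv/ds.keytab"; rc=1; }
    [ "$cc" = "/tmp/krb5cc_389" ]      || { echo "KRB5CCNAME is '$cc', expected /tmp/krb5cc_389"; rc=1; }
    # A leftover .rpmnew means the package's copy was merged by hand (or not
    # at all); show the diff so a dropped line is visible.
    [ -f "$f.rpmnew" ] && { echo "note: $f.rpmnew exists; diff:"; diff "$f" "$f.rpmnew" || true; }
    return $rc
}

# Live check only: the keytab must hold this host's ldap/ principal.
check_keytab_has_ldap_principal() {
    kt=${1:-/etc/dirsrv/ds.keytab}
    command -v klist >/dev/null 2>&1 || { echo "klist not found"; return 2; }
    klist -kt "$kt" 2>/dev/null | grep -q ' ldap/'
}

# When run with a path, check that file; with no argument do nothing, so the
# functions can be sourced from another script.
if [ -n "${1:-}" ]; then
    check_dirsrv_krb_env "$1"
fi
```

Run it after every package update that touches 389-ds or FreeIPA, and before restarting dirsrv; the "Invalid credentials" in the subject line is what the directory server reports once it starts without the keytab.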

Re: [Freeipa-users] Broken dirsrv and SSL certificate in CA-less install of FreeIPA 4.4 on CentOS 7.3

2016-12-30 Thread Martin Basti

Hello,

The first half of the first issue is this bug: 
https://fedorahosted.org/freeipa/ticket/6226


You have to enable SSL on the server manually after installation.


The second half of the first issue shouldn't be related to the ticket above, 
but I don't know more details; I'll leave this for the IPA CA gurus.



The second issue is unrelated to certificates; I believe that something 
in dirsrv causes this unusual behavior. I have seen this before with other users.


* both "no such entry" errors, for the HTTP principal and for the topology 
plugin, are the same issue


* all users have this issue with CA-less installation, but it is not always 
reproducible; I'm not sure if there is a step in the CA-less install 
that can cause this


* the entries are in the database (they were added previously by the 
installer), but during installation the search failed with "no such entry"; 
ldapsearch after installation works


* in the access log SRCH is before the ADD operation, but this is against the 
steps in the installer: the entry is added first, and the installer failed hard, 
so there is no way to add it after the failure caused by the "not found" error.


[29/Dec/2016:10:33:02.775715491 +] conn=16 op=1 SRCH base="krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Dec/2016:10:33:02.775892719 +] conn=16 op=1 RESULT err=32 tag=101 nentries=0 etime=0


This caused the installation failure (IMO; there is no further SRCH operation for 
the HTTP principal in the log) ^^
..
[29/Dec/2016:10:33:05.487917960 +] conn=17 op=10 ADD dn="krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk"
[29/Dec/2016:10:33:05.492213776 +] conn=17 op=10 RESULT err=0 tag=105 nentries=0 etime=0 csn=5864e6530004
[29/Dec/2016:10:33:05.492372184 +] conn=17 op=11 MOD dn="krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk"
[29/Dec/2016:10:33:05.494649080 +] conn=17 op=11 RESULT err=0 tag=103 nentries=0 etime=0 csn=5864e65300010004
[29/Dec/2016:10:33:05.494816357 +] conn=17 op=12 MOD dn="krbprincipalname=HTTP/ipa01.pakos...@pakos.uk,cn=services,cn=accounts,dc=pakos,dc=uk"
These were added after the failure??? ^


I need a DS guru's assistance to resolve this :)
Martin^2

On 29.12.2016 19:13, Peter Pakos wrote:

Access log: https://files.pakos.uk/access.txt
Error log: https://files.pakos.uk/ipareplica-install.log.txt
I hope it helps.
On 29 December 2016 at 12:52, Peter Pakos wrote:


Hi guys,
I'm facing yet another problem with a CA-less install of a FreeIPA
replica and a 3rd party SSL certificate.
A few days ago I deployed a new CA-less server (ipa02) by running
the following command:

ipa-server-install \
  -r PAKOS.UK \
  -n pakos.uk \
  -p 'password' \
  -a 'password' \
  --mkhomedir \
  --setup-dns \
  --no-forwarders \
  --no-dnssec-validation \
  --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
  --dirsrv-pin='' \
  --http-cert-file=/root/ssl/star.pakos.uk.pfx \
  --http-pin='' \
  --http-cert-name=AlphaWildcardIPA \
  --idstart=1000

This server appears to be working OK.
Then yesterday I deployed a client (ipa01):

ipa-client-install \
  -p admin \
  -w 'password' \
  --mkhomedir

Next, I promoted it to IPA server:

ipa-replica-install \
  -w 'password' \
  --mkhomedir \
  --setup-dns \
  --no-forwarders \
  --no-dnssec-validation \
  --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
  --dirsrv-pin='' \
  --dirsrv-cert-name=AlphaWildcardIPA \
  --http-cert-file=/root/ssl/star.pakos.uk.pfx \
  --http-pin='' \
  --http-cert-name=AlphaWildcardIPA

After it finished, I've noticed that dirsrv wasn't running on port
636 on ipa01.
Further investigation revealed that the SSL wildcard certificate
(AlphaWildcardIPA) wasn't installed in dirsrv DB and CA
certificates were named oddly (CA 1 and CA 2):

[root@ipa01 ~]# certutil -L -d /etc/httpd/alias/
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI
AlphaWildcardIPA                                u,u,u
CA 1                                            ,,
CA 2                                            C,,

[root@ipa01 ~]# certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI
GlobalSign Root CA - GlobalSign nv-sa           ,,
AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa    C,,

This is what I found in the error log:

[29/Dec/2016:01:43:58.852745536 +] 389-Directory/1.3.5.10 B2016.341. starting up
[29/Dec/2016:01:43:58.867642515 +] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[29/Dec/2016:01:43:58.889866051 +] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[29/Dec/2016:01:43:58.905267535 +] NSACLPlugin - The ACL target