[Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-02 Thread Alan Latteri
I upgraded our FreeIPA server from CentOS 7.2 to 7.3, which also upgraded FreeIPA 
to 4.4.  On some clients they failed to re-authenticate post upgrade.  I then 
did an ipa-client-install --uninstall, and then tried re-joining to the IPA server with 
ipa-client-install --mkhomedir --force-ntpd --force-join.

Now I am getting the below error, and I have no idea how to recover.  Firewall 
is disabled.

Thanks,
Alan

User authorized to enroll computers: admin
Password for admin@XXX.LOCAL: 
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Included profile directory could not be 
read while initializing Kerberos 5 library 

Installation failed. Rolling back changes.
IPA client is not configured on this system.


[root@troll ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor 
preset: enabled)
   Active: inactive (dead)

Installed Packages
ipa-client.x86_64          4.4.0-14.el7.centos  @updates
ipa-client-common.noarch   4.4.0-14.el7.centos  @updates
ipa-common.noarch          4.4.0-14.el7.centos  @updates

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] how to make email as mandatory field before user creation

2017-01-02 Thread nirajkumar.singh
Hi Petr,

Can you please suggest how to do it with plugins, which plugin I need to use, 
and how to integrate that plugin with FreeIPA.

Thanks
Niraj

-Original Message-
From: Petr Vobornik [mailto:pvobo...@redhat.com]
Sent: 02 January 2017 22:21
To: Singh, NirajKumar ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] how to make email as mandatory field before user 
creation

On 01/02/2017 05:00 PM, nirajkumar.si...@accenture.com wrote:
> Hi Team,
>
> Is there any way to make email as mandatory field before creating any
> user from WEBUI or Console?
>
> Thanks & Regards,
>
> Niraj Kumar Singh
>

Hello Niraj,

FreeIPA doesn't support such configuration out of the box.

It is theoretically possible to implement IPA server side plugin to mark the 
field as required. It may not be straightforward though.

--
Petr Vobornik






Re: [Freeipa-users] Asking for help with crashed freeIPA istance

2017-01-02 Thread Daniel Schimpfoessl
Thanks for your reply.

This was the initial error I asked for help with a while ago, and it did not get
resolved. Further digging showed the recent errors.
The service was running (using ipactl start --force) and only after a
restart am I getting a stack trace for two primary messages:

Could not connect to LDAP server host wwgwho01.webwim.com port 636 Error
netscape.ldap.LDAPException: Authentication failed (48)
...

Internal Database Error encountered: Could not connect to LDAP server host
wwgwho01.webwim.com port 636 Error netscape.ldap.LDAPException:
Authentication failed (48)
...

and finally:
[02/Jan/2017:12:20:34][localhost-startStop-1]: CMSEngine.shutdown()


2017-01-02 3:45 GMT-06:00 Florence Blanc-Renaud :

> systemctl start pki-tomcatd@pki-tomcat.service

Re: [Freeipa-users] how to make email as mandatory field before user creation

2017-01-02 Thread Petr Vobornik
On 01/02/2017 06:21 PM, Matt . wrote:
> Doesn't get the user a default mailaddress when you add him under the
> REALM domain ?


By default a user gets an email address, but there are ways to skip it:

   ipa user-add test2 --first Test --last Test --email=
   ipa config-mod --emaildomain=


Btw, in the Web UI, the user adder dialog doesn't have an email field. To add it
there a Web UI plugin would be needed.

> 
> 2017-01-02 17:50 GMT+01:00 Petr Vobornik :
>> On 01/02/2017 05:00 PM, nirajkumar.si...@accenture.com wrote:
>>> Hi Team,
>>>
>>> Is there any way to make email as mandatory field before creating any user 
>>> from
>>> WEBUI or Console?
>>>
>>> Thanks & Regards,
>>>
>>> Niraj Kumar Singh
>>>
>>
>> Hello Niraj,
>>
>> FreeIPA doesn't support such configuration out of the box.
>>
>> It is theoretically possible to implement IPA server side plugin to mark
>> the field as required. It may not be straightforward though.
>>
>> --
>> Petr Vobornik
>>
> 


-- 
Petr Vobornik



Re: [Freeipa-users] modify schema - add group email and display attribute

2017-01-02 Thread Brian Candler

On 02/01/2017 11:53, Sandor Juhasz wrote:
I would be really happy if anybody could assign an OID for the new 
objectclass


You can get your own enterprise OID for free from here:

http://pen.iana.org/pen/PenApplication.page

Note that you only get one, so it's up to you to subdivide the space. 
For example: if you get 1.3.6.1.4.1.9, then you might decide to use:


1.3.6.1.4.1.9.1 = LDAP object classes
1.3.6.1.4.1.9.1.1 = myMailObjectClass
1.3.6.1.4.1.9.1.2 = someOtherObjectClass
1.3.6.1.4.1.9.2 = LDAP attributes
1.3.6.1.4.1.9.2.1 = mySpecialAttribute

then later you can assign under 1.3.6.1.4.1.9.3 for something else 
that needs OIDs (e.g. SNMP MIBs) and so on.




[Freeipa-users] Unspecified GSS failure. Minor code may provide more information KDC has no support for encryption type

2017-01-02 Thread tarak sinha
Hi Team,

I am getting the below error while trying to ssh to my host without a password.

Unspecified GSS failure. Minor code may provide more information KDC has no
support for encryption type

Thanks in advance

*Thanks,*

*Tarak Nath Sinha*

Re: [Freeipa-users] how to make email as mandatory field before user creation

2017-01-02 Thread Matt .
Doesn't the user get a default mail address when you add him under the
REALM domain?

2017-01-02 17:50 GMT+01:00 Petr Vobornik :
> On 01/02/2017 05:00 PM, nirajkumar.si...@accenture.com wrote:
>> Hi Team,
>>
>> Is there any way to make email as mandatory field before creating any user 
>> from
>> WEBUI or Console?
>>
>> Thanks & Regards,
>>
>> Niraj Kumar Singh
>>
>
> Hello Niraj,
>
> FreeIPA doesn't support such configuration out of the box.
>
> It is theoretically possible to implement IPA server side plugin to mark
> the field as required. It may not be straightforward though.
>
> --
> Petr Vobornik
>



Re: [Freeipa-users] how to make email as mandatory field before user creation

2017-01-02 Thread Petr Vobornik
On 01/02/2017 05:00 PM, nirajkumar.si...@accenture.com wrote:
> Hi Team,
> 
> Is there any way to make email as mandatory field before creating any user 
> from 
> WEBUI or Console?
> 
> Thanks & Regards,
> 
> Niraj Kumar Singh
> 

Hello Niraj,

FreeIPA doesn't support such configuration out of the box.

It is theoretically possible to implement IPA server side plugin to mark
the field as required. It may not be straightforward though.

-- 
Petr Vobornik



[Freeipa-users] how to make email as mandatory field before user creation

2017-01-02 Thread nirajkumar.singh
Hi Team,

Is there any way to make email a mandatory field before creating any user from 
the Web UI or console?


Thanks & Regards,
Niraj Kumar Singh
AWS & Oracle DB Team
Vodafone NewCo
Accenture Services Pvt. Ltd.
Voice: (+91)9663212985
Email: nirajkumar.si...@accenture.com





[Freeipa-users] Automate PPK file generation for newly created users.

2017-01-02 Thread nirajkumar.singh
Hi Team,

We have created master and client servers. We are able to create users and log in 
with a password. But our requirement is to generate a ppk file for each user, 
which should be used as the login credential for the user.

Question :


*   Is there any way to automate key (.ppk) generation for a user when the user is 
being created?

We don't want any manual effort in this process. Kindly suggest.


Thanks & Regards,
Niraj Kumar Singh
AWS & Oracle DB Team
Vodafone NewCo
Accenture Services Pvt. Ltd.
Voice: (+91)9663212985
Email: nirajkumar.si...@accenture.com







[Freeipa-users] Fwd: IPA Client not able to remove

2017-01-02 Thread tarak sinha
Hi Team,

Please give me some suggestion to fix the below issue..


-- Forwarded message --
From: tarak sinha 
Date: Mon, Jan 2, 2017 at 9:03 PM
Subject: Re: [Freeipa-users] IPA Client not able to remove
To: Rob Crittenden 


Thanks Rob for your suggestion...
I have another issue on my hosts. A few nodes are asking for a password rather
than authenticating with Kerberos.

Getting the below error (Unspecified GSS failure). The rest of the hosts are able
to login via the gssapi-with-mic method.


-snip--

debug1: Authentications that can continue: publickey,gssapi-with-mic,
password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
KDC has no support for encryption type

debug1: Unspecified GSS failure.  Minor code may provide more information
KDC has no support for encryption type

debug1: Unspecified GSS failure.  Minor code may provide more information


debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,
password
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /uhome/tsinha/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply

snip-

Please give me some advice on logging in to my linux nodes without any password.

Thanks,

Tarak

On Mon, Jan 2, 2017 at 7:28 AM, Rob Crittenden  wrote:

> tarak sinha wrote:
> > Hi FreeIPA Team,
> >
> >
> >
> > I am not able to remove the IPA client host entry from Web UI and
> > command line as well. While trying to add it’s showing “Host is already
> > exist”. Please give me some suggestion to get rid if this issue.
> >
> >
> >
> > #ipa host-del xxx.example.com  --updatedns
> >
> > ipa: ERROR: xxx.example.com : host not found
> >
> > #ipa host-show xxx.example.com 
> >
> > ipa: ERROR: xxx.example.com : host not found
>
> It sounds like it is a replication conflict entry. You can confirm by
> doing something like 'ipa host-find xxx.example.com --all' and look at
> the DN. If it has nsuniqueid in the DN then it is a conflict entry. See
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
> but given you want to remove it you can do so via ldapdelete.
>
> rob
>



-- 

*Thanks,*

*Tarak Nath Sinha*

*Mobile: **+91 8197522750*




Re: [Freeipa-users] modify schema - add group email and display attribute

2017-01-02 Thread Sandor Juhasz
I would be really happy if anybody could assign an OID for the new objectclass 
I want to use to store group mail and displayname attributes. 

Sándor Juhász 
System Administrator 
ChemAxon Ltd . 
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031 
Cell: +36704258964 


From: "Sandor Juhasz"  
To: "Ludwig Krispenz"  
Cc: freeipa-users@redhat.com 
Sent: Wednesday, December 21, 2016 4:39:32 PM 
Subject: Re: [Freeipa-users] modify schema - add group email and display 
attribute 

That would be perfect solution. 

How do i do it? 

ldapmodify: 
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 
 NAME 'googleGroup' SUP groupofnames
 STRUCTURAL
 MAY ( mail $ displayname )
 X-ORIGIN 'Extending FreeIPA' )

What to use for ? 

Then I just 
ipa config-mod --addattr=ipaGroupObjectClasses=googleGroup 

Then groupmail.py 
from ipalib.plugins import group
from ipalib.parameters import Str
from ipalib import _

# add an optional 'mail' parameter to the group object and return it by default
group.group.takes_params = group.group.takes_params + (
    Str('mail?',
        cli_name='mail',
        label=_('mail'),
    ),
)
group.group.default_attributes.append('mail')

Then groupdisplayname.py 
from ipalib.plugins import group
from ipalib.parameters import Str
from ipalib import _

# add an optional 'displayname' parameter to the group object and return it by default
group.group.takes_params = group.group.takes_params + (
    Str('displayname?',
        cli_name='displayname',
        label=_('displayname'),
    ),
)
group.group.default_attributes.append('displayname')

And finally update js somehow... 



From: "Ludwig Krispenz"  
To: freeipa-users@redhat.com 
Sent: Wednesday, December 21, 2016 3:34:03 PM 
Subject: Re: [Freeipa-users] modify schema - add group email and display 
attribute 


On 12/21/2016 02:07 PM, Sandor Juhasz wrote: 



Hi, 

I would like to modify the schema to have group objects extended with email and 
display name attributes. 
The reason is that we are trying to sync our ldap to our google apps. 

I don't know how much this doc 
http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf 
can be applied to groups. Neither did I find a supported attribute syntax for 
email, maybe 
PrintableString 1.3.6.1.4.1.1466.115.121.1.58   For values which contain strings 
containing alphabetic, numeral, and select punctuation characters (as defined in RFC 4517). 
but I am not sure if that could hold email addresses. 


Why don't you just use the mail attribute? Only define a new auxiliary 
objectclass allowing mail and displayname. 



It would be nice to have it exposed via ipalib and JS plugins as well. 
If someone could help me out on extending the schema, I would be really happy. 


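As an added example (not code from this thread or from FreeIPA), the following Python script applies Brian Candler's OID subdivision scheme from his reply above and Ludwig's suggestion of an auxiliary objectclass to produce the cn=schema LDIF that Sandor drafted. It assumes the illustrative PEN 1.3.6.1.4.1.9 from Brian's mail (not a real assignment for this project) and takes the objectclass name and X-ORIGIN string from Sandor's draft.

```python
"""Allocate OIDs under a private enterprise arc and emit cn=schema LDIF.

Scheme (from Brian's reply): PEN.1 = LDAP object classes, PEN.2 = LDAP
attributes, each child numbered from 1. The class is AUXILIARY and only
allows the existing mail and displayName attributes (Ludwig's advice).
"""
import re

# Dotted-decimal OID: arcs are non-negative integers without leading zeros.
OID_RE = re.compile(r"^(0|[1-9]\d*)(\.(0|[1-9]\d*))+$")
PEN_ROOT = "1.3.6.1.4.1."  # IANA private enterprise numbers live here


class EnterpriseArc:
    """Hands out unique OIDs as PEN.<branch>.<n> and remembers who got them."""

    BRANCHES = {"objectclass": 1, "attribute": 2}

    def __init__(self, pen):
        if not OID_RE.match(pen) or not pen.startswith(PEN_ROOT):
            raise ValueError("not a private enterprise OID: %r" % pen)
        self.pen = pen
        self.assigned = {}  # oid -> name, so a name is never registered twice
        self._next = {kind: 1 for kind in self.BRANCHES}

    def allocate(self, kind, name):
        """Return the next free OID on the branch for `kind`, registered to `name`."""
        branch = self.BRANCHES[kind]
        if name in self.assigned.values():
            raise ValueError("%s already has an OID" % name)
        oid = "%s.%d.%d" % (self.pen, branch, self._next[kind])
        self._next[kind] += 1
        self.assigned[oid] = name
        return oid

    def owns(self, oid):
        """True when `oid` lies under this enterprise arc (prefix by whole arcs)."""
        return oid == self.pen or oid.startswith(self.pen + ".")


def objectclass_ldif(oid, name, may, sup="top", kind="AUXILIARY",
                     origin="Extending FreeIPA"):
    """LDIF for ldapmodify that adds one object class to cn=schema (389-ds)."""
    definition = "( %s NAME '%s' SUP %s %s MAY ( %s ) X-ORIGIN '%s' )" % (
        oid, name, sup, kind, " $ ".join(may), origin)
    return "\n".join([
        "dn: cn=schema",
        "changetype: modify",
        "add: objectclasses",
        "objectclasses: " + definition,
        "",
    ])


def build_group_mail_schema(pen):
    """Worked instance for the thread: allocate the OID, return (oid, ldif)."""
    arc = EnterpriseArc(pen)
    oid = arc.allocate("objectclass", "googleGroup")
    return oid, objectclass_ldif(oid, "googleGroup", ["mail", "displayName"])


if __name__ == "__main__":
    # 1.3.6.1.4.1.9 is Brian's illustrative number, not a real assignment.
    oid, ldif = build_group_mail_schema("1.3.6.1.4.1.9")
    print(ldif)
    # then: ipa config-mod --addattr=ipaGroupObjectClasses=googleGroup
```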

Re: [Freeipa-users] section 2.3.6. Installing Without a CA - then how to update expired certificates in LDAP?

2017-01-02 Thread Florence Blanc-Renaud

On 12/24/2016 05:54 AM, Josh wrote:

I discussed this problem once before and got partial answers but I would
like to finally resolve it.

Scenario:

1. Install IPA without a CA, according to section 2.3.6 as of now in
latest RHEL7 Linux Domain Identity, Authentication and Policy Guide.
2. Install a client and note certificates it receives from IPA LDAP.
3. Near expiration term obtain a new set of certificates (server and
intermediate), note that intermediate certificate common name has changed.
4. Run "ipa-server-certinstall -d -w key cert" to update all
certificates. The command asks for the directory manager password, so I suppose it
should update its contents, but
5. Install another client and observe that it receives the original
certificates and no ipa command works.
6. ipa-certupdate, when run, pulls the original set from LDAP as if nothing
was updated.

Workaround is to manually install new intermediate certificate on all
systems /etc/ipa/nssdb by
certutil -d /etc/ipa/nssdb/ -A -n "StartCom Class 1 DV Server CA -
StartCom Ltd." -t C,, -i /tmp/1_Intermediate.crt

In LDAP under cn=certificates,cn=ipa,cn=etc,dc=example,dc=org I still
see previous version of intermediate certificate with a different common
name:
StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital
Certificate Signing,O=StartCom Ltd.,C=IL

Please help me replace it by any means.

Best Regards,
Josh.


Hi Josh,

As you write that "intermediate certificate common name has changed", I 
assume that the intermediate CA providing the new server certificates is 
different. In this case, the command ipa-cacert-manage install must be 
run to install the new intermediate CA *before* ipa-server-certinstall 
is run to install the new server certificates.


Please refer to Installing a CA Certificate Manually [1] or Using 3rd 
part certificates for HTTP/LDAP [2]. Do not forget to run ipa-certupdate 
on all the IPA servers/clients in order to install the new intermediate 
CA cert.


HTH,
Flo.

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/manual-cert-install.html

[2] http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP



Re: [Freeipa-users] Any good CLI methods for testing connectivity from IPA replica to remote AD servers?

2017-01-02 Thread Jakub Hrozek
On Wed, Dec 28, 2016 at 08:52:41AM -0500, Chris Dagdigian wrote:
> 
> Hi folks,
> 
> I may have network blocks between one of my IPA replicas and the *many*
> remote AD servers that need to be queried but I can only see evidence of
> this in the authentication failures and the debug level logging.
> 
> Not sure how to test from the command line to verify connectivity or narrow
> down which ports may be getting blocked.
> 
> Are there any common CLI techniques, ldaps:// search queries or other
> commands that could be run from an IPA replica to confirm basic
> communication with a remote AD controller?

1) kinit with the trust keytab. The exact principals depend on your IPA
and Windows realm names, in my test setup it is:

# ls /var/lib/sss/keytabs/
win.trust.test.keytab
# kinit -kt /var/lib/sss/keytabs/win.trust.test.keytab 'IPA$@WIN.TRUST.TEST'
(the principal is taken from the keytab, see
klist -k /var/lib/sss/keytabs/win.trust.test.keytab)

2) search the DC
# ldapsearch -Y GSSAPI -H ldap://dc.win.trust.test -b dc=win,dc=trust,dc=test -s base

btw at the moment it is not possible to set custom DCs to talk to. This
feature will come in the next version (sssd-1-15).

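An added example, not from Jakub's reply: a small Python check that probes the TCP ports an IPA replica needs on a domain controller before the kinit and ldapsearch steps above, so a blocked port shows up as a list instead of as authentication failures in the debug log. The port list is an assumption drawn from common AD trust requirements, and the DC, keytab and principal names are the ones from Jakub's test setup; adjust all of them for your environment.

```python
"""Probe TCP ports on an AD domain controller from an IPA replica."""
import shlex
import socket

# Assumed services an IPA trust agent commonly needs on a DC; tune per site.
AD_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB (trust setup)",
    464: "kpasswd",
    636: "LDAPS",
    3268: "Global Catalog",
    3269: "Global Catalog (TLS)",
}


def tcp_port_open(host, port, timeout=2.0):
    """True when a TCP connection to host:port completes, False otherwise.

    A refused connection and a timeout are both reported as False: the
    operator only needs to know whether the path is usable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(host, ports=AD_TCP_PORTS, timeout=2.0):
    """Probe every port in `ports` on `host`; return {port: reachable}."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports from a check_dc() result that were not reachable, sorted."""
    return sorted(p for p, ok in results.items() if not ok)


def verification_commands(keytab, principal, dc_host, base_dn):
    """The two commands from Jakub's reply (kinit with the trust keytab,
    then an LDAP base search over GSSAPI), shell-quoted for the operator."""
    return [
        "kinit -kt %s %s" % (shlex.quote(keytab), shlex.quote(principal)),
        "ldapsearch -Y GSSAPI -H ldap://%s -b %s -s base"
        % (shlex.quote(dc_host), shlex.quote(base_dn)),
    ]


def report(host, results):
    """Human-readable summary lines for a check_dc() result."""
    lines = []
    for port in sorted(results):
        state = "open" if results[port] else "BLOCKED/unreachable"
        label = AD_TCP_PORTS.get(port, "?")
        lines.append("%s:%d (%s): %s" % (host, port, label, state))
    return lines


if __name__ == "__main__":
    dc = "dc.win.trust.test"  # DC name from Jakub's test setup; replace it
    res = check_dc(dc)
    print("\n".join(report(dc, res)))
    if blocked_ports(res):
        print("Blocked ports:", blocked_ports(res))
    else:
        print("All ports reachable; now run:")
        for cmd in verification_commands(
                "/var/lib/sss/keytabs/win.trust.test.keytab",
                "IPA$@WIN.TRUST.TEST", dc, "dc=win,dc=trust,dc=test"):
            print("  " + cmd)
```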


Re: [Freeipa-users] Unable to sudo with just one user on only a few servers

2017-01-02 Thread Jakub Hrozek
On Sat, Dec 31, 2016 at 07:43:20AM +, pgb205 wrote:
> I have followed the troubleshooting procedure outlined here: Troubleshooting - 
> FreeIPA
> 
> Additionally I have done a contrast and compare with a working server for the 
> following files: /etc/hosts, /etc/resolv.conf, /etc/sudo-ldap.conf, 
> /etc/krb5.conf, /etc/sssd.conf, /etc/nsswitch.conf
> All are identical other than host specific information.
> In addition I have also enabled debug_level in sssd.conf in all stanzas, but 
> noticed that the sudo log is not being generated. I can however provide other logs.
> I have also enabled sudo_debug=2 in /etc/sudo-ldap.conf but am not sure where to 
> look for that log file.
> A and PTR records exist for problematic servers in FreeIPA DNS.
> As mentioned above the user-id can ssh just fine but not sudo for any 
> command even though that id should be able to do ANY ANY.
> I have checked that the user-id is in the correct sudo groups that are applied 
> for the host-groups for broken servers.
> To add to the oddity we somehow managed to fix the problem on several servers 
> but as it was a lot of blind trial and error we are not sure what the corrective 
> steps actually were. 
> Please let me know what else I can/should take a look at. I can also provide 
> logs if needed.
> thanks

If the sudo log is not being generated at all, then I would assume that
sudo is not talking to sssd at all. Did you check the sudo logs (the
logs of the sudo binary, not the sssd-sudo responder) already?

The howto is here:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
