[Freeipa-users] DirSrv hanging

2017-01-06 Thread Adam Bishop
I have a standalone FreeIPA instance that is becoming unresponsive every few 
hours. While in this state it will accept connections, but will not do anything 
with them (i.e. if you connect an ldaps client to 636, you see 
SYN->SYNACK->ACK->ClientHello, but a ServerHello is not returned). This system 
is running FreeIPA 4.4.0 currently, but this also occurred on 4.2.x. Time is 
synchronised correctly and this is a fairly new installation so all the PKI 
expiry dates are well into the future.

It handles queries without complaint, right up until the point it doesn't.

Inspecting the process with strace shows it waiting on a socket:

getpeername(7, 0x7ffeb749af70, [112]) = -1 ENOTCONN (Transport endpoint is not connected)
poll([{fd=50, events=POLLIN}, {fd=6, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN}, {fd=66, events=POLLIN}, {fd=80, events=POLLIN}, {fd=79, events=POLLIN}, {fd=78, events=POLLIN}, {fd=77, events=POLLIN}, {fd=76, events=POLLIN}, {fd=75, events=POLLIN}, {fd=73, events=POLLIN}, {fd=71, events=POLLIN}, {fd=70, events=POLLIN}, {fd=68, events=POLLIN}], 15, 250) = 0 (Timeout)

fd 7 is a constant:

ls -l /proc/2428/fd
lrwx------. 1 root root 64 Jan  6 17:16 7 -> socket:[18972]

I'm not sure if I'm understanding the meaning of the fd entry correctly, but I 
believe this is the entry:

[root@ldap-001 log]# lsof -p 2428 | grep 18972
ns-slapd 2428 dirsrv    7u  IPv6  18972  0t0  TCP *:ldaps (LISTEN)

A backtrace from GDB follows at the end of this message -  it shows the address 
struct, which just contains the source address of the last connection to port 
636 before DirSrv hangs.

The server is configured to use the FreeIPA dns service as its own resolver. 
The DNS service is definitely still running, and resolves the query fine when 
executed with dig.

There is nothing in the DirSrv logs that indicates an issue. The KDC logs 
indicate a problem, but I don't know if DirSrv is hanging because of the KDC, 
or if the KDC is just reflecting that DirSrv is unresponsive.

Jan 06 21:53:29 ldap-001.domain krb5kdc[2702](info): AS_REQ (6 etypes {18 
17 16 23 25 26}) 193.63.63.108: LOOKING_UP_CLIENT: host/ldap-001.domain@DOMAIN 
for krbtgt/DOMAIN@DOMAIN, Server error
Jan 06 21:53:29 ldap-001.domain krb5kdc[2702](info): closing down fd 12

sssd reports an issue too, but that is almost certainly due to an unresponsive 
DirSrv:

(Sat Jan  7 03:16:08 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The 
Data Provider returned an error 
[org.freedesktop.sssd.Error.DataProvider.Offline]

I'm not really sure what to check next - all the individual components seem to 
be working, but not together.

Any suggestions are appreciated.

Regards,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk

---

[root@ldap-001 log]# gdb -p 2428
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-94.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
.
Attaching to process 2428
0x7fc80bf4fdfd in poll () at ../sysdeps/unix/syscall-template.S:81
81  T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
Missing separate debuginfos, use: debuginfo-install 
ipa-server-4.4.0-14.el7.centos.1.1.x86_64
(gdb) break getpeername
Breakpoint 1 at 0x7fc80bf5b4b0: file ../sysdeps/unix/syscall-template.S, line 
81.
(gdb) cont
Continuing.

Breakpoint 1, getpeername () at ../sysdeps/unix/syscall-template.S:81
81  T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
(gdb) bt full
#0  getpeername () at ../sysdeps/unix/syscall-template.S:81
No locals.
#1  0x7fc80c888389 in pt_GetPeerName (fd=0x7fc810d92010, 
addr=0x7ffeb749af70) at ../../../nspr/pr/src/pthreads/ptio.c:2795
rv = -1
addr_len = 112
#2  0x7fc80d3fec23 in ssl_Poll (fd=0x7fc810b69260, how_flags=, p_out_flags=0x7ffeb749b06c) at sslsock.c:2639
ss = 0x7fc810d94f30
new_flags = 1
addr = {raw = {family = 0, data = '\000' }, inet = 
{family = 0, port = 0, ip = 0, pad = "\000\000\000\000\000\000\000"}, ipv6 = 
{family = 0, port = 0, flowinfo = 0,
ip = {_S6_un = {_S6_u8 = '\000' , _S6_u16 = {0, 
0, 0, 0, 0, 0, 0, 0}, _S6_u32 = {0, 0, 0, 0}, _S6_u64 = {0, 0}}}, scope_id = 
0}, local = {family = 0,
path = '\000' , 
"\061\071\063.63.63.108\000\000\000`\327!\f\310\177\000\000\017\000\000\000\000\000\000\000p\260I\267\376\177\000\000\000\000\000\000\000\000\000\000\372",
 '\000' , "\372\000\000\000\000\000\000\000\215", }}
#3  0x7fc80c887a45 in _pr_poll_with_poll (pds=0x7fc811256b40, npds=15, 
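
The symptom described above (TCP three-way handshake completes, the client 
sends its ClientHello, and no ServerHello ever comes back) is worth turning 
into a probe, because a plain TCP port check keeps reporting such a listener 
as healthy. The script below is an added example, not part of the original 
post or of FreeIPA/389-ds: it classifies one connection attempt to a TLS 
listener as refused, handshake_timeout, handshake_error or ok, and its demo() 
runs against two constructed local stand-ins (a listener that accepts and 
never replies, and a closed port) so it works offline. Host names, ports and 
the timeout are assumptions.

```python
# Added example (not from the post): distinguish "TCP accepts but TLS never
# answers" from "port closed", which is the failure mode described above.
import socket
import ssl
import threading


def probe_tls_listener(host, port, timeout=5.0):
    """Classify one connection attempt to a TLS listener.

    'refused'           TCP connect failed (nothing listening, or filtered)
    'handshake_timeout' TCP accepted, ClientHello sent, no ServerHello within
                        timeout (the DirSrv hang looks like this)
    'handshake_error'   server answered but the TLS handshake failed
    'ok'                handshake completed
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # liveness probe only, not a trust decision
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"
    with raw:
        raw.settimeout(timeout)
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
        except socket.timeout:           # TimeoutError on Python 3.10+
            return "handshake_timeout"
        except OSError:                  # ssl.SSLError is an OSError subclass
            return "handshake_error"


def start_silent_listener():
    """Constructed stand-in for the hung server: accepts TCP connections and
    never sends a byte.  Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        held = []
        try:
            while True:
                conn, _ = srv.accept()
                held.append(conn)        # keep it open, stay silent
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(timeout=1.0):
    """Probe the silent listener and a closed port; returns
    {'silent': ..., 'closed': ...}."""
    srv, silent_port = start_silent_listener()
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # nothing listens on closed_port now
    try:
        return {
            "silent": probe_tls_listener("127.0.0.1", silent_port, timeout),
            "closed": probe_tls_listener("127.0.0.1", closed_port, timeout),
        }
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        srv.close()


if __name__ == "__main__":
    for name, state in demo().items():
        print("%-7s %s" % (name, state))
    # Against the real server: probe_tls_listener("ldap-001.domain", 636)
```

Against the real server, a result of handshake_timeout while the port still 
accepts connections is exactly the state described in the message, and is a 
good trigger for collecting the strace and gdb output before restarting 
dirsrv. Certificate verification is disabled only because this is a liveness 
probe; do not reuse the context for anything that relies on the peer's identity.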

[Freeipa-users] Getting error "Permission denied (publickey, gssapi-with-mic, password)" when running below ssh command

2017-01-06 Thread Chen Lufan
Dear Team,

I am new to FreeIPA and GSS authentication, so maybe someone can shed some 
light on where the issue is when I perform the ssh command below? Your help 
will be greatly appreciated!


host2$  ssh -F /home/user/config   u...@host1.example.com


I got the error below in audit.log on host1:

type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0 
auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 
rport=36989 laddr=67.217.92.20 lport=22 id=4294967295 exe="/usr/sbin/sshd" 
(hostname=?, addr=10.22.6.70, terminal=? res=success)'
type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974 
msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=10.22.6.70, 
addr=10.22.6.70, terminal=ssh res=failed)'


where

host2$ more /home/user/config
Host *
Protocol 2

# Options for Protocol 1 only
#RSAAuthentication no
#RhostsRSAAuthentication no

HostbasedAuthentication no
PubKeyAuthentication no
PasswordAuthentication no

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

PreferredAuthentications gssapi-with-mic

StrictHostKeyChecking no
CheckHostIP no

LogLevel FATAL

UserKnownHostsFile /uhome/installer/.ssh/known_hosts
IdentityFile /uhome/installer/.ssh/id_rsa


AND on host1:

# grep -v "^#" /etc/ssh/sshd_config |grep -v "^$"
Protocol 2
SyslogFacility AUTHPRIV
LogLevel INFO
PermitRootLogin no
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
UseDNS no
Banner /etc/issue.net
Subsystem sftp /usr/libexec/openssh/sftp-server
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

host1# more krb5.conf

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
kdc = auth1.iad.example.com.
kdc = auth2.iad.example.com.
admin_server = auth1.iad.example.com.

default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt

auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
auth_to_local = RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//
auth_to_local = DEFAULT
}

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

[appdefaults]
  pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
  }


Thanks,

Lufan
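
The krb5.conf on host1 contains four auth_to_local entries, and sshd only 
accepts a GSSAPI login when one of them maps the authenticated principal to 
the local account being requested. The evaluator below is an added example, 
not part of the post and not MIT krb5's own code: it implements the 
RULE:[n:string](regexp)s/pattern/replacement/[g] and DEFAULT semantics as MIT 
krb5 documents them (the principal must have exactly n components, the 
selector built from the template must match the regexp in full, then a 
single or global substitution is applied) and runs the posted rules over a few 
constructed principals. The principal names are made up; the rules and the 
default realm are the ones in the posted file.

```python
# Added example (not from the post, not MIT krb5's code): evaluate the
# auth_to_local rules from host1's krb5.conf the way MIT krb5 documents them.
import re

RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/([^/]*)/([^/]*)/(g?)$")

# The four entries from the posted krb5.conf, in order.
HOST1_RULES = [
    "RULE:[2:$1;$2](.*;root)s/;root$//",
    "RULE:[2:$1;$2](.*;admin)s/;admin$//",
    "RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//",
    "DEFAULT",
]


def split_principal(principal):
    """'a/b@REALM' -> (['a', 'b'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, comps, realm):
    """One RULE:[n:string](regexp)s/pattern/replacement/[g]; None if it does
    not apply.  Slashes inside pattern/replacement are not supported (assumed
    absent, as in the posted rules)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: %r" % rule)
    n, template, regexp, pattern, replacement, flag = m.groups()
    if int(n) != len(comps):             # rule only considers principals with n components
        return None
    selector = template
    for i in range(len(comps), -1, -1):  # $0 = realm, $1..$n = components
        selector = selector.replace("$%d" % i, realm if i == 0 else comps[i - 1])
    if re.fullmatch(regexp, selector) is None:   # MIT requires a whole-string match
        return None
    return re.sub(pattern, replacement, selector, count=0 if flag == "g" else 1)


def auth_to_local(principal, rules=HOST1_RULES, default_realm="EXAMPLE.COM"):
    """Local account name for principal, or None when no entry maps it
    (sshd/PAM then cannot accept the GSSAPI login for that account)."""
    comps, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals of the default realm.
            if len(comps) == 1 and realm == default_realm:
                return comps[0]
            continue
        local = apply_rule(rule, comps, realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    # constructed principals; the rules are the posted ones
    for p in ["alice/root@EXAMPLE.COM", "bob/admin@EXAMPLE.COM",
              "carol@AD.CORP.EXAMPLE.COM", "dave@EXAMPLE.COM",
              "dave@OTHER.REALM", "eve/foo@EXAMPLE.COM"]:
        print("%-28s -> %s" % (p, auth_to_local(p)))
```

Two things are visible in the output: a principal from a realm other than the 
default one (dave@OTHER.REALM) gets no local name at all unless a RULE handles 
it, and the third rule's unescaped dots match any character, so it also 
accepts realm names that differ from AD.CORP.EXAMPLE.COM in those positions; 
write them as AD\.CORP\.EXAMPLE\.COM if such realms can exist behind a trust.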



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I have to confess I'm in over my head already. Another shot in the foot
isn't going to help. Is there good documentation for solving the problem on
the version I'm using?

Jeff


Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote:
> Rob,
> 
> I'm getting this error: certutil -M -n "auditSigningCert cert-pki-ca" -d
> /var/lib/pki-ca/alias -t u,u,Pu
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> certificate/key database is in an old, unsupported format.

The database is in /var/lib/pki/pki-tomcat/alias

I'd start by checking current trust.

Be very wary about documents related to old versions of IPA and proceed
cautiously and understand the changes you may make before applying them.

rob


Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote:
> Rob,
> 
> I'm missing something in either the syntax of execution. I'm getting
> this error:
> 
> ldap_modify: Invalid DN syntax (34)
> additional info: invalid dn
> 
> Just as a reminder the version of ipa I'm on is 4.4.

I'd need to see the ldif you're trying to apply.

rob


Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Rob,

I'm getting this error: certutil -M -n "auditSigningCert cert-pki-ca" -d
/var/lib/pki-ca/alias -t u,u,Pu
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key
database is in an old, unsupported format.

Jeff



Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Rob,

I'm missing something in either the syntax of execution. I'm getting this
error:

ldap_modify: Invalid DN syntax (34)
additional info: invalid dn

Just as a reminder the version of ipa I'm on is 4.4.

Jeff


Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote:
> I've followed the instructions related to my error here:
> http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still
> haven't found a solution.

Look at these instructions
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

Look only at the ipaCert part, particularly the ou=people part and the
description attribute.

rob


Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Alan Heverley
First we have to query the NSS database to get the current ipaCert
certificate for the ipara user and store it into a file:
# cd /tmp
# certutil -a -d /etc/httpd/alias/ -n ipaCert -L | sed '/^-.*/d' | tr -d
'\r\n' > ipaCert.cert


Then we need to replace the userCertificate attribute with the content of
ipaCert.cert:

# ldapmodify -h localhost -D "cn=Directory Manager" -W
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
replace: userCertificate
userCertificate:: 


Next we modify the description attribute of the same entry.

# ldapmodify -h localhost -D "cn=Directory Manager" -W
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
replace: description
description: 2;267976771;CN=Certificate
Authority,O=EXAMPLE.LOCAL;CN=IPA RA,O=EXAMPLE.LOCAL

/var/log/pki/pki-tomcat/ca/system log file shows, that the
authentication of the ipara user failed:

0.http-bio-8443-exec-14 - [13/May/2015:22:04:26 CET] [6] [3] Cannot
authenticate agent with certificate Serial 0xff90043


The long number in the description represents the serial number of the
user certificate in decimal. It can be calculated with the help of bc:

# echo "ibase=16; FF90043"|bc  <--- 0xff90043 is the serial number
from the ca error log.
267976771

The following command verifies that all went well:

# ldapsearch -x -h localhost -b uid=ipara,ou=people,o=ipaca

If everything went ok, please resubmit the certificates and check if the
expiration date of the same has changed to a future date:

# getcert resubmit -d /etc/pki/pki-tomcat/alias -n "auditSigningCert
cert-pki-ca"
# getcert resubmit -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca"
# getcert resubmit -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca"




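The procedure above needs three pieces of the RA agent certificate, the serial 
number in decimal, the issuer DN and the subject DN, joined into 
"2;serial;issuer;subject", and the value has to match the certificate exactly. 
The script below is an added example (mine, not part of the thread and not 
FreeIPA or Dogtag code) that derives the value from the DER certificate itself 
and compares it with what is currently in LDAP. It contains a minimal DER 
walker, a loader for the ipaCert.cert file the certutil step writes, and a 
constructed certificate skeleton (only the leading tbsCertificate fields, not a 
valid certificate) so it runs offline; the serial 0xff90043 and the DNs are 
the ones shown in the message.

```python
# Added example (not from the thread): derive the 'description' value that
# the ipara entry in o=ipaca must carry from the RA agent certificate itself.
# The DER walker is minimal; sample_cert() builds a constructed skeleton
# (leading tbsCertificate fields only, NOT a valid certificate) for offline use.
import base64

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C"}
OID_BY_NAME = {v: k for k, v in OID_NAMES.items()}

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(content):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, start, end = _tlv(content, pos)
        yield tag, content[start:end]
        pos = end

def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def name_to_string(name_content):
    """X.501 Name -> RFC 4514 text, last RDN first (value escaping omitted)."""
    rdns = []
    for _, rdn in _children(name_content):            # SET OF AttributeTypeAndValue
        parts = []
        for _, atv in _children(rdn):                 # SEQUENCE { type, value }
            (_, oid), (_, value) = list(_children(atv))
            attr = OID_NAMES.get(_decode_oid(oid), _decode_oid(oid))
            parts.append("%s=%s" % (attr, value.decode("utf-8")))
        rdns.append("+".join(parts))
    return ",".join(reversed(rdns))

def cert_identity(cert_der):
    """Return (serial as int, issuer, subject) from a DER certificate."""
    _, start, _ = _tlv(cert_der, 0)                   # Certificate
    _, tbs_start, tbs_end = _tlv(cert_der, start)     # tbsCertificate
    fields = list(_children(cert_der[tbs_start:tbs_end]))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields.pop(0)
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    return serial, name_to_string(fields[2][1]), name_to_string(fields[4][1])

def ra_agent_description(cert_der):
    """'2;<serial in decimal>;<issuer DN>;<subject DN>' as IPA stores it."""
    serial, issuer, subject = cert_identity(cert_der)
    return "2;%d;%s;%s" % (serial, issuer, subject)

def description_matches(cert_der, ldap_description):
    """True when the LDAP value already describes this certificate."""
    return ldap_description == ra_agent_description(cert_der)

def load_cert(path):
    """DER bytes from the newline-free base64 file the certutil step writes."""
    with open(path) as fh:
        return base64.b64decode(fh.read())

# --- constructed sample: tiny DER encoder and a certificate skeleton ---------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_int(v):
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out.extend(chunk)
    return _der(0x06, bytes(out))

def _der_name(rfc4514):
    sets = b""
    for rdn in reversed(rfc4514.split(",")):          # DER order is the reverse
        attr, value = rdn.split("=", 1)
        atv = _der(0x30, _der_oid(OID_BY_NAME[attr]) + _der(0x0C, value.encode()))
        sets += _der(0x31, atv)
    return _der(0x30, sets)

def sample_cert(serial, issuer, subject):
    alg = _der(0x30, _der_oid("1.2.840.113549.1.1.11") + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(serial) + alg
               + _der_name(issuer) + _der(0x30, b"") + _der_name(subject))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

if __name__ == "__main__":
    # serial and DNs as shown in the message above
    cert = sample_cert(0xFF90043, "CN=Certificate Authority,O=EXAMPLE.LOCAL",
                       "CN=IPA RA,O=EXAMPLE.LOCAL")
    print(ra_agent_description(cert))
```

With a real certificate, load_cert('/tmp/ipaCert.cert') gives the DER bytes, 
ra_agent_description() the exact string for the description attribute, and 
description_matches() against the value returned by the ldapsearch in the 
procedure tells you whether the modify is needed at all; the serial is the 
field the CA log complains about. RFC 4514 escaping of special characters in 
attribute values is omitted, which the DNs here do not need.
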
Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I've followed the instructions related to my error here:
http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still haven't
found a solution.

Jeff

On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard  wrote:

> Alan,
>
> Thank you so VERY much. That resolved the issue for the CA signing
> certificate. However I'm still seeing
>
> ca-error: Server at "https://id-management-1.
> internal.emerlyn.com:8443/ca/agent/ca/profileProcess" replied: 1: Invalid
> Credential.
>
> On multiple requests which have expiration dates in the past. Is there
> something else I need to do?
>
> Jeff
>
> On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley  wrote:
>
>> Looks like you need to get the PIN associated to the cert.
>>
>>  # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
>>
>> Then replace  with the PIN in the command above.
>>
>>  # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert
>> cert-pki-ca' -P  -c dogtag-ipa-ca-renew-agent
>>
>> On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard 
>> wrote:
>>
>>> I think my problem is deeper than that. I was following this guide:
>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renew
>>> al#Renew_CA_Certificate_on_CA_Servers and executed the commands related
>>> to having an external CA - which we do not have. I now get this message for
>>> the CA:
>>>
>>> Request ID '20170101055025':
>>> status: NEED_KEY_GEN_PIN
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/pki/
>>> pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
>>> certificate: type=NSSDB,location='/etc/pki/
>>> pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer:
>>> subject:
>>> expires: unknown
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>>
>>> Is there any way I can recover?
>>>
>>> Jeff
>>>
>>> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden 
>>> wrote:
>>>
 Jeff Goddard wrote:
 > I've done this.
 > [root@id-management-1 ipa]# date
 > Sun Jan  1 01:12:27 EST 2017
 >
 >  getcert list give me this as the first entry:
 >
 > Request ID '20150116162120':
 > status: CA_UNREACHABLE
 > ca-error: Server at
 > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
 > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority
 not
 > found).
 > stuck: no
 > key pair storage:
 > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert
 ',token='NSS
 > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 > certificate:
 > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert
 ',token='NSS
 > Certificate DB'
 > CA: IPA
 > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
 > 
 > subject: CN=id-management-1.internal.emerlyn.com
 > ,O=INTERNAL.EMERLYN.COM
 > 
 > expires: 2017-01-16 16:21:20 UTC
 > key usage:
 > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 > eku: id-kp-serverAuth,id-kp-clientAuth
 > pre-save command:
 > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
 > track: yes
 > auto-renew: yes
 >
 > Restarting certmonger multiple times doesn't help.

 Sorry, I missed a step. When you go back in time you first need to
 restart IPA. The CA isn't up.

 rob

 >
 > Jeff
 >
 >
 >
 >
 > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden  > wrote:
 >
 > Jeff Goddard wrote:
 > > Flo,
 > >
 > > I'm not able to access the link you posted. I did find this
 thread
 > > though
 > >
 > > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
 > >
 > > and have set the time back and resubmitted a request. Still no
 > success.
 > > Any further hints?
 >
 > You need to stop ntpd, go back in time to when the certs are
 valid and
 > restart the certmonger service.
 >
 > Then use getcert list to monitor things. You really only care
 about the
 > CA subsystem certs are this point.
 >
 > You may need to restart certmonger more than once to get all the
 

Re: [Freeipa-users] unable to add or remove replica after prepare and failed replication

2017-01-06 Thread Jake
Worked.

Thank You!

- Original Message -
From: "Rob Crittenden" 
To: "Jake" , "freeipa-users" 
Sent: Friday, January 6, 2017 3:24:35 PM
Subject: Re: [Freeipa-users] unable to add or remove replica after prepare and 
failed replication

Jake wrote:
> Hey All,
> 
> I need to reinstall the replica ipa03.ipa.example.com after
> ipa-server-install --uninstall, however.
> 
> 
> ipa-replica-install replica-info-ipa03.example.com.gpg
> Directory Manager (existing master) password:
> 
> The host ipa03.example.com already exists on the master server.
> You should remove it before proceeding:
> % ipa host-del ipa03.example.com
> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for more information
> 
> So on the master I ran:
> 
> ipa-replica-manage del ipa03.ipa.example.com
> ' ipa01.ipa.example.com' has no replication agreement for '
> ipa03.ipa.example.com'
> 
> ipa host-del ipa03.ipa.example.com
> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
> disabled

Try ipa-replica-manage del ipa03.ipa.example.com --force --cleanup

You may still need to delete the host entry but the first command should
mark it as not a master.

rob


Re: [Freeipa-users] Replication has stopped and server errors

2017-01-06 Thread sipazzo
I have changed the number of db locks to 4. After restart, each server 
reports a lot of errors of this type:
DSRetroclPlugin - delete_changerecord: could not delete change record 6038434 

As well as immediately coming up with these errors (even after re-initializing)

[06/Jan/2017:12:10:12 -0800] NSMMReplicationPlugin - changelog program - 
agmt="cn=meToipa1-dev.example.local" (ipa1-corp:389): CSN 586d8aab00040011 
not found, we aren't as up to date, or we purged
[06/Jan/2017:12:10:12 -0800] NSMMReplicationPlugin - 
agmt="cn=meToipa1-corp.example.local" (ipa1-dev:389): Data required to update 
replica has been purged. The replica must be reinitialized.
[06/Jan/2017:12:10:12 -0800] NSMMReplicationPlugin - 
agmt="cn=meToipa1-prod.example.local" (ipa1-xo:389): Incremental update failed 
and requires administrator action
[06/Jan/2017:12:10:12 -0800] NSMMReplicationPlugin - 
agmt="cn=meToipa1-dev.example.local" (ipa1-corp:389): Incremental update failed 
and requires administrator action
[06/Jan/2017:12:15:47 -0800] agmt="cn=meToipa1-dr.example.local" (ipa1-io:389) - 
Can't locate CSN 586ffaf500030010 in the changelog (DB rc=-30988). If 
replication stops, the consumer may need to be reinitialized.
[06/Jan/2017:12:15:49 -0800] agmt="cn=meToipa1-dr.example.local" (ipa1-io:389) 
- Can't locate CSN 586ffaf70010 in the changelog (DB rc=-30988). If 
replication stops, the consumer may need to be reinitialized.

Replication topology is: 3 geographic locations each with 2 ipa servers (dr, 
prod, dev)
ipa1-dev replicates with all servers (ipa2-dev, ipa1-dr, ipa2-dr, ipa1-prod, 
ipa2-prod)
ipa1-dr also replicates with ipa2-dr
ipa1-prod also replicates with ipa2-prod

As a test I deleted one host on each of the servers. I have waited 30 minutes 
and the results are:
ipa1-dev - deletion replicated to all servers
ipa2-dr - deletion replicated to all servers
ipa1-dr, ipa1-prod, ipa2-dev, ipa2-prod - deletions not replicated



From: Martin Basti
To: sipazzo; Freeipa-users
Sent: Friday, January 6, 2017 8:58 AM
Subject: Re: [Freeipa-users] Replication has stopped and server errors

On 06.01.2017 00:29, sipazzo wrote:
  
I have 6 ipa servers in 3 locations running 4.2.0-15.0.1 on RHEL 7. Ipa1-dev 
is the CA Renewal and CRL Master server and where most of our updates (host 
enrollment, password changes) end up taking place. Servers had been running 
fine. Over the holidays we started having some replication issues and looking 
at /var/log/dirsrv/slapd-REALM-COM/errors showed the following:

All servers currently have these errors for each replica the respective IPA 
servers are connected to:
NSMMReplicationPlugin - agmt="cn=meToipa2-dr.example.local" (ipa2-dr:389): Incremental update failed and requires administrator action
[04/Jan/2017:15:39:48 -0800] agmt="cn=meToipa1-dr.example.local" (ipa1-dr:389) - Can't locate CSN 583c8e7400060011 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized
NSMMReplicationPlugin - agmt="cn=meToipa1-prod.example.local" (ipa1-prod:389): Data required to update replica has been purged. The replica must be reinitialized.
[04/Jan/2017:13:33:26 -0800] NSMMReplicationPlugin - agmt="cn=meToipa2-dev.example.local" (ipa2-dev:389): Incremental update failed and requires administrator action
[04/Jan/2017:13:33:26 -0800] NSMMReplicationPlugin - agmt="cn=meToipa1-prod.example.local" (ipa1-prod:389): Incremental update failed and requires administrator action
[04/Jan/2017:13:33:27 -0800] agmt="cn=meToipa2-prod.example.local" (ipa2-prod:389) - Can't locate CSN 586d69f40012 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.

And all servers have these types of errors which are worrisome but they go back 
quite a way:
NSACLPlugin - The ACL target cn=dns,dc=example,dc=local does not exist
NSACLPlugin - The ACL target cn=dns,dc=example,dc=local does not exist
NSACLPlugin - The ACL target cn=groups,cn=compat,dc=example,dc=local does not exist
NSACLPlugin - The ACL target cn=computers,cn=compat,dc=example,dc=local does not exist
NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=local does not exist
NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=local does not exist
NSACLPlugin - The ACL target ou=sudoers,dc=networkfleet,dc=local does not exist
 
 ^^^ just INFO messages, you can ignore them
 
 
 
All servers except one have a lot of these:
DSRetroclPlugin - delete_changerecord: could not delete change record
Ipa1-dev only has this:
[04/Jan/2017:18:36:52 -0800] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipa1-prod.example.local-pki-tomcat" (ipa1-prod:389): Replication bind with SIMPLE auth resumed
[04/Jan/2017:18:36:52 -0800] NSMMReplicationPlugin - 

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Alan,

Thank you so VERY much. That resolved the issue for the CA signing
certificate. However I'm still seeing

ca-error: Server at
"https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess"
replied: 1: Invalid Credential.

On multiple requests which have expiration dates in the past. Is there
something else I need to do?

Jeff

On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley  wrote:

> Looks like you need to get the PIN associated to the cert.
>
>  # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
>
> Then replace  with the PIN in the command above.
>
>  # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert
> cert-pki-ca' -P  -c dogtag-ipa-ca-renew-agent
>
> On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard  wrote:
>
>> I think my problem is deeper than that. I was following this guide:
>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
>> and executed the commands related to having an external CA - which we do
>> not have. I now get this message for the CA:
>>
>> Request ID '20170101055025':
>> status: NEED_KEY_GEN_PIN
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/pki/
>> pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
>> certificate: type=NSSDB,location='/etc/pki/
>> pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> Is there any way I can recover?
>>
>> Jeff
>>
>> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden 
>> wrote:
>>
>>> Jeff Goddard wrote:
>>> > I've done this.
>>> > [root@id-management-1 ipa]# date
>>> > Sun Jan  1 01:12:27 EST 2017
>>> >
>>> >  getcert list gives me this as the first entry:
>>> >
>>> > Request ID '20150116162120':
>>> > status: CA_UNREACHABLE
>>> > ca-error: Server at
>>> > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
>>> > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
>>> > found).
>>> > stuck: no
>>> > key pair storage:
>>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert
>>> ',token='NSS
>>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > certificate:
>>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert
>>> ',token='NSS
>>> > Certificate DB'
>>> > CA: IPA
>>> > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>> > 
>>> > subject: CN=id-management-1.internal.emerlyn.com
>>> > ,O=INTERNAL.EMERLYN.COM
>>> > 
>>> > expires: 2017-01-16 16:21:20 UTC
>>> > key usage:
>>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > eku: id-kp-serverAuth,id-kp-clientAuth
>>> > pre-save command:
>>> > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>> > track: yes
>>> > auto-renew: yes
>>> >
>>> > Restarting certmonger multiple times doesn't help.
>>>
>>> Sorry, I missed a step. When you go back in time you first need to
>>> restart IPA. The CA isn't up.
>>>
>>> rob
>>>
>>> >
>>> > Jeff
>>> >
>>> >
>>> >
>>> >
>>> > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden wrote:
>>> >
>>> > Jeff Goddard wrote:
>>> > > Flo,
>>> > >
>>> > > I'm not able to access the link you posted. I did find this
>>> thread
>>> > > though
>>> > >
>>> > > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>>> > > and have set the time back and resubmitted a request. Still no
>>> > success.
>>> > > Any further hints?
>>> >
>>> > You need to stop ntpd, go back in time to when the certs are valid
>>> and
>>> > restart the certmonger service.
>>> >
>>> > Then use getcert list to monitor things. You really only care
>>> about the
>>> > CA subsystem certs at this point.
>>> >
>>> > You may need to restart certmonger more than once to get all the
>>> certs
>>> > updated (you can manually call getcert resubmit -i  if you'd
>>> > prefer).
>>> >
>>> > Once that is done return to present day, restart ntpd then ipactl
>>> > restart.
>>> >
>>> > rob

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Alan Heverley
Looks like you need to get the PIN associated to the cert.

 # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf

Then replace  with the PIN in the command above.

 # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert
cert-pki-ca' -P  -c dogtag-ipa-ca-renew-agent

On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard  wrote:

> I think my problem is deeper than that. I was following this guide:
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
> and executed the commands related to having an external CA - which we do
> not have. I now get this message for the CA:
>
> Request ID '20170101055025':
> status: NEED_KEY_GEN_PIN
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/pki/
> pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
> certificate: type=NSSDB,location='/etc/pki/
> pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
> CA: dogtag-ipa-ca-renew-agent
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> Is there any way I can recover?
>
> Jeff
>
> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden 
> wrote:
>
>> Jeff Goddard wrote:
>> > I've done this.
>> > [root@id-management-1 ipa]# date
>> > Sun Jan  1 01:12:27 EST 2017
>> >
>> >  getcert list gives me this as the first entry:
>> >
>> > Request ID '20150116162120':
>> > status: CA_UNREACHABLE
>> > ca-error: Server at
>> > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
>> > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
>> > found).
>> > stuck: no
>> > key pair storage:
>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert
>> ',token='NSS
>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > certificate:
>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert
>> ',token='NSS
>> > Certificate DB'
>> > CA: IPA
>> > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>> > 
>> > subject: CN=id-management-1.internal.emerlyn.com
>> > ,O=INTERNAL.EMERLYN.COM
>> > 
>> > expires: 2017-01-16 16:21:20 UTC
>> > key usage:
>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > eku: id-kp-serverAuth,id-kp-clientAuth
>> > pre-save command:
>> > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> > track: yes
>> > auto-renew: yes
>> >
>> > Restarting certmonger multiple times doesn't help.
>>
>> Sorry, I missed a step. When you go back in time you first need to
>> restart IPA. The CA isn't up.
>>
>> rob
>>
>> >
>> > Jeff
>> >
>> >
>> >
>> >
>> > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden wrote:
>> >
>> > Jeff Goddard wrote:
>> > > Flo,
>> > >
>> > > I'm not able to access the link you posted. I did find this thread
>> > > though
>> > >
>> > > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>> > > and have set the time back and resubmitted a request. Still no
>> > success.
>> > > Any further hints?
>> >
>> > You need to stop ntpd, go back in time to when the certs are valid
>> and
>> > restart the certmonger service.
>> >
>> > Then use getcert list to monitor things. You really only care about
>> the
>> > CA subsystem certs at this point.
>> >
>> > You may need to restart certmonger more than once to get all the
>> certs
>> > updated (you can manually call getcert resubmit -i  if you'd
>> > prefer).
>> >
>> > Once that is done return to present day, restart ntpd then ipactl
>> > restart.
>> >
>> > rob

-- 
Alan Heverley

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I think my problem is deeper than that. I was following this guide:
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
and executed the commands related to having an external CA - which we do
not have. I now get this message for the CA:

Request ID '20170101055025':
status: NEED_KEY_GEN_PIN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes

Is there any way I can recover?

Jeff

On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden  wrote:

> Jeff Goddard wrote:
> > I've done this.
> > [root@id-management-1 ipa]# date
> > Sun Jan  1 01:12:27 EST 2017
> >
> >  getcert list gives me this as the first entry:
> >
> > Request ID '20150116162120':
> > status: CA_UNREACHABLE
> > ca-error: Server at
> > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
> > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
> > found).
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
> > 
> > subject: CN=id-management-1.internal.emerlyn.com
> > ,O=INTERNAL.EMERLYN.COM
> > 
> > expires: 2017-01-16 16:21:20 UTC
> > key usage:
> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > track: yes
> > auto-renew: yes
> >
> > Restarting certmonger multiple times doesn't help.
>
> Sorry, I missed a step. When you go back in time you first need to
> restart IPA. The CA isn't up.
>
> rob
>
> >
> > Jeff
> >
> >
> >
> >
> > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden wrote:
> >
> > Jeff Goddard wrote:
> > > Flo,
> > >
> > > I'm not able to access the link you posted. I did find this thread
> > > though
> > >
> > > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
> > > and have set the time back and resubmitted a request. Still no
> > success.
> > > Any further hints?
> >
> > You need to stop ntpd, go back in time to when the certs are valid
> and
> > restart the certmonger service.
> >
> > Then use getcert list to monitor things. You really only care about
> the
> > CA subsystem certs at this point.
> >
> > You may need to restart certmonger more than once to get all the
> certs
> > updated (you can manually call getcert resubmit -i  if you'd
> > prefer).
> >
> > Once that is done return to present day, restart ntpd then ipactl
> > restart.
> >
> > rob

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote:
> I've done this.
> [root@id-management-1 ipa]# date
> Sun Jan  1 01:12:27 EST 2017
> 
>  getcert list gives me this as the first entry:
> 
> Request ID '20150116162120':
> status: CA_UNREACHABLE
> ca-error: Server at
> https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
> will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
> found).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
> 
> subject: CN=id-management-1.internal.emerlyn.com
> ,O=INTERNAL.EMERLYN.COM
> 
> expires: 2017-01-16 16:21:20 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> 
> Restarting certmonger multiple times doesn't help.

Sorry, I missed a step. When you go back in time you first need to
restart IPA. The CA isn't up.

rob

> 
> Jeff
> 
> 
> 
> 
> On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden wrote:
> 
> Jeff Goddard wrote:
> > Flo,
> >
> > I'm not able to access the link you posted. I did find this thread
> > though
> >
> > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
> >
> > and have set the time back and resubmitted a request. Still no
> success.
> > Any further hints?
> 
> You need to stop ntpd, go back in time to when the certs are valid and
> restart the certmonger service.
> 
> Then use getcert list to monitor things. You really only care about the
> CA subsystem certs at this point.
> 
> You may need to restart certmonger more than once to get all the certs
> updated (you can manually call getcert resubmit -i  if you'd
> prefer).
> 
> Once that is done return to present day, restart ntpd then ipactl
> restart.
> 
> rob


Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I've done this.
[root@id-management-1 ipa]# date
Sun Jan  1 01:12:27 EST 2017

 getcert list gives me this as the first entry:

Request ID '20150116162120':
status: CA_UNREACHABLE
ca-error: Server at
https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will
retry: 4001 (RPC failed at server.  ipa: Certificate Authority not found).
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
expires: 2017-01-16 16:21:20 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes

Restarting certmonger multiple times doesn't help.

Jeff




On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden  wrote:

> Jeff Goddard wrote:
> > Flo,
> >
> > I'm not able to access the link you posted. I did find this thread
> > though
> > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
> > 
> > and have set the time back and resubmitted a request. Still no success.
> > Any further hints?
>
> You need to stop ntpd, go back in time to when the certs are valid and
> restart the certmonger service.
>
> Then use getcert list to monitor things. You really only care about the
> CA subsystem certs at this point.
>
> You may need to restart certmonger more than once to get all the certs
> updated (you can manually call getcert resubmit -i  if you'd prefer).
>
> Once that is done return to present day, restart ntpd then ipactl restart.
>
> rob
>


Re: [Freeipa-users] unable to add or remove replica after prepare and failed replication

2017-01-06 Thread Rob Crittenden
Jake wrote:
> Hey All,
> 
> I need to reinstall the replica ipa03.ipa.example.com after
> ipa-server-install --uninstall, however.
> 
> 
> ipa-replica-install replica-info-ipa03.example.com.gpg
> Directory Manager (existing master) password:
> 
> The host ipa03.example.com already exists on the master server.
> You should remove it before proceeding:
> % ipa host-del ipa03.example.com
> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
> ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for more information
> 
> So on the master I ran:
> 
> ipa-replica-manage del ipa03.ipa.example.com
> 'ipa01.ipa.example.com' has no replication agreement for
> 'ipa03.ipa.example.com'
> 
> ipa host-del ipa03.ipa.example.com
> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
> disabled

Try ipa-replica-manage del ipa03.ipa.example.com --force --cleanup

You may still need to delete the host entry but the first command should
mark it as not a master.

rob



Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote:
> Flo,
> 
> I'm not able to access the link you posted. I did find this thread
> though
> https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
> 
> and have set the time back and resubmitted a request. Still no success.
> Any further hints?

You need to stop ntpd, go back in time to when the certs are valid and
restart the certmonger service.

Then use getcert list to monitor things. You really only care about the
CA subsystem certs at this point.

You may need to restart certmonger more than once to get all the certs
updated (you can manually call getcert resubmit -i  if you'd prefer).

Once that is done return to present day, restart ntpd then ipactl restart.

rob

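As an added example (not from the thread and not certmonger or FreeIPA code), a POSIX shell helper that triages `getcert list` output around the clock-rewind procedure above: it lists the requests that are not in MONITORING, the stuck ones, the ones already expired relative to a reference time, and the earliest known expiry, which is how far back the clock has to go. The sample output is constructed from the entries quoted in the thread; the extra request ids and dates are made up.

```shell
#!/bin/sh
# Added triage helper for "getcert list" output (not part of the thread,
# certmonger or FreeIPA). Run the functions on a saved copy of the output,
# e.g.  getcert list > /tmp/getcert.txt ; unhealthy_requests /tmp/getcert.txt

# Constructed sample of "getcert list" output, modelled on the entries quoted
# in the thread; request ids and dates other than the quoted ones are made up.
# Writes the sample to a temp file and prints its path.
make_sample_getcert_list() {
    f="${TMPDIR:-/tmp}/getcert-list-sample.$$"
    cat > "$f" <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20150116162120':
    status: CA_UNREACHABLE
    ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not found).
    stuck: no
    CA: IPA
    expires: 2017-01-16 16:21:20 UTC
Request ID '20150116162121':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    expires: 2018-06-01 00:00:00 UTC
Request ID '20170101055025':
    status: NEED_KEY_GEN_PIN
    stuck: yes
    CA: dogtag-ipa-ca-renew-agent
    expires: unknown
Request ID '20150116162122':
    status: CA_WORKING
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    expires: 2016-12-20 10:00:00 UTC
EOF
    printf '%s\n' "$f"
}

# "<request id> <status>" for every request whose status is not MONITORING,
# the healthy steady state. Fields in real output are tab-indented; the
# [[:space:]]* prefix accepts either tabs or spaces.
unhealthy_requests() {
    awk '
        /^Request ID/ { id = $3; gsub(/[^0-9]/, "", id) }
        /^[[:space:]]*status:/ { if ($2 != "MONITORING") print id, $2 }
    ' "$1"
}

# Request ids certmonger reports as stuck: it will not retry these by itself,
# so they need a resubmit or a fix to the tracking request.
stuck_requests() {
    awk '
        /^Request ID/ { id = $3; gsub(/[^0-9]/, "", id) }
        /^[[:space:]]*stuck:/ { if ($2 == "yes") print id }
    ' "$1"
}

# Request ids whose certificate expired before the reference time given as
# $2 in "YYYY-MM-DD HH:MM:SS" form. The timestamps sort lexically, so a plain
# string comparison is enough; "unknown" expiries are skipped.
expired_requests() {
    awk -v now="$2" '
        /^Request ID/ { id = $3; gsub(/[^0-9]/, "", id) }
        /^[[:space:]]*expires:/ {
            if ($2 != "unknown" && ($2 " " $3) < now) print id
        }
    ' "$1"
}

# Earliest known expiry across all tracked certificates: the clock has to be
# set back to before this moment for certmonger to be able to renew them all.
earliest_expiry() {
    sed -n 's/^[[:space:]]*expires:[[:space:]]*\(.*\)$/\1/p' "$1" \
        | grep -v '^unknown$' | sort | head -n 1
}

# Stand-alone demo on the constructed sample.
sample=$(make_sample_getcert_list)
echo "not MONITORING:"; unhealthy_requests "$sample"
echo "stuck:"; stuck_requests "$sample"
echo "expired as of 2017-01-06:"; expired_requests "$sample" "2017-01-06 00:00:00"
echo "set the clock back to before: $(earliest_expiry "$sample")"
rm -f "$sample"
```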


[Freeipa-users] Unable to add new replicas - Total update aborted - Replica has a different generation ID than the local data.

2017-01-06 Thread Steve Viola
Hello,

I'm running FreeIPA 3 on CentOS 6.8, and have a bit of a bind on my hand.
Replication appeared to break with all replicas, and trying to initialize
new replicas will not proceed. I've taken my cluster apart to the point
where I have one server with no replicas, and attempting to add replicas
fails with the response:

Update failed! Status: [-2 Total update abortedLDAP error: Local error]


The dirsrv logs on the master show the following error repeating:

[06/Jan/2017:16:56:10 +] NSMMReplicationPlugin - agmt="cn=
> meToreplica2.example.com" (replica2:389): Replica has a different
> generation ID than the local data.


The errors on the replica I'm trying to set up show these errors:

[06/Jan/2017:16:56:11 +] NSMMReplicationPlugin -
> replica_replace_ruv_tombstone: failed to update replication update vector
> for replica dc=example,dc=com: LDAP error - 1


I don't see any other errors in the access or error logs on either the
master or replica, and have tried replicating to several new servers, all
which consistently fail with the same issue.

When running ipa-replica-install in debug mode, the output when things
break looks like this:

ipa.ipaserver.plugins.ldap2.SchemaCache: DEBUG retrieving schema for
> SchemaCache url=ldaps://master.example.com:636



conn=
> Starting replication, please wait until this has completed.
> Update in progress
> Update in progress
> Update in progress
> Update in progress
> Update in progress
> Update in progress
> Update in progress
> Update in progress
> Update in progress
> Update in progress
> [master.example.com] reports: Update failed! Status: [-2 Total update
> abortedLDAP error: Local error]
> ipa : INFO   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line
> 614, in run_script
> return_value = main_function()
>   File "/usr/sbin/ipa-replica-install", line 487, in main
> ds = install_replica_ds(config)
>   File "/usr/sbin/ipa-replica-install", line 150, in install_replica_ds
> pkcs12_info)
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py",
> line 300, in create_replica
> self.start_creation(runtime=60)
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
> line 358, in start_creation
> method()
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py",
> line 313, in __setup_replica
> r_bindpw=self.dm_password)
>   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line
> 865, in setup_replication
> raise RuntimeError("Failed to start replication")
> ipa : INFO The ipa-replica-install command failed, exception:
> RuntimeError: Failed to start replication


On the master, when tailing the dirsrv access and error logs, the following
happens:


> [06/Jan/2017:19:13:30 +] conn=35465 op=16 SRCH base="cn=meTo
> replica2.example.com,cn=replica,cn=dc\3Dcriticalmention\2Cdc\3Dcom,cn=mapping
> tree,cn=config" scope=0 filter="(objectClass=*)" attrs="cn
> nsds5BeginReplicaRefresh nsds5replicaUpdateInProgress
> nsds5replicaLastInitStatus nsds5replicaLastInitStart
> nsds5replicaLastInitEnd"
> [06/Jan/2017:19:13:30 +] conn=35465 op=16 RESULT err=0 tag=101
> nentries=1 etime=0
> [06/Jan/2017:19:13:30 +] conn=35021 op=9 UNBIND
> [06/Jan/2017:19:13:30 +] conn=35021 op=9 fd=89 closed - U1
> [06/Jan/2017:19:13:31 +] conn=35465 op=17 SRCH base="cn=meTo
> replica2.example.com,cn=replica,cn=dc\3Dcriticalmention\2Cdc\3Dcom,cn=mapping
> tree,cn=config" scope=0 filter="(objectClass=*)" attrs="cn
> nsds5BeginReplicaRefresh nsds5replicaUpdateInProgress
> nsds5replicaLastInitStatus nsds5replicaLastInitStart
> nsds5replicaLastInitEnd"
> [06/Jan/2017:19:13:31 +] conn=35465 op=17 RESULT err=0 tag=101
> nentries=1 etime=0

==> /var/log/dirsrv/slapd-EXAMPLE-COM/errors <==
> [06/Jan/2017:19:13:37 +] NSMMReplicationPlugin - agmt="cn=meTo
> replica2.example.com" (replica2:389): Failed to send extended operation:
> LDAP error -1 (Can't contact LDAP server)
> [06/Jan/2017:19:13:37 +] NSMMReplicationPlugin - agmt="cn=meTo
> replica2.example.com" (replica2:389): Received error -1 (Can't contact
> LDAP server):  for total update operation
> [06/Jan/2017:19:13:38 +] NSMMReplicationPlugin - agmt="cn=meTo
> replica2.example.com" (replica2:389): Warning: unable to send
> endReplication extended operation (Can't contact LDAP server)
> [06/Jan/2017:19:13:38 +] NSMMReplicationPlugin - agmt="cn=meTo
> replica2.example.com" (replica2:389): Replication bind with SIMPLE auth
> resumed

[06/Jan/2017:19:13:38 +] NSMMReplicationPlugin - agmt="cn=meTo
> replica2.example.com" (replica2:389): Replica has a different generation
> ID than the local data.


On the replica, in the dirsrv error logs for the same time, the following
happens:

[06/Jan/2017:19:13:26 +] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
> [06/Jan/2017:19:13:26 +] - Listening on All 
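One added shell example (not from either thread, and not FreeIPA or 389-ds code) that serves both sipazzo's report of "CSN not found" / "must be reinitialized" errors above and this generation-ID failure: it sorts the NSMMReplicationPlugin messages in a dirsrv errors log into agreements whose consumer must be re-initialised, agreements needing administrator action, generation-ID mismatches, and the NSACLPlugin and DSRetroclPlugin lines that are only noise. The sample log is constructed from the quoted lines with placeholder hostnames.

```shell
#!/bin/sh
# Added triage helper for /var/log/dirsrv/slapd-<REALM>/errors (not part of
# the threads, FreeIPA or 389-ds). Usage on a real server:
#   replication_triage_report /var/log/dirsrv/slapd-EXAMPLE-LOCAL/errors

# Constructed sample errors log modelled on the lines quoted in both threads
# (hostnames are placeholders); written to a temp file whose path is printed.
make_sample_errors_log() {
    f="${TMPDIR:-/tmp}/dirsrv-errors-sample.$$"
    cat > "$f" <<'EOF'
[06/Jan/2017:12:10:12 -0800] NSMMReplicationPlugin - changelog program - agmt="cn=meToipa1-dev.example.local" (ipa1-corp:389): CSN 586d8aab00040011 not found, we aren't as up to date, or we purged
[06/Jan/2017:12:10:12 -0800] NSMMReplicationPlugin - agmt="cn=meToipa1-corp.example.local" (ipa1-dev:389): Data required to update replica has been purged. The replica must be reinitialized.
[06/Jan/2017:12:10:12 -0800] NSMMReplicationPlugin - agmt="cn=meToipa1-prod.example.local" (ipa1-xo:389): Incremental update failed and requires administrator action
[06/Jan/2017:12:15:47 -0800] agmt="cn=meToipa1-dr.example.local" (ipa1-io:389) - Can't locate CSN 586ffaf500030010 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[06/Jan/2017:12:15:50 -0800] NSACLPlugin - The ACL target cn=dns,dc=example,dc=local does not exist
[06/Jan/2017:12:15:51 -0800] DSRetroclPlugin - delete_changerecord: could not delete change record 6038434
[06/Jan/2017:12:16:00 -0800] NSMMReplicationPlugin - agmt="cn=meToipa2-dev.example.local" (ipa2-dev:389): Replication bind with SIMPLE auth resumed
[06/Jan/2017:19:13:38 +0000] NSMMReplicationPlugin - agmt="cn=meToreplica2.example.com" (replica2:389): Replica has a different generation ID than the local data.
EOF
    printf '%s\n' "$f"
}

# Extract the agmt="..." name from each matching line, once per agreement.
agreement_names() {
    sed -n 's/.*agmt="\([^"]*\)".*/\1/p' | sort -u
}

# Agreements whose consumer needs a re-initialisation: the supplier has
# purged (or cannot locate) changelog entries the consumer still needs, so
# incremental updates can no longer bring it up to date.
agreements_needing_reinit() {
    grep -E "must be reinitialized|Can't locate CSN|CSN [0-9a-f]+ not found" "$1" \
        | agreement_names
}

# Agreements 389-ds has stopped retrying until an administrator intervenes.
agreements_needing_action() {
    grep 'Incremental update failed and requires administrator action' "$1" \
        | agreement_names
}

# Supplier and consumer disagree on the database generation ID: the consumer
# holds data from a different initialisation, so only a total update (re-init)
# of that consumer can fix it.
agreements_generation_mismatch() {
    grep 'Replica has a different generation ID' "$1" | agreement_names
}

# NSACLPlugin "ACL target ... does not exist" lines are informational (the
# reply in the thread says they can be ignored); count them as noise.
count_acl_info_lines() {
    grep -c 'NSACLPlugin - The ACL target .* does not exist' "$1" || true
}

# DSRetroclPlugin delete_changerecord failures point at retro changelog
# trimming, not at a specific agreement; counted separately.
count_retrocl_delete_failures() {
    grep -c 'DSRetroclPlugin - delete_changerecord: could not delete change record' "$1" || true
}

# Human-readable summary for one errors log.
replication_triage_report() {
    log="$1"
    echo "== consumers that must be re-initialised =="
    agreements_needing_reinit "$log"
    echo "== agreements needing administrator action =="
    agreements_needing_action "$log"
    echo "== generation ID mismatches =="
    agreements_generation_mismatch "$log"
    echo "== ignorable NSACLPlugin info lines: $(count_acl_info_lines "$log")"
    echo "== DSRetroclPlugin delete failures: $(count_retrocl_delete_failures "$log")"
}

# Stand-alone demo on the constructed sample.
sample=$(make_sample_errors_log)
replication_triage_report "$sample"
rm -f "$sample"
```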

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Flo,

I'm not able to access the link you posted. I did find this thread though
https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html and
have set the time back and resubmitted a request. Still no success. Any
further hints?


On Fri, Jan 6, 2017 at 11:52 AM, Florence Blanc-Renaud wrote:

> On 01/06/2017 05:36 PM, Jeff Goddard wrote:
>
>> Thanks Flo,
>>
>> I was able to add the host to the keytab once I found the correct
>> command and then was able to issue
>>
>> [root@id-management-1 pki-tomcat]# ipa-cacert-manage renew
>> Renewing CA certificate, please wait
>> CA certificate successfully renewed
>> The ipa-cacert-manage command was successful
>>
>> Hi Jeff,
>
> the "ipa-cacert-manage renew" command renews the CA certificate (the one
> with the alias caSigningCert cert-pki-ca) but not the expired ones. You
> need to follow the instructions linked in my previous e-mail to fix them
> first, basically go back in time by setting the system clock time and let
> certmonger renew them.
>
> HTH,
> Flo.
>
> But the pki-tomcat still fails to start. From the logs I get:
>>
>> [root@id-management-1 pki-tomcat]# cat localhost.2017-01-06.log  |less
>> Jan 06, 2017 7:23:44 AM org.apache.catalina.core.ApplicationContext log
>> SEVERE: StandardWrapper.Throwable
>> java.lang.NullPointerException
>> at
>> com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(Se
>> lfTestSubsystem.java:1886)
>> at
>> com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEn
>> gine.java:2115)
>> at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:
>> 2010)
>> at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233)
>> at com.netscape.certsrv.apps.CMS.start(CMS.java:1625)
>> at
>> com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartS
>> ervlet.java:114)
>> at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>> ssorImpl.java:62)
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>> thodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at
>> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>> at
>> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>> at
>> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>> at
>> org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu
>> rityUtil.java:175)
>> at
>> org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu
>> rityUtil.java:124)
>> at
>> org.apache.catalina.core.StandardWrapper.initServlet(Standar
>> dWrapper.java:1270)
>> at
>> org.apache.catalina.core.StandardWrapper.loadServlet(Standar
>> dWrapper.java:1195)
>> at
>> org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>> at
>> org.apache.catalina.core.StandardContext.loadOnStartup(Stand
>> ardContext.java:5318)
>> at
>> org.apache.catalina.core.StandardContext.startInternal(Stand
>> ardContext.java:5610)
>> at
>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>> at
>> org.apache.catalina.core.ContainerBase.addChildInternal(Cont
>> ainerBase.java:899)
>> at
>> org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>> at
>> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru
>> n(ContainerBase.java:156)
>> at
>> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru
>> n(ContainerBase.java:145)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at
>> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>> at
>> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>> at
>> org.apache.catalina.startup.HostConfig.deployDescriptor(Host
>> Config.java:679)
>> at
>> org.apache.catalina.startup.HostConfig$DeployDescriptor.run(
>> HostConfig.java:1966)
>> at
>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> I found this thread:
>> https://www.redhat.com/archives/freeipa-users/2016-February/msg00125.html
>> but I don't have self-test logs from today, only from yesterday. Here

[Freeipa-users] unable to add or remove replica after prepare and failed replication

2017-01-06 Thread Jake
Hey All, 

I need to reinstall the replica ipa03.ipa.example.com after ipa-server-install 
--uninstall, however. 


ipa-replica-install replica-info-ipa03.example.com.gpg 
Directory Manager (existing master) password: 

The host ipa03.example.com already exists on the master server. 
You should remove it before proceeding: 
% ipa host-del ipa03.example.com 
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install 
command failed. See /var/log/ipareplica-install.log for more information 

So on the master I ran: 

ipa-replica-manage del ipa03.ipa.example.com 
'ipa01.ipa.example.com' has no replication agreement for 'ipa03.ipa.example.com' 

ipa host-del ipa03.ipa.example.com 
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or 
disabled 

Help? 

Thanks Again, 
- Jake 

2017-01-06T19:40:45Z DEBUG Logging to /var/log/ipareplica-install.log
2017-01-06T19:40:45Z DEBUG ipa-replica-install was invoked with arguments 
['replica-info-ipa03.example.com.gpg'] and options: {'no_dns_sshfp': None, 
'skip_schema_check': None, 'setup_kra': None, 'ip_addresses': None, 
'mkhomedir': None, 'http_cert_files': None, 'ssh_trust_dns': None, 
'reverse_zones': None, 'no_forwarders': None, 'keytab': None, 'no_ntp': None, 
'domain_name': None, 'http_cert_name': None, 'dirsrv_cert_files': None, 
'no_dnssec_validation': None, 'no_reverse': None, 'unattended': False, 
'auto_reverse': None, 'auto_forwarders': None, 'no_host_dns': None, 'no_sshd': 
None, 'no_ui_redirect': None, 'dirsrv_config_file': None, 'forwarders': None, 
'verbose': False, 'setup_ca': None, 'realm_name': None, 'skip_conncheck': None, 
'no_ssh': None, 'forward_policy': None, 'dirsrv_cert_name': None, 'quiet': 
False, 'server': None, 'setup_dns': None, 'host_name': None, 'log_file': None, 
'allow_zone_overlap': None}
2017-01-06T19:40:45Z DEBUG IPA version 4.4.0-14.el7.centos.1.1
2017-01-06T19:40:45Z DEBUG Starting external process
2017-01-06T19:40:45Z DEBUG args=/usr/sbin/selinuxenabled
2017-01-06T19:40:45Z DEBUG Process finished, return code=0
2017-01-06T19:40:45Z DEBUG stdout=
2017-01-06T19:40:45Z DEBUG stderr=
2017-01-06T19:40:45Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-06T19:40:45Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-06T19:40:45Z DEBUG httpd is not configured
2017-01-06T19:40:45Z DEBUG kadmin is not configured
2017-01-06T19:40:45Z DEBUG dirsrv is not configured
2017-01-06T19:40:45Z DEBUG pki-tomcatd is not configured
2017-01-06T19:40:45Z DEBUG install is not configured
2017-01-06T19:40:45Z DEBUG krb5kdc is not configured
2017-01-06T19:40:45Z DEBUG ntpd is not configured
2017-01-06T19:40:45Z DEBUG named is not configured
2017-01-06T19:40:45Z DEBUG ipa_memcached is not configured
2017-01-06T19:40:45Z DEBUG filestore is tracking no files
2017-01-06T19:40:45Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-01-06T19:40:45Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-06T19:40:45Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-06T19:40:45Z DEBUG Starting external process
2017-01-06T19:40:45Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS
2017-01-06T19:40:45Z DEBUG Process finished, return code=0
2017-01-06T19:40:45Z DEBUG stdout=VirtualHost configuration:
*:8443 ipa03.example.com (/etc/httpd/conf.d/nss.conf:83)

2017-01-06T19:40:45Z DEBUG stderr=
2017-01-06T19:40:45Z DEBUG Starting external process
2017-01-06T19:40:45Z DEBUG args=/bin/systemctl is-enabled chronyd.service
2017-01-06T19:40:45Z DEBUG Process finished, return code=1
2017-01-06T19:40:45Z DEBUG stdout=
2017-01-06T19:40:45Z DEBUG stderr=Failed to get unit file state for 
chronyd.service: No such file or directory

2017-01-06T19:40:45Z DEBUG Starting external process
2017-01-06T19:40:45Z DEBUG args=/bin/systemctl is-active chronyd.service
2017-01-06T19:40:45Z DEBUG Process finished, return code=3
2017-01-06T19:40:45Z DEBUG stdout=unknown

2017-01-06T19:40:45Z DEBUG stderr=
2017-01-06T19:40:48Z DEBUG Starting external process
2017-01-06T19:40:48Z DEBUG args=/usr/bin/gpg-agent --batch --homedir 
/tmp/tmpnJnWiQipa/ipa-iUdnBL/.gnupg --daemon /usr/bin/gpg --batch --homedir 
/tmp/tmpnJnWiQipa/ipa-iUdnBL/.gnupg --passphrase-fd 0 --yes --no-tty -o 
/tmp/tmpnJnWiQipa/files.tar -d replica-info-ipa03.example.com.gpg
2017-01-06T19:40:48Z DEBUG Process finished, return code=0
2017-01-06T19:40:48Z DEBUG Starting external process
2017-01-06T19:40:48Z DEBUG args=tar xf /tmp/tmpnJnWiQipa/files.tar -C 
/tmp/tmpnJnWiQipa
2017-01-06T19:40:48Z DEBUG Process finished, return code=0
2017-01-06T19:40:48Z DEBUG stdout=
2017-01-06T19:40:48Z DEBUG stderr=
2017-01-06T19:40:48Z DEBUG Installing replica file with version 40200 (0 means 
no version in prepared file).
2017-01-06T19:40:48Z DEBUG Check if ipa03.example.com is a primary hostname for 
localhost
2017-01-06T19:40:48Z DEBUG 

Re: [Freeipa-users] Should IPA Replica DNS SOA Serials match?

2017-01-06 Thread Baird, Josh
Yes, this is expected.

From the IPA documentation [1]:

"The IdM-integrated DNS is multi-master. SOA serial numbers in IdM zones are 
not synchronized between IdM servers. For this reason, configure DNS slave 
servers to only use one IdM master server. This prevents zone transfer failures 
caused by non-synchronized SOA serial numbers."

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-master-dns-zones.html#zone-transfers

Thanks,

Josh

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jake
Sent: Friday, January 6, 2017 2:25 PM
To: freeipa-users 
Subject: [Freeipa-users] Should IPA Replica DNS SOA Serials match?

Hey All,
I currently have 4 ipa 4.2 masters and none of the SOA Serials match, is this 
expected behavior of bind-ldap?

ipa01 - 1483710336
ipa02 - 1483709696
ipa03 - 1483730432
ipa04 - 1483714048

Thanks!

-Jake

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] Should IPA Replica DNS SOA Serials match?

2017-01-06 Thread Jake
Hey All, 
I currently have 4 ipa 4.2 masters and none of the SOA Serials match, is this 
expected behavior of bind-ldap? 

ipa01 - 1483710336 
ipa02 - 1483709696 
ipa03 - 1483730432 
ipa04 - 1483714048 

Thanks! 

-Jake 

Re: [Freeipa-users] IPA to IPA migration

2017-01-06 Thread Mateusz Małek

Hi,

On 06.01.2017 16:42, Ian Harding wrote:

On 01/05/2017 07:17 AM, Rob Crittenden wrote:

Timothy Geier wrote:

This is something I’ve looked at lately and a manual proof of concept I
just did makes it seem theoretically possible (...)

Why migrate at all?

Maybe I'm just not smart enough, but I suspect others have wished they
could just throw in the towel and start over.  I would if it were
relatively easy, that is, if I could export and reimport users (ideally
with passwords), hosts, groups, hbac rules, etc.  I wouldn't even mind
having to re-enroll them.


There are some ways to migrate passwords between FreeIPA instances, but 
I would say that mine is not for the faint-hearted. You absolutely 
MUST be familiar with LDAP and Kerberos. I had to change my realm name, 
as it was decided that "mine" IPA would replace a few other user databases 
- here's what has worked for me (details omitted to prevent the 
inexperienced from a copy-paste disaster):


First, you have to prepare a new FreeIPA instance. Start with a single 
machine and ipa-server-install - the "migration" would render all Kerberos 
keys in the target instance unusable, so do not create any replicas, do not 
create any additional users and do not join any hosts.
Then, extract the Kerberos master key from the old deployment and transfer it to 
the new instance. It is stored in the krbMKey attribute of the K/M principal in 
the Kerberos subtree of the 389 DS instance used by IPA.
Now the tricky part - you have to recreate principal keys for all LDAP 
entries with krbPrincipalKey. You can, for example, create completely 
random principals with kadmin.local and copy their krbPrincipalKeys to 
the broken entries. You also have to re-export service keytabs - also using 
kadmin.local; there are 6 *.keytab files on an IPA server with DNS and CA 
roles installed - host, 389 Directory Server, Dogtag, Apache, BIND and 
DNSSEC key sync daemon.
After you've done that, restart all IPA services (`ipactl restart` or 
simply reboot the whole machine).


Finally, copy all user entries from old IPA LDAP instance to your new 
deployment (make sure krbPrincipalName and krbCanonicalName match your 
new realm name) and all users would be able to authenticate using their 
existing passwords (using both Kerberos and simple LDAP bind). Now, you 
can create additional replicas and re-enroll existing hosts.


This is a very tricky solution and definitely not a proper one. But hey, 
it works! No issues so far, but YMMV.


Another option could be to use the (deprecated) -P/--master-password switch 
during FreeIPA installation - if you, by any chance, know the previously 
generated master password (or you are able to recover it).


You can probably also try using `kdb5_util dump` with the `-mkey_convert` 
switch and then import the data using `kdb5_util load`. I think this would 
be the best solution, as the two previous ones make the old and new instances share 
(master) key material - which seems unwise security-wise, if you don't plan 
to trash the old instance anyway. Unfortunately, I had trouble getting it 
to work, so I moved to a more "brute force" approach. :(


--
Best regards
Mateusz Małek


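The final step of the procedure above tells you to make sure krbPrincipalName and krbCanonicalName match the new realm before copying user entries across. That check is worth doing mechanically on the exported LDIF rather than by eye. What follows is an added example, not code from the post or from FreeIPA: a small pass that rewrites the realm suffix on those two attributes and reports entries that would not be able to authenticate after import (no krbPrincipalName at all, a principal in a realm other than the old one, or a krbCanonicalName that is not among the entry's krbPrincipalName values). The sample LDIF and the realm names OLD.EXAMPLE / NEW.EXAMPLE are constructed; a real export would come from ldapsearch against the old instance.

```python
"""Rewrite the Kerberos realm suffix in exported FreeIPA user entries and
report entries that would break on import.

Added example (not from the post or FreeIPA). The attribute names
krbPrincipalName / krbCanonicalName are the ones the post refers to; the
LDIF below and the realm names OLD.EXAMPLE / NEW.EXAMPLE are constructed.
"""

KRB_ATTRS = ("krbPrincipalName", "krbCanonicalName")

# Constructed export: three users, one with a folded dn, one with a principal
# in a foreign realm, one without any Kerberos principal at all.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=old,dc=example
uid: alice
krbPrincipalName: alice@OLD.EXAMPLE
krbCanonicalName: alice@OLD.EXAMPLE

dn: uid=bob,cn=users,cn=accounts,dc=old,dc=example
uid: bob
krbPrincipalName: bob@OLD.EXAMPLE
krbPrincipalName: robert@OTHER.REALM
krbCanonicalName: bob@OLD.EXAMPLE

dn: uid=carol,cn=users,cn=accounts,
 dc=old,dc=example
uid: carol
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines (leading space), split
    entries on blank lines, skip comments. Base64 ('::') values are not
    decoded, they are kept verbatim. Returns a list of {attr: [values]}."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if sep:
            current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def rewrite_realm(entries, old_realm, new_realm):
    """Replace @OLD_REALM with @NEW_REALM on the Kerberos principal attributes.
    Returns (entries, problems); entries are modified in place."""
    old_suffix, new_suffix = "@" + old_realm.upper(), "@" + new_realm.upper()
    problems = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        if "krbPrincipalName" not in entry:
            problems.append(f"{dn}: no krbPrincipalName, Kerberos login would fail")
        for attr in KRB_ATTRS:
            rewritten = []
            for value in entry.get(attr, []):
                if value.upper().endswith(old_suffix):
                    rewritten.append(value[: -len(old_suffix)] + new_suffix)
                else:
                    if not value.upper().endswith(new_suffix):
                        problems.append(f"{dn}: {attr}={value} is in neither realm")
                    rewritten.append(value)
            if rewritten:
                entry[attr] = rewritten
        canonical = entry.get("krbCanonicalName")
        if canonical and canonical[0] not in entry.get("krbPrincipalName", []):
            problems.append(f"{dn}: krbCanonicalName is not one of the krbPrincipalName values")
    return entries, problems


def to_ldif(entries):
    """Serialise entries back to LDIF (one value per line, blank line between entries)."""
    lines = []
    for entry in entries:
        for attr, values in entry.items():
            lines.extend(f"{attr}: {v}" for v in values)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    users, issues = rewrite_realm(parse_ldif(SAMPLE_LDIF), "OLD.EXAMPLE", "NEW.EXAMPLE")
    print(to_ldif(users))
    for issue in issues:
        print("PROBLEM:", issue)
```

Run against the constructed export, alice is rewritten cleanly, bob keeps his foreign-realm alias and gets a report line for it, and carol is reported as having no Kerberos principal at all. Only the principal name attributes are touched; the post's point that the krbPrincipalKey material must be regenerated separately still stands.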
Re: [Freeipa-users] FreeIPA + /etc/named.conf

2017-01-06 Thread TomK

On 1/5/2017 2:17 PM, Martin Basti wrote:



On 05.01.2017 20:03, TomK wrote:

Hey All,

QQ.

Should the DNS forwarders be updated in /etc/named.conf?  Until I
manually change /etc/named.conf, I can't ping the Windows AD cluster:
mds.xyz.  Nor can I get dig to resolve the SRV records (dig SRV
_ldap._tcp.mds.xyz).

sssd-ipa-1.14.0-43.el7_3.4.x86_64
ipa-client-4.4.0-14.el7.centos.x86_64

IPA command below indicates that it's set to 'first' but that's not
what's in /etc/named.conf file when I check.  Again, it works if I
change /etc/named.conf manually.



Forwarder settings have priority:

named.conf < global forwarders (ipa dnsconfig-mod) < local dns server
config (ipa dnsserver-*) < forwardzones (applied per query, not as
global forwarder)

so what is in named.conf is usually always overwritten


How did you edit the named.conf?

Does dig @192.168.0.224 SRV _ldap._tcp.mds.xyz. work?
Do you have any errors in journalctl -u named-pkcs11 ??

Martin


Thanks Martin.

Yes, with the manual update of /etc/named.conf this command works, as I 
posted earlier (It doesn't work without the manual update of 
/etc/named.conf to  forward first; ):


dig @192.168.0.224 SRV _ldap._tcp.mds.xyz.

;; ANSWER SECTION:
_ldap._tcp.mds.xyz. 3600IN  SRV 0 100 389 winad02.mds.xyz.
_ldap._tcp.mds.xyz. 600 IN  SRV 0 100 389 winad01.mds.xyz.

Yes I stumbled on the journalctl command but really haven't seen 
anything applicable to my scenario AFAICT.  Nonetheless, logs available 
below:


http://microdevsys.com/freeipa/named-pkcs11-working.log
http://microdevsys.com/freeipa/named-pkcs11-non-working.log
http://microdevsys.com/freeipa/named-pkcs11-working-again.log

I'm still going over them.  The only message that seemed to make sense was:

ignoring inherited 'forward first;' for zone '.' - did you want 'forward 
only;' to override automatic empty zone


but it appears in both the working and non-working situations so isn't 
looking significant ATM and nothing I found applied to this scenario.  Btw:


[root@idmipa01 log]# cat /etc/resolv.conf
search nix.mds.xyz mds.xyz
nameserver 127.0.0.1
You have new mail in /var/spool/mail/root
[root@idmipa01 log]#

And based on earlier chats, that's how it should stay.  Resolution of AD 
ID's does work from clients though (When I have forward first; in 
/etc/named.conf)




--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.




Re: [Freeipa-users] FreeIPA sudo not working on Ubuntu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-06 Thread James Harrison
Any ideas?
From: James Harrison
To: "freeipa-users@redhat.com"
Sent: Thursday, 5 January 2017, 13:36
Subject: FreeIPA sudo not working on Ubuntu xenial sssd version 1.13.4-1ubuntu1.1
Hi all, I'm having problems with a FreeIPA client running Ubuntu Xenial.
I can authenticate OK, I get a kerberos ticket, but cannot run sudo.
I get 1 rule returned, which I expect.
Many thanks, James Harrison


(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c11e30 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning 
info for user [x_james.harri...@domain.com]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): 
Retrieving rules for [x_james.harrison] from [domain.com]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c11d70

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c11e30

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c11e30 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c0f550

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c1da40

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c0f550 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c1da40 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c0f550 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
(0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c11d70

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c11e30

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c11e30 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c11d70 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to 
get sudo rules from cache
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c18790

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c1b720

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c18790 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c1b720 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c18790 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c12600

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c0f550

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c12600 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c0f550 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c12600 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] 
(0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))]
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x1c0f550

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x1c0dfd0

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 
0x1c0f550 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 
0x1c0dfd0 "ltdb_timeout"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 
0x1c0f550 "ltdb_callback"

(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting 
rules with higher-wins logic
(Thu Jan  5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] 
(0x0400): Returning 1 rules for [x_james.harri...@domain.com]

[Freeipa-users] disable inactive accounts and delete old accounts

2017-01-06 Thread Giger, Justean
I am trying to use the krblastsuccessfulauth attribute to detect accounts that 
have been inactive for >90 days as per this post: 
https://www.redhat.com/archives/freeipa-users/2015-March/msg00052.html
I need to be able to disable these accounts at 90 days then delete them after 
180 days.
However, I find most of my users do not have the krblastsuccessfulauth 
attribute populated. This is not because their accounts have never been used as 
I see they do have valid passwords which expire in the future so they had to 
login at least once (not necessarily with Kerberos though). Is there another 
attribute we can/should use for this?

Justean Giger

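As an added example (not from the post, and not a FreeIPA tool), here is the policy the post describes run over constructed entries: a krbLastSuccessfulAuth older than 90 days marks an account for disabling, older than 180 days for deletion, and entries without the attribute are reported in their own bucket rather than being silently treated as either active or stale. The reference date, the sample users, and the use of krbLastPwdChange as a rough lower bound on activity for entries with no auth record are my assumptions, not something the post establishes.

```python
"""Classify FreeIPA user entries for an inactivity policy (disable at 90 days,
delete at 180) from krbLastSuccessfulAuth, and separate out entries where that
attribute is missing, as the post reports for most users.

Added example, not from the post. Attribute names are standard FreeIPA schema;
the sample entries, the reference time and the fallback rule are constructed.
"""
from datetime import datetime, timedelta, timezone

DISABLE_AFTER = timedelta(days=90)
DELETE_AFTER = timedelta(days=180)

# Constructed reference time: the day the post was written.
NOW = datetime(2017, 1, 6, tzinfo=timezone.utc)

# Constructed entries in the shape an LDAP search would return them.
SAMPLE_USERS = [
    {"uid": "alice", "krbLastSuccessfulAuth": "20170101120000Z"},
    {"uid": "bob", "krbLastSuccessfulAuth": "20160901000000Z"},
    {"uid": "carol", "krbLastSuccessfulAuth": "20160601000000Z"},
    # No auth record, but a password change in the past: used, yet not tracked.
    {"uid": "dave", "krbLastPwdChange": "20160501000000Z",
     "krbPasswordExpiration": "20170501000000Z"},
    # No auth record and nothing else to go on.
    {"uid": "erin"},
]


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime as 389-ds stores it, e.g. 20170101120000Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def bucket_for_age(age):
    """Map an inactivity duration onto the policy action."""
    if age > DELETE_AFTER:
        return "delete"
    if age > DISABLE_AFTER:
        return "disable"
    return "active"


def classify(entries, now=NOW):
    """Return {'active': [...], 'disable': [...], 'delete': [...], 'no_auth_record': [...]}.
    Entries without krbLastSuccessfulAuth go to no_auth_record: applying the
    thresholds to them would disable or delete accounts that are in use."""
    buckets = {"active": [], "disable": [], "delete": [], "no_auth_record": []}
    for entry in entries:
        last = entry.get("krbLastSuccessfulAuth")
        if not last:
            buckets["no_auth_record"].append(entry["uid"])
            continue
        buckets[bucket_for_age(now - parse_generalized_time(last))].append(entry["uid"])
    return buckets


def fallback_classification(entry, now=NOW):
    """Assumed fallback for entries with no auth record: treat krbLastPwdChange as
    a lower bound on the last time the account was used. Returns None when even
    that is missing, so the account has to be reviewed by hand."""
    changed = entry.get("krbLastPwdChange")
    if not changed:
        return None
    return bucket_for_age(now - parse_generalized_time(changed))


if __name__ == "__main__":
    result = classify(SAMPLE_USERS)
    for action, uids in result.items():
        print(f"{action:15s} {', '.join(uids) or '-'}")
    for entry in SAMPLE_USERS:
        if entry["uid"] in result["no_auth_record"]:
            print(f"{entry['uid']}: fallback -> {fallback_classification(entry)}")
```

The point of the separate bucket is the one the post raises: an account with a valid, unexpired password and no krbLastSuccessfulAuth has plainly been used by some path the attribute does not record, so the automation should surface it for review instead of acting on it.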
Re: [Freeipa-users] Replication has stopped and server errors

2017-01-06 Thread Martin Basti



On 06.01.2017 00:29, sipazzo wrote:
I have 6 ipa servers in 3 locations running 4.2.0-15.0.1 on RHEL 7. 
Ipa1-dev is the CA Renewal and CRL Master server and where most of our 
updates (host enrollment, password changes) end up taking place.
Servers had been running fine. Over the holidays we started having 
some replication issues and looking at 
/var/log/dirsrv/slapd-REALM-COM/errors showed the following:


All servers currently have these errors for each replica the 
respective IPA servers are connected to:
NSMMReplicationPlugin - agmt="cn=meToipa2-dr.example.local" 
(ipa2-dr:389): Incremental update failed and requires administrator action
[04/Jan/2017:15:39:48 -0800] agmt="cn=meToipa1-dr.example.local" 
(ipa1-dr:389) - Can't locate CSN 583c8e7400060011 in the changelog 
(DB rc=-30988). If replication stops, the consumer may need to be 
reinitialized
NSMMReplicationPlugin - agmt="cn=meToipa1-prod.example.local" 
(ipa1-prod:389): Data required to update replica has been purged. The 
replica must be reinitialized.
[04/Jan/2017:13:33:26 -0800] NSMMReplicationPlugin - 
agmt="cn=meToipa2-dev.example.local" (ipa2-dev:389): Incremental 
update failed and requires administrator action
[04/Jan/2017:13:33:26 -0800] NSMMReplicationPlugin - 
agmt="cn=meToipa1-prod.example.local" (ipa1-prod:389): Incremental 
update failed and requires administrator action
[04/Jan/2017:13:33:27 -0800] agmt="cn=meToipa2-prod.example.local" 
(ipa2-prod:389) - Can't locate CSN 586d69f40012 in the 
changelog (DB rc=-30988). If replication stops, the consumer may need 
to be reinitialized.
And all servers have these types of errors which are worrisome but 
they go back quite a way

NSACLPlugin - The ACL target cn=dns,dc=example,dc=local does not exist
NSACLPlugin - The ACL target cn=dns,dc=example,dc=local does not exist
NSACLPlugin - The ACL target cn=groups,cn=compat,dc=example,dc=local 
does not exist
NSACLPlugin - The ACL target 
cn=computers,cn=compat,dc=example,dc=local does not exist
NSACLPlugin - The ACL target cn=casigningcert 
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=local does not exist
NSACLPlugin - The ACL target cn=casigningcert 
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=local does not exist
NSACLPlugin - The ACL target ou=sudoers,dc=networkfleet,dc=local 
does not exist

^^^ just INFO messages, you can ignore them



All servers except one have a lot of these
DSRetroclPlugin - delete_changerecord: could not delete change record
Ipa1-dev only has this
04/Jan/2017:18:36:52 -0800] NSMMReplicationPlugin - 
agmt="cn=masterAgreement1-ipa1-prod.example.local-pki-tomcat" 
(ipa1-prod:389): Replication bind with SIMPLE auth resumed
[04/Jan/2017:18:36:52 -0800] NSMMReplicationPlugin - 
agmt="cn=masterAgreement1-ipa2-dr.example.local-pki-tomcat" 
(ipa2-dr:389): Replication bind with SIMPLE auth resumed
[04/Jan/2017:18:36:52 -0800] NSMMReplicationPlugin - 
agmt="cn=masterAgreement1-ipa1-dr.example.local-pki-tomcat" 
(ipa1-dr:389): Replication bind with SIMPLE auth resumed
[04/Jan/2017:18:36:53 -0800] NSMMReplicationPlugin - 
agmt="cn=masterAgreement1-ipa2-prod.example.local-pki-tomcat" 
(ipa2-prod:389): Replication bind with SIMPLE auth resumed

3 servers (ipa1-dr ipa2-dr ipa2-prod) have these errors:
[01/Jan/2017:14:43:06 -0800] - libdb: BDB2055 Lock table is out of 
available lock entries
[01/Jan/2017:14:43:06 -0800] - compactdb: failed to compact changelog; 
db error - 12 Cannot allocate memory


you probably need https://access.redhat.com/solutions/1241063 to 
increase number of locks (or in this thread 
https://lists.fedoraproject.org/pipermail/389-users/2011-June/013299.html)


I would first increase the number of locks, and then look if something 
improved.
We also don't know what your topology looks like, which servers are 
connected together.


Martin


4 servers (ipa1-dev, ipa2-dev, ipa1-dr and ipa2-dr) have these errors
[04/Jan/2017:15:37:21 -0800] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-1 (Can't contact LDAP server) ((null)) errno 107 (Transport 
endpoint is not connected)
[04/Jan/2017:15:37:24 -0800] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-1 (Can't contact LDAP server) ((null)) errno 107 (Transport 
endpoint is not connected)


I have tried various combinations or restarting, re-initializing, 
disconnecting and reconnecting replicas but am down to only two 
servers replicating with each other currently (ipa1-dev and ipa2-dev). 
We did have a power outage at the dev location but it does not seem to 
correspond to when the errors started? Not sure how to recover from 
this. Any help is appreciated






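The error messages quoted in this thread lend themselves to mechanical triage across six servers' logs. The following is an added example, not code from the thread or from 389-ds: it scans errors-log lines, attaches each finding to the replication agreement peer the line names, and applies the reading given in the thread (lock-table exhaustion needs a larger lock table, a missing or purged CSN means that consumer needs re-initialising, the NSACLPlugin lines are informational). The sample lines are constructed to mirror the ones quoted above; the configuration attribute nsslapd-db-locks named in the advice text is my addition and does not appear on the page.

```python
"""Triage 389-ds / FreeIPA replication errors from the errors log.

Added example, not from the thread or 389-ds. The sample lines are
constructed after the ones quoted in the thread; the config attribute
nsslapd-db-locks named in the advice text is my addition.
"""
import re
from collections import defaultdict

# Constructed log lines, modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
[04/Jan/2017:15:39:48 -0800] agmt="cn=meToipa1-dr.example.local" (ipa1-dr:389) - Can't locate CSN 583c8e7400060011 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized
[04/Jan/2017:13:33:26 -0800] NSMMReplicationPlugin - agmt="cn=meToipa2-dev.example.local" (ipa2-dev:389): Incremental update failed and requires administrator action
[04/Jan/2017:13:33:26 -0800] NSMMReplicationPlugin - agmt="cn=meToipa1-prod.example.local" (ipa1-prod:389): Incremental update failed and requires administrator action
[04/Jan/2017:13:33:27 -0800] NSMMReplicationPlugin - agmt="cn=meToipa1-prod.example.local" (ipa1-prod:389): Data required to update replica has been purged. The replica must be reinitialized.
[01/Jan/2017:14:43:06 -0800] - libdb: BDB2055 Lock table is out of available lock entries
[01/Jan/2017:14:43:06 -0800] - compactdb: failed to compact changelog; db error - 12 Cannot allocate memory
[04/Jan/2017:15:37:21 -0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[04/Jan/2017:12:00:00 -0800] NSACLPlugin - The ACL target cn=dns,dc=example,dc=local does not exist
[04/Jan/2017:12:00:00 -0800] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=example,dc=local does not exist
"""

# (pattern, finding code, what to do about it); the first matching rule wins.
RULES = [
    (re.compile(r"Lock table is out of available lock entries"), "db_locks_exhausted",
     "raise the BDB lock table size (nsslapd-db-locks) and restart dirsrv"),
    (re.compile(r"failed to compact changelog"), "changelog_compaction_failed",
     "usually a consequence of lock exhaustion; recheck after the lock table is enlarged"),
    (re.compile(r"Can't locate CSN \w+ in the changelog"), "changelog_gap",
     "the supplier lacks the consumer's last CSN; re-initialise this consumer"),
    (re.compile(r"Data required to update replica has been purged"), "changelog_purged",
     "changelog trimmed past the consumer's state; re-initialise this consumer"),
    (re.compile(r"Incremental update failed and requires administrator action"), "incremental_update_failed",
     "replication over this agreement is halted until the underlying cause is fixed"),
    (re.compile(r"Transport endpoint is not connected"), "peer_unreachable",
     "GSSAPI bind failed at the TCP level; check the peer's dirsrv is running and reachable on 389"),
    (re.compile(r"NSACLPlugin - The ACL target .* does not exist"), "acl_target_missing_info",
     "informational only, safe to ignore"),
]
TS_RE = re.compile(r"^\[([^\]]+)\]")
AGMT_RE = re.compile(r'agmt="cn=[^"]+"\s*\(([^:)]+):\d+\)')
REINIT_CODES = {"changelog_gap", "changelog_purged"}


def triage(lines):
    """Return {scope: {code: {"count", "first_seen", "advice"}}}, where scope is
    the peer host named in the agreement, or "_server" for server-wide messages."""
    findings = defaultdict(dict)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts = TS_RE.match(line)
        peer = AGMT_RE.search(line)
        scope = peer.group(1) if peer else "_server"
        for pattern, code, advice in RULES:
            if pattern.search(line):
                record = findings[scope].setdefault(
                    code, {"count": 0, "first_seen": ts.group(1) if ts else None, "advice": advice})
                record["count"] += 1
                break
    return dict(findings)


def needs_reinit(findings):
    """Peers whose agreements show a changelog gap or purge, sorted for stable output."""
    return sorted(scope for scope, codes in findings.items()
                  if scope != "_server" and REINIT_CODES.intersection(codes))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for scope, codes in sorted(result.items()):
        for code, info in codes.items():
            print(f"{scope:10s} {code:28s} x{info['count']}  {info['advice']}")
    print("re-initialise:", ", ".join(needs_reinit(result)) or "none")
```

Running it on each server's errors log and comparing the per-peer results is a quick way to reconstruct which agreements are actually broken, which is the topology question Martin asks about, before re-initialising anything.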
Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Florence Blanc-Renaud

On 01/06/2017 05:36 PM, Jeff Goddard wrote:

Thanks Flo,

I was able to add the host to the keytab once I found the correct
command and then was able to issue

[root@id-management-1 pki-tomcat]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful


Hi Jeff,

the "ipa-cacert-manage renew" command renews the CA certificate (the one 
with the alias caSigningCert cert-pki-ca) but not the expired ones. You 
need to follow the instructions linked in my previous e-mail to fix them 
first, basically go back in time by setting the system clock time and 
let certmonger renew them.


HTH,
Flo.


But the pki-tomcat still fails to start. From the logs I get:

[root@id-management-1 pki-tomcat]# cat localhost.2017-01-06.log  |less
Jan 06, 2017 7:23:44 AM org.apache.catalina.core.ApplicationContext log
SEVERE: StandardWrapper.Throwable
java.lang.NullPointerException
at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1886)
at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:2115)
at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:2010)
at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1625)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

I found this thread:
https://www.redhat.com/archives/freeipa-users/2016-February/msg00125.html

but I don't have self-test logs from today, only from yesterday. Here
are the relevant debug logs from the most recent restart:

06/Jan/2017:11:13:55][localhost-startStop-1]:

[06/Jan/2017:11:13:55][localhost-startStop-1]: =  DEBUG SUBSYSTEM
INITIALIZED   ===
[06/Jan/2017:11:13:55][localhost-startStop-1]:

[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at
autoShutdown? false
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown
crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look
for cert for auto-shutdown 

Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-06 Thread Andy Brittingham

Sorry for the delay, was doing some troubleshooting.

Here is what I know now:

The problem is on Ubuntu hosts using older sssd versions 1.11.8 (Ubuntu 
14.04).


SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS 6.8) both work.

Users in the admin group can't log into these hosts.

I created a newadmins group and assigned a new user to it. When I add 
the "User Administrator" role the new user can't log into the hosts with 
older sssd.


As soon as I delete the "User Administrator" role, new user has access 
again.


I've pasted the last bit of logs from a sssd_domain log below. I'd be 
happy to forward the entire log, or additional logs if they will be helpful.



Andy


(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: 
[loginExpirationTime]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: 
[loginAllowedTimeMap]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 29
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_process_result] 
(0x2000): Trace: sh[0x1b47990], connected[1], ops[0x1b59ab0], 
ldap[0x1b2b030]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no 
errmsg set
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [groups_by_user_done] 
(0x0040): Failed to canonicalize name, using [rob].
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sysdb_search_user_by_name] (0x0400): No such entry
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_search_groups] 
(0x2000): Search groups with filter: (&(objectclass=group)(ghost=rob))
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_search_groups] 
(0x2000): No such entry
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_delete_user] 
(0x0400): Error: 2 (No such file or directory)
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [acctinfo_callback] 
(0x0100): Request processed. Returned 0,0,Success
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_process_result] 
(0x2000): Trace: sh[0x1b47990], connected[1], ops[(nil)], ldap[0x1b2b030]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_process_result] 
(0x2000): Trace: ldap_result found nothing!
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [be_get_account_info] 
(0x0100): Got request for [4099][1][name=monetra]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] [be_req_set_domain] 
(0x0400): Changing request domain from [monetra.com] to [monetra.com]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse 
domain SID from [(null)]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse 
domain SID from [(null)]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_initgr_next_base] (0x0400): Searching for users with base 
[cn=accounts,dc=monetra,dc=com]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
[(&(uid=monetra)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0][cn=accounts,dc=monetra,dc=com].
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Jan  6 10:00:15 2017) [sssd[be[monetra.com]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: 
[ipaNTSecurityIdentifier]
(Fri Jan  6 10:00:15 

Re: [Freeipa-users] FreeIPA DNS (named)

2017-01-06 Thread Martin Basti



On 06.01.2017 15:38, Günther J. Niederwimmer wrote:

Hello List,

I have configured my domain (DNSSEC) with Freeipa

Now I have to configure an internal ZONE with the same Domain NAME but with
internal IP's.

Is it possible to add a "view "internal""  "view "external"" to the named.conf
or is this overwritten by the FreeIPA DNS Module?


No, it will not work. IPA managed zones cannot be in views; there is no 
support in the bind-dyndb-ldap plugin for that.
This is still valid 
https://www.redhat.com/archives/freeipa-users/2016-July/msg00434.html


Is there another way to do this with FreeIPA?


No, you can create views only for zones which aren't managed by IPA



Thanks for an answer,



Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Thanks Flo,

I was able to add the host to the keytab once I found the correct command
and then was able to issue

[root@id-management-1 pki-tomcat]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

But the pki-tomcat still fails to start. From the logs I get:

[root@id-management-1 pki-tomcat]# cat localhost.2017-01-06.log  |less
Jan 06, 2017 7:23:44 AM org.apache.catalina.core.ApplicationContext log
SEVERE: StandardWrapper.Throwable
java.lang.NullPointerException
at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1886)
at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:2115)
at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:2010)
at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1625)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

I found this thread: https://www.redhat.com/archives/freeipa-users/2016-February/msg00125.html
but I don't have self-test logs from today, only from yesterday. Here are the
relevant debug logs from the most recent restart:

[06/Jan/2017:11:13:55][localhost-startStop-1]:
[06/Jan/2017:11:13:55][localhost-startStop-1]: =  DEBUG SUBSYSTEM INITIALIZED   ===
[06/Jan/2017:11:13:55][localhost-startStop-1]:
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=debug
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized debug
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=log

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Florence Blanc-Renaud

On 01/06/2017 04:47 PM, Jeff Goddard wrote:

Sorry for the typo. Here is the correct output:
ldapsearch -h id-management-1.internal.emerlyn.com

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:




When I look at the certificates I get errors regarding a host service in
the keytab. Here is the output:

[root@id-management-1 ca]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20150116161829':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn@internal.emerlyn.com.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
expires: 2017-01-16 16:18:29 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv INTERNAL-EMERLYN-COM
track: yes
auto-renew: yes
Request ID '20150116162120':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn@internal.emerlyn.com.
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
expires: 2017-01-16 16:21:20 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20151217174142':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=CA Audit,O=INTERNAL.EMERLYN.COM
expires: 2017-01-05 16:18:01 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20151217174143':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=OCSP Subsystem,O=INTERNAL.EMERLYN.COM
expires: 2017-01-05 16:17:58 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20151217174144':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage:

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Sorry for the typo. Here is the correct output:
ldapsearch -h id-management-1.internal.emerlyn.com
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:




When I look at the certificates I get errors regarding a host service in
the keytab. Here is the output:

[root@id-management-1 ca]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20150116161829':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn@internal.emerlyn.com.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
expires: 2017-01-16 16:18:29 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv INTERNAL-EMERLYN-COM
track: yes
auto-renew: yes
Request ID '20150116162120':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn@internal.emerlyn.com.
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
expires: 2017-01-16 16:21:20 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20151217174142':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=CA Audit,O=INTERNAL.EMERLYN.COM
expires: 2017-01-05 16:18:01 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20151217174143':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=OCSP Subsystem,O=INTERNAL.EMERLYN.COM
expires: 2017-01-05 16:17:58 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20151217174144':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=CA Subsystem,O=INTERNAL.EMERLYN.COM
expires: 2017-01-05 16:17:59 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: 

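A defender's check for the certmonger state shown in the `getcert list` dump above, as an added example that is not code from the thread, from certmonger or from FreeIPA: it parses `getcert list` output (re-joining lines a mail client has wrapped), then flags every tracked request that is expired, close to expiry, stuck, not in MONITORING state or carrying a ca-error, which is exactly the condition of the three pki-tomcat certificates in this thread. The sample output, its subjects, realm and dates are constructed; the nicknames, NSS database paths and field names are certmonger's own.

```python
"""Triage `getcert list` output: flag tracked certificates that need attention."""
import re
from datetime import datetime, timedelta, timezone

# Field names certmonger prints, one per line, under each "Request ID" block.
# Any other line is a continuation of the previous field, which re-joins
# values that a mail client wrapped onto several lines.
FIELDS = {
    "status", "ca-error", "stuck", "key pair storage", "certificate", "CA",
    "issuer", "subject", "expires", "key usage", "eku", "pre-save command",
    "post-save command", "track", "auto-renew",
}
REQ_RE = re.compile(r"^Request ID '([^']+)':")
NICK_RE = re.compile(r"nickname='([^']*)'")

# Constructed sample in the shape of the thread's dump (realm, subjects and
# dates are made up); two lines are deliberately mail-wrapped.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20150116161829':
\tstatus: MONITORING
\tca-error: Error setting up ccache for "host" service on client
using default keytab: Keytab contains no suitable keys for host/ipa.example.test
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2017-01-16 16:18:29 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20151217174142':
\tstatus: CA_UNREACHABLE
\tca-error: Internal error
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2017-01-05 16:18:01 UTC
\ttrack: yes
\tauto-renew: yes
"""

# The date of the thread, used as "now" when the script runs stand-alone.
THREAD_DATE = datetime(2017, 1, 6, 12, 0, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by certmonger field name."""
    requests, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            last_key = None
            continue
        if current is None:
            continue  # header line before the first request
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key in FIELDS:
            current[key] = value.strip()
            last_key = key
        elif last_key is not None:
            # wrapped continuation of the previous field's value
            current[last_key] = (current[last_key] + " " + line).strip()
    return requests


def parse_expires(value):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    stamp = value.replace(" UTC", "")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def nickname(req):
    m = NICK_RE.search(req.get("key pair storage", ""))
    return m.group(1) if m else "?"


def triage(requests, now, warn_days=30):
    """Map request id -> (nickname, [problem, ...]); an empty list means healthy."""
    report = {}
    for req in requests:
        problems = []
        status = req.get("status", "")
        if status != "MONITORING":
            problems.append("status " + status)
        if req.get("ca-error"):
            problems.append("ca-error")
        if req.get("stuck", "no") != "no":
            problems.append("stuck")
        if "expires" in req:
            expires_at = parse_expires(req["expires"])
            if expires_at <= now:
                problems.append("expired " + req["expires"])
            elif expires_at - now < timedelta(days=warn_days):
                problems.append("expires within %d days" % warn_days)
        report[req["request_id"]] = (nickname(req), problems)
    return report


if __name__ == "__main__":
    for rid, (nick, problems) in triage(parse_getcert_list(SAMPLE), THREAD_DATE).items():
        print(rid, nick, "OK" if not problems else "; ".join(problems))
```

Against a live server, replace SAMPLE with the output of `getcert list` and THREAD_DATE with the current time; any entry with a non-empty problem list is one certmonger will not renew on its own.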
Re: [Freeipa-users] IPA to IPA migration

2017-01-06 Thread Ian Harding


On 01/05/2017 07:17 AM, Rob Crittenden wrote:
> Timothy Geier wrote:
>> This is something I’ve looked at lately and a manual proof of concept I
>> just did (using ideas from
>> https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA)
>> makes it seem theoretically possible (though it looks like, barring the
>> migration of the kerberos master key, all enrolled hosts would need to
>> use ipa-getkeytab to get a replacement keytab from the new server and
>> copy it to /etc/krb5.keytab so that sssd will work properly..the
>> alternative is re-enrollment.  All other keytabs in use by other
>> applications would have to be similarly replaced).  
> 
> Why migrate at all?

It is possible to get a FreeIPA installation so boogered up that it's
just not salvageable.  I'm pretty close to that right now.  The
replication model is really great but it replicates all my mistakes.

Maybe I'm just not smart enough, but I suspect others have wished they
could just throw in the towel and start over.  I would if it were
relatively easy, that is, if I could export and reimport users (ideally
with passwords), hosts, groups, hbac rules, etc.  I wouldn't even mind
having to re-enroll them.



-- 
Ian Harding
IT Director
Brown Paper Tickets
1-800-838-3006 ext 7186
http://www.brownpapertickets.com



Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote:
> My environment is freeipa 4.4; centos 7.3. This system was upgraded as
> of yesterday afternoon. I'm unable to start pki-tomcat. The debug log
> shows this entry:
> 
> Internal Database Error encountered: Could not connect to LDAP server host id-management-1.internal.emerlyn.com port 636 Error
> netscape.ldap.LDAPException: Authentication failed (48)
> at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
> at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
> at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
> at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
> at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
> at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
> at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
> at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
> at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
> at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> 
> 
> I'm able to get a kerberos ticket using kinit but ldap search gives this
> error:
> 
> ldapsearch -h id-manaement-1.internal.emerlyn.com -x -b "cn=CAcert,cn=ipa,cn=etc,dc=internal,dc=emerlyn,dc=com"
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> 
> adding the -d1 debugging tag results in:
> 
> ldap_create
> ldap_url_parse_ext(ldap://id-manaement-1.internal.emerlyn.com)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP id-manaement-1.internal.emerlyn.com:389
> ldap_connect_to_host: getaddrinfo failed: Name or service not known
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> 
> I'm able to resolve the hostname via nslookup and /etc/hosts has the
> correct mapping entry.
> 
> I'm kind of lost at this point and could use some help.
> 
> Thanks in advance.

You have a typo in the hostname you're trying to connect to, missing the
'g' in management.

I have a vague memory from other reports of this issue that the problem
may be that the value of the certificate(s) in CS.cfg is 

[Freeipa-users] FreeIPA DNS (named)

2017-01-06 Thread Günther J. Niederwimmer
Hello List,

I have configured my domain (DNSSEC) with Freeipa

Now I have to configure an internal ZONE with the same Domain NAME but with 
internal IP's.

Is it possible to add a "view "internal""  "view "external"" to the named.conf 
or is this overwritten by the FreeIPA DNS Module?

Is there another way to do this with FreeIPA?

Thanks for an answer,

-- 
mit freundlichen Grüssen / best regards

  Günther J. Niederwimmer



Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-06 Thread Jakub Hrozek
On Fri, Jan 06, 2017 at 09:01:12AM -0500, Andy Brittingham wrote:
> Hi,
> 
> I upgraded my Freeipa servers to 4.4.0-14 on CentOS 7 yesterday. None of my
> Ubuntu clients with versions < 16.04 (sssd version 1.13.4) can authenticate
> against the upgraded servers. It appears the problem is the version of sssd
> that is installed in the earlier Ubuntu versions. Is this a known issue and
> does anyone know of a workaround for this? The sssd package in the PPA repo
> for 14.04 (1.12.5-1~trusty) didn't fix the issue.

What do the sssd logs say?



[Freeipa-users] Replication has stopped and server errors

2017-01-06 Thread sipazzo
I have 6 ipaservers in 3 locations running 4.2.0-15.0.1 on RHEL 7. Ipa1-dev is 
the CA Renewal and CRL Master server and where most of our updates (host 
enrollment, password changes) end up taking place. Servers had been running fine. 
Over the holidays we started having some replication issues and looking at 
/var/log/dirsrv/slapd-REALM-COM/errors showed the following:

All servers currently have these errors for each replica the respective IPA 
servers are connected to:

NSMMReplicationPlugin - agmt="cn=meToipa2-dr.example.local" (ipa2-dr:389): Incremental update failed and requires administrator action
[04/Jan/2017:15:39:48 -0800] agmt="cn=meToipa1-dr.example.local" (ipa1-dr:389) - Can't locate CSN 583c8e7400060011 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized
NSMMReplicationPlugin - agmt="cn=meToipa1-prod.example.local" (ipa1-prod:389): Data required to update replica has been purged. The replica must be reinitialized.
[04/Jan/2017:13:33:26 -0800] NSMMReplicationPlugin - agmt="cn=meToipa2-dev.example.local" (ipa2-dev:389): Incremental update failed and requires administrator action
[04/Jan/2017:13:33:26 -0800] NSMMReplicationPlugin - agmt="cn=meToipa1-prod.example.local" (ipa1-prod:389): Incremental update failed and requires administrator action
[04/Jan/2017:13:33:27 -0800] agmt="cn=meToipa2-prod.example.local" (ipa2-prod:389) - Can't locate CSN 586d69f40012 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.

And all servers have these types of errors, which are worrisome but they go 
back quite a way:

NSACLPlugin - The ACL target cn=dns,dc=example,dc=local does not exist
NSACLPlugin - The ACL target cn=dns,dc=example,dc=local does not exist
NSACLPlugin - The ACL target cn=groups,cn=compat,dc=example,dc=local does not exist
NSACLPlugin - The ACL target cn=computers,cn=compat,dc=example,dc=local does not exist
NSACLPlugin - The ACL target cn=casigningcertcert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=local does not exist
NSACLPlugin - The ACL target cn=casigningcertcert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=local does not exist
NSACLPlugin - The ACL target ou=sudoers,dc=networkfleet,dc=local does not exist

All servers except one have a lot of these:

DSRetroclPlugin - delete_changerecord: could not delete change record

Ipa1-dev only has this:

[04/Jan/2017:18:36:52 -0800] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipa1-prod.example.local-pki-tomcat" (ipa1-prod:389): Replication bind with SIMPLE auth resumed
[04/Jan/2017:18:36:52 -0800] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipa2-dr.example.local-pki-tomcat" (ipa2-dr:389): Replication bind with SIMPLE auth resumed
[04/Jan/2017:18:36:52 -0800] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipa1-dr.example.local-pki-tomcat" (ipa1-dr:389): Replication bind with SIMPLE auth resumed
[04/Jan/2017:18:36:53 -0800] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipa2-prod.example.local-pki-tomcat" (ipa2-prod:389): Replication bind with SIMPLE auth resumed

3 servers (ipa1-dr, ipa2-dr, ipa2-prod) have these errors:

[01/Jan/2017:14:43:06 -0800] - libdb: BDB2055 Lock table is out of available lock entries
[01/Jan/2017:14:43:06 -0800] - compactdb: failed to compact changelog; db error - 12 Cannot allocate memory

4 servers (ipa1-dev, ipa2-dev, ipa1-dr and ipa2-dr) have these errors:

[04/Jan/2017:15:37:21 -0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[04/Jan/2017:15:37:24 -0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

I have tried various combinations of restarting, re-initializing, disconnecting 
and reconnecting replicas but am down to only two servers replicating with each 
other currently (ipa1-dev and ipa2-dev). We did have a power outage at the dev 
location but it does not seem to correspond to when the errors started? Not 
sure how to recover from this. Any help is appreciated.

[Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-06 Thread Andy Brittingham

Hi,

I upgraded my Freeipa servers to 4.4.0-14 on CentOS 7 yesterday. None of 
my Ubuntu clients with versions < 16.04 (sssd version 1.13.4) can 
authenticate against the upgraded servers. It appears the problem is the 
version of sssd that is installed in the earlier Ubuntu versions. Is 
this a known issue and does anyone know of a workaround for this? The 
sssd package in the PPA repo for 14.04 (1.12.5-1~trusty) didn't fix the 
issue.



Thanks,

Andy




[Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
My environment is freeipa 4.4; centos 7.3. This system was upgraded as of
yesterday afternoon. I'm unable to start pki-tomcat. The debug log shows
this entry:

Internal Database Error encountered: Could not connect to LDAP server host id-management-1.internal.emerlyn.com port 636 Error
netscape.ldap.LDAPException: Authentication failed (48)
at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)


I'm able to get a kerberos ticket using kinit but ldap search gives this
error:

ldapsearch -h id-manaement-1.internal.emerlyn.com -x -b "cn=CAcert,cn=ipa,cn=etc,dc=internal,dc=emerlyn,dc=com"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

adding the -d1 debugging tag results in:

ldap_create
ldap_url_parse_ext(ldap://id-manaement-1.internal.emerlyn.com)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP id-manaement-1.internal.emerlyn.com:389
ldap_connect_to_host: getaddrinfo failed: Name or service not known
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I'm able to resolve the hostname via nslookup and /etc/hosts has the
correct mapping entry.

I'm kind of lost at this point and could use some help.

Thanks in advance.



Jeff
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
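The "getaddrinfo failed" line versus a working nslookup comes down to which resolver path each tool takes, and the following added example (not code from the thread or from OpenLDAP) models it offline. libldap resolves the host with getaddrinfo(3), which walks the sources on the `hosts:` line of /etc/nsswitch.conf, normally `files` first and then `dns`; nslookup and dig send a query straight to the DNS server and never consult /etc/hosts or nsswitch. The /etc/hosts and nsswitch.conf contents, the address 192.0.2.10 and the `DNS_ANSWERS` table are all constructed for the example; only the hostname comes from the post.

```python
"""Simulate the getaddrinfo(3) NSS walk beside a direct DNS query.

Added example, not part of the thread. Two constructed nsswitch.conf
variants are compared: plain 'files dns', and 'files [NOTFOUND=return] dns',
where glibc stops after a miss in /etc/hosts and getaddrinfo reports
"Name or service not known" even though the DNS server answers.
"""
import re

NAME = "id-manaement-1.internal.emerlyn.com"   # hostname as typed in the post

HOSTS_TEXT = """# constructed /etc/hosts for the example
127.0.0.1   localhost
192.0.2.10  id-manaement-1          # short name only, no FQDN alias
"""
NSSWITCH_FALLTHROUGH = "hosts: files dns myhostname\n"      # constructed
NSSWITCH_STOP = "hosts: files [NOTFOUND=return] dns\n"      # constructed
# Stand-in for what the DNS server answers (what nslookup/dig would show).
DNS_ANSWERS = {"id-manaement-1.internal.emerlyn.com": ["192.0.2.10"]}

ACTION_RE = re.compile(r"\[([!A-Z]+)=(\w+)\]")   # e.g. [NOTFOUND=return]


def nss_hosts_sources(nsswitch_text):
    """Parse the 'hosts:' line into [(source, {STATUS: action}), ...]."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        sources = []
        for tok in line[len("hosts:"):].split():
            m = ACTION_RE.fullmatch(tok)
            if m:
                if sources:            # action applies to the preceding source
                    sources[-1][1][m.group(1)] = m.group(2).lower()
            else:
                sources.append((tok, {}))
        return sources
    return []


def hosts_file_lookup(name, hosts_text):
    """Addresses whose hostname or alias matches `name` exactly (case-insensitive),
    which is how the glibc 'files' backend matches /etc/hosts."""
    addrs = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            addrs.append(fields[0])
    return addrs


def getaddrinfo_sim(name, nsswitch_text, hosts_text, dns_answers):
    """Walk the NSS sources in order; return (source_that_answered, addrs)."""
    for source, actions in nss_hosts_sources(nsswitch_text):
        if source == "files":
            addrs = hosts_file_lookup(name, hosts_text)
        elif source == "dns":
            addrs = list(dns_answers.get(name.lower().rstrip("."), []))
        else:
            addrs = []                 # myhostname, mdns, ... not modelled here
        if addrs:
            return source, addrs
        if actions.get("NOTFOUND") == "return":
            break                      # glibc stops: "Name or service not known"
    return None, []


def nslookup_sim(name, dns_answers):
    """A direct DNS query: /etc/hosts and nsswitch.conf play no part."""
    return list(dns_answers.get(name.lower().rstrip("."), []))


if __name__ == "__main__":
    print("nslookup          :", nslookup_sim(NAME, DNS_ANSWERS))
    print("files dns         :", getaddrinfo_sim(NAME, NSSWITCH_FALLTHROUGH, HOSTS_TEXT, DNS_ANSWERS))
    print("files [NOTFOUND]  :", getaddrinfo_sim(NAME, NSSWITCH_STOP, HOSTS_TEXT, DNS_ANSWERS))
```

The practical checks this encodes: the name in /etc/hosts must match the name the client passes byte for byte (short name versus FQDN, no stray characters), the `hosts:` line must actually reach `dns` for names that only DNS knows, and a `[NOTFOUND=return]` action after `files` turns a hosts-file miss into a hard failure. `getent hosts <name>` on the affected box exercises the same NSS path as ldapsearch and is the quickest way to tell the two paths apart.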

Re: [Freeipa-users] Failed to connect, going offline (5 [Input/output error])

2017-01-06 Thread rajat gupta
sssd.conf from the ilt-gif-ipa02

[root@ilt-gif-ipa02 ~]# cat /etc/sssd/sssd.conf
[domain/ipa.preprod.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.preprod.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ilt-gif-ipa02.ipa.preprod.local
chpass_provider = ipa
ipa_server = _srv_, ilt-gif-ipa01.ipa.preprod.local
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9

[sssd]
default_domain_suffix = corp.corpcommon.com
services = nss, sudo, pam, ssh
debug_level = 9
domains = ipa.preprod.local

[nss]
override_homedir = /home/%u
debug_level = 9

[pam]
debug_level = 9

[sudo]

[autofs]

[ssh]
debug_level = 9

[pac]

[ifp]

On Fri, Jan 6, 2017 at 11:31 AM, rajat gupta  wrote:

> Hi,
>
> Only a few users are able to log in. IPA AD-trust setup.
>
> ==
> Jan  6 10:48:36 ilt-gif-ipa02 sshd[22490]: reverse mapping checking
> getaddrinfo for ilp-noatun.man.cosng.net [146.213.128.135] failed -
> POSSIBLE BREAK-IN ATTEMPT!
> Jan  6 10:48:48 ilt-gif-ipa02 sshd[22490]: Invalid user et33015 from
> 146.213.128.135
> Jan  6 10:48:48 ilt-gif-ipa02 sshd[22490]: input_userauth_request: invalid
> user et33015 [preauth]
> Jan  6 10:48:48 ilt-gif-ipa02 sshd[22490]: error: PAM: User not known to
> the underlying authentication module for illegal user et33015 from x.x.x.x
> Jan  6 10:48:48 ilt-gif-ipa02 sshd[22490]: Failed keyboard-interactive/pam
> for invalid user et33015 from x.x.x.x port 51270 ssh2
> Jan  6 10:48:56 ilt-gif-ipa02 sshd[22490]: Failed password for invalid
> user et33015 from 146.213.128.135 port 51270 ssh2
> Jan  6 10:49:00 ilt-gif-ipa02 sshd[22490]: Failed password for invalid
> user et33015 from 146.213.128.135 port 51270 ssh2
> Jan  6 10:49:02 ilt-gif-ipa02 sshd[22490]: Failed password for invalid
> user et33015 from 146.213.128.135 port 51270 ssh2
> Jan  6 10:49:32 ilt-gif-ipa02 sshd[22490]: Connection closed by x.x.x.x
> [preauth]
> 
>
> 
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> [get_server_status] (0x1000): Status of server 
> 'ilt-gif-ipa01.ipa.preprod.local'
> is 'working'
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [get_port_status]
> (0x1000): Port status of port 0 for server 'ilt-gif-ipa01.ipa.preprod.local'
> is 'not working'
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> [be_resolve_server_done] (0x1000): Server resolution failed: [5]:
> Input/output error
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5
> [Input/output error])
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_mark_offline]
> (0x2000): Going offline!
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_mark_offline]
> (0x2000): Initialize check_if_online_ptask.
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_ptask_create]
> (0x0400): Periodic task [Check if online (periodic)] was created
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling
> task 72 seconds from now [1483696200]
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> [be_run_offline_cb] (0x0080): Going offline. Running callbacks
>
> I am able to getent and kinit for all of the AD users, but most of the
> users are not able to log in via ssh / AD password.
>
> getent passwd  et33015
> et33...@corp.corpcommon.com:*:1007629326:1007629326:Th Sub:/home/et33015:
>
> and
>
> kinit et33...@corp.corpcommon.com
>
>
>
> --
>
> Rajat Gupta
>



-- 

Rajat Gupta

Re: [Freeipa-users] Failed to connect, going offline (5 [Input/output error])

2017-01-06 Thread Sumit Bose
On Fri, Jan 06, 2017 at 11:31:31AM +0100, rajat gupta wrote:
> Hi,
> 
> Only a few users are able to log in. IPA AD-trust setup.

More details are needed here. Can you at least share sssd.conf from the
ilt-gif-ipa02?

> 
> ==
> Jan  6 10:48:36 ilt-gif-ipa02 sshd[22490]: reverse mapping checking
> getaddrinfo for ilp-noatun.man.cosng.net [146.213.128.135] failed -
> POSSIBLE BREAK-IN ATTEMPT!
> Jan  6 10:48:48 ilt-gif-ipa02 sshd[22490]: Invalid user et33015 from
> 146.213.128.135
> Jan  6 10:48:48 ilt-gif-ipa02 sshd[22490]: input_userauth_request: invalid
> user et33015 [preauth]
> Jan  6 10:48:48 ilt-gif-ipa02 sshd[22490]: error: PAM: User not known to
> the underlying authentication module for illegal user et33015 from x.x.x.x
> Jan  6 10:48:48 ilt-gif-ipa02 sshd[22490]: Failed keyboard-interactive/pam
> for invalid user et33015 from x.x.x.x port 51270 ssh2
> Jan  6 10:48:56 ilt-gif-ipa02 sshd[22490]: Failed password for invalid user
> et33015 from 146.213.128.135 port 51270 ssh2
> Jan  6 10:49:00 ilt-gif-ipa02 sshd[22490]: Failed password for invalid user
> et33015 from 146.213.128.135 port 51270 ssh2
> Jan  6 10:49:02 ilt-gif-ipa02 sshd[22490]: Failed password for invalid user
> et33015 from 146.213.128.135 port 51270 ssh2
> Jan  6 10:49:32 ilt-gif-ipa02 sshd[22490]: Connection closed by x.x.x.x
> [preauth]
> 
> 
> 
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> [get_server_status] (0x1000): Status of server
> 'ilt-gif-ipa01.ipa.preprod.local' is 'working'
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [get_port_status]
> (0x1000): Port status of port 0 for server
> 'ilt-gif-ipa01.ipa.preprod.local' is 'not working'

Is it expected that ilt-gif-ipa01.ipa.preprod.local is not reachable?
Does authentication work on this server? Please send the full log so that it
can be checked what happened before and why SSSD assumes that the server
is 'not working'.

bye,
Sumit

> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> [be_resolve_server_done] (0x1000): Server resolution failed: [5]:
> Input/output error
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5
> [Input/output error])
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_mark_offline]
> (0x2000): Going offline!
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_mark_offline]
> (0x2000): Initialize check_if_online_ptask.
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_ptask_create]
> (0x0400): Periodic task [Check if online (periodic)] was created
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling
> task 72 seconds from now [1483696200]
> (Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> [be_run_offline_cb] (0x0080): Going offline. Running callbacks
> 
> I am able to getent and kinit for all of the AD users, but most of the users
> are not able to log in via ssh / AD password.
> 
> getent passwd  et33015
> et33...@corp.corpcommon.com:*:1007629326:1007629326:Th Sub:/home/et33015:
> 
> and
> 
> kinit et33...@corp.corpcommon.com
> 
> 
> 
> -- 
> 
> Rajat Gupta




[Freeipa-users] Failed to connect, going offline (5 [Input/output error])

2017-01-06 Thread rajat gupta
Hi,

Only a few users are able to log in. IPA AD-trust setup.

==
Jan  6 10:48:36 ilt-gif-ipa02 sshd[22490]: reverse mapping checking
getaddrinfo for ilp-noatun.man.cosng.net [146.213.128.135] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jan  6 10:48:48 ilt-gif-ipa02 sshd[22490]: Invalid user et33015 from
146.213.128.135
Jan  6 10:48:48 ilt-gif-ipa02 sshd[22490]: input_userauth_request: invalid
user et33015 [preauth]
Jan  6 10:48:48 ilt-gif-ipa02 sshd[22490]: error: PAM: User not known to
the underlying authentication module for illegal user et33015 from x.x.x.x
Jan  6 10:48:48 ilt-gif-ipa02 sshd[22490]: Failed keyboard-interactive/pam
for invalid user et33015 from x.x.x.x port 51270 ssh2
Jan  6 10:48:56 ilt-gif-ipa02 sshd[22490]: Failed password for invalid user
et33015 from 146.213.128.135 port 51270 ssh2
Jan  6 10:49:00 ilt-gif-ipa02 sshd[22490]: Failed password for invalid user
et33015 from 146.213.128.135 port 51270 ssh2
Jan  6 10:49:02 ilt-gif-ipa02 sshd[22490]: Failed password for invalid user
et33015 from 146.213.128.135 port 51270 ssh2
Jan  6 10:49:32 ilt-gif-ipa02 sshd[22490]: Connection closed by x.x.x.x
[preauth]



(Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
[get_server_status] (0x1000): Status of server
'ilt-gif-ipa01.ipa.preprod.local' is 'working'
(Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [get_port_status]
(0x1000): Port status of port 0 for server
'ilt-gif-ipa01.ipa.preprod.local' is 'not working'
(Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
[fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
(Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
[be_resolve_server_done] (0x1000): Server resolution failed: [5]:
Input/output error
(Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
[sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5
[Input/output error])
(Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_mark_offline]
(0x2000): Going offline!
(Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_mark_offline]
(0x2000): Initialize check_if_online_ptask.
(Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_ptask_create]
(0x0400): Periodic task [Check if online (periodic)] was created
(Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
[be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling
task 72 seconds from now [1483696200]
(Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
[be_run_offline_cb] (0x0080): Going offline. Running callbacks

I am able to getent and kinit for all of the AD users, but most of the users
are not able to log in via ssh / AD password.

getent passwd  et33015
et33...@corp.corpcommon.com:*:1007629326:1007629326:Th Sub:/home/et33015:

and

kinit et33...@corp.corpcommon.com



-- 

Rajat Gupta
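The sshd and SSSD lines in this post, read together, show why the login failures look like an attack in the syslog but are not one. sshd logs "Invalid user" when the NSS lookup of the login name fails, and PAM then reports "User not known to the underlying authentication module"; on an SSSD client that lookup fails for every domain user while the backend is offline. The "reverse mapping checking getaddrinfo ... failed - POSSIBLE BREAK-IN ATTEMPT!" line only means the client's reverse DNS did not map back to its address and says nothing about the user lookup. The following is an added example, not code from the thread, SSSD or OpenSSH: it parses the lines quoted above (re-joined onto single lines), correlates each "Invalid user" with SSSD's `be_mark_offline` events, and separates backend outages from genuine unknown-user attempts. The 09:00 line, the address 203.0.113.9 and the year 2017 for the syslog timestamps are assumptions added for the example.

```python
"""Triage sshd 'Invalid user' events against the SSSD backend state.

Added example, not from the thread. Sample lines are the ones quoted in the
post, re-joined onto single lines, plus one constructed line (09:00, admin,
203.0.113.9) with no SSSD outage nearby so both verdicts are exercised.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

SYSLOG_YEAR = 2017   # syslog lines carry no year; assumed from the SSSD log

SSHD_LINES = [
    # constructed: a lookup failure with no backend outage near it
    "Jan  6 09:00:00 ilt-gif-ipa02 sshd[1234]: Invalid user admin from 203.0.113.9",
    # from the post
    "Jan  6 10:48:36 ilt-gif-ipa02 sshd[22490]: reverse mapping checking getaddrinfo for ilp-noatun.man.cosng.net [146.213.128.135] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jan  6 10:48:48 ilt-gif-ipa02 sshd[22490]: Invalid user et33015 from 146.213.128.135",
    "Jan  6 10:48:48 ilt-gif-ipa02 sshd[22490]: error: PAM: User not known to the underlying authentication module for illegal user et33015 from x.x.x.x",
]

SSSD_LINES = [
    "(Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [get_port_status] (0x1000): Port status of port 0 for server 'ilt-gif-ipa01.ipa.preprod.local' is 'not working'",
    "(Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])",
    "(Fri Jan  6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_mark_offline] (0x2000): Going offline!",
]

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+)(?: port \d+)?$")
SSSD_RE = re.compile(
    r"^\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\) "
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")


def parse_invalid_user(lines):
    """(timestamp, user, source address) for each sshd 'Invalid user' line."""
    out = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["src"]))
    return out


def parse_offline_marks(lines):
    """Timestamps at which the SSSD backend marked itself offline."""
    out = []
    for line in lines:
        m = SSSD_RE.match(line)
        if m and m["func"] == "be_mark_offline" and m["msg"].startswith("Going offline"):
            out.append(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"))
    return out


def classify(invalid_users, offline_marks, window=timedelta(minutes=5)):
    """'backend-offline' if SSSD went offline within `window` before the
    failure (NSS could not see any domain user), otherwise 'unknown-user'."""
    verdicts = []
    for ts, user, src in invalid_users:
        recent = any(timedelta(0) <= ts - t <= window for t in offline_marks)
        verdicts.append((user, src, "backend-offline" if recent else "unknown-user"))
    return verdicts


def guessing_sources(verdicts, threshold=1):
    """Source addresses with more than `threshold` genuinely unknown users:
    the ones worth treating as credential guessing rather than an outage."""
    counts = Counter(src for _, src, v in verdicts if v == "unknown-user")
    return sorted(src for src, n in counts.items() if n > threshold)


if __name__ == "__main__":
    verdicts = classify(parse_invalid_user(SSHD_LINES), parse_offline_marks(SSSD_LINES))
    for user, src, verdict in verdicts:
        print(f"{user:10} {src:16} {verdict}")
    print("guessing sources:", guessing_sources(verdicts))
```

Run against the real files, `/var/log/secure` and `/var/log/sssd/sssd_ipa.preprod.local.log`, the same correlation answers Sumit's question from the other direction: every "Invalid user" that lands inside an SSSD offline window is an outage symptom, and only the remainder deserves the brute-force treatment the sshd wording invites.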