[Freeipa-users] Error deleting IPA host: SSL peer cannot verify your certificate
Although I had previously been using a self-signed certificate, I recently started using a cert signed by InCommon CA on my FreeIPA master (still on IPA 3.0.0 at this time). I added the certificate and intermediate certificates to /etc/ssl/certs and the certificate database in /etc/dirsrv/slapd-EXAMPLE-COM. /etc/httpd/conf.d/nss.conf is pointing to the new certificate for NSSNickname.

I can log into the web UI, but when I attempt to delete a host I get the following error:

    Operations Error
    Some entries were not deleted
    Show details

Under "Show details":

    cannot connect to 'https://freeipa.example.com:443/ca/agent/ca/displayBySerial': (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

Likewise, if I attempt to delete a host using the CLI I get an error message:

    # ipa host-del host-01.example.com
    ipa: ERROR: cert validation failed for "CN=freeipa.example.com,OU=Example Unit,O=Example Org,L=Example City,ST=MN,C=US" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
    ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://freeipa.example.com/ipa/xml

If I enable the verbose flag -vv, I see that it is making an HTTP POST request to https://freeipa.example.com/ipa/xml. It looks like Firefox on my local client trusts the certificate, but that the server itself does not trust its own certificate when connecting to itself.

Can anyone advise on how I can address this issue?

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Auto create kerberos/ldap SRV records on subdomain
Hi Alexander,

Superb, thanks a lot for this quick fix!

Matt

2017-04-04 20:48 GMT+02:00 Alexander Bokovoy:
> On ti, 04 huhti 2017, Matt . wrote:
>>
>> Hi guys,
>>
>> Is it possible to create in a simple way the SRV domains for kerberos
>> on subdomains? It's a pain to add them all manually when you have a
>> lot of subdomains.
>>
>> I hope someone has a solution.
>
> Create TXT record _kerberos.sub.domain.tld that contains the name of your
> Kerberos realm in upper case. For MIT Kerberos clients this is enough to
> discover their proper Kerberos realm and DNS domain for SRV record
> discovery.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] Auto create kerberos/ldap SRV records on subdomain
On ti, 04 huhti 2017, Matt . wrote:
> Hi guys,
>
> Is it possible to create in a simple way the SRV domains for kerberos
> on subdomains? It's a pain to add them all manually when you have a
> lot of subdomains.
>
> I hope someone has a solution.

Create TXT record _kerberos.sub.domain.tld that contains the name of your
Kerberos realm in upper case. For MIT Kerberos clients this is enough to
discover their proper Kerberos realm and DNS domain for SRV record
discovery.

--
/ Alexander Bokovoy
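The realm discovery Alexander describes, as an added example (not code from the thread or from FreeIPA): it builds the `_kerberos.<subdomain>` TXT records and matching `ipa dnsrecord-add` commands for a list of subdomains, then simulates the client-side walk MIT krb5 performs with `dns_lookup_realm` against a constructed in-memory DNS table. The realm name, subdomains and hostnames are made up, and the commands assume each subdomain is its own IPA DNS zone.

```python
"""Kerberos realm discovery from _kerberos TXT records (added example).

Not code from the thread or from FreeIPA. REALM, SUBDOMAINS and the
hostnames used below are constructed; the 'ipa dnsrecord-add' commands
assume each subdomain is its own IPA DNS zone.
"""
import re

REALM = "EXAMPLE.COM"
SUBDOMAINS = ["sub1.example.com", "sub2.example.com", "lab.sub2.example.com"]


def kerberos_txt_records(realm, subdomains):
    """Map each '_kerberos.<subdomain>' owner name to its TXT value.
    Owner names are lower-cased; the realm is forced to upper case because
    realm names are case-sensitive and conventionally upper case."""
    return {"_kerberos." + d.strip(".").lower(): realm.upper() for d in subdomains}


def ipa_dnsrecord_add_commands(realm, subdomains):
    """One 'ipa dnsrecord-add ZONE NAME --txt-rec=DATA' per subdomain."""
    return ["ipa dnsrecord-add %s _kerberos --txt-rec=%s" % (d.strip("."), realm.upper())
            for d in subdomains]


def discover_realm(hostname, dns_txt):
    """Simplified dns_lookup_realm: query _kerberos.<name> TXT for the host's
    full name, then for each parent domain, stopping before the bare TLD;
    return the first realm found, or None."""
    labels = hostname.strip(".").lower().split(".")
    for i in range(len(labels) - 1):
        value = dns_txt.get("_kerberos." + ".".join(labels[i:]))
        if value is not None:
            return value
    return None


def audit_txt_records(dns_txt):
    """Report _kerberos TXT owners whose value is not a plain upper-case
    realm name (the usual mistake when the records are typed by hand)."""
    return sorted(owner for owner, value in dns_txt.items()
                  if owner.startswith("_kerberos.")
                  and not re.fullmatch(r"[A-Z0-9.\-]+", value))


if __name__ == "__main__":
    table = kerberos_txt_records(REALM, SUBDOMAINS)
    for cmd in ipa_dnsrecord_add_commands(REALM, SUBDOMAINS):
        print(cmd)
    print(discover_realm("host1.lab.sub2.example.com", table))
```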
[Freeipa-users] Auto create kerberos/ldap SRV records on subdomain
Hi guys,

Is it possible to create in a simple way the SRV domains for kerberos on subdomains? It's a pain to add them all manually when you have a lot of subdomains.

I hope someone has a solution.

Thanks!

Matt
Re: [Freeipa-users] SSSD hangs on IPA master
On Tue, Apr 04, 2017 at 09:51:04AM +0200, Ronald Wimmer wrote:
> Hi,
>
> my IPA master has an AD trust (several thousand users). Since the trust has
> been set up I am experiencing that I cannot login on the web interface. Even
> connecting via SSH does not work or takes extremely long. When I managed to
> log in as root via SSH (after waiting and trying several times or rebooting
> the machine) I could not restart SSSD (systemctl restart sssd). I had to
> kill the SSSD processes manually and then everything seemed to work fine
> again.
>
> What could be going on? Could the SSSD cache be too big (122M)? Where should
> I take a deeper look?
>
> Any hints are highly appreciated!

SSSD logs that capture the problem are always a good start.
[Freeipa-users] SSSD hangs on IPA master
Hi,

my IPA master has an AD trust (several thousand users). Since the trust has been set up I am experiencing that I cannot login on the web interface. Even connecting via SSH does not work or takes extremely long. When I managed to log in as root via SSH (after waiting and trying several times or rebooting the machine) I could not restart SSSD (systemctl restart sssd). I had to kill the SSSD processes manually and then everything seemed to work fine again.

What could be going on? Could the SSSD cache be too big (122M)? Where should I take a deeper look?

Any hints are highly appreciated!

Regards,
Ronald
Re: [Freeipa-users] libsemanage updates fail due to AD user with space
On (04/04/17 09:32), Lukas Slebodnik wrote:
> On (04/04/17 10:13), Lachlan Musicman wrote:
>> On 3 April 2017 at 19:11, Jakub Hrozek wrote:
>>
>>> On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote:
>>> >
>>> > With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces
>>> > in their names, libsemanage fails to update:
>>> >
>>> > eg from recent monthly upgrade cycle:
>>> >
>>> >   Updating : selinux-policy-targeted-3.13.1-102.el7_3.16.noarch   3/14
>>> >   libsemanage.parse_assert_ch: expected character ':', but found 'f' (/etc/selinux/targeted/tmp/seusers.local: 5): lastname firstn...@domain.com:unconfined_u:s0-s0:c0.c1023 (No such file or directory).
>>> >   libsemanage.seuser_parse: could not parse seuser record (No such file or directory).
>>> >   libsemanage.dbase_file_cache: could not cache file database (No such file or directory).
>>> >   libsemanage.semanage_base_merge_components: could not merge local modifications into policy (No such file or directory).
>>>
>>> Hi,
>>> according to my quick testing this is solved with this PR:
>>> https://github.com/SSSD/sssd/pull/189
>
> This patch will not help with spaces in name.
>
> It needs to be fixed in selinux-policy or libsemanage.

It looks like it happens with each upgrade of selinux-policy. I assume it might be some missing quoting in the rpm bash scriptlet. It should not be difficult to reproduce and file a bug. Feel free to add my mail to CC.

LS
Re: [Freeipa-users] SSSD setting memcache_timeout on ipa master
On 2017-03-31 13:35, Lukas Slebodnik wrote:
> On (29/03/17 10:47), Ronald Wimmer wrote:
>> Hi,
>>
>> yesterday I suddenly was unable to use the webinterface of my ipa master.
>> SSH login (with root user) did not work also. When I uncommented the
>> setting "memcache_timeout = 600" in the sssd config file of the master
>> everything seemed to work fine again. (my ipa setup has a trust to AD)
>
> I doubt it had anything to do with memcache_timeout. I would say that the
> restart of sssd helped. But it is difficult to say without log files,
> either sssd logs or at least /var/log/secure (journald for pam).

You were right. I uncommented the setting and the problem occurred again.
Re: [Freeipa-users] libsemanage updates fail due to AD user with space
On (04/04/17 10:13), Lachlan Musicman wrote:
> On 3 April 2017 at 19:11, Jakub Hrozek wrote:
>
>> On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote:
>> >
>> > With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces
>> > in their names, libsemanage fails to update:
>> >
>> > eg from recent monthly upgrade cycle:
>> >
>> >   Updating : selinux-policy-targeted-3.13.1-102.el7_3.16.noarch   3/14
>> >   libsemanage.parse_assert_ch: expected character ':', but found 'f' (/etc/selinux/targeted/tmp/seusers.local: 5): lastname firstn...@domain.com:unconfined_u:s0-s0:c0.c1023 (No such file or directory).
>> >   libsemanage.seuser_parse: could not parse seuser record (No such file or directory).
>> >   libsemanage.dbase_file_cache: could not cache file database (No such file or directory).
>> >   libsemanage.semanage_base_merge_components: could not merge local modifications into policy (No such file or directory).
>>
>> Hi,
>> according to my quick testing this is solved with this PR:
>> https://github.com/SSSD/sssd/pull/189

This patch will not help with spaces in name.

It needs to be fixed in selinux-policy or libsemanage.

LS
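A pre-upgrade check for the failure discussed in this thread and in Lukas's follow-up above, as an added example (not code from the thread or from libsemanage): seusers.local records have the layout `login:seuser:mls_range`, and libsemanage reads the login field without allowing whitespace, which is why an AD login such as `lastname firstname@domain.com` produces the quoted parse error. The sample file contents are constructed; the default path is the directory the error message points at.

```python
"""Find seusers.local records that libsemanage will reject (added example).

Not code from the thread or from libsemanage. SAMPLE_SEUSERS_LOCAL is a
constructed file; the default path in main() is an assumption based on the
path in the quoted error message.
"""
import re
import sys

SAMPLE_SEUSERS_LOCAL = """\
# constructed sample, modelled on /etc/selinux/targeted/seusers.local
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
jdoe@domain.com:unconfined_u:s0-s0:c0.c1023
lastname firstname@domain.com:unconfined_u:s0-s0:c0.c1023
"""


def check_seusers(text):
    """Return (line_number, offending_text, reason) for each record that
    would break the parse: a login containing whitespace, or too few fields.
    Blank lines and '#' comment lines are skipped by this scanner."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The MLS range itself contains ':' (s0-s0:c0.c1023), so split only twice.
        fields = line.split(":", 2)
        if len(fields) < 3:
            problems.append((lineno, line, "expected login:seuser:mls_range"))
        elif re.search(r"\s", fields[0]):
            problems.append((lineno, fields[0], "login contains whitespace"))
    return problems


def main(path="/etc/selinux/targeted/seusers.local"):
    """Scan a real file before an selinux-policy update; exit 1 if any
    record would make libsemanage's merge step fail."""
    with open(path) as fh:
        problems = check_seusers(fh.read())
    for lineno, what, reason in problems:
        print("%s:%d: %s (%r)" % (path, lineno, reason, what))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```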