[Freeipa-users] Error deleting IPA host: SSL peer cannot verify your certificate

2017-04-04 Thread Chris Herdt
Although I had previously been using a self-signed certificate, I
recently started using a cert signed by InCommon CA on my FreeIPA
master (still on IPA 3.0.0 at this time).

I added the certificate and intermediate certificates to
/etc/ssl/certs and the certificate database in
/etc/dirsrc/slapd-EXAMPLE-COM. /etc/httpd/conf.d/nss.conf is pointing
to the new certificate for NSSNickname.

I can log into the web UI, but when I attempt to delete a host I get
the following error:

Operations Error
Some entries were not deleted
Show details

Under "Show details":
cannot connect to
'https://freeipa.example.com:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

Likewise, if I attempt to delete a host using the CLI I get an error message:

# ipa host-del host-01.example.com
ipa: ERROR: cert validation failed for
"CN=freeipa.example.com,OU=Example Unit,O=Example Org,L=Example
City,ST=MN,C=US" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to Gettext('any of the configured servers',
domain='ipa', localedir=None): https://freeipa.example.com/ipa/xml

If I enable the verbose flag -vv, I see that it is making an HTTP POST
request to https://freeipa.example.com/ipa/xml.

It looks like Firefox on my local client trusts the certificate, but
that the server itself does not trust its own certificate when
connecting to itself. Can anyone advise on how I can address this
issue?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Auto create kerberos/ldap SRV records on subdomain

2017-04-04 Thread Matt .
Hi Alexander,

Superb, thanks a lot for this quick fix!

Matt

2017-04-04 20:48 GMT+02:00 Alexander Bokovoy :
> On ti, 04 huhti 2017, Matt . wrote:
>>
>> Hi guys,
>>
>> Is it possible to create in a simple way the SRV domains for kerberos
>> on subdomains? It's a pain to add them all manually when you have a
>> lot of subdomains.
>>
>> I hope someone has a solution.
>
> Create TXT record _kerberos.sub.domain.tld that contains name of your
> Kerberos realm in upper case. For MIT Kerberos clients this is enough to
> discover their proper Kerberos realm and DNS domain for SRV record
> discovery.
>
> --
> / Alexander Bokovoy



Re: [Freeipa-users] Auto create kerberos/ldap SRV records on subdomain

2017-04-04 Thread Alexander Bokovoy

On ti, 04 huhti 2017, Matt . wrote:

> Hi guys,
>
> Is it possible to create in a simple way the SRV domains for kerberos
> on subdomains? It's a pain to add them all manually when you have a
> lot of subdomains.
>
> I hope someone has a solution.

Create TXT record _kerberos.sub.domain.tld that contains name of your
Kerberos realm in upper case. For MIT Kerberos clients this is enough to
discover their proper Kerberos realm and DNS domain for SRV record
discovery.

--
/ Alexander Bokovoy
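The record Alexander describes, generated for a whole list of subdomains so they need not be added one by one, as an added example that is not from the thread or from the FreeIPA project. The realm and subdomain names are constructed, and the `ipa dnsrecord-add` form assumes its `--txt-rec` option.

```shell
# Added example (not from the thread): emit the _kerberos TXT record that
# Alexander describes for every subdomain given, either as zone-file lines or
# as `ipa dnsrecord-add` commands (the --txt-rec option is assumed to exist).
# Usage: kerberos_txt_records zone|ipa REALM subdomain...
kerberos_txt_records() {
  fmt=$1
  realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')  # realm must be upper case
  shift 2
  [ -n "$realm" ] || { echo "realm is required" >&2; return 1; }
  for sub in "$@"; do
    sub=${sub%.}   # accept "sub.example.com." as well as "sub.example.com"
    case $fmt in
      zone) printf '_kerberos.%s. IN TXT "%s"\n' "$sub" "$realm" ;;
      ipa)  printf 'ipa dnsrecord-add %s _kerberos --txt-rec=%s\n' "$sub" "$realm" ;;
      *)    echo "unknown format: $fmt" >&2; return 1 ;;
    esac
  done
}

# Constructed input: realm EXAMPLE.COM, two subdomains.
kerberos_txt_records zone example.com dev.example.com lab.example.com
```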



[Freeipa-users] Auto create kerberos/ldap SRV records on subdomain

2017-04-04 Thread Matt .
Hi guys,

Is it possible to create in a simple way the SRV domains for kerberos
on subdomains? It's a pain to add them all manually when you have a
lot of subdomains.

I hope someone has a solution.

Thanks!

Matt



Re: [Freeipa-users] SSSD hangs on IPA master

2017-04-04 Thread Jakub Hrozek
On Tue, Apr 04, 2017 at 09:51:04AM +0200, Ronald Wimmer wrote:
> Hi,
> 
> my IPA master has an AD trust (several thousand users). Since the trust has
> been set up I am experiencing that I cannot login on the web interface. Even
> connecting via SSH does not work or takes extremely long. When I managed to
> log in as root via SSH (after waiting and trying several times or rebooting
> the machine) I could not restart SSSD (systemctl restart sssd). I had to
> kill the SSSD processes manually and then everything seemed to work fine
> again.
> 
> What could be going on? Could the SSSD cache be too big (122M)? Where should
> I take a deeper look?
> 
> Any hints are highly appreciated!

SSSD logs that capture the problem are always a good start.



[Freeipa-users] SSSD hangs on IPA master

2017-04-04 Thread Ronald Wimmer

Hi,

my IPA master has an AD trust (several thousand users). Since the trust 
has been set up I am experiencing that I cannot login on the web 
interface. Even connecting via SSH does not work or takes extremely 
long. When I managed to log in as root via SSH (after waiting and trying 
several times or rebooting the machine) I could not restart SSSD 
(systemctl restart sssd). I had to kill the SSSD processes manually and 
then everything seemed to work fine again.


What could be going on? Could the SSSD cache be too big (122M)? Where 
should I take a deeper look?


Any hints are highly appreciated!

Regards,
Ronald



Re: [Freeipa-users] libsemanage updates fail due to AD user with space

2017-04-04 Thread Lukas Slebodnik
On (04/04/17 09:32), Lukas Slebodnik wrote:
>On (04/04/17 10:13), Lachlan Musicman wrote:
>>On 3 April 2017 at 19:11, Jakub Hrozek  wrote:
>>
>>> On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote:
>>> >
>>> > With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces
>>> in
>>> > their names, libsemanage fails to update:
>>> >
>>> > eg from recent monthly upgrade cycle:
>>> >
>>> > Updating   :
>>> > selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
>>> > 3/14
>>> > libsemanage.parse_assert_ch: expected character ':', but found 'f'
>>> > (/etc/selinux/targeted/tmp/seusers.local: 5):
>>> > lastname firstn...@domain.com:unconfined_u:s0-s0:c0.c1023 (No such file
>>> or
>>> > directory).
>>> > libsemanage.seuser_parse: could not parse seuser record (No such file or
>>> > directory).
>>> > libsemanage.dbase_file_cache: could not cache file database (No such file
>>> > or directory).
>>> > libsemanage.semanage_base_merge_components: could not merge local
>>> > modifications into policy (No such file or directory).
>>> >
>>>
>>> Hi,
>>> according to my quick testing this is solved with this PR:
>>> https://github.com/SSSD/sssd/pull/189
>This patch will not help with spaces in name.
>
>it needs to be fixed in selinux-policy or libsemanage.
>

It looks like it happens with each upgrade of selinux-policy.
I assume it might be some missing quoting in rpm bash scriptlet.

It should not be difficult to reproduce and file a bug.
Feel free to add to CC my mail.

LS

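The seusers.local line from Lachlan's log, parsed two ways, as an added example that is not from the thread or from libsemanage: `strict_login` mimics a parser that takes the login as a whitespace-delimited token and then expects ':', which reproduces the `expected character ':', but found 'f'` message quoted above, while `colon_login` splits on ':' only and keeps a login containing a space intact. The sample line is constructed.

```shell
# Added example (not from the thread): a constructed seusers.local record
# ("login:seuser:mls_range") whose login contains a space, as AD logins can.
SAMPLE_LINE='lastname firstname@domain.com:unconfined_u:s0-s0:c0.c1023'

# Mimics a parser that reads the login up to the first whitespace or ':' and
# then insists on ':'. With a space in the login it stops at "lastname" and
# reports the next character, 'f', exactly as the libsemanage message does.
strict_login() {
  line=$1
  tok=${line%%[[:space:]:]*}             # token up to whitespace or ':'
  rest=${line#"$tok"}                    # everything after the token
  rest=${rest#"${rest%%[![:space:]]*}"}  # drop leading whitespace
  case $rest in
    :*) printf '%s\n' "$tok" ;;
    *)  first=${rest%"${rest#?}"}
        printf "expected character ':', but found '%s'\n" "$first" >&2
        return 1 ;;
  esac
}

# Tolerant parser: split on ':' only, into login, seuser and the MLS range.
# The range itself contains ':' so it must stay in the last field.
colon_login() {
  IFS=: read -r login seuser mls <<EOF
$1
EOF
  [ -n "$login" ] && [ -n "$seuser" ] || return 1
  printf '%s\n' "$login"
}

colon_login "$SAMPLE_LINE"   # prints the full login, space included
```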


Re: [Freeipa-users] SSSD setting memcache_timeout on ipa master

2017-04-04 Thread Ronald Wimmer

On 2017-03-31 13:35, Lukas Slebodnik wrote:

> On (29/03/17 10:47), Ronald Wimmer wrote:
>
>> Hi,
>>
>> yesterday I suddenly was unable to use the webinterface of my ipa master. SSH
>> login (with root user) did not work also.
>>
>> When I uncommented the setting "memcache_timeout = 600" in the sssd config
>> file of the master everything seemed to work fine again. (my ipa setup has a
>> trust to AD)
>>
>
> I doubt it had anything to do with memcache_timeout.
> I would say that restart of sssd helped. But it is difficult to say
> without log files. Either sssd logs or at least /var/log/secure
> (journald for pam).

You were right. I uncommented the setting and the problem occurred again.



Re: [Freeipa-users] libsemanage updates fail due to AD user with space

2017-04-04 Thread Lukas Slebodnik
On (04/04/17 10:13), Lachlan Musicman wrote:
>On 3 April 2017 at 19:11, Jakub Hrozek  wrote:
>
>> On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote:
>> >
>> > With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces
>> in
>> > their names, libsemanage fails to update:
>> >
>> > eg from recent monthly upgrade cycle:
>> >
>> > Updating   :
>> > selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
>> > 3/14
>> > libsemanage.parse_assert_ch: expected character ':', but found 'f'
>> > (/etc/selinux/targeted/tmp/seusers.local: 5):
>> > lastname firstn...@domain.com:unconfined_u:s0-s0:c0.c1023 (No such file
>> or
>> > directory).
>> > libsemanage.seuser_parse: could not parse seuser record (No such file or
>> > directory).
>> > libsemanage.dbase_file_cache: could not cache file database (No such file
>> > or directory).
>> > libsemanage.semanage_base_merge_components: could not merge local
>> > modifications into policy (No such file or directory).
>> >
>>
>> Hi,
>> according to my quick testing this is solved with this PR:
>> https://github.com/SSSD/sssd/pull/189
This patch will not help with spaces in name.

it needs to be fixed in selinux-policy or libsemanage.

LS
