[Freeipa-users] Replication fails after CentOS 6.5 - 6.6 Upgrade - sasl_io_recv failed to decode packet for connection xxxx
Hello,

I just did a 'yum update' from CentOS 6.5 to 6.6 on my freeipa system (master and 2 replicas) and I seem to have run into the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=953653

On Master:

[root@srv-1 slapd-CN-LOCAL]# rpm -qa|grep ipa
ipa-client-3.0.0-42.el6.centos.x86_64
libipa_hbac-python-1.11.6-30.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-3.0.0-42.el6.centos.x86_64
sssd-ipa-1.11.6-30.el6.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
libipa_hbac-1.11.6-30.el6.x86_64
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch

[root@srv-1 slapd-CN-LOCAL]# rpm -qa|grep 389
389-ds-base-1.2.11.15-47.el6.x86_64
389-ds-base-libs-1.2.11.15-47.el6.x86_64

[root@srv-1 slapd-CN-LOCAL]# ldapsearch -b cn=config -D "cn=Directory Manager" -W | grep nsslapd-sasl-max-buffer-size
nsslapd-sasl-max-buffer-size: 65536

[root@srv-1]# tail /etc/dirsrv/slapd-/errors
[31/Oct/2014:10:59:51 -0400] - sasl_io_recv failed to decode packet for connection 2313
[31/Oct/2014:10:59:55 -0400] - sasl_io_recv failed to decode packet for connection 2314
[31/Oct/2014:11:00:00 -0400] - sasl_io_recv failed to decode packet for connection 2316
[31/Oct/2014:11:00:01 -0400] - sasl_io_recv failed to decode packet for connection 2315

On Replica:

[root@srv-2 slapd-CN-LOCAL]# rpm -qa|grep ipa
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
libipa_hbac-1.11.6-30.el6.x86_64
ipa-admintools-3.0.0-42.el6.centos.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-server-3.0.0-42.el6.centos.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.11.6-30.el6.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
sssd-ipa-1.11.6-30.el6.x86_64

[root@srv-2 slapd-CN-LOCAL]# rpm -qa|grep 389
389-ds-base-1.2.11.15-47.el6.x86_64
389-ds-base-libs-1.2.11.15-47.el6.x86_64

[root@srv-2 slapd-CN-LOCAL]# ldapsearch -b cn=config -D "cn=Directory Manager" -W | grep nsslapd-sasl-max-buffer-size
Enter LDAP Password:
nsslapd-sasl-max-buffer-size: 65536

[root@svr-2]# tail -f /etc/dirsrv/slapd-/errors
[31/Oct/2014:11:01:11 -0400] NSMMReplicationPlugin - agmt=cn=meTosrv-1. (srv-1:389): Replication bind with GSSAPI auth resumed
[31/Oct/2014:11:01:18 -0400] NSMMReplicationPlugin - agmt=cn=meTosrv-1. (srv-1:389): Warning: unable to replicate schema: rc=2
[31/Oct/2014:11:01:18 -0400] NSMMReplicationPlugin - agmt=cn=meTosrv-1. (srv-1:389): Consumer failed to replay change (uniqueid (null), CSN (null)): Can't contact LDAP server(-1). Will retry later.
[31/Oct/2014:11:01:18 -0400] NSMMReplicationPlugin - agmt=cn=meTosrv-1. (srv-1:389): Failed to send update operation to consumer (uniqueid 515cdb0f-24fa11e2-816add07-a91dabe7, CSN 5453fc2600090003): Can't contact LDAP server. Will retry later.
[31/Oct/2014:11:01:18 -0400] NSMMReplicationPlugin - agmt=cn=meTosrv-1. (srv-1:389): Warning: unable to send endReplication extended operation (Can't contact LDAP server)

In the ticket, Scott Poore says he increased the nsslapd-sasl-max-buffer-size to work around the problem. Is this the correct course of action, or should I be trying something else?

Thanks,
Mike

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
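A small triage script for the two logs in this thread, added here as an example (it is not FreeIPA or 389-ds code): it parses the errors-log line format, pulls out the sasl_io_recv decode failures on the master and the NSMMReplicationPlugin agreement failures on the replica, and reports which replication failures were preceded by SASL decode errors within a time window. The sample lines are the ones quoted above; the correlation assumes the two hosts' clocks agree.

```python
"""Triage of 389-ds errors logs for the symptoms in this thread: sasl_io_recv
decode failures on the master and replication-agreement failures on the
consumer. Added example, not FreeIPA/389-ds code."""
import re
from collections import defaultdict
from datetime import datetime

# Line shape of /etc/dirsrv/slapd-<INSTANCE>/errors: "[dd/Mon/yyyy:HH:MM:SS +zzzz] message"
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s*-?\s*(?P<msg>.*)$')
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'
SASL_RE = re.compile(r'sasl_io_recv failed to decode packet for connection (?P<conn>\d+)')
AGMT_RE = re.compile(r'NSMMReplicationPlugin - agmt=(?P<agmt>cn=\S+) \((?P<peer>[^)]+)\): (?P<text>.*)')
# Phrases that mark a replication event as a failure rather than informational
FAILURE_MARKERS = ("Can't contact LDAP server", 'Failed to', 'failed to', 'unable to')

# Sample lines copied from the thread (master and replica are different hosts)
MASTER_LOG = """\
[31/Oct/2014:10:59:51 -0400] - sasl_io_recv failed to decode packet for connection 2313
[31/Oct/2014:10:59:55 -0400] - sasl_io_recv failed to decode packet for connection 2314
[31/Oct/2014:11:00:00 -0400] - sasl_io_recv failed to decode packet for connection 2316
[31/Oct/2014:11:00:01 -0400] - sasl_io_recv failed to decode packet for connection 2315
""".splitlines()

REPLICA_LOG = """\
[31/Oct/2014:11:01:11 -0400] NSMMReplicationPlugin - agmt=cn=meTosrv-1. (srv-1:389): Replication bind with GSSAPI auth resumed
[31/Oct/2014:11:01:18 -0400] NSMMReplicationPlugin - agmt=cn=meTosrv-1. (srv-1:389): Warning: unable to replicate schema: rc=2
[31/Oct/2014:11:01:18 -0400] NSMMReplicationPlugin - agmt=cn=meTosrv-1. (srv-1:389): Consumer failed to replay change (uniqueid (null), CSN (null)): Can't contact LDAP server(-1). Will retry later.
[31/Oct/2014:11:01:18 -0400] NSMMReplicationPlugin - agmt=cn=meTosrv-1. (srv-1:389): Failed to send update operation to consumer (uniqueid 515cdb0f-24fa11e2-816add07-a91dabe7, CSN 5453fc2600090003): Can't contact LDAP server. Will retry later.
[31/Oct/2014:11:01:18 -0400] NSMMReplicationPlugin - agmt=cn=meTosrv-1. (srv-1:389): Warning: unable to send endReplication extended operation (Can't contact LDAP server)
""".splitlines()


def parse_line(line):
    """Return (timestamp, message) or None for lines that are not log entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group('ts'), TS_FMT), m.group('msg')


def sasl_decode_failures(lines):
    """[(timestamp, connection_id)] for every sasl_io_recv decode failure."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            m = SASL_RE.search(parsed[1])
            if m:
                out.append((parsed[0], int(m.group('conn'))))
    return out


def replication_events(lines):
    """{peer 'host:port': [(timestamp, text, is_failure)]} from agreement lines."""
    out = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            m = AGMT_RE.search(parsed[1])
            if m:
                text = m.group('text')
                failed = any(marker in text for marker in FAILURE_MARKERS)
                out[m.group('peer')].append((parsed[0], text, failed))
    return dict(out)


def correlate(master_lines, replica_lines, window_s=120):
    """For each failed replication event on the consumer, count the SASL decode
    failures the master logged within window_s seconds before it.
    Returns {peer: [(event_timestamp, text, preceding_sasl_failures)]}.
    Assumes both hosts' clocks agree (the thread's logs are about a minute apart)."""
    sasl = sasl_decode_failures(master_lines)
    report = {}
    for peer, events in replication_events(replica_lines).items():
        rows = []
        for ts, text, failed in events:
            if not failed:
                continue
            n = sum(1 for sts, _ in sasl if 0 <= (ts - sts).total_seconds() <= window_s)
            rows.append((ts, text, n))
        report[peer] = rows
    return report


def summarize(master_lines, replica_lines):
    """Compact summary of both logs for a replication admin."""
    sasl = sasl_decode_failures(master_lines)
    rep = correlate(master_lines, replica_lines)
    return {
        'sasl_decode_failures': len(sasl),
        'sasl_connections': sorted({c for _, c in sasl}),
        'replication_failures': {peer: len(rows) for peer, rows in rep.items()},
        'failures_preceded_by_sasl_errors': {
            peer: sum(1 for _, _, n in rows if n) for peer, rows in rep.items()},
    }


if __name__ == '__main__':
    import json
    print(json.dumps(summarize(MASTER_LOG, REPLICA_LOG), indent=2))
```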
Re: [Freeipa-users] ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request
On Dec 5, 2013, at 3:20 PM, Rob Crittenden rcrit...@redhat.com wrote:
Michael Mercier wrote:

Hello,

A few details to begin:
The IPA system consists of 3 servers running on fully patched CentOS 6.5 (updated Monday night). DNS is integrated with the IPA system.
ipa-*-3.0.0-37
mod_nss-1.0.8-19
openssl-1.0.1e-16
The system was upgraded from 2.2.

Yesterday, I revoked a certificate for an old system and signed a certificate for the replacement system (same hostname) with no apparent issues. Today, I am attempting to sign a certificate for a new system and I am seeing the following error from the command line (with debug=True in /etc/ipa/default.conf):

ipa cert-request csrfile principal: hostname
ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request

The GUI responds with:

IPA ERROR 4310 Certificate operation cannot be completed: Failure decoding Certificate Signing Request

I have no issues running 'openssl req -text -noout -verify -in csrfile' on the request file.

I did do a 'yum update' on the system today (after experiencing the errors), with openssl and mod_nss being upgraded on all servers. All systems were rebooted after the upgrade and the problem still exists.

I did see an older thread with a similar issue, but that seemed to involve updating expired certs and Rob did not seem to be able to reproduce the error. Maybe I am experiencing the same problem?

Anyone have an idea where a good place to start looking is?

The "Failure decoding" is a duplicate error message in a couple of different places. I'd recommend modifying it per the other thread so we can know exactly where it failed and why.

Here is the exact message after applying the patch…

ipa: ERROR: Certificate operation cannot be completed: Failure decoding Certificate Signing Request: [Errno -8183] (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.

Note: I used java keytool to create the CSR, could that be the problem?

Thanks,
Mike

rob
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
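A pre-flight check for the CSR encoding question at the end of this thread, added here as an example (not FreeIPA or NSS code, and not a diagnosis of this particular CSR): it unwraps either PEM label, including the "NEW CERTIFICATE REQUEST" label Java keytool writes, validates the base64 body and the top-level DER SEQUENCE framing that SEC_ERROR_BAD_DER complains about, and re-emits conventional PEM. The sample bytes are a constructed minimal ASN.1 SEQUENCE, not a real request, so the check runs offline.

```python
"""Pre-flight encoding check for a CSR file before 'ipa cert-request'.
Added example for this thread, not FreeIPA or NSS code. The sample 'CSR' is a
constructed minimal ASN.1 SEQUENCE so the framing logic can run offline."""
import base64
import binascii
import re

PEM_RE = re.compile(
    rb'-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----', re.S)
ACCEPTED_LABELS = ('CERTIFICATE REQUEST', 'NEW CERTIFICATE REQUEST')


def der_sequence_length(data):
    """Return (header_len, content_len) for a top-level DER SEQUENCE.
    Accepts short-form and minimal long-form definite lengths; rejects the
    indefinite form and non-minimal encodings, neither of which is valid DER."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError('does not start with a SEQUENCE tag (0x30)')
    first = data[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        return 2, first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0:
        raise ValueError('indefinite length is BER, not DER')
    if n > 4 or len(data) < 2 + n:
        raise ValueError('length field truncated or absurdly large')
    length = int.from_bytes(data[2:2 + n], 'big')
    if length < 0x80 or (n > 1 and length < 1 << (8 * (n - 1))):
        raise ValueError('non-minimal length encoding is not DER')
    return 2 + n, length


def unwrap_csr(raw):
    """Return {'kind': 'der'|'pem'|'pem-new', 'der': bytes, 'warnings': [...]}
    or raise ValueError describing what a DER decoder would reject."""
    warnings = []
    m = PEM_RE.search(raw)
    if m:
        label = m.group('label').decode('ascii')
        if label not in ACCEPTED_LABELS:
            raise ValueError('unexpected PEM label: ' + label)
        kind = 'pem-new' if label.startswith('NEW') else 'pem'
        outside = (raw[:m.start()] + raw[m.end():]).strip()
        if outside:
            warnings.append('%d bytes of data outside the PEM block' % len(outside))
        body = re.sub(rb'\s+', b'', m.group('body'))   # tolerate CRLF and odd wrapping
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as e:
            raise ValueError('PEM body is not valid base64: %s' % e)
    else:
        kind, der = 'der', raw
    header_len, content_len = der_sequence_length(der)
    if header_len + content_len != len(der):
        raise ValueError('SEQUENCE declares %d content bytes but %d are present'
                         % (content_len, len(der) - header_len))
    return {'kind': kind, 'der': der, 'warnings': warnings}


def normalize_pem(der):
    """Re-emit DER as conventional PEM: standard label, 64-column base64."""
    b64 = base64.b64encode(der).decode('ascii')
    body = '\n'.join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return '-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n' % body


def check_csr(raw):
    """(ok, message): a one-line verdict on the file's encoding."""
    try:
        info = unwrap_csr(raw)
    except ValueError as e:
        return False, str(e)
    note = '; '.join(info['warnings'])
    return True, '%s, %d DER bytes%s' % (
        info['kind'], len(info['der']), ' (' + note + ')' if note else '')


# Constructed samples: SEQUENCE { INTEGER 5 } and its keytool-style PEM wrapping
SAMPLE_DER = bytes.fromhex('3003020105')
SAMPLE_KEYTOOL_PEM = (b'-----BEGIN NEW CERTIFICATE REQUEST-----\r\n'
                      b'MAMCAQU=\r\n'
                      b'-----END NEW CERTIFICATE REQUEST-----\r\n')

if __name__ == '__main__':
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, 'rb').read() if path else SAMPLE_KEYTOOL_PEM
    ok, msg = check_csr(data)
    print(('OK: ' if ok else 'BAD: ') + msg)
    if ok:
        sys.stdout.write(normalize_pem(unwrap_csr(data)['der']))
```

Run it with the CSR path as the only argument; with no argument it checks the built-in sample.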
[Freeipa-users] Login hangs / hung task?
Hello,

I tried to login (ssh) to one (of three) freeipa systems running on CentOS yesterday without success. Running 'ssh root@service-2', the server would reply with a password prompt and then hang. I went to the system console to discover many of the following messages on screen:

Jun 30 <time> service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
Jun 30 <time> service-2 kernel: echo 0 > /proc/sys/kernel/hung_task_timeout_secs disables this message.

Trying to login on the console, I was able to enter a username, but the login process would hang after entering the password.

After rebooting the system, I see the following in /var/log/messages:

Jun 30 00:29:29 service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
Jun 30 00:29:29 service-2 kernel: echo 0 > /proc/sys/kernel/hung_task_timeout_secs disables this message.
Jun 30 00:29:29 service-2 kernel: sssd_be D 000e 0 22447 3673 0x0084
Jun 30 00:29:29 service-2 kernel: 880827dffce8 0086
Jun 30 00:29:29 service-2 kernel:
Jun 30 00:29:29 service-2 kernel: 880827255058 880827dfffd8 fb88 880827255058
Jun 30 00:29:29 service-2 kernel: Call Trace:
Jun 30 00:29:29 service-2 kernel: [a00aabf0] ? ext4_file_open+0x0/0x130 [ext4]
Jun 30 00:29:29 service-2 kernel: [8150ea85] schedule_timeout+0x215/0x2e0
Jun 30 00:29:29 service-2 kernel: [8117e574] ? nameidata_to_filp+0x54/0x70
Jun 30 00:29:29 service-2 kernel: [812773c9] ? cpumask_next_and+0x29/0x50
Jun 30 00:29:29 service-2 kernel: [8150e703] wait_for_common+0x123/0x180
Jun 30 00:29:29 service-2 kernel: [81063310] ? default_wake_function+0x0/0x20
Jun 30 00:29:29 service-2 kernel: [8150e81d] wait_for_completion+0x1d/0x20
Jun 30 00:29:29 service-2 kernel: [8106513c] sched_exec+0xdc/0xe0
Jun 30 00:29:29 service-2 kernel: [8118a100] do_execve+0xe0/0x2c0
Jun 30 00:29:29 service-2 kernel: [810095ea] sys_execve+0x4a/0x80
Jun 30 00:29:29 service-2 kernel: [8100b4ca] stub_execve+0x6a/0xc0

This sequence of messages is repeated many times.

I did not have any problems logging into the other two freeipa systems on the network. The servers are currently used exclusively for freeipa.

Any ideas what may have happened?

rpm -qa | grep ipa
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-admintools-3.0.0-26.el6_4.4.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
ipa-server-3.0.0-26.el6_4.4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch

Thanks,
Mike
Re: [Freeipa-users] Login hangs / hung task?
Hello,

The log files are empty in /var/log/sssd, and the filesystems checked clean after the hard boot.

Thanks,
Mike

On 2013-07-03, at 10:38 AM, Sumit Bose wrote:
On Wed, Jul 03, 2013 at 10:17:19AM -0400, Michael Mercier wrote:

Hello,

I tried to login (ssh) to one (of three) freeipa systems running on CentOS yesterday without success. Running 'ssh root@service-2', the server would reply with a password prompt and then hang. I went to the system console to discover many of the following messages on screen:

Jun 30 <time> service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
Jun 30 <time> service-2 kernel: echo 0 > /proc/sys/kernel/hung_task_timeout_secs disables this message.

Trying to login on the console, I was able to enter a username, but the login process would hang after entering the password.

After rebooting the system, I see the following in /var/log/messages:

Jun 30 00:29:29 service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
Jun 30 00:29:29 service-2 kernel: echo 0 > /proc/sys/kernel/hung_task_timeout_secs disables this message.
Jun 30 00:29:29 service-2 kernel: sssd_be D 000e 0 22447 3673 0x0084
Jun 30 00:29:29 service-2 kernel: 880827dffce8 0086
Jun 30 00:29:29 service-2 kernel:
Jun 30 00:29:29 service-2 kernel: 880827255058 880827dfffd8 fb88 880827255058
Jun 30 00:29:29 service-2 kernel: Call Trace:
Jun 30 00:29:29 service-2 kernel: [a00aabf0] ? ext4_file_open+0x0/0x130 [ext4]
Jun 30 00:29:29 service-2 kernel: [8150ea85] schedule_timeout+0x215/0x2e0
Jun 30 00:29:29 service-2 kernel: [8117e574] ? nameidata_to_filp+0x54/0x70
Jun 30 00:29:29 service-2 kernel: [812773c9] ? cpumask_next_and+0x29/0x50
Jun 30 00:29:29 service-2 kernel: [8150e703] wait_for_common+0x123/0x180
Jun 30 00:29:29 service-2 kernel: [81063310] ? default_wake_function+0x0/0x20
Jun 30 00:29:29 service-2 kernel: [8150e81d] wait_for_completion+0x1d/0x20
Jun 30 00:29:29 service-2 kernel: [8106513c] sched_exec+0xdc/0xe0
Jun 30 00:29:29 service-2 kernel: [8118a100] do_execve+0xe0/0x2c0
Jun 30 00:29:29 service-2 kernel: [810095ea] sys_execve+0x4a/0x80
Jun 30 00:29:29 service-2 kernel: [8100b4ca] stub_execve+0x6a/0xc0

This sequence of messages is repeated many times.

I did not have any problems logging into the other two freeipa systems on the network. The servers are currently used exclusively for freeipa.

Any ideas what may have happened?

Do you see anything in the sssd logs in /var/log/sssd? ext4_file_open might indicate that sssd is stuck while trying to open a file. Have you tried to run a filesystem check?

bye,
Sumit

rpm -qa | grep ipa
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-admintools-3.0.0-26.el6_4.4.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
ipa-server-3.0.0-26.el6_4.4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch

Thanks,
Mike
[Freeipa-users] named crash
Hello,

Named stopped on one of my IPA servers over the weekend; this was the last message in the log file:

ldap_helper.c:627: fatal error: RUNTIME_CHECK(((pthread_mutex_destroy(((&ldap_conn->lock))) == 0) ? 0 : 34) == 0) failed
exiting (due to fatal error in library)

Any ideas? All other IPA services (ipactl status) were shown as running when I checked this morning; the only service stopped was named.

IPA on CentOS 6.3:
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-17.el6_3.1.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-17.el6_3.1.x86_64
ipa-client-2.2.0-17.el6_3.1.x86_64
ipa-server-2.2.0-17.el6_3.1.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-server-selinux-2.2.0-17.el6_3.1.x86_64
bind-libs-9.8.2-0.10.rc1.el6_3.6.x86_64
bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64
bind-dyndb-ldap-1.1.0-0.9.b1.el6_3.1.x86_64
bind-9.8.2-0.10.rc1.el6_3.6.x86_64

Thanks,
Mike
Re: [Freeipa-users] Process conflict issue when restarting IPA
On 2013-01-14, at 8:11 PM, Dmitri Pal wrote:
On 01/14/2013 05:59 PM, William Muriithi wrote:

Hello

When I restart IPA through ipactl, I get the following message. All seems to be working despite the message. I think it is pki-ca that is running on tomcat.

Starting httpd: [Fri Jan 11 16:13:25 2013] [warn] worker ajp://localhost:9447/ already used by another worker
[Fri Jan 11 16:13:25 2013] [warn] worker ajp://localhost:9447/ already used by another worker

I assume there may be a bug in the ipactl script; is this a correct assumption?

Regards
William

Which version are you on? This issue seems to have been addressed quite some time ago:
https://fedorahosted.org/freeipa/ticket/2333
https://bugzilla.redhat.com/show_bug.cgi?id=785791

I see the same issue as William on CentOS 6.3 fully up-to-date...

[root@test-1 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64

[root@test-1 ~]# yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
base    | 3.7 kB  00:00
extras  | 3.5 kB  00:00
updates | 3.5 kB  00:00
Setting up Update Process
No Packages marked for Update

[root@service-1 ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    TEST-LOCAL...   [ OK ]
    PKI-IPA...      [ OK ]
Starting dirsrv:
    TEST-LOCAL...   [ OK ]
    PKI-IPA...      [ OK ]
Restarting KDC Service
Stopping Kerberos 5 KDC:   [ OK ]
Starting Kerberos 5 KDC:   [ OK ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:   [ OK ]
Starting Kerberos 5 Admin Server:   [ OK ]
Restarting DNS Service
Stopping named:   [ OK ]
Starting named:   [ OK ]
Restarting MEMCACHE Service
Stopping ipa_memcached:   [ OK ]
Starting ipa_memcached:   [ OK ]
Restarting HTTP Service
Stopping httpd:   [ OK ]
Starting httpd: [Tue Jan 15 09:10:03 2013] [warn] worker ajp://localhost:9447/ already used by another worker
[Tue Jan 15 09:10:03 2013] [warn] worker ajp://localhost:9447/ already used by another worker
   [ OK ]
Restarting CA Service
Stopping pki-ca:   [ OK ]
Starting pki-ca:   [ OK ]
[root@test-1 ~]#

Thanks,
Mike

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-users] Fwd: DNS / Allow PTR sync
Hello,

I missed the reply-all button. See my response to Dmitri inline below.

Thanks,
Mike

Begin forwarded message:

From: Michael Mercier mmerc...@gmail.com
Date: November 5, 2012 8:10:53 PM GMT-05:00
To: d...@redhat.com
Subject: Re: [Freeipa-users] DNS / Allow PTR sync

Hello,

On 5-Nov-12, at 7:12 PM, Dmitri Pal wrote:
On 11/05/2012 04:35 PM, Michael Mercier wrote:

Hello,

A couple of questions regarding DNS / Allow PTR sync.

1. If you have a zone 'example.com' and you enable Allow PTR sync, should you also enable the option in the reverse zone (e.g. 168.192.in-addr.arpa.)?

2. Do you have to wait a specified amount of time for the PTR record to be removed after you remove a host? e.g.
  1. Add 'testhost', 192.168.10.10 to 'example.com' (with Allow PTR sync enabled on the zone) with 'Create reverse' enabled.
  2. Remove 'testhost' from 'example.com'
  3. Check the 168.192.in-addr.arpa. zone and host 'testhost' still exists.

Which version are you using?

I knew this question was coming as soon as I pressed 'send'... :D
IPA 2.2 on CentOS 6.3 (latest RPMs)

Do you use
#ipa host-del --updatedns host

The DNS entries are not IPA hosts (i.e. not added with ipa host-add). Most of the DNS entries were added by performing the following:

ipa dnsrecord-add example.com hostname --a-rec=x.x.x.x --a-create-reverse

My example above was done using the GUI using the DNS page.

Thanks,
Mike

when delete host?

Thanks,
Mike
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:
On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:

[root@ipaserver2 ~]# ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8
[root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

Jakub, does this make sense to you?

As stated elsewhere in this thread, bare kinit does not contact the SSSD at all. You want to go through the PAM stack (with su - mike or ssh mike@ipaclient) in order to contact the SSSD so that the SSSD refreshes the file.

Does using su - mike refresh the file? When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers. e.g.

[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout
[root@ipaserver ~]# ifdown eth0
[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout
[root@ipaserver ~]# ifup eth0
[root@ipaserver2 ~]# ifdown eth0
[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout
[root@ipaserver ~]# ifdown eth0
[root@ipaserver2 ~]# ifup eth0
[root@ipaclient sssd]# su - mike    # short delay ~2 seconds
[mike@ipaclient ~]$ exit
logout
[root@ipaserver ~]# ifup eth0
[root@ipaserver2 ~]# ifdown eth0
[root@ipaclient sssd]# su - mike    # short delay ~2 seconds
[mike@ipaclient ~]$ exit
logout

I do not seem to have any sssd problems.

Thanks,
Mike

Michael also said that the IP address 172.16.112.8 is the address of the server that is down. I assume that at one point the SSSD was using that server but no request came to the SSSD since the last one, so the SSSD did not fail over to the other configured server. Your SRV records indicated that the servers had the same priority fields, so selecting one over another is pretty much random. I don't think the SSSD is operating in offline mode completely, otherwise it would have removed the file to avoid this kind of timeout.

Bottom line, kinit does not contact the SSSD and does not refresh the address via the locator plugin. Returning multiple addresses from the locator plugin or creating a smarter way of interacting between the Kerberos tools and the SSSD is the scope of https://fedorahosted.org/sssd/ticket/941
Re: [Freeipa-users] HBAC Test - web vs command line - returns different results
On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:
On 08/31/2012 09:33 AM, Michael Mercier wrote:

Hello,

I seem to be having a problem with the HBAC test:

Versions:
[root@ipaserver ipatest]# rpm -qa|grep ^ipa
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64

On the web console:
Browse to HBAC TEST
Who: mike
Accessing: pix.beta.local
Via service: tac_plus
From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
Rules: tacacs
Run Test - Access Granted with matched rules showing tacacs

On the command line:
ipa hbactest
User name: mike
Target Host: pix.beta.local
Service: tac_plus
- Access granted: False
- Not matched rules: tacacs

tacacs rule:
General: Enabled
Who: user group: ciscoadmin - mike is a member
Accessing: cisco-devices - pix.beta.local is a member
Via Service: tac_plus
From: any host

NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)

Any ideas?

Thanks,
Mike

I do not know whether this issue was resolved. Hope it was on the IRC or in some other way. The problem above is related to the from host I believe. Please do not use the from host. The whole concept is a bit broken and not reliable.

I don't seem to be able to *not* select a 'from host' with the web console, I get:

Input form contains invalid of missing values.
Missing values: Source host.

Thanks,
Mike
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:
Michael Mercier wrote:
On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
On 09/07/2012 12:42 PM, Michael Mercier wrote:
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
On 09/06/2012 10:40 AM, Michael Mercier wrote:

Hello,

I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) set up using MMR.

[root@ipaserver ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root@ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64

[root@ipaserver2 ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root@ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch

[mike@ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64

I have a webserver (zenoss) using kerberos authentication.

[root@zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64

<Location />
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodK5Passwd Off
    KrbAuthRealms MPLS.LOCAL
    KrbSaveCredentials on
    KrbServiceName HTTP
    Krb5KeyTab /etc/http/conf.d/http.keytab
    AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
    RequestHeader set X_REMOTE_USER %{remoteUser}e
    require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
</Location>

With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do an 'ifdown eth0' and attempt another connection, it fails.

I have also noticed the following:
1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
2. It takes a longer period of time to do a kinit.

If I then perform:

[root@ipaserver ~]# ifup eth0
[root@ipaserver2 ~]# ifdown eth0
[mike@ipaclient ~]$ kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
[root@ipaserver2 ~]# ifup eth0
[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$
[root@ipaserver2 ~]# ifdown eth0
.. wait a number of minutes
ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

Any ideas?

Thanks,
Mike

This seems to be some DNS problem. Your client does not see the second replica and might have some name resolution timeouts. Please check your DNS setup and krb5.conf on the client. To help more we need more details about your client configuration, DNS and kerberos.

Hi,

Additional information...

[root@zenoss ~]# more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# nslookup ipaserver
Server:   172.16.112.5
Address:  172.16.112.5#53

Name:     ipaserver.mpls.local
Address:  172.16.112.5
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-10, at 4:35 AM, Petr Spacek wrote:
On 09/08/2012 05:03 PM, Dmitri Pal wrote:
On 09/07/2012 04:50 PM, Rob Crittenden wrote:
Re: [Freeipa-users] HBAC Test - web vs command line - returns different results
On 2012-09-17, at 10:33 AM, Rob Crittenden wrote:
Michael Mercier wrote:
On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:
On 08/31/2012 09:33 AM, Michael Mercier wrote:
Hello,

I seem to be having a problem with the HBAC test:

Versions:
[root@ipaserver ipatest]# rpm -qa|grep ^ipa
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64

On the web console:
Browse to HBAC TEST
Who: mike
Accessing: pix.beta.local
Via service: tac_plus
From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
Rules: tacacs
Run Test - Access Granted with matched rules showing tacacs

On the command line:
ipa hbactest
User name: mike
Target Host: pix.beta.local
Service: tac_plus
- Access granted: False
- Not matched rules: tacacs

tacacs rule:
General: Enabled
Who: user group: ciscoadmin - mike is a member
Accessing: cisco-devices - pix.beta.local is a member
Via Service: tac_plus
From: any host

NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)

Any ideas?

Thanks,
Mike

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

I do not know whether this issue was resolved. Hope it was on the IRC or in some other way. The problem above is related to the from host I believe. Please do not use the from host. The whole concept is a bit broken and not reliable.

I don't seem to be able to *not* select a 'from host' with the web console, I get: Input form contains invalid or missing values. Missing values: Source host.

I believe this value is ignored anyway. This is very strange as the same backend is used to evaluate both the web and cli rules. It might be helpful to crank up debugging to get more details on what is being passed in. Perhaps there is some subtle difference.
If you want to give this a go, edit /etc/ipa/default.conf and add

debug = True

and restart the httpd service, then try your commands again. You should get a bit more detail in /var/log/httpd/error_log about the request sent in and the response. You probably don't want to leave this enabled for too long.

rob

Hello,

I set up default.conf with debug = True, and I am unable to reproduce the different results? Removed the debug statement and restarted httpd, both interfaces produce the same result (success).

Thanks,
Mike
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-17, at 11:27 AM, Dmitri Pal wrote:
On 09/17/2012 10:14 AM, Michael Mercier wrote:
On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:
Michael Mercier wrote:
On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
On 09/07/2012 12:42 PM, Michael Mercier wrote:
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
On 09/06/2012 10:40 AM, Michael Mercier wrote:
Hello,

I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR.

[root@ipaserver ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root@ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64

[root@ipaserver2 ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root@ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch

[mike@ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64

I have a webserver (zenoss) using kerberos authentication.

[root@zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64

<Location />
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodK5Passwd Off
    KrbAuthRealms MPLS.LOCAL
    KrbSaveCredentials on
    KrbServiceName HTTP
    Krb5KeyTab /etc/http/conf.d/http.keytab
    AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
    RequestHeader set X_REMOTE_USER %{remoteUser}e
    require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
</Location>

With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails.

I have also noticed the following:
1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
2. It takes a longer period of time to do a kinit

If I then perform:

[root@ipaserver ~]# ifup eth0
[root@ipaserver2 ~]# ifdown eth0
[mike@ipaclient ~]$ kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
[root@ipaserver2 ~]# ifup eth0
[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$
[root@ipaserver2 ~]# ifdown eth0
.. wait a number of minutes
ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

Any ideas?

Thanks,
Mike

This seems to be some DNS problem. Your client does not see the second replica and might have some name resolution timeouts. Please check your DNS setup and krb5.conf on the client. To help more we need more details about your client configuration, DNS and kerberos.

Hi,

Additional information...

[root@zenoss ~]# more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# nslookup ipaserver
Server:  172.16.112.5
Address: 172.16.112.5#53
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
On 09/06/2012 10:40 AM, Michael Mercier wrote:
Hello,

I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR.

[root@ipaserver ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root@ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64

[root@ipaserver2 ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root@ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch

[mike@ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64

I have a webserver (zenoss) using kerberos authentication.

[root@zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64

<Location />
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodK5Passwd Off
    KrbAuthRealms MPLS.LOCAL
    KrbSaveCredentials on
    KrbServiceName HTTP
    Krb5KeyTab /etc/http/conf.d/http.keytab
    AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
    RequestHeader set X_REMOTE_USER %{remoteUser}e
    require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
</Location>

With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails.

I have also noticed the following:
1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
2. It takes a longer period of time to do a kinit

If I then perform:

[root@ipaserver ~]# ifup eth0
[root@ipaserver2 ~]# ifdown eth0
[mike@ipaclient ~]$ kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
[root@ipaserver2 ~]# ifup eth0
[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$
[root@ipaserver2 ~]# ifdown eth0
.. wait a number of minutes
ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

Any ideas?

Thanks,
Mike

This seems to be some DNS problem. Your client does not see the second replica and might have some name resolution timeouts. Please check your DNS setup and krb5.conf on the client. To help more we need more details about your client configuration, DNS and kerberos.

Hi,

Additional information...

[root@zenoss ~]# more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# nslookup ipaserver
Server:  172.16.112.5
Address: 172.16.112.5#53

Name:    ipaserver.mpls.local
Address: 172.16.112.5

[root@ipaserver ~]# ifdown eth0
[root@ipaclient ~]# nslookup ipaserver
Server:  172.16.112.8
Address: 172.16.112.8#53

Name:    ipaserver.mpls.local
Address: 172.16.112.5

[root
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
On 09/07/2012 12:42 PM, Michael Mercier wrote:
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
On 09/06/2012 10:40 AM, Michael Mercier wrote:
Hello,

I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR.

[root@ipaserver ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root@ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64

[root@ipaserver2 ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root@ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch

[mike@ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64

I have a webserver (zenoss) using kerberos authentication.

[root@zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64

<Location />
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodK5Passwd Off
    KrbAuthRealms MPLS.LOCAL
    KrbSaveCredentials on
    KrbServiceName HTTP
    Krb5KeyTab /etc/http/conf.d/http.keytab
    AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
    RequestHeader set X_REMOTE_USER %{remoteUser}e
    require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
</Location>

With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails.

I have also noticed the following:
1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
2. It takes a longer period of time to do a kinit

If I then perform:

[root@ipaserver ~]# ifup eth0
[root@ipaserver2 ~]# ifdown eth0
[mike@ipaclient ~]$ kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
[root@ipaserver2 ~]# ifup eth0
[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$
[root@ipaserver2 ~]# ifdown eth0
.. wait a number of minutes
ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

Any ideas?

Thanks,
Mike

This seems to be some DNS problem. Your client does not see the second replica and might have some name resolution timeouts. Please check your DNS setup and krb5.conf on the client. To help more we need more details about your client configuration, DNS and kerberos.

Hi,

Additional information...

[root@zenoss ~]# more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# nslookup ipaserver
Server:  172.16.112.5
Address: 172.16.112.5#53

Name:    ipaserver.mpls.local
Address: 172.16.112.5

[root@ipaserver ~]# ifdown eth0
[root@ipaclient ~]# nslookup
[Freeipa-users] errors when one ipa server down
Hello,

I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR.

[root@ipaserver ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root@ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64

[root@ipaserver2 ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root@ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch

[mike@ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64

I have a webserver (zenoss) using kerberos authentication.

[root@zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64

<Location />
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodK5Passwd Off
    KrbAuthRealms MPLS.LOCAL
    KrbSaveCredentials on
    KrbServiceName HTTP
    Krb5KeyTab /etc/http/conf.d/http.keytab
    AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
    RequestHeader set X_REMOTE_USER %{remoteUser}e
    require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
</Location>

With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails.

I have also noticed the following:
1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
2. It takes a longer period of time to do a kinit

If I then perform:

[root@ipaserver ~]# ifup eth0
[root@ipaserver2 ~]# ifdown eth0
[mike@ipaclient ~]$ kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
[root@ipaserver2 ~]# ifup eth0
[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$
[root@ipaserver2 ~]# ifdown eth0
... wait a number of minutes
ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

Any ideas?

Thanks,
Mike
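The message above describes a client with dns_lookup_kdc = true and two nameservers in resolv.conf, one of which is the IPA server being taken down. The following is an added example, written for this archive and not code from the thread, from FreeIPA or from MIT Kerberos. It models the two things the client does on kinit: order the _kerberos._udp SRV answers the way RFC 2782 prescribes, and walk that list until a KDC answers, after first paying whatever delay the glibc resolver adds when the first nameserver is dead. The SRV records, addresses and up/down maps are constructed to match the thread's setup; the resolver timing is a simplification of glibc's default options timeout:5 behaviour and ignores the retry pass that attempts: adds.

```python
"""Added example (not from the thread, FreeIPA or MIT krb5): model of how a
client with dns_lookup_kdc = true locates a KDC, and of the delay the glibc
resolver adds when the first nameserver in resolv.conf is the IPA server
that was just taken down.  All data below is constructed to match the
two-server setup in the message above."""
import random
from collections import defaultdict

# Constructed answer set for _kerberos._udp.mpls.local, shaped like the SRV
# records an IPA-managed zone publishes (one per server, equal priority).
SRV_RECORDS = [
    # (priority, weight, port, target)
    (0, 100, 88, "ipaserver.mpls.local."),
    (0, 100, 88, "ipaserver2.mpls.local."),
]

# resolv.conf order from the thread: ipaserver's own address comes first.
NAMESERVERS = ["172.16.112.5", "172.16.112.8"]
ADDRESS_OF = {"ipaserver.mpls.local.": "172.16.112.5",
              "ipaserver2.mpls.local.": "172.16.112.8"}


def rfc2782_order(records, rng=None):
    """Order SRV records the way a conforming client should: ascending
    priority, then a weighted random selection inside each priority level."""
    if rng is None:
        rng = random.Random(0)  # fixed seed so the walk is reproducible
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_priority):
        # RFC 2782: zero-weight records go first so they are rarely chosen.
        pool = sorted(by_priority[prio], key=lambda r: r[1] != 0)
        while pool:
            total = sum(r[1] for r in pool)
            pick_at = rng.randint(0, total)
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick_at:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def resolver_delay(nameservers, alive, timeout=5):
    """Seconds one lookup waits before an answer with glibc's default
    'options timeout:5' and no 'rotate': every dead nameserver listed ahead
    of the first live one costs a full timeout.  Simplified: the retry pass
    added by 'attempts:' is ignored.  None means no nameserver answered."""
    delay = 0
    for ns in nameservers:
        if alive.get(ns, False):
            return delay
        delay += timeout
    return None


def locate_kdc(records, alive, nameservers=NAMESERVERS, rng=None):
    """Model of the client: resolve the SRV set (paying the resolver delay),
    then walk the ordered KDC list and return the first reachable target.
    Returns (kdc_target, delay_seconds); kdc_target is None when nothing
    answers, which is the 'Cannot contact any KDC' case."""
    delay = resolver_delay(nameservers, alive)
    if delay is None:
        return None, None
    for _prio, _weight, _port, target in rfc2782_order(records, rng):
        if alive.get(ADDRESS_OF[target], False):
            return target, delay
    return None, delay


def scenario(down=()):
    """Up/down map for the thread's experiment: both servers up unless named."""
    return {addr: addr not in down for addr in ADDRESS_OF.values()}


if __name__ == "__main__":
    for down in ((), ("172.16.112.5",), ("172.16.112.8",),
                 ("172.16.112.5", "172.16.112.8")):
        kdc, delay = locate_kdc(SRV_RECORDS, scenario(down))
        print(f"down={down or 'none'}: kdc={kdc}, resolver delay={delay}s")
```

With ipaserver (the first nameserver) down the model still finds ipaserver2, but only after a resolver timeout on every lookup, which is the slow kinit and the delayed screen unlock the poster saw; with ipaserver2 down it expects an immediate answer from ipaserver, so the "Cannot contact any KDC" result in that case is the one to dig into with the DNS and krb5.conf details Dmitri asked for.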
[Freeipa-users] HBAC Test - web vs command line - returns different results
Hello,

I seem to be having a problem with the HBAC test:

Versions:
[root@ipaserver ipatest]# rpm -qa|grep ^ipa
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64

On the web console:
Browse to HBAC TEST
Who: mike
Accessing: pix.beta.local
Via service: tac_plus
From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
Rules: tacacs
Run Test - Access Granted with matched rules showing tacacs

On the command line:
ipa hbactest
User name: mike
Target Host: pix.beta.local
Service: tac_plus
- Access granted: False
- Not matched rules: tacacs

tacacs rule:
General: Enabled
Who: user group: ciscoadmin - mike is a member
Accessing: cisco-devices - pix.beta.local is a member
Via Service: tac_plus
From: any host

NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)

Any ideas?

Thanks,
Mike
[Freeipa-users] PAM / SSSD / HBAC (was: Re: tacacs+ integration)
On 2012-08-22, at 4:12 PM, Rob Crittenden wrote:
Michael Mercier wrote:
Hello,

In Aug 2010, someone posted a message to this list about integrating tacacs+ with freeipa
https://www.redhat.com/archives/freeipa-users/2010-August/msg00058.html

At the time, it was mentioned that this was not on the roadmap, has this changed?

No, still not on the roadmap.

If RedHat has no plans to do this, where can I find the freeipa documentation that would allow me to do a proof-of-concept? I would use the freely available tac_plus (http://www.shrubbery.net/tac_plus/) as a starting point.

http://freeipa.org/page/Contribute (in Developer Documentation and Development Process) and http://abbra.fedorapeople.org/freeipa-extensibility.html

Some of the specific things I am looking for:
1. How should passwords be verified? sssd, pam, ldap lookup, krb?
2. How the ldap schema should be designed for best integration?

I'd start by seeing if there is already one defined as a real or quasi standard.

3. The proper way to query the ldap server (standard ldap calls or is there some specific freeipa api)

Standard LDAP calls.

4. I am sure I am not asking something!!

I tried asking some similar questions on freeipa-devel but didn't receive a response.

rob

Hello,

I have started playing with having the tac_plus daemon use Freeipa and have some questions regarding HBAC.

I have done the following:
1. Created a DNS entry for my device: pix.beta.local - 192.168.0.1
2. Disabled the 'allow_all' HBAC rule
3. Created an HBAC rule tacacs with the following:
   a) who: user group: ciscoadmin - user mike is part of ciscoadmin
   b) Accessing: hosts: pix.beta.local
   c) via service: tac_plus
   d) from: any host

I can successfully login (auth) to a Cisco ASA via the tac_plus daemon using PAM. I have added some code to also attempt to do PAM accounting for the device and can't get this to work.

Aug 28 16:13:34 ipaserver tac_plus[2217]: pam_sss(tac_plus:auth): authentication success; logname=root uid=0 euid=0 tty= ruser= rhost=192.168.0.1 user=mike
Aug 28 16:13:34 ipaserver tac_plus[2217]: pam_sss(tac_plus:account): Access denied for user mike: 6 (Permission denied)

If I add the host (ipaserver.beta.local) the daemon is running on to the 'Accessing' list or enable the 'allow_all' rule, I am able to login.

I see the following in my audit.log

type=USER_AUTH msg=audit(1346184814.834:168): user pid=2217 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="mike" exe="/home/tacacs/tacacs+-F4.0.4.26/.libs/lt-tac_plus" hostname=192.168.0.1 addr=192.168.0.1 terminal=pts/0 res=success'
type=USER_ACCT msg=audit(1346184814.845:169): user pid=2217 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="mike" exe="/home/tacacs/tacacs+-F4.0.4.26/.libs/lt-tac_plus" hostname=192.168.0.1 addr=192.168.0.1 terminal=pts/0 res=failed'

It seems that the machine the daemon is running on is being used for the HBAC rule (at least that is what it looks like from the dirsrv access log)

[28/Aug/2012:16:13:33 -0400] conn=29 op=45 SRCH base="cn=hbac,dc=beta,dc=local" scope=2 filter="(&(objectClass=ipaHBACRule)(ipaEnabledFlag=TRUE)(|(hostCategory=all)(memberHost=fqdn=ipaserver.beta.local,cn=computers,cn=accounts,dc=beta,dc=local)))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag accessRuleType memberUser userCategory memberService serviceCategory sourceHost sourceHostCategory externalHost memberHost hostCategory"

Is it possible to get the 'hostname' (pix.beta.local/192.168.0.1) passed through to HBAC? It looks like the 'msg' portion of the audit data is coming from PAM (Is this correct)? Should I be posting this to the devel list instead?

Thanks,
Mike
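Both the HBAC test thread above ("Access granted: False - Not matched rules: tacacs" from ipa hbactest) and this tac_plus message turn on the same question: which host is the "accessing" host when a rule is evaluated. The following is an added example, written for this archive and not code from the thread, from FreeIPA or from SSSD. It models how an IPA HBAC rule matches a request (user, target host and service must each match directly, via a group, or via a category of "all"; source host is ignored, as Dmitri recommends), and builds the rule filter of the shape recorded in the dirsrv access log. The rule, group memberships and host names are constructed from the details in the thread; the DN layout follows the access log line.

```python
"""Added example (not from the thread, FreeIPA or SSSD): a model of IPA HBAC
rule evaluation, used to show why the 'tacacs' rule matches when the target
host is pix.beta.local but not when pam_sss evaluates it for the server that
runs tac_plus.  Directory contents below are constructed from the thread."""
from dataclasses import dataclass, field

BASE_DN = "dc=beta,dc=local"

# Constructed group and hostgroup membership, as described in the message.
USER_GROUPS = {"mike": {"ciscoadmin"}}
HOST_GROUPS = {"pix.beta.local": {"cisco-devices"},
               "ipaserver.beta.local": set()}


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    user_category_all: bool = False
    users: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    host_category_all: bool = False
    hosts: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    service_category_all: bool = False
    services: set = field(default_factory=set)   # service groups omitted


@dataclass
class HbacRequest:
    user: str
    target_host: str   # the host the PAM stack evaluates on behalf of
    service: str       # the PAM service name


def _matches(value, value_groups, direct, group_set, category_all):
    """A component matches via category=all, direct membership, or a group."""
    return category_all or value in direct or bool(value_groups & group_set)


def rule_matches(rule, req):
    """An enabled rule matches only if user, target host and service all do."""
    if not rule.enabled:
        return False
    return (_matches(req.user, USER_GROUPS.get(req.user, set()),
                     rule.users, rule.user_groups, rule.user_category_all)
            and _matches(req.target_host,
                         HOST_GROUPS.get(req.target_host, set()),
                         rule.hosts, rule.host_groups, rule.host_category_all)
            and _matches(req.service, set(), rule.services, set(),
                         rule.service_category_all))


def evaluate(rules, req):
    """Allow-only semantics: access is granted if any enabled rule matches.
    Returns (granted, matched_rule_names, unmatched_enabled_rule_names),
    mirroring what 'ipa hbactest' reports."""
    matched = [r.name for r in rules if rule_matches(r, req)]
    unmatched = [r.name for r in rules if r.enabled and r.name not in matched]
    return bool(matched), matched, unmatched


def sssd_rule_filter(fqdn):
    """Rule filter of the shape seen in the dirsrv access log: enabled rules
    that apply to every host or that name this host directly."""
    host_dn = f"fqdn={fqdn},cn=computers,cn=accounts,{BASE_DN}"
    return ("(&(objectClass=ipaHBACRule)(ipaEnabledFlag=TRUE)"
            f"(|(hostCategory=all)(memberHost={host_dn})))")


# The thread's rule set: allow_all disabled, tacacs enabled.
RULES = [
    HbacRule("allow_all", enabled=False, user_category_all=True,
             host_category_all=True, service_category_all=True),
    HbacRule("tacacs", user_groups={"ciscoadmin"},
             host_groups={"cisco-devices"}, services={"tac_plus"}),
]

if __name__ == "__main__":
    # What 'ipa hbactest' asks when the target host is the device.
    print(evaluate(RULES, HbacRequest("mike", "pix.beta.local", "tac_plus")))
    # What pam_sss asks on the tac_plus server: the target is that server.
    print(evaluate(RULES, HbacRequest("mike", "ipaserver.beta.local", "tac_plus")))
    print(sssd_rule_filter("ipaserver.beta.local"))
```

The second evaluation reproduces the "Access denied for user mike" result: pam_sss on ipaserver.beta.local asks about ipaserver.beta.local, which is in no hostgroup the rule names, and the filter it sends only selects rules that name that host or apply to all hosts. Adding the tac_plus server to the rule's "Accessing" list is exactly the change the poster found makes the login work.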
Re: [Freeipa-users] IPA over the Internet - Security Implications
Hi,

Let us assume just the two systems directly connected to the internet. I am specifically interested in what the security implications would be, not ways to get around them (e.g. point-to-point tunnel). I have read that kerberos was designed for untrusted networks, just how untrusted can they be?

Thanks,
Mike

On 16-Aug-12, at 9:43 PM, Steven Jones wrote:
Hi,

I would assume you could do a point to point tunnel between each and do the authentication via that.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Michael Mercier [mmerc...@gmail.com]
Sent: Friday, 17 August 2012 1:14 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] IPA over the Internet - Security Implications

Hello,

I was wondering what the security implications would be setting up a server to be a freeipa client at one site, and have it join a freeipa system over the internet at another site.

ipaclient (siteA) -- internet -- ipaserver (siteB)

Is there an IPA document that describes this situation?

Thanks,
Mike
[Freeipa-users] IPA over the Internet - Security Implications
Hello,

I was wondering what the security implications would be setting up a server to be a freeipa client at one site, and have it join a freeipa system over the internet at another site.

ipaclient (siteA) -- internet -- ipaserver (siteB)

Is there an IPA document that describes this situation?

Thanks,
Mike
[Freeipa-users] 3.0 beta1 install on Fedora 17 - No DNS Zones
Hello,

I have installed FreeIPA 3.0 beta 1 on Fedora 17, and added a Fedora 17 client. I do not have anything under the Identity - DNS tab (i.e. no DNS zones)

I did the following when installing:

On the server:

[root@ipaserver ~]# ipa-server-install
-- oops forgot to include DNS
[root@ipaserver ~]# ipa-server-install --uninstall -U
[root@ipaserver ~]# ipa-server-install --setup-dns --no-forwarders
-- at some point the installer prompted with a message that a named.conf already existed, overwrite? -- I chose yes

[root@ipaserver ~]# cd /var/named/
[root@ipaserver named]# ls
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
[root@ipaserver named]# find .
.
./named.loopback
./named.empty
./slaves
./named.localhost
./data
./data/named.run
./dynamic
./named.ca

[root@ipaserver named]# cat /etc/named.conf
options {
    // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
    listen-on-v6 {any;};

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file           "data/cache_dump.db";
    statistics-file     "data/named_stats.txt";
    memstatistics-file  "data/named_mem_stats.txt";

    forward first;
    forwarders { };

    // Any host is permitted to issue recursive queries
    allow-recursion { any; };

    tkey-gssapi-credential "DNS/ipaserver.beta.local";
    tkey-domain "BETA.LOCAL";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";

dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-BETA-LOCAL.socket";
    arg "base cn=dns, dc=beta,dc=local";
    arg "fake_mname ipaserver.beta.local.";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/ipaserver.beta.local";
    arg "zone_refresh 0";
    arg "psearch yes";
};

[root@ipaserver ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.112.10  netmask 255.255.255.0  broadcast 172.16.112.255
        inet6 fe80::20c:29ff:fe56:53bd  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:56:53:bd  txqueuelen 1000  (Ethernet)
        RX packets 33531  bytes 24153141 (23.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30428  bytes 17489346 (16.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

On the client:

[root@ipaclient ~]# ipa-client-install --enable-dns-updates
[root@ipaclient ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.112.11  netmask 255.255.255.0  broadcast 172.16.112.255
        inet6 fe80::20c:29ff:fed4:9724  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d4:97:24  txqueuelen 1000  (Ethernet)
        RX packets 23591  bytes 24965586 (23.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12756  bytes 1274305 (1.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@ipaclient ~]# nslookup ipaclient
Server:  172.16.112.10
Address: 172.16.112.10#53

Name:    ipaclient.beta.local
Address: 172.16.112.11

[root@ipaclient ~]# nslookup ipaserver
Server:  172.16.112.10
Address: 172.16.112.10#53

Name:    ipaserver.beta.local
Address: 172.16.112.10

[root@ipaclient ~]# ipa dnszone-show beta.local
ipa: ERROR: beta.local: DNS zone not found
[root@ipaclient ~]# ipa dns-resolve ipaserver.beta.local
-----------------------------
Found 'ipaserver.beta.local.'
-----------------------------
[root@ipaclient ~]# ipa dnsconfig-show
---------------------------------
Global DNS configuration is empty
---------------------------------

Any pointers?

Thanks,
Mike
[Freeipa-users] IPA3 beta - CA will not install
Hello,

I am attempting to install the IPA 3.x beta on Fedora 17 and running into some difficulty.

I performed the following steps attempting the install (following setup instructions for FreeIPA 2.2):

1. Download Fedora 17
2. Install Fedora 17 with VMWare
3. add hostname to /etc/hosts - 172.16.112.10 ipaserver.beta.local ipaserver
4. yum update
5. open the following ports on the firewall
   tcp 80,443,389,636,88,464,53,7839
   udp 88,464,53,123

   iptables -L
   ACCEPT     tcp  --  anywhere   anywhere   state NEW tcp dpt:ssh
   ACCEPT     tcp  --  anywhere   anywhere   state NEW tcp dpt:http
   ACCEPT     tcp  --  anywhere   anywhere   state NEW tcp dpt:https
   ACCEPT     tcp  --  anywhere   anywhere   state NEW tcp dpt:ldap
   ACCEPT     tcp  --  anywhere   anywhere   state NEW tcp dpt:ldaps
   ACCEPT     tcp  --  anywhere   anywhere   state NEW tcp dpt:kerberos
   ACCEPT     tcp  --  anywhere   anywhere   state NEW tcp dpt:kpasswd
   ACCEPT     tcp  --  anywhere   anywhere   state NEW tcp dpt:domain
   ACCEPT     tcp  --  anywhere   anywhere   state NEW tcp dpt:7389
   ACCEPT     udp  --  anywhere   anywhere   state NEW udp dpt:kerberos
   ACCEPT     udp  --  anywhere   anywhere   state NEW udp dpt:kpasswd
   ACCEPT     udp  --  anywhere   anywhere   state NEW udp dpt:domain
   ACCEPT     udp  --  anywhere   anywhere   state NEW udp dpt:ntp

6. Disable NetworkManager and enable network
7. reboot
8. add freeipa repository baseurl=http://freeipa.com/downloads/devel/rpms/F$releasever/$basearch
9. yum install freeipa-server bind bind-dyndb-ldap
10. ipa-server-install

Attached is the log file.

Thanks,
Mike

[attachment: ipaserver-install.log]
Re: [Freeipa-users] BIND named.conf
Hello,

On 2012-07-13, at 9:39 PM, Simo Sorce wrote:
Unfortunately slaving is not supported at the moment, but just out of curiosity what is the ballpark number for many updates ?

Doing a quick check on the system, anywhere between 600 and 1000 record updates per minute.

Thanks,
Mike
Re: [Freeipa-users] BIND named.conf
I will try to be more clear...

My IPA zone is named intranet.local running on ipaserver1 and ipaserver2. I have another zone (call it myzone.tld) hosted on some other systems. I would like ipaserver1 and ipaserver2 to both be a slave for this zone (not use a forwarder for the zone). Considering that ipaserver1 and ipaserver2 use the dynamic-db entry in named.conf, is there anything that I should be concerned about if I were to add:

zone "myzone.tld" {
    type slave;
    file "slave/myzone.db";
    masters { u.x.y.z; w.x.y.z; };
    allow-notify { u.x.y.z; w.x.y.z; };
    also-notify { ipaserver2; };   // BIND expects an IP address here, not a hostname
};

to ipaserver1?

I had considered adding the zone via 'ipa dnszone-add ipaserver1.intranet.local' but I did not find anything specific in the documentation describing how to configure the new zone as a slave of another system. Also, the number of entries in the zone is large and there are many updates per day and I was uncertain of the type of performance I could expect.

Thanks,
Mike

On 13-Jul-12, at 7:10 PM, Dmitri Pal wrote:

On 07/13/2012 07:04 PM, Michael Mercier wrote:
Hello,
I am by no means an expert either, but I believe what you are recommending would forward requests for myzone.tld to the ip.of.forwarder1 etc. I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all the data) of myzone.tld, and have ipaserver2 slave this data from ipaserver1.

The replicas in IPA do not need to be specially configured to be slaves of each other. They have the same data which is replicated by LDAP back end so it is not clear why you are trying to configure the replicas to be in master-slave relation.

Thanks,
Mike

On 13-Jul-12, at 5:11 PM, KodaK wrote:

On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier mmerc...@gmail.com wrote:
Hello,
When using IPA 2.2.0 with DNS setup (--setup-dns), are there any issues with adding slaves to the named.conf file?
example on ipaserver1:

zone "myzone.tld" {
    type slave;
    file "slave/myzone.db";
    masters { u.x.y.z; w.x.y.z; };
    allow-notify { u.x.y.z; w.x.y.z; };
    also-notify { ipaserver2; };   // BIND expects an IP address here, not a hostname
};

I'm no expert, but I think you'd want to use the command line option dnsconfig-mod:

ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2 myzone.tld

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
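The stanza quoted in this message and in Mike's original post is missing the semicolon after `file`, and its `also-notify` names a host where BIND's `masters`, `allow-notify` and `also-notify` lists take IP addresses. The POSIX sh helper below is an added example, not code from the thread or from the FreeIPA project: it emits a syntactically valid slave-zone stanza and refuses any address-list entry that is not a dotted-quad IPv4 address, so the hostname mistake is caught before `named` is restarted. The zone name, file path and the 192.0.2.x addresses are assumed values for illustration. Whether bind-dyndb-ldap's `dynamic-db "ipa"` block tolerates a static slave zone beside it is the open question of the thread; this helper only gets the syntax right.

```shell
#!/bin/sh
# Emit a BIND slave-zone stanza for a zone that IPA does not manage.
# Assumption: masters / allow-notify / also-notify are given as IPv4 addresses
# (BIND address lists do not accept hostnames), one per space-separated element.

# is_ipv4 ADDR -> exit 0 if ADDR is a dotted-quad IPv4 address
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# addr_list "a b c" -> "a; b; c;" for use inside a BIND address list;
# exit 1 without output if any element is not an IPv4 address
addr_list() {
    out=""
    for a in $1; do
        is_ipv4 "$a" || return 1
        out="$out $a;"
    done
    printf '%s' "${out# }"
}

# slave_zone_stanza ZONE FILE "MASTER ADDRS" "NOTIFY ADDRS" -> prints the stanza,
# exit 1 with a message on stderr if an address list is invalid
slave_zone_stanza() {
    zone=$1
    zfile=$2
    masters=$(addr_list "$3") || { echo "masters must be IPv4 addresses: $3" >&2; return 1; }
    notify=$(addr_list "$4")  || { echo "also-notify must be IPv4 addresses: $4" >&2; return 1; }
    cat <<EOF
zone "$zone" {
    type slave;
    file "$zfile";
    masters { $masters };
    allow-notify { $masters };
    also-notify { $notify };
};
EOF
}

# Stand-alone run with assumed values (192.0.2.0/24 is documentation address space).
slave_zone_stanza myzone.tld slave/myzone.db "192.0.2.1 192.0.2.2" "192.0.2.10"
```

Redirect the output into a file that named.conf includes, and run `named-checkconf` before reloading; passing `ipaserver2` as the notify target makes the helper exit non-zero instead of writing a stanza that `named` would reject.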