Re: [Freeipa-users] authenticating with dns
learned some things in the last few days
I believe one of the root problems I have, if not THE root problem, is that
I cannot start pki-tomcatd on my nyc01ipa02 machine. I now believe that if
I could get that machine to work correctly, I could get all the others
So, I get this in my logs
from /var/log/pki/pki-tomcat/ca/debug
> LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
> SSLClientCertificatSelectionCB: Entering!
> Candidate cert: subsystemCert cert-pki-ca
> SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert
> cert-pki-ca
> SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
> SSL handshake happened
> Could not connect to LDAP server host nyc01ipa02.mf port 636 Error
> netscape.ldap.LDAPException: Authentication failed (49)
from /var/log/dirsrv/slapd-MF/errors
> slapi_search_internal ("o=ipaca", subtree, seeAlso=CN=CA Subsystem,O=MF)
> err 32
which makes me think that the problem is the CA Subsystem secret isn't
available
when I do a "getcert list" I see that there are 8 keys
certificate: 'auditSigningCert
certificate: 'ocspSigningCert
certificate: 'subsystemCert
certificate: 'caSigningCert
certificate: 'ipaCert'
certificate: 'Server-Cert
certificate: 'Server-Cert'
certificate: 'Server-Cert'
should there be others?
also, I found this link
https://fedorahosted.org/freeipa/ticket/5100#comment:9
and this person outlined the a number of steps (I included them below) and
they seem reasonable to fix a problem like I'm experiencing...however, I
don't know how to do step 1. If anyone knows how to do that...?
1. Make changes to cause FreeIPA to think it is CA-less.
1. Extract CA signing key from a replica info file.
1. Run ipa-ca-install to install the CA on one of the IPA servers, with
external CA. This will generate a new private key and CSR to send to
external CA.
1. Replace the new private key generated for the CSR, with the private
key from the replica info file.
1. Continue the ipa-ca-install with the CA signing certificate from the
replica info file.
1. Manually adjust serial number ranges to ensure the new CA instance
does not issue certs with serial numbers that collide with certs issued by
the original CA instance. (This might have to be hacked into the
ipa-ca-install process).
1. Depending on whether your CA is self-signed, might need to tell
certmonger to track the CA signing certificate.
On Thu, Feb 23, 2017 at 11:57 AM, Aaron Young <ayo...@marketfactory.com>
wrote:
> And yes, I learned to stop using kadmin after I made that note
>
> On Thu, Feb 23, 2017 at 11:56 AM, Aaron Young <ayo...@marketfactory.com>
> wrote:
>
>> on ld4ipa01, I removed it with ipa-server-install --uninstall
>>
>> this was an attempt to recreate the replica from nyc02ipa02
>>
>> On Thu, Feb 23, 2017 at 3:17 AM, Martin Basti <mba...@redhat.com> wrote:
>>
>>>
>>>
>>> On 22.02.2017 23:26, Aaron Young wrote:
>>>
>>> Hello Everyone
>>>
>>> I recently lost the master master IPA server setup by the previous
>>> administrator.
>>> As it stands now, if I try to add a new client, in order to standup a
>>> new replica, I get errors while trying to setup DNS. This led me to look at
>>> how authentication worked (I'm new to IPA) and I learned about the kerberos
>>> tools
>>>
>>> I don't know if I'm familiar enough with the terminology to adequately
>>> describe what I'm experiencing, so I'll give you some of the commands and
>>> their results
>>>
>>> but first, a bit on the design
>>>
>>> before I got to this, we had
>>>
>>> a <-> b <-> c <-> d
>>>
>>> b was the master master
>>>
>>> a, happened to point to two test servers nyc02ipa01 and nyc02ipa02 (not
>>> pictured, I discovered them later when c and d started having problems)
>>>
>>> a - nyc01ipa02
>>> b - nyc01ipa01
>>> c - ld4ipa01
>>> d - ld4ipa02
>>>
>>> currently, I have nyc02ipa02 <-> nyc01ipa02
>>>
>>> the reason I have it limited like this is because all the other servers
>>> stopped replicating for one reason or another (mainly that they can't
>>> authenticate or in one case, there was a database record corruption)
>>>
>>> Anyway, here are some activities and logs from the latest round of fixes
>>> and information activities I've been engaging in
>>>
>>> 22:54:32 root@nyc01ipa02:~# kinit admin
>>> kinit: Clients credentials have been revoked while getting initial
>>> credentials
>>
Re: [Freeipa-users] authenticating with dns
And yes, I learned to stop using kadmin after I made that note On Thu, Feb 23, 2017 at 11:56 AM, Aaron Young <ayo...@marketfactory.com> wrote: > on ld4ipa01, I removed it with ipa-server-install --uninstall > > this was an attempt to recreate the replica from nyc02ipa02 > > On Thu, Feb 23, 2017 at 3:17 AM, Martin Basti <mba...@redhat.com> wrote: > >> >> >> On 22.02.2017 23:26, Aaron Young wrote: >> >> Hello Everyone >> >> I recently lost the master master IPA server setup by the previous >> administrator. >> As it stands now, if I try to add a new client, in order to standup a new >> replica, I get errors while trying to setup DNS. This led me to look at how >> authentication worked (I'm new to IPA) and I learned about the kerberos >> tools >> >> I don't know if I'm familiar enough with the terminology to adequately >> describe what I'm experiencing, so I'll give you some of the commands and >> their results >> >> but first, a bit on the design >> >> before I got to this, we had >> >> a <-> b <-> c <-> d >> >> b was the master master >> >> a, happened to point to two test servers nyc02ipa01 and nyc02ipa02 (not >> pictured, I discovered them later when c and d started having problems) >> >> a - nyc01ipa02 >> b - nyc01ipa01 >> c - ld4ipa01 >> d - ld4ipa02 >> >> currently, I have nyc02ipa02 <-> nyc01ipa02 >> >> the reason I have it limited like this is because all the other servers >> stopped replicating for one reason or another (mainly that they can't >> authenticate or in one case, there was a database record corruption) >> >> Anyway, here are some activities and logs from the latest round of fixes >> and information activities I've been engaging in >> >> 22:54:32 root@nyc01ipa02:~# kinit admin >> kinit: Clients credentials have been revoked while getting initial >> credentials >> >> Reading through this >> <http://web.mit.edu/Kerberos/krb5-1.13/doc/admin/lockout.html> tells me >> that >> >> # kadmin: modprinc -unlock PRINCNAME >> >> will unlock an account...but if I can't get in >> >> 22:54:37 root@nyc01ipa02:~# kadmin >> Authenticating as principal root/admin@MF with password. >> kadmin: Client 'root/admin@MF' not found in Kerberos database while >> initializing kadmin interface >> >> on ld4ipa02, did a >> >> # ipa-client-install --uninstall >> >> then >> >> # ipa-client-install --force-join --enable-dns-updates --permit -f >> --ssh-trust-dns --request-cert --automount-location=LD4 --enable-dns-updates >> >> DNS did not update, here is the relevant portion from >> /var/log/ipaclient-install.log >> >> 2017-02-20T18:46:49Z DEBUG Writing nsupdate commands to >> /etc/ipa/.dns_update.txt: >> 2017-02-20T18:46:49Z DEBUG debug >> >> update delete ld4ipa02.mf. IN A >> show >> send >> >> update delete ld4ipa02.mf. IN >> show >> send >> >> update add ld4ipa02.mf. 1200 IN A 10.102.100.140 >> show >> send >> >> 2017-02-20T18:46:49Z DEBUG Starting external process >> 2017-02-20T18:46:49Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt >> 2017-02-20T18:46:49Z DEBUG Process finished, return code=1 >> 2017-02-20T18:46:49Z DEBUG stdout=Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> ld4ipa02.mf. 0 ANY A >> >> 2017-02-20T18:46:49Z DEBUG stderr=Reply from SOA query: >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34702 >> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 >> ;; QUESTION SECTION: >> ;ld4ipa02.mf. IN SOA >> >> ;; AUTHORITY SECTION: >> mf. 1800 IN SOA ld4ipa01.mf. hostmaster.mf. 1487615509 3600 900 1209600 3600 >> >> Found zone name: mf >> The master is: ld4ipa01.mf >> start_gssrequest >> tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code >> may provide more information, Minor = Server DNS/ld4ipa01.mf@MF not found in >> Kerberos database. >> >> 2017-02-20T18:46:49Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g >> /etc/ipa/.dns_update.txt' returned non-zero exit status 1 >> 2017-02-20T18:46:49Z ERROR Failed to update DNS records. >> 2017-02-20T18:46:49Z DEBUG DNS resolver: Query: ld4ipa02.mf I
Re: [Freeipa-users] authenticating with dns
on ld4ipa01, I removed it with ipa-server-install --uninstall this was an attempt to recreate the replica from nyc02ipa02 On Thu, Feb 23, 2017 at 3:17 AM, Martin Basti <mba...@redhat.com> wrote: > > > On 22.02.2017 23:26, Aaron Young wrote: > > Hello Everyone > > I recently lost the master master IPA server setup by the previous > administrator. > As it stands now, if I try to add a new client, in order to standup a new > replica, I get errors while trying to setup DNS. This led me to look at how > authentication worked (I'm new to IPA) and I learned about the kerberos > tools > > I don't know if I'm familiar enough with the terminology to adequately > describe what I'm experiencing, so I'll give you some of the commands and > their results > > but first, a bit on the design > > before I got to this, we had > > a <-> b <-> c <-> d > > b was the master master > > a, happened to point to two test servers nyc02ipa01 and nyc02ipa02 (not > pictured, I discovered them later when c and d started having problems) > > a - nyc01ipa02 > b - nyc01ipa01 > c - ld4ipa01 > d - ld4ipa02 > > currently, I have nyc02ipa02 <-> nyc01ipa02 > > the reason I have it limited like this is because all the other servers > stopped replicating for one reason or another (mainly that they can't > authenticate or in one case, there was a database record corruption) > > Anyway, here are some activities and logs from the latest round of fixes > and information activities I've been engaging in > > 22:54:32 root@nyc01ipa02:~# kinit admin > kinit: Clients credentials have been revoked while getting initial > credentials > > Reading through this > <http://web.mit.edu/Kerberos/krb5-1.13/doc/admin/lockout.html> tells me > that > > # kadmin: modprinc -unlock PRINCNAME > > will unlock an account...but if I can't get in > > 22:54:37 root@nyc01ipa02:~# kadmin > Authenticating as principal root/admin@MF with password. > kadmin: Client 'root/admin@MF' not found in Kerberos database while > initializing kadmin interface > > on ld4ipa02, did a > > # ipa-client-install --uninstall > > then > > # ipa-client-install --force-join --enable-dns-updates --permit -f > --ssh-trust-dns --request-cert --automount-location=LD4 --enable-dns-updates > > DNS did not update, here is the relevant portion from > /var/log/ipaclient-install.log > > 2017-02-20T18:46:49Z DEBUG Writing nsupdate commands to > /etc/ipa/.dns_update.txt: > 2017-02-20T18:46:49Z DEBUG debug > > update delete ld4ipa02.mf. IN A > show > send > > update delete ld4ipa02.mf. IN > show > send > > update add ld4ipa02.mf. 1200 IN A 10.102.100.140 > show > send > > 2017-02-20T18:46:49Z DEBUG Starting external process > 2017-02-20T18:46:49Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt > 2017-02-20T18:46:49Z DEBUG Process finished, return code=1 > 2017-02-20T18:46:49Z DEBUG stdout=Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > ld4ipa02.mf. 0 ANY A > > 2017-02-20T18:46:49Z DEBUG stderr=Reply from SOA query: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34702 > ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 > ;; QUESTION SECTION: > ;ld4ipa02.mf. IN SOA > > ;; AUTHORITY SECTION: > mf. 1800 IN SOA ld4ipa01.mf. hostmaster.mf. 1487615509 3600 900 1209600 3600 > > Found zone name: mf > The master is: ld4ipa01.mf > start_gssrequest > tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code > may provide more information, Minor = Server DNS/ld4ipa01.mf@MF not found in > Kerberos database. > > 2017-02-20T18:46:49Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g > /etc/ipa/.dns_update.txt' returned non-zero exit status 1 > 2017-02-20T18:46:49Z ERROR Failed to update DNS records. > 2017-02-20T18:46:49Z DEBUG DNS resolver: Query: ld4ipa02.mf IN A > 2017-02-20T18:46:49Z DEBUG DNS resolver: No record. > 2017-02-20T18:46:49Z DEBUG DNS resolver: Query: ld4ipa02.mf IN > 2017-02-20T18:46:49Z DEBUG DNS resolver: No record. > 2017-02-20T18:46:49Z DEBUG DNS resolver: Query: 140.100.102.10.in-addr.arpa. > IN PTR > 2017-02-20T18:46:49Z DEBUG DNS resolver: No record. > 2017-02-20T18:46:49Z WARNING Missing A/ record(s) for host ld4ipa02.mf: > 10.102.100.140. > 2017-02-20T18:46:49Z WARNING Missing reverse record(s) for address(es): > 10.102.100.140. > > Why isn't there an entry for "DNS/ld4ipa01.mf@MF" in the Kerberos > database? > > klist -ktK /etc/dirsrv/d
[Freeipa-users] authenticating with dns
psearch -H ldap://nyc02ipa02:389 -D "cn=directory manager" -W -b "" -s base # ldapsearch -H ldaps://nyc02ipa02:686 -D "cn=directory manager" -W -b "" -s base Testing the kvno 02:10:00 root@ld4ipa01:~# kvno DNS/ld4ipa01.mf@MF DNS/ld4ipa01.mf@MF: kvno = 2 02:10:52 root@ld4ipa02:~# kvno DNS/ld4ipa01.mf@MF kvno: Server DNS/ld4ipa01.mf@MF not found in Kerberos database while getting credentials for DNS/ld4ipa01.mf@MF Add this to any command line to get debug on kerberos commands KRB5_TRACE=/dev/stdout kvno DNS/ld4ipa01.mf@MF So, looking at the debug kvno from ld4ipa02, does not return tickets. It does this because it contacts the KDC which is nyc02ipa02, and nyc02ipa02 does not recognize ldipa02 as an IPA server. It doesn't recognize ld4ipa01 either. right now, if I try to connect nyc02ipa02 to ld4ipa01 I get 21:56:27 root@nyc02ipa02:~# ipa topologysegment-add domain ld4ipa01-to-nyc02ipa02 --leftnode ld4ipa01.mf --rightnode nyc02ipa02.mf ipa: ERROR: invalid 'leftnode': left node is not a topology node: ld4ipa01.mf ipa privilege-show 'DNS Servers' --all --raw dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=mf cn: DNS Servers description: DNS Servers member: krbprincipalname=DNS/nyc01ipa02.mf@MF,cn=services,cn=accounts,dc=mf member: krbprincipalname=ipa-dnskeysyncd/nyc01ipa02.mf@MF,cn=services,cn=accounts,dc=mf member: krbprincipalname=DNS/nyc02ipa02.mf@MF,cn=services,cn=accounts,dc=mf member: krbprincipalname=ipa-dnskeysyncd/nyc02ipa02.mf@MF,cn=services,cn=accounts,dc=mf member: krbprincipalname=ipa-ods-exporter/nyc01ipa02.mf@MF,cn=services,cn=accounts,dc=mf memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=mf memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=mf memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=mf memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=mf memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=mf memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=mf memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=mf memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=mf memberof: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=mf objectClass: top objectClass: groupofnames objectClass: nestedgroup -- Aaron Young MarketFactory, Manager of Site Reliability Engineering 425 Broadway, 3FL New York, NY 10013 Office: +1 212 625 9988 Direct +1 646 779 3710 US Support: +1 (212) 625-0688 | UK Support: +44 (0) 203 695-7997 -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] lost master master and soa
sorry for the late response, yes, this was helpful I ended up realizing that each IPA server is a kind of SOA and that I needed to get rid of the old master and much of it resolved itself...until the next problem surfaced that is keeping me from creating a new master (at least, with my limited knowledge) i'll start a new message about this to help the web searchers in the future On Tue, Feb 14, 2017 at 2:18 AM, Martin Babinsky <mbabi...@redhat.com> wrote: > On 02/13/2017 10:12 PM, Aaron Young wrote: > >> hello >> >> So, I recently took over this site and a couple days into it, the first >> ipa server died because of disk corruption. >> >> Right now, I've built another ipa server to step into the topology as a >> replica, but I keep getting strange dns errors during update >> >> Looking at it closer, it appears that when nsupdate runs, it fails >> updating >> >> looking closer, I notice that the SOA comes back with the name of the >> missing server >> >> So, it seems like I should change that. So far I've been unable to >> >> I get messages back from nsupdate like >> >> "response to SOA query was unsuccessful" >> >> I'm not sure what information I should send to help with this >> >> My main question is, is there a way to force the change of the SOA? >> >> aaron >> -- >> Aaron Young >> MarketFactory, Manager of Site Reliability Engineering >> 425 Broadway, 3FL >> New York, NY 10013 >> Office: +1 212 625 9988 >> Direct +1 646 779 3710 >> US Support: +1 (212) 625-0688 <tel:%2B1%20%28212%29%20625-0688> | UK >> Support: +44 (0) 203 695-7997 <tel:%2B44%20%280%29%20203%20695-7997> >> >> >> > Hi Aaron, > > there may be some stale NS record on other IPA masters which serve your > DNS zone. you can verify this by running: > > # ipa dnsrecord-show @ > > and check the list of nameservers returned. > > To remove the record of the old master run > > # ipa dnsrecord-del @ --ns-rec > > Also, make sure you cleaned up old agreements, services, etc. of the old > master by running `ipa-replica-manage del --force --cleanup ` > on some other IPA master. > > You will also probably have to stand-up a new CA renewal/CRL master[1] on > one of remaining replicas if the first server died and you have CA > configured. > > [1] http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master > > Hope this helps > > -- > Martin^3 Babinsky > -- Aaron Young MarketFactory, Manager of Site Reliability Engineering 425 Broadway, 3FL New York, NY 10013 Office: +1 212 625 9988 Direct +1 646 779 3710 US Support: +1 (212) 625-0688 | UK Support: +44 (0) 203 695-7997 -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] lost master master and soa
hello So, I recently took over this site and a couple days into it, the first ipa server died because of disk corruption. Right now, I've built another ipa server to step into the topology as a replica, but I keep getting strange dns errors during update Looking at it closer, it appears that when nsupdate runs, it fails updating looking closer, I notice that the SOA comes back with the name of the missing server So, it seems like I should change that. So far I've been unable to I get messages back from nsupdate like "response to SOA query was unsuccessful" I'm not sure what information I should send to help with this My main question is, is there a way to force the change of the SOA? aaron -- Aaron Young MarketFactory, Manager of Site Reliability Engineering 425 Broadway, 3FL New York, NY 10013 Office: +1 212 625 9988 Direct +1 646 779 3710 US Support: +1 (212) 625-0688 | UK Support: +44 (0) 203 695-7997 -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
