Re: [Freeipa-users] A public interface (aka My account management)
On 04/24/2013 08:32 AM, Tomas Babej wrote: On 04/24/2013 01:53 PM, Arturo Borrero wrote: Hi there. I'm wondering if it's possible to get FreeIPA with a 'public user interface'. This is: a place where a standar user can update his password and other personal data. I'm thinking in something similar to google.com/accounts Does this exists? If not, it is possible to develop this addon? We are strongly evaluating this functionality in order to actually implement FreeIPA as our identity management system. Best regards Hi, every user can log in to the Web UI using their login and Kerberos password. Having no other rights, there they can only edit their contact information, address information, reset their password, etc. See /ipa/ui/ on your FreeIPA server, that is https://ipa.example.com/ipa/ui/ https://vm-131.idm.lab.bos.redhat.com/ipa/ui/index.html#identity =usernavigation=identityuser-pkey=randomuser-facet=details Having played with it off/on a year or so ago, IIRC it's relatively easy to get apache + SSL speaking with LDAP + Kerberos. Even ignoring the direct python IPA interface. With some server-side scripting (I did it in python) you could emulate most of what's on the google accounts-page. The hardest part I found was getting my head around the lower-level LDAP + Kerberos python interfaces. However, going from understanding common-operations of both technologies from the command-line level to working with the API's isn't a very long road. Depending on how pretty the web-site needs to be, the code one yourself approach could be feasible, given educated developer resources. Since it sounds like your requirements are fairly basic, this may be an option to consider. (No I'm not volunteering, though it sounds fun :) Otherwise, I've also used the built-in web interface. It may be a bit cluttered for someone who _just_ needs to change a password or other very simplistic task (compared to google accounts-page). However if your users are somewhat technically-mided, they shouldn't have any trouble with the built-in self-service UI. It also offers a HUGE benefit to greatly extend self-service to the n-th degree, when it's multi-level rights-management features are used. -- Chris Evich, RHCA, RHCE, RHCDS, RHCSS Quality Assurance Engineer ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] KISS: DHCP from IPA
On 08/29/2012 03:52 PM, Rob Crittenden wrote: Chris Evich wrote: On 08/29/2012 11:57 AM, John Dennis wrote: Thanks for the contribution Chris! Just as an aside if you know Python you can call the IPA commands directly and use Python to extract and reformat the data, it might be a lot simpler than doing the bash/awk dance. I agree that using bash/sed/awk is a bit clunky. I actually did stumble on the python stuff by accident, but wasn't able to find much reference / examples for how to use it. At the time I just needed something quick to toss-together. Maybe the python docs/examples are different today, any links handy? I seem to recall this came up on either freeipa-users or freeipa-devel but I can't find the thread. Some decent examples got posted. Here is something I've been twiddling with to add users from a well-formatted passwd file: import sys import re from ipalib import api from ipalib import errors filename='passwd' name_pattern = re.compile('(\w+) \w (\w+)') api.bootstrap(context='cli') api.finalize() api.Backend.xmlclient.connect() count = 0 fd = open(filename, 'r') while True: line = fd.readline() if not line: break line = unicode(line.strip()) try: (login, passwd, uid, gid, gecos, dir, shell) = line.split(':') except ValueError, e: print mal-formed passwd entry: %s (%s) % (e, line) continue m = name_pattern.match(gecos) if m: first = m.group(1) last = m.group(2) else: first = u'USER' last = u'NAME' try: api.Command['user_add'](login, gidnumber=int(gid), uidnumber=int(uid), gecos=gecos.strip(), homedir=dir, shell=shell, givenname=first, sn=last) except errors.DuplicateEntry: print %s already exists % login continue ... rob Thanks! That helps. Still, one can only get so far by reading docstrings :) More examples like this on the wiki, or (even better) some API docs would be great! -- Chris Evich, RHCA, RHCE, RHCDS, RHCSS Quality Assurance Engineer e-mail: cevich + `@' + redhat.com o: 1-888-RED-HAT1 x44214 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] KISS: DHCP from IPA
Kool Idm Simple Script :D In case it's helpful to anyone else, I've been using a simple script to keep my dhcp server's static entries in-sync with ipa host info. Since I'm using IPA 2.1 on Fedora 16, I had to hijack the 'location' host info. key to store the MAC address for each host. IIRC, IPA 2.2 and later can add custom keys, however 'location' works fine for my purposes. This is most probably the slowest way to do this, however it's simple and works well for my very small setup. First I configured dhcpd (/etc/dhcp/dhcpd.conf) similar to: ---cut--- authoritative;#we are the definitave DHCP server on network ping-check true; #try to ping all hosts before committing one-lease-per-client on; ddns-update-style none; max-lease-time 432000; #maximum lease time is 5 days default-lease-time 86400; #default to 24 hour leases pid-file-name /var/run/dhcpd.pid; lease-file-name /var/lib/dhcpd/dhcpd.leases; log-facility local5; subnet subnet addr netmask 255.255.255.0 { option domain-name fqdn.com; option domain-name-servers ipa1 IP, ipa2 IP, ipa3 IP; option subnet-mask 255.255.255.0; option broadcast-address broadcast addr; option routers gateway addr; #pool of dynamically allocatable addresses 200 - 249 pool { range addr.200 addr.249; } } # static entries in separate file include /etc/dhcp/dhcpd.known_hosts; ---cut--- Then, I stuck a cron entry to redirect the output from the script below, into /etc/dhcp/dhcpd.known_hosts and it's been working beautifully. Enjoy! ---cut--- #!/bin/bash KRBPRINC='host/fqdn@domain.com' print_entry() { hostinfo=$1 hostname=`echo $1 | awk '/Host name: /{print $3}'` macaddr=`echo $1 | awk '/Location: /{print $2}'` if [ -n $hostname ] [ -n $macaddr ] then shortname=`echo $hostname | cut -d . -f 1` echo host $shortname { hardware ethernet $macaddr; fixed-address $hostname; } #else #echo -e Error parsing entry:\n${hostinfo} /dev/stderr fi } kinit -k $KRBPRINC infoblock= ipa host-find --all | while read line do if ( echo $line | grep -q 'dn: fqdn=' ) || \ ( echo $line | grep -q 'Number of entries returned' ) then # parse last complete entry print_entry $infoblock # start recording new entry infoblock=$line else # still getting lines for entry # append to previous lines infoblock=$infoblock $line fi done kdestroy ---cut--- ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] KISS: DHCP from IPA
On 08/29/2012 11:57 AM, John Dennis wrote: Thanks for the contribution Chris! Just as an aside if you know Python you can call the IPA commands directly and use Python to extract and reformat the data, it might be a lot simpler than doing the bash/awk dance. I agree that using bash/sed/awk is a bit clunky. I actually did stumble on the python stuff by accident, but wasn't able to find much reference / examples for how to use it. At the time I just needed something quick to toss-together. Maybe the python docs/examples are different today, any links handy? -- Chris Evich, RHCA, RHCE, RHCDS, RHCSS Quality Assurance Engineer e-mail: cevich + `@' + redhat.com o: 1-888-RED-HAT1 x44214 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA over the Internet - Security Implications
On 08/17/2012 07:02 AM, Michael Mercier wrote: Hi, Let us assume just the two systems directly connected to the internet. I am specifically interested in what the security implications would be, not ways to get around them (e.g. point-to-point tunnel). I have read that kerberos was designed for untrusted networks, just how untrusted can they be? Thanks, Mike On 16-Aug-12, at 9:43 PM, Steven Jones wrote: Hi, I would assume you could do a point to point tunnel between each and do the authentication via that. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Michael Mercier [mmerc...@gmail.com] Sent: Friday, 17 August 2012 1:14 p.m. To: freeipa-users@redhat.com Subject: [Freeipa-users] IPA over the Internet - Security Implications Hello, I was wondering what the security implications would be setting up a server to be a freeipa client at one site, and have it join a freeipa system over the internet at another site. ipaclient (siteA) -- internet -- ipaserver (siteB) Is there an IPA document that describes this situation? Thanks, Mike Don't overlook DOS/DDOS type attacks against these servers. While it may not penetrate the encryption, they could limit your options for fixing the problem remotely, or even locally. I'm not aware of/if/how well these services are validated against DOS-type attacks. However, even if they are somewhat hardened, simple things like massive ping-floods could easily overload the networking stack. Further, all of these services are heavily dependent on DNS. I'd worry about this just as much as KDC/LDAP, for simple availability problems (whatever the attack vector). This could easily bottle up all other traffic, and the short client-side timeouts (6-seconds) aren't helping. Again thinking beyond just the encrypted traffic, the server processes are also exposed with whatever unknown flaws they have. While they're certainly tighter than the average app., I'd pay particular attention to keeping them updated, 0-day if possible. This again can impact availability, for example in the case of unknown and unrelated regressions in the updates themselves. -- Chris Evich, RHCA, RHCE, RHCDS, RHCSS Quality Assurance Engineer e-mail: cevich + `@' + redhat.com o: 1-888-RED-HAT1 x44214 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Doc. mixup
Hi, Not sure if this is the right place or not, but I noticed that the freeipa.org documentation link for 2.0 goes to https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html which is for version 2.1.3. Freeipa 2.1.x is also what you get with Fedora 16, however the fedora 16 docs at https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/index.html show the version as 2.2 and as I've learned (the hard way) there are new features not supported in 2.1 :D Are there plans to rebase FreeIPA to 2.2 in Fedora 16? If not, then should I open a bug to fix up the Fedora 16 FreeIPA docs to point at the version which actually ships with it? Thanks ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Doc. mixup
Hi, Not sure if this is the right place or not, but I noticed that the freeipa.org documentation link for 2.0 goes to https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html which is for version 2.1.3. Freeipa 2.1.x is also what you get with Fedora 16, however the fedora 16 docs at https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/index.html show the version as 2.2 and as I've learned (the hard way) there are new features not supported in 2.1 :D Are there plans to rebase FreeIPA to 2.2 in Fedora 16? If not, then should I open a bug to fix up the Fedora 16 FreeIPA docs to point at the version which actually ships with it? Thanks ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Doc. mixup
On 05/21/2012 10:12 AM, Rob Crittenden wrote: Chris Evich wrote: Are there plans to rebase FreeIPA to 2.2 in Fedora 16? No. It can be possible to run a 2.2 server on F-16 but there are some things missing. If not, then should I open a bug to fix up the Fedora 16 FreeIPA docs to point at the version which actually ships with it? That would be great, thanks. rob Thanks for the info. I opened a fedora docs bug here: https://bugzilla.redhat.com/show_bug.cgi?id=823654 w/ keywords Documentation EasyFix. -- Chris Evich, RHCA, RHCE, RHCDS, RHCSS Quality Assurance Engineer e-mail: cevich + `@' + redhat.com o: 1-888-RED-HAT1 x44214 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] insecure IPA'd NFS
On 05/09/2012 06:18 PM, Steven Jones wrote: Hi, Thanks so I will remove the sec=sys bit and re-test..and then I assume it will be kerberos only. This is not true, it's documented in the exports man page how you can assign different permissions depending on the security type. For example: /nfsroot/stuff *(crossmnt,no_subtree_check,async,sec=krb5p,rw,root_squash,sec=sys,ro,all_squash) This makes it so users with valid kerberos creds have rw access (though root is squashed). W/o a kerberos ticket, a user can still read stuff, but all ownership information is squashed. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] insecure IPA'd NFS
On 05/09/2012 08:47 PM, Steven Jones wrote: Removed the sys: and now no IPA'd client can mount.oh joy Hehe, this is typical (and frustrating) for fresh NFS+Kerberos setups. it's very easy to miss a little detail and not get much back as to why it's not working. I'd suggest going through the setup step-by-step again to see what's missing. Does both client and server have valid nfs/fqdn@DOMAIN keys in /etc/krb5.keytab? Is /etc/krb5.keytab accessible (i.e. no SELinux problems)? Is port 2049 open on firewall? What's the state of rpc.svcgssd process on server and rpc.gssd process on client? Can you manually mount the export on the server? What shows in krb5kdc.log when trying to manually mount on client? If none of those localize the problem area further, you can go down the road of bumping the rpc debug levels on both sides to see where the issue is. Hope that helps. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] *SOLVED* Re: ipa-replica-prepare Certificate issuance failed
On 05/08/2012 09:10 AM, Simo Sorce wrote: On Sat, 2012-05-05 at 21:47 -0400, Chris Evich wrote: On 05/05/2012 09:08 PM, Chris Evich wrote: On 05/05/2012 08:01 PM, Chris Evich wrote: On 05/04/2012 04:17 PM, Chris Evich wrote: That makes me think maybe there's just a missing service principal or something I can add? I'll see if I can remove that request and try running ipa-replica-prepare again to see if it still gives that error (systems have been restarted since then). Though any other suggestions/ideas of what I can try or look at are much appreciated. Thanks. Replying to myself again, bad-form, but maybe it'll help someone else if they have a similar problem ...cut... I'm guessing there's something going on with this 'caIPAserviceCert' thing. Granted I didn't try requesting any certs prior to the update, however I can click the 'view' button in the web UI on some service certs from the install, so it was generating them at some point. Google was kind to me and I found https://bugzilla.redhat.com/show_bug.cgi?id=675742 which I quickly confirmed was a problem: [root@master ~]# find /var/lib -name caIPAserviceCert.cfg /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg [root@master ~]# cd /var/lib/pki-ca/profiles/ca/ [root@master ca]# ll total 424 -rw-rw. 1 pkiuser pkiuser 5571 Apr 22 16:42 caAdminCert.cfg -rw-rw. 1 pkiuser pkiuser 5485 Apr 22 16:42 caAgentFileSigning.cfg -rw-rw. 1 pkiuser pkiuser 5279 Apr 22 16:42 caAgentServerCert.cfg ...cut... -rw-rw. 1 pkiuser pkiuser 5548 Apr 22 16:42 caInternalAuthServerCert.cfg -rw-rw. 1 pkiuser pkiuser 5580 Apr 22 16:42 caInternalAuthSubsystemCert.cfg -rw-rw. 1 pkiuser pkiuser 5784 Apr 22 16:42 caInternalAuthTransportCert.cfg -rw-rw. 1 rootroot 6220 May 4 10:18 caIPAserviceCert.cfg ...cut... [root@master ca]# chown pkiuser.pkiuser caIPAserviceCert.cfg [root@master ca]# fixfiles restore * [root@master ~]# systemctl restart pki-cad@pki-ca.service certmonger.service ipa.service (Probably only needed to restart ipa.service) Now generating the cert works like a champ! with a whole boat-load more stuff showing up in the debug log: [root@replica ~]# ipa cert-request --principal=imap/replica fqdn@domain dovecot.pem.csr Certificate: MIIC6zCCAdOgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKE ...blahblahblah... fXlqt7LmHUSbfg== Subject: CN=replica fqdn,O=domain Issuer: CN=Certificate Authority,O=domain Not Before: Sun May 06 01:20:26 2012 UTC Not After: Wed May 07 01:20:26 2014 UTC Fingerprint (MD5): 41:ba:26:d9:71:82:7d:29:cf:c2:a2:2f:94:bc:22:82 Fingerprint (SHA1): e2:13:c5:69:43:f3:5e:44:23:d0:9a:fd:0f:e5:79:c3:2f:66:27:7b Feeling confident, I tried ipa-replica-prepare and it worked! [root@master ca]# ipa-replica-prepare replica fqdn Directory Manager (existing master) password: Preparing replica forreplica fqdn frommaster fqdn Creating SSL certificate for the Directory Server Creating SSL certificate for the dogtag Directory Server Creating SSL certificate for the Web Server Exporting RA certificate Copying additional files Finalizing configuration Packaging replica information into /var/lib/ipa/replica-info-replica fqdn.gpg I'm guessing what happened was I got bit by BZ 675742 or similar before or after the upgrade but never noticed b/c I haven't used the cert system until now. Maybe whatever the fix for this bug was should be revisited, or the upgrade process should make sure this file gets reset with the correct ownership. Otherwise, hopefully this exercise will be helpful to someone else, and thanks Rob for responding so quickly the other day. Chris, thanks a lot for getting back with your solution, it is very valuable for all users that may end up in the same weird situation. Simo. Sure thing. If y'all think of it, it might be good to put some more error reporting into the ipa-replica-prepare tool. The debug log didn't seem to be much help (to my n00b eyes). Ultimately it was the error message from ipa cert-request, Profile caIPAserviceCert Not Found which lead me to the solution. If it's hard to add it to the tool, then tossing stuff like that into the logs would help too. Just a suggestion, since with such awesome tooling (graphical and CLI) on a project like this, it's bound to attract more n00bs like me. The DNS/Kerberos stuff is straight forward because there's lots of deployments and a long history of mailing list posts to find answers on. The cert. system seems to be a different story entirely, it's (arguably) as powerful as kerberos but doesn't get nearly as much press coverage :D ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
On 05/05/2012 08:01 PM, Chris Evich wrote: On 05/04/2012 04:17 PM, Chris Evich wrote: That makes me think maybe there's just a missing service principal or something I can add? I'll see if I can remove that request and try running ipa-replica-prepare again to see if it still gives that error (systems have been restarted since then). Though any other suggestions/ideas of what I can try or look at are much appreciated. Thanks. Replying to myself again, bad-form, but maybe it'll help someone else if they have a similar problem I found the 20120504213228 request (from previous mail) sitting on the replica machine in /etc/pki/nssdb and was able to nuke it with certutil.Running ipa-replica-prepare however gave same failure. I'm assuming that came from when I did an ipa-client install on the replica box recently. Playing more to see if I could coax out more info, I tried running 'ipa cert-request' from what I want to be my replica machine: [root@replica certs]# ipa cert-request --principal=imap/replica fqdn@domain dovecot.csr ipa: ERROR: Certificate operation cannot be completed: FAILURE (Profile caIPAserviceCert Not Found) At the same time, I had a tailf running on the master's /var/log/pki-ca/debug and this is what came out: [05/May/2012:20:51:55][TP-Processor2]: CMSServlet:service() uri = //ca/eeca/ca/profileSubmitSSLClient [05/May/2012:20:51:55][TP-Processor2]: CMSServlet::service() param name='cert_request_type' value='pkcs10' [05/May/2012:20:51:55][TP-Processor2]: CMSServlet::service() param name='cert_request' value='-BEGIN CERTIFICATE REQUEST- MIIBjTCB9wIBADBOMRQwEgYDVQQLEwtJTUFQIHNlcnZlcjEXMBUGA1UEAxMOa2lu ...blah blah blah... z2ZS4bG7jleB0zm1rN3b5TY= -END CERTIFICATE REQUEST-' [05/May/2012:20:51:55][TP-Processor2]: CMSServlet::service() param name='xml' value='true' [05/May/2012:20:51:55][TP-Processor2]: CMSServlet::service() param name='profileId' value='caIPAserviceCert' [05/May/2012:20:51:55][TP-Processor2]: CMSServlet: caProfileSubmitSSLClient start to service. [05/May/2012:20:51:55][TP-Processor2]: xmlOutput true [05/May/2012:20:51:55][TP-Processor2]: Start of ProfileSubmitServlet Input Parameters [05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet Input Parameter cert_request_type='pkcs10' [05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet Input Parameter cert_request='-BEGIN CERTIFICATE REQUEST- MIIBjTCB9wIBADBOMRQwEgYDVQQLEwtJTUFQIHNlcnZlcjEXMBUGA1UEAxMOa2lu ...blah blah blah... z2ZS4bG7jleB0zm1rN3b5TY= -END CERTIFICATE REQUEST-' [05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet Input Parameter xml='true' [05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert' [05/May/2012:20:51:55][TP-Processor2]: End of ProfileSubmitServlet Input Parameters [05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet: start serving [05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet: SubId=profile [05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet: isRenewal false [05/May/2012:20:51:55][TP-Processor2]: ProfileSubmitServlet: profileId caIPAserviceCert [05/May/2012:20:51:55][TP-Processor2]: CMSServlet: curDate=Sat May 05 20:51:55 EDT 2012 id=caProfileSubmitSSLClient time=12 I'm guessing there's something going on with this 'caIPAserviceCert' thing. Granted I didn't try requesting any certs prior to the update, however I can click the 'view' button in the web UI on some service certs from the install, so it was generating them at some point. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] *SOLVED* Re: ipa-replica-prepare Certificate issuance failed
On 05/05/2012 09:08 PM, Chris Evich wrote: On 05/05/2012 08:01 PM, Chris Evich wrote: On 05/04/2012 04:17 PM, Chris Evich wrote: That makes me think maybe there's just a missing service principal or something I can add? I'll see if I can remove that request and try running ipa-replica-prepare again to see if it still gives that error (systems have been restarted since then). Though any other suggestions/ideas of what I can try or look at are much appreciated. Thanks. Replying to myself again, bad-form, but maybe it'll help someone else if they have a similar problem ...cut... I'm guessing there's something going on with this 'caIPAserviceCert' thing. Granted I didn't try requesting any certs prior to the update, however I can click the 'view' button in the web UI on some service certs from the install, so it was generating them at some point. Google was kind to me and I found https://bugzilla.redhat.com/show_bug.cgi?id=675742 which I quickly confirmed was a problem: [root@master ~]# find /var/lib -name caIPAserviceCert.cfg /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg [root@master ~]# cd /var/lib/pki-ca/profiles/ca/ [root@master ca]# ll total 424 -rw-rw. 1 pkiuser pkiuser 5571 Apr 22 16:42 caAdminCert.cfg -rw-rw. 1 pkiuser pkiuser 5485 Apr 22 16:42 caAgentFileSigning.cfg -rw-rw. 1 pkiuser pkiuser 5279 Apr 22 16:42 caAgentServerCert.cfg ...cut... -rw-rw. 1 pkiuser pkiuser 5548 Apr 22 16:42 caInternalAuthServerCert.cfg -rw-rw. 1 pkiuser pkiuser 5580 Apr 22 16:42 caInternalAuthSubsystemCert.cfg -rw-rw. 1 pkiuser pkiuser 5784 Apr 22 16:42 caInternalAuthTransportCert.cfg -rw-rw. 1 rootroot 6220 May 4 10:18 caIPAserviceCert.cfg ...cut... [root@master ca]# chown pkiuser.pkiuser caIPAserviceCert.cfg [root@master ca]# fixfiles restore * [root@master ~]# systemctl restart pki-cad@pki-ca.service certmonger.service ipa.service (Probably only needed to restart ipa.service) Now generating the cert works like a champ! with a whole boat-load more stuff showing up in the debug log: [root@replica ~]# ipa cert-request --principal=imap/replica fqdn@domain dovecot.pem.csr Certificate: MIIC6zCCAdOgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKE ...blahblahblah... fXlqt7LmHUSbfg== Subject: CN=replica fqdn,O=domain Issuer: CN=Certificate Authority,O=domain Not Before: Sun May 06 01:20:26 2012 UTC Not After: Wed May 07 01:20:26 2014 UTC Fingerprint (MD5): 41:ba:26:d9:71:82:7d:29:cf:c2:a2:2f:94:bc:22:82 Fingerprint (SHA1): e2:13:c5:69:43:f3:5e:44:23:d0:9a:fd:0f:e5:79:c3:2f:66:27:7b Feeling confident, I tried ipa-replica-prepare and it worked! [root@master ca]# ipa-replica-prepare king.yewess.us Directory Manager (existing master) password: Preparing replica for replica fqdn from master fqdn Creating SSL certificate for the Directory Server Creating SSL certificate for the dogtag Directory Server Creating SSL certificate for the Web Server Exporting RA certificate Copying additional files Finalizing configuration Packaging replica information into /var/lib/ipa/replica-info-replica fqdn.gpg I'm guessing what happened was I got bit by BZ 675742 or similar before or after the upgrade but never noticed b/c I haven't used the cert system until now. Maybe whatever the fix for this bug was should be revisited, or the upgrade process should make sure this file gets reset with the correct ownership. Otherwise, hopefully this exercise will be helpful to someone else, and thanks Rob for responding so quickly the other day. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] ipa-replica-prepare Certificate issuance failed
Hi, I've got a FreeIPA setup at home I just built the other week on Fedora 16. It's a very small/basic setup I'm mainly using for secure NFS+Kerberos and automount. Today, I updated everything and rebooted, and all seemed to be working okay (even /var/log/ipaupgrade.log). I'm now running: freeipa-python-2.1.4-7.fc16.x86_64 freeipa-client-2.1.4-7.fc16.x86_64 freeipa-admintools-2.1.4-7.fc16.x86_64 freeipa-server-2.1.4-7.fc16.x86_64 freeipa-server-selinux-2.1.4-7.fc16.x86_64 dogtag-pki-common-theme-9.0.11-1.fc16.noarch dogtag-pki-ca-theme-9.0.11-1.fc16.noarch pki-symkey-9.0.19-1.fc16.x86_64 pki-java-tools-9.0.19-1.fc16.noarch pki-setup-9.0.19-1.fc16.noarch pki-common-9.0.19-1.fc16.noarch pki-silent-9.0.19-1.fc16.noarch pki-util-9.0.19-1.fc16.noarch pki-selinux-9.0.19-1.fc16.noarch pki-ca-9.0.19-1.fc16.noarch I went to try and setup a replica following the docs at http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html and ran into a problem I can't figure out (after checking logs, list, google, and BZ searches): [root@master log]# ipa-replica-prepare replica fqdn Directory Manager (existing master) password: Preparing replica for replica fqdn from master fqdn Creating SSL certificate for the Directory Server Certificate issuance failed I just ran it again, with a tail on /var/log/pki-ca/debug and this is what it spat out: [04/May/2012:14:44:09][http-9444-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitSSLClient [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='cert_request_type' value='pkcs10' [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='cert_request' value='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n ...cut... H3dNbe4A ' [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='requestor_name' value='IPA Installer' [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='xmlOutput' value='true' [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='profileId' value='caIPAserviceCert' [04/May/2012:14:44:09][http-9444-1]: CMSServlet: caProfileSubmitSSLClient start to service. [04/May/2012:14:44:09][http-9444-1]: xmlOutput true [04/May/2012:14:44:09][http-9444-1]: Start of ProfileSubmitServlet Input Parameters [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request_type='pkcs10' [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n ...cut... H3dNbe4A ' [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter requestor_name='IPA Installer' [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter xmlOutput='true' [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert' [04/May/2012:14:44:09][http-9444-1]: End of ProfileSubmitServlet Input Parameters [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: start serving [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: SubId=profile [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: isRenewal false [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: profileId caIPAserviceCert [04/May/2012:14:44:09][http-9444-1]: CMSServlet: curDate=Fri May 04 14:44:09 EDT 2012 id=caProfileSubmitSSLClient time=11 Which also looks normal (to me). Though I've done nothing intentional with anything certificate related, again this is mainly a setup for kerberos. Where else can I look, or what can I run to get more clues why ipa-replica-prepare is failing? Thanks. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
On 05/04/2012 03:18 PM, Rob Crittenden wrote: Chris Evich wrote: Hi, I've got a FreeIPA setup at home I just built the other week on Fedora 16. It's a very small/basic setup I'm mainly using for secure NFS+Kerberos and automount. Today, I updated everything and rebooted, ...cut... [04/May/2012:14:44:09][http-9444-1]: CMSServlet: curDate=Fri May 04 14:44:09 EDT 2012 id=caProfileSubmitSSLClient time=11 Which also looks normal (to me). Though I've done nothing intentional with anything certificate related, again this is mainly a setup for kerberos. Where else can I look, or what can I run to get more clues why ipa-replica-prepare is failing? I think we'll need to get more info out of dogtag. If you edit /etc/ipa/default.conf and add debug=True, restart httpd, re-run the replica-prepare, there should be more information on the failure in /var/log/httpd/error_log. rob Whoa, okay, a WHOLE lot more info.: [Fri May 04 15:43:19 2012] [notice] Apache/2.2.22 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.3 Python/2.7.2 configured -- resuming normal operations [Fri May 04 15:43:22 2012] [error] ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'... [Fri May 04 15:43:22 2012] [error] ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py' ...lots more import plugin messages... [Fri May 04 15:43:24 2012] [error] ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at 'xml' [Fri May 04 15:43:24 2012] [error] ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver() at 'json' [Fri May 04 15:43:25 2012] [error] ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at 'xml' [Fri May 04 15:43:25 2012] [error] ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver() at 'json' [Fri May 04 15:43:28 2012] [error] ipa: INFO: *** PROCESS START *** [Fri May 04 15:43:28 2012] [error] ipa: INFO: *** PROCESS START *** Then I run ipa-replica-prepare fqdn of replica, put in my Directory Manager password, and it outputs the same Certificate issuance failed. I had a tailf on /var/log/httpd/error_log but nothing new was logged (nothing logged at all in fact) :S In /var/log/pki-ca/debug I see (what appears similar to before): [04/May/2012:15:46:31][Timer-0]: In LdapBoundConnFactory::getConn() [04/May/2012:15:46:31][Timer-0]: masterConn is connected: true [04/May/2012:15:46:31][Timer-0]: getConn: conn is connected true [04/May/2012:15:46:31][Timer-0]: getConn: mNumConns now 2 [04/May/2012:15:46:31][Timer-0]: SecurityDomainSessionTable: getSessionIds(): no sessions have been created [04/May/2012:15:46:31][Timer-0]: returnConn: mNumConns now 3 [04/May/2012:15:48:11][http-9444-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitSSLClient [04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='cert_request_type' value='pkcs10' [04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='cert_request' value='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n ...cut... vAUbEmg/ ' [04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='requestor_name' value='IPA Installer' [04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='xmlOutput' value='true' [04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='profileId' value='caIPAserviceCert' [04/May/2012:15:48:11][http-9444-1]: CMSServlet: caProfileSubmitSSLClient start to service. [04/May/2012:15:48:11][http-9444-1]: xmlOutput true [04/May/2012:15:48:11][http-9444-1]: Start of ProfileSubmitServlet Input Parameters [04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request_type='pkcs10' [04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n ...cut... vAUbEmg/ ' [04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter requestor_name='IPA Installer' [04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter xmlOutput='true' [04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert' [04/May/2012:15:48:11][http-9444-1]: End of ProfileSubmitServlet Input Parameters [04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet: start serving [04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet: SubId=profile [04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet: isRenewal false [04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet: profileId caIPAserviceCert [04/May/2012:15:48:11][http-9444-1]: CMSServlet: curDate=Fri May 04 15:48:11 EDT 2012 id=caProfileSubmitSSLClient time=9 I think the 3-minute time difference is expected - I was checking through other logs. Nothing that appears relevant shows up in audit.log, messages, http/access.log, dirsrv/slapd-PKI-IPA/errors or access: [04/May/2012:15:46:30 -0400] conn=2 op=58 SRCH base=ou=sessions,ou=Security