[Freeipa-users] FreeIPA DNS (named)

2017-01-06 Thread Günther J. Niederwimmer
Hello List,

I have configured my domain (DNSSEC) with FreeIPA.

Now I have to configure an internal zone with the same domain name but with
internal IPs.

Is it possible to add a view "internal" and a view "external" to the named.conf,
or is this overwritten by the FreeIPA DNS module??

Is there another way to do this with FreeIPA?

Thanks for an answer,

-- 
with kind regards / best regards

  Günther J. Niederwimmer

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Replica Problem (Errors)

2016-10-25 Thread Günther J. Niederwimmer
Hello Ludwig,

Thanks for the help.

On Tuesday, 25 October 2016, 17:20:44, Ludwig Krispenz wrote:
> On 10/25/2016 04:41 PM, Günther J. Niederwimmer wrote:
> > Hello Ludwig,
> > 
> > Thanks for the answer and help,

> >>>> - attrlist_replace errors: looks like you have recreated a replica on a
> >>>> machine and not cleaned the RUV, please see:
> >>>> http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records
> >>> 
> >>> I didn't add or remove a replica? These two servers have been running now,
> >>> I mean, for over three months?
> >> 
> >> that is strange, could you perform step 1] and 2] of this recipe:
> >> https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html
> >> but add the option "-o ldif-wrap=no" to the ldapsearch to get the full
> >> ruv
> > 
> > OK.
> > The first is
> > 
> > ipa-csreplica-manage list
> > Directory Manager password:
> > 
> > ipa.example.com: master
> > ipa1.example.com: master
> > 
> > The second is:
> > nsDS5ReplicaId: 96
> > nsds50ruv: {replicageneration} 5706b1a30060
> > nsds50ruv: {replica 96 ldap://ipa.example.com:389} 5706b1ab0060 580f6a5f0060
> > nsds50ruv: {replica 91 ldap://ipa1.example.com:389} 5714ad01005b 575c65140005005b
> > nsds50ruv: {replica 97 ldap://ipa1.example.com:389} 5706b1bd0061 570803a90061
 
> you should do the same search on ipa1, it looks like you have two
> replicaids: 91 and 97 for the same server: ipa1.example.com
> from the timestamps in the RUV I think you recreated the instance on
> ipa1 between Apr 8th and Apr 18th and since then have this in the RUV.
> but it looks like changes on ipa1 for the o=ipaca suffix are rare (ruv
> output from ipa1 would tell more) and maybe you missed the error messages so
> far.

But I don't remember recreating ipa1? But it could be, I had an error when
creating the replica (?).

OK, ipa1 is this

nsDS5ReplicaId: 91
nsds50ruv: {replicageneration} 5706b1a30060
nsds50ruv: {replica 91 ldap://ipa1.example.com:389} 5714ad01005b 575c65140005005b
nsds50ruv: {replica 96 ldap://ipa.example.com:389} 5706b1ab0060 580f6a5f0060
nsds50ruv: {replica 97 ldap://ipa1.example.com:389} 5706b1bd0061 570803a90061


 
> I would suggest you follow the next steps in the doc about cleaning the
> no longer active replicaID from the ruv

OK, I will test it out and hope this is working!

But for me it is not really understandable why this was created?

> > The domain is changed !!
> > 
> >>> The last thing I remember is that I added a 3rd party certificate?
> >>> 
> >>> but I didn't find so many errors before :-(.
> >>> 
> >>> Is there a possible way for a "normal" user to check a FreeIPA
> >>> installation, to find out whether the system is consistent?
> >>> 
> >>>> - keep-alive already exists: this is also an indication of a new
> >>>> replica, the keep alive entry was in the database, but the supplier
> >>>> tries to send it again, this should also disappear once some real
> >>>> changes from replica 4 are replicated
> >>>> 
> >>>>> but now I have on the changed master these 100... errors
> >>>>> 
> >>>>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord:
> >>>>> could
> >>>>> not delete change record 396504 (rc: 32)
> >>>>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord:
> >>>>> could
> >>>>> not delete change record 396505 (rc: 32)
> >>>>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord:
> >>>>> could
> >>>>> not delete change record 396506 (rc: 32)
> >>>>> [23/Oct/2016:13:37:08 +0200] NSMMReplicationPlugin - replication keep
> >>>>> alive
> >>>>> entry 

Re: [Freeipa-users] Replica Problem (Errors)

2016-10-25 Thread Günther J. Niederwimmer
Hello Ludwig,

Thanks for the answer and help,

On Monday, 24 October 2016, 14:16:23, Ludwig Krispenz wrote:
> On 10/24/2016 01:21 PM, Günther J. Niederwimmer wrote:
> > On Monday, 24 October 2016, 09:53:21, Ludwig Krispenz wrote:
> >> On 10/23/2016 03:01 PM, Günther J. Niederwimmer wrote:
> >>> I have added on my ipa (master) server this user and ACI with an LDIF
> >>> file
> >>> 
> >>> This Ends with a
> >>> modifying entry "cn=users,cn=accounts,dc=example,dc=com"
> >> 
> >> these changes are not related to the errors you report below (I would be
> >> really surprised) and you only need to apply them on one server, that's
> >> what replication is good for.
> >> 
> >> There are a couple of different types of messages:
> >> - failed to delete changelog record: this is from retro changelog
> >> trimming, when miscalculation of the starting point for trimming starts
> >> with changenumber lower than what's in the retro changelog.
> >> In my experience this can happen after a crash/kill/reboot and should
> >> stop after some time
> > 
> > OK, nothing to do ;-).
> > 
> >> - attrlist_replace errors: looks like you have recreated a replica on a
> >> machine and not cleaned the RUV, please see:
> >> http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records
> > 
> > I didn't add or remove a replica? These two servers have been running now,
> > I mean, for over three months?
> 
> that is strange, could you perform step 1] and 2] of this recipe:
> https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html
> but add the option "-o ldif-wrap=no" to the ldapsearch to get the full ruv

OK.
The first is

ipa-csreplica-manage list
Directory Manager password: 

ipa.example.com: master
ipa1.example.com: master

The second is:
nsDS5ReplicaId: 96
nsds50ruv: {replicageneration} 5706b1a30060
nsds50ruv: {replica 96 ldap://ipa.example.com:389} 5706b1ab0060 580f6a5f0060
nsds50ruv: {replica 91 ldap://ipa1.example.com:389} 5714ad01005b 575c65140005005b
nsds50ruv: {replica 97 ldap://ipa1.example.com:389} 5706b1bd0061 570803a90061

The domain is changed !!
 
> > The last thing I remember is that I added a 3rd party certificate?
> > 
> > but I didn't find so many errors before :-(.
> > 
> > Is there a possible way for a "normal" user to check a FreeIPA installation,
> > to find out whether the system is consistent?
> > 
> >> - keep-alive already exists: this is also an indication of a new
> >> replica, the keep alive entry was in the database, but the supplier
> >> tries to send it again, this should also disappear once some real
> >> changes from replica 4 are replicated
> >> 
> >>> but now I have on the changed master these 100... errors
> >>> 
> >>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord:
> >>> could
> >>> not delete change record 396504 (rc: 32)
> >>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord:
> >>> could
> >>> not delete change record 396505 (rc: 32)
> >>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord:
> >>> could
> >>> not delete change record 396506 (rc: 32)
> >>> [23/Oct/2016:13:37:08 +0200] NSMMReplicationPlugin - replication keep
> >>> alive
> >>> entry 

[Freeipa-users] Is this a bigger Problem DNSSEC ?

2016-10-25 Thread Günther J. Niederwimmer
Hello,

FreeIPA 4.3.1
CentOS 7.2


I found today in /var/log/messages these entries.

Is DNSSEC now broken?

Thanks for an answer

Oct 25 15:41:29 ipa ipa-dnskeysyncd: Traceback (most recent call last):
Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", 
line 112, in 
Oct 25 15:41:29 ipa ipa-dnskeysyncd: while 
ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-
packages/ldap/syncrepl.py", line 405, in syncrepl_poll
Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.syncrepl_refreshdone()
Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-
packages/ipapython/dnssec/keysyncer.py", line 118, in syncrepl_refreshdone
Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.bindmgr.sync(self.dnssec_zones)
Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-
packages/ipapython/dnssec/bindmgr.py", line 209, in sync
Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.sync_zone(zone)
Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-
packages/ipapython/dnssec/bindmgr.py", line 182, in sync_zone
Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.install_key(zone, uuid, attrs, 
tempdir)
Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-
packages/ipapython/dnssec/bindmgr.py", line 117, in install_key
Oct 25 15:41:29 ipa ipa-dnskeysyncd: result = ipautil.run(cmd, 
capture_output=True)
Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-
packages/ipapython/ipautil.py", line 479, in run
Oct 25 15:41:29 ipa ipa-dnskeysyncd: raise CalledProcessError(p.returncode, 
arg_string, str(output))
Oct 25 15:41:29 ipa ipa-dnskeysyncd: subprocess.CalledProcessError: Command 
'/usr/sbin/dnssec-keyfromlabel-pkcs11 -K /var/named/dyndb-
ldap/ipa/master/4gjn.com/tmppaO_R2 -a RSASHA256 -l 
pkcs11:object=d7fe5c98d5f3f89aefb9e8dfb92ebcb1;pin-
source=/var/lib/ipa/dnssec/softhsm_pin -I 20160811091542 -D 20160825225503 -P 
20160513081600 -A 20160513081600 4gjn.com.' returned non-zero exit status 1
Oct 25 15:41:30 ipa systemd: ipa-dnskeysyncd.service: main process exited, 
code=exited, status=1/FAILURE
Oct 25 15:41:30 ipa systemd: Unit ipa-dnskeysyncd.service entered failed 
state.
Oct 25 15:41:30 ipa systemd: ipa-dnskeysyncd.service failed.

-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Replica Problem (Errors)

2016-10-24 Thread Günther J. Niederwimmer
Hello Ludwig,

thanks for the answer,


On Monday, 24 October 2016, 09:53:21, Ludwig Krispenz wrote:
> On 10/23/2016 03:01 PM, Günther J. Niederwimmer wrote:
> > I have added on my ipa (master) server this user and ACI with an LDIF file
> > 
> > ldapmodify -x -D 'cn=Directory Manager' -W
> > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: secret123
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> > 
> > ^D
> > 
> > dn: cn=users,cn=accounts,dc=example,dc=com
> > changetype: modify
> > add: aci
> > aci: (targetattr="mailAlternateAddress")
> > (targetfilter="(objectClass=mailrecipient)")
> > 
> >(version
> >3.0; acl "Allow system account to read mail address"; allow(read,
> >search, compare) userdn =
> >"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com;;)
> > 
> > This Ends with a
> > modifying entry "cn=users,cn=accounts,dc=example,dc=com"
> 
> these changes are not related to the errors you report below (I would be
> really surprised) and you only need to apply them on one server, that's
> what replication is good for.
> 
> There are a couple of different types of messages:
> - failed to delete changelog record: this is from retro changelog
> trimming, when miscalculation of the starting point for trimming starts
> with changenumber lower than what's in the retro changelog.
> In my experience this can happen after a crash/kill/reboot and should
> stop after some time

OK, nothing to do ;-).
 
> - attrlist_replace errors: looks like you have recreated a replica on a
> machine and not cleaned the RUV, please see:
> http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records

I didn't add or remove a replica? These two servers have been running now,
I mean, for over three months?

The last thing I remember is that I added a 3rd party certificate?

but I didn't find so many errors before :-(.

Is there a possible way for a "normal" user to check a FreeIPA installation,
to find out whether the system is consistent?

> - keep-alive already exists: this is also an indication of a new
> replica, the keep alive entry was in the database, but the supplier
> tries to send it again, this should also disappear once some real
> changes from replica 4 are replicated
> 
> > but now I have on the changed master these 100... errors
> > 
> > [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 396504 (rc: 32)
> > [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 396505 (rc: 32)
> > [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could
> > not delete change record 396506 (rc: 32)
> > [23/Oct/2016:13:37:08 +0200] NSMMReplicationPlugin - replication keep
> > alive
> > entry 

[Freeipa-users] Replica Problem (Errors)

2016-10-23 Thread Günther J. Niederwimmer
Hello,

I have added on my ipa (master) server this user and ACI with an LDIF file

ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D

dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")  
(targetfilter="(objectClass=mailrecipient)")
  (version
  3.0; acl "Allow system account to read mail address"; allow(read,
  search, compare) userdn =
  "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com;;)

This Ends with a 
modifying entry "cn=users,cn=accounts,dc=example,dc=com"

but now I have on the changed master these 100... errors

[23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not 
delete change record 396504 (rc: 32)
[23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not 
delete change record 396505 (rc: 32)
[23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not 
delete change record 396506 (rc: 32)
[23/Oct/2016:13:37:08 +0200] NSMMReplicationPlugin - replication keep alive 
entry 

Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Günther J. Niederwimmer
Hello,

many, many thanks, this was the problem ;-)

now I have a
modifying entry "cn=users,cn=accounts,dc=example,dc=com"
:-)))

So now I hope I can configure my dovecot server and the mailAlternateAddress is
found!

Thanks again.

On Friday, 21 October 2016, 16:21:35, Ludwig Krispenz wrote:
> On 10/21/2016 04:05 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > Thanks for the answer,
> > 
> >> On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:
> >> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> >>> Hello Martin and List,
> >>> 
> >>> Pardon me, but something is wrong with the ldif i
> > dn: cn=users,cn=accounts,dc=example,dc=com
> > changetype: modify
> > add: aci
> > aci:
> > (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipie
> > nt)") (version
> > 3.0; acl "Allow system account to read mail address"; allow(read,
> > search, compare) userdn =
> > "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com;;)
> > ""
> > 
> > but what is wrong ?
> 
> the value for the aci attribute spans multiple lines.  In an LDIF file a
> continuation line has to start with a space. Try
> 
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci:
> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipien
> t)") (version
>   3.0; acl "Allow system account to read mail address"; allow(read,
>   search, compare) userdn =
>   "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com;;)
> 
> >>> I have searched and read now for some days, but this FreeIPA / LDAP
> >>> problem has too high a level for me :-(.
> >>> 
> >>> Please help again..
> >>> 
> >>> Thanks for an answer
> >>> 
> >>> On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> >>>> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> >>>>> Hello Martin and List
> >>>>> 
> >>>>> Thanks for the answer and Help.
> >>>>> 
> >>>>> I mean my big problem is to understand the way to configure an ACI :-(.
> >>> 
> >>> # ldapmodify -x -D 'cn=Directory Manager' -W
> >>> 
> >>>dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> >>>changetype: add
> >>>objectclass: account
> >>>objectclass: simplesecurityobject
> >>>uid: system
> >>>userPassword: secret123
> >>>passwordExpirationTime: 20380119031407Z
> >>>nsIdleTimeout: 0
> >>>
> >>> 
> >>> ^D
> >>> 
> >>>>>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>>>>>> 
> >>>>>>> The IPA docs have no time stamp to find out whether this is current or old
> >>>>>>> 
> >>>>>>> :-(.
> >>>>>>> 
> >>>>>>> Thanks for a answer,
> >>>>>> 
> >>>>>> Hi Gunther,
> >>>>>> 
> >>>>>> that LDIF looks ok to me.
> >>>>>> 
> >>>>>> Do not forget that you must set up the correct ACIs in order for the
> >>>>>> system account to see the 'mailAlternateAddress' attribute.
> >>>> 
> >>>> See the following document for a step-by-step guide on how to write
> >>>> ACIs:
> >>>> 
> >>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
> >>>> 
> >>>> To allow the system account read access to your custom attributes, you
> >>>> can use LDIF like this (untested, hopefully I got it right from the top
> >>>> of my head):
> >>>> 
> >>>> """
> >>>> dn: cn=users,cn=accounts,dc=example,dc=com
> >>>> changetype: modify
> >>>> add: aci
> >>>> aci:
> >>>> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailreci
> >>>> pi
> >>>> ent )")(version 3.0; acl "Allow system account to read mail address";
> >>>> allow(read,
> >>>> search, compare) userdn =
> >>>> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com;;)
> >>>> """
> >>>> save it to file and then call
> >>>> 
> >>>> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
> >>>> 
> >>>> to add this ACI to cn=users subtree. The ACI then applies to all
> >>>> entries
> >>>> in the subtree.

-- 
with kind regards / best regards,

  Günther J. Niederwimmer

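
The folding rule Ludwig explains above, as an added example that is not part of this thread and not ldapmodify's own code: a small RFC 2849 line-folding parser that joins continuation lines starting with a single space and otherwise fails with the physical line number, the way ldapmodify reported "invalid format (line 5)". Both LDIF texts are constructed from the thread's ACI, with the userdn value closed as ";) in the usual 389 DS ACI syntax.

```python
import base64
import re

# Constructed from the thread: the ACI value is wrapped onto new lines with no
# leading space, so ldapmodify sees line 5 as a new, malformed attribute line.
BROKEN_LDIF = """\
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version 3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""

# The same change folded the RFC 2849 way: each continuation line starts with
# one space, which is stripped when the lines are joined (a second space stays).
FIXED_LDIF = """\
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
 (version 3.0; acl "Allow system account to read mail address"; allow(read,
  search, compare) userdn =
  "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""

# "attr: value" or "attr:: base64value"
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*):(:?) *(.*)$")


class LdifFormatError(ValueError):
    """Carries the physical line number, like ldapmodify's own message."""

    def __init__(self, lineno, text):
        super().__init__("invalid format (line %d): %s" % (lineno, text))
        self.lineno = lineno


def unfold(ldif):
    """Yield (number of the first physical line, logical line) pairs."""
    current, start = None, 0
    for lineno, raw in enumerate(ldif.splitlines(), 1):
        if raw.startswith(" ") and current is not None:
            current += raw[1:]  # continuation: drop exactly one fold space
            continue
        if current is not None:
            yield start, current
        current, start = raw, lineno
    if current is not None:
        yield start, current


def parse_ldif(ldif):
    """Parse LDIF into records, each a list of (attribute, value) pairs.

    A logical line that is not blank, a comment, the "-" separator of a
    modify record, or "attr: value" raises LdifFormatError.
    """
    records, record = [], []
    for lineno, line in unfold(ldif):
        if line == "":
            if record:
                records.append(record)
                record = []
            continue
        if line.startswith("#"):
            continue
        if line == "-":
            record.append(("-", ""))
            continue
        m = LINE_RE.match(line)
        if not m:
            raise LdifFormatError(lineno, line)
        attr, is_b64, value = m.groups()
        if is_b64:
            value = base64.b64decode(value).decode("utf-8")
        record.append((attr, value))
    if record:
        records.append(record)
    return records


def check(ldif):
    """Return (ok, message) for a file about to be given to ldapmodify -f."""
    try:
        records = parse_ldif(ldif)
    except LdifFormatError as err:
        return False, str(err)
    summary = ", ".join("%s (%d chars)" % (a, len(v)) for r in records for a, v in r)
    return True, "%d record(s): %s" % (len(records), summary)


if __name__ == "__main__":
    for name, text in (("as posted", BROKEN_LDIF), ("folded", FIXED_LDIF)):
        ok, msg = check(text)
        print("%-9s %s %s" % (name, "OK " if ok else "ERR", msg))
```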


Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Günther J. Niederwimmer
Hello,

Thanks for the answer,

On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:
> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> > Hello Martin and List,
> > 
> > Pardon me, but something is wrong with the ldif i
> > 
> > ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
> > Enter LDAP Password:
> > ldapmodify: invalid format (line 5) entry:
> > "cn=users,cn=accounts,dc=4gjn,dc=com"
> 
> dn: cn=users,cn=accounts,dc=4gjn,dc=com

This is in the ldif?

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: 
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version 
3.0; acl "Allow system account to read mail address"; allow(read, 
search, compare) userdn = 
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com;;)
""

but what is wrong ?
 
> > I have searched and read now for some days, but this FreeIPA / LDAP problem
> > has too high a level for me :-(.
> > 
> > Please help again..
> > 
> > Thanks for an answer
> > 
> > On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> >> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> >>> Hello Martin and List
> >>> 
> >>> Thanks for the answer and Help.
> >>> 
> >>> I mean my big problem is to understand the way to configure an ACI :-(.
> > 
> > # ldapmodify -x -D 'cn=Directory Manager' -W
> > 
> >   dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> >   changetype: add
> >   objectclass: account
> >   objectclass: simplesecurityobject
> >   uid: system
> >   userPassword: secret123
> >   passwordExpirationTime: 20380119031407Z
> >   nsIdleTimeout: 0
> >   
> > 
> > ^D
> > 
> >>>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>>>> 
> >>>>> The IPA docs have no time stamp to find out whether this is current or old
> >>>>> :-(.
> >>>>> 
> >>>>> Thanks for a answer,
> >>>> 
> >>>> Hi Gunther,
> >>>> 
> >>>> that LDIF looks ok to me.
> >>>> 
> >>>> Do not forget that you must set up the correct ACIs in order for the
> >>>> system account to see the 'mailAlternateAddress' attribute.
> >> 
> >> See the following document for a step-by-step guide on how to write ACIs:
> >> 
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
> >> 
> >> To allow the system account read access to your custom attributes, you
> >> can use LDIF like this (untested, hopefully I got it right from the top
> >> of my head):
> >> 
> >> """
> >> dn: cn=users,cn=accounts,dc=example,dc=com
> >> changetype: modify
> >> add: aci
> >> aci:
> >> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipi
> >> ent )")(version 3.0; acl "Allow system account to read mail address";
> >> allow(read,
> >> search, compare) userdn =
> >> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com;;)
> >> """
> >> save it to file and then call
> >> 
> >> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
> >> 
> >> to add this ACI to cn=users subtree. The ACI then applies to all entries
> >> in the subtree.

-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Günther J. Niederwimmer
Hello Martin and List,

Pardon me, but something is wrong with the ldif i

ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password: 
ldapmodify: invalid format (line 5) entry: 
"cn=users,cn=accounts,dc=4gjn,dc=com"

I have searched and read now for some days, but this FreeIPA / LDAP problem has
too high a level for me :-(.

Please help again..

Thanks for an answer

On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> > Hello Martin and List
> > 
> > Thanks for the answer and Help.
> > 
> > I mean my big problem is to understand the way to configure an ACI :-(.

# ldapmodify -x -D 'cn=Directory Manager' -W
 dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
 changetype: add
 objectclass: account
 objectclass: simplesecurityobject
 uid: system
 userPassword: secret123
 passwordExpirationTime: 20380119031407Z
 nsIdleTimeout: 0
 
^D

> >>> 
> >>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>> 
> >>> The IPA docs have no time stamp to find out whether this is current or old :-(.
> >>> 
> >>> Thanks for a answer,
> >> 
> >> Hi Gunther,
> >> 
> >> that LDIF looks ok to me.
> >> 
> >> Do not forget that you must set up the correct ACIs in order for the
> >> system account to see the 'mailAlternateAddress' attribute.
> 
> See the following document for a step-by-step guide on how to write ACIs:
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
> 
> To allow the system account read access to your custom attributes, you
> can use LDIF like this (untested, hopefully I got it right from the top
> of my head):
> 
> """
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci:
> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient
> )")(version 3.0; acl "Allow system account to read mail address";
> allow(read,
> search, compare) userdn =
> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com;;)
> """
> save it to file and then call
> 
> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
> 
> to add this ACI to cn=users subtree. The ACI then applies to all entries
> in the subtree.

-- 
with kind regards / best regards,

  Günther J. Niederwimmer



[Freeipa-users] Question Time and DS

2016-10-21 Thread Günther J. Niederwimmer
Hello,

CentOS 7

1. Is it possible to install the DS tools for installing / testing ACIs
(found in the Red Hat docs) without destroying the FreeIPA installation?

2. What is the best way to have a correct time in KVM clients (FreeIPA
server)?

My way at the moment is "chrony"; with NTP I have the problem of a
too big time difference and NTP can't correct this?


-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-17 Thread Günther J. Niederwimmer
Hello Martin and List

Thanks for the answer and Help.

I mean my big problem is to understand the way to configure an ACI :-(.

I can't find any example or docs to configure this correctly :-(.

I mean this is a problem for the professional league in FreeIPA, and I am not a
professional :-(..

I do this for all LDAP-configured apps:

ipa group-add systemers --nonposix  #group

ipa pwpolicy-add systemers --maxlife=2 --minclasses=3 --priority=0  #forever-passwords

ipa user-add ldapbind --first=ldapbind --last=systemer --homedir=/ --gecos="" --shell=/usr/sbin/nologin --email="" --random  #user

This user (ldapbind) is only in the group systemers.

But now I have to create for this user an ACI to read uid,
passwd, mail, mailAlternateAddress...

mailAlternateAddress is in "objectClass mailrecipient"

I mean I must have an ACI like
access to attribute= 

Does anyone have a hint or link to understand this problem?

Thanks for an answer and help,

 
On Monday, 17 October 2016, 07:35:26, Martin Babinsky wrote:
> On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > IPA 4.3.1
> > 
> > I have a big problem with my LDAP read user (ldapbind). I would like to install
> > dovecot with IPA, but I must have "mailAlternateAddress". I found a plugin
> > for this, but now I can't read these attributes :-(.
> > 
> > Is this the current way to implement a system account?
> > 
> > # ldapmodify -x -D 'cn=Directory Manager' -W
> > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: secret123
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> > 
> > ^D
> > 
> > https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> > 
> > The IPA docs have no time stamp to find out whether this is current or old :-(.
> > 
> > Thanks for a answer,
> 
> Hi Gunther,
> 
> that LDIF looks ok to me.
> 
> Do not forget that you must set up the correct ACIs in order for the
> system account to see the 'mailAlternateAddress' attribute.

-- 
with kind regards / best regards,

  Günther J. Niederwimmer



[Freeipa-users] Best and Secure Way for a System Account

2016-10-16 Thread Günther J. Niederwimmer
Hello,

IPA 4.3.1

I have a big problem with my LDAP read user (ldapbind). I would like to install
dovecot with IPA, but I must have "mailAlternateAddress". I found a plugin for
this, but now I can't read these attributes :-(.

Is this the current way to implement a system account?

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D

https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no time stamp to find out whether this is current or old :-(.

Thanks for an answer,
-- 
with kind regards / best regards,

  Günther J. Niederwimmer



[Freeipa-users] Question Test 3rd Party Certificate

2016-09-24 Thread Günther J. Niederwimmer
Hello,

What is the best way to test a newly installed 3rd party certificate?
I hope I have now installed (with big problems) the new certificate on clients
and servers.

But now the big question is whether this is all working correctly together (?),
or have I made a mistake?

I would like to install this on a production server with two masters and 8 clients,
FreeIPA 4.2, CentOS 7 with all updates

with mail server, private cloud, web server, DNS server.

The next question is, what happens in three years when the certificates expire?
Is there a tested way to renew the certificate?

I have searched a long time on the internet but I can't find answers?

Thanks for an answer,

-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] 3rd party Cert install now IPA total broken

2016-09-20 Thread Günther J. Niederwimmer
Hello.

Thanks for the first help,

On Monday, 19 September 2016, 12:02:19, Florence Blanc-Renaud wrote:
> On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > Freeipa 4.3.1
> > 
> > I have now installed a 3rd party certificate from StartCom; now my IPA is
> > totally broken?

> > ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install root.crt

I mean this is the wrong cert I installed :-(.

Is it possible to overwrite or delete it and make it new? This file is the root CA
from StartCom ("30 Years")
 
> > ipa-certupdate
> > 
> > ipa-server-certinstall -w -d ipa_3rd_ca.p12

This was wrong; I deleted all these installed certs with
certutil -d . -D -n xxx
 
> > I create this p12 with key.pem, cert.pem root.crt

Now I created a new p12 with, I hope, the correct certs.

I got from StartCom an httpd zip file with 1_root_bundle.crt ("15 Years") and
my wildcard certificate; this I included in my newly created p12 with my key.pem.

This p12 I installed on the first master with

pk12util -v -i ipa_4gjn_ca.p12 -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt -W 

pk12util -v -i ipa_4gjn_ca.p12 -d /etc/dirsrv/slapd-4GJN-COM -k /etc/dirsrv/slapd-4GJN-COM/pwdfile.txt -W xxx
and
pk12util -v -i ipa_4gjn_ca.p12 -d /var/lib/pki/pki-tomcat/alias -k /etc/pki/pki-tomcat/pwdfile.txt -W x

I changed nss.conf and, I hope, the correct file in /etc/dirsrv/slapd-
/dsl.ldif

Then I changed in all NSS DBs the StartCom cert (1_root_bundle.crt) with the name
STARTCOM-ROOT to
certutil -d . -M -t C,, -n STARCOM-ROOT


Afterward I did a reboot and a test
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Why is the ipa-ods-exporter service always STOPPED?

Next I tested a login on the IPA Web UI; this is now also working ;-)


The QUESTION is now: what about the second master and the IPA clients?
Now (?) I have also found ipa-backup ;-) OK, for the next problem I know it 
now :-). 

Do I have to repeat all this on the second master?

And what is the correct way to inform the clients?

Thanks again for an answer,
 
> Hi,
> 
> there were some issues with ipa-server-certinstall (see tickets #4785,
> #4786 and #6263).
> In order to check your configuration, you must make sure that the NSS
> DBs for Apache and the LDAP server (/etc/httpd/alias,
> /var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
> - the server certificate with flags u,u,u (= the one contained in
> ipa_3rd_ca.p12)
> - the certificate of the CA which signed the server certificate, with
> flags C,, (= the one contained in root.crt)
> 
> Then you can also check if the nickname for the server cert is properly
> set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in
> the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute
> nsSSLPersonalitySSL).
> 
> If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may
> provide more information.
> 
> Also note that it is important to run ipa-certupdate on all the clients
> and replicas in order to install the new certificates in the NSS DBs
> *before* you run ipa-server-certinstall.
> 
> Hope this helps,
> Flo.
> 
> > Kerberos doesn't start anymore?
> > The error is
> > 
> > Unspecified GSS failure.Minor (2529639068): Cannot contact any KDC for
> > realm '4GJN.COM'
> > 
> > After inserting in nss.conf
> > "NSSEnforceValidCerts off"
> > 
> > ipactl restart is starting (?) but
> > 
> > ipactl status tells me
> > Directory Service: RUNNING
> > krb5kdc Service: RUNNING
> > kadmin Service: RUNNING
> > named Service: RUNNING
> > ipa_memcached Service: RUNNING
> > httpd Service: RUNNING
> > ipa-custodia Service: RUNNING
> > pki-tomcatd Service: RUNNING
> > ipa-otpd Service: RUNNING
> > ipa-ods-exporter Service: STOPPED
> > ods-enforcerd Service: RUNNING
> > ipa-dnskeysyncd Service: RUNNING
> > ipa: INFO: The ipactl command was successful
> > 
> > With certutil -d /etc/httpd/alias -L I now have this
> > Certificate Nickname                        Trust Attributes
> >                                             SSL,S/MIME,JAR/XPI
> > 
> > Signing-Cert

[Freeipa-users] 3rd party Cert install now IPA total broken

2016-09-16 Thread Günther J . Niederwimmer
Hello,
Freeipa 4.3.1

I have now installed a 3rd-party certificate from Startcom, and now my IPA is 
totally broken?
I did this:

ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install root.crt

ipa-certupdate

ipa-server-certinstall -w -d ipa_3rd_ca.p12

I created this p12 with key.pem, cert.pem and root.crt.

I also inserted the intermediate.crt into cert.pem.

Kerberos doesn't start anymore?
The error is
Unspecified GSS failure.Minor (2529639068): Cannot contact any KDC for realm '4GJN.COM'

After inserting in nss.conf
"NSSEnforceValidCerts off"

ipactl restart is starting (?) but

ipactl status tells me
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

With certutil -d /etc/httpd/alias -L I now have this:
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

Signing-Cert                                u,u,u
4GJN_CA_FILE                                u,u,u
ipaCert                                     u,u,u
4GJN.COM IPA CA                             CT,C,C
STARTCOM-ROOT                               C,,

I can insert in nss.conf either
#NSSNickname "Signing-Cert" original
or
NSSNickname 4GJN_CA_FILE
but all is now broken?

I also add this, as found in Bugzilla:
certutil -d /var/lib/pki/pki-tomcat/alias -L

Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                 u,u,u
subsystemCert cert-pki-ca                   u,u,u
caSigningCert cert-pki-ca                   CTu,Cu,Cu
Server-Cert cert-pki-ca                     u,u,u
auditSigningCert cert-pki-ca                u,u,Pu
STARTCOM-ROOT                               CT,,

This was created in the

certutil -d /etc/dirsrv/slapd-4GJN.COM -L

Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

4GJN_CA_FILE                                u,u,u
4GJN.COM IPA CA                             CT,C,C
STARTCOM-ROOT                               C,,

Can anyone help a little, please ;-)

The bad problem: I tested this on my master server with DNS / DNSSEC, which I can't 
install anew (DNSSEC keys).

-- 
with kind regards / best regards,

  Günther J. Niederwimmer

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
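Flo's checklist in the reply above (server certificate with flags u,u,u, signing CA with C,, and the NSSNickname in nss.conf pointing at that server certificate) can be checked mechanically against the certutil -L listings this post shows. The script below is an added example, not code from the list or from the FreeIPA project: it parses the text of `certutil -d <db> -L`, the sample listing and nss.conf fragment are constructed from the /etc/httpd/alias output in the post, and `audit_db` is a hypothetical wrapper that runs the same checks on a live database.

```shell
#!/bin/sh
# Added example: audit an NSS DB listing against the checklist from the thread.
# Sample listing constructed from the /etc/httpd/alias output in the post.
SAMPLE_LISTING='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

Signing-Cert                                u,u,u
4GJN_CA_FILE                                u,u,u
ipaCert                                     u,u,u
4GJN.COM IPA CA                             CT,C,C
STARTCOM-ROOT                               C,,'

# Constructed nss.conf fragment; only the NSSNickname directive matters here.
SAMPLE_NSS_CONF='NSSEngine on
NSSNickname Signing-Cert
NSSEnforceValidCerts off'

# trust_of NICK: read a certutil -L listing on stdin and print the trust flags
# of NICK. Header lines are skipped because their last field is not three
# comma-separated flag groups; nicknames may contain spaces.
trust_of() {
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /^[CTPcpu]*,[CTPcpu]*,[CTPcpu]*$/ {
            flags = $NF; $NF = ""; sub(/[ \t]+$/, "")
            if ($0 == nick) print flags
        }'
}

# A server certificate usable by mod_nss / 389-ds must be u,u,u
# (private key present in the DB, trusted for its own use).
is_server_cert() { [ "$(trust_of "$1")" = "u,u,u" ]; }

# The CA that signed the server cert must be trusted for SSL: C in the
# first flag group (C,, as in Flo's reply, or CT,, for the IPA CA).
is_trusted_ca() {
    case "$(trust_of "$1")" in
        C*) return 0 ;;
        *)  return 1 ;;
    esac
}

# nss_nickname: print the NSSNickname value from nss.conf text on stdin,
# ignoring commented-out directives and surrounding double quotes.
nss_nickname() {
    awk '$1 == "NSSNickname" { sub(/^[ \t]*NSSNickname[ \t]+/, ""); gsub(/"/, ""); print }'
}

# audit_listing CA_NICK NSS_CONF_TEXT: read a listing on stdin and check that
# the nickname configured in nss.conf is a server cert and CA_NICK is a CA.
audit_listing() {
    ca_nick=$1; conf=$2
    listing=$(cat)
    nick=$(printf '%s\n' "$conf" | nss_nickname)
    [ -n "$nick" ] || { echo "no NSSNickname in nss.conf" >&2; return 1; }
    printf '%s\n' "$listing" | is_server_cert "$nick" \
        || { echo "$nick is not u,u,u" >&2; return 1; }
    printf '%s\n' "$listing" | is_trusted_ca "$ca_nick" \
        || { echo "$ca_nick is not trusted as a CA" >&2; return 1; }
}

# audit_db DB CA_NICK NSS_CONF: hypothetical wrapper for a live system, e.g.
#   audit_db /etc/httpd/alias STARTCOM-ROOT /etc/httpd/conf.d/nss.conf
audit_db() {
    certutil -d "$1" -L | audit_listing "$2" "$(cat "$3")"
}
```

Run the same `trust_of` over the pki-tomcat and dirsrv listings to compare the three databases; on the listing above, `audit_listing STARTCOM-ROOT` passes for either NSSNickname the post tried, so the flags alone are not what is broken there.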


[Freeipa-users] ipa-server-certinstall -w -d mysite.key mysite.crt

2016-09-15 Thread Günther J . Niederwimmer
Hello,

FreeIPA 4.3.1

Is it a workaround to install the key and cert?

With this command I have to insert a password, but the key file has no 
password?

Afterwards I get an error from ipa-server-certinstall?

Thanks for the help
-- 
with kind regards / best regards,

  Günther J. Niederwimmer



[Freeipa-users] 3rd party Certificate install

2016-09-13 Thread Günther J . Niederwimmer
Hello,

FreeIPA 4.3.1

I'd like to install my new Startcom cert and have a problem with the access?

I searched and found this

ipa-cacert-manage -p '#-!???<<<<<<' -n STARTCOM-ROOT -t C,, install 1_root_bundle.crt

but I get this
Insufficient access:  Invalid credentials
The ipa-cacert-manage command failed.

Can I test the "DM" password with another command, or is this a problem with 
ipa-cacert-manage?

I tested it with "kinit admin" and without?

Or is this a problem with the password when I write this
ipa-cacert-manage -p #-!???<<<<<< -n STARTCOM-ROOT -t C,, install 1_root_bundle.crt

I get this answer

ipa-cacert-manage: error: -p option requires an argument

Thanks for an answer,
-- 
with kind regards / best regards,

  Günther J. Niederwimmer

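The second error in this post comes from the shell, not from ipa-cacert-manage: an unquoted word that begins with `#` starts a comment, so the shell drops everything after `-p` and the tool correctly reports that the option has no argument, while single quotes keep `#`, `!`, `?` and `<` literal and deliver the whole value as one argument. The script below is an added example, not code from the list or from FreeIPA; it uses the redacted password string from the post purely as a sample value and a stand-in function in place of the real tool, re-parsing the unquoted line with `eval` so the comment behaviour can be observed in a script.

```shell
#!/bin/sh
# Added example: how a POSIX shell splits the two ipa-cacert-manage lines from
# the post. count_args and arg_after_p stand in for the real tool.

# Print how many arguments the caller received.
count_args() { printf '%s\n' "$#"; }

# Print the argument that follows -p, or "<none>" if -p is last or absent.
arg_after_p() {
    while [ "$#" -gt 0 ]; do
        if [ "$1" = "-p" ]; then
            [ "$#" -ge 2 ] && printf '%s\n' "$2" || printf '<none>\n'
            return 0
        fi
        shift
    done
    printf '<none>\n'
}

# Single quotes: 8 arguments reach the command and -p is followed by the
# full password (sample value taken from the post, already redacted there).
quoted_invocation() { count_args -p '#-!???<<<<<<' -n STARTCOM-ROOT -t C,, install 1_root_bundle.crt; }
quoted_password()   { arg_after_p -p '#-!???<<<<<<' -n STARTCOM-ROOT -t C,, install 1_root_bundle.crt; }

# Unquoted: '#' opens a comment, so only "-p" survives (1 argument) and
# -p has no value, which is exactly the "-p option requires an argument" error.
# eval re-parses the string the way the interactive shell parsed the typed line.
unquoted_invocation() { eval 'count_args -p #-!???<<<<<< -n STARTCOM-ROOT -t C,, install 1_root_bundle.crt'; }
unquoted_password()   { eval 'arg_after_p -p #-!???<<<<<< -n STARTCOM-ROOT -t C,, install 1_root_bundle.crt'; }
```

Quote the password in single quotes, or leave `-p` off altogether so the Directory Manager password never lands in shell history or the process list (ipa-cacert-manage prompts for it when `-p` is not given). In the first run in the post the quoting was already correct, so the `Invalid credentials` there is the directory server rejecting the password itself, not a parsing problem.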


Re: [Freeipa-users] Error by creating a services SOLVED

2016-09-06 Thread Günther J . Niederwimmer
Hello,

On Monday, 5 September 2016, 17:43:26, Günther J. Niederwimmer wrote:

I found it with help.

Thanks for the help,

My mistake was in a local DNS entry! 
 
> On Monday, 5 September 2016, 17:09:03, Martin Basti wrote:
> > On 05.09.2016 16:53, Günther J. Niederwimmer wrote:
> > > Hello,
> > > 
> > > CentOs 7.2
> > > FreeIPA: 4.2.0-15
> > > 
> > > Why is this error only on one server?
> > 
> > Hello,
> > 
> > probably you have something DNS related misconfigured on that particular
> > server.
> > 
> > Can you resolve hostname manually from server? (host, dig A commands)
> 
> This was my first check ;-), yes, all is correct, host and dig are working;
> this is an external server and I can connect remotely to mx03.example.com
> 
> I checked also the reverse zone; this is also correct?
> 
> But it is not possible to create a service; the enrollment is working with
> no errors?
> 
> OK, now I do ipa-client-install --uninstall and ipa-client-install again
> and test it?
> 
> > > IPA Error 4019: DNSNotARecordError
> > > Host does not have corresponding DNS A/ record
> > > 
> > > When I create a service on another server (KVM), this is no problem, but
> > > on my new "mx03.example.com" I have these errors?
> > > 
> > > The DNS is at the moment not configured with IPA; it is a KVM client
> > > (named) and it works correctly?
> > > 
> > > 
> > > Is this a name problem (mx03) or ..
> > > 
> > > Thanks for an answer
> > > 
> > > Reverse zone is correctly set to mx03."example.com"

-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Error by creating a services

2016-09-05 Thread Günther J . Niederwimmer
Hello,

On Monday, 5 September 2016, 17:09:03, Martin Basti wrote:
> On 05.09.2016 16:53, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > CentOs 7.2
> > FreeIPA: 4.2.0-15
> > 
> > Why is this error only on one server?
> 
> Hello,
> 
> probably you have something DNS related misconfigured on that particular
> server.
> 
> Can you resolve hostname manually from server? (host, dig A commands)

This was my first check ;-), yes, all is correct, host and dig are working; 
this is an external server and I can connect remotely to mx03.example.com

I checked also the reverse zone; this is also correct?

But it is not possible to create a service; the enrollment is working with no 
errors?

OK, now I do ipa-client-install --uninstall and ipa-client-install again 
and test it?

> > IPA Error 4019: DNSNotARecordError
> > Host does not have corresponding DNS A/ record
> > 
> > When I create a service on another server (KVM), this is no problem, but
> > on my new "mx03.example.com" I have these errors?
> > 
> > The DNS is at the moment not configured with IPA; it is a KVM client
> > (named) and it works correctly?
> > 
> > Is this a name problem (mx03) or ..
> > 
> > Thanks for an answer
> > 
> > Reverse zone is correctly set to mx03."example.com"

-- 
with kind regards / best regards,

  Günther J. Niederwimmer



[Freeipa-users] Error by creating a services

2016-09-05 Thread Günther J . Niederwimmer
Hello,

CentOs 7.2
FreeIPA: 4.2.0-15

Why is this error only on one server?

IPA Error 4019: DNSNotARecordError
Host does not have corresponding DNS A/ record

When I create a service on another server (KVM), this is no problem, but on my 
new "mx03.example.com" I have these errors?

The DNS is at the moment not configured with IPA; it is a KVM client (named) 
and it works correctly?

Is this a name problem (mx03) or ..

Thanks for an answer

Reverse zone is correctly set to mx03."example.com"

-- 
with kind regards / best regards,

  Günther J. Niederwimmer



[Freeipa-users] Question DNS

2016-07-22 Thread Günther J . Niederwimmer
Hello List,

What is the best way to include a local DNS server?

Can I configure on an IPA DNS server (external) views for an internal DNS without 
problems?

Is the named configuration overwritten by updates or anything else?

I have now read many FreeIPA docs but found nothing for this problem?
-- 
with kind regards / best regards,

  Günther J. Niederwimmer



[Freeipa-users] (DRAFT) HA mail services with FreeIPA, postfix, dovecot, amavisd-new, clamd and PLAIN/GSSAPI SSO

2016-07-12 Thread Günther J . Niederwimmer
Hello,

Some days ago I found this doc; now I'd like to set up a secure mail server, but 
the article is now missing?

Can this come back?

Thanks,
-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-07-07 Thread Günther J . Niederwimmer
Hello Petr,

On Thursday, 7 July 2016, 09:14:35 CEST, Petr Spacek wrote:
> On 23.6.2016 15:27, Günther J. Niederwimmer wrote:
> > Hello Martin,
> > 
> > On Thursday, 23 June 2016, 15:02:18 CEST, Martin Basti wrote:
> >> On 20.06.2016 18:48, Günther J. Niederwimmer wrote:
> >>> Hello,
> >>> 
> >>> On Monday, 20 June 2016, 09:54:11 CEST, Petr Spacek wrote:
> >>>> On 18.6.2016 15:03, Günther J. Niederwimmer wrote:
> >>>>> hello,
> >>>>> 
> >>>>> On Friday, 17 June 2016, 23:05:32 CEST, Martin Basti wrote:
> >>>>>> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
> >>>>>>> Hello,
> >>>>>>> 
> >>>>>>> On Friday, 17 June 2016, 14:13:55 CEST, Martin Basti wrote:
> >>>>>>>> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
> >>>>>>>>> Hello List,
> >>>>>>>>> 
> >>>>>>>>> On Friday, 17 June 2016, 07:51:45 CEST, Petr Spacek wrote:
> >>>>>>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
> >>>>>>>>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
> >>>>>>>>>>>> Hello
> >>>>>>>>>>>> 
> >>>>>>>>>>>> On my system the ods-exporter, I think, has a problem.
> >>>>>>>>>>>> 
> >>>>>>>>>>>> I have this in the logs
> >>>>>>>>>>>> CentOS 7.(2) ipa 4.3.1
> >>>>>>>>>>>> 
> >>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise
> >>>>>>>>>>>> errors.ACIError(info=info)
> >>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
> >>>>>>>>>>>> Insufficient
> >>>>>>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified
> >>>>>>>>>>>> GSS
> >>>>>>>>>>>> failure.
> >>>>>>>>>>>> Minor code may provide more information (Ticket expired)
> >>>>>>>>>>>   
> >>>>>>>>>>>   Here seems to be a reason why it failed.
> >>>>>>>>>>>   But I can't help you more.
> >>>>>>>>>> 
> >>>>>>>>>> Lukas is right. Interesting, this should never happen :-)
> >>>>>>>>> 
> >>>>>>>>> This I have also found ;-)
> >>>>>>>>> 
> >>>>>>>>>> Please enable debugging using procedure
> >>>>>>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
> >>>>>>>>>> and check logs after next ipa-ods-exporter restart.
> >>>>>>>>>> Thank you!
> >>>>>>>>> 
> >>>>>>>>> OK,
> >>>>>>>>> 
> >>>>>>>>> I attach the messages log?
> >>>>>>>>> 
> >>>>>>>>> I think this is a problem with my DNS?
> >>>>>>>> 
> >>>>>>>> Hello,
> >>>>>>>> can you check kerberos status of ipa-ods-exporter service in webUI?
> >>>>>>>> 
> >>>>>>>> identity/services/ipa-ods-exported/
> >>>>>>>> There should be kerberos status in right top corner in details view
> >>>>>>> 
> >>>>>>> I have an
> >>>>>>> identity/services/ipa-ods-exporter/..
> >>>>>>> 
> >>>>>>> with "Kerberos Key Present, Service Provisioned"
> >>>>>>> 
> >>>>>>> but no certificate?
> >>>>>> 
> >>>>>> Can you try,
> >>>>>> 
> >>>>>> # kinit -kt /etc/ip

[Freeipa-users] Kerberos FreeIPA Question

2016-07-03 Thread Günther J . Niederwimmer
Hello,

Is it possible to create a Kerberos ticket for a secondary domain?

CentOS 7.2 IPA 4.3.1
My installation:
I have an IPA server for

Domain
test.com

LDAP & Kerberos
TEST.COM

Now I'd like to include another domain
new.net

Is it possible to have a Kerberos ticket for this domain as well?

I found an example in a krb5.conf like this
[domain_realm]
.test.com = TEST.COM
.new.net = TEST.COM
...

Is this possible with FreeIPA?

Thanks for an answer
-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] webmaster permission

2016-07-01 Thread Günther J . Niederwimmer
Hello,

On Friday, 1 July 2016, 13:43:35 CEST, Petr Spacek wrote:
> On 1.7.2016 13:35, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > I am a newbie with IPA and have big problems ;-),
> > the "normal" installation is working nicely. :-))
> > 
> > But now I have a problem?
> > 
> > CentOS 7.2 IPA 4.3.1
> > 1 server (external) with virtual systems (KVM) installed.
> > DNS server, mail server, IPA server, web server..
> > 
> > Now we'd like to have our web system on this server.
> > 
> > What is the best way to allow an external webmaster to create or modify the
> > websites with Joomla, and have the security from IPA?
> > 
> > Has anyone a hint or link for this problem?
> 
> Hi,
> 
> it is strongly recommended to keep FreeIPA on a separate machine / VM and do
> not mix it with anything else. FreeIPA should be considered as security
> centre of your network and having additional applications under the same
> operating system instance is potentially opening doors to attackers.
> 
> My recommendation is to install a separate VM for FreeIPA and another
> separate VM for other applications.

Hello Petr, thanks for the answer. The install structure is a VM with FreeIPA 
and enrolled clients for (VM) mail server, http server, host.

So my problem is the webmaster permission: give only the web server and 
Joomla.

Thanks,
-- 
with kind regards / best regards,

  Günther J. Niederwimmer



[Freeipa-users] webmaster permission

2016-07-01 Thread Günther J . Niederwimmer
Hello,

I am a newbie with IPA and have big problems ;-),
the "normal" installation is working nicely. :-))

But now I have a problem?

CentOS 7.2 IPA 4.3.1
1 server (external) with virtual systems (KVM) installed.
DNS server, mail server, IPA server, web server..

Now we'd like to have our web system on this server.

What is the best way to allow an external webmaster to create or modify the 
websites with Joomla, and have the security from IPA?

Has anyone a hint or link for this problem?

Thanks for an answer,

-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Replace with 3rd part certificates

2016-06-27 Thread Günther J . Niederwimmer
Hello,

On Monday, 27 June 2016, 12:43:13 CEST, Bjarne Blichfeldt wrote:
> For the time being and as far as I can see until IPA 4.3.1, the procedure is
> messy and difficult. The following thread will be a big help:
> https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
> 
> I think I succeeded at last, but further tests remain.
> 
> 
> Regards,
> Bjarne

Thanks for the info

> 
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Andreas Ladanyi
> Sent: 27. juni 2016 13:49
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Replace with 3rd part certificates
> 
> Hi,
> 
> i try to replace the self signed certificate from the ipa installation with
> this description:
> 
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> 
> ipa-server-certinstall -w -d mysite.key mysite.crt
> 
> The tool asks for the private key unlock password. The private key was
> generated without a password. I tried to press only the enter key, but it
> doesn't help. So I am confused. The certificate and key file are in PEM
> format.
> 
> For testing I converted the private key with:
> 
> openssl rsa -in -out
> 
> because I want to know if openssl asks me for a password, but it doesn't.
> 
> My version number is FreeIPA 4.1.

My version is 4.3.1 ;-)

-- 
with kind regards / best regards,

  Günther J. Niederwimmer



[Freeipa-users] 3rd Party Certificate

2016-06-27 Thread Günther J . Niederwimmer
Hello professionals,

What is the minimum when I'd like to replace the private certificates?

Must I have a Class 2 wildcard certificate?

Do I have to reinstall IPA?

I think not? When I read everything correctly, this is working.

Has anyone hints for this scenario?

Thanks for an answer,
-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-06-23 Thread Günther J . Niederwimmer
Hello Martin,

On Thursday, 23 June 2016, 15:02:18 CEST, Martin Basti wrote:
> On 20.06.2016 18:48, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > On Monday, 20 June 2016, 09:54:11 CEST, Petr Spacek wrote:
> >> On 18.6.2016 15:03, Günther J. Niederwimmer wrote:
> >>> hello,
> >>> 
> >>> On Friday, 17 June 2016, 23:05:32 CEST, Martin Basti wrote:
> >>>> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
> >>>>> Hello,
> >>>>> 
> >>>>> On Friday, 17 June 2016, 14:13:55 CEST, Martin Basti wrote:
> >>>>>> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
> >>>>>>> Hello List,
> >>>>>>> 
> >>>>>>> On Friday, 17 June 2016, 07:51:45 CEST, Petr Spacek wrote:
> >>>>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
> >>>>>>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
> >>>>>>>>>> Hello
> >>>>>>>>>> 
> >>>>>>>>>> On my system the ods-exporter, I think, has a problem.
> >>>>>>>>>> 
> >>>>>>>>>> I have this in the logs
> >>>>>>>>>> CentOS 7.(2) ipa 4.3.1
> >>>>>>>>>> 
> >>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise
> >>>>>>>>>> errors.ACIError(info=info)
> >>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
> >>>>>>>>>> Insufficient
> >>>>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> >>>>>>>>>> failure.
> >>>>>>>>>> Minor code may provide more information (Ticket expired)
> >>>>>>>>>> 
> >>>>>>>>>  ^^
> >>>>>>>>>   
> >>>>>>>>>   Here seems to be a reason why it failed.
> >>>>>>>>>   But I can't help you more.
> >>>>>>>> 
> >>>>>>>> Lukas is right. Interesting, this should never happen :-)
> >>>>>>> 
> >>>>>>> This I have also found ;-)
> >>>>>>> 
> >>>>>>>> Please enable debugging using procedure
> >>>>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
> >>>>>>>> and check logs after next ipa-ods-exporter restart.
> >>>>>>>> Thank you!
> >>>>>>> 
> >>>>>>> OK,
> >>>>>>> 
> >>>>>>> I attach the messages log?
> >>>>>>> 
> >>>>>>> I think this is a problem with my DNS?
> >>>>>> 
> >>>>>> Hello,
> >>>>>> can you check kerberos status of ipa-ods-exporter service in webUI?
> >>>>>> 
> >>>>>> identity/services/ipa-ods-exported/
> >>>>>> There should be kerberos status in right top corner in details view
> >>>>> 
> >>>>> I have an
> >>>>> identity/services/ipa-ods-exporter/..
> >>>>> 
> >>>>> with "Kerberos Key Present, Service Provisioned"
> >>>>> 
> >>>>> but no certificate?
> >>>> 
> >>>> Can you try,
> >>>> 
> >>>> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab
> >>>> ipa-ods-exporter/$(hostname)
> >>> 
> >>> OK
> >>> I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-
> >>> exporter/$(hostname)"
> >>> 
> >>> written on one line!! is this OK.
> >>> 
> >>>> and do ldapsearch
> >>>> # ldapsearch -Y GSSAPI
> >>> 
> >>> and also ldapsearch is OK
> >>> 
> >>>> It should show us if keytab is okay
> >>> 
> >>> But the Error is present :-(.
> >> 
> >> 

[Freeipa-users] new Webserver with Virtualhost (Certificates)

2016-06-23 Thread Günther J . Niederwimmer
Hello,

I have been searching a long time for the correct installation of a webserver with 
FreeIPA.

I'd like to create a webserver for three "DOMAINS" with virtual hosts like

www..bbb
www..ccc
www.cc.ddd

Is there a way to include the domains in krb5 on the FreeIPA server?

The second problem: I think I have read that it is possible to add a 'subject 
alternative name' to a certificate like HTTP/www.aaa.bbb

but I can't find this again. :-)

Can anyone help? Thanks.
-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-06-20 Thread Günther J . Niederwimmer
Hello,

On Monday, 20 June 2016, 09:54:11 CEST, Petr Spacek wrote:
> On 18.6.2016 15:03, Günther J. Niederwimmer wrote:
> > hello,
> > 
> > On Friday, 17 June 2016, 23:05:32 CEST, Martin Basti wrote:
> >> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
> >>> Hello,
> >>> 
> >>> On Friday, 17 June 2016, 14:13:55 CEST, Martin Basti wrote:
> >>>> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
> >>>>> Hello List,
> >>>>> 
> >>>>> On Friday, 17 June 2016, 07:51:45 CEST, Petr Spacek wrote:
> >>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
> >>>>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
> >>>>>>>> Hello
> >>>>>>>> 
> >>>>>>>> On my system the ods-exporter, I think, has a problem.
> >>>>>>>> 
> >>>>>>>> I have this in the logs
> >>>>>>>> CentOS 7.(2) ipa 4.3.1
> >>>>>>>> 
> >>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise
> >>>>>>>> errors.ACIError(info=info)
> >>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
> >>>>>>>> Insufficient
> >>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> >>>>>>>> failure.
> >>>>>>>> Minor code may provide more information (Ticket expired)
> >>>>>>>> 
> >>>>>>> ^^
> >>>>>>>  
> >>>>>>>  Here seems to be a reason why it failed.
> >>>>>>>  But I can't help you more.
> >>>>>> 
> >>>>>> Lukas is right. Interesting, this should never happen :-)
> >>>>> 
> >>>>> This I have also found ;-)
> >>>>> 
> >>>>>> Please enable debugging using procedure
> >>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
> >>>>>> and check logs after next ipa-ods-exporter restart.
> >>>>>> Thank you!
> >>>>> 
> >>>>> OK,
> >>>>> 
> >>>>> I attach the messages log?
> >>>>> 
> >>>>> I think this is a problem with my DNS?
> >>>> 
> >>>> Hello,
> >>>> can you check kerberos status of ipa-ods-exporter service in webUI?
> >>>> 
> >>>> identity/services/ipa-ods-exported/
> >>>> There should be kerberos status in right top corner in details view
> >>> 
> >>> I have an
> >>> identity/services/ipa-ods-exporter/..
> >>> 
> >>> with "Kerberos Key Present, Service Provisioned"
> >>> 
> >>> but no certificate?
> >> 
> >> Can you try,
> >> 
> >> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab
> >> ipa-ods-exporter/$(hostname)
> > 
> > OK
> > I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-
> > exporter/$(hostname)"
> > 
> > written on one line!! is this OK.
> > 
> >> and do ldapsearch
> >> # ldapsearch -Y GSSAPI
> > 
> > and also ldapsearch is OK
> > 
> >> It should show us if keytab is okay
> > 
> > But the Error is present :-(.
> 
> We need to see precise error. Please copy it into the e-mail.

That is it.

Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 
0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 
0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: Mounting 
ipaserver.rpcserver.login_password() at '/session/login_password'
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 
0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: Mounting 
ipaserver.rpcserver.xmlserver() at '/xml'
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 
0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: Mounting 
ipaserver.rpcserver.jsonserver_session() at '/session/json'
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 
0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: Moun

Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-06-19 Thread Günther J . Niederwimmer
Hello Rob,

On Wednesday, 1 June 2016, 09:54:58 CEST, Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
> >> Günther J. Niederwimmer wrote:
> >>> Hello
> >>> I found some help for the IPA certificate but I found no way to import
> >>> the IPA CA?
> >>> I'd like to create a webserver with an owncloud virtual host and others..
> >>> 
> >>> But it is not possible for me to create the /etc/httpd/alias correctly?
> >>> 
> >>> I found this in the IPA docs
> >>> 
> >>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
> >>> 
> >>> but with this command line I get an error: /etc/ipa/ca.crt has the wrong
> >>> format?
> >>> 
> >>> Has anyone a link with a working example?
> >> 
> >> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
> >> clients so the documentation is written from that perspective.
> > 
> > Yes.
> > 
> >> You can grab a copy from any enrolled system, including an IPA Master.
> >> Otherwise the command looks ok assuming you were sitting in
> >> /etc/httpd/alias when the command was executed (-d .).
> > 
> > Yes ;-).
> > but certutil says it is a wrong format of the certificate
> 
> $ mkdir /tmp/testdb && cd /tmp/testdb
> $ certutil -N -d .
> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt

On my system I have this message after installing ca.crt

p11-kit: objects of this type cannot be created ?
Is this correct?

Another question: do I have to change the attribute (?), IPA-server creates / 
IMPORTs this ca.crt with -t "CT,C,C"

> $ certutil -L -d .
> 
> Certificate Nickname                        Trust Attributes
>                                             SSL,S/MIME,JAR/XPI
> 
> EXAMPLE.COM IPA CA                          CT,,
> 
> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
> can use openssl for that:
> 
> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
> 
> > Something is wrong on my system!!
> > 
> > For me it is not possible to have a working webserver (apache) with mod_NSS
> > on an enrolled ipa-client.
> > 
> > The last tests: apache says it is the wrong "passwd" for the DB and doesn't
> > start?
> > 
> > So now I start again with a new clean /etc/httpd/alias
> 
> Not knowing how you created the database or what your nss.conf looks
> like it's hard to say what is going on. If you set a NSS database
> password then you need to tell mod_nss about it.
> 
> Typically you'd set this in nss.conf:
> 
> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
> 
> and create /etc/httpd/conf/password.conf with contents like:
> 
> internal:SecretPassword123
> 
> Ensure that the file is owned by apache:apache and mode 0400.

This is the best INFO for this file ;-)

Thanks

-- 
with kind regards / best regards,

  Günther J. Niederwimmer

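Rob's requirements for the mod_nss password file (owned by apache:apache, mode 0400, one `token:password` line such as `internal:...`) are worth verifying before the next httpd restart, because a wrong mode or a malformed line shows up only as the "wrong passwd for the DB" start-up failure described earlier in this thread. The function below is an added example, not Rob's or the FreeIPA project's code: it takes the expected owner and group as parameters so it can be tried on any file (pass `apache apache` on a real web server), and it assumes GNU coreutils `stat` as found on CentOS.

```shell
#!/bin/sh
# Added example: verify the file named by
#   NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
# Assumes GNU stat (-c format), i.e. a Linux host.

# check_nss_passfile FILE OWNER GROUP
# Returns 0 when FILE is a regular file owned by OWNER:GROUP with mode 0400
# and every non-blank line has the form <token>:<password>; otherwise prints
# the first problem found to stderr and returns 1.
check_nss_passfile() {
    file=$1; want_owner=$2; want_group=$3
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }

    # mode (octal), owner and group in one call; set -- keeps it POSIX sh
    set -- $(stat -c '%a %U %G' "$file")
    [ "$1" = "400" ] \
        || { echo "$file: mode $1, expected 400" >&2; return 1; }
    [ "$2" = "$want_owner" ] \
        || { echo "$file: owner $2, expected $want_owner" >&2; return 1; }
    [ "$3" = "$want_group" ] \
        || { echo "$file: group $3, expected $want_group" >&2; return 1; }

    # mod_nss matches the part before the first colon against the token name
    # ("internal" for the software token); whitespace or a missing colon is
    # almost certainly a typo, so reject it here rather than at httpd start.
    awk 'NF && $0 !~ /^[^:[:space:]]+:[^[:space:]]+$/ { bad = 1 }
         END { exit bad }' "$file" \
        || { echo "$file: malformed line, expected token:password" >&2; return 1; }
}
```

A typical call on the web server is `check_nss_passfile /etc/httpd/conf/password.conf apache apache`; the test below exercises it on a constructed temporary file owned by the current user.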


Re: [Freeipa-users] LDAP "mail" from User

2016-06-18 Thread Günther J . Niederwimmer
Hello,

On Wednesday, 15 June 2016, 01:17:02 CEST, Peter Fern wrote:
> I wrote a plugin a long time ago for this, just put it on Github for you:
> 
> https://github.com/pdf/freeipa-user-mailalternateaddress
> 
> This adds support for the mailAlternateAddress (AKA alias) schema to the
> GUI/CLI.
> 
> On 14/06/16 23:27, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > Is there a way to differentiate the mail addresses of a user?
> > 
> > I set up a user with 3 mail addresses in the IPA UI
> > 
> > User: Peter
> > 
> > pe...@xxx.net
> > pe...@.com
> > pe...@.bbb
> > 
> > For me, I can't find a way to set this up correctly in a dovecot way?
> > 
> > I mean I must have an "aliases" field in LDAP?
> > 
> > I am not an LDAP pro ;-), but why can I insert more email addresses when I
> > can't find them later?
> > 
> > Has anyone an answer for my problem?
> > 
> > Thanks

Thanks for your work; I hope this works with FreeIPA 4.3.1 on my system 
;-).

Now I have to install it ..

-- 
with kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-06-18 Thread Günther J . Niederwimmer
hello,

On Friday, 17 June 2016, 23:05:32 CEST, Martin Basti wrote:
> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > On Friday, 17 June 2016, 14:13:55 CEST, Martin Basti wrote:
> >> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
> >>> Hello List,
> >>> 
> >>> On Friday, 17 June 2016, 07:51:45 CEST, Petr Spacek wrote:
> >>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
> >>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
> >>>>>> Hello
> >>>>>> 
> >>>>>> on my system the ods-exporter, I mean, has a problem.
> >>>>>> 
> >>>>>> I have this in the logs
> >>>>>> CentOS 7.(2) ipa 4.3.1
> >>>>>> 
> >>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise
> >>>>>> errors.ACIError(info=info)
> >>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
> >>>>>> Insufficient
> >>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> >>>>>> failure.
> >>>>>> Minor code may provide more information (Ticket expired)
> >>>>>> 
> >>>>> ^^
> >>>>>  
> >>>>>  Here seems to be a reason why it failed.
> >>>>>  But I can't help you more.
> >>>> 
> >>>> Lukas is right. Interesting, this should never happen :-)
> >>> 
> >>> this have I also found ;-)
> >>> 
> >>>> Please enable debugging using procedure
> >>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
> >>>> and check logs after next ipa-ods-exporter restart.
> >>>> Thank you!
> >>> 
> >>> OK,
> >>> 
> >>> I attach the messages log?
> >>> 
> >>> I mean this is a problem with my DNS ?
> >> 
> >> Hello,
> >> can you check kerberos status of ipa-ods-exporter service in webUI?
> >> 
> >> identity/services/ipa-ods-exported/
> >> There should be kerberos status in right top corner in details view
> > 
> > I have a
> > identity/services/ipa-ods-exporter/..
> > 
> > with a "Kerberos Key Present, Service Provisioned"
> > 
> > but no Certificate ?
> 
> Can you try,
> 
> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab
> ipa-ods-exporter/$(hostname)

OK
I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/$(hostname)"

written on one line!! Is this OK?

 
> and do ldapsearch
> # ldapsearch -Y GSSAPI

and also ldapsearch is OK

> It should show us if keytab is okay

But the Error is present :-(.
 
> Certificate is not needed.
OK

Thanks for the Help.
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-06-17 Thread Günther J . Niederwimmer
Hello,

On Friday, 17 June 2016, 14:13:55 CEST, Martin Basti wrote:
> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
> > Hello List,
> > 
> > On Friday, 17 June 2016, 07:51:45 CEST, Petr Spacek wrote:
> >> On 16.6.2016 21:51, Lukas Slebodnik wrote:
> >>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
> >>>> Hello
> >>>> 
> >>>> on my system the ods-exporter, I mean, has a problem.
> >>>> 
> >>>> I have this in the logs
> >>>> CentOS 7.(2) ipa 4.3.1
> >>>> 
> >>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
> >>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
> >>>> Insufficient
> >>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> >>>> failure.
> >>>> Minor code may provide more information (Ticket expired)
> >>>> 
> >>>^^
> >>> 
> >>> Here seems to be a reason why it failed.
> >>> But I can't help you more.
> >> 
> >> Lukas is right. Interesting, this should never happen :-)
> > 
> > this have I also found ;-)
> > 
> >> Please enable debugging using procedure
> >> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
> >> and check logs after next ipa-ods-exporter restart.
> >> Thank you!
> > 
> > OK,
> > 
> > I attach the messages log?
> > 
> > I mean this is a problem with my DNS ?
> 
> Hello,
> can you check kerberos status of ipa-ods-exporter service in webUI?
> 
> identity/services/ipa-ods-exported/
> There should be kerberos status in right top corner in details view
> 

I have a
identity/services/ipa-ods-exporter/..

with a "Kerberos Key Present, Service Provisioned"

but no Certificate ?



-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] ipa-ods-exporter failed ?

2016-06-16 Thread Günther J . Niederwimmer
Hello

on my system the ods-exporter, I mean, has a problem.

I have this in the logs
CentOS 7.(2) ipa 4.3.1

Jun 16 11:37:25 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 16 11:37:25 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 16 11:37:25 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 16 11:37:25 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 16 11:37:26 ipa python2: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
Jun 16 11:37:26 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in 
Jun 16 11:37:26 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 16 11:37:26 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 16 11:37:26 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 16 11:37:26 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 16 11:37:26 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
Jun 16 11:37:26 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 16 11:37:26 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 16 11:37:26 ipa systemd: ipa-ods-exporter.service failed.
Jun 16 11:38:26 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 16 11:38:26 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 16 11:38:26 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 16 11:38:27 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 16 11:38:28 ipa python2: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
Jun 16 11:38:28 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in 
Jun 16 11:38:28 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 16 11:38:28 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 16 11:38:28 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 16 11:38:28 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
Jun 16 11:38:28 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 16 11:38:28 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 16 11:38:28 ipa systemd: ipa-ods-exporter.service failed.

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer

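The journal excerpt in this post is a restart loop: systemd restarts the unit, the GSSAPI bind to LDAP fails with "Ticket expired", and the unit exits with 1/FAILURE, once a minute. As an added example (my code, not part of the post or of FreeIPA), this Python summarises such a log: it counts scheduled restarts and failed exits, tallies the GSSAPI minor-code text, and maps the "expired ticket plus ACIError" pattern to the keytab check Martin Basti proposes in his reply (`kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/$(hostname)` followed by `ldapsearch -Y GSSAPI`). The sample lines are constructed from the ones in the post with each wrapped line re-joined; only the lines the triage looks at are kept.

```python
import re
from collections import Counter

SERVICE = "ipa-ods-exporter.service"

# Sample journal lines, constructed from the post above (wrapped lines re-joined).
SAMPLE_LOG = """\
Jun 16 11:37:25 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 16 11:37:25 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 16 11:37:26 ipa python2: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
Jun 16 11:37:26 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
Jun 16 11:37:26 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 16 11:37:26 ipa systemd: ipa-ods-exporter.service failed.
Jun 16 11:38:26 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 16 11:38:26 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 16 11:38:28 ipa python2: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
Jun 16 11:38:28 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 16 11:38:28 ipa systemd: ipa-ods-exporter.service failed.
"""

_RESTART_RE = re.compile(re.escape(SERVICE) + r" holdoff time over, scheduling restart")
_EXIT_RE = re.compile(re.escape(SERVICE) + r": main process exited, code=exited, status=(\S+)")
_GSS_MINOR_RE = re.compile(r"GSSAPI Error: .*?Minor code may provide more information \(([^)]*)\)")
_BIND_ERROR_RE = re.compile(r"ipalib\.errors\.ACIError: (.*)")


def triage(log_text):
    """Summarise a journal excerpt for SERVICE: restart count, exit statuses,
    GSSAPI minor-code texts and LDAP bind (ACIError) failures."""
    summary = {"restarts": 0, "exit_statuses": [], "gss_minor": Counter(), "bind_errors": 0}
    for line in log_text.splitlines():
        if _RESTART_RE.search(line):
            summary["restarts"] += 1
        m = _EXIT_RE.search(line)
        if m:
            summary["exit_statuses"].append(m.group(1))
        if _BIND_ERROR_RE.search(line):
            # the ACIError line repeats the GSS text; count it as a bind error only
            summary["bind_errors"] += 1
        else:
            m = _GSS_MINOR_RE.search(line)
            if m:
                summary["gss_minor"][m.group(1)] += 1
    summary["gss_minor"] = dict(summary["gss_minor"])
    return summary


def diagnose(summary):
    """Turn the summary into the next step a practitioner would take."""
    failed_exits = summary["exit_statuses"].count("1/FAILURE")
    if summary["bind_errors"] and summary["gss_minor"].get("Ticket expired"):
        return ("crash loop: GSSAPI bind to LDAP fails with an expired ticket on every start; "
                "verify the service keytab with "
                "'kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/$(hostname)' "
                "and then 'ldapsearch -Y GSSAPI', as suggested in the thread")
    if summary["restarts"] > 1 and failed_exits:
        return "crash loop with a non-GSSAPI cause: read the traceback lines"
    return "no crash loop detected"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    print(diagnose(result))
```

Feeding it a real excerpt is `triage(open("/var/log/messages").read())` or the output of `journalctl -u ipa-ods-exporter`; the regexes key on the service name only, so a different unit in the same loop just changes `SERVICE`.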


[Freeipa-users] LDAP "mail" from User

2016-06-14 Thread Günther J . Niederwimmer
Hello,

Is there a way to distinguish the Mail addresses of a user.

I setup a User with 3 Mail addresses in IPA UI

User: Peter

pe...@xxx.net
pe...@.com
pe...@.bbb

for me, I can't find a way to set this up correctly in a dovecot way?

I mean I must have an "aliases" field in Ldap ?

I am not a Ldap Profi ;-), but why can I insert more EMail addresses when I 
can't find this later.

Has anyone an answer for my problem,

Thanks
 
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] DNSSEC A, AAAA Records

2016-06-10 Thread Günther J . Niederwimmer
On Friday, 10 June 2016, 18:01:32 CEST, Martin Basti wrote:
> On 10.06.2016 17:33, Günther J. Niederwimmer wrote:
> > On Friday, 10 June 2016, 15:26:39 CEST, Petr Spacek wrote:
> >> On 10.6.2016 14:21, Günther J. Niederwimmer wrote:
> >>> Hello,
> >>> 
> >>> On Friday, 10 June 2016, 10:12:50 CEST, Martin Basti wrote:
> >>>> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
> >>>>> Hello,
> >>>>> 
> >>>>> can any help me to clear a question for DNSSEC, NSEC3
> >>>>> 
> >>>>> I have a domain created with bind and DNSSEC and NSEC3 I test this
> >>>>> Domain
> >>>>> and other, not my Domain with
> >>>>> 
> >>>>> http://dnsviz.net/d/esslmaier.at/dnssec/
> >>>>> 
> >>>>> This site from Verisign tell me, I have all Secure and also the A,
> >>>>> 
> >>>>> Records
> >>>>> 
> >>>>> FreeIPA 4.3.1 Centos 7.2
> >>> 
> >>> I mean with the FreeIPA 4.2 I have A or  Records but one from the
> >>> list
> >>> tell me 4.3.1 is the better version for DNSSEC ?
> >>> 
> >>>>> But when I test my IPA created domain
> >>>>> http://dnsviz.net/d/4gjn.com/dnssec/
> >>>>> 
> >>>>> I miss the A,  Records
> >>>>> 
> >>>>> can this be correct ?
> >>>>> 
> >>>>> Thanks for a answer
> >>>> 
> >>>> Hello,
> >>>> do you have configured A and  records in zone apex of '4gjn.com'?
> >>> 
> >>> Yes I have configured A  Records, but something is wrong with the
> >>> Zone
> >>> File ? when I look on my secondary DNS this is a PDNS then I found total
> >>> different entry for esslmaier.at and my 4gjn.com.
> >>> 
> >>>> I can `dig +dnssec ipa.4gjn.com. A`  with DNSSEC results but for `dig
> >>>> +dnssec 4gjn.com. A` , it looks like there is no A/ records.
> >>> 
> >>> Yes I wrote this before but I have no answer, what I can do :-(.
> >>> 
> >>>> Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?
> >>> 
> >>> this is all !!!
> >>> 
> >>> [root@ipa ~]# ipa dnsrecord-show 4gjn.com. @
> >>> 
> >>>Datensatzname: @
> >>>MX record: 10 smtp.4gjn.com.
> >>>   NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net., ns1.gratisdns.dk.
> >>>   TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223 ip6:2001:470:6f:8f1::/64 ?include:gjn.priv.at -all"
> >>>   
> >>>   ipa dnsrecord-show 4gjn.com. 
> >>> 
> >>> ipa: ERROR: : DNS resource record nicht gefunden
> >>> 
> >>> Is this a LDAP Problem ?
> >> 
> >> Apparently you do not have any A/ records defined in IPA. Add some
> >> and
> >> you will see :-)
> > 
> > NO ;-(  I have configured all my servers with A and  Records ?
> 
> But your server name is not '4gjn.com', but 'ipa.4gjn.com'. The second
> one contains A/ records.
> 
> 4gjn.com AFAIK is your IPA domain, so it should not contain A/
> records by default, unless you manually added them there.
When I run an ipa dnsrecord-show

I miss the RRSIG Record ?

ipa dnsrecord-show
Datensatzname: ipa
Zonenname: 4gjn.com
  Datensatzname: ipa
  A record: 89.26.XXX.6
   record: 2001:470:6f:XXX::204
  SSHFP record: 1 1 96CEB1FC971F7916A37D7327DEBD97FAE0B19CDE, 3 2 59ED122BF99D4B149A17B159EF18A277DC0001BE66C14BBDDBF108FB05763604, 1 2 537DEA114D6232F6698D3B8B940091AE8AE159146764B073B8B777558E8789A0, 3 1 02614298C6F2CCF1F2F9BF8FA8A3267589E1FE1B



> >> Speaking of IPA versions, yes, latest IPA 4.3.2 is the best you can get
> >> for
> >> DNSSEC. There are many bugs in older versions.
> > 
> > I have IPA 4.3.1, I mean you tell me this about the Bugs, but I can't find
> > 4.3.2
> > 
> > I have this Repo
> > 
> > group_freeipa-freeipa-4-3-centos-7-epel-7.repo





Re: [Freeipa-users] DNSSEC A, AAAA Records

2016-06-10 Thread Günther J . Niederwimmer
On Friday, 10 June 2016, 15:26:39 CEST, Petr Spacek wrote:
> On 10.6.2016 14:21, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > On Friday, 10 June 2016, 10:12:50 CEST, Martin Basti wrote:
> >> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
> >>> Hello,
> >>> 
> >>> can any help me to clear a question for DNSSEC, NSEC3
> >>> 
> >>> I have a domain created with bind and DNSSEC and NSEC3 I test this
> >>> Domain
> >>> and other, not my Domain with
> >>> 
> >>> http://dnsviz.net/d/esslmaier.at/dnssec/
> >>> 
> >>> This site from Verisign tell me, I have all Secure and also the A, 
> >>> Records
> >>> 
> >>> FreeIPA 4.3.1 Centos 7.2
> > 
> > I mean with the FreeIPA 4.2 I have A or  Records but one from the list
> > tell me 4.3.1 is the better version for DNSSEC ?
> > 
> >>> But when I test my IPA created domain
> >>> http://dnsviz.net/d/4gjn.com/dnssec/
> >>> 
> >>> I miss the A,  Records
> >>> 
> >>> can this be correct ?
> >>> 
> >>> Thanks for a answer
> >> 
> >> Hello,
> >> do you have configured A and  records in zone apex of '4gjn.com'?
> > 
> > Yes I have configured A  Records, but something is wrong with the Zone
> > File ? when I look on my secondary DNS this is a PDNS then I found total
> > different entry for esslmaier.at and my 4gjn.com.
> > 
> >> I can `dig +dnssec ipa.4gjn.com. A`  with DNSSEC results but for `dig
> >> +dnssec 4gjn.com. A` , it looks like there is no A/ records.
> > 
> > Yes I wrote this before but I have no answer, what I can do :-(.
> > 
> >> Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?
> > 
> > this is all !!!
> > 
> > [root@ipa ~]# ipa dnsrecord-show 4gjn.com. @
> > 
> >   Datensatzname: @
> >   MX record: 10 smtp.4gjn.com.
> >   NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net., ns1.gratisdns.dk.
> >   TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223 ip6:2001:470:6f:8f1::/64 ?include:gjn.priv.at -all"
> >  
> >  ipa dnsrecord-show 4gjn.com. 
> > 
> > ipa: ERROR: : DNS resource record nicht gefunden
> > 
> > Is this a LDAP Problem ?
> 
> Apparently you do not have any A/ records defined in IPA. Add some and
> you will see :-)

NO ;-(  I have configured all my servers with A and  Records ?
 
> Speaking of IPA versions, yes, latest IPA 4.3.2 is the best you can get for
> DNSSEC. There are many bugs in older versions.
I have IPA 4.3.1, I mean you tell me this about the Bugs, but I can't find 
4.3.2

I have this Repo

group_freeipa-freeipa-4-3-centos-7-epel-7.repo
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] DNSSEC A, AAAA Records

2016-06-10 Thread Günther J . Niederwimmer
Hello,

On Friday, 10 June 2016, 10:12:50 CEST, Martin Basti wrote:
> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > can any help me to clear a question for DNSSEC, NSEC3
> > 
> > I have a domain created with bind and DNSSEC and NSEC3 I test this Domain
> > and other, not my Domain with
> > 
> > http://dnsviz.net/d/esslmaier.at/dnssec/
> > 
> > This site from Verisign tell me, I have all Secure and also the A, 
> > Records
> > 
> > FreeIPA 4.3.1 Centos 7.2

I mean with FreeIPA 4.2 I have A or  Records, but one from the list 
tells me 4.3.1 is the better version for DNSSEC ? 
 
> > But when I test my IPA created domain
> > http://dnsviz.net/d/4gjn.com/dnssec/
> > 
> > I miss the A,  Records
> > 
> > can this be correct ?
> > 
> > Thanks for a answer
> 
> Hello,
> do you have configured A and  records in zone apex of '4gjn.com'?

Yes I have configured A  Records, but something is wrong with the Zone File 
? When I look on my secondary DNS (this is a PDNS) I find totally different 
entries for esslmaier.at and my 4gjn.com.

 
> I can `dig +dnssec ipa.4gjn.com. A`  with DNSSEC results but for `dig
> +dnssec 4gjn.com. A` , it looks like there is no A/ records.
Yes I wrote this before but I have no answer, what I can do :-(.
 
> Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?

this is all !!!

[root@ipa ~]# ipa dnsrecord-show 4gjn.com. @
  Datensatzname: @
  MX record: 10 smtp.4gjn.com.
  NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net., ns1.gratisdns.dk.
  TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223 ip6:2001:470:6f:8f1::/64 ?include:gjn.priv.at -all"

 ipa dnsrecord-show 4gjn.com. 
ipa: ERROR: : DNS resource record nicht gefunden

Is this a LDAP Problem ?

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] DNSSEC A, AAAA Records

2016-06-10 Thread Günther J . Niederwimmer
Hello,

can anyone help me to clear up a question about DNSSEC, NSEC3

I have a domain created with bind and DNSSEC and NSEC3. I test this Domain and 
another one, not my Domain, with

http://dnsviz.net/d/esslmaier.at/dnssec/

This site from Verisign tells me I have all Secure and also the A,  
Records

FreeIPA 4.3.1 Centos 7.2

But when I test my IPA created domain
http://dnsviz.net/d/4gjn.com/dnssec/

I miss the A,  Records

can this be correct ?

Thanks for an answer
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] DNSSEC DANE TLSA

2016-06-06 Thread Günther J . Niederwimmer
Hello,

is it possible to make a DANE entry in IPA DNS with a FreeIPA Certificate ?

Thanks for an answer,
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-06-01 Thread Günther J . Niederwimmer
Hello,

On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
> > Hello
> > I found any Help for the IPA Certificate but I found no way to import the
> > IPA CA ?
> > I like to create a webserver with a owncloud virtualhost and other..
> > 
> > But it is for me not possible to create the /etc/httpd/alias correct ?
> > 
> > I found this in IPA DOCS
> > 
> > certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
> > 
> > but with this command line I have a Error /etc/ipa/ca.crt have wrong
> > format ?
> > 
> > Have any a link with a working example
> 
> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
> clients so the documentation is written from that perspective.
Yes.
 
> You can grab a copy from any enrolled system, including an IPA Master.
> Otherwise the command looks ok assuming you were sitting in
> /etc/httpd/alias when the command was executed (-d .).

Yes ;-).
but certutil says it is a wrong format for the Certificate

Something is wrong on my system !!

for me it is not possible to have a working webserver (apache) with mod_NSS 
on an enrolled ipa-client

The last tests: apache says it is the wrong "passwd" for the DB and doesn't 
start?

So now I start again with a new clean /etc/httpd/alias

:-(.
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-05-29 Thread Günther J . Niederwimmer
Hello
I found some Help for the IPA Certificate but I found no way to import the IPA 
CA ?
I would like to create a webserver with an owncloud virtualhost and others..

But it is for me not possible to create the /etc/httpd/alias correctly ?

I found this in the IPA DOCS
 
certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt

but with this command line I get an Error: /etc/ipa/ca.crt has the wrong format ?

Has anyone a link with a working example

Thanks,
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] mod_nss FreeIPA

2016-05-26 Thread Günther J . Niederwimmer
Hello Alexander,

Thanks for the links, I hope it is possible for me to install it correctly ?

The next question is, is it possible to integrate this in an owncloud 
installation ?

This is the Background, to create this webserver for owncloud and with users 
from IPA ?

A hard way . ;-).

On Thursday, 26 May 2016, 10:01:41 CEST, Alexander Bokovoy wrote:
> On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
> >Hello Alexander,
> >
> >On Thursday, 26 May 2016, 09:41:38 CEST, Alexander Bokovoy wrote:
> >> On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
> >> >Hello,
> >> >
> >> >can any help to find the correct way to configure a Webserver with IPA.
> >> >(mod_nss)
> >> >
> >> >I can't create a correct DB in /etc/httpd/alias
> >> >
> >> >I search on the INet and read the install Log from ipa-server but it is
> >> >for
> >> >me not possible to found a working way :-(.
> >> 
> >> So you want to set up a web server on an IPA client and have this web
> >> server to use mod_nss with certificates from IPA CA?
> >
> >YES YES.. ;-)
> >
> >You have 100 Points . ;-)
> 
> You have two options: mod_ssl and mod_nss.
> For mod_ssl we have it documented:
> http://www.freeipa.org/page/Apache_SNI_With_Kerberos
> 
> For mod_nss it is mostly the same except that mod_nss brings working nss
> configuration in the rpm package already and all you need is to
> initialize NSS database in /etc/httpd/alias.
> 
> Use instructions to setup SSL from
> http://www.freeipa.org/page/Setting_up_MediaWiki_to_run_against_FreeIPA
> 
> while the page above contains full MediaWiki setup, the MediaWiki part
> is isolated and the rest is basically the same for any mod_nss based web
> server.

Thanks for the help,
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] mod_nss FreeIPA

2016-05-26 Thread Günther J . Niederwimmer
Hello Alexander,

On Thursday, 26 May 2016, 09:41:38 CEST, Alexander Bokovoy wrote:
> On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
> >Hello,
> >
> >can any help to find the correct way to configure a Webserver with IPA.
> >(mod_nss)
> >
> >I can't create a correct DB in /etc/httpd/alias
> >
> >I search on the INet and read the install Log from ipa-server but it is for
> >me not possible to found a working way :-(.
> 
> So you want to set up a web server on an IPA client and have this web
> server to use mod_nss with certificates from IPA CA?

YES YES.. ;-)

You have 100 Points . ;-)

Thanks
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] mod_nss FreeIPA

2016-05-26 Thread Günther J . Niederwimmer
Hello David,

On Thursday, 26 May 2016, 08:09:17 CEST, David Kupka wrote:
> On 26/05/16 07:42, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > can any help to find the correct way to configure a Webserver with IPA.
> > (mod_nss)
> > 
> > I can't create a correct DB in /etc/httpd/alias
> > 
> > I search on the INet and read the install Log from ipa-server but it is
> > for me not possible to found a working way :-(.
> > 
> > Thanks for a answer ?
> 
> Hello Günther,
> 
> I'm not sure if I understand your question. What I take from you message is:
> 
> I want a IPA webserver with NSSDB in /etc/httpd/alias.

;-) No and Yes.

I want a new WEBSERVER on an ipa-client with an IPA Certificate ?

Afterwards I would like to create a "DANE" Entry from this Certificate for this 
webserver ?

But I fail with the first configuration
 
> The answer then is:
> 
> ipa-server-install creates that DB for apache and populates it with
> certificates. So there is nothing to do.

Yes, and I can't find the way IPA creates this ...
 
>  From one of my test servers:
> 
> # certutil -d /etc/httpd/alias/ -L
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> EXAMPLE.TEST IPA CA                                          CT,C,C
> Signing-Cert                                                 u,u,u
> 
> 
> If this is not what you was asking please try to explain what you want
> to achieve with more details.

Thanks David for the answer,

I have on the Master also

Signing-Cert u,u,u
ipaCert  u,u,u
Server-Cert  u,u,u
.XXX CA  CT,C,C

and on the replica this,

Server-Cert  u,u,u
.XXX IPA CA  CT,C,C
ipaCert          u,u,u

I mean I must have an NSSDB like this one from the replica, on my Webserver ? 

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer

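An added example (mine, not from the thread or from FreeIPA) that turns the `certutil -L` listing David pasted into a check: it parses the nickname and trust-flag columns, then verifies that a server certificate with a private key (`u` in the SSL column) and a `<REALM> IPA CA` trusted as an SSL CA (`C`, which is what `-t CT,,` grants) are both present. The two listings are constructed; the first mirrors David's, the second is deliberately incomplete. Treating `ipaCert` and `Signing-Cert` as IPA-server-only and not needed on a plain web server is my assumption, not something the thread states.

```python
import re

# Constructed `certutil -d /etc/httpd/alias/ -L` listings.  The first mirrors
# the one David pasted in the thread; the second is a deliberately incomplete DB.
MASTER_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
Signing-Cert                                                 u,u,u
"""

INCOMPLETE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          ,,
"""

# nickname (may contain spaces), whitespace, then the three comma-separated
# trust-flag fields for SSL, S/MIME and JAR/XPI (any field may be empty)
_ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[pPcCTu]*,[pPcCTu]*,[pPcCTu]*)$")


def parse_certutil_list(text):
    """Map nickname -> (ssl_flags, smime_flags, jar_flags) from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line.rstrip())
        if m:  # header, blank and legend lines do not match the trust pattern
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def audit_mod_nss_db(certs, server_nick="Server-Cert", ca_suffix=" IPA CA"):
    """Findings for a mod_nss database; an empty list means it can serve TLS
    with a server certificate whose chain ends in the IPA CA.

    Assumption: a client web server only needs these two entries; ipaCert and
    Signing-Cert from the IPA server's own database are not required."""
    findings = []
    if server_nick not in certs:
        findings.append(f"no {server_nick!r} certificate in the database")
    elif "u" not in certs[server_nick][0]:
        findings.append(f"{server_nick!r} has no private key (SSL flags {certs[server_nick][0]!r})")
    cas = [nick for nick in certs if nick.endswith(ca_suffix)]
    if not cas:
        findings.append("no '<REALM> IPA CA' certificate; import /etc/ipa/ca.crt with "
                        "certutil -A -d /etc/httpd/alias -n '<REALM> IPA CA' -t CT,, -a")
    for nick in cas:
        if "C" not in certs[nick][0]:
            findings.append(f"{nick!r} is present but not trusted as an SSL CA "
                            f"(flags {certs[nick][0]!r}); expected CT,,")
    return findings


if __name__ == "__main__":
    for label, listing in (("master", MASTER_LISTING), ("incomplete", INCOMPLETE_LISTING)):
        print(label, audit_mod_nss_db(parse_certutil_list(listing)) or "OK")
```

On a real client the input is `subprocess.run(["certutil", "-d", "/etc/httpd/alias", "-L"], capture_output=True, text=True).stdout`; the replica listing Günther shows (Server-Cert, IPA CA, ipaCert) passes the same check.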


[Freeipa-users] DNSSEC Problem with Ipa-server (ldap?)

2016-05-26 Thread Günther J . Niederwimmer
Hello,
I installed the DNS-Module for IPA Server (update to 4.3.1, info from the 
List)

But now I have missing Entries in the Zone File (?) I have no signed "A" or 
"" Entries in the Zone File?

My test for This Domain on "http://dnsviz.net"

I have entries for /MX, /SOA, /TXT, /NS, but I miss /A, /

Is this problem known ?

Thanks for an answer,
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] mod_nss FreeIPA

2016-05-25 Thread Günther J . Niederwimmer
Hello,

can anyone help me find the correct way to configure a Webserver with IPA. 
(mod_nss)

I can't create a correct DB in /etc/httpd/alias

I searched on the INet and read the install Log from ipa-server but it is for me 
not possible to find a working way :-(.

Thanks for an answer ?

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] FreeIPa and Mailserver (LDAP)

2016-05-16 Thread Günther J . Niederwimmer
Hello,

In the FreeIpa UI it is possible to insert more than one Email Address, but I 
can't find a way to figure out how to have the correct Password / Mailaddresses 
together (Dovecot); the only way I found is user / password.

My search Filter is at the Moment
user_filter = (&(objectClass=posixaccount)(objectClass=inetorgperson)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)(mail=%u))

I mean I must have a "mailalias" or .

Has anyone an Idea or a Hint for this Problem?

Thanks for an answer,
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer

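The `user_filter` in this post only matches `(mail=%u)`, so a login with one of the extra addresses from the IPA UI finds nothing; the `mailAlternateAddress` attribute that Peter Fern's plugin adds (see the "LDAP "mail" from User" thread above) is what an alias lookup has to test as well. As an added example (my code, not Dovecot's, FreeIPA's or the plugin's), the block below parses both filters with a small RFC 4515 evaluator and runs them against two constructed directory entries, so the difference is visible without a directory server. The entries, addresses and the `ALIAS_AWARE_FILTER` are mine; `escape_value` mimics what Dovecot does when it substitutes `%u`.

```python
import re

# Constructed directory entries (attribute names as FreeIPA/389-ds expose them);
# 'mailAlternateAddress' is the attribute Peter Fern's plugin adds.
ENTRIES = [
    {"uid": ["peter"],
     "objectClass": ["posixAccount", "inetOrgPerson", "ipaObject"],
     "mail": ["peter@example.net"],
     "mailAlternateAddress": ["peter@example.com", "p.mueller@example.net"],
     "memberOf": ["cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com"]},
    {"uid": ["mallory"],
     "objectClass": ["posixAccount", "inetOrgPerson", "ipaObject"],
     "mail": ["mallory@example.net"],
     "memberOf": ["cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"]},
]

# The user_filter from the post, joined onto one line.
DOVECOT_FILTER = ("(&(objectClass=posixaccount)(objectClass=inetorgperson)"
                  "(memberof=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)(mail=%u))")
# Same filter, but accepting the primary address or an alias (my suggestion).
ALIAS_AWARE_FILTER = ("(&(objectClass=posixaccount)(objectClass=inetorgperson)"
                      "(memberof=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)"
                      "(|(mail=%u)(mailAlternateAddress=%u)))")


def escape_value(value):
    """RFC 4515 escaping for a value substituted into a filter (as Dovecot does for %u)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the subset of RFC 4515 used here: &, |, ! and attr=value (value '*' = presence)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"'{ch}' expected at offset {pos}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", child)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"attr=value expected at offset {pos}")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (attr names and values case-insensitive)."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1], entry)
    _, attr, value = tree
    present = [v.lower() for k, vals in entry.items() if k.lower() == attr for v in vals]
    if value == "*":
        return bool(present)
    return _unescape(value).lower() in present


def lookup(filter_template, login, entries=ENTRIES):
    """uids matched when `login` is substituted for %u, escaped as an LDAP client must."""
    tree = parse_filter(filter_template.replace("%u", escape_value(login)))
    return [e["uid"][0] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    for login in ("peter@example.net", "peter@example.com"):
        print(login, lookup(DOVECOT_FILTER, login), lookup(ALIAS_AWARE_FILTER, login))
```

The `memberof` test keeps the group gate from the original filter, so an account outside `mailusers` is still refused even when its address matches; the escaping step is what stops a login of `*` from turning the equality into a presence match.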


[Freeipa-users] FreeIPA DNS Module (named.conf)

2016-05-16 Thread Günther J . Niederwimmer
Hello,

I have a question about the named.conf, is it possible to change the 
named.conf, to make ACLs or views, or is named.conf overwritten by the freeipa 
module ?

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] DNSSEC NSEC3 Parameter

2016-05-16 Thread Günther J . Niederwimmer
On Monday, 16 May 2016, 13:13:04 CEST, Petr Spacek wrote:
> On 16.5.2016 08:47, Martin Kosek wrote:
> > On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
> >> Hello,
> >> 
> >> Thanks for answer,
> >> 
> >> On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
> >>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> >>>> Hello,
> >>>> I have the Problem to find the correct way for NSEC3PARAM ?
> >>>> 
> >>>> With your Help I have this found
> >>>> 
> >>>> ipa dnszone-mod example.com. --nsec3param-rec " 
> >>>>  "
> >>>> 
> >>>> But it dos not work correct ?
> >>>> 
> >>>> Now the question, is this the correct way
> >>>> 
> >>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100
> >>>> f9ba6264232b7283"
> >>>> 
> >>>> to insert the NSEC3PARAMETER ??
> >>> 
> >>> This should be right, there were related fixes by
> >>> https://fedorahosted.org/freeipa/ticket/4413
> >>> 
> >>> Your second command works in my test environment:
> >>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100
> >>> f9ba6264232b7283"
> >>> # dig -t nsec3param example.com. +short
> >>> 1 7 100 F9BA6264232B7283
> >> 
> >> The question is now, I mean the  Parameter is wrong ?
> >> 
> >> I make a test without Freeipa on a "normal" DNS (DNSSEC) installation
> >> (bind 9)
> >> 
> >> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
> >> 
> >> and a
> >> 
> >> dig -t nsec3param example.com. +short
> >> 
> >> the result is
> >> 
> >> 1 0 10 
> >> 
> >> 1 is sha1
> >> so I mean (?) "0" is the correct parameter ?.
> >> "10" is the default for Bind
> >> 
> >> so I hope this is working now correct
> >> 
> >> Thanks for testing and answer
> > 
> > Ahh, now I understand what you were asking about. The validators we have
> > in DNS records are only limited, mostly to check that you are entering
> > the right number of fields or that the data type is OK. They usually do
> > not do any more complex evaluation. I would let Petr Spacek say if we
> > need to change anything in FreeIPA in this case.
> 
> Looking at
> https://tools.ietf.org/html/rfc5155#section-4
> http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-2

Petr, I read this all, but I mean I read it wrong ;-)

A nicer way to implement this is an automatic configuration with only a button 
:-)).

Thanks for the Help, 
> The only valid value for NSEC3PARAM flags is 0 (at the moment, this might
> change in future).



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] DNSSEC NSEC3 Parameter

2016-05-14 Thread Günther J . Niederwimmer
Hello,

Thanks for the answer,

On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > I have the problem of finding the correct way to set NSEC3PARAM?
> > 
> > With your help I found this
> > 
> > ipa dnszone-mod example.com. --nsec3param-rec " 
> >  "
> > 
> > But it does not work correctly?
> > 
> > Now the question is, is this the correct way
> > 
> > ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> > 
> > to insert the NSEC3PARAMETER??
> 
> This should be right, there were related fixes by
> https://fedorahosted.org/freeipa/ticket/4413
> 
> Your second command works in my test environment:
> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> # dig -t nsec3param example.com. +short
> 1 7 100 F9BA6264232B7283

The question now is, I think the  parameter is wrong?

I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (BIND 9)

dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE

and a

dig -t nsec3param example.com. +short 

the result is

1 0 10 

1 is SHA-1,
so I think (?) "0" is the correct parameter?
"10" is the default for BIND

so I hope this is now working correctly 

Thanks for testing and answering

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] DNSSEC active (?) ods-ksmutil

2016-05-13 Thread Günther J . Niederwimmer
Hello Petr,

thank you for the answer.

On Friday, 13 May 2016, 13:35:57 CEST, Petr Spacek wrote:
> On 13.5.2016 13:14, Günther J. Niederwimmer wrote:
> > Cannot open destination file, will not make backup.
> > No keys in the READY state matched your parameters, please check the
> > parameters
> 
> This is correct. Configured TTL did not expire yet so the key is not
> "ready". See the column "Date of next transition". You will be able to
> activate the key when this time passes.
> 
> For detailed info please see
> https://wiki.opendnssec.org/display/DOCS/Key+States
> 
> If you are going to use DNSSEC please make sure to use the very latest FreeIPA
> 4.3.1 or newer. We fixed a lot of bugs in the last release.

My system is CentOS 7.2; can I find the newer FreeIPA RPM in any repository
for this system?

This is my private server and I hope it is running correctly?
 
> Petr^2 Spacek
> 
> > when I run
> > 
> > sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list --verbose
> > SQLite database set to: /var/opendnssec/kasp.db
> > Keys:
> > Zone:        Keytype:  State:    Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
> > example.com  KSK       publish   2016-05-14 00:16:00 (ready)    3072   8           6145b3b71c448dfc1130d0f9d2caac79  SoftHSM      40447
> > example.com  ZSK       active    2016-08-11 10:16:00 (retire)   2048   8           d7fe5c98d5f3f89aefb9e8dfb92ebcb1  SoftHSM      60630
> > 
> > The DS records are published in the ".com" domain
> > 
> > dig +rrcomments example.com DS
> > ;; ANSWER SECTION:
> > example.com.   85610   IN  DS  40447 8 1 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
> > example.com.   85610   IN  DS  40447 8 2 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734
> > 
> > Is this the correct status or do I have to change anything?
> > 
> > Do I have to change the KSK status from publish to active, or is this correct?
> > 
> > Thanks for an answer

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] DNSSEC active (?) ods-ksmutil

2016-05-13 Thread Günther J . Niederwimmer
Hello,
I have now activated DNSSEC for my domain, but I think I have a problem setting
it ACTIVE?

I installed and tested it following
https://www.freeipa.org/page/Howto/DNSSEC

but my output from 
sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key ds-seen --zone example.com --keytag 40447
is 

Cannot open destination file, will not make backup.
No keys in the READY state matched your parameters, please check the 
parameters

when I run

sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list --verbose
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:        Keytype:  State:    Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
example.com  KSK       publish   2016-05-14 00:16:00 (ready)    3072   8           6145b3b71c448dfc1130d0f9d2caac79  SoftHSM      40447
example.com  ZSK       active    2016-08-11 10:16:00 (retire)   2048   8           d7fe5c98d5f3f89aefb9e8dfb92ebcb1  SoftHSM      60630

The DS records are published in the ".com" domain

dig +rrcomments example.com DS
;; ANSWER SECTION:
example.com.   85610   IN  DS  40447 8 1 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
example.com.   85610   IN  DS  40447 8 2 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734

Is this the correct status or do I have to change anything?

Do I have to change the KSK status from publish to active, or is this correct?

Thanks for an answer

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] DNSSEC NSEC3 Parameter

2016-05-12 Thread Günther J . Niederwimmer
Hello,
I have the problem of finding the correct way to set NSEC3PARAM?

With your help I found this

ipa dnszone-mod example.com. --nsec3param-rec "  
 "

But it does not work correctly?

Now the question is, is this the correct way

ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
 
to insert the NSEC3PARAMETER??
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer
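Two checks that the NSEC3PARAM threads and the ods-ksmutil thread above keep circling back to can be done offline: whether an NSEC3PARAM value is well-formed before it is handed to `ipa dnszone-mod` (as Martin says, FreeIPA only checks the field count and type, so "1 7 100 …" is accepted even though RFC 5155 requires flags 0 and only hash algorithm 1, SHA-1, is assigned), and whether the DS records the parent publishes really belong to the KSK that `ods-ksmutil key list` reports. What follows is an added example in Python written for this page; it is not FreeIPA, BIND or OpenDNSSEC code. It also recomputes the NSEC3 hashed owner name the way `ldns-nsec3-hash` does, checked against the RFC 5155 Appendix A vector (zone "example", salt aabbccdd, 12 iterations). The DNSKEY used in the demo (flags 257, algorithm 8, a four-byte key) is a constructed placeholder, not a real key; for your own zone, feed `ds_matches` the DNSKEY RDATA from `dig example.com DNSKEY` and each DS line from `dig example.com DS`.

```python
import base64
import hashlib
import re

# Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2.
def name_to_wire(name):
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

# --- NSEC3PARAM (RFC 5155 section 4): "<hash-alg> <flags> <iterations> <salt>" ---
def parse_nsec3param(text):
    """Return (alg, flags, iterations, salt_bytes) or raise ValueError."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("NSEC3PARAM needs 4 fields, got %d" % len(fields))
    alg, flags, iterations = (int(f) for f in fields[:3])
    if alg != 1:
        raise ValueError("hash algorithm %d is not assigned; only 1 (SHA-1) is" % alg)
    if flags != 0:
        raise ValueError("NSEC3PARAM flags must be 0, got %d" % flags)
    if not 0 <= iterations <= 65535:
        raise ValueError("iterations out of range: %d" % iterations)
    if fields[3] == "-":
        salt = b""
    elif re.fullmatch(r"(?:[0-9A-Fa-f]{2}){1,255}", fields[3]):
        salt = bytes.fromhex(fields[3])
    else:
        raise ValueError("salt must be '-' or an even-length hex string of at most 255 octets")
    return alg, flags, iterations, salt

def nsec3param_is_valid(text):
    try:
        parse_nsec3param(text)
        return True
    except ValueError:
        return False

# base32 -> base32hex ("Extended Hex" alphabet, RFC 4648), the encoding NSEC3 owner names use.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt, iterations):
    """Hashed owner name, RFC 5155 section 5: iterations+1 rounds of SHA-1(x || salt)."""
    digest = name_to_wire(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).rstrip("=")

# --- DS from DNSKEY (RFC 4034 section 5.1.4 and Appendix B) ---
def parse_dnskey(text):
    """DNSKEY RDATA in wire form from "<flags> <protocol> <algorithm> <base64 key>"."""
    flags, protocol, algorithm, *key_parts = text.split()
    key = base64.b64decode("".join(key_parts))
    return int(flags).to_bytes(2, "big") + bytes([int(protocol), int(algorithm)]) + key

def key_tag(rdata):
    """Key tag, RFC 4034 Appendix B (valid for every algorithm except the obsolete 1)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

_DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_from_dnskey(owner, dnskey_text, digest_type):
    """DS RDATA in presentation form: "<keytag> <alg> <digest type> <hex digest>"."""
    if digest_type not in _DS_DIGEST:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    rdata = parse_dnskey(dnskey_text)
    digest = _DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(owner, dnskey_text, ds_text):
    """True if a DS record seen at the parent was derived from this DNSKEY."""
    tag, alg, digest_type, digest = ds_text.split()
    expected = ds_from_dnskey(owner, dnskey_text, int(digest_type))
    return expected == "%d %d %d %s" % (int(tag), int(alg), int(digest_type), digest.upper())

if __name__ == "__main__":
    for value in ("1 7 100 f9ba6264232b7283", "1 0 10 f9ba6264232b7283"):
        print("%-30s -> %s" % (value, "ok" if nsec3param_is_valid(value) else "rejected"))
    print(nsec3_hash("example", bytes.fromhex("aabbccdd"), 12))  # RFC 5155 Appendix A apex
    demo_key = "257 3 8 AQIDBA=="  # constructed placeholder, not a real KSK
    print(ds_from_dnskey("example.com.", demo_key, 2))
```

Before marking the KSK as ds-seen, every DS line the parent returns should come back true from `ds_matches` against the DNSKEY whose key tag ods-ksmutil lists (40447 in the thread); a key tag that matches but a digest that does not means the parent holds a DS for a different key with a colliding tag, and validation would fail once the old key is retired.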



Re: [Freeipa-users] Problem with ipa-getkeytab ?

2016-04-21 Thread Günther J . Niederwimmer
Hello List,
On Thursday, 21 April 2016, 16:53:36 CEST, Günther J. Niederwimmer wrote:

Thanks for the answer ;-)

I hope this helps.
 
Thank you

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] Problem with ipa-getkeytab ?

2016-04-21 Thread Günther J . Niederwimmer
Hello,

I found a HOWTO on FreeIPA to install an HA version of a mail system.

Now I have a problem getting the keytab on the second server.

On the first server I run:

kinit admin
ipa-getkeytab -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab

This is working,

but on the second server, when I start

kinit admin
ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab

for the same keytab,
I get an error that access is not possible?

Is this a bug or a mistake on my part?
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Günther J . Niederwimmer
Hello Ludwig,

On Tuesday, 26 January 2016, 11:03:27 CET, Ludwig Krispenz wrote:
> On 01/26/2016 09:45 AM, Günther J. Niederwimmer wrote:
> > Hello List,
> > 
> > I set up a CentOS 7.2 system with two master servers; now I found this
> > error 1000x on my first master?
> > 
> > attrlist_replace - attr_replace (nsslapd-referral,
> > ldap://ipa1.xxx.at:389/ o%3Dipaca) failed.
> 
> did you install and reinstall the replica on the same machine ? The
> message is usually related to removed replicaid, which was not properly
> cleaned.

Yes, I had to delete and reinstall the replica, but I did all the cleanup I
found in the docs:

ipa-replica-manage del ipa1..at
ipa-csreplica-manage del ipa1...at

and created a new one:

ipa-replica-prepare ipa1.xxx.at

The system for ipa1 is a newly installed KVM guest, with the same name 
ipa1..at
 
> can you do some searches ?. On both masters check which is the replicaID
> in use and which are the known ruvs:
> ldapsearch -b "cn=config"  "objectclass=nsds5replica" replicaid
> nsds50ruv

Please can you give me the full command? I am not a professional for LDAP.

Thanks 

> > the second is harmless, I read ;-)
> > NSMMReplicationPlugin - replication keep alive entry 

[Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Günther J . Niederwimmer
Hello List,

I set up a CentOS 7.2 system with two master servers; now I found this error
1000x on my first master?

attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.xxx.at:389/ o%3Dipaca) failed.

The second is harmless, I read ;-)
NSMMReplicationPlugin - replication keep alive entry 

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Günther J . Niederwimmer
Hello Ludwig,

On Tuesday, 26 January 2016, 14:48:31 CET, Ludwig Krispenz wrote:
> On 01/26/2016 12:30 PM, Günther J. Niederwimmer wrote:

> > On Tuesday, 26 January 2016, 11:03:27 CET, Ludwig Krispenz wrote:
> >> On 01/26/2016 09:45 AM, Günther J. Niederwimmer wrote:

> >>> I set up a CentOS 7.2 system with two master servers; now I found this
> >>> error 1000x on my first master?
> >>> 
> >>> attrlist_replace - attr_replace (nsslapd-referral,
> >>> ldap://ipa1.xxx.at:389/ o%3Dipaca) failed.
> >> 
> >> did you install and reinstall the replica on the same machine ? The
> >> message is usually related to removed replicaid, which was not properly
> >> cleaned.
> > 
> > Yes, I had to delete and reinstall the replica, but I did all the cleanup I
> > found in the docs:
> > 
> > ipa-replica-manage del ipa1..at
> > ipa-csreplica-manage del ipa1...at
> > 
> > and created a new one:
> > 
> > ipa-replica-prepare ipa1.xxx.at
> > 
> > The system for ipa1 is a newly installed KVM guest, with the same name
> > ipa1..at
> > 
> >> can you do some searches ?. On both masters check which is the replicaID
> >> in use and which are the known ruvs:
> >> ldapsearch -b "cn=config"  "objectclass=nsds5replica" replicaid
> >> nsds50ruv
> > 
> > Please can you give me the full command? I am not a professional for LDAP.
> 
> ldapsearch -LLL -o ldif-wrap=no -x -h  -p 389  -D "cn=directory
> manager" -W -b "cn=config" "objectclass=nsds5replica" nsds5replicaid
> nsds50ruv
 
> for host insert your masters
Thanks for the help.

The original master

dn: cn=replica,cn=dc\3Desslmaier\2Cdc\3Dat,cn=mapping tree,cn=config
nsds5replicaid: 4
nsds50ruv: {replicageneration} 562f579c0004
nsds50ruv: {replica 4 ldap://ipa.esslmaier.at:389} 562f57b70004 
56a792640004
nsds50ruv: {replica 5 ldap://ipa1.esslmaier.at:389} 568a1fa20005 
56a5cf7300020005

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicaid: 96
nsds50ruv: {replicageneration} 562f57e30060
nsds50ruv: {replica 96 ldap://ipa.esslmaier.at:389} 562f58040060 
56a790210060
nsds50ruv: {replica 91 ldap://ipa1.esslmaier.at:389} 568a1ff7005b 
568a20250006005b
nsds50ruv: {replica 97 ldap://ipa1.esslmaier.at:389} 562f58110061 
5630a9c40061

The first replica master.

nsds5replicaid: 5
nsds50ruv: {replicageneration} 562f579c0004
nsds50ruv: {replica 5 ldap://ipa1.esslmaier.at:389} 568a1fa20005 
56a793fc0005
nsds50ruv: {replica 4 ldap://ipa.esslmaier.at:389} 562f57b70004 
56a792640004

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicaid: 91
nsds50ruv: {replicageneration} 562f57e30060
nsds50ruv: {replica 91 ldap://ipa1.esslmaier.at:389} 568a1ff7005b 
568a20250006005b
nsds50ruv: {replica 96 ldap://ipa.esslmaier.at:389} 562f58040060 
56a793a50060
nsds50ruv: {replica 97 ldap://ipa1.esslmaier.at:389} 562f58110061 
5630a9c40061


> >>> Is this a bad error?
> >>> 
> >>> Can I do anything?
> >>> 
> >>> Thanks for an answer,


-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Günther J . Niederwimmer
On Tuesday, 26 January 2016, 17:13:03 CET, Ludwig Krispenz wrote:
Hello Ludwig,
 
> you got a replicaid (97) left over from the previous install for the
> o=ipaca backend. The other backend is ok, ipa-replica-manage del did the
> cleanup, but ipa-csreplica-manage doesn't. So you have to clean it
> manually by an ldap command.
:-(
 
> Execute the following mod on one of the servers:
> 
> ldapmodify -D "cn=directory manager" -W -a
> dn: cn=clean 97, cn=cleanallruv, cn=tasks, cn=config
> objectclass: extensibleObject
> replica-base-dn: o=ipaca
> replica-id: 97
> cn: clean 97

Thanks for the help, but  

I copied it all on one line, but something is wrong with this mod; I only get
the help screen with the parameters?
 
> On 01/26/2016 04:52 PM, Günther J. Niederwimmer wrote:
> > On Tuesday, 26 January 2016, 14:48:31 CET, Ludwig Krispenz wrote:
> >> On 01/26/2016 12:30 PM, Günther J. Niederwimmer wrote:
> >>> On Tuesday, 26 January 2016, 11:03:27 CET, Ludwig Krispenz wrote:
> >>>> On 01/26/2016 09:45 AM, Günther J. Niederwimmer wrote:
> >>>>> I set up a CentOS 7.2 system with two master servers; now I found this
> >>>>> error 1000x on my first master?
> >>>>> 
> >>>>> attrlist_replace - attr_replace (nsslapd-referral,
> >>>>> ldap://ipa1.xxx.at:389/ o%3Dipaca) failed.
> >>>> 
> >>>> did you install and reinstall the replica on the same machine ? The
> >>>> message is usually related to removed replicaid, which was not properly
> >>>> cleaned.
> >>> 
> >>> Yes, I had to delete and reinstall the replica, but I did all the cleanup I
> >>> found in the docs:
> >>> 
> >>> ipa-replica-manage del ipa1..at
> >>> ipa-csreplica-manage del ipa1...at
> >>> 
> >>> and created a new one:
> >>> 
> >>> ipa-replica-prepare ipa1.xxx.at
> >>> 
> >>> The system for ipa1 is a newly installed KVM guest, with the same name
> >>> ipa1..at
> >>> 
> >>>> can you do some searches ?. On both masters check which is the
> >>>> replicaID in use and which are the known ruvs:
> >>>> ldapsearch -b "cn=config"  "objectclass=nsds5replica" replicaid
> >>>> nsds50ruv
> >>> 
> >>> Please can you give me the full command? I am not a professional for
> >>> LDAP.
> >> 
> >> ldapsearch -LLL -o ldif-wrap=no -x -h  -p 389  -D "cn=directory
> >> manager" -W -b "cn=config" "objectclass=nsds5replica" nsds5replicaid
> >> nsds50ruv
> >> 
> >> for host insert your masters
> > 
> > Thanks for the help.
> > 
> > The original master
> > 
> > dn: cn=replica,cn=dc\3Desslmaier\2Cdc\3Dat,cn=mapping tree,cn=config
> > nsds5replicaid: 4
> > nsds50ruv: {replicageneration} 562f579c0004
> > nsds50ruv: {replica 4 ldap://ipa.esslmaier.at:389} 562f57b70004
> > 56a792640004
> > nsds50ruv: {replica 5 ldap://ipa1.esslmaier.at:389} 568a1fa20005
> > 56a5cf7300020005
> > 
> > dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> > nsds5replicaid: 96
> > nsds50ruv: {replicageneration} 562f57e30060
> > nsds50ruv: {replica 96 ldap://ipa.esslmaier.at:389} 562f58040060
> > 56a790210060
> > nsds50ruv: {replica 91 ldap://ipa1.esslmaier.at:389} 568a1ff7005b
> > 568a20250006005b
> > nsds50ruv: {replica 97 ldap://ipa1.esslmaier.at:389} 562f58110061
> > 5630a9c40061
> > 
> > The first replica master.
> > 
> > nsds5replicaid: 5
> > nsds50ruv: {replicageneration} 562f579c00040000
> > nsds50ruv: {replica 5 ldap://ipa1.esslmaier.at:389} 568a1fa20005
> > 56a793fc0005
> > nsds50ruv: {replica 4 ldap://ipa.esslmaier.at:389} 562f57b70004
> > 56a792640004
> > 
> > dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> > nsds5replicaid: 91
> > nsds50ruv: {replicageneration} 562f57e30060
> > nsds50ruv: {replica 91 ldap://ipa1.esslmaier.at:389} 568a1ff7005b
> > 568a20250006005b
> > nsds50ruv: {replica 96 ldap://ipa.esslmaier.at:389} 562f58040060
> > 56a793a50060
> > nsds50ruv: {replica 97 ldap://ipa1.esslmaier.at:389} 562f58110061
> > 5630a9c40061
> > 
> >>>>> Is this a bad error?
> >>>>> 
> >>>>> Can I do anything?
> >>>>> 
> >>>>> Thanks for an answer,


-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer
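The check Ludwig walked through by hand in this thread (compare each master's own nsds5replicaid with the replica ids listed in its RUV, then clean the one that belongs to nobody) can be scripted. Below is an added example in Python written for this page; it is not FreeIPA or 389-ds code. It takes the text printed by Ludwig's ldapsearch on every master, reports replica ids that appear in some RUV but are not the live id of any master, and prints the CLEANALLRUV task entry in the LDIF shape he posted. The ldapsearch output embedded in it is constructed (hostnames ipa.example.com and ipa1.example.com, the same replica ids 4, 5, 96, 91 and 97 as in the thread, made-up CSNs); replace it with your own. One caveat the code cannot enforce: feed it the output of every master in the topology, because a master you forgot to query looks exactly like an obsolete id, and cleaning a live replica id is destructive.

```python
import re

# Constructed sample: what Ludwig's ldapsearch prints on each master (hostnames and
# CSNs made up; replica 97 is the leftover o=ipaca id from the reinstalled replica).
SAMPLE_OUTPUT = {
    "ipa.example.com": r"""
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds5replicaid: 4
nsds50ruv: {replicageneration} 562f579c000400000000
nsds50ruv: {replica 4 ldap://ipa.example.com:389} 562f57b7000000040000 56a79264000000040000
nsds50ruv: {replica 5 ldap://ipa1.example.com:389} 568a1fa2000000050000 56a5cf73000200050000

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicaid: 96
nsds50ruv: {replicageneration} 562f57e3006000000000
nsds50ruv: {replica 96 ldap://ipa.example.com:389} 562f5804000000600000 56a79021000000600000
nsds50ruv: {replica 91 ldap://ipa1.example.com:389} 568a1ff70000005b0000 568a20250006005b0000
nsds50ruv: {replica 97 ldap://ipa1.example.com:389} 562f5811000000610000 5630a9c4000000610000
""",
    "ipa1.example.com": r"""
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds5replicaid: 5
nsds50ruv: {replicageneration} 562f579c000400000000
nsds50ruv: {replica 5 ldap://ipa1.example.com:389} 568a1fa2000000050000 56a793fc000000050000
nsds50ruv: {replica 4 ldap://ipa.example.com:389} 562f57b7000000040000 56a79264000000040000

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicaid: 91
nsds50ruv: {replicageneration} 562f57e3006000000000
nsds50ruv: {replica 91 ldap://ipa1.example.com:389} 568a1ff70000005b0000 568a20250006005b0000
nsds50ruv: {replica 96 ldap://ipa.example.com:389} 562f5804000000600000 56a793a5000000600000
nsds50ruv: {replica 97 ldap://ipa1.example.com:389} 562f5811000000610000 5630a9c4000000610000
""",
}

# "{replicageneration}" does not match: the regex needs "replica", a space, digits.
_RUV_ID = re.compile(r"^nsds50ruv: \{replica (\d+) ", re.IGNORECASE)

def suffix_from_replica_dn(dn):
    r"""cn=replica,cn=<escaped suffix>,cn=mapping tree,cn=config -> suffix, undoing
    the \XX escapes (o\3Dipaca -> o=ipaca, dc\3Dx\2Cdc\3Dy -> dc=x,dc=y)."""
    m = re.match(r"cn=replica,cn=(.+),cn=mapping tree,cn=config$", dn, re.IGNORECASE)
    if not m:
        raise ValueError("not a replica entry DN: %s" % dn)
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))

def parse_replica_entries(ldif_text):
    """Yield (suffix, local_replica_id, set_of_ruv_replica_ids) per entry in the output."""
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        dn, local_id, ruv_ids = None, None, set()
        for line in block.splitlines():
            if line.lower().startswith("dn: "):
                dn = line[4:].strip()
            elif line.lower().startswith("nsds5replicaid: "):
                local_id = int(line.split(":", 1)[1])
            else:
                m = _RUV_ID.match(line)
                if m:
                    ruv_ids.add(int(m.group(1)))
        if dn is not None and local_id is not None:
            yield suffix_from_replica_dn(dn), local_id, ruv_ids

def find_obsolete_replica_ids(outputs):
    """outputs: {master hostname: its ldapsearch text}. Returns {suffix: [ids]} of
    replica ids present in some RUV but not the live id of any queried master."""
    live, seen = {}, {}
    for text in outputs.values():
        for suffix, local_id, ruv_ids in parse_replica_entries(text):
            live.setdefault(suffix, set()).add(local_id)
            seen.setdefault(suffix, set()).update(ruv_ids)
    return {suffix: sorted(seen[suffix] - live[suffix]) for suffix in seen}

def cleanallruv_ldif(suffix, replica_id):
    """CLEANALLRUV task entry in the form Ludwig posted; add it with ldapmodify -a."""
    return ("dn: cn=clean %d,cn=cleanallruv,cn=tasks,cn=config\n"
            "objectclass: extensibleObject\n"
            "replica-base-dn: %s\n"
            "replica-id: %d\n"
            "cn: clean %d\n" % (replica_id, suffix, replica_id, replica_id))

if __name__ == "__main__":
    for suffix, ids in sorted(find_obsolete_replica_ids(SAMPLE_OUTPUT).items()):
        for replica_id in ids:
            print(cleanallruv_ldif(suffix, replica_id))
```

The problem Günther hit with Ludwig's command is that the entry is not a command-line argument: ldapmodify reads LDIF from standard input (or from a file given with -f). Save the printed entry to a file and run `ldapmodify -D "cn=directory manager" -W -a -f clean97.ldif` on one master; the task then propagates the cleanup to the other masters itself.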



[Freeipa-users] Replica Error with freeIPA Centos 7.2

2016-01-23 Thread Günther J . Niederwimmer
Hello,

I have installed FreeIPA on CentOS 7.2 with a replica server, but I have this
error on both masters.

NSMMReplicationPlugin - replication keep alive entry 

[Freeipa-users] DNS Module (DNSSEC) NSEC3

2016-01-20 Thread Günther J . Niederwimmer
Hello,

I can't find a way to integrate NSEC3; all the docs I found are only for
DNSSEC, not including NSEC3.

Can anyone help me to set this up correctly?

Thanks for an answer, 

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] DNSSEC Question (KSK ZSK)

2015-12-29 Thread Günther J . Niederwimmer
Hello,

Is it possible to install a DNSSEC master with my previously created KSK and ZSK?

Background:

I had installed an IPA master on my system; now I have changed the hardware and
made a new installation on the new hardware.

I only have a backup of the files in
/var/named/dyndb-ldap/ipa/master/example.com/keys/

When I now enable a new DNSSEC master, will FreeIPA create a new KSK and ZSK for
the domain?

Then I would have to wait until after the holidays to update the DS record at my
ISP :-(.

Thanks for an answer,

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] FreeIPA DNSSEC NSEC3PARAM record

2015-12-13 Thread Günther J . Niederwimmer
On Thursday 10 December 2015, 12:51:19, Petr Spacek wrote:
> On 9.12.2015 14:40, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > I would like to create an NSEC3PARAM record, but my tests are not working :-(.
> > 
> > Is there documentation for this? I can't find any docs.
> > 
> > My test is:
> > 
> > I make a "salt" with this
> > 
> > head -c 512 /dev/random | sha1sum | cut -b 1-16
> > x...
> > 
> > afterwards I run
> > ldns-nsec3-hash -t 10 -s xx x.com
> > x.
> > 
> > I would like to insert the result in the WebUI, but this is wrong?
> > 
> > What is the correct syntax to create an NSEC3PARAM record?
> > 
> > Thanks for an answer,
> 
> Hello,
> 
> FreeIPA just passes the value to BIND, so standard syntax per
> http://tools.ietf.org/html/rfc5155#section-4.3
> should work.
> 
> I hope this helps.
;-)

I am not a mathematics professor, to understand this ;-)

OK, I have to search the World Wide Web again to find an answer. 

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] FreeIPA DNSSEC NSEC3PARAM record

2015-12-09 Thread Günther J . Niederwimmer
Hello,

I would like to create an NSEC3PARAM record, but my tests are not working :-(.

Is there documentation for this? I can't find any docs.

My test is:

I make a "salt" with this

head -c 512 /dev/random | sha1sum | cut -b 1-16
x...

afterwards I run
ldns-nsec3-hash -t 10 -s xx x.com 
x.

I would like to insert the result in the WebUI, but this is wrong?

What is the correct syntax to create an NSEC3PARAM record?

Thanks for an answer,

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Reverse Zone IPv6 Syntax ?

2015-12-08 Thread Günther J . Niederwimmer
Hello Martin,

On Tuesday 08 December 2015, 13:10:57, Martin Basti wrote:
> On 08.12.2015 12:52, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > On Monday 07 December 2015, 22:46:45, Martin Basti wrote:
> >> On 07.12.2015 21:26, Günther J. Niederwimmer wrote:
> >>> On Monday 07 December 2015, 20:41:29, Martin Basti wrote:
> >>>> On 07.12.2015 20:12, Pavel Picka wrote:
> >>>>> Hello
> >>>>> 
> >>>>> for me it works if the IPv6 address is e.g. 2002::101, so the reverse
> >>>>> zone will be
> >>>>> 
> >>>>> 0.2.0.0.2.ip6.arpa
> >>>>> 
> >>>>> you can use more chars as you mentioned ( 0.0.0.0.0.2.0.0.2.ip6.arpa
> >>>>> will still be reverse for ip 2002::101 )
> >>> 
> >>> I also tested more chars?
> >>> 
> >>>>> so if your IP starts with 2001::   the reverse is   2.0.0.1.ip6.arpa
> >>>> 
> >>>> Nope.
> >>>> 
> >>>> reverse zone of 2001::/16 is 1.0.0.2.ip6.arpa
> >>> 
> >>> Is there a command-line syntax for adding a reverse zone? In the web
> >>> form it is not possible to insert a reverse IPv6 zone; I only get the
> >>> message that this is a wrong IP address.
> >> 
> >> It should work in webUI.
> >> Did you write ipv6 address with prefix? (2001:db8::/32) ?
> > 
> > No
> > 
> > I only have these addresses in my zone
> > 2001:15c0::::234
> > 
> > ?
> > Do I have to set all the 0. before the /64 segment?
> 
> No, you do not need to.
> 
> Try to write in webUI 2001:15c0::/64
> It is the shortcut form of an IPv6 address, zeroes will be added automatically

That is it  

I have to write a "normal" IPv6 address with prefix; afterwards the reverse zone
is created 

Many thanks Martin
 
> >>>>> hope it helps
> > 
> > ;-).
> > 
> >>>>> - Original Message -
> >>>>> From: "Günther J. Niederwimmer" <g...@gjn.priv.at>
> >>>>> To: freeipa-users@redhat.com
> >>>>> Sent: Monday, December 7, 2015 7:58:32 PM
> >>>>> Subject: [Freeipa-users] Reverse Zone IPv6 Syntax ?
> >>>>> 
> >>>>> Hello,
> >>>>> 
> >>>>> I would like to create an ip6.arpa zone with FreeIPA, but this is not
> >>>>> possible? I can't find the correct syntax for an IPv6 reverse zone :-(.
> >>>>> I tested
> >>>>> 
> >>>>> 16 chars
> >>>>> x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2
> >>>>> x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa
> >>>>> 
> >>>>> The last one works with named (bind)
> >>>>> 
> >>>>> Can anyone tell me whether this works, or give me a link to a doc to read?
> >>>>> 
> >>>>> Thanks for an answer
> >>>>> 
> >>>>> FreeIPA Version 4.2.0-15
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer
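The naming rule Martin and Pavel disagree about in this thread is mechanical: take the network part of the prefix, one hex nibble per label for IPv6 (one octet per label for IPv4), reverse the label order, and append ip6.arpa (in-addr.arpa), which is why 2001::/16 gives 1.0.0.2.ip6.arpa and not 2.0.0.1. The following is an added example in Python written for this page, not FreeIPA code; it derives the zone name for any prefix and cross-checks that a host's PTR name actually falls inside that zone. It goes a little beyond the thread in handling IPv4 prefixes as well. Prefixes that do not end on a nibble (octet) boundary are rejected, since a reverse zone can only be cut at a label boundary.

```python
import ipaddress

def reverse_zone(prefix):
    """Reverse zone name for an IPv4 or IPv6 prefix, e.g. "2001:15c0::/64" ->
    "0.0.0.0.0.0.0.0.0.c.5.1.1.0.0.2.ip6.arpa.". Host bits in the prefix are ignored
    (strict=False), so "2001:15c0::234/64" yields the same zone as "2001:15c0::/64"."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 6:
        if net.prefixlen % 4:
            raise ValueError("IPv6 reverse zones cut at nibble boundaries; /%d does not" % net.prefixlen)
        # exploded form spells out every nibble of all eight groups, lowercase
        nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
        return ".".join(reversed(nibbles)) + ".ip6.arpa."
    if net.prefixlen % 8:
        raise ValueError("IPv4 reverse zones cut at octet boundaries; /%d does not" % net.prefixlen)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def reverse_name(address):
    """Full PTR owner name of one address (every nibble or octet, reversed)."""
    return ipaddress.ip_address(address).reverse_pointer + "."

def zone_covers(prefix, address):
    """True if the PTR record for `address` belongs in the reverse zone of `prefix`,
    i.e. the zone name is a label-aligned suffix of the PTR owner name."""
    zone, name = reverse_zone(prefix), reverse_name(address)
    return name == zone or name.endswith("." + zone)

if __name__ == "__main__":
    for prefix in ("2001::/16", "2002::/20", "2001:15c0::/64", "192.0.2.0/24"):
        print("%-16s %s" % (prefix, reverse_zone(prefix)))
    print(zone_covers("2001:15c0::/64", "2001:15c0::234"))
```

The `zone_covers` check is the one to run after creating the zone in FreeIPA: if a host's PTR name does not end in the zone you created, the record will be refused or, worse, silently land in a zone that nobody serves.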



Re: [Freeipa-users] Reverse Zone IPv6 Syntax ?

2015-12-08 Thread Günther J . Niederwimmer
Hello,

On Monday 07 December 2015, 22:46:45, Martin Basti wrote:
> On 07.12.2015 21:26, Günther J. Niederwimmer wrote:
> > On Monday 07 December 2015, 20:41:29, Martin Basti wrote:
> >> On 07.12.2015 20:12, Pavel Picka wrote:
> >>> Hello
> >>> 
> >>> for me it works if the IPv6 address is e.g. 2002::101, so the reverse zone
> >>> will be:
> >>> 
> >>> 0.2.0.0.2.ip6.arpa
> >>> 
> >>> you can use more chars as you mentioned ( 0.0.0.0.0.2.0.0.2.ip6.arpa will
> >>> still be reverse for ip 2002::101 )
> > 
> > I also tested more chars?
> > 
> >>> so if your IP starts with 2001::   the reverse is   2.0.0.1.ip6.arpa
> >> 
> >> Nope.
> >> 
> >> reverse zone of 2001::/16 is 1.0.0.2.ip6.arpa
> > 
> > Is there a command-line syntax for adding a reverse zone? In the web
> > form it is not possible to insert a reverse IPv6 zone; I only get the
> > message that this is a wrong IP address.
> 
> It should work in webUI.
> Did you write ipv6 address with prefix? (2001:db8::/32) ?

No

I only have these addresses in my zone
2001:15c0::::234

?
Do I have to set all the 0. before the /64 segment? 

> >>> hope it helps
;-).
> >>> 
> >>> - Original Message -
> >>> From: "Günther J. Niederwimmer" <g...@gjn.priv.at>
> >>> To: freeipa-users@redhat.com
> >>> Sent: Monday, December 7, 2015 7:58:32 PM
> >>> Subject: [Freeipa-users] Reverse Zone IPv6 Syntax ?
> >>> 
> >>> Hello,
> >>> 
> >>> I would like to create an ip6.arpa zone with FreeIPA, but this is not
> >>> possible? I can't find the correct syntax for an IPv6 reverse zone :-(.
> >>> I tested
> >>> 
> >>> 16 chars
> >>> x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2
> >>> x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa
> >>> 
> >>> The last one works with named (bind)
> >>> 
> >>> Can anyone tell me whether this works, or give me a link to a doc to read?
> >>> 
> >>> Thanks for an answer
> >>> 
> >>> FreeIPA Version 4.2.0-15

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Reverse Zone IPv6 Syntax ?

2015-12-07 Thread Günther J . Niederwimmer
On Monday 07 December 2015, 20:41:29, Martin Basti wrote:
> On 07.12.2015 20:12, Pavel Picka wrote:
> > Hello
> > 
> > for me it works if the IPv6 address is e.g. 2002::101, so the reverse zone will be:
> > 
> > 0.2.0.0.2.ip6.arpa
> > 
> > you can use more chars as you mentioned ( 0.0.0.0.0.2.0.0.2.ip6.arpa will
> > still be reverse for ip 2002::101 )
I also tested more chars?
 
> > so if your IP starts with 2001::   the reverse is   2.0.0.1.ip6.arpa
> 
> Nope.
> 
> reverse zone of 2001::/16 is 1.0.0.2.ip6.arpa
 
Is there a command-line syntax for adding a reverse zone? In the web form it is
not possible to insert a reverse IPv6 zone; I only get the message that this is
a wrong IP address.  

> > hope it helps
> > 
> > - Original Message -
> > From: "Günther J. Niederwimmer" <g...@gjn.priv.at>
> > To: freeipa-users@redhat.com
> > Sent: Monday, December 7, 2015 7:58:32 PM
> > Subject: [Freeipa-users] Reverse Zone IPv6 Syntax ?
> > 
> > Hello,
> > 
> > I would like to create an ip6.arpa zone with FreeIPA, but this is not
> > possible? I can't find the correct syntax for an IPv6 reverse zone :-(.
> > I tested
> > 
> > 16 chars
> > x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2
> > x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa
> > 
> > The last one works with named (bind)
> > 
> > Can anyone tell me whether this works, or give me a link to a doc to read?
> > 
> > Thanks for an answer
> > 
> > FreeIPA Version 4.2.0-15

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] Reverse Zone IPv6 Syntax ?

2015-12-07 Thread Günther J . Niederwimmer
Hello,

I would like to create an ip6.arpa zone with FreeIPA, but this is not possible? 
I can't find the correct syntax for an IPv6 reverse zone :-(.
I tested

16 chars
x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2
x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa

The last one works with named (bind)

Can anyone tell me whether this works, or give me a link to a doc to read?

Thanks for an answer

FreeIPA Version 4.2.0-15
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] FreeIPA and LetsEncrypt Question

2015-12-02 Thread Günther J . Niederwimmer
Hello All,

On Wednesday 02 December 2015, 21:10:31, Fraser Tweedale wrote:
> On Mon, Nov 30, 2015 at 02:46:13PM +0200, Alexander Bokovoy wrote:
> > On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
> > >Hello ,
> > >
> > >I have a question: does anyone among the FreeIPA "gurus" ;-) know whether the
> > >upcoming Let's Encrypt certificates are compatible and work with FreeIPA?
> > 
> > We have plans to support issuing certificates via Let's Encrypt.
> 
> Günther, what are your specific wishes - to automatically acquire LE
> certs for FreeIPA server's HTTP and LDAP?  Arbitrary hosts or
> services that are managed by FreeIPA?

My wishes :-)).

If I can have wishes, I mean all of them ;-) 

But a nice integration for IMAP, SMTP, LDAP, HTTPS ... would be a dream.

Now I am making a test with FreeIPA and "DANE"; I hope this works?

 
> > However, right now Let's encrypt only issues server certificates, not
> > CA roots, so you cannot use them to bootstrap IPA CA.
> 
> This will probably always be the case.
> 
> Cheers,
> Fraser

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] FreeIPA and LetsEncrypt Question

2015-11-30 Thread Günther J . Niederwimmer
Hello ,

I have a question: does anyone among the FreeIPA "gurus" ;-) know whether the
upcoming Let's Encrypt certificates are compatible and work with FreeIPA?

Thanks for an answer, 
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] New Host and IP Address

2015-09-11 Thread Günther J . Niederwimmer
Hello,

System: CentOS 7, FreeIPA 4.1.

I would like to add a new host with a service like imap/imap.example.com

imap.example.com exists in the zone file with a CNAME record.

I can't find the correct doc for my problem ;-)


The second problem is: is it possible to add an IPv6 address to the host and
certificates?

Thanks for an answer, 
-- 
mit freundlichen Grüssen / best regards,

 Günther J. Niederwimmer



[Freeipa-users] DNS Server

2015-09-10 Thread Günther J . Niederwimmer
Hello,

what is the best way to include an external nameserver for an IPA host?

My DNS (DNSSEC) server is running on a separate instance (KVM); now I have set up
a separate instance for an IPA master server, and I now have to include the CNAME
server like "smtp.example.com CNAME imap.example.com". Or can I include this
server another way?

Thanks for an answer,
-- 
mit freundlichen Grüssen / best regards,

 Günther J. Niederwimmer



[Freeipa-users] certificate add subject alt Name

2015-09-05 Thread Günther J . Niederwimmer
Hello,

System CentOS 7.

Is it possible to change a certificate to add a subject alt name?

My "problem" is: I have a mail server with name smtp.example.com and the 
correct service certificates smtp/smtp.example.com & imap/example.com; now I 
made a new record "imap IN CNAME smtp" in my DNS server (an external system), 
but this is now missing in the certificate?

The problem, I think, is DNSSEC, so I can't set this up with FreeIPA, and I don't 
have a host/imap.example.com.

Does anyone have an answer for MY problem ;-).

I can't find anything, but I think this works with FreeIPA?

-- 
mit freundlichen Grüssen / best regards,

 Günther J. Niederwimmer


[Freeipa-users] different EMail Addresses

2015-08-30 Thread Günther J . Niederwimmer
Hello,

What is the way to read a different e-mail address from FreeIPA?

My system is CentOS 7.

When I create a user joe on a system like ipa.example.com (LDAP 
dc=example,dc=com, Kerberos EXAMPLE.COM), I have a default e-mail address 
j...@example.com in the user's form, but the user must also have a secondary 
e-mail address like joe@other_domain.net. It is no problem to insert this 
address, but I can never read / find this address with sssd?

Do I have to change more ... like Kerberos, to have this working?

Thanks for an answer,

-- 
mit freundlichen Grüssen / best regards,

 Günther J. Niederwimmer

[Freeipa-users] FreeIPA certificate for Outlook

2015-08-18 Thread Günther J . Niederwimmer
Hello,

Is it possible to export a CA / certificate for a Windows Outlook client?

If yes, can anyone tell me the correct file?

Thanks for an answer
-- 
mit freundlichen Grüssen / best regards,

 Günther J. Niederwimmer

[Freeipa-users] EMail Address in Certificate

2015-07-21 Thread Günther J . Niederwimmer
Hello,

Is it possible to add an e-mail address to a user certificate (Subject 
Alternative Name)?

I think I have read something about it, but I can't find it again?

Thanks for an answer,

-- 
mit freundlichen Grüssen / best regards,

 Günther J. Niederwimmer



[Freeipa-users] access control

2015-07-19 Thread Günther J . Niederwimmer
Hello,

Can anyone help me create an access control for a user?

Background: 
I have created a user like this, from a FreeIPA site:

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
blank line
^D
Now I have to create an access control rule for this user so that it can read 
the userPassword attribute, like this?


# access to attribute=userPassword
#by dn=dovecot's dn read # add this
#by anonymous auth
#by self write
#by * none


I can't find an example for this problem, and so I have no correctly working 
mail server :-(.

Please help, and thanks for an answer.
-- 
mit freundlichen Grüssen / best regards,

 Günther J. Niederwimmer
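The commented "access to" block in the message above is OpenLDAP slapd.conf syntax. FreeIPA runs 389 Directory Server, where access is granted by aci values stored on the entry (or a parent) whose subtree they cover, and FreeIPA's default ACIs exclude userPassword from what ordinary binds may read. The following is an added example written for this thread, not code from the post or from FreeIPA: a Python helper that builds the aci value for the uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com account from the post, emits the ldapmodify LDIF that adds it, and audits a list of ACI strings to report every bind rule that ends up with read on userPassword. The target entry cn=users,cn=accounts,dc=example,dc=com, the ACI label and the three sample ACIs are constructed for the demonstration.

```python
"""Build and audit 389 Directory Server ACIs that touch userPassword.

Added example for this thread; not code from the post or from FreeIPA.
The bind DN comes from the post; the target entry, ACI label and the
sample ACI list below are constructed for the demonstration.
"""
import re

# 389-ds ACI grammar, reduced to the parts used here:
#   (targetattr [!]= "a || b")(version 3.0; acl "label"; allow|deny (rights) bindrule;)
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'      # attribute target
    r'.*?'                                                    # any other (target...) clauses
    r'\(version 3\.0;\s*acl\s*"(?P<label>[^"]*)";\s*'         # version and label
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'      # allow/deny (read, ...)
    r'(?P<bindrule>.*?)\s*;\)$',                              # userdn/groupdn ... ;)
    re.DOTALL,
)


def build_read_aci(attr, bind_dn, label):
    """ACI granting read/search/compare on one attribute to one bind DN.

    This is the 389-ds counterpart of the OpenLDAP clause
    'access to attrs=<attr> by dn="<bind_dn>" read'.
    """
    return (f'(targetattr = "{attr}")'
            f'(version 3.0; acl "{label}"; '
            f'allow (read, search, compare) userdn = "ldap:///{bind_dn}";)')


def aci_modify_ldif(entry_dn, aci):
    """LDIF that adds the ACI to the entry whose subtree it should cover."""
    return f"dn: {entry_dn}\nchangetype: modify\nadd: aci\naci: {aci}\n"


def parse_aci(aci):
    """Split one ACI string into its target attributes, rights and bind rule."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError(f"unrecognised ACI: {aci!r}")
    return {
        "negated": m.group("op") == "!=",
        "attrs": [a.strip().lower() for a in m.group("attrs").split("||")],
        "label": m.group("label"),
        "effect": m.group("effect"),
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "bindrule": m.group("bindrule").strip(),
    }


def who_can_read(acis, attr="userpassword"):
    """(label, bindrule) for every allow-ACI whose attribute target covers attr.

    A negated target ("targetattr != ...") covers attr only when attr is NOT
    in its list; a plain target covers it when it lists attr or "*".
    """
    hits = []
    for aci in acis:
        p = parse_aci(aci)
        if p["effect"] != "allow" or not (p["rights"] & {"read", "all"}):
            continue
        if p["negated"]:
            covered = attr not in p["attrs"]
        else:
            covered = "*" in p["attrs"] or attr in p["attrs"]
        if covered:
            hits.append((p["label"], p["bindrule"]))
    return hits


# Constructed sample: the ACI the post asks for, plus two typical neighbours.
DOVECOT_ACI = build_read_aci(
    "userPassword",
    "uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com",
    "dovecot reads userPassword",
)
SAMPLE_ACIS = [
    DOVECOT_ACI,
    '(targetattr != "userPassword || krbPrincipalKey")(version 3.0; acl "Anonymous read"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(targetattr = "*")(version 3.0; acl "Admins all"; '
    'allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)',
]

if __name__ == "__main__":
    print(aci_modify_ldif("cn=users,cn=accounts,dc=example,dc=com", DOVECOT_ACI))
    for label, rule in who_can_read(SAMPLE_ACIS):
        print(f"userPassword readable via ACI {label!r}: {rule}")
```

Before adding such an ACI, ask whether the mail server needs the hash at all: Dovecot can verify a password by binding to the directory as the user (auth_bind = yes in its LDAP passdb), which needs no read access to userPassword and never copies hashes to the mail host. If the ACI is added anyway, feed the audit function the aci values returned by an ldapsearch over dc=example,dc=com from time to time; a later "targetattr = "*"" ACI with a broad bind rule would silently widen who can read the hashes.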

[Freeipa-users] Kerberos principal add / create

2015-06-21 Thread Günther J . Niederwimmer
Hello,

It was a long way to find out how to read the e-mail addresses from IPA 
:-(

Now the way is to read directly from the 389 server; sssd doesn't find more than 
the one address.

OK.

I found a readme that tells me to create a special user:

# dovecota, sysaccounts, etc, 4gjn.prv
dn: uid=dovecota,cn=sysaccounts,cn=etc,dc=,dc=
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: dovecota
userPassword:: e1NTSEF9TWlKY0FWZkxTd3ZkS2dUZ0xyamV3bUJJbm9TLzRORTlwdU14c1E9PQ=


With this user I can now read passwd, uid, mail.

But the question is: is it possible to add a Kerberos principal to this user 
with IPA?

Thanks for an answer,
-- 
mit freundlichen Grüssen / best regards,

 Günther J. Niederwimmer



[Freeipa-users] direct ldap connect from dovecot

2015-06-15 Thread Günther J . Niederwimmer
Hello,

Is it possible to connect directly to the LDAP from a program like Dovecot?

I have big auth problems with my setup.

With cn=admin,cn=users,cn=accounts,dc=,dc=x
and the admin password, this is not working.

I don't know the 389 server :-(; at the moment I have to learn much more ;-).

If anyone can help, thank you.
-- 
mit freundlichen Grüssen / best regards,

 Günther J. Niederwimmer



[Freeipa-users] ipa-client-install --request-cert ERROR

2015-05-16 Thread Günther J . Niederwimmer
Hello,

When I install an IPA client (CentOS 7.1) I have this error in the log:

freeipa ERROR certmonger request for host certificate failed

Is there a way to get this certificate back?

I am nearly new to FreeIPA and have many problems :-(.

Thanks for the help,

-- 
mit freundlichen Grüssen / best regards,

 Günther J. Niederwimmer



Re: [Freeipa-users] ipa-getcert Problem ?

2015-04-15 Thread Günther J . Niederwimmer
Hello,

On Tuesday, 14 April 2015, 14:29:58, Nalin Dahyabhai wrote:
> On Tue, Apr 14, 2015 at 08:18:38PM +0200, Günther J. Niederwimmer wrote:
>> Hello
>>
>> I think I have a problem with the ipa-getcert script.
>>
>> System: CentOS 7 (1503) and IPA 4.1.x.
>>
>> Can anyone help or explain my mistake, or is this an IPA problem?
>>
>> I do:
>>
>> kinit admin
>>
>> ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/xxx.4gjn.prv -N 'CN=xxx.4gjn.prv,O=$4GJN.PRV'
>>
>> and afterwards with
>> ipa-getcert list
>>
>> Number of certificates and requests being tracked: 1.
>>
>> Request ID '20150414172251':
>> status: CA_REJECTED
>> ca-error: Server at https://ipa.4gjn.prv/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=HOST/xxx.4gjn@4gjn.prv,cn=services,cn=accounts,dc=4gjn,dc=prv'.).
>> stuck: yes
>>
>> key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>>
>> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
>>
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>
> The server rejected the request because no service with the Kerberos
> principal name in the request exists yet.
>
> The host service is the one that's automatically created, and because
> Kerberos principal names are case sensitive, HOST is seen as being
> different from host.  The certmonger service uses the local host's
> credentials in /etc/krb5.keytab to authenticate when it sends the
> request to the CA (so you could skip the kinit step above), and the host
> doesn't have the necessary privileges to create a new service, and
> that's why that particular error message is coming back from the server.
>
>> ipa-getcert status
>> process 4731: arguments to dbus_message_new_method_call() were incorrect, assertion path != NULL failed in file dbus-message.c line 1262.
>> This is normally a bug in some application using the D-Bus library.
>>   D-Bus not built with -rdynamic so unable to print a backtrace
>>
>> Aborted (core dumped)
>
> That's a bug in ipa-getcert.  It should be producing an error message,
> suggesting that you'd need to specify additional options to indicate
> which request you wanted to check the status on, like so:
>   getcert status -i 20150414172251
>   getcert status -d /etc/pki/nssdb -n Server-Cert
>
> I suggest 'ipa-getcert resubmit -i 20150414172251 -K host/xxx.4gjn.prv'
> (note the lower case) to change the parameters in the certificate
> request, which should be enough to satisfy the server's requirements.

Thank you for the answer and help.

I think this is working now ;) after some --uninstall and deleting the 
certificate (?). The wrong command I found with Google :-(.

The status command is not working on my system!


-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



[Freeipa-users] ipa-getcert Problem ?

2015-04-14 Thread Günther J . Niederwimmer
Hello

I think I have a problem with the ipa-getcert script.

System: CentOS 7 (1503) and IPA 4.1.x.

Can anyone help or explain my mistake, or is this an IPA problem?

I do:

kinit admin

ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/xxx.4gjn.prv -N 'CN=xxx.4gjn.prv,O=$4GJN.PRV'

and afterwards with
ipa-getcert list

Number of certificates and requests being tracked: 1.
Request ID '20150414172251':
status: CA_REJECTED
ca-error: Server at https://ipa.4gjn.prv/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=HOST/xxx.4gjn@4gjn.prv,cn=services,cn=accounts,dc=4gjn,dc=prv'.).
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
CA: IPA
issuer: 
subject: 
expires: unknown
pre-save command: 
post-save command: 
track: yes
auto-renew: yes

ipa-getcert status
process 4731: arguments to dbus_message_new_method_call() were incorrect, assertion path != NULL failed in file dbus-message.c line 1262.
This is normally a bug in some application using the D-Bus library.
  D-Bus not built with -rdynamic so unable to print a backtrace
Aborted (core dumped)


What is wrong?
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer

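Nalin's reply earlier on this page rests on two facts worth keeping at hand: Kerberos principal names are case sensitive, so HOST/fqdn is not the host/fqdn principal the enrolment created, and certmonger authenticates to the CA with the host keytab, which is not allowed to add services. As an added example (not code from the thread, from certmonger or from FreeIPA), the Python below parses ipa-getcert list output, pulls the refused krbprincipalname out of the ca-error field, compares it case-insensitively with the principals that exist, and prints the getcert resubmit -i <id> -K host/<fqdn> command Nalin suggested, or a service-add step when no existing principal differs only by case. SAMPLE_OUTPUT is constructed after the listing in the post, with the principal written as HOST/mail.example.com@EXAMPLE.COM; KNOWN_PRINCIPALS is a stand-in for what ipa service-find would return.

```python
"""Diagnose a stuck certmonger request from 'ipa-getcert list' output.

Added example for this thread; not code from the post, certmonger or FreeIPA.
SAMPLE_OUTPUT is constructed after the listing in the post; KNOWN_PRINCIPALS
stands in for the principals 'ipa service-find' / 'ipa host-show' would list.
"""
import re

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s?(?P<value>.*)$")
PRINCIPAL_RE = re.compile(r"krbprincipalname=(?P<princ>[^,']+)", re.IGNORECASE)

SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 1.
Request ID '20150414172251':
\tstatus: CA_REJECTED
\tca-error: Server at https://ipa.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=HOST/mail.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com'.).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
\tCA: IPA
\ttrack: yes
\tauto-renew: yes
"""

# Principals that exist in the directory (constructed; the host/ principal is
# created automatically when the client is enrolled).
KNOWN_PRINCIPALS = [
    "host/mail.example.com@EXAMPLE.COM",
    "imap/mail.example.com@EXAMPLE.COM",
]


def parse_getcert_list(text):
    """One dict per tracked request, keyed by the field names getcert prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key").strip()] = m.group("value").strip()
    return requests


def principal_from_error(ca_error):
    """Pull the krbprincipalname the CA refused to create out of ca-error."""
    m = PRINCIPAL_RE.search(ca_error or "")
    return m.group("princ") if m else None


def diagnose(req, known_principals):
    """Explain a CA_REJECTED request and propose the resubmit command.

    Kerberos principal names are case sensitive, so 'HOST/fqdn' is not the
    automatically created 'host/fqdn'; -K takes the principal without realm.
    """
    requested = principal_from_error(req.get("ca-error"))
    result = {
        "request_id": req["request_id"],
        "status": req.get("status"),
        "stuck": req.get("stuck") == "yes",
        "requested": requested,
        "exact_match": False,
        "case_match": None,
        "fix": None,
    }
    if requested is None:
        return result
    if requested in known_principals:
        result["exact_match"] = True
        return result
    for known in known_principals:
        if known.lower() == requested.lower():
            result["case_match"] = known
            result["fix"] = (f"getcert resubmit -i {req['request_id']} "
                             f"-K {known.split('@')[0]}")
            return result
    # Nothing differs only by case: the service really has to be created first
    # (by an account allowed to add services), then the request resubmitted.
    result["fix"] = (f"ipa service-add {requested} && "
                     f"getcert resubmit -i {req['request_id']} -K {requested.split('@')[0]}")
    return result


if __name__ == "__main__":
    for req in parse_getcert_list(SAMPLE_OUTPUT):
        print(diagnose(req, KNOWN_PRINCIPALS))
```

The same parser works on real output (replace SAMPLE_OUTPUT with sys.stdin.read() and pipe ipa-getcert list into it), with KNOWN_PRINCIPALS filled from ipa service-find on the server. The request ID it extracts is also what getcert status -i expects; the crash in the post happened because status was called without any selector.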


Re: [Freeipa-users] ipa-client-automount problem

2015-03-30 Thread Günther J . Niederwimmer
Hello,

On Sunday, 29 March 2015, 22:25:07, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 03/29/2015 06:00 PM, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> My automount is not working correctly?
>>>
>>> I have CentOS 7 with the CR update; this is IPA 4.1 and sssd 1.12.
>>>
>>> I have this error in the logs:
>>>
>>> automount[1899]: lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
>>>
>>> Is this correct with IPA 4.1?
>>>
>>> /etc/sysconfig/autofs and /etc/autofs_ldap_auth.config were not configured by ipa-client-automount, or do I have to do this manually?
>>>
>> Do you have libsss_autofs installed?
>
> The default is to configure automount using SSSD so no configuration in
> those files is expected.
>
> What isn't working?

I think this error is not the best thing ;)

automount[1899]: lookup_read_map: lookup(sss): getautomntent_r: No such file or directory


I found this in mount:

/etc/auto.misc on /misc type autofs (rw,relatime,fd=6,pgrp=7198,timeout=300,minproto=5,maxproto=5,indirect)
-hosts on /net type autofs (rw,relatime,fd=12,pgrp=7198,timeout=300,minproto=5,maxproto=5,indirect)
auto.daten on /daten type autofs (rw,relatime,fd=18,pgrp=7198,timeout=300,minproto=5,maxproto=5,indirect)
auto.home on /home type autofs (rw,relatime,fd=24,pgrp=7198,timeout=300,minproto=5,maxproto=5,indirect)

First, now I also find the local auto.master in the mount?

But the /net mounts (nfs4) are not mounted ;) 

Do I have to start any NFS programs for this to work?

-- 
mit freundlichen Grüßen / best Regards,

  Günther J. Niederwimmer



[Freeipa-users] ipa-client-automount problem

2015-03-29 Thread Günther J . Niederwimmer
Hello,

My automount is not working correctly?

I have CentOS 7 with the CR update; this is IPA 4.1 and sssd 1.12.

I have this error in the logs:

automount[1899]: lookup_read_map: lookup(sss): getautomntent_r: No such file or directory

Is this correct with IPA 4.1?

/etc/sysconfig/autofs and /etc/autofs_ldap_auth.config were not configured by 
ipa-client-automount, or do I have to do this manually? 
-- 
mit freundlichen Grüßen / best Regards,

  Günther J. Niederwimmer



[Freeipa-users] Freeipa Server down !!

2015-03-28 Thread Günther J . Niederwimmer
Hello,

Is the freeipa.org server down? I only get a proxy error:

Reason: Error reading from remote server
-- 
mit freundlichen Grüßen / best Regards,

  Günther J. Niederwimmer



[Freeipa-users] Error with kerberos users

2015-03-03 Thread Günther J . Niederwimmer
Hello,

What is wrong with my setup?
This is a normal install with ipa-server-install and ipa-client-install on 5 
KVM clients.

CentOS 7



WARNING: Failed to create krb5 context for user with uid 22521 for server bbs.gjn.prv
Mar  3 16:28:22 smtp1 rpc.gssd[6912]: doing error downcall
Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt5)
Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handle_gssd_upcall: 'mech=krb5 uid=22521 enctypes=18,17,16,23,3,1,2 '
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt5)
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: process_krb5_upcall: service is 'null'
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No Kerberos credentials available
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: getting credentials for client with uid 22521 for server bbs.gjn.prv
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: CC '/tmp/krb5ccmachine_GJN.PRV' being considered, with preferred realm 'GJN.PRV'
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: CC '/tmp/krb5ccmachine_GJN.PRV' owned by 0, not 22521
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: getting credentials for client with uid 22521 for server bbs.gjn.prv
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: Error doing scandir on directory '/run/user/22521': No such file or directory
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: WARNING: Failed to create krb5 context for user with uid 22521 for server bbs.gjn.prv
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: doing error downcall
Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt5)
Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handle_gssd_upcall: 'mech=krb5 uid=22521 enctypes=18,17,16,23,3,1,2 '
Mar  3 16:28:22 smtp1 rpc.gssd[6914]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt5)
Mar  3 16:28:22 smtp1 rpc.gssd[6914]: process_krb5_upcall: service is 'null'
Mar  3 16:28:22 smtp1 rpc.gssd[6914]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No Kerberos credentials available
Mar  3 16:28:22 smtp1 rpc.gssd[6914]: getting credentials for client with uid 22521 for server bbs.gjn.prv
Mar  3 16:28:22 smtp1 rpc.gssd[6914]: CC '/tmp/krb5ccmachine_GJN.PRV' being considered, with preferred realm 'GJN.PRV'
Mar  3 16:28:22 smtp1 rpc.gssd[6914]: CC '/tmp/krb5ccmachine_GJN.PRV' owned by 0, not 22521
Mar  3 16:28:22 smtp1 rpc.gssd[6914]: getting credentials for client with uid 22521 for server bbs.gjn.prv
Mar  3 16:28:22 smtp1 rpc.gssd[6914]: Error doing scandir on directory '/run/user/22521': No such file or directory
Mar  3 16:28:22 smtp1 rpc.gssd[6914]: WARNING: Failed to create krb5 context for user with uid 22521 for server bbs.gjn.prv

Thanks for an answer.
-- 
mit freundlichen Grüßen / best Regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Error with kerberos users

2015-03-03 Thread Günther J . Niederwimmer
Hello,

On Tuesday, 3 March 2015, 11:15:14, Dmitri Pal wrote:
> On 03/03/2015 10:39 AM, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> What is wrong with my setup?
>> This is a normal install with ipa-server-install and ipa-client-install
>> on 5 KVM clients.
>>
>> CentOS 7
>>
>>
>>
>> WARNING: Failed to create krb5 context for user with uid 22521 for server bbs.gjn.prv

Can this be correct??

I do a kinit with this user?


>> Mar  3 16:28:22 smtp1 rpc.gssd[6912]: doing error downcall
>> Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt5)
>> Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handle_gssd_upcall: 'mech=krb5 uid=22521 enctypes=18,17,16,23,3,1,2 '
>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt5)
>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: process_krb5_upcall: service is 'null'

> I assume this is a log from the nfs client showing the attempt to access
> NFS server.
> Seems like something is misconfigured in the nfs configuration or there
> is a mismatch between the acceptable encryption types on the server and
> on the client.

Yes, this is a log from the NFS client, but on the server I have the same errors.
 
I have read all the docs I found :-(.
 
>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No Kerberos credentials available
>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: getting credentials for client with uid 22521 for server bbs.gjn.prv
>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: CC '/tmp/krb5ccmachine_GJN.PRV' being considered, with preferred realm 'GJN.PRV'
>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: CC '/tmp/krb5ccmachine_GJN.PRV' owned by 0, not 22521
>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: getting credentials for client with uid 22521 for server bbs.gjn.prv
>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: Error doing scandir on directory '/run/user/22521': No such file or directory

Why do I have no user (?) and this is not created by a kinit?

>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: WARNING: Failed to create krb5 context for user with uid 22521 for server bbs.gjn.prv


>> Mar  3 16:28:22 smtp1 rpc.gssd[6913]: doing error downcall
>> Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt5)
>> Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handle_gssd_upcall: 'mech=krb5 uid=22521 enctypes=18,17,16,23,3,1,2 '
>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt5)
>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: process_krb5_upcall: service is 'null'
>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No Kerberos credentials available
>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: getting credentials for client with uid 22521 for server bbs.gjn.prv
>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: CC '/tmp/krb5ccmachine_GJN.PRV' being considered, with preferred realm 'GJN.PRV'
>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: CC '/tmp/krb5ccmachine_GJN.PRV' owned by 0, not 22521
>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: getting credentials for client with uid 22521 for server bbs.gjn.prv
>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: Error doing scandir on directory '/run/user/22521': No such file or directory
>> Mar  3 16:28:22 smtp1 rpc.gssd[6914]: WARNING: Failed to create krb5 context for user with uid 22521 for server bbs.gjn.prv

Thanks for an answer.

-- 
mit freundlichen Grüßen / best Regards,

  Günther J. Niederwimmer

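The rpc.gssd lines quoted in the two messages above already say why the mount fails, and the added Python below only makes that machine-readable; it is an example written for this thread, not code from the post or from nfs-utils. rpc.gssd serves uid 0 from the machine credential cache (/tmp/krb5ccmachine_GJN.PRV, obtained with /etc/krb5.keytab), rejects that cache for uid 22521 because it is owned by 0, then looks for a per-user cache under /run/user/22521 and finds no directory at all. That is a missing-ticket problem for that uid rather than an enctype mismatch; the offered enctype list is kept in the output for the case where a cache is present and the failure persists. The parser groups the lines per uid and prints that verdict; SAMPLE_LOG is constructed to mirror the lines in the post.

```python
"""Summarise rpc.gssd credential failures per uid from syslog lines.

Added example for this thread; not code from the post or from nfs-utils.
SAMPLE_LOG is constructed to mirror the lines quoted in the post (same
messages,  uid 22521, server bbs.gjn.prv, machine cache for realm GJN.PRV).
"""
import re

GSSD_RE = re.compile(r"rpc\.gssd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
UID_SERVER_RE = re.compile(r"uid (?P<uid>\d+) for server (?P<server>\S+)")
ENCTYPES_RE = re.compile(r"uid=(?P<uid>\d+) enctypes=(?P<enc>[\d,]+)")
OWNED_RE = re.compile(r"CC '(?P<cc>[^']+)' owned by (?P<owner>\d+), not (?P<uid>\d+)")
SCANDIR_RE = re.compile(r"Error doing scandir on directory '(?P<dir>[^']+)'")
FAILED_PREFIX = "WARNING: Failed to create krb5 context"

SAMPLE_LOG = """\
Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt5)
Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handle_gssd_upcall: 'mech=krb5 uid=22521 enctypes=18,17,16,23,3,1,2 '
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt5)
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: process_krb5_upcall: service is 'null'
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No Kerberos credentials available
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: getting credentials for client with uid 22521 for server bbs.gjn.prv
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: CC '/tmp/krb5ccmachine_GJN.PRV' being considered, with preferred realm 'GJN.PRV'
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: CC '/tmp/krb5ccmachine_GJN.PRV' owned by 0, not 22521
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: getting credentials for client with uid 22521 for server bbs.gjn.prv
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: Error doing scandir on directory '/run/user/22521': No such file or directory
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: WARNING: Failed to create krb5 context for user with uid 22521 for server bbs.gjn.prv
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: doing error downcall
"""


def _entry(findings, uid):
    return findings.setdefault(uid, {"servers": set(), "enctypes": None,
                                     "rejected_caches": set(), "missing_dirs": set(),
                                     "failures": 0})


def analyse_gssd(lines):
    """Collect, per uid, the evidence rpc.gssd leaves when it cannot find a ticket."""
    findings = {}
    for line in lines:
        m = GSSD_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        e = ENCTYPES_RE.search(msg)
        if e:  # enctypes the kernel offered for this uid's context
            _entry(findings, e.group("uid"))["enctypes"] = e.group("enc").split(",")
        o = OWNED_RE.search(msg)
        if o:  # a cache was found but belongs to another uid (here: root's machine cache)
            _entry(findings, o.group("uid"))["rejected_caches"].add(
                (o.group("cc"), int(o.group("owner"))))
        s = SCANDIR_RE.search(msg)
        if s:  # /run/user/<uid> absent: no per-user cache directory at all
            uid = s.group("dir").rstrip("/").rsplit("/", 1)[-1]
            if uid.isdigit():
                _entry(findings, uid)["missing_dirs"].add(s.group("dir"))
        us = UID_SERVER_RE.search(msg)
        if us:
            info = _entry(findings, us.group("uid"))
            info["servers"].add(us.group("server"))
            if msg.startswith(FAILED_PREFIX):
                info["failures"] += 1
    return findings


def explain(uid, info):
    """One-line verdict per uid, from the evidence collected above."""
    if not info["failures"]:
        return f"uid {uid}: no credential failures"
    if info["rejected_caches"] and info["missing_dirs"]:
        owners = sorted({owner for _, owner in info["rejected_caches"]})
        return (f"uid {uid}: no Kerberos credential cache of its own for "
                f"{', '.join(sorted(info['servers']))}: the only cache found belongs to uid "
                f"{owners} and {', '.join(sorted(info['missing_dirs']))} does not exist. The "
                f"machine credential serves uid 0 only; this user needs its own TGT (kinit, "
                f"or SSSD obtaining one at login) in a cache rpc.gssd can see.")
    return (f"uid {uid}: {info['failures']} failure(s) with a cache present; compare the "
            f"offered enctypes {info['enctypes']} with the NFS server's keytab")


if __name__ == "__main__":
    for uid, info in analyse_gssd(SAMPLE_LOG.splitlines()).items():
        print(explain(uid, info))
```

Feed it the syslog file or journalctl output from the client. For the post's case the next check is, as that user on the client, whether klist shows a TGT for GJN.PRV and where that cache lives: if krb5.conf sets default_ccache_name to a KEYRING: cache (the IPA client configuration of that era did), an rpc.gssd that only scans file caches in /tmp and /run/user/<uid> will not see it, and a FILE: cache or a newer nfs-utils is needed; treat that as a hypothesis to verify against the installed versions, not as a confirmed cause.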


Re: [Freeipa-users] getent group ipauser broken?

2015-02-27 Thread Günther J . Niederwimmer
On Friday, 27 February 2015, 12:25:24, Alexander Bokovoy wrote:
> On Fri, 27 Feb 2015, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> Do I have to configure any other things for a working /home/?
>>
>> I can do a getent passwd; this is working on the client, but I think I
>> have no export for groups?
>>
>> With getent group ipausers I get no answer?
>>
>> Also I can't do a chown -R user:ipausers.
>>
>> What can be wrong with my setup?
>>
>> This is a freshly installed CentOS 7 with IPA.
>>
> Nothing wrong. Groups in IPA can have POSIX attributes or can be set
> without them. The latter are used mostly for hierarchical grouping
> purposes.
>
> 'ipausers' is one of the non-POSIX groups and therefore is not visible to
> POSIX tools.

OK, thank you.

I found this in newer documentation?

But I found no way to create a /home/xxx directory for an IPA user.

What is the correct way to create users' /home??

The /home/ has 0700 root:root, but I can't set /home/testuser/; I always get 
no permission.  

This is really a long way 

-- 
mit freundlichen Grüßen / best Regards,

  Günther J. Niederwimmer



[Freeipa-users] getent group ipauser broken?

2015-02-27 Thread Günther J . Niederwimmer
Hello,

Do I have to configure any other things for a working /home/?

I can do a getent passwd; this is working on the client, but I think I 
have no export for groups?

With getent group ipausers I get no answer?

Also I can't do a chown -R user:ipausers.

What can be wrong with my setup?

This is a freshly installed CentOS 7 with IPA.


-- 
mit freundlichen Grüßen / best Regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Centos 7 No permission to /home/..

2015-02-24 Thread Günther J . Niederwimmer
On Monday, 23 February 2015, 20:20:45, Jakub Hrozek wrote:
> On Mon, Feb 23, 2015 at 05:29:32PM +0100, Günther J. Niederwimmer wrote:
>> I tested everything (?): I have configured an NFS mount for /home, created a
>> /home/user directory only on the ipa-server; nothing is working, I always
>> have permission denied?
>>
>> I found a bug report for oddjob-mkhomedir, to change the permission
>> from 0002 to 0077, but now I am at the end?
>
> Which bug report? IIRC there was one by Stef Walter, which I can't find
> right now, that described the default permissions, but it should still be
> configurable..

I found this:

http://stackoverflow.com/questions/23040225/incorrect-permissions-when-home-directory-is-automatically-created-in-freeipa

-- 
mit freundlichen Grüßen / best Regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Centos 7 No permission to /home/..

2015-02-23 Thread Günther J . Niederwimmer
Hello,

On Monday, 23 February 2015, 09:55:06, Jakub Hrozek wrote:
> On Sun, Feb 22, 2015 at 10:19:32PM +0100, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> I have installed CentOS 7 and an ipa-server, and on another system a second
>> ipa-server.
>>
>> But I can't create a user home directory, not on the server and not on an
>> ipa-client with autocreate?
>>
>> Does anyone have a hint where I can search for this problem?
>>
>> sssd ipa-server / client 
>>
>> If you would like info, please tell me what.
>
> The first step is verifying that getent passwd $user actually reports
> the home dir you'd like it to. It's especially important to check with
> users from trusted AD domains.

This is working; it tells me /home/
 
> Do you intend to auto-create the home directories on the clients or have
> them mounted from a central location? In the former case, you should
> check configuration of oddjob-mkhomedir, in the latter, you should check
> the automounter configuration.

I tested everything (?): I have configured an NFS mount for /home, created a 
/home/user directory only on the ipa-server; nothing is working, I always have 
permission denied?

I found a bug report for oddjob-mkhomedir, to change the permission from 
0002 to 0077, but now I am at the end?  

But on an ipa client I can't do chown -R :ipausers to change the 
permission.

The ipausers group is not found on a client?

Is this an sssd problem? 

Now I uninstall everything and start again?

-- 
mit freundlichen Grüßen / best Regards,

  Günther J. Niederwimmer



[Freeipa-users] FreeIpa and Dovecot

2015-02-20 Thread Günther J . Niederwimmer
Hello,

Does anyone have a working link for this problem?

I found nothing that works correctly :-(.


-- 
mit freundlichen Grüßen / best Regards,

  Günther J. Niederwimmer
