Re: [Freeipa-users] nss unrecognized name alert with SAN name
2016-06-27 11:05 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:
> On (26/06/16 20:37), John Obaterspok wrote:
> >Hi,
> >
> >I've been running F23 + mod_nss 1.0.14-1 for months to get SubjectAltName
> >to work.
> >F24 update brings back mod_nss to 1.0.12-4 and now SubjectAltName doesn't
> >work any more. Is there any chance 1.0.14 will make it in as an F24 update?
> >(I can add karma if needed)
> >
> mod_nss-1.0.14-1 is only in rawhide (fc25)
> I cannot see such package in fedora 23.
>
> http://koji.fedoraproject.org/koji/packageinfo?packageID=2554
>

Hi Lukas,

When I ran F23 I installed mod_nss-1.0.14-1 from rawhide (fc25) in order to fix the problem with using SubjectAltName in certificate. I believe I manually installed 1.0.14 in April and this bug was fixed in 1.0.13, so that's why I was surprised F24 shipped with .12

-- john

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] nss unrecognized name alert with SAN name
Hi,

I've been running F23 + mod_nss 1.0.14-1 for months to get SubjectAltName to work.
F24 update brings back mod_nss to 1.0.12-4 and now SubjectAltName doesn't work any more. Is there any chance 1.0.14 will make it in as an F24 update? (I can add karma if needed)

-- john

2016-04-25 19:26 GMT+02:00 John Obaterspok <john.obaters...@gmail.com>:
> Thanks Rob!
>
> I rebuilt the mod_nss-1.0.14-1 version from rawhide for my F23 IPA server
> and it works like a charm.
>
> Thanks,
>
> john
>
> 2016-04-25 16:47 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
>
>> John Obaterspok wrote:
>>
>>> 2016-02-11 1:34 GMT+01:00 Fraser Tweedale <ftwee...@redhat.com>:
>>>
>>> On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
>>> > 2016-02-06 23:29 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>> >
>>> > > John Obaterspok wrote:
>>> > >
>>> > >> Hi,
>>> > >>
>>> > >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan
>>> > >>
>>> > >> I recently started to get nss error "SSL peer has no certificate for the
>>> > >> requested DNS name." when I'm accessing my https://gitserver.my.lan
>>> > >>
>>> > >> Previously this worked fine if I had set "git config --global
>>> > >> http.sslVerify false" according to
>>> > >> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
>>> > >>
>>> > >> Now I tried to solve this by adding a SubjectAltName to the
>>> > >> HTTP/ipa.my.lan certificate like this:
>>> > >>
>>> > >> status: MONITORING
>>> > >> stuck: no
>>> > >> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> > >> CA: IPA
>>> > >> issuer: CN=Certificate Authority,O=MY.LAN
>>> > >> subject: CN=ipa.my.lan,O=MY.LAN
>>> > >> expires: 2018-02-06 19:24:52 UTC
>>> > >> dns: gitserver.my.lan,ipa.my.lan
>>> > >> principal name: http/ipa.my@my.lan
>>> > >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >> eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >> pre-save command:
>>> > >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>> > >> track: yes
>>> > >> auto-renew: yes
>>> > >>
>>> > >> But I still get the below error:
>>> > >>
>>> > >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
>>> > >> * SSL peer has no certificate for the requested DNS name
>>> > >>
>>> > >
>>> > > What version of mod_nss? It recently added support for SNI. You can try
>>> > > turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but I'd
>>> > > imagine you were already relying on it.
>>> > >
>>> > Hi,
>>> >
>>> > Turning it off didn't help
>>> >
>>> > I'm on F23 with latest updates so I have mod_nss-1.0.12-1
>>> > I noticed it worked if I set "ServerName gitserver.my.lan" in
>>> > gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.
>>> >
>>> > I then tried to put ipa.conf in but then I got error
>>> > about SSL_ERROR_RX_RECORD_TOO_LONG
>>> >
>>> > gitserver.conf has this:
Re: [Freeipa-users] nss unrecognized name alert with SAN name
Thanks Rob!

I rebuilt the mod_nss-1.0.14-1 version from rawhide for my F23 IPA server and it works like a charm.

Thanks,

john

2016-04-25 16:47 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> John Obaterspok wrote:
>
>> 2016-02-11 1:34 GMT+01:00 Fraser Tweedale <ftwee...@redhat.com>:
>>
>> On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
>> > 2016-02-06 23:29 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>> >
>> > > John Obaterspok wrote:
>> > >
>> > >> Hi,
>> > >>
>> > >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan
>> > >>
>> > >> I recently started to get nss error "SSL peer has no certificate for the
>> > >> requested DNS name." when I'm accessing my https://gitserver.my.lan
>> > >>
>> > >> Previously this worked fine if I had set "git config --global
>> > >> http.sslVerify false" according to
>> > >> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
>> > >>
>> > >> Now I tried to solve this by adding a SubjectAltName to the
>> > >> HTTP/ipa.my.lan certificate like this:
>> > >>
>> > >> status: MONITORING
>> > >> stuck: no
>> > >> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> > >> CA: IPA
>> > >> issuer: CN=Certificate Authority,O=MY.LAN
>> > >> subject: CN=ipa.my.lan,O=MY.LAN
>> > >> expires: 2018-02-06 19:24:52 UTC
>> > >> dns: gitserver.my.lan,ipa.my.lan
>> > >> principal name: http/ipa.my@my.lan
>> > >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >> eku: id-kp-serverAuth,id-kp-clientAuth
>> > >> pre-save command:
>> > >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> > >> track: yes
>> > >> auto-renew: yes
>> > >>
>> > >> But I still get the below error:
>> > >>
>> > >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
>> > >> * SSL peer has no certificate for the requested DNS name
>> > >>
>> > >
>> > > What version of mod_nss? It recently added support for SNI. You can try
>> > > turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but I'd
>> > > imagine you were already relying on it.
>> > >
>> > Hi,
>> >
>> > Turning it off didn't help
>> >
>> > I'm on F23 with latest updates so I have mod_nss-1.0.12-1
>> > I noticed it worked if I set "ServerName gitserver.my.lan" in
>> > gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.
>> >
>> > I then tried to put ipa.conf in but then I got error
>> > about SSL_ERROR_RX_RECORD_TOO_LONG
>> >
>> > gitserver.conf has this:
>> >
>> > DocumentRoot /opt/wwwgit
>> > SetEnv GIT_PROJECT_ROOT /opt/wwwgit
>> > SetEnv GIT_HTTP_EXPORT_ALL
>> > SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
>> > ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
>> >
>> > ServerName gitserver.my.lan
>> >
>> > Options Indexes
>> > AllowOverride None
>> > Require all granted
>> >
>> > Options Indexes
Re: [Freeipa-users] nss unrecognized name alert with SAN name
2016-02-11 1:34 GMT+01:00 Fraser Tweedale <ftwee...@redhat.com>:
> On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
> > 2016-02-06 23:29 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> >
> > > John Obaterspok wrote:
> > >
> > >> Hi,
> > >>
> > >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan
> > >>
> > >> I recently started to get nss error "SSL peer has no certificate for the
> > >> requested DNS name." when I'm accessing my https://gitserver.my.lan
> > >>
> > >> Previously this worked fine if I had set "git config --global
> > >> http.sslVerify false" according to
> > >> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
> > >>
> > >> Now I tried to solve this by adding a SubjectAltName to the
> > >> HTTP/ipa.my.lan certificate like this:
> > >>
> > >> status: MONITORING
> > >> stuck: no
> > >> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > >> CA: IPA
> > >> issuer: CN=Certificate Authority,O=MY.LAN
> > >> subject: CN=ipa.my.lan,O=MY.LAN
> > >> expires: 2018-02-06 19:24:52 UTC
> > >> dns: gitserver.my.lan,ipa.my.lan
> > >> principal name: http/ipa.my@my.lan
> > >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > >> eku: id-kp-serverAuth,id-kp-clientAuth
> > >> pre-save command:
> > >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > >> track: yes
> > >> auto-renew: yes
> > >>
> > >> But I still get the below error:
> > >>
> > >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
> > >> * SSL peer has no certificate for the requested DNS name
> > >>
> > >
> > > What version of mod_nss? It recently added support for SNI. You can try
> > > turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but I'd
> > > imagine you were already relying on it.
> > >
> > Hi,
> >
> > Turning it off didn't help
> >
> > I'm on F23 with latest updates so I have mod_nss-1.0.12-1
> > I noticed it worked if I set "ServerName gitserver.my.lan" in
> > gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.
> >
> > I then tried to put ipa.conf in but then I got error
> > about SSL_ERROR_RX_RECORD_TOO_LONG
> >
> > gitserver.conf has this:
> >
> > DocumentRoot /opt/wwwgit
> > SetEnv GIT_PROJECT_ROOT /opt/wwwgit
> > SetEnv GIT_HTTP_EXPORT_ALL
> > SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
> > ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
> >
> > ServerName gitserver.my.lan
> >
> > Options Indexes
> > AllowOverride None
> > Require all granted
> >
> > Options Indexes
> > AllowOverride None
> > Require all granted
> >
> > #SSLRequireSSL
> > AuthType Kerberos
> > AuthName "Kerberos Login"
> > KrbAuthRealm MY.LAN
> > Krb5KeyTab /etc/httpd/conf/ipa.keytab
> > KrbMethodNegotiate on
> > KrbMethodK5Passwd off # Set to on to query for pwd if negotiation failed due to no ticket available
> > KrbSaveCredentials on
> > KrbVerifyKDC on
> > KrbServiceName HTTP/ipa.my@my.lan
> >
> > AuthLDAPUrl ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
> > AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
> > AuthLDAPBindPassword "secret123abc"
> > Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
> >
> > Any more ideas what I do wrong?
>
> It was suggested that this may be due to the certificate not being
> compliant with RFC 2818. This is likely true, but I think it is
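The RFC 2818 point Fraser raises above, as an added example (not code from the thread, FreeIPA, mod_nss or NSS): a client-side check of which host names a server certificate actually covers, using the SAN-first rule those RFCs lay down. The certificate dicts are constructed to mirror the certmonger output in the thread, in the shape Python's `ssl.SSLSocket.getpeercert()` returns; function names are this example's own.

```python
"""Hostname matching against a server certificate, as RFC 2818 / RFC 6125 describe it.

Added example, not code from the thread, FreeIPA, mod_nss or NSS. When a
certificate carries dNSName subjectAltName entries, a client compares the
requested host against those and ignores the subject CN; the CN counts only
when the certificate has no dNSName entries at all.
"""

# Constructed: the HTTP/ipa.my.lan certificate after "dns: gitserver.my.lan,ipa.my.lan" was added.
CERT_WITH_SAN = {
    "subject": ((("commonName", "ipa.my.lan"),), (("organizationName", "MY.LAN"),)),
    "subjectAltName": (("DNS", "gitserver.my.lan"), ("DNS", "ipa.my.lan")),
}

# Constructed: the same certificate before the SAN was added (subject CN only).
CERT_CN_ONLY = {
    "subject": ((("commonName", "ipa.my.lan"),), (("organizationName", "MY.LAN"),)),
}


def _normalize(name):
    """DNS names compare case-insensitively; a trailing dot is not significant."""
    return name.strip().lower().rstrip(".")


def dnsname_matches(pattern, hostname):
    """Match one presented dNSName (possibly with a wildcard) against a hostname.

    A wildcard is honoured only as the complete left-most label, it matches
    exactly one label, and at least two literal labels must follow it: so
    '*.my.lan' matches 'git.my.lan' but not 'a.b.my.lan', and '*.lan' matches nothing.
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def presented_dns_names(cert):
    """Return the identifiers a client may check, in the order the RFCs give them.

    Any dNSName SAN entries are the only candidates; the subject commonName is
    consulted only when there are none (RFC 2818 section 3.1, RFC 6125 section 6.4.4).
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for attr, value in rdn if attr == "commonName"]


def hostname_matches(cert, hostname):
    """True when the certificate is valid for hostname under the SAN-first rule."""
    return any(dnsname_matches(name, hostname) for name in presented_dns_names(cert))


def uncovered_names(cert, *names):
    """Names from the list that the certificate does not cover.

    Worth running before pointing a CNAME such as gitserver.my.lan at a host
    whose certificate was issued for ipa.my.lan: every name clients will use
    must appear as a dNSName, or verification with http.sslVerify left on fails.
    """
    return [name for name in names if not hostname_matches(cert, name)]
```

The SSL_ERROR_UNRECOGNIZED_NAME_ALERT in the thread is raised by the server's SNI lookup in mod_nss, not by this client-side check; the check still shows why `http.sslVerify` had to be off before the SAN existed.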
Re: [Freeipa-users] nss unrecognized name alert with SAN name
2016-02-06 23:29 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> John Obaterspok wrote:
>
>> Hi,
>>
>> I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan
>>
>> I recently started to get nss error "SSL peer has no certificate for the
>> requested DNS name." when I'm accessing my https://gitserver.my.lan
>>
>> Previously this worked fine if I had set "git config --global
>> http.sslVerify false" according to
>> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
>>
>> Now I tried to solve this by adding a SubjectAltName to the
>> HTTP/ipa.my.lan certificate like this:
>>
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=MY.LAN
>> subject: CN=ipa.my.lan,O=MY.LAN
>> expires: 2018-02-06 19:24:52 UTC
>> dns: gitserver.my.lan,ipa.my.lan
>> principal name: http/ipa.my@my.lan
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>> But I still get the below error:
>>
>> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
>> * SSL peer has no certificate for the requested DNS name
>>
>
> What version of mod_nss? It recently added support for SNI. You can try
> turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but I'd
> imagine you were already relying on it.
>

Hi,

Turning it off didn't help

I'm on F23 with latest updates so I have mod_nss-1.0.12-1
I noticed it worked if I set "ServerName gitserver.my.lan" in gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.

I then tried to put ipa.conf in but then I got error about SSL_ERROR_RX_RECORD_TOO_LONG

gitserver.conf has this:

DocumentRoot /opt/wwwgit
SetEnv GIT_PROJECT_ROOT /opt/wwwgit
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/

ServerName gitserver.my.lan

Options Indexes
AllowOverride None
Require all granted

Options Indexes
AllowOverride None
Require all granted

#SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealm WIN.LAN
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off # Set to on to query for pwd if negotiation failed due to no ticket available
KrbSaveCredentials on
KrbVerifyKDC on
KrbServiceName HTTP/ipa.my@my.lan

AuthLDAPUrl ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
AuthLDAPBindPassword "secret123abc"
Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan

Any more ideas what I do wrong?
[Freeipa-users] nss unrecognized name alert with SAN name
Hi,

I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan

I recently started to get nss error "SSL peer has no certificate for the requested DNS name." when I'm accessing my https://gitserver.my.lan

Previously this worked fine if I had set "git config --global http.sslVerify false" according to
https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html

Now I tried to solve this by adding a SubjectAltName to the HTTP/ipa.my.lan certificate like this:

status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MY.LAN
subject: CN=ipa.my.lan,O=MY.LAN
expires: 2018-02-06 19:24:52 UTC
dns: gitserver.my.lan,ipa.my.lan
principal name: http/ipa.my@my.lan
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes

But I still get the below error:

* NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
* SSL peer has no certificate for the requested DNS name

Any ideas why?

-- john
[Freeipa-users] Samba crashes with recent F23 update
Hello,

I'm running F23 and now IPA fails to start due to crash in smb:

-- Unit smb.service has begun starting up.
jan 22 08:38:52 ipa.win.lan audit[7037]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:smbd_t:s0 pid=7037 comm="smbd" exe="/usr/sbin/smbd" sig=6
jan 22 08:38:58 ipa.win.lan systemd-coredump[7038]: Process 7037 (smbd) of user 0 dumped core.

Stack trace of thread 7037:
#0 0x7f1cb7bc8a98 raise (libc.so.6)
#1 0x7f1cb7bca69a abort (libc.so.6)
#2 0x7f1cbb5c060c smb_panic (libsamba-util.so.0)
#3 0x7f1cb8168675 _talloc_free (libtalloc.so.2)
#4 0x7f1cb87a206c lpcfg_string_free (libsamba-hostconfig.so.0)
#5 0x7f1cb87a20a5 lpcfg_string_set (libsamba-hostconfig.so.0)
#6 0x7f1cb9541208 lp_load_ex (libsmbconf.so.0)
#7 0x7f1cb9540d5d lp_load_ex (libsmbconf.so.0)
#8 0x7f1cb95415c0 lp_load_initial_only (libsmbconf.so.0)
#9 0x55df01d405fb main (smbd)
#10 0x7f1cb7bb4580 __libc_start_main (libc.so.6)
#11 0x55df01d41b79 _start (smbd)
-- Subject: Process 7037 (smbd) dumped core

Anyone seen this?

samba-4.3.4-0.fc23.x86_64
freeipa-server-4.2.3-1.1.fc23.x86_64

-- john
Re: [Freeipa-users] Samba Authentication progres
Hi Matt,

It already works fine to use kerberos ticket to access samba shares.

-- john

2015-12-28 14:01 GMT+01:00 Matt .:
> Hi guys,
>
> How is the progress on the Samba (Share) Authentication for FreeIPA?
>
> I hope we already have some work around to use the FreeIPA credentials
> for authing network shares.
>
> Matt
Re: [Freeipa-users] OS X Yosemite unable to authenticate
Hi,

Are you only having problems logging in to OSX with the IPA user now? If that is the case then check the DNS settings you are using and make sure the IPA server is listed first and that it has full name. Exactly the same problem occurred for me with the slow logins to OSX, which was due to the DNS settings and that OSX only used the short name of the IPA server during login (if I logged in as local user I could ping and lookup hosts using short name)

-- john

2015-12-21 17:49 GMT+01:00 Nicola Canepa <canep...@mmfg.it>:
> I had to configure /etc/krb5.conf, and to avoid the requested reboot, I
> did a "dscacheutil -flushcache", both as the logged in user and as root.
> I tried enabling the anonymous bind and now also the directory browser
> (and all the login process) works as expected.
>
> Nicola
>
> On 21/12/15 17:39, Cal Sawyer wrote:
>
> Thanks, John and Nicola
>
> Kerberos occurred to me as well late in the day yesterday. Happily (?),
> kinit works fine simply specifying the user in question with no need to
> suffix with the kerberos realm
>
> I did find that my test user had an expired password, which I fixed on the
> IPA server. This was never flagged up under Linux, btw. It has not changed
> anything, however, other than not prompting for password changes that never
> take effect. Funnily, it expired in the midst of testing - fun.
>
> I was mistaken when I said I was unable to log in - it turns out that it
> takes almost 10 minutes for a login from the frontend to complete - I just
> didn't wait long enough. 10 mins is of course unacceptable :) "su - user"
> and "login user" fail outright after rejecting accept any user's password
>
> DNS is fine and I can resolve ldap and kerberos SRV records from the Mac
>
> In line with Nicola's experience, I can browse groups and users in the
> Directory Editor and all attributes appear spot on.
>
> Besides modding /etc/pam.d/authorization, adding a corrected
> edu.mit.kerberos to /LibraryPreferences and setting up the directory per
> linsec.ca, can anyone think of something I may have missed? It's a real
> shame that the documentation on this stops around 5 years ago.
>
> IPA devs: is there anything I should be on the lookout for in the dirsrv
> or krb5 logs on the IPA master? I've disabled the secondary to prevent
> replication from clouding the log events
>
> thanks, everyone
>
> Cal Sawyer | Systems Engineer | BlueBolt Ltd
> 15-16 Margaret Street | London W1W 8RW
> +44 (0)20 7637 5575 | www.blue-bolt.com
>
> On 21/12/15 07:57, Nicola Canepa wrote:
>
> Hello, I tried 2 weeks ago from Mavericks (OSX 10.9), but I had the
> opposite problem: kinit works fine, while I'm unable to see users with
> Directory Admin (it always says it can't connect, either with or without
> SSL)
> I disabled anonymous searches in 389-ds, by the way.
>
> Nicola
>
> On 21/12/15 07:50, John Obaterspok wrote:
>
> Hi Cal,
>
> Does a kinit work from a terminal? Does it work if you use "kinit user" or
> just if you use "kinit user@REALM.suffix"
>
> -- john
>
> 2015-12-20 15:09 GMT+01:00 Cal Sawyer <ca...@blue-bolt.com>:
>> Hi, all
>>
>> I'm attempting to set up LDAP auth (against IPA server 4.10) from a OSX
>> 10.10.5 (Yosemite) client
>>
>> Using the excellent instructions at
>> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server,
>> I've populated the specified files, d/l'd the cert, am able to configure
>> Users and Groups objects/attribs and browse both from within OSX's
>> Directory Utility. ldapsearch similarly returns the expected results.
>>
>> In spite of this, I'm unable to authenticate as any IPA-LDAP user on this
>> system
>>
>> dirsrv log on the ipa master shows no apparent errors - remote auth
>> attempts exit with "RESULT err=0 tag=101 nentries=1 etime=0", but to tell the
>> truth, there's so much stuff there and being rather inexperienced with LDAP
>> diags I might easily be missing something in the details
>>
>> The linsec.ca instructions were written in the 10.7-10.8 era so
>> something may have changed since. Having said that, we've had no problems
>> authenticating against our existing OpenLDAP server (which IPA is slated to
>> replace) right up to 10.10.5 with no zero to our Directory Utility setup.
>>
>> Hoping someone here h
Re: [Freeipa-users] OS X Yosemite unable to authenticate
Hi Cal,

Does a kinit work from a terminal? Does it work if you use "kinit user" or just if you use "kinit user@REALM.suffix"

-- john

2015-12-20 15:09 GMT+01:00 Cal Sawyer:
> Hi, all
>
> I'm attempting to set up LDAP auth (against IPA server 4.10) from a OSX
> 10.10.5 (Yosemite) client
>
> Using the excellent instructions at
> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server,
> I've populated the specified files, d/l'd the cert, am able to configure
> Users and Groups objects/attribs and browse both from within OSX's
> Directory Utility. ldapsearch similarly returns the expected results.
>
> In spite of this, I'm unable to authenticate as any IPA-LDAP user on this
> system
>
> dirsrv log on the ipa master shows no apparent errors - remote auth
> attempts exit with "RESULT err=0 tag=101 nentries=1 etime=0", but to tell the
> truth, there's so much stuff there and being rather inexperienced with LDAP
> diags I might easily be missing something in the details
>
> The linsec.ca instructions were written in the 10.7-10.8 era so something
> may have changed since. Having said that, we've had no problems
> authenticating against our existing OpenLDAP server (which IPA is slated to
> replace) right up to 10.10.5 with no zero to our Directory Utility setup.
>
> Hoping someone here has some contemporary experience with OSX and IPA and
> for whom this issue rings a bell?
>
> many thanks
>
> Cal Sawyer | Systems Engineer | BlueBolt Ltd
> 15-16 Margaret Street | London W1W 8RW
> +44 (0)20 7637 5575 | www.blue-bolt.com
Re: [Freeipa-users] SSO Git http smart server and freeipa group authentication
Thanks Simo & Fraser,

Creating a .netrc file on the client computer according to the SO postings with below content made things work perfectly!

machine gitserver.my.lan username '' password ''
machine gitserver username '' password ''

I would like to use TLS and I've made it work by turning off ssl validation in git:

git config --global http.sslVerify false

If I would like to use ssl validation, is there some way to use a certificate for the CNAME? Seems I can only add certificate (at least from the UI) for a valid principal?

(I'm using freeipa-server 4.2.3 on F23)

Regards,

-- john

2015-11-08 23:55 GMT+01:00 Simo Sorce <s...@redhat.com>:
> On 08/11/15 08:07, John Obaterspok wrote:
>
>> Hello,
>>
>> Anyone got git-http-backend working with freeipa group authentication and
>> would like to share their apache .conf file?
>>
>> I've tried this on the IPA server with a dummy git repository setup in
>> /opt/gitrepos/test1.git
>> gitserver.my.lan is a CNAME for ipaserver.my.lan
>>
>> First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
>> have a ticket) for user+pwd but still fails.
>>
>> Any suggestions are welcome!
>>
>> -- john
>>
>> DocumentRoot /opt/gitrepos
>>
>> # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
>> # restorecon -R -v /opt/gitrepos
>>
>> SetEnv GIT_PROJECT_ROOT /opt/gitrepos
>> SetEnv GIT_HTTP_EXPORT_ALL
>> SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
>> ScriptAlias / /usr/libexec/git-core/git-http-backend/
>> ServerName gitserver.my.lan
>>
>> Options Indexes
>> AllowOverride None
>> Require all granted
>>
>> Options Indexes
>> AllowOverride None
>> Require all granted
>>
>> AuthType Kerberos
>> AuthName "Kerberos Login"
>> KrbAuthRealm MY.LAN
>> Krb5KeyTab /etc/httpd/conf/ipa.keytab
>> KrbMethodNegotiate on
>> KrbMethodK5Passwd off
>> KrbSaveCredentials on
>> KrbVerifyKDC on
>> KrbServiceName HTTP
>>
>> AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
>> Require ldap-group cn=ipausers,dc=my,dc=lan
>
> This should probably be something like:
> cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
>
> Although you should probably create a git specific group, especially if
> you want it to be a posix group that can own files (ipausers is not a posix
> group and we are actually trying to phase it out)
>
> Also you are not doing LDAP authentication, you only want to do
> authorization, and for that you may want to actually use nsswitch based
> authorization which can be cached by sssd and not a query out to LDAP for
> each connection.
> Unfortunately the basic Apache modules do not support system group
> authentication directly, so what you may do instead is to have a cron job
> that does the following:
> getent group git-users | cut -d: -f1,4 | tr ',' ' ' > /my/authorization/file
>
> And in apache have set the following directives instead of the above two:
> AuthGroupFile /my/authorization/file
> Require group git-users
>
> HTH,
> Simo
>
> --
> Simo Sorce * Red Hat, Inc * New York
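Simo's cron-job idea above, as an added example (not Simo's one-liner and not FreeIPA code): the same getent-to-AuthGroupFile conversion in Python, producing the `group: user1 user2` lines Apache's mod_authz_groupfile reads, with the details a cron job should get right. The sample getent output and all function names are this example's own; `/my/authorization/file` is the path from the thread.

```python
"""Build an Apache AuthGroupFile from POSIX (sssd-backed) group membership.

Added example, not Simo's one-liner or FreeIPA code. Compared with
`getent group NAME | cut -d: -f1,4 | tr ',' ' '` it also skips names getent
does not know, renders an empty member list cleanly, and replaces the file
atomically so httpd never reads a half-written group file.
"""
import os
import subprocess
import tempfile

# Constructed sample of `getent group` output: name:password:gid:member,member
SAMPLE_GETENT_OUTPUT = (
    "git-users:*:1101:alice,bob,carol\n"
    "git-admins:*:1102:\n"
)


def parse_group_lines(text):
    """Parse group(5) lines into {group: [members]}; malformed lines are ignored.

    Field 4 lists explicit (supplementary) members only: a user whose primary
    GID is this group does not appear there, exactly as with the cut/tr pipeline.
    """
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4 or not parts[0]:
            continue
        groups[parts[0]] = [m for m in parts[3].split(",") if m]
    return groups


def render_auth_group_file(groups):
    """Render mod_authz_groupfile syntax: one 'group: user1 user2' line per group."""
    return "".join(f"{name}: {' '.join(members)}".rstrip() + "\n"
                   for name, members in sorted(groups.items()))


def lookup_groups(names):
    """Query the system NSS database with getent for the given group names.

    getent exits non-zero for an unknown name, so each group is queried on
    its own and unknown ones are simply left out of the result.
    """
    text = ""
    for name in names:
        result = subprocess.run(["getent", "group", name], capture_output=True, text=True)
        if result.returncode == 0:
            text += result.stdout
    return parse_group_lines(text)


def write_atomically(path, content, mode=0o640):
    """Write content to a temp file beside path, fsync it, then rename it over path."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".authgroup.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)      # readable by the httpd group, not world-readable
        os.replace(tmp, path)    # atomic on POSIX: readers see the old or the new file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    # What the cron job would run: refresh the file Apache's AuthGroupFile points at.
    write_atomically("/my/authorization/file",
                     render_auth_group_file(lookup_groups(["git-users"])))
```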
[Freeipa-users] SSO Git http smart server and freeipa group authentication
Hello,

Anyone got git-http-backend working with freeipa group authentication and would like to share their apache .conf file?

I've tried this on the IPA server with a dummy git repository setup in /opt/gitrepos/test1.git
gitserver.my.lan is a CNAME for ipaserver.my.lan

First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I have a ticket) for user+pwd but still fails.

Any suggestions are welcome!

-- john

DocumentRoot /opt/gitrepos

# semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
# restorecon -R -v /opt/gitrepos

SetEnv GIT_PROJECT_ROOT /opt/gitrepos
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
ScriptAlias / /usr/libexec/git-core/git-http-backend/
ServerName gitserver.my.lan

Options Indexes
AllowOverride None
Require all granted

Options Indexes
AllowOverride None
Require all granted

AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealm MY.LAN
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbSaveCredentials on
KrbVerifyKDC on
KrbServiceName HTTP

AuthLDAPUrl ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
Require ldap-group cn=ipausers,dc=my,dc=lan # Allow any authenticated users that are in the ipausers group to clone
Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23
2015-11-05 17:07 GMT+01:00 John Obaterspok <john.obaters...@gmail.com>:
> 2015-11-05 12:26 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>:
>
>> On Thu, 05 Nov 2015, John Obaterspok wrote:
>>
>>> Hi,
>>>
>>> I waited a couple of days and when "dnf list freeipa-server
>>> --releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed too
>>> late that I received 4.2.2 during "dnf system-upgrade".
>>>
>>> Any ideas how to get it going again? Or is it easier to start from scratch
>>> if I only have ~ 10 IPA clients?
>>>
>> Did you already upgrade to 4.2.3? Make sure you have
>> pki-core-10.2.6-12.fc23 and freeipa 4.2.3-1.fc23, run
>> ipa-server-upgrade. It should be able to recover.
>>
> Hi Alexander,
>
> Unfortunately not, it's not able to recover:
>
> # rpm -q pki-base freeipa-server
> pki-base-10.2.6-12.fc23.noarch
> freeipa-server-4.2.3-1.fc23.x86_64
>
> (Note I have pki-base, not pki-core... but I guess that was what you meant)
>
> # ipa-server-upgrade
> session memcached servers not running
> Missing version: no platform stored
> Upgrading IPA:
>   [1/8]: saving configuration
>   [2/8]: disabling listeners
>   [3/8]: enabling DS global lock
>   [4/8]: starting directory server
>   [error] CalledProcessError: Command ''/bin/systemctl' 'start' 'dirsrv@MY-LAN.service'' returned non-zero exit status 1
>   [cleanup]: stopping directory server
>   [cleanup]: restoring configuration
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> CalledProcessError: Command ''/bin/systemctl' 'start' 'dirsrv@MY-LAN.service'' returned non-zero exit status 1
>
> ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] - Cannot find parent attribute type "ipaPublicKey"
> ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-MY-LAN/schema/99user.ldif (lineno: 1) is invalid, error code 21 (
> ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] dse - Please edit the file to correct the reported problems and then restart the server.
> systemd[1]: dirsrv@MY-LAN.service: Control process exited, code=exited status=1
>
> # 99user.ldif first lines has the following
> dn: cn=schema
> objectclass: top
> objectclass: ldapSubentry
> objectclass: subschema
> cn: schema
> aci: (target="ldap:///cn=schema;)(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone;;)
> modifiersname: cn=Directory Manager
>
> Any ideas?
>
> -- john

I just found https://fedoraproject.org/wiki/Common_F23_bugs#freeipa-upgrade-fail which allowed me to run freeipa-server-upgrade successfully.

Just a note: It says "Find the entry (split across three lines) that starts attributeTypes: ( 2.16.840.1.113730.3.8.18.2.3 NAME 'ipaVaultPublicKey'"
However, it's all on one line without spaces. Then make sure the text you replace with doesn't have extra spaces. Should be DESC 'IPA... & ...1466.115.121...

Thanks!

-- john
Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23
Hi,

I waited a couple of days and when "dnf list freeipa-server --releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed too late that I received 4.2.2 during "dnf system-upgrade".

Any ideas how to get it going again? Or is it easier to start from scratch if I only have ~ 10 IPA clients?

-- john

2015-11-03 8:44 GMT+01:00 Martin Kosek:

> On 11/02/2015 05:48 PM, Martin Kosek wrote:
>> Hello everyone,
>>
>> Fedora 23 with the new and shiny FreeIPA 4.2 will be out tomorrow. The release
>> adds a lot of new exciting functionality and we are eager to hear your thoughts
>> on the release [1].
>>
>> Unfortunately, the FreeIPA upgrade on Fedora 23 is broken at the moment and
>> fails on updating the LDAP schema. The problem is tracked in Red Hat Bugzilla
>> [2]. The problem is fixed in upstream project, the development team is now
>> working on releasing FreeIPA upstream release 4.2.3 ASAP and also publishing it
>> as a 0-day update for Fedora 23. This situation should be resolved within a
>> couple of days, when the released build hits the official Fedora repos and mirrors.
>>
>> Until the fixed FreeIPA version is released and in the Fedora repos, please
>> wait with updating your existing FreeIPA installation.
>>
>> We will keep you posted. We are very sorry for the inconvenience.
>>
>> [1] http://www.freeipa.org/page/Releases/4.2.0
>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1274905
>
> The respective F23 updates are now heading to testing repo:
>
> FreeIPA: https://bodhi.fedoraproject.org/updates/FEDORA-2015-4d94884a7e
> pki-core: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f12c332a2f
>
> Martin
Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23
2015-11-05 12:26 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Thu, 05 Nov 2015, John Obaterspok wrote:
>
>> Hi,
>>
>> I waited a couple of days and when "dnf list freeipa-server
>> --releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed too
>> late that I received 4.2.2 during "dnf system-upgrade".
>>
>> Any ideas how to get it going again? Or is it easier to start from scratch
>> if I only have ~ 10 IPA clients?
>>
> Did you already upgrade to 4.2.3? Make sure you have
> pki-core-10.2.6-12.fc23 and freeipa 4.2.3-1.fc23, run
> ipa-server-upgrade. It should be able to recover.
>

Hi Alexander,

Unfortunately not, it's not able to recover:

# rpm -q pki-base freeipa-server
pki-base-10.2.6-12.fc23.noarch
freeipa-server-4.2.3-1.fc23.x86_64

(Note I have pki-base, not pki-core... but I guess that was what you meant)

# ipa-server-upgrade
session memcached servers not running
Missing version: no platform stored
Upgrading IPA:
[1/8]: saving configuration
[2/8]: disabling listeners
[3/8]: enabling DS global lock
[4/8]: starting directory server
[error] CalledProcessError: Command ''/bin/systemctl' 'start' 'dirsrv@MY-LAN.service'' returned non-zero exit status 1
[cleanup]: stopping directory server
[cleanup]: restoring configuration
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command ''/bin/systemctl' 'start' 'dirsrv@MY-LAN.service'' returned non-zero exit status 1

ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] - Cannot find parent attribute type "ipaPublicKey"
ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-MY-LAN/schema/99user.ldif (lineno: 1) is invalid, error code 21 (
ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] dse - Please edit the file to correct the reported problems and then restart the server.
systemd[1]: dirsrv@MY-LAN.service: Control process exited, code=exited status=1

# 99user.ldif first lines has the following
dn: cn=schema
objectclass: top
objectclass: ldapSubentry
objectclass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
modifiersname: cn=Directory Manager

Any ideas?

-- john
Re: [Freeipa-users] IDM/ipa slow login
Hi Seli,

In /etc/sssd/sssd.conf add below:

selinux_provider=none

to the domain section. Then restart sssd.

-- john

2015-08-13 16:23 GMT+02:00 seli irithyl seli.irit...@gmail.com:

> Here's the sssd_domain log part during an ssh
>
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=bioinf,dc=local]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((uid=test)(objectclass=posixAccount)((uidNumber=*)(!(uidNumber=0][cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Save user
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Processing user test
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [test].
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding user principal [test@BIOINF.LOCAL] to attributes of [test].
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Storing info for user test
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object ipausers
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object bioinfo
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=bioinf,dc=local]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [((gidNumber=1713400050)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)((gidNumber=*)(!(gidNumber=0][cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] (0x0400): Processing group test
> (Thu Aug 13 15:22:32
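The log above only shows where sssd spent its time if you line up the timestamps, which is tedious by hand. The following is an added example, not part of sssd or FreeIPA: it parses the back end log line format quoted above, reports the longest pauses between consecutive entries (the function logged just before a pause is the step the back end was waiting in), and counts repeated messages at a given debug level. The sample log is constructed from the same request flow, with a four-second LDAP search inserted so there is a gap to find.

```python
"""Locate the slow step in an sssd back end log (sssd_<domain>.log).

Added example for this thread, not part of sssd or FreeIPA.  It parses the
'(Thu Aug 13 15:22:31 2015) [sssd[be[domain]]] [function] (0xNNNN): message'
lines and reports the longest pauses between consecutive entries, so that
you can see which step (an LDAP search, the SELinux provider, ...) a slow
login is stuck in before changing sssd.conf.
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\) "
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Constructed sample: the request flow from the thread with a four-second
# LDAP search inserted, plus one line that is not an sssd entry and is skipped.
SAMPLE_LOG = """\
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(uid=test)][cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:35 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 13 15:22:35 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Aug 13 15:22:36 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Storing info for user test
this line is not an sssd log entry and is skipped
"""


def parse_line(line):
    """Parse one back end log line into a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "domain": m.group("domain"),
        "func": m.group("func"),
        "level": int(m.group("level"), 16),
        "msg": m.group("msg"),
    }


def parse_log(text):
    """All parseable entries of a log, in file order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_gaps(entries, min_seconds=1.0):
    """Pauses of at least min_seconds between consecutive entries, largest
    first, as (seconds, function before the pause, function after it)."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        delta = (cur["ts"] - prev["ts"]).total_seconds()
        if delta >= min_seconds:
            gaps.append((delta, prev["func"], cur["func"]))
    return sorted(gaps, key=lambda g: g[0], reverse=True)


def total_elapsed(entries):
    """Wall-clock seconds from the first entry to the last."""
    if not entries:
        return 0.0
    return (entries[-1]["ts"] - entries[0]["ts"]).total_seconds()


def count_messages(entries, level):
    """How often each (function, message) pair appears at one debug level;
    0x0080 is the level of the repeated 'Could not parse domain SID' line."""
    return Counter((e["func"], e["msg"]) for e in entries if e["level"] == level)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("%d entries, %.1f s total" % (len(entries), total_elapsed(entries)))
    for secs, before, after in find_gaps(entries):
        print("%4.1f s between [%s] and [%s]" % (secs, before, after))
    for (func, msg), n in count_messages(entries, 0x0080).items():
        print("%dx [%s] %s" % (n, func, msg))
```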
Re: [Freeipa-users] login delay with sssd
2015-06-02 12:11 GMT+02:00 Jakub Hrozek jhro...@redhat.com:

> On Tue, Jun 02, 2015 at 10:28:29AM +0100, Ivars Strazdiņš wrote:
>> With kind regards,
>> Ivars Strazdiņš
>>
>>> On 2 Jun 2015, at 07:21, Lukas Slebodnik lsleb...@redhat.com wrote:
>>>
>>> How many groups does problematic user have?
>>
>> I can call any user problematic, because all have login delays.
>> siteadmin user, being able to login via ssh, probably has most groups - 4.
>> Doesn't seem too many, does it?
>>
>> siteadmin@mail:~$ id
>> uid=9268000XX(siteadmin) gid=9268000XX(siteadmin) groups=9268000XX(siteadmin),9268Y(vpnusers),9268Z(mailusers),9268W(scanned) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>
>> I have sssd-1.12.2 installed as per Centos 7.1. I will have to wait until
>> 1.12.4 or 5 is coming down the pipe with Centos updates.
>
> We plan on 7.1.z update, but with different bugzillas. Then we plan on
> putting 1.13 to 7.2
>
>> Hopefully that will resolve or mitigate the issue. I cannot create mess by
>> putting Fedora updates into Centos, not sure if that's even possible.
>
> Lukas keeps the 1.12 branch builds in his COPR repo, maybe those would be
> easier to test for you?

Isn't there also the option to disable the selinux context in sssd.conf just to check that it does have an effect. Don't remember what that option was.

--- john
[Freeipa-users] OSX login very slow
Hello,

I'm using OSX 10.10.3 (Yosemite) and I've followed the Freeipa/OSX guide at linsec.ca.

I can do the following with very fast response time:
- id ipauser on osx host
- klist/kdestroy/kinit a ticket
- ssh via SSO to ipaserver with this ticket
- ping osxhost osxhost.local from ipaserver
- lookup users in OSX directory app
- IPA server has green light in OSX network account server

The thing that fails for me is login from OSX login window. Well, it doesn't fail but it took 12 minutes for an IPA user to login.

Any ideas what to look for?

-- john
Re: [Freeipa-users] freeipa-samba integration and windows clients
I have about the same setup:

This is the setup (everything is up-to-date):
- ipa-server: F21, ipa-server 4.1, samba 4.1
- win-client: Windows 7 Home Premium

I tried to enroll the win-client in the domain but failed on the windows side due to home editions not being able to join a domain. But I can still access shares from the win-client by user/pwd

The only difference in my setup is that I use samba server on the ipa-server itself.

-- john

2015-05-10 19:02 GMT+02:00 Jakub Hrozek jhro...@redhat.com:

> On Thu, May 07, 2015 at 03:30:06PM +0100, Dylan Evans wrote:
>> By coincidence I posted a very similar question yesterday -
>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00103.html.
>> +1 for the necessary support for out-of-domain Windows clients and NTLMSSP.
>> Is there a time-table for this?
>
> It is a nice-to-have feature for the next SSSD version (1.13, this summer),
> but my hopes are not high that we're going to make it. I think 1.14 is more
> realistic.
Re: [Freeipa-users] Ticket delegation
2015-04-24 17:47 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

> John Obaterspok wrote:
>> Hello,
>>
>> I'm on F21 and if I login to my workstation I can then sso using ssh to host X.
>> But then I'm also able to sso from x - y. If I'm on x and issue klist I see this:
>>
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5
>>
>> Should I really be able to do this?
>>
>> --- john
>
> Did you add your ssh pubkey? ssh -vv will show you the auth method that it is using.

Of course, I just forgot about it :) For the record, gssapi-with-mic was the auth method.

> FILE:/tmp/krb5 is a rather odd place to store the ccache too. On F21 it
> should be using KEYRING:persistent:uid:gid

The host that I ssh'ed into had F20.

Thanks Rob!

-- john
Re: [Freeipa-users] Slow user logon with IPA
2015-04-15 15:08 GMT+02:00 Lukas Slebodnik lsleb...@redhat.com:

> On (15/04/15 08:53), Jakub Hrozek wrote:
>> I pushed the selinux performance patches upstream yesterday. They will
>> make their way to 7.2, 6.7 and I guess Lukas might also cherry-pick them
>> for Fedora.
>
> Packages for fedora 21,22 are built. You just need to wait until they are
> available in updates testing or you can download packages from koji.
>
> https://admin.fedoraproject.org/updates/sssd-1.12.4-4.fc22
> https://admin.fedoraproject.org/updates/sssd-1.12.4-3.fc21
>
> Please test and provide karma.

Karma provided. For my setup I'm finally back to the 3-4 seconds login time for a user with only a handful of groups.

Thanks!

-- john
Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
Hi Dan,

I had a problem that login time increased by ~ 15 seconds from F20 - F21. That was worked around by adding

selinux_provider = none

to the domain section in /etc/sssd/sssd.conf

Have you checked that dns lookups + reverse lookups work on the ipa server?
Is "id -G the_user_name" and "id the_user_name" slow or fast?
Did you check https://fedorahosted.org/sssd/wiki/Troubleshooting

-- john

2015-04-05 6:10 GMT+02:00 Dan Mossor danofs...@gmail.com:

> I've recently deployed a new domain based on 4.1.2 in F21. We've noticed an
> issue and can't quite seem to nail it down. The problem is that logins are
> taking an inordinate amount of time to complete - the fastest logon we can
> get using LDAP credentials is 8 seconds. During our testing, even logons to
> the IPA server itself took over 30 seconds to complete.
>
> I've narrowed this down to sssd, but that is as far as I can get. When
> cranking up debugging for sshd and PAM, I see a minimum 2 second delay
> between ssh handing off the authentication request to sssd and the reply
> back.
>
> The only troubleshooting I've done is with ssh, but the area that causes
> the most grief is Apache logins. We configured Apache to use PAM for auth
> through IPA, vice directly calling IPA itself. Logging in to our Redmine
> site takes users a minimum of 34 seconds to complete. Following this, a
> simple webpage containing two hyperlinks and two small thumbnail images
> takes over a minute to load on a gigabit network.
>
> The *only* thing changed in this environment was the IPA server. We moved
> the Redmine from our old network that was using IPA 3.x (F20 branch) to the
> new one. My initial reaction was that it was the VM that was hosting
> Redmine, but we've run these tests against bare metal machines in the same
> network and have the same issue. It appears that sssd is taking a very,
> very long time to talk to FreeIPA - even on the IPA server itself.
>
> However, Kerberos logins into the IPA web GUI are near instantaneous, while
> Username/Password logins take more than a few seconds.
>
> I need to get this solved. My developers don't appreciate the glory days of
> XP taking 5 minutes to log into an IIS 2.1 web server on the local network.
> I don't have the budget to keep them at the coffee pot waiting on the
> network.
>
> So, what further information do you need from me to track this one down?
>
> Dan
>
> --
> Dan Mossor
> Systems Engineer at Large
> Fedora KDE WG | Fedora QA Team | Fedora Server SIG
> Fedora Infrastructure Apprentice
> FAS: dmossor IRC: danofsatx
> San Antonio, Texas, USA
Re: [Freeipa-users] Fedora 20 upstream repo ipa-server-install fails
Hi Jan,

See:
https://www.redhat.com/archives/freeipa-users/2015-February/msg00131.html
https://www.redhat.com/archives/freeipa-users/2014-October/msg00362.html

-- john

2015-03-24 17:58 GMT+01:00 Jan Pazdziora jpazdzi...@redhat.com:

> Hello,
>
> after enabling
>
> https://copr.fedoraproject.org/coprs/mkosek/freeipa/repo/fedora-20/mkosek-freeipa-fedora-20.repo
>
> I've installed freeipa-server bind bind-dyndb-ldap and run
>
> ipa-server-install --domain example.test
>
> The process failed at
>
> [3/7]: setting up kerberos principal
> [4/7]: setting up SoftHSM
> [error] CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' '--so-pin' ' returned non-zero exit status 1
> Unexpected error - see /var/log/ipaserver-install.log for details:
> CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' '--so-pin' ' returned non-zero exit status 1
>
> and the log file ends with
>
> 2015-03-24T16:49:51Z DEBUG Saving SO PIN to /etc/ipa/dnssec/softhsm_pin_so
> 2015-03-24T16:49:51Z DEBUG Initializing tokens
> 2015-03-24T16:49:51Z DEBUG Starting external process
> 2015-03-24T16:49:51Z DEBUG args='/usr/bin/softhsm2-util' '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' '--so-pin'
> 2015-03-24T16:49:51Z DEBUG Process finished, return code=1
> 2015-03-24T16:49:51Z DEBUG stdout=
> 2015-03-24T16:49:51Z DEBUG stderr=ERROR: Could not load the library.
>
> 2015-03-24T16:49:51Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 293, in __setup_softhsm
>     ipautil.run(command, nolog=(pin, pin_so,))
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 346, in run
>     raise CalledProcessError(p.returncode, arg_string, stdout)
> CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' '--so-pin' ' returned non-zero exit status 1
>
> 2015-03-24T16:49:51Z DEBUG [error] CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' '--so-pin' ' returned non-zero exit status 1
> 2015-03-24T16:49:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
>     return_value = main_function()
>   File "/usr/sbin/ipa-server-install", line 1302, in main
>     dnskeysyncd.create_instance(api.env.host, api.env.realm)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 146, in create_instance
>     self.start_creation()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 293, in __setup_softhsm
>     ipautil.run(command, nolog=(pin, pin_so,))
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 346, in run
>     raise CalledProcessError(p.returncode, arg_string, stdout)
> 2015-03-24T16:49:51Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' '--so-pin' ' returned non-zero exit status 1
>
> I've found discussion at
> https://www.redhat.com/archives/freeipa-users/2014-October/msg00362.html
> which seems related but it seems the issue is back or was never properly
> addressed.
>
> Attempt to run the command manually fails as well:
>
> # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf /usr/bin/softhsm2-util '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' '--so-pin'
> ERROR: Could not load the library.
>
> I see the same bug both on host and in container.
>
> --
> Jan Pazdziora
> Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] F21 update fails to start dirsrv due to missing libdes
setup-ds.pl --update corrected things for me. Thanks for the information!

-- john

2015-02-27 14:31 GMT+01:00 Ludwig Krispenz lkris...@redhat.com:

> libdes was replaced by libpbe, see ticket: https://fedorahosted.org/389/ticket/4746
>
> during the postinstall of the upgrade the DES config in the dse.ldif should
> be changed. There have been cases where the postinstall scripts were not
> properly executed.
>
> Could you stop your DS and run:
>
> setup-ds.pl --update
>
> if it still is not corrected, try
>
> setup-ds.pl -ddd --update
>
> On 02/27/2015 01:07 PM, John Obaterspok wrote:
>> Hello,
>>
>> Anyone seen this after updating to 389-ds-base-1.3.3.8-1.fc21.x86_64
>>
>> Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory
>> Could not open library /usr/lib64/dirsrv/plugins/libdes-plugin.so for plugin DES
>>
>> # rpm -ql 389-ds-base | grep libdes | wc -l
>> 0
>>
>> -- john
[Freeipa-users] F21 update fails to start dirsrv due to missing libdes
Hello,

Anyone seen this after updating to 389-ds-base-1.3.3.8-1.fc21.x86_64

Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory
Could not open library /usr/lib64/dirsrv/plugins/libdes-plugin.so for plugin DES

# rpm -ql 389-ds-base | grep libdes | wc -l
0

-- john
Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-12 10:13 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:

> On Mon, 12 Jan 2015, John Obaterspok wrote:
>> 2015-01-11 16:33 GMT+01:00 Jakub Hrozek jhro...@redhat.com:
>>
>>> On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
>>>> 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com:
>>>>
>>>>> To get the whole root environment you have to run
>>>>> su - root
>>>>> did you try with it?
>>>>
>>>> ahh... that works fine Gianluca!
>>>>
>>>> Final question, if I have a file on the share like:
>>>>
>>>> [john@ipaserver mountpoint]$ ll test.txt
>>>> -rwxr-. 1 root admins 12 11 jan 10.42 test.txt
>>>>
>>>> Should I be able to access it if I acquire an admin ticket? Currently I get Permission denied
>>>>
>>>> [john@ipaserver mountpoint]$ id
>>>> uid=143444(john) gid=143444(john) grupper=143444(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>
>>>> [john@ipaserver mountpoint]$ getfacl test.txt
>>>> # file: test.txt
>>>> # owner: root
>>>> # group: admins
>>>> user::rwx
>>>> group::r--
>>>> other::---
>>>>
>>>> [john@ipaserver mountpoint]$ id admin
>>>> uid=143440(admin) gid=143440(admins) groups=143440(admins)
>>>>
>>>> [john@ipaserver mountpoint]$ klist
>>>> Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
>>>> Default principal: ad...@my.lan
>>>>
>>>> Valid starting       Expires              Service principal
>>>> 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan
>>>>
>>>> [john@ipaserver mountpoint]$ cat test.txt
>>>> cat: test.txt: Permission denied
>>>
>>> Looks like your account needs to be in the 'admins' group in order to
>>> access the file. Acquiring the admin ticket doesn't switch the user ID nor
>>> add you to the group..
>>
>> I thought the krb5 mount option would allow ticket based access to the file.
>> Is the purpose of the krb5 mount option just used during mounting of the
>> share? Otherwise I see no difference compared to not using krb5 mount
>> option!?
>
> Its purpose is authentication. After you have been successfully recognized
> by the server, both client and server need to map your identity while
> authorizing your access to actual files.
>
> In CIFS there are two types of access control which are applied at the same time:
> - ACLs per file or directory
> - POSIX access control based on uid/gid of a process that accesses the file or directory
>
> Client-side checks in cifs.ko can be switched off by noperm option. In this
> case server side will be doing actual access enforcement, using the uid/gid
> mapped on the server side (based on the Kerberos principal), unless CIFS
> Unix Extensions were negotiated between cifs.ko and the server. In the
> latter case client will pass uid/gid of a client to the server and server
> will do the actual check using them instead of discovering them based on
> the authentication token.
>
> In case where there is a common identity store in use with Kerberos, it is
> often better to use cifs.ko option multiuser which will imply noperm and
> server will be doing all the checks.

Simo also added that "You need to pass the 'multiuser' option at mount time for that, the default for cifs.ko is still to just use the mount credentials."

Well, I was actually using multiuser in the original test where I got permission denied but there is something weird going on.

mount -t cifs //ipaserver.MY.LAN/Share -o sec=krb5,multiuser mountpoint

(I also tried -o sec=krb5,multiuser,cache=none)

Anyway, it works if I do the mount as root and then as user john get the admin ticket *before* going to the share. Then it doesn't matter if I do kdestroy, I can still access a file that would require admin ticket.

If I remount the share and go to share as john without admin ticket I can't access a file that would require admin ticket. If I get an admin ticket then I'm still not able to access the file.

[john@ipaserver mountpoint]$ ll test.txt
-rwxr-. 1 root admins 12 11 jan 10.42 test.txt
[john@ipaserver mountpoint]$ cat test.txt
Hello World
[john@ipaserver mountpoint]$ id john
uid=143444(john) gid=143444(john) groups=143444(john),1434400010(mediafiles)
[john@ipaserver mountpoint]$ klist
Ticket cache: KEYRING:persistent:143444:krb_ccache_Ri45Eiw
Default principal: ad...@my.lan

Valid starting       Expires              Service principal
2015-01-14 21:54:24  2015-01-15 21:53:57  cifs/ipaserver.my@my.lan
2015-01-14 21:53:59  2015-01-15 21:53:57  krbtgt/my@my.lan
[john@ipaserver mountpoint]$ kdestroy
[john@ipaserver mountpoint]$ klist
klist: Credentials cache keyring 'persistent:143444:krb_ccache_Ri45Eiw' not found
[john@ipaserver mountpoint]$ cat test.txt
Hello World
[john@ipaserver mountpoint]$ klist
klist: Credentials cache keyring 'persistent:143444:krb_ccache_Ri45Eiw' not found

--- then remount share. john has non-admin ticket ---

[john@ipaserver mountpoint]$ id
uid=143444(john) gid=143444(john) groups=143444(john
Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-11 16:33 GMT+01:00 Jakub Hrozek jhro...@redhat.com:

> On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
>> 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com:
>>
>>> To get the whole root environment you have to run
>>> su - root
>>> did you try with it?
>>
>> ahh... that works fine Gianluca!
>>
>> Final question, if I have a file on the share like:
>>
>> [john@ipaserver mountpoint]$ ll test.txt
>> -rwxr-. 1 root admins 12 11 jan 10.42 test.txt
>>
>> Should I be able to access it if I acquire an admin ticket? Currently I get Permission denied
>>
>> [john@ipaserver mountpoint]$ id
>> uid=143444(john) gid=143444(john) grupper=143444(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>
>> [john@ipaserver mountpoint]$ getfacl test.txt
>> # file: test.txt
>> # owner: root
>> # group: admins
>> user::rwx
>> group::r--
>> other::---
>>
>> [john@ipaserver mountpoint]$ id admin
>> uid=143440(admin) gid=143440(admins) groups=143440(admins)
>>
>> [john@ipaserver mountpoint]$ klist
>> Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
>> Default principal: ad...@my.lan
>>
>> Valid starting       Expires              Service principal
>> 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan
>>
>> [john@ipaserver mountpoint]$ cat test.txt
>> cat: test.txt: Permission denied
>
> Looks like your account needs to be in the 'admins' group in order to
> access the file. Acquiring the admin ticket doesn't switch the user ID nor
> add you to the group..

I thought the krb5 mount option would allow ticket based access to the file. Is the purpose of the krb5 mount option just used during mounting of the share? Otherwise I see no difference compared to not using krb5 mount option!?

-- john
Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com:

> To get the whole root environment you have to run
> su - root
> did you try with it?

ahh... that works fine Gianluca!

Final question, if I have a file on the share like:

[john@ipaserver mountpoint]$ ll test.txt
-rwxr-. 1 root admins 12 11 jan 10.42 test.txt

Should I be able to access it if I acquire an admin ticket? Currently I get Permission denied

[john@ipaserver mountpoint]$ id
uid=143444(john) gid=143444(john) grupper=143444(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[john@ipaserver mountpoint]$ getfacl test.txt
# file: test.txt
# owner: root
# group: admins
user::rwx
group::r--
other::---

[john@ipaserver mountpoint]$ id admin
uid=143440(admin) gid=143440(admins) groups=143440(admins)

[john@ipaserver mountpoint]$ klist
Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
Default principal: ad...@my.lan

Valid starting       Expires              Service principal
2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan

[john@ipaserver mountpoint]$ cat test.txt
cat: test.txt: Permission denied
Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-09 10:11 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:
> On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch Kerberos keys and map IDs of CIFS identities. These configurations are part of cifs-utils package which also supplies mount.cifs.

I have no /etc/request-key.d/cifs.upcall.conf on my F21. Is it supposed to be there? This is what I have:

  [root@ipaserver etc]# cat request-key.conf
  ###
  # snip
  #OP     TYPE          DESCRIPTION   CALLOUT INFO  PROGRAM ARG1 ARG2 ARG3 ...
  #====== ============= ============= ============= ===============================
  create  dns_resolver  *             *             /sbin/key.dns_resolver %k
  create  user          debug:*       negate        /bin/keyctl negate %k 30 %S
  create  user          debug:*       rejected      /bin/keyctl reject %k 30 %c %S
  create  user          debug:*       expired       /bin/keyctl reject %k 30 %c %S
  create  user          debug:*       revoked       /bin/keyctl reject %k 30 %c %S
  create  user          debug:loop:*  *             |/bin/cat
  create  user          debug:*       *             /usr/share/keyutils/request-key-debug.sh %k %d %c %S
  negate  *             *             *             /bin/keyctl negate %k 30 %S
  [root@ipaserver etc]# ls request-key.d/
  cifs.idmap.conf  cifs.spnego.conf  id_resolver.conf
  [root@ipaserver etc]# cat request-key.d/cifs.idmap.conf
  create  cifs.idmap   *  *  /usr/sbin/cifs.idmap %k
  [root@ipaserver etc]# cat request-key.d/cifs.spnego.conf
  create  cifs.spnego  *  *  /usr/sbin/cifs.upcall %k

-- john
Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-09 18:12 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:
> So if you have all these configs right, can you add --verbose to mount.cifs arguments _before_ -o options?
>
>   mount -t cifs //ipaserver.MY.LAN/TheShare --verbose -o sec=krb5
>
> and you can enable debugging before mounting in /proc/fs/cifs/, see https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting

--

  [john@ipaserver ~]$ rpm -q cifs-utils
  cifs-utils-6.4-2.fc21.x86_64
  [john@ipaserver mnt]# su root
  [root@ipaserver mnt]# kdestroy
  [root@ipaserver mnt]# kinit admin
  [root@ipaserver mnt]# klist
  Ticket cache: KEYRING:persistent:143444:krb_ccache_As3C1bl
  Default principal: ad...@my.lan
  Valid starting       Expires              Service principal
  2015-01-09 22:40:37  2015-01-10 22:40:32  krbtgt/my@my.lan
  [root@ipaserver mnt]#
  [root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare --verbose -o sec=krb5 mointpoint
  mount.cifs kernel mount options: ip=192.168.0.103,unc=\\ipaserver.MY.LAN\TheShare,sec=krb5,user=john,pass=
  mount error(126): Required key not available
  Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

  [Fri Jan 9 22:40:15 2015] CIFS VFS: Send error in SessSetup = -126
  [Fri Jan 9 22:40:15 2015] CIFS VFS: cifs_mount failed w/return code = -126
  [Fri Jan 9 22:40:49 2015] CIFS VFS: Send error in SessSetup = -126
  [Fri Jan 9 22:40:49 2015] CIFS VFS: cifs_mount failed w/return code = -126
  [Fri Jan 9 22:42:30 2015] fs/cifs/cifsfs.c: Devname: //ipaserver.MY.LAN/TheShare flags: 0
  [Fri Jan 9 22:42:30 2015] fs/cifs/connect.c: Username: john
  [Fri Jan 9 22:42:30 2015] fs/cifs/connect.c: file mode: 0x1ed dir mode: 0x1ed
  [Fri Jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 6 with uid: 0
  [Fri Jan 9 22:42:30 2015] fs/cifs/connect.c: UNC: \\ipaserver.MY.LAN\TheShare
  [Fri Jan 9 22:42:30 2015] fs/cifs/connect.c: Socket created
  [Fri Jan 9 22:42:30 2015] fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x1b58
  [Fri Jan 9 22:42:30 2015] fs/cifs/fscache.c: cifs_fscache_get_client_cookie: (0x88007a28dc00/0x8800736ee000)
  [Fri Jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 7 with uid: 0
  [Fri Jan 9 22:42:30 2015] fs/cifs/connect.c: Existing smb sess not found
  [Fri Jan 9 22:42:30 2015] fs/cifs/cifssmb.c: Requesting extended security.
  [Fri Jan 9 22:42:30 2015] fs/cifs/transport.c: For smb_command 114
  [Fri Jan 9 22:42:30 2015] fs/cifs/transport.c: Sending smb: smb_len=78
  [Fri Jan 9 22:42:30 2015] fs/cifs/connect.c: Demultiplex PID: 20875
  [Fri Jan 9 22:42:30 2015] fs/cifs/connect.c: RFC1002 header 0xb5
  [Fri Jan 9 22:42:30 2015] fs/cifs/misc.c: checkSMB Length: 0xb9, smb_buf_length: 0xb5
  [Fri Jan 9 22:42:30 2015] fs/cifs/transport.c: cifs_sync_mid_result: cmd=114 mid=1 state=4
  [Fri Jan 9 22:42:30 2015] fs/cifs/cifssmb.c: Dialect: 2
  [Fri Jan 9 22:42:30 2015] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
  [Fri Jan 9 22:42:30 2015] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
  [Fri Jan 9 22:42:30 2015] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
  [Fri Jan 9 22:42:30 2015] fs/cifs/cifssmb.c: negprot rc 0
  [Fri Jan 9 22:42:30 2015] fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x8080f3fd TimeAdjust: -3600
  [Fri Jan 9 22:42:30 2015] fs/cifs/sess.c: sess setup type 5
  [Fri Jan 9 22:42:30 2015] fs/cifs/cifs_spnego.c: key description = ver=0x2;host=ipaserver.MY.LAN;ip4=192.168.0.103;sec=krb5;uid=0x0;creduid=0x0;user=john;pid=0x5188
  [Fri Jan 9 22:42:30 2015] CIFS VFS: Send error in SessSetup = -126
  [Fri Jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 7) rc = -126
  [Fri Jan 9 22:42:30 2015] fs/cifs/fscache.c: cifs_fscache_release_client_cookie: (0x88007a28dc00/0x8800736ee000)
  [Fri Jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 6) rc = -126
  [Fri Jan 9 22:42:30 2015] CIFS VFS: cifs_mount failed w/return code = -126

Is it okay that the verbose output says sec=krb5,user=john,pass= I did su from john...

-- john
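The diagnosis the thread arrives at can be read straight off the "key description" line above: the kernel asks cifs.upcall for a key with uid=0x0;creduid=0x0, so the upcall searches root's credential cache, while the admin TGT sits in john's KEYRING:persistent:143444 because "su root" (without "-") kept john's environment (the same is why mount.cifs reports user=john: it fills user= from the USER environment variable when no user= option is given). Running "su - root" before kinit, or passing the cruid= mount option documented in mount.cifs(8), puts the TGT where the upcall looks. The script below is an added example, not code from the thread, from cifs-utils or from FreeIPA; it parses that description and reports which cache will be searched. It assumes Fedora's default credential cache naming of KEYRING:persistent:%{uid}, and the cache contents are constructed to mirror the klist output above.

```python
"""Interpret the cifs.spnego key description handed to cifs.upcall.

Added example (not cifs-utils or FreeIPA code). Assumption: the system uses
Fedora's default default_ccache_name = KEYRING:persistent:%{uid}, so the
credential cache of a given uid is "KEYRING:persistent:<uid>".
"""

from typing import Dict, List, Optional

# Constructed sample: the key description from the CIFS debug output above.
SAMPLE_DESCRIPTION = (
    "ver=0x2;host=ipaserver.MY.LAN;ip4=192.168.0.103;sec=krb5;"
    "uid=0x0;creduid=0x0;user=john;pid=0x5188"
)

# Constructed sample of what each persistent keyring held at mount time:
# the admin TGT is in john's keyring (uid 143444) because "su root" kept
# john's KRB5CCNAME; root's own keyring (uid 0) is empty.
SAMPLE_CCACHES: Dict[str, List[str]] = {
    "KEYRING:persistent:143444": ["krbtgt/MY.LAN@MY.LAN"],
    "KEYRING:persistent:0": [],
}

HEX_FIELDS = {"ver", "uid", "creduid", "pid"}


def parse_key_description(desc: str) -> Dict[str, object]:
    """Split the ';'-separated key=value description; hex fields become ints."""
    fields: Dict[str, object] = {}
    for item in desc.split(";"):
        if not item:
            continue
        key, _, value = item.partition("=")
        fields[key] = int(value, 16) if key in HEX_FIELDS else value
    return fields


def ccache_for_uid(uid: int) -> str:
    # Assumption: default_ccache_name = KEYRING:persistent:%{uid}
    return f"KEYRING:persistent:{uid}"


def _has_tgt(principals: List[str]) -> bool:
    return any(p.startswith("krbtgt/") for p in principals)


def diagnose(desc: str, ccaches: Dict[str, List[str]]) -> Dict[str, object]:
    """Say which cache the upcall searches for creduid and whether a TGT is there.

    If the TGT lives in another uid's keyring, suggest that uid for cruid=,
    which is the mount.cifs(8) option that sets creduid.
    """
    f = parse_key_description(desc)
    creduid = int(f["creduid"])
    cache = ccache_for_uid(creduid)
    tgt_found = _has_tgt(ccaches.get(cache, []))
    holders = sorted(
        int(name.rsplit(":", 1)[1])
        for name, princs in ccaches.items()
        if name.startswith("KEYRING:persistent:") and _has_tgt(princs)
    )
    suggest: Optional[int] = None if tgt_found or not holders else holders[0]
    return {
        "mount_user": f.get("user"),
        "creduid": creduid,
        "cache_searched": cache,
        "tgt_found": tgt_found,
        "suggest_cruid": suggest,
    }


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_DESCRIPTION, SAMPLE_CCACHES).items():
        print(f"{k}: {v}")
```

With the constructed caches the report says the upcall searched KEYRING:persistent:0, found no TGT, and that cruid=143444 would have pointed it at the keyring that actually holds the admin ticket; once root obtains its own ticket (after "su - root"), the same description resolves cleanly.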
Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-09 10:11 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:
> On Thu, 08 Jan 2015, John Obaterspok wrote:
> > Hello,
> >
> > I've tried to do the following on the client (and also on the ipaserver itself) where I want the ipaserver share mounted.
> >
> >   [root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o sec=krb5 mountpoint
> >   mount error(126): Required key not available
> >   Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> >
> > (root has an admin ticket acquired)
> >
> > Any hints for a newbie?
>
> Do you have proper configuration in request-key.conf(5)?

I didn't know about those files, so if there are no defaults then I guess I don't have a proper configuration.

> On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch Kerberos keys and map IDs of CIFS identities. These configurations are part of cifs-utils package which also supplies mount.cifs.

Thanks Alexander,

-- john
[Freeipa-users] Mount cifs share using kerberos
Hello,

I have a samba share on the freeipa 4.1 server that I want to mount from another client that is part of the ipa domain. I've tried:

  mount -t cifs //ipaserver.DOMAIN.LAN/share /mnt/point -o sec=krb5

Shouldn't I be able to do the mount this way?

-- john
Re: [Freeipa-users] Problem starting IPA after reboot
okay, I see. The below line caused a *new* keytab to be created and prevented smb from starting.

  1) ipa-getkeytab -s ipaserver -p cifs/ipaserver.my.lan -k /etc/krb5.keytab

I've fixed this and now ipa starts fine again.

2015-01-08 20:31 GMT+01:00 John Obaterspok john.obaters...@gmail.com:
> Hello,
>
> I was trying out cifs mount when I ran into some problem where smb failed to load. What I've done was:
>
>   1) ipa-getkeytab -s ipaserver -p cifs/ipaserver.my.lan -k /etc/krb5.keytab
>   2) pdbedit -L on ipaserver (which failed since I'm using registry)
>
> Then I got strange errors and tried reboot. Now initially smb failed to start, then after a minute or two ipa + kadmin also fails.
>
> I've noticed selinux complains about:
> - SELinux is preventing /usr/sbin/krb5kdc from write access on the sock_file /var/lib/sss/pipes/pac.
> - SELinux is preventing /usr/sbin/krb5kdc from connectto access on the unix_stream_socket /var/lib/sss/pipes/pac.
>
> I see the following in journal -b
>
>   20:19:44 smbd[2065]: [2015/01/08 20:19:44.736247, 0] ../source3/smbd/server.c:1269(main)
>   20:19:44 smbd[2065]: standard input is not a socket, assuming -D option
>   20:19:44 systemd[1]: smb.service: Supervising process 2066 which is not our child. We'll most likely not notice when it exits.
>   20:19:44 smbd[2066]: [2015/01/08 20:19:44.803085, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:44 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:44 smbd[2066]: [2015/01/08 20:19:44.803985, 0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
>   20:19:44 smbd[2066]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-MY-LAN.socket with dn=[Anonymous bind] Error: Local error
>   20:19:44 smbd[2066]: (unknown)
>   20:19:45 smbd[2066]: [2015/01/08 20:19:45.815968, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:45 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:46 smbd[2066]: [2015/01/08 20:19:46.826820, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:46 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:47 smbd[2066]: [2015/01/08 20:19:47.837775, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:47 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:48 smbd[2066]: [2015/01/08 20:19:48.848497, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:48 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:49 smbd[2066]: [2015/01/08 20:19:49.859177, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:49 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:50 smbd[2066]: [2015/01/08 20:19:50.869958, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:50 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:51 smbd[2066]: [2015/01/08 20:19:51.880575, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:51 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:52 smbd[2066]: [2015/01/08 20:19:52.890531, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:52 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:53 smbd[2066]: [2015/01/08 20:19:53.901092, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:53 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:54 smbd[2066]: [2015/01/08 20:19:54.912209, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:54 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:55 smbd[2066]: [2015/01/08 20:19:55.922373, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:55 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:56 smbd[2066]: [2015/01/08 20:19:56.932368, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:56 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:57 smbd[2066]: [2015/01/08 20:19:57.942731, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:57 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:58 smbd[2066]: [2015/01/08 20:19:58.953319, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:58 smbd[2066]: kerberos error: code=-1765328366, message=Clients credentials have been revoked
>   20:19:59 named-pkcs11[1536]: OSSLRSA.cpp(999): RSA verify failed (0x04091068)
>   20:19:59 named-pkcs11[1536]: pkcs11rsa_link.c:496: pkcs_C_VerifyFinal: Error = 0x00C0
>   20:19:59 named-pkcs11[1536]: OSSLRSA.cpp(999): RSA verify failed (0x04091068)
>   20:19:59 named-pkcs11[1536]: pkcs11rsa_link.c:496: pkcs_C_VerifyFinal: Error = 0x00C0
>   20:19:59 smbd[2066]: [2015/01/08 20:19:59.963057, 0] ipa_sam.c:4128(bind_callback_cleanup)
>   20:19:59 smbd[2066]: kerberos error: code
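The step that broke things above, ipa-getkeytab -k pointed at /etc/krb5.keytab, is worth pausing on: ipa-getkeytab(1) warns that retrieving a keytab resets the secret for the Kerberos principal and renders all other keytabs for that principal invalid, and the new entries are appended to whatever keytab file -k names. Listing the principals and key version numbers (kvno) in a keytab before and after such a run shows exactly which service lost its old key. The reader/writer below is an added example, not FreeIPA or MIT Kerberos code; it implements the MIT keytab on-disk layout (format version 0x0502) and the principals, kvnos, timestamps and key bytes in it are constructed for illustration.

```python
"""Minimal MIT keytab (format 0x0502) reader/writer.

Added example (not FreeIPA or MIT Kerberos code). Lists principal -> kvno
so two snapshots of a keytab can be compared; the keys are made-up bytes.
"""

import struct
from dataclasses import dataclass
from typing import Dict, List

KEYTAB_MAGIC = b"\x05\x02"            # MIT keytab, format version 0x0502
KRB5_NT_PRINCIPAL = 1
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18  # RFC 3962 enctype number
AES256 = ENCTYPE_AES256_CTS_HMAC_SHA1_96


@dataclass
class KeytabEntry:
    principal: str   # e.g. "cifs/ipaserver.my.lan@MY.LAN"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def _counted(data: bytes) -> bytes:
    """uint16 big-endian length followed by the bytes (keytab counted string)."""
    return struct.pack(">H", len(data)) + data


def encode_entry(e: KeytabEntry) -> bytes:
    """Serialise one entry, including its int32 length prefix."""
    name, _, realm = e.principal.rpartition("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">H", e.enctype) + _counted(e.key)
    body += struct.pack(">I", e.kvno)   # optional 32-bit vno; kvno can exceed 255
    return struct.pack(">i", len(body)) + body


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size

        def take(n: int) -> bytes:
            nonlocal pos
            chunk = data[pos:pos + n]
            pos += n
            return chunk

        def counted() -> bytes:
            (n,) = struct.unpack(">H", take(2))
            return take(n)

        (ncomp,) = struct.unpack(">H", take(2))
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, ts, vno8 = struct.unpack(">IIB", take(9))
        (enctype,) = struct.unpack(">H", take(2))
        key = counted()
        vno = vno8
        if end - pos >= 4:           # 32-bit vno present; overrides vno8 if nonzero
            (vno32,) = struct.unpack(">I", take(4))
            if vno32:
                vno = vno32
        pos = end
        out.append(KeytabEntry("/".join(comps) + "@" + realm, vno, enctype, key, ts))
    return out


def kvnos(data: bytes) -> Dict[str, int]:
    """Map principal -> highest kvno in the file (old entries may linger)."""
    result: Dict[str, int] = {}
    for e in parse_keytab(data):
        result[e.principal] = max(result.get(e.principal, 0), e.kvno)
    return result


def rotated_principals(before: bytes, after: bytes) -> List[str]:
    """Principals whose kvno rose between two snapshots of a keytab."""
    old, new = kvnos(before), kvnos(after)
    return sorted(p for p, v in new.items() if v > old.get(p, 0))


# Constructed samples: host key plus cifs key, then the same file after a
# second ipa-getkeytab run for cifs/... appended a fresh key with kvno 2.
SAMPLE_BEFORE = build_keytab([
    KeytabEntry("host/ipaserver.my.lan@MY.LAN", 1, AES256, bytes(range(32)), 1420000000),
    KeytabEntry("cifs/ipaserver.my.lan@MY.LAN", 1, AES256, bytes(32), 1420000000),
])
SAMPLE_AFTER = SAMPLE_BEFORE + encode_entry(
    KeytabEntry("cifs/ipaserver.my.lan@MY.LAN", 2, AES256, bytes(range(32, 64)), 1420700000)
)

if __name__ == "__main__":
    print("rotated:", rotated_principals(SAMPLE_BEFORE, SAMPLE_AFTER))
```

On a real system, read /etc/krb5.keytab (or the samba keytab) into bytes and feed it to kvnos(); a principal whose kvno jumped after an ipa-getkeytab run is one whose other keytab copies, and any service still holding the old key, no longer match the KDC.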
Re: [Freeipa-users] Mount cifs share using kerberos
Hello,

I've tried to do the following on the client (and also on the ipaserver itself) where I want the ipaserver share mounted.

  [root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o sec=krb5 mountpoint
  mount error(126): Required key not available
  Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

(root has an admin ticket acquired)

Any hints for a newbie?

-- john

2015-01-08 18:51 GMT+01:00 Simo Sorce s...@redhat.com:
> On Thu, 8 Jan 2015 10:01:50 +0100 John Obaterspok john.obaters...@gmail.com wrote:
> > Hello,
> >
> > I have a samba share on the freeipa 4.1 server that I want to mount from another client that is part of the ipa domain. I've tried:
> >
> >   mount -t cifs //ipaserver.DOMAIN.LAN/share /mnt/point -o sec=krb5
> >
> > Shouldn't I be able to do the mount this way?
> >
> > -- john
>
> You should be able to, what's the error ?
>
> Simo.
>
> -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Woes adding a samba server to the ipa domain
Hello,

Now I'm able to access samba network share from Win PC using my ipa user password. But I need to enter it each time. I have still not been able to logon to Win7 PC with my IPA user. Currently I get "No mapping between account names and security IDs was done" when I try to login.

What I've done is this:

1. Created a dns entry for winpc + a host entry in web-ui,
2. On the IPA server I ran: ipa-getkeytab -s ipa.fqdn -p host/ipa.fqdn -e arcfour-hmac -k krb5.keytab.winpc -P

What am I supposed to do with the krb5.keytab.winpc file? Can't see any mention of this?

On the Win PC I did:

1. ksetup /setdomain [REALM NAME]
2. ksetup /addkdc [REALM NAME] [ipa.fqdn]
3. ksetup /addkpasswd [REALM NAME] [ipa.fqdn]
4. ksetup /setcomputerpassword [MACHINE_PASSWORD]
5. ksetup /mapuser * *

-- john

2014-10-29 22:01 GMT+01:00 Loris Santamaria lo...@lgs.com.ve:
> On Wed, 29-10-2014 at 21:40 +0100, John Obaterspok wrote:
> > Hello,
> >
> > I've tried this as well. My IPA is not connected to an AD. My smb.conf looks almost the same. The differences are:
> > - I got the default workgroup set (MY or something)
> > - No FILE:/ prefix for keytab file
> >
> > I had the samba and ipserver on the same box so I just had to add the cifs server and get keytab file in the same way.
> >
> > I was a bit surprised to see that accessing samba using smbclient -k \\... worked right away from a linux box. Then stopped working if I did kdestroy.
> >
> > But, I never got it to work from Windows. The Windows PC is not joined to any AD, it uses MIT Kerb client 4.0.1 and I successfully get tickets and can ssh login via putty without password.
> >
> > Any ideas on how to get this going from Windows as well?
>
> I guess you should prepare the ipa server for a windows domain trust (even if you won't setup any trust with an ad domain), with ipa-adtrust-install. Beware that it will overwrite your smb.conf.
>
> With that configuration and the steps described in http://www.redhat.com/archives/freeipa-users/2013-September/msg00226.html you will be able to use the native windows kerberos libraries and you should be able to open a samba share with your kerberos credentials.
>
> Best regards
>
> -- Loris Santamaria, linux user #70506, xmpp:lo...@lgs.com.ve
> Links Global Services, C.A. http://www.lgs.com.ve
> Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:1...@lgs.com.ve
> "If I'd asked my customers what they wanted, they'd have said a faster horse" - Henry Ford
Re: [Freeipa-users] Woes adding a samba server to the ipa domain
2014-11-02 21:51 GMT+01:00 Loris Santamaria lo...@lgs.com.ve:
> On Sun, 02-11-2014 at 19:54 +0100, John Obaterspok wrote:
> > I have still not been able to logon to Win7 PC with my IPA user. Currently I get "No mapping between account names and security IDs was done" when I try to login.
>
> The keytab is not needed, you just have to generate it to set a password for the computer.

Is this the same as the "Set One Time Password" action under enrollment in the web ui?

> You are supposed to use the same password in ipa-getkeytab and in the ksetup /setcomputerpassword commands

Cough, cough. I just noticed that the Win PC I was experimenting with had Windows Home edition. It seems you need at least Pro/Ultimate editions to join a domain.

-- john
Re: [Freeipa-users] Woes adding a samba server to the ipa domain
Hello,

I might be interested in this as well. Does this mean it would be possible for a windows client to access samba FS through IPA provided credentials?

Currently my Windows PC gets IPA ticket (through MIT kerberos application) and can use this ticket to login to Linux server via putty. I would jump up and down if I could access samba FS in the same way from Windows :)

(I got sssd 1.12.1 and freeipa 4.1 running on F20)

-- john

2014-10-23 12:32 GMT+02:00 Sumit Bose sb...@redhat.com:
> On Tue, Oct 21, 2014 at 07:49:11AM -0430, Loris Santamaria wrote:
> > On Mon, 20-10-2014 at 21:19 -0400, Dmitri Pal wrote:
> > > On 10/20/2014 09:15 AM, Loris Santamaria wrote:
> > > > [...]
> > > > Trying to join the server to the domain (net rpc join -U domainadmin -S ipaserver) fails, and it causes a samba crash on the ipa server. Investigating the cause of the crash I found that pdbedit crashes as well (backtrace attached). I couldn't get a meaningful backtrace from the samba crash however I attached it as well.
> > > >
> > > > Seems to me that the samba ipasam backend on ipa doesn't like something in the host or the domain computers group object in ldap, but I cannot see what could be the problem. Perhaps someone more familiar with the ipasam code can spot it quickly.
> > >
> > > Do I get it right that you are really looking for https://fedorahosted.org/sssd/ticket/1588 that was just released upstream? It would be cool if you can try using SSSD 1.12.1 under Samba FS in the use case you have and provide feedback on how it works for you. AFAIU you install Samba FS and then use ipa-client to configure SSSD under it and it should work. If not we probably should document it (but I do not see any special design page which leads me to the above expectation).
> >
> > Ok, I'll happily try sssd 1.12.1. Just a question, in smb.conf one should use security = domain or security = ads?
>
> 'ads' because we want to use Kerberos. But there are some other configuration options which need attention, e.g. you have to create a keytab for the cifs service and make it available to samba. I'll try to set up a small howto page listing the needed steps and come back to you early next week.
>
> bye,
> Sumit
>
> > Best regards
> > -- Loris Santamaria
Re: [Freeipa-users] Woes adding a samba server to the ipa domain
Hello,

I've tried this as well. My IPA is not connected to an AD. My smb.conf looks almost the same. The differences are:
- I got the default workgroup set (MY or something)
- No FILE:/ prefix for keytab file

I had the samba and ipserver on the same box so I just had to add the cifs server and get keytab file in the same way.

I was a bit surprised to see that accessing samba using smbclient -k \\... worked right away from a linux box. Then stopped working if I did kdestroy.

*But,* I never got it to work from Windows. The Windows PC is not joined to any AD, it uses MIT Kerb client 4.0.1 and I successfully get tickets and can ssh login via putty without password.

Any ideas on how to get this going from Windows as well?

-- john

2014-10-29 20:54 GMT+01:00 Loris Santamaria lo...@lgs.com.ve:
> On Thu, 23-10-2014 at 12:32 +0200, Sumit Bose wrote:
> > On Tue, Oct 21, 2014 at 07:49:11AM -0430, Loris Santamaria wrote:
> > > On Mon, 20-10-2014 at 21:19 -0400, Dmitri Pal wrote:
> > > > On 10/20/2014 09:15 AM, Loris Santamaria wrote:
> > > > > [...]
> > > > > Trying to join the server to the domain (net rpc join -U domainadmin -S ipaserver) fails, and it causes a samba crash on the ipa server. Investigating the cause of the crash I found that pdbedit crashes as well (backtrace attached). I couldn't get a meaningful backtrace from the samba crash however I attached it as well.
> > > > >
> > > > > Seems to me that the samba ipasam backend on ipa doesn't like something in the host or the domain computers group object in ldap, but I cannot see what could be the problem. Perhaps someone more familiar with the ipasam code can spot it quickly.
> > > >
> > > > Do I get it right that you are really looking for https://fedorahosted.org/sssd/ticket/1588 that was just released upstream? It would be cool if you can try using SSSD 1.12.1 under Samba FS in the use case you have and provide feedback on how it works for you. AFAIU you install Samba FS and then use ipa-client to configure SSSD under it and it should work. If not we probably should document it (but I do not see any special design page which leads me to the above expectation).
> > >
> > > Ok, I'll happily try sssd 1.12.1. Just a question, in smb.conf one should use security = domain or security = ads?
> >
> > 'ads' because we want to use Kerberos. But there are some other configuration options which need attention, e.g. you have to create a keytab for the cifs service and make it available to samba. I'll try to set up a small howto page listing the needed steps and come back to you early next week.
>
> It Works :D, and here is what I did:
>
> Test environment: One realm domain with two Centos 7 / ipa 3.3 masters, one trusted AD forest (windows 2008R2 controllers), one Centos 7 file server.
>
> Step 1) On the file server enable mkosek's COPR ipa repo: https://copr.fedoraproject.org/coprs/mkosek/freeipa/
>
> 2) Install required packages:
>
>   yum -y install ipa-client sssd-libwbclient samba samba-client
>
> 3) Join file server to the ipa realm:
>
>   ipa-client-install --mkhomedir
>
> Please note that this step fails, shortly after creating the keytab and configuring sssd, probably caused by the version mismatch between ipa server (3.3) and client (4.1). I will report the failure shortly.
>
> Because of the failure I had to complete part of the join procedure manually:
>
>   authconfig --enablesssdauth --enablemkhomedir --update   (on the client)
>   ipa dnsrecord-add my.realm sambatest --a-rec=x.y.w.z     (on ipa server)
>
> 4) On the ipa server create the cifs principal for samba:
>
>   ipa service-add cifs/sambatest.my.realm
>
> 5) Install keytab on the samba host:
>
>   ipa-getkeytab -s ipaserver.my.realm -p cifs/sambatest.my.realm -k /etc/samba/samba.keytab
>
> 6) Edit /etc/samba/smb.conf on the samba file server:
>
>   [global]
>   workgroup = MY
>   realm = MY.REALM
>   dedicated keytab file = FILE:/etc/samba/samba.keytab
>   kerberos method = dedicated keytab
>   log file = /var/log/samba/log.%m
>   security = ads
>
>   [homes]
>   browsable = no
>   writable = yes
>
>   [shared]
>   path = /home/shared
>   writable = yes
>   browsable = yes
>   write list = @admins
>
> 7) To enable samba /home sharing one should turn on a selinux boolean:
>
>   setsebool -P samba_enable_home_dirs on
>
> 8) Restart samba
>
> Testing:
>
> On another linux member of the IPA domain it is possible to connect to the samba shares using smbclient -k:
>
>   kinit user@MY.REALM
>   smbclient -k -L sambatest.my.realm
>   smbclient -k //sambatest.my.realm/shared
>
> On a windows machine, member of the AD domain it is possible to connect to the samba shares typing in the windows explorer location bar: \\sambatest.my.realm
>
> Also, if the ad user is an (indirect) member of the IPA admins group, thanks to the trust relationship, with the above smb.conf he may have write access to the \shared folder.
>
> Thanks to the ipa and sssd teams for this
Re: [Freeipa-users] F20 Problem upgrading to 4.1
2014-10-27 12:19 GMT+01:00 Martin Basti mba...@redhat.com:
> On 26/10/14 21:39, John Obaterspok wrote:
> > Hi,
> >
> > I enabled mkosek-freeipa repo for F20 and updated freeipa-server from 3.3.5 to 4.1. The yum update reported just a single error:
> >
> >   Could not load host key: /etc/ssh/ssh_host_dsa_key
> >
> > After reboot I had 3 services that failed to start: ipa, kadmin, named-pkcs11
> >
> > Doing strace -f named-pkcs11 -u named -f -g I can see:
> >
> >   /var/lib/softhsm/tokens/ = -1 EACCES (Permission denied)
> >   initializing DST: PKCS#11 initialization failed
> >   exiting (due to fatal error)
> >
> > For kadmin the error is due to not being able to connect to sldap
> >
> > I noticed that softhsm2-util --show-slots reported "ERROR: Could not initialize the library." But that seemed to be because wasn't part of the update. After that I could show the default slot and then I manually called following (as root):
> >
> >   /usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin --so-pin
> >
> > But the problems won't go away. Any clues?
> >
> > -- john
>
> Hello,
>
> 1) can you share your /var/log/ipaupgrade.log ?

Unfortunately I removed the original ipaupgrade.log file when I did a retry to install freeipa-server. The current ipaupgrade.log has two errors:

First)

  2014-10-26T12:45:15Z DEBUG Live 1, updated 1
  2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'}
  2014-10-26T12:45:15Z ERROR Update failed: Operations error:
  2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf Plugin,cn=plugins,cn=config
  2014-10-26T12:45:15Z DEBUG -

Second) It complains about not being able to start named-pkcs11 service.

> 2) your issue with softhsm can be caused by missing environment variable. IPA internally uses SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
> please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots, and let me know if it works
> same with named-pkcs11,

The timestamps for softhsm_pin tokens match the time I did the original update

  # ll /var/lib/ipa/dnssec/
  -rwxrwx---. 1 ods named   30 Oct 26 10:35 softhsm_pin
  drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens
  # ll /var/lib/ipa/dnssec/tokens/
  total 0
  # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots
  Available slots:
  Slot 0
  Slot info:
      Description:      SoftHSM slot 0
      Manufacturer ID:  SoftHSM project
      Hardware version: 2.0
      Firmware version: 2.0
      Token present:    yes
  Token info:
      Manufacturer ID:  SoftHSM project
      Model:            SoftHSM v2
      Hardware version: 2.0
      Firmware version: 2.0
      Serial number:
      Initialized:      no
      User PIN init.:   no
      Label:

> 3) can you share journalctl -u named-pkcs11 output?

  10:35:48 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
  10:35:48 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
  10:35:48 systemd[1]: Unit named-pkcs11.service entered failed state.
  10:35:48 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.
  -- Reboot --
  10:58:05 named-pkcs11[1496]: initializing DST: no PKCS#11 provider
  10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
  10:58:05 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
  10:58:05 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
  10:58:05 systemd[1]: Unit named-pkcs11.service entered failed state.
  10:58:05 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.
  ...

After some fiddling a restart says this:

  19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
  19:26:21 named-pkcs11[8807]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, isc_boolean_true, isc_boolean_false, isc_bo
  19:26:21 named-pkcs11[8807]: exiting (due to fatal error in library)
  19:26:21 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
  19:26:21 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
  19:26:21 systemd[1]: Unit named-pkcs11.service entered failed state.

> 4) I'm not aware of that we need krb5-libs/openssl, I was getting this error if tokens directory doesn't exist, but IPA uses own configuration (see 2) not default.

ok
Re: [Freeipa-users] F20 Problem upgrading to 4.1
Hello Martin,

Still no go. I installed the softhsm-devel package (that only contains header files), removed the token directory, reinstalled the bind bind-pkcs11, did ipa-dns-install that completed ok (I guess):

To accept the default shown in brackets, press the Enter key.
Existing BIND configuration detected, overwrite? [no]: yes
Directory Manager password:

# ipa-upgradeconfig
[Verifying that root certificate is published]
*Failed to backup CS.cfg: no magic attribute 'dogtag'*
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
*Failed to restart named: Command ''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero exit status 1*
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful

# systemctl restart named-pkcs11
# journalctl -xn
19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/ipa/dnssec/tokens
19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the object store
19:38:54 named-pkcs11[838]: initializing DST: PKCS#11 initialization failed
19:38:54 named-pkcs11[838]: exiting (due to fatal error)
19:38:54 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
19:38:54 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.

It seems the problem is now there are no tokens:

# ll /var/lib/ipa/dnssec/
total 4.0K
-rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin

Any ideas?

-- john

2014-10-27 19:05 GMT+01:00 Martin Basti mba...@redhat.com:
> On 27/10/14 18:53, John Obaterspok wrote:
>> 2014-10-27 12:19 GMT+01:00 Martin Basti mba...@redhat.com:
>>> On 26/10/14 21:39, John Obaterspok wrote:
>>>> Hi,
>>>>
>>>> I enabled mkosek-freeipa repo for F20 and updated freeipa-server from 3.3.5 to 4.1.
>>>> The yum update reported just a single error:
>>>> Could not load host key: /etc/ssh/ssh_host_dsa_key
>>>>
>>>> After reboot I had 3 services that failed to start: ipa, kadmin, named-pkcs11
>>>>
>>>> Doing strace -f named-pkcs11 -u named -f -g I can see:
>>>> /var/lib/softhsm/tokens/ = -1 EACCES (Permission denied)
>>>> initializing DST: PKCS#11 initialization failed
>>>> exiting (due to fatal error)
>>>>
>>>> For kadmin the error is due to not being able to connect to sldap
>>>>
>>>> I noticed that softhsm2-util --show-slots reported ERROR: Could not initialize the library. But that seemed to be because krb5-libs/openssl wasn't part of the update.
>>>> After that I could show the default slot and then I manually called following (as root):
>>>> /usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin --so-pin
>>>>
>>>> But the problems won't go away. Any clues?
>>>>
>>>> -- john
>>>
>>> Hello,
>>>
>>> 1) can you share your /var/log/ipaupgrade.log ?
>>
>> Unfortunately I removed the original ipaupgrade.log file when I did a retry to install freeipa-server.
>> The current ipaupgrade.log has two errors:
>>
>> First)
>> 2014-10-26T12:45:15Z DEBUG Live 1, updated 1
>> 2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'}
>> 2014-10-26T12:45:15Z ERROR Update failed: Operations error:
>> 2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf Plugin,cn=plugins,cn=config
>> 2014-10-26T12:45:15Z DEBUG
>
> - Are there some information about entry which is updated above?
>
>> Second)
>> It complains about not being able to start named-pkcs11 service.
>>
>>> 2) your issue with softhsm can be caused by missing environment variable
>>> IPA internally uses SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>>> please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots,
>>> and let me know if it works same with named-pkcs11,
>>
>> The filestamps for softhsm_pin tokens match the time I did the original update
>>
>> # ll /var/lib/ipa/dnssec/
>> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>> drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens
>>
>> # ll /var/lib/ipa/dnssec/tokens/
>> total 0
>>
>> # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots
>> Available slots:
>> Slot 0
>> Slot
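The checks Martin's reply points at (SOFTHSM2_CONF, the token directory and its permissions) gathered into one pre-flight script, as an added example that is not code from the thread or from FreeIPA; the softhsm2.conf key name, the token.object marker and the function name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: a pre-flight check for the
# SoftHSM v2 token store that named-pkcs11 opens at start. It covers the failures seen
# above: EACCES on the token directory, a missing tokens/ directory, an empty store.
# Assumed here (not stated on the list): softhsm2.conf has a line
# "directories.tokendir = <path>", and SoftHSM v2 marks each initialised token with
# a token.object file inside a per-token subdirectory.

# check_softhsm_store CONF TOKENDIR [PINFILE]
# Prints one line per finding; returns 0 only when the store looks usable.
check_softhsm_store() {
    conf="$1"
    tokendir="$2"
    pinfile="${3:-}"
    rc=0
    # IPA points SoftHSM at its own config via SOFTHSM2_CONF; without it the
    # library falls back to the default store (the EACCES seen under strace).
    if [ ! -r "$conf" ]; then
        echo "FAIL: cannot read $conf (is SOFTHSM2_CONF set?)"
        return 1
    fi
    # The configured token directory must be the one the service expects.
    cfg_dir=$(sed -n 's/^[[:space:]]*directories\.tokendir[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    if [ "$cfg_dir" != "$tokendir" ]; then
        echo "FAIL: $conf points at '$cfg_dir', expected $tokendir"
        rc=1
    fi
    # The directory must exist and be readable and traversable by the caller
    # (run this as the named user to reproduce what the service sees).
    if [ ! -d "$tokendir" ]; then
        echo "FAIL: token directory $tokendir is missing"
        return 1
    fi
    if [ ! -r "$tokendir" ] || [ ! -x "$tokendir" ]; then
        echo "FAIL: token directory $tokendir not readable/traversable (EACCES)"
        rc=1
    fi
    # At least one initialised token (ipaDNSSEC in the thread) must be present.
    ntok=0
    for t in "$tokendir"/*/; do
        [ -f "${t}token.object" ] && ntok=$((ntok + 1))
    done
    if [ "$ntok" -eq 0 ]; then
        echo "FAIL: no initialised tokens under $tokendir"
        rc=1
    fi
    # The PIN file, if given, must exist and must not be world-readable.
    if [ -n "$pinfile" ]; then
        if [ ! -f "$pinfile" ]; then
            echo "FAIL: PIN file $pinfile is missing"; rc=1
        elif [ -n "$(find "$pinfile" -perm -004 -print)" ]; then
            echo "FAIL: PIN file $pinfile is world-readable"; rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo "OK: $ntok token(s) in $tokendir"
    return $rc
}
# Usage on the server from the thread:
# check_softhsm_store /etc/ipa/dnssec/softhsm2.conf /var/lib/ipa/dnssec/tokens /var/lib/ipa/dnssec/softhsm_pin
```

Run it as the named user to see the same view of the store that the service gets.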
Re: [Freeipa-users] F20 Problem upgrading to 4.1
hmm... Could not connect to the Directory Server

So I started it with start-dirsrv since systemctl start ipa failed.
Then it was a breeze, ipa-dns-install worked fine.

# systemctl --failed
0 loaded units listed.

I haven't verified that it works, but I feel confident :)

-- john

2014-10-27 20:09 GMT+01:00 Martin Basti mba...@redhat.com:
> On 27/10/14 19:57, John Obaterspok wrote:
>> It seems the problem is now there are no tokens:
>>
>> # ll /var/lib/ipa/dnssec/
>> total 4.0K
>> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>
> This is interesting, ipa-dns-install should detect missing directory and create new one.
> Could you send me tail of /var/log/ipaserver-install.log, where DNS debug lines are?
>
> Martin^2
>
>> Any ideas?
>>
>> -- john
Re: [Freeipa-users] F20 Problem upgrading to 4.1
Hello Martin,

It works perfectly again!

Note, I noticed in /var/log/ipaserver-install.log that ipa-dns-install failed because 389 wasn't started (failed to connect). Once it was started manually the ipa-dns-install worked fine.

Thanks a lot Martin,

-- john

2014-10-27 20:40 GMT+01:00 Martin Basti mba...@redhat.com:
> On 27/10/14 20:34, John Obaterspok wrote:
>> hmm... Could not connect to the Directory Server
>>
>> So I started it with start-dirsrv since systemctl start ipa failed.
>> Then it was a breeze, ipa-dns-install worked fine.
>>
>> # systemctl --failed
>> 0 loaded units listed.
>
> I'm lost, does IPA work or not?
> are all services running? (ipactl status)
> are tokens created in /var/lib/ipa/dnssec/tokens
> can you dig records from IPA DNS?
>
> Martin^2
>
>> I haven't verified that it works, but I feel confident :)
>>
>> -- john
Re: [Freeipa-users] dns stops working after upgrade
Hello Rob,

Did systemd report any failed services? (systemctl --failed)

-- john

2014-10-25 16:40 GMT+02:00 Rob Verduijn rob.verdu...@gmail.com:
> Hello all,
>
> I'm running freeipa 3.3.0 on fedora 20 x86_64 and it is set up as my main dns server.
> I've tried the upgrade to 4.1 using the copr repository.
>
> I performed the following steps:
> 1 apply latest fedora updates
> 2 shutdown system
> 3 create a snapshot from the freeipa vm as a backup (which is why I'm back at 3.3)
> 4 added the copr repo to my repositories
> 5 issue 'yum update' and grab a coffee
> 6 see the update complete and start to check if everything still works.
>
> All authentication seems to work fine, however all my local dns entries no longer work.
> All internet dns queries work fine, just not my own entries. They are all still there.
>
> So I shutdown my freeipa vm and reverted the snapshot, everything is back up and running again with 3.3.0
>
> I've dug through my logs but see no errors whatsoever.
> Did I miss something that needs to be done when doing an upgrade?
>
> Rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
[Freeipa-users] F20 Problem upgrading to 4.1
Hi,

I enabled mkosek-freeipa repo for F20 and updated freeipa-server from 3.3.5 to 4.1.
The yum update reported just a single error:
Could not load host key: /etc/ssh/ssh_host_dsa_key

After reboot I had 3 services that failed to start: ipa, kadmin, named-pkcs11

Doing strace -f named-pkcs11 -u named -f -g I can see:
/var/lib/softhsm/tokens/ = -1 EACCES (Permission denied)
initializing DST: PKCS#11 initialization failed
exiting (due to fatal error)

For kadmin the error is due to not being able to connect to sldap

I noticed that softhsm2-util --show-slots reported ERROR: Could not initialize the library. But that seemed to be because krb5-libs/openssl wasn't part of the update.
After that I could show the default slot and then I manually called following (as root):
/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin --so-pin

But the problems won't go away. Any clues?

-- john
[Freeipa-users] DogTag memory usage. Alternatives?
Hello,

I'm using FreeIPA for my home network and it works really great. FreeIPA is running on a NAS server where hw isn't latest greatest.
I've noticed the dogtag java/tomcat process is using up to 1 gig of RAM and the java process is usually in the top spot for powertop wakeups.

Is it normal that it uses this much memory? Are there any alternatives?

-- john

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] kerberized vsftpd login problem
2014-03-23 19:45 GMT-04:00 Dmitri Pal d...@redhat.com:
> 2014-03-23 9:01 GMT+01:00 John Obaterspok john.obaters...@gmail.com:
>> Hello,
>>
>> How do I get vsftpd login to work with an existing ticket?
>> I've added ftp as an identity service (ftp/ipaserver.my@my.lan)
>> Is there anything else I need to do to allow ftp login to vsftpd?
>
> What ftp client and server are you using? Do you know whether they are actually supporting Kerberos?
> May be consider other tools like scp instead?

I'm using vsftpd with default settings in Fedora 20 + ftp client from krb5-appl-clients.
vsftpd is linked to pam, gssapi_krb5, and more.

/etc/pam.d/vsftpd looks like this:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

Perhaps I need to change something in the pam file in order to allow sso?

-- john
[Freeipa-users] kerberized vsftpd login problem
Hello,

How do I get vsftpd login to work with an existing ticket?
I've added ftp as an identity service (ftp/ipaserver.my@my.lan)
Is there anything else I need to do to allow ftp login to vsftpd?

-- john
[Freeipa-users] Win7 machine occasionally not able to lookup ipa hosts
Hello,

A couple of times each day the win 7 machine is not able to look up hosts on the ipa domain.
A ipconfig /renew always allows ipa hosts to be resolvable again.
Any ideas why this happens?

-- john
Re: [Freeipa-users] Win7 machine occasionally not able to lookup ipa hosts
Hello,

I just experienced this again. ipa server not pingable by name but by ip.
Did an ipconfig /all first, then ipconfig /renew.
The only lines that differ are the lease expiry:
- Lease expires. . . . . . . . . . . : 2014-03-24 20:04:28
+ Lease expires. . . . . . . . . . . : 2014-03-24 22:28:09

Any other suggestions?

-- john

2014-03-23 18:52 GMT+01:00 Will Sheldon m...@willsheldon.com:
> What is the difference in the output of ipconfig /all before and after the ipconfig /renew?
>
> Kind regards,
> Will Sheldon
>
> On Sunday, March 23, 2014 at 1:21 AM, John Obaterspok wrote:
>> Hello,
>>
>> A couple of times each day the win 7 machine is not able to look up hosts on the ipa domain.
>> A ipconfig /renew always allows ipa hosts to be resolvable again.
>> Any ideas why this happens?
>>
>> -- john