Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-06-27 Thread John Obaterspok
2016-06-27 11:05 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:

> On (26/06/16 20:37), John Obaterspok wrote:
> >Hi,
> >
> >I've been running F23 + mod_nss 1.0.14-1 for months to get SubjectAltName
> >to work.
> >F24 update brings back mod_nss to 1.0.12-4 and now SubjectAltName doesn't
> >work any more. Is there any chance 1.0.14 will make it in as an F24
> update?
> >(I can add karma if needed)
> >
> mod_nss-1.0.14-1 is only in rawhide (fc25)
> I cannot see such package in fedora 23.
>
> http://koji.fedoraproject.org/koji/packageinfo?packageID=2554
>
>
Hi Lukas,

When I ran F23 I installed mod_nss-1.0.14-1 from rawhide (fc25) in order to
fix the problem with using SubjectAltName in certificate.
I believe I manually installed 1.0.14 in April, and this bug was fixed in
1.0.13, so that's why I was surprised F24 shipped with .12

-- john
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-06-26 Thread John Obaterspok
Hi,

I've been running F23 + mod_nss 1.0.14-1 for months to get SubjectAltName
to work.
F24 update brings back mod_nss to 1.0.12-4 and now SubjectAltName doesn't
work any more. Is there any chance 1.0.14 will make it in as an F24 update?
(I can add karma if needed)

-- john

2016-04-25 19:26 GMT+02:00 John Obaterspok <john.obaters...@gmail.com>:

> Thanks Rob!
>
> I rebuilt the mod_nss-1.0.14-1 version from rawhide for my F23 IPA server
> and it works like a charm.
>
> Thanks,
>
>john
>
> 2016-04-25 16:47 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
>
>> John Obaterspok wrote:
>>
>>>
>>> 2016-02-11 1:34 GMT+01:00 Fraser Tweedale <ftwee...@redhat.com>:
>>>
>>> On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
>>>  > 2016-02-06 23:29 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>
>>>  >
>>>  > > John Obaterspok wrote:
>>>  > >
>>>  > >> Hi,
>>>  > >>
>>>  > >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to
>>> ipa.my.lan
>>>  > >>
>>>  > >> I recently started to get nss error "SSL peer has no
>>> certificate for the
>>>  > >> requested DNS name." when I'm accessing my
>>> https://gitserver.my.lan
>>>  > >>
>>>  > >> Previously this worked fine if I had set "git config --global
>>>  > >> http.sslVerify false" according to
>>>  > >>
>>>
>>> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
>>>  > >>
>>>  > >> Now I tried to solve this by adding a SubjectAltName to the
>>>  > >> HTTP/ipa.my.lan certificate like this:
>>>  > >>
>>>  > >> status: MONITORING
>>>  > >> stuck: no
>>>  > >> key pair storage:
>>>  > >>
>>>
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>  > >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>  > >> certificate:
>>>  > >>
>>>
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>  > >> Certificate DB'
>>>  > >> CA: IPA
>>>  > >> issuer: CN=Certificate Authority,O=MY.LAN
>>>  > >> subject: CN=ipa.my.lan,O=MY.LAN
>>>  > >> expires: 2018-02-06 19:24:52 UTC
>>>  > >> dns: gitserver.my.lan,ipa.my.lan
>>>  > >> principal name: http/ipa.my@my.lan
>>>  > >> key usage:
>>>  > >>
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>  > >> eku: id-kp-serverAuth,id-kp-clientAuth
>>>  > >> pre-save command:
>>>  > >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>  > >> track: yes
>>>  > >> auto-renew: yes
>>>  > >>
>>>  > >> But I still get the below error:
>>>  > >>
>>>  > >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
>>>  > >> * SSL peer has no certificate for the requested DNS name
>>>  > >>
>>>  > >
>>>  > > What version of mod_nss? It recently added support for SNI. You
>>> can try
>>>  > > turning it off by adding NSSSNI off to
>>> /etc/httpd/conf.d/nss.conf but I'd
>>>  > > imagine you were already relying on it.
>>>  > >
>>>  > >
>>>  > Hi,
>>>  >
>>>  > Turning it off didn't help
>>>  >
>>>  > I'm on F23 with latest updates so I have mod_nss-1.0.12-1
>>>  > I noticed it worked if I set "ServerName gitserver.my.lan" in
>>>  > gitserver.conf, but then I got the NAME ALERT when accessing
>>> ipa.my.lan.
>>>  >
>>>  > I then tried to put ipa.conf in  but then I
>>> got error
>>>  > about SSL_ERROR_RX_RECORD_TOO_LONG
>>>  >
>>>  > gitserver.conf has this:

Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-04-25 Thread John Obaterspok
Thanks Rob!

I rebuilt the mod_nss-1.0.14-1 version from rawhide for my F23 IPA server
and it works like a charm.

Thanks,

   john

2016-04-25 16:47 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:

> John Obaterspok wrote:
>
>>
>> 2016-02-11 1:34 GMT+01:00 Fraser Tweedale <ftwee...@redhat.com>:
>>
>> On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
>>  > 2016-02-06 23:29 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>
>>  >
>>  > > John Obaterspok wrote:
>>  > >
>>  > >> Hi,
>>  > >>
>>  > >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to
>> ipa.my.lan
>>  > >>
>>  > >> I recently started to get nss error "SSL peer has no
>> certificate for the
>>  > >> requested DNS name." when I'm accessing my
>> https://gitserver.my.lan
>>  > >>
>>  > >> Previously this worked fine if I had set "git config --global
>>  > >> http.sslVerify false" according to
>>  > >>
>>
>> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
>>  > >>
>>  > >> Now I tried to solve this by adding a SubjectAltName to the
>>  > >> HTTP/ipa.my.lan certificate like this:
>>  > >>
>>  > >> status: MONITORING
>>  > >> stuck: no
>>  > >> key pair storage:
>>  > >>
>>
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>  > >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>  > >> certificate:
>>  > >>
>>
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>  > >> Certificate DB'
>>  > >> CA: IPA
>>  > >> issuer: CN=Certificate Authority,O=MY.LAN
>>  > >> subject: CN=ipa.my.lan,O=MY.LAN
>>  > >> expires: 2018-02-06 19:24:52 UTC
>>  > >> dns: gitserver.my.lan,ipa.my.lan
>>  > >> principal name: http/ipa.my@my.lan
>>  > >> key usage:
>>  > >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>  > >> eku: id-kp-serverAuth,id-kp-clientAuth
>>  > >> pre-save command:
>>  > >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>  > >> track: yes
>>  > >> auto-renew: yes
>>  > >>
>>  > >> But I still get the below error:
>>  > >>
>>  > >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
>>  > >> * SSL peer has no certificate for the requested DNS name
>>  > >>
>>  > >
>>  > > What version of mod_nss? It recently added support for SNI. You
>> can try
>>  > > turning it off by adding NSSSNI off to
>> /etc/httpd/conf.d/nss.conf but I'd
>>  > > imagine you were already relying on it.
>>  > >
>>  > >
>>  > Hi,
>>  >
>>  > Turning it off didn't help
>>  >
>>  > I'm on F23 with latest updates so I have mod_nss-1.0.12-1
>>  > I noticed it worked if I set "ServerName gitserver.my.lan" in
>>  > gitserver.conf, but then I got the NAME ALERT when accessing
>> ipa.my.lan.
>>  >
>>  > I then tried to put ipa.conf in  but then I
>> got error
>>  > about SSL_ERROR_RX_RECORD_TOO_LONG
>>  >
>>  > gitserver.conf has this:
>>  >
>>  > 
>>  > DocumentRoot /opt/wwwgit
>>  > SetEnv GIT_PROJECT_ROOT /opt/wwwgit
>>  > SetEnv GIT_HTTP_EXPORT_ALL
>>  > SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
>>  > ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
>>  >
>>  > ServerName gitserver.my.lan
>>  >
>>  >   
>>  >   Options Indexes
>>  >   AllowOverride None
>>  >   Require all granted
>>  >  
>>  >
>>  >  
>>  >   Options Indexes
>>  >   A

Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-04-25 Thread John Obaterspok
2016-02-11 1:34 GMT+01:00 Fraser Tweedale <ftwee...@redhat.com>:

> On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
> > 2016-02-06 23:29 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> >
> > > John Obaterspok wrote:
> > >
> > >> Hi,
> > >>
> > >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to
> ipa.my.lan
> > >>
> > >> I recently started to get nss error "SSL peer has no certificate for
> the
> > >> requested DNS name." when I'm accessing my https://gitserver.my.lan
> > >>
> > >> Previously this worked fine if I had set "git config --global
> > >> http.sslVerify false" according to
> > >>
> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
> > >>
> > >> Now I tried to solve this by adding a SubjectAltName to the
> > >> HTTP/ipa.my.lan certificate like this:
> > >>
> > >> status: MONITORING
> > >> stuck: no
> > >> key pair storage:
> > >>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > >> certificate:
> > >>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > >> Certificate DB'
> > >> CA: IPA
> > >> issuer: CN=Certificate Authority,O=MY.LAN
> > >> subject: CN=ipa.my.lan,O=MY.LAN
> > >> expires: 2018-02-06 19:24:52 UTC
> > >> dns: gitserver.my.lan,ipa.my.lan
> > >> principal name: http/ipa.my@my.lan
> > >> key usage:
> > >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > >> eku: id-kp-serverAuth,id-kp-clientAuth
> > >> pre-save command:
> > >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > >> track: yes
> > >> auto-renew: yes
> > >>
> > >> But I still get the below error:
> > >>
> > >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
> > >> * SSL peer has no certificate for the requested DNS name
> > >>
> > >
> > > What version of mod_nss? It recently added support for SNI. You can try
> > > turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but
> I'd
> > > imagine you were already relying on it.
> > >
> > >
> > Hi,
> >
> > Turning it off didn't help
> >
> > I'm on F23 with latest updates so I have mod_nss-1.0.12-1
> > I noticed it worked if I set "ServerName gitserver.my.lan" in
> > gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.
> >
> > I then tried to put ipa.conf in  but then I got error
> > about SSL_ERROR_RX_RECORD_TOO_LONG
> >
> > gitserver.conf has this:
> >
> > 
> > DocumentRoot /opt/wwwgit
> > SetEnv GIT_PROJECT_ROOT /opt/wwwgit
> > SetEnv GIT_HTTP_EXPORT_ALL
> > SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
> > ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
> >
> > ServerName gitserver.my.lan
> >
> >   
> >   Options Indexes
> >   AllowOverride None
> >   Require all granted
> >  
> >
> >  
> >   Options Indexes
> >   AllowOverride None
> >   Require all granted
> >  
> >
> > 
> >   #SSLRequireSSL
> >   AuthType Kerberos
> >   AuthName "Kerberos Login"
> >   KrbAuthRealm MY.LAN
> >   Krb5KeyTab /etc/httpd/conf/ipa.keytab
> >   KrbMethodNegotiate on
> >   KrbMethodK5Passwd off # Set to on to query for pwd if
> negotiation
> > failed due to no ticket available
> >   KrbSaveCredentials on
> >   KrbVerifyKDC on
> >   KrbServiceName HTTP/ipa.my@my.lan
> >
> >   AuthLDAPUrl ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
> >   AuthLDAPBindDN
> "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
> >   AuthLDAPBindPassword "secret123abc"
> >   Require ldap-group
> cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
> >  
> >
> > 
> >
> >
> > Any more ideas what I do wrong?
>
> It was suggested that this may be due to the certificate not being
> compliant with RFC 2818.  This is likely true, but I think it is 

Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-02-07 Thread John Obaterspok
2016-02-06 23:29 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:

> John Obaterspok wrote:
>
>> Hi,
>>
>> I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan
>>
>> I recently started to get nss error "SSL peer has no certificate for the
>> requested DNS name." when I'm accessing my https://gitserver.my.lan
>>
>> Previously this worked fine if I had set "git config --global
>> http.sslVerify false" according to
>> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
>>
>> Now I tried to solve this by adding a SubjectAltName to the
>> HTTP/ipa.my.lan certificate like this:
>>
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=MY.LAN
>> subject: CN=ipa.my.lan,O=MY.LAN
>> expires: 2018-02-06 19:24:52 UTC
>> dns: gitserver.my.lan,ipa.my.lan
>> principal name: http/ipa.my@my.lan
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>> But I still get the below error:
>>
>> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
>> * SSL peer has no certificate for the requested DNS name
>>
>
> What version of mod_nss? It recently added support for SNI. You can try
> turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but I'd
> imagine you were already relying on it.
>
>
Hi,

Turning it off didn't help

I'm on F23 with latest updates so I have mod_nss-1.0.12-1
I noticed it worked if I set "ServerName gitserver.my.lan" in
gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.

I then tried to put ipa.conf in  but then I got error
about SSL_ERROR_RX_RECORD_TOO_LONG

gitserver.conf has this:


DocumentRoot /opt/wwwgit
SetEnv GIT_PROJECT_ROOT /opt/wwwgit
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/

ServerName gitserver.my.lan

  
  Options Indexes
  AllowOverride None
  Require all granted
 

 
  Options Indexes
  AllowOverride None
  Require all granted
 


  #SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbAuthRealm WIN.LAN
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbMethodNegotiate on
  KrbMethodK5Passwd off # Set to on to query for pwd if negotiation
failed due to no ticket available
  KrbSaveCredentials on
  KrbVerifyKDC on
  KrbServiceName HTTP/ipa.my@my.lan

  AuthLDAPUrl ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
  AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
  AuthLDAPBindPassword "secret123abc"
  Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
 




Any more ideas what I do wrong?
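The exchange above involves two independent name checks: the SNI-aware server must find a virtual host for the name the client requested, and the client must then find that name among the certificate's identities (SAN dNSName entries first, the subject CN only as a fallback, per RFC 2818 / RFC 6125). The following added example, which is not code from the thread, from mod_nss or from NSS, models both checks in a simplified form and parses the getcert output quoted above as constructed input; the vhost lookup and the outcome strings are assumptions of the model, not mod_nss behaviour.

```python
"""Model of the two name checks behind SSL_ERROR_UNRECOGNIZED_NAME_ALERT (added example)."""
import re

# Constructed from the getcert listing quoted in the thread (only the relevant lines).
GETCERT_OUTPUT = """\
status: MONITORING
subject: CN=ipa.my.lan,O=MY.LAN
dns: gitserver.my.lan,ipa.my.lan
eku: id-kp-serverAuth,id-kp-clientAuth
"""


def parse_getcert(text):
    """Extract the subject CN and the SAN dNSName list from a certmonger getcert listing."""
    cn, dns = None, []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "subject":
            m = re.search(r"(?:^|,)CN=([^,]+)", value)
            cn = m.group(1) if m else None
        elif key == "dns":
            dns = [n.strip().lower() for n in value.split(",") if n.strip()]
    return {"cn": cn, "dns": dns}


def _dns_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, '*' allowed only as the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard must have at least two labels after it and may not span labels.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3 or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    """Client-side identity check: SAN dNSName entries win; CN is consulted only if no dNSName exists."""
    if cert["dns"]:
        return any(_dns_match(p, hostname) for p in cert["dns"])
    return bool(cert["cn"]) and _dns_match(cert["cn"], hostname)


def select_vhost(vhosts, sni_name):
    """Server-side SNI lookup (model): match the SNI name against ServerName and ServerAlias values."""
    sni_name = sni_name.lower().rstrip(".")
    for vh in vhosts:
        names = [vh["name"]] + vh.get("aliases", [])
        if any(_dns_match(n, sni_name) for n in names):
            return vh
    return None


def handshake(vhosts, cert, requested_host, sni_enabled=True):
    """Describe the outcome of both checks for a client connecting to requested_host (model)."""
    if sni_enabled and select_vhost(vhosts, requested_host) is None:
        return "unrecognized_name alert (no vhost for SNI name)"
    if not cert_covers(cert, requested_host):
        return "certificate does not cover requested name"
    return "ok"


if __name__ == "__main__":
    cert = parse_getcert(GETCERT_OUTPUT)
    only_ipa = [{"name": "ipa.my.lan"}]                               # assumed: the IPA vhost alone
    with_alias = [{"name": "ipa.my.lan", "aliases": ["gitserver.my.lan"]}]
    print("cert covers gitserver.my.lan:", cert_covers(cert, "gitserver.my.lan"))
    print("SNI on, no alias:", handshake(only_ipa, cert, "gitserver.my.lan"))
    print("SNI off, no alias:", handshake(only_ipa, cert, "gitserver.my.lan", sni_enabled=False))
    print("SNI on, alias:", handshake(with_alias, cert, "gitserver.my.lan"))
```

The model shows why a certificate whose SAN already lists the CNAME can still produce the alert: the server-side vhost lookup happens before the client ever looks at the certificate.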

[Freeipa-users] nss unrecognized name alert with SAN name

2016-02-06 Thread John Obaterspok
Hi,

I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan

I recently started to get nss error "SSL peer has no certificate for the
requested DNS name." when I'm accessing my https://gitserver.my.lan

Previously this worked fine if I had set "git config --global
http.sslVerify false" according to
https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html

Now I tried to solve this by adding a SubjectAltName to the HTTP/ipa.my.lan
certificate like this:

status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MY.LAN
subject: CN=ipa.my.lan,O=MY.LAN
expires: 2018-02-06 19:24:52 UTC
dns: gitserver.my.lan,ipa.my.lan
principal name: http/ipa.my@my.lan
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes

But I still get the below error:

* NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
* SSL peer has no certificate for the requested DNS name


Any ideas why?

-- john

[Freeipa-users] Samba crashes with recent F23 update

2016-01-21 Thread John Obaterspok
Hello,

I'm running F23 and now IPA fails to start due to crash in smb:


-- Unit smb.service has begun starting up.
jan 22 08:38:52 ipa.win.lan audit[7037]: ANOM_ABEND auid=4294967295 uid=0
gid=0 ses=4294967295 subj=system_u:system_r:smbd_t:s0 pid=7037 comm="smbd"
exe="/usr/sbin/smbd" sig=6
jan 22 08:38:58 ipa.win.lan systemd-coredump[7038]: Process 7037 (smbd) of
user 0 dumped core.

  Stack trace of thread 7037:
  #0  0x7f1cb7bc8a98 raise (libc.so.6)
  #1  0x7f1cb7bca69a abort (libc.so.6)
  #2  0x7f1cbb5c060c smb_panic (libsamba-util.so.0)
  #3  0x7f1cb8168675 _talloc_free (libtalloc.so.2)
  #4  0x7f1cb87a206c lpcfg_string_free (libsamba-hostconfig.so.0)
  #5  0x7f1cb87a20a5 lpcfg_string_set (libsamba-hostconfig.so.0)
  #6  0x7f1cb9541208 lp_load_ex (libsmbconf.so.0)
  #7  0x7f1cb9540d5d lp_load_ex (libsmbconf.so.0)
  #8  0x7f1cb95415c0 lp_load_initial_only (libsmbconf.so.0)
  #9  0x55df01d405fb main (smbd)
  #10 0x7f1cb7bb4580 __libc_start_main (libc.so.6)
  #11 0x55df01d41b79 _start (smbd)
-- Subject: Process 7037 (smbd) dumped core

Anyone seen this?

samba-4.3.4-0.fc23.x86_64
freeipa-server-4.2.3-1.1.fc23.x86_64

-- john

Re: [Freeipa-users] Samba Authentication progress

2015-12-30 Thread John Obaterspok
Hi Matt,

It already works fine to use kerberos ticket to access samba shares.

-- john

2015-12-28 14:01 GMT+01:00 Matt . :

> Hi guys,
>
>
> How is the progress on the Samba (Share) Authentication for FreeIPA?
>
> I hope we already have some work around to use the FreeIPA credentials
> for authing network shares.
>
> Matt
>
>

Re: [Freeipa-users] OS X Yosemite unable to authenticate

2015-12-22 Thread John Obaterspok
Hi,

Are you only having problems logging in to OSX with the IPA user
now? If that is the case then check the DNS settings you are using and make
sure the IPA server is listed first and that it has its full name. Exactly the
same problem occurred for me with the slow logins to OSX, which was due to
the DNS settings and that OSX only used the short name of the IPA server during
login (if I logged in as a local user I could ping and look up hosts using
the short name)

-- john

2015-12-21 17:49 GMT+01:00 Nicola Canepa <canep...@mmfg.it>:

> I had to configure /etc/krb5.conf, and to avoid the requested reboot, I
> did a "dscacheutil -flushcache", both as the logged in user and as root.
> I tried enabling the anonymous bind and now also the directory browser
> (and all the login process) works as expected.
>
> Nicola
>
> Il 21/12/15 17:39, Cal Sawyer ha scritto:
>
> Thanks, John and Nicola
>
> Kerberos occurred to me as well late in the day yesterday.  Happily (?),
> kinit works fine simply specifying the user in question with no need to
> suffix with the kerberos realm
>
> I did find that my test user had an expired password, which i fixed on the
> IPA server.  This was never flagged up under Linux, btw.  It has not changed
> anything, however, other than not prompting for password changes that never
> take effect.  Funnily, it expired in the midst of testing - fun.
>
> I was mistaken when i said i was unable to log in - it turns out that it
> takes almost 10 minutes for a login from the frontend to complete - i just
> didn't wait long enough.  10 mins is of course unacceptable :)  "su - user"
> and "login user" fail outright after rejecting accept any user's password
>
> DNS is fine and i can resolve ldap and kerberos SRV records from the Mac
>
> In line with Nicola's experience, i can browse groups and users in the
> Directory Editor and all attributes appear spot on.
>
> Besides modding /etc/pam.d/authorization, adding a corrected
> edu.mit.kerberos to /LibraryPreferences and setting up the directory per
> linsec.ca, can anyone think of something i may have missed?  It's a real
> shame that the documentation on this stops around 5 years ago.
>
> IPA devs: is there anything i should be on the lookout for in the dirsrv
> or krb5 logs on the IPA master?  I've disabled the secondary to prevent
> replication from clouding the log events
>
> thanks, everyone
>
> Cal Sawyer | Systems Engineer | BlueBolt Ltd
> 15-16 Margaret Street | London W1W 8RW
> +44 (0)20 7637 5575 | www.blue-bolt.com
>
> On 21/12/15 07:57, Nicola Canepa wrote:
>
> Hello, I tried 2 weeks ago from Mavericks (OSX 10.9), but I had the
> opposite problem: kinit works fine, while I'm unable to see users with
> Directory Admin (it always says it can't connect, either with or without
> SSL)
> I disabled anonymous searches in 389-ds, by the way.
>
> Nicola
>
> Il 21/12/15 07:50, John Obaterspok ha scritto:
>
> Hi Cal,
>
> Does a kinit work from a terminal? Does it work if you use "kinit user" or
> just if you use "kinit user@REALM.suffix"
>
> -- john
>
>
> 2015-12-20 15:09 GMT+01:00 Cal Sawyer <ca...@blue-bolt.com>:
>
>> Hi, all
>>
>> I'm attempting to set up LDAP auth (against IPA server 4.10) from a OSX
>> 10.10.5 (Yosemite) client
>>
>> Using the excellent instructions at
>> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server,
>> I've populated the specified files, d/l'd the cert, am able to configure
>> Users and Groups objects/attribs and browse both from within OSX's
>> Directory Utility. ldapsearch similarly returns the expected results.
>>
>> In spite of this, i'm unable to authenticate as any IPA-LDAP user on this
>> system
>>
>> dirsrv log on the ipa master shows no apparent errors - remote auth
>> attempts exit with "RESULT err=0 tag=101 nentries=1 etime=0", but tell the
>> truth, there so much stuff there and being rather inexperienced with LDAP
>> diags i might easily be missing something in the details
>>
>> The linsec.ca instructions were written in the 10.7-10.8 era so
>> something may have changed since.  Having said that, we've had no problems
>> authenticating against our existing OpenLDAP server (which IPA is slated to
>> replace) right up to 10.10.5 with no zero to our Directory Utility setup.
>>
>> Hoping someone here h

Re: [Freeipa-users] OS X Yosemite unable to authenticate

2015-12-20 Thread John Obaterspok
Hi Cal,

Does a kinit work from a terminal? Does it work if you use "kinit user" or
just if you use "kinit user@REALM.suffix"

-- john


2015-12-20 15:09 GMT+01:00 Cal Sawyer :

> Hi, all
>
> I'm attempting to set up LDAP auth (against IPA server 4.10) from a OSX
> 10.10.5 (Yosemite) client
>
> Using the excellent instructions at
> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server,
> I've populated the specified files, d/l'd the cert, am able to configure
> Users and Groups objects/attribs and browse both from within OSX's
> Directory Utility. ldapsearch similarly returns the expected results.
>
> In spite of this, i'm unable to authenticate as any IPA-LDAP user on this
> system
>
> dirsrv log on the ipa master shows no apparent errors - remote auth
> attempts exit with "RESULT err=0 tag=101 nentries=1 etime=0", but tell the
> truth, there so much stuff there and being rather inexperienced with LDAP
> diags i might easily be missing something in the details
>
> The linsec.ca instructions were written in the 10.7-10.8 era so something
> may have changed since.  Having said that, we've had no problems
> authenticating against our existing OpenLDAP server (which IPA is slated to
> replace) right up to 10.10.5 with no zero to our Directory Utility setup.
>
> Hoping someone here has some contemporary experience with OSX and IPA and
> for whom this issue rings a bell?
>
> many thanks
>
> Cal Sawyer | Systems Engineer | BlueBolt Ltd
> 15-16 Margaret Street | London W1W 8RW
> +44 (0)20 7637 5575 | www.blue-bolt.com
>
>
>

Re: [Freeipa-users] SSO Git http smart server and freeipa group authentication

2015-11-11 Thread John Obaterspok
Thanks Simo & Fraser,

Creating a .netrc file on the client computer according to the SO
postings, with the content below, made things work perfectly!
machine gitserver.my.lan  username '' password ''
machine gitserver username '' password ''

I would like to use TLS and I've made it work by turning off ssl validation
in git:
git config --global http.sslVerify false

If I would like to use ssl validation, is there some way to use a
certificate for the CNAME? Seems I can only add certificate (at least from
the UI) for a valid principal?

(I'm using freeipa-server 4.2.3 on F23)

Regards,

-- john


2015-11-08 23:55 GMT+01:00 Simo Sorce <s...@redhat.com>:

> On 08/11/15 08:07, John Obaterspok wrote:
>
>> Hello,
>>
>> Anyone got git-http-backend working with freeipa group authentication and
>> would like to share their apache .conf file?
>>
>>
>> I've tried this on the IPA server with a dummy git repository setup in
>> /opt/gitrepos/test1.git
>> gitserver.my.lan is a CNAME for ipaserver.my.lan
>>
>> First, "git clone http://gitserver.my.lan/test1.git" prompts (even
>> though I
>> have a ticket) for user+pwd but still fails.
>>
>> Any suggestions are welcome!
>>
>> -- john
>>
>>
>> 
>>
>>  DocumentRoot /opt/gitrepos
>>
>>  # semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
>>  # restorecon -R -v /opt/gitrepos
>>
>>  SetEnv GIT_PROJECT_ROOT /opt/gitrepos
>>  SetEnv GIT_HTTP_EXPORT_ALL
>>  SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
>>  ScriptAlias / /usr/libexec/git-core/git-http-backend/
>>  ServerName gitserver.my.lan
>>
>>  
>>  Options Indexes
>>  AllowOverride None
>>  Require all granted
>>  
>>
>>  
>>  Options Indexes
>>  AllowOverride None
>>  Require all granted
>>  
>>
>>  
>>  AuthType Kerberos
>>  AuthName "Kerberos Login"
>>  KrbAuthRealm MY.LAN
>>  Krb5KeyTab /etc/httpd/conf/ipa.keytab
>>  KrbMethodNegotiate on
>>  KrbMethodK5Passwd off
>>  KrbSaveCredentials on
>>  KrbVerifyKDC on
>>  KrbServiceName HTTP
>>
>>  AuthLDAPUrl
>> ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
>>  Require ldap-group cn=ipausers,dc=my,dc=lan
>>
>
> This should probably be something like:
> cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
>
> Although you should probably create a git specific group, especially if
> you want it to be a posix group that can own files (ipausers is not a posix
> group and we are actually trying to phase it out)
>
> Also you are not doing LDAP authentication, you only want to do
> authorization, and for that you may want to actually use nsswitch based
> authorization which can be cached by sssd and not a query out to LDAP for
> each connection.
> Unfortunately the basic Apache modules do not support system group
> authentication directly, so what you may do instead is to have a cron job
> that do the following:
> getent group git-users | cut -d: -f1,4 |tr ',' ' ' > /my/authorization/file
>
> And in apache have set the following directives instead of the above two:
> AuthGroupFile /my/authorization/file
> Require group git-users
>
> HTH,
> Simo
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

[Freeipa-users] SSO Git http smart server and freeipa group authentication

2015-11-08 Thread John Obaterspok
Hello,

Anyone got git-http-backend working with freeipa group authentication and
would like to share their apache .conf file?


I've tried this on the IPA server with a dummy git repository setup in
/opt/gitrepos/test1.git
gitserver.my.lan is a CNAME for ipaserver.my.lan

First, "git clone http://gitserver.my.lan/test1.git" prompts (even though I
have a ticket) for user+pwd but still fails.

Any suggestions are welcome!

-- john




DocumentRoot /opt/gitrepos

# semanage fcontext -a -t git_rw_content_t '/opt/gitrepos(/.*)?'
# restorecon -R -v /opt/gitrepos

SetEnv GIT_PROJECT_ROOT /opt/gitrepos
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
ScriptAlias / /usr/libexec/git-core/git-http-backend/
ServerName gitserver.my.lan


Options Indexes
AllowOverride None
Require all granted



Options Indexes
AllowOverride None
Require all granted



AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealm MY.LAN
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbSaveCredentials on
KrbVerifyKDC on
KrbServiceName HTTP

AuthLDAPUrl
ldap://ipaserver.my.lan:389/dc=my,dc=lan?krbPrincipalName
Require ldap-group cn=ipausers,dc=my,dc=lan
# Allow any authenticated user who is in the ipausers group to clone



Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

2015-11-06 Thread John Obaterspok
2015-11-05 17:07 GMT+01:00 John Obaterspok <john.obaters...@gmail.com>:

>
>
> 2015-11-05 12:26 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>:
>
>> On Thu, 05 Nov 2015, John Obaterspok wrote:
>>
>>> Hi,
>>>
>>> I waited a couple of days and when "dnf list freeipa-server
>>> --releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed too
>>> late that I received 4.2.2 during "dnf system-upgrade".
>>>
>>> Any ideas how to get it going again? Or is it easier to start from
>>> scratch
>>> if I only have ~ 10 IPA clients?
>>>
>> Did you already upgrade to 4.2.3? Make sure you have
>> pki-core-10.2.6-12.fc23 and freeipa 4.2.3-1.fc23, run
>> ipa-server-upgrade. It should be able to recover.
>>
>>
> Hi Alexander,
>
> Unfortunately not, it's not able to recover:
>
> #  rpm -q pki-base freeipa-server
> pki-base-10.2.6-12.fc23.noarch
> freeipa-server-4.2.3-1.fc23.x86_64
>
> (Note I have pki-base, not pki-core... but I guess that was what you meant)
>
> #  ipa-server-upgrade
> session memcached servers not running
> Missing version: no platform stored
> Upgrading IPA:
>   [1/8]: saving configuration
>   [2/8]: disabling listeners
>   [3/8]: enabling DS global lock
>   [4/8]: starting directory server
>   [error] CalledProcessError: Command ''/bin/systemctl' 'start'
> 'dirsrv@MY-LAN.service'' returned non-zero exit status 1
>   [cleanup]: stopping directory server
>   [cleanup]: restoring configuration
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
> ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> CalledProcessError: Command ''/bin/systemctl' 'start'
> 'dirsrv@MY-LAN.service'' returned non-zero exit status 1
>
> ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] - Cannot find parent
> attribute type "ipaPublicKey"
> ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] dse_read_one_file - The entry
> cn=schema in file /etc/dirsrv/slapd-MY-LAN/schema/99user.ldif (lineno: 1)
> is invalid, error code 21 (
> ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] dse - Please edit the file to
> correct the reported problems and then restart the server.
> systemd[1]: dirsrv@MY-LAN.service: Control process exited, code=exited
> status=1
>
> # 99user.ldif first lines has the following
> dn: cn=schema
> objectclass: top
> objectclass: ldapSubentry
> objectclass: subschema
> cn: schema
> aci: (target="ldap:///cn=schema;)(targetattr !="aci")(version 3.0;acl
> "anonymous, no acis"; allow (read, search, compare) userdn =
> "ldap:///anyone;;)
> modifiersname: cn=Directory Manager
>
>
> Any ideas?
>
> -- john
>

I just found
https://fedoraproject.org/wiki/Common_F23_bugs#freeipa-upgrade-fail which
allowed me to run freeipa-server-upgrade successfully.
Just a note:

It says "Find the entry (split across three lines) that starts attributeTypes:
( 2.16.840.1.113730.3.8.18.2.3 NAME 'ipaVaultPublicKey'"

However, it's all on one line without spaces.
Then make sure the text you replace it with doesn't have extra spaces. It should be
DESC 'IPA... & ...1466.115.121...

Thanks!

-- john

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

2015-11-05 Thread John Obaterspok
Hi,

I waited a couple of days and when "dnf list freeipa-server
--releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed too
late that I received 4.2.2 during "dnf system-upgrade".

Any ideas how to get it going again? Or is it easier to start from scratch
if I only have ~ 10 IPA clients?

-- john


2015-11-03 8:44 GMT+01:00 Martin Kosek :

> On 11/02/2015 05:48 PM, Martin Kosek wrote:
> > Hello everyone,
> >
> > Fedora 23 with the new and shiny FreeIPA 4.2 will be out tomorrow. The
> release
> > adds a lot of new exciting functionality and we are eager to hear your
> thoughts
> > on the release [1].
> >
> > Unfortunately, the FreeIPA upgrade on Fedora 23 is broken at the moment
> and
> > fails on updating the LDAP schema. The problem is tracked in Red Hat
> Bugzilla
> > [2]. The problem is fixed in upstream project, the development team is
> now
> > working on releasing FreeIPA upstream release 4.2.3 ASAP and also
> publishing it
> > as a 0-day update for Fedora 23. This situation should be resolved within
> > a couple of days, when the released build hits the official Fedora repos and
> mirrors.
> >
> > Until the fixed FreeIPA version is released and in the Fedora repos,
> please
> > wait with updating your existing FreeIPA installation.
> >
> > We will keep you posted. We are very sorry for the inconvenience.
> >
> > [1] http://www.freeipa.org/page/Releases/4.2.0
> > [2] https://bugzilla.redhat.com/show_bug.cgi?id=1274905
> >
>
> The respective F23 updates are now heading to testing repo:
>
> FreeIPA: https://bodhi.fedoraproject.org/updates/FEDORA-2015-4d94884a7e
> pki-core: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f12c332a2f
>
> Martin
>

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

2015-11-05 Thread John Obaterspok
2015-11-05 12:26 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Thu, 05 Nov 2015, John Obaterspok wrote:
>
>> Hi,
>>
>> I waited a couple of days and when "dnf list freeipa-server
>> --releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed too
>> late that I received 4.2.2 during "dnf system-upgrade".
>>
>> Any ideas how to get it going again? Or is it easier to start from scratch
>> if I only have ~ 10 IPA clients?
>>
> Did you already upgrade to 4.2.3? Make sure you have
> pki-core-10.2.6-12.fc23 and freeipa 4.2.3-1.fc23, run
> ipa-server-upgrade. It should be able to recover.
>
>
Hi Alexander,

Unfortunately not, it's not able to recover:

#  rpm -q pki-base freeipa-server
pki-base-10.2.6-12.fc23.noarch
freeipa-server-4.2.3-1.fc23.x86_64

(Note I have pki-base, not pki-core... but I guess that was what you meant)

#  ipa-server-upgrade
session memcached servers not running
Missing version: no platform stored
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [error] CalledProcessError: Command ''/bin/systemctl' 'start'
'dirsrv@MY-LAN.service'' returned non-zero exit status 1
  [cleanup]: stopping directory server
  [cleanup]: restoring configuration
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command ''/bin/systemctl' 'start' 'dirsrv@MY-LAN.service''
returned non-zero exit status 1

ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] - Cannot find parent attribute
type "ipaPublicKey"
ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] dse_read_one_file - The entry
cn=schema in file /etc/dirsrv/slapd-MY-LAN/schema/99user.ldif (lineno: 1)
is invalid, error code 21 (
ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] dse - Please edit the file to
correct the reported problems and then restart the server.
systemd[1]: dirsrv@MY-LAN.service: Control process exited, code=exited
status=1

# 99user.ldif first lines has the following
dn: cn=schema
objectclass: top
objectclass: ldapSubentry
objectclass: subschema
cn: schema
aci: (target="ldap:///cn=schema;)(targetattr !="aci")(version 3.0;acl
"anonymous, no acis"; allow (read, search, compare) userdn =
"ldap:///anyone;;)
modifiersname: cn=Directory Manager


Any ideas?

-- john
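
The failure in this thread is ns-slapd rejecting cn=schema because one attributeTypes value in 99user.ldif names a SUP (ipaPublicKey) that nothing loaded before it defines. The checker below is an example added to this archive, not FreeIPA or 389-ds code: it unfolds LDIF continuation lines (the wiki describes the entry split across three lines, John found it on one), extracts every attribute type's NAME and SUP, and lists the ones whose parent is defined in none of the files given, so a hand edit to 99user.ldif can be verified before restarting dirsrv. The sample schema text, the placeholder OID 0.9.9.9.1 and the command-line usage are constructed for the example; only the ipaVaultPublicKey OID comes from the thread.

```python
"""Report attributeTypes in a 389-ds schema LDIF whose SUP parent is undefined.

Example added to this archive, not FreeIPA or 389-ds code. Usage:
    python3 check_schema_sups.py /etc/dirsrv/slapd-MY-LAN/schema/99user.ldif \
        /etc/dirsrv/slapd-MY-LAN/schema/[0-9]*.ldif
"""
import re
import sys

# LDIF folds long values onto continuation lines that begin with one space;
# join them so each attributeTypes value is one logical line (the thread saw
# the entry on one line, other writers split it across three).
def unfold_ldif(text):
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

ATTR_RE = re.compile(r"^attributeTypes:\s*\((.*)\)\s*$", re.IGNORECASE)
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(((?:\s*'[^']+')+)\s*\))")
SUP_RE = re.compile(r"\bSUP\s+'?([A-Za-z][A-Za-z0-9-]*)'?")

def parse_attribute_types(text):
    """Map each attribute type name (lower-cased) to its SUP name or None."""
    defined = {}
    for line in unfold_ldif(text):
        m = ATTR_RE.match(line)
        if not m:
            continue
        # Drop the DESC string first so a description containing the word
        # SUP cannot be mistaken for the superior-type keyword.
        body = re.sub(r"\bDESC\s+'[^']*'", "", m.group(1))
        names = NAME_RE.search(body)
        if not names:
            continue
        if names.group(1):
            name_list = [names.group(1)]
        else:
            name_list = re.findall(r"'([^']+)'", names.group(2))
        sup = SUP_RE.search(body)
        for name in name_list:
            defined[name.lower()] = sup.group(1).lower() if sup else None
    return defined

def find_dangling_sups(user_schema, *base_schemas):
    """(name, sup) pairs from user_schema whose SUP is defined in no file given."""
    user = parse_attribute_types(user_schema)
    known = set(user)
    for base in base_schemas:
        known.update(parse_attribute_types(base))
    return sorted((n, s) for n, s in user.items() if s and s not in known)

# Constructed sample in the shape of 99user.ldif. The ipaVaultPublicKey OID is
# the one named in the thread; the value is folded the way LDIF writers emit it.
SAMPLE_99USER = """dn: cn=schema
objectclass: top
objectclass: ldapSubentry
objectclass: subschema
cn: schema
attributeTypes: ( 2.16.840.1.113730.3.8.18.2.3 NAME 'ipaVaultPublicKey' DESC '
 IPA vault public key' SUP ipaPublicKey EQUALITY octetStringMatch SYNTAX 1.3.6
 .1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
"""

# Constructed stand-in for a base schema file that defines the parent type.
# The OID 0.9.9.9.1 is a placeholder, not a real IPA OID.
SAMPLE_BASE = """dn: cn=schema
attributeTypes: ( 0.9.9.9.1 NAME 'ipaPublicKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
"""

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(__doc__)
    with open(sys.argv[1]) as f:
        user_text = f.read()
    base_texts = []
    for path in sys.argv[2:]:
        with open(path) as f:
            base_texts.append(f.read())
    for name, sup in find_dangling_sups(user_text, *base_texts):
        print(f"{name}: SUP {sup} is not defined in any given schema file")
```

Run it with 99user.ldif first and the instance's numbered schema files after it. A SUP reported as undefined while the parent visibly exists in another file points at stray whitespace or quoting inside the value, which is what the note above about extra spaces is about: "SUP ipa PublicKey" parses as a parent called "ipa".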

Re: [Freeipa-users] IDM/ipa slow login

2015-08-13 Thread John Obaterspok
Hi Seli,

In /etc/sssd/sssd.conf add below:
 selinux_provider=none
to the domain section. Then restart sssd.

-- john


2015-08-13 16:23 GMT+02:00 seli irithyl seli.irit...@gmail.com:

 Here's the sssd_domain log part during an ssh

 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info]
 (0x0200): Got request for [0x3][1][name=test]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain]
 (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_initgr_next_base] (0x0400): Searching for users with base
 [cn=accounts,dc=bioinf,dc=local]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
 [((uid=test)(objectclass=posixAccount)((uidNumber=*)(!(uidNumber=0][cn=accounts,dc=bioinf,dc=local].
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
 errmsg set
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Save user
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_primary_name] (0x0400): Processing object test
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Processing user test
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Adding original memberOf attributes to [test].
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Adding user principal [test@BIOINF.LOCAL] to attributes of
 [test].
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Storing info for user test
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_primary_name] (0x0400): Processing object test
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
 [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
 errmsg set
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
 [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
 errmsg set
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_primary_name] (0x0400): Processing object ipausers
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_primary_name] (0x0400): Processing object bioinfo
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_groups_next_base] (0x0400): Searching for groups with base
 [cn=accounts,dc=bioinf,dc=local]
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
 [((gidNumber=1713400050)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)((gidNumber=*)(!(gidNumber=0][cn=accounts,dc=bioinf,dc=local].
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
 errmsg set
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_primary_name] (0x0400): Processing object test
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group]
 (0x0400): Processing group test
 (Thu Aug 13 15:22:32 

Re: [Freeipa-users] login delay with sssd

2015-06-02 Thread John Obaterspok
2015-06-02 12:11 GMT+02:00 Jakub Hrozek jhro...@redhat.com:

 On Tue, Jun 02, 2015 at 10:28:29AM +0100, Ivars Strazdiņš wrote:
 
 
 
  With kind regards,
  Ivars Strazdiņš
 
   On 2. jūn. 2015, at 07:21, Lukas Slebodnik lsleb...@redhat.com
 wrote:
  
   How many groups does problematic user have?
 
  I can call any user problematic, because all have login delays.
  siteadmin user, being able to login via ssh, probably has the most groups
 - 4. Doesn’t seem too many, does it?
 
  siteadmin@mail:~$ id
  uid=9268000XX(siteadmin) gid=9268000XX(siteadmin)
 groups=9268000XX(siteadmin),9268Y(vpnusers),9268Z(mailusers),9268W(scanned)
 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 
  I have sssd-1.12.2 installed as per Centos 7.1.
  I will have to wait until 1.12.4 or 5 is coming down the pipe with
 Centos updates.

 We plan on 7.1.z update, but with different bugzillas.

 Then we plan on putting 1.13 to 7.2

  Hopefully that will resolve or mitigate the issue.
  I cannot create mess by putting Fedora updates into Centos, not sure if
 that's even possible.

 Lukas keeps the 1.12 branch builds in his COPR repo, maybe those would
 be easier to test for you?


Isn't there also the option to disable the selinux context in sssd.conf, just
to check that it does have an effect? I don't remember what that option was.

--- john

[Freeipa-users] OSX login very slow

2015-05-25 Thread John Obaterspok
Hello,

I'm using OSX 10.10.3 (Yosemite) and I've followed the Freeipa/OSX guide at
linsec.ca.
I can do the following with very fast response time:
- id ipauser on osx host
- klist/kdestroy/kinit a ticket
- ssh via SSO to ipaserver with this ticket
- ping osxhost and osxhost.local from ipaserver
- lookup users in OSX directory app
- IPA server has green light in OSX network account server

The thing that fails for me is login from OSX login window. Well, it
doesn't fail but it took 12 minutes for an IPA user to login.

Any ideas what to look for?

-- john

Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-11 Thread John Obaterspok
I have about the same setup:

This is the setup (everything is up-to-date):
- ipa-server: F21, ipa-server 4.1, samba 4.1
- win-client: Windows 7 Home Premium

I tried to enroll the win-client in the domain but failed on the windows
side due to home editions not being able to join a domain.
But I can still access shares from the win-client by user/pwd

The only difference in my setup is that I use samba server on the
ipa-server itself.

-- john

2015-05-10 19:02 GMT+02:00 Jakub Hrozek jhro...@redhat.com:

 On Thu, May 07, 2015 at 03:30:06PM +0100, Dylan Evans wrote:
  By coincidence I posted a very similar question yesterday -
  https://www.redhat.com/archives/freeipa-users/2015-May/msg00103.html.
 
  +1 for the necessary support for out-of-domain Windows clients and
 NTLMSSP.
 
  Is there a time-table for this?

 It is a nice-to-have feature for the next SSSD version (1.13, this
  summer),
 but my hopes are not high that we're going to make it. I think 1.14 is more
 realistic.


Re: [Freeipa-users] Ticket delegation

2015-04-24 Thread John Obaterspok
2015-04-24 17:47 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

 John Obaterspok wrote:
  Hello,
 
  I'm on F21 and if I login to my workstation I can then sso using ssh to
  > host X. But then I'm also able to sso from x -> y.
 
  If I'm on x and issue klist I see this:
  klist: No credentials cache found (ticket cache FILE:/tmp/krb5
 
  Should I really be able to do this?
 
  --- john
 
 

 Did you add your ssh pubkey? ssh -vv will show you the auth method that
 it is using.


Of course, I just forgot about it :)
For the record, gssapi-with-mic was the auth method.


 FILE:/tmp/krb5 is a rather odd place to store the ccache too. On F21 it
 should be using KEYRING:persistent:uid:gid


The host that I ssh'ed into had F20.

Thanks Rob!

-- john

Re: [Freeipa-users] Slow user logon with IPA

2015-04-20 Thread John Obaterspok
2015-04-15 15:08 GMT+02:00 Lukas Slebodnik lsleb...@redhat.com:

 On (15/04/15 08:53), Jakub Hrozek wrote:
 I pushed the selinux performance patches upstream yesterday. They will
 make
 their way to 7.2, 6.7 and I guess Lukas might also cherry-pick them for
 Fedora.
 
 Packages for fedora 21,22 are built.
  You just need to wait until they are available in updates testing
 or you can download packages from koji.

 https://admin.fedoraproject.org/updates/sssd-1.12.4-4.fc22
 https://admin.fedoraproject.org/updates/sssd-1.12.4-3.fc21

 Please test and provide karma.



Karma provided.

For my setup I'm finally back to the 3-4 seconds login time for a user with
only a handful of groups.
Thanks!

-- john

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-05 Thread John Obaterspok
Hi Dan,

I had a problem that login time increased by ~15 seconds from F20 -> F21.
That was worked around by adding selinux_provider = none to the domain
section in /etc/sssd/sssd.conf

Have you checked that dns lookups + reverse lookups work on the ipa server?
Is id -G the_user_name and is the user_name_name slow or fast?
Did you check https://fedorahosted.org/sssd/wiki/Troubleshooting +


-- john

2015-04-05 6:10 GMT+02:00 Dan Mossor danofs...@gmail.com:

 I've recently deployed a new domain based on 4.1.2 in F21. We've noticed
 an issue and can't quite seem to nail it down. The problem is that logins
 are taking an inordinate amount of time to complete - the fastest logon we
 can get using LDAP credentials is 8 seconds. During our testing, even
 logons to the IPA server itself took over 30 seconds to complete.

 I've narrowed this down to sssd, but that is as far as I can get. When
 cranking up debugging for sshd and PAM, I see a minimum 2 second delay
 between ssh handing off the authentication request to sssd and the reply
 back. The only troubleshooting I've done is with ssh, but the area that
 causes the most grief is Apache logins. We configured Apache to use PAM for
 auth through IPA, vice directly calling IPA itself. Logging in to our
 Redmine site takes users a minimum of 34 seconds to complete. Following
 this, a simple webpage containing two hyperlinks and two small thumbnail
 images takes over a minute to load on a gigabit network.

 The *only* thing changed in this environment was the IPA server. We moved
 the Redmine from our old network that was using IPA 3.x (F20 branch) to the
 new one. My initial reaction was that it was the VM that was hosting
 Redmine, but we've run these tests against bare metal machines in the same
 network and have the same issue. It appears that sssd is taking a very,
 very long time to talk to FreeIPA - even on the IPA server itself.

 However, Kerberos logins into the IPA web GUI are near instantaneous,
 while Username/Password logins take more than a few seconds.

 I need to get this solved. My developers don't appreciate the glory days
 of XP taking 5 minutes to log into an IIS 2.1 web server on the local
 network. I don't have the budget to keep them at the coffee pot waiting on
 the network. So, what further information do you need from me to track this
 one down?

 Dan

 --
 Dan Mossor
 Systems Engineer at Large
 Fedora KDE WG | Fedora QA Team | Fedora Server SIG
 Fedora Infrastructure Apprentice
 FAS: dmossor IRC: danofsatx
 San Antonio, Texas, USA

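
Three replies on this page (the "IDM/ipa slow login" reply, the "login delay with sssd" reply and the message just above) reach for the same workaround, selinux_provider = none in the [domain/...] section of /etc/sssd/sssd.conf. The script below is an example added here, not SSSD or FreeIPA code; it makes that edit safely, replacing an existing assignment rather than appending a second one, leaving every other section and comment alone, and reading the value back for verification. Keep the trade-off in mind: with selinux_provider = none the client no longer fetches SELinux user maps from IPA, so logins get the system's default SELinux user instead of the mapping defined centrally, which is why the sssd 1.12.4 builds with the performance patches (the "Slow user logon with IPA" reply on this page) are the better fix. The sample configuration and the domain name my.lan are constructed.

```python
"""Set an option in one [domain/...] section of sssd.conf.

Example added to this archive, not SSSD or FreeIPA code. It edits the file as
text so comments and other sections survive, replaces an existing assignment
instead of appending a duplicate, and leaves the file's mode untouched (SSSD
refuses an sssd.conf that is not 0600 root:root). Usage:
    python3 set_sssd_domain_option.py /etc/sssd/sssd.conf my.lan
"""
import re
import sys

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")

def _insert_before_trailing_blanks(lines, new_line):
    """Put new_line at the end of the current section, above its blank tail."""
    i = len(lines)
    while i > 0 and not lines[i - 1].strip():
        i -= 1
    lines.insert(i, new_line)

def set_domain_option(conf_text, domain, option, value):
    """Return conf_text with `option = value` in [domain/<domain>]."""
    target = f"domain/{domain}"
    key_re = re.compile(rf"^\s*{re.escape(option)}\s*=", re.IGNORECASE)
    out, in_target, seen_target, done = [], False, False, False
    for line in conf_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            if in_target and not done:
                # Leaving the target section without having seen the key.
                _insert_before_trailing_blanks(out, f"{option} = {value}")
                done = True
            in_target = header.group("name").strip() == target
            seen_target = seen_target or in_target
        elif in_target and key_re.match(line):
            if done:
                continue  # drop a duplicate assignment
            line = f"{option} = {value}"
            done = True
        out.append(line)
    if not done:
        if seen_target:
            _insert_before_trailing_blanks(out, f"{option} = {value}")
        else:
            if out and out[-1].strip():
                out.append("")
            out.extend([f"[{target}]", f"{option} = {value}"])
    return "\n".join(out) + "\n"

def get_domain_option(conf_text, domain, option):
    """Value of `option` in [domain/<domain>], or None if unset."""
    target = f"domain/{domain}"
    in_target = False
    for line in conf_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            in_target = header.group("name").strip() == target
            continue
        if in_target and "=" in line:
            key, val = line.split("=", 1)
            if key.strip().lower() == option.lower():
                return val.strip()
    return None

# Constructed client configuration for the realm used in the thread.
SAMPLE_SSSD_CONF = """[sssd]
domains = my.lan
services = nss, pam, ssh, sudo
config_file_version = 2

[domain/my.lan]
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipaserver.my.lan
cache_credentials = True

[nss]
homedir_substring = /home
"""

if __name__ == "__main__":
    path, domain = sys.argv[1], sys.argv[2]
    with open(path) as f:
        updated = set_domain_option(f.read(), domain, "selinux_provider", "none")
    with open(path, "w") as f:   # truncating in place keeps the 0600 mode and owner
        f.write(updated)
    print("now run: systemctl restart sssd")
```

To undo the workaround once a fixed sssd is installed, call set_domain_option with the value "ipa" (the default for an IPA domain) or delete the line; the function replaces the existing assignment either way.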

Re: [Freeipa-users] Fedora 20 upstream repo ipa-server-install fails

2015-03-25 Thread John Obaterspok
Hi Jan,

See:
https://www.redhat.com/archives/freeipa-users/2015-February/msg00131.html
https://www.redhat.com/archives/freeipa-users/2014-October/msg00362.html

-- john

2015-03-24 17:58 GMT+01:00 Jan Pazdziora jpazdzi...@redhat.com:


 Hello,

 after enabling


 https://copr.fedoraproject.org/coprs/mkosek/freeipa/repo/fedora-20/mkosek-freeipa-fedora-20.repo

 I've installed

 freeipa-server bind bind-dyndb-ldap

 and run

 ipa-server-install --domain example.test

 The process failed at

   [3/7]: setting up kerberos principal
   [4/7]: setting up SoftHSM
   [error] CalledProcessError: Command ''/usr/bin/softhsm2-util'
 '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' 
 '--so-pin' ' returned non-zero exit status 1
 Unexpected error - see /var/log/ipaserver-install.log for details:
 CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token'
 '--slot' '0' '--label' 'ipaDNSSEC' '--pin'  '--so-pin' '
 returned non-zero exit status 1

 and the log file ends with

 2015-03-24T16:49:51Z DEBUG Saving SO PIN to /etc/ipa/dnssec/softhsm_pin_so
 2015-03-24T16:49:51Z DEBUG Initializing tokens
 2015-03-24T16:49:51Z DEBUG Starting external process
 2015-03-24T16:49:51Z DEBUG args='/usr/bin/softhsm2-util' '--init-token'
 '--slot' '0' '--label' 'ipaDNSSEC' '--pin'  '--so-pin' 
 2015-03-24T16:49:51Z DEBUG Process finished, return code=1
 2015-03-24T16:49:51Z DEBUG stdout=
 2015-03-24T16:49:51Z DEBUG stderr=ERROR: Could not load the library.

 2015-03-24T16:49:51Z DEBUG Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 382, in start_creation
 run_step(full_msg, method)
   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 372, in run_step
 method()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py,
 line 293, in __setup_softhsm
 ipautil.run(command, nolog=(pin, pin_so,))
   File /usr/lib/python2.7/site-packages/ipapython/ipautil.py, line 346,
 in run
 raise CalledProcessError(p.returncode, arg_string, stdout)
 CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token'
 '--slot' '0' '--label' 'ipaDNSSEC' '--pin'  '--so-pin' '
 returned non-zero exit status 1

 2015-03-24T16:49:51Z DEBUG   [error] CalledProcessError: Command
 ''/usr/bin/softhsm2-util' '--init-token' '--slot' '0' '--label' 'ipaDNSSEC'
 '--pin'  '--so-pin' ' returned non-zero exit status 1
 2015-03-24T16:49:51Z DEBUG   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line
 642, in run_script
 return_value = main_function()

   File /usr/sbin/ipa-server-install, line 1302, in main
 dnskeysyncd.create_instance(api.env.host, api.env.realm)

   File
 /usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py,
 line 146, in create_instance
 self.start_creation()

   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 382, in start_creation
 run_step(full_msg, method)

   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 372, in run_step
 method()

   File
 /usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py,
 line 293, in __setup_softhsm
 ipautil.run(command, nolog=(pin, pin_so,))

   File /usr/lib/python2.7/site-packages/ipapython/ipautil.py, line 346,
 in run
 raise CalledProcessError(p.returncode, arg_string, stdout)

 2015-03-24T16:49:51Z DEBUG The ipa-server-install command failed,
 exception: CalledProcessError: Command ''/usr/bin/softhsm2-util'
 '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' 
 '--so-pin' ' returned non-zero exit status 1

 I've found discussion at


 https://www.redhat.com/archives/freeipa-users/2014-October/msg00362.html

 which seems related but it seems the issue is back or was never
 properly addressed.

 Attempt to run the command manually fails as well:

 # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf /usr/bin/softhsm2-util
 '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' 
 '--so-pin' 
 ERROR: Could not load the library.

 I see the same bug both on host and in container.

 --
 Jan Pazdziora
 Principal Software Engineer, Identity Management Engineering, Red Hat

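
ipa-server-install stops here because softhsm2-util cannot load a library before it ever touches the token. The diagnostic below is an example added to this archive, not FreeIPA or SoftHSM code: it reads the softhsm2.conf the installer points at, checks that the token directory exists and is writable, and loads the PKCS#11 module through ctypes to confirm it exposes C_GetFunctionList and that the call returns CKR_OK, which separates the "file missing", "shared object will not load" and "not a PKCS#11 module" cases. The module path /usr/lib64/pkcs11/libsofthsm2.so and the token directory in the sample are assumptions, not values taken from the thread.

```python
"""Diagnose a softhsm2 token setup before running softhsm2-util --init-token.

Example added to this archive; it is not FreeIPA or SoftHSM code. Usage:
    python3 check_softhsm.py /etc/ipa/dnssec/softhsm2.conf [/path/to/libsofthsm2.so]
"""
import ctypes
import os
import sys

# Assumed default location of the SoftHSM PKCS#11 module; not from the thread.
DEFAULT_MODULE = "/usr/lib64/pkcs11/libsofthsm2.so"

def parse_softhsm_conf(text):
    """softhsm2.conf is 'key = value' lines; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def probe_pkcs11_module(path):
    """Classify a PKCS#11 module: missing, not-loadable, no-pkcs11-entrypoint,
    entrypoint-failed or ok. Loads the shared object but initialises nothing."""
    if os.sep in path and not os.path.exists(path):
        return "missing"
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return "not-loadable"
    try:
        get_list = lib.C_GetFunctionList
    except AttributeError:
        return "no-pkcs11-entrypoint"
    # CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR); CKR_OK is 0.
    get_list.restype = ctypes.c_ulong
    get_list.argtypes = [ctypes.POINTER(ctypes.c_void_p)]
    table = ctypes.c_void_p()
    rv = get_list(ctypes.byref(table))
    return "ok" if rv == 0 and table.value else "entrypoint-failed"

def check_softhsm(conf_text, module_path=DEFAULT_MODULE):
    """Findings a practitioner would check before initialising the token."""
    conf = parse_softhsm_conf(conf_text)
    tokendir = conf.get("directories.tokendir")
    return {
        "tokendir": tokendir,
        "tokendir_writable": bool(tokendir) and os.access(tokendir, os.W_OK),
        "backend": conf.get("objectstore.backend", "file"),
        "module": probe_pkcs11_module(module_path),
    }

# Constructed sample in the shape of a softhsm2.conf; the token directory is
# an assumption for the example.
SAMPLE_CONF = """# SoftHSM v2 configuration file
directories.tokendir = /var/lib/ipa/dnssec/tokens
objectstore.backend = file
log.level = INFO
"""

if __name__ == "__main__":
    conf_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ipa/dnssec/softhsm2.conf"
    module = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_MODULE
    with open(conf_path) as f:
        for key, value in check_softhsm(f.read(), module).items():
            print(f"{key}: {value}")
```

Run it with the same SOFTHSM2_CONF the installer used; a result of "not-loadable" with an existing file usually means a missing dependency of the module, which `ldd` on the path will name.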

Re: [Freeipa-users] F21 update fails to start dirsrv due to missing libdes

2015-02-27 Thread John Obaterspok
setup-ds.pl --update corrected things for me.

Thanks for the information!

-- john

2015-02-27 14:31 GMT+01:00 Ludwig Krispenz lkris...@redhat.com:

  libdes was replaced by libpbe, see ticket:
 https://fedorahosted.org/389/ticket/4746

  During the postinstall of the upgrade the DES config in the dse.ldif
  should be changed. There have been cases where the postinstall scripts were
  not properly executed.
 Could you stop your DS and run:

 setup-ds.pl --update

 if it still is not corrected, try
 setup-ds.pl -ddd --update


 On 02/27/2015 01:07 PM, John Obaterspok wrote:

 Hello,

  Anyone seen this after updating to 389-ds-base-1.3.3.8-1.fc21.x86_64

  Netscape Portable Runtime error -5977:
 /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file:
 No such file or directory
 Could not open library /usr/lib64/dirsrv/plugins/libdes-plugin.so for
 plugin DES

  # rpm -ql 389-ds-base  | grep libdes | wc -l
 0

  -- john





[Freeipa-users] F21 update fails to start dirsrv due to missing libdes

2015-02-27 Thread John Obaterspok
Hello,

Anyone seen this after updating to 389-ds-base-1.3.3.8-1.fc21.x86_64

Netscape Portable Runtime error -5977:
/usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file:
No such file or directory
Could not open library /usr/lib64/dirsrv/plugins/libdes-plugin.so for
plugin DES

# rpm -ql 389-ds-base  | grep libdes | wc -l
0

-- john
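
The start-up error in this thread is ns-slapd resolving nsslapd-pluginPath for an enabled plugin to a shared object that the updated package no longer ships. The script below is an example added here, not 389-ds or FreeIPA code: it walks the entries of dse.ldif, resolves each plugin path the way the server does (a bare name becomes <plugin dir>/<name>.so, an absolute path is used as-is), and reports enabled plugins whose library is absent, so an instance can be checked before it is started after an upgrade. The plugin directory is the one in the error message; the dse.ldif fragment is constructed, and the `exists` parameter is there so the check can be exercised without real files.

```python
"""List enabled 389-ds plugins whose shared object is not on disk.

Example added to this archive, not 389-ds or FreeIPA code. Usage:
    python3 check_dse_plugins.py /etc/dirsrv/slapd-MY-LAN/dse.ldif
"""
import os
import sys

PLUGIN_DIR = "/usr/lib64/dirsrv/plugins"   # from the error message in the thread

def parse_ldif_entries(text):
    """Yield {attr_lower: [values]} per entry; continuation lines are unfolded."""
    entry, last = {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:
            entry[last][-1] += raw[1:]
            continue
        if not raw.strip():
            if entry:
                yield entry
            entry, last = {}, None
            continue
        if raw.startswith("#") or ":" not in raw:
            continue
        attr, value = raw.split(":", 1)
        last = attr.strip().lower()
        entry.setdefault(last, []).append(value.strip())

def resolve_plugin_path(plugin_path, plugin_dir=PLUGIN_DIR):
    """ns-slapd loads an absolute path as-is; otherwise <plugin_dir>/<name>.so."""
    if os.path.isabs(plugin_path):
        return plugin_path
    if not plugin_path.endswith(".so"):
        plugin_path += ".so"
    return os.path.join(plugin_dir, plugin_path)

def missing_plugins(dse_text, plugin_dir=PLUGIN_DIR, exists=os.path.exists):
    """(plugin cn, resolved path) for enabled plugins whose library is absent.
    `exists` is injectable so the check can run against a constructed sample."""
    found = []
    for entry in parse_ldif_entries(dse_text):
        if "nsslapd-pluginpath" not in entry:
            continue
        if entry.get("nsslapd-pluginenabled", ["on"])[0].lower() != "on":
            continue
        path = resolve_plugin_path(entry["nsslapd-pluginpath"][0], plugin_dir)
        if not exists(path):
            found.append((entry.get("cn", ["?"])[0], path))
    return found

# Constructed dse.ldif fragment: the first entry mirrors the failing DES plugin
# from the thread, the second its libpbe replacement, the third a disabled
# plugin that must be ignored even though its library is absent.
SAMPLE_DSE = """dn: cn=DES,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
cn: DES
nsslapd-pluginPath: libdes-plugin
nsslapd-pluginEnabled: on

dn: cn=AES,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
cn: AES
nsslapd-pluginPath: libpbe-plugin
nsslapd-pluginEnabled: on

dn: cn=Example disabled,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
cn: Example disabled
nsslapd-pluginPath: /opt/example/libexample-plugin.so
nsslapd-pluginEnabled: off
"""

if __name__ == "__main__":
    dse_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/dirsrv/slapd-MY-LAN/dse.ldif"
    with open(dse_path) as f:
        for cn, lib in missing_plugins(f.read()):
            print(f"plugin {cn}: {lib} not found")
```

A plugin listed here is exactly what the setup-ds.pl --update step above rewrites; if the list is still non-empty after the update, the remaining entries are the ones to fix or disable by hand with the server stopped.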

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-14 Thread John Obaterspok
2015-01-12 10:13 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:

 On Mon, 12 Jan 2015, John Obaterspok wrote:

 2015-01-11 16:33 GMT+01:00 Jakub Hrozek jhro...@redhat.com:

  On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
  2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com
 :
 
   To get the whole root environment you have to run
   su - root
   did you try with it?
  
 
  ahh... that works fine Gianluca!
 
  Final question, if I have a file on the share like:
   [john@ipaserver mountpoint]$ ll test.txt
   -rwxr-. 1 root admins 12 11 jan 10.42 test.txt
 
   Should I be able to access it if I acquire an admin ticket? Currently I
 get
  Permission denied
 
  [john@ipaserver mountpoint]$ id
  uid=143444(john) gid=143444(john) grupper=143444(john)
  context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 
  [john@ipaserver mountpoint]$ getfacl test.txt
  # file: test.txt
  # owner: root
  # group: admins
  user::rwx
  group::r--
  other::---
 
  [john@ipaserver mountpoint]$ id admin
  uid=143440(admin) gid=143440(admins) groups=143440(admins)
 
  [john@ipaserver mountpoint]$ klist
  Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
  Default principal: ad...@my.lan
 
  Valid starting   Expires  Service principal
  2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan
 
  [john@ipaserver mountpoint]$ cat test.txt
  cat: test.txt: Permission denied

 Looks like your account needs to be in the 'admins' group in order to
 access the file.

 Acquiring the admin ticket doesn't switch the user ID nor add you to the
 group..


   I thought the krb5 mount option would allow ticket-based access to the
 file.
 Is the purpose of the krb5 mount option just used during mounting of the
 share? Otherwise I see no difference compared to not using krb5 mount
 option!?

 Its purpose is authentication. After you have been successfully
 recognized by the server, both client and server need to map your
 identity while authorizing your access to actual files.

 In CIFS there are two types of access control which are applied at the
 same time:
 - ACLs per file or directory
 - POSIX access control based on uid/gid of a process that accesses the
   file or directory

 Client-side checks in cifs.ko can be switched off by noperm option. In
 this case server side will be doing actual access enforcement, using the
 uid/gid mapped on the server side (based on the Kerberos principal),
 unless CIFS Unix Extensions were negotiated between cifs.ko and the
 server. In the latter case client will pass uid/gid of a client to the
 server and server will do the actual check using them instead of
 discovering them based on the authentication token.

 In case where there is a common identity store in use with Kerberos, it
 is often better to use cifs.ko option multiuser which will imply noperm
 and server will be doing all the checks.


Simo also added that you need to pass the 'multiuser' option at mount time
for that; the default for cifs.ko is still to just use the mount credentials.

Well, I was actually using multiuser in the original test where I got
permission denied, but there is something weird going on.

mount -t cifs //ipaserver.MY.LAN/Share -o sec=krb5,multiuser mountpoint (I
also tried -o sec=krb5,multiuser,cache=none)

Anyway, it works if I do the mount as root and then, as user john, get the
admin ticket *before* going to the share. Then it doesn't matter if I do
kdestroy, I can still access a file that would require an admin ticket.
If I remount the share and go to the share as john without an admin ticket I
can't access a file that would require an admin ticket. If I then get an admin
ticket I'm still not able to access the file.

[john@ipaserver mountpoint]$ ll test.txt
-rwxr-. 1 root admins 12 11 jan 10.42 test.txt

[john@ipaserver mountpoint]$ cat test.txt
Hello World

[john@ipaserver mountpoint]$ id john
uid=143444(john) gid=143444(john)
groups=143444(john),1434400010(mediafiles)

[john@ipaserver mountpoint]$ klist
Ticket cache: KEYRING:persistent:143444:krb_ccache_Ri45Eiw
Default principal: ad...@my.lan

Valid starting   Expires  Service principal
2015-01-14 21:54:24  2015-01-15 21:53:57  cifs/ipaserver.my@my.lan
2015-01-14 21:53:59  2015-01-15 21:53:57  krbtgt/my@my.lan

[john@ipaserver mountpoint]$ kdestroy
[john@ipaserver mountpoint]$ klist
klist: Credentials cache keyring 'persistent:143444:krb_ccache_Ri45Eiw'
not found

[john@ipaserver mountpoint]$ cat test.txt
Hello World

[john@ipaserver mountpoint]$ klist
klist: Credentials cache keyring 'persistent:143444:krb_ccache_Ri45Eiw'
not found

-
-- then remount share. john has non-admin ticket 
-

[john@ipaserver mountpoint]$ id
uid=143444(john) gid=143444(john)
groups=143444(john

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-12 Thread John Obaterspok
2015-01-11 16:33 GMT+01:00 Jakub Hrozek jhro...@redhat.com:

 On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
  2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com:
 
   To get the whole root environment you have to run
   su - root
   did you try with it?
  
 
  ahh... that works fine Gianluca!
 
  Final question, if I have a file on the share like:
   [john@ipaserver mountpoint]$ ll test.txt
   -rwxr-----. 1 root admins 12 11 jan 10.42 test.txt
 
  Should I be able to access it if I acquire an admin ticket? Currently I get
  Permission denied
 
  [john@ipaserver mountpoint]$ id
  uid=143444(john) gid=143444(john) grupper=143444(john)
  context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 
  [john@ipaserver mountpoint]$ getfacl test.txt
  # file: test.txt
  # owner: root
  # group: admins
  user::rwx
  group::r--
  other::---
 
  [john@ipaserver mountpoint]$ id admin
  uid=143440(admin) gid=143440(admins) groups=143440(admins)
 
  [john@ipaserver mountpoint]$ klist
  Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
  Default principal: ad...@my.lan
 
  Valid starting   Expires  Service principal
  2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan
 
  [john@ipaserver mountpoint]$ cat test.txt
  cat: test.txt: Permission denied

 Looks like your account needs to be in the 'admins' group in order to
 access the file.

 Acquiring the admin ticket doesn't switch the user ID nor add you to the
 group.


I thought the krb5 mount option would allow ticket-based access to the
file.
Is the krb5 mount option only used during mounting of the share?
Otherwise I see no difference compared to not using the krb5 mount
option!?

-- john
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-11 Thread John Obaterspok
2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com:

 To get the whole root environment you have to run
 su - root
 did you try with it?


ahh... that works fine Gianluca!

Final question, if I have a file on the share like:
 [john@ipaserver mountpoint]$ ll test.txt
 -rwxr-----. 1 root admins 12 11 jan 10.42 test.txt

Should I be able to access it if I acquire an admin ticket? Currently I get
Permission denied

[john@ipaserver mountpoint]$ id
uid=143444(john) gid=143444(john) grupper=143444(john)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[john@ipaserver mountpoint]$ getfacl test.txt
# file: test.txt
# owner: root
# group: admins
user::rwx
group::r--
other::---

[john@ipaserver mountpoint]$ id admin
uid=143440(admin) gid=143440(admins) groups=143440(admins)

[john@ipaserver mountpoint]$ klist
Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
Default principal: ad...@my.lan

Valid starting   Expires  Service principal
2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan

[john@ipaserver mountpoint]$ cat test.txt
cat: test.txt: Permission denied

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-09 Thread John Obaterspok


 2015-01-09 10:11 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:

 On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and
 /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch
 Kerberos keys and map IDs of CIFS identities. These configurations are
 part of cifs-utils package which also supplies mount.cifs.



I have no /etc/request-key.d/cifs.upcall.conf on my F21. Is it supposed to
be there?
This is what I have:

[root@ipaserver etc]# cat request-key.conf
###
#  snip 


#OP     TYPE    DESCRIPTION     CALLOUT INFO    PROGRAM ARG1 ARG2 ARG3 ...
#====== ======= =============== =============== ===============================
create  dns_resolver *          *               /sbin/key.dns_resolver %k
create  user    debug:*         negate          /bin/keyctl negate %k 30 %S
create  user    debug:*         rejected        /bin/keyctl reject %k 30 %c %S
create  user    debug:*         expired         /bin/keyctl reject %k 30 %c %S
create  user    debug:*         revoked         /bin/keyctl reject %k 30 %c %S
create  user    debug:loop:*    *               |/bin/cat
create  user    debug:*         *               /usr/share/keyutils/request-key-debug.sh %k %d %c %S
negate  *       *               *               /bin/keyctl negate %k 30 %S

[root@ipaserver etc]# ls request-key.d/
cifs.idmap.conf   cifs.spnego.conf  id_resolver.conf

[root@ipaserver etc]# cat request-key.d/cifs.idmap.conf
create  cifs.idmap* * /usr/sbin/cifs.idmap %k

[root@ipaserver etc]# cat request-key.d/cifs.spnego.conf
create  cifs.spnego* * /usr/sbin/cifs.upcall %k


-- john

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-09 Thread John Obaterspok
2015-01-09 18:12 GMT+01:00 Alexander Bokovoy aboko...@redhat.com

 So if you have all these configs right, can you add --verbose to
 mount.cifs arguments _before_ -o options?

 mount -t cifs //ipaserver.MY.LAN/TheShare --verbose -o sec=krb5

 and you can enable debugging before mounting in /proc/fs/cifs/, see
 https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting
 --


[john@ipaserver ~]$ rpm -q cifs-utils
cifs-utils-6.4-2.fc21.x86_64

[john@ipaserver mnt]# su root
[root@ipaserver mnt]# kdestroy
[root@ipaserver mnt]# kinit admin
[root@ipaserver mnt]# klist
Ticket cache: KEYRING:persistent:143444:krb_ccache_As3C1bl
Default principal: ad...@my.lan

Valid starting   Expires  Service principal
2015-01-09 22:40:37  2015-01-10 22:40:32  krbtgt/my@my.lan

[root@ipaserver mnt]#
[root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare --verbose
-o sec=krb5 mointpoint
mount.cifs kernel mount options:
ip=192.168.0.103,unc=\\ipaserver.MY.LAN\TheShare,sec=krb5,user=john,pass=
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

[fre jan  9 22:40:15 2015] CIFS VFS: Send error in SessSetup = -126
[fre jan  9 22:40:15 2015] CIFS VFS: cifs_mount failed w/return code = -126
[fre jan  9 22:40:49 2015] CIFS VFS: Send error in SessSetup = -126
[fre jan  9 22:40:49 2015] CIFS VFS: cifs_mount failed w/return code = -126
[fre jan  9 22:42:30 2015] fs/cifs/cifsfs.c: Devname:
//ipaserver.MY.LAN/TheShare flags: 0
[fre jan  9 22:42:30 2015] fs/cifs/connect.c: Username: john
[fre jan  9 22:42:30 2015] fs/cifs/connect.c: file mode: 0x1ed  dir mode:
0x1ed
[fre jan  9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: in cifs_mount as
Xid: 6 with uid: 0
[fre jan  9 22:42:30 2015] fs/cifs/connect.c: UNC:
\\ipaserver.MY.LAN\TheShare
[fre jan  9 22:42:30 2015] fs/cifs/connect.c: Socket created
[fre jan  9 22:42:30 2015] fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380
rcvtimeo 0x1b58
[fre jan  9 22:42:30 2015] fs/cifs/fscache.c:
cifs_fscache_get_client_cookie: (0x88007a28dc00/0x8800736ee000)
[fre jan  9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses
as Xid: 7 with uid: 0
[fre jan  9 22:42:30 2015] fs/cifs/connect.c: Existing smb sess not found
[fre jan  9 22:42:30 2015] fs/cifs/cifssmb.c: Requesting extended security.
[fre jan  9 22:42:30 2015] fs/cifs/transport.c: For smb_command 114
[fre jan  9 22:42:30 2015] fs/cifs/transport.c: Sending smb: smb_len=78
[fre jan  9 22:42:30 2015] fs/cifs/connect.c: Demultiplex PID: 20875
[fre jan  9 22:42:30 2015] fs/cifs/connect.c: RFC1002 header 0xb5
[fre jan  9 22:42:30 2015] fs/cifs/misc.c: checkSMB Length: 0xb9,
smb_buf_length: 0xb5
[fre jan  9 22:42:30 2015] fs/cifs/transport.c: cifs_sync_mid_result:
cmd=114 mid=1 state=4
[fre jan  9 22:42:30 2015] fs/cifs/cifssmb.c: Dialect: 2
[fre jan  9 22:42:30 2015] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348
0xbb92
[fre jan  9 22:42:30 2015] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348
0x1bb92
[fre jan  9 22:42:30 2015] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6
0x1
[fre jan  9 22:42:30 2015] fs/cifs/cifssmb.c: negprot rc 0
[fre jan  9 22:42:30 2015] fs/cifs/connect.c: Security Mode: 0x3
Capabilities: 0x8080f3fd TimeAdjust: -3600
[fre jan  9 22:42:30 2015] fs/cifs/sess.c: sess setup type 5
[fre jan  9 22:42:30 2015] fs/cifs/cifs_spnego.c: key description =
ver=0x2;host=ipaserver.MY.LAN;ip4=192.168.0.103;sec=krb5;uid=0x0;creduid=0x0;user=john;pid=0x5188
[fre jan  9 22:42:30 2015] CIFS VFS: Send error in SessSetup = -126
[fre jan  9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: leaving
cifs_get_smb_ses (xid = 7) rc = -126
[fre jan  9 22:42:30 2015] fs/cifs/fscache.c:
cifs_fscache_release_client_cookie: (0x88007a28dc00/0x8800736ee000)
[fre jan  9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount
(xid = 6) rc = -126
[fre jan  9 22:42:30 2015] CIFS VFS: cifs_mount failed w/return code = -126

Is it okay that the verbose output says sec=krb5,user=john,pass= ? I
did su from john...

-- john
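The request-key lookup behind both John's request-key.d listing and the `key description = ver=0x2;...` dmesg line, replayed in Python as an added example (not code from the thread or from keyutils). It assumes request-key(8) consults /etc/request-key.d/*.conf before /etc/request-key.conf, matches every field with shell-style wildcards, and stops at the first matching line; the config texts and key id are constructed from what the thread shows.

```python
"""Added example (not from the thread or keyutils): replay the request-key(8)
lookup the kernel triggers for a cifs.spnego key during mount -o sec=krb5."""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inputs modelled on the files John listed in the thread.
REQUEST_KEY_D: Dict[str, str] = {
    "cifs.idmap.conf": "create\tcifs.idmap\t*\t*\t/usr/sbin/cifs.idmap %k\n",
    "cifs.spnego.conf": "create\tcifs.spnego\t*\t*\t/usr/sbin/cifs.upcall %k\n",
}
REQUEST_KEY_CONF = """\
#OP     TYPE          DESCRIPTION   CALLOUT INFO  PROGRAM ARG1 ARG2 ...
create  dns_resolver  *             *             /sbin/key.dns_resolver %k
create  user          debug:loop:*  *             |/bin/cat
create  user          debug:*       *             /usr/share/keyutils/request-key-debug.sh %k %d %c %S
negate  *             *             *             /bin/keyctl negate %k 30 %S
"""
# The description cifs.ko logged in the thread's dmesg output.
CIFS_KEY_DESCRIPTION = ("ver=0x2;host=ipaserver.MY.LAN;ip4=192.168.0.103;"
                        "sec=krb5;uid=0x0;creduid=0x0;user=john;pid=0x5188")


@dataclass
class Rule:
    op: str             # create / negate / ...
    ktype: str          # key type pattern, e.g. cifs.spnego
    desc: str           # description pattern
    callout: str        # callout-info pattern
    program: List[str]  # handler and its argument template


def parse_rules(text: str) -> List[Rule]:
    """Parse one request-key.conf style file; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 5:
            raise ValueError(f"malformed request-key line: {line!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], fields[3],
                          fields[4].split()))
    return rules


def load_rules(conf_dir: Dict[str, str], main_conf: str) -> List[Rule]:
    """Assumption: request-key.d/*.conf (sorted) is consulted before
    request-key.conf, and the first matching rule wins."""
    rules: List[Rule] = []
    for name in sorted(conf_dir):
        if name.endswith(".conf"):
            rules.extend(parse_rules(conf_dir[name]))
    rules.extend(parse_rules(main_conf))
    return rules


def _match(pattern: str, value: str) -> bool:
    # Assumption: all fields use shell-style wildcards; '*' matches anything.
    return pattern == "*" or fnmatch.fnmatchcase(value, pattern)


def resolve(rules: List[Rule], op: str, ktype: str, desc: str,
            callout: str = "") -> Optional[Rule]:
    """Return the handler rule for a key request, or None when nothing
    matches (the kernel then fails with ENOKEY, which mount.cifs reports as
    'mount error(126): Required key not available')."""
    for r in rules:
        if (r.op == op and _match(r.ktype, ktype)
                and _match(r.desc, desc) and _match(r.callout, callout)):
            return r
    return None


def expand_program(rule: Rule, key_id: str, desc: str, callout: str,
                   session_keyring: str) -> List[str]:
    """Substitute the %k/%d/%c/%S placeholders used in request-key.conf."""
    subs = {"%k": key_id, "%d": desc, "%c": callout, "%S": session_keyring}
    return [subs.get(arg, arg) for arg in rule.program]


def parse_cifs_description(desc: str) -> Dict[str, str]:
    """Split cifs.ko's 'k=v;k=v' description. creduid names the uid whose
    credential cache cifs.upcall searches for the cifs/ service ticket,
    which is why the ticket must be visible to that user's cache."""
    return dict(item.split("=", 1) for item in desc.split(";") if "=" in item)


if __name__ == "__main__":
    rules = load_rules(REQUEST_KEY_D, REQUEST_KEY_CONF)
    hit = resolve(rules, "create", "cifs.spnego", CIFS_KEY_DESCRIPTION)
    print("with request-key.d:",
          expand_program(hit, "123", CIFS_KEY_DESCRIPTION, "", "@s"))
    miss = resolve(load_rules({}, REQUEST_KEY_CONF), "create",
                   "cifs.spnego", CIFS_KEY_DESCRIPTION)
    print("without cifs.spnego.conf:", miss)  # None -> mount error(126)
    fields = parse_cifs_description(CIFS_KEY_DESCRIPTION)
    print("credential cache searched for uid", int(fields["creduid"], 16))
```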

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-09 Thread John Obaterspok
2015-01-09 10:11 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:

 On Thu, 08 Jan 2015, John Obaterspok wrote:

 Hello,

 I've tried to do the following on the client (and also on the ipaserver
 itself) where I want the ipaserver share mounted.

 [root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o
 sec=krb5
 mountpoint
 mount error(126): Required key not available
 Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

 (root has an admin ticket acquired)

 Any hints for a newbie?

 Do you have proper configuration in request-key.conf(5)?


I didn't know about those files, so if there are no defaults then I guess I
don't have a proper configuration.


 On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and
 /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch
 Kerberos keys and map IDs of CIFS identities. These configurations are
 part of cifs-utils package which also supplies mount.cifs.


Thanks Alexander,

-- john

[Freeipa-users] Mount cifs share using kerberos

2015-01-08 Thread John Obaterspok
Hello,

I have a samba share on the freeipa 4.1 server that I want to mount from
another client that is part of the ipa domain
I've tried:
mount -t cifs //ipaserver.DOMAIN.LAN/share /mnt/point -o sec=krb5

Shouldn't I be able to do the mount this way?

-- john

Re: [Freeipa-users] Problem starting IPA after reboot

2015-01-08 Thread John Obaterspok
Okay, I see. The line below caused a *new* keytab to be created and
prevented smb from starting.

1) ipa-getkeytab -s ipaserver  -p cifs/ipaserver.my.lan -k /etc/krb5.keytab

I've fixed this and now ipa starts fine again.

2015-01-08 20:31 GMT+01:00 John Obaterspok john.obaters...@gmail.com:

 Hello,

 I was trying out cifs mount when I ran into some problem where smb failed
 to load. What I've done was:

 1) ipa-getkeytab -s ipaserver  -p cifs/ipaserver.my.lan -k /etc/krb5.keytab

 2) pdbedit -L on ipaserver (which failed since I'm using registry)

 Then I got strange errors and tried reboot. Now initially smb failed to
 start, then after a minute or two ipa + kadmin also fails.

 I've noticed selinux complains about:
 - SELinux is preventing /usr/sbin/krb5kdc from write access on the
 sock_file /var/lib/sss/pipes/pac.
 - SELinux is preventing /usr/sbin/krb5kdc from connectto access on the
 unix_stream_socket /var/lib/sss/pipes/pac.

 I see the following in journal -b

 20:19:44 smbd[2065]: [2015/01/08 20:19:44.736247,  0]
 ../source3/smbd/server.c:1269(main)
 20:19:44 smbd[2065]: standard input is not a socket, assuming -D option
 20:19:44 systemd[1]: smb.service: Supervising process 2066 which is not
 our child. We'll most likely not notice when it exits.
 20:19:44 smbd[2066]: [2015/01/08 20:19:44.803085,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:44 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:44 smbd[2066]: [2015/01/08 20:19:44.803985,  0]
 ../source3/lib/smbldap.c:998(smbldap_connect_system)
 20:19:44 smbd[2066]: failed to bind to server
 ldapi://%2fvar%2frun%2fslapd-MY-LAN.socket with dn=[Anonymous bind]
 Error: Local error
 20:19:44 smbd[2066]: (unknown)
 20:19:45 smbd[2066]: [2015/01/08 20:19:45.815968,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:45 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:46 smbd[2066]: [2015/01/08 20:19:46.826820,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:46 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:47 smbd[2066]: [2015/01/08 20:19:47.837775,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:47 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:48 smbd[2066]: [2015/01/08 20:19:48.848497,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:48 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:49 smbd[2066]: [2015/01/08 20:19:49.859177,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:49 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:50 smbd[2066]: [2015/01/08 20:19:50.869958,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:50 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:51 smbd[2066]: [2015/01/08 20:19:51.880575,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:51 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:52 smbd[2066]: [2015/01/08 20:19:52.890531,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:52 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:53 smbd[2066]: [2015/01/08 20:19:53.901092,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:53 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:54 smbd[2066]: [2015/01/08 20:19:54.912209,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:54 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:55 smbd[2066]: [2015/01/08 20:19:55.922373,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:55 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:56 smbd[2066]: [2015/01/08 20:19:56.932368,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:56 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:57 smbd[2066]: [2015/01/08 20:19:57.942731,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:57 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:58 smbd[2066]: [2015/01/08 20:19:58.953319,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:58 smbd[2066]: kerberos error: code=-1765328366, message=Clients
 credentials have been revoked
 20:19:59 named-pkcs11[1536]: OSSLRSA.cpp(999): RSA verify failed
 (0x04091068)
 20:19:59 named-pkcs11[1536]: pkcs11rsa_link.c:496: pkcs_C_VerifyFinal:
 Error = 0x00C0
 20:19:59 named-pkcs11[1536]: OSSLRSA.cpp(999): RSA verify failed
 (0x04091068)
 20:19:59 named-pkcs11[1536]: pkcs11rsa_link.c:496: pkcs_C_VerifyFinal:
 Error = 0x00C0
 20:19:59 smbd[2066]: [2015/01/08 20:19:59.963057,  0]
 ipa_sam.c:4128(bind_callback_cleanup)
 20:19:59 smbd[2066]: kerberos error: code

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-08 Thread John Obaterspok
Hello,

I've tried to do the following on the client (and also on the ipaserver
itself) where I want the ipaserver share mounted.

[root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o sec=krb5
mountpoint
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

(root has an admin ticket acquired)

Any hints for a newbie?

-- john

2015-01-08 18:51 GMT+01:00 Simo Sorce s...@redhat.com:

 On Thu, 8 Jan 2015 10:01:50 +0100
 John Obaterspok john.obaters...@gmail.com wrote:

  Hello,
 
  I have a samba share on the freeipa 4.1 server that I want to mount
  from another client that is part of the ipa domain
  I've tried:
  mount -t cifs //ipaserver.DOMAIN.LAN/share /mnt/point -o sec=krb5
 
  Shouldn't I be able to do the mount this way?
 
  -- john

 You should be able to, what's the error ?

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-11-02 Thread John Obaterspok
Hello,

Now I'm able to access the samba network share from the Win PC using my ipa
user and password. But I need to enter it each time.

I have still not been able to log on to the Win7 PC with my IPA user. Currently
I get "No mapping between account names and security IDs was done" when I
try to log in.

What I've done is this:
 1. Created a dns entry for winpc + a host entry in web-ui,
 2. On the IPA server I ran ipa-getkeytab -s ipa.fqdn -p
host/ipa.fqdn -e arcfour-hmac -k krb5.keytab.winpc -P

What am I supposed to do with the krb5.keytab.winpc file? I can't see any
mention of this.


On the Win PC I did:
 1. ksetup /setdomain [REALM NAME]
 2. ksetup /addkdc [REALM NAME] [ipa.fqdn]
 3. ksetup /addkpasswd [REALM NAME] [ipa.fqdn]
 4. ksetup /setcomputerpassword [MACHINE_PASSWORD]
 5. ksetup /mapuser * *


-- john

2014-10-29 22:01 GMT+01:00 Loris Santamaria lo...@lgs.com.ve:

 On Wed, 29-10-2014 at 21:40 +0100, John Obaterspok wrote:
  Hello,
 
 
  I've tried this as well. My IPA is not connected to an AD. My smb.conf
  looks almost the same. The differences are:
  - I got the default workgroup set (MY or something)
  - No FILE:/ prefix for keytab file
 
 
  I had the samba and ipserver on the same box so I just had to add the
  cifs server and get keytab file in the same way.
  I was a bit surprised to see that accessing samba using smbclient -k
  \\... worked right away from a linux box. Then stopped working if I
  did kdestroy.
 
 
  But, I never got it to work from Windows. The Windows PC is not joined
  to any AD, it uses MIT Kerb client 4.0.1 and I successfully get tickets
  and can ssh login via putty without password.
 
 
  Any ideas on how to get this going from Windows as well?

 I guess you should prepare the ipa server for a windows domain trust
 (even if you won't setup any trust with an ad domain), with
 ipa-adtrust-install. Beware that it will overwrite your smb.conf.

 With that configuration and the steps described in
 http://www.redhat.com/archives/freeipa-users/2013-September/msg00226.html
 you will be able to use the native windows kerberos libraries and you
 should be able to open a samba share with your kerberos credentials.

 Best regards


 --
 Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
 Links Global Services, C.A.http://www.lgs.com.ve
 Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
 
 If I'd asked my customers what they wanted, they'd have said
 a faster horse - Henry Ford


Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-11-02 Thread John Obaterspok
2014-11-02 21:51 GMT+01:00 Loris Santamaria lo...@lgs.com.ve:

 On Sun, 02-11-2014 at 19:54 +0100, John Obaterspok wrote:


  I have still not been able to logon to Win7 PC with my IPA user.
  Currently I get No mapping between account names and security IDs was
  done when I try to login.

 The keytab is not needed, you just have to generate it to set a password
 for the computer.


Is this the same as the Set One Time Password action under enrollment in
the web ui?


 You are supposed to use the same password in ipa-getkeytab and in the
 ksetup /setcomputerpassword commands


Cough, cough. I just noticed that the Win PC I was experimenting with had
Windows Home edition. It seems you need at least Pro/Ultimate editions to
join a domain.


-- john

Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-10-29 Thread John Obaterspok
Hello,

I might be interested in this as well. Does this mean it would be possible
for a windows client to access samba FS through IPA provided credentials?
Currently my Windows PC gets IPA ticket (through MIT kerberos application)
and can use this ticket to login to Linux server via putty. I would jump up
and down if I could access samba FS in the same way from Windows:)

(I got sssd 1.12.1 and freeipa 4.1 running on F20)

-- john

2014-10-23 12:32 GMT+02:00 Sumit Bose sb...@redhat.com:

 On Tue, Oct 21, 2014 at 07:49:11AM -0430, Loris Santamaria wrote:
  On Mon, 20-10-2014 at 21:19 -0400, Dmitri Pal wrote:
   On 10/20/2014 09:15 AM, Loris Santamaria wrote:
 
  [...]
 
   
Trying to join the server to the domain (net rpc join -U domainadmin
 -S
ipaserver) fails, and it causes a samba crash on the ipa server.
Investigating the cause of the crash I found that pdbedit crashes as
well (backtrace attached). I couldn't get a meaningful backtrace from
the samba crash however I attached it as well.
   
Seems to me that the samba ipasam backend on ipa doesn't like
 something
in the host or the domain computers group object in ldap, but I
 cannot
see what could be the problem. Perhaps someone more familiar with the
ipasam code can spot it quickly.
 
   Do I get it right that you are really looking for
   https://fedorahosted.org/sssd/ticket/1588 that was just released
   upstream?
   It would be cool if you can try using SSSD 1.12.1 under Samba FS in
   the use case you have and provide feedback on how it works for you.
  
   AFAIU you install Samba FS and then use ipa-client to configure SSSD
   under it and it should work.
   If not we probably should document it (but I do not see any special
   design page which leads me to the above expectation).
 
  Ok, I'll happily try sssd 1.12.1.
 
  Just a question, in smb.conf one should use security = domain or
  security = ads?

 'ads' because we want to use Kerberos. But there are some other
 configuration options which need attention, e.g. you have to create a
 keytab for the cifs service and make it available to samba. I'll try to
 set up a small howto page listing the needed steps and come back to you
 early next week.

 bye,
 Sumit

 
  Best regards
 
  --
  Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
  Links Global Services, C.A.http://www.lgs.com.ve
  Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
  
  If I'd asked my customers what they wanted, they'd have said
  a faster horse - Henry Ford




Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-10-29 Thread John Obaterspok
Hello,

I've tried this as well. My IPA is not connected to an AD. My smb.conf
looks almost the same. The differences are:
- I got the default workgroup set (MY or something)
- No FILE:/ prefix for keytab file

I had the samba and ipserver on the same box so I just had to add the cifs
server and get keytab file in the same way.
I was a bit surprised to see that accessing samba using smbclient -k
\\... worked right away from a linux box. Then stopped working if I did
kdestroy.

*But,* I never got it to work from Windows. The Windows PC is not joined to
any AD, it uses MIT Kerb client 4.0.1 and I successfully get tickets and can
ssh login via putty without password.

Any ideas on how to get this going from Windows as well?

-- john

2014-10-29 20:54 GMT+01:00 Loris Santamaria lo...@lgs.com.ve:

 On Thu, 23-10-2014 at 12:32 +0200, Sumit Bose wrote:
  On Tue, Oct 21, 2014 at 07:49:11AM -0430, Loris Santamaria wrote:
   On Mon, 20-10-2014 at 21:19 -0400, Dmitri Pal wrote:
    On 10/20/2014 09:15 AM, Loris Santamaria wrote:
  
   [...]
  

 Trying to join the server to the domain (net rpc join -U
 domainadmin -S
 ipaserver) fails, and it causes a samba crash on the ipa server.
 Investigating the cause of the crash I found that pdbedit crashes
 as
 well (backtrace attached). I couldn't get a meaningful backtrace
 from
 the samba crash however I attached it as well.

 Seems to me that the samba ipasam backend on ipa doesn't like
 something
 in the host or the domain computers group object in ldap, but I
 cannot
 see what could be the problem. Perhaps someone more familiar with
 the
 ipasam code can spot it quickly.
  
Do I get it right that you really looking for
https://fedorahosted.org/sssd/ticket/1588 that was just released
upstream?
It would be cool if you can try using SSSD 1.12.1 under Samba FS in
the use case you have and provide feedback on how it works for you.
   
AFAIU you install Samba FS and then use ipa-client to configure SSSD
under it and it should work.
If not we probably should document it (but I do not see any special
design page which leads me to the above expectation).
  
   Ok, I'll happily try sssd 1.12.1.
  
   Just a question, in smb.conf one should use security = domain or
   security = ads?
 
  'ads' because we want to use Kerberos. But there are some other
  configuration options which need attention, e.g. you have to create a
  keytab for the cifs service and make it available to samba. I'll try to
  set up a small howto page listing the needed steps and come back to you
  early next week.

 It Works :D, and here is what I did:

 Test environment: One realm domain with two Centos 7 / ipa 3.3 masters,
 one trusted AD forest (windows 2008R2 controllers), one Centos 7 file
 server.

 Step 1) On the file server enable mkosek's COPR ipa repo:
 https://copr.fedoraproject.org/coprs/mkosek/freeipa/

 2) Install required packages:
 yum -y install ipa-client sssd-libwbclient samba samba-client

 3) join file server to the ipa realm:
 ipa-client-install --mkhomedir

 Please note that this step fails, shortly after creating the keytab and
 configuring sssd, probably caused by the version mismatch between ipa
 server (3.3) and client (4.1). I will report the failure shortly.
 Because of the failure I had to complete part of the join procedure
 manually:
 authconfig --enablesssdauth --enablemkhomedir --update (on the client)
 ipa dnsrecord-add my.realm sambatest --a-rec=x.y.w.z (on ipa server)

 4) On the ipa server create the cifs principal for samba:
 ipa service-add cifs/sambatest.my.realm

 5) Install keytab on the samba host:
 ipa-getkeytab -s ipaserver.my.realm -p cifs/sambatest.my.realm
 -k /etc/samba/samba.keytab

 6) Edit /etc/samba/smb.conf on the samba file server:
 [global]
 workgroup = MY
 realm = MY.REALM
 dedicated keytab file = FILE:/etc/samba/samba.keytab
 kerberos method = dedicated keytab
 log file = /var/log/samba/log.%m
 security = ads

 [homes]
 browsable = no
 writable = yes

 [shared]
 path = /home/shared
 writable = yes
 browsable=yes
 write list = @admins

 7) To enable samba /home sharing one should turn on a selinux boolean:
 setsebool -P samba_enable_home_dirs on

 8) restart samba

 Testing:

 On another linux member of the IPA domain it is possible to connect to
 the samba shares using smbclient -k :
 kinit user@MY.REALM
 smbclient -k -L sambatest.my.realm
 smbclient -k //sambatest.my.realm/shared

 On a windows machine, member of the AD domain it is possible to connect
 to the samba shares typing in the windows explorer location bar:
 \\sambatest.my.realm
 Also, if the ad user is an (indirect) member of the IPA admins group,
 thanks to the trust relationship, with the above smb.conf he may have
 write access to the \shared folder.

 Thanks to the ipa and sssd teams for this 

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread John Obaterspok
2014-10-27 12:19 GMT+01:00 Martin Basti mba...@redhat.com:

  On 26/10/14 21:39, John Obaterspok wrote:

 Hi,

  I enabled mkosek-freeipa repo for F20 and updated freeipa-server from
 3.3.5 to 4.1. The yum update reported just a single error:

  Could not load host key: /etc/ssh/ssh_host_dsa_key

  After reboot I had 3 services that failed to start:
 ipa, kadmin, named-pkcs11

  Doing strace -f named-pkcs11 -u named -f -g I can see:
 /var/lib/softhsm/tokens/ = -1 EACCES (Permission denied)
initializing DST: PKCS#11 initialization failed
exiting (due to fatal error)


  For kadmin the error is due to not being able to connect to sldap

  I noticed that softhsm2-util --show-slots reported ERROR: Could not
 initialize the library. But that seemed to be because   wasn't part of the
 update. After that I could show the default slot and then I manually called
 following (as root):

  /usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin
  --so-pin 

  But the problems won't go away. Any clues?

  -- john




  Hello,

 1)
 can you share your /var/log/ipaupgrade.log ?


Unfortunately I removed the original ipaupgrade.log file when I retried
installing freeipa-server. The current ipaupgrade.log has two errors:
First)

2014-10-26T12:45:15Z DEBUG Live 1, updated 1
2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc':
'Operations error'}
2014-10-26T12:45:15Z ERROR Update failed: Operations error:
2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf
Plugin,cn=plugins,cn=config
2014-10-26T12:45:15Z DEBUG -

Second) It complains about not being able to start named-pkcs11 service.



 2)
 your issue with softhsm can be caused by a missing environment variable
 IPA internally uses

 SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
 please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
 --show-slots, and let me know if it works

 same with named-pkcs11,


The file timestamps for softhsm_pin and tokens match the time I did the
original update

# ll /var/lib/ipa/dnssec/
-rwxrwx---. 1 ods named   30 Oct 26 10:35 softhsm_pin
drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens

# ll /var/lib/ipa/dnssec/tokens/
total 0

# SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots
Available slots:
Slot 0
Slot info:
Description:  SoftHSM slot 0
Manufacturer ID:  SoftHSM project
Hardware version: 2.0
Firmware version: 2.0
Token present:yes
Token info:
Manufacturer ID:  SoftHSM project
Model:SoftHSM v2
Hardware version: 2.0
Firmware version: 2.0
Serial number:
Initialized:  no
User PIN init.:   no
Label:

3)
 can you share journalctl -u named-pkcs11 output?


10:35:48 systemd[1]: named-pkcs11.service: control process exited,
code=exited status=1
10:35:48 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
with native PKCS#11.
10:35:48 systemd[1]: Unit named-pkcs11.service entered failed state.
10:35:48 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with
native PKCS#11.
-- Reboot --
10:58:05 named-pkcs11[1496]: initializing DST: no PKCS#11 provider
10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
10:58:05 systemd[1]: named-pkcs11.service: control process exited,
code=exited status=1
10:58:05 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
with native PKCS#11.
10:58:05 systemd[1]: Unit named-pkcs11.service entered failed state.
10:58:05 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with
native PKCS#11.

... After some fiddling a restart says this:

19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
19:26:21 named-pkcs11[8807]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
isc_boolean_true, isc_boolean_false, isc_bo
19:26:21 named-pkcs11[8807]: exiting (due to fatal error in library)
19:26:21 systemd[1]: named-pkcs11.service: control process exited,
code=exited status=1
19:26:21 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
with native PKCS#11.
19:26:21 systemd[1]: Unit named-pkcs11.service entered failed state.

4)
 I'm not aware that we need krb5-libs/openssl. I was getting this error
 if the tokens directory doesn't exist, but IPA uses its own configuration
 (see 2), not the default.


 ok
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
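
An added diagnostic script (example code, not from this thread or from
FreeIPA) that checks the two conditions Martin points at above: whether
/var/lib/ipa/dnssec/tokens exists and is non-empty, and whether
softhsm2-util --show-slots, run with the SOFTHSM2_CONF that IPA uses,
reports an initialized token. The paths and the SOFTHSM2_CONF value are the
ones quoted in the thread; the function names and the --live flag are this
example's own.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not from the thread or from FreeIPA).
# It checks the two failure states seen in the thread: an empty or missing
# /var/lib/ipa/dnssec/tokens directory, and a SoftHSM slot whose token is
# not initialized. Paths and the SOFTHSM2_CONF value are the ones quoted in
# the thread; everything else is an assumption of this example.

IPA_SOFTHSM2_CONF="/etc/ipa/dnssec/softhsm2.conf"
IPA_TOKEN_DIR="/var/lib/ipa/dnssec/tokens"

# Print the state of the token directory: "missing", "empty" or "ok".
# "empty" matches the 'total 0' listing in the thread; "missing" matches the
# later "Failed to enumerate object store" error from named-pkcs11.
check_token_dir() {
    if [ ! -d "$1" ]; then
        echo "missing"
    elif [ -z "$(ls -A "$1")" ]; then
        echo "empty"
    else
        echo "ok"
    fi
}

# Read `softhsm2-util --show-slots` output on stdin and print one line per
# slot: "slot N: ok" when the token is initialized, "slot N: uninitialized"
# when SoftHSM reports "Initialized: no" (the state shown in the thread).
classify_slots() {
    slot="" init=""
    while IFS= read -r line; do
        case "$line" in
            Slot\ [0-9]*)
                # A new slot header: emit the verdict for the previous one.
                [ -n "$slot" ] && _slot_verdict "$slot" "$init"
                set -- $line
                slot=$2 init="" ;;
            *Initialized:*)
                # "Initialized:      no" -> second field is the value.
                set -- $line
                init=$2 ;;
        esac
    done
    [ -n "$slot" ] && _slot_verdict "$slot" "$init"
    return 0
}

_slot_verdict() {
    if [ "$2" = "yes" ]; then
        echo "slot $1: ok"
    else
        echo "slot $1: uninitialized"
    fi
}

# Live check, only when invoked with --live: run softhsm2-util with the
# configuration IPA itself uses (as suggested in the thread) instead of the
# default SoftHSM configuration, so the result reflects IPA's token store.
if [ "${1:-}" = "--live" ]; then
    echo "token dir $IPA_TOKEN_DIR: $(check_token_dir "$IPA_TOKEN_DIR")"
    SOFTHSM2_CONF="$IPA_SOFTHSM2_CONF" softhsm2-util --show-slots | classify_slots
fi
```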

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread John Obaterspok
Hello Martin,

Still no go.

I installed the softhsm-devel package (that only contains header files),
removed the token directory, reinstalled the bind & bind-pkcs11, did
ipa-dns-install that completed ok (I guess):

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes
Directory Manager password:

# ipa-upgradeconfig
[Verifying that root certificate is published]
*Failed to backup CS.cfg: no magic attribute 'dogtag'*
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
*Failed to restart named: Command ''/bin/systemctl' 'restart'
'named-pkcs11.service'' returned non-zero exit status 1*
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful


# systemctl restart named-pkcs11 && journalctl -xn
19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to enumerate object
store in /var/lib/ipa/dnssec/tokens
19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the object
store
19:38:54 named-pkcs11[838]: initializing DST: PKCS#11 initialization failed
19:38:54 named-pkcs11[838]: exiting (due to fatal error)
19:38:54 systemd[1]: named-pkcs11.service: control process exited,
code=exited status=1
19:38:54 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
with native PKCS#11.


It seems the problem is now there are no tokens:
# ll /var/lib/ipa/dnssec/
total 4.0K
-rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin

Any ideas?

-- john

2014-10-27 19:05 GMT+01:00 Martin Basti mba...@redhat.com:

  On 27/10/14 18:53, John Obaterspok wrote:



 2014-10-27 12:19 GMT+01:00 Martin Basti mba...@redhat.com:

  Hello,

 1)
 can you share your /var/log/ipaupgrade.log ?


  Unfortunately I removed the original ipaupgrade.log file when I did a
 retry to install freeipa-server. The current ipaupgrade.log has two errors:
 First)

  2014-10-26T12:45:15Z DEBUG Live 1, updated 1
 2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc':
 'Operations error'}
 2014-10-26T12:45:15Z ERROR Update failed: Operations error:
 2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf
 Plugin,cn=plugins,cn=config
 2014-10-26T12:45:15Z DEBUG -

 Are there some information about entry which is updated above?



Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread John Obaterspok
hmm... Could not connect to the Directory Server

So I started it with start-dirsrv since systemctl start ipa failed. Then
it was a breeze, ipa-dns-install worked fine.

# systemctl --failed
0 loaded units listed.

I haven't verified that it works, but I feel confident :)

-- john


2014-10-27 20:09 GMT+01:00 Martin Basti mba...@redhat.com:

 This is interesting, ipa-dns-install should detect missing directory and
 create new one.
 Could you send me tail of /var/log/ipaserver-install.log, where DNS debug
 lines are?

 Martin^2



Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread John Obaterspok
Hello Martin,

It works perfectly again!

note, I noticed in /var/log/ipaserver-install.log that ipa-dns-install failed
because 389 wasn't started (failed to connect). Once it was started manually,
ipa-dns-install worked fine.

Thanks a lot Martin,

-- john


2014-10-27 20:40 GMT+01:00 Martin Basti mba...@redhat.com:

 I'm lost, does IPA work or not?
 are all services running? (ipactl status)
 are tokens created in /var/lib/ipa/dnssec/tokens
 can you dig records from IPA DNS?

 Martin^2



Re: [Freeipa-users] dns stops working after upgrade

2014-10-26 Thread John Obaterspok
Hello Rob,

Did systemd report any failed services? (systemctl --failed)


-- john

2014-10-25 16:40 GMT+02:00 Rob Verduijn rob.verdu...@gmail.com:

 Hello all,

 I'm running freeipa 3.3.0 on fedora 20 x86_64 and it is set up as my main
 dns server.

 I've tried the upgrade to 4.1 using the copr repository.

 I performed the following steps:

 1 apply latest fedora updates
 2 shutdown system
 3 create a snapshot from the freeipa vm as a backup (which is why I'm back
 at 3.3)
 4 added the copr repo to my repositories
 5 issue 'yum update' and grab a coffee
 6 see the update complete and start to check if everything still works.
 all authentication seems to work fine, however all my local dns entries no
 longer work.
 all internet dns queries work fine, just not my own entries.
 they are all still there.

 so I shutdown my freeipa vm and reverted the snapshot, everything is back
 up and running again with 3.3.0

 I've dug through my logs but see no errors whatsoever.

 Did I miss something that needs to be done when doing an upgrade ?

 Rob


[Freeipa-users] F20 Problem upgrading to 4.1

2014-10-26 Thread John Obaterspok
Hi,

I enabled mkosek-freeipa repo for F20 and updated freeipa-server from 3.3.5
to 4.1. The yum update reported just a single error:

Could not load host key: /etc/ssh/ssh_host_dsa_key

After reboot I had 3 services that failed to start:
ipa, kadmin, named-pkcs11

Doing strace -f named-pkcs11 -u named -f -g I can see:
   /var/lib/softhsm/tokens/ = -1 EACCES (Permission denied)
   initializing DST: PKCS#11 initialization failed
   exiting (due to fatal error)


For kadmin the error is due to not being able to connect to sldap

I noticed that softhsm2-util --show-slots reported ERROR: Could not
initialize the library. But that seemed to be because krb5-libs/openssl
wasn't part of the update. After that I could show the default slot and
then I manually called following (as root):

/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin
 --so-pin 

But the problems won't go away. Any clues?

-- john

[Freeipa-users] DogTag memory usage. Alternatives?

2014-04-07 Thread John Obaterspok
Hello,

I'm using FreeIPA for my home network and it works really great.
FreeIPA is running on a NAS server where the hw isn't latest & greatest.
I've noticed the dogtag java/tomcat process is using up to 1 gig of
RAM and the java process is usually in the top spot for powertop
wakeups.

Is it normal that it uses this much memory? Are there any alternatives?

-- john

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] kerberized vsftpd login problem

2014-03-27 Thread John Obaterspok
2014-03-23 19:45 GMT-04:00  Dmitri Pal d...@redhat.com
 2014-03-23 9:01 GMT+01:00 John Obaterspok john.obaters...@gmail.com:
 
  Hello,
 
  How do I get vsftpd login to work with an existing ticket?
  I've added ftp as an identity service (ftp/ipaserver.my@my.lan)
  Is there anything else I need to do to allow ftp login to vsftpd?

 What ftp client and server are you using?
 Do you know whether they are actually supporting Kerberos?
 May be consider other tools like scp instead?

I'm using vsftpd with default settings in Fedora 20 + ftp client from
krb5-appl-clients. vsftpd is linked to pam, gssapi_krb5, and more.
/etc/pam.d/vsftpd looks like this:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

Perhaps I need to change something in the pam file in order to allow sso?

-- john



[Freeipa-users] kerberized vsftpd login problem

2014-03-23 Thread John Obaterspok
Hello,

How do I get vsftpd login to work with an existing ticket?
I've added ftp as an identity service (ftp/ipaserver.my@my.lan)

Is there anything else I need to do to allow ftp login to vsftpd?

-- john

[Freeipa-users] Win7 machine occasionally not able to lookup ipa hosts

2014-03-23 Thread John Obaterspok
Hello,

A couple of times each day the win 7 machine is not able to lookup hosts on
the ipa domain. A ipconfig /renew always allows ipa hosts to be resolvable
again.

Any ideas why this happens?

-- john

Re: [Freeipa-users] Win7 machine occasionally not able to lookup ipa hosts

2014-03-23 Thread John Obaterspok
Hello,

I just experienced this again. IPA server not pingable by name but by IP. Did
an ipconfig /all > file, then ipconfig /renew. The only lines that differ
are the lease expiry:

-   Lease expires. . . . . . . . . . . : 2014-03-24 20:04:28
+  Lease expires. . . . . . . . . . . : 2014-03-24 22:28:09

Any other suggestions?

-- john


2014-03-23 18:52 GMT+01:00 Will Sheldon m...@willsheldon.com:


  What is the difference in the output of ipconfig /all before and after
 the ipconfig /renew?


 Kind regards,

 Will Sheldon
