Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-09-09 Thread Nicklas Björk
On 2014-08-28 10:58, Nicklas Björk wrote:
> 2014-08-27T14:45:19Z DEBUG stderr=pkispawn: WARNING  ... unable
> to validate security domain user/password through REST interface.
> Interface not available

Digging a bit further I found the following in
/var/lib/pki-ca/logs/debug on the FreeIPA master. All lines share the
common prefix [09/Sep/2014:14:30:27][TP-Processor6].

CMSServlet:service() uri = /ca/agent/ca/updateDomainXML
CMSServlet::service() param name='name' value='"/var/lib/pki/pki-tomcat"'
CMSServlet::service() param name='ncsport' value='8443'
CMSServlet::service() param name='sport' value='None'
CMSServlet::service() param name='operation' value='remove'
CMSServlet::service() param name='adminsport' value='8443'
CMSServlet::service() param name='list' value='caList'
CMSServlet::service() param name='type' value='CA'
CMSServlet::service() param name='agentsport' value='8443'
CMSServlet::service() param name='host' value='replica.example.net'
CMSServlet: caUpdateDomainXML start to service.
UpdateDomainXML: processing...
UpdateDomainXML process: authentication starts
IP: 192.168.1.20
AuthMgrName: certUserDBAuthMgr
CMSServlet: retrieving SSL certificate
CMSServlet: certUID=CN=CA Subsystem,O=EXAMPLE.NET
CertUserDBAuth: started
CertUserDBAuth: Retrieving client certificate
CertUserDBAuth: Got client certificate
Authentication: client certificate found
In LdapBoundConnFactory::getConn()
masterConn is connected: true
getConn: conn is connected true
getConn: mNumConns now 2
returnConn: mNumConns now 3
SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA
Subsystem,O=EXAMPLE.NET] authentication failure

CMSServlet: curDate=Tue Sep 09 14:30:27 CEST 2014 id=caUpdateDomainXML
time=5


What kind of authentication is it complaining about, and is it possible
to repair it?



Nicklas



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
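The audit record quoted above is the most useful line in that debug excerpt, but it is wrapped across two lines and packed into bracketed key=value fields. The following parser is an added example, not code from the thread or from Dogtag; it joins the wrapped `message=[...]` record, splits the fields and returns only the `AUTH_FAIL` events, so the failing authentication manager and the credential it rejected can be read off directly. The sample log is constructed from the lines in the message; the function names are this example's own.

```python
"""Pull AUTH_FAIL audit events out of a Dogtag CA debug log (added example)."""
import re

# Constructed sample: the bracketed audit line is wrapped exactly as it
# appears in the mail, with "CN=CA Subsystem" split over two lines.
SAMPLE_DEBUG_LOG = """\
CMSServlet: certUID=CN=CA Subsystem,O=EXAMPLE.NET
CertUserDBAuth: Got client certificate
Authentication: client certificate found
SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA
Subsystem,O=EXAMPLE.NET] authentication failure
CMSServlet: curDate=Tue Sep 09 14:30:27 CEST 2014 id=caUpdateDomainXML
"""

# One bracketed field: [Key=Value], where Value may itself contain '='.
FIELD_RE = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")


def unwrap_audit_messages(text):
    """Return each 'message=[...]' record as a single logical line.

    A record that was wrapped by the mailer is joined with following lines
    (a space replaces the wrap) until its brackets balance.
    """
    records = []
    current = None
    for line in text.splitlines():
        if current is None:
            if not line.startswith("message=["):
                continue
            current = line
        else:
            current = current + " " + line
        if current.count("[") == current.count("]"):
            records.append(current)
            current = None
    if current is not None:  # truncated log: keep what we have
        records.append(current)
    return records


def parse_audit_record(record):
    """Split one record into its fields plus the free-text description."""
    fields = dict(FIELD_RE.findall(record))
    fields["Description"] = record[record.rfind("]") + 1:].strip()
    return fields


def auth_failures(text):
    """All AUTH_FAIL events in the log, as dicts of their fields."""
    return [fields for fields in map(parse_audit_record, unwrap_audit_messages(text))
            if fields.get("AuditEvent") == "AUTH_FAIL"]


if __name__ == "__main__":
    for event in auth_failures(SAMPLE_DEBUG_LOG):
        print("%s rejected %r: %s" % (event["AuthMgr"], event["AttemptedCred"],
                                      event["Description"]))
```

Run against the real `/var/lib/pki-ca/logs/debug`, the output names the authentication manager (`certUserDBAuthMgr`, which matches the presented client certificate against the CA's own user entries) and the certificate subject it could not map; `SubjectID=$Unidentified$` with `Outcome=Failure` means the certificate was received but matched no user.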

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-08-28 Thread Nicklas Björk
I have been following this thread with great interest, as I have
encountered similar problems with our migration from 3.0.0-37 on CentOS
6.5 to 3.3.3-28 on CentOS 7. I have been able to solve a few of them
with manual patching, but there is still something going on that
makes the CA replication fail.

The following changes have been made to the environments:

- On the replica,
/usr/lib/python2.7/site-packages/ipaserver/install/replication.py has
been patched to handle multiple values of nsDS5ReplicaId on the master.

- /usr/share/ipa/html/ca.crt used to contain our local root certificate
as well as the IPA CA-certificate, which caused the replica installation
to fail. The root certificate was removed from this file, the replica
gpg-bundle recreated, and the installation would happily continue.

- /etc/httpd/conf.d/ipa-pki-proxy.conf has been patched to contain the
profileSubmit-patch to the ee port-line

and have also tried with and without the additions to the admin port and
installer-line

Checking the log files on the 3.3.3 replica, there are a few error
messages, which I am not sure how to resolve.


/var/log/ipareplica-install.log ends with the following lines:

2014-08-27T14:44:15Z DEBUG Starting external process
2014-08-27T14:44:15Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpxkixl8
2014-08-27T14:45:19Z DEBUG Process finished, return code=1
2014-08-27T14:45:19Z DEBUG stdout=Loading deployment configuration from
/tmp/tmpxkixl8.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.


2014-08-27T14:45:19Z DEBUG stderr=pkispawn: WARNING  ... unable
to validate security domain user/password through REST interface.
Interface not available
pkispawn: ERROR... Exception from Java Configuration
Servlet: Error while updating security domain: java.io.IOException: 2

2014-08-27T14:45:19Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpxkixl8' returned non-zero exit status 1
2014-08-27T14:45:19Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 638, in run_script
return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 667, in main
CA = cainstance.install_replica_ca(config)

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1678, in install_replica_ca
subject_base=config.subject_base)

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
478, in configure_instance
self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 364, in start_creation
method()

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
604, in __spawn_instance
raise RuntimeError('Configuration of CA failed')

2014-08-27T14:45:19Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: Configuration of CA failed


/var/log/pki/pki-ca-spawn.20140827164415.log reveals these error messages:

2014-08-27 16:44:16 pkispawn: INFO ... executing 'systemctl
start pki-tomcatd@pki-tomcat.service'
2014-08-27 16:44:18 pkispawn: DEBUG... No connection -
server may still be down
2014-08-27 16:44:18 pkispawn: DEBUG... No connection -
exception thrown: [Errno 111] Connection refused
2014-08-27 16:44:26 pkispawn: DEBUG... 0CArunning10.0.5-3.el7
2014-08-27 16:44:27 pkispawn: INFO ... constructing PKI
configuration data.
2014-08-27 16:44:27 pkispawn: INFO ... configuring PKI
configuration data.
2014-08-27 16:45:19 pkispawn: ERROR... Exception from Java
Configuration Servlet: Error while updating security domain:
java.io.IOException: 2
2014-08-27 16:45:19 pkispawn: DEBUG... Error Type: HTTPError
2014-08-27 16:45:19 pkispawn: DEBUG... Error Message: 500
Server Error: Internal Server Error
2014-08-27 16:45:19 pkispawn: DEBUG...   File
"/usr/sbin/pkispawn", line 374, in main
rv = instance.spawn()
  File
"/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line
128, in spawn
json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py",
line 2998, in configure_pki_data
response = client.configure(data)
  File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in
configure
r = self.connection.post('/rest/installer/configure', data, headers)
  File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 638,
in raise_for_status
raise http_error


In /var/log/pki/pki-tomcat/catalina.out one can read:

Aug 27, 2014 4:44:22 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /var/lib/pki/pki

[Freeipa-users] ca.crt contains more than one certificate

2014-08-08 Thread Nicklas Björk
Trying to upgrade from FreeIPA 3.0 running on CentOS 6 to 3.3 on CentOS
7 using migration. I seem to have run into some certificate problems and
the replica installation halts half-way through. We have a simple
CA-structure, where FreeIPA has been installed as a sub-CA directly
under our root CA.

A replica bundle was created on the master using:
ipa-replica-prepare replica.example.net --ip-address 192.168.100.2
the gpg-file was copied to replica:/var/lib/ipa and the following
command was executed:
ipa-replica-install --mkhomedir -d --setup-ca --setup-dns
--no-forwarders /var/lib/ipa/replica-info-replica.example.net.gpg

During the first attempt, I was instructed to also run
copy-schema-to-ca.py on the master server, which has been done. The
replica installation halts complaining that ca.crt contains more than one
certificate. Both the FreeIPA CA and the Root CA certificates are in
that file.


Debug output in /var/log/ipareplica-install.log tells the following:

2014-08-08T12:22:08Z DEBUG   [17/34]: configuring ssl for ds instance
2014-08-08T12:22:08Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-EXAMPLE-NET/ -N -f
/etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/pk12util -d
/etc/dirsrv/slapd-EXAMPLE-NET/ -i
/tmp/tmpNOzZ3cipa/realm_info/dscert.p12 -k
/etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt -v -w /dev/stdin
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL

2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-EXAMPLE-NET/ -L
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
Certificate Nickname Trust
Attributes

SSL,S/MIME,JAR/XPI

Server-Cert  u,u,u
CN=Example Root CA,O=Example AB,,
EXAMPLE.NET IPA CA  ,,

2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-EXAMPLE-NET/ -A -n CA -t CT,CT, -a
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 638, in run_script
return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 664, in main
ds = install_replica_ds(config)

  File "/usr/sbin/ipa-replica-install", line 189, in install_replica_ds
ca_file=config.dir + "/ca.crt",

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
360, in create_replica
self.start_creation(runtime=60)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 364, in start_creation
method()

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
606, in enable_ssl
ca_file=self.ca_file)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 841, in create_from_pkcs12
self.nssdb.import_pem_cert('CA', 'CT,CT,', ca_file)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 240, in import_pem_cert
location)

2014-08-08T12:22:08Z DEBUG The ipa-replica-install command failed,
exception: ValueError: /tmp/tmpNOzZ3cipa/realm_info/ca.crt contains more
than one certificate



Is there anything obvious that is wrong or odd with this setup or process?


Best regards
Nicklas Björk



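The traceback ends in `import_pem_cert` raising `ValueError` because `ca.crt` holds two certificates, and the later message in this thread resolves it by removing the root certificate from the file. The script below is an added example, not IPA's code: it splits a PEM bundle into its certificate blocks, reproduces the installer's one-certificate rule on the text, and produces a bundle containing only the chosen certificate. The sample `ca.crt` is constructed with placeholder bodies, in the order the poster describes (root CA first, IPA CA second); the function names are this example's own.

```python
"""Split a PEM bundle and apply the single-certificate rule (added example)."""
import re

# A PEM certificate block, header through footer, across line breaks.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample of the failing ca.crt: two certificates with the
# comment lines some tools write between them. Bodies are placeholders,
# not real DER, so nothing here is parsed cryptographically.
SAMPLE_CA_CRT = """\
# CN=Example Root CA,O=Example AB
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgUk9PVCBDQSBCT0RZ
-----END CERTIFICATE-----
# EXAMPLE.NET IPA CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgSVBBIENBIEJPRFk=
-----END CERTIFICATE-----
"""


def split_pem_certificates(bundle_text):
    """Return every PEM certificate block in the bundle, in file order."""
    return [m.group(0) for m in PEM_CERT_RE.finditer(bundle_text)]


def bundle_problem(bundle_text, path="ca.crt"):
    """The installer-style complaint for this bundle, or None if it is acceptable.

    The wording for the two-certificate case is the one in the traceback
    above; the empty case is this example's own check.
    """
    count = len(split_pem_certificates(bundle_text))
    if count == 0:
        return "%s contains no certificate" % path
    if count > 1:
        return "%s contains more than one certificate" % path
    return None


def keep_certificate(bundle_text, index):
    """A bundle holding only certificate `index` (0-based), ready to write back."""
    certs = split_pem_certificates(bundle_text)
    if not 0 <= index < len(certs):
        raise IndexError("bundle has %d certificate(s), no index %d"
                         % (len(certs), index))
    return certs[index] + "\n"


def repair_file(path, index, backup_suffix=".orig"):
    """Rewrite `path` keeping one certificate; the original is saved alongside."""
    with open(path) as fh:
        text = fh.read()
    with open(path + backup_suffix, "w") as fh:
        fh.write(text)
    with open(path, "w") as fh:
        fh.write(keep_certificate(text, index))


if __name__ == "__main__":
    print(bundle_problem(SAMPLE_CA_CRT))            # the installer's complaint
    print(bundle_problem(keep_certificate(SAMPLE_CA_CRT, 1)))  # None: acceptable
```

Which index is the IPA CA has to be confirmed before writing anything back, for instance with `openssl x509 -noout -subject` on each block; the script deliberately does not guess from the comment lines, since not every bundle has them.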

Re: [Freeipa-users] Pure Kerberos login on Windows stopped working

2013-11-13 Thread Nicklas Björk
On 2013-11-13 20:00, Simo Sorce wrote:
> On Tue, 2013-11-12 at 21:50 +0100, Nicklas Björk wrote:
>> On 2013-11-12 21:39, Simo Sorce wrote:
>>> On Tue, 2013-11-12 at 21:11 +0100, Nicklas Björk wrote:
>>>> In our environment we have a very limited number of shared virtual Windows
>>>> 7 machines. We haven't really seen any value in setting up an AD domain
>>>> for them, but have been relying on pure Kerberos authentication using
>>>> the ksetup procedure
>>>> (http://www.freeipa.org/page/Windows_authentication_against_FreeIPA).
>>>>
>>>> Recently the LDAP in our FreeIPA 3.0 was updated with the task to add
>>>> SIDs to all old user accounts (the newer ones would already have a SID),
>>>> but that made the Kerberos logon stop working for remote desktop
>>>> connections. Logging on to the console using the same Kerberos
>>>> credentials would still work... This seems to be directly related to the
>>>> addition of SIDs in LDAP, as removing the object class ipantuserattrs
>>>> and the SID would get it back in order again.
>>>>
>>>> Are there any known tricks that could be applied to the Windows machines
>>>> (or to FreeIPA for that matter) that would make this work again?
>>>
>>> It's odd that adding the SIDs makes it not work, I remember reports of
>>> people being happy to see it work better.
>>>
>>> We do have a way to disable setting the MS-PAC on tickets, but I fear it
>>> is only for TGS requests and not for the TGT.
>>>
>>> Have you added SIDs because you are using a trust relationship with an
>>> AD domain, and you just wish not to use them for these few Windows
>>> machines ?
>>>
>>> Simo.
>>>
>>
>> Rather than the SIDs, it was the NT-hash I was looking for, to be used
>> in a Radius implementation. The task in LDAP to make the update also
>> added SIDs to all user accounts.
>>
>> The mentioned few Windows machines are the only ones here and there is
>> also no AD available. At an earlier stage I may have tried making a
>> trust using the ipa-adtrust-install against a test-AD that was available
>> for some time, but it's long gone and there are currently no configured
>> trusts.
> 
> I see, but the SID is required by the objectclass that allows you to set
> the NThash. One way to resolve that would be to use a different
> objectclass so you do not have to set the SID, but I am not sure NThash
> would be automatically refreshed at password change then.
> 
> Can you tell me exactly what error do your Win7 machines return ?
> 
> Simo.
> 

I have actually spent a few hours today trying to figure out under what
circumstances it stops working. It seems like authentication with
Kerberos always works, but for some reason it won't let the user create
a session when connecting using RDP, when the SID is available in the
directory (thus also in the kerberos ticket, I would assume?). The local
user account is in the Administrators as well as the Remote Desktop
Users groups, but the error message given at logon is "The requested
session access is denied.".

There must be some way to get more information on what the system is
doing and what it wants. Perhaps it would be possible to increase the
amount of debugging information in the event viewer? Maybe it would
start working again if I flipped the right 0 to a 1 somewhere in the
deep registry forest...


Nicklas

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Pure Kerberos login on Windows stopped working

2013-11-12 Thread Nicklas Björk
On 2013-11-12 21:39, Simo Sorce wrote:
> On Tue, 2013-11-12 at 21:11 +0100, Nicklas Björk wrote:
>> In our environment we have a very limited number of shared virtual Windows
>> 7 machines. We haven't really seen any value in setting up an AD domain
>> for them, but have been relying on pure Kerberos authentication using
>> the ksetup procedure
>> (http://www.freeipa.org/page/Windows_authentication_against_FreeIPA).
>>
>> Recently the LDAP in our FreeIPA 3.0 was updated with the task to add
>> SIDs to all old user accounts (the newer ones would already have a SID),
>> but that made the Kerberos logon stop working for remote desktop
>> connections. Logging on to the console using the same Kerberos
>> credentials would still work... This seems to be directly related to the
>> addition of SIDs in LDAP, as removing the object class ipantuserattrs
>> and the SID would get it back in order again.
>>
>> Are there any known tricks that could be applied to the Windows machines
>> (or to FreeIPA for that matter) that would make this work again?
> 
> It's odd that adding the SIDs makes it not work, I remember reports of
> people being happy to see it work better.
> 
> We do have a way to disable setting the MS-PAC on tickets, but I fear it
> is only for TGS requests and not for the TGT.
> 
> Have you added SIDs because you are using a trust relationship with an
> AD domain, and you just wish not to use them for these few Windows
> machines ?
> 
> Simo.
> 

Rather than the SIDs, it was the NT-hash I was looking for, to be used
in a Radius implementation. The task in LDAP to make the update also
added SIDs to all user accounts.

The mentioned few Windows machines are the only ones here and there is
also no AD available. At an earlier stage I may have tried making a
trust using the ipa-adtrust-install against a test-AD that was available
for some time, but it's long gone and there are currently no configured
trusts.


/Nicklas


[Freeipa-users] Pure Kerberos login on Windows stopped working

2013-11-12 Thread Nicklas Björk
In our environment we have a very limited number of shared virtual Windows
7 machines. We haven't really seen any value in setting up an AD domain
for them, but have been relying on pure Kerberos authentication using
the ksetup procedure
(http://www.freeipa.org/page/Windows_authentication_against_FreeIPA).

Recently the LDAP in our FreeIPA 3.0 was updated with the task to add
SIDs to all old user accounts (the newer ones would already have a SID),
but that made the Kerberos logon stop working for remote desktop
connections. Logging on to the console using the same Kerberos
credentials would still work... This seems to be directly related to the
addition of SIDs in LDAP, as removing the object class ipantuserattrs
and the SID would get it back in order again.

Are there any known tricks that could be applied to the Windows machines
(or to FreeIPA for that matter) that would make this work again?



Best regards
Nicklas Björk



[Freeipa-users] Generating SIDs for old user accounts on FreeIPA 3.0

2013-11-11 Thread Nicklas Björk
Hi list,

We are running FreeIPA 3.0 with an installation that has been with us
since the 2.x-era. We had a situation where we needed the NT password
hash, which wasn't generated in earlier versions of FreeIPA, and would
not be available for old user accounts even on this newer version. New
user accounts would get them set upon creation.

On #freeipa at FreeNode, ab was kind enough to guide me through the
process of starting an ldap-task to add the needed attributes to the old
accounts. I thought I'd share this in case anyone else would ask the
same question. The procedure is also described on slide 11 in this
presentation http://www.freeipa.org/images/4/49/Freeipa30_Trust_Basics.odp.

1) Make sure you have /usr/lib{,64}/dirsrv/plugins/libipa_sidgen.so and
/usr/lib{,64}/dirsrv/plugins/libipa_sidgen_task.so on your system.

2) Copy /usr/share/ipa/ipa-sidgen-task-run.ldif, edit nsslapd-basedn to
match your base dn. (grep basedn /etc/ipa/default.conf | cut -d= -f2-)

3) ldapadd the ldif to cn=config, to start the task.

I am not sure under which circumstances the NT hash is
automagically updated, but setting a new user password did update all
password fields.



Best regards,
Nicklas Björk

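The three steps above are easy to get subtly wrong (a base DN with the wrong suffix, or the plugin libraries missing on one server), so here they are as a script. This is an added example, not part of the post and not IPA's own tooling: it checks for the sidgen plugin libraries (step 1), reads `basedn` from `/etc/ipa/default.conf` and sets `nsslapd-basedn` in a copy of the task LDIF (step 2), and builds the `ldapadd` command for step 3 without running it. The `default.conf` and LDIF texts are constructed samples; the real `/usr/share/ipa/ipa-sidgen-task-run.ldif` shipped with IPA is the one to copy, and the `ldapadd` flags shown are one common invocation, not anything the post specifies.

```python
"""Prepare the ipa-sidgen task LDIF from default.conf (added example)."""
import os

PLUGIN_DIRS = ("/usr/lib/dirsrv/plugins", "/usr/lib64/dirsrv/plugins")
PLUGINS = ("libipa_sidgen.so", "libipa_sidgen_task.so")

# Constructed sample of the relevant part of /etc/ipa/default.conf.
SAMPLE_DEFAULT_CONF = """\
[global]
host = ipa.example.net
basedn = dc=example,dc=net
realm = EXAMPLE.NET
"""

# Constructed sample of the task LDIF shape; everything except the
# nsslapd-basedn attribute stands in for the shipped file's content.
SAMPLE_TASK_LDIF = """\
dn: cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: sidgen
nsslapd-basedn: $SUFFIX
"""


def basedn_from_default_conf(conf_text):
    """Equivalent of `grep basedn /etc/ipa/default.conf | cut -d= -f2-`, trimmed."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "basedn":
            return value.strip()
    raise ValueError("no basedn line in default.conf")


def render_task_ldif(template_text, basedn):
    """Return the LDIF with nsslapd-basedn set to the real base DN."""
    out, replaced = [], False
    for line in template_text.splitlines():
        if line.lower().startswith("nsslapd-basedn:"):
            line = "nsslapd-basedn: " + basedn
            replaced = True
        out.append(line)
    if not replaced:
        raise ValueError("template has no nsslapd-basedn attribute")
    return "\n".join(out) + "\n"


def missing_plugins(dirs=PLUGIN_DIRS, exists=os.path.exists):
    """Step 1: sidgen libraries found in none of the plugin directories."""
    return [name for name in PLUGINS
            if not any(exists(os.path.join(d, name)) for d in dirs)]


def ldapadd_command(ldif_path):
    """Step 3: add the task entry under cn=config as Directory Manager."""
    return ["ldapadd", "-x", "-D", "cn=Directory Manager", "-W", "-f", ldif_path]


if __name__ == "__main__":
    if missing_plugins():
        print("missing plugin libraries:", missing_plugins())
    basedn = basedn_from_default_conf(SAMPLE_DEFAULT_CONF)
    print(render_task_ldif(SAMPLE_TASK_LDIF, basedn))
    print(" ".join(ldapadd_command("/root/ipa-sidgen-task-run.ldif")))
```

To use it for real, read the two files from disk instead of the samples, write the rendered LDIF somewhere root-only, and run the printed command; the task starts as soon as the entry is added, so checking the base DN in the rendered output first is the whole point of splitting step 2 from step 3.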