Re: [Freeipa-users] RHEL 7 Upgrade experience so far
On 2014-08-28 10:58, Nicklas Björk wrote:
> 2014-08-27T14:45:19Z DEBUG stderr=pkispawn: WARNING ... unable
> to validate security domain user/password through REST interface.
> Interface not available

Digging a bit further I found the following in /var/lib/pki-ca/logs/debug on the FreeIPA master. All lines share the common prefix [09/Sep/2014:14:30:27][TP-Processor6].

CMSServlet:service() uri = /ca/agent/ca/updateDomainXML
CMSServlet::service() param name='name' value='"/var/lib/pki/pki-tomcat"'
CMSServlet::service() param name='ncsport' value='8443'
CMSServlet::service() param name='sport' value='None'
CMSServlet::service() param name='operation' value='remove'
CMSServlet::service() param name='adminsport' value='8443'
CMSServlet::service() param name='list' value='caList'
CMSServlet::service() param name='type' value='CA'
CMSServlet::service() param name='agentsport' value='8443'
CMSServlet::service() param name='host' value='replica.example.net'
CMSServlet: caUpdateDomainXML start to service.
UpdateDomainXML: processing...
UpdateDomainXML process: authentication starts
IP: 192.168.1.20
AuthMgrName: certUserDBAuthMgr
CMSServlet: retrieving SSL certificate
CMSServlet: certUID=CN=CA Subsystem,O=EXAMPLE.NET
CertUserDBAuth: started
CertUserDBAuth: Retrieving client certificate
CertUserDBAuth: Got client certificate
Authentication: client certificate found
In LdapBoundConnFactory::getConn()
masterConn is connected: true
getConn: conn is connected true
getConn: mNumConns now 2
returnConn: mNumConns now 3
SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA Subsystem,O=EXAMPLE.NET] authentication failure
CMSServlet: curDate=Tue Sep 09 14:30:27 CEST 2014 id=caUpdateDomainXML time=5

What kind of authentication is it complaining about, and is it possible to repair it?
Nicklas

signature.asc
Description: OpenPGP digital signature

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
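The SignedAuditEventFactory line quoted above is the only line in that excerpt that names both the outcome and the authentication manager, so it is the one to extract when scanning a CA's debug log for failures of this kind. The parser below is an added example, not code from the post or from the FreeIPA or Dogtag projects. It assumes only the [Key=Value] layout visible in that quoted line; the log excerpt it runs over is constructed from the lines above, and explain() states the reading the log itself supports: the client certificate was received (CertUserDBAuth: Got client certificate) but the certificate-to-user step produced no subject (SubjectID=$Unidentified$).

```python
"""Pull AUTH_FAIL audit events out of a Dogtag CA debug log and report
client-certificate mapping failures.

Added example; not code from the FreeIPA or Dogtag projects. The only
assumption is the [Key=Value] bracket layout seen in the quoted log line.
"""
import re

# Constructed excerpt of /var/lib/pki-ca/logs/debug (common prefix stripped,
# as in the post). Only the SignedAuditEventFactory line carries an event.
SAMPLE_DEBUG_LOG = """\
UpdateDomainXML process: authentication starts
IP: 192.168.1.20
AuthMgrName: certUserDBAuthMgr
CMSServlet: certUID=CN=CA Subsystem,O=EXAMPLE.NET
CertUserDBAuth: Got client certificate
SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA Subsystem,O=EXAMPLE.NET] authentication failure
CMSServlet: curDate=Tue Sep 09 14:30:27 CEST 2014 id=caUpdateDomainXML time=5
"""

AUDIT_LINE = re.compile(r"SignedAuditEventFactory: create\(\) message=(?P<body>.*)$")
# A bracketed field is a key, '=', then everything up to the closing bracket.
# Values such as a DN contain commas and '=', so only ']' terminates a value.
FIELD = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")


def parse_audit_event(line):
    """Return the [Key=Value] fields of one audit line as a dict, or None
    when the line is not an audit event. Free text after the last bracket
    is kept under 'Message'."""
    m = AUDIT_LINE.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(m.group("body")))
    fields["Message"] = FIELD.sub("", m.group("body")).strip()
    return fields


def find_cert_auth_failures(log_text):
    """Return every AUTH_FAIL event raised by the certificate-to-user
    authentication manager (certUserDBAuthMgr)."""
    found = []
    for line in log_text.splitlines():
        ev = parse_audit_event(line)
        if ev is None:
            continue
        if ev.get("AuditEvent") == "AUTH_FAIL" and ev.get("AuthMgr") == "certUserDBAuthMgr":
            found.append(ev)
    return found


def explain(ev):
    """One-line diagnosis of a certUserDBAuthMgr failure, in terms the
    log itself supports: the TLS client certificate arrived, but the CA
    mapped it to no user in its internal user database."""
    return ("client certificate %s was received but mapped to no CA user "
            "(SubjectID=%s, Outcome=%s)" % (ev.get("AttemptedCred", "?"),
                                            ev.get("SubjectID", "?"),
                                            ev.get("Outcome", "?")))


if __name__ == "__main__":
    for event in find_cert_auth_failures(SAMPLE_DEBUG_LOG):
        print(explain(event))
```

Run over a full debug log, find_cert_auth_failures() lists each rejected certificate DN, which is the first thing to compare against the CA's user entries when an agent or subsystem call starts failing after an upgrade.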
Re: [Freeipa-users] RHEL 7 Upgrade experience so far
I have been following this thread with great interest, as I have encountered similar problems with our migration from 3.0.0-37 on CentOS 6.5 to 3.3.3-28 on CentOS 7. I have been able to solve a few of them with manual patching, but there is still something going on that makes the CA replication fail.

The following changes have been made to the environments:

- On the replica, /usr/lib/python2.7/site-packages/ipaserver/install/replication.py has been patched to handle multiple values of nsDS5ReplicaId on the master.

- /usr/share/ipa/html/ca.crt used to contain our local root certificate as well as the IPA CA certificate, which caused the replica installation to fail. The root certificate was removed from this file, the replica gpg bundle recreated, and the installation would happily continue.

- /etc/httpd/conf.d/ipa-pki-proxy.conf has been patched to contain the profileSubmit patch to the ee port line, and I have also tried with and without the additions to the admin port and installer line.

Checking the log files on the 3.3.3 replica, there are a few error messages which I am not sure how to resolve.

/var/log/ipareplica-install.log ends with the following lines:

2014-08-27T14:44:15Z DEBUG Starting external process
2014-08-27T14:44:15Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpxkixl8
2014-08-27T14:45:19Z DEBUG Process finished, return code=1
2014-08-27T14:45:19Z DEBUG stdout=Loading deployment configuration from /tmp/tmpxkixl8.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2014-08-27T14:45:19Z DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
2014-08-27T14:45:19Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpxkixl8' returned non-zero exit status 1
2014-08-27T14:45:19Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-replica-install", line 667, in main
    CA = cainstance.install_replica_ca(config)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1678, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 604, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')
2014-08-27T14:45:19Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed

/var/log/pki/pki-ca-spawn.20140827164415.log reveals these error messages:

2014-08-27 16:44:16 pkispawn: INFO ... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
2014-08-27 16:44:18 pkispawn: DEBUG... No connection - server may still be down
2014-08-27 16:44:18 pkispawn: DEBUG... No connection - exception thrown: [Errno 111] Connection refused
2014-08-27 16:44:26 pkispawn: DEBUG... 0CArunning10.0.5-3.el7
2014-08-27 16:44:27 pkispawn: INFO ... constructing PKI configuration data.
2014-08-27 16:44:27 pkispawn: INFO ... configuring PKI configuration data.
2014-08-27 16:45:19 pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
2014-08-27 16:45:19 pkispawn: DEBUG... Error Type: HTTPError
2014-08-27 16:45:19 pkispawn: DEBUG... Error Message: 500 Server Error: Internal Server Error
2014-08-27 16:45:19 pkispawn: DEBUG...   File "/usr/sbin/pkispawn", line 374, in main
    rv = instance.spawn()
  File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line 128, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 2998, in configure_pki_data
    response = client.configure(data)
  File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in configure
    r = self.connection.post('/rest/installer/configure', data, headers)
  File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 638, in raise_for_status
    raise http_error

In /var/log/pki/pki-tomcat/catalina.out one can read:

Aug 27, 2014 4:44:22 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/pki/pki
[Freeipa-users] ca.crt contains more than one certificate
Trying to upgrade from FreeIPA 3.0 running on CentOS 6 to 3.3 on CentOS 7 using migration. I seem to have run into some certificate problems and the replica installation halts half-way through.

We have a simple CA structure, where FreeIPA has been installed as a sub-CA directly under our root CA.

A replica bundle was created on the master using:

ipa-replica-prepare replica.example.net --ip-address 192.168.100.2

The gpg file was copied to replica:/var/lib/ipa and the following command was executed:

ipa-replica-install --mkhomedir -d --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-replica.example.net.gpg

During the first attempt, I was instructed to also run copy-schema-to-ca.py on the master server, which has been done.

The replica installation halts complaining that ca.crt contains more than one certificate. Both the FreeIPA CA and the Root CA certificates are in that file. Debug output in /var/log/ipareplica-install.log tells the following:

2014-08-08T12:22:08Z DEBUG   [17/34]: configuring ssl for ds instance
2014-08-08T12:22:08Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-NET/ -N -f /etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/pk12util -d /etc/dirsrv/slapd-EXAMPLE-NET/ -i /tmp/tmpNOzZ3cipa/realm_info/dscert.p12 -k /etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt -v -w /dev/stdin
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-NET/ -L
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Server-Cert                                   u,u,u
CN=Example Root CA,O=Example AB               ,,
EXAMPLE.NET IPA CA                            ,,
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-NET/ -A -n CA -t CT,CT, -a
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-replica-install", line 664, in main
    ds = install_replica_ds(config)
  File "/usr/sbin/ipa-replica-install", line 189, in install_replica_ds
    ca_file=config.dir + "/ca.crt",
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 360, in create_replica
    self.start_creation(runtime=60)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 606, in enable_ssl
    ca_file=self.ca_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 841, in create_from_pkcs12
    self.nssdb.import_pem_cert('CA', 'CT,CT,', ca_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 240, in import_pem_cert
    location)
2014-08-08T12:22:08Z DEBUG The ipa-replica-install command failed, exception: ValueError: /tmp/tmpNOzZ3cipa/realm_info/ca.crt contains more than one certificate

Is there anything obvious that is wrong or odd with this setup or process?

Best regards
Nicklas Björk
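The ValueError at the end of that traceback is import_pem_cert refusing a ca.crt that carries two certificate blocks. The following is an added example, not FreeIPA's code and not code from the post: a small PEM-bundle splitter that applies the same one-certificate rule and rewrites the bundle with a single block, which is the pre-check one would run on the ca.crt that ipa-replica-prepare packages before generating the replica bundle. The PEM payloads in it are constructed placeholder bytes that only look DER-like, not real certificates.

```python
"""Split a PEM bundle into its certificate blocks and enforce the
'exactly one certificate' rule the replica installer applies to
realm_info/ca.crt.

Added example; not FreeIPA's own code. The PEM bodies below are
constructed placeholder bytes, not real certificates.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----",
    re.DOTALL)


def _fake_pem(payload):
    """Wrap arbitrary bytes in PEM armour (constructed test data only)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


# Constructed stand-in for a ca.crt holding the root CA and the IPA CA.
# 0x30 0x82 is how a DER-encoded certificate of realistic size begins
# (SEQUENCE, two-byte length); the rest of the payload is filler.
ROOT_CA_PEM = _fake_pem(b"\x30\x82\x01\x00" + b"root-ca-placeholder" * 8)
IPA_CA_PEM = _fake_pem(b"\x30\x82\x01\x00" + b"ipa-ca-placeholder" * 8)
BUNDLE_WITH_TWO = ROOT_CA_PEM + IPA_CA_PEM


def split_pem_certs(text):
    """Return the DER bytes of every certificate block in `text`.
    Raises ValueError for a block whose body is not clean base64 or
    does not decode to a DER SEQUENCE."""
    certs = []
    for m in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", m.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as e:
            raise ValueError("malformed PEM body: %s" % e)
        if not der.startswith(b"\x30"):
            raise ValueError("PEM body does not decode to a DER SEQUENCE")
        certs.append(der)
    return certs


def check_single_cert(path_label, text):
    """Mirror the installer's rule: exactly one certificate per ca.crt.
    Returns the DER of that certificate, or raises ValueError with the
    same wording the installer used."""
    certs = split_pem_certs(text)
    if not certs:
        raise ValueError("%s contains no certificate" % path_label)
    if len(certs) > 1:
        raise ValueError("%s contains more than one certificate" % path_label)
    return certs[0]


def keep_only(text, index):
    """Rewrite a bundle keeping just the block at `index`, so that the
    extra (root) certificate can be dropped before the replica bundle is
    regenerated. Which block to keep is the operator's decision."""
    blocks = [m.group(0) for m in PEM_BLOCK.finditer(text)]
    return blocks[index] + "\n"


if __name__ == "__main__":
    print("blocks in bundle:", len(split_pem_certs(BUNDLE_WITH_TWO)))
    single = keep_only(BUNDLE_WITH_TWO, 1)
    print("after keep_only:", len(split_pem_certs(single)))
```

With a real bundle, `openssl x509 -noout -subject -in <file>` on each block tells the root and the IPA CA apart before choosing the index to keep.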
Re: [Freeipa-users] Pure Kerberos login on Windows stopped working
On 2013-11-13 20:00, Simo Sorce wrote:
> On Tue, 2013-11-12 at 21:50 +0100, Nicklas Björk wrote:
>> On 2013-11-12 21:39, Simo Sorce wrote:
>>> On Tue, 2013-11-12 at 21:11 +0100, Nicklas Björk wrote:
>>>> In our environment we have a very limited number of shared virtual Windows
>>>> 7 machines. We haven't really seen any value in setting up an AD domain
>>>> for them, but have been relying on pure Kerberos authentication using
>>>> the ksetup procedure
>>>> (http://www.freeipa.org/page/Windows_authentication_against_FreeIPA).
>>>>
>>>> Recently the LDAP in our FreeIPA 3.0 was updated with the task to add
>>>> SIDs to all old user accounts (the newer ones would already have a SID),
>>>> but that made the Kerberos logon stop working for remote desktop
>>>> connections. Logging on to the console using the same Kerberos
>>>> credentials would still work... This seems to be directly related to the
>>>> addition of SIDs in LDAP, as removing the object class ipantuserattrs
>>>> and the SID would get it back in order again.
>>>>
>>>> Are there any known tricks that could be applied to the Windows machines
>>>> (or to FreeIPA for that matter) that would make this work again?
>>>
>>> It's odd that adding the SIDs makes it not work, I remember reports of
>>> people being happy to see it work better.
>>>
>>> We do have a way to disable setting the MS-PAC on tickets, but I fear it
>>> is only for TGS requests and not for the TGT.
>>>
>>> Have you added SIDs because you are using a trust relationship with an
>>> AD domain, and you just wish not to use them for these few Windows
>>> machines?
>>>
>>> Simo.
>>>
>>
>> Rather than the SIDs, it was the NT hash I was looking for, to be used
>> in a RADIUS implementation. The task in LDAP to make the update also
>> added SIDs to all user accounts.
>>
>> The mentioned few Windows machines are the only ones here and there is
>> also no AD available. At an earlier stage I may have tried making a
>> trust using ipa-adtrust-install against a test AD that was available
>> for some time, but it's long gone and there are currently no configured
>> trusts.
>
> I see, but the SID is required by the objectclass that allows you to set
> the NT hash. One way to resolve that would be to use a different
> objectclass so you do not have to set the SID, but I am not sure the NT hash
> would be automatically refreshed at password change then.
>
> Can you tell me exactly what error your Win7 machines return?
>
> Simo.
>

I have actually spent a few hours today trying to figure out under what circumstances it stops working. It seems like authentication with Kerberos always works, but for some reason it won't let the user create a session when connecting using RDP, when the SID is available in the directory (thus also in the Kerberos ticket, I would assume?).

The local user account is in the Administrators as well as the Remote Desktop Users groups, but the error message given at logon is "The requested session access is denied."

There must be some way to get more information on what the system is doing and what it wants. Perhaps it would be possible to increase the amount of debugging information in the event viewer? Maybe it would start working again if I flipped the right 0 to a 1 somewhere in the deep registry forest...

Nicklas

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Pure Kerberos login on Windows stopped working
On 2013-11-12 21:39, Simo Sorce wrote:
> On Tue, 2013-11-12 at 21:11 +0100, Nicklas Björk wrote:
>> In our environment we have a very limited number of shared virtual Windows
>> 7 machines. We haven't really seen any value in setting up an AD domain
>> for them, but have been relying on pure Kerberos authentication using
>> the ksetup procedure
>> (http://www.freeipa.org/page/Windows_authentication_against_FreeIPA).
>>
>> Recently the LDAP in our FreeIPA 3.0 was updated with the task to add
>> SIDs to all old user accounts (the newer ones would already have a SID),
>> but that made the Kerberos logon stop working for remote desktop
>> connections. Logging on to the console using the same Kerberos
>> credentials would still work... This seems to be directly related to the
>> addition of SIDs in LDAP, as removing the object class ipantuserattrs
>> and the SID would get it back in order again.
>>
>> Are there any known tricks that could be applied to the Windows machines
>> (or to FreeIPA for that matter) that would make this work again?
>
> It's odd that adding the SIDs makes it not work, I remember reports of
> people being happy to see it work better.
>
> We do have a way to disable setting the MS-PAC on tickets, but I fear it
> is only for TGS requests and not for the TGT.
>
> Have you added SIDs because you are using a trust relationship with an
> AD domain, and you just wish not to use them for these few Windows
> machines?
>
> Simo.
>

Rather than the SIDs, it was the NT hash I was looking for, to be used in a RADIUS implementation. The task in LDAP to make the update also added SIDs to all user accounts.

The mentioned few Windows machines are the only ones here and there is also no AD available. At an earlier stage I may have tried making a trust using ipa-adtrust-install against a test AD that was available for some time, but it's long gone and there are currently no configured trusts.
/Nicklas
[Freeipa-users] Pure Kerberos login on Windows stopped working
In our environment we have a very limited number of shared virtual Windows 7 machines. We haven't really seen any value in setting up an AD domain for them, but have been relying on pure Kerberos authentication using the ksetup procedure (http://www.freeipa.org/page/Windows_authentication_against_FreeIPA).

Recently the LDAP in our FreeIPA 3.0 was updated with the task to add SIDs to all old user accounts (the newer ones would already have a SID), but that made the Kerberos logon stop working for remote desktop connections. Logging on to the console using the same Kerberos credentials would still work... This seems to be directly related to the addition of SIDs in LDAP, as removing the object class ipantuserattrs and the SID would get it back in order again.

Are there any known tricks that could be applied to the Windows machines (or to FreeIPA for that matter) that would make this work again?

Best regards
Nicklas Björk
[Freeipa-users] Generating SIDs for old user accounts on FreeIPA 3.0
Hi list,

We are running FreeIPA 3.0 with an installation that has been with us since the 2.x era. We had a situation where we needed the NT password hash, which wasn't generated in earlier versions of FreeIPA, and would not be available for old user accounts even on this newer version. New user accounts would get them set upon creation.

On #freeipa at FreeNode, ab was kind enough to guide me through the process of starting an LDAP task to add the needed attributes to the old accounts. I thought I'd share this in case anyone else would ask the same question. The procedure is also described on slide 11 in this presentation: http://www.freeipa.org/images/4/49/Freeipa30_Trust_Basics.odp

1) Make sure you have /usr/lib{,64}/dirsrv/plugins/libipa_sidgen.so and /usr/lib{,64}/dirsrv/plugins/libipa_sidgen_task.so on your system.

2) Copy /usr/share/ipa/ipa-sidgen-task-run.ldif and edit nsslapd-basedn to match your base DN (grep basedn /etc/ipa/default.conf | cut -d= -f2-).

3) ldapadd the ldif to cn=config to start the task.

I am not sure under which circumstances the NT hash is automagically updated, but setting a new user password did update all password fields.

Best regards,
Nicklas Björk
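As an added example that is not part of the post and not FreeIPA's own code, the script below carries the three steps through for a given install: it checks both plugin libraries in the two candidate directories, pulls basedn out of default.conf the way the grep/cut pipeline does, and rewrites nsslapd-basedn in a copy of the task LDIF. The default.conf excerpt and the LDIF template in it are constructed stand-ins (the template's attributes other than nsslapd-basedn are assumed, not copied from the shipped file), and the final ldapadd against cn=config is left to the operator.

```python
"""Prepare the ipa-sidgen task LDIF for one FreeIPA installation.

Added example; not FreeIPA's own code. The default.conf and LDIF text
below are constructed stand-ins: the LDIF attributes other than
nsslapd-basedn are assumed, not taken from the shipped file.
"""
import os
import re

# Constructed excerpt of /etc/ipa/default.conf.
SAMPLE_DEFAULT_CONF = """\
[global]
host = ipa.example.net
basedn = dc=example,dc=net
realm = EXAMPLE.NET
domain = example.net
"""

# Constructed stand-in for /usr/share/ipa/ipa-sidgen-task-run.ldif
# (the value to edit is the nsslapd-basedn placeholder).
SAMPLE_TASK_LDIF = """\
dn: cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config
objectclass: top
objectclass: extensibleObject
cn: sidgen
nsslapd-basedn: $SUFFIX
delay: 0
"""

PLUGIN_NAMES = ("libipa_sidgen.so", "libipa_sidgen_task.so")
PLUGIN_DIRS = ("/usr/lib/dirsrv/plugins", "/usr/lib64/dirsrv/plugins")


def missing_plugins(dirs=PLUGIN_DIRS, names=PLUGIN_NAMES, exists=os.path.exists):
    """Step 1: names of plugin libraries found in none of the candidate
    directories. `exists` is injectable so the check can be exercised
    without a real dirsrv install."""
    return [name for name in names
            if not any(exists(os.path.join(d, name)) for d in dirs)]


def read_basedn(conf_text):
    """Step 2a: the basedn value, matched on the key itself rather than
    on any line containing the word 'basedn'."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*basedn\s*=\s*(.+?)\s*$", line)
        if m:
            return m.group(1)
    raise ValueError("basedn not found in default.conf")


def render_task_ldif(ldif_text, basedn):
    """Step 2b: replace the nsslapd-basedn value; every other line of the
    template is copied unchanged."""
    out, replaced = [], False
    for line in ldif_text.splitlines():
        if line.lower().startswith("nsslapd-basedn:"):
            out.append("nsslapd-basedn: " + basedn)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        raise ValueError("template has no nsslapd-basedn attribute")
    return "\n".join(out) + "\n"


def prepare(conf_text, ldif_text, exists=os.path.exists):
    """Steps 1 and 2 together: refuse to produce an LDIF when a plugin is
    missing (the task would not run), otherwise return the LDIF text
    ready to be fed to ldapadd against cn=config (step 3)."""
    missing = missing_plugins(exists=exists)
    if missing:
        raise RuntimeError("sidgen plugins missing: %s" % ", ".join(missing))
    return render_task_ldif(ldif_text, read_basedn(conf_text))


if __name__ == "__main__":
    # Pretend both plugins are installed so the sample runs anywhere.
    print(prepare(SAMPLE_DEFAULT_CONF, SAMPLE_TASK_LDIF, exists=lambda p: True))
```

Against a live server, read the real files (/etc/ipa/default.conf and the shipped LDIF) and drop the `exists` override so the plugin check runs for real; the returned text is what step 3 adds with ldapadd.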