Re: [Freeipa-users] FREAK Vulnerability

2016-01-28 Thread Terry John
Ok thanks for that but I've had to give up, our freeipa server is too critical to our business for me to continue even with outages of one or two minutes. The Ciphers below were not recognised and when I just tried to remove the export ciphers from the original list I got this error (Netscape

Re: [Freeipa-users] FREAK Vulnerability

2016-01-28 Thread Prasun Gera
Can someone at RH update this article https://access.redhat.com/articles/1467293 ? I found it to be fairly useful, but I'm not sure if it's up to date. On Thu, Jan 28, 2016 at 11:04 AM, Terry John < terry.j...@completeautomotivesolutions.co.uk> wrote: > Ok thanks for that but I've had to give

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Prashant Bapat
Sure. Attached the stack trace with debuginfo installed. Thanks much! On 28 January 2016 at 16:53, Sumit Bose wrote: > On Thu, Jan 28, 2016 at 04:42:20PM +0530, Prashant Bapat wrote: > > gdb stacktrace attached. > > Can you install the debuginfo with > > debuginfo-install

Re: [Freeipa-users] Client-Install failures

2016-01-28 Thread David Zabner
Any guess as to what it would be then? The location that is “missing a file” is specified by the gssapi config in /etc/httpd/conf.d/ipa.conf. So I assumed that this would be a mod_gssapi failure… Thanks for your help, David > On Jan 28, 2016, at 5:55 AM, Simo Sorce wrote: > >

Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously

2016-01-28 Thread Izzo, Anthony
I should add that some of my team members have tried serializing their instance launches, and this problem does not seem to occur under those circumstances. (That's not a solution, just a data point for those interested in this behavior). Thanks. From: Izzo, Anthony (U.S. Person) Sent:

Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously

2016-01-28 Thread David Zabner
This sounds exactly like the problem I am having. I will attach my error log. Is this what yours looks like? error_log Description: error_log On Jan 28, 2016, at 1:10 PM, Izzo, Anthony wrote: I’m seeing what feels like a concurrency error. I’m in a cloud environment and

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Sumit Bose
On Thu, Jan 28, 2016 at 09:36:55PM +0530, Prashant Bapat wrote: > Sure. Attached the stack trace with debuginfo installed. > > Thanks much! This looks very much like the issue Simo fixed recently, but unfortunately I think it is so recent that it is not available in any release package.

Re: [Freeipa-users] SSSD Crash Causing Inaccessibility

2016-01-28 Thread Lukas Slebodnik
On (28/01/16 16:25), Jeff Hallyburton wrote: >We saw the following happen on a system today, and wanted to follow up: > >System became unresponsive to ssh logins with the error: > >ssh -v incentives01 > //snip ># cat /var/log/sssd/sssd.log > >(Thu Jan 28 20:15:56 2016) [sssd] [mt_svc_sigkill]

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2016-01-28 Thread Endi Sukma Dewata
Hi, If you're cloning from an IPA running on RHEL/CentOS 6 with CA signed by another CA you are likely hitting this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1291747 The bug has been fixed in this package: pki-ca-9.0.3-45. You'll need to install it on the master, then restart the

[Freeipa-users] SSSD Crash Causing Inaccessibility

2016-01-28 Thread Jeff Hallyburton
We saw the following happen on a system today, and wanted to follow up: System became unresponsive to ssh logins with the error: ssh -v incentives01 OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 4:

Re: [Freeipa-users] SSSD Crash Causing Inaccessibility

2016-01-28 Thread Jeff Hallyburton
Application logs showed this to be due to an OOM error, so no need to chase this further. Thanks for the quick response! Jeff Jeff Hallyburton Strategic Systems Engineer Bloomip Inc. Web: http://www.bloomip.com Engineering Support: supp...@bloomip.com Billing Support: bill...@bloomip.com

Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-28 Thread Sumit Bose
On Wed, Jan 27, 2016 at 06:53:43PM +, Birnbaum, Warren (ETW) wrote: > I started this post with a simple question: “is it possible to have HBAC > work with AD authenticated users”. I was not able from the tips provided > to get any further with this. > > What I have not been able to have

Re: [Freeipa-users] SSSD and DNS

2016-01-28 Thread Jakub Hrozek
On Wed, Jan 27, 2016 at 10:53:00AM -0700, Sean Hogan wrote: > > > Hi All, > > Tue Jan 26 19:01:32 2016) [sssd] [ping_check] (0x0020): A service PING > timed out on [ssh]. Attempt [0] > (Tue Jan 26 19:06:50 2016) [sssd] [ping_check] (0x0020): A service PING > timed out on [sudo]. Attempt [0] >

Re: [Freeipa-users] Cross Domain Trust

2016-01-28 Thread Zoske, Fabian
Thank you Jakub, this solves the issue. Best regards, Fabian -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek Sent: Monday, 18 January 2016 18:46 To: freeipa-users@redhat.com Subject: Re:

Re: [Freeipa-users] Client-Install failures

2016-01-28 Thread Martin Kosek
On 01/26/2016 10:20 PM, David Zabner wrote: Hi All, I am working on automated deployment of ipa clients through a program called salt and have been seeing an issue. Specifically, calls to ipa.server.internal/ipa/json occasionally return a 500 error. This tends to occur while using

Re: [Freeipa-users] Centos 7, CA log files, bug report?

2016-01-28 Thread Martin Basti
On 27.01.2016 22:20, Lachlan Musicman wrote: Hi, Not sure if this is a bug or if I'm ignorant of the RH world, but when I try to do a fresh IPA install on Centos 7.2, I'm getting failures here: [1/27]: creating certificate server user [2/27]: configuring certificate server instance

Re: [Freeipa-users] ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTUserAttrs"

2016-01-28 Thread Sumit Bose
On Wed, Jan 27, 2016 at 02:51:07PM -0600, Anil Kommareddy wrote: > Hi All, > > > > I have an ipa-server-4.2.0-15.el7_2.3.x86_64 on which I installed > ipa-server-trust-ad-4.2.0-15.el7_2.3.x86_64 and ran "ipa-adtrust-install > --add-sids" command. After some initial issues it started working

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Sumit Bose
On Thu, Jan 28, 2016 at 10:25:53AM +0530, Prashant Bapat wrote: > Hi, > > We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7 > replicas in different regions. Earlier there was only 1 replica. Since I > added new replicas, on the master node, once in a while the kerberos >

Re: [Freeipa-users] FREAK Vulnerability

2016-01-28 Thread Christian Heimes
On 2016-01-28 13:32, Terry John wrote: > I'm really confused now. After the problem where my freeipa server would not > start and I had to use the backup I'm trying to do things in small steps. > > Listening to everything that has been said (thanks) I edited > slapd-/dse.ldif

[Freeipa-users] ipa replica is ad trust controller but refuses ad users

2016-01-28 Thread Rob Verduijn
Hello, I've set up an ipa-server with a one-way trust to a windows 2012r2 controller. All works on this server. I can login with ad accounts on this server. I added an ipa replica, and checked it all worked. Now I tried ipa-trust-add --add-agents on the first ipa server. restarted ipa on both

Re: [Freeipa-users] FREAK Vulnerability

2016-01-28 Thread Terry John
I'm really confused now. After the problem where my freeipa server would not start and I had to use the backup I'm trying to do things in small steps. Listening to everything that has been said (thanks) I edited slapd-/dse.ldif slapd-PKI-IPA/dse.ldif and changed the lines nsSSL3Ciphers: to

[Freeipa-users] netapp unable to do ldap lookups over ssl to RHEL 7.2 ipa server

2016-01-28 Thread Roderick Johnstone
Hi My netapp filer is happily doing ldap over ssl lookups for account information to my RHEL 6.7 testing ipa server (ipa-server-3.0.0-47.el6_7.1.x86_64). However, when I switch the filer to use my RHEL 7.2 ipa server (ipa-server-4.2.0-15.el7_2.3.x86_64) the lookup doesn't work. In the

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Prashant Bapat
Thanks Sumit. From the logs there is nothing unusual around the time of core dump. I found this one line odd though. *Jan 26 03:15:58 ipa.example.net krb5kdc[4471](Error): worker 4473 exited with status 134* Let me try to get the full BT. On 28 January 2016 at 13:54,

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Sumit Bose
On Thu, Jan 28, 2016 at 04:27:52PM +0530, Prashant Bapat wrote: > Thanks Sumit. > > From the logs there is nothing unusual around the time of core dump. I ah sorry, I wasn't clear here. I was not looking for unusual messages but I wanted to find out which request might have caused the crash.

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Prashant Bapat
gdb stacktrace attached. On 28 January 2016 at 16:27, Prashant Bapat wrote: > Thanks Sumit. > > From the logs there is nothing unusual around the time of core dump. I > found this one line odd though. > > *Jan 26 03:15:58 ipa.example.net >

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Prashant Bapat
Thanks Lukas. I'm exploring moving to CentOS for our setup so that I get the advantage of longer release cycles. On 28 January 2016 at 16:41, Lukas Slebodnik wrote: > On (28/01/16 16:27), Prashant Bapat wrote: > >Thanks Sumit. > > > >From the logs there is nothing unusual

Re: [Freeipa-users] Client-Install failures

2016-01-28 Thread Simo Sorce
Doesn't look related to mod_auth_gssapi, it's past it. - Original Message - > From: "Martin Kosek" > To: "David Zabner" , freeipa-users@redhat.com, "Simo Sorce" > > Sent: Thursday, January 28, 2016 4:42:57 AM > Subject: Re:

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Lukas Slebodnik
On (28/01/16 16:27), Prashant Bapat wrote: >Thanks Sumit. > >From the logs there is nothing unusual around the time of core dump. I >found this one line odd though. > >*Jan 26 03:15:58 ipa.example.net >krb5kdc[4471](Error): worker 4473 exited with status 134* > > >Let me

Re: [Freeipa-users] FREAK Vulnerability

2016-01-28 Thread Rob Crittenden
Prasun Gera wrote: > Can someone at RH update this > article https://access.redhat.com/articles/1467293 ? I found it to be > fairly useful, but I'm not sure if it's up to date. mod_nss was rebased from 1.0.8 to 1.0.10 in 7.2 which added TLSv1.2 support. I'll notify the author. rob > > On Thu,

[Freeipa-users] Server error with multiple clients joining domain simultaneously

2016-01-28 Thread Izzo, Anthony
I'm seeing what feels like a concurrency error. I'm in a cloud environment and launching a group of instances which are all trying to join a domain at about the same time via ipa-client-install. Some of these operations succeed, and others fail. The error message on those that fail is that

Re: [Freeipa-users] FREAK Vulnerability

2016-01-28 Thread Rob Crittenden
Terry John wrote: > I'm really confused now. After the problem where my freeipa server would not > start and I had to use the backup I'm trying to do things in small steps. > > Listening to everything that has been said (thanks) I edited > slapd-/dse.ldif slapd-PKI-IPA/dse.ldif and changed the

Re: [Freeipa-users] ipa replica is ad trust controller but refuses ad users

2016-01-28 Thread Jakub Hrozek
On Thu, Jan 28, 2016 at 02:39:47PM +0100, Rob Verduijn wrote: > hmmm > It suddenly started to work. Weird. > > On both servers I changed dns_lookup_realm = true (was false) > stopped sssd and cleared the sssd cache > rm /var/lib/sss/db/* > started sssd and it works now it's hard to tell w/o

Re: [Freeipa-users] ipa replica is ad trust controller but refuses ad users

2016-01-28 Thread Rob Verduijn
hmmm It suddenly started to work. Weird. On both servers I changed dns_lookup_realm = true (was false) stopped sssd and cleared the sssd cache rm /var/lib/sss/db/* started sssd and it works now But I find it hard to believe that was the cause. Is there a cache involved somewhere ? Rob

Re: [Freeipa-users] netapp unable to do ldap lookups over ssl to RHEL 7.2 ipa server

2016-01-28 Thread Christian Heimes
On 2016-01-28 13:51, Roderick Johnstone wrote: > Hi > > My netapp filer is happily doing ldap over ssl lookups for account > information to my RHEL 6.7 testing ipa server > (ipa-server-3.0.0-47.el6_7.1.x86_64). > > However, when I switch the filer to use my RHEL 7.2 ipa server >

Re: [Freeipa-users] Client-Install failures

2016-01-28 Thread Simo Sorce
It is where mod_auth_gssapi drops the ccache file indeed. But if it failed to do so you should have an authentication error in the logs. Can you check if you see anything in the error log, perhaps raising logging level to debug. Simo. - Original Message - > From: "David Zabner"

Re: [Freeipa-users] ipa replica is ad trust controller but refuses ad users

2016-01-28 Thread Jakub Hrozek
On Thu, Jan 28, 2016 at 03:36:04PM +0100, Jakub Hrozek wrote: > On Thu, Jan 28, 2016 at 02:39:47PM +0100, Rob Verduijn wrote: > > hmmm > > It suddenly started to work. Weird. > > > > On both servers I changed dns_lookup_realm = true (was false) > > stopped sssd and cleared the sssd cache > >