Re: [Freeipa-users] adding replica centos 7 to centos 6 fails [error] ObjectclassViolation: attribute "unhashed#user#password" not allowed

2016-09-15 Thread Natxo Asenjo
hi,

The fact that the usercertificate attribute of uid=admin,ou=people,o=ipaca
is expired: could this be the cause of these problems as well?

How can I renew this certificate?



--
Groeten,
natxo
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] adding replica centos 7 to centos 6 fails [error] ObjectclassViolation: attribute "unhashed#user#password" not allowed

2016-09-13 Thread Natxo Asenjo
ok, again some progress.

I found this thread:
https://www.mail-archive.com/freeipa-users@redhat.com/msg21107.html

And the symptoms match: this IdM environment was installed in November
2012 and has been upgraded a few times (time flies).

All the certificates are valid:

[root@kdc01 ~]$ getcert list | grep expire
expires: 2016-10-12 10:49:24 UTC
expires: 2016-10-12 10:49:25 UTC
expires: 2016-10-12 10:49:24 UTC
expires: 2018-09-03 12:24:14 UTC
expires: 2018-09-03 12:23:14 UTC
expires: 2018-09-03 12:23:14 UTC
expires: 2018-09-03 12:23:14 UTC
expires: 2018-09-03 12:23:14 UTC

[root@kdc01 ~]$ pki-server ca-group-member-find "Subsystem Group"
  User ID: CA-kdc01.unix.iriszorg.nl-9443
  Common Name: CA-kdc01.unix.iriszorg.nl-9443
  Surname: CA-kdc01.unix.iriszorg.nl-9443
  Type: agentType
  Description: 2;240;CN=Certificate Authority,O=UNIX.IRISZORG.NL;CN=CA Subsystem,O=UNIX.IRISZORG.NL
  E-mail:

  User ID: CA-kdc02.unix.iriszorg.nl-9443
  Common Name: CA-kdc02.unix.iriszorg.nl-9443
  Surname: CA-kdc02.unix.iriszorg.nl-9443
  Type: agentType
  Description: 2;4;CN=Certificate Authority,O=UNIX.IRISZORG.NL;CN=CA Subsystem,O=UNIX.IRISZORG.NL


So according to the posts in the mailing list thread, the description field
has the serial number of the certificates, in this case 240 and 4.

and that appears to match with this info:

[root@kdc01 ~]$ certutil -d /var/lib/pki-ca/alias/ -L -n 'subsystemCert cert-pki-ca' | grep -i serial
Serial Number: 240 (0xf0)
Serial Number: 4 (0x4)

Although the one with serial 4 is expired.

So, how to proceed next?

Do I need to modify the usercertificate attribute of
uid=CA-kdc01.unix.iriszorg.nl-9443,ou=people,o=ipaca?

step 1: dump cert info to temp file:
certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca" -a > /tmp/subsystemcert.pem

In my case, because of the expired certificate, I get 2 certificates.

step 2: strip begin/end headers of temp certificate:
echo && cat /tmp/subsystemcert.pem | sed -rn '/^-----BEGIN CERTIFICATE-----$/{:1;n;/^-----END CERTIFICATE-----$/b2;H;b1};:2;${x;s/\s//g;p}'

step 3: modify usercertificate attribute of
uid=CA-kdc01.unix.iriszorg.nl-9443,ou=people,o=ipaca with string generated
in step 2.

step 4: reload ipa/reboot server.


is my procedure correct?

-- 
regards,
Natxo




On Tue, Sep 13, 2016 at 2:39 PM, Natxo Asenjo wrote:

>
>
> On Tue, Sep 13, 2016 at 2:10 PM, Natxo Asenjo wrote:
>
>> hi,
>>
>> when trying to add a host running CentOS 7 (fully patched) as a replica to
>> an existing CentOS 6.8 IdM realm I get this error:
>>
>
> ok, some progress. I found this:
>
> https://fedorahosted.org/389/ticket/470
>
> So I went ahead and rebooted the master 6.8 kdc I was replicating from and
> then it failed in the certificate server instance:
>
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
> CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpyHV1BW''
> returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration failed.
>
>
> But there is no /var/log/pki-ca-install.log :
>
> # ls -ltr /var/log/
> total 1708
> drwx------. 2 root   root        6 Jun 10  2014 ppp
> drwxr-xr-x. 2 ntp    ntp         6 May 31 12:29 ntpstats
> drwx------. 2 root   root        6 Jul 18 17:30 httpd
> drwxr-x---. 2 sssd   sssd        6 Aug  2 18:58 sssd
> -rw-------. 1 root   root        0 Sep 13 13:19 tallylog
> drwx------. 3 root   root       16 Sep 13 13:19 samba
> -rw-------. 1 root   root        0 Sep 13 13:20 spooler
> drwxr-xr-x. 2 root   root     4096 Sep 13 13:23 anaconda
> drwxr-x---. 2 root   root       22 Sep 13 13:23 audit
> drwxr-xr-x. 2 root   root       22 Sep 13 13:23 tuned
> drwxrwx---. 2 tomcat root       25 Sep 13 13:31 tomcat
> -rw-------. 1 root   root    15126 Sep 13 13:31 yum.log
> -rw-------. 1 root   root     8786 Sep 13 13:31 ipaupgrade.log
> -rw-r--r--. 1 root   root    94862 Sep 13 13:59 dmesg.old
> -rw-------. 1 root   root    18112 Sep 13 14:29 ipaclient-install.log
> -rw-------. 1 root   root    40193 Sep 13 14:29 ipaclient-uninstall.log
> -rw-------. 1 root   root    35796 Sep 13 14:29 ipaserver-uninstall.log
> -rw-r--r--. 1 root   root    94862 Sep 13 14:30 dmesg
> -rw-r--r--. 1 root   root     8591 Sep 13 14:30 boot.log
> -rw-------. 1 root   root     2587 Sep 13 14:30 cron
> -rw-r--r--. 1 root   root      200 Sep 13 14:30 wpa_supplicant.log
> -rw-------. 1 root   root      958 Sep 13 14:30 maillog
> -rw-------. 1 root   utmp      768 Sep 13 14:30 btmp
> -
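
Steps 1 to 3 above, done per certificate rather than over the whole dump, as an added example that is not part of the original post and not code from FreeIPA or Dogtag. The two certificate bodies are constructed placeholders (not real DER), the DN is the one named above, the reading of the description field as "version;serial;issuer DN;subject DN" follows the pki-server output shown above, and the `userCertificate;binary` attribute form for the LDIF and the use of openssl in `pem_info` are assumptions:

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeIPA/Dogtag.
# Turns a multi-certificate `certutil ... -a` dump into the single base64
# line that an LDAP modify of userCertificate needs, one certificate at a
# time, so an expired and a renewed cert stored under the same nickname are
# never concatenated into one value.

# Constructed stand-in for /tmp/subsystemcert.pem (two fake certificate
# bodies, not real DER). A real dump is made with:
#   certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca" -a
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
QUJDREVGR0g=
SUpLTE1OT1A=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UVJTVFVWV1g=
WVowMTIzNDU=
-----END CERTIFICATE-----'

# pem_count: how many certificates the PEM text on stdin contains.
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$'
}

# pem_block N: the Nth (1-based) certificate on stdin, BEGIN/END lines included.
pem_block() {
    awk -v want="$1" '
        /^-----BEGIN CERTIFICATE-----$/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----$/ && n == want { exit }
    '
}

# pem_b64 N: the Nth certificate as one base64 line. PEM body lines are the
# base64 of the DER, so stripping headers and newlines (what the sed in
# step 2 does, but for one certificate only) is exactly the value that
# follows "::" in LDIF. Fails when there is no Nth certificate.
pem_b64() {
    b=$(pem_block "$1" | sed '/^-----/d' | tr -d '\n')
    [ -n "$b" ] || return 1
    printf '%s\n' "$b"
}

# pem_info N: serial and expiry of the Nth certificate. Assumes openssl is
# installed and needs a real certificate, so it is not run on the sample.
pem_info() {
    pem_block "$1" | openssl x509 -noout -serial -enddate
}

# desc_serial DESCRIPTION: the serial from a subsystem user's description
# field ("version;serial;issuerDN;subjectDN", the reading given in the
# thread, not something this example verifies). Compare it with the serial
# pem_info reports before storing that certificate on the entry.
desc_serial() {
    printf '%s\n' "$1" | cut -d';' -f2
}

# cert_ldif DN B64: an LDIF change replacing the entry's certificate.
# "userCertificate;binary" with a "::" (base64) value is assumed to be the
# form 389-ds expects here; pipe the output into
#   ldapmodify -x -D 'cn=Directory Manager' -W
cert_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: userCertificate;binary\nuserCertificate;binary:: %s\n' "$1" "$2"
}

# Demonstration on the constructed sample: take the second (renewed) cert.
DN='uid=CA-kdc01.unix.iriszorg.nl-9443,ou=people,o=ipaca'
printf '%s\n' "$SAMPLE_PEM" | pem_count
cert_ldif "$DN" "$(printf '%s\n' "$SAMPLE_PEM" | pem_b64 2)"
```

On a real dump, run `pem_info 1` and `pem_info 2` against the file first and pick the index whose serial equals `desc_serial` of the group member's description and whose notAfter is in the future; only that one goes into `cert_ldif`. Running the original step-2 sed over a dump with two certificates appends both bodies into the hold space and prints them as one string, which is not a valid certificate value.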

Re: [Freeipa-users] adding replica centos 7 to centos 6 fails [error] ObjectclassViolation: attribute "unhashed#user#password" not allowed

2016-09-13 Thread Natxo Asenjo
On Tue, Sep 13, 2016 at 2:10 PM, Natxo Asenjo wrote:

> hi,
>
> when trying to add a host running CentOS 7 (fully patched) as a replica to
> an existing CentOS 6.8 IdM realm I get this error:
>

ok, some progress. I found this:

https://fedorahosted.org/389/ticket/470

So I went ahead and rebooted the master 6.8 kdc I was replicating from and
then it failed in the certificate server instance:


ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpyHV1BW''
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration failed.


But there is no /var/log/pki-ca-install.log :

# ls -ltr /var/log/
total 1708
drwx------. 2 root   root        6 Jun 10  2014 ppp
drwxr-xr-x. 2 ntp    ntp         6 May 31 12:29 ntpstats
drwx------. 2 root   root        6 Jul 18 17:30 httpd
drwxr-x---. 2 sssd   sssd        6 Aug  2 18:58 sssd
-rw-------. 1 root   root        0 Sep 13 13:19 tallylog
drwx------. 3 root   root       16 Sep 13 13:19 samba
-rw-------. 1 root   root        0 Sep 13 13:20 spooler
drwxr-xr-x. 2 root   root     4096 Sep 13 13:23 anaconda
drwxr-x---. 2 root   root       22 Sep 13 13:23 audit
drwxr-xr-x. 2 root   root       22 Sep 13 13:23 tuned
drwxrwx---. 2 tomcat root       25 Sep 13 13:31 tomcat
-rw-------. 1 root   root    15126 Sep 13 13:31 yum.log
-rw-------. 1 root   root     8786 Sep 13 13:31 ipaupgrade.log
-rw-r--r--. 1 root   root    94862 Sep 13 13:59 dmesg.old
-rw-------. 1 root   root    18112 Sep 13 14:29 ipaclient-install.log
-rw-------. 1 root   root    40193 Sep 13 14:29 ipaclient-uninstall.log
-rw-------. 1 root   root    35796 Sep 13 14:29 ipaserver-uninstall.log
-rw-r--r--. 1 root   root    94862 Sep 13 14:30 dmesg
-rw-r--r--. 1 root   root     8591 Sep 13 14:30 boot.log
-rw-------. 1 root   root     2587 Sep 13 14:30 cron
-rw-r--r--. 1 root   root      200 Sep 13 14:30 wpa_supplicant.log
-rw-------. 1 root   root      958 Sep 13 14:30 maillog
-rw-------. 1 root   utmp      768 Sep 13 14:30 btmp
-rw-rw-r--. 1 root   utmp    13056 Sep 13 14:30 wtmp
-rw-r--r--. 1 root   root   291416 Sep 13 14:30 lastlog
-rw-------. 1 root   root     7318 Sep 13 14:31 ipareplica-conncheck.log
drwxr-xr-x. 3 root   root       35 Sep 13 14:31 dirsrv
drwxr-xr-x. 4 root   root     4096 Sep 13 14:32 pki
-rw-------. 1 root   root    87106 Sep 13 14:32 secure
-rw-------. 1 root   root   742436 Sep 13 14:32 messages
-rw-------. 1 root   root   202169 Sep 13 14:33 ipareplica-install.log

In ipareplica-install.log, though, I find this:

pkispawn: ERROR... Exception from Java Configuration Servlet:
500 Server Error: Internal Server Error
pkispawn: ERROR... ParseError: not well-formed (invalid token):
line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Clone does not have all the required certificates"}

Any clue?



-- 
Groeten,
natxo