Re: [Freeipa-users] authenticating with dns

2017-02-26 Thread Aaron Young
learned some things in the last few days

I believe one of the root problems I have, if not THE root problem, is that
I cannot start pki-tomcatd on my nyc01ipa02 machine. I now believe that if
I could get that machine to work correctly, I could get all the others

So, I get this in my logs

from /var/log/pki/pki-tomcat/ca/debug

> LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
> SSLClientCertificatSelectionCB: Entering!
> Candidate cert: subsystemCert cert-pki-ca
> SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert
> cert-pki-ca
> SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
> SSL handshake happened
> Could not connect to LDAP server host nyc01ipa02.mf port 636 Error
> netscape.ldap.LDAPException: Authentication failed (49)



from /var/log/dirsrv/slapd-MF/errors

> slapi_search_internal ("o=ipaca", subtree, seeAlso=CN=CA Subsystem,O=MF)
> err 32



which makes me think that the problem is the CA Subsystem secret isn't
available

when I do a "getcert list" I see that there are 8 keys

certificate: 'auditSigningCert
certificate: 'ocspSigningCert
certificate: 'subsystemCert
certificate: 'caSigningCert
certificate: 'ipaCert'
certificate: 'Server-Cert
certificate: 'Server-Cert'
certificate: 'Server-Cert'

should there be others?

also, I found this link
https://fedorahosted.org/freeipa/ticket/5100#comment:9
and this person outlined the a number of steps (I included them below) and
they seem reasonable to fix a problem like I'm experiencing...however, I
don't know how to do step 1. If anyone knows how to do that...?


   1. Make changes to cause FreeIPA to think it is CA-less.


   1. Extract CA signing key from a replica info file.


   1. Run ipa-ca-install to install the CA on one of the IPA servers, with
   external CA. This will generate a new private key and CSR to send to
   external CA.


   1. Replace the new private key generated for the CSR, with the private
   key from the replica info file.


   1. Continue the ipa-ca-install with the CA signing certificate from the
   replica info file.


   1. Manually adjust serial number ranges to ensure the new CA instance
   does not issue certs with serial numbers that collide with certs issued by
   the original CA instance. (This might have to be hacked into the
   ipa-ca-install process).


   1. Depending on whether your CA is self-signed, might need to tell
   certmonger to track the CA signing certificate.






On Thu, Feb 23, 2017 at 11:57 AM, Aaron Young 
wrote:

> And yes, I learned to stop using kadmin after I made that note
>
> On Thu, Feb 23, 2017 at 11:56 AM, Aaron Young 
> wrote:
>
>> on ld4ipa01, I removed it with ipa-server-install --uninstall
>>
>> this was an attempt to recreate the replica from nyc02ipa02
>>
>> On Thu, Feb 23, 2017 at 3:17 AM, Martin Basti  wrote:
>>
>>>
>>>
>>> On 22.02.2017 23:26, Aaron Young wrote:
>>>
>>> Hello Everyone
>>>
>>> I recently lost the master master IPA server setup by the previous
>>> administrator.
>>> As it stands now, if I try to add a new client, in order to standup a
>>> new replica, I get errors while trying to setup DNS. This led me to look at
>>> how authentication worked (I'm new to IPA) and I learned about the kerberos
>>> tools
>>>
>>> I don't know if I'm familiar enough with the terminology to adequately
>>> describe what I'm experiencing, so I'll give you some of the commands and
>>> their results
>>>
>>> but first, a bit on the design
>>>
>>> before I got to this, we had
>>>
>>> a <-> b <-> c <-> d
>>>
>>> b was the master master
>>>
>>> a, happened to point to two test servers nyc02ipa01 and nyc02ipa02 (not
>>> pictured, I discovered them later when c and d started having problems)
>>>
>>> a - nyc01ipa02
>>> b - nyc01ipa01
>>> c - ld4ipa01
>>> d - ld4ipa02
>>>
>>> currently, I have nyc02ipa02 <-> nyc01ipa02
>>>
>>> the reason I have it limited like this is because all the other servers
>>> stopped replicating for one reason or another (mainly that they can't
>>> authenticate or in one case, there was a database record corruption)
>>>
>>> Anyway, here are some activities and logs from the latest round of fixes
>>> and information activities I've been engaging in
>>>
>>> 22:54:32 root@nyc01ipa02:~# kinit admin
>>> kinit: Clients credentials have been revoked while getting initial
>>> credentials
>>>
>>> Reading through this
>>>  tells me
>>> that
>>>
>>> # kadmin: modprinc -unlock PRINCNAME
>>>
>>> will unlock an account...but if I can't get in
>>>
>>> 22:54:37 root@nyc01ipa02:~# kadmin
>>> Authenticating as principal root/admin@MF with password.
>>> kadmin: Client 'root/admin@MF' not found in Kerberos database while
>>> initializing kadmin interface
>>>
>>> on ld4ipa02, did a
>>>
>>> # ipa-client-install --uninstall
>>>
>>> then
>>>
>>> # ipa-client-install --force-join 

Re: [Freeipa-users] authenticating with dns

2017-02-23 Thread Aaron Young
And yes, I learned to stop using kadmin after I made that note

On Thu, Feb 23, 2017 at 11:56 AM, Aaron Young 
wrote:

> on ld4ipa01, I removed it with ipa-server-install --uninstall
>
> this was an attempt to recreate the replica from nyc02ipa02
>
> On Thu, Feb 23, 2017 at 3:17 AM, Martin Basti  wrote:
>
>>
>>
>> On 22.02.2017 23:26, Aaron Young wrote:
>>
>> Hello Everyone
>>
>> I recently lost the master master IPA server setup by the previous
>> administrator.
>> As it stands now, if I try to add a new client, in order to standup a new
>> replica, I get errors while trying to setup DNS. This led me to look at how
>> authentication worked (I'm new to IPA) and I learned about the kerberos
>> tools
>>
>> I don't know if I'm familiar enough with the terminology to adequately
>> describe what I'm experiencing, so I'll give you some of the commands and
>> their results
>>
>> but first, a bit on the design
>>
>> before I got to this, we had
>>
>> a <-> b <-> c <-> d
>>
>> b was the master master
>>
>> a, happened to point to two test servers nyc02ipa01 and nyc02ipa02 (not
>> pictured, I discovered them later when c and d started having problems)
>>
>> a - nyc01ipa02
>> b - nyc01ipa01
>> c - ld4ipa01
>> d - ld4ipa02
>>
>> currently, I have nyc02ipa02 <-> nyc01ipa02
>>
>> the reason I have it limited like this is because all the other servers
>> stopped replicating for one reason or another (mainly that they can't
>> authenticate or in one case, there was a database record corruption)
>>
>> Anyway, here are some activities and logs from the latest round of fixes
>> and information activities I've been engaging in
>>
>> 22:54:32 root@nyc01ipa02:~# kinit admin
>> kinit: Clients credentials have been revoked while getting initial
>> credentials
>>
>> Reading through this
>>  tells me
>> that
>>
>> # kadmin: modprinc -unlock PRINCNAME
>>
>> will unlock an account...but if I can't get in
>>
>> 22:54:37 root@nyc01ipa02:~# kadmin
>> Authenticating as principal root/admin@MF with password.
>> kadmin: Client 'root/admin@MF' not found in Kerberos database while
>> initializing kadmin interface
>>
>> on ld4ipa02, did a
>>
>> # ipa-client-install --uninstall
>>
>> then
>>
>> # ipa-client-install --force-join --enable-dns-updates --permit -f
>> --ssh-trust-dns --request-cert --automount-location=LD4 --enable-dns-updates
>>
>> DNS did not update, here is the relevant portion from
>> /var/log/ipaclient-install.log
>>
>> 2017-02-20T18:46:49Z DEBUG Writing nsupdate commands to 
>> /etc/ipa/.dns_update.txt:
>> 2017-02-20T18:46:49Z DEBUG debug
>>
>> update delete ld4ipa02.mf. IN A
>> show
>> send
>>
>> update delete ld4ipa02.mf. IN 
>> show
>> send
>>
>> update add ld4ipa02.mf. 1200 IN A 10.102.100.140
>> show
>> send
>>
>> 2017-02-20T18:46:49Z DEBUG Starting external process
>> 2017-02-20T18:46:49Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
>> 2017-02-20T18:46:49Z DEBUG Process finished, return code=1
>> 2017-02-20T18:46:49Z DEBUG stdout=Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> ld4ipa02.mf. 0 ANY A
>>
>> 2017-02-20T18:46:49Z DEBUG stderr=Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34702
>> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;ld4ipa02.mf. IN SOA
>>
>> ;; AUTHORITY SECTION:
>> mf. 1800 IN SOA ld4ipa01.mf. hostmaster.mf. 1487615509 3600 900 1209600 3600
>>
>> Found zone name: mf
>> The master is: ld4ipa01.mf
>> start_gssrequest
>> tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code 
>> may provide more information, Minor = Server DNS/ld4ipa01.mf@MF not found in 
>> Kerberos database.
>>
>> 2017-02-20T18:46:49Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g 
>> /etc/ipa/.dns_update.txt' returned non-zero exit status 1
>> 2017-02-20T18:46:49Z ERROR Failed to update DNS records.
>> 2017-02-20T18:46:49Z DEBUG DNS resolver: Query: ld4ipa02.mf IN A
>> 2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
>> 2017-02-20T18:46:49Z DEBUG DNS resolver: Query: ld4ipa02.mf IN 
>> 2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
>> 2017-02-20T18:46:49Z DEBUG DNS resolver: Query: 140.100.102.10.in-addr.arpa. 
>> IN PTR
>> 2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
>> 2017-02-20T18:46:49Z WARNING Missing A/ record(s) for host ld4ipa02.mf: 
>> 10.102.100.140.
>> 2017-02-20T18:46:49Z WARNING Missing reverse record(s) for address(es): 
>> 10.102.100.140.
>>
>> Why isn't there an entry for "DNS/ld4ipa01.mf@MF" in the Kerberos
>> database?
>>
>> klist -ktK /etc/dirsrv/ds.keytab on ld4ipa01 returns
>>
>> Keytab name: FILE:/etc/dirsrv/ds.keytab
>> 
>> KVNO Timestamp Principal
>>  --- 

Re: [Freeipa-users] authenticating with dns

2017-02-23 Thread Aaron Young
on ld4ipa01, I removed it with ipa-server-install --uninstall

this was an attempt to recreate the replica from nyc02ipa02

On Thu, Feb 23, 2017 at 3:17 AM, Martin Basti  wrote:

>
>
> On 22.02.2017 23:26, Aaron Young wrote:
>
> Hello Everyone
>
> I recently lost the master master IPA server setup by the previous
> administrator.
> As it stands now, if I try to add a new client, in order to standup a new
> replica, I get errors while trying to setup DNS. This led me to look at how
> authentication worked (I'm new to IPA) and I learned about the kerberos
> tools
>
> I don't know if I'm familiar enough with the terminology to adequately
> describe what I'm experiencing, so I'll give you some of the commands and
> their results
>
> but first, a bit on the design
>
> before I got to this, we had
>
> a <-> b <-> c <-> d
>
> b was the master master
>
> a, happened to point to two test servers nyc02ipa01 and nyc02ipa02 (not
> pictured, I discovered them later when c and d started having problems)
>
> a - nyc01ipa02
> b - nyc01ipa01
> c - ld4ipa01
> d - ld4ipa02
>
> currently, I have nyc02ipa02 <-> nyc01ipa02
>
> the reason I have it limited like this is because all the other servers
> stopped replicating for one reason or another (mainly that they can't
> authenticate or in one case, there was a database record corruption)
>
> Anyway, here are some activities and logs from the latest round of fixes
> and information activities I've been engaging in
>
> 22:54:32 root@nyc01ipa02:~# kinit admin
> kinit: Clients credentials have been revoked while getting initial
> credentials
>
> Reading through this
>  tells me
> that
>
> # kadmin: modprinc -unlock PRINCNAME
>
> will unlock an account...but if I can't get in
>
> 22:54:37 root@nyc01ipa02:~# kadmin
> Authenticating as principal root/admin@MF with password.
> kadmin: Client 'root/admin@MF' not found in Kerberos database while
> initializing kadmin interface
>
> on ld4ipa02, did a
>
> # ipa-client-install --uninstall
>
> then
>
> # ipa-client-install --force-join --enable-dns-updates --permit -f
> --ssh-trust-dns --request-cert --automount-location=LD4 --enable-dns-updates
>
> DNS did not update, here is the relevant portion from
> /var/log/ipaclient-install.log
>
> 2017-02-20T18:46:49Z DEBUG Writing nsupdate commands to 
> /etc/ipa/.dns_update.txt:
> 2017-02-20T18:46:49Z DEBUG debug
>
> update delete ld4ipa02.mf. IN A
> show
> send
>
> update delete ld4ipa02.mf. IN 
> show
> send
>
> update add ld4ipa02.mf. 1200 IN A 10.102.100.140
> show
> send
>
> 2017-02-20T18:46:49Z DEBUG Starting external process
> 2017-02-20T18:46:49Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> 2017-02-20T18:46:49Z DEBUG Process finished, return code=1
> 2017-02-20T18:46:49Z DEBUG stdout=Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> ld4ipa02.mf. 0 ANY A
>
> 2017-02-20T18:46:49Z DEBUG stderr=Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34702
> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;ld4ipa02.mf. IN SOA
>
> ;; AUTHORITY SECTION:
> mf. 1800 IN SOA ld4ipa01.mf. hostmaster.mf. 1487615509 3600 900 1209600 3600
>
> Found zone name: mf
> The master is: ld4ipa01.mf
> start_gssrequest
> tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code 
> may provide more information, Minor = Server DNS/ld4ipa01.mf@MF not found in 
> Kerberos database.
>
> 2017-02-20T18:46:49Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g 
> /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> 2017-02-20T18:46:49Z ERROR Failed to update DNS records.
> 2017-02-20T18:46:49Z DEBUG DNS resolver: Query: ld4ipa02.mf IN A
> 2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
> 2017-02-20T18:46:49Z DEBUG DNS resolver: Query: ld4ipa02.mf IN 
> 2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
> 2017-02-20T18:46:49Z DEBUG DNS resolver: Query: 140.100.102.10.in-addr.arpa. 
> IN PTR
> 2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
> 2017-02-20T18:46:49Z WARNING Missing A/ record(s) for host ld4ipa02.mf: 
> 10.102.100.140.
> 2017-02-20T18:46:49Z WARNING Missing reverse record(s) for address(es): 
> 10.102.100.140.
>
> Why isn't there an entry for "DNS/ld4ipa01.mf@MF" in the Kerberos
> database?
>
> klist -ktK /etc/dirsrv/ds.keytab on ld4ipa01 returns
>
> Keytab name: FILE:/etc/dirsrv/ds.keytab 
> KVNO Timestamp Principal
>  --- --
> 
> 2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF (0x696a502bc73d209acdd36c42242f
> 7f8aff9dbba1073b34ea018ed3bd9cdfd970)
> 2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF (0xe031464b6948ea34f4291d40fca7
> a21e)
> 2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF 

Re: [Freeipa-users] authenticating with dns

2017-02-23 Thread Martin Basti



On 22.02.2017 23:26, Aaron Young wrote:

Hello Everyone

I recently lost the master master IPA server setup by the previous 
administrator.
As it stands now, if I try to add a new client, in order to standup a 
new replica, I get errors while trying to setup DNS. This led me to 
look at how authentication worked (I'm new to IPA) and I learned about 
the kerberos tools


I don't know if I'm familiar enough with the terminology to adequately 
describe what I'm experiencing, so I'll give you some of the commands 
and their results


but first, a bit on the design

before I got to this, we had

a <-> b <-> c <-> d

b was the master master

a, happened to point to two test servers nyc02ipa01 and nyc02ipa02 
(not pictured, I discovered them later when c and d started having 
problems)


a - nyc01ipa02
b - nyc01ipa01
c - ld4ipa01
d - ld4ipa02

currently, I have nyc02ipa02 <-> nyc01ipa02
the reason I have it limited like this is because all the other 
servers stopped replicating for one reason or another (mainly that 
they can't authenticate or in one case, there was a database record 
corruption)
Anyway, here are some activities and logs from the latest round of 
fixes and information activities I've been engaging in


22:54:32 root@nyc01ipa02:~# kinit admin
kinit: Clients credentials have been revoked while getting initial 
credentials


Reading through this 
 tells 
me that


# kadmin: modprinc -unlock PRINCNAME

will unlock an account...but if I can't get in

22:54:37 root@nyc01ipa02:~# kadmin
Authenticating as principal root/admin@MF with password.
kadmin: Client 'root/admin@MF' not found in Kerberos database
while initializing kadmin interface

on ld4ipa02, did a

# ipa-client-install --uninstall

then

# ipa-client-install --force-join --enable-dns-updates --permit -f
--ssh-trust-dns --request-cert --automount-location=LD4
--enable-dns-updates

DNS did not update, here is the relevant portion from 
/var/log/ipaclient-install.log


2017-02-20T18:46:49Z DEBUG Writing nsupdate commands to 
/etc/ipa/.dns_update.txt:
2017-02-20T18:46:49Z DEBUG debug

update delete ld4ipa02.mf. IN A
show
send

update delete ld4ipa02.mf. IN 
show
send

update add ld4ipa02.mf. 1200 IN A 10.102.100.140
show
send

2017-02-20T18:46:49Z DEBUG Starting external process
2017-02-20T18:46:49Z DEBUG args=/usr/bin/nsupdate -g 
/etc/ipa/.dns_update.txt
2017-02-20T18:46:49Z DEBUG Process finished, return code=1
2017-02-20T18:46:49Z DEBUG stdout=Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ld4ipa02.mf. 0 ANY A

2017-02-20T18:46:49Z DEBUG stderr=Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34702
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ld4ipa02.mf. IN SOA

;; AUTHORITY SECTION:
mf. 1800 IN SOA ld4ipa01.mf. hostmaster.mf. 1487615509 3600 900 1209600 3600

Found zone name: mf
The master is: ld4ipa01.mf
start_gssrequest
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor 
code may provide more information, Minor = Server DNS/ld4ipa01.mf@MF not found 
in Kerberos database.

2017-02-20T18:46:49Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g 
/etc/ipa/.dns_update.txt' returned non-zero exit status 1
2017-02-20T18:46:49Z ERROR Failed to update DNS records.
2017-02-20T18:46:49Z DEBUG DNS resolver: Query: ld4ipa02.mf IN A
2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
2017-02-20T18:46:49Z DEBUG DNS resolver: Query: ld4ipa02.mf IN 
2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
2017-02-20T18:46:49Z DEBUG DNS resolver: Query:140.100.102.10.in-addr.arpa 
. IN PTR
2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
2017-02-20T18:46:49Z WARNING Missing A/ record(s) for host ld4ipa02.mf: 
10.102.100.140.
2017-02-20T18:46:49Z WARNING Missing reverse record(s) for address(es): 
10.102.100.140.

Why isn't there an entry for "DNS/ld4ipa01.mf@MF" in the Kerberos 
database?


klist -ktK /etc/dirsrv/ds.keytab on ld4ipa01 returns

Keytab name: FILE:/etc/dirsrv/ds.keytab

KVNO Timestamp Principal
 ---
--
2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF
(0x696a502bc73d209acdd36c42242f7f8aff9dbba1073b34ea018ed3bd9cdfd970)
2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF
(0xe031464b6948ea34f4291d40fca7a21e)
2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF
(0xe94a1c98fe79b6317901435d9e9e0257cefe438ff2ec527f)
2 11/17/2016 20:38:39 ldap/ld4ipa01.mf@MF
(0x6aaf4c7fa6b51b9de032b7c6428307b5)
2 11/17/2016