Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
Now all is ok :)

# ipa trust-add --type=ad mydomain.com --admin Administrator --password
Active Directory domain administrator's password:
---
Added Active Directory trust for realm "mydomain.com"
---
  Realm name: mydomain.com
  Domain NetBIOS name: MYDOMAIN
  Domain Security Identifier: S-x-x-xx-xx-xx-x
  SID blacklist incoming: S-x-x-xx, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x, S-x-x, S-x-x, S-x-x, S-x-x-xx, S-x-x-xx
  SID blacklist outgoing: S-x-x-xx, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-x, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x-xx, S-x-x, S-x-x, S-x-x, S-x-x, S-x-x-xx, S-x-x-xx
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Thanks for your support.
Morgan

2015-09-09 18:53 GMT+02:00 Alexander Bokovoy :

> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>
>> Hi Alexander
>>
>> IPv6 stack is disabled on my RHEL like distro, v 7 x64, but is enabled on
>> my Windows 2012.
>> I have read in a freeipa article to disable IPv6.
>>
> Sorry, and why did you decide to disable the IPv6 stack? The FreeIPA article
> explicitly talks about not disabling IPv6.
>
> Samba and FreeIPA LDAP code require a working IPv6 stack on the machine.
> You can have a system without IPv6 addresses but do not disable the
> infrastructure. All contemporary networking applications are written
> with the idea that you can use IPv6-only functions and work on both IPv4
> and IPv6 at the same time. See ipv6(7) manual page:
>
>     IPv4 connections can be handled with the v6 API by using the
>     v4-mapped-on-v6 address type; thus a program needs to support only this
>     API type to support both protocols. This is handled transparently by the
>     address handling functions in the C library.
>
>     IPv4 and IPv6 share the local port space. When you get an IPv4
>     connection or packet to a IPv6 socket, its source address will be mapped
>     to v6 and it will be mapped to v6.
>
>> I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
>> new freeipa server, just installed, in the same network.
>> AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
>> I've installed bind in IPA that contains only ipa.mydomain.com zone.
>> On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
>> delegation to the linux server (192.168.0.65).
>>
>> Do you have other questions about my setup?
>> Let me know, thanks.
>> Morgan
>>
>> 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy :
>>
>>> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>>>
>>>> Hi Alexander.
>>>>
>>>> Ok, after enabling debugging I have these logs:
>>>> ---
>>>> ==> /var/log/httpd/error_log <==
>>>> INFO: Current debug levels:
>>>>   all: 100
>>>>   tdb: 100
>>>>   printdrivers: 100
>>>>   lanman: 100
>>>>   smb: 100
>>>>   rpc_parse: 100
>>>>   rpc_srv: 100
>>>>   rpc_cli: 100
>>>>   passdb: 100
>>>>   sam: 100
>>>>   auth: 100
>>>>   winbind: 100
>>>>   vfs: 100
>>>>   idmap: 100
>>>>   quota: 100
>>>>   acls: 100
>>>>   locking: 100
>>>>   msdfs: 100
>>>>   dmapi: 100
>>>>   registry: 100
>>>>   scavenger: 100
>>>>   dns: 100
>>>>   ldb: 100
>>>> pm_process() returned Yes
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'sasl-EXTERNAL' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>>>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f8a3c224990
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>>>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>>>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>>>> Mapped to DCERPC endpoint \pipe\lsarpc
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>>>>
>>> Do you have IPv6 stack enabled?
>>>
>>>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>   s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>   s3_tevent: Run immediate event "
Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
Sorry, I've read ipv6.disable=1 in this article
http://www.freeipa.org/page/Active_Directory_trust_setup#Prerequisites, I
misunderstood this prerequisite and went directly to the next chapter; in my
mind I was convinced that IPv6 must be disabled :)

I will try with IPv6 enabled, and then I will tell you if it is ok.

Thanks, Morgan

2015-09-09 18:53 GMT+02:00 Alexander Bokovoy :

> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>
>> Hi Alexander
>>
>> IPv6 stack is disabled on my RHEL like distro, v 7 x64, but is enabled on
>> my Windows 2012.
>> I have read in a freeipa article to disable IPv6.
>>
> Sorry, and why did you decide to disable the IPv6 stack? The FreeIPA article
> explicitly talks about not disabling IPv6.
>
> Samba and FreeIPA LDAP code require a working IPv6 stack on the machine.
> You can have a system without IPv6 addresses but do not disable the
> infrastructure. All contemporary networking applications are written
> with the idea that you can use IPv6-only functions and work on both IPv4
> and IPv6 at the same time. See ipv6(7) manual page:
>
>     IPv4 connections can be handled with the v6 API by using the
>     v4-mapped-on-v6 address type; thus a program needs to support only this
>     API type to support both protocols. This is handled transparently by the
>     address handling functions in the C library.
>
>     IPv4 and IPv6 share the local port space. When you get an IPv4
>     connection or packet to a IPv6 socket, its source address will be mapped
>     to v6 and it will be mapped to v6.
>
>> I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
>> new freeipa server, just installed, in the same network.
>> AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
>> I've installed bind in IPA that contains only ipa.mydomain.com zone.
>> On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
>> delegation to the linux server (192.168.0.65).
>>
>> Do you have other questions about my setup?
>> Let me know, thanks.
>> Morgan
>>
>> 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy :
>>
>>> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>>>
>>>> Hi Alexander.
>>>>
>>>> Ok, after enabling debugging I have these logs:
>>>> ---
>>>> ==> /var/log/httpd/error_log <==
>>>> INFO: Current debug levels:
>>>>   all: 100
>>>>   tdb: 100
>>>>   printdrivers: 100
>>>>   lanman: 100
>>>>   smb: 100
>>>>   rpc_parse: 100
>>>>   rpc_srv: 100
>>>>   rpc_cli: 100
>>>>   passdb: 100
>>>>   sam: 100
>>>>   auth: 100
>>>>   winbind: 100
>>>>   vfs: 100
>>>>   idmap: 100
>>>>   quota: 100
>>>>   acls: 100
>>>>   locking: 100
>>>>   msdfs: 100
>>>>   dmapi: 100
>>>>   registry: 100
>>>>   scavenger: 100
>>>>   dns: 100
>>>>   ldb: 100
>>>> pm_process() returned Yes
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'sasl-EXTERNAL' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>>>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f8a3c224990
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>>>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>>>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>>>> Mapped to DCERPC endpoint \pipe\lsarpc
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>>>>
>>> Do you have IPv6 stack enabled?
>>>
>>>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>   s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>>   s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>>> [2015/09/09 08:45:05.032353, 4, pid=11196, effective(21740, 21740), real(21740, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>>   pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
>>>> [2015/09/09 08:45:05.032421, 2, pid=11196, effective(21740, 21740), real(21740, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>>>>   tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc and user IPA\admin failed: No such file or directory
>>>>
>>> I'm particularly worried about this one -- /run/samba/ncalrpc/np pipe
>>> has to be there.
>>>
>>> Can you explain what is your setup in detail?
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
On Wed, 09 Sep 2015, Morgan Marodin wrote:
> Hi Alexander
>
> IPv6 stack is disabled on my RHEL like distro, v 7 x64, but is enabled on
> my Windows 2012.
> I have read in a freeipa article to disable IPv6.
Sorry, and why did you decide to disable the IPv6 stack? The FreeIPA article
explicitly talks about not disabling IPv6.

Samba and FreeIPA LDAP code require a working IPv6 stack on the machine.
You can have a system without IPv6 addresses but do not disable the
infrastructure. All contemporary networking applications are written
with the idea that you can use IPv6-only functions and work on both IPv4
and IPv6 at the same time. See ipv6(7) manual page:

    IPv4 connections can be handled with the v6 API by using the
    v4-mapped-on-v6 address type; thus a program needs to support only this
    API type to support both protocols. This is handled transparently by the
    address handling functions in the C library.

    IPv4 and IPv6 share the local port space. When you get an IPv4
    connection or packet to a IPv6 socket, its source address will be mapped
    to v6 and it will be mapped to v6.

> I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
> new freeipa server, just installed, in the same network.
> AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
> I've installed bind in IPA that contains only ipa.mydomain.com zone.
> On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
> delegation to the linux server (192.168.0.65).
>
> Do you have other questions about my setup?
> Let me know, thanks.
> Morgan
>
> 2015-09-09 16:01 GMT+02:00 Alexander Bokovoy :
>
>> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>>
>>> Hi Alexander.
>>>
>>> Ok, after enabling debugging I have these logs:
>>> ---
>>> ==> /var/log/httpd/error_log <==
>>> INFO: Current debug levels:
>>>   all: 100
>>>   tdb: 100
>>>   printdrivers: 100
>>>   lanman: 100
>>>   smb: 100
>>>   rpc_parse: 100
>>>   rpc_srv: 100
>>>   rpc_cli: 100
>>>   passdb: 100
>>>   sam: 100
>>>   auth: 100
>>>   winbind: 100
>>>   vfs: 100
>>>   idmap: 100
>>>   quota: 100
>>>   acls: 100
>>>   locking: 100
>>>   msdfs: 100
>>>   dmapi: 100
>>>   registry: 100
>>>   scavenger: 100
>>>   dns: 100
>>>   ldb: 100
>>> pm_process() returned Yes
>>> GENSEC backend 'gssapi_spnego' registered
>>> GENSEC backend 'gssapi_krb5' registered
>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>> GENSEC backend 'spnego' registered
>>> GENSEC backend 'schannel' registered
>>> GENSEC backend 'sasl-EXTERNAL' registered
>>> GENSEC backend 'ntlmssp' registered
>>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f8a3c224990
>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>>> Mapped to DCERPC endpoint \pipe\lsarpc
>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>>>
>> Do you have IPv6 stack enabled?
>>
>>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>   s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>   s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>> [2015/09/09 08:45:05.032353, 4, pid=11196, effective(21740, 21740), real(21740, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>   pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
>>> [2015/09/09 08:45:05.032421, 2, pid=11196, effective(21740, 21740), real(21740, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>>>   tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc and user IPA\admin failed: No such file or directory
>>>
>> I'm particularly worried about this one -- /run/samba/ncalrpc/np pipe
>> has to be there.
>>
>> Can you explain what is your setup in detail?
>>
>> --
>> / Alexander Bokovoy
>
> --
> Morgan Marodin
> email: mor...@marodin.it
> mobile: +39.3477829069

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
Hi Alexander

IPv6 stack is disabled on my RHEL like distro, v 7 x64, but is enabled on my
Windows 2012.
I have read in a freeipa article to disable IPv6.

I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
new freeipa server, just installed, in the same network.
AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
I've installed bind in IPA that contains only ipa.mydomain.com zone.
On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
delegation to the linux server (192.168.0.65).

Do you have other questions about my setup?
Let me know, thanks.
Morgan

2015-09-09 16:01 GMT+02:00 Alexander Bokovoy :

> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>
>> Hi Alexander.
>>
>> Ok, after enabling debugging I have these logs:
>> ---
>> ==> /var/log/httpd/error_log <==
>> INFO: Current debug levels:
>>   all: 100
>>   tdb: 100
>>   printdrivers: 100
>>   lanman: 100
>>   smb: 100
>>   rpc_parse: 100
>>   rpc_srv: 100
>>   rpc_cli: 100
>>   passdb: 100
>>   sam: 100
>>   auth: 100
>>   winbind: 100
>>   vfs: 100
>>   idmap: 100
>>   quota: 100
>>   acls: 100
>>   locking: 100
>>   msdfs: 100
>>   dmapi: 100
>>   registry: 100
>>   scavenger: 100
>>   dns: 100
>>   ldb: 100
>> pm_process() returned Yes
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'sasl-DIGEST-MD5' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f8a3c224990
>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>> Mapped to DCERPC endpoint \pipe\lsarpc
>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
>>
> Do you have IPv6 stack enabled?
>
>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>   s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>   s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>> [2015/09/09 08:45:05.032353, 4, pid=11196, effective(21740, 21740), real(21740, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>   pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
>> [2015/09/09 08:45:05.032421, 2, pid=11196, effective(21740, 21740), real(21740, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>>   tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc and user IPA\admin failed: No such file or directory
>>
> I'm particularly worried about this one -- /run/samba/ncalrpc/np pipe
> has to be there.
>
> Can you explain what is your setup in detail?
>
> --
> / Alexander Bokovoy
>

--
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069
Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
On Wed, 09 Sep 2015, Morgan Marodin wrote:
> Hi Alexander.
>
> Ok, after enabling debugging I have these logs:
> ---
> ==> /var/log/httpd/error_log <==
> INFO: Current debug levels:
>   all: 100
>   tdb: 100
>   printdrivers: 100
>   lanman: 100
>   smb: 100
>   rpc_parse: 100
>   rpc_srv: 100
>   rpc_cli: 100
>   passdb: 100
>   sam: 100
>   auth: 100
>   winbind: 100
>   vfs: 100
>   idmap: 100
>   quota: 100
>   acls: 100
>   locking: 100
>   msdfs: 100
>   dmapi: 100
>   registry: 100
>   scavenger: 100
>   dns: 100
>   ldb: 100
> pm_process() returned Yes
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
> s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f8a3c224990
> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
> Mapped to DCERPC endpoint \pipe\lsarpc
> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255 netmask=255.255.255.0
Do you have IPv6 stack enabled?

> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>   s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>   s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
> [2015/09/09 08:45:05.032353, 4, pid=11196, effective(21740, 21740), real(21740, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>   pop_sec_ctx (21740, 21740) - sec_ctx_stack_ndx = 0
> [2015/09/09 08:45:05.032421, 2, pid=11196, effective(21740, 21740), real(21740, 0), class=rpc_srv] ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>   tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc and user IPA\admin failed: No such file or directory
I'm particularly worried about this one -- /run/samba/ncalrpc/np pipe
has to be there.

Can you explain what is your setup in detail?

--
/ Alexander Bokovoy
Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
On Tue, 08 Sep 2015, Morgan Marodin wrote:
> Also doing trust manually (as explained here
> http://www.freeipa.org/page/Active_Directory_trust_setup) the command fails
> in the same way:
>
> # ipa trust-add --type=ad MYDOMAIN.COM --trust-secret
> Shared secret for the trust:
> ipa: ERROR: Cannot find specified domain or server name
>
> ==> /var/log/httpd/access_log <==
> 192.168.0.65 - - [08/Sep/2015:17:50:21 +0200] "POST /ipa/session/json HTTP/1.1" 200 185
>
> ==> /var/log/httpd/error_log <==
> [Tue Sep 08 17:50:22.183939 2015] [:error] [pid 4265] ipa: INFO: [jsonserver_session] ad...@ipa.mydomain.com: trust_add(u'MYDOMAIN.COM', trust_type=u'ad', trust_secret=u'', all=False, raw=False, version=u'2.112'): NotFound
Enable debugging as instructed on the page you refer to above, and provide me
with the output as the page tells you.

--
/ Alexander Bokovoy
Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
Also doing trust manually (as explained here
http://www.freeipa.org/page/Active_Directory_trust_setup) the command fails in
the same way:

# ipa trust-add --type=ad MYDOMAIN.COM --trust-secret
Shared secret for the trust:
ipa: ERROR: Cannot find specified domain or server name

==> /var/log/httpd/access_log <==
192.168.0.65 - - [08/Sep/2015:17:50:21 +0200] "POST /ipa/session/json HTTP/1.1" 200 185

==> /var/log/httpd/error_log <==
[Tue Sep 08 17:50:22.183939 2015] [:error] [pid 4265] ipa: INFO: [jsonserver_session] ad...@ipa.mydomain.com: trust_add(u'MYDOMAIN.COM', trust_type=u'ad', trust_secret=u'', all=False, raw=False, version=u'2.112'): NotFound

==> /var/log/samba/log.winbindd-idmap <==
[2015/09/08 17:50:22.178007, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 17:50:22.178984, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 17:50:22.179771, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 17:50:22.179863, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *

:(
Morgan

2015-09-08 15:21 GMT+02:00 Alexander Bokovoy :

> On Tue, 08 Sep 2015, Morgan Marodin wrote:
>
>> I've solved this error, reading this forum:
>> https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html
>>
>> But now when I try to trust to my Active Directory I see these errors:
>>
>> # ipa trust-add --type=ad mydomain.com --admin Administrator --password
>> Active Directory domain administrator's password:
>> ipa: ERROR: CIFS server communication error: code "-1073741258",
>> message "The connection was refused" (both may be "None")
>>
>> Here are my logs:
>>
>> ==> /var/log/httpd/error_log <==
>> Failed to connect host 192.168.0.65 on port 135 - NT_STATUS_CONNECTION_REFUSED
>> Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
>> [Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO: [jsonserver_kerb] ad...@ipa.mydomain.com: trust_add(u'mydomain.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'', all=False, raw=False, version=u'2.112'): RemoteRetrieveError
>>
>> ==> /var/log/samba/log.192.168.0.65 <==
>> [2015/09/08 15:01:50.833128, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>   Username IPA\admin is invalid on this system
>>
> This is your problem. Does your system have SSSD actually running?
>
> List of ports that smbd should be listening on on IPA master:
> # netstat -nltup|grep smbd
> tcp        0      0 0.0.0.0:135     0.0.0.0:*    LISTEN  12420/smbd
> tcp        0      0 0.0.0.0:139     0.0.0.0:*    LISTEN  12417/smbd
> tcp        0      0 0.0.0.0:445     0.0.0.0:*    LISTEN  12417/smbd
> tcp        0      0 0.0.0.0:1024    0.0.0.0:*    LISTEN  12422/smbd
> tcp6       0      0 :::135          :::*         LISTEN  12420/smbd
> tcp6       0      0 :::139          :::*         LISTEN  12417/smbd
> tcp6       0      0 :::445          :::*         LISTEN  12417/smbd
> tcp6       0      0 :::1024         :::*         LISTEN  12422/smbd
>
> --
> / Alexander Bokovoy
>

--
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069
Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
Hi Alexander, thanks for your support.

These are my open ports after running sssd:
# netstat -nltup | grep smbd
tcp        0      0 0.0.0.0:139     0.0.0.0:*    LISTEN  3149/smbd
tcp        0      0 0.0.0.0:445     0.0.0.0:*    LISTEN  3149/smbd

After running SSSD, the error when doing the trust changes:
# ipa trust-add --type=ad mydomain.com --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: Cannot find specified domain or server name

Logs:
==> /var/log/httpd/error_log <==
[Tue Sep 08 15:14:46.486031 2015] [:error] [pid 2221] ipa: INFO: [jsonserver_session] ad...@ipa.mydomain.com: trust_add(u'mydomain.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'', realm_server=u'srv01.MYDOMAIN.com', all=False, raw=False, version=u'2.112'): NotFound

==> /var/log/samba/log.winbindd-idmap <==
[2015/09/08 15:14:46.482578, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/09/08 15:14:46.483715, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *

But DNS seems ok:

# dig SRV _ldap._tcp.ipa.mydomain.com @dc01.mydomain.com

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._tcp.ipa.mydomain.com @dc01.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.ipa.mydomain.com.   IN      SRV

;; ANSWER SECTION:
_ldap._tcp.ipa.mydomain.com. 83913 IN   SRV     0 100 389 srv01.ipa.mydomain.com.

;; ADDITIONAL SECTION:
srv01.ipa.mydomain.com. 3600    IN      A       192.168.0.65

;; Query time: 1 msec
;; SERVER: 192.168.0.31#53(192.168.0.31)
;; WHEN: Tue Sep 08 15:39:03 CEST 2015
;; MSG SIZE  rcvd: 122

# dig SRV _ldap._tcp.ipa.mydomain.com @localhost

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._tcp.ipa.mydomain.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18190
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.ipa.mydomain.com.   IN      SRV

;; ANSWER SECTION:
_ldap._tcp.ipa.mydomain.com. 86400 IN   SRV     0 100 389 srv01.ipa.mydomain.com.

;; AUTHORITY SECTION:
ipa.mydomain.com.       86400   IN      NS      srv01.ipa.mydomain.com.

;; ADDITIONAL SECTION:
srv01.ipa.mydomain.com. 86400   IN      A       192.168.0.65

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 08 15:32:50 CEST 2015
;; MSG SIZE  rcvd: 136

# dig SRV _ldap._tcp.mydomain.com @dc01.mydomain.com

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._tcp.mydomain.com @dc01.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60503
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.mydomain.com.       IN      SRV

;; ANSWER SECTION:
_ldap._tcp.mydomain.com. 600    IN      SRV     0 100 389 dc02.mydomain.com.
_ldap._tcp.mydomain.com. 600    IN      SRV     0 100 389 dc01.mydomain.com.

;; ADDITIONAL SECTION:
dc02.mydomain.com.      3600    IN      A       192.168.0.15
dc01.mydomain.com.      3600    IN      A       192.168.0.31

;; Query time: 1 msec
;; SERVER: 192.168.0.31#53(192.168.0.31)
;; WHEN: Tue Sep 08 15:33:27 CEST 2015
;; MSG SIZE  rcvd: 172

# dig SRV _ldap._tcp.mydomain.com @localhost

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> SRV _ldap._tcp.mydomain.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36890
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.mydomain.com.       IN      SRV

;; ANSWER SECTION:
_ldap._tcp.mydomain.com. 600    IN      SRV     0 100 389 dc02.mydomain.com.
_ldap._tcp.mydomain.com. 600    IN      SRV     0 100 389 dc01.mydomain.com.

;; AUTHORITY SECTION:
.                       78287   IN      NS      c.root-servers.net.
.                       78287   IN      NS      g.root-servers.net.
.                       78287   IN      NS      f.root-servers.net.
.                       78287   IN      NS      e.root-servers.net.
.                       78287   IN      NS      i.root-servers.net.
.                       78287   IN      NS      b.root-servers.net.
.                       78287   IN      NS      d.root-servers.net.
.                       78287   IN      NS      m.root-servers.net.
.                       78287   IN      NS      h.root-servers.net.
.                       78287   IN      NS      a.root-servers.net.
.                       78287   IN      NS      j.root-servers.net.
Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
On Tue, 08 Sep 2015, Morgan Marodin wrote:
> I've solved this error, reading this forum:
> https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html
>
> But now when I try to trust to my Active Directory I see these errors:
>
> # ipa trust-add --type=ad mydomain.com --admin Administrator --password
> Active Directory domain administrator's password:
> ipa: ERROR: CIFS server communication error: code "-1073741258",
> message "The connection was refused" (both may be "None")
>
> Here are my logs:
>
> ==> /var/log/httpd/error_log <==
> Failed to connect host 192.168.0.65 on port 135 - NT_STATUS_CONNECTION_REFUSED
> Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
> [Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO: [jsonserver_kerb] ad...@ipa.mydomain.com: trust_add(u'mydomain.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'', all=False, raw=False, version=u'2.112'): RemoteRetrieveError
>
> ==> /var/log/samba/log.192.168.0.65 <==
> [2015/09/08 15:01:50.833128, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>   Username IPA\admin is invalid on this system
This is your problem. Does your system have SSSD actually running?

List of ports that smbd should be listening on on IPA master:
# netstat -nltup|grep smbd
tcp        0      0 0.0.0.0:135     0.0.0.0:*    LISTEN  12420/smbd
tcp        0      0 0.0.0.0:139     0.0.0.0:*    LISTEN  12417/smbd
tcp        0      0 0.0.0.0:445     0.0.0.0:*    LISTEN  12417/smbd
tcp        0      0 0.0.0.0:1024    0.0.0.0:*    LISTEN  12422/smbd
tcp6       0      0 :::135          :::*         LISTEN  12420/smbd
tcp6       0      0 :::139          :::*         LISTEN  12417/smbd
tcp6       0      0 :::445          :::*         LISTEN  12417/smbd
tcp6       0      0 :::1024         :::*         LISTEN  12422/smbd

--
/ Alexander Bokovoy
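A quick way to compare a host's listener set against the reference listing above is to parse the netstat -nltup output instead of eyeballing it. The following is an added example, not code from this thread or from FreeIPA: it parses the LISTEN lines, reports which of the smbd ports in Alexander's listing (135, 139, 445, 1024, on both tcp and tcp6) are not served by smbd, and flags the absence of any tcp6 listener, which is what a host without an IPv6 stack looks like from outside. The two embedded listings are copied from this thread (Alexander's expected set and the two-line set Morgan posted). The port roles in SMBD_PORTS are this example's annotation, not something netstat prints; 135 is the DCE/RPC endpoint mapper that the "Failed to connect host ... on port 135" error refers to, and the role given for 1024 is an assumption.

```python
from collections import defaultdict

# Listings copied from the thread: the expected set on an IPA master with the
# AD trust components installed (Alexander) and what Morgan's host showed.
REFERENCE_LISTING = """\
tcp        0      0 0.0.0.0:135     0.0.0.0:*    LISTEN  12420/smbd
tcp        0      0 0.0.0.0:139     0.0.0.0:*    LISTEN  12417/smbd
tcp        0      0 0.0.0.0:445     0.0.0.0:*    LISTEN  12417/smbd
tcp        0      0 0.0.0.0:1024    0.0.0.0:*    LISTEN  12422/smbd
tcp6       0      0 :::135          :::*         LISTEN  12420/smbd
tcp6       0      0 :::139          :::*         LISTEN  12417/smbd
tcp6       0      0 :::445          :::*         LISTEN  12417/smbd
tcp6       0      0 :::1024         :::*         LISTEN  12422/smbd
"""

MORGAN_LISTING = """\
tcp        0      0 0.0.0.0:139     0.0.0.0:*    LISTEN  3149/smbd
tcp        0      0 0.0.0.0:445     0.0.0.0:*    LISTEN  3149/smbd
"""

# Port roles are this example's annotation (1024's role is assumed).
SMBD_PORTS = {
    135: "DCE/RPC endpoint mapper; ipa trust-add connects here first",
    139: "SMB over NetBIOS session service",
    445: "SMB over TCP",
    1024: "RPC service port seen in the reference listing (assumed dynamic)",
}


def parse_listeners(netstat_output: str) -> dict:
    """Map (proto, port) -> 'pid/program' for every LISTEN line of netstat -nltup."""
    listeners = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        # Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        proto, local, program = fields[0], fields[3], fields[6]
        port = int(local.rsplit(":", 1)[1])  # handles 0.0.0.0:135 and :::135
        listeners[(proto, port)] = program
    return listeners


def missing_smbd_ports(netstat_output: str, program: str = "smbd") -> list:
    """(proto, port) pairs from SMBD_PORTS that `program` is not listening on, sorted."""
    listeners = parse_listeners(netstat_output)
    return sorted(
        (proto, port)
        for proto in ("tcp", "tcp6")
        for port in SMBD_PORTS
        if listeners.get((proto, port), "").split("/")[-1] != program
    )


def ipv6_listeners_present(netstat_output: str) -> bool:
    """True if at least one tcp6 socket is in LISTEN state."""
    return any(proto == "tcp6" for proto, _ in parse_listeners(netstat_output))


def diagnose(netstat_output: str) -> list:
    """One human-readable finding per problem; empty list means the set matches."""
    findings = []
    by_port = defaultdict(list)
    for proto, port in missing_smbd_ports(netstat_output):
        by_port[port].append(proto)
    for port, protos in sorted(by_port.items()):
        findings.append(f"port {port} ({SMBD_PORTS[port]}) not listening on {', '.join(protos)}")
    if not ipv6_listeners_present(netstat_output):
        findings.append("no tcp6 listeners at all: is the IPv6 stack disabled?")
    return findings


if __name__ == "__main__":
    for name, listing in (("reference", REFERENCE_LISTING), ("morgan", MORGAN_LISTING)):
        print(name, diagnose(listing) or ["ok"])
```

Run against Morgan's listing it reports 135 and 1024 missing on both families, 139 and 445 missing on tcp6, and no tcp6 listeners at all; against the reference listing it reports nothing. Feed it the output of netstat -nltup from the IPA master to get the same comparison for a live host.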
Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
I've solved this error, reading this forum:
https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html

But now when I try to trust to my Active Directory I see these errors:

# ipa trust-add --type=ad mydomain.com --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "-1073741258",
message "The connection was refused" (both may be "None")

Here are my logs:

==> /var/log/httpd/error_log <==
Failed to connect host 192.168.0.65 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135 - NT_STATUS_CONNECTION_REFUSED.
[Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO: [jsonserver_kerb] ad...@ipa.mydomain.com: trust_add(u'mydomain.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'', all=False, raw=False, version=u'2.112'): RemoteRetrieveError

==> /var/log/samba/log.192.168.0.65 <==
[2015/09/08 15:01:50.833128, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username IPA\admin is invalid on this system
[2015/09/08 15:01:50.833200, 1] ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2015/09/08 15:01:50.833236, 1] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
[2015/09/08 15:01:50.852169, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username IPA\admin is invalid on this system
[2015/09/08 15:01:50.85, 1] ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2015/09/08 15:01:50.852256, 1] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED

I don't see any 135 TCP listening port; doing tcpdump I see that it tries to
make a connection to its 135 port.
What am I missing?

Thanks, Morgan

> Subject: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER
> Date: Tue, 08 Sep 2015 11:00:49 +0200
> To:
>
> Hi everyone.
>
> I've a problem with my new freeipa installation, v4.1.0, over RHEL 7 like
> distribution.
>
> The installation was ok, but now I've some problems operating via CLI:
> # ipa user-show admin
> ipa: ERROR: cert validation failed for "CN=srv01.ipa.mydomain.com,O=IPA.MYDOMAIN.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to 'https://srv01.ipa.mydomain.com/ipa/json': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
>
> I've got the same problem connecting via curl, but after doing these
> commands for curl now it works, but not for ipa cli operations:
> --
> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
> # certutil -L -d /etc/pki/nssdb
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> IPA CA                                                       CT,C,C
> # cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/
> # update-ca-trust extract
> --
>
> And also this command doesn't work:
> # ipa trust-add --type=ad mydomain.com --admin Administrator --password
> ipa: ERROR: cert validation failed for "CN=srv01.ipa.mydomain.com,O=IPA.MYDOMAIN.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to 'https://srv01.ipa.mydomain.com/ipa/json': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
>
> So ... what's the problem?
>
> Let me know, thanks.
> Morgan
>