Re: [Freeipa-devel] ipa-server-install Unable to set admin password

2010-01-08 Thread Rob Crittenden

tatiana philippova wrote:

Hi Rob,
many thanks for reply, here is information requested

On Fri, Jan 8, 2010 at 4:10 AM, Rob Crittenden  wrote:

tatiana philippova wrote:

Hi, I have an issue with freeipa v 1.9.0.pre1 on Fedora12 (virtual)
..actually - not just one issue, a couple of them.

freeipa rpms were built from tarball (downloaded from official site)
ipa-server-1.9.0.pre1-0.fc12.x86_64
ipa-client-1.9.0.pre1-0.fc12.x86_64
ipa-server-selinux-1.9.0.pre1-0.fc12.x86_64
ipa-python-1.9.0.pre1-0.fc12.x86_64
ipa-admintools-1.9.0.pre1-0.fc12.x86_64


the first issue appears during server setup:
#ipa-server-install -N
..
Applying LDAP updates
restarting the directory server
restarting the KDC
Sample zone file for bind has been created in /tmp/sample.zone.xe_hlt.db
Unable to set admin password Command '/usr/lib64/mozldap/ldappasswd -D
cn=Directory Manager -w pass1 -P
/etc/dirsrv/slapd-INTERNAL-MYNET-COM//cert8.db -ZZZ -s pass2
uid=admin,cn=users,cn=accounts,dc=internal,dc=mynet,dc=com' returned
non-zero exit status 1

also noticed next in /var/log/dirsrv/slapd-INTERNAL-BULLETIN-NET/errors :
[08/Jan/2010:10:02:38 +1300] ipa_pwd_extop - krb5_c_string_to_key
failed [Bad encryption type]
[08/Jan/2010:10:02:38 +1300] ipa_pwd_extop - key encryption/encoding failed


Well, that explains why the admin password wasn't set. Simo, any thoughts?

ipa_pwd_extop is the 389-ds plugin we use to keep the LDAP password and 
the kerberos principal key in sync.


What version of krb5-server do you have installed? rpm -q krb5-server


..

when I start ldappasswd manually with the same parameters -
ldap_simple_bind: No such object

Can you provide a log snippet from the 389ds access log
(/var/log/slapd-INTERNAL-MYNET-COM/access) showing these?


when command manually started:
/usr/lib64/mozldap/ldappasswd -D cn=Directory Manager -w pass1 -P
/etc/dirsrv/slapd-INTERNAL-MYNET-COM//cert8.db -ZZZ -s pass2
uid=admin,cn=users,cn=accounts,dc=internal,dc=mynet,dc=com
ldap_simple_bind: No such object

/var/log/dirsrv/slapd-INTERNAL-MYNET-COM/access:

[08/Jan/2010:10:24:50 +1300] conn=13 fd=69 slot=69 connection from ::1 to ::1
[08/Jan/2010:10:24:50 +1300] conn=13 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[08/Jan/2010:10:24:50 +1300] conn=13 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[08/Jan/2010:10:24:50 +1300] conn=13 SSL 128-bit RC4
[08/Jan/2010:10:24:50 +1300] conn=13 op=1 BIND dn="cn=Directory"
method=128 version=3
[08/Jan/2010:10:24:50 +1300] conn=13 op=2 UNBIND
[08/Jan/2010:10:24:50 +1300] conn=13 op=2 fd=69 closed - U1
[08/Jan/2010:10:24:51 +1300] conn=13 op=1 RESULT err=32 tag=97
nentries=0 etime=1


You need to put quotes around "cn=Directory Manager".




output from ldapsearch:

ldapsearch -x -D "cn=Directory Manager" -w pass1 -b
cn=users,cn=accounts,dc=internal,dc=mynet,dc=com
krbprincipalname=admin krbPrincipalKey
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: krbprincipalname=admin
# requesting: krbPrincipalKey
#

# search result
search: 2
result: 0 Success

# numResponses: 1

The krbprincipalname would be ad...@internal.mynet.com

Oops, sorry, here is the correct output:

[r...@freeipa log]# ldapsearch -x -D "cn=Directory Manager" -w pass1
-b cn=users,cn=accounts,dc=internal,dc=mynet,dc=com
krbprincipalname=ad...@internal.mynet.com krbPrincipalKey
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: krbprincipalname=ad...@internal.mynet.com
# requesting: krbPrincipalKey.
#
# admin, users, accounts, internal.MYNET.COM
dn: uid=admin,cn=users,cn=accounts,dc=internal,dc=mynet,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Ok, that is about what I would expect since the password setting failed.




and in /var/log/dirsrv/slapd-INTERNAL-MYNET-COM/access:

[08/Jan/2010:10:27:14 +1300] conn=15 fd=69 slot=69 connection from
127.0.0.1 to 127.0.0.1
[08/Jan/2010:10:27:14 +1300] conn=15 op=0 BIND dn="cn=Directory
Manager" method=128 version=3
[08/Jan/2010:10:27:14 +1300] conn=15 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=directory manager"
[08/Jan/2010:10:27:14 +1300] conn=15 op=1 SRCH
base="cn=users,cn=accounts,dc=internal,dc=mynet,dc=com" scope=2
filter="(krbprincipalname=ad...@internal.mynet.com)"
attrs="krbPrincipalKey"
[08/Jan/2010:10:27:14 +1300] conn=15 op=1 RESULT err=0 tag=101
nentries=1 etime=0
[08/Jan/2010:10:27:14 +1300] conn=15 op=2 UNBIND
[08/Jan/2010:10:27:14 +1300] conn=15 op=2 fd=69 closed - U1


the second issue:
The password for this file is in
/etc/dirsrv/slapd-INTERNAL-MYNET-COM/pwdfile.txt

but in log file
2010-01-07 21:36:44,054 INFO pk12util: PKCS12 EXPORT SUCCESSFUL
2010-01-07 21:36:44,103 INFO certutil: Could not find: CA certificate
: security library: bad database.

Can you see what certificates exist in the database?

certutil -L -d /etc/dirsrv/slapd-INTERNAL-MYNET-COM/


[r...@freeipa log]# certutil -L -d /etc/dirsrv/slapd-INTERNAL-MYNET-COM/

Certificate Nickname Trust Attributes

SSL
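One way to read the 389-ds access log excerpts quoted in this thread programmatically, as an added example that is not part of the original mail: it pairs each BIND with its RESULT by conn/op (for conn=13 the RESULT is logged after the UNBIND, so line order alone is not enough) and reports binds that failed. The sample lines are constructed in the format quoted above.

```python
import re

# Constructed sample in the 389-ds access log format quoted in the thread:
# conn=13 bound with the DN split at the space, conn=15 with the quoted DN.
SAMPLE_LOG = """\
[08/Jan/2010:10:24:50 +1300] conn=13 fd=69 slot=69 connection from ::1 to ::1
[08/Jan/2010:10:24:50 +1300] conn=13 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[08/Jan/2010:10:24:50 +1300] conn=13 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[08/Jan/2010:10:24:50 +1300] conn=13 SSL 128-bit RC4
[08/Jan/2010:10:24:50 +1300] conn=13 op=1 BIND dn="cn=Directory" method=128 version=3
[08/Jan/2010:10:24:50 +1300] conn=13 op=2 UNBIND
[08/Jan/2010:10:24:50 +1300] conn=13 op=2 fd=69 closed - U1
[08/Jan/2010:10:24:51 +1300] conn=13 op=1 RESULT err=32 tag=97 nentries=0 etime=1
[08/Jan/2010:10:27:14 +1300] conn=15 fd=69 slot=69 connection from 127.0.0.1 to 127.0.0.1
[08/Jan/2010:10:27:14 +1300] conn=15 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[08/Jan/2010:10:27:14 +1300] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[08/Jan/2010:10:27:14 +1300] conn=15 op=2 UNBIND
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


def bind_outcomes(log_text):
    """Pair every BIND with its RESULT by (conn, op) and return a list of
    (conn, bind_dn, err) in connection order; err is None if no RESULT
    line was seen for that operation."""
    binds = {}
    results = {}
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            binds[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            results[(m.group(1), m.group(2))] = int(m.group(3))
    ordered = sorted(binds, key=lambda k: (int(k[0]), int(k[1])))
    return [(conn, binds[(conn, op)], results.get((conn, op)))
            for conn, op in ordered]


def failed_binds(log_text):
    """Binds whose RESULT was non-zero. err=32 (noSuchObject) on a simple
    bind means the bind DN does not exist, here because the unquoted
    "cn=Directory Manager" was truncated to "cn=Directory" by the shell."""
    return [(conn, dn, err) for conn, dn, err in bind_outcomes(log_text)
            if err not in (0, None)]
```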

Re: [Freeipa-devel] [PATCH] Add Kerberos Ticket Policy management plugin.

2010-01-08 Thread Rob Crittenden

Pavel Zuna wrote:
Alright, here's my first shot at the Kerberos Ticket Policy management 
plugin.


It is also a "new type" of plugin. What I mean by that is that it takes 
an optional primary key (username) as its first argument. If used, 
policy for a specific user is being managed. If not, the global policy 
is being managed.  If there's no value defined for a specific user, the 
global value is displayed instead. This pattern could also be applied to 
the pwpolicy plugin.


The pwpolicy plugin currently doesn't even use the baseldap classes and 
is a bit buggy*. So, if nobody minds, I'd like to rewrite it to use this 
pattern. It should only take a few hours.


* minor bugs in pwpolicy plugin:
- it says that higher number in cosPriority means higher priority, this 
isn't true
- it is impossible to modify cosPriority using pwpolicy-mod, it throws 
an exception, because it tries to set it in the wrong entry


Pavel


I'm having a problem getting this to apply to the tip. Does this depend 
on some other patches?


patching file ipalib/plugins/baseldap.py
Hunk #5 succeeded at 346 (offset 152 lines).
Hunk #6 FAILED at 363.
Hunk #7 FAILED at 422.
Hunk #8 FAILED at 506.
Hunk #9 succeeded at 208 (offset -163 lines).
Hunk #10 succeeded at 566 (offset 152 lines).
Hunk #11 succeeded at 267 (offset -163 lines).
Hunk #12 succeeded at 873 (offset 150 lines).
3 out of 12 hunks FAILED -- saving rejects to file 
ipalib/plugins/baseldap.py.rej

patching file ipalib/plugins/krbtpolicy.py

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] ipa-server-install Unable to set admin password

2010-01-08 Thread Dmitri Pal
Rob Crittenden wrote:
> tatiana philippova wrote:
>> also  noticed next in
>> /var/log/dirsrv/slapd-INTERNAL-BULLETIN-NET/errors :
>> [08/Jan/2010:10:02:38 +1300] ipa_pwd_extop - krb5_c_string_to_key
>> failed [Bad encryption type]
>> [08/Jan/2010:10:02:38 +1300] ipa_pwd_extop - key encryption/encoding
>> failed
>
> Well, that explains why the admin password wasn't set. Simo, any
> thoughts?
>
> ipa_pwd_extop is the 389-ds plugin we use to keep the LDAP password
> and the kerberos principal key in sync.
>
> What version of krb5-server do you have installed? rpm -q krb5-server

If it is F12 the Kerberos version should be 1.7.
Can it be that we have an incompatibility with 1.7 in our plugin?



Re: [Freeipa-devel] [PATCH] 342 control the certificate subject in dogtag

2010-01-08 Thread Jason Gerard DeRose
On Fri, 2009-12-18 at 11:05 -0500, Rob Crittenden wrote:
> Use the caIPAserviceCert profile for issuing service certs.
> 
> This profile enables subject validation and ensures that the subject 
> that the CA issues is uniform. The client can only request a specific 
> CN, the rest of the subject is fixed.
> 
> This is the first step of allowing the subject to be set at installation 
> time.
> 
> Also fix 2 more issues related to the return results migration.
> 
> Note that with the selfsign plugin it will still issue the subject that 
> was in the CSR.
> 
> rob

ack.  pushed to master.



[Freeipa-devel] [PATCH] 345 fix pwpolicy plugin

2010-01-08 Thread Rob Crittenden
Allow the priority to be updated and fix the description of priority 
ordering. Lower wins, not higher.


I also had to add the option to not normalize to a few more functions in 
ldap2. I have to craft a very specifically-formatted DN for it to be 
understood by the krb5 server.


rob


freeipa-345-pwpolicy.patch
Description: application/mbox

[Freeipa-devel] [PATCH] 344 require fully-qualified hostname in ipa-join

2010-01-08 Thread Rob Crittenden
Require a fully-qualified hostname in ipa-join. The server side will 
enforce this as well but better to catch it early.


rob


freeipa-344-join.patch
Description: application/mbox

Re: [Freeipa-devel] [PATCH] Allow creation of new connections by unshared instances of backend.Connectible.

2010-01-08 Thread Jason Gerard DeRose
On Tue, 2010-01-05 at 14:10 +0100, Pavel Zuna wrote:
> The backend.Connectible base class was designed, so that only one instance of
> each subclass is used at a time. Connectible generates a Connection object for
> each thread and stores it in thread-local storage (context). Subclasses access
> this object through the Connectible.conn property.
> 
> This is a good thing, because one instance of the class can be shared by all 
> threads and each thread has its own connection. Unfortunately, this is also a 
> limitation. If a thread needs a second connection (to a different host for 
> example) - it can't do it. Not even by creating a new instance of the 
> Connectible subclass.
> 
> Ok, let's move from theory to practice:
> 
> The LDAP backend is currently only used by the Executioner backend, so that 
> plugins can connect to the IPA DS.
> 
> In the migration plugin, we need a second connection to the DS we're migrating
> from. The last version had to use low level python-ldap calls to achieve this.
> 
> In the installer we're still using legacy code from v1. Using ldap2 would be
> simpler and we could drop ~1000 lines of code. (I already started rewriting a
> few parts to see if it would work.)
> 
> Proposed solution:
> 
> Make it possible to create unshared instances of Connectible subclasses.
> 
> This would be achieved by passing shared_instance=False (couldn't come up with
> a better name) to the object constructor explicitly. Normally, Connection
> objects are stored in thread-local storage under the subclass name (e.g.
> "ldap2"). Unshared instances would store their Connection objects under
> subclass name + unique instance ID (e.g. "ldap2_218adsfka7").
> 
> This is the only solution I could come up with, that doesn't involve breaking
> a lot of stuff - it just adds a new way of using the code we already have.
> 
> The attached patches show how it would be done.
> 
> Pavel

I'm fine with this approach as the solution you propose is quite
unobtrusive.  Is this the final patch then, or will you make further
changes or bundle it with another patch?



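The shared/unshared Connectible pattern Pavel describes above, as an added sketch that is not ipalib's code: a shared instance stores its per-thread Connection under the subclass name, an unshared instance under name plus a unique suffix. The Connection class, the host names and the random-suffix scheme are assumptions.

```python
import threading, uuid

_context = threading.local()  # per-thread storage, like ipalib's context


class Connection:  # hypothetical stand-in for a backend connection
    def __init__(self, host):
        self.host = host


class Connectible:
    """Sketch of the pattern described in the thread: a shared instance keeps
    one Connection per thread under its subclass name; an unshared instance
    (shared_instance=False) keys its Connection under name + unique id."""
    def __init__(self, shared_instance=True):
        self.name = type(self).__name__
        if shared_instance:
            self.id = self.name
        else:
            self.id = '%s_%s' % (self.name, uuid.uuid4().hex[:10])

    def connect(self, host):
        # store this instance's connection in the calling thread's context
        setattr(_context, self.id, Connection(host))

    @property
    def conn(self):
        try:
            return getattr(_context, self.id)
        except AttributeError:
            raise RuntimeError('%s is not connected in this thread' % self.id)


class ldap2(Connectible):
    pass


def demo():
    # Two shared ldap2 instances see the same thread-local connection; an
    # unshared one holds a second connection to another (constructed) host.
    a, b = ldap2(), ldap2()
    a.connect('ipa.example.test')
    other = ldap2(shared_instance=False)
    other.connect('old-ds.example.test')
    result = {'shared_same': a.conn is b.conn,
              'shared_host': b.conn.host,
              'unshared_host': other.conn.host}
    # the shared slot is per thread: a fresh thread has not connected yet
    seen = []
    t = threading.Thread(target=lambda: seen.append(hasattr(_context, a.id)))
    t.start(); t.join()
    result['visible_in_other_thread'] = seen[0]
    return result
```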