[Freeipa-users] Re: Group membership expiration

2017-07-27 Thread Rob Crittenden via FreeIPA-users
Prashant Bapat via FreeIPA-users wrote:
> Hi FreeIPA Users,
> 
> Is there a way to make the group membership have an optional expiration
> date? This expiration date can be set by the admin.

No, there is no way to do this in IPA.

> Any pointers to how this can be implemented would be very helpful.

It would be tricky to do, especially depending on the granularity needed.
It isn't something that the IPA server would do; the clients (which may
cache) would also need to evaluate the expiration dates for them to be
really meaningful.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-07-27 Thread pgb 205 via FreeIPA-users
Here is the log that I sent in yesterday. With
server1 and server2 down, but server3 up.

kdc=server1
kdc=server2
kdc=server3
kdc_master=server1
kdc_master=server2
kdc_master=server3

kinit tries server1 and server2 but never even attempts server3
KRB5_TRACE=/dev/stdout kinit user(a)test.domain 
[12536] 1501112935.251721: Getting initial credentials for user(a)test.domain 
[12536] 1501112935.251917: Sending request (181 bytes) to test.domain
[12536] 1501112935.251956: Resolving hostname server1
[12536] 1501112935.252875: Sending initial UDP request to dgram server1_ip:88
[12536] 1501112936.253962: Resolving hostname server2
[12536] 1501112936.255680: Retrying AS request with master KDC
[12536] 1501112936.255699: Getting initial credentials for user(a)test.domain
[12536] 1501112936.255763: Sending request (181 bytes) to test.domain (master)
[12536] 1501112936.255779: Resolving hostname server1
[12536] 1501112936.256379: Sending initial UDP request to dgram server1_ip:88
[12536] 1501112937.257451: Resolving hostname server2
kinit: Invalid argument while getting initial credentials

kinit with the following configuration will work, however.
kdc=server1
kdc=server2
kdc=server3
kdc_master=server1
# kdc_master=server2
kdc_master=server3
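The trace above can be checked mechanically. The script below is an added example, not part of the post or of MIT Kerberos: it pulls the kdc/kdc_master hosts of one realm out of a krb5.conf [realms] stanza and compares them with the hostnames a KRB5_TRACE run actually resolved, separately for the normal attempt and the master-KDC retry. The realm, hostnames and trace lines are constructed to mirror the posted ones.

```python
"""Which configured KDCs did kinit actually try?  Added example for this
thread (not from the post or from MIT Kerberos): parse the kdc/kdc_master
hosts of one realm from krb5.conf and compare them with the hostnames a
KRB5_TRACE run resolved.  Realm, hosts and trace lines are constructed."""
import re

# Constructed [realms] stanza mirroring the posted configuration.  MIT krb5
# documents the fallback key as master_kdc (primary_kdc in newer releases);
# the posted config spells it kdc_master, so both spellings are accepted.
KRB5_CONF = """\
[realms]
 TEST.DOMAIN = {
  kdc = server1
  kdc = server2
  kdc = server3
  kdc_master = server1
  kdc_master = server2
  kdc_master = server3
 }
"""

# Constructed KRB5_TRACE excerpt with the same shape as the posted one:
# server1 and server2 are resolved in both phases, server3 never is.
TRACE = """\
[12536] 1501112935.251721: Getting initial credentials for user@TEST.DOMAIN
[12536] 1501112935.251917: Sending request (181 bytes) to TEST.DOMAIN
[12536] 1501112935.251956: Resolving hostname server1
[12536] 1501112935.252875: Sending initial UDP request to dgram 192.0.2.1:88
[12536] 1501112936.253962: Resolving hostname server2
[12536] 1501112936.255680: Retrying AS request with master KDC
[12536] 1501112936.255763: Sending request (181 bytes) to TEST.DOMAIN (master)
[12536] 1501112936.255779: Resolving hostname server1
[12536] 1501112936.256379: Sending initial UDP request to dgram 192.0.2.1:88
[12536] 1501112937.257451: Resolving hostname server2
kinit: Invalid argument while getting initial credentials
"""

KEY_RE = re.compile(r"^(kdc_master|master_kdc|primary_kdc|kdc)\s*=\s*(\S+)")
RESOLVE_RE = re.compile(r"Resolving hostname (\S+)")
MASTER_RETRY = "Retrying AS request with master KDC"


def parse_realm_kdcs(conf, realm):
    """Return {'kdc': [...], 'master': [...]} for one realm in [realms].
    Handles plain 'key = value' lines and strips an optional :port suffix."""
    hosts = {"kdc": [], "master": []}
    in_realms = in_block = False
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("["):               # new section header
            in_realms, in_block = line == "[realms]", False
            continue
        if not in_realms:
            continue
        if not in_block:
            if re.match(rf"^{re.escape(realm)}\s*=\s*{{", line):
                in_block = True
            continue
        if line.startswith("}"):               # end of this realm's block
            break
        m = KEY_RE.match(line)
        if m:
            phase = "kdc" if m.group(1) == "kdc" else "master"
            hosts[phase].append(m.group(2).rsplit(":", 1)[0])
    return hosts


def parse_trace_attempts(trace):
    """Hostnames resolved before and after the master-KDC retry, in order."""
    tried = {"kdc": [], "master": []}
    phase = "kdc"
    for line in trace.splitlines():
        if MASTER_RETRY in line:
            phase = "master"
            continue
        m = RESOLVE_RE.search(line)
        if m and m.group(1) not in tried[phase]:
            tried[phase].append(m.group(1))
    return tried


def kdc_coverage(conf, trace, realm):
    """Per phase: configured hosts, hosts the client resolved, and the gap."""
    configured = parse_realm_kdcs(conf, realm)
    tried = parse_trace_attempts(trace)
    return {
        phase: {
            "configured": configured[phase],
            "tried": tried[phase],
            "untried": [h for h in configured[phase] if h not in tried[phase]],
        }
        for phase in ("kdc", "master")
    }


if __name__ == "__main__":
    for phase, data in kdc_coverage(KRB5_CONF, TRACE, "TEST.DOMAIN").items():
        print(f"{phase}: tried={data['tried']} never attempted={data['untried']}")
```

Run against a real krb5.conf and a saved KRB5_TRACE log, a non-empty "never attempted" list for a realm pins down exactly which configured KDCs the client skipped.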


[Freeipa-users] Re: Cronjob requesting krb tickets

2017-07-27 Thread Anton Semjonov via FreeIPA-users
>> It's much simpler to use a keytab for your service and let Kerberos
>> acquire a TGT automatically. You can either place the keytab in a
>> special location, set the env var KRB5_CLIENT_KTNAME or use GSSProxy to
>> handle the keytab for you. With a client keytab, you don't have to call
>> kinit at all.
> 
> OK, I'd seen references to using keytabs with cron. I'll go down that
> route. Thank you.

I've had a similar situation recently and found that GSSProxy works
nicely for this purpose.

Since I found documentation to be a little scattered: GSSProxy in its
(ipa-)default configuration (on CentOS) looks for client keytabs in
'/var/lib/gssproxy/clients/$EUID.keytab'. Then, whenever a user accesses
a kerberized NFS mount, GSSProxy 'automagically' gets a ticket and saves
that in '/var/lib/gssproxy/clients/krb5cc_$EUID'. All while the keytab
and cache are both inaccessible to the user.

So in the simplest case:

# kinit $user
# ipa-getkeytab -p $user \
 -k /var/lib/gssproxy/clients/$(id -u $user).keytab

... and then just make sure gssproxy.service is started and the script
runs as that user, but don't bother with tickets.

I could not get this to work for system users, i.e. service principals
of the form 'apache/$hostname@$REALM', though. They are able to access
the share but I couldn't figure out how to properly map the username to
enable write access as well.

- Anton


[Freeipa-users] Free IPA trust based AD users are not prompted for smart card pin.

2017-07-27 Thread Frank Rey via FreeIPA-users
I have tried adding the certificate to default trust view and am still not
prompted for pin


-- Forwarded message --
From: "Frank Rey" 
Date: Jul 24, 2017 7:45 PM
Subject: Free IPA trust based AD users are not prompted for smart card pin.
To: "FreeIPA users list" 
Cc:

I cannot get smart card login to work for users from my AD trust on IPA
clients. The users have working smart card login on windows.
What should I look at? The IPA is version 4.4.0 on RHEL 7.3 and the main
test computer is RHEL 6.8. I have no issues getting it to work for IDM
users. I have the certificate attached to the user account in AD as its
usercertificate. I cannot find much info on how to troubleshoot certificates
for AD based users. ipa find-certs only shows certs for idm users.




[Freeipa-users] Re: replica-install --setup-ca fails

2017-07-27 Thread Mark Haney via FreeIPA-users
Heh. That's the EXACT SAME error I kept getting whether I ran the
install-ca from an existing replica, or when adding a CA while installing a
new replica. Glad I'm not the only one seeing such weird errors.

On Thu, Jul 27, 2017 at 12:28 PM, Petros Triantafyllidis via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

>
>
> On 07/27/2017 06:06 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
>
> On 07/27/2017 04:03 PM, Petros Triantafyllidis wrote:
>
>
>
> On 07/27/2017 04:17 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
>
> On 07/27/2017 11:34 AM, Petros Triantafyllidis via FreeIPA-users wrote:
>
> On 07/27/2017 11:13 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
>
> On 07/27/2017 09:17 AM, Petros Triantafyllidis via FreeIPA-users wrote:
>
> Hi all,
>I would appreciate any help on my attempt to promote an existing client
> to replica. After client installation, I added replica-to-be to ipaservers
> hostgroup and then run "replica-install --setup-ca" but unfortunately I end
> up with the errors below. Both master and client have
> ipa-server-4.4.0-14.el7.centos.7.x86_64
> Thanks in advance,
> Petros
>
> 
> _
> On replica-to-be:
>
> [...]
> Done configuring ipa-otpd.
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
> seconds
>[1/26]: creating certificate server user
>[2/26]: creating certificate server db
>[3/26]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 5 seconds elapsed
> Update succeeded
>
>[4/26]: creating installation admin user
>[5/26]: setting up certificate server
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
> CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned
> non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>[error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERRORCA
> configuration failed.
> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
> ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for more information
>
> 
> _
> /var/log/ipareplica-install.log
>
> [...]
> Import complete
> ---
> Imported certificates in /etc/pki/pki-tomcat/alias:
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca u,u,u
> subsystemCert cert-pki-ca u,u,u
> caSigningCert cert-pki-ca CTu,Cu,Cu
> auditSigningCert cert-pki-ca u,u,Pu
>
> Installation failed:
>
>
> Please check the CA logs in /var/log/pki/pki-tomcat/ca.
>
> 2017-07-27T06:57:54Z DEBUG stderr=
> 2017-07-27T06:57:54Z CRITICAL Failed to configure CA instance: Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned non-zero exit status
> 1
> 2017-07-27T06:57:54Z CRITICAL See the installation logs and the following
> files/directories for more information:
> 2017-07-27T06:57:54Z CRITICAL   /var/log/pki/pki-tomcat
> 2017-07-27T06:57:54Z DEBUG Traceback (most recent call last):
>File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 449, in start_creation
>  run_step(full_msg, method)
>File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 439, in run_step
>  method()
>File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 586, in __spawn_instance
>  DogtagInstance.spawn_instance(self, cfg_file)
>File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 181, in spawn_instance
>  self.handle_setup_error(e)
>File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 420, in handle_setup_error
>  raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> 2017-07-27T06:57:54Z DEBUG   [error] RuntimeError: CA configuration
> failed.
> 2017-07-27T06:57:54Z DEBUG   File "/usr/lib/python2.7/site-
> packages/ipapython/admintool.py", line 171, in execute
>  return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
> 318, in run
>  cfgr.run()
>File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 310, in run
>  self.execute()
>File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 332, in execute
>  for nothing in self._executor():
>File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> 

[Freeipa-users] Re: replica-install --setup-ca fails

2017-07-27 Thread Florence Blanc-Renaud via FreeIPA-users


[Freeipa-users] Re: replica-install --setup-ca fails

2017-07-27 Thread Petros Triantafyllidis via FreeIPA-users




[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-07-27 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 27, 2017 at 02:19:38PM +, pgb205 via FreeIPA-users wrote:
> Jakub, yes we do have a one way trust between AD->FreeIPA. That explains why
> krb5.conf is used instead of the sssd.conf _srv_ to retrieve DNS records.
> Can you also please comment on why I'm only getting lookups on the first two
> kdc's listed in krb5.conf?

I'm really not sure. I would say the same what Sumit did in his reply
(and he actually tested his setup) and same as Sumit, I'm not aware of
any limits.

It would be nice to illustrate the problems you are seeing with logs.


[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-07-27 Thread pgb205 via FreeIPA-users
Jakub, yes we do have a one way trust between AD->FreeIPA. That explains why
krb5.conf is used instead of the sssd.conf _srv_ to retrieve DNS records.
Can you also please comment on why I'm only getting lookups on the first two
kdc's listed in krb5.conf?
Thank you so much, and I'm bookmarking your blog.

Date: Thu, 27 Jul 2017 10:01:11 +0200
From: Jakub Hrozek 
Subject: [Freeipa-users] Re: Krb5.conf only sees first two kdc servers
To: freeipa-users@lists.fedorahosted.org
Message-ID: <20170727080111.ekj3mqbuilkrlxpa@hendrix>
Content-Type: text/plain; charset=iso-8859-1

On Thu, Jul 27, 2017 at 02:15:33AM +, Michael Papet via FreeIPA-users wrote:
> >If the _srv_ is enabled then am I correct in assuming that we wouldn't even
> >need kdc= records in krb5.conf ??
> >I tried removing kdc= lines and was unable
> >to authenticate.
> In my experience, sssd relies upon the local kerberos stack. Maybe others
> have different experiences.
> mpapet

This really depends on what domain the user is authenticating from.

If the user comes from the joined domain, then currently sssd resolves
the KDC on its own and puts the address of the KDC server into the list
of KDC addresses known by libkrb5 via a locator plugin:
    
https://jhrozek.wordpress.com/2014/11/04/how-does-sssd-interact-with-tools-like-kinit/

But for users from trusted domains (typically when talking about IPA-AD
trusts), this is currently not done and sssd just calls a kinit
equivalent and pretty much relies on what is already configured in
krb5.conf.



[Freeipa-users] Re: replica-install --setup-ca fails

2017-07-27 Thread Florence Blanc-Renaud via FreeIPA-users


[Freeipa-users] Re: Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

2017-07-27 Thread Prasun Gera via FreeIPA-users
Sorry about this rather long thread, and I appreciate all the help. After
adding the new ca, the new tracking requests show the status as
"CA_WORKING" instead of "MONITORING".

For example, the replica shows this for one of the requests:
Request ID '20170727122353':
status: CA_WORKING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=ORG.EDU
subject: CN=Certificate Authority,O=ORG.EDU
expires: 2035-04-08 17:34:47 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
auto-renew: yes

Same status for subsystemCert cert-pki-ca. However, ipaCert shows
MONITORING, and it is also tracked by dogtag-ipa-ca-renew-agent. There are
still a few more left that I need to add. Is this status normal?


On Mon, Jul 24, 2017 at 6:19 AM, Florence Blanc-Renaud 
wrote:

> On 07/23/2017 01:29 AM, Prasun Gera via FreeIPA-users wrote:
>
>> I tried to replicate every one of those on the replica, but I've hit a
>> snag. The following CA only exists on the master, but not on the replica:
>>
>> CA 'dogtag-ipa-ca-renew-agent':
>> is-default: no
>> ca-type: EXTERNAL
>> helper-location: /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
>>
>> I didn't notice that there were two different
>> CAs, dogtag-ipa-renew-agent and dogtag-ipa-ca-renew-agent; the former is
>> there on the replica. I seem to have accidentally assigned
>> dogtag-ipa-renew-agent to ipaCert on the replica. It didn't show any
>> errors, and seems to be monitoring. I stopped creating the monitoring
>> requests once I realized this. How do I fix this ?
>>
>> Hi,
>
> you need first to add the CA on the replica with getcert add-ca:
> $ sudo getcert add-ca -c dogtag-ipa-ca-renew-agent -e
> /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
>
> Then fix the CA used to renew ipaCert:
> - stop tracking with dogtag-ipa-renew-agent
> $ sudo getcert stop-tracking -i 
>
> - start tracking with dogtag-ipa-ca-renew-agent using getcert
> start-tracking + the same options as you did except for the -c
> dogtag-ipa-ca-renew-agent
>
> HTH,
> Flo
>
>
>
>> On Wed, Jul 19, 2017 at 6:23 AM, Fraser Tweedale > > wrote:
>>
>> On Wed, Jul 19, 2017 at 05:31:20AM -0400, Prasun Gera wrote:
>> > Thank you, Fraser. That works. I also added the post-script command
>> > "/usr/libexec/ipa/certmonger/restart_httpd". Upon comparing with
>> the
>> > master, there are quite a few certs that are tracked on the master,
>> and
>> > none on the replica. Do I need to do this same exercise for every
>> cert on
>> > the replica ? These are the nicknames of the certs that are tracked
>> on the
>> > master:
>> >
>> >- location='/etc/httpd/alias',nickname='Signing-Cert'
>> >- location='/etc/pki/pki-tomcat/alias',nickname='auditSigningC
>> ert
>> >cert-pki-ca'
>> >- location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> >cert-pki-ca'
>> >- location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> >cert-pki-ca'
>> >- location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>> >cert-pki-ca'
>> >- location='/etc/httpd/alias',nickname='ipaCert'
>> >- location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>> cert-pki-ca'
>> >- location='/etc/dirsrv/slapd-ORG',nickname='Server-Cert'
>> >- location='/etc/httpd/alias',nickname='Server-Cert'
>> >
>> Strongly advised to track these with equivalent parameters to what
>> you find on the master.
>>
>> Cheers,
>> Fraser
>>
>> >
>> > On Mon, Jul 17, 2017 at 8:58 PM, Fraser Tweedale <
>> ftwee...@redhat.com >
>> > wrote:
>> >
>> > > On Mon, Jul 17, 2017 at 02:06:36PM -0400, Prasun Gera wrote:
>> > > > Hi Fraser,
>> > > > I ran that command on the replica (which is where it needs to
>> be run,
>> > > right
>> > > > ? ), and it finished without any error. However, when I called
>> > > ipa-getcert
>> > > > list, it shows an error:
>> > > >
>> > > > Request ID '20170717180008':
>> > > > status: MONITORING
>> > > > * ca-error: Unable to determine principal name for signing
>> request.*
>> > > > stuck: no
>> > > > key pair storage:
>> > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert
>> ',token='NSS
>> > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > > > certificate:
>> > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert

[Freeipa-users] Re: Cronjob requesting krb tickets

2017-07-27 Thread Christian Heimes via FreeIPA-users
On 2017-07-27 12:17, Darac Marjal via FreeIPA-users wrote:
> Hi all,
> 
> I'm fairly new to FreeIPA, but I'm using it to sort out single-sign-on
> on a few computers on my small network.
> 
> So far, I've managed to set up automounting of krb5i-protected shares
> on my NAS. I can see that, when I log in, a kerberos ticket is arranged
> and then that is used to authenticate to the NFS server.
> 
> What I'm now wondering about is how things work with cron. I would like
> to leave some of my machines unattended, but still have them run cron
> jobs that access the NFS filesystems.
> 
> Is this a non-problem (i.e. is cron going to be able to access my files
> without interaction, in the same way that it would on a regular system?)
> Or do I need to arrange something beforehand to allow cron access (I've
> seen various references to S4U2Proxy, to creating a "user/cron@REALM"
> user and mapping that to just "user@REALM" and also to simply running
> kinit before each job.)
> 
> Pointers to documentation would be useful.
> 
> For reference, I'm running FreeIPA on Fedora 25, but my client machines
> are typically Debian 9.

You don't have to resort to a cron job to request and refresh a TGT.
It's much simpler to use a keytab for your service and let Kerberos
acquire a TGT automatically. You can either place the keytab in a
special location, set the env var KRB5_CLIENT_KTNAME or use GSSProxy to
handle the keytab for you. With a client keytab, you don't have to call
kinit at all.

Christian

-- 
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander



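The client-keytab approach Christian describes, as an added example that is not part of the thread and not FreeIPA, sssd or MIT krb5 code: a small POSIX sh wrapper that refuses to run a job unless the keytab is owned by the job's user and carries no group/other permission bits, then runs the job with KRB5_CLIENT_KTNAME pointing at it. The keytab path /etc/krb5/jobs/backup.keytab, the job name and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): run an unattended job with a client
# keytab instead of a kinit in cron. Paths are assumptions for illustration.

# Sanity-check a client keytab before handing it to a job: it must exist,
# be owned by the user running the job, and carry no group/other permission
# bits (anyone who can read the keytab can obtain tickets as that principal).
# Prints the reason on stderr and returns 1 on the first failed check.
check_client_keytab() {
    kt="$1"
    [ -f "$kt" ] || { echo "keytab not found: $kt" >&2; return 1; }
    # stat -c is GNU/busybox syntax; on BSD use stat -f '%u' and '%Lp'
    owner=$(stat -c '%u' "$kt") || return 1
    mode=$(stat -c '%a' "$kt") || return 1
    [ "$owner" = "$(id -u)" ] || {
        echo "keytab $kt is owned by uid $owner, not $(id -u)" >&2; return 1; }
    case "$mode" in
        *00) ;;   # last two octal digits 00: no group/other bits set
        *) echo "keytab $kt is group/world accessible (mode $mode)" >&2; return 1 ;;
    esac
    return 0
}

# Run COMMAND with KRB5_CLIENT_KTNAME pointing at the keytab. libkrb5 then
# obtains a TGT for the keytab's principal on the first GSSAPI use (the NFS
# access in the question, for instance) and refreshes it as needed, so the
# job never calls kinit.
# usage: run_with_client_keytab KEYTAB COMMAND [ARGS...]
run_with_client_keytab() {
    kt="$1"; shift
    check_client_keytab "$kt" || return 1
    KRB5_CLIENT_KTNAME="$kt" "$@"
}

# The same idea as a crontab entry (assumed paths). Vixie-style cron applies
# the variable assignment to every job listed after it:
#   KRB5_CLIENT_KTNAME=/etc/krb5/jobs/backup.keytab
#   0 2 * * *  /usr/local/bin/nightly-backup
```

The permission check is the part worth keeping even if you use the default client keytab location instead of the variable: that location is the `default_client_keytab_name` setting in the `[libdefaults]` section of krb5.conf, and setting KRB5_CLIENT_KTNAME explicitly avoids having to know each distribution's compiled-in default. `klist -k -t /path/to/keytab` shows which principal and key versions a keytab holds, which is the first thing to compare against the KDC when the job starts failing after a key rotation.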


[Freeipa-users] Cronjob requesting krb tickets

2017-07-27 Thread Darac Marjal via FreeIPA-users

Hi all,

I'm fairly new to FreeIPA, but I'm using it to sort out single-sign-on
on a few computers on my small network.

So far, I've managed to set up automounting of krb5i-protected shares
on my NAS. I can see that, when I log in, a Kerberos ticket is arranged
and then that is used to authenticate to the NFS server.

What I'm now wondering about is how things work with cron. I would like
to leave some of my machines unattended, but still have them run cron
jobs that access the NFS filesystems.

Is this a non-problem (i.e. is cron going to be able to access my files
without interaction, in the same way that it would on a regular system?)
Or do I need to arrange something beforehand to allow cron access (I've
seen various references to S4U2Proxy, to creating a "user/cron@REALM"
user and mapping that to just "user@REALM" and also to simply running
kinit before each job.)

Pointers to documentation would be useful.

For reference, I'm running FreeIPA on Fedora 25, but my client machines
are typically Debian 9.

Many thanks.

--
For more information, please reread.




[Freeipa-users] Re: replica-install --setup-ca fails

2017-07-27 Thread Florence Blanc-Renaud via FreeIPA-users

On 07/27/2017 09:17 AM, Petros Triantafyllidis via FreeIPA-users wrote:

Hi all,
   I would appreciate any help on my attempt to promote an existing 
client to replica. After client installation, I added replica-to-be to 
ipaservers hostgroup and then run "replica-install --setup-ca" but 
unfortunately I end up with the errors below. Both master and client 
have ipa-server-4.4.0-14.el7.centos.7.x86_64

Thanks in advance,
Petros

_
On replica-to-be:

[...]
Done configuring ipa-otpd.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 
30 seconds

   [1/26]: creating certificate server user
   [2/26]: creating certificate server db
   [3/26]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

   [4/26]: creating installation admin user
   [5/26]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to 
configure CA instance: Command '/usr/sbin/pkispawn -s CA -f 
/tmp/tmp6Q_ZLY' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the 
installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   
/var/log/pki/pki-tomcat

   [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA 
configuration failed.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The 
ipa-replica-install command failed. See /var/log/ipareplica-install.log 
for more information


_ 
/var/log/ipareplica-install.log


[...]
Import complete
---
Imported certificates in /etc/pki/pki-tomcat/alias:

Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                     u,u,u
subsystemCert cert-pki-ca                       u,u,u
caSigningCert cert-pki-ca                       CTu,Cu,Cu
auditSigningCert cert-pki-ca                    u,u,Pu

Installation failed:


Please check the CA logs in /var/log/pki/pki-tomcat/ca.

2017-07-27T06:57:54Z DEBUG stderr=
2017-07-27T06:57:54Z CRITICAL Failed to configure CA instance: Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned non-zero exit status 1
2017-07-27T06:57:54Z CRITICAL See the installation logs and the 
following files/directories for more information:

2017-07-27T06:57:54Z CRITICAL   /var/log/pki/pki-tomcat
2017-07-27T06:57:54Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 586, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2017-07-27T06:57:54Z DEBUG   [error] RuntimeError: CA configuration failed.
2017-07-27T06:57:54Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File 

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-07-27 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 27, 2017 at 02:34:06AM -0400, Alexandre Pitre via FreeIPA-users 
wrote:
> I uploaded krb5_child.log and ldap_child.log to
> https://1drv.ms/f/s!AlZwwyQE2ZZ5p2b5ROa15PBkAEQD

I think the child just times out during TGT validation, see:
(Thu Jul 27 06:01:20 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135280.837647: Sending request (2132 bytes) to AD.COM
(Thu Jul 27 06:01:20 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135280.838622: Resolving hostname RO1-INF-ADS-002.ad.com.
(Thu Jul 27 06:01:20 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135280.839154: Sending initial UDP request to dgram 10.248.40.11:88
(Thu Jul 27 06:01:21 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135281.840215: Resolving hostname ns1-inf-ads-001.ad.com.
(Thu Jul 27 06:01:21 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135281.841223: Sending initial UDP request to dgram 10.3.200.10:88
(Thu Jul 27 06:01:22 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135282.842291: Resolving hostname inf-p-sy2-ad-01.ad.com.
(Thu Jul 27 06:01:22 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135282.843245: Sending initial UDP request to dgram 192.168.1.10:88
(Thu Jul 27 06:01:23 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135283.844311: Resolving hostname inf-p-sy2-ad-02.ad.com.
(Thu Jul 27 06:01:23 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135283.845251: Sending initial UDP request to dgram 192.168.1.11:88
(Thu Jul 27 06:01:24 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135284.846318: Resolving hostname RO1-INF-ADS-001.ad.com.
(Thu Jul 27 06:01:24 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135284.847243: Sending initial UDP request to dgram 10.248.40.10:88
(Thu Jul 27 06:01:25 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135285.848311: Resolving hostname ns1-inf-ads-002.ad.com.
(Thu Jul 27 06:01:25 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135285.849256: Sending initial UDP request to dgram 10.3.200.11:88

(This is the last message from PID 2765, so it was probably killed)

If the servers are reachable you can just increase the krb5_child timeout
in sssd.conf.
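To see how close the KDC walk in that trace comes to a fixed child timeout, here is an added shell/awk example; it is not from the thread and not sssd code. It assumes the timeout Jakub refers to is sssd's `krb5_auth_timeout` (6 seconds by default according to the sssd-krb5 manual), that the KDC still being waited on when the trace stops costs about the average gap between attempts, and it embeds the trace lines quoted above as a constructed sample with the wrapped lines joined.

```shell
#!/bin/sh
# Added example (not from the thread, not sssd code): measure the KDC walk
# recorded in a krb5_child trace and compare it with the sssd timeout.

# Constructed sample: the trace lines from the reply above, wrapped lines
# joined. Only the first request and the six UDP attempts are kept; that is
# enough to recover the elapsed time and the number of KDCs tried.
sample_trace() {
    cat <<'EOF'
(Thu Jul 27 06:01:20 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135280.837647: Sending request (2132 bytes) to AD.COM
(Thu Jul 27 06:01:20 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135280.839154: Sending initial UDP request to dgram 10.248.40.11:88
(Thu Jul 27 06:01:21 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135281.841223: Sending initial UDP request to dgram 10.3.200.10:88
(Thu Jul 27 06:01:22 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135282.843245: Sending initial UDP request to dgram 192.168.1.10:88
(Thu Jul 27 06:01:23 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135283.845251: Sending initial UDP request to dgram 192.168.1.11:88
(Thu Jul 27 06:01:24 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135284.847243: Sending initial UDP request to dgram 10.248.40.10:88
(Thu Jul 27 06:01:25 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135285.849256: Sending initial UDP request to dgram 10.3.200.11:88
EOF
}

# Print "kdcs=N elapsed=S": N UDP attempts (one per KDC address tried) and
# S seconds between the first and last libkrb5 trace timestamp, which is
# the "[pid] epoch.micros:" field that KRB5_TRACE output carries.
trace_summary() {
    awk '
        /Sending initial UDP request to dgram/ { kdcs++ }
        match($0, /\[[0-9]+\] [0-9]+\.[0-9]+:/) {
            ts = substr($0, RSTART, RLENGTH)
            sub(/^\[[0-9]+\] /, "", ts)
            sub(/:$/, "", ts)
            if (first == "") first = ts
            last = ts
        }
        END { printf "kdcs=%d elapsed=%.2f\n", kdcs, last - first }
    ' "$1"
}

# Return 0 (true) when the walk is about to exceed TIMEOUT seconds.
# Heuristic (assumption): the last attempt is still waiting when the trace
# stops, so charge it one more interval, the average gap between attempts.
# usage: walk_exceeds_timeout FILE TIMEOUT_SECONDS
walk_exceeds_timeout() {
    trace_summary "$1" | awk -v timeout="$2" '{
        split($1, a, "="); split($2, b, "=")
        kdcs = a[2] + 0; elapsed = b[2] + 0
        interval = (kdcs > 1) ? elapsed / (kdcs - 1) : elapsed
        exit ((elapsed + interval) >= timeout) ? 0 : 1
    }'
}
```

On the sample, `trace_summary` reports `kdcs=6 elapsed=5.01`: six KDC addresses, roughly one second apart, with no reply logged from any of them, so a 6-second budget runs out before the last server can answer, which matches Jakub's reading that the child was killed. Raising the timeout buys time; the same output also tells you which KDC addresses never answered, which is the reachability question Jakub raises and the thing to fix if the list is simply stale.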


[Freeipa-users] replica-install --setup-ca fails

2017-07-27 Thread Petros Triantafyllidis via FreeIPA-users

Hi all,
  I would appreciate any help on my attempt to promote an existing 
client to replica. After client installation, I added replica-to-be to 
ipaservers hostgroup and then run "replica-install --setup-ca" but 
unfortunately I end up with the errors below. Both master and client 
have ipa-server-4.4.0-14.el7.centos.7.x86_64

Thanks in advance,
Petros

_
On replica-to-be:

[...]
Done configuring ipa-otpd.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 
30 seconds

  [1/26]: creating certificate server user
  [2/26]: creating certificate server db
  [3/26]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [4/26]: creating installation admin user
  [5/26]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to 
configure CA instance: Command '/usr/sbin/pkispawn -s CA -f 
/tmp/tmp6Q_ZLY' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the 
installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   
/var/log/pki/pki-tomcat

  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA 
configuration failed.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The 
ipa-replica-install command failed. See /var/log/ipareplica-install.log 
for more information


_ 
/var/log/ipareplica-install.log


[...]
Import complete
---
Imported certificates in /etc/pki/pki-tomcat/alias:

Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                     u,u,u
subsystemCert cert-pki-ca                       u,u,u
caSigningCert cert-pki-ca                       CTu,Cu,Cu
auditSigningCert cert-pki-ca                    u,u,Pu

Installation failed:


Please check the CA logs in /var/log/pki/pki-tomcat/ca.

2017-07-27T06:57:54Z DEBUG stderr=
2017-07-27T06:57:54Z CRITICAL Failed to configure CA instance: Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned non-zero exit status 1
2017-07-27T06:57:54Z CRITICAL See the installation logs and the 
following files/directories for more information:

2017-07-27T06:57:54Z CRITICAL   /var/log/pki/pki-tomcat
2017-07-27T06:57:54Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 586, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2017-07-27T06:57:54Z DEBUG   [error] RuntimeError: CA configuration failed.
2017-07-27T06:57:54Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File