[Freeipa-users] Re: ca/agent/ca/displayBySerial': (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

2018-04-03 Thread amitj1jan--- via FreeIPA-users
By PROD/DR, I meant Production/Disaster Recovery environment.
And yes, there are two IPA servers in both the PROD and DR environments.

Also, I came across the fact that while in PROD SSL was implemented using
self-signed certs (where things are working), in the DR environment CA-signed certs
were used later for the SSL implementation.

Is there a chance something went wrong in the SSL implementation (using CA-signed
certs), resulting in this issue?

What can we do to resolve this issue?

We were thinking of two options, if the above is true:
a. A possible workaround, if there is one, to fix this
b. Or, if "a" is not possible, revert to self-signed certs for SSL

What do you suggest?
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: ca/agent/ca/displayBySerial': (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

2018-04-03 Thread Rob Crittenden via FreeIPA-users
amitj1jan--- via FreeIPA-users wrote:
> By PROD/DR, I meant Production/Disaster Recovery environment.
> And yes, there are two IPA servers in both the PROD and DR environments.
> 
> Also, I came across the fact that while in PROD SSL was implemented using
> self-signed certs (where things are working), in the DR environment CA-signed certs
> were used later for the SSL implementation.
> 
> Is there a chance something went wrong in the SSL implementation (using CA-signed
> certs), resulting in this issue?
> 
> What can we do to resolve this issue?
> 
> We were thinking of two options, if the above is true:
> a. A possible workaround, if there is one, to fix this
> b. Or, if "a" is not possible, revert to self-signed certs for SSL
> 
> What do you suggest?

I need more information on your environment. Are PROD and DR completely
separately installed IPA environments or do you just treat them as separate?

From your original e-mail (completely stripped out of your response) it
looked like the reverse of what you just said. PROD was using an IPA CA
and DR was using self-signed certs.

The underlying reason for the error is that on DR the NSS database was
replaced with a new one containing only self-signed certs. When a host
or service with a cert is deleted and a CA is configured IPA will
attempt to revoke the cert. This is where it is failing for you, because
ipaCert (the RA agent cert used to talk to dogtag) is completely missing.

rob


[Freeipa-users] FreeIPA Certs for Chromebooks CMC,SCEP and extensions

2018-04-03 Thread David Harvey via FreeIPA-users
Hi FreeIPA users,

As briefly mentioned in "[Freeipa-users] FreeIPA PKI with OpenVPN",

I'm looking into using FreeIPA and Dogtag to provide network certs for
Chromebooks (from reading so far it looks like I'll need to use SCEP or CMC
- the latter being preferred).
Has anyone achieved this, or can anyone offer any pointers to either the
server or client/extension side hurdles?

Kind regards,

David


[Freeipa-users] NTP

2018-04-03 Thread Andrew Meyer via FreeIPA-users
I need some clarification on this.  I have my FreeIPA server in talking.  NTP
is working.  However, some servers are getting NTP drift.  If I go into
/etc/ntp.conf I see that FreeIPA adds servers at the bottom of the
file:

### Added by IPA Installer ###
server 127.127.1.0 iburst
fudge 127.127.1.0 stratum 10
server 1.2.3.4   # added by /sbin/dhclient-script
server 5.6.7.8   # added by /sbin/dhclient-script
server 9.0.1.2   # added by /sbin/dhclient-script
server 3.4.5.6   # added by /sbin/dhclient-script
[centos@freeipa03 ~]$

But under the public servers at the top, should I leave the CentOS public
NTP servers?  Should I add the FreeIPA servers?


[Freeipa-users] Re: FreeIPA Certs for Chromebooks CMC,SCEP and extensions

2018-04-03 Thread Rob Crittenden via FreeIPA-users
David Harvey via FreeIPA-users wrote:
> Hi FreeIPA users,
> 
> As briefly mentioned in "[Freeipa-users] FreeIPA PKI with OpenVPN",
> 
> I'm looking into using FreeIPA and Dogtag to provide network certs for
> Chromebooks (from reading so far it looks like I'll need to use SCEP or
> CMC - the latter being preferred).
> Has anyone achieved this, or can anyone offer any pointers to either the
> server or client/extension side hurdles?

IPA doesn't provide direct support itself, but its CA is dogtag. You
probably will need to check with the dogtag folks for more details (they
sometimes lurk on the list, so maybe one will chime in).

dogtag supports SCEP for sure, http://www.dogtagpki.org/wiki/SCEP

You just won't get IPA integration this way: issued certs won't be
automatically added to services/hosts/users, won't be revoked on
removal, etc.

The way I've done SCEP with dogtag is create a username/pin on the
dogtag side and do SCEP enrollment using that.

rob


[Freeipa-users] Re: FreeIPA Certs for Chromebooks CMC,SCEP and extensions

2018-04-03 Thread David Harvey via FreeIPA-users
Awesome, thanks for the info Rob. I will check out your method. It looks
like it (Dogtag) has some improving CMC support too, so I will have a dig.



[Freeipa-users] Re: NTP

2018-04-03 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer via FreeIPA-users wrote:
> I need some clarification on this.  I have my FreeIPA server in
> talking.  NTP is working.  However, some servers are getting NTP drift.
> If I go into /etc/ntp.conf I see that FreeIPA adds servers
> at the bottom of the file.
> 
> ### Added by IPA Installer ###
> server 127.127.1.0 iburst
> fudge 127.127.1.0 stratum 10
> server 1.2.3.4   # added by /sbin/dhclient-script
> server 5.6.7.8   # added by /sbin/dhclient-script
> server 9.0.1.2   # added by /sbin/dhclient-script
> server 3.4.5.6   # added by /sbin/dhclient-script
> [centos@freeipa03 ~]$
> 
> But under the public servers at the top, should I leave the CentOS
> public NTP servers?  Should I add the FreeIPA servers?

The theory for making IPA an NTP server was that even if time was off on
the IPA master it would be sharing its same incorrect time with all its
clients so they would all be in the same time universe and things would
continue to work.

It wouldn't hurt if you re-ordered things (I think). Just keep an eye on
it for a while.

Is this real hardware or VMs? In the past (like many moons ago) one
particular VM tech was particularly bad at time keeping so extra work
was needed on the VM host to ensure its RTC was passed into the VMs.

I wonder if connectivity to the centos pool is a problem, or if a VM, it
has bad timing.

rob


[Freeipa-users] Re: NTP

2018-04-03 Thread Andrew Meyer via FreeIPA-users
This is a mix of VMware VMs and AWS instances.  All CentOS 7.



[Freeipa-users] Re: NTP

2018-04-03 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer wrote:
> This is a mix of VMware VMs an AWS instances.  All CentOS 7.

It was VMware that had the poor time keeping but this was 7 or 8 years
ago in the Fedora 11/12 time period. I'd find it hard to believe the
same time problems exist today but some googling might turn up something
for you.

rob



[Freeipa-users] Re: NTP

2018-04-03 Thread Andrew Meyer via FreeIPA-users
Thank you sir.  I'll mix up the order of public ntp servers and see what 
happens. 



[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable

2018-04-03 Thread lejeczek via FreeIPA-users



On 29/03/18 12:43, Florence Blanc-Renaud wrote:
> On 03/28/2018 12:42 PM, lejeczek via FreeIPA-users wrote:
>> hi guys,
>>
>> I fail to troubleshoot this here:
>>
>> $ ipactl start --ignore-service-failures
>> Starting Directory Service
>> Starting krb5kdc Service
>> Starting kadmin Service
>> Starting named Service
>> Starting httpd Service
>> Starting ipa-custodia Service
>> Starting ntpd Service
>> Starting pki-tomcatd Service
>> Failed to start pki-tomcatd Service
>> Forced start, ignoring pki-tomcatd Service, continuing normal operation
>
> Hi,
>
> pki-tomcatd may fail to start when the subsystemCert cert-pki-ca did not
> properly get renewed. Please find more information in this blog:
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>
> Flo
>
>> Starting ipa-otpd Service
>> Starting ipa-dnskeysyncd Service
>> ipa: INFO: The ipactl command was successful
>>
>> logs in /var/log/pki/pki-tomcat:
>> localhost.2018-03-28.log
>> ...
>> Mar 28, 2018 11:35:14 AM org.apache.catalina.core.StandardHostValve invoke
>> SEVERE: Exception Processing /ca/admin/ca/getStatus
>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>>     at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>     at java.lang.Thread.run(Thread.java:748)
>>
>> in catalina.2018-03-28.log:
>> ...
>> Mar 28, 2018 11:41:35 AM org.apache.catalina.core.ContainerBase backgroundProcess
>> WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@1e572093 background process
>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>>     at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>>     at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>>     at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>>     at java.lang.Thread.run(Thread.java:748)
>>
>> Would you be able to conclude anything from those errors? What might be a problem?
>>
>> many thanks, L.




I have followed those instructions from the link and it 
seems that both certutil & ldap have the same certificate.

However I also see:

$ sudo journalctl -lf -o cat -u dirsrv@
...
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 2
[03/Apr/2018:19:30:53.962565693 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
[03/Apr/2018:19:30:53.965606137 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)

GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 1
..

and in /var/log/pki/pki-tomcat/ca/debug

[03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host rider.pri
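An added example, not code from the thread or from dogtag: a Python parser for the `/var/log/pki/pki-tomcat/ca/debug` excerpt above that lists which client-cert candidates the selection callback saw and what it returned, then flags the failure mode Florence points at, where subsystemCert cert-pki-ca (the cert dogtag presents when it binds to LDAP) never appears among the candidates and the callback returns null. The failing log is the excerpt from the message; the healthy one is constructed for contrast.

```python
import re
from typing import Any, Dict, List, Optional

# One line of /var/log/pki/pki-tomcat/ca/debug: "[timestamp][thread]: message"
_DEBUG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
_CANDIDATE = re.compile(r"^Candidate cert: (?P<nick>.+)$")
_RETURNING = re.compile(r"^SSLClientCertificateSelectionCB: returning: (?P<nick>.+)$")


def summarize_client_cert_selection(log: str) -> Dict[str, Any]:
    """Collect the client-cert nicknames dogtag considered and the one its callback chose.

    The excerpt is treated as one selection round (one "Entering!" ... "returning:" pair).
    """
    candidates: List[str] = []
    chosen: Optional[str] = None
    handshake = False
    for raw in log.splitlines():
        m = _DEBUG_LINE.match(raw.strip())
        if not m:
            continue  # lines without the [ts][thread] prefix, e.g. "Could not connect ..."
        msg = m.group("msg")
        cand = _CANDIDATE.match(msg)
        if cand:
            candidates.append(cand.group("nick").strip())
            continue
        ret = _RETURNING.match(msg)
        if ret:
            nick = ret.group("nick").strip()
            chosen = None if nick == "null" else nick
            continue
        if msg.startswith("SSL handshake happened"):
            handshake = True
    return {"candidates": candidates, "chosen": chosen, "handshake": handshake}


def diagnose(summary: Dict[str, Any], expected_nick: str = "subsystemCert cert-pki-ca") -> List[str]:
    """Flag the thread's failure mode: the LDAP client cert never enters the candidate list."""
    findings: List[str] = []
    if expected_nick not in summary["candidates"]:
        findings.append("%s was never offered: check that the NSS DB and LDAP hold the same,"
                        " unexpired cert under that nickname" % expected_nick)
    if summary["chosen"] is None:
        findings.append("selection callback returned null, so dogtag presents no client cert"
                        " to LDAP and the connection to the LDAP server fails")
    return findings


# Excerpt from the message above, copied as it appears there.
FAILING_DEBUG_LOG = """\
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host rider.pri
"""

# Constructed contrast: the same round on a CA whose subsystem cert is present and selected.
HEALTHY_DEBUG_LOG = """\
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSL handshake happened
"""

if __name__ == "__main__":
    for name, log in (("failing", FAILING_DEBUG_LOG), ("healthy", HEALTHY_DEBUG_LOG)):
        summary = summarize_client_cert_selection(log)
        print(name, summary["candidates"], "->", summary["chosen"], diagnose(summary) or "OK")
```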

[Freeipa-users] ipa: ERROR: No valid Negotiate header in server response

2018-04-03 Thread Zarko Dudic via FreeIPA-users

Hi there,

Seems I have to kinit every time in order to run the ipa command, as a quick
fix!?


The client is ipa-client-4.5.0-22.0.1.el7_4.x86_64
Servers are ipa-server-4.4.0-12.0.1.el7.x86_64

This has started recently and I am not able to track any changes that 
could cause this. This happens:


# kinit
# ipa -d -vv user-find  bob

- I get good results. Then I run the same command again.

# ipa -d -vv user-find  bob

ipa: DEBUG: New HTTP connection (ldap03.pls.com)
ipa: DEBUG: HTTP connection destroyed (ldap03.pls.com)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 697, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 657, in _auth_complete
    message=u"No valid Negotiate header in server response")
KerberosError: No valid Negotiate header in server response
ipa: ERROR: No valid Negotiate header in server response

[can provide more info if needed].


The kinit allows only the next run to be successful.
I notice that the problem occurs only with ldap03; ldap03 is called when
running ipa for the second time. And after kinit, other servers are
queried, not ldap03, hence no issue.
Another longer-term 'fix' is in /etc/hosts, assigning the IP (of another
server) to ldap03, basically "avoiding" ldap03.


Any idea for troubleshooting is appreciated. Thanks in advance!


--
Thanks,
Zarko


[Freeipa-users] Re: Third Party SSL for HTTP and Certmonger SSL for LDAP

2018-04-03 Thread Alka Murali via FreeIPA-users
Hi Rob,

I am planning to revert my existing third-party SSL certs for the HTTP and LDAP
services back to CertMonger certs. Is there any way to revert the certs back
to CertMonger certs?

Awaiting your response.

On Tue, Apr 3, 2018 at 9:56 AM, Alka Murali 
wrote:

> Hi Rob,
>
> Thanks for your reply.
>
> >> Sure. We'd need to know what version of IPA you have.
>
> My FreeIPA Server is running on Version 4.4
>
> Here is the result of the command "getcert list -d
> /etc/dirsrv/slapd-YOUR-REALM -n Server-Cert" for my FreeIPA Server:
>
> -
>
> Number of certificates and requests being tracked: 7.
>
> Request ID '20170622062025':
>
> status: CA_UNCONFIGURED
>
> ca-error: Unable to determine principal name for signing request.
>
> stuck: yes
>
> key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-*-*-*',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-*-*-*/pwdfile.txt'
>
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-*-*-*',nickname='
> Server-Cert'
>
> CA: IPA
>
> issuer:
>
> subject:
>
> expires: unknown
>
> pre-save command:
>
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv *-*-*
>
> track: yes
>
> auto-renew: yes
> --
>
> Several months before, I have installed the third party SSL for HTTP/LDAP
> services using the link below:
>
> 
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> 
>
> Please let me know if there is any abnormality in the current SSL
> installation. Also kindly provide me the steps to use Third party SSL for
> HTTP and Certmonger cert for LDAP.
>
> On Mon, Apr 2, 2018 at 10:18 PM, Rob Crittenden 
> wrote:
>
>> Alka Murali via FreeIPA-users wrote:
>> > Hello Team,
>> >
>> > Right now, I am using third party SSL for both HTTP and LDAP services.
>> > However I would like to know if there is any way to use third party SSL
>> > for HTTP alone and certmonger SSL for LDAP services.
>>
>> Sure. We'd need to know what version of IPA you have. There may already
>> be a certmonger-tracked cert. To see if there is and the status run:
>>
>> # getcert list -d /etc/dirsrv/slapd-YOUR-REALM -n Server-Cert
>>
>> rob
>>
>
>
>
> --
> Regards,
> Alka Murali
>



-- 
Regards,
Alka Murali


[Freeipa-users] Re: ipa: ERROR: No valid Negotiate header in server response

2018-04-03 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 03 Apr 2018, Zarko Dudic via FreeIPA-users wrote:
> Hi there,
>
> Seems I have to kinit every time in order to run the ipa command, as a
> quick fix!?
>
> The client is ipa-client-4.5.0-22.0.1.el7_4.x86_64
> Servers are ipa-server-4.4.0-12.0.1.el7.x86_64
>
> This has started recently and I am not able to track any changes that
> could cause this. This happens:
>
> # kinit
> # ipa -d -vv user-find  bob
>
> - I get good results. Then I run the same command again.
>
> # ipa -d -vv user-find  bob
>
> ipa: DEBUG: New HTTP connection (ldap03.pls.com)
> ipa: DEBUG: HTTP connection destroyed (ldap03.pls.com)
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 697, in single_request
>     if not self._auth_complete(response):
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 657, in _auth_complete
>     message=u"No valid Negotiate header in server response")
> KerberosError: No valid Negotiate header in server response
> ipa: ERROR: No valid Negotiate header in server response
>
> [can provide more info if needed].
>
> The kinit allows only the next run to be successful.
> I notice that the problem occurs only with ldap03; ldap03 is called when
> running ipa for the second time. And after kinit, other servers are
> queried, not ldap03, hence no issue.
> Another longer-term 'fix' is in /etc/hosts, assigning the IP (of another
> server) to ldap03, basically "avoiding" ldap03.
>
> Any idea for troubleshooting is appreciated. Thanks in advance!

What gssproxy version do you have?
It looks like one of the issues with gssproxy we had recently, where a
race condition in gssproxy caused it to create a ccache with unreadable
keys.

You may want to try packages from
https://copr.fedorainfracloud.org/coprs/rharwood/gssproxy/ to test it.

IPA master needs a full reboot after applying the packages.

--
/ Alexander Bokovoy