[Freeipa-users] Re: Certificates for embeded devices and old equipment.

2020-03-17 Thread Rob Crittenden via FreeIPA-users
Kendrick . via FreeIPA-users wrote:
> Due to all that has been going on, it took a while to get back to this issue.  
> It was multiple things happening at the same time.  1) Firmware on one device 
> needed to be updated to accept certs properly.  
> 2) Unknown lockup issues; I rebuilt the VM from scratch to re-verify results 
> and it works fine now.  
> 3) Web interface stupidity, in that it does not give a proper error message.  
> After trying them in the console I got errors like host name does not match 
> or cert missing domain etc. After trying for some time I corrected all the 
> information in the consoles so they would build a proper cert and import it.  
> I was not getting proper errors from the console before so I suspect the 
> previous install had issues. 
> 
> The UI was useless for importing the CSR even when everything was correct. 
> The exported part was usable though. I am left with 1 device that I have 
> to generate everything for on a separate system and then import it; the 
> exact directions are "Uploaded certificates must be in OpenSSL PEM format 
> with an unencrypted private key."  I have not had a chance to poke at that 
> one yet and don't have much of an idea on how to do that properly. 

Still at a loss for what it is you're working on, where the errors are
coming from or what we can do to assist.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] add freeipa root cert to chrome on a non ipa client system.

2020-03-17 Thread Kendrick . via FreeIPA-users
I have a Manjaro desktop in the environment that I need to be able to access 
the freeipa based systems and not get cert errors everywhere. I will probably 
attempt to build the client on that system in the future but right now I just 
need the certs freeipa made to be valid.  

How does one go about exporting the root cert and then importing it in a way 
Chrome will accept its validity, or is that a matter of getting the enterprise 
tools to force it to work?


[Freeipa-users] Re: How to add options to api.Command of python ipalib module

2020-03-17 Thread Rob Crittenden via FreeIPA-users
Diadormu ZMJ via FreeIPA-users wrote:
> Thanks,
> 
> are --raw and other options used in the same way?

By data type, yes.

rob


[Freeipa-users] Re: Certificates for embeded devices and old equipment.

2020-03-17 Thread Kendrick . via FreeIPA-users
Due to all that has been going on, it took a while to get back to this issue.  
It was multiple things happening at the same time.  1) Firmware on one device 
needed to be updated to accept certs properly.  
2) Unknown lockup issues; I rebuilt the VM from scratch to re-verify results 
and it works fine now.  
3) Web interface stupidity, in that it does not give a proper error message.  
After trying them in the console I got errors like host name does not match or 
cert missing domain etc. After trying for some time I corrected all the 
information in the consoles so they would build a proper cert and import it.  I 
was not getting proper errors from the console before so I suspect the previous 
install had issues. 

The UI was useless for importing the CSR even when everything was correct. The 
exported part was usable though. I am left with 1 device that I have to 
generate everything for on a separate system and then import it; the exact 
directions are "Uploaded certificates must be in OpenSSL PEM format with an 
unencrypted private key."  I have not had a chance to poke at that one yet and 
don't have much of an idea on how to do that properly. 


[Freeipa-users] Re: How to add options to api.Command of python ipalib module

2020-03-17 Thread Diadormu ZMJ via FreeIPA-users
Thanks,

are --raw and other options used in the same way?


[Freeipa-users] Re: [Freeipa-devel] FreeIPA 4.8.5 released

2020-03-17 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 17 Mar 2020, Alexander Bokovoy via FreeIPA-devel wrote:

Hello!

The FreeIPA team would like to announce FreeIPA 4.8.5 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 30-32 versions will be available soon.


The delivery of Fedora builds is delayed as we found a bug in
selinux-policy package that prevents us from building FreeIPA in Rawhide.




== Highlights in 4.8.5 ==

- [8214] openDNSSEC 2.1 support

- [8221] AJP connector protection
 for Dogtag/FreeIPA communication for CVE-2020-1938 mitigation. Fedora
 and RHEL do not force encrypted AJP connector by default with 9.0.31
 but FreeIPA 4.8.5 will convert to encrypted AJP channel on upgrade or
 at a new deployment. Use of AJP is limited to localhost connections
 with integrated CA already.

- Default authentication indicators are now documented in FreeIPA
 workshop, 
https://github.com/freeipa/freeipa-workshop/blob/master/11-kerberos-ticket-policy.rst

- [6891] FreeIPA SELinux policy is now part of the upstream packaging
 and replaces distribution-wide policies.

- New internal mechanism to promote Trust Agents in 
 ipa-adtrust-install, to allow configuring schema compatibility plugin
 on remote replicas.

- [8124] New "ipa-cacert-manage delete" command to allow pruning a CA
 certificate from LDAP store

=== Enhancements ===

- Backup / restore tools now check whether packages for various optional
 IPA master features are installed before restore

- IPA CLI commands for DNS operations display additional attributes and
 handle optional parameters when a record is removed

- Additional checks for external CA certificate properties during
 installation

- Minor content improvements in ipa-client-samba's tool output

- Preliminary support for building with MIT Kerberos 1.18

- Increased test coverage in upstream test suite

- Ability to test multi-host scenarios in upstream CI using Azure
 Pipelines

=== Known Issues ===

=== Bug fixes ===
FreeIPA 4.8.5 is a stabilization release for the features delivered as a
part of 4.8.0 release series.

There are more than 50 bug-fixes details of which can be seen in
the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on the [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list 
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or #freeipa channel on Freenode.


== Resolved tickets ==
* [https://pagure.io/freeipa/issue/6891 #6891] Move FreeIPA SELinux policy from 
system policy to project policy
* [https://pagure.io/freeipa/issue/7522 #7522] Disable cert publishing in dogtag
* [https://pagure.io/freeipa/issue/7537 #7537] PR-CI: external_ca tests are 
hitting timeout
* [https://pagure.io/freeipa/issue/7600 #7600] Enable compat tree to provide 
information about AD users and groups on trust agents
* [https://pagure.io/freeipa/issue/7630 #7630] ipa-restore should check that 
optional feature packages are installed before restoring a backup using a 
feature
* [https://pagure.io/freeipa/issue/7744 #7744] ipa-replica-install picks wrong 
replica for CA initial replication
* [https://pagure.io/freeipa/issue/7830 #7830] FreeIPA installation fails with 
389-DS 1.4.0.20-1
* [https://pagure.io/freeipa/issue/7856 #7856] Nightly test failure in 
test_uninstallation.py::TestUninstallBase::()::test_failed_uninstall
* [https://pagure.io/freeipa/issue/7861 #7861] Make IPADiscovery available in 
PyPI packages
* [https://pagure.io/freeipa/issue/7909 #7909] Wrong evaluation of replication 
update status
* [https://pagure.io/freeipa/issue/7917 #7917] Occasional 'whoami.data is 
undefined' error in FreeIPA web UI
* [https://pagure.io/freeipa/issue/7938 #7938] 'ipa dnszone-show/find' should display "Dynamic 
Update" and "Bind update policy" by default
* [https://pagure.io/freeipa/issue/7941 #7941] ipapython/dn_ctypes.py: 
libldap_r shared library missing
* [https://pagure.io/freeipa/issue/7942 #7942] WebUI test for automount is 
broken
* [https://pagure.io/freeipa/issue/7948 #7948] [FIPS] Use 3DES for certificate 
encryption when creating a PKCS#12
* [https://pagure.io/freeipa/issue/7953 #7953] ipa-pwd-extop: do not remove 
MagicRegen mod, replace it
* [https://pagure.io/freeipa/issue/7965 #7965] Stop using 389-ds legacy tools 
for backup and restore
* [https://pagure.io/freeipa/issue/7974 #7974] Nightly test failure in 
ipatests.test_integration.test_user_permissions.TestUserPermissions
* [https://pagure.io/freeipa/issue/7984 #7984] make sure 'make fastlint' 
processes Python .in files
* [https://pagure.io/freeipa/issue/7987 #7987] Python shebang: Use isolated mode
* [https://pagure.io/freeipa/issue/7989 #7989] Pytest4.2+ errors
* [https://pagure.io/freeipa/issue/7990 #7990] Assumptions about systemd name 
of `named`
* [https://pagure.io/freeipa/issue/7998 #7998] Use system-wide crypto policy in 
TLS client
* [https://pagure.io/freeipa/issue/8001 #8001] Need de

[Freeipa-users] Re: Some users unable to log in to host

2020-03-17 Thread Rob Crittenden via FreeIPA-users
Kristian Petersen via FreeIPA-users wrote:
> I ran that and the sshd service shows access granted True even though
> ssh-ing in doesn't work.  Does the user have to have both login and sshd
> to login via ssh?  Other users that have the same permissions are able
> to get in OK which is why this is so confusing.

No, they are different pam services.

You'll need to bump up sssd debugging on the client side to see what is
going on.

rob

> 
> On Tue, Mar 17, 2020 at 1:04 AM Angus Clarke wrote:
> 
> Hello
> 
> I suggest running the hbactest function, something like:
> 
> ipa hbactest --user=user1 --host=fqdn.of.target.server --service=login
> 
> Regards
> Angus
> 
> 
> *From:* Kristian Petersen via FreeIPA-users
> *Sent:* 16 March 2020 21:57
> *To:* FreeIPA users list
> *Cc:* Kristian Petersen
> *Subject:* [Freeipa-users] Some users unable to log in to host
>  
> Hey all,
> 
> I have a user that is trying to log into a host that is configured
> to have access restricted via an HBAC rule.  This user is a
> member of one of the groups defined in the HBAC rule that should be
> granted access.  When this user tries to SSH in to this host, they
> get 3 consecutive password prompts like "Password:" and then one
> like "username@domain's password:" and then they get a response of
> "Permission denied, please try again."  I am not seeing any entries
> in the messages log or secure log for this user from these log in
> attempts.  Anyone have any thoughts about why this is happening?
> -- 
> Kristian Petersen
> System Administrator
> BYU Dept. of Chemistry and Biochemistry
> 
> 
> 
> -- 
> Kristian Petersen
> System Administrator
> BYU Dept. of Chemistry and Biochemistry
> 


[Freeipa-users] Re: ipa-replica-install fails when I use custom certificates

2020-03-17 Thread Rob Crittenden via FreeIPA-users
Peter Tselios via FreeIPA-users wrote:
> By the way, the information you provided is the complete opposite of the 
> information here: 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-ipa-replica_installing-identity-management#installing-an-ipa-replica-without-a-ca_install-replica
> 
> Which clearly implies that it's not an issue. 
> 
> And for completion: 
> ipa-server-4.6.5
> CentOS 7.7

Well, you're comparing the RHEL 8 (4.8.x) docs vs the RHEL 7 runtime
(4.6.x). In this case it's the same but it's risky to use docs from a
later release.

Yes, the docs should state that a client install is necessary in advance
though it is an omission and I don't see any implicit references that it
should work without it.

I believe using a PKCS#12 file with the full chain included will work.

rob


[Freeipa-users] Re: ipa-restore and the issues

2020-03-17 Thread Rob Crittenden via FreeIPA-users
Ian Kumlien wrote:
> Sorry for the high latency, there have been quite a few prio 1
> things that needed
> fixing, which has been delaying this
> 
> On Wed, Feb 5, 2020 at 7:13 PM Rob Crittenden wrote:
>>
>> Please keep responses on the list.
>>
>> Ian Kumlien wrote:
>>> ipa find-user admin
>>> ipa: ERROR: No valid Negotiate header in server response
>>>
>>> And a lot of krb issues according to the http logs
>>
>> I think we need to see the logs to diagnose.
> 
> httpd/error_log:
> [Tue Mar 17 10:25:19.273326 2020] [auth_gssapi:error] [pid 24047:tid
> 140398705956608] [client 10.0.0.15:52430] GSS ERROR
> gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS
> failure.  Minor code may provide more information ( SPNEGO cannot find
> mechanisms to negotiate)]
> [Tue Mar 17 10:25:19.277017 2020] [wsgi:error] [pid 24045:tid
> 140398987495168] [remote 100.94.37.38:34088] ipa: INFO: 401
> Unauthorized: No session cookie found
> 
>>> I wasn't expecting this - since all keys should be the same as the one
>>> installed - which is why i asked about any changes to the ldap data
>>
>> It could happen, for example, if you had gotten a new keytab for one or
>> more service and restored old data. Unlikely, but possible.
> 
> That's exactly what's happened, could I just do an ldap-updater script to
> update the keys?

There is no current automation to refresh all kerberos keytabs. You
would need to run ipa-getkeytab on each one individually. I'd only renew
ones that are out-of-sync though.

rob

> 
>> Comparing the klist output with kvno for all the keytabs and principals
>> will tell you.
>>
>> rob
>>
>>> If there is something more specific you want me to look at, just let me know
>>>
>>> On Wed, Feb 5, 2020 at 4:54 PM Rob Crittenden wrote:

 Ian Kumlien via FreeIPA-users wrote:
> Hi,
>
> Due to issues, I'm trying to do a partial restore of all the "important 
> bits"
>
> But if I do ipa-restore --online --data --backend=userRoot $BACKUP
>
> I end up in a semi-working environment - the webui doesn't work - kinit 
> does...
>
> ipa doesn't etc..
>

 It doesn't work how? What have you done to troubleshoot? What do the
 logs say?

 rob

>>>
>>
> 
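Rob's suggestion is to compare the KVNOs in each keytab with the KVNOs the KDC reports and refresh only the keytabs that are out of sync. Here is an added example (not from the thread and not FreeIPA code) that does that comparison over the captured text of `klist -k` and `kvno`; the realm, principals and version numbers in the samples are constructed.

```python
"""Compare the key version numbers (KVNO) held in a keytab with the KVNOs
the KDC currently issues, to find principals whose keytab went stale after
restoring older LDAP data.

Added example for this thread, not FreeIPA code. Inputs are the captured
text of `klist -k <keytab>` (without -t, so no timestamp column) and of
`kvno <principal> ...`. The samples below are constructed.
"""
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output. A keytab
# usually keeps the previous key version next to the current one.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ipa.example.test@EXAMPLE.TEST
   3 host/ipa.example.test@EXAMPLE.TEST
   3 HTTP/ipa.example.test@EXAMPLE.TEST
   5 ldap/ipa.example.test@EXAMPLE.TEST
"""

# Constructed sample of `kvno host/... HTTP/... ldap/...` output, i.e. the
# key version the KDC is issuing service tickets for right now.
KVNO_OUTPUT = """\
host/ipa.example.test@EXAMPLE.TEST: kvno = 3
HTTP/ipa.example.test@EXAMPLE.TEST: kvno = 4
ldap/ipa.example.test@EXAMPLE.TEST: kvno = 5
"""

# "<kvno> <principal>[ (enctype)]" rows; header and separator rows do not
# start with a number and are skipped.
KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+)")
# "<principal>: kvno = <n>" rows from the kvno utility.
KVNO_ROW = re.compile(r"^(\S+):\s+kvno\s*=\s*(\d+)\s*$")


def parse_klist(text):
    """Map each principal in the keytab to the set of KVNOs it holds."""
    keytab = {}
    for line in text.splitlines():
        m = KLIST_ROW.match(line)
        if not m:
            continue
        kvno, principal = int(m.group(1)), m.group(2)
        keytab.setdefault(principal, set()).add(kvno)
    return keytab


def parse_kvno(text):
    """Map each principal to the KVNO the KDC reports for it."""
    kdc = {}
    for line in text.splitlines():
        m = KVNO_ROW.match(line)
        if m:
            kdc[m.group(1)] = int(m.group(2))
    return kdc


def out_of_sync(keytab, kdc):
    """Principals whose current KDC KVNO is not present in the keytab.

    These are the ones that need a fresh keytab (ipa-getkeytab); a
    principal whose current version is already in the keytab is fine even
    if the keytab also carries older versions.
    """
    stale = []
    for principal, current in kdc.items():
        if current not in keytab.get(principal, set()):
            stale.append(principal)
    return sorted(stale)


def check(klist_text=KLIST_OUTPUT, kvno_text=KVNO_OUTPUT):
    """Run the comparison over captured klist and kvno text."""
    return out_of_sync(parse_klist(klist_text), parse_kvno(kvno_text))


if __name__ == "__main__":
    for principal in check():
        print(f"{principal}: keytab lacks the KVNO the KDC issues, refresh it")
```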


[Freeipa-users] Re: Some users unable to log in to host

2020-03-17 Thread Kristian Petersen via FreeIPA-users
I ran that and the sshd service shows access granted True even though
ssh-ing in doesn't work.  Does the user have to have both login and sshd to
login via ssh?  Other users that have the same permissions are able to get
in OK which is why this is so confusing.

On Tue, Mar 17, 2020 at 1:04 AM Angus Clarke wrote:

> Hello
>
> I suggest running the hbactest function, something like:
>
> ipa hbactest --user=user1 --host=fqdn.of.target.server --service=login
>
> Regards
> Angus
>
> --
> *From:* Kristian Petersen via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> *Sent:* 16 March 2020 21:57
> *To:* FreeIPA users list 
> *Cc:* Kristian Petersen 
> *Subject:* [Freeipa-users] Some users unable to log in to host
>
> Hey all,
>
> I have a user that is trying to log into a host that is configured to have
> access restricted via an HBAC rule.  This user is a member of one of the
> groups defined in the HBAC rule that should be granted access.  When this
> user tries to SSH in to this host, they get 3 consecutive password prompts
> like "Password:" and then one like "username@domain's password:" and then
> they get a response of "Permission denied, please try again."  I am not
> seeing any entries in the messages log or secure log for this user from
> these log in attempts.  Anyone have any thoughts about why this is
> happening?
> --
> Kristian Petersen
> System Administrator
> BYU Dept. of Chemistry and Biochemistry
>


-- 
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry


[Freeipa-users] Re: ipa-replica-install fails when I use custom certificates

2020-03-17 Thread Peter Tselios via FreeIPA-users
By the way, the information you provided is the complete opposite of the 
information here: 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-ipa-replica_installing-identity-management#installing-an-ipa-replica-without-a-ca_install-replica

Which clearly implies that it's not an issue. 

And for completion: 
ipa-server-4.6.5
CentOS 7.7


[Freeipa-users] Re: ipa-replica-install fails when I use custom certificates

2020-03-17 Thread Peter Tselios via FreeIPA-users
Many thanks to all. 
This means I have a lot of work ahead of me. 
I am using ansible for the installation and for the moment I don't use the 
freeipa modules. 
I will try with a p12 file and see if there is any improvement; if not, I will 
fall back to ipa-client-install. 


[Freeipa-users] Re: ipa-replica-install fails when I use custom certificates

2020-03-17 Thread LHEUREUX Bernard via FreeIPA-users
You must first install the ipa-client!
And you can pass your cert options to ipa-client-install; then 
ipa-replica-install will use them and perform the replication from your primary 
server with the correct certs...

-----Original Message-----
From: Peter Tselios via FreeIPA-users 
[mailto:freeipa-users@lists.fedorahosted.org]
Sent: Tuesday, 17 March 2020 13:17
To: freeipa-users@lists.fedorahosted.org
Cc: Peter Tselios 
Subject: [Freeipa-users] ipa-replica-install fails when I use custom certificates

I have installed the ipa server by using the following command:

-
 ipa-server-install \
 --realm "EXAMPLE.COM" -p 'password' -a 'password' \
 --hostname="server.example.com" -n example.com \
 --ip-address="10.1.4.2" \
 --dirsrv-cert-file=/etc/pki/tls/private/example.com.pem \
 --dirsrv-cert-file=/etc/pki/tls/certs/example.com.crt \
 --dirsrv-pin='' \
 --http-cert-file=/etc/pki/tls/certs/example.com.crt \
 --http-cert-file=/etc/pki/tls/private/example.com.pem \
 --http-pin='' \
 --ca-cert-file=/etc/pki/ca-trust/source/anchors/myca.pem \
 --ca-cert-file=/etc/pki/ca-trust/source/anchors/mysubca.pem \
 --mkhomedir -N \
 --no-host-dns \
 --unattended
-


Which works perfectly fine.
However, I cannot make it work with ipa-replica-install since there is no 
option for --ca-cert-file.

So, how can I install a replica with custom certificates?


[Freeipa-users] Re: ipa-replica-install fails when I use custom certificates

2020-03-17 Thread François Cami via FreeIPA-users
On Tue, Mar 17, 2020 at 1:18 PM Peter Tselios via FreeIPA-users wrote:
>
> I have installed the ipa server by using the following command:
>
> -
>  ipa-server-install \
>  --realm "EXAMPLE.COM" -p 'password' -a 'password' \
>  --hostname="server.example.com" -n example.com \
>  --ip-address="10.1.4.2" \
>  --dirsrv-cert-file=/etc/pki/tls/private/example.com.pem \
>  --dirsrv-cert-file=/etc/pki/tls/certs/example.com.crt \
>  --dirsrv-pin='' \
>  --http-cert-file=/etc/pki/tls/certs/example.com.crt \
>  --http-cert-file=/etc/pki/tls/private/example.com.pem \
>  --http-pin='' \
>  --ca-cert-file=/etc/pki/ca-trust/source/anchors/myca.pem \
>  --ca-cert-file=/etc/pki/ca-trust/source/anchors/mysubca.pem \
>  --mkhomedir -N \
>  --no-host-dns \
>  --unattended
> -
>
>
> Which works perfectly fine.
> However, I cannot make it work with ipa-replica-install since there is no 
> option for --ca-cert-file.

Have you tried it? The CA cert should be pulled from the server.
Please post the complete log if it does not work, and the IPA version.

> So, how can I install a replica with custom certificates?


[Freeipa-users] ipa-replica-install fails when I use custom certificates

2020-03-17 Thread Peter Tselios via FreeIPA-users
I have installed the ipa server by using the following command: 

-
 ipa-server-install \
 --realm "EXAMPLE.COM" -p 'password' -a 'password' \
 --hostname="server.example.com" -n example.com \
 --ip-address="10.1.4.2" \
 --dirsrv-cert-file=/etc/pki/tls/private/example.com.pem \
 --dirsrv-cert-file=/etc/pki/tls/certs/example.com.crt \
 --dirsrv-pin='' \
 --http-cert-file=/etc/pki/tls/certs/example.com.crt \
 --http-cert-file=/etc/pki/tls/private/example.com.pem \
 --http-pin='' \
 --ca-cert-file=/etc/pki/ca-trust/source/anchors/myca.pem \
 --ca-cert-file=/etc/pki/ca-trust/source/anchors/mysubca.pem \
 --mkhomedir -N \
 --no-host-dns \
 --unattended
-


Which works perfectly fine. 
However, I cannot make it work with ipa-replica-install since there is no 
option for --ca-cert-file.

So, how can I install a replica with custom certificates?


[Freeipa-users] Re: setup_pr_read_pds - Not listening for new connections - too many fds open

2020-03-17 Thread thierry bordaz via FreeIPA-users



On 3/17/20 12:14 PM, Lukasz Jaworski via FreeIPA-users wrote:

Hi,

nsslapd-conntablesize = 1024 - I've changed it on one server to 2028
nsslapd-reservedescriptors: 64 - I don't know whether to increase this value?
currentconnections: 960

open fds (changed conntablesize):
find /proc/23515/fd | wc -l
1043

on bad server:
currentconnections: 958 (bad, no errors at this moment)
find /proc/172473/fd|wc -l
1028

It looks like changing nsslapd-conntablesize fixed my problems.


Great!
Indeed, nsslapd-maxdescriptors is a limitation of the connection table in 
case conntablesize is set too high.


thierry


Best regards,
Ender





On 17 Mar 2020, at 09:49, thierry bordaz via FreeIPA-users wrote:

Hi,

At startup DS creates a connection table with a fixed size.
The message "setup_pr_read_pds - Not listening for new connections - too many fds 
open" means that the number of established connections exhausted the table limit.

What are the values of nsslapd-conntablesize and nsslapd-reservedescriptors ?
How many established connections (logconv on access logs or SRCH cn=monitor) ?

regards
thierry

On 3/17/20 9:35 AM, Lukasz Jaworski via FreeIPA-users wrote:

Hi,
I've upgraded freeipa 4.6.x environment on Fedora 27 to 4.8.4 on fedora 31.
- remove old replica
- install fedora 31
- connect as new replica...

now:
389-ds-base-1.4.2.8-3.fc31.x86_64
freeipa-server-4.8.4-2.fc31.x86_64

after that, I have many errors:
setup_pr_read_pds - Not listening for new connections - too many fds open

It looks like an fd limit of 1024.
I've checked:

nsslapd-maxdescriptors:
ldapsearch -xLLL -b "cn=config" -D 'cn=Directory Manager' -W cn=config 
nsslapd-maxdescriptors
Enter LDAP Password:
dn: cn=config
nsslapd-maxdescriptors: 524288

/proc/limits:
cat /proc/2164872/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        unlimited            unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             515206               515206               processes
Max open files            524288               524288               files
Max locked memory         65536                65536                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       515206               515206               signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us


dirsrv log:
[17/Mar/2020:09:12:18.119324801 +0100] - INFO - main - Setting the maximum file 
descriptor limit to: 524288

find /proc/2164872/fd | wc -l
1037

It looks like 1024 is the connection limit.

Any idea what I've done wrong?

Best regards,
Ender - Lukasz Jaworski




—
Łukasz Jaworski

[Freeipa-users] Re: Expired Certificates, rolling back time didn't help

2020-03-17 Thread Florence Blanc-Renaud via FreeIPA-users

On 3/17/20 11:44 AM, Bhavin Vaidya via FreeIPA-users wrote:

Hello Flo,

thank you for your response.

[root@srv01 ~]# ipa config-show | grep renewal
   IPA CA renewal master: srv01.arteris.com

We followed the following steps, but certificates will not renew.

Stopped NTP and went back to 2018-05-11
systemctl restart certmonger.service

no luck, so we did

Stopped NTP and went back to 2018-05-11
systemctl restart certmonger.service
stopped FreeIPA - ipactl stop
Started services manually as per this RedHat doc 
.
getcert list shows either SUBMITTING, CA_UNREACHABLE or NEED_TO_SUBMIT



Hi,
you need to wait a while for certmonger to renew all the certs. As the 
new output shows, some progress was made: the LDAP certificate was renewed.

You can try:
getcert resubmit -i 20180315021503
then wait for the RA cert to move to MONITORING and do the same for each 
cert that needs to be renewed (resubmit, wait for the cert to move to 
MONITORING, etc...).


flo


[root@srv01 ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20180228053337':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: SelfSign
        issuer: CN=srv01.example.com,O=EXAMPLE.COM
        subject: CN=srv01.example.com,O=EXAMPLE.COM
        expires: 2021-01-11 21:56:57 UTC
        principal name: krbtgt/example@example.com
        certificate template/profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
Request ID '20180315021457':
        status: SUBMITTING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2020-02-25 04:27:49 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20180315021500':
        status: SUBMITTING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2020-02-25 04:28:38 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20180315021501':
        status: SUBMITTING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2020-02-25 04:31:47 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20180315021502':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent-reuse
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2038-03-07 03:47:46 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20180315021503':
        status: CA_UNREACHABLE
        ca-error: Error 28 connecting to https://srv01.example.com:8443/ca/agent/ca/profileReview: Timeout was reached.
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EX

[Freeipa-users] Re: setup_pr_read_pds - Not listening for new connections - too many fds open

2020-03-17 Thread Lukasz Jaworski via FreeIPA-users
Hi,

nsslapd-conntablesize = 1024 - I've changed it on one server to 2028
nsslapd-reservedescriptors: 64 - I don't know if I should increase this value?
currentconnections: 960

opened fd (changed conntablesize):
find /proc/23515/fd | wc -l
1043

on bad server:
currentconnections: 958 (bad, no errors at this moment)
find /proc/172473/fd|wc -l
1028

It looks like changing nsslapd-conntablesize fixes my problems.

Best regards,
Ender




> On 17 Mar 2020, at 09:49, thierry bordaz via FreeIPA-users 
>  wrote:
> 
> Hi,
> 
> At startup DS creates a connection table with a fixed size.
> The message "setup_pr_read_pds - Not listening for new connections - too many 
> fds open" means that the number of established connections exhausted the 
> table limit.
> 
> What are the values of nsslapd-conntablesize and nsslapd-reservedescriptors ?
> How many established connections (logconv on access logs or SRCH cn=monitor) ?
> 
> regards
> thierry
> 
> On 3/17/20 9:35 AM, Lukasz Jaworski via FreeIPA-users wrote:
>> Hi,
>> I've upgraded freeipa 4.6.x environment on Fedora 27 to 4.8.4 on fedora 31.
>> - remove old replica
>> - install fedora 31
>> - connect as new replica...
>> 
>> now:
>> 389-ds-base-1.4.2.8-3.fc31.x86_64
>> freeipa-server-4.8.4-2.fc31.x86_64
>> 
>> after that, I have many errors: 
>> setup_pr_read_pds - Not listening for new connections - too many fds open
>> 
>> It looks like fd limit 1024
>> I've checked:
>> 
>> nsslapd-maxdescriptors:
>> ldapsearch -xLLL -b "cn=config" -D 'cn=Directory Manager' -W cn=config 
>> nsslapd-maxdescriptors
>> Enter LDAP Password: 
>> dn: cn=config
>> nsslapd-maxdescriptors: 524288
>> 
>> /proc/limits:
>> cat /proc/2164872/limits 
>> Limit                     Soft Limit           Hard Limit           Units
>> Max cpu time              unlimited            unlimited            seconds
>> Max file size             unlimited            unlimited            bytes
>> Max data size             unlimited            unlimited            bytes
>> Max stack size            8388608              unlimited            bytes
>> Max core file size        unlimited            unlimited            bytes
>> Max resident set          unlimited            unlimited            bytes
>> Max processes             515206               515206               processes
>> Max open files            524288               524288               files
>> Max locked memory         65536                65536                bytes
>> Max address space         unlimited            unlimited            bytes
>> Max file locks            unlimited            unlimited            locks
>> Max pending signals       515206               515206               signals
>> Max msgqueue size         819200               819200               bytes
>> Max nice priority         0                    0
>> Max realtime priority     0                    0
>> Max realtime timeout      unlimited            unlimited            us
>> 
>> 
>> dirsrv log:
>> [17/Mar/2020:09:12:18.119324801 +0100] - INFO - main - Setting the maximum 
>> file descriptor limit to: 524288
>> 
>> find /proc/2164872/fd | wc -l
>> 1037
>> 
>> It looks like 1024 is connection limit.
>> 
>> Any idea what I've done wrong?
>> 
>> Best regards,
>> Ender - Lukasz Jaworski
>> 
>> 
>> 

— 
Łukasz Jaworski










[Freeipa-users] Re: ipa-restore and the issues

2020-03-17 Thread Ian Kumlien via FreeIPA-users
Sorry for the high latency, there have been quite a few prio 1 things
that needed fixing and that has been delaying this.

On Wed, Feb 5, 2020 at 7:13 PM Rob Crittenden  wrote:
>
> Please keep responses on the list.
>
> Ian Kumlien wrote:
> > ipa find-user admin
> > ipa: ERROR: No valid Negotiate header in server response
> >
> > And a lot of krb issues according to the http logs
>
> I think we need to see the logs to diagnose.

httpd/error_log:
[Tue Mar 17 10:25:19.273326 2020] [auth_gssapi:error] [pid 24047:tid
140398705956608] [client 10.0.0.15:52430] GSS ERROR
gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS
failure.  Minor code may provide more information ( SPNEGO cannot find
mechanisms to negotiate)]
[Tue Mar 17 10:25:19.277017 2020] [wsgi:error] [pid 24045:tid
140398987495168] [remote 100.94.37.38:34088] ipa: INFO: 401
Unauthorized: No session cookie found

> > I wasn't expecting this - since all keys should be the same as the one
> > installed - which is why i asked about any changes to the ldap data
>
> It could happen, for example, if you had gotten a new keytab for one or
> more service and restored old data. Unlikely, but possible.

That's exactly what's happened. Could I just do an ldap-updater script to
update the keys?

> Comparing the klist output with kvno for all the keytabs and principals
> will tell you.
>
> rob
>
> > If there is something more specific you want me to look at, just let me know
> >
> > On Wed, Feb 5, 2020 at 4:54 PM Rob Crittenden  wrote:
> >>
> >> Ian Kumlien via FreeIPA-users wrote:
> >>> Hi,
> >>>
> >>> Due to issues, I'm trying to do a partial restore of all the "important 
> >>> bits"
> >>>
> >>> But if I do ipa-restore --online --data --backend=userRoot $BACKUP
> >>>
> >>> I end up in a semiworking environment - the webui doen't work - kinit 
> >>> does...
> >>>
> >>> ipa doesn't etc..
> >>>
> >>
> >> It doesn't work how? What have you done to troubleshoot? What do the
> >> logs say?
> >>
> >> rob
> >>
> >
>
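Rob's suggestion above is to compare klist output with kvno for every keytab and principal. The script below is an added example for this thread (not Rob's or FreeIPA's code) that does that comparison: it parses `klist -kt` and `kvno` output and classifies each principal. The two possible mismatches have different fixes, which is the point of telling them apart: a keytab whose kvno is *ahead* of the KDC is the ipa-restore case (the directory data put back is older than the keytab obtained afterwards), while a keytab *behind* the KDC is an ordinary stale keytab. The sample klist/kvno text is constructed, not from the poster's system; the principal names and keytab path are illustrative.

```python
"""Compare keytab key versions (klist -kt) with the KDC's view (kvno).

Added example, not code from the thread or from FreeIPA.
"""
import re
import subprocess
from typing import Dict

# Constructed `klist -kt /etc/krb5.keytab` output (HTTP/ has two enctypes, hence two lines)
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/15/2018 02:14:57 host/srv01.example.com@EXAMPLE.COM
   5 02/01/2020 10:03:11 HTTP/srv01.example.com@EXAMPLE.COM
   5 02/01/2020 10:03:11 HTTP/srv01.example.com@EXAMPLE.COM
   2 03/15/2018 02:15:01 ldap/srv01.example.com@EXAMPLE.COM
   3 03/15/2018 02:15:04 nfs/srv01.example.com@EXAMPLE.COM
"""
# Constructed `kvno <principal>...` output for the same principals, after `kinit admin`
SAMPLE_KVNO = """host/srv01.example.com@EXAMPLE.COM: kvno = 2
HTTP/srv01.example.com@EXAMPLE.COM: kvno = 3
ldap/srv01.example.com@EXAMPLE.COM: kvno = 4
kvno: Server not found in Kerberos database while getting credentials for nfs/srv01.example.com@EXAMPLE.COM
"""

KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s*$")   # kvno, date, time, principal
KVNO_LINE = re.compile(r"^(\S+@\S+): kvno = (\d+)\s*$")


def parse_klist(text: str) -> Dict[str, int]:
    """principal -> highest kvno present in the keytab (old keys may still be kept)."""
    kvnos: Dict[str, int] = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            princ, kvno = m.group(2), int(m.group(1))
            kvnos[princ] = max(kvnos.get(princ, 0), kvno)
    return kvnos


def parse_kvno(text: str) -> Dict[str, int]:
    """principal -> kvno the KDC reports; principals it cannot find produce no entry."""
    found: Dict[str, int] = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def compare(keytab: Dict[str, int], kdc: Dict[str, int]) -> Dict[str, str]:
    """Classify every keytab principal:
    ok             keytab and KDC agree
    keytab-ahead   keytab kvno > KDC kvno: restored directory data is older than the
                   keytab; re-key the service (ipa-getkeytab) so both sides move on
    keytab-stale   keytab kvno < KDC kvno: keys rotated after this keytab was written;
                   fetch a fresh keytab
    unknown-to-kdc the KDC has no such principal at all
    """
    verdict: Dict[str, str] = {}
    for princ, ours in sorted(keytab.items()):
        theirs = kdc.get(princ)
        if theirs is None:
            verdict[princ] = "unknown-to-kdc"
        elif ours == theirs:
            verdict[princ] = "ok"
        elif ours > theirs:
            verdict[princ] = "keytab-ahead"
        else:
            verdict[princ] = "keytab-stale"
    return verdict


def compare_live(keytab_path: str) -> Dict[str, str]:
    """Run klist and kvno for real; needs a TGT (`kinit admin` first)."""
    klist_out = subprocess.run(["klist", "-kt", keytab_path], check=True,
                               capture_output=True, text=True).stdout
    keytab = parse_klist(klist_out)
    # kvno exits non-zero if any principal is missing; keep both streams either way
    proc = subprocess.run(["kvno", *sorted(keytab)], capture_output=True, text=True)
    return compare(keytab, parse_kvno(proc.stdout + proc.stderr))


if __name__ == "__main__":
    for princ, result in compare(parse_klist(SAMPLE_KLIST), parse_kvno(SAMPLE_KVNO)).items():
        print("%-45s %s" % (princ, result))
```

On an IPA server the keytabs worth checking this way are the host keytab (/etc/krb5.keytab), the HTTP keytab used by mod_auth_gssapi via gssproxy (/var/lib/ipa/gssproxy/http.keytab) and the directory server keytab (/etc/dirsrv/ds.keytab); the `gss_acquire_cred` failure in the httpd error_log above is what a mismatched HTTP keytab looks like from Apache's side.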


[Freeipa-users] Re: How to add options to api.Command of python ipalib module

2020-03-17 Thread Florence Blanc-Renaud via FreeIPA-users

On 3/17/20 10:21 AM, Diadormu ZMJ via FreeIPA-users wrote:

example: api.Command.user_show(u'admin')
I want to add a --all option like the command line
I want to process freeipa users and host information with python


Hi,

you can simply call api.Command.user_show(u'admin', all=True)

flo


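The reply above gives the general rule: every option the CLI exposes as a flag is a keyword argument on api.Command (`--all` is `all=True`, `--raw` is `raw=True`, `--sizelimit=0` is `sizelimit=0`). The following is an added example, not code from the thread or from FreeIPA, showing the full sequence a script needs (bootstrap, finalize, connect, call) and how to process the entries that come back, since every attribute is returned as a list. It needs an enrolled IPA client and a Kerberos ticket from kinit; the SAMPLE_* entries are constructed in the shape user_find/host_find return so the filters can be exercised without a server, and the user and host names in them are invented.

```python
"""Query IPA users and hosts through ipalib with CLI-style options.

Added example; not FreeIPA project code.
"""
from typing import Any, Dict, Iterable, List

# Constructed sample entries as found in result["result"] of user_find / host_find.
# Attributes come back as lists; has_keytab and nsaccountlock are plain booleans.
SAMPLE_USERS = [
    {"uid": ["admin"], "memberof_group": ["admins", "trust admins"], "nsaccountlock": False},
    {"uid": ["svc-backup"], "memberof_group": ["ipausers"], "nsaccountlock": True},
    {"uid": ["jdoe"], "memberof_group": ["ipausers", "developers"], "nsaccountlock": False},
]
SAMPLE_HOSTS = [
    {"fqdn": ["srv01.example.com"], "has_keytab": True, "managedby_host": ["srv01.example.com"]},
    {"fqdn": ["new-vm.example.com"], "has_keytab": False, "managedby_host": ["new-vm.example.com"]},
]


def flatten(entry: Dict[str, Any]) -> Dict[str, Any]:
    """Unwrap single-valued attributes; multi-valued ones stay lists."""
    return {k: (v[0] if isinstance(v, (list, tuple)) and len(v) == 1 else v)
            for k, v in entry.items()}


def enrolled_hosts(hosts: Iterable[Dict[str, Any]]) -> List[str]:
    """Hosts that actually hold a keytab, i.e. completed enrollment."""
    return sorted(flatten(h)["fqdn"] for h in hosts if h.get("has_keytab") is True)


def locked_users(users: Iterable[Dict[str, Any]]) -> List[str]:
    """Users whose account is disabled (nsaccountlock)."""
    return sorted(flatten(u)["uid"] for u in users if u.get("nsaccountlock") is True)


def members_of(users: Iterable[Dict[str, Any]], group: str) -> List[str]:
    return sorted(flatten(u)["uid"] for u in users if group in u.get("memberof_group", []))


def ipa_api():
    """Bootstrap ipalib once and connect the RPC client (uses the ccache from kinit)."""
    from ipalib import api      # imported lazily so the helpers above work without ipalib
    if not api.isdone("finalize"):
        api.bootstrap(context="cli")
        api.finalize()
    if not api.Backend.rpcclient.isconnected():
        api.Backend.rpcclient.connect()
    return api


def find_all(api, command: str, **options) -> List[Dict[str, Any]]:
    """Run a *-find command with --all and no size limit; return the entry list."""
    return list(getattr(api.Command, command)(all=True, sizelimit=0, **options)["result"])


if __name__ == "__main__":
    api = ipa_api()
    users = find_all(api, "user_find")
    hosts = find_all(api, "host_find")
    print("admin:", flatten(api.Command.user_show("admin", all=True)["result"]))
    print("enrolled hosts:", enrolled_hosts(hosts))
    print("locked users:", locked_users(users))
    print("admins group:", members_of(users, "admins"))
```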


[Freeipa-users] FreeIPA 4.8.5 released

2020-03-17 Thread Alexander Bokovoy via FreeIPA-users

Hello!

The FreeIPA team would like to announce FreeIPA 4.8.5 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 30-32 versions will be available soon.

== Highlights in 4.8.5 ==

- [8214] openDNSSEC 2.1 support

- [8221] AJP connector protection
  for Dogtag/FreeIPA communication for CVE-2020-1938 mitigation. Fedora
  and RHEL do not force encrypted AJP connector by default with 9.0.31
  but FreeIPA 4.8.5 will convert to encrypted AJP channel on upgrade or
  at a new deployment. Use of AJP is limited to localhost connections
  with integrated CA already.

- Default authentication indicators are now documented in FreeIPA
  workshop, https://github.com/freeipa/freeipa-workshop/blob/master/11-kerberos-ticket-policy.rst 


- [6891] FreeIPA SELinux policy is now part of the upstream packaging
  and replaces distribution-wide policies.

- New internal mechanism to promote Trust Agents in 
  ipa-adtrust-install, to allow configuring schema compatibility plugin
  on remote replicas.

- [8124] New "ipa-cacert-manage delete" command to allow pruning a CA
  certificate from LDAP store

=== Enhancements ===

- Backup / restore tools now check whether packages for various optional
  IPA master features installed before restore

- IPA CLI commands for DNS operations display additional attributes and
  handle optional parameters when a record is removed

- Additional checks for external CA certificate properties during
  installation

- Minor content improvements in ipa-client-samba's tool output

- Preliminary support for building with MIT Kerberos 1.18

- Increased test coverage in upstream test suite

- Ability to test multi-host scenarios in upstream CI using Azure
  Pipelines

=== Known Issues ===

=== Bug fixes ===
FreeIPA 4.8.5 is a stabilization release for the features delivered as a
part of 4.8.0 release series.

There are more than 50 bug-fixes details of which can be seen in
the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list 
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or #freeipa channel on Freenode.


== Resolved tickets ==
* [https://pagure.io/freeipa/issue/6891 #6891] Move FreeIPA SELinux policy from 
system policy to project policy
* [https://pagure.io/freeipa/issue/7522 #7522] Disable cert publishing in dogtag
* [https://pagure.io/freeipa/issue/7537 #7537] PR-CI: external_ca tests are 
hitting timeout
* [https://pagure.io/freeipa/issue/7600 #7600] Enable compat tree to provide 
information about AD users and groups on trust agents
* [https://pagure.io/freeipa/issue/7630 #7630] ipa-restore should check that 
optional feature packages are installed before restoring a backup using a 
feature
* [https://pagure.io/freeipa/issue/7744 #7744] ipa-replica-install picks wrong 
replica for CA initial replication
* [https://pagure.io/freeipa/issue/7830 #7830] FreeIPA installation fails with 
389-DS 1.4.0.20-1
* [https://pagure.io/freeipa/issue/7856 #7856] Nightly test failure in 
test_uninstallation.py::TestUninstallBase::()::test_failed_uninstall
* [https://pagure.io/freeipa/issue/7861 #7861] Make IPADiscovery available in 
PyPI packages
* [https://pagure.io/freeipa/issue/7909 #7909] Wrong evaluation of replication 
update status
* [https://pagure.io/freeipa/issue/7917 #7917] Occasional 'whoami.data is 
undefined' error in FreeIPA web UI
* [https://pagure.io/freeipa/issue/7938 #7938] 'ipa dnszone-show/find' should display "Dynamic 
Update" and "Bind update policy" by default
* [https://pagure.io/freeipa/issue/7941 #7941] ipapython/dn_ctypes.py: 
libldap_r shared library missing
* [https://pagure.io/freeipa/issue/7942 #7942] WebUI test for automount is 
broken
* [https://pagure.io/freeipa/issue/7948 #7948] [FIPS] Use 3DES for certificate 
encryption when creating a PKCS#12
* [https://pagure.io/freeipa/issue/7953 #7953] ipa-pwd-extop: do not remove 
MagicRegen mod, replace it
* [https://pagure.io/freeipa/issue/7965 #7965] Stop using 389-ds legacy tools 
for backup and restore
* [https://pagure.io/freeipa/issue/7974 #7974] Nightly test failure in 
ipatests.test_integration.test_user_permissions.TestUserPermissions
* [https://pagure.io/freeipa/issue/7984 #7984] make sure 'make fastlint' 
processes Python .in files
* [https://pagure.io/freeipa/issue/7987 #7987] Python shebang: Use isolated mode
* [https://pagure.io/freeipa/issue/7989 #7989] Pytest4.2+ errors
* [https://pagure.io/freeipa/issue/7990 #7990] Assumptions about systemd name 
of `named`
* [https://pagure.io/freeipa/issue/7998 #7998] Use system-wide crypto policy in 
TLS client
* [https://pagure.io/freeipa/issue/8001 #8001] Need default authentication 
indicators for SPAKE, PKINIT and encrypted challenge preauth
* [https://pagure.io/freeipa/issue/8004 #8004] RHEL 8 uses nis-domainname 
instead of rhel-domainname
* [https
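The AJP item in the highlights above (CVE-2020-1938 mitigation) boils down to three settings: the Dogtag Tomcat AJP connector bound to loopback, a shared secret required and configured on it, and the httpd side of the proxy sending that same secret. The checker below is an added example for verifying a server after the upgrade; it is not FreeIPA's upgrade code and contains no exploit. It assumes the usual file locations on an IPA server with the integrated CA (/etc/pki/pki-tomcat/server.xml and /etc/httpd/conf.d/ipa-pki-proxy.conf) and uses Tomcat's own attribute names (`address`, `secretRequired`, `secret`, and the older `requiredSecret`) and mod_proxy_ajp's `secret=` ProxyPass option. Tomcat 9.0.31 changed the defaults to loopback and secretRequired=true; older builds listen on all interfaces and need no secret unless told otherwise, which the `tomcat_new_defaults` switch models. The XML and httpd snippets are constructed.

```python
"""Audit Tomcat AJP connector and httpd ProxyPass settings for CVE-2020-1938 hardening.

Added example; not FreeIPA or Dogtag project code.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}

# Constructed server.xml fragments: a pre-mitigation connector and a hardened one
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
    <Connector port="8009" protocol="AJP/1.3" address="localhost"
               secretRequired="true" secret="example-shared-secret" redirectPort="8443"/>
  </Service>
</Server>"""
# Constructed httpd proxy lines (ipa-pki-proxy.conf style)
WEAK_PROXY_CONF = "ProxyPassMatch ^/ca/ee/ca/checkRequest ajp://localhost:8009\n"
HARDENED_PROXY_CONF = "ProxyPassMatch ^/ca/ee/ca/checkRequest ajp://localhost:8009 secret=example-shared-secret\n"


def audit_server_xml(xml_text: str, tomcat_new_defaults: bool = False) -> List[str]:
    """One finding per weakness on each AJP connector; an empty list means hardened.
    tomcat_new_defaults=True models Tomcat >= 9.0.31, where a missing address
    means loopback and a missing secretRequired means true."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None and not tomcat_new_defaults:
            findings.append(f"AJP {port}: no address attribute, listens on all interfaces")
        elif address is not None and address not in LOOPBACK:
            findings.append(f"AJP {port}: bound to {address}, not loopback")
        required = conn.get("secretRequired", "true" if tomcat_new_defaults else "false")
        if required.lower() != "true":
            findings.append(f"AJP {port}: secretRequired is {required}")
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append(f"AJP {port}: no shared secret configured")
    return findings


PROXY_RE = re.compile(r"^\s*ProxyPass(?:Match)?\s+\S+\s+(ajp://\S+)(.*)$", re.M)


def audit_httpd_proxy(conf_text: str) -> List[str]:
    """Every ProxyPass/ProxyPassMatch to ajp:// must target loopback and carry secret=."""
    findings: List[str] = []
    for m in PROXY_RE.finditer(conf_text):
        target, params = m.group(1), m.group(2)
        hostport = target[len("ajp://"):].split("/", 1)[0]
        host = hostport.rsplit(":", 1)[0].strip("[]") if ":" in hostport else hostport
        if host not in LOOPBACK:
            findings.append(f"{target}: proxies to non-loopback host {host}")
        if not re.search(r"\bsecret=\S+", params):
            findings.append(f"{target}: ProxyPass without secret=")
    return findings


if __name__ == "__main__":
    # Live use: audit_server_xml(open("/etc/pki/pki-tomcat/server.xml").read(), True)
    #           audit_httpd_proxy(open("/etc/httpd/conf.d/ipa-pki-proxy.conf").read())
    for label, xml_text, conf in (("weak", WEAK_SERVER_XML, WEAK_PROXY_CONF),
                                  ("hardened", HARDENED_SERVER_XML, HARDENED_PROXY_CONF)):
        print(label, audit_server_xml(xml_text) + audit_httpd_proxy(conf) or ["OK"])
```

The secret must match on both sides; a connector with secretRequired=true and no secret refuses to start, and a ProxyPass without secret= against such a connector gets every CA request rejected, which shows up as certmonger CA_UNREACHABLE errors rather than an obvious AJP message.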

[Freeipa-users] How to add options to api.Command of python ipalib module

2020-03-17 Thread Diadormu ZMJ via FreeIPA-users
example: api.Command.user_show(u'admin')
I want to add a --all option like the command line
I want to process freeipa users and host information with python


[Freeipa-users] Re: setup_pr_read_pds - Not listening for new connections - too many fds open

2020-03-17 Thread thierry bordaz via FreeIPA-users

Hi,

At startup DS creates a connection table with a fixed size.
The message "setup_pr_read_pds - Not listening for new connections - too 
many fds open" means that the number of established connections 
exhausted the table limit.


What are the values of nsslapd-conntablesize and 
nsslapd-reservedescriptors ?
How many established connections (logconv on access logs or SRCH 
cn=monitor) ?


regards
thierry

On 3/17/20 9:35 AM, Lukasz Jaworski via FreeIPA-users wrote:

Hi,
I've upgraded freeipa 4.6.x environment on Fedora 27 to 4.8.4 on 
fedora 31.

- remove old replica
- install fedora 31
- connect as new replica...

now:
389-ds-base-1.4.2.8-3.fc31.x86_64
freeipa-server-4.8.4-2.fc31.x86_64

after that, I have many errors:
setup_pr_read_pds - Not listening for new connections - too many fds open

It looks like fd limit 1024
I've checked:

nsslapd-maxdescriptors:
ldapsearch -xLLL -b "cn=config" -D 'cn=Directory Manager' -W cn=config 
nsslapd-maxdescriptors

Enter LDAP Password:
dn: cn=config
nsslapd-maxdescriptors: 524288

/proc/limits:
cat /proc/2164872/limits
Limit                     Soft Limit           Hard Limit       Units
Max cpu time              unlimited            unlimited      seconds
Max file size             unlimited            unlimited      bytes
Max data size             unlimited            unlimited      bytes
Max stack size            8388608              unlimited      bytes
Max core file size        unlimited            unlimited      bytes
Max resident set          unlimited            unlimited      bytes
Max processes             515206               515206       processes
Max open files            524288               524288       files
Max locked memory         65536                65536      bytes
Max address space         unlimited            unlimited      bytes
Max file locks            unlimited            unlimited      locks
Max pending signals       515206               515206       signals
Max msgqueue size         819200               819200       bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited      us


dirsrv log:
[17/Mar/2020:09:12:18.119324801 +0100] - INFO - main - Setting the 
maximum file descriptor limit to: 524288


find /proc/2164872/fd | wc -l
1037

It looks like 1024 is connection limit.

Any idea what I've done wrong?

Best regards,
Ender - Lukasz Jaworski


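Thierry's explanation above (a connection table of fixed size allocated at startup, exhausted when established connections reach it) and the numbers Lukasz reported in his reply (nsslapd-conntablesize 1024 raised to 2028, nsslapd-reservedescriptors 64, about 960 current connections, about 1030 open descriptors) suggest a small headroom check. The script below is an added example for this thread, not 389-ds or FreeIPA code. It reads the three cn=config attributes and currentconnections from cn=monitor out of `ldapsearch -LLL` output plus the process's open-fd count and reports how close the server is to logging the "too many fds open" message. The model is this example's simplification: the table is a hard cap on concurrent connections, and the descriptors available to clients are maxdescriptors minus reservedescriptors; the 80 % warning threshold is an arbitrary choice. The sample LDIF is constructed from the thread's numbers, and the ldapi socket path in the live helper is an assumption.

```python
"""Headroom check for the 389-ds connection table.

Added example; not 389-ds or FreeIPA project code.
"""
import os
import subprocess
from typing import Dict

# Constructed: ldapsearch -xLLL -D 'cn=Directory Manager' -W -s base -b cn=config \
#                 nsslapd-conntablesize nsslapd-reservedescriptors nsslapd-maxdescriptors
CONFIG_BEFORE = """dn: cn=config
nsslapd-conntablesize: 1024
nsslapd-reservedescriptors: 64
nsslapd-maxdescriptors: 524288
"""
CONFIG_AFTER = CONFIG_BEFORE.replace("1024", "2028")    # the value the poster raised it to

# Constructed: ldapsearch -xLLL -D 'cn=Directory Manager' -W -s base -b cn=monitor currentconnections
MONITOR = """dn: cn=monitor
currentconnections: 958
"""
OPEN_FDS = 1028                                         # find /proc/<pid>/fd | wc -l


def parse_ldif_entry(ldif: str) -> Dict[str, str]:
    """attribute (lower-cased) -> value for a single-entry LDIF; joins folded
    continuation lines (leading space) and skips comments. Base64 values
    ("attr:: ...") are not decoded; none of the attributes used here are."""
    attrs: Dict[str, str] = {}
    last = None
    for raw in ldif.splitlines():
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
        elif raw.startswith("#") or ":" not in raw:
            last = None
        else:
            key, _, value = raw.partition(":")
            last = key.strip().lower()
            attrs[last] = value.strip()
    return attrs


def connection_headroom(config_ldif: str, monitor_ldif: str, open_fds: int,
                        warn_ratio: float = 0.8) -> Dict[str, object]:
    cfg = parse_ldif_entry(config_ldif)
    mon = parse_ldif_entry(monitor_ldif)
    conntable = int(cfg["nsslapd-conntablesize"])
    reserved = int(cfg["nsslapd-reservedescriptors"])
    maxfd = int(cfg["nsslapd-maxdescriptors"])
    current = int(mon["currentconnections"])

    fd_budget = maxfd - reserved        # descriptors the server may hand to client connections
    table_ratio = current / conntable
    fd_ratio = open_fds / fd_budget
    if current >= conntable or open_fds >= fd_budget:
        status = "CRITICAL"             # listener is switched off until connections drain
    elif max(table_ratio, fd_ratio) >= warn_ratio:
        status = "WARN"
    else:
        status = "OK"
    return {
        "status": status,
        "effective_cap": min(conntable, fd_budget),
        "table_ratio": round(table_ratio, 3),
        "fd_ratio": round(fd_ratio, 3),
        "limiting": "nsslapd-conntablesize" if conntable <= fd_budget else "nsslapd-maxdescriptors",
    }


def live_headroom(pid: int, ldapi_socket: str) -> Dict[str, object]:
    """Live variant on the server: root over the ldapi socket, which IPA maps to
    Directory Manager, so no password prompt. Socket path is an assumption;
    find it with `ls /var/run/slapd-*.socket`."""
    def search(base: str, *attrs: str) -> str:
        cmd = ["ldapsearch", "-LLL", "-Y", "EXTERNAL", "-Q", "-s", "base",
               "-H", "ldapi://" + ldapi_socket.replace("/", "%2f"), "-b", base, *attrs]
        return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    cfg = search("cn=config", "nsslapd-conntablesize",
                 "nsslapd-reservedescriptors", "nsslapd-maxdescriptors")
    mon = search("cn=monitor", "currentconnections")
    return connection_headroom(cfg, mon, len(os.listdir("/proc/%d/fd" % pid)))


if __name__ == "__main__":
    print("before:", connection_headroom(CONFIG_BEFORE, MONITOR, OPEN_FDS))
    print("after: ", connection_headroom(CONFIG_AFTER, MONITOR, OPEN_FDS))
```

nsslapd-conntablesize is read at startup only, so a changed value needs a dirsrv restart before the check reports it.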


[Freeipa-users] setup_pr_read_pds - Not listening for new connections - too many fds open

2020-03-17 Thread Lukasz Jaworski via FreeIPA-users
Hi,
I've upgraded freeipa 4.6.x environment on Fedora 27 to 4.8.4 on fedora 31.
- remove old replica
- install fedora 31
- connect as new replica...

now:
389-ds-base-1.4.2.8-3.fc31.x86_64
freeipa-server-4.8.4-2.fc31.x86_64

after that, I have many errors:
setup_pr_read_pds - Not listening for new connections - too many fds open

It looks like fd limit 1024
I've checked:

nsslapd-maxdescriptors:
ldapsearch -xLLL -b "cn=config" -D 'cn=Directory Manager' -W cn=config
nsslapd-maxdescriptors
Enter LDAP Password:
dn: cn=config
nsslapd-maxdescriptors: 524288

/proc/limits:
cat /proc/2164872/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        unlimited            unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             515206               515206               processes
Max open files            524288               524288               files
Max locked memory         65536                65536                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       515206               515206               signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us



dirsrv log:
[17/Mar/2020:09:12:18.119324801 +0100] - INFO - main - Setting the maximum
file descriptor limit to: 524288

find /proc/2164872/fd | wc -l
1037

It looks like 1024 is connection limit.

Any idea what I've done wrong?

Best regards,
Ender - Lukasz Jaworski


[Freeipa-users] Re: Expired Certificates, rolling back time didn't help

2020-03-17 Thread Florence Blanc-Renaud via FreeIPA-users

On 3/16/20 11:44 PM, Bhavin Vaidya via FreeIPA-users wrote:

Hello,

We had similar issue 2 yrs back, and resurface as it didn't auto-renew.
Went back in time to 2016-06-11 as well as 2020-02-20, restarted 
"certmonger", didn't update.



Hi,

you need to check first which server is your renewal master:

$ kinit admin

$ ipa config-show | grep renewal


The output should display the name of the renewal master. This host is 
the first server that needs to be fixed.



In the getcert list output that you provided, we can see that:

- the PKI certificates shared between the servers expired on 2020-02-25 
(auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca, 
subsystemCert cert-pki-ca)


- the CA cert is still valid

- the RA cert expired on 2018-06-15

- the HTTP and LDAP server certs expired on 2020-03-07


You need to carefully pick the date you go back in time: at that given 
date, all the certs must be valid (not expired yet but *already valid*). 
From your output, the date needs to be before 2018-06-15 but after 
2018-03-08 (=the validFrom date for the PKI certs).


HTH,

flo

FreeIPA Master: CentOS 7.4.1708, FreeIPA Version: 4.5.0, API_VERSION: 2.228

While running ipactl start, it will not start pki-tomcat, with the 
message "pki-tomcatd Service: STOPPED".

Referring to Rob's blog



[root@srv01 ~]# curl --cacert /etc/ipa/ca.crt -v https://`hostname`:8443/ca/ww/ca/getCertChain
* About to connect() to srv01.example.com port 8443 (#0)
*   Trying 192.168.10.146...
* Connected to srv01.example.com (192.168.10.146) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* Server certificate:
*       subject: CN=srv01.example.com,O=EXAMPLE.COM
*       start date: Dec 26 21:02:44 2016 GMT
*       expire date: Dec 16 21:02:44 2018 GMT
*       common name: srv01.example.com
*       issuer: CN=Certificate Authority,O=EXAMPLE.COM
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name
 might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.



While, CA cert check as per ,


[root@srv01 ~]# getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 8.
Request ID '20180315021502':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2038-03-07 03:47:46 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes

We also have few others certificates, which are not renewed.


[root@srv01 ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20180228053337':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: SelfSign
        issuer: CN=srv01.example.com,O=EXAMPLE.COM
        subject: CN=srv01.example.com,O=EXAMPLE.COM
        expires: 2021-01-11 21:56:57 UTC
        principal name: krbtgt/example@example.com
        certificate template/profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
Request ID '20180315021457':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certi
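Flo's rule above for the rollback date (every certificate must be already valid and not yet expired at that instant), and her later advice to resubmit one request at a time and wait for MONITORING, both depend on getting that date right. `getcert list` only prints "expires", so the start of each validity period has to come from the certificates themselves. The script below is an added example for this thread, not FreeIPA's or certmonger's code: it takes the notBefore/notAfter pair that `openssl x509 -noout -dates` prints for each certificate, intersects the periods, and names the two certificates that bound the window (the one issued last and the one expiring first). SAMPLE_DATES is constructed to resemble the thread (PKI certs issued on 2018-03-08, an RA cert that expired on 2018-06-15); it is not the poster's real data, and the NSS nicknames and database path in the live helper are assumptions.

```python
"""Compute the date to set the clock to before certmonger can renew.

Added example; not FreeIPA or certmonger project code.
"""
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"     # e.g. "Mar  8 03:47:46 2018 GMT"

# Constructed: name -> output of `openssl x509 -noout -dates` for that certificate
SAMPLE_DATES: Dict[str, str] = {
    "caSigningCert cert-pki-ca":
        "notBefore=Mar  8 03:47:46 2018 GMT\nnotAfter=Mar  7 03:47:46 2038 GMT",
    "auditSigningCert cert-pki-ca":
        "notBefore=Mar  8 04:27:49 2018 GMT\nnotAfter=Feb 25 04:27:49 2020 GMT",
    "ocspSigningCert cert-pki-ca":
        "notBefore=Mar  8 04:28:38 2018 GMT\nnotAfter=Feb 25 04:28:38 2020 GMT",
    "subsystemCert cert-pki-ca":
        "notBefore=Mar  8 04:31:47 2018 GMT\nnotAfter=Feb 25 04:31:47 2020 GMT",
    "ra-agent":
        "notBefore=Jun 15 00:00:00 2016 GMT\nnotAfter=Jun 15 00:00:00 2018 GMT",
    "Server-Cert (LDAP)":
        "notBefore=Mar  7 12:00:00 2018 GMT\nnotAfter=Mar  7 12:00:00 2020 GMT",
}


def parse_openssl_dates(text: str) -> Tuple[datetime, datetime]:
    """(notBefore, notAfter) as aware UTC datetimes from `openssl x509 -dates` output."""
    found: Dict[str, datetime] = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = datetime.strptime(value.strip(), OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected notBefore= and notAfter= lines, got: %r" % text)
    return found["notBefore"], found["notAfter"]


def rollback_window(certs: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Intersect every validity period. Returns start/end of the window [start, end)
    plus start_by (cert issued last) and end_by (cert expiring first), or None when
    the periods do not overlap, i.e. no single date satisfies every certificate and
    renewal has to be staged."""
    start = end = None
    start_by = end_by = None
    for name, text in certs.items():
        not_before, not_after = parse_openssl_dates(text)
        if start is None or not_before > start:
            start, start_by = not_before, name
        if end is None or not_after < end:
            end, end_by = not_after, name
    if start is None or start >= end:
        return None
    return {"start": start, "end": end, "start_by": start_by, "end_by": end_by}


def suggested_clock(certs: Dict[str, str], margin: timedelta = timedelta(days=1)) -> Optional[datetime]:
    """A date inside the window, `margin` past its start so that clock skew between
    replicas cannot land before a certificate's notBefore."""
    win = rollback_window(certs)
    if win is None:
        return None
    candidate = win["start"] + margin
    if candidate >= win["end"]:               # window narrower than the margin: use its midpoint
        candidate = win["start"] + (win["end"] - win["start"]) / 2
    return candidate


def dates_from_nss(nickname: str, dbdir: str = "/etc/pki/pki-tomcat/alias") -> str:
    """Live helper: export one certificate from the NSS database as PEM and run it
    through openssl. For FILE-backed certs use `openssl x509 -in <pem> -noout -dates`."""
    pem = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname, "-a"],
                         check=True, capture_output=True, text=True).stdout
    return subprocess.run(["openssl", "x509", "-noout", "-dates"], input=pem,
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    win = rollback_window(SAMPLE_DATES)
    if win is None:
        print("no single date satisfies every certificate; renew in stages")
    else:
        print("set the clock between %s (bounded by %s) and %s (bounded by %s), e.g. %s"
              % (win["start"], win["start_by"], win["end"], win["end_by"],
                 suggested_clock(SAMPLE_DATES)))
```

Feed it every tracked certificate, not only the expired ones: a still-valid certificate issued after the chosen date (the renewed LDAP cert in the second reply, for instance) silently moves the start of the window forward and is exactly what the intersection catches.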

[Freeipa-users] Re: Some users unable to log in to host

2020-03-17 Thread Angus Clarke via FreeIPA-users
Hello

I suggest running the hbactest function, something like:

ipa hbactest --user=user1 --host=fqdn.of.target.server --service=login

Regards
Angus


From: Kristian Petersen via FreeIPA-users 
Sent: 16 March 2020 21:57
To: FreeIPA users list 
Cc: Kristian Petersen 
Subject: [Freeipa-users] Some users unable to log in to host

Hey all,

I have a user that is trying to log into a host that is configured to have 
access restricted via an HBAC rule.  This user is a member of one of the groups 
defined in the HBAC rule that should be granted access.  When this user tries 
to SSH in to this host, they get 3 consecutive password prompts like 
"Password:" and then one like "username@domain's password:" and then they get a 
response of "Permission denied, please try again."  I am not seeing any entries 
in the messages log or secure log for this user from these log in attempts.  
Anyone have any thoughts about why this is happening?
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry