[Freeipa-users] Re: Need help with confusing query results

2022-01-31 Thread Edward Valley via FreeIPA-users
Hi Thierry,

Do you want the output of:
ldapsearch -LLL -h localhost -x -D "cn=Directory Manager" -w "..." \
-b "cn=users,cn=accounts,dc=..." '(uid=user1)' '*'

Or are you talking about something else?

Thanks
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] 'transportCert cert-pki-kra' mix up

2022-01-31 Thread GH via FreeIPA-users
I've got two ancient (3.1?) IPA servers that have been upgraded over time.  
Last January things got really goofy with certificates and I got it all sorted. 
 However, now I've got an old issue creeping back in.  The 'transportCert 
cert-pki-kra' is mismatched between the CS.cfg and the tracked certificate.  
This is a multi-master setup.  The signing master seems to be the one that's 
off.  It's tracking the updated original 'transportCert cert-pki-kra' 
certificate.  However, the "secondary" master is tracking a newly generated 
'transportCert cert-pki-kra', which is also what both CS.cfg's are referencing. 
 Neither one of the certificates is expired.  Everything else seems to be in 
working order.  Here is ipa-healthcheck's only relevant error:

"source": "ipahealthcheck.dogtag.ca", 
"kw": {
  "msg": "Certificate 'transportCert cert-pki-kra' does not match the value 
of ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg", 
  "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg", 
  "directive": "ca.connector.KRA.transportCert", 
  "key": "transportCert cert-pki-kra"
}, 

So, what should I copy where to get this sorted?  It seems like the updated 
original 'transportCert cert-pki-kra' should be copied into the CS.cfg and then 
manually scp the NSS files from "primary" to "secondary"?  What commands would 
you use to do this?  I've got a lot of commands noted and am beginning to get 
confused as to which ones should be used to get this sorted.  Thanks.


[Freeipa-users] Re: IPA WebGUI login fails with "Login failed due to an unknown reason"

2022-01-31 Thread code bugs via FreeIPA-users
Thank you Rob, I am having exactly the same problem.

On Tue, Feb 1, 2022 at 12:55 AM Rob Crittenden wrote:

> code bugs via FreeIPA-users wrote:
> > Thank you for your prompt response.
> > here is the output of /var/log/krb5kdc.log during my login attempt.
> [snip]
> > Feb 01 00:25:44 ipa1.example.com 
> > krb5kdc[3754](Error): PAC issue: PAC record claims domain SID different
> > to local domain SID or any trusted domain SID: local
> > [S-1-5-21-4170108275-2486169439-623049963], PAC
> > [S-1-5-21-4279381677-1236361367-2895659079]
>
> This is the problem.
>
> See
>
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6
>
> rob
>
> >
> >
> > There is not much activity log in  /var/log/httpd/error_log:
> >
> > [Tue Feb 01 00:20:59.340501 2022] [wsgi:error] [pid 10150:tid
> > 139780524480256] [remote 10.2.3.188:49652 ]
> > ipa: INFO: [jsonserver_i18n_messages] UNKNOWN:
> > i18n_messages(version='2.245'): SUCCESS
> > [Tue Feb 01 00:25:44.539447 2022] [wsgi:error] [pid 10149:tid
> > 139780524480256] [remote 10.2.3.188:49753 ]
> > ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure.
> > Minor code may provide more information, Minor (2598844948): TGT has
> > been revoked
> >
> > On Tue, Feb 1, 2022 at 12:17 AM Alexander Bokovoy wrote:
> >
> > On Sat, 29 Jan 2022, code bugs via FreeIPA-users wrote:
> > >Hello,
> > >
> > >-IPA WebGUI login fails with "Login failed due to an unknown reason"
> > >-After upgrading IPA, can no longer log into the WebGUI
> > >Version/Release/Distribution
> > >
> > >$ cat /etc/centos-release
> > >CentOS Linux release 8.5.2111
> > >$ rpm -q freeipa-server freeipa-client ipa-server ipa-client
> > 389-ds-base
> > >pki-ca krb5-server
> > >package freeipa-server is not installed
> > >package freeipa-client is not installed
> > >ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
> > >ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
> > >389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
> > >pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
> > >krb5-server-1.18.2-14.el8.x86_64
> > >Additional info:
> > >
> > >tail /var/log/httpd/error_log
> > >
> > >[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404
> > ] ipa:
> > >INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure.
> > Minor code
> > >may provide more information, Minor (2598844948): TGT has been
> revoked
> >
> > Please show entries in /var/log/krb5kdc.log corresponding to this
> > timeframe. If TGT is revoked, it most likely is documented why in
> that
> > log. Also, if possible, show other requests in httpd's error_log for
> the
> > same timeframe -- if that was Web UI login, there would be few around
> > this error.
> >
> > One possible problem could be what is documented in
> >
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
> > but then it would not be possible to get a Kerberos ticket in kinit
> as
> > well. Perhaps, you have a problem with anonymous PKINIT on this host
> > instead.
> >
> > >
> > >further,
> > >
> > >   1. default "admin" user can IPA WebGUIlogin
> > >   2. other users cannot login  IPA WebGUIlogin, but can login
> > using cli
> > >   (kinit)
> > >   3. when i create a new user, the new user can login IPA WebGUI.
> >
> >
> >
> >
> > --
> > / Alexander Bokovoy
> > Sr. Principal Software Engineer
> > Security / Identity Management Engineering
> > Red Hat Limited, Finland
>
>


[Freeipa-users] Re: IPA WebGUI login fails with "Login failed due to an unknown reason"

2022-01-31 Thread code bugs via FreeIPA-users
Thanks Alexander, looks like the same problem.

On Tue, Feb 1, 2022 at 12:59 AM Alexander Bokovoy wrote:

> On Tue, 01 Feb 2022, code bugs wrote:
> >Thank you for your prompt response.
> >here is the output of /var/log/krb5kdc.log during my login attempt.
> >
> >Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), camellia256-cts-cmac(26),
> >aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25),
> >aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)})
> 10.2.1.50:
> >NEEDED_PREAUTH: host/ipa1.example@example.com for krbtgt/
> >example@example.com, Additional pre-authentication required
> >Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> >Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), camellia256-cts-cmac(26),
> >aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25),
> >aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)})
> 10.2.1.50:
> >ISSUE: authtime 1643657110, etypes {rep=aes256-cts-hmac-sha1-96(18),
> >tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/
> >ipa1.example@example.com for krbtgt/example@example.com
> >Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> >Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): TGS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> >camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> >aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
> >ISSUE: authtime 1643657110, etypes {rep=aes256-cts-hmac-sha1-96(18),
> >tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/
> >ipa1.example@example.com for ldap/ipa1.example@example.com
> >Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> >Feb 01 00:25:43 ipa1.example.com krb5kdc[3753](info): AS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> >camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> >aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
> >NEEDED_PREAUTH: WELLKNOWN/anonym...@example.com for krbtgt/
> >example@example.com, Additional pre-authentication required
> >Feb 01 00:25:43 ipa1.example.com krb5kdc[3753](info): closing down fd 12
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> >camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> >aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
> >ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18),
> >tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
> >WELLKNOWN/anonym...@example.com for krbtgt/example@example.com
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> >camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> >aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
> >NEEDED_PREAUTH: mukh...@example.com for krbtgt/example@example.com,
> >Additional pre-authentication required
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> >camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> >aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
> >ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18),
> >tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
> >mukh...@example.com for krbtgt/example@example.com
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](Error): PAC issue: PAC
> >record claims domain SID different to local domain SID or any trusted
> >domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [
> >S-1-5-21-4279381677-1236361367-2895659079]
>
> Ok, this looks exactly like a problem I referenced. Please follow that
> thread with solutions.
>
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ :
> >handle_authdata (-1765328364)
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ (6 etypes
> >{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> >camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> >aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
> >HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)}
> >mukh...@example.com for HTTP/ipa1.example@example.com, TGT has been
> >revoked
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): closing down fd 12
> >Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](Error): PAC issue: PAC
> >record claims domain SID different to 

[Freeipa-users] Re: IPA WebGUI login fails with "Login failed due to an unknown reason"

2022-01-31 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 01 Feb 2022, code bugs wrote:

Thank you for your prompt response.
here is the output of /var/log/krb5kdc.log during my login attempt.

Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.2.1.50:
NEEDED_PREAUTH: host/ipa1.example@example.com for krbtgt/
example@example.com, Additional pre-authentication required
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.2.1.50:
ISSUE: authtime 1643657110, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/
ipa1.example@example.com for krbtgt/example@example.com
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
ISSUE: authtime 1643657110, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/
ipa1.example@example.com for ldap/ipa1.example@example.com
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:43 ipa1.example.com krb5kdc[3753](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
NEEDED_PREAUTH: WELLKNOWN/anonym...@example.com for krbtgt/
example@example.com, Additional pre-authentication required
Feb 01 00:25:43 ipa1.example.com krb5kdc[3753](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
WELLKNOWN/anonym...@example.com for krbtgt/example@example.com
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
NEEDED_PREAUTH: mukh...@example.com for krbtgt/example@example.com,
Additional pre-authentication required
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
mukh...@example.com for krbtgt/example@example.com
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](Error): PAC issue: PAC
record claims domain SID different to local domain SID or any trusted
domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [
S-1-5-21-4279381677-1236361367-2895659079]


Ok, this looks exactly like a problem I referenced. Please follow that
thread with solutions.


Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ :
handle_authdata (-1765328364)
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)}
mukh...@example.com for HTTP/ipa1.example@example.com, TGT has been
revoked
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](Error): PAC issue: PAC
record claims domain SID different to local domain SID or any trusted
domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [
S-1-5-21-4279381677-1236361367-2895659079]
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): TGS_REQ :
handle_authdata (-1765328364)
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): TGS_REQ (6 etypes

[Freeipa-users] Re: IPA WebGUI login fails with "Login failed due to an unknown reason"

2022-01-31 Thread Rob Crittenden via FreeIPA-users
code bugs via FreeIPA-users wrote:
> Thank you for your prompt response.
> here is the output of /var/log/krb5kdc.log during my login attempt.
[snip]
> Feb 01 00:25:44 ipa1.example.com 
> krb5kdc[3754](Error): PAC issue: PAC record claims domain SID different
> to local domain SID or any trusted domain SID: local
> [S-1-5-21-4170108275-2486169439-623049963], PAC
> [S-1-5-21-4279381677-1236361367-2895659079]

This is the problem.

See
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6

rob

> 
> 
> There is not much activity log in  /var/log/httpd/error_log:
> 
> [Tue Feb 01 00:20:59.340501 2022] [wsgi:error] [pid 10150:tid
> 139780524480256] [remote 10.2.3.188:49652 ]
> ipa: INFO: [jsonserver_i18n_messages] UNKNOWN:
> i18n_messages(version='2.245'): SUCCESS
> [Tue Feb 01 00:25:44.539447 2022] [wsgi:error] [pid 10149:tid
> 139780524480256] [remote 10.2.3.188:49753 ]
> ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. 
> Minor code may provide more information, Minor (2598844948): TGT has
> been revoked
> 
> On Tue, Feb 1, 2022 at 12:17 AM Alexander Bokovoy wrote:
> 
> On Sat, 29 Jan 2022, code bugs via FreeIPA-users wrote:
> >Hello,
> >
> >-IPA WebGUI login fails with "Login failed due to an unknown reason"
> >-After upgrading IPA, can no longer log into the WebGUI
> >Version/Release/Distribution
> >
> >$ cat /etc/centos-release
> >CentOS Linux release 8.5.2111
> >$ rpm -q freeipa-server freeipa-client ipa-server ipa-client
> 389-ds-base
> >pki-ca krb5-server
> >package freeipa-server is not installed
> >package freeipa-client is not installed
> >ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
> >ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
> >389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
> >pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
> >krb5-server-1.18.2-14.el8.x86_64
> >Additional info:
> >
> >tail /var/log/httpd/error_log
> >
> >[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404
> ] ipa:
> >INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure.
> Minor code
> >may provide more information, Minor (2598844948): TGT has been revoked
> 
> Please show entries in /var/log/krb5kdc.log corresponding to this
> timeframe. If TGT is revoked, it most likely is documented why in that
> log. Also, if possible, show other requests in httpd's error_log for the
> same timeframe -- if that was Web UI login, there would be few around
> this error.
> 
> One possible problem could be what is documented in
> 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
> but then it would not be possible to get a Kerberos ticket in kinit as
> well. Perhaps, you have a problem with anonymous PKINIT on this host
> instead.
> 
> >
> >further,
> >
> >   1. default "admin" user can IPA WebGUIlogin
> >   2. other users cannot login  IPA WebGUIlogin, but can login
> using cli
> >   (kinit)
> >   3. when i create a new user, the new user can login IPA WebGUI.
> 
> 
> 
> 
> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
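
The krb5kdc.log pattern pointed out in the reply above (a "PAC issue" error followed by a TGS_REQ refused with "TGT has been revoked") can be pulled out of a log mechanically. The following is an added example, not code from the posters or from FreeIPA: it re-joins mail-wrapped log lines, extracts the local and PAC domain SIDs, and pairs each PAC error with the rejected request logged by the same KDC worker PID. The function names are hypothetical, and the host names, principals and SIDs in the sample log are constructed.

```python
import re
from collections import defaultdict

# Start of a krb5kdc record: "Feb 01 00:25:44 host krb5kdc[3754](Error): ..."
RECORD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$"
)
# Tolerates whitespace inside the brackets, which line wrapping introduces.
PAC_ISSUE = re.compile(
    r"PAC issue: .*?local\s*\[\s*(?P<local>S-1-[\d-]+)\s*\],\s*"
    r"PAC\s*\[\s*(?P<pac>S-1-[\d-]+)\s*\]"
)
REVOKED = re.compile(
    r"HANDLE_AUTHDATA: .*?\},?\s*(?P<client>\S+) for (?P<service>\S+), "
    r"TGT has been revoked"
)


def unwrap(text):
    """Join continuation lines onto the record they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def find_pac_rejections(text):
    """Return one finding per PAC SID mismatch, with the refused request if logged."""
    findings = []
    pending = {}  # KDC worker pid -> finding still waiting for its TGS_REQ outcome
    for raw in unwrap(text):
        rec = RECORD.match(raw).groupdict()
        m = PAC_ISSUE.search(rec["msg"])
        if m:
            finding = {
                "time": rec["ts"], "pid": rec["pid"],
                "local_sid": m["local"], "pac_sid": m["pac"],
                "client": None, "service": None,
            }
            findings.append(finding)
            pending[rec["pid"]] = finding
            continue
        m = REVOKED.search(rec["msg"])
        if m and rec["pid"] in pending:
            finding = pending.pop(rec["pid"])
            finding["client"], finding["service"] = m["client"], m["service"]
    return findings


def affected_principals(findings):
    """Map each rejected client principal to the foreign domain SIDs seen in its PAC."""
    by_client = defaultdict(set)
    for f in findings:
        by_client[f["client"] or "<unknown>"].add(f["pac_sid"])
    return {client: sorted(sids) for client, sids in by_client.items()}


# Constructed sample in the format shown in this thread (all values are made up).
SAMPLE_LOG = """\
Feb 01 00:25:44 ipa1.example.test krb5kdc[3755](info): AS_REQ (2 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.5:
ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Feb 01 00:25:44 ipa1.example.test krb5kdc[3754](Error): PAC issue: PAC
record claims domain SID different to local domain SID or any trusted
domain SID: local [S-1-5-21-1111111111-2222222222-3333333333], PAC [
S-1-5-21-4444444444-5555555555-6666666666]
Feb 01 00:25:44 ipa1.example.test krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.test krb5kdc[3754](info): TGS_REQ :
handle_authdata (-1765328364)
Feb 01 00:25:44 ipa1.example.test krb5kdc[3754](info): TGS_REQ (2 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.5:
HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)}
alice@EXAMPLE.TEST for HTTP/ipa1.example.test@EXAMPLE.TEST, TGT has been
revoked
Feb 01 00:26:02 ipa1.example.test krb5kdc[3755](Error): PAC issue: PAC
record claims domain SID different to local domain SID or any trusted
domain SID: local [S-1-5-21-1111111111-2222222222-3333333333], PAC [
S-1-5-21-4444444444-5555555555-6666666666]
"""

if __name__ == "__main__":
    for f in find_pac_rejections(SAMPLE_LOG):
        print(f)
    print(affected_principals(find_pac_rejections(SAMPLE_LOG)))
```

A finding whose client is None means the log ended (or was cut, as in a pasted excerpt) before the matching TGS_REQ line from that worker.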


[Freeipa-users] Re: IPA WebGUI login fails with "Login failed due to an unknown reason"

2022-01-31 Thread code bugs via FreeIPA-users
Thank you for your prompt response.
here is the output of /var/log/krb5kdc.log during my login attempt.

Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.2.1.50:
NEEDED_PREAUTH: host/ipa1.example@example.com for krbtgt/
example@example.com, Additional pre-authentication required
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), camellia128-cts-cmac(25),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.2.1.50:
ISSUE: authtime 1643657110, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/
ipa1.example@example.com for krbtgt/example@example.com
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
ISSUE: authtime 1643657110, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/
ipa1.example@example.com for ldap/ipa1.example@example.com
Feb 01 00:25:10 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:43 ipa1.example.com krb5kdc[3753](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
NEEDED_PREAUTH: WELLKNOWN/anonym...@example.com for krbtgt/
example@example.com, Additional pre-authentication required
Feb 01 00:25:43 ipa1.example.com krb5kdc[3753](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
WELLKNOWN/anonym...@example.com for krbtgt/example@example.com
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
NEEDED_PREAUTH: mukh...@example.com for krbtgt/example@example.com,
Additional pre-authentication required
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
ISSUE: authtime 1643657144, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
mukh...@example.com for krbtgt/example@example.com
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](Error): PAC issue: PAC
record claims domain SID different to local domain SID or any trusted
domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [
S-1-5-21-4279381677-1236361367-2895659079]
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ :
handle_authdata (-1765328364)
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.2.1.50:
HANDLE_AUTHDATA: authtime 1643657144, etypes {rep=UNSUPPORTED:(0)}
mukh...@example.com for HTTP/ipa1.example@example.com, TGT has been
revoked
Feb 01 00:25:44 ipa1.example.com krb5kdc[3754](info): closing down fd 12
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](Error): PAC issue: PAC
record claims domain SID different to local domain SID or any trusted
domain SID: local [S-1-5-21-4170108275-2486169439-623049963], PAC [
S-1-5-21-4279381677-1236361367-2895659079]
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): TGS_REQ :
handle_authdata (-1765328364)
Feb 01 00:25:44 ipa1.example.com krb5kdc[3755](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), 

[Freeipa-users] Re: IPA WebGUI login fails with "Login failed due to an unknown reason"

2022-01-31 Thread Alexander Bokovoy via FreeIPA-users

On Sat, 29 Jan 2022, code bugs via FreeIPA-users wrote:

Hello,

-IPA WebGUI login fails with "Login failed due to an unknown reason"
-After upgrading IPA, can no longer log into the WebGUI
Version/Release/Distribution

$ cat /etc/centos-release
CentOS Linux release 8.5.2111
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base
pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
krb5-server-1.18.2-14.el8.x86_64
Additional info:

tail /var/log/httpd/error_log

[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa:
INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code
may provide more information, Minor (2598844948): TGT has been revoked


Please show entries in /var/log/krb5kdc.log corresponding to this
timeframe. If TGT is revoked, it most likely is documented why in that
log. Also, if possible, show other requests in httpd's error_log for the
same timeframe -- if that was Web UI login, there would be few around
this error.

One possible problem could be what is documented in
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
but then it would not be possible to get a Kerberos ticket in kinit as
well. Perhaps, you have a problem with anonymous PKINIT on this host
instead.



further,

  1. default "admin" user can IPA WebGUI login
  2. other users cannot login IPA WebGUI login, but can login using cli
  (kinit)
  3. when I create a new user, the new user can login IPA WebGUI.





--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Fwd: IPA WebGUI login fails with "Login failed due to an unknown reason"

2022-01-31 Thread code bugs via FreeIPA-users
Hello,
I am having an issue after upgrading the IPA. Details are as follows.

-IPA WebGUI login fails with "Login failed due to an unknown reason"
-After upgrading IPA, can no longer log into the WebGUI
Version/Release/Distribution

$ cat /etc/centos-release
CentOS Linux release 8.5.2111
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base
pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
krb5-server-1.18.2-14.el8.x86_64
Additional info:

tail /var/log/httpd/error_log

[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa:
INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code
may provide more information, Minor (2598844948): TGT has been revoked

further,

   1. default "admin" user can IPA WebGUI login
   2. other users cannot login IPA WebGUI login, but can login using cli
   (kinit)
   3. when I create a new user, the new user can login IPA WebGUI.


[Freeipa-users] IPA WebGUI login fails with "Login failed due to an unknown reason"

2022-01-31 Thread code bugs via FreeIPA-users
Hello,

-IPA WebGUI login fails with "Login failed due to an unknown reason"
-After upgrading IPA, can no longer log into the WebGUI
Version/Release/Distribution

$ cat /etc/centos-release
CentOS Linux release 8.5.2111
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base
pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
ipa-client-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
389-ds-base-1.4.3.23-12.module_el8.5.0+1056+b3c5a4b9.x86_64
pki-ca-10.11.2-2.module_el8.5.0+945+a81e57da.noarch
krb5-server-1.18.2-14.el8.x86_64
Additional info:

tail /var/log/httpd/error_log

[wsgi:error] [pid 8833:tid 139812622513920] [remote 10.2.3.80:51404] ipa:
INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code
may provide more information, Minor (2598844948): TGT has been revoked

further,

   1. default "admin" user can IPA WebGUI login
   2. other users cannot login IPA WebGUI login, but can login using cli
   (kinit)
   3. when I create a new user, the new user can login IPA WebGUI.


[Freeipa-users] Re: freeipa with sudo and 2FA (OTP)

2022-01-31 Thread kolev rub via FreeIPA-users
Many thanks!


[Freeipa-users] Re: missing attribute "krbPrincipalName" required by object class "ipaKrbPrincipal"

2022-01-31 Thread Florence Blanc-Renaud via FreeIPA-users
Hi

this error is also a known issue, #8865 "[Tracker] ipa-replica-install fails
on 2nd run (f35+)" / #3544 "ipa-replica-install fails to reinstall a replica
(rawhide)".
It's been fixed with pki updates 11.1.0-0.1.alpha1 and 11.0.2-1.fc35 on
Fedora.

The workaround is to manually delete the entry uid=CA--8443,ou=People,o=ipaca before calling ipa-replica-install, for
instance with:
# ldapdelete -D "cn=Directory Manager" -w $PWD \
    uid=CA-replica1.ipa.test-8443,ou=People,o=ipaca

You will need to do the whole process with ipa server-del /
ipa-server-install --uninstall etc...
HTH,
flo

On Fri, Jan 28, 2022 at 7:07 PM Brian J. Murrell wrote:

> On Fri, 2022-01-28 at 16:02 +0100, Florence Blanc-Renaud wrote:
> > Hi,
> > you can do
> > (on another server)
> > $ ipa server-del --force server.example.com
>
> # ipa server-del --force server.example.com
> Removing server.example.com from replication topology, please wait...
> ipa: WARNING: Forcing removal of server.example.com
> ipa: WARNING: Failed to cleanup server.example.com DNS entries: no
> matching entry found
> ipa: WARNING: You may need to manually remove them from the tree
> ipa: WARNING: Server has already been deleted
> ---
> Deleted IPA server "server.example.com"
> ---
>
> > This should clean up all references to server.example.com
>
> Hopefully it did. :-)
>
> > (on server.example.com)
> > $ ipa-client-install --uninstall -U
> > $ kdestroy -A
> > $ ipa-client-install ...
> > $ kinit admin
> > $ ipa-replica-install ...
>
> This has now gotten as far as:
>
>
> # ipa-replica-install --setup-ca --ip-address 10.75.22.247 --setup-dns
> --no-forwarders
> ...
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>   [1/29]: creating certificate server db
>   [2/29]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 12 seconds elapsed
> Update succeeded
>
>   [3/29]: creating ACIs for admin
>   [4/29]: creating installation admin user
>   [5/29]: configuring certificate server instance
> Failed to configure CA instance
> See the installation logs and the following files/directories for more
> information:
>   /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> CA configuration failed.
> The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
>
> At the end of /var/log/ipareplica-install.log is the error:
>
> com.netscape.certsrv.base.ConflictingOperationException: Entry already
> exists.
> at
> com.netscape.certsrv.ldap.LDAPExceptionConverter.toPKIException(LDAPExceptionConverter.java:45)
> at
> com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:720)
> at
> org.dogtagpki.server.cli.SubsystemUserAddCLI.execute(SubsystemUserAddCLI.java:180)
> at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
> at org.dogtagpki.cli.CLI.execute(CLI.java:357)
> at
> org.dogtagpki.server.cli.PKIServerCLI.execute(PKIServerCLI.java:93)
> at
> org.dogtagpki.server.cli.PKIServerCLI.main(PKIServerCLI.java:123)
> Caused by: netscape.ldap.LDAPException: error result (68); Already exists
> at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
> at netscape.ldap.LDAPConnection.add(Unknown Source)
> at netscape.ldap.LDAPConnection.add(Unknown Source)
> at netscape.ldap.LDAPConnection.add(Unknown Source)
> at
> com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:717)
> ... 7 more
> CalledProcessError: Command '['/usr/sbin/runuser', '-u', 'pkiuser', '--',
> '/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-classpath',
> '/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*',
> '-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory',
> '-Dcatalina.base=/var/lib/pki/pki-tomcat',
> '-Dcatalina.home=/usr/share/tomcat', '-Djava.endorsed.dirs=',
> '-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp',
> '-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties',
> '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager',
> '-Dcom.redhat.fips=false', 'org.dogtagpki.server.cli.PKIServerCLI',
> 'ca-user-add', '--full-name', 'CA-server.example.com-8443', '--type',
> 'agentType', '--state', '1', '--debug', 'CA-server.example.com-8443']'
> returned non-zero exit status 255.
>   File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line
> 575, in main
> 
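
The workaround described in the reply above, as an added shell example that is not from the thread or the FreeIPA project: it builds the entry DN from the replica hostname, saves the entry to LDIF, and only then deletes it. The LDAP URI, the password prompt (`-W`), the backup directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example: back up, then delete, the stale Dogtag subsystem user
# left behind by a failed ipa-replica-install.
# Assumptions (not from the thread): ldap://localhost, simple bind with a
# password prompt (-x -W), backups written to /root.
# The uid=CA-<host>-8443 form and the o=ipaca suffix come from the thread.

CA_SUFFIX="ou=People,o=ipaca"

# Build the DN of the subsystem user for a replica FQDN.
# Refuse anything that is not a plain DNS name, so no character that is
# special in a DN (, = + " \ < > ; #) can end up in the delete target.
ca_user_dn() {
    host=$1
    case $host in
        ''|*[!A-Za-z0-9.-]*|.*|*.|-*) return 1 ;;
    esac
    printf 'uid=CA-%s-8443,%s\n' "$host" "$CA_SUFFIX"
}

# Save the entry as LDIF, then delete it. Stops if the entry is absent.
remove_stale_ca_user() {
    dn=$(ca_user_dn "$1") || { echo "invalid hostname: $1" >&2; return 2; }
    backup="${BACKUP_DIR:-/root}/ca-user-$1.ldif"
    uri="${LDAP_URI:-ldap://localhost}"

    # Base-scope search returns only this entry; ldapsearch exits with
    # the LDAP result code, 32 (no such object) when the entry is missing.
    if ! ldapsearch -LLL -x -H "$uri" -D "cn=Directory Manager" -W \
            -s base -b "$dn" '*' '+' > "$backup"; then
        rm -f "$backup"
        echo "entry not found or bind failed: $dn" >&2
        return 1
    fi
    echo "saved $dn to $backup"
    ldapdelete -x -H "$uri" -D "cn=Directory Manager" -W "$dn"
}

# Usage: remove_stale_ca_user replica1.ipa.test
```

The saved LDIF can be re-added with `ldapadd` if the wrong entry was removed.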

[Freeipa-users] Re: Need help with confusing query results

2022-01-31 Thread Thierry Bordaz via FreeIPA-users

Hi Edward,

It looks like the fixup task stops upon the first error. I do not know if 
it is intentional or a bug. The error is possibly related to schema 
checking, could you send the ldif format of entry 'uid=user1, 
cn=users,...' ?


regards
thierry


On 1/29/22 11:36 PM, Edward Valley via FreeIPA-users wrote:

Hi Thierry,

Manually creating the task makes it run, but not with the expected result:

DATE_NOW="$(date +%s)"
ldapmodify -h localhost -D "cn=Directory Manager" -w "..." -a < fixup 
failed -> uid=user1,cn=users,cn=accounts,dc=... Operation
[...] - INFO - plugins/entryuuid/src/lib.rs:182 - task_handler -> fixup 
complete, success!

It simply stops when attempting to change the first user matching the filter.
If the filter directly points to a user that already has an entryUUID 
attribute, a success message is printed.

The error is maybe not related to the plugin, but I don't have any replication 
problem.
It isn't clear to me.

Thanks