[Freeipa-users] Re: ERR - attrlist_replace - attr_replace (nsslapd-referral,

2018-08-01 Thread James Harrison via FreeIPA-users
Any ideas, anyone? 
 
On Tue, 31 Jul 2018 at 13:22, James Harrison via FreeIPA-users wrote:

Hello,
We have a machine with the following set up:
CentOS Linux release 7.4.1708 (Core)
ipa-server-4.5.0-21.el7.centos.2.2.x86_64
CA-less setup 

We're getting a lot of errors on one of our FreeIPA servers. Hope you can help.
Many thanks,
James Harrison

[31/Jul/2018:12:19:05.542401358 +0100] - ERR - cos-plugin - cos_dn_defs_cb - 
Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=int,dc=DOMAIN,dc=com--no CoS Templates found, which 
should be added before the CoS Definition.
[31/Jul/2018:12:19:05.611267011 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:05.613868420 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:05.634974836 +0100] - ERR - schema-compat-plugin - 
schema-compat-plugin tree scan will start in about 5 seconds!
[31/Jul/2018:12:19:05.646685174 +0100] - ERR - set_krb5_creds - Could not get 
initial credentials for principal [ldap/pul-system-01.DOMAINNAME@DOMAINNAME] in 
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jul/2018:12:19:05.657290290 +0100] - INFO - slapd_daemon - slapd started.  
Listening on All Interfaces port 389 for LDAP requests
[31/Jul/2018:12:19:05.660478907 +0100] - INFO - slapd_daemon - Listening on All 
Interfaces port 636 for LDAPS requests
[31/Jul/2018:12:19:05.664268080 +0100] - INFO - slapd_daemon - Listening on 
/var/run/slapd-INT-DOMAIN-COM.socket for LDAPI requests
[31/Jul/2018:12:19:05.712942138 +0100] - ERR - NSMMReplicationPlugin - 
bind_and_check_pwp - 
agmt="cn=pul-system-01.DOMAINNAME-to-pul-system-02.DOMAINNAME" 
(pul-system-02:389) - Replication bind with GSSAPI auth failed: LDAP error -6 
(Unknown authentication method) (SASL(-4): no mechanism available: No worthy 
mechs found)
[31/Jul/2018:12:19:08.916600270 +0100] - INFO - NSMMReplicationPlugin - 
bind_and_check_pwp - 
agmt="cn=pul-system-01.DOMAINNAME-to-pul-system-02.DOMAINNAME" 
(pul-system-02:389): Replication bind with GSSAPI auth resumed
[31/Jul/2018:12:19:11.139026788 +0100] - ERR - schema-compat-plugin - warning: 
no entries set up under cn=computers, cn=compat,dc=int,dc=DOMAIN,dc=com
[31/Jul/2018:12:19:11.143128988 +0100] - ERR - schema-compat-plugin - Finished 
plugin initialization.
[31/Jul/2018:12:19:26.258468102 +0100] - ERR - ipa-topology-plugin - 
ipa_topo_util_get_replica_conf: server configuration missing
[31/Jul/2018:12:19:26.261488755 +0100] - ERR - ipa-topology-plugin - 
ipa_topo_util_get_replica_conf: cannot create replica
[31/Jul/2018:12:19:41.405312942 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:41.407352984 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:41.409312145 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:44.484329977 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:44.489032389 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:44.490775486 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:46.882743610 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:46.887246145 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:46.889667896 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/74AVLHM4KQ3NT67RGABKUJOL4CTCLW6X/
  

[Freeipa-users] ERR - attrlist_replace - attr_replace (nsslapd-referral,

2018-07-31 Thread James Harrison via FreeIPA-users
Hello,
We have a machine with the following set up:
CentOS Linux release 7.4.1708 (Core)
ipa-server-4.5.0-21.el7.centos.2.2.x86_64
CA-less setup 

We're getting a lot of errors on one of our FreeIPA servers. Hope you can help.
Many thanks,
James Harrison

[31/Jul/2018:12:19:05.542401358 +0100] - ERR - cos-plugin - cos_dn_defs_cb - 
Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=int,dc=DOMAIN,dc=com--no CoS Templates found, which 
should be added before the CoS Definition.
[31/Jul/2018:12:19:05.611267011 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:05.613868420 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:05.634974836 +0100] - ERR - schema-compat-plugin - 
schema-compat-plugin tree scan will start in about 5 seconds!
[31/Jul/2018:12:19:05.646685174 +0100] - ERR - set_krb5_creds - Could not get 
initial credentials for principal [ldap/pul-system-01.DOMAINNAME@DOMAINNAME] in 
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jul/2018:12:19:05.657290290 +0100] - INFO - slapd_daemon - slapd started.  
Listening on All Interfaces port 389 for LDAP requests
[31/Jul/2018:12:19:05.660478907 +0100] - INFO - slapd_daemon - Listening on All 
Interfaces port 636 for LDAPS requests
[31/Jul/2018:12:19:05.664268080 +0100] - INFO - slapd_daemon - Listening on 
/var/run/slapd-INT-DOMAIN-COM.socket for LDAPI requests
[31/Jul/2018:12:19:05.712942138 +0100] - ERR - NSMMReplicationPlugin - 
bind_and_check_pwp - 
agmt="cn=pul-system-01.DOMAINNAME-to-pul-system-02.DOMAINNAME" 
(pul-system-02:389) - Replication bind with GSSAPI auth failed: LDAP error -6 
(Unknown authentication method) (SASL(-4): no mechanism available: No worthy 
mechs found)
[31/Jul/2018:12:19:08.916600270 +0100] - INFO - NSMMReplicationPlugin - 
bind_and_check_pwp - 
agmt="cn=pul-system-01.DOMAINNAME-to-pul-system-02.DOMAINNAME" 
(pul-system-02:389): Replication bind with GSSAPI auth resumed
[31/Jul/2018:12:19:11.139026788 +0100] - ERR - schema-compat-plugin - warning: 
no entries set up under cn=computers, cn=compat,dc=int,dc=DOMAIN,dc=com
[31/Jul/2018:12:19:11.143128988 +0100] - ERR - schema-compat-plugin - Finished 
plugin initialization.
[31/Jul/2018:12:19:26.258468102 +0100] - ERR - ipa-topology-plugin - 
ipa_topo_util_get_replica_conf: server configuration missing
[31/Jul/2018:12:19:26.261488755 +0100] - ERR - ipa-topology-plugin - 
ipa_topo_util_get_replica_conf: cannot create replica
[31/Jul/2018:12:19:41.405312942 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:41.407352984 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:41.409312145 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:44.484329977 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:44.489032389 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:44.490775486 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:46.882743610 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:46.887246145 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:46.889667896 +0100] - ERR - attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.


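The errors log above is hard to read by eye: the same nsslapd-referral failure repeats for every referral target, and the interesting question about the replication entry is whether the GSSAPI bind failure at 12:19:05 was ever followed by the "resumed" entry (here it was, three seconds later). The script below is an added example, not code from the thread or from the FreeIPA or 389-ds projects. It parses 389-ds errors-log entries, counts them per component, pulls the referral targets out of the attr_replace failures, and pairs each "auth failed" with a later "auth resumed" for the same agreement so only agreements that never recovered are reported. The sample log is constructed from the entries above, written one entry per line as ns-slapd does (the mail client wrapped the originals); the second agreement, "-to-cro-system-02", is invented to show an unrecovered bind.

```python
"""Triage a 389-ds (ns-slapd) errors log: counts per component, referral targets
and replication agreements whose GSSAPI bind failed and never resumed."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample modelled on the thread's log. The "-to-cro-system-02"
# agreement is invented so that one bind failure is never followed by "resumed".
ERRORS_LOG = """\
[31/Jul/2018:12:19:05.542401358 +0100] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=int,dc=DOMAIN,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jul/2018:12:19:05.611267011 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:05.613868420 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:05.646685174 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/pul-system-01.DOMAINNAME@DOMAINNAME] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jul/2018:12:19:05.657290290 +0100] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[31/Jul/2018:12:19:05.712942138 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=pul-system-01.DOMAINNAME-to-pul-system-02.DOMAINNAME" (pul-system-02:389) - Replication bind with GSSAPI auth failed: LDAP error -6 (Unknown authentication method) (SASL(-4): no mechanism available: No worthy mechs found)
[31/Jul/2018:12:19:05.720000000 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=pul-system-01.DOMAINNAME-to-cro-system-02.DOMAINNAME" (cro-system-02:389) - Replication bind with GSSAPI auth failed: LDAP error -6 (Unknown authentication method) (SASL(-4): no mechanism available: No worthy mechs found)
[31/Jul/2018:12:19:08.916600270 +0100] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=pul-system-01.DOMAINNAME-to-pul-system-02.DOMAINNAME" (pul-system-02:389): Replication bind with GSSAPI auth resumed
[31/Jul/2018:12:19:44.484329977 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
"""

# "[timestamp] - LEVEL - component - message"; the component never contains spaces.
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<component>\S+) - (?P<msg>.*)$")
REFERRAL_RE = re.compile(r"attr_replace \(nsslapd-referral, (?P<url>ldap://[^)]+)\) failed")
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)"')


def parse_ts(raw):
    """389-ds logs nanoseconds; strptime's %f accepts at most six digits, so truncate."""
    stamp, tz = raw.split(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]} {tz}", "%d/%b/%Y:%H:%M:%S.%f %z")


def parse_errors_log(text):
    """Return one dict per well-formed entry, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"ts": parse_ts(m["ts"]), "level": m["level"],
                            "component": m["component"], "msg": m["msg"]})
    return entries


def summarize(entries):
    """Counter keyed by (level, component): the quickest way to see what dominates."""
    return Counter((e["level"], e["component"]) for e in entries)


def referral_targets(entries):
    """Which hosts the failing nsslapd-referral updates point at, with counts."""
    targets = Counter()
    for e in entries:
        m = REFERRAL_RE.search(e["msg"])
        if m:
            targets[urlsplit(m["url"]).netloc.split(":")[0]] += 1
    return targets


def replication_bind_state(entries):
    """Last known GSSAPI bind state per agreement.

    Returns {agreement: (state, seconds_until_resumed)}; seconds is None while failed.
    The first failure time is kept so repeated failures measure from the original one."""
    failed_at, state = {}, {}
    for e in entries:
        if e["component"] != "NSMMReplicationPlugin":
            continue
        m = AGMT_RE.search(e["msg"])
        if not m:
            continue
        agmt = m["agmt"]
        if "Replication bind with GSSAPI auth failed" in e["msg"]:
            failed_at.setdefault(agmt, e["ts"])
            state[agmt] = ("failed", None)
        elif "Replication bind with GSSAPI auth resumed" in e["msg"]:
            started = failed_at.pop(agmt, e["ts"])
            state[agmt] = ("resumed", (e["ts"] - started).total_seconds())
    return state


def unresolved_replication_binds(entries):
    """Agreements whose last bind event is still 'failed': the ones worth chasing."""
    return sorted(a for a, (s, _) in replication_bind_state(entries).items() if s == "failed")


if __name__ == "__main__":
    entries = parse_errors_log(ERRORS_LOG)
    for (level, component), n in summarize(entries).most_common():
        print(f"{n:4d}  {level:<5} {component}")
    print("referral targets:", dict(referral_targets(entries)))
    print("replication bind state:", replication_bind_state(entries))
    print("still failing:", unresolved_replication_binds(entries))
```

Run it against a real /var/log/dirsrv/slapd-*/errors by reading the file into `parse_errors_log`; across the twelve servers mentioned later in the thread, the referral-target counts show which peers every server is complaining about, and the bind state shows whether any agreement stayed down after startup.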


[Freeipa-users] Re: Freeipa connecting to Redhat IPA server.

2017-12-15 Thread James Harrison via FreeIPA-users
Hi,
How much RAM does the FreeIPA server have?
Thanks
 

On Friday, 15 December 2017, 04:17:52 GMT, Tony Delov via FreeIPA-users wrote:

I've been having difficulties connecting a freeipa-client on Ubuntu 16.06 LTS 
to a Redhat IPA server that has a trusted connection to Microsoft AD server.

Ssh authentications are pretty slow; however, once I do get on, I find sudo 
commands often do not work for several minutes, saying I am "not in the 
sudoers file." This is even though I am in the same group in the access.conf 
file and a sudoers file.

I think the initial slowness is due to the fact that our AD system has lots of 
groups and I am part of many large groups with many users. I've been checking 
the sssd cache file, and I can see that ssh authentication does not even start 
until almost all groups I am a member of have been added to the cache. However, 
that does not explain why sudo is being delayed as the groups are already 
cached.

Has anyone got any advice about setting up a freeipa-client on Ubuntu to 
connect to a Redhat IPA server?
Has anyone else experienced difficulties with sudo commands?
Group membership not listing all the groups a person is a member of all the 
time.
id




IPA Client.

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
 
# dpkg --list | grep freeipa
ii  freeipa-client  4.3.1-0ubuntu1  amd64  FreeIPA centralized identity framework -- client
ii  freeipa-common  4.3.1-0ubuntu1  all    FreeIPA centralized identity framework -- common files

IPA Server
# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 (Maipo)


# rpm -qa | grep "ipa-"
sssd-ipa-1.15.2-50.el7_4.6.x86_64
ipa-common-4.5.0-21.el7_4.2.2.noarch
ipa-server-4.5.0-21.el7_4.2.2.x86_64
ipa-client-common-4.5.0-21.el7_4.2.2.noarch
ipa-client-4.5.0-21.el7_4.2.2.x86_64
ipa-server-common-4.5.0-21.el7_4.2.2.noarch
ipa-server-trust-ad-4.5.0-21.el7_4.2.2.x86_64




Regards,
Tony D



 



[Freeipa-users] ERR - ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing

2017-12-14 Thread James Harrison via FreeIPA-users
Hello,
I'm reinstalling a replica FreeIPA server in a CA-less environment.
I looked online and found 
https://www.redhat.com/archives/freeipa-users/2016-December/msg00391.html which 
is similar (or exactly the problem), but there's no solid resolution. I recopied 
/etc/ipa/ca.crt to the new server from an existing ipa server. 
[root@cro-lv-ipa-01 log]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
[root@cro-lv-ipa-01 log]# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core) 

Not sure what to do. 
Really appreciate any help.
Many thanks,
James

Below is a snip from log files:
Dec 14 15:34:34 cro-lv-ipa-01.int.DOMAIN.com 
ns-slapd[19065]: [14/Dec/2017:15:34:34.546670082 +] - NOTICE - 
NSMMReplicationPlugin - multimaster_be_state_change - Replica 
dc=int,dc=DOMAIN,dc=com is going offline; disabling replication
Dec 14 15:34:34 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:34.756581200 +] - INFO - dblayer_instance_start - Import 
is running with nsslapd-db-private-import-mem on; No other process is allowed 
to access the database
Dec 14 15:34:35 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server 
step 1
Dec 14 15:34:35 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server 
step 2
Dec 14 15:34:35 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server 
step 3
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:37.608407982 +] - INFO - import_monitor_threads - import 
userRoot: Workers finished; cleaning up...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:37.845823301 +] - INFO - import_monitor_threads - import 
userRoot: Workers cleaned up.
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:37.862303717 +] - INFO - import_main_offline - import 
userRoot: Indexing complete.  Post-processing...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:37.879128392 +] - INFO - import_main_offline - import 
userRoot: Generating numsubordinates (this may take several minutes to 
complete)...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:37.926416316 +] - INFO - import_main_offline - import 
userRoot: Generating numSubordinates complete.
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:37.937805159 +] - INFO - ldbm_get_nonleaf_ids - import 
userRoot: Gathering ancestorid non-leaf IDs...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:37.954558879 +] - INFO - ldbm_get_nonleaf_ids - import 
userRoot: Finished gathering ancestorid non-leaf IDs.
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:37.988095437 +] - INFO - 
ldbm_ancestorid_new_idl_create_index - import userRoot: Creating ancestorid 
index (new idl)...
Dec 14 15:34:38 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:38.037871941 +] - INFO - 
ldbm_ancestorid_new_idl_create_index - import userRoot: Created ancestorid 
index (new idl).
Dec 14 15:34:38 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:38.054977988 +] - INFO - import_main_offline - import 
userRoot: Flushing caches...
Dec 14 15:34:38 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:38.071740106 +] - INFO - import_main_offline - import 
userRoot: Closing files...
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:39.087512816 +] - INFO - import_main_offline - import 
userRoot: Import complete.  Processed 2258 entries in 5 seconds. (451.60 
entries/sec)
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:39.108388854 +] - ERR - ipa-topology-plugin - 
ipa_topo_be_state_change - backend userRoot is coming online; checking domain 
level and init shared topology
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:39.144415357 +] - NOTICE - NSMMReplicationPlugin - 
multimaster_be_state_change - Replica dc=int,dc=DOMAIN,dc=com is coming online; 
enabling replication
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client 
step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:39.194223235 +] - ERR - cos-plugin - cos_dn_defs_cb - 
Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=int,dc=DOMAIN,dc=com--no CoS Templates found, which 
should be added before the CoS Definition.
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client 
step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client 
step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client 
step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: 
[14/Dec/2017:15:34:39.216305850 +] - ERR - NSACLPlugin - acl_parse - The 
ACL target cn=groups,cn=compat,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 

[Freeipa-users] Re: Unable to create GSSAPI-encrypted LDAP connection

2017-12-04 Thread James Harrison via FreeIPA-users
UPDATE:
The principal info was wrong. I did this and the error hasn't shown up since:
[root@ipa-02 ~]# ipa-getkeytab --keytab=/etc/krb5.keytab --server ipa-01 -p 
host/ipa-02 --retrieve
Keytab successfully retrieved and stored in: /etc/krb5.keytab

Thanks for all your help.
 

On Monday, 4 December 2017, 09:53:55 GMT, Sumit Bose via FreeIPA-users wrote:

On Mon, Dec 04, 2017 at 09:37:41AM +, James Harrison wrote:
>  I ran the ipa-getkeytab command you suggested below:
> This was what I got. BTW: The IPAUSER is an admin user, but not the "admin" 
> user. I got the same result with the admin user.
> 
> 
> ~] IPA-02 #  kinit IPAUSER Password for x_ipau...@int.example.com: 
> 
> ~] IPA-02 # ipa-getkeytab --keytab=/etc/krb5.keytab --server ipa-01 -p 
> IPAUSER --retrieve
> Failed to parse result: Insufficient access rights

The keytab content should be protected like a clear text password, hence
not even IPA admin users have access by default and I would recommend to
only use the --retrieve option of ipa-getkeytab if it is really needed,
i.e. that the keys really have to be used at two different places and
there is no other secure way to copy the keytab content. If you just
want to get /etc/krb5.keytab up-to-date, just do not use the --retrieve
option.

If you still want to use --retrieve, you can find the details about
setting the permissions e.g. at
https://www.freeipa.org/page/V4/Keytab_Retrieval_Management.

HTH

bye,
Sumit

> 
> Failed to get keytab
> 
> 
> Many thanks
> 
>    On Monday, 4 December 2017, 07:23:51 GMT, Sumit Bose via FreeIPA-users wrote:
>
>  On Mon, Dec 04, 2017 at 02:51:16PM +1300, Aaron Hicks via FreeIPA-users wrote:
> > Hello the list,
> > 
> >  
> > 
> > I've seen this issue on the list several times, but I've not yet seen a
> > solution posted., We're having this issue on one of our SLES 12 SP2 hosts
> > (we have other SLES hosts are fine), were seeing this error when users try
> > and login, they just keep getting the Password: prompt and are unable to log
> > in with FreeIPA accounts. Local accounts are fine. Hostnames have been
> > changed to protect the innocent.
> > 
> >  
> > 
> > In this hosts /var/log/sssd/ldap_child.log
> > 
> > <27>1 2017-12-04T01:33:01.641547+00:00 sles01  sssd[ldap_child[17456 - -
> > Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
> > Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> > 
> > <27>1 2017-12-04T01:33:01.641772+00:00 sles01  sssd[ldap_child[17456 - -
> > Preauthentication failed
> > 
> > <27>1 2017-12-04T01:33:01.725694+00:00 sles01  sssd[ldap_child[17457 - -
> > Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
> > Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> > 
> > <27>1 2017-12-04T01:33:01.725987+00:00 sles01  sssd[ldap_child[17457 - -
> > Preauthentication failed
> > 
> >  
> > 
> > On the FreeIPA server from /var/log/krb5kdc.log
> > 
> >  
> > 
> > 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH:
> > host/sles01.example@example.org for krbtgt/example@example.org,
> > Additional pre-authentication required
> > 
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
> > 11
> > 
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth
> > (encrypted_timestamp) verify failure: Preauthentication failed
> > 
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
> > etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED:
> > host/sles01.example@example.org for krbtgt/example@example.org,
> > Preauthentication failed
> > 
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
> > 11
> > 
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
> > etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH:
> > host/sles01.example@example.org for krbtgt/example@example.org,
> > Additional pre-authentication required
> > 
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
> > 11
> > 
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth
> > (encrypted_timestamp) verify failure: Preauthentication failed
> > 
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
> > etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED:
> > host/sles01.example@example.org for krbtgt/example@example.org,
> > Preauthentication failed
> > 
> >  
> > 
> > On the host in question klist gives the following (note that kinit works,
> > even if ssh login does not):
> > 
> >  
> > 
> > sles01:~ # klist -kte
> > 
> > Keytab name: FILE:/etc/krb5.keytab
> > 
> > KVNO Timestamp        Principal
> > 
> >  -
> > 
> > 
> >    1 12/01/17 04:30:40 host/sles01.example@example.org
> > 

[Freeipa-users] Re: Unable to create GSSAPI-encrypted LDAP connection

2017-12-04 Thread James Harrison via FreeIPA-users
 I ran the ipa-getkeytab command you suggested below:
This was what I got. BTW: The IPAUSER is an admin user, but not the "admin" user. 
I got the same result with the admin user.


~] IPA-02 #  kinit IPAUSER Password for x_ipau...@int.example.com: 

~] IPA-02 # ipa-getkeytab --keytab=/etc/krb5.keytab --server ipa-01 -p IPAUSER 
--retrieve
Failed to parse result: Insufficient access rights

Failed to get keytab


Many thanks

On Monday, 4 December 2017, 07:23:51 GMT, Sumit Bose via FreeIPA-users wrote:

On Mon, Dec 04, 2017 at 02:51:16PM +1300, Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
> 
>  
> 
> I've seen this issue on the list several times, but I've not yet seen a
> solution posted., We're having this issue on one of our SLES 12 SP2 hosts
> (we have other SLES hosts are fine), were seeing this error when users try
> and login, they just keep getting the Password: prompt and are unable to log
> in with FreeIPA accounts. Local accounts are fine. Hostnames have been
> changed to protect the innocent.
> 
>  
> 
> In this hosts /var/log/sssd/ldap_child.log
> 
> <27>1 2017-12-04T01:33:01.641547+00:00 sles01  sssd[ldap_child[17456 - -
> Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
> Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> 
> <27>1 2017-12-04T01:33:01.641772+00:00 sles01  sssd[ldap_child[17456 - -
> Preauthentication failed
> 
> <27>1 2017-12-04T01:33:01.725694+00:00 sles01  sssd[ldap_child[17457 - -
> Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
> Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> 
> <27>1 2017-12-04T01:33:01.725987+00:00 sles01  sssd[ldap_child[17457 - -
> Preauthentication failed
> 
>  
> 
> On the FreeIPA server from /var/log/krb5kdc.log
> 
>  
> 
> 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH:
> host/sles01.example@example.org for krbtgt/example@example.org,
> Additional pre-authentication required
> 
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
> 11
> 
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth
> (encrypted_timestamp) verify failure: Preauthentication failed
> 
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED:
> host/sles01.example@example.org for krbtgt/example@example.org,
> Preauthentication failed
> 
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
> 11
> 
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH:
> host/sles01.example@example.org for krbtgt/example@example.org,
> Additional pre-authentication required
> 
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
> 11
> 
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth
> (encrypted_timestamp) verify failure: Preauthentication failed
> 
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED:
> host/sles01.example@example.org for krbtgt/example@example.org,
> Preauthentication failed
> 
>  
> 
> On the host in question klist gives the following (note that kinit works,
> even if ssh login does not):
> 
>  
> 
> sles01:~ # klist -kte
> 
> Keytab name: FILE:/etc/krb5.keytab
> 
> KVNO Timestamp        Principal
> 
>  -
> 
> 
>    1 12/01/17 04:30:40 host/sles01.example@example.org
> (aes256-cts-hmac-sha1-96)
> 
>    1 12/01/17 04:30:40 host/sles01.example@example.org

    ^^^

> (aes128-cts-hmac-sha1-96)
> 
> sles01:~ # kinit admin
> 
> Password for ad...@example.org:
> 
> kinit: Preauthentication failed while getting initial credentials
> 
> sles01:~ # kinit admin
> 
> Password for ad...@example.org:
> 
> sles01:~ # kvno host/sles01.example@example.org
> 
> host/sles01.example@example.org: kvno = 3

                                            ^^^

The host keys stored in /etc/krb5.keytab got out of sync, the keytab
still has KVNO 1 while the current one is already 3.

Most probably someone called ipa-getkeytab without writing the result
back to /etc/krb5.keytab. ipa-getkeytab by default will generate new
keys, you have to use the option --retrieve to get the current keys.

To fix this call ipa-getkeytab again with the --keytab=/etc/krb5.conf
option on sles01.example.org to update /etc/krb5.keytab.

HTH

bye,
Sumit

> 
>  
> 
> Also, I've compared NTP and there's only ~2.5ms offset between the two
> hosts.
> 
>  
> 
> Increasing the logging level of sssd to debug_level=9 which does not
> generate more logs.
> 


[Freeipa-users] GSSAPI-encrypted LDAP connection

2017-12-01 Thread James Harrison via FreeIPA-users
Hello,
On one of our FreeIPA servers we are seeing the following messages from 
journal -f 

Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 
17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: 
host/ipa-01.int.domain@int.domain.com for 
krbtgt/int.domain@int.domain.com, Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): closing down fd 11
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9717]]][9717]: Failed to 
initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: 
Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9717]]][9717]: 
Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 
17 16 23 25 26 20 19}) 10.3.5.88: NEEDED_PREAUTH: 
host/ipa-01.int.domain@int.domain.com for 
krbtgt/int.domain@int.domain.com, Additional pre-authentication required
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): closing down fd 11
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): preauth 
(encrypted_timestamp) verify failure: Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): AS_REQ (8 etypes {18 
17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: 
host/ipa-01.int.domain@int.domain.com for 
krbtgt/int.domain@int.domain.com, Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): closing down fd 11
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9721]]][9721]: Failed to 
initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: 
Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9721]]][9721]: 
Preauthentication failed

[root@pul-lv-ipa-01 ~]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228

[root@pul-lv-ipa-01 log]# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core) 

Many thanks for any help,
Regards,
James Harrison

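Two messages in this thread describe the same failure from different sides: the journal excerpt above shows the KDC rejecting AS_REQs for a host/ principal with PREAUTH_FAILED while sssd's ldap_child cannot initialise credentials from /etc/krb5.keytab, and Sumit Bose's diagnosis in the earlier message is that the keytab's KVNO (1) no longer matches the KVNO the KDC holds (3). The script below is an added example, not code from the thread or from the FreeIPA project. It turns that diagnosis into two checks: a scan of krb5kdc log lines that flags service principals (host/, ldap/ and the like, which authenticate from a keytab rather than a typed password, so repeated preauth failures point at stale keys rather than a mistyped password) and a comparison of `klist -kte` output against `kvno` output that lists principals whose current KVNO is missing from the keytab. It also builds the `ipa-getkeytab` command line from the flags shown in the thread, keeping Sumit's distinction between the default (generate new keys and write them) and `--retrieve` (fetch the existing keys, which needs explicit permission). The log lines, principal names, realms (INT.DOMAIN.COM, EXAMPLE.ORG) and IPs are constructed; the archive mangled the realm parts of the originals.

```python
"""Find hosts whose keytab no longer matches the KDC, from KDC log lines and
from klist/kvno output, and build the ipa-getkeytab command to refresh it."""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the journal excerpt: a host principal failing
# preauth twice from its own keytab, then a user mistyping once and succeeding.
KDC_LOG = """\
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: NEEDED_PREAUTH: host/ipa-01.int.domain.com@INT.DOMAIN.COM for krbtgt/INT.DOMAIN.COM@INT.DOMAIN.COM, Additional pre-authentication required
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): closing down fd 11
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: host/ipa-01.int.domain.com@INT.DOMAIN.COM for krbtgt/INT.DOMAIN.COM@INT.DOMAIN.COM, Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9717]]][9717]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: host/ipa-01.int.domain.com@INT.DOMAIN.COM for krbtgt/INT.DOMAIN.COM@INT.DOMAIN.COM, Preauthentication failed
Dec 01 11:51:02 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.20: PREAUTH_FAILED: alice@INT.DOMAIN.COM for krbtgt/INT.DOMAIN.COM@INT.DOMAIN.COM, Preauthentication failed
Dec 01 11:51:09 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.20: ISSUE: authtime 1512129069, etypes {rep=18 tkt=18 ses=18}, alice@INT.DOMAIN.COM for krbtgt/INT.DOMAIN.COM@INT.DOMAIN.COM
"""

# Constructed `klist -kte` and `kvno` output, modelled on the sles01 exchange.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
"""
KVNO_OUTPUT = "host/sles01.example.org@EXAMPLE.ORG: kvno = 3\n"

AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{[^}]*\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>\S+),")
KLIST_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+\S+ \S+ (?P<principal>\S+) \((?P<etype>[^)]+)\)")
KVNO_RE = re.compile(r"^(?P<principal>\S+): kvno = (?P<kvno>\d+)")


def preauth_failures(log_text):
    """Count PREAUTH_FAILED AS_REQs per (client principal, source IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AS_REQ_RE.search(line)
        if m and m["status"] == "PREAUTH_FAILED":
            counts[(m["client"], m["ip"])] += 1
    return counts


def suspect_stale_keytabs(log_text, threshold=2):
    """Service principals (name contains '/') that fail preauth repeatedly.

    They authenticate with keytab keys, so repeated failures mean the keys do not
    match what the KDC holds; a user principal failing once is just a bad password."""
    by_principal = Counter()
    for (client, _ip), n in preauth_failures(log_text).items():
        if "/" in client.split("@", 1)[0]:
            by_principal[client] += n
    return sorted(p for p, n in by_principal.items() if n >= threshold)


def keytab_kvnos(klist_text):
    """principal -> set of KVNOs present in `klist -kte` output (one line per etype)."""
    found = defaultdict(set)
    for line in klist_text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            found[m["principal"]].add(int(m["kvno"]))
    return dict(found)


def kdc_kvnos(kvno_text):
    """principal -> current KVNO as reported by `kvno <principal>`."""
    result = {}
    for line in kvno_text.splitlines():
        m = KVNO_RE.match(line)
        if m:
            result[m["principal"]] = int(m["kvno"])
    return result


def stale_principals(keytab, kdc):
    """(principal, newest KVNO in keytab, KVNO at KDC) where the KDC's KVNO is absent
    from the keytab: the host cannot decrypt what the KDC now issues."""
    stale = []
    for principal, current in kdc.items():
        have = keytab.get(principal, set())
        if current not in have:
            stale.append((principal, max(have) if have else None, current))
    return sorted(stale)


def repair_command(principal, server, retrieve=False):
    """ipa-getkeytab invocation using only the flags shown in the thread. Without
    --retrieve the server generates NEW keys (the KVNO increments) and writes them
    locally; --retrieve fetches the existing keys and needs retrieval permission."""
    cmd = ["ipa-getkeytab", "--keytab=/etc/krb5.keytab", "--server", server, "-p", principal]
    if retrieve:
        cmd.append("--retrieve")
    return " ".join(cmd)


if __name__ == "__main__":
    print("suspects from KDC log:", suspect_stale_keytabs(KDC_LOG))
    for principal, have, want in stale_principals(keytab_kvnos(KLIST_OUTPUT), kdc_kvnos(KVNO_OUTPUT)):
        print(f"{principal}: keytab has KVNO {have}, KDC has {want}")
        print("  fix:", repair_command(principal.split("@")[0], "ipa-01"))
```

On a real host, feed `journalctl -u krb5kdc` output from the server into `suspect_stale_keytabs`, then on each flagged host capture `klist -kte` and `kvno host/$(hostname -f)` and pass the text to `stale_principals`; a non-empty result is the KVNO 1 versus 3 mismatch from the thread. Note that `kvno` needs a valid ticket (kinit as any user first), and that a stale keytab on an IPA server also breaks ns-slapd's own ldap/ principal, which is why the same host shows both sssd and directory-server GSSAPI errors.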


[Freeipa-users] FreeIPA server: Replication issues

2017-11-15 Thread James Harrison via FreeIPA-users
Hello,
I am using CentOS to host our FreeIPA servers. We have a CA-less setup.
I have upgraded to Centos 7.4 and FreeIPA version : VERSION: 4.5.0, 
API_VERSION: 2.228
The upgrade of both went off without any seen errors.
However, now I am getting the following messages on each server (12 in total): 
"ERR - attrlist_replace - attr_replace (nsslapd-referral" messages
Firstly, are these messages real problems I need to deal with?
Secondly, if they are problems, how do I fix them? I have searched the internet and found lots of 
confusing mail threads, but no howto style document.
Thanks for any help.
Regards,
James Harrison