Re: [Freeipa-users] KPasswd TCP issues

2013-02-20 Thread ninibaba



> On Tue, Feb 19, 2013 at 03:29:03PM -0700, ninib...@worldd.org wrote:
>> Actually
>> i'd like to take that back now, it works fine when running kpasswd, but if
>> user password is expired when SSH to client, during the reset it only
>> tried UDP same if issuing passwd command as well.
>
> Both use sssd here which in theory should behave as kpasswd. Can you run
> sssd with a high debug level, run the passwd command again and send
> logs? If you prefer you can send them as PM to me. Most interesting
> would be krb5_child.log but the others might be useful as well.
>
> bye,
> Sumit

I found my issue by disabling SELinux on the client, also did a search
and found this bug related to my issue exactly:

https://bugzilla.redhat.com/show_bug.cgi?id=889251

The selinux-policy in CentOS 6 is not the same as the current
selinux-policy-3.7.19-190.el6 in RHEL 6, CentOS 6 is using
selinux-policy-3.7.19-155.el6

Thank you for everyone's help, reviewing the krb5_child.log led me to
search the SELinux audit log, which turned up the problem while looking
for denied messages.
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] --external-ca is a bit confusing.

2013-02-20 Thread Kendrick .
I am trying to get cacert to sign the csr.  I have tried searching about it
and can't figure out what is what.  Some information I have found suggests
it won't be possible.

when I go to get the csr signed i get

"The following hostnames were rejected because the system couldn't link
them to your account, if they are valid please verify the domains against
your account.
Rejected: Certificate
Authority"


I would prefer my certificates to be valid on the internet as some of the
user certs would be used to sign emails and such.  Any advice would be
appreciated.

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Rich Megginson

On 02/20/2013 06:43 PM, Bret Wortman wrote:
> Mine was not.

What platform?  What version of 389-ds-base?

> —
> Bret Wortman
>
> On Wed, Feb 20, 2013 at 8:16 PM, Rich Megginson wrote:
>> On 02/20/2013 06:00 PM, KodaK wrote:
>>> On Wed, Feb 20, 2013 at 8:41 AM, Bret Wortman wrote:
>>>> Eureka!
>>>>
>>>> Someone had deleted the contents of
>>>> /etc/dirsrv/slapd-PKI-IPA/dse.ldif. I replaced it from a
>>>> saved copy and now everything's working as expected.
>>>>
>>>> Thanks everyone for your contributions, patience, and
>>>> indulgence. And for a wonderful product!
>>>
>>> I wouldn't be too sure that someone deleted it.  A couple of
>>> weeks ago I had a crash and half of my replicas had an empty
>>> dse.ldif.  I think you and I may be hitting a bug.
>>
>> were these virtual machines?
>>
>>> --Jason

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Bret Wortman
Mine was not. 
—
Bret Wortman

On Wed, Feb 20, 2013 at 8:16 PM, Rich Megginson 
wrote:

> On 02/20/2013 06:00 PM, KodaK wrote:
>>
>>
>> On Wed, Feb 20, 2013 at 8:41 AM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:
>>
>> Eureka!
>>
>> Someone had deleted the contents of
>> /etc/dirsrv/slapd-PKI-IPA/dse.ldif. I replaced it from a saved
>> copy and now everything's working as expected.
>>
>> Thanks everyone for your contributions, patience, and indulgence.
>> And for a wonderful product!
>>
>>
>> I wouldn't be too sure that someone deleted it.  A couple of weeks ago 
>> I had a crash and half of my replicas had an empty dse.ldif.  I think 
>> you and I may be hitting a bug.
> were these virtual machines?
>>
>> --Jason
>>
>>

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Rich Megginson

On 02/20/2013 06:00 PM, KodaK wrote:
> On Wed, Feb 20, 2013 at 8:41 AM, Bret Wortman wrote:
>> Eureka!
>>
>> Someone had deleted the contents of
>> /etc/dirsrv/slapd-PKI-IPA/dse.ldif. I replaced it from a saved
>> copy and now everything's working as expected.
>>
>> Thanks everyone for your contributions, patience, and indulgence.
>> And for a wonderful product!
>
> I wouldn't be too sure that someone deleted it.  A couple of weeks ago
> I had a crash and half of my replicas had an empty dse.ldif.  I think
> you and I may be hitting a bug.

were these virtual machines?

> --Jason



Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread KodaK
On Wed, Feb 20, 2013 at 8:41 AM, Bret Wortman
wrote:

> Eureka!
>
> Someone had deleted the contents of /etc/dirsrv/slapd-PKI-IPA/dse.ldif. I
> replaced it from a saved copy and now everything's working as expected.
>
> Thanks everyone for your contributions, patience, and indulgence. And for
> a wonderful product!
>
>
I wouldn't be too sure that someone deleted it.  A couple of weeks ago I
had a crash and half of my replicas had an empty dse.ldif.  I think you and
I may be hitting a bug.

--Jason

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Bret Wortman
I'm running 2.2.0-1.fc17.x86_64

And FWIW, the replica data file I was able to create after this just
installed successfully on the new host.



Bret Wortman
http://damascusgrp.com/
http://twitter.com/BretWortman


On Wed, Feb 20, 2013 at 9:47 AM, Rob Crittenden  wrote:

> Bret Wortman wrote:
>
>> Eureka!
>>
>> Someone had deleted the contents of /etc/dirsrv/slapd-PKI-IPA/dse.ldif.
>> I replaced it from a saved copy and now everything's working as expected.
>>
>> Thanks everyone for your contributions, patience, and indulgence. And
>> for a wonderful product!
>>
>
> Glad you're up and running again.
>
> I'm curious, what version are you running?
>
> rob
>
>

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Rob Crittenden

Bret Wortman wrote:
> Eureka!
>
> Someone had deleted the contents of /etc/dirsrv/slapd-PKI-IPA/dse.ldif.
> I replaced it from a saved copy and now everything's working as expected.
>
> Thanks everyone for your contributions, patience, and indulgence. And
> for a wonderful product!


Glad you're up and running again.

I'm curious, what version are you running?

rob



Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread John Dennis

On 02/20/2013 08:43 AM, Bret Wortman wrote:
> [root@oldmaster]# pkicontrol start ca PKI-IPA
> PKI-IPA is an invalid 'pki-ca' instance
> [root@oldmaster]#
>
> Is there another, preferred way to start it?


pkiconsole is used to monitor/configure your instance, it's a GUI 
application. Perhaps it can also be used to start/stop instances but 
I've never seen it used that way and we don't use pkiconsole at all.


Normally the pki-ca instance is controlled using the same service
commands as for any other daemon. Some of this has been in flux so the
details may depend on your exact OS. If you don't provide a specific
instance to start/stop then the service command will apply the action to
all your instances; usually this is fine as usually you only have one
instance.


As for debugging what is going on: pki-ca is a tomcat instance. You need
to locate its log files under /var/log; depending on the release it can
be named slightly differently, but it should be obvious. You need to
understand how a tomcat instance starts; again this depends on the
release. Early start up messages will be written to catalina.out, those
are tomcat specific messages; if you have problems opening sockets (for
instance bad certs) it should show up in this file. Once tomcat hands
control over to the application (i.e. pki-ca) you will see messages in
the "debug" file located under the /var/log/pki-ca (or whatever, depends
on the release) directory. As I said it should be easy to find. Look in
that file for obvious problems.


HTH,

I forget the exact version you're running on which OS. If the above is 
not specific enough we can get the dogtag folks to jump in.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Bret Wortman
Eureka!

Someone had deleted the contents of /etc/dirsrv/slapd-PKI-IPA/dse.ldif. I
replaced it from a saved copy and now everything's working as expected.

Thanks everyone for your contributions, patience, and indulgence. And for a
wonderful product!


Bret Wortman
http://damascusgrp.com/
http://twitter.com/BretWortman


On Wed, Feb 20, 2013 at 9:34 AM, Bret Wortman
wrote:

> I think this keeps coming back to the fact that ldap isn't listening on
> 7389 for some reason. When I try to *really* manually start pki-ca like
> this, it complains about ldap before dying:
>
> # sudo -u pkiuser -s /usr/lib/jvm/jre/bin/java -classpath
> :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat6
> -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp
> -Djava.util.logging.config.file=/var/lib/pki-ca/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> org.apache.catalina.startup.Bootstrap start
> :
> :
> Could not connect to LDAP server host oldmaster.my.com port 7389 Error
> netscape.ldap.LDAPException: failed to connect to server ldap://
> oldmaster.my.com:7389 (91)
> [root@oldmaster]#
>
> This bears out what I see in /var/log/pki-ca/catalina.out too.
>
>
>
> Bret Wortman
> http://damascusgrp.com/
> http://twitter.com/BretWortman
>
>
> On Wed, Feb 20, 2013 at 8:43 AM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:
>
>> On Wed, Feb 20, 2013 at 8:40 AM, Simo Sorce  wrote:
>>
>>> On Wed, 2013-02-20 at 08:08 -0500, Bret Wortman wrote:
>>> > Digging further into my logs this morning, I've discovered that
>>> > there's no new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5
>>> > either. How can I tell why this isn't
>>> > running? /var/log/dirsrv/slapd-MY-COM is getting updated and logged
>>> > to, it's just the PKI piece that seems to be dead.
>>> >
>>> >
>>> > Nothing in /etc/pki-ca has changed since last year, and the last
>>> > updates to /var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on
>>> > Feb 5. I just can't tell what that change was
>>>
>>> What error do you get if you try to start it ?
>>>
>>
>> [root@oldmaster]# pkicontrol start ca PKI-IPA
>> PKI-IPA is an invalid 'pki-ca' instance
>> [root@oldmaster]#
>>
>> Is there another, preferred way to start it?
>>
>>
>>
>>> >
>>> > Would a key change or certificate change have affected this?
>>>
>>> An expired CA cert might cause the server to stop, but then you would
>>> see expired certs all over and also the main IPA instance would not
>>> start.
>>> >
>>> > Worst case, if I do something like this:
>>> >
>>> >
>>> > # ipa-server-install -U --uninstall
>>> > # ipa-server-install
>>> >
>>> You will completely obliterate all your data.
>>>
>>> > will I lose the hosts, policies & users I already have configured?
>>> > Does this stand a chance of getting me back up to where I can clone
>>> > this box and get healthy again?
>>> >
>>> Healthy will be, but with no data, don't do it. (and I suggest you make
>>> a full backup just in case)
>>>
>>> Simo.
>>>
>>> --
>>> Simo Sorce * Red Hat, Inc * New York
>>>
>>>
>>
>

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Bret Wortman
I think this keeps coming back to the fact that ldap isn't listening on
7389 for some reason. When I try to *really* manually start pki-ca like
this, it complains about ldap before dying:

# sudo -u pkiuser -s /usr/lib/jvm/jre/bin/java -classpath
:/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
-Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat6
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp
-Djava.util.logging.config.file=/var/lib/pki-ca/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
org.apache.catalina.startup.Bootstrap start
:
:
Could not connect to LDAP server host oldmaster.my.com port 7389 Error
netscape.ldap.LDAPException: failed to connect to server ldap://
oldmaster.my.com:7389 (91)
[root@oldmaster]#

This bears out what I see in /var/log/pki-ca/catalina.out too.



Bret Wortman
http://damascusgrp.com/
http://twitter.com/BretWortman


On Wed, Feb 20, 2013 at 8:43 AM, Bret Wortman
wrote:

> On Wed, Feb 20, 2013 at 8:40 AM, Simo Sorce  wrote:
>
>> On Wed, 2013-02-20 at 08:08 -0500, Bret Wortman wrote:
>> > Digging further into my logs this morning, I've discovered that
>> > there's no new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5
>> > either. How can I tell why this isn't
>> > running? /var/log/dirsrv/slapd-MY-COM is getting updated and logged
>> > to, it's just the PKI piece that seems to be dead.
>> >
>> >
>> > Nothing in /etc/pki-ca has changed since last year, and the last
>> > updates to /var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on
>> > Feb 5. I just can't tell what that change was
>>
>> What error do you get if you try to start it ?
>>
>
> [root@oldmaster]# pkicontrol start ca PKI-IPA
> PKI-IPA is an invalid 'pki-ca' instance
> [root@oldmaster]#
>
> Is there another, preferred way to start it?
>
>
>
>> >
>> > Would a key change or certificate change have affected this?
>>
>> An expired CA cert might cause the server to stop, but then you would
>> see expired certs all over and also the main IPA instance would not
>> start.
>> >
>> > Worst case, if I do something like this:
>> >
>> >
>> > # ipa-server-install -U --uninstall
>> > # ipa-server-install
>> >
>> You will completely obliterate all your data.
>>
>> > will I lose the hosts, policies & users I already have configured?
>> > Does this stand a chance of getting me back up to where I can clone
>> > this box and get healthy again?
>> >
>> Healthy will be, but with no data, don't do it. (and I suggest you make
>> a full backup just in case)
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>

Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC

2013-02-20 Thread Rodney L. Mercer


On Tue, 2013-02-19 at 21:05 -0500, Dmitri Pal wrote:
> On 02/19/2013 09:14 AM, Rodney L. Mercer wrote:
> >
> > On Sun, 2013-02-17 at 13:31 -0500, Dmitri Pal wrote:
> >> On 02/16/2013 12:14 PM, Mercer, Rodney wrote:
> >>> 
> >>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] 
> >>> on behalf of Sigbjorn Lie [sigbj...@nixtra.com]
> >>> Sent: Saturday, February 16, 2013 6:29 AM
> >>> To: freeipa-users@redhat.com
> >>> Subject: Re: [Freeipa-users] RHEL6 IPA and Active Directory 
> >>> synchronisation and Solaris RBAC
> >>>
> >>> On 02/15/2013 10:31 PM, Dmitri Pal wrote:
>  On 02/15/2013 09:17 AM, Rodney L. Mercer wrote:
> > On Thu, 2013-02-14 at 21:44 +0100, Sigbjorn Lie wrote:
> >> I agree with schema support being enough for now. I do not expect the
> >> ipa mgmt tools to support Solaris rbac mgmt.
> >>
> >> The ipa mgmt tools are great, but I already have other data in the ipa
> >> ldap that I have to manage manually anyway.
> >>
> >>
> >>
> >> Rgds,
> >> Siggi
> >>
> >>
> >>
> >> Rob Crittenden wrote:
> >>  Dag Wieers wrote:
> >>  On Thu, 14 Feb 2013, Rob Crittenden wrote:
> >>
> >>  Sigbjorn Lie wrote:
> >>  On 02/13/2013 04:10 PM, Rob Crittenden wrote:
> >>
> >>  Also since we also require compatibility with Solaris, and roles
> >>  (RBAC) is currently used on Solaris, does IPA support RBAC on
> >>  Solaris? (We noticed that RBAC mentioned in the IPA web interface
> >>  only relates to IPA management).
> >>  No, IPA doesn't support RBAC on Solaris.
> >>
> >>  I've come across the same issue. This is just a matter of extending
> >>  the schema.
> >>
> >>  Would there be any interest for adding the Solaris RBAC schema as a
> >>  part of the standard IPA distributed LDAP schema?
> > Consider the following: What else would have to be put in to support
> > this?
> > Once the schema is established, can SSSD be extended to use this and
> > potentially be referenced in nsswitch.conf as it is implemented on
> > Solaris? IE:
> > tail -5 /etc/nsswitch.conf
> > user_attr:  sssd
> > auth_attr:  sssd
> > prof_attr:  sssd
> > exec_attr:  sssd
> > project:sssd
>  Before we define how it is passed/exposed it would nice to understand
>  who on Linux will be consuming it out of SSSD?
> 
> >>> I don't think Linux would consume these attributes. They are specific to
> >>> the Role Based Access Control solution implemented in Solaris.
> >>>
> >>>
> >>> Rgds,
> >>> Siggi
> >>>
> >>> --
> >>>
> >>> Yes, I understand that Linux has no mechanism currently built in to 
> >>> consume these Solaris name server switch attributes. But, If the Solaris 
> >>> RBAC schema is included as
> >>> part of the standard IPA distributed LDAP schema, My question is how hard 
> >>> would it be to create an extension using SSSD/pam to do so?
> >>>
> >>> I agree that it is too much to ask for a full Solaris style RBAC 
> >>> implementation on RHEL. 
> >>>
> >>> We have an application that currently uses the Solaris RBAC structure to 
> >>> authorize user/role accesses within the application.
> >>>
> >>> Our goal is to use existing OS calls or possibly extending SSSD to allow 
> >>> system calls that would give  us back an answer to attributes placed 
> >>> within the LDAP
> >>> tree that  are composed in like fashion as how they are stored in  
> >>> Solaris. Defining the schema seemed to be well received and I understand 
> >>> that it is intended that it would be there to support Solaris clients.
> >>> If SSSD could be extended to access these attributes and possibly pam 
> >>> modules to allow Linux clients to take advantage of this RBAC schema, 
> >>> then our application could perform as it does on Solaris. It would also
> >>> open up the opportunity for other vendors to consider moving their 
> >>> Solaris RBAC applications to RHEL. 
> >>>
> >>> I think with that as a goal, we could then create users and SELinux roles 
> >>> that are defined within the RBAC based schema much like our current 

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Bret Wortman
On Wed, Feb 20, 2013 at 8:40 AM, Simo Sorce  wrote:

> On Wed, 2013-02-20 at 08:08 -0500, Bret Wortman wrote:
> > Digging further into my logs this morning, I've discovered that
> > there's no new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5
> > either. How can I tell why this isn't
> > running? /var/log/dirsrv/slapd-MY-COM is getting updated and logged
> > to, it's just the PKI piece that seems to be dead.
> >
> >
> > Nothing in /etc/pki-ca has changed since last year, and the last
> > updates to /var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on
> > Feb 5. I just can't tell what that change was
>
> What error do you get if you try to start it ?
>

[root@oldmaster]# pkicontrol start ca PKI-IPA
PKI-IPA is an invalid 'pki-ca' instance
[root@oldmaster]#

Is there another, preferred way to start it?



> >
> > Would a key change or certificate change have affected this?
>
> An expired CA cert might cause the server to stop, but then you would
> see expired certs all over and also the main IPA instance would not
> start.
> >
> > Worst case, if I do something like this:
> >
> >
> > # ipa-server-install -U --uninstall
> > # ipa-server-install
> >
> You will completely obliterate all your data.
>
> > will I lose the hosts, policies & users I already have configured?
> > Does this stand a chance of getting me back up to where I can clone
> > this box and get healthy again?
> >
> Healthy will be, but with no data, don't do it. (and I suggest you make
> a full backup just in case)
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Simo Sorce
On Wed, 2013-02-20 at 08:08 -0500, Bret Wortman wrote:
> Digging further into my logs this morning, I've discovered that
> there's no new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5
> either. How can I tell why this isn't
> running? /var/log/dirsrv/slapd-MY-COM is getting updated and logged
> to, it's just the PKI piece that seems to be dead.
> 
> 
> Nothing in /etc/pki-ca has changed since last year, and the last
> updates to /var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on
> Feb 5. I just can't tell what that change was

What error do you get if you try to start it ?
> 
> Would a key change or certificate change have affected this?

An expired CA cert might cause the server to stop, but then you would
see expired certs all over and also the main IPA instance would not
start.
> 
> Worst case, if I do something like this:
> 
> 
> # ipa-server-install -U --uninstall
> # ipa-server-install
> 
You will completely obliterate all your data.

> will I lose the hosts, policies & users I already have configured?
> Does this stand a chance of getting me back up to where I can clone
> this box and get healthy again?
> 
Healthy will be, but with no data, don't do it. (and I suggest you make
a full backup just in case)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Bret Wortman
And just in case this is informative:

[root@oldmaster]# pkicontrol start ca PKI-IPA
PKI-IPA is an invalid 'pki-ca' instance
[root@oldmaster]#


Bret Wortman
http://damascusgrp.com/
http://twitter.com/BretWortman


On Wed, Feb 20, 2013 at 8:08 AM, Bret Wortman
wrote:

> Digging further into my logs this morning, I've discovered that there's no
> new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5 either. How can I
> tell why this isn't running? /var/log/dirsrv/slapd-MY-COM is getting
> updated and logged to, it's just the PKI piece that seems to be dead.
>
> Nothing in /etc/pki-ca has changed since last year, and the last updates
> to /var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on Feb 5. I just
> can't tell what that change was
>
> Would a key change or certificate change have affected this?
>
> Worst case, if I do something like this:
>
> # ipa-server-install -U --uninstall
> # ipa-server-install
>
> will I lose the hosts, policies & users I already have configured? Does
> this stand a chance of getting me back up to where I can clone this box and
> get healthy again?
>
>
> Bret Wortman
> http://damascusgrp.com/
> http://twitter.com/BretWortman
>
>
> On Tue, Feb 19, 2013 at 2:01 PM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:
>
>> No, can't telnet to 7389 or 9444 either one:
>>
>> [root@ipamaster]# telnet oldmaster.my.com 7389
>> Trying 10.0.0.42...
>> telnet: connect to address 10.0.0.42: COnnection refused
>> [root@ipamaster]#
>>
>> I do note that I only have packages called dogtag-*-theme installed:
>>
>> [root@oldmaster]# yum list "*dogtag*"
>> Loaded plugins: lnagpacks, presto, refresh-packagekit
>> Installed Packages
>> dogtag-pki-ca-theme.noarch  9.0.11-1.fc17
>>  @fedora
>> dogtag-pki-common-theme.noarch  9.0.11-1.fc17
>>  @fedora
>> Available Packages
>> dogtag-pki.noarch   9.0.0-13.fc17
>>  @fedora
>> :
>>
>> I also noticed that, according to /var/log/pki-ca/catalina.out and
>> /var/log/pki-ca/debug, this hasn't successfully run since 05-Feb. And no,
>> I'm not sure what happened on that day to change things, but I'm trying to
>> find out. (At least, I assume this logdir relates to dogtag)
>>
>>
>>
>> Bret Wortman
>> http://damascusgrp.com/
>> http://twitter.com/BretWortman
>>
>>
>> On Tue, Feb 19, 2013 at 1:26 PM, Rob Crittenden wrote:
>>
>>> Natxo Asenjo wrote:
>>>
>>>> On Tue, Feb 19, 2013 at 5:58 PM, Bret Wortman wrote:
>>>>
>>>> Digging a bit deeper, I found this in /var/log/pki-ca/catalina.out:
>>>>
>>>> :
>>>> Could not connect to LDAP server host oldmaster.my.com port 7389 Error
>>>> netscape.ldap.LDAPException: failed to connect to server
>>>> ldap://oldmaster.my.com:7389 (91)
>>>>
>>>> This certainly appears to be a problem, but everyone's
>>>> authenticating against oldmaster just fine. Thoughts, anyone?
>>>>
>>>> can you connect to that port (7389) on oldmaster.my.com
>>>> from the other replica? (try telnetting to the
>>>> port: telnet oldmaster.my.com 7389)
>>>
>>> 7389 is port in the 389-ds instance used by dogtag. Is the instance
>>> running on oldmaster?
>>>
>>> It isn't used for authentication which is why you aren't seeing problems
>>> with clients.
>>>
>>> rob
>>>

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Bret Wortman
Digging further into my logs this morning, I've discovered that there's no
new entries in /var/log/dirsrv/slapd-PKI-IPA since Feb 5 either. How can I
tell why this isn't running? /var/log/dirsrv/slapd-MY-COM is getting
updated and logged to, it's just the PKI piece that seems to be dead.

Nothing in /etc/pki-ca has changed since last year, and the last updates to
/var/lib/dirsrv/slapd-PKI-IPA/db or changelogs occurred on Feb 5. I just
can't tell what that change was

Would a key change or certificate change have affected this?

Worst case, if I do something like this:

# ipa-server-install -U --uninstall
# ipa-server-install

will I lose the hosts, policies & users I already have configured? Does
this stand a chance of getting me back up to where I can clone this box and
get healthy again?


Bret Wortman
http://damascusgrp.com/
http://twitter.com/BretWortman


On Tue, Feb 19, 2013 at 2:01 PM, Bret Wortman
wrote:

> No, can't telnet to 7389 or 9444 either one:
>
> [root@ipamaster]# telnet oldmaster.my.com 7389
> Trying 10.0.0.42...
> telnet: connect to address 10.0.0.42: COnnection refused
> [root@ipamaster]#
>
> I do note that I only have packages called dogtag-*-theme installed:
>
> [root@oldmaster]# yum list "*dogtag*"
> Loaded plugins: lnagpacks, presto, refresh-packagekit
> Installed Packages
> dogtag-pki-ca-theme.noarch  9.0.11-1.fc17
>  @fedora
> dogtag-pki-common-theme.noarch  9.0.11-1.fc17
>  @fedora
> Available Packages
> dogtag-pki.noarch   9.0.0-13.fc17
>  @fedora
> :
>
> I also noticed that, according to /var/log/pki-ca/catalina.out and
> /var/log/pki-ca/debug, this hasn't successfully run since 05-Feb. And no,
> I'm not sure what happened on that day to change things, but I'm trying to
> find out. (At least, I assume this logdir relates to dogtag)
>
>
>
> Bret Wortman
> http://damascusgrp.com/
> http://twitter.com/BretWortman
>
>
> On Tue, Feb 19, 2013 at 1:26 PM, Rob Crittenden wrote:
>
>> Natxo Asenjo wrote:
>>
>>> On Tue, Feb 19, 2013 at 5:58 PM, Bret Wortman wrote:
>>>
>>> Digging a bit deeper, I found this in /var/log/pki-ca/catalina.out:
>>>
>>> :
>>> Could not connect to LDAP server host oldmaster.my.com port 7389 Error
>>> netscape.ldap.LDAPException: failed to connect to server
>>> ldap://oldmaster.my.com:7389 (91)
>>>
>>> This certainly appears to be a problem, but everyone's
>>> authenticating against oldmaster just fine. Thoughts, anyone?
>>>
>>> can you connect to that port (7389) on oldmaster.my.com
>>> from the other replica? (try telnetting to the
>>> port: telnet oldmaster.my.com 7389)
>>>
>>
>> 7389 is port in the 389-ds instance used by dogtag. Is the instance
>> running on oldmaster?
>>
>> It isn't used for authentication which is why you aren't seeing problems
>> with clients.
>>
>> rob
>>

Re: [Freeipa-users] KPasswd TCP issues

2013-02-20 Thread Sumit Bose
On Tue, Feb 19, 2013 at 03:29:03PM -0700, ninib...@worldd.org wrote:
> 
> 
> Actually
> i'd like to take that back now, it works fine when running kpasswd, but if
> user password is expired when SSH to client, during the reset it only
> tried UDP same if issuing passwd command as well.


Both use sssd here which in theory should behave as kpasswd. Can you run
sssd with a high debug level, run the passwd command again and send
logs? If you prefer you can send them as PM to me. Most interesting
would be krb5_child.log but the others might be useful as well.

bye,
Sumit


Re: [Freeipa-users] KPasswd TCP issues

2013-02-20 Thread Petr Spacek

On 19.2.2013 23:29, ninib...@worldd.org wrote:

> >> On Tue, Feb 19, 2013 at 10:49:42AM -0700, ninib...@worldd.org wrote:
> >>> I used IPA from the CentOS 6 repositories and I am having an issue I
> >>> can't seem to solve. I installed a server and a client with no
> >>> issues, but upon Nessus scans of the server, port 464 kpasswd UDP was
> >>> flagged for a ping-pong DoS attack. With this information I noticed
> >>> kpasswd also listens on TCP 464 which I understand was used for
> >>> over-sized requests and other errors. I attempted to IPTABLES block UDP
> >>> for kerberos which resulted in kpasswd no longer functioning from the
> >>> client. Kerberos authentication defaults to TCP without issue, but no
> >>> matter what i cannot get the client to use TCP for kpasswd. Is there a
> >>> way to force kpasswd on the client to use TCP (i was under the
> >>> understanding that if UDP failed TCP would be attempted). I am running
> >>> the latest from the CentOS 6 repo's on both server and client. Thank
> >>> you!
> >>
> >> I just did a spot-check with udp port 464 set to REJECT on my server,
> >> with krb5-libs-1.9-33.el6_3.3. It looks like the client is getting an
> >> ECONNREFUSED after trying to use the UDP port, and then correctly
> >> falling back and opening a TCP connection.
> >>
> >> Do you have more information about what exactly happens when it fails?
> >> What does 'kpasswd' log when it's run with KRB5_TRACE set to /dev/stderr
> >> in its environment? Is anything logged to /var/log/kadmind.log on the
> >> server when you run 'kpasswd' on the client? Can you try it while using
> >> 'tcpdump -s0 -w cap -i any "port 464"' to capture traffic that's passed
> >> between the two?
> >>
> >> Nalin
> >>
> >
> > /FACEPALM
> > So problem solved, I allowed all the necessary ports via IPTABLES, but
> > left the default REJECT rule in that comes by default to handle blocking
> > the UDP port for kpasswd. The default Reject rule in this case still
> > answers with prohibited instead of just a normal REJECT set for
> > unreachable. Problem solved. Thanks for pointing me somewhere =)
> >
> Actually i'd like to take that back now, it works fine when running kpasswd,
> but if user password is expired when SSH to client, during the reset it only
> tried UDP same if issuing passwd command as well.


I would recommend to completely remove SRV records for kpasswd over UDP (in 
case you blocked kpasswd over UDP for all clients).


# ipa dnsrecord-del example.com _kpasswd._udp

This should prevent clients from even trying UDP.

Don't forget about DNS amplification attacks if you are paranoid :-)

--
Petr^2 Spacek

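The KRB5_TRACE check Nalin suggests in the quoted exchange above, turned into a small audit; this is an added example, not code from this thread or from the krb5 or FreeIPA projects. It reads a client-side trace and reports, per kpasswd server, whether the client fell back to TCP after UDP failed. The trace lines are constructed, and the message wording the patterns match is an assumption about libkrb5's trace strings, so compare it with a real trace from your krb5 version before relying on it.

```python
"""Audit a KRB5_TRACE log for how a client reached kpasswd (port 464).

The sample traces are constructed for this example and only follow the
"[pid] timestamp: message" layout of libkrb5 trace output; the exact
message wording matched below is an assumption about the library's
trace strings, so compare it with a real trace before relying on it.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

KPASSWD_PORT = 464

LINE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>[\d.]+): (?P<msg>.*)$")
UDP_SEND = re.compile(r"Sending (?:initial|retry) UDP request to dgram (?P<addr>\S+)")
TCP_CONNECT = re.compile(r"Initiating TCP connection to stream (?P<addr>\S+)")
ANSWER = re.compile(
    r"Received answer \(\d+ bytes\) from (?P<kind>dgram|stream) (?P<addr>\S+)")


@dataclass
class EndpointStats:
    udp_attempts: int = 0
    tcp_attempts: int = 0
    answered_via: set = field(default_factory=set)  # subset of {"udp", "tcp"}


def split_addr(addr):
    """'10.0.0.42:464' -> ('10.0.0.42', 464); also accepts '[::1]:464'."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def analyse_trace(lines):
    """Count UDP sends, TCP connects and answers per (host, port)."""
    stats = defaultdict(EndpointStats)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or the tool's own output, not a trace line
        msg = m.group("msg")
        if (u := UDP_SEND.search(msg)):
            stats[split_addr(u.group("addr"))].udp_attempts += 1
        elif (t := TCP_CONNECT.search(msg)):
            stats[split_addr(t.group("addr"))].tcp_attempts += 1
        elif (a := ANSWER.search(msg)):
            kind = "udp" if a.group("kind") == "dgram" else "tcp"
            stats[split_addr(a.group("addr"))].answered_via.add(kind)
    return dict(stats)


def classify(s):
    """Verdict for one endpoint, from the defender's point of view."""
    if "udp" in s.answered_via:
        return "udp_answered"          # UDP reached the server: that port is not blocked
    if s.tcp_attempts and "tcp" in s.answered_via:
        return "tcp_fallback_ok"       # UDP failed, client fell back to TCP and got an answer
    if s.udp_attempts and not s.tcp_attempts:
        return "udp_only_no_fallback"  # the symptom in the thread: UDP retries, no TCP attempt
    return "unanswered"


def kpasswd_verdicts(lines, port=KPASSWD_PORT):
    """Map each kpasswd server seen in the trace ('host:port') to a verdict."""
    return {f"{h}:{p}": classify(s)
            for (h, p), s in analyse_trace(lines).items() if p == port}


# Constructed trace: the KDC on 88 answers over UDP, 464/udp is refused
# (ICMP port unreachable, seen as ECONNREFUSED) and the client falls back to TCP.
TRACE_FALLBACK_OK = """
[2214] 1361314000.100000: Sending initial UDP request to dgram 10.0.0.42:88
[2214] 1361314000.104000: Received answer (1056 bytes) from dgram 10.0.0.42:88
[2214] 1361314000.200000: Sending initial UDP request to dgram 10.0.0.42:464
[2214] 1361314001.200000: Sending retry UDP request to dgram 10.0.0.42:464
[2214] 1361314001.300000: Initiating TCP connection to stream 10.0.0.42:464
[2214] 1361314001.350000: Received answer (226 bytes) from stream 10.0.0.42:464
""".strip().splitlines()

# Constructed trace: the failure mode reported in the thread, UDP retries only.
TRACE_UDP_ONLY = """
[2290] 1361314100.100000: Sending initial UDP request to dgram 10.0.0.42:464
[2290] 1361314101.100000: Sending retry UDP request to dgram 10.0.0.42:464
[2290] 1361314103.100000: Sending retry UDP request to dgram 10.0.0.42:464
""".strip().splitlines()

if __name__ == "__main__":
    # With a real trace: KRB5_TRACE=/dev/stderr kpasswd 2>trace.log, then
    # pass open("trace.log") to kpasswd_verdicts instead of the samples.
    for name, trace in (("fallback", TRACE_FALLBACK_OK), ("udp-only", TRACE_UDP_ONLY)):
        print(name, kpasswd_verdicts(trace))
```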