Re: [Freeipa-users] Host certificate issue problem
> When I check the host certificate I see a ca-error saying it cannot find a suitable key.
>
> # ipa-getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20130719035440':
>         status: CA_UNCONFIGURED
>         ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS Certificate DB'
>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> What is the version of ipa-server, is the above error on ipa client, if so what is the version of ipa-client?

Both client and server are version 3.0; the error is on the client.

> There was similar bug in earlier versions, I would suggest you to update the ipa server and clients to ipa-3.0

Yes, the bug in earlier versions is here: https://bugzilla.redhat.com/show_bug.cgi?id=747443
I have double checked to see if the workaround applies after the bug fix; it does not.

> When I check my keytab:
>
> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example@example.com
>
> No error.
>
> If I list my keytab:
>
> # klist -kt /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    2 07/18/13 13:14:06 host/det-webdl01.sub.example@example.com
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
>
> My /etc/krb5.conf file looks like:
>
> [libdefaults]
>   default_keytab_name = FILE:/etc/krb5.keytab
>   default_realm = EXAMPLE.COM
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [realms]
>   EXAMPLE.COM = {
>     kdc = det-ldmpl01.sub.example.com:88
>     master_kdc = det-ldmpl01.sub.example.com:88
>     admin_server = det-ldmpl01.sub.example.com:749
>     default_domain = example.com
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
>
> [domain_realm]
>   .example.com = EXAMPLE.COM
>   example.com = EXAMPLE.COM
>   .sub.example.com = EXAMPLE.COM
>   sub.example.com = EXAMPLE.COM
>
> It seems the error from ipa-getcert list shows:
>
> ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
>
> where it is truncating the hostname and not including the realm name after @. That seems to be the problem, but I cannot figure out why. If I run `hostname` on this host it prints det-webdl01.sub.example.com.
>
> --
> Regards,
> M.R.Niranjan

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Host certificate issue problem
On 07/19/2013 09:47 AM, Rivet, Matt wrote:

Hi,

> When I check the host certificate I see a ca-error saying it cannot find a suitable key.
>
> # ipa-getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20130719035440':
>         status: CA_UNCONFIGURED
>         ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS Certificate DB'
>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes

What is the version of ipa-server, is the above error on ipa client, if so what is the version of ipa-client?

There was similar bug in earlier versions, I would suggest you to update the ipa server and clients to ipa-3.0

> When I check my keytab:
>
> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example@example.com
>
> No error.
>
> If I list my keytab:
>
> # klist -kt /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    2 07/18/13 13:14:06 host/det-webdl01.sub.example@example.com
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
>
> My /etc/krb5.conf file looks like:
>
> [libdefaults]
>   default_keytab_name = FILE:/etc/krb5.keytab
>   default_realm = EXAMPLE.COM
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [realms]
>   EXAMPLE.COM = {
>     kdc = det-ldmpl01.sub.example.com:88
>     master_kdc = det-ldmpl01.sub.example.com:88
>     admin_server = det-ldmpl01.sub.example.com:749
>     default_domain = example.com
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
>
> [domain_realm]
>   .example.com = EXAMPLE.COM
>   example.com = EXAMPLE.COM
>   .sub.example.com = EXAMPLE.COM
>   sub.example.com = EXAMPLE.COM
>
> It seems the error from ipa-getcert list shows:
>
> ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
>
> where it is truncating the hostname and not including the realm name after @. That seems to be the problem, but I cannot figure out why. If I run `hostname` on this host it prints det-webdl01.sub.example.com.

--
Regards,
M.R.Niranjan
Re: [Freeipa-users] Redhat IPA as a SSL CA
On 07/19/2013 06:57 AM, craig.free...@noboost.org wrote:
> Hi,
>
> I've been using Redhat IPA 2.2 as our internal CA quite successfully for a while and managing it from the IPA management website.
>
> I'm struggling to find precise information about the SSL certs and management at a CLI level.
>
> 1) Can I submit SSL CSR via cli?

Yes, you could, using the ipa cert-request command.

Example:

1. Add the host for which you are generating the request:

   # ipa host-add webserver1.example.org

2. Create a CSR (i.e. private key and certificate request) using the openssl command:

   A. Generate private key:
      [root@test1 certs]# openssl genrsa 1024 > server.key

   B. Generate CSR:
      [root@test1 certs]# openssl req -new -key server.key -out server.csr

3. Submit the certificate request:

   # ipa cert-request /etc/pki/tls/certs/server.csr

4. Get the signed certificate out using the ipa cert-show command. Example:

   [root@test1 certs]# ipa cert-show 12 --out=/etc/pki/tls/certs/server.crt

> 2) Where are the approved client SSL certs kept in IPA?

They are stored in Directory Server in 2 places:

1. Domain suffix tree: dn: fqdn=webserver1.example.org,cn=computers,cn=accounts,dc=example,dc=org
2. CA store in DS. The Certificate System of IPA stores certificates in its LDAP store (ou=certificateRepository,ou=ca,o=ipaca).

> cya
>
> Craig

--
Regards,
M.R.Niranjan
[Freeipa-users] Host certificate issue problem
When I check the host certificate I see a ca-error saying it cannot find a suitable key.

# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20130719035440':
        status: CA_UNCONFIGURED
        ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

When I check my keytab:

# kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example@example.com

No error.

If I list my keytab:

# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/18/13 13:14:06 host/det-webdl01.sub.example@example.com
   2 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
   2 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
   2 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
   1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
   1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
   1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com
   1 07/18/13 13:14:07 host/det-webdl01.sub.example@example.com

My /etc/krb5.conf file looks like:

[libdefaults]
  default_keytab_name = FILE:/etc/krb5.keytab
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    kdc = det-ldmpl01.sub.example.com:88
    master_kdc = det-ldmpl01.sub.example.com:88
    admin_server = det-ldmpl01.sub.example.com:749
    default_domain = example.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
  .sub.example.com = EXAMPLE.COM
  sub.example.com = EXAMPLE.COM

It seems the error from ipa-getcert list shows:

ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.

where it is truncating the hostname and not including the realm name after @. That seems to be the problem, but I cannot figure out why. If I run `hostname` on this host it prints det-webdl01.sub.example.com.
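The `ipa-getcert list` output above is exactly what a certmonger health check has to read. As an added example (not part of this post and not certmonger's or FreeIPA's own code), the Python below parses that format from a constructed sample that mirrors the stuck request plus one healthy request, flags requests certmonger reports as stuck, and checks whether the principal named in the ca-error carries a realm and a fully qualified host part, which is the symptom described here. Request IDs, nicknames and the second request are placeholders.

```python
"""Parse `ipa-getcert list` output and flag stuck tracking requests.

Added example, not from the mailing-list thread. The sample output is
constructed to mirror the format shown in the thread; Request IDs and
nicknames are placeholders.
"""
import re

# Constructed sample: one stuck request (as in the thread) and one healthy
# one, so the report shows both cases.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20130719035440':
        status: CA_UNCONFIGURED
        ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        track: yes
        auto-renew: yes
Request ID '20130719040000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Other-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Other-Cert'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=det-webdl01.sub.example.com,O=EXAMPLE.COM
        expires: 2015-07-19 03:54:40 UTC
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
# Principal quoted in the keytab error, with the trailing full stop dropped.
PRINCIPAL_RE = re.compile(r"no suitable keys for (\S+?)\.?$")


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names
    certmonger prints ('status', 'ca-error', 'stuck', ...)."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line.strip())
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # preamble line, or not a key: value field
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def principal_from_ca_error(ca_error):
    """Extract the principal certmonger complained about, or None."""
    m = PRINCIPAL_RE.search(ca_error)
    return m.group(1) if m else None


def diagnose(request):
    """Return human-readable findings for one tracked request."""
    findings = []
    if request.get("stuck") == "yes":
        findings.append("request is stuck (status %s)" % request.get("status"))
    princ = principal_from_ca_error(request.get("ca-error", ""))
    if princ:
        name, sep, realm = princ.partition("@")
        if not sep or not realm:
            findings.append("principal %r has no realm after '@'" % princ)
        _service, _, host = name.partition("/")
        if host and "." not in host:
            findings.append("principal host part %r is not fully qualified" % host)
    return findings


def report(text):
    """Map request id -> findings for every request in the listing."""
    return {r["request_id"]: diagnose(r) for r in parse_getcert_list(text)}


if __name__ == "__main__":
    for rid, findings in report(SAMPLE_GETCERT_OUTPUT).items():
        print(rid, "OK" if not findings else "; ".join(findings))
```

Feed it the real output with `report(subprocess.check_output(["ipa-getcert", "list"]).decode())`; anything with findings is a certificate that will not renew on its own and deserves a look before it expires.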
Re: [Freeipa-users] problem creating replica
I was just trying this again and noticed there is a /var/log/pki/pki-ca-spawn.20130719140342.log file with what I assume is the logging for the attempt to create the pki.
Right at the end is this entry:

2013-07-19 14:04:42 pkispawn: INFO ... unable to access security domain through REST interface. Trying old interface.
503 Server Error: Service Unavailable

Does anyone know what that means and how to fix it?

On 19 July 2013 12:46, Pete Brown wrote:
> On 18 July 2013 19:50, Petr Viktorin wrote:
>> On 07/18/2013 03:31 AM, Pete Brown wrote:
>>> I opened all the ports that seemed to be listening on the master.
>>> I also ran the setup again without disabling the connection check to see what else needed fixing.
>>> It seems, after much investigation and log dredging, that my admin password had expired.
>>> I wasn't aware that was possible.
>>> I reset the password and it seemed to get further.
>>> Then, for some reason not mentioned in the documentation, the replica is trying to ssh into the master as admin.
>>> I managed to fix that by changing my setup and ssh config files.
>>>
>>> Then it actually managed to start the setup process.
>>> But again it fails at exactly the same point mentioned in my initial email.
>>>
>>> After some further digging with reference to the log output below it seems I have run into a bug that seems to have been fixed.
>>> https://fedorahosted.org/freeipa/ticket/3213
>>> As I mentioned I am running current Fedora 18 so freeipa is 3.1.5-1.fc18; is that fixed in my version?
>>
>> Yes, that bug was fixed in 3.1.0.
>
> Well the script is still complaining about not being able to find dogtag_master_ds_port and the option still appears in my version of the script.
> Which from the bug seems to be what was causing the issue, and the ipareplica-install log I included below says this is the case.
> It seems a bit odd because this is a fresh install of 3.1.5.
>
>>> It also seems the dogtag and IPA directories will be or have been merged?
>>> Which version did this happen in and will it get applied to my server?
>>
>> Also in 3.1.0; new servers installed using that version have merged databases.
>
> I still seem to have split instances.
> I did the install before Fedora 18 was released because I wanted ipa 3 and that was the only way I could get it.
> Will they get merged at some point or can I do it manually?
>
>>> Can anyone suggest how I go about fixing this issue?
>>
>> Well, ipa-server-uninstall can misbehave if CA installation goes wrong (ticket #2796).
>> So I would start by uninstalling, then running the following command to make sure CA is not left:
>>   sudo pkidestroy -s CA -i pki-tomcat
>> then installing again.
>
> Ran that on my replica after the install and before the clean and it said this.
> That would make sense because it fails during the ca creation stage.
>
> root@ipa2 ~]# pkidestroy -s CA -i pki-tomcat
> ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!
>
>> Can you also provide logs without the --skip-conncheck flag? Specifically the /var/log/ipareplica-conncheck.log should be interesting.
>
> From what I can tell all the tests in the connection check passed.
>
>>> I wanted to create a replica so I could upgrade to fedora 19 and not have to take my single instance of FreeIPA offline while that was happening.
>>> Will I need to upgrade to Fedora 19 to fix my issue?
>>>
>>> For reference this is the point of failure in the /var/log/ipareplica-install.log file:
>>>
>>> 2013-07-18T01:06:16Z DEBUG Starting external process
>>> 2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
>>> 2013-07-18T01:08:16Z DEBUG Process finished, return code=1
>>> 2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration from /tmp/tmpFKBxMW.
>>> ERROR: Unable to access security domain: 503 Server Error: Service Unavailable
>>
>> Please also check logs on the existing server. Is the CA available?
>> Does e.g. `ipa cert-show 1` work?
>>
>>> 2013-07-18T01:08:16Z DEBUG stderr=
>>> 2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit status 1
>>> 2013-07-18T01:08:16Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 619, in run_script
>>>     return_value = main_function()
>>>
>>>   File "/usr/sbin/ipa-replica-install", line 652, in main
>>>     (CA, cs) = cainstance.install_replica_ca(config, dogtag_master_ds_port)
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1809, in install_replica_ca
>>>     subject_base=config.subject_base)
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 625, in configure_instance
>>>     self.start_creation(runtime=210)
>>>
>>>   File "/usr/lib/python2.7/site-packages/i
Re: [Freeipa-users] problem creating replica
On 18 July 2013 19:50, Petr Viktorin wrote:
> On 07/18/2013 03:31 AM, Pete Brown wrote:
>> I opened all the ports that seemed to be listening on the master.
>> I also ran the setup again without disabling the connection check to see what else needed fixing.
>> It seems, after much investigation and log dredging, that my admin password had expired.
>> I wasn't aware that was possible.
>> I reset the password and it seemed to get further.
>> Then, for some reason not mentioned in the documentation, the replica is trying to ssh into the master as admin.
>> I managed to fix that by changing my setup and ssh config files.
>>
>> Then it actually managed to start the setup process.
>> But again it fails at exactly the same point mentioned in my initial email.
>>
>> After some further digging with reference to the log output below it seems I have run into a bug that seems to have been fixed.
>> https://fedorahosted.org/freeipa/ticket/3213
>> As I mentioned I am running current Fedora 18 so freeipa is 3.1.5-1.fc18; is that fixed in my version?
>
> Yes, that bug was fixed in 3.1.0.

Well the script is still complaining about not being able to find dogtag_master_ds_port and the option still appears in my version of the script.
Which from the bug seems to be what was causing the issue, and the ipareplica-install log I included below says this is the case.
It seems a bit odd because this is a fresh install of 3.1.5.

>> It also seems the dogtag and IPA directories will be or have been merged?
>> Which version did this happen in and will it get applied to my server?
>
> Also in 3.1.0; new servers installed using that version have merged databases.

I still seem to have split instances.
I did the install before Fedora 18 was released because I wanted ipa 3 and that was the only way I could get it.
Will they get merged at some point or can I do it manually?

>> Can anyone suggest how I go about fixing this issue?
>
> Well, ipa-server-uninstall can misbehave if CA installation goes wrong (ticket #2796).
> So I would start by uninstalling, then running the following command to make sure CA is not left:
>   sudo pkidestroy -s CA -i pki-tomcat
> then installing again.

Ran that on my replica after the install and before the clean and it said this.
That would make sense because it fails during the ca creation stage.

root@ipa2 ~]# pkidestroy -s CA -i pki-tomcat
ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!

> Can you also provide logs without the --skip-conncheck flag? Specifically the /var/log/ipareplica-conncheck.log should be interesting.

From what I can tell all the tests in the connection check passed.

>> I wanted to create a replica so I could upgrade to fedora 19 and not have to take my single instance of FreeIPA offline while that was happening.
>> Will I need to upgrade to Fedora 19 to fix my issue?
>>
>> For reference this is the point of failure in the /var/log/ipareplica-install.log file:
>>
>> 2013-07-18T01:06:16Z DEBUG Starting external process
>> 2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
>> 2013-07-18T01:08:16Z DEBUG Process finished, return code=1
>> 2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration from /tmp/tmpFKBxMW.
>> ERROR: Unable to access security domain: 503 Server Error: Service Unavailable
>
> Please also check logs on the existing server. Is the CA available?
> Does e.g. `ipa cert-show 1` work?
>
>> 2013-07-18T01:08:16Z DEBUG stderr=
>> 2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit status 1
>> 2013-07-18T01:08:16Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 619, in run_script
>>     return_value = main_function()
>>
>>   File "/usr/sbin/ipa-replica-install", line 652, in main
>>     (CA, cs) = cainstance.install_replica_ca(config, dogtag_master_ds_port)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1809, in install_replica_ca
>>     subject_base=config.subject_base)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 625, in configure_instance
>>     self.start_creation(runtime=210)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 358, in start_creation
>>     method()
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 744, in __spawn_instance
>>     raise RuntimeError('Configuration of CA failed')
>>
>> 2013-07-18T01:08:16Z INFO The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed
>>
>> On 17 July 2013 15:52, Pete Brown wrote:
>>> Hi everyone,
>>>
>>> I am attempting to create a replica of my freeipa server.
>>> I am following the docs but they are not working for me.
>>> I am getting the vague impre
[Freeipa-users] Redhat IPA as a SSL CA
Hi,

I've been using Redhat IPA 2.2 as our internal CA quite successfully for a while and managing it from the IPA management website.

I'm struggling to find precise information about the SSL certs and management at a CLI level.

1) Can I submit SSL CSR via cli?
2) Where are the approved client SSL certs kept in IPA?

cya

Craig
Re: [Freeipa-users] freeipa-client on Debian Wheezy
Hi,

I have these 3 error/warning messages when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):

=> certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
There is no such file even on RHEL 6. What is this file?

=> host_mod: KerbTransport instance has no attribute '_conn'
What does that mean?

=> Failed to upload host SSH public keys.
This is strange because the SSH keys are correctly uploaded!

Here is the complete stack trace:

Server:
ipa host-add test1.numeezy.fr --platform="VMware, Inc." --os="Debian GNU/Linux 7.1 (wheezy)" --password=OTP_password

Client:
# ipa-client-install --server=inf-ipa.numeezy.fr --hostname=test1.numeezy.fr --domain=numeezy.fr --realm=NUMEEZY.FR --password=OTP_password --no-ntp --unattended
Hostname: test1.numeezy.fr
Realm: NUMEEZY.FR
DNS Domain: numeezy.fr
IPA Server: inf-ipa.numeezy.fr
BaseDN: dc=numeezy,dc=fr

Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Enrolled in IPA realm NUMEEZY.FR
Created /etc/ipa/default.conf
Domain numeezy.fr is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm NUMEEZY.FR
trying https://inf-ipa.numeezy.fr/ipa/xml
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://inf-ipa.numeezy.fr/ipa/xml'
host_mod: KerbTransport instance has no attribute '_conn'
Failed to upload host SSH public keys.

Please let me know if more information is needed and thanks in advance for your help.

Regards,
Alexandre

On 18 Jul 2013 at 19:49, Arthur wrote:
> On Fri, 12 Jul 2013 19:57:09 +0200, Alexandre Ellert wrote:
>
>> Thanks for pointing that bug, compilation succeeded if adding "X-Python-Version: 2.7" to debian/control file. Now, testing functionality... I can give you some feedback if you want (I'm new here. Are there only RHEL/Fedora users on this mailing list?)
>>
>> On 12 Jul 2013 at 19:36, Alexander Bokovoy wrote:
>>
>>> On Fri, 12 Jul 2013, Alexandre Ellert wrote:
>>>> Hi,
>>>>
>>>> I'm currently trying to get a functional .deb package working on Debian Wheezy. I have tried to recompile a package from Ubuntu Precise (https://launchpad.net/~freeipa/+archive/ppa) without success.
>>>>
>>>> First error was about compiling ipa-join:
>>>>
>>>> ipa-join.c: In function ‘callRPC’:
>>>> ipa-join.c:174:20: error: ‘struct xmlrpc_curl_xportparms’ has no member named ‘gssapi_delegation’
>>>>
>>>> => Fix: Add backport-gssapi-delegation.patch to package xmlrpc-c and then install the resulting libxmlrpc-core-c3-dev.deb and libxmlrpc-core-c3.deb
>>>>
>>>> Now, recompile again with the new patched libxmlrpc-core-c3... compilation goes further, but I'm stuck at the end of the process of building the .deb:
>>>>
>>>> dh_install --list-missing
>>>> dh_install: usr/share/man/man1/ipa-client-automount.1.gz exists in debian/tmp but is not installed to anywhere
>>>> dh_install: usr/sbin/ipa-client-automount exists in debian/tmp but is not installed to anywhere
>>>> make[1]: quittant le répertoire « /root/freeipa-ppa/freeipa-3.2.0 »
>>>> dh_install
>>>> dh_installdocs
>>>> dh_installchangelogs
>>>> dh_installexamples
>>>> dh_installman
>>>> dh_installcatalogs
>>>> dh_installcron
>>>> dh_installdebconf
>>>> dh_installemacsen
>>>> dh_installifupdown
>>>> dh_installinfo
>>>> dh_python2
>>>> E: dh_python2:145: extension for python2.6 is missing. Build extensions for all supported Python versions (`pyversions -vr`) or adjust X-Python-Version field or pass --no-guessing-versions to dh_python2
>>>> make: *** [binary] Erreur 3
>>>> dpkg-buildpackage: erreur: debian/rules binary a produit une erreur de sortie de type 2
>>>>
>>>> Any idea or advice about how to backport freeipa-client to wheezy?
>>>
>>> Perhaps, you can fix it in a manner similar to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628827
>>>
>>> --
>>> / Alexander Bokovoy
>
> That is great! I have to use some debian servers. It would be good to add them to IPA-domain :)
Re: [Freeipa-users] IPA + AD authentication in apache
Hi.

I've done the kerberos part with several Apache Web servers with success. I've not done the fallback to ldap basic auth.

Set KrbServiceName to Any in httpd.conf and put a HTTP service kerberos keytab from AD and one from IPA in the same keytab file. Reference this keytab file in httpd.conf.

Regards
Siggi

KodaK wrote:
> Another off the wall one from me, but I just want to know if this is worth pursuing.
>
> I have a series of internal web applications that authenticate variously to AD or IPA via prompted credentials.
>
> I'd like to use Kerberos tickets (and fall back to LDAP) instead.
>
> I have an IPA connected apache server that most of this stuff runs on.
>
> Is it possible to use both?
>
> I'm going to try following this example to get my feet wet:
>
> http://www.tuxlanding.net/kerberos-authentication-with-apache-in-a-multi-domain-active-directory/
>
> but that's just talking about multiple AD realms. I'd like to know if there were any special considerations for IPA.
>
> Thanks again,
>
> --Jason
>
> --
> The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
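Whether the merged keytab really holds an HTTP key for each realm is easy to verify from `klist -kt` before touching httpd.conf. The Python below is an added example (not Siggi's code, nor part of mod_auth_kerb or FreeIPA): it parses a constructed `klist -kt` listing and checks that `HTTP/<fqdn>@<REALM>` is present for every realm Apache must accept; the same check run for `host/<fqdn>` covers the keytab question in the "Host certificate issue" thread earlier on this page. Host names, realms, KVNOs and timestamps are placeholders.

```python
"""Check a keytab listing for the principals an Apache Kerberos setup needs.

Added example, not from the thread. It parses `klist -kt` output (a
constructed sample is embedded below) and confirms that service/<fqdn>
has a key in every realm that must be accepted. All names are placeholders.
"""
import re
from collections import defaultdict

# Constructed `klist -kt` output for a keytab that merges the AD and the IPA
# HTTP keytabs of one web server; the host/ key exists only in the IPA realm.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/httpd/httpd.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 07/18/13 13:14:06 HTTP/web1.example.com@EXAMPLE.COM
   3 07/18/13 13:14:06 HTTP/web1.example.com@EXAMPLE.COM
   5 07/18/13 13:20:11 HTTP/web1.example.com@AD.EXAMPLE.COM
   2 07/18/13 13:14:07 host/web1.example.com@EXAMPLE.COM
"""

# One entry line: key version, date + time, principal. Header and rule lines
# start with letters or dashes and therefore do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)$")


def parse_klist(text):
    """Return (kvno, principal) tuples, one per key entry in the listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3)))
    return entries


def keys_by_principal(entries):
    """Map principal -> set of key version numbers present for it."""
    out = defaultdict(set)
    for kvno, princ in entries:
        out[princ].add(kvno)
    return out


def missing_principals(entries, service, fqdn, realms):
    """Realms in `realms` for which service/fqdn@REALM has no key at all."""
    present = keys_by_principal(entries)
    return [r for r in realms
            if "%s/%s@%s" % (service, fqdn, r) not in present]


def check_keytab(text, service, fqdn, realms):
    """Return (ok, missing_realms) for a `klist -kt` listing."""
    missing = missing_principals(parse_klist(text), service, fqdn, realms)
    return (not missing, missing)


if __name__ == "__main__":
    both = ["EXAMPLE.COM", "AD.EXAMPLE.COM"]
    ok, missing = check_keytab(SAMPLE_KLIST, "HTTP", "web1.example.com", both)
    print("HTTP keytab complete" if ok else "HTTP key missing for: %s" % missing)
    ok, missing = check_keytab(SAMPLE_KLIST, "host", "web1.example.com", both)
    print("host keytab complete" if ok else "host key missing for: %s" % missing)
```

On a live server replace `SAMPLE_KLIST` with the output of `klist -kt /etc/httpd/httpd.keytab` (the path httpd.conf references); a realm reported as missing means clients holding a ticket from that realm will fail the Negotiate exchange no matter what `KrbServiceName` is set to.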
[Freeipa-users] IPA + AD authentication in apache
Another off the wall one from me, but I just want to know if this is worth pursuing.

I have a series of internal web applications that authenticate variously to AD or IPA via prompted credentials.

I'd like to use Kerberos tickets (and fall back to LDAP) instead.

I have an IPA connected apache server that most of this stuff runs on.

Is it possible to use both?

I'm going to try following this example to get my feet wet:

http://www.tuxlanding.net/kerberos-authentication-with-apache-in-a-multi-domain-active-directory/

but that's just talking about multiple AD realms. I'd like to know if there were any special considerations for IPA.

Thanks again,

--Jason

--
The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6
Re: [Freeipa-users] sudo rules user and host group bugs?
host1-> nisdomainname
my_domain.com
host1-> rpm -q sudo
sudo-1.7.2p1-6.el5_5

Thanks,
-Mark

Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
mto...@go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Pavel Brezina
Sent: Thursday, July 18, 2013 2:03 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

On 07/17/2013 06:39 PM, Tovey, Mark wrote:
> Okay, I get it (pardon my obtuseness).
>
> host1-> getent netgroup hgroup1
> hgroup1 (host1.my_domain.com, -, my_domain.com)
>
> So netgroups are working. The host group is defined in IPA and getent is able to access that information.
>
> Thanks,
> -Mark

Hi,
can you also paste the output of the following commands please?

$ nisdomainname
$ rpm -q sudo

Thanks,
Pavel.

> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> mto...@go2uti.com | O / C +1 503 953-1389
>
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Wednesday, July 17, 2013 8:58 AM
> To: Tovey, Mark
> Cc: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On Wed, Jul 17, 2013 at 03:01:58PM +, Tovey, Mark wrote:
>> We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.
>
> OK, these are recent enough to support netgroups and the compat tree should be configured automatically.
>
>> Those came out of the 'latest' repository. We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything.
>
> Every hostgroup is automatically translated into a netgroup on the server side. You said you have some host groups present, so does "getent netgroup" return any netgroup data?
>
>> Thanks,
>> -Mark
>>
>> Mark Tovey - UNIX Engineer | Service Strategy & Design
>> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>> mto...@go2uti.com | O / C +1 503 953-1389
>>
>> -----Original Message-----
>> From: Jakub Hrozek [mailto:jhro...@redhat.com]
>> Sent: Wednesday, July 17, 2013 1:32 AM
>> To: Tovey, Mark
>> Cc: d...@redhat.com; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>> On Tue, Jul 16, 2013 at 09:13:00PM +, Tovey, Mark wrote:
>>> We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:
>>
>> Hi Mark,
>>
>> you said your client is OEL *5.5*? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version..
>>
>> What is the output of "rpm -q sssd" and "rpm -q ipa-client"?
>>
>> Does getent netgroup work?
>>
>>> [sssd]
>>> config_file_version = 2
>>> services = nss, pam
>>> domains = my_domain.com
>>>
>>> [nss]
>>>
>>> [pam]
>>>
>>> [domain/my_domain.com]
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = my_domain.com
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> chpass_provider = ipa
>>> ipa_server = _srv_, ipa_server.my_domain.com
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> debug_level = 6
>>>
>>> And the nsswitch.conf file:
>>>
>>> passwd:     files sss
>>> shadow:     files sss
>>> group:      files sss
>>>
>>> hosts:      files dns
>>>
>>> bootparams: nisplus [NOTFOUND=return] files
>>>
>>> ethers:     files
>>> netmasks:   files
>>> networks:   files
>>> protocols:  files
>>> rpc:        files
>>> services:   files
>>>
>>> netgroup:   files sss
>>>
>>> publickey:  nisplus
>>>
>>> automount:  files ldap
>>> aliases:    files
>>>
>>> sudoers:    files ldap
>>>
>>> Thanks,
>>> -Mark
>>>
>>> Mark Tovey - UNIX Engineer | Service Strategy & Design
>>> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>>> mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>>>
>>> -----Original Message-----
>>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
>>> Sent: Tuesday, July 16, 2013 12:51 PM
>>> To: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>
>>> On 07/16/2013 02:11 PM, Tovey, Mark wrote:
>>>> My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0
Re: [Freeipa-users] freeipa-client on Debian Wheezy
On Fri, 12 Jul 2013 19:57:09 +0200 Alexandre Ellert writes:
> Thanks for pointing out that bug, compilation succeeded after adding "X-Python-Version: 2.7" to debian/control file. Now, testing functionality... I can give you some feedback if you want (I'm new here. Are there only RHEL/Fedora users on this mailing list ?)
> 
> On 12 Jul 2013 at 19:36, Alexander Bokovoy wrote:
> 
> > On Fri, 12 Jul 2013, Alexandre Ellert wrote:
> >> Hi,
> >> 
> >> I'm currently trying to get a functional .deb package working on Debian Wheezy. I have tried to recompile a package from Ubuntu Precise (https://launchpad.net/~freeipa/+archive/ppa) without success.
> >> 
> >> First error was about compiling ipa-join :
> >> ipa-join.c: In function ‘callRPC’:
> >> ipa-join.c:174:20: error: ‘struct xmlrpc_curl_xportparms’ has no member named ‘gssapi_delegation’
> >> => Fix : Add backport-gssapi-delegation.patch to package xmlrpc-c and then install resulting libxmlrpc-core-c3-dev.deb and libxmlrpc-core-c3.deb
> >> 
> >> Now, recompile again with new patched libxmlrpc-core-c3... compilation goes further, but I'm stuck at the end of the process of building .deb :
> >> dh_install --list-missing
> >> dh_install: usr/share/man/man1/ipa-client-automount.1.gz exists in debian/tmp but is not installed to anywhere
> >> dh_install: usr/sbin/ipa-client-automount exists in debian/tmp but is not installed to anywhere
> >> make[1]: quittant le répertoire « /root/freeipa-ppa/freeipa-3.2.0 »
> >> dh_install
> >> dh_installdocs
> >> dh_installchangelogs
> >> dh_installexamples
> >> dh_installman
> >> dh_installcatalogs
> >> dh_installcron
> >> dh_installdebconf
> >> dh_installemacsen
> >> dh_installifupdown
> >> dh_installinfo
> >> dh_python2
> >> E: dh_python2:145: extension for python2.6 is missing. Build extensions for all supported Python versions (`pyversions -vr`) or adjust X-Python-Version field or pass --no-guessing-versions to dh_python2
> >> make: *** [binary] Erreur 3
> >> dpkg-buildpackage: erreur: debian/rules binary a produit une erreur de sortie de type 2
> >> 
> >> Any idea or advice about how to backport freeipa-client to wheezy ?
> > Perhaps, you can fix it in a manner similar to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628827
> > 
> > -- 
> > / Alexander Bokovoy
> 
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

That is great! I have to use some Debian servers. It would be good to add them to IPA-domain :)
Re: [Freeipa-users] freeipa-client on Debian Wheezy
I've made packages for Debian Wheezy (actually only amd64). The goal is to have a fully functional client compatible with a CentOS/RHEL 6.4 freeipa server 3.0.0. Actually, domain join, ssh key upload, certificate enrollment and sudo integration work in my environment.

If you want to test, just add this to /etc/apt/sources.list :
deb http://apt.numeezy.fr wheezy main
deb-src http://apt.numeezy.fr wheezy main
and import my GPG key :
# wget -qO - http://apt.numeezy.fr/numeezy.asc | sudo apt-key add -
Then, install the package named freeipa-client. You can also download the source using : apt-get source freeipa.

Feel free to contact me if you have any issue using this package.

PS : I've based my work on the package done by Timo Aaltonen for Ubuntu. Thanks to him for his excellent work !

Alexandre

On 15 Jul 2013 at 08:37, Petr Spacek wrote:

> On 12.7.2013 19:57, Alexandre Ellert wrote:
>> Thanks for pointing out that bug, compilation succeeded after adding "X-Python-Version: 2.7" to debian/control file.
>> Now, testing functionality...
>> I can give you some feedback if you want (I'm new here. Are there only RHEL/Fedora users on this mailing list ?)
> 
> This list is not Fedora/RHEL specific. We are glad to hear about ports to other distributions, please continue! :-)
> 
> -- 
> Petr^2 Spacek
Re: [Freeipa-users] help: ipa error 4301
I am glad to hear that. Can you just please send me the respective AVCs from /var/log/audit/audit.log? FreeIPA software is supposed to be run with SELinux enforced and we do our best so that it really works with SELinux enforced. Thanks, Martin On 07/18/2013 06:09 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote: > SOLUTION > > Just to follow up, I found that SELinux was the problem. Once I ran > "#setenforce 0" the ipa-client-install script worked with no issue and my > client got a valid certificate. Thanks for looking! > > Matthew Shapiro > > > -Original Message- > From: Martin Kosek [mailto:mko...@redhat.com] > Sent: Thursday, July 18, 2013 1:15 AM > To: Shapiro, Matthew E CTR DODHRA DMDC (US) > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] help: ipa error 4301 > > On 07/17/2013 11:14 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote: >> Hi , >> >> >> >> While running the ipa-client-install script on a RHEL 6.4 server, I get the >> following output (please note the indicated line with the arrow): >> >> >> >> [root@[hostname]]# ipa-client-install >> >> Discovery was successful! >> >> Hostname: [hostname] >> >> Realm: example.com >> >> DNS Domain: example.com >> >> IPA Server: chtvm-389.example.com >> >> BaseDN: dc=example,dc=com >> >> >> >> Continue to configure the system with these values? [no]: yes >> >> User authorized to enroll computers: admin >> >> Password for admin example com: >> >> >> >> Enrolled in IPA realm example.com >> >> Created /etc/ipa/default.conf >> >> Configured /etc/sssd/sssd.conf >> >> Configured /etc/krb5.conf for IPA realm example.com >> >> SSSD enabled >> >> Kerberos 5 enabled >> >> ---àUnable to find 'admin' user with 'getent passwd admin'! >> >> Recognized configuration: SSSD >> >> NTP enabled >> >> Client configuration complete. >> >> >> >> Also, please note that I've obfuscated the hostname, domain, and realm for >> security reasons.I believe I've narrowed down the problem to certificate >> enrollment. 
When I check my IPA Server Web UI, I have a notice in my host >> details that says "no valid certificate present." I then checked my client >> host by running: >> >> >> >> [root@hostname user]# ipa-getcert list >> >> Number of certificates and requests being tracked: 1. >> >> Request ID '20130717205230': >> >> status: CA_UNCONFIGURED >> >> ca-error: Error setting up ccache for local "host" service using >> default keytab: Resource temporarily unavailable. >> >> stuck: yes >> >> key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA >> Machine Certificate - hostname.example.com',token='NSS Certificate DB' >> >> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA >> Machine >> Certificate - hostname.example.com ' >> >> CA: IPA >> >> issuer: >> >> subject: >> >> expires: unknown >> >> pre-save command: >> >> post-save command: >> >> track: yes >> >> auto-renew: yes >> >> >> >> I'm concerned about that "stuck" field, I have no idea what that means. >> >> I have other RHEL 6.4 clients that have been able to join my IPA domain with >> no >> issue at all, but this one client baffles me. Any thoughts?? >> >> >> >> -- >> >> Matthew Shapiro >> >> Systems Administrator >> >> >> >> Trofholz Technologies, Inc. >> >> Defense Personnel and Security Research Center (PERSEREC) >> >> Defense Manpower Data Center (DMDC) >> >> Office: 831.583.2828 >> >> >> >> >> >> ___ >> Freeipa-users mailing list >> Freeipa-users@redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > There seems to be something wrong with the host keytab: > > ... > >> ca-error: Error setting up ccache for local "host" service using >> default keytab: Resource temporarily unavailable. > > Can you check if the host principal in keytab are correct? > > # klist -kt /etc/krb5.keytab > > Are you able to kinit with the host principal? 
> 
> # kinit -kt /etc/krb5.keytab host/[hostname]@[REALM]
> 
> Another issue I saw (Unable to find 'admin' user with 'getent passwd admin') - is this still not working?
> 
> # getent passwd admin
> 
> Martin
Re: [Freeipa-users] help: ipa error 4301
SOLUTION Just to follow up, I found that SELinux was the problem. Once I ran "#setenforce 0" the ipa-client-install script worked with no issue and my client got a valid certificate. Thanks for looking! Matthew Shapiro -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Thursday, July 18, 2013 1:15 AM To: Shapiro, Matthew E CTR DODHRA DMDC (US) Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] help: ipa error 4301 On 07/17/2013 11:14 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote: > Hi , > > > > While running the ipa-client-install script on a RHEL 6.4 server, I get the > following output (please note the indicated line with the arrow): > > > > [root@[hostname]]# ipa-client-install > > Discovery was successful! > > Hostname: [hostname] > > Realm: example.com > > DNS Domain: example.com > > IPA Server: chtvm-389.example.com > > BaseDN: dc=example,dc=com > > > > Continue to configure the system with these values? [no]: yes > > User authorized to enroll computers: admin > > Password for admin example com: > > > > Enrolled in IPA realm example.com > > Created /etc/ipa/default.conf > > Configured /etc/sssd/sssd.conf > > Configured /etc/krb5.conf for IPA realm example.com > > SSSD enabled > > Kerberos 5 enabled > > ---àUnable to find 'admin' user with 'getent passwd admin'! > > Recognized configuration: SSSD > > NTP enabled > > Client configuration complete. > > > > Also, please note that I've obfuscated the hostname, domain, and realm for > security reasons.I believe I've narrowed down the problem to certificate > enrollment. When I check my IPA Server Web UI, I have a notice in my host > details that says "no valid certificate present." I then checked my client > host by running: > > > > [root@hostname user]# ipa-getcert list > > Number of certificates and requests being tracked: 1. 
> > Request ID '20130717205230': > > status: CA_UNCONFIGURED > > ca-error: Error setting up ccache for local "host" service using > default keytab: Resource temporarily unavailable. > > stuck: yes > > key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA > Machine Certificate - hostname.example.com',token='NSS Certificate DB' > > certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA > Machine > Certificate - hostname.example.com ' > > CA: IPA > > issuer: > > subject: > > expires: unknown > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > > > I'm concerned about that "stuck" field, I have no idea what that means. > > I have other RHEL 6.4 clients that have been able to join my IPA domain with > no > issue at all, but this one client baffles me. Any thoughts?? > > > > -- > > Matthew Shapiro > > Systems Administrator > > > > Trofholz Technologies, Inc. > > Defense Personnel and Security Research Center (PERSEREC) > > Defense Manpower Data Center (DMDC) > > Office: 831.583.2828 > > > > > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > There seems to be something wrong with the host keytab: ... > ca-error: Error setting up ccache for local "host" service using > default keytab: Resource temporarily unavailable. Can you check if the host principal in keytab are correct? # klist -kt /etc/krb5.keytab Are you able to kinit with the host principal? # kinit -kt /etc/krb5.keytab host/[hostname]@[REALM] Another issue I saw (Unable to find 'admin' user with 'getent passwd admin') - is this still not working? # getent passwd admin Martin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Announcing bind-dyndb-ldap version 3.5
The FreeIPA team is proud to announce bind-dyndb-ldap version 3.5. It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/.

The new version has also been built for Fedora 19 and is on its way to updates-testing: https://admin.fedoraproject.org/updates/bind-dyndb-ldap-3.5-1.fc19

This release *enables persistent search by default*. Other changes include minor fixes and changes in documentation.

== Changes in 3.5 ==
[1] Crash triggered by zone_refresh with broken connection to LDAP was fixed.
[2] Code was changed to not trigger false positives in Clang static analyzer.
[3] Persistent search is enabled by default.
[4] Options cache_ttl, psearch and zone_refresh were formally deprecated.
[5] Autotools should work on aarch64 (ARM64).

== Upgrading ==
A server can be upgraded simply by installing updated rpms. BIND has to be restarted manually after the RPM installation. You will need to clean up configuration file /etc/named.conf if your configuration contains typos or other unsupported options.

Downgrading back to any 2.x version is supported under the following conditions:
- new object class idnsForwardZone is not utilized
- record types not supported by 2.x versions are not utilized
- configured connection count is >= 3 (to prevent deadlocks in 2.x releases)

== Important change planned for 4.0 release ==
Configurations with and without persistent search are now deprecated. Support for 'zone_refresh' and 'psearch' options will be removed in 4.0 release. Bind-dyndb-ldap 4.0 will require LDAP server with support for RFC 4533. 389 DS team is actively working on this feature: https://fedorahosted.org/389/ticket/47388

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list: http://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Petr Spacek
Software engineer
Red Hat
Re: [Freeipa-users] sudo rules user and host group bugs?
On 07/17/2013 06:39 PM, Tovey, Mark wrote: Okay, I get it (pardon my obtuseness). host1-> getent netgroup hgroup1 hgroup1 (host1.my_domain.com, -, my_domain.com) So netgroups are working. The host group is defined in IPA and getent is able to access that information. Thanks, -Mark Hi, can you also paste the output of following commands please? $ nisdomainname $ rpm -q sudo Thanks, Pavel. Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 -Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Wednesday, July 17, 2013 8:58 AM To: Tovey, Mark Cc: d...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? On Wed, Jul 17, 2013 at 03:01:58PM +, Tovey, Mark wrote: We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed. OK, these are recent enough to support netgroups and the compat tree should be configured automatically. Those came out of the 'latest' repository. We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything. Every hostgroup is automatically translated into a netgroup on the server side. You said you have some host groups present, so does "getent netgroup return any netgroup data? Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 -Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Wednesday, July 17, 2013 1:32 AM To: Tovey, Mark Cc: d...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? On Tue, Jul 16, 2013 at 09:13:00PM +, Tovey, Mark wrote: We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script: Hi Mark, you said your client is OEL *5.5* ? 
The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version.. What is the output of "rpm -q sssd" and "rpm -q ipa-client" ? Does getent netgroup work? [sssd] config_file_version = 2 services = nss, pam domains = my_domain.com [nss] [pam] [domain/my_domain.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = my_domain.com id_provider = ipa auth_provider = ipa access_provider = ipa chpass_provider = ipa ipa_server = _srv_, ipa_server.my_domain.com ldap_tls_cacert = /etc/ipa/ca.crt debug_level = 6 And the nsswitch.conf file: passwd: files sss shadow: files sss group: files sss hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc:files services: files netgroup: files sss publickey: nisplus automount: files ldap aliases:files sudoers:files ldap Thanks, -Mark Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA mto...@go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2 -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal Sent: Tuesday, July 16, 2013 12:51 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] sudo rules user and host group bugs? On 07/16/2013 02:11 PM, Tovey, Mark wrote: My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0. We chose these because we were able to find RPM packages for them. We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet. Again, we are just evaluating at this point. So far, so good, except for this one point. The doman name, host name, and nsswitch.conf files are all properly configured. 
But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file). After you asked about that, I started looking into the documentation on netgroups. The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats." But when I look in the Netgroups area, I do not see any netgroups defined. I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with
Re: [Freeipa-users] problem creating replica
On 07/18/2013 03:31 AM, Pete Brown wrote:
I opened all the ports that seemed to be listening on the master. I also ran the setup again without disabling the connection check to see what else needed fixing.
After much investigation and log dredging it seems my admin password had expired. I wasn't aware that was possible. I reset the password and it seemed to get further.
Then, for some reason not mentioned in the documentation, the replica is trying to ssh into the master as admin. I managed to fix that by changing my setup and ssh config files.
Then it actually managed to start the setup process. But again it fails at exactly the same point mentioned in my initial email.
After some further digging with reference to the log output below it seems I have run into a bug that seems to have been fixed. https://fedorahosted.org/freeipa/ticket/3213
As I mentioned I am running current Fedora 18 so freeipa is 3.1.5-1.fc18; is that fixed in my version?

Yes, that bug was fixed in 3.1.0.

It also seems the dogtag and IPA directories will be or have been merged? Which version did this happen in and will it get applied to my server?

Also in 3.1.0; new servers installed using that version have merged databases.

Can anyone suggest how I go about fixing this issue?

Well, ipa-server-uninstall can misbehave if CA installation goes wrong (ticket #2796). So I would start by uninstalling, then running the following command to make sure CA is not left:
sudo pkidestroy -s CA -i pki-tomcat
then installing again.

Can you also provide logs without the --skip-conncheck flag? Specifically the /var/log/ipareplica-conncheck.log should be interesting.

I wanted to create a replica so I could upgrade to fedora 19 and not have to take my single instance of FreeIPA offline while that was happening. Will I need to upgrade to Fedora 19 to fix my issue?
For reference this is the point of failure in the /var/log/ipareplica-install.log file 2013-07-18T01:06:16Z DEBUG Starting external process 2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW 2013-07-18T01:08:16Z DEBUG Process finished, return code=1 2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration from /tmp/tmpFKBxMW. ERROR: Unable to access security domain: 503 Server Error: Service Unavailable Please also check logs on the existing server. Is the CA available? Does e.g. `ipa cert-show 1` work? 2013-07-18T01:08:16Z DEBUG stderr= 2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit status 1 2013-07-18T01:08:16Z INFO File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 619, in run_script return_value = main_function() File "/usr/sbin/ipa-replica-install", line 652, in main (CA, cs) = cainstance.install_replica_ca(config, dogtag_master_ds_port) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1809, in install_replica_ca subject_base=config.subject_base) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 625, in configure_instance self.start_creation(runtime=210) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 358, in start_creation method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 744, in __spawn_instance raise RuntimeError('Configuration of CA failed') 2013-07-18T01:08:16Z INFO The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed On 17 July 2013 15:52, Pete Brown wrote: Hi everyone, I am attempting to create a replica of my freeipa server. I am following the docs but they are not working for me. I am getting the vague impression I am missing a step that doesn't seem to be documented. 
For the record all the posts listed are open and it was a clean install of Fedora 18. I thought the server may need to be a client of the master before I set it up as a replica but it just said I needed to uninstall the client setup. After running ipa-replica-prepare on the master and scping the file to the new replica. I ran this command on the new replica ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns --forwarder=XXX.XXX.XXX.XX --forwarder=XX.XXX.XXX.XXX /var/lib/ipa/replica-info-ipa2.domain.com.gpg The error I am seeing is from that command is this: Cannot acquire Kerberos ticket: kinit: Cannot read password while getting initial credentials Connection check failed! Please fix your network settings according to error messages above. If the check results are not valid it can be skipped with --skip-conncheck parameter. So I cleaned everything off (i think) and tried it with this command ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns --forwarder=61.9.211.33 --forwarder=61.9.211.1 --skip-conncheck /var/lib/ipa/replica-info-ipa2.webgatetec.com.gpg This seems to
Re: [Freeipa-users] help: ipa error 4301
On 07/17/2013 11:14 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote: > Hi , > > > > While running the ipa-client-install script on a RHEL 6.4 server, I get the > following output (please note the indicated line with the arrow): > > > > [root@[hostname]]# ipa-client-install > > Discovery was successful! > > Hostname: [hostname] > > Realm: example.com > > DNS Domain: example.com > > IPA Server: chtvm-389.example.com > > BaseDN: dc=example,dc=com > > > > Continue to configure the system with these values? [no]: yes > > User authorized to enroll computers: admin > > Password for admin example com: > > > > Enrolled in IPA realm example.com > > Created /etc/ipa/default.conf > > Configured /etc/sssd/sssd.conf > > Configured /etc/krb5.conf for IPA realm example.com > > SSSD enabled > > Kerberos 5 enabled > > ---àUnable to find 'admin' user with 'getent passwd admin'! > > Recognized configuration: SSSD > > NTP enabled > > Client configuration complete. > > > > Also, please note that I’ve obfuscated the hostname, domain, and realm for > security reasons.I believe I’ve narrowed down the problem to certificate > enrollment. When I check my IPA Server Web UI, I have a notice in my host > details that says “no valid certificate present.” I then checked my client > host by running: > > > > [root@hostname user]# ipa-getcert list > > Number of certificates and requests being tracked: 1. > > Request ID '20130717205230': > > status: CA_UNCONFIGURED > > ca-error: Error setting up ccache for local "host" service using > default keytab: Resource temporarily unavailable. 
> > stuck: yes > > key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA > Machine Certificate - hostname.example.com',token='NSS Certificate DB' > > certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA > Machine > Certificate - hostname.example.com ' > > CA: IPA > > issuer: > > subject: > > expires: unknown > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > > > I’m concerned about that “stuck” field, I have no idea what that means. > > I have other RHEL 6.4 clients that have been able to join my IPA domain with > no > issue at all, but this one client baffles me. Any thoughts?? > > > > -- > > Matthew Shapiro > > Systems Administrator > > > > Trofholz Technologies, Inc. > > Defense Personnel and Security Research Center (PERSEREC) > > Defense Manpower Data Center (DMDC) > > Office: 831.583.2828 > > > > > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > There seems to be something wrong with the host keytab: ... > ca-error: Error setting up ccache for local "host" service using > default keytab: Resource temporarily unavailable. Can you check if the host principal in keytab are correct? # klist -kt /etc/krb5.keytab Are you able to kinit with the host principal? # kinit -kt /etc/krb5.keytab host/[hostname]@[REALM] Another issue I saw (Unable to find 'admin' user with 'getent passwd admin') - is this still not working? # getent passwd admin Martin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
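A small checker for the keytab question Martin raises above (does /etc/krb5.keytab actually hold host/<fqdn>@<REALM>, the principal certmonger's "host" service needs?). This is an added example, not code from the thread or from FreeIPA: it parses the output of `klist -kt` and explains a mismatch; the listing and the hostname client.example.com are constructed.

```python
"""Check a `klist -kt` listing for a usable host principal.

Added example (not from the mailing-list thread or FreeIPA). Feed it the
text printed by `klist -kt /etc/krb5.keytab` and the host's FQDN and
realm; it reports whether host/<fqdn>@<REALM> is present and, if not,
whether the keytab holds a principal with a different hostname or realm.
"""
import re
from collections import defaultdict

# Constructed sample: what `klist -kt` prints on a healthy client
# (two key versions present, as after a re-enrolment).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 07/18/13 13:14:06 host/client.example.com@EXAMPLE.COM
   2 07/18/13 13:14:07 host/client.example.com@EXAMPLE.COM
   1 07/18/13 13:14:07 host/client.example.com@EXAMPLE.COM
"""

# One keytab entry: KVNO, date and time, principal. The header and the
# dashed rule do not start with a number, so they are skipped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s*$")


def parse_klist(text):
    """Map each principal in the listing to its sorted list of KVNOs."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvnos[m.group(3)].add(int(m.group(1)))
    return {princ: sorted(v) for princ, v in kvnos.items()}


def check_host_keytab(klist_text, fqdn, realm):
    """Return a dict: ok flag, expected principal, its KVNOs, and hints."""
    expected = "host/%s@%s" % (fqdn, realm.upper())
    entries = parse_klist(klist_text)
    if expected in entries:
        return {"ok": True, "principal": expected,
                "kvnos": entries[expected], "hints": []}

    hints = []
    for princ in entries:
        name, _, princ_realm = princ.partition("@")
        if name == "host/" + fqdn:
            # Same host, wrong (or empty) realm: a realm-less principal
            # is what an unqualified hostname produces.
            hints.append("realm mismatch: keytab has %s" % princ)
        elif name.startswith("host/") and princ_realm == realm.upper():
            # Right realm, but the keytab was made for another hostname
            # (or the host was renamed after enrolment).
            hints.append("hostname mismatch: keytab has %s" % princ)
    if not entries:
        hints.append("no entries parsed: keytab empty or unreadable")
    return {"ok": False, "principal": expected, "kvnos": [], "hints": hints}


if __name__ == "__main__":
    # On a real client replace SAMPLE_KLIST with the output of
    # `klist -kt /etc/krb5.keytab` and fqdn with `hostname -f`.
    print(check_host_keytab(SAMPLE_KLIST, "client.example.com", "EXAMPLE.COM"))
```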
Re: [Freeipa-users] kinit admin password expired
On 07/17/2013 07:03 PM, Joseph, Matthew (EXP) wrote:
> Hello,
> 
> I seem to have run into an issue with our admin account on our FreeIPA server.
> Our password expired (I thought I disabled the password expiration for this account) and when I run kinit admin it prompts me for a new password.
> I type in the old password and then the new one two times but then it states that kinit: Password has expired while getting initial credentials.
> When I run kinit admin again on it the new password is actually set but it tells me that again I need to change the password.
> 
> Luckily that is not our only admin account for FreeIPA but can someone please explain what is happening here?

Can you check the krbpasswordexpiration attribute in the admin account after the password change failed?

$ ipa user-show admin --all | grep krbpasswordexpiration

In the past, I saw a similar failure when somebody configured a password policy (either global or for a group) to a too high value causing some timestamps in KDC<->LDAP layer to overflow - but this should be already fixed in current FreeIPA version (https://fedorahosted.org/freeipa/ticket/3312). You can get the policy with:

$ ipa pwpolicy-show # get the global policy
$ ipa pwpolicy-show admins # gets admins group policy (if you defined it)

Martin