[Freeipa-users] Client not installing
Hi All,

I have a new installation of freeipa ipa-server-3.0.0-37.el6.x86_64 on CentOS 6.5. One of my clients stopped authenticating last night. I performed an ipa-client-install --uninstall from the client, then on trying to delete the host:

# ipa host-del client.x.y.z
ipa: ERROR: Certificate format error: [Errno -5925] error (-5925) unknown

/var/log/krb5kdc.log:

Oct 02 10:27:07 server krb5kdc[30623](info): TGS_REQ (4 etypes {18 17 16 23}) server_IP: ISSUE: authtime 1412221207, etypes {rep=18 tkt=18 ses=18}, HTTP/server@realm for ldap/server@realm
Oct 02 10:27:07 server krb5kdc[30623](info): ... CONSTRAINED-DELEGATION s4u-client=admin@realm

Trying to add back the client:

[root@client ~]# ipa-client-install --domain=domain --server=server
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: server
Realm: realm
DNS Domain: domain
IPA Server: server
BaseDN: dc=baseDN

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@realm:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=realm
    Issuer:      CN=Certificate Authority,O=realm
    Valid From:  Sun Sep 21 20:42:12 2014 UTC
    Valid Until: Thu Sep 21 20:42:12 2034 UTC

Joining realm failed: RPC failed at server. Certificate format error: [Errno -5925] error (-5925) unknown
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Cheers,
Tim

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?
FYI... I used OTP for this. Works a treat! Thanks again Dmitri.

Regards,
Les

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Thursday, 2 October 2014 8:21 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?

Thanks to Dmitri, Petr, Tamas and Yiorgos for all your suggestions. I will try them out today.

Regards,
Les

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, 2 October 2014 3:09 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?

On 10/01/2014 05:44 AM, Yiorgos Stamoulis wrote:
> On 01/10/14 08:19, Les Stott wrote:
>> Hi,
>>
>> I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client. I am working on doing an unattended ipa client installation. I have it working with the following:
>>
>> /usr/sbin/ipa-client-install -p admin -w admin_password -U --no-ntp
>>
>> While this works, while it runs, the admin_password value is visible in the output of a ps -ef command on the host when installing the ipa client.
>>
>> # ps -ef |grep ipa
>> root 30284 30283 43 03:31 ? 00:00:01 /usr/bin/python -E /usr/sbin/ipa-client-install -p admin -w plain_text_password -U --no-ntp
>>
>> This represents a challenge to security, even though it's only minor (as in it's only there for a minute or so), but it's still there and it is the admin password.
>>
>> Can ipa-client-install be updated to include a parameter to retrieve the admin password from a file? i.e.
>>
>> /usr/bin/python -E /usr/sbin/ipa-client-install -p admin -from-file /tmp/credentials -U --no-ntp
>>
>> That would then protect the admin password. I am not familiar with python coding.
>>
>> Thanks in advance,
>> Les
>
> Hi Les,
>
> in addition to the answers you have already received, you can create a user with the 'host enrollment' permission only, so even if the credentials are compromised the damage is minimized. I am using this on 4.0.3 but looking at an older installation the same seems available in 3.0 too.
>
> Best Regards
> Yiorgos

Or you can use OTPs. The OTPs were actually invented for exactly this use case. You register host and generate OTP at that time. Then you pass it to your enrollment script and it is used once.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
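The OTP flow Dmitri describes, worked through as an added example. This is not code from the thread or from the FreeIPA project. It assumes that `ipa host-add FQDN --random` (or `ipa host-mod FQDN --random` for a host that is already registered) prints a "Random password:" line, as IPA 3.x does, and that `ipa-client-install --password OTP --unattended` run without `-p/--principal` treats the value as the bulk-enrollment password. The host-add output, hostnames and domain are constructed placeholders. The point of the `secret_on_command_line` check is the one Les raised: the value passed with `--password` is still visible in `ps -ef`, but with this flow it is a single-use, host-bound OTP rather than the admin password.

```python
"""Unattended IPA client enrollment with a one-time password (OTP).

Added example, not FreeIPA code. Assumes the `ipa` CLI works on the host
that runs provision() (admin Kerberos ticket present) and that IPA 3.x
prints "Random password:" for `ipa host-add/host-mod --random`.
"""
import re
import subprocess
import sys

# Constructed sample of `ipa host-add client.example.com --random` output
# (the password value is made up for this example).
SAMPLE_HOST_ADD_OUTPUT = """\
-----------------------------------
Added host "client.example.com"
-----------------------------------
  Host name: client.example.com
  Random password: 7Kq2v5ZbQxWp9sT
  Password: True
  Keytab: False
  Managed by: client.example.com
"""

_OTP_RE = re.compile(r"^\s*Random password:\s*(\S+)\s*$", re.MULTILINE)


def parse_random_password(host_add_output):
    """Return the OTP from `ipa host-add/host-mod --random` output, or None."""
    match = _OTP_RE.search(host_add_output)
    return match.group(1) if match else None


def host_otp_command(fqdn, existing=False):
    """argv that asks IPA to mint an OTP: host-add for a new host, host-mod for a registered one."""
    return ["ipa", "host-mod" if existing else "host-add", fqdn, "--random"]


def client_install_command(otp, domain, server, extra=()):
    """argv for the client side: the OTP only, no admin principal or admin password."""
    return ["ipa-client-install", "--unattended", "--password", otp,
            "--domain", domain, "--server", server, *extra]


def secret_on_command_line(argv, secret):
    """True if `secret` would show up in `ps -ef` for a process started with `argv`."""
    return secret in argv


def provision(fqdn, domain, server, existing=False):
    """Server-side half: register the host, mint the OTP, return it with the client argv."""
    result = subprocess.run(host_otp_command(fqdn, existing), check=True,
                            capture_output=True, text=True)
    otp = parse_random_password(result.stdout)
    if otp is None:
        raise RuntimeError("no 'Random password:' line in ipa output:\n" + result.stdout)
    return otp, client_install_command(otp, domain, server, ["--no-ntp"])


if __name__ == "__main__":
    # usage: enroll.py client.example.com example.com ipa.example.com
    fqdn, domain, server = sys.argv[1:4]
    otp, argv = provision(fqdn, domain, server)
    print("run on %s: %s" % (fqdn, " ".join(argv)))
```

Ship the OTP to the client out of band (configuration management secret, cloud-init user data over an authenticated channel) and run the returned argv there; a successful enrollment invalidates the OTP, so a value scraped from `ps` afterwards is worthless. If you must enroll with a principal instead, pair it with the enrollment-only account Yiorgos describes rather than `admin`.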
Re: [Freeipa-users] named and IpA
On 10/02/2014 01:05 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> We have IdM running on a RHEL V7 system and have configured a local DNS server in our test lab. We have loaded the various SRV and TXT records needed by the IdM server.
>
> PROBLEM:
>
> From the IdM server we can only look up local records. The name resolver will not attempt to look to any other name servers or domains defined in /etc/resolv.conf.
>
> If I shut down IdM using ipactl stop and then restart named, the name resolver works for local and remote hosts, addresses and domains as well as serving up the SRV records defined on the local host.
>
> Am I correct in assuming that while IdM is up and running, the only other systems it will communicate with, at least with regard to name services, is another host also running IdM defined either as a server or a client?
>
> If this is the case, is there any way to better integrate some of these common services such as named into an existing network such that you are not limited by the IdM components?
>
> Al Licause

If DNS is running on IdM the DNS lookups might be forwarded to different DNS servers depending on your DNS configuration. Based on what you describe it seems that there is some sort of DNS misconfiguration. I would leave it to the gurus to help you with that.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Client not installing
Craig Parker wrote:
> On 02/10/14 15:36, Hatim Diab wrote:
>> Hi All,
>>
>> I have a new installation of freeipa ipa-server-3.0.0-37.el6.x86_64 on CentOS 6.5. One of my clients stopped authenticating last night. I performed an ipa-client-install --uninstall from the client, then on trying to delete the host:
>>
>> # ipa host-del client.x.y.z
>> ipa: ERROR: Certificate format error: [Errno -5925] error (-5925) unknown
>>
>> /var/log/krb5kdc.log:
>>
>> Oct 02 10:27:07 server krb5kdc[30623](info): TGS_REQ (4 etypes {18 17 16 23}) server_IP: ISSUE: authtime 1412221207, etypes {rep=18 tkt=18 ses=18}, HTTP/server@realm for ldap/server@realm
>> Oct 02 10:27:07 server krb5kdc[30623](info): ... CONSTRAINED-DELEGATION s4u-client=admin@realm
>>
>> Trying to add back the client:
>>
>> [root@client ~]# ipa-client-install --domain=domain --server=server
>> Autodiscovery of servers for failover cannot work with this configuration.
>> If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
>> Proceed with fixed values and no DNS discovery? [no]: yes
>> Hostname: server
>> Realm: realm
>> DNS Domain: domain
>> IPA Server: server
>> BaseDN: dc=baseDN
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admin
>> Synchronizing time with KDC...
>> Password for admin@realm:
>> Successfully retrieved CA cert
>>     Subject:     CN=Certificate Authority,O=realm
>>     Issuer:      CN=Certificate Authority,O=realm
>>     Valid From:  Sun Sep 21 20:42:12 2014 UTC
>>     Valid Until: Thu Sep 21 20:42:12 2034 UTC
>>
>> Joining realm failed: RPC failed at server. Certificate format error: [Errno -5925] error (-5925) unknown
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> Cheers,
>> Tim
>
> It could be related to this bug - https://bugzilla.redhat.com/show_bug.cgi?id=738456 - as I ran into an issue where I was getting an error (-5925); downgrading nss fixed it for me.
>
> Unless error 5925 applies to many things, in which case ignore me. :)

I think in this case a certificate (or something) is stored in LDAP that is unreadable by NSS. It would be handy to know what is in there so we can handle this more gracefully.

You'll probably need to use ldapsearch to get the entry since IPA is throwing up on it. Something like:

$ kinit admin
$ ldapsearch -Y GSSAPI -b fqdn=client.x.y.z,cn=computers,cn=accounts,dc=x,dc=y,dc=z

This should just be a public cert, but feel free to send this to me directly if you'd like.

To delete the value do something like:

$ ldapmodify -Y GSSAPI
dn: fqdn=client.x.y.z,cn=computers,cn=accounts,dc=x,dc=y,dc=z
changetype: modify
delete: userCertificate
^D

Then ipa host-del should work.

rob
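Rob's "look at what is in there before you delete it" step, as an added example that is not part of the thread or of FreeIPA. It takes the LDIF that the `ldapsearch -Y GSSAPI -b fqdn=client.x.y.z,...` above would print, base64-decodes each `userCertificate` value, checks that it is at least a well-formed DER Certificate (an outer SEQUENCE holding exactly tbsCertificate, signatureAlgorithm and signatureValue, with no trailing bytes) and, only if a value fails, emits the `ldapmodify` input Rob shows. The LDIF entry and the certificate bytes are constructed samples: the "good" value is structurally a Certificate but carries no real fields, and the "bad" value is a PEM block pasted into the binary attribute, one common way to end up with something NSS cannot parse.

```python
"""Check the userCertificate value on an IPA host entry before stripping it.

Added example, not FreeIPA code. The LDIF sample, the DER bytes and the
hostnames below are constructed for this example.
"""
import base64


def _read_tlv(buf, pos):
    """Parse one definite-length DER TLV at buf[pos:]; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated: no tag/length at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length (not DER)")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < (0x80 if n == 1 else 1 << (8 * (n - 1))):
            raise ValueError("non-minimal length encoding (not DER)")
    if pos + length > len(buf):
        raise ValueError("value runs past end of data (truncated blob?)")
    return tag, pos, pos + length


def certificate_problem(der):
    """Return None if `der` has the outer shape of an X.509 Certificate, else a description."""
    try:
        tag, start, end = _read_tlv(der, 0)
        if tag != 0x30:
            return "outer tag 0x%02x is not SEQUENCE (PEM text or garbage stored as binary?)" % tag
        if end != len(der):
            return "%d trailing bytes after the outer SEQUENCE" % (len(der) - end)
        tags, pos = [], start
        while pos < end:
            tag, _, pos = _read_tlv(der, pos)
            tags.append(tag)
    except ValueError as exc:
        return str(exc)
    if tags != [0x30, 0x30, 0x03]:
        return "expected SEQUENCE, SEQUENCE, BIT STRING inside Certificate, got %s" % (
            ["0x%02x" % t for t in tags])
    return None


def ldif_entry(text):
    """Minimal LDIF reader: unfold continuation lines, decode `::` base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        if line.startswith("dn: "):
            dn = line[4:]
            continue
        if ":: " in line:
            name, b64 = line.split(":: ", 1)
            value = base64.b64decode(b64)
        elif ": " in line:
            name, val = line.split(": ", 1)
            value = val.encode()
        else:
            continue
        attrs.setdefault(name.split(";")[0].lower(), []).append(value)   # drop ";binary"
    return dn, attrs


def delete_attribute_ldif(dn, attr="userCertificate"):
    """The ldapmodify input that removes every value of `attr` from `dn`."""
    return "dn: %s\nchangetype: modify\ndelete: %s\n-\n" % (dn, attr)


def audit_host_entry(ldif_text):
    """Report malformed userCertificate values; include the fix LDIF only when one is found."""
    dn, attrs = ldif_entry(ldif_text)
    problems = [(i, why) for i, value in enumerate(attrs.get("usercertificate", []))
                for why in [certificate_problem(value)] if why]
    return {"dn": dn, "problems": problems,
            "fix": delete_attribute_ldif(dn) if problems else None}


# --- constructed samples (not real data) ----------------------------------
# Structurally a Certificate: SEQUENCE { SEQUENCE{INTEGER 1}, SEQUENCE{NULL}, BIT STRING }.
GOOD_DER = bytes.fromhex("300d" "3003020101" "30020500" "03020000")
# A PEM block stored in the binary attribute: the first byte is '-', not 0x30.
BAD_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"


def _b64_attr(name, raw, width=60):
    """Render `name:: <base64>` folded the way ldapsearch prints long values."""
    b64 = base64.b64encode(raw).decode()
    return "%s:: %s" % (name, b64[:width]) + "".join(
        "\n " + b64[i:i + width] for i in range(width, len(b64), width))


SAMPLE_LDIF = "\n".join([
    "dn: fqdn=client.x.y.z,cn=computers,cn=accounts,dc=x,dc=y,dc=z",
    "objectClass: ipahost",
    "fqdn: client.x.y.z",
    _b64_attr("userCertificate;binary", BAD_PEM),
    "",
])

if __name__ == "__main__":
    report = audit_host_entry(SAMPLE_LDIF)
    for index, why in report["problems"]:
        print("userCertificate[%d]: %s" % (index, why))
    if report["fix"]:
        print("\nFeed this to `ldapmodify -Y GSSAPI`:\n" + report["fix"])
```

Pipe real `ldapsearch` output into `audit_host_entry` instead of `SAMPLE_LDIF` when you use this for an actual host. The structural check is deliberately shallow: it tells you whether NSS was handed a Certificate at all, which is what decides between "delete the attribute" and "investigate the certificate"; a value that passes it but still fails in IPA deserves a look with `openssl x509 -inform DER -noout -text` before you remove it.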