Re: [Freeipa-users] Excessive CPU usage by ns-slapd

2015-02-19 Thread Rich Megginson

On 02/19/2015 12:11 PM, Jim Richard wrote:
Hi Rich, here’s what all 4 of my IPA servers look like right now. You 
can see that SSO-107’s CPU usage is much higher than the other 3 and 
it spikes to over 100% often. And what I see over time is that the 
higher and higher cpu usage will happen between two of my four 
servers, one will drop off and the other increases and each time this 
cycle happens, the cpu usage on the one server that is spiking will 
get a little bit higher.


The two servers that show this behavior are SSO-107 and SSO-109.


SSO-107 is almost entirely idle except for 1 thread doing replication 
updates, and the poll thread.  There are 255 descriptors it is polling on.


SSO-109 is entirely idle except for the poll thread.  There are 230 
descriptors it is polling on.


You might try using top with the ns-slapd process and the 'H' (Threads 
mode) flag.  It would be very interesting to see the CPU usage breakdown 
by thread.


If it is indeed the poll thread that is consuming all of the cpu, 
there's not much that can be done.  CPU usage in the poll thread is a 
function of the number of connections, but since there is not much 
difference between 230 and 255, I would not expect a large CPU usage 
difference between 107 and 109 based solely on number of connections.


Are you seeing timeouts or application failures or poor performance that 
seems to be due to high CPU usage?  If so, and these are virtual 
machines, you might consider adding more virtual CPUs to give the server 
more processing power for the worker threads to compensate for 
monopolization by the poll thread.




I’ve attached some more detailed stack trace as well.









Here’s what my replication agreements look like:

[root@sso-107 (NY) ~]$ ipa-replica-manage list
sso-108.nym1.placeiq.net: master
sso-110.nym1.placeiq.net: master
sso-107.nym1.placeiq.net: master
sso-109.nym1.placeiq.net: master

[root@sso-107 (NY) ~]$ ipa-replica-manage list sso-107.nym1.placeiq.net
sso-108.nym1.placeiq.net: replica
sso-110.nym1.placeiq.net: replica

[root@sso-107 (NY) ~]$ ipa-replica-manage list sso-108.nym1.placeiq.net
sso-107.nym1.placeiq.net: replica
sso-109.nym1.placeiq.net: replica

[root@sso-107 (NY) ~]$ ipa-replica-manage list sso-109.nym1.placeiq.net
sso-108.nym1.placeiq.net: replica
sso-110.nym1.placeiq.net: replica

[root@sso-107 (NY) ~]$ ipa-replica-manage list sso-110.nym1.placeiq.net
sso-107.nym1.placeiq.net: replica
sso-109.nym1.placeiq.net: replica





SSO-107

top - 15:58:08 up 2 days, 10:00,  1 user,  load average: 0.00, 0.03, 0.06
Tasks:   1 total,   0 running,   1 sleeping,   0 stopped,   0 zombie
Cpu(s): 12.2%us,  1.1%sy,  0.0%ni, 86.7%id,  0.1%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   2952788k total,  2160216k used,   792572k free,   182584k buffers
Swap:  4094972k total,        0k used,  4094972k free,   678292k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
11615 dirsrv    20   0 2063m 843m  19m S 25.5 29.3 403:53.56 ns-slapd

[root@sso-107 (NY) /var/log/dirsrv/slapd-PLACEIQ-NET]$ ls -al /proc/`cat /var/run/dirsrv/slapd-PLACEIQ-NET.pid`/fd|grep socket|wc -l
245




SSO-108

top - 15:57:26 up 3 days, 17:25,  1 user,  load average: 0.03, 0.03, 0.00
Tasks:   1 total,   0 running,   1 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.3%us,  0.2%sy,  0.0%ni, 99.4%id,  0.1%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   2952788k total,  2200792k used,   751996k free,   182084k buffers
Swap:  4094972k total,        0k used,  4094972k free,   713848k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
24399 dirsrv    20   0 2055m 819m  19m S  0.8 28.4  54:48.53 ns-slapd

[root@sso-108 (NY) /var/log/dirsrv/slapd-PLACEIQ-NET]$ ls -al /proc/`cat /var/run/dirsrv/slapd-PLACEIQ-NET.pid`/fd|grep socket|wc -l
232




SSO-109

top - 16:00:05 up 4 days,  9:10,  1 user,  load average: 0.06, 0.32, 0.35
Tasks:   1 total,   0 running,   1 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.7%us,  0.3%sy,  0.0%ni, 98.9%id,  0.2%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   2952788k total,  2422572k used,   530216k free,   235472k buffers
Swap:  4094972k total,        0k used,  4094972k free,   906080k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
22522 dirsrv    20   0 2065m 772m  19m S  1.2 26.8 308:13.07 ns-slapd

[root@sso-109 (NY) ~]$ ls -al /proc/`cat /var/run/dirsrv/slapd-PLACEIQ-NET.pid`/fd|grep socket|wc -l
219





SSO-110

top - 16:07:54 up 14 days, 18:03,  1 
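Rich's suggestion above is to look at the per-thread breakdown (top's 'H' mode) rather than the process total, and Jim's check counts socket descriptors under /proc/<pid>/fd. The following is an added example, not code from this thread, from 389-ds or from FreeIPA, that does both straight from procfs so the numbers can be sampled at intervals and compared across servers: it reads utime+stime from each /proc/<pid>/task/<tid>/stat, ranks the threads by accumulated CPU, and counts descriptors whose link target is a socket. It assumes Linux procfs; the PID 11615 and the stat lines in the comments are constructed samples.

```python
"""Per-thread CPU and socket-descriptor count for one process, from /proc.

Added example for the ns-slapd CPU thread; not 389-ds or FreeIPA code.
Assumes Linux procfs. PID and stat lines used as samples are constructed.
"""
import os
import sys


def parse_stat_line(line):
    """Parse one /proc/<pid>/stat or /proc/<pid>/task/<tid>/stat line.

    Returns (comm, state, cpu_ticks) with cpu_ticks = utime + stime.
    comm may contain spaces or parentheses, so split on the last ')'
    instead of on whitespace. Constructed sample:
      "11615 (ns-slapd) S 1 11615 11615 0 -1 4202496 100 0 0 0 1500 300 ..."
    gives ("ns-slapd", "S", 1800).
    """
    head, _, rest = line.rstrip("\n").rpartition(")")
    comm = head.split("(", 1)[1]
    fields = rest.split()
    # fields[0] is state; utime and stime are the 14th and 15th fields of
    # the whole line, i.e. indices 11 and 12 once pid and comm are removed.
    state = fields[0]
    cpu_ticks = int(fields[11]) + int(fields[12])
    return comm, state, cpu_ticks


def thread_cpu(pid):
    """Return [(tid, comm, cpu_ticks)] for every thread of pid, busiest first."""
    task_dir = "/proc/%d/task" % pid
    rows = []
    for tid in os.listdir(task_dir):
        try:
            with open("%s/%s/stat" % (task_dir, tid)) as fh:
                comm, _state, ticks = parse_stat_line(fh.read())
        except OSError:
            continue  # thread exited between listdir() and open()
        rows.append((int(tid), comm, ticks))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def count_socket_fds(pid):
    """Same count as 'ls -al /proc/<pid>/fd | grep socket | wc -l'."""
    fd_dir = "/proc/%d/fd" % pid
    n = 0
    for fd in os.listdir(fd_dir):
        try:
            target = os.readlink("%s/%s" % (fd_dir, fd))
        except OSError:
            continue  # descriptor closed meanwhile
        if target.startswith("socket:"):
            n += 1
    return n


def cpu_share(rows):
    """Fraction of the process's accumulated CPU held by each thread."""
    total = sum(r[2] for r in rows) or 1
    return [(tid, comm, ticks / total) for tid, comm, ticks in rows]


if __name__ == "__main__":
    # Usage: python thread_cpu.py <pid>   (defaults to this process)
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    try:
        clk_tck = os.sysconf("SC_CLK_TCK")
    except (AttributeError, ValueError):
        clk_tck = 100
    rows = thread_cpu(pid)
    print("pid %d: %d threads, %d socket fds" % (pid, len(rows), count_socket_fds(pid)))
    for (tid, comm, share), (_, _, ticks) in zip(cpu_share(rows)[:10], rows[:10]):
        print("  tid %-7d %-16s %8.1fs CPU  %5.1f%% of process" %
              (tid, comm, ticks / clk_tck, 100 * share))
```

Run it twice a few minutes apart against the ns-slapd PID and diff the per-thread tick counts: a single thread whose ticks grow while the rest stay flat is the one top shows at the top in 'H' mode, and the socket count alongside it says whether the growth tracks connection count or not.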

Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7

2015-02-19 Thread Jim Richard
Hey guys, for what it’s worth, I spent a couple weeks working with Endi Sukma 
Dewata (edew...@redhat.com) on the thread "Re: [Freeipa-users] Redhat/Centos iDM 
3.0 to 3.1 upgrade fail".

Unfortunately my post subject was not accurate but in fact, I was attempting 
the exact same thing and seeing the exact same error. The main LDAP instance 
would come up ok but upon attempting to migrate the PKI stuff with the new ldap 
schema etc, it just fails…


In the end we couldn’t figure it out, basically had to just give up. 

Maybe one of you could reach out to Endi and he could share some insights. 

I’d love to be able to make this work as well but as of now it looks like my 
only option if I want to upgrade to version 3.3/Centos 7 is well, there is no 
option….

I’d be happy to share or help in any way.



Jim Richard  |  PlaceIQ http://www.placeiq.com  |  Systems Administrator  |  
jrich...@placeiq.com  |  +1 (646) 338-8905



 On Feb 19, 2015, at 11:37 AM, Jani West jw...@iki.fi wrote:
 
 Hi,
 
 How can I check the cert and test it?
 
 I did curl -v -k https://xxx/ca/admin/ca/getDomainXML
 
 According to that the cert has plenty of time left.
 
 On the other hand,
 https://xxx/ca/admin/ca/updateDomainXML is giving the same cert but also 
 HTTP 404.
 
 On 02/19/2015 06:22 PM, Martin Kosek wrote:
 On 02/19/2015 05:14 PM, Dmitri Pal wrote:
 On 02/19/2015 10:07 AM, Jani West wrote:
 Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with
 FreeIPA 3.3.3-28 by using replication.
 
 I have prepared the replication file and moved it to the new replica server.
 Configured firewalld and installed IPA and other needed packages via 
 yum.
 
 When running ipa-replica-install --setup-ca -d the installation always
 gets stuck on:
 
 --
 Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
 seconds
 [2/19]: configuring certificate server instance
 ipa         : DEBUG    Starting external process
 ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
 ipa         : DEBUG    Process finished, return code=1
 ipa         : DEBUG    stdout=Loading deployment configuration from
 /tmp/tmpHJBhR5.
 Installing CA into /var/lib/pki/pki-tomcat.
 Storing deployment configuration into
 /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
 Installation failed.
 
 
 ipa         : DEBUG    stderr=pkispawn    : WARNING  ... unable to
 validate security domain user/password through REST interface. Interface 
 not available
 pkispawn    : ERROR    ... Exception from Java Configuration Servlet:
 Error while updating security domain: java.io.IOException:
 java.io.IOException: SocketException cannot read on socket
 
 ipa         : CRITICAL failed to configure ca instance Command
 '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 
 1
 --
 
 Between the attempts I have cleaned up the ipa and pki configurations and
 deleted the old replication agreement.
 
 
 Apache logs on the old CentOS 6 server have these errors.
 --
 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST
 /ca/admin/ca/getDomainXML HTTP/1.0 200 1158
 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST
 /ca/admin/ca/updateDomainXML HTTP/1.0 404 -
 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST
 /ca/agent/ca/updateDomainXML HTTP/1.0 403 323
 [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
 [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has
 expired
 [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not
 accepted by client!?
 --
 
 Which certificate does this mean? ca.crt has more than five years left.
 
 Clocks are synced, /ca/admin/ca/updateDomainXML can be found in
 ipa-pki-proxy.conf and there is no obvious reason. Any hints?
 
 Are CA ports accessible on your master? Can you check your FW please?
 
 
 This line makes me think that expired certs may be involved:
 
 [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has
 expired
 
 CCing JanCh who has the best context in this area.
 
 
 
 -- 
 -- Jani West  --  jw...@iki.fi  -- +358 40 5010914 --
 -- Liinalahdentie 4  -- 01800 KLAUKKALA -- FINLAND --
 
 I would like Finland to be much more multicultural.
 Many people come here from elsewhere, but they are not given
 enough visibility. Somehow we keep them behind the curtains.
 It is important that Finland becomes open and tolerant.
 A closed way of thinking is Finland's problem. Perhaps we
 fear demonstrations like those there have been in the suburbs
 of Sweden, and that something terrible will happen.
 People do not understand that immigrants can bring
 

[Freeipa-users] How to remove an offline replica?

2015-02-19 Thread Thomas Raehalme
Hi!

I have a replica which is offline, and I'd like to remove it (to be later
replaced).

When trying to remove the replica with ipa-replica-manage according to the
instructions on the wiki, I get an error about inaccessible LDAP server:

# ipa-replica-manage del ipa-1.example.com
Connection to 'ipa-1.example.com' failed: Can't contact LDAP server
Unable to delete replica 'ipa-1.example.com'

ipa-1.example.com is the IPA replica and I am executing the command on IPA
master.

I also tried disconnect, but the result was the same:

# ipa-replica-manage disconnect ipa-1.example.com
Failed to get list of agreements from 'ipa-1.example.com': Can't contact
LDAP server

Does anyone have a hint on how to get the replica removed? I'm running
ipa-server-3.0.0-42 on CentOS 6.6.

Thanks!

Best regards,
Thomas
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] How to remove an offline replica?

2015-02-19 Thread Rob Crittenden
Thomas Raehalme wrote:
 Hi!
 
 I have a replica which is offline, and I'd like to remove it (to be
 later replaced).
 
 When trying to remove the replica with ipa-replica-manage according to
 the instructions on the wiki, I get an error about inaccessible LDAP server:
 
 # ipa-replica-manage del ipa-1.example.com
 Connection to 'ipa-1.example.com' failed: Can't contact LDAP server
 Unable to delete replica 'ipa-1.example.com'
 
 ipa-1.example.com is the IPA replica and I am executing the command on
 IPA master.
 
 I also tried disconnect, but the result was the same:
 
 # ipa-replica-manage disconnect ipa-1.example.com
 Failed to get list of agreements from 'ipa-1.example.com': Can't contact
 LDAP server
 
 Does anyone have a hint on how to get the replica removed? I'm running
 ipa-server-3.0.0-42 on CentOS 6.6.

Add the --force flag.

rob



Re: [Freeipa-users] How to remove an offline replica?

2015-02-19 Thread Thomas Raehalme
On Thu, Feb 19, 2015 at 9:41 PM, Thomas Raehalme 
thomas.raeha...@codecenter.fi wrote:

 # ipa-replica-manage del ipa-1.example.com
 Connection to 'ipa-1.example.com' failed: Can't contact LDAP server
 Unable to delete replica 'ipa-1.example.com'


And right after posting I found the --force command-line parameter which
did the trick!

Best regards,
Thomas

Re: [Freeipa-users] FreeIPA and Application Specific Passwords

2015-02-19 Thread Jan Pazdziora
On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:
 
 Except where we don't want single sign on, and separate passwords are
 advantageous or even required:
 
  - Web logins

Could you elaborate on the use cases when you'd want your users to log
in using their passwords on a Web login, instead of using SSO, be it
Kerberos or SAML? Is that purely the application not supporting it,
or are there some other reasons (you say "we don't want single sign
on", which sounds like a political or compliance issue, not a technical
one)?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] FreeIPA and Application Specific Passwords

2015-02-19 Thread Petr Spacek
On 19.2.2015 02:47, Steven Jones wrote:
 Hi,
 
 There is always a tradeoff between ease of use, complexity/cost and security. 
  Looking at what you have written suggests to me that your entire system 
 lacks a proper security / network architecture model and you are trying to 
 enforce a policy from one point, IPA.  
 
 regards
 
 Steven
 
 From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on 
 behalf of Martin Minkus martin.min...@sonic.com
 Sent: Thursday, 19 February 2015 1:06 p.m.
 To: freeipa-users@redhat.com
 Subject: [Freeipa-users] FreeIPA and Application Specific Passwords
 
 Hello all,
 
 Am wondering what support FreeIPA has for Application Specific
 Passwords? My research seems to indicate 'none'. I've seen quite a few
 people ask about this, usually the example is wanting a separate
 password for dovecot etc.
 
 Google itself implemented this, allowing multiple passwords for imap
 accounts in gmail so that a stolen phone or ipad doesn't give the thief
 complete unfettered access to the entire google account. The single
 password can be easily changed or locked out and even if it is not, it
 only has access to email.
 
 I work for an organisation and we are looking at standardising on
 FreeIPA for all our single sign on and auth requirements.
 
 Except where we don't want single sign on, and separate passwords are
 advantageous or even required:
 
  - Web logins

If I understand correctly, your biggest worry is that somebody will steal user
credentials via web form, right?

IMHO the best option is to get rid of passwords in web apps completely and use
true single-sign-on. The simplest thing may be just to use mod_auth_kerb and
put the application behind Kerberos but more complex/flexible/fancy approaches
are possible too, see
http://www.freeipa.org/page/Web_App_Authentication

This is 'The Approach' we are trying to pursue in FreeIPA project -
authenticate only once (when logging in to a machine) and never type password
again. This allows you to use two-factor authentication without apps knowing
about it etc.

An alternative is to use SAML/OpenID/other web technology to tie web apps to a
web-based authentication portal, which may allow SSO from Kerberos (without
mod_auth_kerb) or simply provide a single trusted place to log in from a web form.

I hope Jan or Simo can correct my misunderstandings and add more details.

Have a nice day!

Petr^2 Spacek

  - VPN logins
  - Tacacs
 
 I'm assuming it's somewhat understandable to want to keep web logins
 separate - web sites are notoriously insecure, and we wouldn't want an
 employee's web login getting stolen/phished/etc giving an attacker vpn
 access, kerberos/ldap access to all our linux servers, and tacacs access
 to network infrastructure.
 
 The solution I've seen suggested to others that have asked about FreeIPA
 or OpenLDAP and Application Specific Passwords seems to be: Just create
 a separate user login for each application.
 
 Messy, but sure.
 
 I also see we could extend the schema and add in extra fields like
 webPassword and vpnPassword, but we'd have to maintain those
 fields/enforce complexity and length requirements/password expiry
 ourselves which is less than ideal.
 
 Or the final option might just be to run separate ldap instances for
 each application, so the username stays the same group membership is
 application specific in each ldap instance, and it gives us the password
 separation we desire. Also, most users don't need tacacs access or vpn
 access, though most(all) users will need web application access.
 
 Anyway. I'm wondering if there are any other potential options that I
 have missed? Or some better way we should be going about this?
 
 Yeah, we should probably trust our employees with their passwords more
 but apparently that is not the case.
 
 Thanks,
 Martin.
 
 


-- 
Petr^2 Spacek



Re: [Freeipa-users] FreeIPA and Application Specific Passwords

2015-02-19 Thread Martin Kosek
On 02/19/2015 01:06 AM, Martin Minkus wrote:
 Hello all,
 
 Am wondering what support FreeIPA has for Application Specific
 Passwords? My research seems to indicate 'none'. I've seen quite a few
 people ask about this, usually the example is wanting a separate
 password for dovecot etc.
 
 Google itself implemented this, allowing multiple passwords for imap
 accounts in gmail so that a stolen phone or ipad doesn't give the thief
 complete unfettered access to the entire google account. The single
 password can be easily changed or locked out and even if it is not, it
 only has access to email.
 
 I work for an organisation and we are looking at standardising on
 FreeIPA for all our single sign on and auth requirements.
 
 Except where we don't want single sign on, and separate passwords are
 advantageous or even required:
 
  - Web logins
  - VPN logins
  - Tacacs
 
 I'm assuming it's somewhat understandable to want to keep web logins
 separate - web sites are notoriously insecure, and we wouldn't want an
 employee's web login getting stolen/phished/etc giving an attacker vpn
 access, kerberos/ldap access to all our linux servers, and tacacs access
 to network infrastructure.

I am not sure what exactly the fear is here. If the FreeIPA Web Authentication
modules are used (http://www.freeipa.org/page/Web_App_Authentication), the user
credentials are not stored on the web server; they go straight to SSSD, where
the user gets authenticated against the remote LDAP (FreeIPA/AD). Alternatively, you
could also set up SAML with mod_auth_mellon and Ipsilon to get a federated
login where the web app would never get to see the actual password.

 The solution I've seen suggested to others that have asked about FreeIPA
 or OpenLDAP and Application Specific Passwords seems to be: Just create
 a separate user login for each application.
 
 Messy, but sure.
 
 I also see we could extend the schema and add in extra fields like
 webPassword and vpnPassword, but we'd have to maintain those
 fields/enforce complexity and length requirements/password expiry
 ourselves which is less than ideal.
 
 Or the final option might just be to run separate ldap instances for
 each application, so the username stays the same group membership is
 application specific in each ldap instance, and it gives us the password
 separation we desire. Also, most users don't need tacacs access or vpn
 access, though most(all) users will need web application access.
 
 Anyway. I'm wondering if there are any other potential options that I
 have missed? Or some better way we should be going about this?
 
 Yeah, we should probably trust our employees with their passwords more
 but apparently that is not the case.
 
 Thanks,
 Martin.

I think we have exactly this request tracked:
https://fedorahosted.org/freeipa/ticket/4510

It already contains long discussion on the topics with some ideas. We still
miss the horsepower to actually add support for it though.

Martin



Re: [Freeipa-users] New Replacing Master server help

2015-02-19 Thread Martin Kosek
On 02/18/2015 07:46 PM, Dmitri Pal wrote:
 On 02/18/2015 12:17 PM, Cory Carlton wrote:
 Hey all.

  We are in the process of essentially moving data centers while additionally
 changing to a new OS (RHEL from CentOS), so we are building replica-with-master
 option servers on the new networks.  Version 3.0. It's up and is working like
 any of our instances.

 Question is how or what do I need to bring over on the new install -replica
 master(s) to ensure we have all the Original master server information, keys,
 crt's, CA etc. before we can shut it down for ever (+ a snapshot ;) )

 we have struggled understanding exactly what to back up since the 3.0 version
 is lacking backup scripts.


 a thought, but not timely present would be to upgrade everything in place
 then migrate, again not timed right for us.

 Thanks in advance.

 Cory



 
 You need to make sure that at least one of the new replicas (better two) acts
 as an IPA CA.
 You need to move CRL generation to one of the new replicas that are CAs
 You need to move the certificate tracking from the old master to the new
 replica with CA.
 
 After that you can decommission old master.
 
 All these procedures are documented on the wiki and RHEL docs. You can also
 find some hints in these archives.
 
 Martin, do you think we need a combined wiki page that covers this use case or
 we already have something like this?

I think we are already well set. This is the upstream page:

http://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform_or_OS

This is the downstream documentation, mostly targeted at RHEL-6.x to RHEL-7.0
migration, but also applicable to your use case:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

Martin



[Freeipa-users] ipa-getcert list fails to report correctly

2015-02-19 Thread Les Stott
Hi all,

The following is blocking the ability for me to install a CA replica.

Environment:
RHEL 6.6
IPA 3.0.0-42
PKI 9.0.3-38

On the master the following is happening:

ipa-getcert list
Number of certificates and requests being tracked: 5.

(but it shows no certificate details in the output)

Running getcert list shows complete output.

Also, when trying to browse https://master.mydomain.com/ca/ee/ca/getCertChain I 
get a failed response. The apache error logs on the master show

[Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL client cannot 
verify your certificate

The reason I am trying to browse that address is because that's what the 
ipa-ca-install setup is failing at (it complains that the CA certificate is not 
in proper format; in fact it's not able to get it at all).

I know from another working ipa setup that browsing to the above address 
provides valid xml content and ipa-getcert list shows certificate details and 
not just the number of tracked certificates.

Been trying for a long time to figure out the issues without luck.

I would greatly appreciate any help to troubleshoot and resolve the above 
issues.

Regards,

Les



Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7

2015-02-19 Thread Dmitri Pal

On 02/19/2015 10:07 AM, Jani West wrote:
Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 
with FreeIPA 3.3.3-28 by using replication.


I have prepared the replication file and moved it to the new replica 
server. Configured firewalld and installed IPA and other needed 
packages via yum.


When running ipa-replica-install --setup-ca -d the installation 
always gets stuck on:


--
Configuring certificate server (pki-tomcatd): Estimated time 3 
minutes 30 seconds

[2/19]: configuring certificate server instance
ipa         : DEBUG    Starting external process
ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
ipa         : DEBUG    Process finished, return code=1
ipa         : DEBUG    stdout=Loading deployment configuration from 
/tmp/tmpHJBhR5.

Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into 
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


ipa         : DEBUG    stderr=pkispawn    : WARNING  ... unable to 
validate security domain user/password through REST interface. 
Interface not available
pkispawn    : ERROR    ... Exception from Java Configuration 
Servlet: Error while updating security domain: java.io.IOException: 
java.io.IOException: SocketException cannot read on socket


ipa         : CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit 
status 1

--

Between the attempts I have cleaned up the ipa and pki configurations and 
deleted the old replication agreement.



Apache logs on the old CentOS 6 server have these errors.
--
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST 
/ca/admin/ca/getDomainXML HTTP/1.0 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST 
/ca/admin/ca/updateDomainXML HTTP/1.0 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST 
/ca/agent/ca/updateDomainXML HTTP/1.0 403 323

[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 
Certificate has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: 
Not accepted by client!?

--

Which certificate does this mean? ca.crt has more than five years left.

Clocks are synced, /ca/admin/ca/updateDomainXML can be found in 
ipa-pki-proxy.conf and there is no obvious reason. Any hints?


Are CA ports accessible on your master? Can you check your FW please?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] FreeIPA and Application Specific Passwords

2015-02-19 Thread Martin Kosek
On 02/19/2015 05:23 PM, Dmitri Pal wrote:
 On 02/19/2015 05:06 AM, Jan Pazdziora wrote:
 On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:
 Except where we don't want single sign on, and separate passwords are
 advantageous or even required:

   - Web logins
 Could you elaborate on the use cases when you'd want your users to log
 in using their passwords on a Web login, instead of using SSO, be it
 Kerberos or SAML? Is that purely the application not supporting it
 or are there some other reasons (you say we don't want single sign
 on which sounds like a political or compliance issue, not technical
 one).

 IMO the case is:
 I have a phone and a tablet and a laptop.
 I do not want to use one password for all three.
 On the phone and tablet people save their passwords so I do not want to have
 same password cached on all devices. I want to have a password per device.
 
 IMO the way to go is certs rather than passwords.

Certs would certainly help in this case. However, the UX would need to be
really good in order to beat saved password in GMail style, IMO.

 We are not there yet but with upcoming changes we will get much closer.
 



Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7

2015-02-19 Thread Jani West

Hi,

How can I check the cert and test it?

I did curl -v -k https://xxx/ca/admin/ca/getDomainXML

According to that the cert has plenty of time left.

On the other hand,
https://xxx/ca/admin/ca/updateDomainXML is giving the same cert but 
also HTTP 404.


On 02/19/2015 06:22 PM, Martin Kosek wrote:

On 02/19/2015 05:14 PM, Dmitri Pal wrote:

On 02/19/2015 10:07 AM, Jani West wrote:

Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with
FreeIPA 3.3.3-28 by using replication.

I have prepared the replication file and moved it to the new replica server.
Configured firewalld and installed IPA and other needed packages via yum.

When running ipa-replica-install --setup-ca -d the installation always
gets stuck on:

--
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
seconds
[2/19]: configuring certificate server instance
ipa         : DEBUG    Starting external process
ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
ipa         : DEBUG    Process finished, return code=1
ipa         : DEBUG    stdout=Loading deployment configuration from
/tmp/tmpHJBhR5.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.


ipa         : DEBUG    stderr=pkispawn    : WARNING  ... unable to
validate security domain user/password through REST interface. Interface not
available
pkispawn    : ERROR    ... Exception from Java Configuration Servlet:
Error while updating security domain: java.io.IOException:
java.io.IOException: SocketException cannot read on socket

ipa         : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1
--

Between the attempts I have cleaned up the ipa and pki configurations and
deleted the old replication agreement.


Apache logs on the old CentOS 6 server have these errors.
--
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST
/ca/admin/ca/getDomainXML HTTP/1.0 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST
/ca/admin/ca/updateDomainXML HTTP/1.0 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST
/ca/agent/ca/updateDomainXML HTTP/1.0 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has
expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not
accepted by client!?
--

Which certificate does this mean? ca.crt has more than five years left.

Clocks are synced, /ca/admin/ca/updateDomainXML can be found in
ipa-pki-proxy.conf and there is no obvious reason. Any hints?


Are CA ports accessible on your master? Can you check your FW please?



This line makes me think that expired certs may be involved:

[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has
expired

CCing JanCh who has the best context in this area.




--
-- Jani West  --  jw...@iki.fi  -- +358 40 5010914 --
-- Liinalahdentie 4  -- 01800 KLAUKKALA -- FINLAND --

I would like Finland to be much more multicultural.
Many people come here from elsewhere, but they are not given
enough visibility. Somehow we keep them behind the curtains.
It is important that Finland becomes open and tolerant.
A closed way of thinking is Finland's problem. Perhaps we
fear demonstrations like those there have been in the suburbs
of Sweden, and that something terrible will happen.
People do not understand that immigrants can also bring
a lot of good to Finland. I would hope the government would
listen to the whole nation, including those who come from
different cultures. The government should fund and support
the internationalization of Finland more. Parliament, too,
could listen to immigrants more.

HS 8.6.2013: Essi, 16, Etu-Töölö upper secondary school.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


[Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7

2015-02-19 Thread Jani West
Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 
with FreeIPA 3.3.3-28 by using replication.


I have prepared replication file and moved it to the new replica server. 
Configured the firewalld and installed Ipa and other needed packages via 
yum.


When running ipa-replica-install --setup-ca -d the installation will 
always get stuck on:


--
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 
30 seconds

[2/19]: configuring certificate server instance
ipa : DEBUGStarting external process
ipa : DEBUGargs=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
ipa : DEBUGProcess finished, return code=1
ipa : DEBUGstdout=Loading deployment configuration from 
/tmp/tmpHJBhR5.

Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into 
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


ipa : DEBUGstderr=pkispawn: WARNING  ... unable to 
validate security domain user/password through REST interface. Interface 
not available
pkispawn: ERROR... Exception from Java Configuration 
Servlet: Error while updating security domain: java.io.IOException: 
java.io.IOException: SocketException cannot read on socket


ipa : CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1

--

Between the attempts I have cleaned up ipa and pki configurations and 
deleted the old replication agreement.



Apache logs on old CentOS 6 server have these errors.
--
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST 
/ca/admin/ca/getDomainXML HTTP/1.0 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST 
/ca/admin/ca/updateDomainXML HTTP/1.0 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST 
/ca/agent/ca/updateDomainXML HTTP/1.0 403 323

[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate 
has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not 
accepted by client!?

--

Which certificate does this mean? ca.crt has more than five years left.

Clocks are synced, /ca/admin/ca/updateDomainXML can be found in 
ipa-pki-proxy.conf and there is no obvious reason. Any hints?

--
-- Jani West



Re: [Freeipa-users] FreeIPA and Application Specific Passwords

2015-02-19 Thread Dmitri Pal

On 02/19/2015 11:29 AM, Martin Kosek wrote:

On 02/19/2015 05:23 PM, Dmitri Pal wrote:

On 02/19/2015 05:06 AM, Jan Pazdziora wrote:

On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:

Except where we don't want single sign on, and separate passwords are
advantageous or even required:

   - Web logins

Could you elaborate on the use cases when you'd want your users to log
in using their passwords on a Web login, instead of using SSO, be it
Kerberos or SAML? Is that purely the application not supporting it
or are there some other reasons (you say we don't want single sign
on which sounds like a political or compliance issue, not technical
one).


IMO the case is:
I have a phone and a tablet and a laptop.
I do not want to use one password for all three.
On the phone and tablet people save their passwords so I do not want to have
same password cached on all devices. I want to have a password per device.

IMO the way to go is certs rather than passwords.

Certs would certainly help in this case. However, the UX would need to be
really good in order to beat saved password in GMail style, IMO.


I imagine Ipsilon based SSO when Ipsilon can make a decision which 
assertions to issue depending on the cert you have.





We are not there yet but with upcoming changes we will get much closer.




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] FreeIPA and Application Specific Passwords

2015-02-19 Thread Dmitri Pal

On 02/19/2015 05:06 AM, Jan Pazdziora wrote:

On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:

Except where we don't want single sign on, and separate passwords are
advantageous or even required:

  - Web logins

Could you elaborate on the use cases when you'd want your users to log
in using their passwords on a Web login, instead of using SSO, be it
Kerberos or SAML? Is that purely the application not supporting it
or are there some other reasons (you say we don't want single sign
on which sounds like a political or compliance issue, not technical
one).


IMO the case is:
I have a phone and a tablet and a laptop.
I do not want to use one password for all three.
On the phone and tablet people save their passwords so I do not want to 
have same password cached on all devices. I want to have a password per 
device.


IMO the way to go is certs rather than passwords.
We are not there yet but with upcoming changes we will get much closer.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7

2015-02-19 Thread Martin Kosek
On 02/19/2015 05:14 PM, Dmitri Pal wrote:
 On 02/19/2015 10:07 AM, Jani West wrote:
 Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with
 FreeIPA 3.3.3-28 by using replication.

 I have prepared replication file and moved it to the new replica server.
 Configured the firewalld and installed Ipa and other needed packages via yum.

 When running ipa-replica-install --setup-ca -d the installation will always
 get stuck on:

 --
 Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
 seconds
 [2/19]: configuring certificate server instance
 ipa : DEBUGStarting external process
 ipa : DEBUGargs=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
 ipa : DEBUGProcess finished, return code=1
 ipa : DEBUGstdout=Loading deployment configuration from
 /tmp/tmpHJBhR5.
 Installing CA into /var/lib/pki/pki-tomcat.
 Storing deployment configuration into
 /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
 Installation failed.


 ipa : DEBUGstderr=pkispawn: WARNING  ... unable to
 validate security domain user/password through REST interface. Interface not
 available
 pkispawn: ERROR... Exception from Java Configuration Servlet:
 Error while updating security domain: java.io.IOException:
 java.io.IOException: SocketException cannot read on socket

 ipa : CRITICAL failed to configure ca instance Command
 '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1
 --

 Between the attempts I have cleaned up ipa and pki configurations and
 deleted the old replication agreement.


 Apache logs on old CentOS 6 server have these errors.
 --
 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST
 /ca/admin/ca/getDomainXML HTTP/1.0 200 1158
 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST
 /ca/admin/ca/updateDomainXML HTTP/1.0 404 -
 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST
 /ca/agent/ca/updateDomainXML HTTP/1.0 403 323
 [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
 [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has
 expired
 [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not
 accepted by client!?
 --

 Which certificate does this mean? ca.crt has more than five years left.

 Clocks are synced, /ca/admin/ca/updateDomainXML can be found in
 ipa-pki-proxy.conf and there is no obvious reason. Any hints?
 
 Are CA ports accessible on your master? Can you check your FW please?
 

This line makes me think that expired certs may be involved:

[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has
expired

CCing JanCh who has the best context in this area.

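A way to act on the hint above (and on the advice given later in this thread to check whether the master's certificates have expired and whether certmonger still tracks them): an added example, not code from the FreeIPA project or from anyone in this thread. It parses the plain-text output of `getcert list`, one `Request ID` header per entry followed by indented `key: value` lines, and reports certificates that are expired at a reference time, no longer tracked, or stuck in renewal. The sample output, its nicknames and the reference time (the morning of the failed install) are constructed assumptions; on a real master you would pipe in the output of `getcert list` from the old server.

```python
"""Flag expired, untracked or stuck certificates in `getcert list` output.

Added example for this thread, not FreeIPA or certmonger code. The sample
output below is constructed; only the plain-text layout of `getcert list`
(one "Request ID" header per entry, then indented "key: value" lines)
is assumed.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample in the layout `getcert list` prints on an IPA master:
# one healthy certificate, one that has already expired, one that certmonger
# no longer tracks and whose renewal is stuck.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20130219120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-02-20 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20130219120001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=CA Subsystem,O=EXAMPLE.TEST
\texpires: 2015-02-01 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20130219120002':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2017-02-01 10:00:00 UTC
\ttrack: no
\tauto-renew: no
"""

# Reference time for the check: the morning of the failed replica install in
# the thread (an assumption, so the sample gives a deterministic report).
REPORT_TIME = datetime(2015, 2, 19, 9, 38, 44, tzinfo=timezone.utc)

ENTRY_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")


def parse_getcert_list(text):
    """Split `getcert list` output into one {field: value} dict per request."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            entries.append(current)
        elif current is not None and ":" in line:
            # Only the first colon separates the field name from its value;
            # values such as "expires: 2016-02-20 10:00:00 UTC" contain more.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return entries


def nickname(entry):
    """Human-readable name: the NSS nickname if present, else the request id."""
    m = re.search(r"nickname='([^']*)'", entry.get("certificate", ""))
    return m.group(1) if m else entry["request_id"]


def parse_expiry(value):
    """getcert prints expiry as e.g. '2016-02-20 10:00:00 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def find_problems(text, now):
    """Return (nickname, problem) pairs, in output order, for certificates that
    are expired at `now`, not tracked by certmonger, or stuck in renewal."""
    problems = []
    for entry in parse_getcert_list(text):
        name = nickname(entry)
        if "expires" in entry and parse_expiry(entry["expires"]) <= now:
            problems.append((name, "expired " + entry["expires"]))
        if entry.get("track") != "yes":
            problems.append((name, "not tracked by certmonger"))
        if entry.get("stuck") == "yes":
            problems.append((name, "renewal stuck (status %s)" % entry.get("status", "?")))
    return problems


if __name__ == "__main__":
    # Pipe real output in (`getcert list | python3 check_certs.py`) or run
    # without input to see the report for the constructed sample.
    piped = not sys.stdin.isatty()
    text = sys.stdin.read() if piped else SAMPLE_GETCERT_OUTPUT
    now = datetime.now(timezone.utc) if piped else REPORT_TIME
    found = find_problems(text, now)
    for name, problem in found:
        print("%-30s %s" % (name, problem))
    if not found:
        print("no expired, untracked or stuck certificates")
```

An expired subsystem or agent certificate in the CA's NSS database is exactly the kind of thing that makes the old master's mod_nss reject the handshake with error -8181 even though ca.crt itself is still valid, so the report is worth reading per nickname rather than just as a yes/no.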


Re: [Freeipa-users] question about Active Directory authentication

2015-02-19 Thread David Fitzgerald
Thanks for all the info. I think I will go the trust route with IPA 4.1 and see 
what happens (in a test environment first of course.)

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Steven Jones
Sent: Tuesday, February 17, 2015 6:25 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question about Active Directory authentication


Ok,



So with winsync I will have the 2000+ users in IPA.



Within IPA I have several high risk/impact groups of servers and many low.



For the low risk/impact servers and most desktops they can trust what AD tells 
them.  For the high risk/impact servers/applications we do not want to rely on 
AD for any authorisation so permissions for these will be isolated from AD 
inside IPA.  The idea is if we lose AD or IPA we should not lose both via any 
cross-linking.



regards

Steven


From: freeipa-users-boun...@redhat.com on behalf of Dmitri Pal d...@redhat.com
Sent: Wednesday, 18 February 2015 11:51 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question about Active Directory authentication

On 02/17/2015 05:21 PM, Steven Jones wrote:





***maybe***



c) You might be able to do both winsync and trusts at the same time then that 
is simpler provisioning. ie a user gets created in AD and automatically gets 
created in IPA ready for you to put in the user group you want.

I am not sure this is the best solution really.
Trust and sync do not help each other. The fact that you have trust does not 
help you to provision users the way you describe.


8--

They achieve different things.   How otherwise do I get 2000+ AD users into 
IPA?   To me winsync allows automated provisioning of users into IPA via AD, 
this greatly reduces manual effort.

That I get. I do not understand how trust helps you in this case.


--

Thank you,

Dmitri Pal



Sr. Engineering Manager IdM portfolio

Red Hat, Inc.

[Freeipa-users] WebUI authentication problems

2015-02-19 Thread Dan Mossor
I just installed a new server on Fedora 21 Server, using the rolekit 
deployment tool. Everything was installed and configured (I hope) 
properly, but I'm running into a problem. The version is 
freeipa-server-4.1.2-1.fc21.x86_64, and I can connect to the WebUI only 
after a restart of ipa.service.


After approximately 15 minutes, I am kicked out of the active session - 
while in the middle of using it - and cannot log back in. Login was 
attempted from 4 browsers across two machines, and every time the login 
screen returns with Your session has expired. Please re-login.


/var/log/httpd/errors is showing the following:
[Fri Feb 20 00:37:03.972736 2015] [auth_kerb:error] [pid 1158] [client 
10.1.0.15:54958] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.300510 2015] [auth_kerb:error] [pid 1173] [client 
10.1.0.15:54961] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.406615 2015] [auth_kerb:error] [pid 1616] [client 
10.1.0.15:54965] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:50.356014 2015] [auth_kerb:error] [pid 1161] [client 
10.1.0.15:54966] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:52.263088 2015] [auth_kerb:error] [pid 1417] [client 
10.1.0.15:54968] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:52.327075 2015] [auth_kerb:error] [pid 1168] [client 
10.1.0.15:54967] gss_accept_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information (, ASN.1 structure is 
missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173] [client 
10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported 
mechanism was requested (, Unknown error), referer: 
https://vader.dom.net/ipa/ui/


Restarting httpd, I can log in, and am immediately logged out again with 
the above errors.


Restarting ipa.service, I was able to log in with my user account, and 
was notified that my password expires in 0 days - even though it was 
just created less than an hour ago.


Is this a known issue, or is there a hidden problem with the rolekit 
deployment that I need to track down?




--
Dan Mossor, RHCSA
Systems Engineer at Large
Fedora Plasma Product WG | Fedora QA Team | Fedora Server WG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
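
As an added example (not part of Dan's post and not FreeIPA code), a small summariser for the mod_auth_kerb lines quoted above: it parses the Apache 2.4 error-log layout, keeps only `auth_kerb` errors, and counts `gss_accept_sec_context()` failures per client address and failure reason, which separates the repeated ASN.1 failures from one client from the single unsupported-mechanism failure from another. The embedded log lines are a constructed subset modelled on the ones in the post; the `vader.dom.net` referer is taken from the post.

```python
"""Summarise mod_auth_kerb GSSAPI failures from an Apache 2.4 error log.

Added example for this thread, not FreeIPA code. The log lines below are a
constructed subset in the layout quoted in the post.
"""
import re
from collections import Counter

# Constructed sample: two ASN.1 failures from one client, one unsupported
# mechanism failure from another, and an unrelated core notice.
SAMPLE_ERROR_LOG = """\
[Fri Feb 20 00:37:03.972736 2015] [auth_kerb:error] [pid 1158] [client 10.1.0.15:54958] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, ASN.1 structure is missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.300510 2015] [auth_kerb:error] [pid 1173] [client 10.1.0.15:54961] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, ASN.1 structure is missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173] [client 10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error), referer: https://vader.dom.net/ipa/ui/
[Fri Feb 20 00:46:01.000000 2015] [core:notice] [pid 1100] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
"""

# Apache 2.4 error-log layout: [timestamp] [module:level] [pid N] [client IP:port] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] \[pid (?P<pid>\d+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)

# Both message shapes seen in the post: "major.  Minor code may provide more
# information (, minor)" and the shorter "major (, minor)".
GSS_RE = re.compile(
    r"gss_accept_sec_context\(\) failed: (?P<major>.*?)\.?"
    r"(?:\s+Minor code may provide more information)?\s*\(, (?P<minor>[^)]*)\)"
)


def parse_error_log(text):
    """One dict per parseable line; lines in another layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize_gss_failures(text):
    """Count gss_accept_sec_context() failures per (client IP, major, minor)."""
    counts = Counter()
    for ev in parse_error_log(text):
        if ev["module"] != "auth_kerb" or ev["level"] != "error":
            continue
        g = GSS_RE.search(ev["msg"])
        if not g:
            continue
        client = ev["client"] or "-"
        ip = client.rsplit(":", 1)[0]  # drop the ephemeral source port
        counts[(ip, g.group("major"), g.group("minor"))] += 1
    return counts


if __name__ == "__main__":
    for (ip, major, minor), n in summarize_gss_failures(SAMPLE_ERROR_LOG).most_common():
        print("%3d  %-12s %s / %s" % (n, ip, major, minor))
```

Grouping by the GSS minor status is the useful part: a run of "ASN.1 structure is missing a required field" from one client points at a malformed or stale ticket on that client, while "An unsupported mechanism was requested" is a negotiation problem and should be looked at separately.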



Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7

2015-02-19 Thread Dmitri Pal

On 02/19/2015 02:54 PM, Jim Richard wrote:
Hey guys, for what it's worth, I spent a couple weeks working with 
Endi Sukma Dewata, edew...@redhat.com, 
Re: [Freeipa-users] Redhat/Centos iDM 3.0 to 3.1 upgrade fail.


Unfortunately my post subject was not accurate but in fact, I was 
attempting the exact same thing and seeing the exact same error. The 
main LDAP instance would come up ok but upon attempting to migrate the 
PKI stuff with the new ldap schema etc, it just fails...




If you have been gradually upgrading it might very well be that you are 
hitting some of the earlier bugs related to cert tracking.
The page can help you with troubleshooting 
http://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_certificates
You need to see whether the certs on the master have expired and whether 
they are now properly tracked.
Rob is this the right way of checking the cert validity (see previous 
mail in the thread)?





In the end we couldn't figure it out, basically had to just give up.

Maybe one of you could reach out to Endi and he could share some 
insights.


I'd love to be able to make this work as well but as of now it looks 
like my only option if I want to upgrade to version 3.3/Centos 7 is 
well, there is no option


I'd be happy to share or help in any way.


Jim Richard | PlaceIQ | Systems Administrator | jrich...@placeiq.com | +1 (646) 338-8905





On Feb 19, 2015, at 11:37 AM, Jani West jw...@iki.fi wrote:


Hi,

How can I check the cert and test?

I did curl -v -k https://xxx/ca/admin/ca/getDomainXML

According to that the cert have plenty of time left.

On the other hand
https://xxx/ca/admin/ca/updateDomainXML is giving the same cert 
but also http 404.


On 02/19/2015 06:22 PM, Martin Kosek wrote:

On 02/19/2015 05:14 PM, Dmitri Pal wrote:

On 02/19/2015 10:07 AM, Jani West wrote:
Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 
7.0 with

FreeIPA 3.3.3-28 by using replication.

I have prepared replication file and moved it to the new replica 
server.
Configured the firewalld and installed Ipa and other needed 
packages via yum.


When running ipa-replica-install --setup-ca -d the installation will 
always get stuck on:

--
Configuring certificate server (pki-tomcatd): Estimated time 3 
minutes 30

seconds
[2/19]: configuring certificate server instance
ipa : DEBUGStarting external process
ipa : DEBUGargs=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
ipa : DEBUGProcess finished, return code=1
ipa : DEBUGstdout=Loading deployment configuration from
/tmp/tmpHJBhR5.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.


ipa : DEBUGstderr=pkispawn: WARNING  ... unable to
validate security domain user/password through REST interface. 
Interface not

available
pkispawn: ERROR... Exception from Java Configuration 
Servlet:

Error while updating security domain: java.io.IOException:
java.io.IOException: SocketException cannot read on socket

ipa : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero 
exit status 1

--

Between the attempts I have cleaned up ipa and pki configurations and
deleted the old replication agreement.


Apache logs on old CentOS 6 server have these errors.
--
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST
/ca/admin/ca/getDomainXML HTTP/1.0 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST
/ca/admin/ca/updateDomainXML HTTP/1.0 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] POST
/ca/agent/ca/updateDomainXML HTTP/1.0 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: 
-8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 
Certificate has

expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake 
failed: Not

accepted by client!?
--

Which certificate does this mean? ca.crt has more than five years left.

Clocks are synced, /ca/admin/ca/updateDomainXML can be found in
ipa-pki-proxy.conf and there is no obvious reason. Any hints?


Are CA ports accessible on your