Re: [Freeipa-users] multi-tenancy status
Now that sounds like an interesting project :-) Besides the following links, are there any other places where I can read up about it?

https://fedorahosted.org/ipsilon/
http://www.freeipa.org/page/Web_App_Authentication
http://en.wikipedia.org/wiki/Identity_provider
http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

Cheers
Rob

2015-02-24 19:48 GMT+01:00 Dmitri Pal d...@redhat.com:

> On 02/24/2015 12:34 PM, Rob Verduijn wrote:
>> Hello,
>>
>> I'm interested in setting up ipa with multiple tenancies.
>> However I can only find this document about the subject:
>> http://www.freeipa.org/page/V3/Multitenancy
>>
>> What is the status of the implementation of multiple tenancies?
>
> Unscheduled. Too much work to implement as proposed. We will go with IPA to IPA trusts and SAML based federation (project Ipsilon) first.
>
>> Cheers
>> Rob Verduijn
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] multi-tenancy status
Rob Verduijn wrote:
> Now that sounds like an interesting project :-) Besides the following links, are there any other places where I can read up about it?
>
> https://fedorahosted.org/ipsilon/
> http://www.freeipa.org/page/Web_App_Authentication
> http://en.wikipedia.org/wiki/Identity_provider
> http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

For more details on SAML2 than you'll ever want, see https://wiki.oasis-open.org/security/FrontPage

mod_auth_mellon is an SP for Apache that is compatible with Ipsilon. There is also https://shibboleth.net/

Devs hang out in #ipsilon on freenode.

Ipsilon will be one of the changes in F-22: http://fedoraproject.org/wiki/Releases/22/ChangeSet#Ipsilon

A test day is planned for March 12 (assuming approved by FESCO).

rob

> Cheers
> Rob
>
> 2015-02-24 19:48 GMT+01:00 Dmitri Pal d...@redhat.com:
>> On 02/24/2015 12:34 PM, Rob Verduijn wrote:
>>> I'm interested in setting up ipa with multiple tenancies.
>>> However I can only find this document about the subject:
>>> http://www.freeipa.org/page/V3/Multitenancy
>>>
>>> What is the status of the implementation of multiple tenancies?
>>
>> Unscheduled. Too much work to implement as proposed. We will go with IPA to IPA trusts and SAML based federation (project Ipsilon) first.
Re: [Freeipa-users] multi-tenancy status
Thanks,

That all sounds very interesting, I've got some reading up to do. I'm going to point this out to some people :-)

Rob

2015-02-24 20:55 GMT+01:00 Rob Crittenden rcrit...@redhat.com:

> Rob Verduijn wrote:
>> Now that sounds like an interesting project :-) Besides the following links, are there any other places where I can read up about it?
>>
>> https://fedorahosted.org/ipsilon/
>> http://www.freeipa.org/page/Web_App_Authentication
>> http://en.wikipedia.org/wiki/Identity_provider
>> http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
>
> For more details on SAML2 than you'll ever want, see https://wiki.oasis-open.org/security/FrontPage
>
> mod_auth_mellon is an SP for Apache that is compatible with Ipsilon. There is also https://shibboleth.net/
>
> Devs hang out in #ipsilon on freenode.
>
> Ipsilon will be one of the changes in F-22: http://fedoraproject.org/wiki/Releases/22/ChangeSet#Ipsilon
>
> A test day is planned for March 12 (assuming approved by FESCO).
>
> rob
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Re-created the replication file and ran ipa-replica-install on a fresh CentOS 7 server. It is still giving the same error:

-
2015-02-24T21:40:54Z DEBUG Process finished, return code=1
2015-02-24T21:40:54Z DEBUG stdout=Loading deployment configuration from /tmp/tmpR56_Ck.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

2015-02-24T21:40:54Z DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
.

On 02/24/2015 06:06 PM, Rob Crittenden wrote:
> West, Jani wrote:
>> Thank you for the tip,
>> Just created new /root/cacerts.p12. Should I import it to the CA somehow or just restart the ipa server?
>> Will reset the new replicate vm to clean CentOS 7 installation without any leftovers from ipa-replica-install.
>
> Re-run ipa-replica-prepare and it will pick up the new file. Use that newly prepared file on your replica and hopefully that will do the trick.
>
> rob

--
-- Jani West
-- jw...@iki.fi
-- +358 40 5010914
--
-- Liinalahdentie 4
-- 01800 KLAUKKALA
-- FINLAND
--
I would like Finland to be much more multicultural. Many people come here from elsewhere, but they are not given enough visibility. Somehow we keep them behind the curtains. It is important that Finland becomes open and tolerant. A closed way of thinking is Finland's problem. Perhaps we are afraid of demonstrations like those there have been, for example, in the suburbs of Sweden, and of something terrible happening. People do not understand that immigrants can also bring a lot of good to Finland. I would hope that the government listens to the whole nation, including those who come from different cultures. The government should fund and support the internationalisation of Finland more. Parliament, too, could listen to immigrants more.
HS 8.6.2013: Essi, 16, Etu-Töölö upper secondary school.
Re: [Freeipa-users] Identifying current CA master
Hi!

On Mon, Feb 23, 2015 at 10:29 AM, Martin Kosek mko...@redhat.com wrote:
> Good question. You are most likely hitting bug
> https://bugzilla.redhat.com/show_bug.cgi?id=1178190
> that is planned to be fixed in RHEL-6.7. It should only affect the display of the values, the actual storage and execution should be OK. As indicated in the bug, you can verify the values are set up correctly in /var/lib/certmonger/requests.
>
> Does that help?

I checked the request under /var/lib/certmonger/requests and the post-save command seems to be defined properly.

Thanks!

Best regards,
Thomas
[Freeipa-users] Root overrides HBAC rules for the command su
Hi,

In FreeIPA you can create users and restrict which hosts the user can log in to. This is all great and works fine.

If user1 is logged in to a system, knows the password of user2 and issues the command su to become user2 on that same system, this is not allowed because user2 does not have HBAC rules for that system. This is as expected.

But if the user root tries the su command to become user2, it works despite the fact that user2 has no HBAC rule for that system.

Why does this work? Is there a way to prevent this? Or is this something in su that works the way it does?

Best regards,

Jurriën

This message (including any attachments) may contain information that is privileged or confidential. If you are not the intended recipient, please notify the sender and delete this email immediately from your systems and destroy all copies of it. You may not, directly or indirectly, use, disclose, distribute, print or copy this email or any part of it if you are not the intended recipient.
Re: [Freeipa-users] Centos 7 No permission to /home/..
On Monday, 23 February 2015, 20:20:45, Jakub Hrozek wrote:
> On Mon, Feb 23, 2015 at 05:29:32PM +0100, Günther J. Niederwimmer wrote:
>> I tested all (?), I have configured a ntp /mount for /home, created a /home/user directory only on the ipa-server, nothing is working. I always have permission denied?
>>
>> I found a bug report for oddjob-mkhomedir, to change the permission from 0002 to 0077, but now I am at the end?
>
> Which bug report? IIRC there was one by Stef Walter which I can't find right now that described the default permissions, but it should still be configurable..

I found this,
http://stackoverflow.com/questions/23040225/incorrect-permissions-when-home-directory-is-automatically-created-in-freeipa

--
kind regards / best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] Root overrides HBAC rules for the command su
On Tue, Feb 24, 2015 at 09:15:11AM +, Bloemen, Jurriën wrote:
> Hi,
>
> In FreeIPA you can create users and restrict which hosts the user can log in to. This is all great and works fine.
>
> If user1 is logged in to a system, knows the password of user2 and issues the command su to become user2 on that same system, this is not allowed because user2 does not have HBAC rules for that system. This is as expected.
>
> But if the user root tries the su command to become user2, it works despite the fact that user2 has no HBAC rule for that system.
>
> Why does this work? Is there a way to prevent this? Or is this something in su that works the way it does?

It is the PAM configuration of su, e.g. on F21 it looks like this:

#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the wheel
# group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the wheel
# group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so

If you are root, authentication is skipped with pam_rootok.so and access control by 'pam_succeed_if.so uid = 0 use_uid quiet'. You can change this if you want, but it is not very useful because there are various other ways for root to become user2 without calling su. root can do everything on the local system.

HTH

bye,
Sumit

> Best regards,
>
> Jurriën
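The stack Sumit quotes can be audited mechanically. The following is an added example, not code from the thread, from FreeIPA or from SSSD: it parses a pam.d service file (a constructed copy of the su stack above is embedded) and lists the `sufficient` rules that return success for uid 0. HBAC is evaluated by pam_sss during the account phase of the included system-auth stack, so a `sufficient` rule that matches root before that include is exactly the bypass the question describes. The function names are this example's own.

```python
"""Audit a pam.d service stack for rules that let root skip a phase.

Added example, not from the mailing-list message above or from FreeIPA/SSSD.
Parses pam.d rule lines and reports 'sufficient' rules that succeed for uid 0,
which end the auth or account phase before the system-auth include (and with
it the pam_sss HBAC check) is reached.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the su stack quoted in the message, re-indented.
SU_PAM_CONFIG = """\
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the wheel group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the wheel group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
"""


@dataclass
class PamRule:
    phase: str            # auth / account / password / session
    control: str          # sufficient / required / include / substack / optional / [...]
    module: str           # e.g. pam_rootok.so
    args: List[str] = field(default_factory=list)


def parse_pam(text: str) -> List[PamRule]:
    """Parse pam.d rule lines; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Bracketed control values such as [success=1 default=ignore] contain spaces.
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            phase, control, module, rest = m.groups()
            rules.append(PamRule(phase, control, module, rest.split()))
    return rules


def _matches_uid_zero(args: List[str]) -> bool:
    """True for pam_succeed_if conditions equivalent to 'uid = 0' or 'uid eq 0'."""
    return re.search(r"\buid\s*(=|eq)\s*0\b", " ".join(args)) is not None


def root_bypass_findings(rules: List[PamRule]) -> List[str]:
    """Describe each 'sufficient' rule that returns success for uid 0.

    On success a 'sufficient' rule ends the phase immediately (unless an
    earlier 'required' module already failed), so everything after it,
    including the system-auth include that carries pam_sss, is skipped.
    """
    findings = []
    for r in rules:
        if r.control != "sufficient":
            continue
        if r.module == "pam_rootok.so":
            findings.append(f"{r.phase}: pam_rootok.so succeeds for uid 0, skipping authentication")
        elif r.module == "pam_succeed_if.so" and _matches_uid_zero(r.args):
            findings.append(f"{r.phase}: pam_succeed_if.so matches uid 0, skipping later {r.phase} modules")
    return findings


if __name__ == "__main__":
    for finding in root_bypass_findings(parse_pam(SU_PAM_CONFIG)):
        print(finding)
```

Run against the su stack it reports two findings, one per phase, which matches Sumit's reading: the auth phase is ended by pam_rootok.so and the account phase by pam_succeed_if.so, so neither phase reaches pam_sss for root.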
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
West, Jani wrote:
> Hi,
>
> Validity, status and serials seem to be fine. One interesting pick: while the installation is not too old, it might have been installed initially with FreeIPA 2.x. That's why I have to use ldap port 7389 instead of 398.
>
> # getcert list |grep expires
> expires: 2016-11-21 13:40:41 UTC
> expires: 2016-11-21 13:40:44 UTC
> expires: 2016-11-21 13:40:41 UTC
> expires: 2016-10-30 09:08:12 UTC
> expires: 2016-10-30 09:07:12 UTC
> expires: 2016-10-30 09:07:12 UTC
> expires: 2016-10-30 09:07:12 UTC
> expires: 2016-10-30 09:07:12 UTC
>
> # getcert list -d /etc/httpd/alias -n ipaCert |egrep -i '(status|expires)'
> status: MONITORING
> expires: 2016-10-30 09:07:12 UTC
>
> # certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
> Serial Number: 31 (0x1f)
>
> # ldapsearch -x -h localhost -p 7389 -b uid=ipara,ou=People,o=ipaca description
> # extended LDIF
> #
> # LDAPv3
> # base <uid=ipara,ou=People,o=ipaca> with scope subtree
> # filter: (objectclass=*)
> # requesting: description
> #
>
> # ipara, people, ipaca
> dn: uid=ipara,ou=people,o=ipaca
> description: 2;31;CN=Certificate Authority,O=WESTI;CN=IPA RA,O=WESTI
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1

I suspect you are bootstrapping the replica with expired certs. After the failed install the certs probably still exist on the replica in /var/lib/pki-ca/alias. Check the dates.

I think you need to refresh /root/cacerts.p12 on the master you are preparing the replica on. In newer IPA we regenerate this on-the-fly but it isn't in 3.0. Use PKCS12Export to do this.

rob
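The checks Jani ran by hand (certificate expiry, the ipaCert serial, the ipara entry) can be cross-checked in one place. This is an added example, not part of the message above or of FreeIPA: it parses constructed copies of the three outputs quoted above, reports which tracked certificates are already expired at a chosen reference time, and confirms that the serial recorded on uid=ipara,ou=People,o=ipaca equals the serial of ipaCert in /etc/httpd/alias. The description value is read as version;serial;issuerDN;subjectDN; that the first field is a certificate version is this example's assumption, as are the function names.

```python
"""Cross-check RA certificate data from getcert, certutil and the ipara entry.

Added example, not from the message above or from FreeIPA. The three inputs
are constructed copies of the command output quoted in the message.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List

GETCERT_EXPIRES = """\
expires: 2016-11-21 13:40:41 UTC
expires: 2016-11-21 13:40:44 UTC
expires: 2016-11-21 13:40:41 UTC
expires: 2016-10-30 09:08:12 UTC
expires: 2016-10-30 09:07:12 UTC
"""
CERTUTIL_SERIAL_LINE = "        Serial Number: 31 (0x1f)"
# Assumed layout: version;serial;issuerDN;subjectDN
IPARA_DESCRIPTION = "2;31;CN=Certificate Authority,O=WESTI;CN=IPA RA,O=WESTI"


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC midnight, used as the reference time for expiry checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_expiry_lines(text: str) -> List[datetime]:
    """Extract UTC timestamps from 'expires: YYYY-MM-DD HH:MM:SS UTC' lines."""
    stamps = []
    for line in text.splitlines():
        m = re.search(r"expires:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC", line)
        if m:
            naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            stamps.append(naive.replace(tzinfo=timezone.utc))
    return stamps


def expired_at(expiries: List[datetime], now: datetime) -> List[datetime]:
    """Return the expiry times that are not in the future at 'now'."""
    return [e for e in expiries if e <= now]


def parse_certutil_serial(line: str) -> int:
    """Read the decimal serial from a certutil -L 'Serial Number: N (0x..)' line."""
    m = re.search(r"Serial Number:\s+(\d+)", line)
    if not m:
        raise ValueError("no serial number in: %r" % line)
    return int(m.group(1))


def parse_ipara_description(value: str) -> Dict[str, object]:
    """Split 'version;serial;issuer;subject'; the DNs contain commas, not ';'."""
    version, serial, issuer, subject = value.split(";", 3)
    return {"version": int(version), "serial": int(serial),
            "issuer": issuer, "subject": subject}


def ra_entry_matches_cert(description: str, certutil_line: str) -> bool:
    """True when the serial stored on the ipara user equals the ipaCert serial."""
    return parse_ipara_description(description)["serial"] == parse_certutil_serial(certutil_line)


if __name__ == "__main__":
    ref = utc(2015, 2, 24)  # date of the message
    exp = parse_expiry_lines(GETCERT_EXPIRES)
    print("expired at %s: %d of %d" % (ref.date(), len(expired_at(exp, ref)), len(exp)))
    print("ipara serial matches ipaCert:",
          ra_entry_matches_cert(IPARA_DESCRIPTION, CERTUTIL_SERIAL_LINE))
```

On the master's data nothing is expired and the serials agree, which is consistent with Rob's suggestion that the stale material is on the replica side (the leftover /var/lib/pki-ca/alias database and an old /root/cacerts.p12) rather than in the master's own certificates.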
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Thank you for the tip,

Just created new /root/cacerts.p12. Should I import it to the CA somehow or just restart the ipa server?

Will reset the new replicate vm to clean CentOS 7 installation without any leftovers from ipa-replica-install.

--
-- Jani West

On 24.2.2015 17:06, Rob Crittenden wrote:
> West, Jani wrote:
>> Hi,
>>
>> Validity, status and serials seem to be fine. One interesting pick: while the installation is not too old, it might have been installed initially with FreeIPA 2.x. That's why I have to use ldap port 7389 instead of 398.
>
> I suspect you are bootstrapping the replica with expired certs. After the failed install the certs probably still exist on the replica in /var/lib/pki-ca/alias. Check the dates.
>
> I think you need to refresh /root/cacerts.p12 on the master you are preparing the replica on. In newer IPA we regenerate this on-the-fly but it isn't in 3.0. Use PKCS12Export to do this.
>
> rob
[Freeipa-users] Reg:FreeIPA Client Configuration
Hi,

I have configured a FreeIPA server in CentOS and synchronized it with Windows Active Directory. If I create any users in AD they will be automatically synchronized with the IPA server.

But I'm unable to configure the IPA client on my CentOS machine, which is installed on another machine. The IPA client is unable to discover the DNS entry.

Can anybody tell me how to resolve this issue?

Regards,
Veerakumar V
Infrastructure Application Support
[Aspire Systems]

This e-mail message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary, confidential, trade secret or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited and may be a violation of law. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
West, Jani wrote:
> Thank you for the tip,
> Just created new /root/cacerts.p12. Should I import it to the CA somehow or just restart the ipa server?
> Will reset the new replicate vm to clean CentOS 7 installation without any leftovers from ipa-replica-install.

Re-run ipa-replica-prepare and it will pick up the new file. Use that newly prepared file on your replica and hopefully that will do the trick.

rob
Re: [Freeipa-users] multi-tenancy status
On 02/24/2015 12:34 PM, Rob Verduijn wrote:
> Hello,
>
> I'm interested in setting up ipa with multiple tenancies.
> However I can only find this document about the subject:
> http://www.freeipa.org/page/V3/Multitenancy
>
> What is the status of the implementation of multiple tenancies?

Unscheduled. Too much work to implement as proposed. We will go with IPA to IPA trusts and SAML based federation (project Ipsilon) first.

> Cheers
> Rob Verduijn

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] multi-tenancy status
Hello,

I'm interested in setting up ipa with multiple tenancies.
However I can only find this document about the subject:
http://www.freeipa.org/page/V3/Multitenancy

What is the status of the implementation of multiple tenancies?

Cheers
Rob Verduijn
Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED
-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Monday, 23 February 2015 8:01 PM
To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi Dewata; Jan Cholasta
Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly

> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> Sent: Monday, 23 February 2015 12:18 PM
> To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi Dewata; Jan Cholasta
> Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly
>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>> Sent: Saturday, 21 February 2015 1:39 AM
>> To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Endi Dewata; Jan Cholasta
>> Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly
>>
>> Martin Kosek wrote:
>>> On 02/20/2015 06:56 AM, Les Stott wrote:
>>>> Hi all,
>>>>
>>>> The following is blocking the ability for me to install a CA replica.
>>>>
>>>> Environment:
>>>> RHEL 6.6
>>>> IPA 3.0.0-42
>>>> PKI 9.0.3-38
>>>>
>>>> On the master the following is happening:
>>>>
>>>> ipa-getcert list
>>>> Number of certificates and requests being tracked: 5.
>>>>
>>>> (but it shows no certificate details in the output)
>>>>
>>>> Running getcert list shows complete output.
>>>>
>>>> Also, when trying to browse https://master.mydomain.com/ca/ee/ca/getCertChain I get a failed response. The apache error logs on the master show
>>>>
>>>> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
>>>>
>>>> The reason I am trying to browse that address is because that's what the ipa-ca-install setup is failing at (it complains that the CA certificate is not in proper format, in fact it's not able to get it at all).
>>>>
>>>> I know from another working ipa setup that browsing to the above address provides valid xml content and ipa-getcert list shows certificate details and not just the number of tracked certificates.
>>>>
>>>> Been trying for a long time to figure out the issues without luck.
>>>>
>>>> I would greatly appreciate any help to troubleshoot and resolve the above issues.
>>>>
>>>> Regards,
>>>>
>>>> Les
>>>
>>> Endi or JanC, would you have any advice for Les? To me, it looks like the Apache does not have a proper certificate installed. My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it in total 8 certs tracked:
>>>
>>> # ipa-getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '201402':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>         subject: CN=vm-086.example.com,O=EXAMPLE.COM
>>>         expires: 2016-11-11 00:00:01 UTC
>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '201447':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>         subject: CN=vm-086.example.com,O=EXAMPLE.COM
>>>         expires: 2016-11-11 00:00:46 UTC
>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '2014000302':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>         subject: CN=vm-086.example.com,O=EXAMPLE.COM
>>>         expires: 2016-11-11 00:03:02 UTC
>>>         key usage:
Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution - RESOLVED
Have resolved the issues below by completely removing FreeIPA and starting from scratch.

Here is the procedure to completely remove FreeIPA so you can start again.

ipa-server-install --uninstall
certutil -d /etc/httpd/alias -D -n Server-Cert
certutil -d /etc/httpd/alias -D -n "MYDOMAIN.COM IPA CA"
certutil -d /etc/httpd/alias -D -n ipaCert
certutil -d /etc/httpd/alias -D -n Signing-Cert
yum -y remove pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools ipa-server-selinux ipa-server ipa-client ipa-admintools ipa-python ipa-pki-ca-theme ipa-pki-common-theme 389-ds-base 389-ds-base-libs
userdel pkisrv
userdel pkiuser
rm -rf /etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger /etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid /usr/share/pki /etc/ipa /var/log/ipa*
reboot

Now you have a clean slate. Then install works as normal for IPA Server, Replica and CA Replica installations.

Hope this saves someone else time in the future.

Regards,

Les

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Wednesday, 18 February 2015 6:27 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

Has anyone got any ideas on the below errors I am now receiving?

Thanks in advance,

Les

I will test this out (update to 3.7.19-260) next week as I've got a few more CA replicas to set up.

I'm still having issues. Different one this time.

As I have previously worked around the install of CA replicas in my Production environment as above, I went to set up CA replication in DR (both environments are completely separate). I made sure I did a yum update for all packages, including selinux-policy, and also made sure all needed modules were loaded in httpd.conf. I proceeded to retry installation of CA replication.

However, it failed with the following:

Note: sb2sys01.domain.com is the replica I am trying to install (abbreviated below)

#
Attempting to connect to: sb2sys01.domain.com:9445
Connected.
Posting Query = https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Fri, 13 Feb 2015 08:09:35 GMT
RESPONSE HEADER:  Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
     END COPYRIGHT BLOCK -->
<response>
<panel>admin/console/config/restorekeycertpanel.vm</panel>
<res/>
<updateStatus>failure</updateStatus>
<password/>
<errorString>The pkcs12 file is not correct.</errorString>
<size>19</size>
Error in RestoreKeyCertPanel(): updateStatus returns failure
ERROR: ConfigureCA: RestoreKeyCertPanel() failure
ERROR: unable to create CA

In /var/log/pki-ca/catalina.out I see...

CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed certificate|and skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.

Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a working system).

grep DirAclAuthz /etc/pki-ca/CS.cfg
authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap._000=##
authz.instance.DirAclAuthz.ldap._001=## Internal Database
authz.instance.DirAclAuthz.ldap._002=##
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.maxConns=15
authz.instance.DirAclAuthz.ldap.minConns=3
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false

The CA cert looks ok to me on the master. It does get copied to the replica in /usr/share/ipa/html/ca.crt

I don't see any errors in httpd error or access logs on the master or the intended replica.

The ipa-pki-proxy.conf config has the profilesubmit section.

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenI
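The catalina.out line quoted above ("Property internaldb.ldapconn.port missing value") is the same defect the CS.cfg grep shows: connection keys that exist but carry no value. Checking for that directly is quicker than reading the Java log after a failed replica install. The following is an added example, not code from the thread or from Dogtag/FreeIPA: it parses CS.cfg key=value lines (a constructed copy of the fragment quoted above is embedded) and reports the connection keys left empty. The list of keys treated as required is this example's assumption, not a Dogtag schema, and the function names are its own.

```python
"""Flag empty connection settings in a Dogtag CS.cfg fragment.

Added example, not from the message above or from Dogtag/FreeIPA. CS.cfg is a
flat key=value file; values may themselves contain '=' (e.g. a bind DN), so the
line is split on the first '=' only.
"""
from typing import Dict, List, Tuple

# Constructed sample: the CS.cfg lines quoted in the message.
CS_CFG_FRAGMENT = """\
authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap._000=##
authz.instance.DirAclAuthz.ldap._001=## Internal Database
authz.instance.DirAclAuthz.ldap._002=##
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.maxConns=15
authz.instance.DirAclAuthz.ldap.minConns=3
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false
"""

# Key suffixes that must have a value for an LDAP-backed plugin instance to
# reach the internal database. Assumption of this example, not a Dogtag schema.
REQUIRED_SUFFIXES: Tuple[str, ...] = ("ldapconn.host", "ldapconn.port", "basedn")


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comment lines are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def missing_values(cfg: Dict[str, str],
                   required_suffixes: Tuple[str, ...] = REQUIRED_SUFFIXES) -> List[str]:
    """Return, sorted, the required keys that are present but have an empty value."""
    return sorted(k for k, v in cfg.items() if v == "" and k.endswith(required_suffixes))


def port_is_valid(cfg: Dict[str, str], key: str) -> bool:
    """True when the key holds a decimal TCP port in 1..65535."""
    v = cfg.get(key, "")
    return v.isdigit() and 1 <= int(v) <= 65535


if __name__ == "__main__":
    parsed = parse_cs_cfg(CS_CFG_FRAGMENT)
    for key in missing_values(parsed):
        print("missing value:", key)
```

Against the quoted fragment it lists the basedn, ldapconn.host and ldapconn.port keys, which is the population step Les observes never happened on the failed replica.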
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
On old master apache logs look like this:
---
[Tue Feb 24 23:37:40 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca
[Tue Feb 24 23:37:41 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca
[Tue Feb 24 23:38:22 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca

192.168.177.8 - - [24/Feb/2015:10:35:47 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323
192.168.177.8 - - [24/Feb/2015:23:37:40 +0200] GET /ca/rest/securityDomain/domainInfo HTTP/1.1 404 325
192.168.177.8 - - [24/Feb/2015:23:37:41 +0200] GET /ca/admin/ca/getDomainXML HTTP/1.1 200 1158
192.168.177.8 - - [24/Feb/2015:23:37:41 +0200] GET /ca/rest/account/login HTTP/1.1 404 313
192.168.177.8 - - [24/Feb/2015:23:38:19 +0200] POST /ca/admin/ca/getCertChain HTTP/1.0 200 1410
192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] GET /ca/rest/account/login HTTP/1.1 404 313
192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] POST /ca/admin/ca/getCookie HTTP/1.1 200 4088
192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158
192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/admin/ca/getCertChain HTTP/1.0 200 1410
192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 -
192.168.177.8 - - [24/Feb/2015:23:38:24 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 -
192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 163
192.168.177.8 - - [24/Feb/2015:23:38:24 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 163
192.168.177.8 - - [24/Feb/2015:23:38:27 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 -
192.168.177.8 - - [24/Feb/2015:23:38:27 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 153
192.168.177.8 - - [24/Feb/2015:23:38:30 +0200] POST /ca/admin/ca/getConfigEntries HTTP/1.0 200 13714
192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158
192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 -
192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 200 115
-

and /var/log/ipareplica-install.log on new replica looks like this:

pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
2015-02-24T21:40:54Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpR56_Ck' returned non-zero exit status 1
2015-02-24T21:40:54Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 638, in run_script
    return_value = main_function()
  File /usr/sbin/ipa-replica-install, line 667, in main
    CA = cainstance.install_replica_ca(config)
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 1689, in install_replica_ca
    subject_base=config.subject_base)
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 478, in configure_instance
    self.start_creation(runtime=210)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 364, in start_creation
    method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 615, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')
2015-02-24T21:40:54Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed

Just give me a shout if you want me to run replication again and if you need any extra logs.

On 02/25/2015 12:00 AM, Rob Crittenden wrote:
Jani West wrote:
Re-created replication file and run ipa-replica-install on fresh CentOS 7 server. It is still giving the same error:
-
2015-02-24T21:40:54Z DEBUG Process finished, return code=1
2015-02-24T21:40:54Z DEBUG stdout=Loading deployment configuration from /tmp/tmpR56_Ck.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

2015-02-24T21:40:54Z DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available

That is expected.

pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2

I think a fresh set of logs is needed.

rob

On 02/24/2015 06:06 PM, Rob Crittenden wrote:
West, Jani wrote:
Thank you for the tip, Just created new /root/cacerts.p12. Should I import it to the CA somehow or just restart the ipa server? Will reset the new replicate vm to clean CentOS 7 installation without any leftovers from ipa-replica-install.

Re-run ipa-replica-prepare and it will pick up the new file. Use that newly prepared file on your replica and hopefully
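The access-log excerpt above is easier to triage when it is sorted by endpoint rather than read top to bottom: the interesting question is which CA endpoints the replica's pkispawn called on the old master and which of them never returned a success. The following script is an added example, not code from this thread or from FreeIPA. It parses lines in the Common Log Format as the mail shows them (request field without the surrounding quotes that a real access_log has; both forms are accepted), lists every non-2xx request under /ca/, and reports the paths that were hit but never answered 2xx. The sample lines are a constructed subset of the ones quoted in the message.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the old master's access-log lines quoted in
# the thread, in the same unquoted-request form the mail shows them.
SAMPLE_ACCESS_LOG = """\
192.168.177.8 - - [24/Feb/2015:10:35:47 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323
192.168.177.8 - - [24/Feb/2015:23:37:40 +0200] GET /ca/rest/securityDomain/domainInfo HTTP/1.1 404 325
192.168.177.8 - - [24/Feb/2015:23:37:41 +0200] GET /ca/admin/ca/getDomainXML HTTP/1.1 200 1158
192.168.177.8 - - [24/Feb/2015:23:37:41 +0200] GET /ca/rest/account/login HTTP/1.1 404 313
192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 -
192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 163
192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 -
192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 200 115
"""

# Common Log Format. The request field is optionally wrapped in double quotes:
# a real Apache access_log quotes it, the mail excerpt does not.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)"? '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def parse_log(text):
    """Parse all lines, silently skipping ones that are not access-log entries
    (e.g. error_log lines pasted into the same excerpt)."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def failed_ca_requests(entries, prefix="/ca/"):
    """Entries under `prefix` whose status is not 2xx (403 forbidden, 404 missing, ...)."""
    return [e for e in entries
            if e["path"].startswith(prefix) and not 200 <= e["status"] < 300]


def summarize_by_path(entries):
    """Map each path to the sorted list of distinct status codes it returned."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["path"]].add(e["status"])
    return {path: sorted(codes) for path, codes in seen.items()}


def never_succeeded(entries):
    """Paths that were requested but never returned 2xx: the endpoints the
    replica depends on that the old master does not serve (or refuses)."""
    return sorted(path for path, codes in summarize_by_path(entries).items()
                  if not any(200 <= c < 300 for c in codes))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_ACCESS_LOG)
    for e in failed_ca_requests(entries):
        print(f'{e["ts"]} {e["method"]} {e["path"]} -> {e["status"]}')
    print("never succeeded:", never_succeeded(entries))
```

Run it against the full excerpt (or a real access_log copied off the master) and the output separates the endpoints that merely failed once, such as /ca/agent/ca/updateDomainXML returning 403 before a later 200, from the ones that never answered at all, such as the /ca/rest/ paths and /ca/admin/ca/updateDomainXML; those are the calls to look at first when the replica's pkispawn reports that the security domain update failed.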
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Jani West wrote:
Re-created replication file and run ipa-replica-install on fresh CentOS 7 server. It is still giving the same error:
-
2015-02-24T21:40:54Z DEBUG Process finished, return code=1
2015-02-24T21:40:54Z DEBUG stdout=Loading deployment configuration from /tmp/tmpR56_Ck.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

2015-02-24T21:40:54Z DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available

That is expected.

pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2

I think a fresh set of logs is needed.

rob

On 02/24/2015 06:06 PM, Rob Crittenden wrote:
West, Jani wrote:
Thank you for the tip, Just created new /root/cacerts.p12. Should I import it to the CA somehow or just restart the ipa server? Will reset the new replicate vm to clean CentOS 7 installation without any leftovers from ipa-replica-install.

Re-run ipa-replica-prepare and it will pick up the new file. Use that newly prepared file on your replica and hopefully that will do the trick.

rob

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Jani West wrote:
On old master apache logs look like this:
---
[Tue Feb 24 23:37:40 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca
[Tue Feb 24 23:37:41 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca
[Tue Feb 24 23:38:22 2015] [error] [client 192.168.177.8] File does not exist: /var/www/html/ca

192.168.177.8 - - [24/Feb/2015:10:35:47 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 403 323
192.168.177.8 - - [24/Feb/2015:23:37:40 +0200] GET /ca/rest/securityDomain/domainInfo HTTP/1.1 404 325
192.168.177.8 - - [24/Feb/2015:23:37:41 +0200] GET /ca/admin/ca/getDomainXML HTTP/1.1 200 1158
192.168.177.8 - - [24/Feb/2015:23:37:41 +0200] GET /ca/rest/account/login HTTP/1.1 404 313
192.168.177.8 - - [24/Feb/2015:23:38:19 +0200] POST /ca/admin/ca/getCertChain HTTP/1.0 200 1410
192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] GET /ca/rest/account/login HTTP/1.1 404 313
192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] POST /ca/admin/ca/getCookie HTTP/1.1 200 4088
192.168.177.8 - - [24/Feb/2015:23:38:22 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158
192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/admin/ca/getCertChain HTTP/1.0 200 1410
192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 -
192.168.177.8 - - [24/Feb/2015:23:38:24 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 -
192.168.177.8 - - [24/Feb/2015:23:38:23 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 163
192.168.177.8 - - [24/Feb/2015:23:38:24 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 163
192.168.177.8 - - [24/Feb/2015:23:38:27 +0200] POST /ca/admin/ca/updateNumberRange HTTP/1.0 404 -
192.168.177.8 - - [24/Feb/2015:23:38:27 +0200] POST /ca/ee/ca/updateNumberRange HTTP/1.0 200 153
192.168.177.8 - - [24/Feb/2015:23:38:30 +0200] POST /ca/admin/ca/getConfigEntries HTTP/1.0 200 13714
192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/admin/ca/getDomainXML HTTP/1.0 200 1158
192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/admin/ca/updateDomainXML HTTP/1.0 404 -
192.168.177.8 - - [24/Feb/2015:23:41:06 +0200] POST /ca/agent/ca/updateDomainXML HTTP/1.0 200 115
-

and /var/log/ipareplica-install.log on new replica looks like this:

pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
2015-02-24T21:40:54Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpR56_Ck' returned non-zero exit status 1
2015-02-24T21:40:54Z DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 638, in run_script
    return_value = main_function()
  File /usr/sbin/ipa-replica-install, line 667, in main
    CA = cainstance.install_replica_ca(config)
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 1689, in install_replica_ca
    subject_base=config.subject_base)
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 478, in configure_instance
    self.start_creation(runtime=210)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 364, in start_creation
    method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 615, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')
2015-02-24T21:40:54Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed

Just give me a shout if you want me to run replication again and if you need any extra logs.

The full ipaserver-install.log and /var/log/pki/pki-tomcat/ca/debug would be handy. Feel free to send them to me directly as they are probably rather large.

rob

On 02/25/2015 12:00 AM, Rob Crittenden wrote:
Jani West wrote:
Re-created replication file and run ipa-replica-install on fresh CentOS 7 server. It is still giving the same error:
-
2015-02-24T21:40:54Z DEBUG Process finished, return code=1
2015-02-24T21:40:54Z DEBUG stdout=Loading deployment configuration from /tmp/tmpR56_Ck.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

2015-02-24T21:40:54Z DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available

That is expected.

pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2

I think a fresh set of logs is needed.

rob

On 02/24/2015 06:06 PM, Rob Crittenden wrote:
West, Jani wrote:
Thank you for the tip, Just created new /root/cacerts.p12. Should I import it to the CA somehow