[Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Sanju A
Hi,

I am getting the following error while removing a host.

---
Certificate operation cannot be completed: Unable to communicate with CMS 
(Not Found)
---




Apache log
---

[Wed May 20 12:10:26 2015] [error] ipa: ERROR: 
ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with 
CMS (Not Found)


Regards
Sanju Abraham


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] replication again :-(

2015-05-20 Thread Ludwig Krispenz


On 05/20/2015 02:57 AM, Janelle wrote:

On 5/19/15 12:04 AM, thierry bordaz wrote:

On 05/19/2015 03:42 AM, Janelle wrote:

On 5/18/15 6:23 PM, Janelle wrote:
Once again, replication/sync has been lost. I really wish the 
product was more stable; it has so much potential, and yet.


Servers running for 6 days no issues. No new accounts or changes 
(maybe a few users changing passwords) and again, 5 out of 16 
servers are no longer in sync.


I can test it easily by adding an account and then waiting a few 
minutes, then run "ipa  user-show --all username" on all the 
servers, and only a few of them have the account.  I have now 
waited 15 minutes, still no luck.


Oh well.. I guess I will go look at alternatives. I had such high 
hopes for this tool. Thanks so much everyone for all your help in 
trying to get things stable, but for whatever reason, there is a 
random loss of sync among the servers and obviously this is not 
acceptable.


regards
~J




All the replicas are happy again. I found these again:

unable to decode  {replica 16} 5535647200030010 5535647200030010
unable to decode  {replica 23} 5553e3a30017 555432430017
unable to decode  {replica 24} 554d53d30018 554d54a400020018

What I also found to be interesting is that I have not deleted any 
masters at all, so this was quite perplexing where the orphaned 
entries came from.  However I did find 3 of the replicas did not show 
complete RUV lists... While most of the replicas had a list of all 16 
servers, a couple of them listed only 4 or 5. (using 
ipa-replica-manage list-ruv)
So this happens "out of the blue"? Did it happen at the same time? Do 
you know when it started? The maxcsns in the RUV are quite old: r16: 
Apr 21, r23: May 14, r24: May 9. Could it be that there was no change 
applied to these masters during that time?


Once I re-initialized --from servers that showed the correct RUVS 
everyone is happy again. I have tested replication by creating and 
deleting accounts, changing group members and a few other things. 
Everything is working fine.  I have enabled additional logging.


Now we wait and when it happens again, hopefully we have something.

thanks
~Janelle





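The CSNs quoted in the RUV output above carry the timestamp and replica ID that Ludwig reads off by hand (the thread's copies appear with some zero runs dropped; a full CSN is 20 hex digits). The Python below is an added example, not FreeIPA or 389-ds project code: it decodes CSNs using the 389-ds layout (8 hex digits of Unix time, 4 of sequence number, 4 of replica ID, 4 of subsequence number), parses RUV elements written in the shape of an nsds50ruv value, flags replicas whose newest CSN is older than a threshold, and flags elements whose "{replica N}" label disagrees with the replica ID embedded in their own CSN. The RUV lines, host names and the "now" timestamp are constructed.

```python
"""Decode 389-ds CSNs from an RUV and flag replicas whose newest change is stale.

Added example, not FreeIPA or 389-ds project code. Assumes the 389-ds CSN
layout: 20 hex digits = 8 (Unix time) + 4 (sequence) + 4 (replica ID)
+ 4 (subsequence). The RUV lines below are constructed sample data in the
shape of an nsds50ruv value; the host names are invented.
"""
import re
from datetime import datetime, timezone

CSN_RE = re.compile(r"\b[0-9a-fA-F]{20}\b")
ELEMENT_RE = re.compile(r"\{replica\s+(?P<rid>\d+)(?:\s+(?P<url>[^}\s]+))?\}")

# Constructed sample: three ordinary elements (one in the "unable to decode"
# shape, which carries no URL) plus one whose label (5) disagrees with the
# replica ID embedded in its CSNs (0x0010 = 16).
SAMPLE_RUV = [
    "{replica 16 ldap://ipa1.example.test:389} 55356472000300100000 55356472000300100000",
    "{replica 23 ldap://ipa2.example.test:389} 5553e3a3000000170000 55543243000000170000",
    "unable to decode {replica 24} 554d53d3000000180000 554d54a4000200180000",
    "{replica 5 ldap://ipa4.example.test:389} 55356472000300100000 55356472000300100000",
]


def parse_csn(csn):
    """Split a CSN into its four fields; raises ValueError on the wrong shape."""
    if not CSN_RE.fullmatch(csn):
        raise ValueError("CSN must be 20 hex digits: %r" % (csn,))
    fields = {
        "time": int(csn[0:8], 16),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }
    fields["utc"] = datetime.fromtimestamp(fields["time"], timezone.utc).isoformat()
    return fields


def parse_ruv(lines):
    """One dict per RUV element: label rid, url, decoded mincsn and maxcsn.

    A line with a single CSN is treated as carrying only the maxcsn."""
    elements = []
    for line in lines:
        m = ELEMENT_RE.search(line)
        if not m:
            continue
        csns = CSN_RE.findall(line[m.end():])
        elements.append({
            "rid": int(m.group("rid")),
            "url": m.group("url"),
            "mincsn": parse_csn(csns[0]) if len(csns) > 1 else None,
            "maxcsn": parse_csn(csns[-1]) if csns else None,
        })
    return elements


def stale_replicas(elements, now, max_age_days=7):
    """Replica IDs whose maxcsn is older than max_age_days at Unix time `now`."""
    limit = max_age_days * 86400
    return [e["rid"] for e in elements
            if e["maxcsn"] is not None and now - e["maxcsn"]["time"] > limit]


def rid_mismatches(elements):
    """Replica IDs whose label differs from the ID embedded in their maxcsn."""
    return [e["rid"] for e in elements
            if e["maxcsn"] is not None and e["maxcsn"]["rid"] != e["rid"]]


if __name__ == "__main__":
    elements = parse_ruv(SAMPLE_RUV)
    for e in elements:
        print(e["rid"], e["url"], e["maxcsn"]["utc"])
    # 0x555c0000 is a constructed "now" a few days after the newest sample CSN.
    print("stale:", stale_replicas(elements, now=0x555c0000))
    print("mismatched:", rid_mismatches(elements))
```

A maxcsn that stops advancing on a master that is known to be taking writes is the condition Ludwig is asking about; the mismatch check catches the other case discussed here, an element in the RUV that no live master claims.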

[Freeipa-users] IPA/AD domain trust - unidirectional or bidirectional?

2015-05-20 Thread opsource trail
Hello,
we plan to deploy an IPA (Red Hat IdM) trust with an AD domain, but at the moment
we are kind of confused about what type of trust we will need to deal with.
In the Red Hat documentation we find the information that:

"... Trusts, then, are essentially unidirectional. Active Directory users
can access IdM resources and services, but IdM users cannot access Active
Directory resources... "
(
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html
)

On the other hand, when I configure the trust I can clearly see that it is
actually bidirectional:
[root@ipaserver ~]# ipa trust-add --type=ad adexample.com --admin
Administrator --password
--
Added Active Directory trust for realm "adexample.com"
--
  Realm name: adexample.com
  Domain NetBIOS name: ADEXAMPLE
  Domain Security Identifier: S-1-5-21-1689615952-3716327440-3249090444
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

I'm afraid that our Windows department will complain and consider this as a
security issue.

Is there anybody who could help me understand this?

Thanks!

All the best.

Jan

Re: [Freeipa-users] IPA/AD domain trust - unidirectional or bidirectional?

2015-05-20 Thread Alexander Bokovoy

On Wed, 20 May 2015, opsource trail wrote:

Hello,
we plan to deploy an IPA (Red Hat IdM) trust with an AD domain, but at the moment
we are kind of confused about what type of trust we will need to deal with.
In the Red Hat documentation we find the information that:

"... Trusts, then, are essentially unidirectional. Active Directory users
can access IdM resources and services, but IdM users cannot access Active
Directory resources... "
(
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html
)

I tried to get technical writers to rewrite this sentence but so far
unsuccessful. There seems to be some fundamental misunderstanding at
hand, unfortunately.


On the other hand, when I configure the trust I can clearly see that it is
actually bidirectional:
[root@ipaserver ~]# ipa trust-add --type=ad adexample.com --admin
Administrator --password
--
Added Active Directory trust for realm "adexample.com"
--
 Realm name: adexample.com
 Domain NetBIOS name: ADEXAMPLE
 Domain Security Identifier: S-1-5-21-1689615952-3716327440-3249090444
 Trust direction: Two-way trust
 Trust type: Active Directory domain
 Trust status: Established and verified

I'm afraid that our Windows department will complain and consider this as a
security issue.

No, it is not a security issue, regardless what your Windows department
would like to think. They may better spend time looking into actual
Active Directory protocols documentation at
https://msdn.microsoft.com/en-us/library/jj712081.aspx to realise
situation is much more complex than a binary division between 'secure'
and 'insecure'.


Is there anybody who could help me understand this?

You can start with http://www.freeipa.org/page/V4/One-way_trust to get
yourself a high level overview and comparison of what two-way and
one-way trust mean in the context of IPA and Active Directory.

--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA/AD domain trust - unidirectional or bidirectional?

2015-05-20 Thread opsource trail
Hi Alex,
thanks for your prompt response. This more/less sums up our arguments, but
definitely the AD protocol documentation might be helpful.

Best regards,
Jan


[Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Dewangga Bachrul Alam
Hello!

I've tried to set up my IPA server to work in a multiple-domain environment. For
example, I have 20 instances/servers using mydomain.co.id, and another 10
instances/servers using mydomain.com; I want to manage both of them on the
same IPA server.

On an instance with mydomain.com, I set up and pointed my DNS to the IPA
server; DNS discovery failed, but if I entered the IPA server address
manually, the setup succeeded.

---
[root@joyoboyo ~]# getent passwd dewangga
dewangga:*:94001:94001:Dewangga Alam:/home/dewangga:/bin/bash
[root@joyoboyo ~]# uname -a
Linux joyoboyo.mydomain.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15
04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
---

Is it normal? Or is there another configuration in krb5.conf? I found
something interesting in the [domain_realm] section, but before I change
it, I'd better ask the mailing list.

Thanks for any help and comments, this is my first time to configure IPA
Server :D



Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Martin Kosek
On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
> Hello!
> 
> I've tried to setup my IPA server to work on multiple domain env, for
> the example, I have 20 instance/servers using mydomain.co.id then I have
> another 10 instance/servers using mydomain.com, I want to manage both of
> them on same IPA server.

This is fine. If the alternate domain contains the "_kerberos.domain.com" DNS
TXT record with the realm, the Kerberos client should be able to find the right IPA
server/KDC to talk to (if it has DNS discovery enabled). Recent FreeIPA
versions add this record to owned DNS zones automatically.

> On instance with mydomain.com, I've setup and point my DNS to the IPA
> Server, the DNS Discovery was failed, but if I entered IPA server
> address manually, the setup was success.

If autodiscovery with hosts in your alternate domain does not work, you can
also use just

# ipa-client-install --domain main.ipa.domain.com

and it should find the IPA server.

> 
> ---
> [root@joyoboyo ~]# getent passwd dewangga
> dewangga:*:94001:94001:Dewangga Alam:/home/dewangga:/bin/bash
> [root@joyoboyo ~]# uname -a
> Linux joyoboyo.mydomain.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15
> 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> ---
> 
> Is it normal? Or is there another configuration on krb5.conf? I found
> something interesting on [domain_realm] section, but before I changes
> them, better I ask to the mailing list.

What I see above looks normal to me. [domain_realm] manual mapping can be used
if you have DNS autodiscovery disabled or you miss the DNS TXT record for
Kerberos, IIRC.

> 
> Thanks for any help and comments, this is my first time to configure IPA
> Server :D

Good, I hope you like it :-)

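To make the realm-discovery point concrete, here is an added Python example (not FreeIPA code) that models the two ways a client maps a host in the alternate domain to the realm, following the rules documented for MIT krb5: the [domain_realm] map in krb5.conf (an entry with a leading dot covers everything beneath that domain, an entry without one covers only that exact name), and, with dns_lookup_realm enabled, TXT queries for _kerberos.<name> walked from the full host name up through its parent domains, which is where the record FreeIPA publishes is found. It also renders the [domain_realm] fallback Martin mentions. The zone contents and host names are constructed from the names in the thread; the exact matching order is an assumption taken from the krb5.conf documentation, and the real library has further fallbacks (default_realm and friends) that are not modelled here.

```python
"""How a Kerberos client in an alternate DNS domain finds its realm.

Added example, not FreeIPA code. Models two lookups as documented for MIT
krb5: the [domain_realm] map in krb5.conf, and (with dns_lookup_realm on)
TXT queries for _kerberos.<name> from the host name up through its parents.
The matching order is an assumption from the krb5.conf documentation; the
real library has further fallbacks that are not modelled. Zone data below
is constructed from the names used in the thread.
"""

REALM = "MYDOMAIN.CO.ID"

# Constructed: the TXT records FreeIPA publishes in the zones it owns, for a
# realm whose primary domain is mydomain.co.id plus an alternate domain.
TXT_RECORDS = {
    "_kerberos.mydomain.co.id": [REALM],
    "_kerberos.mydomain.com": [REALM],
}


def _suffixes(fqdn):
    """'a.b.c' -> ['a.b.c', 'b.c', 'c'], lower-cased, trailing dot removed."""
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def realm_from_domain_realm(fqdn, mapping):
    """Apply a [domain_realm] map: the exact host first, then each parent
    domain written with a leading dot. Returns None when nothing applies."""
    lower = {k.lower(): v for k, v in mapping.items()}
    suffixes = _suffixes(fqdn)
    if suffixes[0] in lower:
        return lower[suffixes[0]]
    for parent in suffixes[1:]:
        if "." + parent in lower:
            return lower["." + parent]
    return None


def realm_from_dns(fqdn, txt_records):
    """dns_lookup_realm: query _kerberos.<host>, then _kerberos.<parent>, ...
    and take the first TXT answer. txt_records stands in for the resolver."""
    for name in _suffixes(fqdn):
        answers = txt_records.get("_kerberos." + name)
        if answers:
            return answers[0]
    return None


def resolve_realm(fqdn, mapping=None, txt_records=None, dns_lookup_realm=True):
    """krb5.conf mapping first; DNS only when the client is allowed to use it."""
    realm = realm_from_domain_realm(fqdn, mapping or {})
    if realm is None and dns_lookup_realm:
        realm = realm_from_dns(fqdn, txt_records or {})
    return realm


def domain_realm_section(domains, realm):
    """Render the [domain_realm] fallback for clients with DNS discovery off
    or whose domain lacks the _kerberos TXT record. Both forms are emitted so
    hosts beneath the domain and the bare domain name itself are covered."""
    lines = ["[domain_realm]"]
    for d in domains:
        d = d.rstrip(".").lower()
        lines.append(" .%s = %s" % (d, realm))
        lines.append(" %s = %s" % (d, realm))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    host = "joyoboyo.mydomain.com"
    print("via DNS TXT:", resolve_realm(host, txt_records=TXT_RECORDS))
    print("DNS off, no map:", resolve_realm(host, txt_records=TXT_RECORDS,
                                            dns_lookup_realm=False))
    print(domain_realm_section(["mydomain.com"], REALM))
```

The second print is the case from the thread: with DNS discovery disabled and no [domain_realm] entry, a host in mydomain.com cannot learn that its realm is MYDOMAIN.CO.ID, which is when the manual mapping is needed.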


Re: [Freeipa-users] AD-trust and external DNS

2015-05-20 Thread Petr Spacek
Hello,

please let me correct this:

IPA cares only about correct DNS records. It does not matter if IPA manages
the DNS server or if the server is external entity - everything will work as
long as all records are in place.

IPA installers should give you standard zone file which can be added to
existing DNS servers.

On 18.5.2015 16:13, Baird, Josh wrote:
> You should add your IPA zone as a slave on your 'external' DNS servers so 
> they are able to resolve the IPA zone.

If you decide to use IPA DNS then you *most importantly* need to add proper NS
records to the parent zone to ensure that DNS delegation is correct.

Slave zones are just 'nice to have' for improved resiliency but they should
never be used instead of proper NS records.

Let me know if you are interested in some other details.

Petr^2 Spacek

> Josh
> 
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Winfried de Heiden
> Sent: Monday, May 18, 2015 10:10 AM
> To: Freeipa-users
> Subject: [Freeipa-users] AD-trust and external DNS
> 
> Hi all,
> 
> Creating an AD trust works nicely. However, for some customers neither AD nor 
> IPA has DNS "of its own"; they use external DNS (Infoblox, for 
> example).
> 
> Now, is it possible to create an AD trust without a built-in (bind) IPA DNS?



Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Dewangga Bachrul Alam
Hello!

On 05/20/2015 05:30 PM, Martin Kosek wrote:
> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> I've tried to setup my IPA server to work on multiple domain env, for
>> the example, I have 20 instance/servers using mydomain.co.id then I have
>> another 10 instance/servers using mydomain.com, I want to manage both of
>> them on same IPA server.
> 
> This is fine. If the alternate domain contain the "_kerberos.domain.com" DNS
> TXT record with the ream, Kerberos client should be able to find the right IPA
> server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA
> versions add this record to owned DNS zones automatically.

The TXT record looks like this:

$ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw

.. some content skipped ..

$ORIGIN mydomain.com.
_kerberos   TXT "MYDOMAIN.CO.ID"
joyoboyoA   103.xx.yy.98
liquid  A   103.xx.yy.100

Should I change it? Or leave it as is?

And what if I set up a replica IPA server? Will mydomain.com be
distributed to the other, replicated IPA server?

Thanks



Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Martin Kosek
On 05/20/2015 12:38 PM, Dewangga Bachrul Alam wrote:
> Hello!
> 
> On 05/20/2015 05:30 PM, Martin Kosek wrote:
>> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
>>> Hello!
>>>
>>> I've tried to setup my IPA server to work on multiple domain env, for
>>> the example, I have 20 instance/servers using mydomain.co.id then I have
>>> another 10 instance/servers using mydomain.com, I want to manage both of
>>> them on same IPA server.
>>
>> This is fine. If the alternate domain contain the "_kerberos.domain.com" DNS
>> TXT record with the ream, Kerberos client should be able to find the right 
>> IPA
>> server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA
>> versions add this record to owned DNS zones automatically.
> 
> TXT record said like this :
> 
> $ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw
> 
> .. some content skipped ..
> 
> $ORIGIN mydomain.com.
> _kerberos TXT "MYDOMAIN.CO.ID"
> joyoboyo  A   103.xx.yy.98
> liquidA   103.xx.yy.100
> 
> Should I changes it? Or leave it as is?

If this is the alternate DNS domain (REALM != DNS domain name), this should be
fine and Kerberos client should be able to tell which KDC/realm is responsible
for this domain.

> And what if I setup replica IPA server, did mydomain.com will be
> distributed to another replicated IPA server?

Yup, all IPA data are replicated between masters.



Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Dewangga Bachrul Alam
Thanks Martin,

I'd better leave the configuration as is :D

So, if I want to add another domain, I just add it and point it to the master
IPA server, right? And add the DNS zone, A records, etc. on the IPA server using
`ipa dnsrecord-add`.

Is that right?



Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Martin Kosek
On 05/20/2015 12:56 PM, Dewangga Bachrul Alam wrote:
> Thanks Martin,
> 
> Better I leave the configuration as is :D
> 
> So, If I want to add another domain, I just add and point them to master
> IPA Server, right?

Right, after FreeIPA 3.2 (https://fedorahosted.org/freeipa/ticket/3544),
dnszone-add should be enough to generate the DNS record to solve the Kerberos 
side.

> And add DNS Zone, A Rec, etc on IPA server by using
> `ipa dnsrecord-add`.
> 
> Isn't it?

Should be.



Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Petr Spacek
On 20.5.2015 12:56, Dewangga Bachrul Alam wrote:
> Thanks Martin,
> 
> Better I leave the configuration as is :D
> 
> So, If I want to add another domain, I just add and point them to master
> IPA Server, right? And add DNS Zone, A Rec, etc on IPA server by using
> `ipa dnsrecord-add`.
> 
> Isn't it?

Yes, plus you have to add an NS record *to the parent zone* so all clients know
which servers are responsible for the new domain.

Petr^2 Spacek



Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Dewangga Bachrul Alam
Yes, of course.
I will add NS record to parent zone if my IPA server are ready for
production. :D

Thanks for any comments and help.
Cheers! :)



Re: [Freeipa-users] host usercertificate attribute

2015-05-20 Thread Natxo Asenjo
hi rob,

On Mon, May 18, 2015 at 3:46 PM, Rob Crittenden wrote:

> Natxo Asenjo wrote:
>
>> On Sat, May 16, 2015 at 10:24 PM, Natxo Asenjo wrote:
>>
>> hi,
>>
>> If I retrieve the usercertificate attribute for host objects I get
>> some gibberish.
>>
>> How can I decode the info I get from ldapsearch?
>>
>>
>> maybe there is a way to feed that to openssl. What I ended up doing was
>> using Perl and Crypt::X509 and I can see all the certificate elements.
>>
>
> They are DER-encoded files. Something like this will show the contents:
>
> $ openssl x509 -text -in /tmp/file
>

$ openssl x509 -text -in ldapsearch-usercertificate-ZWnfJL
unable to load certificate
139637925009264:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Apparently it misses some stuff.

As I wrote, I already got what I needed using perl, but maybe there are
other ways.

Thanks!
--
Groeten,
natxo

Re: [Freeipa-users] host usercertificate attribute

2015-05-20 Thread Rob Crittenden

Natxo Asenjo wrote:

hi rob,

On Mon, May 18, 2015 at 3:46 PM, Rob Crittenden wrote:

Natxo Asenjo wrote:

On Sat, May 16, 2015 at 10:24 PM, Natxo Asenjo wrote:

 hi,

 If I retrieve the usercertificate attribute for host
objects I get
 some gibberish.

 How can I decode the info I get from ldapsearch?


maybe there is a way to feed that to openssl. What I ended up
doing was
using Perl and Crypt::X509 and I can see all the certificate
elements.


They are DER-encoded files. Something like this will show the contents:

$ openssl x509 -text -in /tmp/file


$ openssl x509 -text -in ldapsearch-usercertificate-ZWnfJL
unable to load certificate
139637925009264:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Apparently it misses some stuff.


You could try adding -inform DER


As I wrote, I already got what I needed using perl, but maybe there are
other ways.


rob

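
The point of Rob's answer is that LDAP hands back the certificate as raw DER while openssl defaults to PEM, which is just the same bytes base64-encoded between BEGIN/END lines. ldapsearch already prints binary attribute values as base64 (after a double colon, folded with a leading space on continuation lines), so the LDIF output can be re-wrapped into PEM without touching openssl's -inform switch. The script below is an added example, not code from this thread or from FreeIPA; the LDIF sample is constructed and its payload is a tiny DER SEQUENCE rather than a real certificate, so that the example runs offline.

```python
"""Turn the usercertificate values in an ldapsearch LDIF dump into PEM.

Added example, not code from the thread or from FreeIPA. LDAP stores
usercertificate as raw DER; ldapsearch prints binary values base64-encoded
after a double colon ("attr:: ...") and folds long lines, marking each
continuation line with a leading space. PEM is the same base64 between
BEGIN/END markers, so the conversion is a re-wrap, not a re-encode.
"""
import base64
import textwrap

# Constructed sample: the payload is NOT a certificate, only a tiny DER
# SEQUENCE { INTEGER 1, INTEGER 2 } so the example runs offline. A real
# value is several hundred base64 characters folded over many lines.
FAKE_DER = bytes.fromhex("3006020101020102")
SAMPLE_LDIF = (
    "dn: fqdn=host1.example.com,cn=computers,cn=accounts,dc=example,dc=com\n"
    "usercertificate;binary:: MAYCAQ\n"
    " ECAQI=\n"
)


def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_usercertificates(ldif_text):
    """Return the DER bytes of every usercertificate value in the dump."""
    certs = []
    for line in unfold_ldif(ldif_text):
        attr, _, value = line.partition(":")
        if attr.split(";")[0].lower() != "usercertificate":
            continue
        if value.startswith(":"):            # "attr:: <base64>"
            certs.append(base64.b64decode(value[1:].strip()))
        else:                                # "attr: <raw>" (not expected for binary data)
            certs.append(value.strip().encode("latin-1"))
    return certs


def der_outer_length(blob):
    """Parse the outer DER header; return (header_len, content_len) or raise ValueError."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (a certificate starts with tag 0x30)")
    first = blob[1]
    if first < 0x80:                          # short-form length
        return 2, first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n, int.from_bytes(blob[2:2 + n], "big")


def is_complete_der(blob):
    """True when blob is exactly one DER SEQUENCE; False for PEM text or truncated data."""
    try:
        header, length = der_outer_length(blob)
    except ValueError:
        return False
    return header + length == len(blob)


def der_to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block that openssl reads without -inform DER."""
    if not is_complete_der(der):
        raise ValueError("input is not a complete DER object; is it already PEM?")
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem):
    """Inverse of der_to_pem: strip the armour and decode the base64 body."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


if __name__ == "__main__":
    for der in extract_usercertificates(SAMPLE_LDIF):
        print(der_to_pem(der), end="")
```

The DER length check is what distinguishes "wrong format" from "truncated value": openssl's "no start line" error above is the former, a base64 value cut off by a folding mistake would be the latter.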


Re: [Freeipa-users] host usercertificate attribute

2015-05-20 Thread Natxo Asenjo
hi Rob,

On Wed, May 20, 2015 at 2:08 PM, Rob Crittenden  wrote:

> You could try adding -inform DER
>

cool, that works ;-)

Thanks.

--
Groeten,
natxo

Re: [Freeipa-users] replication again :-(

2015-05-20 Thread thierry bordaz

On 05/20/2015 02:57 AM, Janelle wrote:

On 5/19/15 12:04 AM, thierry bordaz wrote:

On 05/19/2015 03:42 AM, Janelle wrote:

On 5/18/15 6:23 PM, Janelle wrote:
Once again, replication/sync has been lost. I really wish the 
product was more stable, it is so much potential and yet.


Servers running for 6 days no issues. No new accounts or changes 
(maybe a few users changing passwords) and again, 5 out of 16 
servers are no longer in sync.


I can test it easily by adding an account and then waiting a few 
minutes, then run "ipa  user-show --all username" on all the 
servers, and only a few of them have the account.  I have now 
waited 15 minutes, still no luck.


Oh well.. I guess I will go look at alternatives. I had such high 
hopes for this tool. Thanks so much everyone for all your help in 
trying to get things stable, but for whatever reason, there is a 
random loss of sync among the servers and obviously this is not 
acceptable.


regards
~J




All the replicas are happy again. I found these again:

unable to decode  {replica 16} 5535647200030010 5535647200030010
unable to decode  {replica 23} 5553e3a30017 555432430017
unable to decode  {replica 24} 554d53d30018 554d54a400020018

What I also found to be interesting is that I have not deleted any 
masters at all, so this was quite perplexing where the orphaned 
entries came from.  However I did find 3 of the replicas did not show 
complete RUV lists... While most of the replicas had a list of all 16 
servers, a couple of them listed only 4 or 5. (using 
ipa-replica-manage list-ruv)
I don't know about the orphaned entries. Did you get entries below 
deleted parents?


AFAIK all replicas are master and so have an entry {replica } in 
the RUV. We should expect all servers to have the same number of 
RUV elements (16, 4 or 5). The servers with 4 or 5 may be isolated so 
that they did not receive updates from those with 16 RUV elements.

would you copy/paste an example of RUV with 16 and with 4-5 ?



Once I re-initialized --from servers that showed the correct RUVS 
everyone is happy again. I have tested replication by creating and 
deleting accounts, changing group members and a few other things. 
Everything is working fine.  I have enabled additional logging.


Now we wait and when it happens again, hopefully we have something.


Yes, it will help :-)

thanks
thierry


thanks
~Janelle




Re: [Freeipa-users] replication again :-(

2015-05-20 Thread Janelle

On 5/20/15 12:54 AM, Ludwig Krispenz wrote:


On 05/20/2015 02:57 AM, Janelle wrote:

On 5/19/15 12:04 AM, thierry bordaz wrote:

On 05/19/2015 03:42 AM, Janelle wrote:

On 5/18/15 6:23 PM, Janelle wrote:
Once again, replication/sync has been lost. I really wish the 
product was more stable, it is so much potential and yet.


Servers running for 6 days no issues. No new accounts or changes 
(maybe a few users changing passwords) and again, 5 out of 16 
servers are no longer in sync.


I can test it easily by adding an account and then waiting a few 
minutes, then run "ipa  user-show --all username" on all the 
servers, and only a few of them have the account. I have now 
waited 15 minutes, still no luck.


Oh well.. I guess I will go look at alternatives. I had such high 
hopes for this tool. Thanks so much everyone for all your help in 
trying to get things stable, but for whatever reason, there is a 
random loss of sync among the servers and obviously this is not 
acceptable.


regards
~J




All the replicas are happy again. I found these again:

unable to decode  {replica 16} 5535647200030010 5535647200030010
unable to decode  {replica 23} 5553e3a30017 555432430017
unable to decode  {replica 24} 554d53d30018 554d54a400020018

What I also found to be interesting is that I have not deleted any 
masters at all, so this was quite perplexing where the orphaned 
entries came from.  However I did find 3 of the replicas did not show 
complete RUV lists... While most of the replicas had a list of all 16 
servers, a couple of them listed only 4 or 5. (using 
ipa-replica-manage list-ruv)
so this happens "out of the blue"? Did it happen at the same time, do 
you know when it started? The maxcsns in the ruv are quite old: r16: 
apr,21, r23: may,14 r24: may,9 could it be that there was no change 
applied to these masters for that time?



Indeed yes, that is a correct statement. It seems to be incredibly random.
Ok, I give up - how are you finding the date in the strings? And really, 
is May 14th that old?


What is odd about the Apr 21st one, is that if you see my previous 
emails, I had cleaned up all of this before, so for that to "re-appear" 
is indeed a mystery.


As of this morning, things remain clean. What will be funny, now that I 
had extended logging enabled, they know we are on to them, so the 
servers won't fail again. :-)


~J




Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Rob Crittenden

Sina Owolabi wrote:

Another key difference I noticed is that the problematic certs have
CA:IPA in them, while the working certs have CA:
dogtag-ipa-retrieve-agent-submit.


Ok, the full output is really helpful.

First an explanation of CA subsystem renewal.

CA clones are just that, exact clones of each other, which means they 
use the same subsystem certificates for OCSP, audit, etc. This also 
means that at renewal time they need to be renewed on only one master 
and then somehow shared with the other clones.


The initially-installed CA is designated as the renewal master by 
default. It configures certmonger to renew the CA subsystem certificates 
and put the new public cert into a shared area in IPA that will be 
replicated to the other masters.


The non-renewal masters are configured with a special CA, 
dogtag-ipa-retrieve-agent-submit, that looks in this shared area for an 
updated certificate and when available, it installs it.


So the issue is that it isn't seeing this updated certificate, hence 
CA_WORKING.


The CA_UNREACHABLE are due to the fact that the IPA RA agent certificate 
that IPA uses to talk to the CA expired on 04/29.


So the steps you need to take are:

1. Check your other CA masters and see if they have been renewed 
properly (getcert list will tell you, look for expiration in 2017).

2. If they have, see if the data was pushed to LDAP

$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com

See if there are certificate entries there. Check on multiple masters to 
see if there is a replication issue.


If the certs are there you can try restarting certmonger to kickstart 
the request.


rob

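
Rob's step 1 is a manual read of `getcert list`. On a CA master with a dozen tracked certificates that is tedious, and the symptoms named in this thread (a state other than MONITORING such as CA_WORKING or CA_UNREACHABLE, a stuck request, an expiry date in the past, and which certmonger CA helper the request goes through) are all visible in that output. The script below is an added example, not code from this thread or from certmonger/FreeIPA; the sample is constructed to follow the shape of `getcert list` output and its request ids, subjects and dates are made up.

```python
"""Triage `getcert list` output for the renewal symptoms described above
(CA_WORKING, CA_UNREACHABLE, expired subsystem or RA certificates).

Added example, not code from the thread or from certmonger/FreeIPA. The
sample is constructed to follow the shape of `getcert list` output (a
"Request ID" line followed by indented "field: value" lines); request ids,
subjects and dates are made up, and real output carries more fields.
"""
from datetime import datetime, timezone

SAMPLE_GETCERT = """\
Request ID '20150101000001':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-retrieve-agent-submit
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2017-04-29 10:00:00 UTC
Request ID '20150101000002':
\tstatus: CA_WORKING
\tstuck: no
\tCA: IPA
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.COM
\texpires: 2015-04-29 10:00:00 UTC
Request ID '20150101000003':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tCA: IPA
\tsubject: CN=IPA RA,O=EXAMPLE.COM
\texpires: 2015-04-29 10:00:00 UTC
"""

# Date of the thread, used as "now" so the sample is reproducible.
THREAD_DATE = datetime(2015, 5, 20, tzinfo=timezone.utc)


def parse_getcert(text):
    """Split getcert list output into one dict per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        if line.startswith("Request ID"):
            current = {"id": line.split("'")[1]}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def triage(requests, now):
    """Return (request id, finding) pairs: anything not quietly MONITORING,
    anything stuck, and anything whose certificate has already expired."""
    findings = []
    for r in requests:
        status = r.get("status", "")
        if status != "MONITORING":
            findings.append((r["id"], f"status {status}"))
        if r.get("stuck") == "yes":
            findings.append((r["id"], "request is stuck"))
        if "expires" in r and parse_expiry(r["expires"]) < now:
            findings.append((r["id"], "expired " + r["expires"]))
    return findings


def cas_in_use(requests):
    """Which certmonger CA helpers the requests go through. Per Rob's explanation,
    shared subsystem certs on a non-renewal master should use
    dogtag-ipa-retrieve-agent-submit."""
    return sorted({r["CA"] for r in requests if "CA" in r})


def triage_sample():
    return triage(parse_getcert(SAMPLE_GETCERT), THREAD_DATE)


if __name__ == "__main__":
    for req_id, finding in triage_sample():
        print(req_id, finding)
    print("CA helpers in use:", cas_in_use(parse_getcert(SAMPLE_GETCERT)))
```

Run against real output, pipe `getcert list` into the parser and pass `datetime.now(timezone.utc)` as `now`; a master that has renewed correctly should produce no findings and expiry dates in 2017.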


Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Rob Crittenden

Sanju A wrote:

Hi,

I am getting the following error while removing a host.

---
Certificate operation cannot be completed: Unable to communicate with
CMS (Not Found)
---


This usually means that the CA is not serving requests. It may be up 
and running but that doesn't mean the webapp is working.


This is often due to expired CA subsystem certificates. Run getcert list 
to check.


rob



Re: [Freeipa-users] replication again :-(

2015-05-20 Thread Janelle

On 5/20/15 6:01 AM, thierry bordaz wrote:

On 05/20/2015 02:57 AM, Janelle wrote:

On 5/19/15 12:04 AM, thierry bordaz wrote:

On 05/19/2015 03:42 AM, Janelle wrote:

On 5/18/15 6:23 PM, Janelle wrote:
Once again, replication/sync has been lost. I really wish the 
product was more stable, it is so much potential and yet.


Servers running for 6 days no issues. No new accounts or changes 
(maybe a few users changing passwords) and again, 5 out of 16 
servers are no longer in sync.


I can test it easily by adding an account and then waiting a few 
minutes, then run "ipa  user-show --all username" on all the 
servers, and only a few of them have the account. I have now 
waited 15 minutes, still no luck.


Oh well.. I guess I will go look at alternatives. I had such high 
hopes for this tool. Thanks so much everyone for all your help in 
trying to get things stable, but for whatever reason, there is a 
random loss of sync among the servers and obviously this is not 
acceptable.


regards
~J




All the replicas are happy again. I found these again:

unable to decode  {replica 16} 5535647200030010 5535647200030010
unable to decode  {replica 23} 5553e3a30017 555432430017
unable to decode  {replica 24} 554d53d30018 554d54a400020018

What I also found to be interesting is that I have not deleted any 
masters at all, so this was quite perplexing where the orphaned 
entries came from.  However I did find 3 of the replicas did not show 
complete RUV lists... While most of the replicas had a list of all 16 
servers, a couple of them listed only 4 or 5. (using 
ipa-replica-manage list-ruv)
I don't know about the orphaned entries. Did you get entries below 
deleted parents ?


AFAIK all replicas are master and so have an entry {replica } in 
the RUV. We should expect all servers to have the same number of 
RUV elements (16, 4 or 5). The servers with 4 or 5 may be isolated so 
that they did not receive updates from those with 16 RUV elements.

would you copy/paste an example of RUV with 16 and with 4-5 ?


Now, the steps to clear this were:

Removed the "unable to decode" with the direct ldapmodify's. This worked 
across all replicas, which was nice and did not have to be repeated in 
each one. In other words, entered on a single server, and it was removed 
on all.


re-initialized --from=good server on the ones with the short list.

Waited 5 minutes to let everything settle, then started running tests of 
adds/deletes which seemed to be just fine.


Here are 2 of the DCs

-
Node dc1-ipa1
-
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa4.example.com 389  4
-
Node dc1-ipa2
-
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa2.example.com 389  25
dc1-ipa3.example.com 389  8
dc1-ipa4.example.com 389  4
-
Node dc1-ipa3
-
dc3-ipa1.example.com 389  14
dc3-ipa2.example.com 389  13
dc3-ipa3.example.com 389  12
dc3-ipa4.example.com 389  11
dc2-ipa1.example.com 389  7
dc2-ipa2.example.com 389  6
dc2-ipa3.example.com 389  5
dc2-ipa4.example.com 389  3
dc4-ipa1.example.com 389  18
dc4-ipa2.example.com 389  19
dc4-ipa3.example.com 389  20
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa2.example.com 389  25
dc1-ipa2.example.com 389  9
dc1-ipa3.example.com 389  8
dc1-ipa4.example.com 389  4
unable to decode  {replica 16} 5535647200030010 5535647200030010
unable to decode  {replica 24} 554d53d30018 554d54a400020018
dc5-ipa1.example.com 389  26
dc5-ipa2.example.com 389  15
dc5-ipa3.example.com 389  17
-
Node dc1-ipa4
-
dc3-ipa1.example.com 389  14
dc3-ipa2.example.com 389  13
dc3-ipa3.example.com 389  12
dc3-ipa4.example.com 389  11
dc2-ipa1.example.com 389  7
dc2-ipa2.example.com 389  6
dc2-ipa3.example.com 389  5
dc2-ipa4.example.com 389  3
dc4-ipa1.example.com 389  18
dc4-ipa2.example.com 389  19
dc4-ipa3.example.com 389  20
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa2.example.com 389  25
dc1-ipa2.example.com 389  9
dc1-ipa3.example.com 389  8
dc1-ipa4.example.com 389  4
unable to decode  {replica 16} 5535647200030010 5535647200030010
unable to decode  {replica 24} 554d53d30018 554d54a400020018
dc5-ipa1.example.com 389  26
dc5-ipa2.example.com 389  15
dc5-ipa3.example.com 389  17
-
Node dc2-ipa1
-
dc3-ipa1.example.com 389  14
dc3-ipa2.example.com 389  13
dc3-ipa3.example.com 389  12
dc3-ipa4.example.com 389  11
dc2-ipa1.example.com 389  7
dc2-ipa2.example.com 389  6
dc2-ipa3.example.com 389  5
dc2-ipa4.example.com 389  3
dc4-ipa1.example.com 389  18
dc4-ipa2.example.com 389  19
dc4-ipa3.example.com 389  20
dc4-ipa4.example.com 389  21

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Sina Owolabi
Hi Rob

This is the only CA master. The one I cloned it from was decommissioned,
reinstalled and then  made to be a replica of this server.

Looks like I'm really stuck.  How do I export the data out so I can
reinstall from scratch, if possible? There are a lot of rules and
configuration data I'd really like to keep.

On Wed, May 20, 2015, 2:32 PM Rob Crittenden  wrote:

> Sina Owolabi wrote:
> > Another key difference I noticed is that the problematic certs have
> > CA:IPA in them, while the working certs have CA:
> > dogtag-ipa-retrieve-agent-submit.
>
> Ok, the full output is really helpful.
>
> First an explanation of CA subsystem renewal.
>
> CA clones are just that, exact clones of each other, which means they
> use the same subsystem certificates for OCSP, audit, etc. This also
> means that at renewal time they need to be renewed on only one master
> and then somehow shared with the other clones.
>
> The initially-installed CA is designated as the renewal master by
> default. It configures certmonger to renew the CA subsystem certificates
> and put the new public cert into a shared area in IPA that will be
> replicated to the other masters.
>
> The non-renewal masters are configured with a special CA,
> dogtag-ipa-retrieve-agent-submit, that looks in this shared area for an
> updated certificate and when available, it installs it.
>
> So the issue is that it isn't seeing this updated certificate, hence
> CA_WORKING.
>
> The CA_UNREACHABLE are due to the fact that the IPA RA agent certificate
> that IPA uses to talk to the CA expired on 04/29.
>
> So the steps you need to take are:
>
> 1. Check your other CA masters and see if they have been renewed
> properly (getcert list will tell you, look for expiration in 2017).
> 2. If they have, see if the data was pushed to LDAP
>
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
>
> See if there are certificate entries there. Check on multiple masters to
> see if there is a replication issue.
>
> If the certs are there you can try restarting certmonger to kickstart
> the request.
>
> rob
>
>

Re: [Freeipa-users] replication again :-(

2015-05-20 Thread Ludwig Krispenz


On 05/20/2015 03:25 PM, Janelle wrote:

On 5/20/15 12:54 AM, Ludwig Krispenz wrote:


On 05/20/2015 02:57 AM, Janelle wrote:

On 5/19/15 12:04 AM, thierry bordaz wrote:

On 05/19/2015 03:42 AM, Janelle wrote:

On 5/18/15 6:23 PM, Janelle wrote:
Once again, replication/sync has been lost. I really wish the 
product was more stable, it is so much potential and yet.


Servers running for 6 days no issues. No new accounts or changes 
(maybe a few users changing passwords) and again, 5 out of 16 
servers are no longer in sync.


I can test it easily by adding an account and then waiting a few 
minutes, then run "ipa  user-show --all username" on all the 
servers, and only a few of them have the account.  I have now 
waited 15 minutes, still no luck.


Oh well.. I guess I will go look at alternatives. I had such high 
hopes for this tool. Thanks so much everyone for all your help in 
trying to get things stable, but for whatever reason, there is a 
random loss of sync among the servers and obviously this is not 
acceptable.


regards
~J




All the replicas are happy again. I found these again:

unable to decode  {replica 16} 5535647200030010 5535647200030010
unable to decode  {replica 23} 5553e3a30017 555432430017
unable to decode  {replica 24} 554d53d30018 554d54a400020018

What I also found to be interesting is that I have not deleted any 
masters at all, so this was quite perplexing where the orphaned 
entries came from.  However I did find 3 of the replicas did not 
show complete RUV lists... While most of the replicas had a list of 
all 16 servers, a couple of them listed only 4 or 5. (using 
ipa-replica-manage list-ruv)
so this happens "out of the blue"? Did it happen at the same time, 
do you know when it started? The maxcsns in the ruv are quite old: 
r16: apr,21, r23: may,14 r24: may,9 could it be that there was no 
change applied to these masters for that time?


Indeed yes, that is a correct statement. It seems to be incredibly 
random.
Ok, I give up - how are you finding the date in the strings? And 
really, is May 14th that old?

5535647200030010 is a CSN (ChangeSequenceNumber), it is built of

hextimestamp: 55356472
sequence number: 0003  (numbering of csns generated within the second of 
the time stamp)

replica id: 0010 (==16) replica, where the change was received
subsequence number:  used internally if a mod consists of several 
sub-mods


May. 14 is not old, but would mean that there was no change on that 
replica for a couple of days




What is odd about the Apr 21st one, is that if you see my previous 
emails, I had cleaned up all of this before, so for that to 
"re-appear" is indeed a mystery.


As of this morning, things remain clean. What will be funny, now that 
I had extended logging enabled, they know we are on to them, so the 
servers won't fail again. :-)


~J







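
Ludwig's field breakdown is enough to script the "how old is this maxcsn" question Janelle asked. The script below is an added example, not code from this thread or from 389-ds; it follows the layout he gives (8 hex digits of Unix time, then 4 each of sequence number, replica id and subsequence number). The CSNs as quoted in this thread are 16 digits with the subsequence field absent, so 16-digit input is accepted with subsequence 0, and the 12-digit values are reported as undecodable rather than guessed at. The thread date is used as "now" so the sample is reproducible.

```python
"""Decode 389-ds replication CSNs and age the maxcsn of each RUV element.

Added example, not code from the thread or from 389-ds. Field layout as
Ludwig describes it: 8 hex digits of Unix time, 4 of sequence number,
4 of replica id, 4 of subsequence number, 20 hex digits in all. The
values quoted in the thread are 16 digits with the subsequence field
absent, so 16-digit input is accepted with subsequence 0; anything else
is reported as undecodable rather than guessed at.
"""
import re
from datetime import datetime, timezone

# Constructed from the "unable to decode" lines quoted above.
SAMPLE_RUV_LINES = """\
unable to decode  {replica 16} 5535647200030010 5535647200030010
unable to decode  {replica 23} 5553e3a30017 555432430017
unable to decode  {replica 24} 554d53d30018 554d54a400020018
"""
THREAD_DATE = datetime(2015, 5, 20, tzinfo=timezone.utc)
RUV_LINE = re.compile(r"\{replica (\d+)\}\s+(\S+)\s+(\S+)")


def parse_csn(csn):
    """Split a CSN into its fields; raise ValueError if it cannot be decoded."""
    csn = csn.strip().lower()
    if len(csn) == 16:
        csn += "0000"                     # subsequence number missing, as in the thread
    if len(csn) != 20 or any(c not in "0123456789abcdef" for c in csn):
        raise ValueError(f"cannot decode CSN {csn!r}: need 16 or 20 hex digits")
    ts = int(csn[0:8], 16)
    return {
        "timestamp": ts,
        "time_utc": datetime.fromtimestamp(ts, tz=timezone.utc),
        "seqnum": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseqnum": int(csn[16:20], 16),
    }


def age_ruv_elements(lines, now):
    """Return (ages, undecodable): days since each replica's maxcsn, and the
    replica ids whose CSNs could not be parsed or belong to another replica."""
    ages, undecodable = {}, []
    for line in lines.splitlines():
        m = RUV_LINE.search(line)
        if not m:
            continue
        rid = int(m.group(1))
        try:
            maxcsn = parse_csn(m.group(3))
        except ValueError:
            undecodable.append(rid)
            continue
        if maxcsn["rid"] != rid:
            undecodable.append(rid)       # the CSN was not generated by this replica
            continue
        ages[rid] = (now - maxcsn["time_utc"]).days
    return ages, undecodable


def stale_replicas(lines, now, max_age_days=7):
    """Replica ids that have not produced a change in more than max_age_days."""
    ages, _ = age_ruv_elements(lines, now)
    return sorted(rid for rid, days in ages.items() if days > max_age_days)


if __name__ == "__main__":
    ages, bad = age_ruv_elements(SAMPLE_RUV_LINES, THREAD_DATE)
    for rid, days in sorted(ages.items()):
        print(f"replica {rid}: last change {days} days before {THREAD_DATE:%Y-%m-%d}")
    print("undecodable:", bad)
```

Times come out in UTC; Ludwig's "apr,21" and "may,14" are the same timestamps read in a local time zone.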

Re: [Freeipa-users] confused by ldapsearch results

2015-05-20 Thread Boyce, George Robert. (GSFC-762.0)[NICS]
<<
This worked for me:

$ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=cm
"(|(uid=admin)(name=admin))" dn
SASL/GSSAPI authentication started
SASL username: ad...@example.com
SASL SSF: 56
SASL data security layer installed.
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com

Note that cn is Common Name which is set to the user's full name, in this case 
likely "George Boyce". So that will never match gboyce.

Rob
>>

Rob,

Thanks for your example, it had me test my ldap bind which narrows the problem 
and gives me a workaround.

I used cn=gboyce to pull my group record, so I expected my test to return two 
records for my account and my group. And it does when I authenticate as admin 
as in your test. So the problem is isolated to when I use a dedicated search 
account. I missed this note on setting up system accounts:

<<
Note: IPA 4.0 is going to change the default stance on data from nearly 
everything is readable to nothing is readable, by default. You will eventually 
need to add some Access Control Instructions (ACI's) to grant read access to 
the parts of the LDAP tree you will need.
>>

Looks like I need to do just that. :-) 

Still the behavior of returning nothing by adding an extra false term, or 
returning one entry when each of the terms each returns a unique entry, seems 
wrong. It does return two entries when both are in the same subtree.

###
### everything ok when using admin... two records, one from users, one from 
groups
###
# ldapsearch -Y GSSAPI -b "dc=..." "(|(uid=admin)(cn=gboyce))" dn
SASL/GSSAPI authentication started
SASL username: admin@...
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (|(uid=admin)(cn=gboyce))
# requesting: dn
#

# admin, users, accounts, ...
dn: uid=admin,cn=users,cn=accounts,dc=...

# gboyce, groups, accounts, ...
dn: cn=gboyce,cn=groups,cn=accounts,dc=...

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

##

###
### system account (without ACLs) returns simple queries, but not correct 
results for compound queries in different subtrees
###

###
### different subtrees fails...
###
# ldapsearch -x  -D "uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=..." -w "..." -b 
"dc=..." "(|(uid=admin)(cn=gboyce))" dn 

  
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (|(uid=admin)(cn=gboyce))
# requesting: dn
#

# admin, users, accounts, ...
dn: uid=admin,cn=users,cn=accounts,dc=...

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

###
### same subtree works...
###
# l "(|(cn=admins)(cn=gboyce))" dn
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (|(cn=admins)(cn=gboyce))
# requesting: dn
#

# admins, groups, accounts, ...
dn: cn=admins,cn=groups,cn=accounts,dc=...

# gboyce, groups, accounts, ...
dn: cn=gboyce,cn=groups,cn=accounts,dc=...

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

###
### valid filter from above with extra false term...
###
# l "(|(cn=admins)(cn=gboyce)(name=foobar))" dn
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (|(cn=admins)(cn=gboyce)(name=foobar))
# requesting: dn
#

# search result
search: 2
result: 0 Success

# numResponses: 1




Re: [Freeipa-users] replication again :-(

2015-05-20 Thread thierry bordaz

On 05/20/2015 03:46 PM, Janelle wrote:

On 5/20/15 6:01 AM, thierry bordaz wrote:

On 05/20/2015 02:57 AM, Janelle wrote:

On 5/19/15 12:04 AM, thierry bordaz wrote:

On 05/19/2015 03:42 AM, Janelle wrote:

On 5/18/15 6:23 PM, Janelle wrote:
Once again, replication/sync has been lost. I really wish the 
product was more stable, it is so much potential and yet.


Servers running for 6 days no issues. No new accounts or changes 
(maybe a few users changing passwords) and again, 5 out of 16 
servers are no longer in sync.


I can test it easily by adding an account and then waiting a few 
minutes, then run "ipa  user-show --all username" on all the 
servers, and only a few of them have the account.  I have now 
waited 15 minutes, still no luck.


Oh well.. I guess I will go look at alternatives. I had such high 
hopes for this tool. Thanks so much everyone for all your help in 
trying to get things stable, but for whatever reason, there is a 
random loss of sync among the servers and obviously this is not 
acceptable.


regards
~J




All the replicas are happy again. I found these again:

unable to decode  {replica 16} 5535647200030010 5535647200030010
unable to decode  {replica 23} 5553e3a30017 555432430017
unable to decode  {replica 24} 554d53d30018 554d54a400020018

What I also found to be interesting is that I have not deleted any 
masters at all, so this was quite perplexing where the orphaned 
entries came from.  However I did find 3 of the replicas did not 
show complete RUV lists... While most of the replicas had a list of 
all 16 servers, a couple of them listed only 4 or 5. (using 
ipa-replica-manage list-ruv)
I don't know about the orphaned entries. Did you get entries below 
deleted parents ?


AFAIK all replicas are master and so have an entry {replica } in 
the RUV. We should expect all servers to have the same number of 
RUV elements (16, 4 or 5). The servers with 4 or 5 may be isolated so 
that they did not receive updates from those with 16 RUV elements.

would you copy/paste an example of RUV with 16 and with 4-5 ?


Now, the steps to clear this were:

Removed the "unable to decode" with the direct ldapmodify's. This 
worked across all replicas, which was nice and did not have to be 
repeated in each one. In other words, entered on a single server, and 
it was removed on all.

Hello,

Did you do direct ldapmodify onto the RUV entry 
(nsuniqueid=---,SUFFIX), clean RUV?


dc1-ipa1 and dc1-ipa2 are missing some RUVelement. If you do  an update 
on dc3-ipa1, is it replicated to dc1-ipa[12] ?


Also there are duplicated RID (9, 25) for dc1-ipa2.example.com:389. You 
may see some messages like 'attrlist_replace' in some error logs.

25 seems to be the new RID.

thanks
thierry



re-initialized --from=good server on the ones with the short list.

Waited 5 minutes to let everything settle, then started running tests 
of adds/deletes which seemed to be just fine.


Here are 2 of the DCs

-
Node dc1-ipa1
-
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa4.example.com 389  4
-
Node dc1-ipa2
-
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa2.example.com 389  25
dc1-ipa3.example.com 389  8
dc1-ipa4.example.com 389  4
-
Node dc1-ipa3
-
dc3-ipa1.example.com 389  14
dc3-ipa2.example.com 389  13
dc3-ipa3.example.com 389  12
dc3-ipa4.example.com 389  11
dc2-ipa1.example.com 389  7
dc2-ipa2.example.com 389  6
dc2-ipa3.example.com 389  5
dc2-ipa4.example.com 389  3
dc4-ipa1.example.com 389  18
dc4-ipa2.example.com 389  19
dc4-ipa3.example.com 389  20
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa2.example.com 389  25
dc1-ipa2.example.com 389  9
dc1-ipa3.example.com 389  8
dc1-ipa4.example.com 389  4
unable to decode  {replica 16} 5535647200030010 5535647200030010
unable to decode  {replica 24} 554d53d30018 554d54a400020018
dc5-ipa1.example.com 389  26
dc5-ipa2.example.com 389  15
dc5-ipa3.example.com 389  17
-
Node dc1-ipa4
-
dc3-ipa1.example.com 389  14
dc3-ipa2.example.com 389  13
dc3-ipa3.example.com 389  12
dc3-ipa4.example.com 389  11
dc2-ipa1.example.com 389  7
dc2-ipa2.example.com 389  6
dc2-ipa3.example.com 389  5
dc2-ipa4.example.com 389  3
dc4-ipa1.example.com 389  18
dc4-ipa2.example.com 389  19
dc4-ipa3.example.com 389  20
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa2.example.com 389  25
dc1-ipa2.example.com 389  9
dc1-ipa3.example.com 389  8
dc1-ipa4.example.com 389  4
unable to decode  {replica 16} 5535647200030010 5535647200030010
unable to decode  {replica 24} 554d53d30018 554d54a400020018
dc5-ipa1.example.com 389  26
dc5-ipa2.exam
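
Thierry's two observations (dc1-ipa1 and dc1-ipa2 are missing RUV elements, and dc1-ipa2.example.com:389 appears under two RIDs, 9 and 25) are the kind of cross-node comparison that is easy to miss when reading sixteen listings by eye. The script below is an added example, not code from this thread or from FreeIPA; it parses `ipa-replica-manage list-ruv` output in the shape Janelle pasted and reports duplicate RIDs, elements a node lacks that other nodes know about, and orphaned "unable to decode" elements. The sample is a constructed subset of her listing.

```python
"""Cross-check `ipa-replica-manage list-ruv` output across nodes.

Added example, not code from the thread or from FreeIPA. It reads the
per-node listing in the shape pasted above ("Node <name>" headers, then
"<host> <port> <replica id>" lines, with "unable to decode {replica N}"
lines for orphaned RUV elements) and reports the problems raised in this
thread: a host carrying two replica ids, nodes whose RUV is missing
elements other nodes know about, and orphaned elements.
"""
import re
from collections import defaultdict

# Constructed subset of the listing quoted above.
SAMPLE_LIST_RUV = """\
-
Node dc1-ipa1
-
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa4.example.com 389  4
-
Node dc1-ipa2
-
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa2.example.com 389  25
dc1-ipa3.example.com 389  8
dc1-ipa4.example.com 389  4
-
Node dc1-ipa3
-
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa2.example.com 389  25
dc1-ipa2.example.com 389  9
dc1-ipa3.example.com 389  8
dc1-ipa4.example.com 389  4
unable to decode  {replica 16} 5535647200030010 5535647200030010
"""

UNDECODABLE = re.compile(r"unable to decode\s+\{replica (\d+)\}")


def parse_list_ruv(text):
    """Return {node: {"elements": [(host:port, rid), ...], "undecodable": [rid, ...]}}."""
    report, node = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue
        if line.startswith("Node "):
            node = line.split(None, 1)[1]
            report[node] = {"elements": [], "undecodable": []}
            continue
        if node is None:
            continue                      # text before the first Node header
        m = UNDECODABLE.search(line)
        if m:
            report[node]["undecodable"].append(int(m.group(1)))
            continue
        host, port, rid = line.split()
        report[node]["elements"].append((f"{host}:{port}", int(rid)))
    return report


def duplicate_rids(report):
    """Hosts that appear under more than one replica id anywhere in the topology."""
    seen = defaultdict(set)
    for data in report.values():
        for host, rid in data["elements"]:
            seen[host].add(rid)
    return {host: sorted(rids) for host, rids in seen.items() if len(rids) > 1}


def missing_elements(report):
    """Per node, replica ids present in some other node's RUV but absent from its own."""
    known = {rid for data in report.values() for _, rid in data["elements"]}
    return {node: sorted(known - {rid for _, rid in data["elements"]})
            for node, data in report.items()}


def orphan_rids(report):
    """Per node, the replica ids of the 'unable to decode' (orphaned) RUV elements."""
    return {node: sorted(data["undecodable"])
            for node, data in report.items() if data["undecodable"]}


if __name__ == "__main__":
    rep = parse_list_ruv(SAMPLE_LIST_RUV)
    print("duplicate RIDs:", duplicate_rids(rep))
    print("missing elements:", missing_elements(rep))
    print("orphaned elements:", orphan_rids(rep))
```

A node with a long missing-elements list is the one to re-initialize from a complete peer, and a host with two RIDs is where to look for the 'attrlist_replace' messages Thierry mentions.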

Re: [Freeipa-users] replication again :-(

2015-05-20 Thread Mark Reynolds



On 05/20/2015 10:17 AM, thierry bordaz wrote:

On 05/20/2015 03:46 PM, Janelle wrote:

On 5/20/15 6:01 AM, thierry bordaz wrote:

On 05/20/2015 02:57 AM, Janelle wrote:

On 5/19/15 12:04 AM, thierry bordaz wrote:

On 05/19/2015 03:42 AM, Janelle wrote:

On 5/18/15 6:23 PM, Janelle wrote:
Once again, replication/sync has been lost. I really wish the 
product was more stable, it is so much potential and yet.


Servers running for 6 days no issues. No new accounts or changes 
(maybe a few users changing passwords) and again, 5 out of 16 
servers are no longer in sync.


I can test it easily by adding an account and then waiting a few 
minutes, then run "ipa  user-show --all username" on all the 
servers, and only a few of them have the account.  I have now 
waited 15 minutes, still no luck.


Oh well.. I guess I will go look at alternatives. I had such 
high hopes for this tool. Thanks so much everyone for all your 
help in trying to get things stable, but for whatever reason, 
there is a random loss of sync among the servers and obviously 
this is not acceptable.


regards
~J




All the replicas are happy again. I found these again:

unable to decode  {replica 16} 5535647200030010 5535647200030010
unable to decode  {replica 23} 5553e3a30017 555432430017
unable to decode  {replica 24} 554d53d30018 554d54a400020018


What I also found to be interesting is that I have not deleted any 
masters at all, so this was quite perplexing where the orphaned 
entries came from.  However I did find 3 of the replicas did not 
show complete RUV lists... While most of the replicas had a list of 
all 16 servers, a couple of them listed only 4 or 5. (using 
ipa-replica-manage list-ruv)
I don't know about the orphaned entries. Did you get entries below 
deleted parents ?


AFAIK all replicas are master and so have an entry {replica } 
in the RUV. We should expect all servers to have the same number of 
RUV elements (16, 4 or 5). The servers with 4 or 5 may be isolated so 
that they did not receive updates from those with 16 RUV elements.

would you copy/paste an example of RUV with 16 and with 4-5 ?


Now, the steps to clear this were:

Removed the "unable to decode" with the direct ldapmodify's. This 
worked across all replicas, which was nice and did not have to be 
repeated in each one. In other words, entered on a single server, and 
it was removed on all.

Hello,

Did you do direct ldapmodify onto the RUV entry 
(nsuniqueid=---,SUFFIX), clean RUV?

Thierry,

Janelle just manually added a cleanallruv task (that I had recommended 
the other week).


Mark


dc1-ipa1 and dc1-ipa2 are missing some RUVelement. If you do  an 
update on dc3-ipa1, is it replicated to dc1-ipa[12] ?


Also there are duplicated RID (9, 25) for dc1-ipa2.example.com:389. 
You may see some messages like 'attrlist_replace' in some error logs.

25 seems to be the new RID.

thanks
thierry



re-initialized --from=good server on the ones with the short list.

Waited 5 minutes to let everything settle, then started running tests 
of adds/deletes which seemed to be just fine.


Here are 2 of the DCs

-
Node dc1-ipa1
-
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa4.example.com 389  4
-
Node dc1-ipa2
-
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa2.example.com 389  25
dc1-ipa3.example.com 389  8
dc1-ipa4.example.com 389  4
-
Node dc1-ipa3
-
dc3-ipa1.example.com 389  14
dc3-ipa2.example.com 389  13
dc3-ipa3.example.com 389  12
dc3-ipa4.example.com 389  11
dc2-ipa1.example.com 389  7
dc2-ipa2.example.com 389  6
dc2-ipa3.example.com 389  5
dc2-ipa4.example.com 389  3
dc4-ipa1.example.com 389  18
dc4-ipa2.example.com 389  19
dc4-ipa3.example.com 389  20
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa2.example.com 389  25
dc1-ipa2.example.com 389  9
dc1-ipa3.example.com 389  8
dc1-ipa4.example.com 389  4
unable to decode  {replica 16} 5535647200030010 5535647200030010
unable to decode  {replica 24} 554d53d30018 554d54a400020018
dc5-ipa1.example.com 389  26
dc5-ipa2.example.com 389  15
dc5-ipa3.example.com 389  17
-
Node dc1-ipa4
-
dc3-ipa1.example.com 389  14
dc3-ipa2.example.com 389  13
dc3-ipa3.example.com 389  12
dc3-ipa4.example.com 389  11
dc2-ipa1.example.com 389  7
dc2-ipa2.example.com 389  6
dc2-ipa3.example.com 389  5
dc2-ipa4.example.com 389  3
dc4-ipa1.example.com 389  18
dc4-ipa2.example.com 389  19
dc4-ipa3.example.com 389  20
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa2.example.com 389  25
dc1-ipa2.example.com 389  9
dc1-ipa3.example.com 389  8
dc1-ipa4.example.com 389  4
unable to decode  {replica 1

[Freeipa-users] Running pki commands on fresh IPA server -- authentication

2015-05-20 Thread Jan Pazdziora

Hello,

TL;DR: how should I authenticate for pki command line commands on
stock IPA installation?

Longer context: I try to setup new IPA server (1) with --external-ca
and I'd like to sign the CSR which gets generated on IPA 1 using
CA at my other IPA server (2).

The CSR as produced by IPA 1 is for

Subject: O=SUB.EXAMPLE.TEST, CN=Certificate Authority
Requested Extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Certificate Sign, CRL Sign

Jan Ch. hints that I cannot use ipa cert-request because the certificate
request does not have hostname CN and besides, IPA and ipa command only
support server certificates and here I am attempting to create CA
certificate.

Hence my understanding is I need to use Dogtag directly and I'd like
to use the pki commands. I believe I need to start by getting the XML
template -- I've used

pki cert-request-profile-show caInstallCACert --output template

Then I took the Base64 content of the /root/ipa.csr from IPA 2, put it
to  child element of

/CertEnrollmentRequest/Input[@id="11"]/Attribute[@name="cert_request"]

and attempted to run

# pki cert-request-submit template 
UnauthorizedException: AuthCredentials.set()

Reading man pki(1) suggests I should authenticate using certificate
nickname, and reading other documentation suggests that using
ca-agent's certificate could be a good option. So I do

# openssl pkcs12 -out /root/ca-agent.pem < /root/ca-agent.p12
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
# pki -n ca-agent client-cert-import --cert /root/ca-agent.pem
---
Imported certificate "ca-agent"
---
# pki -n ca-agent cert-request-submit template
WARNING: UNTRUSTED ISSUER encountered on 
'CN=ipa.example.test,O=EXAMPLE.TEST' indicates a non-trusted CA cert 
'CN=Certificate Authority,O=EXAMPLE.TEST'
Import CA certificate (Y/n)? n
ClientResponseFailure: Error status 401 Unauthorized returned

Even if I allow that CA certificate to be imported, the result is
the same:

Import CA certificate (Y/n)? 
CA server URI [http://mgmt9.rhq.lab.eng.bos.redhat.com:8080/ca]: 
ClientResponseFailure: Error status 401 Unauthorized returned

What am I doing wrong? This is with ipa-server-4.1.0-18.el7.x86_64
and pki-server-10.1.2-7.el7.noarch.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] Updates refused when trying to do dynamic DNS updates with TSIG

2015-05-20 Thread Brian Koontz
Running FreeIPA 4.1.4, Fedora 21.  Trying to get dynamic DNS updates on
clients to work following these instructions:

http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG

(Using GSS-TSIG isn't an option because I have no way of authenticating
every time a client IP changes.)

I've reread the instructions several times, but each time I get "update
failed: REFUSED".  Logs aren't showing anything useful other than the query
is being refused.  Is this document missing an important step?  (I saw no
need to create a DNS/ service as there should be no krb5 authentication
involved here...)

  --Brian

--
Brian Koontz
IT Support
Project Vote Smart

Re: [Freeipa-users] Proper configuration of service accounts

2015-05-20 Thread Boyce, George Robert. (GSFC-762.0)[NICS]
<<
If you want to add special ACIs using the new/updated permission API (ipa
permission-add), I would suggest the following procedure:

1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71
2) Add the new permissions you want to add, make them a member of a (new)
privilege.
3) Create a new role, make the new/updated privileges members of that role
4) Use ldapmodify to make the system account DN member of that role (you just
add a new member attribute value)
5) Profit - you should be now able to control permissions to your system
account with FreeIPA CLI/UI
>>

On step 4 to add the sysaccounts user to the role, I get an error:

# cat sysaccount-LDAPsearch-add-role-2.ldif
dn: cn=A and A,cn=roles,cn=accounts,dc=...
changetype: modify
add: member
member: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=...

# ldapmodify -Y GSSAPI -f sysaccount-LDAPsearch-add-role-2.ldif
SASL/GSSAPI authentication started
SASL username: admin@...
SASL SSF: 56
SASL data security layer installed.
modifying entry "cn=A and A,cn=roles,cn=accounts,dc=..."
ldap_modify: Object class violation (65)

Same thing if I use Directory Manager. I was able to add a normal user to the 
role, using both the GUI and ldapmodify.

# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112

# cat /etc/centos-release
CentOS Linux release 7.1.1503 (Core)

George Boyce, SAIC/NICS
GCC Systems Support
NASA GSFC Code 762


Re: [Freeipa-users] Proper configuration of service accounts

2015-05-20 Thread Rob Crittenden

Boyce, George Robert. (GSFC-762.0)[NICS] wrote:

<<
If you want to add special ACIs using the new/updated permission API (ipa
permission-add), I would suggest the following procedure:

1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71
2) Add the new permissions you want to add, make them a member of a (new)
privilege.
3) Create a new role, make the new/updated privileges members of that role
4) Use ldapmodify to make the system account DN member of that role (you
just add a new member attribute value)
5) Profit - you should be now able to control permissions to your system
account with FreeIPA CLI/UI
 >>

On step 4 to add the sysaccounts user to the role, I get an error:

# cat sysaccount-LDAPsearch-add-role-2.ldif
dn: cn=A and A,cn=roles,cn=accounts,dc=…
changetype: modify
add: member
member: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=…

# ldapmodify -Y GSSAPI -f sysaccount-LDAPsearch-add-role-2.ldif
SASL/GSSAPI authentication started
SASL username: admin@...
SASL SSF: 56
SASL data security layer installed.
modifying entry "cn=A and A,cn=roles,cn=accounts,dc=…"
ldap_modify: Object class violation (65)

Same thing if I use Directory Manager. I was able to add a normal user
to the role, using both the GUI and ldapmodify.


Try adding the inetUser objectclass to your system account. You're 
probably lacking memberOf.



# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112

# cat /etc/centos-release
CentOS Linux release 7.1.1503 (Core)

George Boyce, SAIC/NICS
GCC Systems Support
NASA GSFC Code 762


I was in Code 500 many moons ago, Center Network Environment (CNE).

rob



Re: [Freeipa-users] Proper configuration of service accounts

2015-05-20 Thread Boyce, George Robert. (GSFC-762.0)[NICS]
I forgot to describe the system account that I created. I followed the 
procedure at https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

# LDAPsearch, sysaccounts, etc, ...
dn: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=...
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: LDAPsearch

What do I need to change to be able to add this account as a member to a given 
role? To avoid this:

modifying entry "cn=A and A,cn=roles,cn=accounts,dc=..."
ldap_modify: Object class violation (65)

George Boyce, SAIC/NICS
GCC Systems Support
NASA GSFC Code 762

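Rob's diagnosis above is that the sysaccount entry George posted has no object class that permits memberOf, which is what the role's membership machinery has to write onto the member. The following is an added example (not code from FreeIPA or from either post): it parses an LDIF entry of that shape, reports whether the entry can be made a role member, and emits the ldapmodify input that adds inetUser when it cannot. The dc=example,dc=com suffix and the uid are constructed stand-ins for the values elided as "dc=..." in the thread.

```python
"""Pre-flight check for adding a system account to an IPA role."""
# Added example; not code from FreeIPA or from the posts above. It parses an
# LDIF entry like George's sysaccount, checks whether one of its object
# classes allows the memberOf attribute (Rob's diagnosis), and emits the
# ldapmodify input that adds inetUser when none does. The dc=example,dc=com
# suffix is a constructed stand-in for the "dc=..." elided in the thread.

# Object classes in the 389-ds/IPA schema whose MAY list includes memberOf.
# Role membership writes memberOf onto the member entry, so, as Rob
# suggests, an entry lacking all of these is a likely cause of the
# "Object class violation" George sees.
MEMBEROF_CAPABLE = {"inetuser"}

# Constructed sample, modelled on the sysaccount entry quoted in the thread.
SAMPLE_ENTRY = """\
# LDAPsearch, sysaccounts, etc, example.com
dn: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: LDAPsearch
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lowercased): [values]}.

    Skips comment lines and unfolds continuation lines (a leading space).
    Base64 ("::") values are not needed for this entry and are not decoded.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def can_join_role(entry):
    """True when the entry's object classes permit memberOf."""
    classes = {oc.lower() for oc in entry.get("objectclass", [])}
    return bool(classes & MEMBEROF_CAPABLE)


def role_membership_fix_ldif(entry):
    """ldapmodify input that adds inetUser, or '' when no change is needed."""
    if can_join_role(entry):
        return ""
    return ("dn: %s\nchangetype: modify\nadd: objectClass\n"
            "objectClass: inetUser\n" % entry["dn"][0])


def with_added_value(entry, attr, value):
    """Copy of entry with one more attribute value (simulates applying the modify)."""
    updated = {k: list(v) for k, v in entry.items()}
    updated.setdefault(attr.lower(), []).append(value)
    return updated


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_ENTRY)
    print("can join role:", can_join_role(entry))
    print(role_membership_fix_ldif(entry), end="")
```

Feed the script the output of an `ldapsearch -LLL` for the sysaccount (as in the post) and apply the printed LDIF with `ldapmodify` before retrying the role membership change; the check is deliberately limited to the one object class Rob names rather than a full schema lookup.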

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Rob Crittenden

Sina Owolabi wrote:

Hi Rob

This is the only CA master. The one I cloned it from was
decommissioned, reinstalled and then made to be a replica of this server.

Looks like I'm really stuck.  How do I export the data out so I can
reinstall from scratch, if possible? There are a lot of rules and
configuration data I'd really like to keep.


So in this case you have no master managing the renewal.

Take a look at 
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0 
starting at the step "Reconfigure a CA as the new master"


Since at least one certificate has expired you'll need to go back in 
time to get this working. Be sure to restart IPA after going back to 
ensure that the CA is up.


You'll eventually want to do the CRL changes as well.

rob




On Wed, May 20, 2015, 2:32 PM Rob Crittenden wrote:

Sina Owolabi wrote:
 > Another key difference I noticed is that the problematic certs have
 > CA:IPA in them, while the working certs have CA:
 > dogtag-ipa-retrieve-agent-submit.

Ok, the full output is really helpful.

First an explanation of CA subsystem renewal.

CA clones are just that, exact clones of each other, which means they
use the same subsystem certificates for OCSP, audit, etc. This also
means that at renewal time they need to be renewed on only one master
and then somehow shared with the ohter clones.

The initially-installed CA is designated as the renewal master by
default. It configures certmonger to renew the CA subsystem certificates
and put the new public cert into a shared area in IPA that will be
replicated to the other masters.

The non-renewal masters are configured with a special CA,
dogtag-ipa-retrieve-agent-submit, that looks in this shared area for an
updated certificate and when available, it installs it.

So the issue is that it isn't seeing this updated certificate, hence
CA_WORKING.

The CA_UNREACHABLE are due to the fact that the IPA RA agent certificate
that IPA uses to talk to the CA expired on 04/29.

So the steps you need to take are:

1. Check your other CA masters and see if they have been renewed
properly (getcert list will tell you, look for expiration in 2017).
2. If they have, see if the data was pushed to LDAP

$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com

See if there are certificate entries there. Check on multiple masters to
see if there is a replication issue.

If the certs are there you can try restarting certmonger to kickstart
the request.

rob





Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Sanju A
Dear Rob,

Please find the result of getcert list.

Request ID '20140430124456':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa.tcs-mobility.com,O=EXAMPLE.COM
expires: 2016-04-30 12:44:55 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes


Regards
Sanju Abraham




From:   Rob Crittenden 
To: Sanju A , freeipa-users@redhat.com
Date:   20-05-2015 19:04
Subject:Re: [Freeipa-users] Certificate operation cannot be 
completed: Unable to communicate with CMS (Not Found)



Sanju A wrote:
> Hi,
>
> I am getting the following error while removing a host.
>
> ---
> Certificate operation cannot be completed: Unable to communicate with
> CMS (Not Found)
> ---

This usually means that the CA is not serving requests. It may be up 
and running but that doesn't mean the webapp is working.

This is often due to expired CA subsystem certificates. Run getcert list 
to check.

rob


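Rob's advice in both messages above comes down to reading `getcert list` carefully: look for subsystem certificates that have already expired, for requests stuck in CA_UNREACHABLE or CA_WORKING rather than MONITORING, and for which CA helper (IPA versus dogtag-ipa-retrieve-agent-submit) each one uses. The script below is an added example, not code from certmonger or FreeIPA; it parses output laid out as in Sanju's post and prints the findings. The sample output embedded in it is constructed (request IDs, hostnames and dates are invented), and the reference time is passed in so the same output can be audited as of any date.

```python
"""Triage `getcert list` output for expired or un-renewed certificates."""
# Added example; not code from certmonger or FreeIPA. It parses the text
# that `getcert list` prints (the layout in Sanju's post) and flags every
# request that is not MONITORING, carries a ca-error, has expired relative
# to a reference time, or expires within a warning window. The sample
# output and its request IDs, hostnames and dates are constructed.
import re
from datetime import datetime, timedelta

HEALTHY_STATUS = "MONITORING"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S UTC"   # certmonger's "expires:" format
REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")

SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20140430124456':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2016-04-30 12:44:55 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20140430124510':
\tstatus: CA_UNREACHABLE
\tca-error: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=IPA RA,O=EXAMPLE.COM
\texpires: 2015-04-29 10:15:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20140430124530':
\tstatus: CA_WORKING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-retrieve-agent-submit
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.COM
\texpires: 2015-06-10 08:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """One dict per tracked request; indentation is ignored so pasted output parses."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue  # summary line before the first request
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return requests


def audit_getcert(text, now, warn_days=30):
    """Return [(request_id, nickname, ca, [problems])] for every request.

    `now` is a datetime or a string in certmonger's own "expires" format.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, TIME_FORMAT)
    horizon = now + timedelta(days=warn_days)
    findings = []
    for req in parse_getcert_list(text):
        problems = []
        status = req.get("status", "")
        if status != HEALTHY_STATUS:
            problems.append("status " + status)
        if req.get("ca-error"):
            problems.append("ca-error: " + req["ca-error"])
        if req.get("expires"):
            expires = datetime.strptime(req["expires"], TIME_FORMAT)
            if expires <= now:
                problems.append("expired " + req["expires"])
            elif expires <= horizon:
                problems.append("expires within %d days" % warn_days)
        m = NICKNAME_RE.search(req.get("certificate", ""))
        nickname = m.group(1) if m else req.get("subject", "?")
        findings.append((req["request_id"], nickname, req.get("CA", "?"), problems))
    return findings


def audit_sample(now="2015-05-20 12:00:00 UTC"):
    """Run the audit on the constructed sample as of the given reference time."""
    return audit_getcert(SAMPLE_GETCERT, now)


if __name__ == "__main__":
    for request_id, nickname, ca, problems in audit_sample():
        print(request_id, nickname, ca, "; ".join(problems) or "ok")
```

On a real master pipe `getcert list` into `audit_getcert` with the current time; a request listed with CA dogtag-ipa-retrieve-agent-submit and status CA_WORKING is one still waiting for the renewal master to publish the new certificate, which is the situation Rob describes.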

[Freeipa-users] ruv problem

2015-05-20 Thread Alexander Frolushkin
Hello again.
Is it now clear how to deal with problem ipa-replica-manage list-ruv showing
unable to decode: {replica 16} 548a81260010 548a81260010
?

I have this on all of my 17 servers, including a new replica created recently, 
and
ipa-replica-manage clean-ruv 16 says

unable to decode: {replica 16} 548a81260010 548a81260010 
Replica ID 16 not found"

WBR,
Alexander Frolushkin




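Both the RUV listings in Janelle's thread and Alexander's clean-ruv attempt above show the same two symptoms in `ipa-replica-manage list-ruv` output: "unable to decode {replica N}" elements, and (in Janelle's case) a host that appears with two replica IDs while some nodes carry far fewer elements than their peers. The script below is an added example, not code from FreeIPA or from either poster; it parses that listing format for several nodes at once and reports duplicate replica IDs per host, undecodable replica IDs, and the elements each node is missing compared with the others (Thierry's three questions). The listing it contains is constructed after the one on the page, with example.com hostnames.

```python
"""Cross-check `ipa-replica-manage list-ruv` output from several masters."""
# Added example; not code from FreeIPA or from the posts in this thread. It
# parses the per-node listing format shown in Janelle's post (host, port,
# replica ID per line, plus "unable to decode {replica N} ..." lines of the
# kind Alexander's clean-ruv run also prints) and reports the three things
# Thierry asked about: hosts carrying more than one replica ID, replica IDs
# that could not be decoded, and RUV elements a node lacks compared with
# its peers. The listing below is constructed after the one on the page.
import re
from collections import defaultdict

NODE_RE = re.compile(r"^Node\s+(\S+)$")
ELEMENT_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")
UNDECODED_RE = re.compile(r"^unable to decode:?\s+\{replica (\d+)\}")

SAMPLE_RUV = """\
-
Node dc1-ipa1
-
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa4.example.com 389  4
-
Node dc1-ipa2
-
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa2.example.com 389  25
dc1-ipa3.example.com 389  8
dc1-ipa4.example.com 389  4
-
Node dc1-ipa3
-
dc4-ipa4.example.com 389  21
dc1-ipa1.example.com 389  10
dc1-ipa2.example.com 389  25
dc1-ipa2.example.com 389  9
dc1-ipa3.example.com 389  8
dc1-ipa4.example.com 389  4
unable to decode  {replica 16} 5535647200030010 5535647200030010
unable to decode: {replica 24} 554d53d30018 554d54a400020018
"""


def parse_ruv_report(text):
    """{node: {"elements": [(host, port, rid)], "undecodable": [rid]}}."""
    nodes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank or separator line
        m = NODE_RE.match(line)
        if m:
            current = nodes.setdefault(m.group(1), {"elements": [], "undecodable": []})
            continue
        if current is None:
            continue
        m = ELEMENT_RE.match(line)
        if m:
            current["elements"].append((m.group(1), int(m.group(2)), int(m.group(3))))
            continue
        m = UNDECODED_RE.match(line)
        if m:
            current["undecodable"].append(int(m.group(1)))
    return nodes


def find_ruv_problems(nodes):
    """Duplicate RIDs per host, undecodable RIDs, and per-node missing RIDs."""
    host_rids = defaultdict(set)
    node_rids = {}
    undecodable = set()
    for node, data in nodes.items():
        node_rids[node] = {rid for _, _, rid in data["elements"]}
        for host, _, rid in data["elements"]:
            host_rids[host].add(rid)
        undecodable.update(data["undecodable"])
    # Every master should know every RID its peers know; a node with a
    # shorter list (dc1-ipa1 here) is, per the thread, one that has not been
    # receiving updates from the replicas it lacks.
    all_rids = set().union(*node_rids.values()) if node_rids else set()
    return {
        "duplicate_rid_hosts": {h: sorted(r) for h, r in host_rids.items() if len(r) > 1},
        "undecodable_rids": sorted(undecodable),
        "missing_elements": {n: sorted(all_rids - r) for n, r in node_rids.items()
                             if all_rids - r},
    }


if __name__ == "__main__":
    report = find_ruv_problems(parse_ruv_report(SAMPLE_RUV))
    for key, value in report.items():
        print(key, value)
```

Concatenate the `list-ruv` output of each master under a "Node <name>" header, as in Janelle's post, and feed the whole text to `parse_ruv_report`; the report only points at what to look into (which node to re-initialize, which RID is stale), it does not change anything.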

Re: [Freeipa-users] confused by ldapsearch results

2015-05-20 Thread Martin Kosek
On 05/20/2015 04:01 PM, Boyce, George Robert. (GSFC-762.0)[NICS] wrote:
> <<
> This worked for me:
> 
> $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=cm
> "(|(uid=admin)(name=admin))" dn
> SASL/GSSAPI authentication started
> SASL username: ad...@example.com
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
> 
> Note that cn is Common Name which is set to the user's full name, in this 
> case likely "George Boyce". So that will never match gboyce.
> 
> Rob
>>>
> 
> Rob,
> 
> Thanks for your example, it had me test my ldap bind which narrows the 
> problem and gives me a workaround.
> 
> I used cn=gboyce to pull my group record, so I expected my test to return two 
> records for my account and my group. And it does when I authenticate as admin 
> as in your test. So the problem is isolated to when I use a dedicated search 
> account. I missed this note on setting up system accounts:
> 
> <<
> Note: IPA 4.0 is going to change the default stance on data from nearly 
> everything is readable to nothing is readable, by default. You will 
> eventually need to add some Access Control Instructions (ACI's) to grant read 
> access to the parts of the LDAP tree you will need.
>>>
> 
> Looks like I need to do just that. :-) 
> 
> Still the behavior of returning nothing by adding an extra false term,

IIRC, this is done on purpose, there was a CVE and as a fix, if you are
querying with an attribute you do not have permission to query with, you get no
answers.

> or returning one entry when each of the terms each returns a unique entry,
> seems wrong.
> It does return two entries when both are in the same subtree.

This one sounds strange, CCing Ludwig for reference.

> 
> ###
> ### everything ok when using admin... two records, one from users, one from 
> groups
> ###
> # ldapsearch -Y GSSAPI -b "dc=..." "(|(uid=admin)(cn=gboyce))" dn
> SASL/GSSAPI authentication started
> SASL username: admin@...
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (|(uid=admin)(cn=gboyce))
> # requesting: dn
> #
> 
> # admin, users, accounts, ...
> dn: uid=admin,cn=users,cn=accounts,dc=...
> 
> # gboyce, groups, accounts, ...
> dn: cn=gboyce,cn=groups,cn=accounts,dc=...
> 
> # search result
> search: 4
> result: 0 Success
> 
> # numResponses: 3
> # numEntries: 2
> 
> ##
> 
> ###
> ### system account (without ACLs) returns simple queries, but not correct 
> results for compound queries in different subtrees
> ###
> 
> ###
> ### different subtrees fails...
> ###
> # ldapsearch -x  -D "uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=..." -w "..." -b 
> "dc=..." "(|(uid=admin)(cn=gboyce))" dn   
>   
>   
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (|(uid=admin)(cn=gboyce))
> # requesting: dn
> #
> 
> # admin, users, accounts, ...
> dn: uid=admin,cn=users,cn=accounts,dc=...
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> ###
> ### same subtree works...
> ###
> # l "(|(cn=admins)(cn=gboyce))" dn
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (|(cn=admins)(cn=gboyce))
> # requesting: dn
> #
> 
> # admins, groups, accounts, ...
> dn: cn=admins,cn=groups,cn=accounts,dc=...
> 
> # gboyce, groups, accounts, ...
> dn: cn=gboyce,cn=groups,cn=accounts,dc=...
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 3
> # numEntries: 2
> 
> ###
> ### valid filter from above with extra false term...
> ###
> # l "(|(cn=admins)(cn=gboyce)(name=foobar))" dn
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (|(cn=admins)(cn=gboyce)(name=foobar))
> # requesting: dn
> #
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 1
> 
> 



Re: [Freeipa-users] confused by ldapsearch results

2015-05-20 Thread Ludwig Krispenz


On 05/21/2015 07:50 AM, Martin Kosek wrote:

On 05/20/2015 04:01 PM, Boyce, George Robert. (GSFC-762.0)[NICS] wrote:

<<
This worked for me:

$ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=cm
"(|(uid=admin)(name=admin))" dn
SASL/GSSAPI authentication started
SASL username: ad...@example.com
SASL SSF: 56
SASL data security layer installed.
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com

Note that cn is Common Name which is set to the user's full name, in this case likely 
"George Boyce". So that will never match gboyce.

Rob
Rob,

Thanks for your example, it had me test my ldap bind which narrows the problem 
and gives me a workaround.

I used cn=gboyce to pull my group record, so I expected my test to return two 
records for my account and my group. And it does when I authenticate as admin 
as in your test. So the problem is isolated to when I use a dedicated search 
account. I missed this note on setting up system accounts:

<<
Note: IPA 4.0 is going to change the default stance on data from nearly 
everything is readable to nothing is readable, by default. You will eventually 
need to add some Access Control Instructions (ACI's) to grant read access to 
the parts of the LDAP tree you will need.
Looks like I need to do just that. :-)

Still the behavior of returning nothing by adding an extra false term,

IIRC, this is done on purpose, there was a CVE and as a fix, if you are
querying with an attribute you do not have permission to query with, you get no
answers.

correct. It was https://bugzilla.redhat.com/show_bug.cgi?id=979508
and behaviour matches the spec in 13.3.3.3: 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Creating_ACIs_Manually-Defining_Permissions


For the other problem, there is not enough information to judge. If two 
entries are in different subtrees also different acis could apply, we 
need the full set of acis, the full search and eventually access 
control logging (nsslapd-errorlog-level: 128)



or returning one entry when each of the terms each returns a unique entry,

seems wrong.

It does return two entries when both are in the same subtree.

This one sounds strange, CCing Ludwig for reference.


###
### everything ok when using admin... two records, one from users, one from 
groups
###
# ldapsearch -Y GSSAPI -b "dc=..." "(|(uid=admin)(cn=gboyce))" dn
SASL/GSSAPI authentication started
SASL username: admin@...
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (|(uid=admin)(cn=gboyce))
# requesting: dn
#

# admin, users, accounts, ...
dn: uid=admin,cn=users,cn=accounts,dc=...

# gboyce, groups, accounts, ...
dn: cn=gboyce,cn=groups,cn=accounts,dc=...

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

##

###
### system account (without ACLs) returns simple queries, but not correct 
results for compound queries in different subtrees
###

###
### different subtrees fails...
###
# ldapsearch -x  -D "uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=..." -w "..." -b "dc=..." 
"(|(uid=admin)(cn=gboyce))" dn
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (|(uid=admin)(cn=gboyce))
# requesting: dn
#

# admin, users, accounts, ...
dn: uid=admin,cn=users,cn=accounts,dc=...

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

###
### same subtree works...
###
# l "(|(cn=admins)(cn=gboyce))" dn
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (|(cn=admins)(cn=gboyce))
# requesting: dn
#

# admins, groups, accounts, ...
dn: cn=admins,cn=groups,cn=accounts,dc=...

# gboyce, groups, accounts, ...
dn: cn=gboyce,cn=groups,cn=accounts,dc=...

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

###
### valid filter from above with extra false term...
###
# l "(|(cn=admins)(cn=gboyce)(name=foobar))" dn
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (|(cn=admins)(cn=gboyce)(name=foobar))
# requesting: dn
#

# search result
search: 2
result: 0 Success

# numResponses: 1



