Re: [Freeipa-users] Traceback starting pki-cad - ca.subsystem.certreq missing?

2016-02-29 Thread Fraser Tweedale
On Mon, Feb 22, 2016 at 06:42:04PM +0100, Natxo Asenjo wrote:
> On Sat, Feb 20, 2016 at 5:58 PM, Ian Pilcher  wrote:
> 
> > I am running IPA 3.0.0 on CentOS 6 (32-bit x86), and I am getting a
> > traceback every time pki-cad starts:
> >
> > Traceback (most recent call last):
> > >   File "/usr/sbin/pki-server", line 89, in <module>
> > cli.execute(sys.argv)
> >   File "/usr/sbin/pki-server", line 84, in execute
> > super(PKIServerCLI, self).execute(args)
> >   File "/usr/lib/python2.6/site-packages/pki/cli.py", line 195, in execute
> > module.execute(module_args)
> >   File "/usr/lib/python2.6/site-packages/pki/server/cli/upgrade.py", line
> > 103, in execute
> > scriptlet.execute()
> >   File "/usr/lib/python2.6/site-packages/pki/server/upgrade/__init__.py",
> > line 50, in execute
> > cert = self.subsystem.get_system_cert('subsystem')
> >   File "/usr/lib/python2.6/site-packages/pki/server/__init__.py", line 93,
> > in get_system_cert
> > cert['request'] = base64.b64decode(self.config['%s.%s.certreq' %
> > (self.prefix, tag)])
> > KeyError: 'ca.subsystem.certreq'
> > Starting pki-ca:   [  OK  ]
> >
> > As you can see, the daemon does still start successfully, and the
> > traceback doesn't appear in any of the pki-cad logs.
> >
> >
> yes, I see this too after the last round of updates. Curiously enough, just
> on one of the kdcs, the other does not have this traceback.
> 
> Both are centos 6.7 fully patched, 32 bits.
> 
You can resolve the issue by stopping pki-cad, adding
'ca.subsystem.certreq=' (empty value) to CS.cfg, then restarting
pki-cad.  AFAICT the absence of the certreq field will not cause any
problems.

I'm still investigating what caused the 'ca.subsystem.certreq'
config to disappear from CS.cfg in the first place.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
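Added example (not code from the thread, from FreeIPA or from Dogtag): the workaround above is to add an empty `ca.subsystem.certreq=` line to CS.cfg while pki-cad is stopped. The helper below does that idempotently against a key=value file, keeping a `.bak` copy, so it can be run on every CA without clobbering a host that already has the key. The CS.cfg content it runs against is a constructed sample; the `demo()` function and the backup naming are this example's own choices.

```python
"""Ensure a key exists in a flat key=value config such as Dogtag's CS.cfg.

The traceback in the thread comes from pki-server's upgrade scriptlet
indexing self.config['ca.subsystem.certreq'] with no fallback, so a missing
key raises KeyError.  Adding the key with an empty value (the fix proposed
above) is enough; this helper adds only that line and nothing else.
"""
import shutil
import tempfile
from pathlib import Path

# Constructed sample, not a real CS.cfg: the subsystem certreq key is missing.
SAMPLE_CS_CFG = """\
# constructed sample CS.cfg
ca.signing.certreq=MIIB...constructed...
ca.sslserver.certreq=MIIB...constructed...
ca.subsystem.nickname=constructed-nickname
"""


def parse_cs_cfg(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are skipped.
    Values may contain '=', so split only on the first one."""
    cfg = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = stripped.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def ensure_key(path: Path, key: str, default: str = "") -> bool:
    """Append `key=default` if `key` is absent.  Returns True when the file
    was modified.  The original is copied to <file>.bak first (hypothetical
    naming chosen for this example)."""
    text = path.read_text()
    if key in parse_cs_cfg(text):
        return False
    shutil.copy2(path, Path(str(path) + ".bak"))
    with path.open("a") as fh:
        if text and not text.endswith("\n"):
            fh.write("\n")
        fh.write(f"{key}={default}\n")
    return True


def demo() -> dict:
    """Apply the fix to the constructed CS.cfg in a temporary directory and
    report what happened (used by the stand-alone run below)."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "CS.cfg"
        cfg.write_text(SAMPLE_CS_CFG)
        first = ensure_key(cfg, "ca.subsystem.certreq")
        second = ensure_key(cfg, "ca.subsystem.certreq")  # already present now
        parsed = parse_cs_cfg(cfg.read_text())
        backup = Path(str(cfg) + ".bak").exists()
    return {"first": first, "second": second,
            "value": parsed["ca.subsystem.certreq"],
            "backup": backup, "keys": len(parsed)}


if __name__ == "__main__":
    print(demo())
```

On a real CA the call would be `ensure_key(Path("/var/lib/pki-ca/conf/CS.cfg"), "ca.subsystem.certreq")` with pki-cad stopped, as the reply says; the parser deliberately does not rewrite existing lines, so any other setting (or comment) in the file stays byte-for-byte the same.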


Re: [Freeipa-users] OTP not working since upgrade

2016-02-29 Thread Simo Sorce
On Mon, 2016-02-29 at 16:49 +, Alessandro De Maria wrote:
> Of course,
> 
> could you point me to the logs you would be interested in?

Probably the kdc logs, I am not sure we directly log from ipa-otpd, but
you could take a look at the journal/syslog too ?

Simo.

> Regards
> Alessandro
> 
> On 29 February 2016 at 05:44, Simo Sorce  wrote:
> 
> > On Mon, 2016-02-29 at 00:11 +, Alessandro De Maria wrote:
> > > Solved.
> > > This turned out to be the ipa-otp process stuck on one of the 2 servers.
> > > The VPN requests were being sent to the other server which was working
> > fine
> > >
> > > a simple restart of ipa fixed it.
> >
> > Do you have any logs that show any error from the ipa-otpd process
> > It would be nice to fix any issue it may have.
> >
> > Simo.
> >
> > > Regards
> > >
> > > On 28 February 2016 at 23:17, Alessandro De Maria <
> > > alessandro.dema...@gmail.com> wrote:
> > >
> > > > Hello,
> > > >
> > > > since I upgraded to 4.2.0 on Centos, OTPs do not seem to work anymore.
> > > > Name: ipa-server
> > > > Version : 4.2.0
> > > > Release : 15.el7_2.6
> > > >
> > > > The error I see in the
> > > > Feb 28 23:01:40 id1 krb5kdc[2894](info): AS_REQ (6 etypes {18 17 16 23
> > 25
> > > > 26}) 10.0.1.10: NEEDED_PREAUTH: alessan...@xx.com for krbtgt/
> > xx@xx.com,
> > > > Additional pre-authentication required
> > > > Feb 28 23:01:41 id1.XX.com krb5kdc[2896](info): AS_REQ (6 etypes {18
> > 17
> > > > 16 23 25 26}) 10.0.1.10: PREAUTH_FAILED: alessan...@xx.com for krbtgt/
> > > > xx@xx.com, Incorrect password in encrypted challenge
> > > >
> > > > I tried syncing the OTP and also creating a new one.
> > > > Strangely enough I can connect OK with the VPN supplying password +
> > OTP,
> > > > but OTP is not working on both freeipa gui and when issuing sudo.
> > > >
> > > > Could someone help me understand what is going on?
> > > >
> > > > Regards
> > > > Alessandro
> > > >
> > > >
> > > > --
> > > > Alessandro De Maria
> > > > alessandro.dema...@gmail.com
> > > >
> > >
> > >
> > >
> >
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> >
> 
> 


-- 
Simo Sorce * Red Hat, Inc * New York

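Added example (not from the thread or from FreeIPA): Simo asks for the KDC logs, and the lines Alessandro pasted are what a stuck ipa-otpd looks like from the KDC's side, NEEDED_PREAUTH followed by PREAUTH_FAILED with "Incorrect password in encrypted challenge" while the other KDC issues tickets normally. The script below parses krb5kdc log lines in that format, groups them per KDC host and principal, and flags hosts where a principal only ever fails the encrypted challenge and never gets an ISSUE. The log lines it runs over are constructed; the line format is assumed from the thread.

```python
"""Compare OTP pre-authentication outcomes across KDCs from krb5kdc logs."""
import re
from collections import Counter, defaultdict

# krb5kdc syslog-style request line, as pasted in the thread (assumed format;
# lines that are not AS_REQ/TGS_REQ records are ignored).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<client>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" somewhere in the rest of the line
PRINC_RE = re.compile(r"(?P<princ>\S+@\S+?) for (?P<server>[^,\s]+)")


def parse_kdc_line(line: str):
    """Return a dict of fields, or None if the line is not a request record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    p = PRINC_RE.search(rec["rest"])
    rec["principal"] = p.group("princ") if p else None
    rec["server"] = p.group("server") if p else None
    # Free-text reason after the principals, e.g. the encrypted-challenge failure
    rec["message"] = rec["rest"][p.end():].lstrip(", ") if p else rec["rest"]
    return rec


def summarize(lines):
    """{host: {principal: Counter(status)}} plus a list of challenge failures."""
    per_kdc = defaultdict(lambda: defaultdict(Counter))
    challenge_failures = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None or rec["principal"] is None:
            continue
        per_kdc[rec["host"]][rec["principal"]][rec["status"]] += 1
        if rec["status"] == "PREAUTH_FAILED" and "encrypted challenge" in rec["message"]:
            challenge_failures.append((rec["host"], rec["principal"], rec["client"]))
    return per_kdc, challenge_failures


def kdcs_failing_otp(lines):
    """Hosts where some principal fails the encrypted challenge and is never
    issued a ticket: candidates for an ipa-otpd that needs a restart."""
    per_kdc, failures = summarize(lines)
    suspects = set()
    for host, princ, _client in failures:
        if per_kdc[host][princ]["ISSUE"] == 0:
            suspects.add(host)
    return sorted(suspects)


# Constructed sample: id1's OTP path is broken, id2 issues tickets.
ETYPES = "(6 etypes {18 17 16 23 25 26})"
SAMPLE_LINES = [
    "Feb 28 23:01:40 id1.example.test krb5kdc[2894](info): AS_REQ " + ETYPES +
    " 10.0.1.10: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST,"
    " Additional pre-authentication required",
    "Feb 28 23:01:41 id1.example.test krb5kdc[2896](info): AS_REQ " + ETYPES +
    " 10.0.1.10: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST,"
    " Incorrect password in encrypted challenge",
    "Feb 28 23:02:05 id1.example.test krb5kdc[2896](info): AS_REQ " + ETYPES +
    " 10.0.1.10: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST,"
    " Incorrect password in encrypted challenge",
    "Feb 28 23:03:09 id2.example.test krb5kdc[2901](info): AS_REQ " + ETYPES +
    " 10.0.1.10: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST,"
    " Additional pre-authentication required",
    "Feb 28 23:03:10 id2.example.test krb5kdc[2901](info): AS_REQ " + ETYPES +
    " 10.0.1.10: ISSUE: authtime 1456700590, etypes {rep=18 tkt=18 ses=18},"
    " alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "Feb 28 23:04:00 id2.example.test krb5kdc[2901](info): closing down fd 12",
]

if __name__ == "__main__":
    per_kdc, failures = summarize(SAMPLE_LINES)
    for host, princs in sorted(per_kdc.items()):
        for princ, counts in sorted(princs.items()):
            print(host, princ, dict(counts))
    print("KDCs to check:", kdcs_failing_otp(SAMPLE_LINES))
```

Run it over `/var/log/krb5kdc.log` from each server concatenated (the host field keeps them apart); a host that shows up in the result while its peer issues tickets for the same principals is the one whose ipa-otpd to look at, which is the situation this thread ended in.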


Re: [Freeipa-users] Preserved users not replicated to new master (FreeIPA 4.2.0)

2016-02-29 Thread thierry bordaz

Hi Justin,

   I was trying to reproduce this but I think I am missing some steps.
   Do you mind reviewing my testcase to check what is missing ?
   The test case  is :
   install master M, prepare replica (+copy of gpg), install replica
   (new master) R.
   On R:

 * Authenticate as 'admin'
 * 'ipa user-add '
 * ipa user-del --preserve 

   On M:

 * Authenticate as 'admin'
 * ipa user-find --preserved=true  <--- here the preserved 
   is found

   Is it similar to what you tested ?

   thanks
   thierry

On 02/27/2016 06:20 AM, Justin Bushey wrote:

Hello,

I've noticed that when creating a new IPA master users that are set to 
be Preserved after deletion are not being replicated to the new 
master. I haven't been able to experiment much with this since I'm 
working in our production environment, but I did notice that if I 
restore them as active users and re-initialize the new master I can 
then move them to the 'Preserved' category. This change is replicated.


I'm setting up the new master in the normal manner:

On existing master:
ipa-replica-prepare --ip-address x.x.x.x replica.domain.com 



And then using ipa-replica-install on the new master:

ipa-replica-install --setup-dns --setup-ca --no-reverse --forwarder 
x.x.x.x --forwarder x.x.x.x --ip-address=x.x.x.x 
replica-info-replica.domain.com.gpg


I'm just wondering if there's something I'm doing wrong, if this is by 
design, or if this is an actual bug.


Thanks,

Justin M. Bushey
Systems Administrator
InfoRelay Online Systems, Inc.





Re: [Freeipa-users] version compatibility between server and client

2016-02-29 Thread Martin Kosek
On 02/26/2016 05:23 PM, Rakesh Rajasekharan wrote:
> Hi!,
> 
> I had successfully set up ipa in our qa environment, but since we are
> running centos 6, i just got 3.0.25 version of IPA.
> 
> I wanted to try out the latest 4.x version, for server by using a centos 7
> OS. But have few questions regarding that
> 
> Will there be compatibility issues, if I use a server at 4.x and clients at
> 3.0.25

Please see
http://www.freeipa.org/page/Client#Compatibility
There are plans for FreeIPA 4.4 to improve the "ipa" tool/API compatibility too.

> Another question is,
> From the documentation, I see that there's an option to manually configure a
> client where in we do not have to install freeipa-client using
> ipa-client-install
> 
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/linux-manual.html

Please note that this is a quite old documentation, see here for other options:
http://www.freeipa.org/page/Upstream_User_Guide

> So that way , I can install the latest version of freeipa server and make
> my clients also be able to use the latest version without actually
> installing it.
> 
> But, are there any issues with this approach, and how does it differ from
> doing an ipa-client-install on the client machine.

I can hardly imagine when manually configuring a FreeIPA client would be a good
idea. In the vast majority of cases, ipa-client-install is what you want, to
configure a client against a newer or older FreeIPA server version.

Martin



Re: [Freeipa-users] DNSSEC KSK rollover

2016-02-29 Thread Peter Fern
On 02/29/2016 21:22, Petr Spacek wrote:
> On 28.2.2016 14:51, Peter Fern wrote:
>> Hi all,
>> A new KSK has been auto-generated, and it's transitioned through
>> 'published' and is now sitting in the 'ready' state, but does not appear
>> as a DNSKEY record on the zone.  I can see that ods-enforcerd has picked
>> up the state change correctly and logged a DSChanged event with the
>> correct output for the new DNSKEY record, and it appears as expected in
>> localhsm, but is not published on the zone.
>>
>> Running FreeIPA 4.3.0-1.fc23, anyone got pointers on how to proceed with
>> the rollover?
> Hi,
>
> I would recommend you to wait until fix
> https://fedorahosted.org/freeipa/ticket/5334
> is released in 4.3.1 or so.
>
> After that you can use procedure described on page
> http://www.freeipa.org/page/Howto/DNSSEC
> to run ds-seen command.
>
> I hope this helps.

That ticket was reported by me ;-)

The issue here is that the new KSK did not appear as a DNSKEY record, so
running ds-seen would have been a bad idea, since the zone would be
entirely invalid if the old key was rotated out before the new key was
published, and the new DS record would be invalid without the
corresponding KSK anyway.

I did also have some more rotated keys get stuck per #5334, and had
cleared them prior to this issue, but I was having trouble getting the
zone resigned correctly, and I was hoping to roll all the keys to deal
with that.  In the end, I had to un-sign the domain and re-sign it to
recover.

I was wondering if there were possibly some known issues/tricks with KSK
rollover, but wasn't certain if my #5334 issues may have thrown a
spanner in the works at some key point in the lifecycle.  I've got some
more KSKs due to roll in a couple of months, so hopefully I can get
4.3.1 deployed before then, and I'll be able to see if the process goes
smoothly without the extraneous issues.

I've also discovered the replication ACI issues in 4.3.0 (#5575 and
friends), which are causing me some grief.  Is there a feel for how
close we are to a 4.3.1 release?

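Added example (not code from the thread, from FreeIPA or from OpenDNSSEC): the point made above is that ds-seen must not be run until the new KSK is actually in the zone's DNSKEY RRset, otherwise the parent's DS points at a key resolvers cannot fetch. The script below implements the RFC 4034 key-tag and DS-digest computations and answers "is this DS backed by a KSK that is really published?" given the DS line (as logged in ods-enforcerd's DSChanged event) and the DNSKEY records served by the zone. The DNSKEY records here are constructed with 4-byte placeholder key material so the arithmetic can be checked by hand; they are not valid ECDSA keys. Function names and the sample zone name are this example's own.

```python
"""Check that a DS record corresponds to a DNSKEY the zone is publishing."""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str) -> dict:
    """Parse presentation format: owner [ttl] [IN] DNSKEY flags proto alg base64...
    The base64 may be split into several whitespace-separated chunks (dig does that)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return {"owner": fields[0], "flags": flags, "protocol": proto,
            "algorithm": alg, "key": key}


def dnskey_rdata(rec: dict) -> bytes:
    """DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", rec["flags"], rec["protocol"], rec["algorithm"]) + rec["key"]


def key_tag(rec: dict) -> int:
    """RFC 4034 Appendix B key tag (the algorithm for everything except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(rec)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(rec: dict, digest_type: int = 2) -> str:
    """DS digest over canonical owner name + DNSKEY RDATA (1 = SHA-1, 2 = SHA-256)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(rec["owner"]) + dnskey_rdata(rec)).hexdigest().upper()


def ds_record(rec: dict, digest_type: int = 2) -> str:
    """DS RDATA in presentation form: keytag algorithm digesttype digest."""
    return f"{key_tag(rec)} {rec['algorithm']} {digest_type} {ds_digest(rec, digest_type)}"


def ds_is_backed_by_published_dnskey(ds_line: str, dnskey_lines) -> bool:
    """True iff some published DNSKEY with the SEP (KSK) bit set yields `ds_line`.
    Accepts either bare DS RDATA or a full 'owner ttl IN DS ...' record."""
    fields = ds_line.split()
    i = fields.index("DS") if "DS" in fields else -1
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).upper()
    for line in dnskey_lines:
        rec = parse_dnskey(line)
        if not rec["flags"] & 0x0001:          # SEP bit clear: a ZSK, skip it
            continue
        if (key_tag(rec) == tag and rec["algorithm"] == alg
                and ds_digest(rec, dtype) == digest):
            return True
    return False


# Constructed sample zone (placeholder key bytes, not real ECDSA P-256 keys):
# ZSK flags 256, key 05 06 07 08; KSK flags 257, key 01 02 03 04 -> key tag 2068.
ZSK_LINE = "example.test. 3600 IN DNSKEY 256 3 13 BQYHCA=="
KSK_LINE = "example.test. 3600 IN DNSKEY 257 3 13 AQIDBA=="

if __name__ == "__main__":
    ksk = parse_dnskey(KSK_LINE)
    ds = "example.test. 3600 IN DS " + ds_record(ksk)
    print("DS for new KSK:", ds)
    # Zone serving both keys: safe to run ds-seen once the parent has this DS.
    print("published:", ds_is_backed_by_published_dnskey(ds, [ZSK_LINE, KSK_LINE]))
    # The situation in the thread: KSK in the HSM but absent from the zone.
    print("published:", ds_is_backed_by_published_dnskey(ds, [ZSK_LINE]))
```

In practice the DNSKEY lines come from `dig +norecurse DNSKEY <zone> @<each-ipa-dns-server>` so that every server, not just the one the enforcer runs on, is checked; a False result means the key has not reached the zone and the rollover should be held at the 'ready' state rather than pushed forward with ds-seen.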


Re: [Freeipa-users] DNSSEC KSK rollover

2016-02-29 Thread Petr Spacek
On 28.2.2016 14:51, Peter Fern wrote:
> Hi all,
> A new KSK has been auto-generated, and it's transitioned through
> 'published' and is now sitting in the 'ready' state, but does not appear
> as a DNSKEY record on the zone.  I can see that ods-enforcerd has picked
> up the state change correctly and logged a DSChanged event with the
> correct output for the new DNSKEY record, and it appears as expected in
> localhsm, but is not published on the zone.
> 
> Running FreeIPA 4.3.0-1.fc23, anyone got pointers on how to proceed with
> the rollover?

Hi,

I would recommend you to wait until fix
https://fedorahosted.org/freeipa/ticket/5334
is released in 4.3.1 or so.

After that you can use procedure described on page
http://www.freeipa.org/page/Howto/DNSSEC
to run ds-seen command.

I hope this helps.

-- 
Petr^2 Spacek
