Re: [Freeipa-users] Traceback starting pki-cad - ca.subsystem.certreq missing?

2016-03-01 Thread German Parente
Hi Fraser,

thanks for the workaround. As I have a customer who hit this bug, I have 
created BZ 1313207 to trace this issue in the case.

Regards,

German.

- Original Message -
> From: "Fraser Tweedale" 
> To: "Ian Pilcher" , "Natxo Asenjo" 
> 
> Cc: freeipa-users@redhat.com
> Sent: Tuesday, March 1, 2016 6:34:01 AM
> Subject: Re: [Freeipa-users] Traceback starting pki-cad - 
> ca.subsystem.certreq missing?
> 
> On Mon, Feb 22, 2016 at 06:42:04PM +0100, Natxo Asenjo wrote:
> > On Sat, Feb 20, 2016 at 5:58 PM, Ian Pilcher  wrote:
> > 
> > > I am running IPA 3.0.0 on CentOS 6 (32-bit x86), and I am getting a
> > > traceback every time pki-cad starts:
> > >
> > > Traceback (most recent call last):
> > >   File "/usr/sbin/pki-server", line 89, in 
> > > cli.execute(sys.argv)
> > >   File "/usr/sbin/pki-server", line 84, in execute
> > > super(PKIServerCLI, self).execute(args)
> > >   File "/usr/lib/python2.6/site-packages/pki/cli.py", line 195, in
> > >   execute
> > > module.execute(module_args)
> > >   File "/usr/lib/python2.6/site-packages/pki/server/cli/upgrade.py", line
> > > 103, in execute
> > > scriptlet.execute()
> > >   File "/usr/lib/python2.6/site-packages/pki/server/upgrade/__init__.py",
> > > line 50, in execute
> > > cert = self.subsystem.get_system_cert('subsystem')
> > >   File "/usr/lib/python2.6/site-packages/pki/server/__init__.py", line
> > >   93,
> > > in get_system_cert
> > > cert['request'] = base64.b64decode(self.config['%s.%s.certreq' %
> > > (self.prefix, tag)])
> > > KeyError: 'ca.subsystem.certreq'
> > > Starting pki-ca:   [  OK  ]
> > >
> > > As you can see, the daemon does still start successfully, and the
> > > traceback doesn't appear in any of the pki-cad logs.
> > >
> > >
> > yes, I see this too after the last round of updates. Curiously enough, just
> > on one of the kdcs, the other does not have this traceback.
> > 
> > Both are centos 6.7 fully patched, 32 bits.
> > 
> You can resolve the issue by stopping pki-cad, adding
> 'ca.subsystem.certreq=' (empty value) to CS.cfg, then restarting
> pki-cad.  AFAICT the absence of the certreq field will not cause any
> problems.
> 
> I'm still investigating what caused the 'ca.subsystem.certreq'
> config to disappear from CS.cfg in the first place.
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
> 

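Fraser's workaround above, written out as a script. This is an added example, not pki or FreeIPA project code: the CS.cfg path is an assumption for a CentOS 6 / IPA 3.0 CA host, and the sample config text is constructed. get_system_cert reproduces the lookup from the traceback, so the effect of the empty value can be checked on a copy before the live file is touched.

```python
"""Added example (not pki/FreeIPA code): add the missing
ca.subsystem.certreq key to CS.cfg and verify the upgrade scriptlet's
lookup no longer raises KeyError."""
import base64
import shutil
import tempfile

# Assumed location of the CA's CS.cfg on a CentOS 6 / IPA 3.0 host.
CS_CFG = "/var/lib/pki-ca/conf/CS.cfg"
MISSING_KEY = "ca.subsystem.certreq"


def parse_cs_cfg(text):
    """Parse CS.cfg key=value lines into a dict; comments and blanks are skipped."""
    config = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = stripped.partition("=")
        if sep:
            config[key.strip()] = value.strip()
    return config


def get_system_cert(config, prefix, tag):
    """Same lookup as pki/server/__init__.py in the traceback: raises KeyError
    when '<prefix>.<tag>.certreq' is absent, and decodes an empty value to b''."""
    cert = {}
    cert["request"] = base64.b64decode(config["%s.%s.certreq" % (prefix, tag)])
    return cert


def ensure_key(text, key, value=""):
    """Return (new_text, changed). Appends 'key=value' only when key is absent,
    so running it twice is harmless."""
    if key in parse_cs_cfg(text):
        return text, False
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "%s=%s\n" % (key, value), True


def patch_cs_cfg(path=CS_CFG, key=MISSING_KEY, value=""):
    """Back up CS.cfg next to itself and add the key. Stop pki-cad before
    calling this and start it again afterwards; return True if a change was made."""
    with open(path) as fh:
        text = fh.read()
    new_text, changed = ensure_key(text, key, value)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    # Constructed CS.cfg fragment: the subsystem cert is present, its request is not.
    sample = ("ca.subsystem.nickname=subsystemCert cert-pki-ca\n"
              "ca.subsystem.cert=MIIB\n")
    with tempfile.NamedTemporaryFile("w", suffix=".cfg", delete=False) as tmp:
        tmp.write(sample)
    print("patched:", patch_cs_cfg(tmp.name))
    with open(tmp.name) as fh:
        cfg = parse_cs_cfg(fh.read())
    print("request bytes:", get_system_cert(cfg, "ca", "subsystem")["request"])
```

On the real host the sequence is: stop pki-cad, run patch_cs_cfg() against CS.cfg, start pki-cad, and keep the .bak copy until the next restart has been watched for tracebacks.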


Re: [Freeipa-users] version compatibility between server and client

2016-03-01 Thread Martin Kosek
On 02/29/2016 07:03 PM, Rakesh Rajasekharan wrote:
> the only reason for me to avoid ipa-client-install was few of our machines
> are Amazon Linux and I was having a tough time setting up ipa over there as
> the yum does not get the repo even with epel enabled.

Ah, right. This was already discussed to some extent there:
https://www.redhat.com/archives/freeipa-users/2016-February/msg00311.html

Amazon Linux does not really fly with FreeIPA and SSSD. So if you want to avoid
these painful processes, I would recommend either increasing the pressure on
Amazon Linux to support it or switching to other AMIs, like CentOS (or even 
RHEL).

> Otherwise, I was able to get this working on all of the other systems ,
> which are centos 6.3

Good! (note that 6.3 is pretty old, IPA server on this version is known to have
some bugs and gaps. Current version is 6.7 or even better, 7.2)

> Are there any documentations on setting IPA on an Amazon Linux, if not, the
> only option would to try compiling this.

CCing Alexander in case he has any resources. But as I said above, current
situation of FreeIPA&SSSD on Amazon Linux is not great.

> 
> Thanks,
> Rakesh
> 
> On Mon, Feb 29, 2016 at 5:23 PM, Martin Kosek  wrote:
> 
>> On 02/26/2016 05:23 PM, Rakesh Rajasekharan wrote:
>>> Hi!,
>>>
>>> I had successfully set up ipa in our qa environment, but since we are
>>> running centos 6, i just got 3.0.25 version of IPA.
>>>
>>> I wanted to try out the latest 4.x version, for server by using a centos
>> 7
>>> OS. But have few questions regarding that
>>>
>>> Will there be compatibility issues, if I use a server at 4.x and clients
>> at
>>> 3.0.25
>>
>> Please see
>> http://www.freeipa.org/page/Client#Compatibility
>> There are plans for FreeIPA 4.4 to improve the "ipa" tool/API
>> compatibility too.
>>
>>> Another question is,
>>> From the documentation, I see that theres an option to manually
>> configure a
>>> client where in we do not have to install freeipa-client using
>>> ipa-client-install
>>>
>>>
>> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/linux-manual.html
>>
>> Please note that this is a quite old documentation, see here for other
>> options:
>> http://www.freeipa.org/page/Upstream_User_Guide
>>
>>> So that way , I can install the latest version of freeipa server and make
>>> my clients also be able to use the latest version without actually
>>> installing it.
>>>
>>> But, are there any issues with this approach, and how does it differ from
>>> doing a ipa-client-install on the client machine.
>>
>> I can hardly imagine when manually configuring a FreeIPA client would be a
>> good
>> idea. In vast majority of cases, ipa-client-install is what you want, to
>> configure a client against newer or older FreeIPA server version.
>>
>> Martin
>>
> 



Re: [Freeipa-users] DNSSEC KSK rollover

2016-03-01 Thread Petr Spacek
On 29.2.2016 11:54, Peter Fern wrote:
> On 02/29/2016 21:22, Petr Spacek wrote:
>> On 28.2.2016 14:51, Peter Fern wrote:
>>> Hi all,
>>> A new KSK has been auto-generated, and it's transitioned through
>>> 'published' and is now sitting in the 'ready' state, but does not appear
>>> as a DNSKEY record on the zone.  I can see that ods-enforcerd has picked
>>> up the state change correctly and logged a DSChanged event with the
>>> correct output for the new DNSKEY record, and it appears as expected in
>>> localhsm, but is not published on the zone.
>>>
>>> Running FreeIPA 4.3.0-1.fc23, anyone got pointers on how to proceed with
>>> the rollover?
>> Hi,
>>
>> I would recommend you to wait until fix
>> https://fedorahosted.org/freeipa/ticket/5334
>> is released in 4.3.1 or so.
>>
>> After that you can use procedure described on page
>> http://www.freeipa.org/page/Howto/DNSSEC
>> to run ds-seen command.
>>
>> I hope this helps.
> 
> That ticket was reported by me ;-)
> 
> The issue here is that the new KSK did not appear as a DNSKEY record, so
> running ds-seen would have been a bad idea, since the zone would be
> entirely invalid if the old key was rotated out before the new key was
> published, and the new DS record would be invalid without the
> corresponding KSK anyway.

This should be fixed in 4.3.1 too.


> I did also have some more rotated keys get stuck per #5334, and had
> cleared them prior to this issue, but I was having trouble getting the
> zone resigned correctly, and I was hoping to roll all the keys to deal
> with that.  In the end, I had to un-sign the domain and re-sign it to
> recover.
> 
> I was wondering if there were possibly some known issues/tricks with KSK
> rollover, but wasn't certain if my #5334 issues may have thrown a
> spanner in the works at some key point in the lifecycle.  I've got some
> more KSKs due to roll in a couple of months, so hopefully I can get
> 4.3.1 deployed before then, and I'll be able to see if the process goes
> smoothly without the extraneous issues.
> 
> I've also discovered the replication ACI issues in 4.3.0 (#5575 and
> friends), which are causing me some grief.  Is there a feel for how
> close we are to a 4.3.1 release?

We intend to release it in a week or two (if everything goes as planned).
Stay tuned.

-- 
Petr^2 Spacek



[Freeipa-users] Cross Forest Transitive AD Trust

2016-03-01 Thread PARTH MONGA
Hi List Members,

I have a situation I am having a hard time getting a clean answer on.

I have a IDM/IPA domain setup and I have a trust setup with my Windows
domain. That part is working perfectly.

I have a one way forest transitive trust (outgoing) with a second windows
domain. I want users in this second domain to be able to authenticate to my
IDM/IPA domain. I was hoping that this would be possible through my
transitive trust with my primary windows domain.

When I issue the command ipa trust-fetch-domains for my primary domain I
get the response no new domains found. The second domain is never found.

Here is my question. Is this even possible without creating a trust with
the second domain directly? The documentation states that IPA will traverse
all trusts and add them. However I am starting to believe that reference is
for domains in only one forest. Can anyone clear up that point for me?

Regards,

Parth

Re: [Freeipa-users] Cross Forest Transitive AD Trust

2016-03-01 Thread Alexander Bokovoy

On Wed, 02 Mar 2016, PARTH MONGA wrote:

> Hi List Members,
>
> I have a situation I am having a hard time getting a clean answer on.
>
> I have a IDM/IPA domain setup and I have a trust setup with my Windows
> domain. That part is working perfectly.
>
> I have a one way forest transitive trust (outgoing) with a second windows
> domain. I want users in this second domain to be able to authenticate to my
> IDM/IPA domain. I was hoping that this would be possible through my
> transitive trust with my primary windows domain.

No, that's not possible by AD architecture.

> When I issue the command ipa trust-fetch-domains for my primary domain I
> get the response no new domains found. The second domain is never found.

That's correct.

> Here is my question. Is this even possible without creating a trust with
> the second domain directly? The documentation states that IPA will traverse
> all trusts and add them. However I am starting to believe that reference is
> for domains in only one forest. Can anyone clear up that point for me?

The documentation is correct, you can have multiple trusts to separate
forests and domains from all of them will be usable via trust to IPA.
However, we cannot access any domains from forests that AD forest trusts
itself because while forest trust is transitive, the transitivity only
extends to domains within the forests that trust each other, there is no
transitivity across forest trusts.

If forest A's root domain A trusts forest B's root domain B, and forest
B's root domain B trusts forest C's root domain C, then A only can
transit to domains in forest B, not forest C.

See https://msdn.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx,
search for the section named "Forest trusts":
-
Forest trusts can be created between two forests only and cannot be
implicitly extended to a third forest. 
-


--
/ Alexander Bokovoy

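The rule Alexander describes, as a small model. This is an added example and not FreeIPA code; the forest and domain names are constructed. The IPA domain is modelled as a forest of its own, since that is how it appears on the AD side of a trust. domains_trusted_by() applies the real rule (parent/child trusts are transitive inside a forest, forest trusts are never chained), and domains_if_forest_trusts_chained() applies the behaviour the question hoped for, so the two can be compared.

```python
"""Added example (not FreeIPA code): which AD domains become usable through
forest trusts, following the rule that forest trusts do not chain."""
from collections import deque

# Constructed forests: each maps a domain to its parent domain inside the
# same forest (None marks the forest root). Parent/child trusts are transitive.
FORESTS = {
    "IPA":     {"ipa.test": None},
    "PRIMARY": {"corp.test": None,
                "eu.corp.test": "corp.test",
                "lab.eu.corp.test": "eu.corp.test"},
    "SECOND":  {"partner.test": None},
}

# Constructed one-way forest trusts as (trusting forest, trusted forest):
# IPA trusts the primary Windows forest, which in turn trusts a second forest.
FOREST_TRUSTS = [("IPA", "PRIMARY"), ("PRIMARY", "SECOND")]


def domains_in_forest(forest):
    """All domains of one forest, found by walking parent/child trusts from
    the root; these trusts are transitive, so every domain is reached."""
    tree = FORESTS[forest]
    root = next(d for d, parent in tree.items() if parent is None)
    seen, queue = set(), deque([root])
    while queue:
        dom = queue.popleft()
        if dom in seen:
            continue
        seen.add(dom)
        queue.extend(d for d, parent in tree.items() if parent == dom)
    return seen


def trusted_forests(forest):
    """Forests that 'forest' trusts directly (one hop, by definition)."""
    return {trusted for trusting, trusted in FOREST_TRUSTS if trusting == forest}


def domains_trusted_by(forest):
    """What AD grants: the forest's own domains plus every domain of each
    directly trusted forest. There is no second hop across forest trusts."""
    result = set(domains_in_forest(forest))
    for other in trusted_forests(forest):
        result |= domains_in_forest(other)
    return result


def fetch_domains(forest):
    """Analogue of 'ipa trust-fetch-domains': trusted domains outside our own forest."""
    return domains_trusted_by(forest) - domains_in_forest(forest)


def domains_if_forest_trusts_chained(forest):
    """What the question hoped for: forest trusts treated as transitive.
    Kept only for comparison; AD does not behave like this."""
    result, seen, queue = set(), set(), deque([forest])
    while queue:
        f = queue.popleft()
        if f in seen:
            continue
        seen.add(f)
        result |= domains_in_forest(f)
        queue.extend(trusted_forests(f))
    return result


if __name__ == "__main__":
    print("fetched by IPA:", sorted(fetch_domains("IPA")))
    print("if chained:   ", sorted(domains_if_forest_trusts_chained("IPA") - domains_in_forest("IPA")))
```

The output for the constructed data lists all three domains of the primary forest (including the grandchild lab.eu.corp.test) and never partner.test; the only way to get partner.test into the first set is to add a direct ("IPA", "SECOND") trust, which is exactly Alexander's answer.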


[Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-01 Thread Prashant Bapat
Hi,

I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.

I've installed ipa-client on a server and connected it to ipa. Shibboleth
is installed on this server and I'm able to get the Kerberos authentication
working. Documented here

.

However if I bring OTP into picture, authentication fails. Error message is
like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".

Any pointers on how to make OTP work?

Regards.
--Prashant

Re: [Freeipa-users] Cross Forest Transitive AD Trust

2016-03-01 Thread PARTH MONGA
Thanks Alexander for the prompt reply.
Appreciated.

Now I am wondering how likewise is able to do this stuff under the hood for
me.

I have similar setup with likewise and same one way incoming trust
relationships towards my primary domain (dom1) from another external domain
(dom2).

And I am able to login to my client machines using user accounts created in
dom1 and dom2.
Magic
Any thoughts >

On Wednesday, 2 March 2016, Alexander Bokovoy  wrote:

> On Wed, 02 Mar 2016, PARTH MONGA wrote:
>
>> Hi List Members,
>>
>> I have a situation I am having a hard time getting a clean answer on.
>>
>> I have a IDM/IPA domain setup and I have a trust setup with my Windows
>> domain. That part is working perfectly.
>>
>> I have a one way forest transitive trust (outgoing) with a second windows
>> domain. I want users in this second domain to be able to authenticate to
>> my
>> IDM/IPA domain. I was hoping that this would be possible through my
>> transitive trust with my primary windows domain.
>>
> No, that's not possible by AD architecture.
>
>
>> When I issue the command ipa trust-fetch-domains for my primary domain I
>> get the response no new domains found. The second domain is never found.
>>
> That's correct.
>
> Here is my question. Is this even possible without creating a trust with
>> the second domain directly? The documentation states that IPA will
>> traverse
>> all trusts and add them. However I am starting to believe that reference
>> is
>> for domains in only one forest. Can anyone clear up that point for me?
>>
> The documentation is correct, you can have multiple trusts to separate
> forests and domains from all of them will be usable via trust to IPA.
> However, we cannot access any domains from forests that AD forest trusts
> itself because while forest trust is transitive, the transitivity only
> extends to domains within the forests that trust each other, there is no
> transitivity across forest trusts.
>
> If forest A's root domain A trusts forest B's root domain B, and forest
> B's root domain B trusts forest C's root domain C, then A only can
> transit to domains in forest B, not forest C.
>
> See https://msdn.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx,
> search for the section named "Forest trusts":
> -
> Forest trusts can be created between two forests only and cannot be
> implicitly extended to a third forest. -
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] Cross Forest Transitive AD Trust

2016-03-01 Thread Alexander Bokovoy

On Wed, 02 Mar 2016, PARTH MONGA wrote:

> Thanks Alexander for the prompt reply.
> Appreciated.
>
> Now I am wondering how likewise is able to do this stuff under the hood for
> me.
>
> I have similar setup with likewise and same one way incoming trust
> relationships towards my primary domain (dom1) from another external domain
> (dom2).

You need to get your terminology right. Can you explain which of the
cases from https://kb.vmware.com/kb/2064250 would apply to your
situation?

There are quite a number of differences between different types of
trust.

> And I am able to login to my client machines using user accounts created in
> dom1 and dom2.
> Magic
> Any thoughts >

There is no magic here, your likewise setup is using different trust
mode than what IPA does. Most likely your likewise setup is a domain in
dom1 forest already.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-01 Thread Alexander Bokovoy

On Tue, 01 Mar 2016, Prashant Bapat wrote:

> Hi,
>
> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
>
> I've installed ipa-client on a server and connected it to ipa. Shibboleth
> is installed on this server and I'm able to get the Kerberos authentication
> working. Documented here
>
> .
>
> However if I bring OTP into picture, authentication fails. Error message is
> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
>
> Any pointers on how to make OTP work?

http://www.freeipa.org/page/V4/OTP
http://www.freeipa.org/page/V4/OTP/Detail

--
/ Alexander Bokovoy

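The two things the linked OTP pages ask of a client, shown in code. This is an added example and not FreeIPA or Shibboleth code. It assumes, from the FreeIPA OTP design pages, that the token value is sent appended to the password in a single field and that the Kerberos exchange must be FAST-armored (a plain kinit with the password alone is the usual way to get the PREAUTH_FAILED result in the question). The TOTP/HOTP code is the RFC 4226/6238 algorithm; the principal, host name, armor cache path and seed are constructed.

```python
"""Added example (not FreeIPA/Shibboleth code): generate the OTP token value,
build the combined first+second factor, and show the armored kinit sequence."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to 31 bits and reduction to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, at, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits, algo)


def otp_credential(password, token_value):
    """FreeIPA's OTP preauth takes the password immediately followed by the
    token value as one string (assumption from the OTP design pages)."""
    return password + token_value


def armored_kinit_commands(user_principal, host_fqdn, armor_ccache="/tmp/armor",
                           keytab="/etc/krb5.keytab"):
    """Two kinit invocations, as argv lists: first obtain an armor ticket from
    the enrolled host's keytab, then authenticate the OTP user inside a FAST
    tunnel (-T). Sending the OTP credential without armor is what the KDC
    rejects with PREAUTH_FAILED."""
    return [
        ["kinit", "-k", "-t", keytab, "-c", armor_ccache, "host/" + host_fqdn],
        ["kinit", "-T", armor_ccache, user_principal],
    ]


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 6238 test seed, constructed
    token = totp(seed, time.time())
    print("credential to present:", otp_credential("hunter2", token))
    for argv in armored_kinit_commands("prashant@EXAMPLE.TEST", "idp.example.test"):
        print(" ".join(argv))
```

An application that authenticates on the user's behalf, as the Shibboleth IdP does here, has to do the same two things: obtain and pass an armor ccache on every AS exchange, and accept the concatenated password+token from the login form rather than sending the password alone.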