Re: [Freeipa-users] FreeIPA doesn't start

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 03:36:22PM +0200, Tomasz Torcz wrote:
> On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote:
> > Hi,
> > 
> > I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2
> > 
> > When I want to start IPA with ipactl start, I run into the situation that
> > starting pki-tomcat takes a long time and ipactl aborts the starting
> > process and shuts down services. So IPA doesn't start.
> 
> Sounds like 
> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
> 
I concur - it is likely to be the same issue.  A new release of pki
on f23 is going to happen in the next day or so.  If it is the same
issue, that will fix it.

Cheers,
Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] IPA and NFSv4 with krb5 security

2016-06-30 Thread Youenn PIOLET
Hi,
First questions (sorry if it's obvious):
- Do you have a valid token on the client? (obtained with kinit)
- Did you import the keytab for NFS service on the server?
- Did you put "domain = yourdomain.tld" in your NFS server config file? On
your client?
- Depending on your (ipa? nfs?) version you may have to enable weak crypto
(I saw this everywhere but never had to do it for a reason I still ignore)

I'm far from being the most informed person on this list, but I think these
may be the first things to check.

Hope this helps,
Regards
--
Youenn Piolet
piole...@gmail.com


2016-06-30 21:47 GMT+02:00 Joanna Delaporte :

> I need some pointers for getting NFSv4 to use krb5 authorization in my IPA
> realm.
>
> My realm is new. I have just migrated some users from an NIS domain to the
> IPA realm. The numerical UIDs and GIDs do not all match. I set up NFS
> server and client, and automaps using the recommended methods in the RHEL 7
> Storage and Domain Auth/Policy guides.
>
> In the exports file on the nfsserver, as long as I
> have sec=krb5p:krb5i:krb5:sys in my options, I can successfully automount.
> However, when I remove sys, I no longer am able to mount. I have
> root_squash set.
>
> Automount hangs when I restart it, while trying to mount the first NFS
> directory.
>
> If I try to mount on the command line, I get this:
> root$ mount -t nfs4 -o rw,sec=krb5,vers=4.0 arcturus:/ /mnt
> mount.nfs4: access denied by server while mounting arcturus:/
>
> If I take out sec=krb5, it works. It just rolls back to sec=sys (confirmed
> with mountstats).
> I am not seeing anything related to the mount attempts on the nfsserver
> logs, but I'm not sure I am looking in the right logs.
>
> I don't see anything happening in the ipaserver's krb5kdc.log, or httpd
> error or access logs.
>
> What am I missing?
>
> Thanks!
> Joanna
>
>
>
> --
>
>
> Joanna Delaporte
> Linux Systems Administrator | Parkland College
> joannadelapo...@gmail.com
>
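Youenn's checklist and Joanna's observation that the mount only works while `sys` stays in the `sec=` list point at the same thing: an export that still lists `sys` lets a client whose GSS setup fails fall back to AUTH_SYS without any error. The following audit script is an added example and not code from the thread; the exports file it parses is constructed, and it follows exports(5) in treating a missing `sec=` option as `sec=sys`.

```python
"""Audit the sec= option of every export in an NFS exports file (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample exports file, not taken from the thread.
SAMPLE_EXPORTS = """\
# home directories: Kerberos offered first, AUTH_SYS still allowed as fallback
/export/home  *.example.test(rw,sec=krb5p:krb5i:krb5:sys,root_squash)
/export/tools 192.0.2.0/24(ro,sec=krb5,no_subtree_check) 10.0.0.5(rw)
/export/scratch *(rw,no_root_squash)
"""

KRB_FLAVORS = ("krb5", "krb5i", "krb5p")


@dataclass
class Export:
    path: str
    client: str
    options: list = field(default_factory=list)

    @property
    def sec(self):
        """Security flavours in the order the server offers them.
        exports(5): an export without sec= defaults to sec=sys."""
        for opt in self.options:
            if opt.startswith("sec="):
                return opt[4:].split(":")
        return ["sys"]

    def allows(self, flavor):
        return flavor in self.sec


# One "client(options)" or bare "client" token; options never contain spaces.
_CLIENT_RE = re.compile(r"(\S+?)(?:\((.*?)\))?(?=\s|$)")


def parse_exports(text):
    """Return one Export per (path, client) pair, comments stripped."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        for m in _CLIENT_RE.finditer(rest.strip()):
            opts = m.group(2) or ""
            options = [o.strip() for o in opts.split(",") if o.strip()]
            exports.append(Export(path, m.group(1), options))
    return exports


def audit(exports):
    """List exports that still accept AUTH_SYS, with the reason it matters."""
    findings = []
    for e in exports:
        if not e.allows("sys"):
            continue
        if any(f in KRB_FLAVORS for f in e.sec):
            note = ("sys listed alongside Kerberos flavours: a client whose "
                    "GSS setup fails silently falls back to AUTH_SYS")
        else:
            note = "no Kerberos flavour at all; uid/gid from the client are trusted"
        findings.append((e.path, e.client, note))
    return findings


if __name__ == "__main__":
    for path, client, note in audit(parse_exports(SAMPLE_EXPORTS)):
        print(f"{path} {client}: {note}")
```

Run it against a copy of /etc/exports before removing `sys`: an export that shows up only because of the fallback note is exactly the case in the thread, where the server denies `sec=krb5` for a reason that has to be found on the server side (the export itself is not the problem).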

[Freeipa-users] IPA and NFSv4 with krb5 security

2016-06-30 Thread Joanna Delaporte
I need some pointers for getting NFSv4 to use krb5 authorization in my IPA
realm.

My realm is new. I have just migrated some users from an NIS domain to the
IPA realm. The numerical UIDs and GIDs do not all match. I set up NFS
server and client, and automaps using the recommended methods in the RHEL 7
Storage and Domain Auth/Policy guides.

In the exports file on the nfsserver, as long as I
have sec=krb5p:krb5i:krb5:sys in my options, I can successfully automount.
However, when I remove sys, I no longer am able to mount. I have
root_squash set.

Automount hangs when I restart it, while trying to mount the first NFS
directory.

If I try to mount on the command line, I get this:
root$ mount -t nfs4 -o rw,sec=krb5,vers=4.0 arcturus:/ /mnt
mount.nfs4: access denied by server while mounting arcturus:/

If I take out sec=krb5, it works. It just rolls back to sec=sys (confirmed
with mountstats).
I am not seeing anything related to the mount attempts on the nfsserver
logs, but I'm not sure I am looking in the right logs.

I don't see anything happening in the ipaserver's krb5kdc.log, or httpd
error or access logs.

What am I missing?

Thanks!
Joanna



-- 


Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com

Re: [Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.

2016-06-30 Thread Mitra Dehghan
Dear Christian
Thanks for your explanation about shell builtin. I changed directory
permissions and now it works!

Mitra

On Tue, Jun 28, 2016 at 4:17 PM, Christian Heimes wrote:

> On 2016-06-28 09:08, Mitra Dehghan wrote:
> >
> > Hello,
> >
> > I want to know how I can give directory permissions on a client to a
> > domain user in FreeIPA.
> >
> >
> > I'm using the "runasuser" feature in sudo policy to give my domain users
> > permission to run local services on a client.
> >
> > Here is an example:
> > I have a service on my client called "abc" located at "/home/abc/" and
> > locally run by a local user called "abc".
> >
> > I have used the runasuser feature in sudo policy rules to let domain users
> > (say: u...@mydomain.dc) run the service. usr can run scripts, read
> > and edit files and stop/start services, using abc's permissions and
> > without any problem.
> >
> > But the problem I have faced is, when I want "usr" to traverse
> > subdirectories under "/home/abc/" it doesn't work.
> > I have defined sudocmd for the cd command and added it as allow-command to
> > the appropriate sudorule. My sudocmd definitions are like this:
> >
> > ipa sudocmd-add --desc="ttt" 'cd /home/abc/n/'
> > ipa sudocmd-add --desc="ttt" 'cd /home/abc/m/'
> > ipa sudocmd-add --desc="ttt" 'cd /home/abc/n/q/'
>
> cd is a builtin command of your shell. It has to be, because it changes
> the current working directory of the shell's process. sudo doesn't work for
> shell builtins. You have to find another way to accomplish your task.
>
> By the way, are you familiar with how r,w,x work for directories? 'r' is used
> for listing the content of a directory, 'w' for creating/removing files
> (except for +t directories) and 'x' is used to check if a user is
> allowed to enter a directory. You can allow users to enter a directory
> w/o actually seeing its content.
>
> Christian
>
>
>



-- 
m-dehghan
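Christian's two points (sudo cannot run a shell builtin, and a directory's x bit alone lets a user enter it without listing it) are easy to see with a model of the kernel's permission check. The script below is an added example, not code from the thread or from FreeIPA; the directory tree, modes, uid 1001 for the local "abc" account and uid 5000 for the domain user are all constructed.

```python
"""Model of the Unix directory permission checks behind Christian's answer
(added example; tree, uids and modes are constructed)."""
from collections import namedtuple

Node = namedtuple("Node", "mode uid gid")   # permission bits, owner uid, owner gid
R, W, X = 4, 2, 1

# Constructed tree: uid/gid 1001 is the local 'abc' service account,
# uid 5000 is the IPA domain user that needs to reach files under /home/abc.
TREE = {
    "/":             Node(0o755, 0, 0),
    "/home":         Node(0o755, 0, 0),
    "/home/abc":     Node(0o711, 1001, 1001),   # others: x only -> enter, no listing
    "/home/abc/n":   Node(0o750, 1001, 1001),   # group may enter and list
    "/home/abc/n/q": Node(0o755, 1001, 1001),
    "/home/abc/m":   Node(0o700, 1001, 1001),   # owner only
}


def permitted(node, uid, gids, want):
    """Discretionary check: owner, then group, then other; only the first
    matching class is consulted. root bypasses these bits on directories."""
    if uid == 0:
        return True
    if uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def can_traverse(path, uid, gids, tree=TREE):
    """True if every directory above `path` grants search (x). Read (r) on
    those directories is not needed, which is why a user can enter a
    directory without being able to list it."""
    cur = "/"
    for part in [p for p in path.split("/") if p]:
        if not permitted(tree[cur], uid, gids, X):
            return False
        cur = cur.rstrip("/") + "/" + part
    return cur in tree


def can_list(path, uid, gids, tree=TREE):
    """Listing needs traversal to the directory plus r on the directory itself."""
    return can_traverse(path, uid, gids, tree) and permitted(tree[path], uid, gids, R)


def report(uid, gids, tree=TREE):
    return {p: (can_traverse(p, uid, gids, tree), can_list(p, uid, gids, tree))
            for p in tree}


if __name__ == "__main__":
    for label, gids in (("domain user alone", {5000}),
                        ("domain user added to group 1001", {5000, 1001})):
        print(label)
        for path, (enter, ls) in report(5000, gids).items():
            print(f"  {path:16} enter={enter!s:5} list={ls}")
```

The report shows the fix is on the directories, not in sudo: once the domain user is in group 1001 (or the subdirectories carry an ACL granting x), `/home/abc/n/q` becomes reachable, while `/home/abc` itself stays unlistable because it has no r bit for others. A sudo rule can only ever run an external command such as `ls` or the service's own scripts as abc; `cd` changes the calling shell's state, which sudo cannot do.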

Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-06-30 Thread pgb205
Ben, do you mind sharing your solution as I am affected by the exact same error 
when fetching AD domains.
thanks
On Sat, Apr 30, 2016 at 9:16 AM, Ben .T.George  wrote:

When I am running ipa trust-fetch-domains "kwttestdc.com.kw", I am getting the
below error in error_log:

[Sat Apr 30 09:14:25.107449 2016] [:error] [pid 2666] ipa: ERROR: Failed to call com.redhat.idm.trust.fetch_domains helper.DBus exception is org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken..
[Sat Apr 30 09:14:25.108353 2016] [:error] [pid 2666] ipa: INFO: [jsonserver_session] admin IDM LOCAL: trust_fetch_domains(u'kwttestdc.com.kw', rights=False, all=False, raw=False, version=u'2.156'): ServerCommandError
On Sat, Apr 30, 2016 at 12:00 AM, Ben .T.George  wrote:

Hi 
Anyone please help me to fix this issue.
I have created a new group in AD (4 hours back) and while I was mapping this
group as --external, I am getting the below error.

[root@freeipa sysctl.d]# ipa group-add --external ad_admins_external --desc "KWTTESTDC.com.KW AD Administrators-External"
--------------------------------
Added group "ad_admins_external"
--------------------------------
  Group name: ad_admins_external
  Description: KWTTESTDC.com.KW AD Administrators-External
[root@freeipa sysctl.d]# ipa group-add-member ad_admins_external --external "KWTTESTDC\test admins"
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: KWTTESTDC.com.KW AD Administrators-External
  Failed members:
    member user:
    member group: KWTTESTDC\test admins: Cannot find specified domain or server name
-------------------------
Number of members added 0
-------------------------


On Fri, Apr 29, 2016 at 4:41 PM, Ben .T.George  wrote:

Hi
While issuing ipa trust-fetch-domains, I am getting the below error.
I have created a new security group in AD and I want to add this to an external
group.
[root@freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log
Help me to fix/explain more about this error.
Regards




Re: [Freeipa-users] How to migrate users with md5 and sha512 passwords

2016-06-30 Thread Joanna Delaporte
I figured it out. The problem was the user's UID being too low. In the
client's /var/log/secure log, I found this:

sshd[25010]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met
by user "user1"

The user that was failing to authenticate via password had a UID lower than
1000. When I allowed IPA to set a random UID, the login with migrated
password worked (although it didn't prompt to reset password for this user
and I'm still figuring out NFSv4 access for users). The NIS domain I am
migrating from is several years old, from the era when it was normal to
have users start in the 500s. So, I need to migrate UIDs simultaneously.

On Thu, Jun 30, 2016 at 8:16 AM, Rob Crittenden  wrote:

> Joanna Delaporte wrote:
>
>> I am migrating an NIS domain to IPA. I have attempted to follow the
>> instructions
>> 
>> for
>> NIS account crypted password migration, but I haven't yet successfully
>> used password authentication to log in to remote machines.
>>
>> The instructions expect I would migrate DES-encrypted passwords, but I
>> have a mixture of md5 and sha512-encrypted passwords. Do I need to
>> follow a different process, or am I chasing the wrong problem?
>>
>> This is my first IPA realm.
>>
>
> If you have crypt-compatible passwords ($6$) then just pass
> it in as {crypt}$6$... and it should work fine.
>
> You can ONLY set a pre-hashed password in migration mode AND when adding
> the user. You can't add the user then set a hashed password.
>
> rob
>
>


-- 


Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com
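Two facts from this thread decide whether a migrated NIS password will work: Rob's note that a crypt-format hash can only be supplied as `{crypt}$6$...` at the moment the user is added in migration mode, and Joanna's finding that the client's `pam_succeed_if` rule rejects any UID below 1000. The pre-flight script below is an added example (not FreeIPA code); its passwd and shadow entries are constructed and the hash strings are placeholders of the right shape, not real digests. It treats any crypt(3) hash as migratable but flags everything other than `$6$`, since only `$6$` is confirmed working in the thread.

```python
"""Pre-flight check for migrating NIS crypt(3) password hashes into IPA
(added example; entries are constructed, hashes are placeholders)."""
import re

PASSWD = """\
alice:x:501:501:Alice:/home/alice:/bin/bash
bob:x:1203:1203:Bob:/home/bob:/bin/bash
carol:x:1204:1204:Carol:/home/carol:/bin/bash
svc:x:77:77:Service account:/var/lib/svc:/sbin/nologin
"""
SHADOW = """\
alice:$6$rounds=5000$saltsalt$Placeholder0Sha512CryptDigest:17000:0:99999:7:::
bob:$1$saltsalt$PlaceholderMd5Crypt:17000:0:99999:7:::
carol:!!:17000:0:99999:7:::
svc:*:17000:0:99999:7:::
"""

# $id$[rounds=N$]salt$digest per crypt(5); traditional DES hashes are 13 bare chars.
HASH_RE = re.compile(
    r"^\$(?P<id>[156])\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]+$")
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
ALGO = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
MIN_UID = 1000   # the pam_succeed_if "uid >= 1000" requirement from /var/log/secure


def classify(hash_):
    """Name the hash scheme, or 'locked'/'unknown' when nothing can be migrated."""
    if not hash_ or hash_[0] in "!*":
        return "locked"
    m = HASH_RE.match(hash_)
    if m:
        return ALGO[m.group("id")]
    return "descrypt" if DES_RE.match(hash_) else "unknown"


def plan_migration(passwd, shadow, min_uid=MIN_UID):
    """One entry per user: the userPassword value to supply when the user is
    added (migration mode on; Rob notes it cannot be set afterwards) plus any
    blocker a migrated password login would hit on the client."""
    hashes = {}
    for line in shadow.splitlines():
        if line.strip():
            name, hash_, *_ = line.split(":")
            hashes[name] = hash_
    plan = []
    for line in passwd.splitlines():
        if not line.strip():
            continue
        name, _, uid, _gid, _gecos, _home, _shell = line.split(":")
        uid = int(uid)
        algo = classify(hashes.get(name, ""))
        entry = {"user": name, "uid": uid, "algo": algo, "issues": []}
        if algo in ("locked", "unknown"):
            entry["issues"].append("no migratable hash; user must set a new password")
        else:
            entry["userpassword"] = "{crypt}" + hashes[name]
            if algo != "sha512crypt":
                entry["issues"].append(
                    f"{algo}: only $6$ is confirmed working in the thread; verify first")
        if uid < min_uid:
            entry["issues"].append(
                f"uid {uid} < {min_uid}: pam_succeed_if on the client rejects password login")
        plan.append(entry)
    return plan


if __name__ == "__main__":
    for e in plan_migration(PASSWD, SHADOW):
        print(e["user"], e["uid"], e["algo"], "; ".join(e["issues"]) or "ok")
```

Feed it the real NIS maps (`ypcat passwd` and the shadow map) and fix every listed issue before the bulk add: a user reported with a low UID needs a new UID assigned as part of the migration, exactly the conclusion Joanna reached, and a locked account should simply be added without a password.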

Re: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication

2016-06-30 Thread Jakub Hrozek
On Thu, Jun 30, 2016 at 06:16:37PM +0200, Lukas Slebodnik wrote:
> On (30/06/16 15:38), Sumit Bose wrote:
> >On Wed, Jun 29, 2016 at 09:04:47AM +, tstorai@orange.com wrote:
> >> Hello,
> >> 
> >> We are using FreeIPAv3 with SSSD with Hortonworks Cluster :
> >> 
> >> -  ipa-admintools-3.0.0-47
> >> 
> >> -  ipa-client-3.0.0-47
> >> 
> >> -  sssd-ipa-1.11.6-30
> >> 
> >> 
> >> According to the following documentation, our users are automatically
> >> authenticated to Kerberos at every login:
> >> https://www.freeipa.org/page/Kerberos
> >> "When SSSD project is used, the ticket is get for a user automatically as
> >> he authenticates to client machine."
> >> 
> >> It's working pretty well but some of our users are using nominative
> >> accounts for ssh connection then access Hadoop with an applicative
> >> keytab...
> >> We agree that we have to perform a kinit at every connection, but when
> >> these users work on several sessions they lose the applicative account
> >> ticket :(
> >
> >If you use credential cache collections (type DIR: or KEYTAB:) SSSD
> According to versions of sssd, it looks like el6.
> And KEYRING collection ccache is not on el6.
> I'm not sure about DIR collection ccache.

It is there, but it was never formally tested and there might be bugs.
Also, I'm not sure about /run on RHEL-6, you might want to manually
specify another directory for the DIR cache (DIR:/tmp?)



Re: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication

2016-06-30 Thread Simo Sorce
On Thu, 2016-06-30 at 18:16 +0200, Lukas Slebodnik wrote:
> On (30/06/16 15:38), Sumit Bose wrote:
> >On Wed, Jun 29, 2016 at 09:04:47AM +, tstorai@orange.com wrote:
> >> Hello,
> >> 
> >> We are using FreeIPAv3 with SSSD with Hortonworks Cluster :
> >> 
> >> -  ipa-admintools-3.0.0-47
> >> 
> >> -  ipa-client-3.0.0-47
> >> 
> >> -  sssd-ipa-1.11.6-30
> >> 
> >> 
> >> According to the following documentation, our users are automatically
> >> authenticated to Kerberos at every login:
> >> https://www.freeipa.org/page/Kerberos
> >> "When SSSD project is used, the ticket is get for a user automatically as
> >> he authenticates to client machine."
> >> 
> >> It's working pretty well but some of our users are using nominative
> >> accounts for ssh connection then access Hadoop with an applicative
> >> keytab...
> >> We agree that we have to perform a kinit at every connection, but when
> >> these users work on several sessions they lose the applicative account
> >> ticket :(
> >
> >If you use credential cache collections (type DIR: or KEYTAB:) SSSD
> According to versions of sssd, it looks like el6.
> And KEYRING collection ccache is not on el6.
> I'm not sure about DIR collection ccache.

Correct, RHEL6 has no support for keyring ccaches, only RHEL7.

> >would only update the individual cache matching the user principal
> >stored in IPA. The caches for other principals would persist. But if the
> >principal in the applicative keytab is from the same Kerberos realm you
> >still might need to use the 'kswitch' command to set the primary
> >principal. But it should be sufficient to call it only once because the
> >information is stored in the collection and not overwritten by SSSD.
> >
> >If this does not work the affected users can add something like:
> >
> >export KRB5CCNAME=$HOME/my_cc_cache
>   ^
> Is FILE: considered the default, or does it need to be
> written as well for KRB5CCNAME?

If no ccache type is specified the krb5 libs default to the FILE ccache
type.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
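Sumit's advice (use a DIR: or KEYRING: collection, `kswitch` once to the application principal) and Simo's answer to Lukas (a KRB5CCNAME without a type prefix is a FILE: cache) can both be shown with a small model. The code below is an added example, not project code: the principals and ticket strings are constructed placeholders, and `CcacheCollection` is a toy model of the collection semantics Sumit describes (SSSD replaces only the cache for the IPA user principal and leaves the primary pointer set by kswitch alone); it is not an implementation of the real krb5 cache types.

```python
"""KRB5CCNAME parsing and a toy model of FILE: versus collection ccaches
(added example; principals, tickets and the collection model are constructed)."""

COLLECTION_TYPES = {"DIR", "KEYRING", "KCM"}
KNOWN_TYPES = COLLECTION_TYPES | {"FILE", "MEMORY", "API"}


def parse_ccname(value):
    """Split a KRB5CCNAME value into (type, residual). A value with no
    'TYPE:' prefix is a FILE cache, as Simo's answer states, so 'FILE:'
    never has to be written out."""
    prefix, sep, rest = value.partition(":")
    if sep and prefix in KNOWN_TYPES:
        return prefix, rest
    return "FILE", value


def is_collection(value):
    """DIR:, KEYRING: and KCM: hold one cache per client principal."""
    return parse_ccname(value)[0] in COLLECTION_TYPES


class FileCcache:
    """A FILE: cache holds credentials for exactly one client principal;
    whoever writes last wins, which is how the application ticket gets lost."""
    def __init__(self):
        self.principal = None
        self.tgt = None

    def store(self, principal, tgt):
        self.principal, self.tgt = principal, tgt

    kinit = sssd_login = store

    def current(self):
        return self.principal, self.tgt


class CcacheCollection:
    """One cache per principal plus a primary pointer that kswitch moves."""
    def __init__(self):
        self.caches = {}
        self.primary = None

    def store(self, principal, tgt):
        self.caches[principal] = tgt
        if self.primary is None:
            self.primary = principal   # the first cache becomes primary

    kinit = store

    def sssd_login(self, user_principal, tgt):
        # Model of Sumit's description: only the entry for the IPA user
        # principal is replaced; other caches and the pointer persist.
        self.store(user_principal, tgt)

    def kswitch(self, principal):
        if principal not in self.caches:
            raise KeyError(principal)
        self.primary = principal

    def current(self):
        return self.primary, self.caches[self.primary]


def scenario(cache):
    """The reporter's workflow: ssh login (SSSD stores a TGT), kinit -kt with
    the application keytab, switch to it, then a second ssh session makes
    SSSD refresh the user's TGT. Returns the default principal afterwards."""
    cache.sssd_login("alice@EXAMPLE.TEST", "tgt-alice-1")
    cache.kinit("hadoopapp@EXAMPLE.TEST", "tgt-app-1")
    if isinstance(cache, CcacheCollection):
        cache.kswitch("hadoopapp@EXAMPLE.TEST")
    cache.sssd_login("alice@EXAMPLE.TEST", "tgt-alice-2")
    return cache.current()


if __name__ == "__main__":
    print("FILE: after second login ->", scenario(FileCcache()))
    print("DIR:  after second login ->", scenario(CcacheCollection()))
```

With a FILE: cache the second login leaves alice's fresh TGT as the only credential; with a collection the application principal stays primary and alice's cache is refreshed beside it. On RHEL 6, where KEYRING is unavailable, `DIR:` with a directory SSSD can write to (Jakub's `DIR:/tmp?` remark) is the only collection option.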



Re: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication

2016-06-30 Thread Lukas Slebodnik
On (30/06/16 15:38), Sumit Bose wrote:
>On Wed, Jun 29, 2016 at 09:04:47AM +, tstorai@orange.com wrote:
>> Hello,
>> 
>> We are using FreeIPAv3 with SSSD with Hortonworks Cluster :
>> 
>> -  ipa-admintools-3.0.0-47
>> 
>> -  ipa-client-3.0.0-47
>> 
>> -  sssd-ipa-1.11.6-30
>> 
>> 
>> According to the following documentation, our users are automatically
>> authenticated to Kerberos at every login:
>> https://www.freeipa.org/page/Kerberos
>> "When SSSD project is used, the ticket is get for a user automatically as he
>> authenticates to client machine."
>> 
>> It's working pretty well but some of our users are using nominative accounts
>> for ssh connection then access Hadoop with an applicative keytab...
>> We agree that we have to perform a kinit at every connection, but when
>> these users work on several sessions they lose the applicative account
>> ticket :(
>
>If you use credential cache collections (type DIR: or KEYTAB:) SSSD
According to versions of sssd, it looks like el6.
And KEYRING collection ccache is not on el6.
I'm not sure about DIR collection ccache.

>would only update the individual cache matching the user principal
>stored in IPA. The caches for other principals would persist. But if the
>principal in the applicative keytab is from the same Kerberos realm you
>still might need to use the 'kswitch' command to set the primary
>principal. But it should be sufficient to call it only once because the
>information is stored in the collection and not overwritten by SSSD.
>
>If this does not work the affected users can add something like:
>
>export KRB5CCNAME=$HOME/my_cc_cache
  ^
Is FILE: considered the default, or does it need to be
written as well for KRB5CCNAME?
LS



Re: [Freeipa-users] How to reinstall the ca or the dogtag system

2016-06-30 Thread Florence Blanc-Renaud

Hi,

the message "LDAP Server Down" seems to indicate that the LDAP server is 
not started. You can restart it using:

systemctl restart dirsrv@REALM.service

Flo.

On 06/29/2016 03:58 AM, Barry wrote:

Hi:

Errors occur ...cert ni problem ..seem ca error and cannot tract cert.
thx

ipa-replica-prepare c03.abc.com  --ip-address
192.168.1.73
Directory Manager (existing master) password:

preparation of replica failed: cannot connect to u'ldapi://%2fvar%2frun%2fslapd-WISERS-COM.socket': LDAP Server Down
cannot connect to u'ldapi://%2fvar%2frun%2fslapd-ABC.COM.socket': LDAP Server Down
  File "/usr/sbin/ipa-replica-prepare", line 490, in 
    main()
  File "/usr/sbin/ipa-replica-prepare", line 274, in main
    conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dirman_password)
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
    self.handle_errors(e)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
    error=u'LDAP Server Down')

[root@central ~]# ipa-replica-prepare central03.wisers.com
 --ip-address 192.168.1.73
Directory Manager (existing master) password:

preparation of replica failed: cannot connect to u'ldapi://%2fvar%2frun%2fslapd-ABC.COM.socket': LDAP Server Down
cannot connect to u'ldapi://%2fvar%2frun%2fslapd-ABC-COM.socket': LDAP Server Down
  File "/usr/sbin/ipa-replica-prepare", line 490, in 
    main()
  File "/usr/sbin/ipa-replica-prepare", line 274, in main
    conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dirman_password)
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
    self.handle_errors(e)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
    error=u'LDAP Server Down')







[Freeipa-users] SRV records?

2016-06-30 Thread Christophe TREFOIS
Hi,

I am getting a bit confused about what is possible / advised to do and how to 
setup SRV records for our existing setup.

Currently, it looks like this:

ipa1.domain.ltd
ipa2.domain.ltd
ipa3.domain.ltd

I believe the installed domain and realm is domain.ltd (we added some other 
realm domains later on).

And we use ipa1 for external user access, ipa2 for services, and ipa3 for 
backup (not accessed directly).

We now want to create SRV records for this setup.

What would they look like?

The problem I have is that domain.ltd is also the university’s AD domain and, 
according to the docs, it is not recommended to do this, in any fashion.

Would it, however, be feasible to do this via a FreeIPA-FreeIPA migration?

Could you please share any piece of information, or advice, on this?

Thank you so much,

—
Christophe



[Freeipa-users] Fwd: How to migrate users with md5 and sha512 passwords

2016-06-30 Thread Joanna Delaporte
My first time posting. I didn't realize I needed to reply-all to include
the group. Oops!

-- Forwarded message --
From: Joanna Delaporte 
Date: Thu, Jun 30, 2016 at 10:21 AM
Subject: Re: [Freeipa-users] How to migrate users with md5 and sha512
passwords
To: Rob Crittenden 


Hi Rob,

Thanks for the clarification on the migration being able to handle standard
crypt passwords of the standard hash types. I seem to have one user that
worked and one that didn't. I'm migrating about 4000 users, but I only have
two users' passwords to test. The password that hasn't worked is about 20
chars long in cleartext. Do you know if there is a character length limit
for the passwords?

Today I'll be deleting and re-adding those two users a few times while I
try to figure out what I am missing. What is the best way to make sure the
client has an updated password accessible to sssd? I looked through the
RHEL 7 Domain Identity, Auth, and Policy Guide and didn't find a
recommended procedure for refreshing sssd cache. Should I restart the sssd
service on the IPA client when I delete/readd a user with a crypt password?

I do have sshd set with ChallengeResponseAuthentication yes.

Thanks!
Joanna

On Thu, Jun 30, 2016 at 8:16 AM, Rob Crittenden  wrote:

> Joanna Delaporte wrote:
>
>> I am migrating an NIS domain to IPA. I have attempted to follow the
>> instructions
>> 
>> for
>> NIS account crypted password migration, but I haven't yet successfully
>> used password authentication to log in to remote machines.
>>
>> The instructions expect I would migrate DES-encrypted passwords, but I
>> have a mixture of md5 and sha512-encrypted passwords. Do I need to
>> follow a different process, or am I chasing the wrong problem?
>>
>> This is my first IPA realm.
>>
>
> If you have crypt-compatible passwords ($6$) then just pass
> it in as {crypt}$6$... and it should work fine.
>
> You can ONLY set a pre-hashed password in migration mode AND when adding
> the user. You can't add the user then set a hashed password.
>
> rob
>
>


-- 


Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com




Re: [Freeipa-users] Where should the CA Location

2016-06-30 Thread Florence Blanc-Renaud

Hi,

it looks like the NSS db for slapd-ABX-com does not contain the full 
cert chain. You can run certutil -L -d /etc/dirsv/slapd-ABX-com and 
check if there is a certificate for your issuer, and if it has the C,, 
flags at least.


For instance, in my setup I am using ca2/server certificate for slapd, 
and this certificate was issued by ca2:

$ certutil -L -d /etc/dirsrv/slapd-xxx

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca2/server                                                   u,u,u
ca2                                                          C,,

Flo.

On 06/29/2016 12:26 PM, barry...@gmail.com wrote:

It is version 3.0; I cannot use those commands.

2016-06-25 2:06 GMT+08:00 Florence Blanc-Renaud:

Hi

Disclaimer: I'm new on this mailing list but willing to share
experience :)

Did you use "ipa-cacert-manage install -t C,," to install your
external CA certificate? This command copies the certificate in
cn=certificates,cn=ipa,cn=etc,dc=xxx

After this, you can use ipa-certupdate which will put the CA cert in
all the needed NSS databases and update the nickname where needed.

Flo.


On 06/23/2016 04:54 AM, barry...@gmail.com wrote:

Hi:

I renewed the external CA cert below ... the server-cert seems OK.

But the CA cert FAILS..
I ALREADY PASTED IT INTO
/etc/httpd/alias
/etc/dirsrv/slapd-PKI-IPA
/etc/dirsv/slapd-ABX-com
/var/lib/pki-ca/alias 's CA conf

any idea?

 ABX-COM...[23/Jun/2016:10:42:32 +0800] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
Portable
Runtime error -8179 - Peer's Certificate issuer is not recognized.)




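Florence's check (run `certutil -L` on the slapd database and confirm the issuer is present with at least the `C,,` flags) is easy to script when there are several NSS databases to look at, as in Barry's case. The parser below is an added example, not FreeIPA code or Florence's; the certutil listing it parses is constructed and the nicknames in it are placeholders. Nicknames may contain spaces, so the trust column is taken from the end of each line rather than by splitting on whitespace.

```python
"""Check a 389-ds NSS database listing for a trusted issuer (added example;
the certutil output and nicknames below are constructed placeholders)."""
import re
import subprocess

SAMPLE_LISTING = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,,C
Old External Root                                            ,,
"""

# One trust column per use (SSL, S/MIME, JAR/XPI); letters as in certutil(1).
TRUST_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")


def parse_certutil_list(text):
    """Map nickname -> (ssl, smime, jar) trust strings. The header lines
    fall out naturally because their last token is not a trust triple."""
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        nick, _, trust = line.rpartition(" ")
        if TRUST_RE.match(trust) and nick.strip():
            certs[nick.strip()] = tuple(trust.split(","))
    return certs


def check_server_chain(certs, server_nick, issuer_nick):
    """Return a list of problems; an empty list means slapd can find both its
    own certificate/key and a trusted issuer for the SSL use."""
    problems = []
    server = certs.get(server_nick)
    if server is None:
        problems.append(f"no certificate with nickname {server_nick!r}")
    elif "u" not in server[0]:
        problems.append(f"{server_nick!r} has no private key (u flag) for SSL")
    issuer = certs.get(issuer_nick)
    if issuer is None:
        problems.append(f"issuer {issuer_nick!r} is missing from the database")
    elif "C" not in issuer[0]:
        problems.append(f"issuer {issuer_nick!r} lacks the C (trusted CA for SSL) "
                        f"flag: {','.join(issuer)}")
    return problems


def list_nss_db(dbdir):
    """Run certutil against a real database directory (not executed here)."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir],
                         capture_output=True, text=True, check=True)
    return parse_certutil_list(out.stdout)


if __name__ == "__main__":
    certs = parse_certutil_list(SAMPLE_LISTING)
    for issuer in ("EXAMPLE.TEST IPA CA", "Old External Root", "Missing CA"):
        print(issuer, "->", check_server_chain(certs, "Server-Cert", issuer) or "ok")
```

The "Peer's Certificate issuer is not recognized" alert in Barry's log (NSS error -8179) is what the second and third checks catch: the issuer is either absent from that particular database or present without the `C` flag in the SSL column, and each of the directories he listed has to be checked separately.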






[Freeipa-users] how to make fIPA stick to only...

2016-06-30 Thread lejeczek

... its own FQHN and its IP ?

hi users,

I'm fiddling with rewrites but, being an amateur, cannot
figure it out; it's on a multi-homed, multi-IP box. Is it possible?


many thanks,

L.



Re: [Freeipa-users] what is the best way to create a search account

2016-06-30 Thread Rob Verduijn
thanx

2016-06-30 13:59 GMT+02:00 Tomasz Torcz :

> On Thu, Jun 30, 2016 at 01:22:34PM +0200, Rob Verduijn wrote:
> > Hello,
> >
> >
> > What would be the most appropriate way to create a search account so
> that a
> > third party tool (wildfly) can use it to search the ipa domain for
> > credentials ?
>
>   I guess http://www.freeipa.org/page/HowTo/LDAP#System_Accounts
>
>
> --
> Tomasz Torcz                 "Funeral in the morning, IDE hacking
> xmpp: zdzich...@chrome.pl    in the afternoon and evening." - Alan Cox
>

Re: [Freeipa-users] Best practices on enrolling existing hosts.

2016-06-30 Thread Simo Sorce
On Thu, 2016-06-30 at 10:32 -0400, Danila Ladner wrote:
> Hello folks.
> What are the best practices on enrolling existing hosts in infrastructure
> into FreeIPA?
> What do we do with local users which are present on the hosts and overlap
> with users in FreeIPA? Should we remove local users? What happens to the
> files and directories owned by them? Is it usually a manual process?

It is usually a manual process, as host by host you need to determine if
the local user is actually the same user in the central system or
another user by the same name.

In the latest FreeIPA we have ID Views, which allow you to remap POSIX
attributes (including name, uidnumber and gidnumber) exactly for cases
like this, where pre-existing users may have incompatible naming or
numbering attributes/schemes.

> I was thinking of creating some salt states, since we have around 800 hosts, to
> remove local accounts; I'm just not sure how I can remap files and directories
> to be owned by IPA users. IPA users have the same usernames but apparently
> different GIDs and UIDs.
> Would be useful to hear some insights on what folks do in the
> implementation process.

In this case the admin would manually (or by script) create a view for a
(group of) machine(s), load the overrides into the ID View, and then
apply the ID View to the machine(s).

Docs here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/id-views.html

Also here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html

Note that ID Views are not confined just to AD trust environments; this
second doc is just there to give a wider view of the feature.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
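Simo's suggestion, applied to Danila's situation (same usernames, different UIDs/GIDs, files on disk owned by the local numbers), works out to a per-host ID View whose overrides give the IPA user the numbers the host already uses, so nothing has to be chowned. The planner below is an added example and not FreeIPA project code: the local passwd content and the IPA uid/gid table are constructed, and the `ipa idview-add`, `ipa idoverrideuser-add --uid/--gid` and `ipa idview-apply --hosts` invocations it emits are assumed to match the FreeIPA CLI of that era; check them against `ipa help idviews` before running anything.

```python
"""Plan ID View overrides for one host whose local accounts collide with IPA
users (added example; passwd content, IPA table and CLI forms are assumed)."""

LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
deploy:x:500:500:Deploy account:/home/deploy:/bin/bash
jsmith:x:1001:1001:John Smith:/home/jsmith:/bin/bash
backup:x:1002:1002:Local backup:/var/backup:/sbin/nologin
"""

# name -> (uidNumber, gidNumber) as the IPA server reports them; constructed.
IPA_USERS = {
    "jsmith": (1205600001, 1205600001),
    "deploy": (1205600005, 1205600005),
}

SYSTEM_UID_MAX = 999   # local accounts at or below this are daemons, not people


def parse_passwd(text):
    """name -> (uid, gid) from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, _shell = line.split(":")
        users[name] = (int(uid), int(gid))
    return users


def plan_overrides(local, ipa, view, host):
    """Keep the numbers files on this host already use: override the IPA
    user's uid/gid inside a host-specific ID View instead of chowning."""
    conflicts, local_only = [], []
    commands = [f"ipa idview-add {view}"]
    for name, (luid, lgid) in local.items():
        if name in ipa:
            if (luid, lgid) == ipa[name]:
                continue                       # numbers agree, nothing to remap
            conflicts.append(name)
            commands.append(
                f"ipa idoverrideuser-add {view} {name} --uid={luid} --gid={lgid}")
        elif luid > SYSTEM_UID_MAX:
            local_only.append(name)            # a person with no central identity
    commands.append(f"ipa idview-apply {view} --hosts={host}")
    return {"conflicts": conflicts, "local_only": local_only, "commands": commands}


if __name__ == "__main__":
    plan = plan_overrides(parse_passwd(LOCAL_PASSWD), IPA_USERS,
                          "web01-view", "web01.example.test")
    print("override:", plan["conflicts"])
    print("review (local only):", plan["local_only"])
    print("\n".join(plan["commands"]))
```

Running this per host (the planner is what a salt state would wrap) separates the two decisions Simo describes: names that exist on both sides get an override, names that exist only locally need a human to decide whether they are the same person under a different name or an account to retire. Remove the local passwd entry only after the view is applied and `id <name>` on the host returns the overridden numbers; while both sources answer for a name, nsswitch order decides which one wins.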



[Freeipa-users] Best practices on enrolling existing hosts.

2016-06-30 Thread Danila Ladner
Hello folks.
What are the best practices on enrolling existing hosts in infrastructure
into FreeIPA?
What do we do with local users which are present on the hosts and overlap
with users in FreeIPA? Should we remove local users? What happens to the
files and directories owned by them? Is it usually a manual process?
I was thinking of creating some salt states, since we have around 800 hosts, to
remove local accounts; I'm just not sure how I can remap files and directories
to be owned by IPA users. IPA users have the same usernames but apparently
different GIDs and UIDs.
Would be useful to hear some insights on what folks do in the
implementation process.

Thank you,
Danila Ladner.

Re: [Freeipa-users] FreeIPA doesn't start

2016-06-30 Thread Andreas Ladanyi
>
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar], exists:
> [false], canRead: [false]
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar], exists: [false],
> canRead: [false]
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat7-websocket.jar], exists: [false],
> canRead: [false]
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar], exists: [false],
> canRead: [false]
rpm -qa | grep tomcat
tomcatjss-7.1.3-1.fc23.noarch
tomcat-servlet-3.1-api-8.0.32-5.fc23.noarch
tomcat-8.0.32-5.fc23.noarch
tomcat-jsp-2.3-api-8.0.32-5.fc23.noarch
tomcat-el-3.0-api-8.0.32-5.fc23.noarch
tomcat-lib-8.0.32-5.fc23.noarch

ls -la /var/lib/pki/pki-tomcat/lib/
insgesamt 20
drwxrwx---. 2 pkiuser pkiuser 4096 28. Jun 15:59 .
drwxrwx---. 8 pkiuser pkiuser 4096 22. Mai 2015  ..
lrwxrwxrwx. 1 pkiuser pkiuser   41 28. Jun 15:59 annotations-api.jar ->
/usr/share/tomcat/lib/annotations-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   38 28. Jun 15:59 catalina-ant.jar ->
/usr/share/tomcat/lib/catalina-ant.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 catalina-ha.jar ->
/usr/share/tomcat/lib/catalina-ha.jar
lrwxrwxrwx. 1 pkiuser pkiuser   34 28. Jun 15:59 catalina.jar ->
/usr/share/tomcat/lib/catalina.jar
lrwxrwxrwx. 1 pkiuser pkiuser   46 28. Jun 15:59
catalina-storeconfig.jar -> /usr/share/tomcat/lib/catalina-storeconfig.jar
lrwxrwxrwx. 1 pkiuser pkiuser   41 28. Jun 15:59 catalina-tribes.jar ->
/usr/share/tomcat/lib/catalina-tribes.jar
lrwxrwxrwx. 1 pkiuser pkiuser   45 28. Jun 15:59 commons-collections.jar
-> /usr/share/tomcat/lib/commons-collections.jar
lrwxrwxrwx. 1 pkiuser pkiuser   38 28. Jun 15:59 commons-dbcp.jar ->
/usr/share/tomcat/lib/commons-dbcp.jar
lrwxrwxrwx. 1 pkiuser pkiuser   38 28. Jun 15:59 commons-pool.jar ->
/usr/share/tomcat/lib/commons-pool.jar
lrwxrwxrwx. 1 pkiuser pkiuser   35 28. Jun 15:59 jasper-el.jar ->
/usr/share/tomcat/lib/jasper-el.jar
lrwxrwxrwx. 1 pkiuser pkiuser   32 28. Jun 15:59 jasper.jar ->
/usr/share/tomcat/lib/jasper.jar
lrwxrwxrwx. 1 pkiuser pkiuser   36 28. Jun 15:59 jasper-jdt.jar ->
/usr/share/tomcat/lib/jasper-jdt.jar
lrwxrwxrwx. 1 pkiuser pkiuser   36 22. Mai 2015  log4j.properties ->
/etc/pki/pki-tomcat/log4j.properties
lrwxrwxrwx. 1 pkiuser pkiuser   43 28. Jun 15:59 tomcat7-websocket.jar
-> /usr/share/tomcat/lib/tomcat7-websocket.jar
lrwxrwxrwx. 1 pkiuser pkiuser   36 28. Jun 15:59 tomcat-api.jar ->
/usr/share/tomcat/lib/tomcat-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   39 28. Jun 15:59 tomcat-coyote.jar ->
/usr/share/tomcat/lib/tomcat-coyote.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 tomcat-dbcp.jar ->
/usr/share/tomcat/lib/tomcat-dbcp.jar
lrwxrwxrwx. 1 pkiuser pkiuser   43 28. Jun 15:59 tomcat-el-2.2-api.jar
-> /usr/share/tomcat/lib/tomcat-el-2.2-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   43 28. Jun 15:59 tomcat-el-3.0-api.jar
-> /usr/share/tomcat/lib/tomcat-el-3.0-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   40 28. Jun 15:59 tomcat-i18n-es.jar ->
/usr/share/tomcat/lib/tomcat-i18n-es.jar
lrwxrwxrwx. 1 pkiuser pkiuser   40 28. Jun 15:59 tomcat-i18n-fr.jar ->
/usr/share/tomcat/lib/tomcat-i18n-fr.jar
lrwxrwxrwx. 1 pkiuser pkiuser   40 28. Jun 15:59 tomcat-i18n-ja.jar ->
/usr/share/tomcat/lib/tomcat-i18n-ja.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 tomcat-jdbc.jar ->
/usr/share/tomcat/lib/tomcat-jdbc.jar
lrwxrwxrwx. 1 pkiuser pkiuser   36 28. Jun 15:59 tomcat-jni.jar ->
/usr/share/tomcat/lib/tomcat-jni.jar
lrwxrwxrwx. 1 pkiuser pkiuser   44 28. Jun 15:59 tomcat-jsp-2.2-api.jar
-> /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   44 28. Jun 15:59 tomcat-jsp-2.3-api.jar
-> /usr/share/tomcat/lib/tomcat-jsp-2.3-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 tomcat-juli.jar ->
/usr/share/tomcat/lib/tomcat-juli.jar
lrwxrwxrwx. 1 pkiuser pkiuser   48 28. Jun 15:59
tomcat-servlet-3.0-api.jar ->
/usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   48 28. Jun 15:59
tomcat-servlet-3.1-api.jar ->
/usr/share/tomcat/lib/tomcat-servlet-3.1-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 tomcat-util.jar ->
/usr/share/tomcat/lib/tomcat-util.jar
lrwxrwxrwx. 1 pkiuser pkiuser   42 28. Jun 15:59 tomcat-util-scan.jar ->
/usr/share/tomcat/lib/tomcat-util-scan.jar
lrwxrwxrwx. 1 pkiuser pkiuser   42 28. Jun 15:59 tomcat-websocket.jar ->
/usr/share/tomcat/lib/tomcat-websocket.jar
lrwxrwxrwx. 1 pkiuser pkiuser   39 28. Jun 15:59 websocket-api.jar ->
/usr/share/tomcat/lib/websocket-api.jar

For example:
ls -la /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar -> File is not available
ls -la /usr/share/tomcat/lib/tomcat-jsp-2.3-api.jar -> File is ok.
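
An added diagnostic, not code from the thread or from the pki packages: it lists the symlinks in a lib directory whose targets no longer exist (the jars Tomcat's ClassLoaderFactory logs with exists: [false], canRead: [false]) and, for each, looks for an installed jar whose name differs only in version digits, which is the pattern in the listing above after the upgrade to the Tomcat 8 packages shown by rpm. The two directories are a constructed temporary fixture mirroring /var/lib/pki/pki-tomcat/lib and /usr/share/tomcat/lib; the fix the thread points to is the updated pki package, so this only identifies the stale links.

```python
import os
import re
import tempfile
from fnmatch import fnmatch


def find_dangling_symlinks(libdir: str) -> list:
    """Return (link name, target path) for each symlink in libdir whose target is
    missing; these are the jars Tomcat reports with exists: [false], canRead: [false]."""
    dangling = []
    for name in sorted(os.listdir(libdir)):
        path = os.path.join(libdir, name)
        if os.path.islink(path) and not os.path.exists(path):
            dangling.append((name, os.readlink(path)))
    return dangling


def suggest_replacement(link_name: str, installed: list):
    """Find an installed jar whose name differs from the dangling one only in
    version digits (tomcat-jsp-2.2-api.jar -> tomcat-jsp-2.3-api.jar).
    Returns None unless exactly one candidate matches."""
    pattern = re.sub(r"\d+(\.\d+)*", "*", link_name)
    matches = [jar for jar in installed if jar != link_name and fnmatch(jar, pattern)]
    return matches[0] if len(matches) == 1 else None


def stale_link_report(libdir: str, tomcat_lib: str) -> dict:
    """Map each dangling link to its old target and the likely current jar."""
    installed = [n for n in os.listdir(tomcat_lib) if n.endswith(".jar")]
    return {name: {"target": target, "replacement": suggest_replacement(name, installed)}
            for name, target in find_dangling_symlinks(libdir)}


def build_fixture() -> tuple:
    """Constructed stand-in for the two directories after the upgrade: the
    tomcat lib holds only the current jar names, while the pki-tomcat lib still
    carries symlinks created for the older names as well as the current ones."""
    root = tempfile.mkdtemp()
    tomcat_lib = os.path.join(root, "usr", "share", "tomcat", "lib")
    pki_lib = os.path.join(root, "var", "lib", "pki", "pki-tomcat", "lib")
    os.makedirs(tomcat_lib)
    os.makedirs(pki_lib)
    current = ["tomcat-jsp-2.3-api.jar", "tomcat-servlet-3.1-api.jar",
               "tomcat-el-3.0-api.jar", "tomcat-websocket.jar", "catalina.jar"]
    old = ["tomcat-jsp-2.2-api.jar", "tomcat-servlet-3.0-api.jar",
           "tomcat-el-2.2-api.jar", "tomcat7-websocket.jar"]
    for jar in current:
        open(os.path.join(tomcat_lib, jar), "w").close()
    for jar in current + old:                # links exist for both generations
        os.symlink(os.path.join(tomcat_lib, jar), os.path.join(pki_lib, jar))
    return pki_lib, tomcat_lib


if __name__ == "__main__":
    pki_lib, tomcat_lib = build_fixture()
    for link, info in stale_link_report(pki_lib, tomcat_lib).items():
        print("%-28s -> %s (missing); installed: %s"
              % (link, info["target"], info["replacement"]))
```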




Re: [Freeipa-users] How to deactivate automatic kinit at ssh login ?

2016-06-30 Thread Sumit Bose
On Thu, Jun 30, 2016 at 08:54:16AM +0200, bahan w wrote:
> Hello !
> 
> I'm using freeipa 3.0.0-47.
> 
> I am sending you this mail concerning the automatic kinit at ssh login. I wanted
> to know if it is possible to deactivate it on a specific server.
> 
> The reason is that some of my users often use a ticket other than their
> own, and this feature can be annoying for them.

Please have a look at my response to ' [Freeipa-users] FreeIPAv3 and
SSSD // Disable automatic Kerberos authentication'
(https://www.redhat.com/archives/freeipa-users/2016-June/msg00480.html)

HTH

bye,
Sumit

> 
> BR.
> 
> Bahan



Re: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication

2016-06-30 Thread Sumit Bose
On Wed, Jun 29, 2016 at 09:04:47AM +, tstorai@orange.com wrote:
> Hello,
> 
> We are using FreeIPAv3 with SSSD with a Hortonworks cluster:
> 
> -  ipa-admintools-3.0.0-47
> 
> -  ipa-client-3.0.0-47
> 
> -  sssd-ipa-1.11.6-30
> 
> 
> According to the following documentation, our users are automatically 
> authenticated to Kerberos at every login:
> https://www.freeipa.org/page/Kerberos
> "When SSSD project is used, the ticket is get for a user automatically as he 
> authenticates to client machine."
> 
> It's working pretty well, but some of our users use nominative accounts 
> for the ssh connection and then access Hadoop with an applicative keytab...
> We agree that we have to perform a kinit at every connection, but when 
> these users work in several sessions they lose the applicative account 
> ticket :(

If you use credential cache collections (type DIR: or KEYTAB:) SSSD
would only update the individual cache matching the user principal
stored in IPA. The caches for other principals would persist. But if the
principal in the applicative keytab is from the same Kerberos realm you
still might need to use the 'kswitch' command to set the primary
principal. But it should be sufficient to call it only once because the
information is stored in the collection and not overwritten by SSSD.

If this does not work the affected users can add something like:

export KRB5CCNAME=$HOME/my_cc_cache

to their .bashrc (or related config file of other shells). Then at least
in the shell all commands, like e.g. ssh, would use my_cc_cache with the
credential from the kinit with the keytab.

HTH

bye,
Sumit


> 
> To summarise:
> 
> 1. User1 connects to the system with the nominative account
>    -> Nominative Kerberos Ticket
> 
> 2. User1 uses the applicative keytab to access Hadoop
>    -> Applicative Kerberos Ticket
> 
> 3. User1 opens a new session to the system with the nominative account
>    -> Nominative Kerberos Ticket --> Applicative Kerberos Ticket is lost
> 
> 
> Impact:
> --> Failed development
> --> Forces the user to re-execute a kinit
> 
> We would like to know if it is possible to disable the automatic authentication 
> provided by SSSD?
> 
> Thanks.
> 
> Regards,
> 
> Thibault
> 
> 


Re: [Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Tomasz Torcz
On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote:
> Hi,
> 
> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2.
> 
> When I want to start IPA with ipactl start I run into the situation that
> starting pki-tomcat takes a long time and ipactl aborts the starting
> process and shuts down the services. So IPA doesn't start.

Sounds like 
https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/


-- 
Tomasz Torcz                 "Funeral in the morning, IDE hacking
xmpp: zdzich...@chrome.pl     in the afternoon and evening." - Alan Cox



[Freeipa-users] AES reverse encryption plugin on userPassword attribute

2016-06-30 Thread opensauce .
Hi All,

I need to store user passwords with reverse encryption for an application.

I know the AES plugin is enabled and available :

# AES, Password Storage Schemes, plugins, config
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
cn: AES
nsslapd-pluginDescription: AES storage scheme plugin
nsslapd-pluginEnabled: on
nsslapd-pluginId: aes-storage-scheme
nsslapd-pluginInitfunc: aes_init
nsslapd-pluginPath: libpbe-plugin
nsslapd-pluginType: reverpwdstoragescheme
nsslapd-pluginVendor: 389 Project
nsslapd-pluginVersion: 1.3.4.0
nsslapd-pluginarg0: nsmultiplexorcredentials
nsslapd-pluginarg1: nsds5ReplicaCredentials
nsslapd-pluginprecedence: 1
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject

How do I apply this plugin to the userPassword attribute of a single or
multiple users?

Thanks

Mike

Re: [Freeipa-users] How to migrate users with md5 and sha512 passwords

2016-06-30 Thread Rob Crittenden

Joanna Delaporte wrote:

I am migrating an NIS domain to IPA. I have attempted to follow the
instructions
 for
NIS account crypted password migration, but I haven't yet successfully
used password authentication to log in to remote machines.

The instructions expect I would migrate DES-encrypted passwords, but I
have a mixture of md5 and sha512-encrypted passwords. Do I need to
follow a different process, or am I chasing the wrong problem?

This is my first IPA realm.


If you have crypt-compatible passwords ($6$) then just pass 
it in as {crypt}$6$... and it should work fine.


You can ONLY set a pre-hashed password in migration mode AND when adding 
the user. You can't add the user then set a hashed password.


rob



Re: [Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Andreas Ladanyi
Here is some more info.

journal -xe tells me some errors:

INFO: Initializing ProtocolHandler ["http-bio-8443"]
Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported
by NSS
Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS

..

org.apache.jasper.servlet.TldScanner scanJars
INFO: At least one JAR was scanned for TLDs yet contained no TLDs.
Enable debug logging for this logger for a complete list o

...

org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar], exists:
[false], canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
roblem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar], exists: [false],
canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat7-websocket.jar], exists: [false],
canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
Problem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar], exists: [false],
canRead: [false]
org.apache.catalina.startup.Catalina stopServer
SEVERE: Could not contact localhost:8005. Tomcat may not be running.
org.apache.catalina.startup.Catalina stopServer
SEVERE: Catalina.stop:
java.net.ConnectException: Connection refused

.

pki-tomcatd@pki-tomcat.service: Control process exited, code=exited status=1

> Hi,
>
> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2.
>
> When I want to start IPA with ipactl start I run into the situation that
> starting pki-tomcat takes a long time and ipactl aborts the starting
> process and shuts down the services. So IPA doesn't start.
>
> ipactl start:
>
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting pki-tomcatd Service
>
> ...hangs...
>
> Failed to start pki-tomcatd Service
> Shutting down
> Aborting ipactl
>
>
> systemctl status shows the errors:
>
> ipa.service                     loaded failed failed  Identity, Policy, Audit
> kadmin.service                  loaded failed failed  Kerberos 5 Password-changing and Administration
> pki-tomcatd@pki-tomcat.service  loaded failed failed  PKI Tomcat Server pki-tomcat
>
>
> Which logfiles are important to analyse this issue of IPA ?
>
>
> Andreas
>
>
>
>


-- 

Karlsruher Institut für Technologie (KIT)
Faculty of Informatics
ATIS – Department of Technical Infrastructure

Dipl.-Ing. Andreas Ladanyi
- System Administrator -

Am Fasanengarten 5, Building 50.34, Room 013
76131 Karlsruhe

Phone: +49 721 608 - 4 3663
Fax: +49 721 608 - 4 6699
E-mail: andreas.lada...@kit.edu
www.atis.informatik.kit.edu

www.kit.edu

KIT - University of the State of Baden-Württemberg and National Research Center 
in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.




Re: [Freeipa-users] How to unset a user's kerberos principal expiration date?

2016-06-30 Thread Rob Crittenden

David Kupka wrote:

On 29/06/16 19:05, Roderick Johnstone wrote:

Hi

If I set a kerberos principal for a user to expire on a given date using:
ipa user-mod  --principal-expiration=DATE
is it possible to later remove this expiration date rather than just set
it to a time far in the future?

Thanks

Roderick Johnstone



Hello Roderick,
AFAIK the only way to remove the principal expiration at the moment is to remove
the krbPrincipalExpiration attribute from the user entry in DS.

$ kinit admin
Password for ad...@example.org
$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@example.org
SASL SSF: 56
SASL data security layer installed.
dn:uid=tuser,cn=users,cn=accounts,dc=example,dc=org
changetype: modify
delete: krbprincipalexpiration
modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org"

I think that it makes sense to expose this in the API. Could you please file
an RFE (https://fedorahosted.org/freeipa/newticket)?



You just need to pass in a blank value:

$ ipa user-mod  --principal-expiration=

rob



Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread Ludwig Krispenz


On 06/30/2016 02:45 PM, Ludwig Krispenz wrote:


On 06/30/2016 02:27 PM, d...@mdfive.dz wrote:

Hi,

Please find strace on a core file : http://pastebin.com/v9cUzau4

the crash is in an IPA plugin, ipa_pwd_extop;
to get a better stack you would also have to install the debuginfo for 
ipa-server.

but the stack matches the error messages you have seen
[30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file 
encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
[30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, 
line 225]: key encryption/encoding failed

they are from the functions in the call stack.

Looks like the user has a password with a \351 char:
cred = {bv_len = 15, bv_val = 0x7fc7880013a0 "d\351sertification"}

does the crash always happen with a bind from this user ?


and then someone familiar with this plugin should look into it


Regards


On 2016-06-30 12:13, Ludwig Krispenz wrote:

can you get a core file ?
http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes


On 06/30/2016 11:28 AM, d...@mdfive.dz wrote:

Hi,

The Directory Services crashes several times a day. It's installed 
on CentOS 7 VM :


Installed Packages
Name: ipa-server
Arch: x86_64
Version : 4.2.0

# ipactl status
Directory Service: STOPPED
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful


Before each crash, I have these messages in 
/var/log/dirsrv/slapd-X/errors :


[30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file 
encoding.c, line 171]: generating kerberos keys failed [Invalid 
argument]
[30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file 
encoding.c, line 225]: key encryption/encoding failed



Any help?
Best regards



--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander






Re: [Freeipa-users] Freeipa and spacewalk integration.

2016-06-30 Thread Danila Ladner
Thank you for reaching out. The problem has been fixed. I had forgotten to
restart tomcat6 to disable tomcat auth. User error!!!

On Thu, Jun 30, 2016 at 6:09 AM, Jan Pazdziora 
wrote:

> On Wed, Jun 29, 2016 at 03:33:34PM -0400, Danila Ladner wrote:
> > Hello Folks.
> >
> > I am stuck at this task integrating Spacewalk FreeIPA authorization.
> >
> > I have followed these docs from Spacewalk to enable web authentication
> > with FreeIPA:
> >
> > https://fedorahosted.org/spacewalk/wiki/SpacewalkAndIPA
> >
> > I did all the steps above and am trying to authenticate with a user I do
> > not have in the internal Spacewalk database, but sssd ifp with sssd_dbus
> > should help me with that.
>
> [...]
>
> > I did enable the sssd and sssd_ifp logs and see all the lookups go through;
> > if you need them I can provide them.
> > The problem seems to be at the step where Spacewalk can't create a new
> > user based on the Organization Unit name.
> > I am a little bit lost and firstly asked the Spacewalk community, but no
> > one was able to help me.
> > If anyone has any additional information on where I can troubleshoot
> > further, I'd appreciate it. I have integrated the Jenkins UI with LDAP/IPA
> > auth and it works just fine, so I am sure it is not the IPA backend but
> > something in particular with the Spacewalk httpd modules; I still can't
> > figure out what exactly is the issue.
> > If anyone has some information or has done a similar integration, I'd
> > appreciate it if you could share it.
>
> What Spacewalk version and what OS and version is this?
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>

[Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Andreas Ladanyi
Hi,

I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2.

When I want to start IPA with ipactl start I run into the situation that
starting pki-tomcat takes a long time and ipactl aborts the starting
process and shuts down the services. So IPA doesn't start.

ipactl start:

Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service

...hangs...

Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl


systemctl status shows the errors:

ipa.service                     loaded failed failed  Identity, Policy, Audit
kadmin.service                  loaded failed failed  Kerberos 5 Password-changing and Administration
pki-tomcatd@pki-tomcat.service  loaded failed failed  PKI Tomcat Server pki-tomcat


Which logfiles are important to analyse this issue of IPA ?


Andreas





Re: [Freeipa-users] 7.x replica install from 6.x master fails

2016-06-30 Thread Clough, Ryan
I too ran into this issue of certificate serial mismatch. Just wanted to
shoot a note thanking the two of you for helping. Your questions and
answers were very well articulated and very detailed. I used the info in
this thread to get my replica installed. Thank you! =)

___
Ryan Clough
Information Systems
Decision Sciences 

On Fri, Apr 15, 2016 at 8:53 AM, Petr Vobornik  wrote:

> On 04/15/2016 05:13 PM, Ott, Dennis wrote:
> > My master began life as OS 6.2 / IPA 2.1.3 / pki-9.0.3 and does not have
> > a cert database at:
> >
> > /etc/pki/pki-tomcat/alias
> >
> > At:
> >
> > /var/lib/pki-ca/alias
>
> right
>
> >
> > subsystemCert cert-pki-ca has a serial number of 18 (0x12)
> >
> > At:
> >
> > uid=CA-$HOST-8443,ou=people,o=ipaca
> >
> > the certificate has a serial number of 4.
> >
> >
> > What is the best way to fix this?
> >
> > If it matters, the master installation is old enough to have had its
> > certs auto-renewed.
>
> Yes, certs were renewed but the PKI user entry was not, which causes the
> issue. This has been seen on very old IPA installations.
>
> 1) Login into IPA Master (RHEL 6) - as root.
>
> 2) Redirect "subsystemCert cert-pki-ca" to a file.
>
> # certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca"
> -a > /tmp/subsystemcert.pem
>
> 3) Drop the header/footer and combine this into a single line.
>
> # echo && cat /tmp/subsystemcert.pem | sed -rn '/^-----BEGIN CERTIFICATE-----$/{:1;n;/^-----END CERTIFICATE-----$/b2;H;b1};:2;${x;s/\s//g;p}'
>
> 4) String generated in step 3 needs to be added under attribute
> "usercertificate;binary:" below.
>
>
> ===
> # ldapmodify -x -h 127.0.0.1 -p 7389 -D 'cn=Directory Manager' -W << EOF
> dn: uid=CA-ptipa1.example.com-9443,ou=people,o=ipaca
> changetype: modify
> add: usercertificate;binary
> usercertificate;binary: MIIDyTCCAr..Y4EKCneFA== <-- ADD the full string
> from step 3.
> -
> replace: description
> description: 2;18;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA
> Subsystem,O=EXAMPLE.COM
> EOF
>
> ===
>
> Note: the description field attribute has format:
>::: subjectdn>
>
>
> 5) Once the above command is successful restart IPA service
>
> # service ipa restart
>
> 6) Check if the mapping is now correct.
>
> # pki-server ca-user-show CA-ptipa1.example.com-9443 | egrep "User
> ID|Description"
>
> >
> > Dennis
> >
> >
> > -Original Message-
> > From: Petr Vobornik [mailto:pvobo...@redhat.com]
> > Sent: Friday, April 15, 2016 10:06 AM
> > To: Ott, Dennis; Freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >
> > On 04/15/2016 03:51 PM, Ott, Dennis wrote:
> >> Looks like we're out of ideas.
> >>
> >> I'll proceed with Plan B.
> >>
> >
> > A possibility is also to check if
> >
> > Serial number of
> >
> > certutil -d /etc/pki/pki-tomcat/alias -L -n 'subsystemCert cert-pki-ca'
> >
> > matches serial number of the cert below (4) and if
> >
> > uid=CA-$HOST-8443,ou=people,o=ipaca
> >
> > has actually the same cert in userCertificate attribute
> >
> > Or maybe to do the same with other PKI users in ou=people,o=ipaca
> >
> >> -Original Message-
> >> From: Ott, Dennis
> >> Sent: Monday, April 11, 2016 12:27 PM
> >> To: Ott, Dennis; Petr Vobornik; Freeipa-users@redhat.com
> >> Subject: RE: [Freeipa-users] 7.x replica install from 6.x master fails
> >>
> >> As a test, I attempted to do a replica install on a Fedora 23 machine.
> >> It fails with the same error.
> >>
> >> Dennis
> >>
> >>
> >>
> >> -Original Message-
> >> From: freeipa-users-boun...@redhat.com
> >> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ott, Dennis
> >> Sent: Thursday, April 07, 2016 5:39 PM
> >> To: Petr Vobornik; Freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >>
> >> It doesn't look like that is my problem. The output of pki-server
> >> ca-group-member-find "Subsystem Group" gives:
> >>
> >>
> >>   User ID: CA-ptipa1.example.com-9443
> >>   Common Name: CA-ptipa1.example.com-9443
> >>   Surname: CA-ptipa1.example.com-9443
> >>   Type: agentType
> >>   Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA
> >>   Subsystem,O=EXAMPLE.COM
> >>   E-mail:
> >>
> >> All the certs seem valid:
> >>
> >> # getcert list | grep expires
> >> expires: 2017-07-18 00:55:14 UTC
> >> expires: 2017-07-18 00:54:14 UTC
> >> expires: 2017-07-18 00:54:14 UTC
> >> expires: 2017-07-18 00:54:14 UTC
> >> expires: 2017-07-18 00:54:14 UTC
> >> expires: 2017-08-09 00:54:19 UTC
> >> expires: 2017-08-09 00:54:19 UTC
> >> expires: 2017-08-09 00:54:21 UTC #
> >>
> >> I was wondering if I might be hitting this:
> >>
> >> 
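
A check for the mismatch Petr describes, as an added example that is not part of the thread or of the FreeIPA/pki tooling: it strips a PEM certificate to the single base64 line of step 3, reads the serial number straight out of the DER, compares it with the serial recorded in the PKI user's description attribute, and emits the corrective LDIF of step 4. The `<version>;<serial>;<issuer DN>;<subject DN>` layout of description is inferred from the values quoted in the thread, the sample certificate is a constructed, structurally minimal DER stand-in rather than a real certificate, and the LDIF uses `::` (LDIF's base64 marker) where the thread's heredoc used a single colon.

```python
import base64
import textwrap


def pem_to_single_line(pem: str) -> str:
    """Step 3: drop the BEGIN/END lines and all whitespace, leaving the base64
    body as one line suitable for the usercertificate;binary value."""
    body = []
    for line in pem.strip().splitlines():
        line = line.strip()
        if line and not line.startswith("-----"):
            body.append(line)
    return "".join(body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_serial(der: bytes) -> int:
    """serialNumber from Certificate -> tbsCertificate -> [0] version (optional) -> INTEGER."""
    tag, pos, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)        # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _read_tlv(der, pos)    # first TBS element
    if tag == 0xA0:                          # EXPLICIT [0] version present: skip it
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)


def parse_description(desc: str):
    """Split '<version>;<serial>;<issuer DN>;<subject DN>'; layout inferred from the
    thread's '2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM'."""
    parts = desc.split(";", 3)
    if len(parts) != 4:
        raise ValueError("unexpected description layout: %r" % desc)
    return int(parts[0]), int(parts[1]), parts[2], parts[3]


def check_mapping(description: str, cert_b64: str) -> dict:
    """Compare the serial the PKI user entry records with the serial of the
    certificate actually in the NSS database (the mismatch behind the failed install)."""
    _, desc_serial, _, _ = parse_description(description)
    cert_serial = der_serial(base64.b64decode(cert_b64))
    return {"description_serial": desc_serial,
            "certificate_serial": cert_serial,
            "match": desc_serial == cert_serial}


def build_fix_ldif(dn: str, cert_b64: str, description: str) -> str:
    """Step 4 as LDIF: add the current cert and point description at its serial.
    '::' marks a base64-encoded value in LDIF (RFC 2849)."""
    version, _, issuer, subject = parse_description(description)
    serial = der_serial(base64.b64decode(cert_b64))
    return "\n".join([
        "dn: %s" % dn,
        "changetype: modify",
        "add: usercertificate;binary",
        "usercertificate;binary:: %s" % cert_b64,
        "-",
        "replace: description",
        "description: %d;%d;%s;%s" % (version, serial, issuer, subject),
        "",
    ])


def _tlv(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder for the constructed sample (short-form lengths only)."""
    return bytes([tag, len(body)]) + body


# Constructed stand-in for a renewed subsystemCert with serial 18 (0x12):
# SEQUENCE { SEQUENCE { [0] { INTEGER 2 }, INTEGER 18, SEQUENCE {} } }.
# Only the structure up to serialNumber is real; the remaining TBS fields are omitted.
SAMPLE_CERT_DER = _tlv(0x30, _tlv(0x30,
    _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x12") + _tlv(0x30, b"")))
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(SAMPLE_CERT_B64, 64))
              + "\n-----END CERTIFICATE-----\n")
# The stale user entry still records the pre-renewal serial 4, as in the thread.
STALE_DESCRIPTION = "2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM"
PKI_USER_DN = "uid=CA-ptipa1.example.com-9443,ou=people,o=ipaca"

if __name__ == "__main__":
    b64 = pem_to_single_line(SAMPLE_PEM)
    print(check_mapping(STALE_DESCRIPTION, b64))
    print(build_fix_ldif(PKI_USER_DN, b64, STALE_DESCRIPTION))
```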

[Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication

2016-06-30 Thread tstorai.ext
Hello,

We are using FreeIPAv3 with SSSD with a Hortonworks cluster:

-  ipa-admintools-3.0.0-47

-  ipa-client-3.0.0-47

-  sssd-ipa-1.11.6-30


According to the following documentation, our users are automatically 
authenticated to Kerberos at every login:
https://www.freeipa.org/page/Kerberos
"When SSSD project is used, the ticket is get for a user automatically as he 
authenticates to client machine."

It's working pretty well, but some of our users use nominative accounts 
for the ssh connection and then access Hadoop with an applicative keytab...
We agree that we have to perform a kinit at every connection, but when 
these users work in several sessions they lose the applicative account ticket 
:(

To summarise:

1. User1 connects to the system with the nominative account
   -> Nominative Kerberos Ticket

2. User1 uses the applicative keytab to access Hadoop
   -> Applicative Kerberos Ticket

3. User1 opens a new session to the system with the nominative account
   -> Nominative Kerberos Ticket --> Applicative Kerberos Ticket is lost


Impact:
--> Failed development
--> Forces the user to re-execute a kinit

We would like to know if it is possible to disable the automatic authentication 
provided by SSSD?

Thanks.

Regards,

Thibault


_

Ce message et ses pieces jointes peuvent contenir des informations 
confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce 
message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages 
electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou 
falsifie. Merci.

This message and its attachments may contain confidential or privileged 
information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete 
this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been 
modified, changed or falsified.
Thank you.


Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread Ludwig Krispenz


On 06/30/2016 02:27 PM, d...@mdfive.dz wrote:

Hi,

Please find strace on a core file : http://pastebin.com/v9cUzau4

the crash is in an IPA plugin, ipa_pwd_extop;
to get a better stack you would also have to install the debuginfo for 
ipa-server.

and then someone familiar with this plugin should look into it


Regards


On 2016-06-30 12:13, Ludwig Krispenz wrote:

can you get a core file ?
http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes


On 06/30/2016 11:28 AM, d...@mdfive.dz wrote:

Hi,

The Directory Services crashes several times a day. It's installed 
on CentOS 7 VM :


Installed Packages
Name: ipa-server
Arch: x86_64
Version : 4.2.0

# ipactl status
Directory Service: STOPPED
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful


Before each crash, I have these messages in 
/var/log/dirsrv/slapd-X/errors :


[30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file 
encoding.c, line 171]: generating kerberos keys failed [Invalid 
argument]
[30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file 
encoding.c, line 225]: key encryption/encoding failed



Any help?
Best regards





Re: [Freeipa-users] what is the best way to create a search account

2016-06-30 Thread Natxo Asenjo
hi Rob,

On Thu, Jun 30, 2016 at 1:22 PM, Rob Verduijn 
wrote:

> Hello,
>
>
> What would be the most appropriate way to create a search account so that
> a third party tool (wildfly) can use it to search the ipa domain for
> credentials ?
>

I just create a normal account. We rotate passwords on a regular basis, but
you could just set the krbpasswordexpiration attribute far in the future.

--
Groeten,
natxo

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread dev

Hi,

Please find strace on a core file : http://pastebin.com/v9cUzau4

Regards




Re: [Freeipa-users] what is the best way to create a search account

2016-06-30 Thread Tomasz Torcz
On Thu, Jun 30, 2016 at 01:22:34PM +0200, Rob Verduijn wrote:
> Hello,
> 
> 
> What would be the most appropriate way to create a search account so that a
> third party tool (wildfly) can use it to search the ipa domain for
> credentials ?

  I guess http://www.freeipa.org/page/HowTo/LDAP#System_Accounts


-- 
Tomasz Torcz                  "Funeral in the morning, IDE hacking
xmpp: zdzich...@chrome.pl      in the afternoon and evening." - Alan Cox

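Worked example for the "system account" approach Tomasz points to (added here; this is not code from the thread, from the FreeIPA HowTo page or from the FreeIPA project). It builds the LDIF for a bind-only entry under cn=sysaccounts,cn=etc,<suffix>, which is the layout that HowTo describes, and emits the ldapadd and ldapwhoami invocations to apply and verify it. The hostname ipa.example.com, the suffix dc=example,dc=com and the account name "wildfly" are placeholders.

```python
"""Dedicated LDAP bind account for a third-party application (e.g. WildFly).

Added example, not code from the thread or the FreeIPA project. The entry lives
under cn=sysaccounts,cn=etc,<suffix>, so it is not a user in cn=users: it has no
POSIX identity and no Kerberos principal, and can only bind and search.
"""
import secrets
import string
from typing import List

# Placeholder deployment values (assumptions, not from the thread).
LDAP_URI = "ldap://ipa.example.com"
SUFFIX = "dc=example,dc=com"
ACCOUNT = "wildfly"

# 2038-01-19 03:14:07Z: a "never" value for passwordExpirationTime, as the HowTo uses.
FAR_FUTURE = "20380119031407Z"

_RDN_SPECIALS = ',=+"\\<>;'


def generate_password(length: int = 32) -> str:
    """Random bind password from the CSPRNG; 32 alphanumerics is about 190 bits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def system_account_dn(uid: str, suffix: str = SUFFIX) -> str:
    """DN of a system account. Rejects uids that would need RDN escaping."""
    if not uid or any(c in _RDN_SPECIALS for c in uid):
        raise ValueError("uid must be a plain RDN value without LDAP special characters")
    return f"uid={uid},cn=sysaccounts,cn=etc,{suffix}"


def system_account_ldif(uid: str, password: str, suffix: str = SUFFIX,
                        expires: str = FAR_FUTURE) -> str:
    """LDIF (changetype: add) for a bind-only account.

    - account + simpleSecurityObject only: no posixAccount, no Kerberos
      principal, so the entry cannot log in to hosts or obtain tickets.
    - passwordExpirationTime far in the future, otherwise the directory's
      password policy would expire the bind password.
    - nsIdleTimeout: 0 so the application's pooled connections are not
      closed by the idle-timeout policy.
    """
    return (
        f"dn: {system_account_dn(uid, suffix)}\n"
        "changetype: add\n"
        "objectClass: account\n"
        "objectClass: simpleSecurityObject\n"
        f"uid: {uid}\n"
        f"userPassword: {password}\n"
        f"passwordExpirationTime: {expires}\n"
        "nsIdleTimeout: 0\n"
    )


def ldapadd_argv(ldap_uri: str = LDAP_URI) -> List[str]:
    """ldapadd as Directory Manager, reading the LDIF from stdin.

    -ZZ makes STARTTLS mandatory so the password in the LDIF is never sent in
    clear; an enrolled IPA client already trusts the IPA CA via
    TLS_CACERT /etc/ipa/ca.crt in /etc/openldap/ldap.conf.
    """
    return ["ldapadd", "-ZZ", "-H", ldap_uri, "-x", "-D", "cn=Directory Manager", "-W"]


def ldapwhoami_argv(uid: str, ldap_uri: str = LDAP_URI, suffix: str = SUFFIX) -> List[str]:
    """Verification bind as the new account; success prints 'dn: <account dn>'."""
    return ["ldapwhoami", "-ZZ", "-H", ldap_uri, "-x", "-D",
            system_account_dn(uid, suffix), "-W"]


if __name__ == "__main__":
    import shlex
    pw = generate_password()
    print(system_account_ldif(ACCOUNT, pw))
    print("# apply:  " + shlex.join(ldapadd_argv()) + " < account.ldif")
    print("# verify: " + shlex.join(ldapwhoami_argv(ACCOUNT)))
```

Running the script prints the LDIF plus the two commands; save the LDIF to a file, run the ldapadd line, then the ldapwhoami line must print the account's DN. Keep the generated password in the application's credential store only: the directory never hands userPassword back to a bind, so "searching for credentials" from WildFly means binding as the application's own users, not reading their hashes.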


[Freeipa-users] what is the best way to create a search account

2016-06-30 Thread Rob Verduijn
Hello,


What would be the most appropriate way to create a search account so that a
third party tool (wildfly) can use it to search the ipa domain for
credentials ?

Cheers
Rob

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread dev

OK, for CentOS 7 I installed it with:
yum install -y --enablerepo=base-debuginfo 389-ds-base-debuginfo

I'll be back once I get a core file.

Regards



Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread dev

Hi,

There is no 389-ds-base-debuginfo in repos

# yum search debug-info | sort | head

0install-debuginfo.x86_64 : Debug information for package 0install
2048-cli-debuginfo.x86_64 : Debug information for package 2048-cli
389-admin-debuginfo.x86_64 : Debug information for package 389-admin
389-adminutil-debuginfo.x86_64 : Debug information for package 
389-adminutil

3proxy-debuginfo.x86_64 : Debug information for package 3proxy
aalib-debuginfo.x86_64 : Debug information for package aalib
abduco-debuginfo.x86_64 : Debug information for package abduco
activemq-cpp-debuginfo.x86_64 : Debug information for package 
activemq-cpp

admesh-debuginfo.x86_64 : Debug information for package admesh
advancecomp-debuginfo.x86_64 : Debug information for package advancecomp


Regards



Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread Ludwig Krispenz

can you get a core file ?
http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes




Re: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1

2016-06-30 Thread Tomasz Torcz
On Wed, Jun 22, 2016 at 10:26:16AM -0400, Rob Crittenden wrote:
> Tomasz Torcz wrote:
> > On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
> > > > > > [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] 
> > > > > > CertificateOperationError: Certificate operation cannot be 
> > > > > > completed: Unable to communicate with CMS (Internal Server Error)
> > > > > > [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
> > > > > > [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: 
> > > > > > INFO: [jsonserver_session] ad...@pipebreaker.pl: 
> > > > > > cert_find(version=u'2.164'): CertificateOperationError
> > > > > > 
> > > > > >  How to fix those?
> > > > > 
> > > > > You'll need to look at the dogtag debug log for the reason it threw a 
> > > > > 500,
> > > > > it's in /var/log/pki-tomcat/ca or something close to that.
> > > > 
> > > > 
> > > > I've looked into the logs but I'm not wiser.  Is there a setting to get
> > > > rid of java traceback from logs and get more useful messages?  There seems
> > > > to be a problem with SSL connection to port 636, maybe because it seems to use
> > > > an expired certificate?
> > > 
> > > Not that I know of. The debug log is sure a firehose but you've identified
> > > the problem.
> > > 
> > > > $ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
> > > > depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
> > > > verify return:1
> > > > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > > > verify error:num=10:certificate has expired
> > > > notAfter=Nov 17 12:19:28 2015 GMT
> > > > verify return:1
> > > > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > > > notAfter=Nov 17 12:19:28 2015 GMT
> > > > verify return:1
> > > > DONE
> > > 
> > > Run getcert list and look at the expiration dates. What you want to do is
> > > kill ntpd, set the date back to say a week before the oldest date, restart
> > > the dirsrv, restart the pki-tomcat/pki-cad service then restart 
> > > certmonger.
> > > This should force a renewal attempt.
> 
> What you need to do is setup certmonger to track all the certificates
> properly and get things renewed. I'm away from my desk so can't provide any
> instructions on how to do this and they depend on whether or not this
> machine is the renewal master.


   I've used instructions from 
https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
to remind certmonger about other certificates. I had to adjust paths:
-d /var/lib/pki/pki-tomcat/alias/
-B /usr/libexec/ipa/certmonger/stop_pkicad 
and
-C '/usr/libexec/ipa/certmonger/renew_ca_cert "${nickname}"'

I've rolled back time and I'm waiting for certmonger to refresh
those certs:

Request ID '20160630083224':
status: MONITORING
subject: CN=CA Audit,O=PIPEBREAKER.PL
expires: 2015-11-06 09:42:50 UTC
Request ID '20160630083226':
status: MONITORING
subject: CN=CA Subsystem,O=PIPEBREAKER.PL
expires: 2015-11-06 09:42:49 UTC
Request ID '20160630083227':
status: MONITORING
subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
expires: 2017-10-25 15:20:52 UTC
root@okda ca$ date
Thu Nov  5 11:39:41 CET 2015

It's been 2 hours and certificates are still not refreshed.


 
> > P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing 
> > already expired CA certificate) didn't
> > make into FreeIPA 4.4.0 alpha. :-(
> 
> This is unrelated. I seriously doubt your CA is near expiration (my guess is
> it expires in 2033).

  I'm not sure about CA certificate itself, but "CA Subsystem" certificate is
expired. As far as I understand, 1752 is about refreshing certs by going
directly through socket, mitigating expired certificates.

-- 
Tomasz Torcz                  "Funeral in the morning, IDE hacking
xmpp: zdzich...@chrome.pl      in the afternoon and evening." - Alan Cox

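Rob's advice above is to run getcert list and look at the expiration dates; Tomasz's listing shows why that matters: two requests are in status MONITORING yet already expired, and certmonger will not renew them by itself. The script below (added here; not code from the thread, from certmonger or from FreeIPA) parses getcert list output into records and reports everything expired, expiring within a window, or with an unreadable expiry. SAMPLE_GETCERT_OUTPUT is constructed from the three requests quoted in this message; on a real server it reads the live output instead.

```python
"""Triage `getcert list` output for expired or soon-to-expire certificates.

Added example, not code from the thread, certmonger or FreeIPA. The sample
output below is constructed from the three requests quoted in the thread.
"""
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20160630083224':
\tstatus: MONITORING
\tsubject: CN=CA Audit,O=PIPEBREAKER.PL
\texpires: 2015-11-06 09:42:50 UTC
Request ID '20160630083226':
\tstatus: MONITORING
\tsubject: CN=CA Subsystem,O=PIPEBREAKER.PL
\texpires: 2015-11-06 09:42:49 UTC
Request ID '20160630083227':
\tstatus: MONITORING
\tsubject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
\texpires: 2017-10-25 15:20:52 UTC
"""

_REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
_FIELD_RE = re.compile(r"^\s+([^:]+?):\s*(.*)$")   # indented "key: value" lines


def utc(y: int, mo: int, d: int, h: int = 0, mi: int = 0, s: int = 0) -> datetime:
    """Timezone-aware UTC timestamp, used as the reference "now"."""
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


@dataclass
class TrackedCert:
    request_id: str
    status: str
    subject: str
    expires: Optional[datetime]   # None when certmonger prints something unparsable

    def days_left(self, now: datetime) -> Optional[float]:
        if self.expires is None:
            return None
        return (self.expires - now).total_seconds() / 86400


def _parse_expires(value: str) -> Optional[datetime]:
    """certmonger prints e.g. '2015-11-06 09:42:50 UTC'; anything else -> None."""
    m = re.match(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC$", value)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def _build(fields: Dict[str, str]) -> TrackedCert:
    return TrackedCert(request_id=fields["request_id"],
                       status=fields.get("status", ""),
                       subject=fields.get("subject", ""),
                       expires=_parse_expires(fields.get("expires", "")))


def parse_getcert_list(text: str) -> List[TrackedCert]:
    """One record per 'Request ID' block; lines before the first block are ignored."""
    certs: List[TrackedCert] = []
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _REQUEST_RE.match(line)
        if m:
            if fields:
                certs.append(_build(fields))
            fields = {"request_id": m.group(1)}
            continue
        m = _FIELD_RE.match(line)
        if m and fields:
            fields[m.group(1)] = m.group(2)
    if fields:
        certs.append(_build(fields))
    return certs


def needing_attention(certs: List[TrackedCert], now: datetime,
                      warn_days: int = 30) -> List[TrackedCert]:
    """Expired, expiring within warn_days, or with an unreadable expiry date."""
    return [c for c in certs if c.days_left(now) is None or c.days_left(now) <= warn_days]


def report(certs: List[TrackedCert], now: datetime, warn_days: int = 30) -> List[str]:
    """Human-readable lines; 'MONITORING' next to 'EXPIRED' is the thread's situation."""
    out = []
    for c in needing_attention(certs, now, warn_days):
        d = c.days_left(now)
        if d is None:
            state = "unknown expiry"
        elif d < 0:
            state = "EXPIRED %.0f days ago" % -d
        else:
            state = "expires in %.0f days" % d
        out.append(f"{c.request_id}  {c.status:<12} {state}: {c.subject}")
    return out


if __name__ == "__main__":
    try:
        text = subprocess.run(["getcert", "list"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_GETCERT_OUTPUT   # offline demo with the thread's data
    # If the clock was rolled back for renewal (as in the thread), pass the
    # real date here instead of trusting the system clock.
    for line in report(parse_getcert_list(text), datetime.now(timezone.utc)):
        print(line)
```

With the sample data and a reference date of 2016-06-30 the report lists the CA Audit and CA Subsystem certificates as expired and leaves the server certificate out; run it as root on the IPA server to get the same triage for the live tracking list.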


Re: [Freeipa-users] Freeipa and spacewalk integration.

2016-06-30 Thread Jan Pazdziora
On Wed, Jun 29, 2016 at 03:33:34PM -0400, Danila Ladner wrote:
> Hello Folks.
> 
> I am stuck at this task integrating spacewalk freeipa authorization.
> 
> I have followed this docs from spacewalk to enable web authentication with
> FreeIPA:
> 
> https://fedorahosted.org/spacewalk/wiki/SpacewalkAndIPA
> 
> I did all the steps above and trying to authenticate with the user I do not
> have in the internal spacewalk database, but sssd ifp with sssd_dbus should
> help me with that.

[...]

> I did enable sssd and sssd_ifp logs and see all the lookups go through if
> you need them i can provide them.
> The problem is it seems on the step where spacewalk can't create a new user
> based on Organization Unit name.
> I am a little bit lost and firstly asked Spacewalk community but no one was
> able to help me.
> If anyone has any additional information where can I troubleshoot further,
> I'd appreciate it. I have integrated Jenkins UI with LDAP/IPA auth and it
> works just fine, so I am sure it is not IPA backend, but something in
> particular with spacewalk httpd modules, but still can't figure out what
> exactly is the issue.
> If anyone has some information or has done a similar integration, I'd appreciate
> if you can share it.

What Spacewalk version and what OS and version is this?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



[Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread dev

Hi,

The Directory Service crashes several times a day. It's installed on 
CentOS 7 VM :


Installed Packages
Name: ipa-server
Arch: x86_64
Version : 4.2.0

# ipactl status
Directory Service: STOPPED
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful


Before each crash, I have these messages in 
/var/log/dirsrv/slapd-X/errors :


[30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file 
encoding.c, line 171]: generating kerberos keys failed [Invalid 
argument]
[30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, 
line 225]: key encryption/encoding failed



Any help?
Best regards



Re: [Freeipa-users] How to unset a user's kerberos principal expiration date?

2016-06-30 Thread David Kupka

On 29/06/16 19:05, Roderick Johnstone wrote:

> Hi
>
> If I set a kerberos principal for a user to expire on a given date using:
> ipa user-mod  --principal-expiration=DATE
> is it possible to later remove this expiration date rather than just set
> it to a time far in the future?
>
> Thanks
>
> Roderick Johnstone



Hello Roderick,
AFAIK the only way to remove principal expiration at the moment is to remove 
the krbPrincipalExpiration attribute from the user entry in DS.


$ kinit admin
Password for ad...@example.org
$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@example.org
SASL SSF: 56
SASL data security layer installed.
dn:uid=tuser,cn=users,cn=accounts,dc=example,dc=org
changetype: modify
delete: krbprincipalexpiration
modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org"

I think that it makes sense to expose this in API. Could you please file 
RFE (https://fedorahosted.org/freeipa/newticket)?


--
David Kupka



[Freeipa-users] How to deactivate automatic kinit at ssh login ?

2016-06-30 Thread bahan w
Hello !

I'm using freeipa 3.0.0-47.

I am sending you this mail concerning the automatic kinit at ssh login. I wanted
to know if it is possible to deactivate it on a specific server.

The reason is that I have some of my users who often use another ticket
than their own and this feature can be annoying for them.

BR.

Bahan