Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server
These are fresh logs from a last attempt to create a replica.

Centos 7 /var/log/pki/pki-tomcat/ca/debug

[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: === Token Panel ===
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: === Security Domain Panel ===
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Joining existing security domain
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Resolving security domain URL https://ipa-server.nelios:443
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Getting security domain cert chain
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Getting install token
[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Getting install token
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Getting old cookie
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Token: null
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Install token is null
[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Failed to obtain installation token from security domain

Centos 6 /var/log/pki-ca/debug

[09/Sep/2016:22:59:42][TP-Processor3]: GetCookie before auth, url = https://ipa2-server2.nelios:443/ca/admin/console/config/wizard?p=5&subsystem=CA
[09/Sep/2016:22:59:42][TP-Processor3]: IP: 192.168.4.175
[09/Sep/2016:22:59:42][TP-Processor3]: AuthMgrName: passwdUserDBAuthMgr
[09/Sep/2016:22:59:42][TP-Processor3]: CMSServlet: no client certificate found
[09/Sep/2016:22:59:42][TP-Processor3]: Authentication: UID=admin
[09/Sep/2016:22:59:42][TP-Processor3]: In LdapBoundConnFactory::getConn()
[09/Sep/2016:22:59:42][TP-Processor3]: masterConn is connected: true
[09/Sep/2016:22:59:42][TP-Processor3]: getConn: conn is connected true
[09/Sep/2016:22:59:42][TP-Processor3]: getConn: mNumConns now 2
[09/Sep/2016:22:59:42][TP-Processor3]: LdapAnonConnFactory::getConn
[09/Sep/2016:22:59:42][TP-Processor3]: LdapAnonConnFactory.getConn(): num avail conns now 2
[09/Sep/2016:22:59:42][TP-Processor3]: returnConn: mNumConns now 3
[09/Sep/2016:22:59:42][TP-Processor3]: returnConn: mNumConns now 2
[09/Sep/2016:22:59:42][TP-Processor3]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=$Unidentified$] authentication failure
[09/Sep/2016:22:59:42][TP-Processor3]: GetCookie authentication failed
[09/Sep/2016:22:59:42][TP-Processor3]: mErrorFormPath=/admin/ca/securitydomainlogin.template
[09/Sep/2016:22:59:42][TP-Processor3]: CMSServlet: curDate=Fri Sep 09 22:59:42 EEST 2016 id=caGetCookie time=39

/var/log/httpd/access_log

192.168.4.175 - - [09/Sep/2016:22:59:21 +0300] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 315
192.168.4.175 - - [09/Sep/2016:22:59:22 +0300] "GET /ca/admin/ca/getDomainXML HTTP/1.1" 200 1148
192.168.4.175 - - [09/Sep/2016:22:59:22 +0300] "GET /ca/rest/account/login HTTP/1.1" 404 303
192.168.4.175 - - [09/Sep/2016:22:59:41 +0300] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1398
192.168.4.175 - - [09/Sep/2016:22:59:42 +0300] "GET /ca/rest/account/login HTTP/1.1" 404 303
192.168.4.175 - - [09/Sep/2016:22:59:42 +0300] "POST /ca/admin/ca/getCookie HTTP/1.1" 200 5170

/var/log/httpd/error_log

[Fri Sep 09 22:59:22 2016] [error] [client 192.168.4.175] File does not exist: /var/www/html/ca
[Fri Sep 09 22:59:22 2016] [error] [client 192.168.4.175] File does not exist: /var/www/html/ca
[Fri Sep 09 22:59:42 2016] [error] [client 192.168.4.175] File does not exist: /var/www/html/ca

/var/log/pki-ca/system

5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [6] [6] Failed to authenticate as admin UID=admin. Error: netscape.ldap.LDAPException: error result (49)
5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [3] [3] Servlet caGetCookie: Error getting servlet output stream when rendering template. Error Invalid Credential..

/var/log/pki-ca/catalina.out

Sep 08, 2016 4:17:34 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
Sep 08, 2016 4:17:34 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9180
Sep 08, 2016 4:17:34 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9443
Sep 08, 2016 4:17:35 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9445
Sep 08, 2016 4:17:35 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9444
Sep 08, 2016 4:17:35 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9446
Sep 08, 2016 4:17:35 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:9447
Sep 08, 2016 4:17:35 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/123 config=null
Sep 08, 2016 4:17:35 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 8550 ms

Catalina seems to not have logged anything from yesterday.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more
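The four logs above describe one failure chain: the replica asks the master's CA for a security-domain install token, the master's CA tries to log the request in as the CA admin and its LDAP bind fails, so the replica gets "Token: null". The script below is an added triage example, not code from this thread or from FreeIPA/Dogtag. It parses the line formats quoted above (Dogtag debug and system logs, Apache access_log), links the replica-side symptom to the master-side cause, and also lists the /ca/rest/ endpoints the master answered with 404. The function names and report layout are this example's own; the sample lines are copied from the mail; the LDAP result-code names are the standard RFC 4511 ones.

```python
"""Triage a failed FreeIPA replica CA join from the logs quoted above.

Added example, not code from the thread or from FreeIPA/Dogtag. It reads the
log lines the mail quotes (replica CA debug log, master CA debug log, master CA
system log, master httpd access_log) and ties the replica-side symptom
("Install token is null") to the master-side cause (AUTH_FAIL audit event and
an LDAP bind error for the CA admin user). Function names and the report
layout are this example's own; the sample lines are copied from the mail.
"""
import re

# Dogtag debug log: [dd/Mon/yyyy:HH:MM:SS][thread]: message
DEBUG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
# Dogtag system log: pid.thread - [ts] [subsystem] [level] message
SYSTEM_RE = re.compile(r"^\S+ - \[(?P<ts>[^\]]+)\] \[\d+\] \[(?P<level>\d+)\] (?P<msg>.*)$")
# Apache access log, only the fields the triage needs
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUDIT_KV_RE = re.compile(r"\[(\w+)=([^\]]*)\]")          # [Key=Value] pairs of an audit event
LDAP_RESULT_RE = re.compile(r"LDAPException: error result \((\d+)\)")
# LDAP result codes (RFC 4511 names) that show up in CA admin bind failures
LDAP_RESULT_NAMES = {32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights"}


def parse_lines(lines, pattern):
    """Yield the named groups of every line that matches pattern; skip the rest."""
    for line in lines:
        m = pattern.match(line.strip())
        if m:
            yield m.groupdict()


def triage(replica_debug, master_debug, master_system, master_access):
    """Return a dict describing the failure chain found in the four logs."""
    report = {
        "install_token_null": False,   # replica never got a security-domain install token
        "auth_fail": None,             # key/value pairs of the master's AUTH_FAIL audit event
        "ldap_result_code": None,      # LDAP result of the master's bind as the CA admin
        "ldap_result_name": None,
        "rest_404_paths": [],          # /ca/rest/ endpoints the master answered with 404
        "verdict": "no known failure signature found",
    }
    for rec in parse_lines(replica_debug, DEBUG_RE):
        if rec["msg"] == "Install token is null":
            report["install_token_null"] = True
    for rec in parse_lines(master_debug, DEBUG_RE):
        if "[AuditEvent=AUTH_FAIL]" in rec["msg"]:
            report["auth_fail"] = dict(AUDIT_KV_RE.findall(rec["msg"]))
    for rec in parse_lines(master_system, SYSTEM_RE):
        m = LDAP_RESULT_RE.search(rec["msg"])
        if m:
            code = int(m.group(1))
            report["ldap_result_code"] = code
            report["ldap_result_name"] = LDAP_RESULT_NAMES.get(code, "unknown")
    report["rest_404_paths"] = sorted({
        rec["path"] for rec in parse_lines(master_access, ACCESS_RE)
        if rec["status"] == "404" and rec["path"].startswith("/ca/rest/")
    })
    if report["install_token_null"] and report["ldap_result_code"] == 49:
        report["verdict"] = ("replica got no install token: the master rejected the "
                             "security-domain login because its LDAP bind as the CA "
                             "admin returned invalidCredentials (49)")
    elif report["install_token_null"] and report["auth_fail"]:
        report["verdict"] = "replica got no install token: master logged AUTH_FAIL"
    return report


# Sample lines copied from the mail above (one representative line per signature).
REPLICA_DEBUG = [
    "[09/Sep/2016:22:59:40][http-bio-8443-exec-3]: Getting install token",
    "[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Token: null",
    "[09/Sep/2016:22:59:41][http-bio-8443-exec-3]: Install token is null",
]
MASTER_DEBUG = [
    "[09/Sep/2016:22:59:42][TP-Processor3]: Authentication: UID=admin",
    "[09/Sep/2016:22:59:42][TP-Processor3]: SignedAuditEventFactory: create() message="
    "[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure]"
    "[AuthMgr=passwdUserDBAuthMgr][AttemptedCred=$Unidentified$] authentication failure",
]
MASTER_SYSTEM = [
    "5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [6] [6] Failed to authenticate as admin "
    "UID=admin. Error: netscape.ldap.LDAPException: error result (49)",
]
MASTER_ACCESS = [
    '192.168.4.175 - - [09/Sep/2016:22:59:21 +0300] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 315',
    '192.168.4.175 - - [09/Sep/2016:22:59:22 +0300] "GET /ca/admin/ca/getDomainXML HTTP/1.1" 200 1148',
    '192.168.4.175 - - [09/Sep/2016:22:59:22 +0300] "GET /ca/rest/account/login HTTP/1.1" 404 303',
    '192.168.4.175 - - [09/Sep/2016:22:59:42 +0300] "POST /ca/admin/ca/getCookie HTTP/1.1" 200 5170',
]


def run_sample():
    return triage(REPLICA_DEBUG, MASTER_DEBUG, MASTER_SYSTEM, MASTER_ACCESS)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The 404s on /ca/rest/securityDomain/domainInfo and /ca/rest/account/login match the later pkispawn warning in this thread that the REST interface is "not available" on the older master; the 49 in the system log is the LDAP invalidCredentials result for the uid=admin bind, which the later ldapsearch in the thread shows returns 32 (no such object) for uid=admin,ou=people,o=ipaca.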
Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server
I've tried that but still the same result.

[root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h localhost -b "uid=admin,ou=people,o=ipaca"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

On Fri, Sep 9, 2016 at 6:04 PM, Petr Vobornik wrote:

> On 09/09/2016 04:24 PM, Giorgos Kafataridis wrote:
> >
> >
> > On 09/09/2016 04:09 PM, Petr Vobornik wrote:
> >> On 09/09/2016 02:33 PM, Giorgos Kafataridis wrote:
> > Yes, I have followed
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
> > to the letter.
> > The only reason I had to recreate the cacert.p12 file is because it is not
> > renewed automatically in v3, so the cacert.p12 was outdated and the CA was
> > throwing an "p12 invalid digest" error.
> >
> > * I opened all necessary ports
> > * I checked all certs and they are valid for another year
> >
> > Run connection check to master
> > Check connection from replica to remote master 'ipa-server.nelios':
> >    Directory Service: Unsecure port (389): OK
> >    Directory Service: Secure port (636): OK
> >    Kerberos KDC: TCP (88): OK
> >    Kerberos Kpasswd: TCP (464): OK
> >    HTTP Server: Unsecure port (80): OK
> >    HTTP Server: Secure port (443): OK
> >    PKI-CA: Directory Service port (7389): OK
> >
> > The following list of ports use UDP protocol and would need to be
> > checked manually:
> >    Kerberos KDC: UDP (88): SKIPPED
> >    Kerberos Kpasswd: UDP (464): SKIPPED
> >
> > Connection from replica to master is OK.
> > Start listening on required ports for remote master check
> > Get credentials to log in to remote master
> > Check SSH connection to remote master
> > Execute check on remote master
> > Check connection from master to remote replica 'ipa2-server2.nelios':
> >    Directory Service: Unsecure port (389): OK
> >    Directory Service: Secure port (636): OK
> >    Kerberos KDC: TCP (88): OK
> >    Kerberos KDC: UDP (88): OK
> >    Kerberos Kpasswd: TCP (464): OK
> >    Kerberos Kpasswd: UDP (464): OK
> >    HTTP Server: Unsecure port (80): OK
> >    HTTP Server: Secure port (443): OK
> >
> > Connection from master to replica is OK.
> >
> > Connection check OK
> >
> > *Even with a fresh install of centos 7 with different hostname and ip and I
> > still get the error below*
> >
> > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
> >   [1/24]: creating certificate server user
> >   [2/24]: configuring certificate server instance
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
> > instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_''
> > returned non-zero exit status 1
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs
> > and the following files/directories for more information:
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki-ca-install.log
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
> >   [error] RuntimeError: CA configuration failed.
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.
> >
> > *With debug enabled I get:*
> >
> > ipa : DEBUG Starting external process
> > ipa : DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
> > ipa : DEBUG Process finished, return code=1
> > ipa : DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
> > Loading deployment configuration from /tmp/tmpwY8XjR.
> > Installing CA into /var/lib/pki/pki-tomcat.
> > Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> >
> > Installation failed.
> >
> >
> > ipa : DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> > InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> > certificate verification is strongly advised. See:
> > https://urllib3.readthedocs.org/en/latest/security.html
> >   InsecureRequestWarning)
> > pkispawn: WARNING ... unable to validate secu
Re: [Freeipa-users] automated ftp service only accounts and passwords
Larry Rosen wrote:
> Why does it (secure log) say:
>
> Sep 9 12:04:57 lamp-stor-01 sshd[27950]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)

Administratively set passwords are treated as expired so only the end-user knows the password.

http://www.freeipa.org/page/New_Passwords_Expired

The _account_ expired is a bit surprising but it may mean the same thing. You could confirm by adding --all to the user-show and see if there is a principal expiration date but I'd find that to be quite unusual.

> User info:
>
> [sysadmin@redmine ~]$ ipa pwpolicy-show service_accts
>   Group: service_accts
>   Max lifetime (days): 2
>   Min lifetime (hours): 0
>   History size: 0
>   Character classes: 2
>   Min length: 8
>   Priority: 5
>   Max failures: 0
>   Failure reset interval: 0
>   Lockout duration: 0
>
> [sysadmin@redmine ~]$ date
> Fri Sep 9 11:35:31 EDT 2016
>
> [sysadmin@redmine ~]$ ipa user-show xfseuftp
>   User login: xfseuftp
>   First name: xfs
>   Last name: eur
>   Home directory: /export/xfseur
>   Login shell: /bin/bash
>   Email address: xfseuftp@ipajdr.local
>   UID: 100618
>   GID: 1333200036
>   Account disabled: False
>   Password: True
>   Member of groups: service_accts, xfseuftp, uat_info_old, ipausers, info
>   Member of HBAC rule: access_lamp_stor_01_server
>   Kerberos keys available: True
>
> [sysadmin@redmine ~]$ ipa hbactest --user=xfseuftp --host=lamp-stor-01.ipajdr.local --service sshd
> Access granted: True
>   Matched rules: access_lamp_stor_01_server   <--- this is the sftp server attempting to access
>   Not matched rules: access_all_servers
>   Not matched rules: access_il09_app_mufg_server
>   Not matched rules: access_ipa_servers
>   Not matched rules: access_lampuat_server
>   Not matched rules: access_ssh_gate_01_server
>   Not matched rules: access_uat_xfs_il10_server
>   Not matched rules: access_xfs_il10_server
>   Not matched rules: dsiroot_access
>   Not matched rules: il10web_access_xfs_il10_server
>   Not matched rules: xfsroot_access
>
> ssh/sftp setup:
>
> Match User xfseuftp
>     # Force the connection to use the built-in SFTP support.
>     ForceCommand internal-sftp -u 6
>     # Chroot the connection into the specified directory.
>     ChrootDirectory /export/xfseur
>     # Disable authentication agent forwarding.
>     AllowAgentForwarding no
>     # Disable TCP connection forwarding.
>     AllowTcpForwarding no
>     # Disable X11 remote desktop forwarding.
>     X11Forwarding no
>
> When I attempt to change the account's password (I am sure it's the password I set). I've even tried deleting & re-creating the ID from scratch:
>
> [sysadmin@redmine ~]$ ipa passwd xfseuftp
> New Password:
> Enter New Password again to verify:
> Changed password for "xfseuftp@IPAJDR.LOCAL"
>
> [sysadmin@redmine ~]$ ssh xfseuftp@10.120.97.149
> xfseuftp@10.120.97.149's password:
> Permission denied, please try again.
> xfseuftp@10.120.97.149's password:
>
> Even if I su to the user
>
> [root@lamp-stor-01 export]# ipa passwd xfseuftp
> New Password:
> Enter New Password again to verify:
> Changed password for "xfseuftp@IPAJDR.LOCAL"

It depends on what ticket you have, not the user executing the command.

> [root@lamp-stor-01 export]# su - xfseuftp
> Last login: Fri Sep 9 11:57:24 EDT 2016 on pts/1
> -bash-4.2$ passwd
> Changing password for user xfseuftp.
> Current Password:
> Password change failed. Server message: Old password not accepted.
> passwd: Authentication token manipulation error
>
> secure log entries when attempted to change password:
>
> Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
> Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): User info message: Permission denied.
> Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
> Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)
> Sep 9 11:33:16 lamp-stor-01 sshd[26880]: Failed password for xfseuftp from 10.10.90.138 port 33534 ssh2
> .
> Sep 9 11:57:56 lamp-stor-01 su: pam_unix(su-l:session): session closed for user xfseuftp
> Sep 9 11:58:15 lamp-stor-01 su: pam_unix(su-l:session): session opened for user xfseuftp by root(uid=0)
> Sep 9 11:58:20 lamp-stor-01 passwd: pam_unix(passwd:chauthtok): user "xfseuftp" does not exist in /etc/passwd
> Sep 9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
> Sep 9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): Authentication failed for user xfseuftp: 4 (System
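Rob's point is that the pam_sss line is reporting the PAM result code the server returned, and 13 is PAM_ACCT_EXPIRED rather than a plain wrong-password result, so the two kinds of failure in the secure log (the sshd login and the later passwd change) should be read separately. The script below is an added example, not code from this thread, from FreeIPA or from SSSD: it parses the secure-log lines quoted above, extracts the PAM return code from each pam_sss result line, and produces a per-user summary with triage notes. The PAM code names follow Linux-PAM's _pam_types.h; the sample lines are copied from the mail; the function and field names are this example's own.

```python
"""Classify pam_sss / pam_unix failures for an IPA account from /var/log/secure.

Added example, not code from the thread, from FreeIPA or from SSSD. It parses
the syslog lines quoted in the mail (sshd and passwd entries), pulls out the
PAM return code that pam_sss reports, and summarises per user what failed and
why, so that "13 (User account has expired)" is not misread as a wrong
password. PAM code names follow Linux-PAM's _pam_types.h; the sample lines are
copied from the mail; function and field names are this example's own.
"""
import re
from collections import defaultdict

# "Sep  9 11:33:15 host prog[pid]: message" (pid is optional, e.g. for su/passwd)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# "pam_sss(sshd:auth): text"
PAM_MSG_RE = re.compile(r"^(?P<module>pam_\w+)\((?P<service>[\w-]+):(?P<stage>\w+)\): (?P<text>.*)$")
RECEIVED_RE = re.compile(r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)")
FAILED_RE = re.compile(r"Authentication failed for user (?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)")
KV_RE = re.compile(r"(\w+)=(\S*)")   # "rhost=10.10.90.138 user=xfseuftp" pairs

PAM_CODES = {4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED"}


def parse_secure(lines):
    """Return one dict per pam_* line: ts, host, prog, module, service, stage, text."""
    records = []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        pm = PAM_MSG_RE.match(m["msg"])
        if not pm:
            continue                     # not a PAM line (e.g. sshd's own "Failed password")
        rec = {**m.groupdict(), **pm.groupdict()}
        del rec["msg"]
        records.append(rec)
    return records


def summarise(lines):
    """Per-user summary: pam_sss result codes, source hosts, PAM stages touched, triage notes."""
    users = defaultdict(lambda: {"sss_codes": [], "rhosts": set(), "stages": set(), "notes": []})
    for rec in parse_secure(lines):
        text, user = rec["text"], None
        m = RECEIVED_RE.search(text) or FAILED_RE.search(text)
        if m:
            user, code = m["user"], int(m["code"])
            users[user]["sss_codes"].append(
                (rec["service"], rec["stage"], code, PAM_CODES.get(code, "unknown"), m["reason"]))
        elif "authentication failure;" in text:
            kv = dict(KV_RE.findall(text))
            user = kv.get("user") or None
            if user and kv.get("rhost"):
                users[user]["rhosts"].add(kv["rhost"])
        if user:
            users[user]["stages"].add((rec["module"], rec["service"], rec["stage"]))
    for info in users.values():
        codes = {c[2] for c in info["sss_codes"]}
        if 13 in codes:
            info["notes"].append("sshd rejected the login with PAM_ACCT_EXPIRED (13), not with a "
                                 "wrong-password result: check for a principal expiration "
                                 "(ipa user-show --all) and the password policy's max lifetime")
        if any(c[0] == "passwd" and c[1] == "chauthtok" for c in info["sss_codes"]):
            info["notes"].append("password change through passwd failed: the IPA server did not "
                                 "accept the current password")
    return dict(users)


# Sample lines copied from the mail above.
SAMPLE_SECURE = """\
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): User info message: Permission denied.
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)
Sep 9 11:33:16 lamp-stor-01 sshd[26880]: Failed password for xfseuftp from 10.10.90.138 port 33534 ssh2
Sep 9 11:58:15 lamp-stor-01 su: pam_unix(su-l:session): session opened for user xfseuftp by root(uid=0)
Sep 9 11:58:20 lamp-stor-01 passwd: pam_unix(passwd:chauthtok): user "xfseuftp" does not exist in /etc/passwd
Sep 9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
Sep 9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): Authentication failed for user xfseuftp: 4 (System error)
""".splitlines()


if __name__ == "__main__":
    for user, info in summarise(SAMPLE_SECURE).items():
        print(user, info["sss_codes"], sorted(info["rhosts"]))
        for note in info["notes"]:
            print("  -", note)
```

The pam_unix chauthtok line ("does not exist in /etc/passwd") is deliberately left out of the summary: for an IPA-backed user that message is expected, since the account lives in the directory, and the meaningful result is the pam_sss line that follows it.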
Re: [Freeipa-users] automated ftp service only accounts and passwords
Why does it (secure log) say:

Sep 9 12:04:57 lamp-stor-01 sshd[27950]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)

User info:

[sysadmin@redmine ~]$ ipa pwpolicy-show service_accts
  Group: service_accts
  Max lifetime (days): 2
  Min lifetime (hours): 0
  History size: 0
  Character classes: 2
  Min length: 8
  Priority: 5
  Max failures: 0
  Failure reset interval: 0
  Lockout duration: 0

[sysadmin@redmine ~]$ date
Fri Sep 9 11:35:31 EDT 2016

[sysadmin@redmine ~]$ ipa user-show xfseuftp
  User login: xfseuftp
  First name: xfs
  Last name: eur
  Home directory: /export/xfseur
  Login shell: /bin/bash
  Email address: xfseuftp@ipajdr.local
  UID: 100618
  GID: 1333200036
  Account disabled: False
  Password: True
  Member of groups: service_accts, xfseuftp, uat_info_old, ipausers, info
  Member of HBAC rule: access_lamp_stor_01_server
  Kerberos keys available: True

[sysadmin@redmine ~]$ ipa hbactest --user=xfseuftp --host=lamp-stor-01.ipajdr.local --service sshd
Access granted: True
  Matched rules: access_lamp_stor_01_server   <--- this is the sftp server attempting to access
  Not matched rules: access_all_servers
  Not matched rules: access_il09_app_mufg_server
  Not matched rules: access_ipa_servers
  Not matched rules: access_lampuat_server
  Not matched rules: access_ssh_gate_01_server
  Not matched rules: access_uat_xfs_il10_server
  Not matched rules: access_xfs_il10_server
  Not matched rules: dsiroot_access
  Not matched rules: il10web_access_xfs_il10_server
  Not matched rules: xfsroot_access

ssh/sftp setup:

Match User xfseuftp
    # Force the connection to use the built-in SFTP support.
    ForceCommand internal-sftp -u 6
    # Chroot the connection into the specified directory.
    ChrootDirectory /export/xfseur
    # Disable authentication agent forwarding.
    AllowAgentForwarding no
    # Disable TCP connection forwarding.
    AllowTcpForwarding no
    # Disable X11 remote desktop forwarding.
    X11Forwarding no

When I attempt to change the account's password (I am sure it's the password I set). I've even tried deleting & re-creating the ID from scratch:

[sysadmin@redmine ~]$ ipa passwd xfseuftp
New Password:
Enter New Password again to verify:
Changed password for "xfseuftp@IPAJDR.LOCAL"

[sysadmin@redmine ~]$ ssh xfseuftp@10.120.97.149
xfseuftp@10.120.97.149's password:
Permission denied, please try again.
xfseuftp@10.120.97.149's password:

Even if I su to the user

[root@lamp-stor-01 export]# ipa passwd xfseuftp
New Password:
Enter New Password again to verify:
Changed password for "xfseuftp@IPAJDR.LOCAL"
[root@lamp-stor-01 export]# su - xfseuftp
Last login: Fri Sep 9 11:57:24 EDT 2016 on pts/1
-bash-4.2$ passwd
Changing password for user xfseuftp.
Current Password:
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error

secure log entries when attempted to change password:

Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): User info message: Permission denied.
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.90.138 user=xfseuftp
Sep 9 11:33:15 lamp-stor-01 sshd[26880]: pam_sss(sshd:auth): received for user xfseuftp: 13 (User account has expired)
Sep 9 11:33:16 lamp-stor-01 sshd[26880]: Failed password for xfseuftp from 10.10.90.138 port 33534 ssh2
.
Sep 9 11:57:56 lamp-stor-01 su: pam_unix(su-l:session): session closed for user xfseuftp
Sep 9 11:58:15 lamp-stor-01 su: pam_unix(su-l:session): session opened for user xfseuftp by root(uid=0)
Sep 9 11:58:20 lamp-stor-01 passwd: pam_unix(passwd:chauthtok): user "xfseuftp" does not exist in /etc/passwd
Sep 9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
Sep 9 11:58:23 lamp-stor-01 passwd: pam_sss(passwd:chauthtok): Authentication failed for user xfseuftp: 4 (System error)
Sep 9 11:58:27 lamp-stor-01 su: pam_unix(su-l:session): session closed for user xfseuftp

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, September 09, 2016 9:30 AM
To: Larry Rosen ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] automated ftp service only accounts and passwords

Larry Rosen wrote:
> How do I set the password on a chroot jailed sftp id account that is
> not allowed a shell to not expire its password after setting it?
Re: [Freeipa-users] ERROR CA configuration failed. - again
lejeczek wrote:
> hi everybody,
>
> looking at ipareplica-install.log:
>
>     raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
> 2016-09-09T16:23:17Z DEBUG   [error] RuntimeError: CA configuration failed.
> 2016-09-09T16:23:17Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>
> then at /var/log/pki/pki-tomcat/ca/system

I'd suggest looking at the debug log for more details.

> 0.localhost-startStop-1 - [09/Sep/2016:16:04:22 BST] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> 0.localhost-startStop-1 - [09/Sep/2016:16:04:22 BST] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>
> I cannot find anything more telling in the logs.
> Does it have anything to do with what's in: /etc/httpd/alias/ ?

No.

> I yum removed `rpm -qa ipa* 389*` pki-base krb5-pkinit krb5-server krb5-workstation pki-tomcat certmonger
> rm dirs + reinstalled, yet I cannot find the root cause of this mess.

I seriously doubt the problem is local to the box.

rob
[Freeipa-users] ERROR CA configuration failed. - again
hi everybody,

looking at ipareplica-install.log:

    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2016-09-09T16:23:17Z DEBUG   [error] RuntimeError: CA configuration failed.
2016-09-09T16:23:17Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

then at /var/log/pki/pki-tomcat/ca/system

0.localhost-startStop-1 - [09/Sep/2016:16:04:22 BST] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
0.localhost-startStop-1 - [09/Sep/2016:16:04:22 BST] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value

I cannot find anything more telling in the logs.
Does it have anything to do with what's in: /etc/httpd/alias/ ?

I yum removed `rpm -qa ipa* 389*` pki-base krb5-pkinit krb5-server krb5-workstation pki-tomcat certmonger
rm dirs + reinstalled, yet I cannot find the root cause of this mess.

best regards
L.
Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server
On 9/9/2016 8:09 AM, Petr Vobornik wrote:
> On 09/09/2016 02:33 PM, Giorgos Kafataridis wrote:
> > Yes, I have followed
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
> > to the letter.
> > The only reason I had to recreate the cacert.p12 file is because it is not
> > renewed automatically in v3, so the cacert.p12 was outdated and the CA was
> > throwing an "p12 invalid digest" error.
> >
> > * I opened all necessary ports
> > * I checked all certs and they are valid for another year
> >
> > Run connection check to master
> > Check connection from replica to remote master 'ipa-server.nelios':
> >    Directory Service: Unsecure port (389): OK
> >    Directory Service: Secure port (636): OK
> >    Kerberos KDC: TCP (88): OK
> >    Kerberos Kpasswd: TCP (464): OK
> >    HTTP Server: Unsecure port (80): OK
> >    HTTP Server: Secure port (443): OK
> >    PKI-CA: Directory Service port (7389): OK
> >
> > The following list of ports use UDP protocol and would need to be
> > checked manually:
> >    Kerberos KDC: UDP (88): SKIPPED
> >    Kerberos Kpasswd: UDP (464): SKIPPED
> >
> > Connection from replica to master is OK.
> > Start listening on required ports for remote master check
> > Get credentials to log in to remote master
> > Check SSH connection to remote master
> > Execute check on remote master
> > Check connection from master to remote replica 'ipa2-server2.nelios':
> >    Directory Service: Unsecure port (389): OK
> >    Directory Service: Secure port (636): OK
> >    Kerberos KDC: TCP (88): OK
> >    Kerberos KDC: UDP (88): OK
> >    Kerberos Kpasswd: TCP (464): OK
> >    Kerberos Kpasswd: UDP (464): OK
> >    HTTP Server: Unsecure port (80): OK
> >    HTTP Server: Secure port (443): OK
> >
> > Connection from master to replica is OK.
> >
> > Connection check OK
> >
> > *Even with a fresh install of centos 7 with different hostname and ip and I
> > still get the error below*
> >
> > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
> >   [1/24]: creating certificate server user
> >   [2/24]: configuring certificate server instance
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
> > instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_''
> > returned non-zero exit status 1
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs
> > and the following files/directories for more information:
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki-ca-install.log
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
> >   [error] RuntimeError: CA configuration failed.
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.
> >
> > *With debug enabled I get:*
> >
> > ipa : DEBUG Starting external process
> > ipa : DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
> > ipa : DEBUG Process finished, return code=1
> > ipa : DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
> > Loading deployment configuration from /tmp/tmpwY8XjR.
> > Installing CA into /var/lib/pki/pki-tomcat.
> > Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> >
> > Installation failed.
> >
> > ipa : DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> > InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> > certificate verification is strongly advised. See:
> > https://urllib3.readthedocs.org/en/latest/security.html
> >   InsecureRequestWarning)
> > pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
> > pkispawn: ERROR... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
> > pkispawn: ERROR... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to obtain installation token from security domain"}
> >
> > Is there a way to validate the replica .gpg file from a v3 installation against a v4.2 freeipa installation to check for any errors before going through the ipa-replica-install?
> > The ipa-replica-install completes if I don't include the --setup-ca flag but I don't want that
>
> There is no automatic method to verify the replica file.
>
> Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug + couple lines before and after?

Contents of /var/log/pki/pki-tomcat/ca/debug:

[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: SystemConfigResource.configure()
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: content-type: application/json
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: accept: [application/json]
[09/Sep/2016
Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server
On 09/09/2016 04:24 PM, Giorgos Kafataridis wrote:
>
>
> On 09/09/2016 04:09 PM, Petr Vobornik wrote:
>> On 09/09/2016 02:33 PM, Giorgos Kafataridis wrote:
> Yes, I have followed
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
> to the letter.
> The only reason I had to recreate the cacert.p12 file is because it is not
> renewed automatically in v3, so the cacert.p12 was outdated and the CA was
> throwing an "p12 invalid digest" error.
>
> * I opened all necessary ports
> * I checked all certs and they are valid for another year
>
> Run connection check to master
> Check connection from replica to remote master 'ipa-server.nelios':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'ipa2-server2.nelios':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
>
> *Even with a fresh install of centos 7 with different hostname and ip and I
> still get the error below*
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>   [1/24]: creating certificate server user
>   [2/24]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
> instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_''
> returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs
> and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.
>
> *With debug enabled I get:*
>
> ipa : DEBUG Starting external process
> ipa : DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
> ipa : DEBUG Process finished, return code=1
> ipa : DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
> Loading deployment configuration from /tmp/tmpwY8XjR.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> ipa : DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html
>   InsecureRequestWarning)
> pkispawn: WARNING ... unable to validate security domain user/password
> through REST interface. Interface not available
> pkispawn: ERROR... Exception from Java Configuration Servlet: 500
> Server Error: Internal Server Error
> pkispawn: ERROR... ParseError: not well-formed (invalid token): line
> 1, column 0:
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed
> to obtain installation token from security domain"}
>
>
> Is there a way to validate the replica .gpg file from a v3
> installation a
Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server
On 09/09/2016 04:09 PM, Petr Vobornik wrote:
> On 09/09/2016 02:33 PM, Giorgos Kafataridis wrote:
>> Yes, I have followed
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>> to the letter.
>> The only reason I had to recreate the cacert.p12 file is because it is not
>> renewed automatically in v3, so the cacert.p12 was outdated and the CA was
>> throwing a "p12 invalid digest" error.
>>
>> * I opened all necessary ports
>> * I checked all certs and they are valid for another year
>>
>> Run connection check to master
>> Check connection from replica to remote master 'ipa-server.nelios':
>>    Directory Service: Unsecure port (389): OK
>>    Directory Service: Secure port (636): OK
>>    Kerberos KDC: TCP (88): OK
>>    Kerberos Kpasswd: TCP (464): OK
>>    HTTP Server: Unsecure port (80): OK
>>    HTTP Server: Secure port (443): OK
>>    PKI-CA: Directory Service port (7389): OK
>>
>> The following list of ports use UDP protocol and would need to be
>> checked manually:
>>    Kerberos KDC: UDP (88): SKIPPED
>>    Kerberos Kpasswd: UDP (464): SKIPPED
>>
>> Connection from replica to master is OK.
>> Start listening on required ports for remote master check
>> Get credentials to log in to remote master
>> Check SSH connection to remote master
>> Execute check on remote master
>> Check connection from master to remote replica 'ipa2-server2.nelios':
>>    Directory Service: Unsecure port (389): OK
>>    Directory Service: Secure port (636): OK
>>    Kerberos KDC: TCP (88): OK
>>    Kerberos KDC: UDP (88): OK
>>    Kerberos Kpasswd: TCP (464): OK
>>    Kerberos Kpasswd: UDP (464): OK
>>    HTTP Server: Unsecure port (80): OK
>>    HTTP Server: Secure port (443): OK
>>
>> Connection from master to replica is OK.
>>
>> Connection check OK
>>
>> *Even with a fresh install of centos 7 with different hostname and ip and I
>> still get the error below*
>>
>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>>   [1/24]: creating certificate server user
>>   [2/24]: configuring certificate server instance
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_'' returned non-zero exit status 1
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
>>   [error] RuntimeError: CA configuration failed.
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.
>>
>> *With debug enabled I get:*
>>
>> pa : DEBUG Starting external process
>> ipa : DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
>> ipa : DEBUG Process finished, return code=1
>> ipa : DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
>> Loading deployment configuration from /tmp/tmpwY8XjR.
>> Installing CA into /var/lib/pki/pki-tomcat.
>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>
>> Installation failed.
>>
>> ipa : DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
>>   InsecureRequestWarning)
>> pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
>> pkispawn: ERROR ... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
>> pkispawn: ERROR ... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to obtain installation token from security domain"}
>>
>> Is there a way to validate the replica .gpg file from a v3 installation against
>> a v4.2 freeipa installation to check for any errors before going through the
>> ipa-replica-install?
>> The ipa-replica-install completes if I don't include the --setup-ca flag but I
>> don't want that
>
> There is no automatic method to verify the replica file.
>
> Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug + couple lines before and after?

Contents of /var/log/pki/pki-tomcat/ca/debug:

[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: SystemConfigResource.configure()
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: content-type: application/json
[09/Sep/2016:08:22:51][http-bio-8443-exec-3]: MessageFormatInterceptor: accept: [application/json]
[09/
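The last pkispawn line above is misleading on its own: the body it could not parse is JSON, and the useful diagnostic is the embedded Message, "Failed to obtain installation token from security domain", not the XML parser complaint. As an added example (not code from the thread, from FreeIPA or from Dogtag), the Python helper below scans pkispawn stderr for WARNING/ERROR lines and decodes the PKIException body so the CA's own message and code are surfaced. The sample stderr is constructed from the lines quoted above; the XML fallback layout in decode_pki_error is an assumption.

```python
import json
import re
import xml.etree.ElementTree as ET

# pkispawn stderr as quoted in the thread, one message per line (constructed
# from the lines above; the JSON body is verbatim from the post).
PKISPAWN_STDERR = """\
pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR ... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn: ERROR ... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to obtain installation token from security domain"}
"""

PKISPAWN_LINE = re.compile(r"^pkispawn\s*:\s*(WARNING|ERROR)\s+\.\.\.\s*(.*)$")


def decode_pki_error(body):
    """Return (class_name, code, message) from a Dogtag CA error body.

    pkispawn in the thread fed the body to an XML parser and reported only the
    resulting ParseError, hiding the JSON payload. Try XML first, then JSON.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        data = json.loads(body)
        return data.get("ClassName"), data.get("Code"), data.get("Message")
    # Assumed XML layout: <PKIException><ClassName/><Code/><Message/></PKIException>
    code = root.findtext("Code")
    return (root.findtext("ClassName"),
            int(code) if code is not None else None,
            root.findtext("Message"))


def summarize_pkispawn_stderr(text):
    """Collect pkispawn WARNING/ERROR messages and decode an embedded
    PKIException body if one is present.

    Returns (findings, pki_error): findings is a list of (level, message),
    pki_error the decoded (class_name, code, message) tuple or None.
    """
    findings = []
    pki_error = None
    for line in text.splitlines():
        m = PKISPAWN_LINE.match(line)
        if not m:
            continue
        level, msg = m.groups()
        findings.append((level, msg))
        # The servlet body trails the "line 1, column 0:" location in the ParseError line.
        if "ParseError" in msg and "{" in msg:
            pki_error = decode_pki_error(msg[msg.index("{"):])
    return findings, pki_error


if __name__ == "__main__":
    found, err = summarize_pkispawn_stderr(PKISPAWN_STDERR)
    for level, msg in found:
        print(level, msg[:70])
    if err:
        print("CA said:", err[1], err[2])
```

Running it against the sample prints the three pkispawn messages and then the CA's own verdict (500, installation token not obtained), which is what to look up in the master's CA debug log rather than the ParseError.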
Re: [Freeipa-users] automated ftp service only accounts and passwords
Larry Rosen wrote:
> How do I set the password on a chroot jailed sftp id account that is not allowed a shell to not expire its password after setting it? There's no way to change it to the fixed password I want.
> I have created a service_account password policy that has no expiration (set to Max lifetime (days) = 2 ).

More details are needed.

Did you create a service account user or are you using an IPA user?

You created a new password policy, is the sftp account in that group?

Why can't you set the password to what you want?

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server
On 09/09/2016 02:33 PM, Giorgos Kafataridis wrote:
>
>>> Yes, I have followed
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>> to the letter.
>>> The only reason I had to recreate the cacert.p12 file is because it is not
>>> renewed automatically in v3, so the cacert.p12 was outdated and the CA was
>>> throwing a "p12 invalid digest" error.
>>>
>>> * I opened all necessary ports
>>> * I checked all certs and they are valid for another year
>>>
>>> Run connection check to master
>>> Check connection from replica to remote master 'ipa-server.nelios':
>>>    Directory Service: Unsecure port (389): OK
>>>    Directory Service: Secure port (636): OK
>>>    Kerberos KDC: TCP (88): OK
>>>    Kerberos Kpasswd: TCP (464): OK
>>>    HTTP Server: Unsecure port (80): OK
>>>    HTTP Server: Secure port (443): OK
>>>    PKI-CA: Directory Service port (7389): OK
>>>
>>> The following list of ports use UDP protocol and would need to be
>>> checked manually:
>>>    Kerberos KDC: UDP (88): SKIPPED
>>>    Kerberos Kpasswd: UDP (464): SKIPPED
>>>
>>> Connection from replica to master is OK.
>>> Start listening on required ports for remote master check
>>> Get credentials to log in to remote master
>>> Check SSH connection to remote master
>>> Execute check on remote master
>>> Check connection from master to remote replica 'ipa2-server2.nelios':
>>>    Directory Service: Unsecure port (389): OK
>>>    Directory Service: Secure port (636): OK
>>>    Kerberos KDC: TCP (88): OK
>>>    Kerberos KDC: UDP (88): OK
>>>    Kerberos Kpasswd: TCP (464): OK
>>>    Kerberos Kpasswd: UDP (464): OK
>>>    HTTP Server: Unsecure port (80): OK
>>>    HTTP Server: Secure port (443): OK
>>>
>>> Connection from master to replica is OK.
>>>
>>> Connection check OK
>>>
>>> *Even with a fresh install of centos 7 with different hostname and ip and I
>>> still get the error below*
>>>
>>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>>>   [1/24]: creating certificate server user
>>>   [2/24]: configuring certificate server instance
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_'' returned non-zero exit status 1
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
>>>   [error] RuntimeError: CA configuration failed.
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.
>>>
>>> *With debug enabled I get:*
>>>
>>> pa : DEBUG Starting external process
>>> ipa : DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
>>> ipa : DEBUG Process finished, return code=1
>>> ipa : DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
>>> Loading deployment configuration from /tmp/tmpwY8XjR.
>>> Installing CA into /var/lib/pki/pki-tomcat.
>>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>>
>>> Installation failed.
>>>
>>> ipa : DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
>>>   InsecureRequestWarning)
>>> pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
>>> pkispawn: ERROR ... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
>>> pkispawn: ERROR ... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to obtain installation token from security domain"}
>>>
>>> Is there a way to validate the replica .gpg file from a v3 installation against
>>> a v4.2 freeipa installation to check for any errors before going through the
>>> ipa-replica-install?
>>> The ipa-replica-install completes if I don't include the --setup-ca flag but I
>>> don't want that
>>>
>> There is no automatic method to verify the replica file.
>>
>> Could you share the stack trace from /var/lo
[Freeipa-users] automated ftp service only accounts and passwords
How do I set the password on a chroot jailed sftp id account that is not allowed a shell to not expire its password after setting it? There's no way to change it to the fixed password I want.

I have created a service_account password policy that has no expiration (set to Max lifetime (days) = 2 ).

Larry
Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server
On 09/09/2016 12:13 PM, Giorgos Kafataridis wrote:
> Yes, I have followed
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
> to the letter.
> The only reason I had to recreate the cacert.p12 file is because it is not
> renewed automatically in v3, so the cacert.p12 was outdated and the CA was
> throwing a "p12 invalid digest" error.
>
> * I opened all necessary ports
> * I checked all certs and they are valid for another year
>
> Run connection check to master
> Check connection from replica to remote master 'ipa-server.nelios':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'ipa2-server2.nelios':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
>
> *Even with a fresh install of centos 7 with different hostname and ip and I
> still get the error below*
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>   [1/24]: creating certificate server user
>   [2/24]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_'' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.
>
> *With debug enabled I get:*
>
> pa : DEBUG Starting external process
> ipa : DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
> ipa : DEBUG Process finished, return code=1
> ipa : DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
> Loading deployment configuration from /tmp/tmpwY8XjR.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
> ipa : DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
>   InsecureRequestWarning)
> pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
> pkispawn: ERROR ... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
> pkispawn: ERROR ... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to obtain installation token from security domain"}
>
> Is there a way to validate the replica .gpg file from a v3 installation against
> a v4.2 freeipa installation to check for any errors before going through the
> ipa-replica-install?
> The ipa-replica-install completes if I don't include the --setup-ca flag but I
> don't want that
>

There is no automatic method to verify the replica file.

Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug + couple lines before and after?

-- 
Petr Vobornik
Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication
On (07/09/16 17:39), Venkataramana Kintali wrote:
>Hi,
>Of late, I am learning FreeIPA. I have installed IPA server and few
>clients (Version 3.0.0)
>I am facing an issue with ssh key authentication in my setup.
>I generated a putty ssh private key (using putty keygen), and uploaded it
>under a user through IPA GUI.

I assume you uploaded public key to the IPA otherwise you did something wrong and I wonder why it works on some machines.

>I am able to login to some IPA clients but not able to login to other IPA
>clients with putty using private key and passphrase.
>

Is sssd_ssh running on all clients?
(Is sssd.conf almost the same on all machines)

Is sshd configuration the same on all machines?
/etc/ssh/ssh_config
/etc/ssh/sshd_config

>Public Key Authentication is enabled on all clients.
>I am able to from one client to other clients successfully (after doing
>kinit) without prompting password.
>
>Can someone please throw some light on this as to what the issue could be
>here and what else I can check to understand where the problem is?
>
>I searched this online but couldn't find any solution in the context of IPA.
>

LS
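LS's suggestion is to compare /etc/ssh/sshd_config and /etc/ssh/ssh_config across the clients that work and those that do not. The Python helper below is an added example (not code from the thread, from FreeIPA or from sssd): it normalises sshd_config-style text into directives, so that comment and whitespace differences drop out, and reports the keywords whose values differ or that are missing on some host. The host names and config excerpts are constructed samples. The AuthorizedKeysCommand / AuthorizedKeysCommandUser directives in the sample are the ones ipa-client-install normally writes so that sshd asks sssd_ssh for a user's IPA-stored public keys; that they are what differs between the clients is my assumption for the sample, not something the thread states.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample sshd_config excerpts from two IPA clients. The directive
# names are real OpenSSH keywords; the values are illustrative, not from the thread.
SAMPLE_CONFIGS = {
    "client-a": """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
Subsystem sftp /usr/libexec/openssh/sftp-server
""",
    "client-b": """\
# /etc/ssh/sshd_config (constructed sample): sshd never asks sssd for keys
Port 22
PubkeyAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
""",
}


def parse_ssh_config(text):
    """Parse sshd_config/ssh_config text into {keyword: [values]}.

    Only whole-line '#' comments and blank lines are skipped, matching sshd's
    own rules. Keywords are case-insensitive. A keyword may legitimately repeat
    (several Subsystem or Match lines), so each one maps to a list of values.
    Match/Host block structure is ignored: this is a flat comparison.
    """
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        directives[key.lower()].append(value.strip())
    return dict(directives)


def config_fingerprint(text):
    """Stable digest of the effective directives: equal on two hosts exactly
    when their configs agree once comments and whitespace are ignored."""
    canonical = json.dumps(parse_ssh_config(text), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_ssh_configs(configs):
    """configs: {host: text}. Return {keyword: {host: values or None}} for every
    keyword whose values differ between hosts or that is missing on some host."""
    parsed = {host: parse_ssh_config(text) for host, text in configs.items()}
    keywords = set()
    for directives in parsed.values():
        keywords.update(directives)
    differences = {}
    for key in sorted(keywords):
        per_host = {host: parsed[host].get(key) for host in parsed}
        distinct = {tuple(v) if v is not None else None for v in per_host.values()}
        if len(distinct) > 1:
            differences[key] = per_host
    return differences


if __name__ == "__main__":
    for key, hosts in diff_ssh_configs(SAMPLE_CONFIGS).items():
        print(key, hosts)
```

In practice one would collect the two files from each client (or just print config_fingerprint of each and compare the digests first), then feed the texts of the hosts that disagree to diff_ssh_configs to see which directive is missing on the clients where key login fails.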
Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server
Yes, I have followed
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
to the letter.
The only reason I had to recreate the cacert.p12 file is because it is not
renewed automatically in v3, so the cacert.p12 was outdated and the CA was
throwing a "p12 invalid digest" error.

* I opened all necessary ports
* I checked all certs and they are valid for another year

Run connection check to master
Check connection from replica to remote master 'ipa-server.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa2-server2.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK

*Even with a fresh install of centos 7 with different hostname and ip and I
still get the error below*

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.

*With debug enabled I get:*

pa : DEBUG Starting external process
ipa : DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
Loading deployment configuration from /tmp/tmpwY8XjR.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.

ipa : DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR ... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn: ERROR ... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to obtain installation token from security domain"}

Is there a way to validate the replica .gpg file from a v3 installation against
a v4.2 freeipa installation to check for any errors before going through the
ipa-replica-install?
The ipa-replica-install completes if I don't include the --setup-ca flag but I
don't want that