[Freeipa-users] Problems with mount and user logins

2016-09-16 Thread Detlev Habicht
Hi all,

I am setting up IPA for the first time in real life and now have
some big problems.

First, for testing I set up an IPA server, an NFS server and up
to 3 clients. The servers are running Scientific Linux and the clients
Fedora 24 (set up via a Cobbler server). The setup is based on the Red Hat Linux 7
IPA Docs.

This ran well for several weeks. I could reinstall my clients
via Cobbler and everything was good. But mostly with one user (me).

Now I added 20 hosts and for the first time big problems
are showing up.

First, one problem has nothing to do with IPA: I found bug reports
about new autofs problems with Fedora 24. autofs is starting
at the wrong time, and so is sssd.

Second, my problem has to do with mounting or accessing directories:
when I log in on a host, sometimes mounting directories is not allowed
and sometimes it is possible. And there is no pattern: sometimes it
works, sometimes it does not.

Well, important: I am logged in at several hosts at the same time! Mostly
with one user! Me!

I install the clients with ipa-client-install and ipa-client-automount (the first
time by hand, for reinstalls with kickstart).

I do not do anything with the users' dot-files like .cshrc or change any other
dot-file.

I read now in some MIT docs that it is a good idea to add kdestroy in dot-files
for logout.

I can’t expect big help with my poor report here, but I have now two questions:

Do I have to set up the users' dot-files in some way? Is there any good documentation
for a user's home directory setup?

Is logging in on several clients at the same time with the same shared home
directory a problem?

Thank you for any help!

Detlev  



--
  Detlev  | Institut fuer Mikroelektronische Systeme
  Habicht | D-30167 Hannover +49 511 76219662 habi...@ims.uni-hannover.de
  + Handy +49 172 5415752



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA server as a domain controller for more than one domain

2016-09-16 Thread Alexander Bokovoy

On Fri, 16 Sep 2016, Andrey Ptashnik wrote:

Hi IPA team,

Can I use the same FreeIPA server to be a domain controller for more than one 
domain?

Define 'domain', please. The term is so overloaded that it is hard to
understand what exactly you need to control.

--
/ Alexander Bokovoy



[Freeipa-users] IPA server as a domain controller for more than one domain

2016-09-16 Thread Andrey Ptashnik
Hi IPA team,

Can I use the same FreeIPA server to be a domain controller for more than one 
domain?

Regards,

Andrey Ptashnik




Re: [Freeipa-users] login auth fails then success

2016-09-16 Thread Larry Rosen
Sorry, I thought I had pasted these previously:

What other logs do I need to add (maybe from the IPA server)?

Client system's /var/log/secure:

Sep 13 19:12:33 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=il10web
Sep 13 19:12:33 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:18:11 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=il10web
Sep 13 19:18:11 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:22:52 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=il10web
Sep 13 19:22:53 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:23:49 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=il10web
Sep 13 19:23:49 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:28:24 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=il10web
Sep 13 19:28:24 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:29:27 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=il10web
Sep 13 19:29:27 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Friday, September 16, 2016 1:39 PM
To: Larry Rosen ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] login auth fails then success

Larry Rosen wrote:
> We have a web app that logs in using a service (automated login user,
> non-expiring, non-failure count) account that leaves these log entries
> all day long.  This does not appear to cause any problems, it just makes
> my logs grow unnecessarily and creates a lot of "noise" in the log.
>
> Any ideas why it initially fails and then works?

Logs where? Can we see them?

rob
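
The pattern in the /var/log/secure lines above is the PAM auth stack working as configured on an IPA client: pam_unix runs first, cannot find the IPA-managed user in the local shadow file and logs a failure, then pam_sss authenticates the same user against IPA and succeeds. The script below is an added example, not from Larry's or Rob's messages; it pairs each pam_unix failure with the pam_sss verdict that follows it so that this fall-through noise can be counted separately from real failed logins (the ssh lines in the sample are constructed, modelled on the quoted ones).

```python
"""Separate PAM stack fall-through noise from real login failures.

Added example, not part of any post in this thread. On an IPA client the
auth stack tries pam_unix before pam_sss; pam_unix cannot find an IPA
user in the local shadow file and logs "authentication failure", then
pam_sss authenticates the same user and logs "authentication success".
A pam_unix failure paired with a pam_sss success for the same user and
PAM service within a short window is therefore expected noise; a
pam_unix failure whose pam_sss partner also fails (or never appears) is
the event worth alerting on.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the /var/log/secure lines quoted above;
# the last three lines (a genuine failed ssh login) are made up.
SAMPLE_LOG = """\
Sep 13 19:12:33 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=il10web
Sep 13 19:12:33 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:18:11 il10-app-xfs udcs: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=il10web
Sep 13 19:18:11 il10-app-xfs udcs: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=il10web
Sep 13 19:40:02 il10-app-xfs sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.99  user=il10web
Sep 13 19:40:03 il10-app-xfs sshd[2211]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.99 user=il10web
Sep 13 19:40:03 il10-app-xfs sshd[2211]: pam_sss(sshd:auth): received for user il10web: 7 (Authentication failure)
"""

# \buser= deliberately skips the "ruser=" field and lands on "user=".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\S+): "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):auth\): "
    r"authentication (?P<result>success|failure);.*?\buser=(?P<user>\S+)"
)


def parse_auth_events(text, year=2016):
    """Return one dict per pam_* 'authentication success/failure' line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # summary lines such as "received for user ..." carry no verdict
        ev = m.groupdict()
        # syslog timestamps have no year; supply one so lines can be ordered
        ev["time"] = datetime.strptime("%d %s" % (year, ev["ts"]), "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def classify(events, window_seconds=2):
    """Map user -> counts of benign fall-through pairs and real failures."""
    stats = defaultdict(lambda: {"fallthrough": 0, "real_failure": 0})
    pending = []  # pam_unix failures still waiting for pam_sss's verdict
    for ev in events:
        if ev["module"] == "pam_unix" and ev["result"] == "failure":
            pending.append(ev)
            continue
        if ev["module"] != "pam_sss":
            continue
        # pair with the newest unmatched pam_unix failure for the same
        # user and PAM service that happened within the window
        matched = False
        for i in range(len(pending) - 1, -1, -1):
            p = pending[i]
            gap = (ev["time"] - p["time"]).total_seconds()
            if (p["user"] == ev["user"] and p["service"] == ev["service"]
                    and 0 <= gap <= window_seconds):
                pending.pop(i)
                key = "fallthrough" if ev["result"] == "success" else "real_failure"
                stats[ev["user"]][key] += 1
                matched = True
                break
        if not matched and ev["result"] == "failure":
            stats[ev["user"]]["real_failure"] += 1  # pam_sss failed on its own
    for p in pending:  # pam_unix failed and pam_sss never answered: treat as real
        stats[p["user"]]["real_failure"] += 1
    return dict(stats)


def summarize(text):
    return classify(parse_auth_events(text))


if __name__ == "__main__":
    for user, counts in summarize(SAMPLE_LOG).items():
        print("%s: %d expected pam_unix->pam_sss fall-throughs, %d real failures"
              % (user, counts["fallthrough"], counts["real_failure"]))
```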




Re: [Freeipa-users] login auth fails then success

2016-09-16 Thread Rob Crittenden

Larry Rosen wrote:

We have a web app that logs in using a service (automated login user,
non-expiring, non-failure count) account that leaves these log entries
all day long.  This does not appear to cause any problems, it just makes
my logs grow unnecessarily and creates a lot of “noise” in the log.

Any ideas why it initially fails and then works?


Logs where? Can we see them?

rob



[Freeipa-users] login auth fails then success

2016-09-16 Thread Larry Rosen
We have a web app that logs in using a service (automated login user,
non-expiring, non-failure count) account that leaves these log entries all day
long.  This does not appear to cause any problems, it just makes my logs grow
unnecessarily and creates a lot of "noise" in the log.

Any ideas why it initially fails and then works?

Larry

Re: [Freeipa-users] Samba Server setup

2016-09-16 Thread Alexander Bokovoy

On Fri, 16 Sep 2016, Brook, Andy [CRI] wrote:

   You can replace actual hostnames/realm names/IP addresses by something more generic
   in the output when sending to the list, but please do it consistently.

I’m sorry. I thought I had been consistent when making changes, but
from your response, it looks like I wasn’t. I’m sorry about that. I got
yelled at by our security team last time we sent logs to a public list
that had any type of identifiable information in them, so it’s sort of
a new process for me. I think I have it down now.

The results of the commands are here: http://pastebin.com/PRwr7wv6

So IPA side works fine -- on IPA client you can kinit as AD user and
then obtain cross-realm TGT to IPA realm and use that cross-realm TGT to
request a service ticket to cifs/... service. That's good.

You need to identify what happens on AD side. A possible issue is that
name suffix routing to IPA domain is disabled.

Can you provide output of netdom.exe run on Windows side:

 netdom trust addom.domain /namesuffixes: ipa.domain

You should get something like example 28 on the page
https://msdn.microsoft.com/en-us/library/cc776879(v=ws.10).aspx

--
/ Alexander Bokovoy


Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-16 Thread Petr Vobornik
On 09/14/2016 07:26 PM, Giorgos Kafataridis wrote:
> 
> 
> On 09/13/2016 10:36 PM, Endi Sukma Dewata wrote:
>> On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote:
>>> On 9/9/2016 2:46 PM, Georgios Kafataridis wrote:
>>>> I've tried that but still the same result.
>>>>
>>>> [root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
>>>> localhost -b "uid=admin,ou=people,o=ipaca"
>>>> Enter LDAP Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base  with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 32 No such object
>>>
>>> Hi,
>>>
>>> The master's logs indicate there's an authentication issue.
>>>
>>> Could you search the whole directory to find the admin user?
>>> $ ldapsearch ... -b "o=ipaca" "(uid=admin)"
>>>
>>> Try also other suffixes that you have in the DS.
>>>
>>> If you find it, try to authenticate against DS directly as the admin
>>> user. If the authentication fails, try resetting the password.
>>
>> I believe there is actually another DS instance on CentOS 6.8 running on port
>> 7389, so make sure you check that too. If the admin user is indeed missing, it
>> will need to be recreated, assigned a password and certificate, and added to
>> the appropriate groups.
>>
>> See also: http://pki.fedoraproject.org/wiki/IPA_PKI_Users
>>
> 
> Sorry for the delay, crazy office days.
> 
> Ok, tried that and finally got a hit on the user. Indeed in 6.x you also have 
> 7389 to look for.
> 
> *Master*
> 
> # ldapsearch -h localhost -p 7389 -b "o=ipaca" "(uid=admin)" -x -W
> Enter LDAP Password:
> 
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (uid=admin)
> # requesting: ALL
> #
> 
> # admin, people, ipaca
> dn: uid=admin,ou=people,o=ipaca
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: cmsuser
> uid: admin
> sn: admin
> cn: admin
> mail: root@localhost
> usertype: adminType
> userstate: 1
> description: 2;6;CN=Certificate Authority,O=NELIOS;CN=ipa-ca-agent,O=NELIOS
> userCertificate:: 
> MIIDaTCCAlGgAwIBAgIBBjANBgkqhkiG9w0BAQsFADAxMQ8wDQYDVQQKEwZO
> .
> .
> .
> .
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> 
> *Replica Server*
> 
> [root@ipa2-server2 ~]# ldapsearch -h ipa-server.nelios -p 7389 -b "o=ipaca" 
> "(uid=admin)" -x -W
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (uid=admin)
> # requesting: ALL
> #
> 
> # admin, people, ipaca
> dn: uid=admin,ou=people,o=ipaca
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: cmsuser
> uid: admin
> sn: admin
> cn: admin
> mail: root@localhost
> usertype: adminType
> userstate: 1
> 
> Password is valid in both cases.
> 
> So the user is there and can be retrieved from the replica. Assuming that
> ipa-replica-install also tries 7389, the only thing I can try now is "ipa
> cert-request --uid admin" to create a new certificate, generate a new cacert.p12
> and retry the install?
> 
> 

In the other subthread there was a log from the CentOS 6 machine:

/var/log/pki-ca/system

5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [6] [6] Failed to
authenticate as admin UID=admin. Error: netscape.ldap.LDAPException:
error result (49)
5337.TP-Processor3 - [09/Sep/2016:22:59:42 EEST] [3] [3] Servlet
caGetCookie: Error getting servlet output stream when rendering
template. Error Invalid Credential..

Which to me looks like a wrong password. That supports my original
theory that the IPA admin user and the CA admin user shared the same password
but it got out of sync. During replica installation the IPA admin
user is used to authenticate as the PKI admin user.

If that is correct then changing PKI admin user's (
uid=admin,ou=people,o=ipaca ) password to IPA admin user's password
might fix the issue.

-- 
Petr Vobornik



Re: [Freeipa-users] ipa-server-certinstall -w -d mysite.key mysite.crt

2016-09-16 Thread Petr Vobornik
On 09/15/2016 12:42 PM, Günther J. Niederwimmer wrote:
> Hello,
> 
> FreeIPA 4.3.1
> 
> is it a workaround to install the key and cert
> 
> with this command I have to insert a password, but the key file have no 
> password?
> 
> Afterward I have a Error from ipa-server-certinstall ?
> 
> Thanks for the Help
> 

Looks to me like a bug: https://fedorahosted.org/freeipa/ticket/6032

It was fixed in FreeIPA 4.4.1 (will be in Fedora 25)

-- 
Petr Vobornik



Re: [Freeipa-users] how to revert ipa-adtrust-install...

2016-09-16 Thread Petr Vobornik
On 09/16/2016 01:51 PM, lejeczek wrote:
> I appreciate the fact that it might be a complex task, however a
> supported (CLI) way to, if not revert it all back to the pre-install state,
> at least take Samba out of IPA's hands would be nice to have.
> Would it be ok to leave the IPA+ds389 part as is and only change,
> reconfigure Samba? I believe so; if yes, then a CLI option to achieve
> this would be very desirable.
> Rob's workaround only... "built-in".

Out of curiosity: is there a partial broader use case behind this
feature request?

> 
> many thanks
> 
> On 16/09/16 05:57, Alexander Bokovoy wrote:
>> So we decided to not perform 'ipa-adtrust-install --uninstall' as it
>> makes no sense. If somebody is willing to uninstall
>> 'ipa-adtrust-install', then they need to realize what they are doing, as it
>> would need to remove certain configuration in IPA LDAP because there are
>> actual 389-ds plugins that depend on the configuration and work jointly
>> with the ipasam module in Samba to provide a common setup. If 'ipasam' is
>> missing, those modules also become useless.
> 


-- 
Petr Vobornik



Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-16 Thread Petr Vobornik
On 09/16/2016 04:22 PM, Rob Crittenden wrote:
> Natxo Asenjo wrote:
>> hi,
>>
>>
>> On Fri, Sep 16, 2016 at 10:34 AM, Martin Basti wrote:
>>
>>
>>
>> On 16.09.2016 09:38, Natxo Asenjo wrote:
>>> hi,
>>>
>>>
>>> On Thu, Sep 15, 2016 at 1:03 PM, Natxo Asenjo
>>>
>>> On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti wrote:
>>>
>>>
>>>
>>> On 15.09.2016 12:44, Natxo Asenjo wrote:
>>>> hi,
>>>>
>>>> On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti wrote:
>>>>
>>>>
>>>> Hello,
>>>>
>>>> usually the most information can be found here
>>>> /var/log/pki/pki-tomcat/ca/debug
>>>>
>>>>
>>>> mmm, in this centos 6.8 system that does not exist:
>>>>
>>>> # ls -l /var/log/pki/pki-tomcat/ca/debug
>>>> ls: cannot access /var/log/pki/pki-tomcat/ca/debug: No
>>>> such file or directory
>>>>
>>>>
>>>> I do have a /var/log/pki-ca/debug
>>>>

>>> Does it contain any information related to your issue?
>>>
>>>
>>> I have tried renewing the certificate:
>>>
>>> ipa-getcert resubmit -i 20121107212513
>>>
>>>
>>> If I grep that file for that request id I find nothing recent,
>>> just in the ipaserver installation log
>>>
>>> # cd /var/log
>>> # grep -ri 20121107212513 *.log
>>> ipaserver-install.log:2012-11-07T21:25:13Z DEBUG stdout=New
>>> tracking request "20121107212513" added.
>>>
>>> # grep -ri 20121107212513 pki-ca
>>> #
>>>
>>>
>>> Any clues?
>>>
>>>
>>> --
>>> Groeten,
>>> natxo
>>
>>
>> Sorry, I'm quite lost here, maybe somebody from dogtag can help what
>> might be reason of those CA errors
>>
>>
>>
>> do I need to ask in the dogtag list?
> 
> You won't find any errors on this in the dogtag logs because it isn't
> getting that far.
> 
> The 3 certs you list are the ones that are renewed via the IPA API (as
> opposed to the subsystem certs renewed directly by dogtag). I think the
> failures are all related. I had someone else report the CSR decoding
> failure and he just restarted IPA and that fixes things for him though
> it was a rather unsatisfying fix.
> 
> What I'd do is this. Assuming each step works, move onto the next.
> 
> 1. ipa cert-show 1
> 
> The serial # picked more or less at random, we're testing connectivity
> and that the CA is up and operational.
> 
> 2. I assume that getcert list | grep expire shows all certs currently
> valid? The IPA service certs expire in a month, how about the CA
> subsystem certs?
> 
> 3. Is this the same server having problems talking to the CA due to the
> other NSS errors? If so what I'd do is restart httpd then immediately
> use ipa-getcert to resubmit the requests to try to get into that few
> minute window.

The error log from the thread "[Freeipa-users] ipa: ERROR: Certificate format
error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an
old, unsupported format." looks like it.

> 
> If this is the same box you already have debugging enabled so seeing
> what that shows might be helpful.
> 
> rob
> 


-- 
Petr Vobornik



Re: [Freeipa-users] Samba Server setup

2016-09-16 Thread Brook, Andy [CRI]
On 9/16/16, 12:04 AM, "Alexander Bokovoy" wrote:

On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
>On 9/15/16, 1:06 PM, "Alexander Bokovoy" wrote:
>
>On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
>>All,
>>  I’m working on setting up Samba to serve files from a server attached
>>  to our IPA domain. I followed the directions in
>>  https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA.
>>  Everything seems to work and I can access the files from another RHEL
>>  server attached to the same domain using a Kerberos ticket from a
>>  user from the trusted AD domain. However, I can’t access this share
>>  from a windows client that is also attached to the trusted AD domain.
>>
>>My smb.conf is as follows:
>>[global]
>>workgroup = IPA
>>realm = IPA.DOMAIN
>>kerberos method = dedicated keytab
>>dedicated keytab file = FILE:/etc/samba/samba.keytab
>>log file = /var/log/samba/log.%m
>>log level = 3
>>security = ads
>>load printers = no
>>disable spoolss = yes
>>map to guest = Never
>>restrict anonymous = 2
>>
>>[spacetest]
>>path = /var/www
>>writable = yes
>>browsable = yes
>>
>>I put the keytab in place from the cifs service from the IPA server.
>>
>>I feel like I’m missing something small, but I can’t seem to find it.
>>Logs from samba are here: http://pastebin.com/aMDXfR78
>These logs show that your Windows client did not use Kerberos but tried
>to authenticate with password using NTLMSSP. This is not supported yet,
>as written on the page you used for the setup guidance.
>
>You need to find out why Windows client didn't use Kerberos.
>Is your trust to AD really working?
>
>We’re authenticating AD users on the hosts that are connected to IPA.
>We’re able to create external groups and associate them with internal
>groups for HBAC and sudoers rules. Is there something else I should
>check to see if the trust is working? It’s entirely possible I missed
>something somewhere in the setup, but I don’t think I did.
Start by listing your configuration. Show:
 - ipa service-show cifs/samba.server.host (using FQDN hostname)

 - ipa trust-show ad.domain

 - kinit user@AD.DOMAIN ;  KRB5_TRACE=/dev/stderr smbclient -k 
//samba.server.host/share

 - Try to access \\samba.server.host\share from Windows host and then
   show 'klist' in the Windows shell, or alternatively,

 - if you are using Windows Server 2012 or later, show output of
   'klist get cifs/samba.server.host@IPA.DOMAIN'

 - show any lines related to use user@AD.DOMAIN and
   cifs/samba.server.host from /var/log/krb5kdc.log on IPA master

You can replace actual hostnames/realm names/IP addresses by something more generic
in the output when sending to the list, but please do it consistently.

I’m sorry. I thought I had been consistent when making changes, but from your 
response, it looks like I wasn’t. I’m sorry about that. I got yelled at by our 
security team last time we sent logs to a public list that had any type of 
identifiable information in them, so it’s sort of a new process for me. I think 
I have it down now. 

The results of the commands are here: http://pastebin.com/PRwr7wv6


Andy Brook
Sr. Systems Administrator | Center for Research Informatics | University of 
Chicago
T: 773-834-0458 | http://cri.uchicago.edu







Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-16 Thread Petr Vobornik
On 09/16/2016 09:39 AM, Natxo Asenjo wrote:
> hi,
> 
> 
> Any clues?
> 

output of
   $ cat error_log | grep INFO -A 1 | cut -c -120
shows that first cert-show was successful. It was followed by cert-request.

cert-request internally called
- host-show
  - cert_show(1) success
  - cert_show(162) success
  -   ipaserver.plugins.dogtag.ra.get_certificate()
 https_request 'https://xx.xxx.xxx.xx:443/ca/agent/ca/displayBySerial'
  - cert_revoke(162, revocation_reason=4)
 - cert_show(162) success
 - cert_show(1) - success
 - ipaserver.plugins.dogtag.ra.revoke_certificate()
   - https_request 'https://xx.xxx.xxx.xx:443/ca/agent/ca/doRevoke'

ends with:

NetworkError
[Thu Sep 15 13:08:23 2016] [error] ipa: DEBUG: response: NetworkError:
cannot connect to 'https://xx.xxx.xxx.xx:443/ca/agent/ca/doRevoke':
(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

After it, every other communication with the CA ends with the issue in the subject:

cert_show(u'15'): NetworkError
[Thu Sep 15 13:08:26 2016] [error] ipa: DEBUG: response: NetworkError:
cannot connect to
'https://xx.xxx.xxx.xxl:443/ca/agent/ca/displayBySerial':
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
unsupported format.

So the main issue is "NSS could not shutdown." Investigation of that is
beyond me.

Maybe a workaround could be to first revoke the existing cert for the host and
then request a new one, which might trigger a different sequence of
calls and hopefully not reproduce the issue. But the issue will still be
present.

-- 
Petr Vobornik



Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-16 Thread Rob Crittenden

Natxo Asenjo wrote:

hi,


On Fri, Sep 16, 2016 at 10:34 AM, Martin Basti wrote:



On 16.09.2016 09:38, Natxo Asenjo wrote:

hi,


On Thu, Sep 15, 2016 at 1:03 PM, Natxo Asenjo

On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti wrote:



On 15.09.2016 12:44, Natxo Asenjo wrote:

hi,

On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti wrote:


Hello,

usually the most information can be found here
/var/log/pki/pki-tomcat/ca/debug


mmm, in this centos 6.8 system that does not exist:

# ls -l /var/log/pki/pki-tomcat/ca/debug
ls: cannot access /var/log/pki/pki-tomcat/ca/debug: No
such file or directory


I do have a /var/log/pki-ca/debug



Does it contain any information related to your issue?


I have tried renewing the certificate:

ipa-getcert resubmit -i 20121107212513


If I grep that file for that request id I find nothing recent,
just in the ipaserver installation log

# cd /var/log
# grep -ri 20121107212513 *.log
ipaserver-install.log:2012-11-07T21:25:13Z DEBUG stdout=New
tracking request "20121107212513" added.

# grep -ri 20121107212513 pki-ca
#


Any clues?


--
Groeten,
natxo



Sorry, I'm quite lost here, maybe somebody from dogtag can help what
might be reason of those CA errors



do I need to ask in the dogtag list?


You won't find any errors on this in the dogtag logs because it isn't 
getting that far.


The 3 certs you list are the ones that are renewed via the IPA API (as 
opposed to the subsystem certs renewed directly by dogtag). I think the 
failures are all related. I had someone else report the CSR decoding 
failure and he just restarted IPA and that fixes things for him though 
it was a rather unsatisfying fix.


What I'd do is this. Assuming each step works, move onto the next.

1. ipa cert-show 1

The serial # picked more or less at random, we're testing connectivity 
and that the CA is up and operational.


2. I assume that getcert list | grep expire shows all certs currently 
valid? The IPA service certs expire in a month, how about the CA 
subsystem certs?


3. Is this the same server having problems talking to the CA due to the 
other NSS errors? If so what I'd do is restart httpd then immediately 
use ipa-getcert to resubmit the requests to try to get into that few 
minute window.


If this is the same box you already have debugging enabled so seeing 
what that shows might be helpful.


rob
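
Rob's step 2 asks whether `getcert list | grep expire` shows every certificate still valid, and the thread's subject is a request sitting in CA_UNREACHABLE. As an added example that is not from Rob's or anyone's post, the script below parses full `getcert list` output and flags requests that are not in MONITORING, carry a ca-error, are stuck, or expire within a warning window. The sample output, hostnames, realm, dates and all request IDs except Natxo's 20121107212513 are constructed.

```python
"""Audit certmonger `getcert list` output for stuck or expiring requests.

Added example, not part of the thread. It turns Rob's manual checks
(is every request MONITORING, is anything close to expiry, which request
shows CA_UNREACHABLE) into a function whose result can be asserted on or
fed to monitoring instead of being eyeballed.
"""
import re
from datetime import datetime

# Constructed sample laid out like `getcert list`; hostnames, realm, dates and
# every request ID except the one quoted in the thread are made up.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20121107212513':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction).
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-10-16 09:32:18 UTC
Request ID '20121107212514':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2016-10-20 11:05:40 UTC
Request ID '20121107212515':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\texpires: 2032-11-07 21:20:00 UTC
"""

# Fixed "now" so the example is reproducible; pass datetime.utcnow() for live use.
EXAMPLE_NOW = datetime(2016, 9, 16, 12, 0, 0)


def parse_getcert(text):
    """Split `getcert list` output into one dict of 'field: value' pairs per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line before the first request, or a blank
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def audit(text, now=EXAMPLE_NOW, warn_days=30):
    """Return per-request findings; an empty 'reasons' list means healthy."""
    findings = []
    for req in parse_getcert(text):
        reasons = []
        status = req.get("status", "UNKNOWN")
        if status != "MONITORING":
            reasons.append("status %s" % status)
        if req.get("stuck", "no") != "no":
            reasons.append("request is stuck")
        if "ca-error" in req:
            reasons.append("ca-error: %s" % req["ca-error"])
        days_left = None
        if "expires" in req:
            # certmonger prints e.g. "2016-10-16 09:32:18 UTC"
            expires = datetime.strptime(req["expires"].replace(" UTC", ""),
                                        "%Y-%m-%d %H:%M:%S")
            days_left = (expires - now).days
            if days_left < 0:
                reasons.append("expired %d days ago" % -days_left)
            elif days_left <= warn_days:
                reasons.append("expires in %d days" % days_left)
        nick = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
        findings.append({
            "id": req["id"],
            "nickname": nick.group(1) if nick else None,
            "status": status,
            "days_left": days_left,
            "reasons": reasons,
        })
    return findings


def needs_attention(text, now=EXAMPLE_NOW, warn_days=30):
    return [f for f in audit(text, now, warn_days) if f["reasons"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_GETCERT):
        state = "; ".join(f["reasons"]) or "ok"
        print("%s %-28s %-15s %6s days  %s"
              % (f["id"], f["nickname"], f["status"], f["days_left"], state))
```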



Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-16 Thread Ben Lipton

On 09/16/2016 03:39 AM, Natxo Asenjo wrote:

hi,


On Thu, Sep 15, 2016 at 2:25 PM, Natxo Asenjo wrote:


hi,

attached error_log



Any clues?

Thanks!

--
Groeten,
natxo


Sorry, I'm not having any luck tracking down the answer. Maybe someone 
else has an idea.


Looking at the code, /etc/httpd/alias does seem to be the relevant database.

One last thought: does anything change if selinux is in permissive mode? 
Is there anything interesting in /var/log/audit/audit.log? Again, it 
doesn't make a whole lot of sense because it works sometimes, but maybe 
something is changing a few minutes after boot time?

[Freeipa-users] 3rd party Cert install now IPA total broken

2016-09-16 Thread Günther J. Niederwimmer
Hello,
FreeIPA 4.3.1

I have now installed a 3rd party certificate from StartCom and now my IPA is totally
broken?
I did this:

ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install root.crt

ipa-certupdate

ipa-server-certinstall -w -d ipa_3rd_ca.p12

I created this p12 with key.pem, cert.pem and root.crt

I also inserted the intermediate.crt into the cert.pem

Kerberos doesn't start anymore?
The error is
 Unspecified GSS failure. Minor (2529639068): Cannot contact any KDC for realm
'4GJN.COM'

After inserting in nss.conf
"NSSEnforceValidCerts off"

ipactl restart is starting (?) but

ipactl status tells me
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

With certutil -d /etc/httpd/alias -L I now have this
Certificate Nickname                           Trust Attributes
                                               SSL,S/MIME,JAR/XPI

Signing-Cert                                   u,u,u
4GJN_CA_FILE                                   u,u,u
ipaCert                                        u,u,u
4GJN.COM IPA CA                                CT,C,C
STARTCOM-ROOT                                  C,,

I can insert in nss.conf either the
#NSSNickname "Signing-Cert" original
or
NSSNickname 4GJN_CA_FILE but all is now broken?

I also add this, found in Bugzilla
 certutil -d /var/lib/pki/pki-tomcat/alias -L

Certificate Nickname                           Trust Attributes
                                               SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                    u,u,u
subsystemCert cert-pki-ca                      u,u,u
caSigningCert cert-pki-ca                      CTu,Cu,Cu
Server-Cert cert-pki-ca                        u,u,u
auditSigningCert cert-pki-ca                   u,u,Pu
STARTCOM-ROOT                                  CT,,

This is created in the

certutil -d /etc/dirsrv/slapd-4GJN.COM -L

Certificate Nickname                           Trust Attributes
                                               SSL,S/MIME,JAR/XPI

4GJN_CA_FILE                                   u,u,u
4GJN.COM IPA CA                                CT,C,C
STARTCOM-ROOT                                  C,,

Can anyone help a little, please ;-)

The bad problem: I tested this with my master server with DNS / DNSSEC, which I can't
reinstall (DNSSEC keys)

-- 
Kind regards / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] how to revert ipa-adtrust-install...

2016-09-16 Thread Alexander Bokovoy

On Fri, 16 Sep 2016, lejeczek wrote:
I appreciate the fact that it might be a complex task, however a
supported (CLI) way to, if not revert it all back to the pre-install state,
at least take Samba out of IPA's hands would be nice to have.
Would it be ok to leave the IPA+ds389 part as is and only change,
reconfigure Samba? I believe so; if yes, then a CLI option to achieve
this would be very desirable.

Rob's workaround only... "built-in".

We looked at it from multiple angles and decided against it. You are
welcome to create a script for that and publish it.


--
/ Alexander Bokovoy



Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-16 Thread Natxo Asenjo
hi,


On Fri, Sep 16, 2016 at 10:34 AM, Martin Basti wrote:

>
>
> On 16.09.2016 09:38, Natxo Asenjo wrote:
>
> hi,
>
>
> On Thu, Sep 15, 2016 at 1:03 PM, Natxo Asenjo  
>>
>> On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti wrote:
>>
>>>
>>>
>>> On 15.09.2016 12:44, Natxo Asenjo wrote:
>>>
>>> hi,
>>>
>>> On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti 
>>> wrote:
>>>

>>>> Hello,
>>>>
>>>> usually the most information can be found here
>>>> /var/log/pki/pki-tomcat/ca/debug

>>>
>>> mmm, in this centos 6.8 system that does not exist:
>>>
>>> # ls -l /var/log/pki/pki-tomcat/ca/debug
>>> ls: cannot access /var/log/pki/pki-tomcat/ca/debug: No such file or
>>> directory
>>>
>>>
>>> I do have a /var/log/pki-ca/debug
>>>
>>>
>>>
>>> Does it contain any information related to your issue?
>>>
>>
>> I have tried renewing the certificate:
>>
>> ipa-getcert resubmit -i 20121107212513
>>
>>
>> If I grep that file for that request id I find nothing recent, just in
>> the ipaserver installation log
>>
>> # cd /var/log
>> # grep -ri 20121107212513 *.log
>> ipaserver-install.log:2012-11-07T21:25:13Z DEBUG stdout=New tracking
>> request "20121107212513" added.
>>
>> # grep -ri 20121107212513 pki-ca
>> #
>>
>>
> Any clues?
>
>
> --
> Groeten,
> natxo
>
>
>
> Sorry, I'm quite lost here, maybe somebody from dogtag can help what might
> be reason of those CA errors
>


do I need to ask in the dogtag list?
-- 
--
Groeten,
natxo

Re: [Freeipa-users] how to revert ipa-adtrust-install...

2016-09-16 Thread lejeczek
I appreciate the fact that it might be a complex task, 
however a supported (CLI) way to if not revert it all back to 
pre-install state but at least to take samba out of IPA's 
hands would be nice to have.
Would it be ok to leave IPA+ds389 part as is and only 
change, reconfigure Samba - I believe so - if yes then a CLI 
option to achieve this would be very desired.

Rob's workaround only... "built-in".

many thanks

On 16/09/16 05:57, Alexander Bokovoy wrote:
So we decided to not perform 'ipa-adtrust-install --uninstall' as it
makes no sense. If somebody is willing to uninstall
'ipa-adtrust-install', then they need to realize what they are doing as it
would need to remove certain configuration in IPA LDAP because there are
actual 389-ds plugins that depend on the configuration and work jointly
with ipasam module in Samba to provide common setup. If 'ipasam' is
missing, those modules also become useless.




Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-16 Thread Lukas Slebodnik
On (15/09/16 11:46), Venkataramana Kintali wrote:
>Hi Lukas,
>ssh_config is also same on all servers.
>Our need is to do it both  ways, to be able to login with ssh public
>keys(uploaded in IPA) and disable password login, and be able to access
>allhosts within the same IPA domain silently from any host.
>Hoping the configs will help, I am including the configurations here.
>
>ssh_config file :  http://pastebin.com/MWHyH1Qw
>sshd_config file: http://pastebin.com/gpn5XhXM
>sssd_config file: http://pastebin.com/5Pby6xKp
>
Looks good to me

>I just used some placeholders for sssd_config file in pastebin instead of
>actual values.
>

In initial mail you wrote:
>I am able to login to some IPA clients but not able to login to other IPA
>clients with putty using private key and passphrase.
Therefore your previous test case is wrong.
If you want to test authentication with public keys
then you cannot obtain krb5 ticket with kinit.

I would also recommend to call kdestroy before
authentication with ssh to be sure that gssapi
authentication will not be used.

I would recommend to set "debug_level = 7" in domain and ssh section
on the server where you would like to authenticate.
Then restart sssd and try to authenticate with ssh + verbose mode
e.g. ssh -v u...@remote.host

Then I would recommend to compare logs from working server
and from broken server.

LS

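The debugging procedure Lukas describes (raise sssd's debug_level in the domain and ssh sections, restart, retry with ssh -v) is easy to get wrong by editing only one of the two sections. The following is an added example, not code from the thread or from the sssd project: it takes a constructed sssd.conf (the domain name example.test is a placeholder) and sets debug_level in every [domain/...] section and in [ssh], then reports which sections carry the setting so the change can be checked before restarting.

```python
import configparser
import io

# Constructed sample sssd.conf for the example; example.test and
# ipa.example.test are placeholders, not values from the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test
services = nss, pam, ssh

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
debug_level = 1

[nss]

[pam]

[ssh]
"""


def set_debug_level(conf_text, level=7):
    """Return (new_text, changed_sections) with debug_level set in every
    [domain/...] section and in [ssh], as the thread recommends."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(conf_text)
    changed = []
    for section in cp.sections():
        if section.startswith("domain/") or section == "ssh":
            cp.set(section, "debug_level", str(level))
            changed.append(section)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue(), changed


def debug_levels(conf_text):
    """Map every section to its debug_level (None when unset), for verification."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {s: cp.get(s, "debug_level", fallback=None) for s in cp.sections()}


if __name__ == "__main__":
    new_text, changed = set_debug_level(SAMPLE_SSSD_CONF)
    print("sections changed:", changed)
    print(new_text)
```

sssd.conf must stay owned by root with mode 0600 or sssd refuses to start, so write the result back with the original permissions, then restart sssd. The domain log lands in /var/log/sssd/sssd_<domain>.log and the ssh responder log in /var/log/sssd/sssd_ssh.log. To make sure the client test really exercises public keys and not a Kerberos ticket, run kdestroy first and use ssh -v -o GSSAPIAuthentication=no -o PreferredAuthentications=publickey; level 7 is verbose, so lower it again once the working and broken servers have been compared.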


Re: [Freeipa-users] ipa trust-add using password

2016-09-16 Thread Alexander Bokovoy

On Fri, 16 Sep 2016, Troels Hansen wrote:

Hi, we are having some issues creating an IPA-AD trust, using password, and not 
shared secret, because of the error where name routing not getting created on 
AD if using shared secret.

We have an AD domain tree with a top level domain and a domain below that where 
the users are located. We try to join the top level domain as a trust exists 
between those two domains.

Everything worked in our test setup, where we joined using a shared secret.

We try to join our AD using this command:
ipa trust-add  --type=ad --admin  @ 
--password

However, we receive one of these two error messages:

ipa: ERROR: CIFS server communication error: code "- 1073741712 ",
message "Invalid workstation" (both may be "None")

ipa: ERROR: AD domain controller complains about communication
sequence. It may mean unsynchronized time on both sides, for example

I think the first message was caused by some login restrictions on the user 
used to join, as it seems we don't receive that error message anymore, and we 
receive the second error every time we try to join.

We have tried pointing it to a specific server with the "--server" option, but 
that didn't change anything.


If you add 'log level = 50' to /usr/share/ipa/smb.conf.empty, then
/var/log/httpd/error_log will contain detailed debug information from
IPA attempts to talk to AD DCs.

--
/ Alexander Bokovoy



Re: [Freeipa-users] 2FA using FreeIPA

2016-09-16 Thread Lukas Slebodnik
On (13/09/16 03:49), Deepak Dimri wrote:
>Hi All,
>I have below lines added to my sshd_config file for testuser.  
>
>
>
>Match User testuser
>AuthenticationMethods publickey,password:pam 
> publickey,keyboard-interactive:pam
>I have OTP enable for tapuser in IPA and i am able to login to GUI using the 
>password + OTP.  However when i try to ssh i am getting prompted for first 
>factor then second factor and then it ends with "Permission denied 
>(keyboard-interactive)." error.  What could be wrong here? 
>Regards,Deepak
>
Please provide versions of freeIPA server packages, version of sssd.
And it would be good to see the exact output of ssh authentication.

LS



[Freeipa-users] ipa trust-add using password

2016-09-16 Thread Troels Hansen
Hi, we are having some issues creating an IPA-AD trust, using password, and not 
shared secret, because of the error where name routing not getting created on 
AD if using shared secret. 

We have an AD domain tree with a top level domain and a domain below that where 
the users are located. We try to join the top level domain as a trust exists 
between those two domains. 

Everything worked in our test setup, where we joined using a shared secret. 

We try to join our AD using this command: 
ipa trust-add  --type=ad --admin  @ 
--password 

However, we receive one of these two error messages: 

ipa: ERROR: CIFS server communication error: code "- 1073741712 ", 
message "Invalid workstation" (both may be "None") 

ipa: ERROR: AD domain controller complains about communication 
sequence. It may mean unsynchronized time on both sides, for example 

I think the first message was caused by some login restrictions on the user 
used to join, as it seems we don't receive that error message anymore, and we 
receive the second error every time we try to join. 

We have tried pointing it to a specific server with the "--server" option, but 
that didn't change anything. 


-- 


Med venlig hilsen 

Troels Hansen 

Systemkonsulent 

Casalogic A/S 


T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos og 
meget mere. 
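The first error ipa prints in Troels's message (code "- 1073741712 ") is a Windows NTSTATUS value rendered as a signed 32-bit decimal, which is why it looks meaningless. Decoding it supports the guess in the thread that the join account has a workstation logon restriction. The following is an added example, not code from the thread or from FreeIPA: it parses the error line as printed (including the stray spaces inside the quotes), converts the signed value back to the unsigned NTSTATUS, and splits it into severity, facility and code. The small name table is an assumption taken from the public NTSTATUS definitions, not from the thread.

```python
import re

# Constructed sample: the error line as ipa printed it in the thread, with
# the odd spacing inside the quotes preserved.
SAMPLE_ERROR = (
    'ipa: ERROR: CIFS server communication error: code "- 1073741712 ", '
    'message "Invalid workstation" (both may be "None")'
)

# Assumption: a few NTSTATUS values that commonly surface when a trust join
# fails, taken from the public Windows NTSTATUS definitions.
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
}


def parse_code(error_line):
    """Extract the signed decimal code from an 'ipa: ERROR: ... code "..."' line."""
    m = re.search(r'code "\s*(-?)\s*(\d+)\s*"', error_line)
    if not m:
        raise ValueError("no error code found in line")
    value = int(m.group(2))
    return -value if m.group(1) == "-" else value


def to_ntstatus(signed):
    """Reinterpret a signed 32-bit integer as the unsigned NTSTATUS it encodes."""
    return signed & 0xFFFFFFFF


def decode(ntstatus):
    """Split an NTSTATUS into its documented fields."""
    return {
        "hex": f"0x{ntstatus:08X}",
        "severity": ntstatus >> 30,          # 0 success, 1 info, 2 warning, 3 error
        "customer": (ntstatus >> 29) & 1,    # 1 = vendor-defined code
        "facility": (ntstatus >> 16) & 0x0FFF,
        "code": ntstatus & 0xFFFF,
        "name": NTSTATUS_NAMES.get(ntstatus, "unknown"),
    }


def decode_error_line(line):
    """Convenience wrapper: ipa error line -> decoded NTSTATUS fields."""
    return decode(to_ntstatus(parse_code(line)))


if __name__ == "__main__":
    for key, value in decode_error_line(SAMPLE_ERROR).items():
        print(f"{key:9} {value}")
```

Severity 3 with facility 0 marks a generic error from the AD side rather than a transport problem, and STATUS_INVALID_WORKSTATION is what a domain controller returns when the account's "Log On To" restriction does not include the host making the request, which is exactly the kind of logon restriction the thread suspects. The second message (communication sequence, unsynchronized time) has no numeric code in the output, so it has to be chased through the Samba log level Alexander suggests.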

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-16 Thread Martin Basti



On 16.09.2016 09:38, Natxo Asenjo wrote:

hi,


On Thu, Sep 15, 2016 at 1:03 PM, Natxo Asenjo 


On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti wrote:



On 15.09.2016 12:44, Natxo Asenjo wrote:

hi,

On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti wrote:


Hello,

usually the most information can be found here
/var/log/pki/pki-tomcat/ca/debug


mmm, in this centos 6.8 system that does not exist:

# ls -l /var/log/pki/pki-tomcat/ca/debug
ls: cannot access /var/log/pki/pki-tomcat/ca/debug: No such
file or directory


I do have a /var/log/pki-ca/debug



Does it contain any information related to your issue?


I have tried renewing the certificate:

ipa-getcert resubmit -i 20121107212513


If I grep that file for that request id I find nothing recent,
just in the ipaserver installation log

# cd /var/log
# grep -ri 20121107212513 *.log
ipaserver-install.log:2012-11-07T21:25:13Z DEBUG stdout=New
tracking request "20121107212513" added.

# grep -ri 20121107212513 pki-ca
#


Any clues?


--
Groeten,
natxo



Sorry, I'm quite lost here, maybe somebody from dogtag can help what 
might be reason of those CA errors

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-16 Thread Natxo Asenjo
hi,


On Thu, Sep 15, 2016 at 2:25 PM, Natxo Asenjo 
wrote:

> hi,
>
> attached error_log
>


Any clues?

Thanks!

-- 
--
Groeten,
natxo

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-16 Thread Natxo Asenjo
hi,


On Thu, Sep 15, 2016 at 1:03 PM, Natxo Asenjo 
>
> On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti  wrote:
>
>>
>>
>> On 15.09.2016 12:44, Natxo Asenjo wrote:
>>
>> hi,
>>
>> On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti  wrote:
>>
>>>
>>> Hello,
>>>
>>> usually the most information can be found here
>>> /var/log/pki/pki-tomcat/ca/debug
>>>
>>
>> mmm, in this centos 6.8 system that does not exist:
>>
>> # ls -l /var/log/pki/pki-tomcat/ca/debug
>> ls: cannot access /var/log/pki/pki-tomcat/ca/debug: No such file or
>> directory
>>
>>
>> I do have a /var/log/pki-ca/debug
>>
>>
>>
>> Does it contain any information related to your issue?
>>
>
> I have tried renewing the certificate:
>
> ipa-getcert resubmit -i 20121107212513
>
>
> If I grep that file for that request id I find nothing recent, just in the
> ipaserver installation log
>
> # cd /var/log
> # grep -ri 20121107212513 *.log
> ipaserver-install.log:2012-11-07T21:25:13Z DEBUG stdout=New tracking
> request "20121107212513" added.
>
> # grep -ri 20121107212513 pki-ca
> #
>
>
Any clues?


--
Groeten,
natxo