Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-20 Thread Jakub Hrozek
On Fri, Oct 21, 2016 at 04:07:16PM +1100, Robert Sturrock wrote:
> > On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> > […]
> > > However, when I try logging in as a student domain user 
> > > (student.example.au),
> > > I don't see any of the groups (there should be 8):
> > > 
> > > $ ssh -l rnst@student.example.au ipa-client-rh7.ipa.example.au
> > > [rnst@ipa-client-rh7 ~]$ groups
> > > rnst
> > > 
> > > Is this expected behaviour?  Is there a possible client configuration that
> > > will support our AD forest setup or is this simply not possible?
> > 
> > What you did is quite correct, but unfortunately works only with
> > RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
> 
> I tried the same configuration on FC24, which has sssd-1.14.1-3, but it 
> didn’t work for the student domain either:
> 
> $ ssh -l r...@student.example.au ipa-client-fc24.ipa.example.au
> -sh-4.3$ groups
> rnst
> 
> Is the version shipping with RHEL7.3 likely to be different?

No, it's pretty much the same. Can you take a look at the logs and
create a dump of the ldb cache, please?

See:
https://fedorahosted.org/sssd/wiki/Troubleshooting

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Promote CA-less replica

2016-10-20 Thread James Harrison
Hi, thanks again.
Lastly, we've switched away from Ubuntu's FreeIPA due to a bad Samba 
compilation choice stopping AD trusts from working (samba isn't using MIT 
kerberos).  We're now using CentOS 7.2. 

While we know the CentOS version will operate correctly, we only get to use 4.2 
of FreeIPA, but the Ubuntu version is 4.4.2. Is there 4.4.2 for CentOS?
Best regards
James Harrison

From: Rob Crittenden
To: James Harrison; Martin Babinsky; "freeipa-users@redhat.com"
Sent: Wednesday, 19 October 2016, 14:28
Subject: Re: [Freeipa-users] Promote CA-less replica
James Harrison wrote:
> Hi,
> Martin thanks for your quick response. Based on your comments. I have
> further questions.
>
>  >> equal peers and can be considered masters
>
> 1. Is there any urgency for us to recreate a "master" server to perform
> any "master" type functions? How do we re-attach "replicas" to this new
> "master"?

Like he said, all IPA servers are equal (some are just more equal than 
others). If you truly have a CA-less system then the only thing that 
distinguishes one master from another is the presence of the DNS 
service. From below it looks like you install DNS on all which makes 
them all masters.

You can manage the replication topology using ipa-replica-manage.

>
>  >> As long as the others have valid CA and server certs
> 2. This is the install script we are using on the "replicas"
>
> ipa-replica-install \
>      --setup-dns --ssh-trust-dns --no-dnssec-validation \
>      -p x \
>      --admin-password=xxx \
>      --ip-address=replica_ip  \
>      --no-forwarders \
>      -U --mkhomedir --log-file=freeipa_log_file $1
>
> 3. The $1 is the cert generated from the "master".  If there's no
> distinction between a "master" and a "replica" in a CA-less environment,
> can a "replica" run the ipa-replica-prepare script once
> ipa-replica-install has been successfully run?

I think you mean $1 is the replica file generated from some master. 
Seeing how you generate that would tell us whether you are truly in a 
CA-less environment or not (e.g. you'd need to pass in PKCS#12 files to 
ipa-replica-prepare).

To answer your question, yes. In a CA-less environment any master can 
generate a prepare file.

You can add/remove connections using ipa-replica-manage. The initial 
connection is between the master that generated the prepare file and the 
host it was installed on.

rob

>
> Thank you for any help.
> Best regards,
> James Harrison
>
> 
> *From:* Martin Babinsky 
> *To:* freeipa-users@redhat.com
> *Sent:* Wednesday, 19 October 2016, 11:01
> *Subject:* Re: [Freeipa-users] Promote CA-less replica
>
> On 10/19/2016 11:35 AM, James Harrison wrote:
>
> Hi James,
>
>  > Hi,
>  > Were using FreeIPA on Ubuntu Xenial. We lost the Master server.
>  >
>  > I have some questions:
>  > 1. Does DNS replicate among other replicas if we change/add DNS records?
>  > If not can this behaviour be changed?
> IPA-integrated DNS stores records in the replicated LDAP subtree so any
> added/removed DNS record will replicate to other IPA DNS servers.
>
>  > 2. How do we promote a replica to become a master? We have not
>  > configured our servers to become a CA. Our CA is Comodo and we have
>  > configured FreeIPA to use a certificate, key and interim certificates
>  > from Comodo. using the options:
>  >
>  > --http_pkcs12=
>  > --http_pin=
>  > --dirsrv_pkcs12=...
>  > --dirsrv_pin=
>  >
>  > Hope someone can help. Quite urgent.
>  >
> The terms FreeIPA master/replica are quite arbitrary as all replicas are
> equal peers and can be considered masters. The only notion of 'master'
> is when you use a Dogtag CA (then one of the CA replicas is designated a
> renewal master and does renew certificates in the topology and one is
> CRL master generating certificate revocation lists) and/or DNSSec (then
> one of the DNS replicas is designated a key master generating zone signing
> keys and other DNS replicas pull these keys).
>
> As you are using CA-less replicas then there should be no loss in the
> fact that the one designated 'master' is down (unless it was e.g. the
> only DNS server). As long as the others have valid CA and server certs
> they should be working just fine.
>
>
>
> You can just install a new replica in place of the master by generating
> replica file on another replica and supplying the required certificates
> through options.
>
>
>  > Regards,
>  > James Harrison
>
> --
> Martin^3 Babinsky

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-20 Thread Robert Sturrock
> On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> […]
> > However, when I try logging in as a student domain user 
> > (student.example.au),
> > I don't see any of the groups (there should be 8):
> > 
> > $ ssh -l rnst@student.example.au ipa-client-rh7.ipa.example.au
> > [rnst@ipa-client-rh7 ~]$ groups
> > rnst
> > 
> > Is this expected behaviour?  Is there a possible client configuration that
> > will support our AD forest setup or is this simply not possible?
> 
> What you did is quite correct, but unfortunately works only with
> RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.

I tried the same configuration on FC24, which has sssd-1.14.1-3, but it didn’t 
work for the student domain either:

$ ssh -l r...@student.example.au ipa-client-fc24.ipa.example.au
-sh-4.3$ groups
rnst

Is the version shipping with RHEL7.3 likely to be different?

Regards,

Robert.


Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Thanks for the clarification. Regards

2016-10-20 14:23 GMT-04:00 Alexander Bokovoy :

> On to, 20 loka 2016, Carlos Raúl Laguna wrote:
>
>> Hi Alexander,
>> I do believe it is a DNS problem; the commands failing are
>>
>> host -t srv _ldap._tcp.ad_domain
>> or
>> dig SRV _ldap._tcp.ad_domain
>> after checking the logs I see this error
>> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>>
>> so I disabled the DNSSEC validation on IPA and it works as expected; I will
>> set up DNSSEC on the Windows side and enable DNS validation once more on
>> IPA to see if I can get the same outcome.
>>
> When you use DNSSEC validation, your DNS infrastructure should all be
> using DNSSEC. This does not depend on whether you are deploying trust to
> AD or not.
>
> In fact, when installing FreeIPA server, you have option to disable
> DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
> option exists in ipa-dns-install.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Alexander Bokovoy

On to, 20 loka 2016, Carlos Raúl Laguna wrote:

> Hi Alexander,
> I do believe it is a DNS problem; the commands failing are
>
> host -t srv _ldap._tcp.ad_domain
> or
> dig SRV _ldap._tcp.ad_domain
> after checking the logs I see this error
> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>
> so I disabled the DNSSEC validation on IPA and it works as expected; I will
> set up DNSSEC on the Windows side and enable DNS validation once more on IPA
> to see if I can get the same outcome.

When you use DNSSEC validation, your DNS infrastructure should all be
using DNSSEC. This does not depend on whether you are deploying trust to
AD or not.

In fact, when installing FreeIPA server, you have option to disable
DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
option exists in ipa-dns-install.

--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Hi Alexander,
I do believe it is a DNS problem; the commands failing are

host -t srv _ldap._tcp.ad_domain
or
dig SRV _ldap._tcp.ad_domain
after checking the logs I see this error
"no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"

so I disabled the DNSSEC validation on IPA and it works as expected; I will
set up DNSSEC on the Windows side and enable DNS validation once more on IPA
to see if I can get the same outcome.

Thanks for your answer


2016-10-20 10:10 GMT-04:00 Alexander Bokovoy :

> On to, 20 loka 2016, Carlos Raúl Laguna wrote:
>
>> Hello everyone,
>>
>> Both servers are fresh installs, 2008r2 and Fedora 24 server with FreeIPA 4.3.2, as the
>> documentation explains in
>> http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA
>>
>> however the server is unable to resolve any record from my child domain. I
>> found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not sure if
>> this version of IPA is affected by it.
>>
>> Is the procedure in the documentation still valid?
>>
> Given that you have literally provided no logs that would help us to help
> you, let's start from there.
>
> Show what your problem is through the logs. What exact commands are
> failing? If you suspect DNS issues, show your named-pkcs11's logs.
>
> --
> / Alexander Bokovoy
>
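The diagnosis in this thread (the SRV lookup fails, named logs "no valid DS", and the failure disappears when DNSSEC validation is switched off) can be confirmed from the client side with two dig queries: a normal one and one with checking disabled (+cd). This is an added example, not code from the thread; the SRV name and resolver address are placeholders, and the dig header lines in the block are constructed so the classifier can be exercised offline.

```shell
#!/bin/sh
# Tell a DNSSEC validation failure apart from a plain resolution failure for
# the SRV lookup used in the thread. A validating resolver answers SERVFAIL
# when it cannot validate the zone; the same query with checking disabled
# (dig +cd) still gets an answer. If both queries fail, DNSSEC is not the cause.

# rcode: extract the status (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig output on stdin.
rcode() {
    sed -n 's/.*HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify: $1 = rcode of the normal query, $2 = rcode of the +cd query.
classify() {
    if [ "$1" = "NOERROR" ]; then
        echo ok
    elif [ "$1" = "SERVFAIL" ] && [ "$2" = "NOERROR" ]; then
        echo dnssec-validation-failure
    else
        echo resolution-failure
    fi
}

# check_srv: run both queries against a resolver (assumes dig is installed).
# $1 = SRV name, e.g. _ldap._tcp.ad_domain; $2 = resolver, default the local IPA named.
check_srv() {
    normal=$(dig @"${2:-127.0.0.1}" SRV "$1" | rcode)
    cdstat=$(dig @"${2:-127.0.0.1}" +cd SRV "$1" | rcode)
    classify "$normal" "$cdstat"
}

# Constructed dig header lines (not captured from the thread's servers) so the
# classifier can be exercised without network access.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243'

# demo: classify the constructed pair; returns "dnssec-validation-failure".
demo() {
    classify "$(printf '%s\n' "$SAMPLE_SERVFAIL" | rcode)" \
             "$(printf '%s\n' "$SAMPLE_NOERROR" | rcode)"
}
```

If the result is dnssec-validation-failure, the choices Alexander describes apply: make the AD side of the DNS infrastructure DNSSEC-capable, or disable validation on the IPA resolver, keeping in mind that --no-dnssec-validation removes validation for every zone the resolver serves, not only the AD one.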

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-20 Thread Florence Blanc-Renaud

On 10/19/2016 08:18 PM, Bertrand Rétif wrote:

From: "Bertrand Rétif"
To: freeipa-users@redhat.com
Sent: Wednesday 19 October 2016 15:42:07
Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

From: "Rob Crittenden"
To: "Bertrand Rétif", freeipa-users@redhat.com
Sent: Wednesday 19 October 2016 15:30:14
Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

Bertrand Rétif wrote:
>> From: "Martin Babinsky"
>> To: freeipa-users@redhat.com
>> Sent: Wednesday 19 October 2016 08:45:49
>> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
>
>> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
>>> Hello,
>>>
>>> I had an issue with pki-tomcat.
>>> I had several certificates that were expired and pki-tomcat did not start
>>> anymore.
>>>
>>> I set the date on the server before certificate expiration and then
>>> pki-tomcat starts properly.
>>> Then I try to resubmit the certificate, but I get below error:
>>> "Profile caServerCert Not Found"
>>>
>>> Do you have any idea how I could fix this issue.
>>>
>>> Please find below output of commands:
>>>
>>>
>>> # getcert resubmit -i 20160108170324
>>>
>>> # getcert list -i 20160108170324
>>> Number of certificates and requests being tracked: 7.
>>> Request ID '20160108170324':
>>> status: MONITORING
>>> ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
>>> subject: CN=IPA RA,O=A.SKINFRA.EU
>>> expires: 2016-06-28 15:25:11 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>>
>>>
>>> Thanks in advance for your help.
>>> Bertrand
>>>
>>>
>>>
>>>
>
>> Hi Bertrand,
>
>> what version of FreeIPA and Dogtag are you running?
>
>> Also perform the following search on the IPA master and post the result:
>
>> """
>> ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
>> """
>
> Hi Martin,
>
> Thanks for your reply.
>
> Here is version:
> - FreeIPA 4.2.0
> - Centos 7.2
>
> I have been able to fix the issue with "Profile caServerCert Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> I replaced the entry
> "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> by
> "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
>
> and then launched the "ipa-server-upgrade" command.
> I found this solution in this post:
> http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
>
> Then I was able to renew my certificate.
>
> However I rebooted my server too and pki-tomcat does not start and shows a new error in /var/log/pki/pki-tomcat/ca/debug
>
> [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
>
> java.lang.Exception: SystemCertsVerification: system certs verification failure
> at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
> at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem

Re: [Freeipa-users] Getting Minimum SSF not met.

2016-10-20 Thread Guillermo Fuentes
Hi Deepak,
What you did was disable insecure connections to the directory service.

As such, use LDAPS to connect and enable insecure connections again:

ldapmodify -D "cn=directory manager" -W -H ldaps://`hostname`

dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: 0


If the directory service is stopped, you can edit the attribute
in /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif and start the service.

Hope it helps,
Guillermo




On Thu, Oct 20, 2016 at 8:03 AM, Deepak Dimri wrote:

> Hi All,
>
>
> I wanted to enable secure LDAP connection on freeIPA but alas after
> changing cn=config
>
> nsslapd-minssf from 0 to 128 I am getting the below error:
>
>
> ipactl restart
>
> Failed to read data from Directory Service: Unknown error when retrieving
> list of services from LDAP: Server is unwilling to perform: Minimum SSF not
> met.
>
> Shutting down
>
>
> When trying to put back the original nsslapd-minssf to "0" I am getting the below
> error:
>
> modifying entry "cn=config"
>
> ldap_modify: Server is unwilling to perform (53)
>
> additional info: Minimum SSF not met.
>
>
> I tried below configuration but still getting unwilling to perform (53)
> Minimum SSF not met Error.
>
>
> dn: cn=config
>
> changetype: modify
>
> replace: nsslapd-minssf
>
> nsslapd-minssf: 10
>
> -
>
> replace: nsslapd-allow-anonymous-access
>
> nsslapd-allow-anonymous-access: on
>
> -
>
> replace: nsslapd-minssf-exclude-rootdse
>
> nsslapd-minssf-exclude-rootdse: off
>
>
> I am following the steps mentioned here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/SecureConnections.html
>
> How can I get LDAPS working on my FreeIPA?
>
>
> Many Thanks,
>
> Deepak
>
>
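The two recovery routes in the answer above, over LDAPS and by editing dse.ldif with the instance stopped, as an added example that is not code from the thread. It assumes ldapmodify and the hostname of the master for the online route; the instance directory slapd-EXAMPLE-COM is the thread's placeholder, and the dse.ldif contents used for checking are constructed.

```shell
#!/bin/sh
# Recover from nsslapd-minssf: 128 as the answer above describes: either
# apply the LDIF over LDAPS (the only connection the server still accepts),
# or edit dse.ldif while the instance is stopped.

# minssf_ldif: print the LDIF that sets nsslapd-minssf to $1.
minssf_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-minssf\nnsslapd-minssf: %s\n' "$1"
}

# online_reset: apply the LDIF over LDAPS as Directory Manager (prompts for the password).
online_reset() {
    minssf_ldif "$1" | ldapmodify -D "cn=directory manager" -W -H "ldaps://$(hostname)"
}

# current_minssf: value of nsslapd-minssf in a dse.ldif ($1); 0 when unset,
# which is also the server default.
current_minssf() {
    v=$(sed -n 's/^nsslapd-minssf: *//p' "$1" | head -n 1)
    echo "${v:-0}"
}

# offline_reset: set nsslapd-minssf to $2 in dse.ldif $1 with the instance
# stopped. Replaces the existing attribute or adds it under dn: cn=config and
# leaves a copy of the original at $1.bak. The pattern ends in ':' so the
# related nsslapd-minssf-exclude-rootdse attribute is left alone.
offline_reset() {
    file="$1"; value="$2"
    cp "$file" "$file.bak"
    if grep -q '^nsslapd-minssf:' "$file.bak"; then
        awk -v v="$value" \
            '/^nsslapd-minssf:/ { print "nsslapd-minssf: " v; next } { print }' \
            "$file.bak" > "$file"
    else
        awk -v v="$value" \
            '{ print } /^dn: cn=config$/ { print "nsslapd-minssf: " v }' \
            "$file.bak" > "$file"
    fi
}

# Typical offline use (instance name from the thread; ipactl stops the
# directory server together with the other IPA services):
#   ipactl stop
#   offline_reset /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif 0
#   ipactl start
```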

[Freeipa-users] Replication error acquiring replica: unknown error

2016-10-20 Thread Harald Dunkel
Hi folks,

My second master shows me that it would push local changes
to ipa1, but it doesn't:

[root@ipa2 ipa]# ipa-replica-manage list
ipa3.aixigo.de: master
ipa4.aixigo.de: master
ipa1.aixigo.de: master
ipa2.aixigo.de: master
[root@ipa2 ~]# ipa-replica-manage list `hostname`
ipa1.aixigo.de: replica
[root@ipa2 ~]# ipa-replica-manage list -v `hostname`
ipa1.aixigo.de: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 205 Replication error acquiring replica: unknown error - 
Incremental update connection error.  Backing off, will retry update later.
  last update ended: 1970-01-01 00:00:00+00:00


The other ipa servers don't show an "unknown error". The log
file doesn't tell, either, so I wonder what this problem is?
FreeIPA is version 4.2.0-15.0.1 on Centos 7.2.


Every helpful comment is highly appreciated
Harri



Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Alexander Bokovoy

On to, 20 loka 2016, Carlos Raúl Laguna wrote:

> Hello everyone,
>
> Both servers are fresh installs, 2008r2 and Fedora 24 server with FreeIPA 4.3.2, as the
> documentation explains in
> http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA
>
> however the server is unable to resolve any record from my child domain. I
> found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not sure if this
> version of IPA is affected by it.
>
> Is the procedure in the documentation still valid?

Given that you have literally provided no logs that would help us to help
you, let's start from there.

Show what your problem is through the logs. What exact commands are
failing? If you suspect DNS issues, show your named-pkcs11's logs.

--
/ Alexander Bokovoy



[Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Hello everyone,

Both servers are fresh installs, 2008r2 and Fedora 24 server with FreeIPA 4.3.2, as the
documentation explains in
http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA

however the server is unable to resolve any record from my child domain. I
found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not sure if this
version of IPA is affected by it.

Is the procedure in the documentation still valid?

Thanks in advance.

[Freeipa-users] FreeIPA JSON API does not work behind Load Balancer because Services4User

2016-10-20 Thread Klíma David
Hi all, I need advice or help with freeIPA implementation behind F5 bigip 
loadbalancer. My goal is to have all freeIPA services (including json/xml API) 
behind loadbalancer for freeIPA clients.

>> Because RHEL support says me IPA behind loadbalancer is not supported I was 
>> coming out of these articles (I recommend you read and I thank the people 
>> who wrote them):

https://www.redhat.com/archives/freeipa-users/2015-March/msg00965.html
http://directory.fedoraproject.org/docs/389ds/howto/howto-loadbalance-gssapi.html
https://ssimo.org/blog/id_019.html
https://access.redhat.com/solutions/547723
http://firstyear.id.au/blog/html/2015/12/11/Load_balanced_389_instance_with_freeipa_kerberos_domain..html
http://www.freeipa.org/page/V4/Keytab_Retrieval#Use_Case:_A_load_balancing_cluster_of_HTTP_server_that_allow_GSSAPI.2FKrb5_negotiation_.28TBD.29
https://www.freeipa.org/page/V4/Service_Constraint_Delegation
http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy

>> Now I have one pool with one freeIPA node (for easy debugging):
hostname: ipa-01.internal.services

>> And VIP hostname for clients:
hostname: hub.internal.services

                        hub.internal.services
                        +--------------+
                        |              |
+----------+    TLS     | Loadbalancer |    TLS     ipa-01.internal.services
|  Client  +----------->+              +----------->+--------------+
+----------+            |              |            | freeIPA node |
                        +--------------+            +--------------+


>> After ipa-server-install, first I created a fake host to which I assign
>> services. This is the fake host for the load balancer:

ipa host-add hub.internal.services --force --random
ipa host-allow-retrieve-keytab hub.internal.services --users=admin
ipa-getkeytab -s ipa-01.internal.services -p host/hub.internal.services -k /etc/krb5.keytab \
    -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1,arcfour-hmac,camellia128-cts-cmac,camellia256-cts-cmac

>> Second I created LDAP service - because I need keytab for 
>> ldap/hub.internal.services (after retrieved merged into 
>> /etc/dirsrv/ds.keytab):

ipa service-add --force ldap/hub.internal.services
ipa service-add-host ldap/hub.internal.services --hosts=ipa-01.internal.services
ipa service-allow-retrieve-keytab ldap/hub.internal.services --users=admin
ipa-getkeytab -s ipa-01.internal.services -p ldap/hub.internal.services -k /etc/dirsrv/ds.keytab \
    -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1,arcfour-hmac,camellia128-cts-cmac,camellia256-cts-cmac
chown dirsrv:dirsrv /etc/dirsrv/ds.keytab

>> Next I created HTTP service - I need keytab for HTTP/hub.internal.services 
>> (after retrieved merged into /etc/httpd/conf/ipa.keytab):

ipa service-add --force HTTP/hub.internal.services
ipa service-add-host HTTP/hub.internal.services --hosts={ipa-01.internal.services,ipa-02.internal.services,ipa-03.internal.services}
ipa service-allow-retrieve-keytab HTTP/hub.internal.services --users=admin
ipa-getkeytab -s ipa-01.internal.services -p HTTP/hub.internal.services -k /etc/httpd/conf/ipa.keytab \
    -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1,arcfour-hmac,camellia128-cts-cmac,camellia256-cts-cmac
chown apache:apache /etc/httpd/conf/ipa.keytab

>> Check keytabs:

klist -Kket /etc/krb5.keytab
klist -Kket /etc/dirsrv/ds.keytab
klist -Kket /etc/httpd/conf/ipa.keytab

All keytabs look like this:
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp          Principal
---- ------------------ ------------------------------------------------------
   3 13.5.2016 22:05:14 ldap/ipa-01.internal.services@INTERNAL.SERVICES (aes256-cts-hmac-sha1-96) (0x0b8140ce7a7a521cbacecda8902e7c7a6b61fd21758997fb2f2721d9f2d3c8e5)
   3 13.5.2016 22:05:14 ldap/ipa-01.internal.services@INTERNAL.SERVICES (aes128-cts-hmac-sha1-96) (0x4247b97e7b2b62a49094105b86740537)
   3 13.5.2016 22:05:14 ldap/ipa-01.internal.services@INTERNAL.SERVICES (des3-cbc-sha1) (0x67851f1a16f8df45b30b1a89fe677ad03eaeae6ba2940e4a)
   3 13.5.2016 22:05:14 ldap/ipa-01.internal.services@INTERNAL.SERVICES (arcfour-hmac) (0xed6d8caba385fdd8b5775e2f17303fb6)
   1 13.5.2016 23:00:43 ldap/hub.internal.services@INTERNAL.SERVICES (aes256-cts-hmac-sha1-96) (0x439341b1848dc91f02f6b38f2e04446e9f7f8547d8251a708dce99d1526e961a)
   1 13.5.2016 23:00:43 ldap/hub.internal.services@INTERNAL.SERVICES (aes128-cts-hmac-sha1-96) (0x11e1c820db6b49bb9290c0c9e2888914)
   1 13.5.2016 23:00:43 ldap/hub.internal.services@INTERNAL.SERVICES (des3-cbc-sha1) (0xbad3cb89fbf132abbcad29bcfd79fb4532cedfe90bf1078f)
   1 13.5.2016 23:00:43 ldap/h
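A check for the "Check keytabs" step above, added here and not part of the post: it confirms that a keytab holds the service principal under both the node's own name and the hub name, for every enctype that was requested. MIT Kerberos's klist is assumed, and the klist sample embedded in the block is constructed (it is not the listing from the post).

```shell
#!/bin/sh
# Verify that a keytab carries the service principal under both the node's
# own name and the VIP (hub) name, for every enctype requested with
# ipa-getkeytab -e. Works on `klist -ket` output (and on -Kket output, where
# the trailing key column is simply ignored).

# keytab_entries: turn klist output on stdin into "principal enctype" lines.
# Entry lines start with a numeric KVNO; field 4 is the principal and field 5
# the parenthesised enctype.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { e = $5; gsub(/[()]/, "", e); print $4, e }'
}

# missing_entries: $1 service (host, ldap, HTTP), $2 VIP name, $3 node name,
# $4 realm, $5 comma-separated enctypes. Reads klist output on stdin, prints
# each required principal/enctype that is absent and returns 1 if any is missing.
missing_entries() {
    svc="$1"; vip="$2"; node="$3"; realm="$4"; etypes="$5"
    have=$(keytab_entries)
    rc=0
    for name in "$vip" "$node"; do
        for et in $(printf '%s' "$etypes" | tr ',' ' '); do
            printf '%s\n' "$have" | grep -qxF "$svc/$name@$realm $et" || {
                echo "missing: $svc/$name@$realm ($et)"; rc=1; }
        done
    done
    return $rc
}

# check_keytab: $1 keytab file, remaining arguments as for missing_entries.
check_keytab() {
    file="$1"; shift
    klist -ket "$file" | missing_entries "$@"
}

# Constructed klist output (placeholder keys, not the post's): the hub
# principal lacks the aes128 entry, so the check reports exactly that.
SAMPLE_KLIST='Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp          Principal
---- ------------------ ----------------------------------------------------
   3 13.5.2016 22:05:14 ldap/ipa-01.internal.services@INTERNAL.SERVICES (aes256-cts-hmac-sha1-96) (0x00)
   3 13.5.2016 22:05:14 ldap/ipa-01.internal.services@INTERNAL.SERVICES (aes128-cts-hmac-sha1-96) (0x00)
   1 13.5.2016 23:00:43 ldap/hub.internal.services@INTERNAL.SERVICES (aes256-cts-hmac-sha1-96) (0x00)'

# Typical use on the node from the post:
#   check_keytab /etc/dirsrv/ds.keytab ldap hub.internal.services \
#       ipa-01.internal.services INTERNAL.SERVICES aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
```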

[Freeipa-users] Getting Minimum SSF not met.

2016-10-20 Thread Deepak Dimri
Hi All,


I wanted to enable secure LDAP connection on freeIPA but alas after changing
cn=config nsslapd-minssf from 0 to 128 I am getting the below error:


ipactl restart

Failed to read data from Directory Service: Unknown error when retrieving list 
of services from LDAP: Server is unwilling to perform: Minimum SSF not met.

Shutting down


When trying to put back the original nsslapd-minssf to "0" I am getting the below
error:

modifying entry "cn=config"

ldap_modify: Server is unwilling to perform (53)

additional info: Minimum SSF not met.


I tried below configuration but still getting unwilling to perform (53) Minimum 
SSF not met Error.


dn: cn=config

changetype: modify

replace: nsslapd-minssf

nsslapd-minssf: 10

-

replace: nsslapd-allow-anonymous-access

nsslapd-allow-anonymous-access: on

-

replace: nsslapd-minssf-exclude-rootdse

nsslapd-minssf-exclude-rootdse: off


I am following the steps mentioned here:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/SecureConnections.html

How can I get LDAPS working on my FreeIPA?


Many Thanks,

Deepak

[Freeipa-users] Setting "preserve" as default action when deleting in webUI

2016-10-20 Thread Sébastien Julliot
Hi everyone,

In order to prevent administrators from making mistakes that could have
silly consequences, I would like to set "preserve" as the default selected
action in freeipa's webui.

What do you think would be the best way to achieve this?

Thank you in advance,

Sebastien Julliot.





Re: [Freeipa-users] replica DS failure deadlock

2016-10-20 Thread Ludwig Krispenz


On 10/19/2016 06:28 PM, Andrew E. Bruno wrote:

On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote:

On 10/19/2016 05:02 PM, Ludwig Krispenz wrote:

On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:

On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:

On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:

We had one of our replicas fail today with the following errors:


[18/Oct/2016:13:40:47 -0400]
agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu"
(srv-m14-32:389) - Can't locate CSN 58065ef300010003 in
the changelog (DB rc=-30988). If replication stops, the
consumer may need to be reinitialized.
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin -
changelog program - _cl5WriteOperationTxn: retry (49) the
transaction (csn=58065f7400050004) failed (rc=-30993
(BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a
deadlock))
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin -
changelog program - _cl5WriteOperationTxn: failed to write
entry with csn (58065f7400050004); db error - -30993
BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a
deadlock
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin -
write_changelog_and_ruv: can't add a change for
uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu
(uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to
changelog csn 58065f7400050004
[18/Oct/2016:13:43:07 -0400] -
SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but
did not set SLAPI_RESULT_CODE
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin -
process_postop: Failed to apply update
(58065f7400050004) error (1).  Aborting replication
session(conn=1314106 op=1688559)
[18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify:
modified entry is NULL--updating cache just in case
[18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition
cn=Password
Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS
Templates found, which should be added before the CoS
Definition.
[18/Oct/2016:13:43:20 -0400] - Operation error fetching Null
DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
[18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get
id for changenumber=30856302,cn=changelog from entryrdn
index (-30993)
[18/Oct/2016:13:43:20 -0400] - Operation error fetching
changenumber=30856302,cn=changelog (null), error -30993.
[18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an
error occured while adding change number 30856302, dn =
changenumber=30856302,cn=changelog: Operations error.
[18/Oct/2016:13:43:20 -0400] retrocl-plugin -
retrocl_postob: operation failure [1]
[18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin -
process_postop: Failed to apply update
(58065f9f0060) error (1).  Aborting replication
session(conn=1901274 op=5)
[18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry
BAD 1601, err=0 BDB0062 Successful return: 0
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin -
changelog program - _cl5WriteOperationTxn: retry (49) the
transaction (csn=58065f7c000a0004) failed (rc=-30993
(BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a
deadlock))
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin -
changelog program - _cl5WriteOperationTxn: failed to write
entry with csn (58065f7c000a0004); db error - -30993
BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a
deadlock
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin -
write_changelog_and_ruv: can't add a change for
uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu
(uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to
changelog csn 58065f7c000a0004


ns-slapd was hung so we restarted and now it's stuck and
won't come back up. It
hangs up here:

[18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition
cn=Password
Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS
Templates found, which should be added before the CoS
Definition.
[18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin -
changelog program - _cl5NewDBFile: PR_DeleteSemaphore: 
/var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema;
NSPR error - -5943
[18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin -
changelog program - _cl5NewDBFile: PR_DeleteSemaphore: 
/var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema;
NSPR error - -5943


Tried deleting the semaphore files and restarting but no luck. Attached
is a stacktrace of the stuck ns-slapd process.

Here are the versions we're running:

ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
389-ds-base-1.3.4.0-33.el7_2.x86_64

FWIW, we were experimenting with the new life-cycle
management features,
specifically "preserved" users and deleted the user
"janedoe" when this
happened.  From the errors above looks like this host failed to
replicate the change?  Not sure if this is related or not.

Is it possible to recover the database? Thanks in advance
for any pointers.

from the stack trace the process is not hanging, it is trying to
recover.
After a crash/kill  the changelog does n

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-20 Thread Jakub Hrozek
On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> Hello,
> 
> We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with
> our University organisational AD.  The AD forest contains *two*
> domains:
> 
>   EXAMPLE.AU (staff users)
>   STUDENT.EXAMPLE.AU (student users)
> 
> The IPA domain that trusts these is called:
> 
>   IPA.EXAMPLE.AU
> 
> The basic configuration as described above works ok - we can login to
> IPA client hosts with user principals from either of the AD domains
> and we see correct group membership.
> 
> However, I would like to tune this configuration to drop the domain
> component of the user and group names.  I tried to do this by adding
> these settings to the [sssd] section in sssd.conf on the client:
> 
> default_domain_suffix = example.au
> full_name_format = %1$s
> 
> With this configuration, I can login as a staff domain user (example.au)
> successfully and I then see the short-name form of the groups:
> 
> $ ssh -l r...@example.au ipa-client-rh7.ipa.example.au
> [rns@ipa-client-rh7 ~]$ groups
> rns domain users d-750g 511all [..etc..]
> 
> However, when I try logging in as a student domain user (student.example.au),
> I don't see any of the groups (there should be 8):
> 
> $ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
> [rnst@ipa-client-rh7 ~]$ groups
> rnst
> 
> Is this expected behaviour?  Is there a possible client configuration that
> will support our AD forest setup or is this simply not possible?

What you did is quite correct, but unfortunately works only with
RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
