Re: [Freeipa-users] attrlist_replace - attr_replace : failed

2016-11-08 Thread Petr Spacek
On 8.11.2016 15:19, lejeczek wrote:
> hi everyone
> 
> I have three servers which seemingly(!?) work but all three log:
> 
> attrlist_replace - attr_replace (nsslapd-referral, ldap://swir.xx.xx
> 
> and swir.xx.xx is the server which ipa-replica-prepared and on it I see:
> 
> attrlist_replace - attr_replace (nsslapd-referral, ldap://whale.xx.xx
> ...
> Error: could not bind id [cn=Replication Manager
> masterAgreement1-swir.xx.xx-pki-tomcat,ou=csusers,cn=config] authentication
> mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
> 
> where is it going wrong?

You redacted too much of the log but from what I can see, I guess that it is 
this:

http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA + DHCP-LDAP - Fedora 24 - broken

2016-11-08 Thread Petr Spacek
On 7.11.2016 17:45, Raul Dias wrote:
> You are right,
> 
> This might be more a Fedora issue than FreeIPA. I am hoping that someone else
> is also using DHCP with LDAP (especially with FreeIPA).
> 
> I am using the IPA-dhcp plugin: https://github.com/jefferyharrell/IPA-dhcp
> 
> ldapsearch -x shows the entries are fine in the LDAP.
> 
> Stracing dhcpd shows that it is not making any connection to the LDAP, while
> it shows an error message.
> 
> On Fedora 24 (updated), I am using dhcp-server-4.3.4.fc24
> 
> /etc/dhcp/dhcpd.conf:
> ldap-server "10.101.1.1"; #or localhost, or any interface ip or ns name
> ldap-port 389;
> ldap-base-dn "cn=dhcp,dc=dias,dc=com,dc=br";
> ldap-method static;
> ldap-debug-file "/var/log/dhcp-ldap-startup.log";
> 
> The STDERR output acts as if it were talking to the LDAP server:
> 
> Cannot find host LDAP entry server.dias.com.br
> (&(objectClass=dhcpServer)(cn=server.dias.com.br))
> 
> As the output of ldapsearch, the entry is there:
> # server.dias.com.br, dhcp, dias.com.br
> dn: cn=server.dias.com.br,cn=dhcp,dc=dias,dc=com,dc=br
> objectClass: dhcpserver
> objectClass: top
> dhcpServiceDN: cn=dhcp,dc=dias,dc=com,dc=br
> cn: server.dias.com.br
> dhcpStatements: authoritative
> 
> Using the same config on an Ubuntu host, it works fine, which makes me wonder
> whether dhcpd in Fedora 24 works at all with LDAP.

Do you mean that dhcpd on Ubuntu is configured against the very same FreeIPA
server?

Are you sure that dhcpd is using the same credentials to BIND to LDAP? There
might be an access control issue if different hosts use different credentials
or so. It would help if you described how you bound to LDAP using ldapsearch.

Petr^2 Spacek

> 
> Or maybe this is a reflection of some FreeIPA server way of life
> configuration, like sssd.
> 
> -rsd
> 
> 
> On 07/11/2016 05:10, Petr Spacek wrote:
>> On 6.11.2016 06:06, Raul Dias wrote:
>>> Hello,
>>>
>>> It seems that DHCP with LDAP on Fedora 24 (FreeIPA) is broken.
>>>
>>> Can anyone confirm?
>>>
>>> Doing an strace -e trace=network does not show any attempt to connect to the
>>> ldap server.
>>>
>>> OTOH, the same config on a Ubuntu 16.10 works fine.
>> Hello,
>>
>> AFAIK DHCP support was never part of official FreeIPA builds. What are you
>> trying to achieve and where did you get the builds?
>>
>> We need to know exact software versions and configuration. For further hints
>> how to report bugs please see
>> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
>>
> 


-- 
Petr^2 Spacek



Re: [Freeipa-users] Configuring httpd error when selinux ispermissive

2016-11-08 Thread 郑磊
Yes, the problem is solved after I added the httpd_run_ipa boolean to the 
selinux-policy on Ubuntu.

Thank you!





--
Wishing you:
Smooth work and a happy life!
--
Changsha R&D Center, 郑磊
Phone: 18684703229
Email: zheng...@kylinos.cn
Company: Tianjin Kylin Information Technology Co., Ltd.
Address: 14th floor, Gongmei Building, Sanyi Avenue, Kaifu District, Changsha, Hunan

-- Original --
From:  "Lukas Slebodnik";
Date:  Tue, Nov 8, 2016 09:53 PM
To:  "郑磊"; 
Cc:  "Umarzuki Mochlis"; 
"freeipa-users"; 
Subject:  Re: [Freeipa-users] Configuring httpd error when selinux ispermissive

 
On (08/11/16 16:57), 郑磊 wrote:
>Command returns the result:
>root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/setsebool -P 
>httpd_can_network_connect=on httpd_run_ipa=on httpd_manage_ipa=on
>Cannot set persistent booleans without managed policy.
>
>root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/getsebool httpd_run_ipa
>Error getting active value for httpd_run_ipa
>
Then it just means that the selinux-policy on Ubuntu does not contain
such a boolean.

You have a few options:
* create your own SELinux rules
* backport SELinux rules from upstream/fedora
* Use freeIPA with SELinux on different distribution.
* use freeIPA without SELinux on ubuntu (IIRC the default is Apparmor)

LS

Re: [Freeipa-users] Configuring httpd error when selinux ispermissive

2016-11-08 Thread 郑磊
I will try your solutions.

Thanks!





--
Wishing you:
Smooth work and a happy life!
--
Changsha R&D Center, 郑磊
Phone: 18684703229
Email: zheng...@kylinos.cn
Company: Tianjin Kylin Information Technology Co., Ltd.
Address: 14th floor, Gongmei Building, Sanyi Avenue, Kaifu District, Changsha, Hunan

-- Original --
From:  "Lukas Slebodnik";
Date:  Tue, Nov 8, 2016 09:53 PM
To:  "郑磊"; 
Cc:  "Umarzuki Mochlis"; 
"freeipa-users"; 
Subject:  Re: [Freeipa-users] Configuring httpd error when selinux ispermissive

 
On (08/11/16 16:57), 郑磊 wrote:
>Command returns the result:
>root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/setsebool -P 
>httpd_can_network_connect=on httpd_run_ipa=on httpd_manage_ipa=on
>Cannot set persistent booleans without managed policy.
>
>root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/getsebool httpd_run_ipa
>Error getting active value for httpd_run_ipa
>
Then it just means that the selinux-policy on Ubuntu does not contain
such a boolean.

You have a few options:
* create your own SELinux rules
* backport SELinux rules from upstream/fedora
* Use freeIPA with SELinux on different distribution.
* use freeIPA without SELinux on ubuntu (IIRC the default is Apparmor)

LS

Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

2016-11-08 Thread Alessandro De Maria
Thank you Rob and Martin,

the correct place on Ubuntu seems to be:
/etc/pki/nssdb/

This directory does not seem to be initialised by the *ipa-client-install*
tool.


Now my script still doesn't work, but offers brand new errors :)

Thank you

On 8 November 2016 at 14:55, Rob Crittenden  wrote:

> Alessandro De Maria wrote:
> > Hello Martin,
> >
> > still no luck unfortunately.
> >
> > The client is an ubuntu 14.04 server, and I believe it is enrolled
> already.
> >
> > The /etc/ipa/ca.pem is correct and already installed, and I even added
> > it to the /etc/ssl/certs directory (which is why my curl command in the
> > first email does not complain)
>
> The client normally uses /etc/ipa/nssdb for NSS. I'm not sure how this
> is handled on Ubuntu clients but you'll need to confirm that whatever
> Ubuntu uses exists and has the IPA CA certificate installed.
>
> rob
>
> >
> > Commands like /kinit/ work just fine, and I have never experienced a
> > problem which would make me doubt of the enrollment of this client.
> >
> >
> > I run the following commands:
> > # mkdir /etc/ipa/nssdb
> > # certutil -A -d /etc/ipa/nssdb -n 'PROD.X.COM
> >  IPA CA' -t CT,C,C -a < /etc/ipa/ca.crt
> > # chmod +r /etc/ipa/nssdb/*
> > # certutil -L -d /etc/ipa/nssdb
> >
> > Certificate Nickname Trust
> > Attributes
> >
> >  SSL,S/MIME,JAR/XPI
> >
> > PROD..COM  IPA CA
> > CT,C,C
> >
> > But I am still unable to run the script.
> > Is there anything else I need to do? Do I need to restart some
> > components? Any log I could look into?
> >
> > Thank you
> >
> >
> > On 8 November 2016 at 07:56, Martin Babinsky  > > wrote:
> >
> > On 11/07/2016 04:45 PM, Alessandro De Maria wrote:
> >
> > Hi Martin,
> >
> > I tried from the host I am executing the script from, and I get:
> > certutil -L -d /etc/httpd/alias/
> > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> > certificate/key database is in an old, unsupported format.
> >
> >
> > From the FreeIPA server, as I said previously, I get:
> >
> > certutil -L -d /etc/httpd/alias/
> >
> > Certificate Nickname
>  Trust
> > Attributes
> >
> >  SSL,S/MIME,JAR/XPI
> >
> > Signing-Cert
>  u,u,u
> > ipaCert
> u,u,u
> > Server-Cert
> u,u,u
> > PROD.X.COM 
> >  > > IPA CA
> >  CT,C,C
> >
> >
> > From the FreeIPA server, I seem to be able to run the script,
> so we are
> > definitely on the right track.
> > How do I get the /etc/httpd/alias/ in sync across these hosts?
> can I
> > copy it, or is there a way to regenerate it?
> >
> > Regards
> > Alessandro
> >
> > On 7 November 2016 at 15:36, Alessandro De Maria
> >  > 
> >  > >> wrote:
> >
> > Hi Martin, this is the output from the id1 host:
> >
> > certutil -L -d /etc/httpd/alias/
> >
> > Certificate Nickname
> >  Trust
> > Attributes
> >
> >  SSL,S/MIME,JAR/XPI
> >
> > Signing-Cert
> >  u,u,u
> > ipaCert
> > u,u,u
> > Server-Cert
> > u,u,u
> > PROD.X.COM 
> >  IPA CA
> >  CT,C,C
> >
> >
> > looks just like you suggested. Any other suggestion?
> >
> > On 7 November 2016 at 10:56, Martin Babinsky
> > mailto:mbabi...@redhat.com>
> > >>
> > wrote:
> >
> > On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
> >
> > Hello,
> >
> > I have a FreeIPA installation that is working very
> > nicely,
> > we already
> > have configured many hosts and so far we are quite
> happy
> > with it.
> >
> > I was trying to connect Ansible to fetch hosts from
> > FreeIPA
> > using the
> > freeipa.py script
> >
> > (https://github.com/ansible/ansible/blob/devel/contrib/
> inventory/freeipa.py
> >  inventory/freeipa.py>
> >
> >  inventory/freeipa.py
> >  inventory/freeipa.py>>)
> >
> >
> > U

Re: [Freeipa-users] SRV (mixed?) records

2016-11-08 Thread Martin Basti



On 08.11.2016 19:41, lejeczek wrote:

hi everyone
when I look at my domain I see something which seems inconsistent to 
me (eg. work5 is not part of the domain, was --uninstalled)

Do these records need fixing?
I'm asking because one of the servers, despite the fact the ipa dns 
related toolkit (on that server) shows zone & records, to dig/host/etc. 
presents nothing, empty responses!??


$ ipa dnsrecord-find xx.xx.xx.xx.x.
  Record name: @
  NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
 dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.

  Record name: _kerberos
  TXT record: .xx.xx..xx.xx.x

  Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: _kerberos._udp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _kerberos._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 
swir


  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 
swir


  Record name: _kpasswd._tcp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 
464 whale


  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 
389 rider


  Record name: _kerberos._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 
swir


  Record name: _kerberos-master._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 
swir


  Record name: _kpasswd._udp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 
464 whale


  Record name: _ntp._udp
  SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0 100 
123 swir


thanks.
L.




Hello,

if server work5 is uninstalled, then work5 SRV records should be removed.

Martin

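Martin's answer ("work5 SRV records should be removed") is the kind of check worth automating, because the `ipa dnsrecord-find` listing quoted above (and in the original post further down) is long enough that a stale target is easy to miss. The script below is an added example, not code from this thread or from the FreeIPA project: it parses the text that `ipa dnsrecord-find ZONE` prints, takes the zone's NS hosts as the reference set (the assumption this thread makes; pass the host list from `ipa-replica-manage list` instead when some masters do not run the DNS role), and reports every SRV target whose host is not in that set. The sample output is constructed and condensed from the listing in the thread.

```python
"""Flag SRV records that point at hosts no longer in the zone's server set.

Added example, not from the list thread or the FreeIPA project: it parses the
text that `ipa dnsrecord-find ZONE` prints and reports SRV targets whose host
is not one of the zone's NS hosts (the set this thread uses as the reference).
"""
import re
from typing import Dict, List, Optional, Set

NAME_RE = re.compile(r"^\s*Record name: (\S+)\s*$")
FIELD_RE = re.compile(r"^\s*(\S[^:]*?) record: (.*)$")

# Constructed sample, condensed from the listing in the thread: the NS set is
# swir/rider/dzien/whale, but the _msdcs SRV records still name work5.
SAMPLE_OUTPUT = """\
  Record name: @
  NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
 dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.

  Record name: _kerberos
  TXT record: .xx.xx..xx.xx.x

  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100
 389 rider
"""


def parse_dnsrecord_find(text: str) -> Dict[str, Dict[str, str]]:
    """Map record name -> {record type: value}; wrapped lines are re-joined."""
    records: Dict[str, Dict[str, str]] = {}
    name: Optional[str] = None
    field: Optional[str] = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            name, field = m.group(1), None
            records[name] = {}
            continue
        m = FIELD_RE.match(line)
        if m and name is not None:
            field = m.group(1)
            records[name][field] = m.group(2).strip()
            continue
        if line.strip() and name is not None and field is not None:
            records[name][field] += " " + line.strip()   # continuation line
    return records


def host_label(target: str) -> str:
    """First DNS label, so 'rider' and 'rider.xx.xx.xx.xx.x.' compare equal."""
    return target.strip().rstrip(".").split(".")[0].lower()


def ns_hosts(records: Dict[str, Dict[str, str]]) -> Set[str]:
    ns_value = records.get("@", {}).get("NS", "")
    return {host_label(t) for t in ns_value.split(",") if t.strip()}


def stale_srv_targets(records: Dict[str, Dict[str, str]],
                      known: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """SRV record name -> targets whose host is not in `known`.

    `known` defaults to the NS hosts of the zone; pass the host list from
    `ipa-replica-manage list` instead when some masters do not run DNS.
    """
    known = ns_hosts(records) if known is None else known
    stale: Dict[str, List[str]] = {}
    for name, fields in records.items():
        for rr in fields.get("SRV", "").split(","):
            parts = rr.split()            # priority weight port target
            if len(parts) == 4 and host_label(parts[3]) not in known:
                stale.setdefault(name, []).append(parts[3])
    return stale


if __name__ == "__main__":
    found = stale_srv_targets(parse_dnsrecord_find(SAMPLE_OUTPUT))
    for rname, targets in found.items():
        print(f"{rname}: stale target(s) {', '.join(targets)}")
```

Run it against the real listing by piping `ipa dnsrecord-find ZONE` into `parse_dnsrecord_find`; the records it names are the ones to clean up with `ipa dnsrecord-del`. The empty answers from dig/host that the original post also mentions are a separate problem (a resolver or zone-serving issue, not record content) and this check does not cover them.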


[Freeipa-users] SRV (mixed?) records

2016-11-08 Thread lejeczek

hi everyone
when I look at my domain I see something which seems 
inconsistent to me (eg. work5 is not part of the domain, was 
--uninstalled)

Do these records need fixing?
I'm asking because one of the servers, despite the fact the 
ipa dns related toolkit (on that server) shows zone & 
records, to dig/host/etc. presents nothing, empty responses!??


$ ipa dnsrecord-find xx.xx.xx.xx.x.
  Record name: @
  NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
 dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.

  Record name: _kerberos
  TXT record: .xx.xx..xx.xx.x

  Record name: 
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs

  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: 
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs

  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: 
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs

  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: _kerberos._udp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _kerberos._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 
rider, 0 100 88 swir


  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 
rider, 0 100 88 swir


  Record name: _kpasswd._tcp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 
dzien, 0 100 464 whale


  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 
whale, 0 100 389 rider


  Record name: _kerberos._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 
rider, 0 100 88 swir


  Record name: _kerberos-master._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 
rider, 0 100 88 swir


  Record name: _kpasswd._udp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 
dzien, 0 100 464 whale


  Record name: _ntp._udp
  SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 
whale, 0 100 123 swir


thanks.
L.



Re: [Freeipa-users] What is the use of /etc/krb5.conf?

2016-11-08 Thread Martin Babinsky

On 11/08/2016 05:13 PM, Ask Stack wrote:

I thought /etc/krb5.conf controls which kerberos server the clients talk
to.

As a test, I removed /etc/krb5.conf and rebooted the client. After
reboot, I can still log in and "kinit user" .
Removing /etc/krb5.keytab, however would stop user from logging in and
sssd to start.





/etc/krb5.conf configures the Kerberos client library: it tells the 
client which realm it should use, whether to use DNS discovery or a 
static list of KDCs, and the mapping between DNS domains and realms.


Read `man krb5.conf' for more info.

sssd stores plenty of information about the Kerberos realm in its own 
configuration (realm, DNS discovery etc.) so it can authenticate the 
user even without a valid krb5.conf (as you observed).


However, to pull in user info from the authoritative source (IPA LDAP), sssd 
authenticates against IPA as the host principal using /etc/krb5.keytab; 
that's why it stopped working and refused to start after you removed it.


--
Martin^3 Babinsky

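Martin's description of what krb5.conf does (realm selection, the domain-to-realm mapping, static KDC list versus DNS discovery) can be made concrete by walking the file the way the library does. The following is an added example, not code from this thread or from MIT Kerberos: a small parser for krb5.conf's section and brace syntax plus two lookups that follow the rules in krb5.conf(5), the `[domain_realm]` mapping (exact host first, then the longest parent domain written with a leading dot) and the choice between a static `kdc =` list and SRV discovery (`dns_lookup_kdc` defaults to true). The krb5.conf text is constructed for the example.

```python
"""Which realm and which KDC source a Kerberos client derives from krb5.conf.

Added example, not the thread's or MIT Kerberos's own code: a small parser for
krb5.conf's section/brace syntax plus the two lookups described in the thread,
the [domain_realm] mapping and the static-kdc-list-versus-DNS-discovery choice.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

Section = Dict[str, Any]

# Constructed krb5.conf: EXAMPLE.COM has a static KDC list, LAB.EXAMPLE.COM
# has none (so SRV discovery applies), and [domain_realm] maps both domains.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true

[realms]
  EXAMPLE.COM = {
    kdc = ipa1.example.com:88
    master_kdc = ipa1.example.com:88
    admin_server = ipa1.example.com:749
  }
  LAB.EXAMPLE.COM = {
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
  .lab.example.com = LAB.EXAMPLE.COM
"""


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    """Sections -> keys; repeated keys collect into a list, `key = {` nests."""
    conf: Dict[str, Section] = {}
    stack: List[Section] = []          # innermost open block last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"line outside any section: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if value == "{":
            block: Section = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf


def realm_for_host(conf: Dict[str, Section], hostname: str) -> Optional[str]:
    """[domain_realm] lookup: exact host first, then the longest parent domain
    written with a leading dot. None means no static mapping; the client then
    relies on dns_lookup_realm / KDC referrals instead."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent][0]
    return None


def kdcs_for_realm(conf: Dict[str, Section], realm: str) -> Tuple[str, List[str]]:
    """('static', kdc list) when [realms] lists kdc entries; ('dns', []) when the
    client would query _kerberos._udp/_tcp SRV records instead (dns_lookup_kdc
    defaults to true); ('none', []) if neither applies."""
    entry = conf.get("realms", {}).get(realm, {})
    kdcs = entry.get("kdc", []) if isinstance(entry, dict) else []
    if kdcs:
        return "static", list(kdcs)
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]
    if str(flag).lower() in ("true", "yes", "on", "1"):
        return "dns", []
    return "none", []


if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for host in ("web1.example.com", "node.lab.example.com", "box.other.org"):
        realm = realm_for_host(cfg, host)
        print(host, "->", realm, kdcs_for_realm(cfg, realm) if realm else "(no static mapping)")
```

Point it at a real file with `parse_krb5_conf(open("/etc/krb5.conf").read())`. The output for a host tells you which of the two things Martin lists the client would do for it, and a realm that comes back as `('dns', [])` is exactly the case in which deleting krb5.conf changes little for sssd, which carries its own copy of that information.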


[Freeipa-users] What is the use of /etc/krb5.conf?

2016-11-08 Thread Ask Stack
I thought /etc/krb5.conf controls which kerberos server the clients talk to. 

As a test, I removed /etc/krb5.conf and rebooted the client. After reboot, I 
can still log in and "kinit user" . 
Removing /etc/krb5.keytab, however would stop user from logging in and sssd to 
start. 


Re: [Freeipa-users] CSN not found

2016-11-08 Thread lejeczek



On 03/11/16 19:58, Mark Reynolds wrote:

dbscan -f /var/lib/dirsrv/slapd-INSTANCE/db/changelogdb

>results of above scan do not look like that CSN form reported in
>dirsrv's error log, it is:
>..
>=116156
>=116157
>=116158
>..

That doesn't look quite right. Just to confirm, you should be doing
something like

dbscan -f
/var/lib/dirsrv/slapd-master_1/db/changelogdb/fe665489-a13011e6-acbab8c1-43b12a38_581a3c410001.db
| grep 581b120f00050004
I don't see any xx.db in 
/var/lib/dirsrv/slapd-master_1/db/changelogdb

but there are these:

16c9da9e-a54611e6-80ab82b9-81e5c5a8_574596220060.db
16c9da9e-a54611e6-80ab82b9-81e5c5a8.sema
DBVERSION
e71ad28c-a54511e6-80ab82b9-81e5c5a8_574595c80004.db
e71ad28c-a54511e6-80ab82b9-81e5c5a8.sema

in /var/lib/dirsrv/slapd-master_1/cldb and if I scan those:

cldb]$ for _F in *.db; do dbscan -f "$_F" | grep 57480d6d0025; done


there is nothing (on the replica that complains but also 
nothing on all members)


cldb]$ ll ../db/changelog/
total 2260
-rw---. 1 dirsrv dirsrv   16384 Nov  8 00:02 aci.db
-rw---. 1 dirsrv dirsrv   40960 Nov  8 15:52 ancestorid.db
-rw---. 1 dirsrv dirsrv   40960 Nov  8 15:52 changenumber.db
-rw---. 1 dirsrv dirsrv   16384 Nov  8 00:02 cn.db
-rw---. 1 dirsrv dirsrv  51 Nov  8 00:02 DBVERSION
-rw---. 1 dirsrv dirsrv  303104 Nov  8 15:52 entryrdn.db
-rw---. 1 dirsrv dirsrv   40960 Nov  8 15:52 entryusn.db
-rw---. 1 dirsrv dirsrv 1523712 Nov  8 15:52 id2entry.db
-rw---. 1 dirsrv dirsrv   90112 Nov  8 15:52 nsuniqueid.db
-rw---. 1 dirsrv dirsrv   16384 Nov  8 15:52 
numsubordinates.db

-rw---. 1 dirsrv dirsrv   90112 Nov  8 15:52 objectclass.db
-rw---. 1 dirsrv dirsrv   40960 Nov  8 15:52 parentid.db
-rw---. 1 dirsrv dirsrv   16384 Nov  8 00:02 seeAlso.db
-rw---. 1 dirsrv dirsrv   65536 Nov  8 15:52 
targetuniqueid.db


it's centOS 7 with IPA 
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64



>>
>>What about the access logs?  Do you see the CSN there?

Did you check the DS access logs??




[Freeipa-users] Determine if hosts are still active.

2016-11-08 Thread McNiel, Craig
I'm running IPA 4.2 in SSO in a highly dynamic AWS EC2 environment.  Is
there a way to tell if a host that has joined the domain is still active
using an LDAP query so that I can determine hosts that have been torn down
and no longer exist and remove them from the directory?

I have looked at several different attributes in LDAP but, none of them
seem to provide any information on the last time the host authenticated or
communicated with an IPA master.

Thanks !

Craig

Re: [Freeipa-users] system to pick up pa user-mod --uid change - how long?

2016-11-08 Thread Brian Candler

On 08/11/2016 13:57, lejeczek wrote:
I've changed an uid of a.user but system: $ id a.user - still shows 
old id.
When is the system supposed to notice that change? 


You might want to force the cache to expire early. Try:

sss_cache -U

or

sss_cache -u 

(I'm afraid I don't know what the automatic expiry time is)



Re: [Freeipa-users] system to pick up pa user-mod --uid change - how long?

2016-11-08 Thread Martin Basti



On 08.11.2016 14:57, lejeczek wrote:

hello

I've changed an uid of a.user but system: $ id a.user - still shows 
old id.

When is the system supposed to notice that change?

thanks
L.



Hello,

you probably need to erase SSSD cache on client, sss_cache -E if I 
remember correctly


Martin



Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

2016-11-08 Thread Rob Crittenden
Alessandro De Maria wrote:
> Hello Martin,
> 
> still no luck unfortunately.
> 
> The client is an ubuntu 14.04 server, and I believe it is enrolled already.
> 
> The /etc/ipa/ca.pem is correct and already installed, and I even added
> it to the /etc/ssl/certs directory (which is why my curl command in the
> first email does not complain)

The client normally uses /etc/ipa/nssdb for NSS. I'm not sure how this
is handled on Ubuntu clients but you'll need to confirm that whatever
Ubuntu uses exists and has the IPA CA certificate installed.

rob

> 
> Commands like /kinit/ work just fine, and I have never experienced a
> problem which would make me doubt of the enrollment of this client.
> 
> 
> I run the following commands:
> # mkdir /etc/ipa/nssdb
> # certutil -A -d /etc/ipa/nssdb -n 'PROD.X.COM
>  IPA CA' -t CT,C,C -a < /etc/ipa/ca.crt
> # chmod +r /etc/ipa/nssdb/*
> # certutil -L -d /etc/ipa/nssdb
> 
> Certificate Nickname Trust
> Attributes
>
>  SSL,S/MIME,JAR/XPI
> 
> PROD..COM  IPA CA
> CT,C,C
> 
> But I am still unable to run the script.
> Is there anything else I need to do? Do I need to restart some
> components? Any log I could look into?
> 
> Thank you
> 
> 
> On 8 November 2016 at 07:56, Martin Babinsky  > wrote:
> 
> On 11/07/2016 04:45 PM, Alessandro De Maria wrote:
> 
> Hi Martin,
> 
> I tried from the host I am executing the script from, and I get:
> certutil -L -d /etc/httpd/alias/
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> certificate/key database is in an old, unsupported format.
> 
> 
> From the FreeIPA server, as I said previously, I get:
> 
> certutil -L -d /etc/httpd/alias/
> 
> Certificate Nickname Trust
> Attributes
> 
>  SSL,S/MIME,JAR/XPI
> 
> Signing-Cert u,u,u
> ipaCert  u,u,u
> Server-Cert  u,u,u
> PROD.X.COM 
>  > IPA CA
>  CT,C,C
> 
> 
> From the FreeIPA server, I seem to be able to run the script, so we 
> are
> definitely on the right track.
> How do I get the /etc/httpd/alias/ in sync across these hosts? can I
> copy it, or is there a way to regenerate it?
> 
> Regards
> Alessandro
> 
> On 7 November 2016 at 15:36, Alessandro De Maria
>  
>  >> wrote:
> 
> Hi Martin, this is the output from the id1 host:
> 
> certutil -L -d /etc/httpd/alias/
> 
> Certificate Nickname   
>  Trust
> Attributes
> 
>  SSL,S/MIME,JAR/XPI
> 
> Signing-Cert   
>  u,u,u
> ipaCert 
> u,u,u
> Server-Cert 
> u,u,u
> PROD.X.COM 
>  IPA CA
>  CT,C,C
> 
> 
> looks just like you suggested. Any other suggestion?
> 
> On 7 November 2016 at 10:56, Martin Babinsky
> mailto:mbabi...@redhat.com>
> >>
> wrote:
> 
> On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
> 
> Hello,
> 
> I have a FreeIPA installation that is working very
> nicely,
> we already
> have configured many hosts and so far we are quite happy
> with it.
> 
> I was trying to connect Ansible to fetch hosts from
> FreeIPA
> using the
> freeipa.py script
>
> 
> (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py
> 
> 
>
> 
>  
> >)
> 
> 
> Unfortunately when I run it, I get the following:
> 

[Freeipa-users] attrlist_replace - attr_replace : failed

2016-11-08 Thread lejeczek

hi everyone

I have three servers which seemingly(!?) work but all three log:

attrlist_replace - attr_replace (nsslapd-referral, 
ldap://swir.xx.xx


and swir.xx.xx is the server which ipa-replica-prepared and 
on it I see:


attrlist_replace - attr_replace (nsslapd-referral, 
ldap://whale.xx.xx

...
Error: could not bind id [cn=Replication Manager 
masterAgreement1-swir.xx.xx-pki-tomcat,ou=csusers,cn=config] 
authentication mechanism [SIMPLE]: error 32 (No such object) 
errno 0 (Success)


where is it going wrong?
many thanks
L.



Re: [Freeipa-users] Configuring httpd error when selinux is permissive

2016-11-08 Thread Lukas Slebodnik
On (08/11/16 16:57), 郑磊 wrote:
>Command returns the result:
>root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/setsebool -P 
>httpd_can_network_connect=on httpd_run_ipa=on httpd_manage_ipa=on
>Cannot set persistent booleans without managed policy.
>
>root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/getsebool httpd_run_ipa
>Error getting active value for httpd_run_ipa
>
Then it just means that the selinux-policy on Ubuntu does not contain
such a boolean.

You have a few options:
* create your own SELinux rules
* backport SELinux rules from upstream/fedora
* Use freeIPA with SELinux on different distribution.
* use freeIPA without SELinux on ubuntu (IIRC the default is Apparmor)

LS

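The `getsebool` failure quoted above ("Error getting active value for httpd_run_ipa") is the signal Lukas reads: the boolean is not merely off, it is absent from the loaded policy, and no `setsebool` call will create it. The script below is an added example, not code from this thread or from FreeIPA; it parses `getsebool -a` output, classifies the three booleans the quoted `setsebool -P` call sets as on, off or missing, and builds the `setsebool` arguments only for booleans the policy defines, so the missing ones are reported as needing a policy module (Lukas's first two options) rather than retried. The `getsebool -a` excerpt is constructed; when the tool exists on the host, the live output is used instead.

```python
"""Distinguish 'SELinux boolean is off' from 'boolean absent from the policy'.

Added example, not code from the thread: it parses `getsebool -a` output and
classifies the booleans the thread's setsebool call sets, so that setsebool is
only attempted for booleans the loaded policy actually defines; the 'missing'
ones need a policy module (Lukas's first two options), not a setsebool call.
"""
import shutil
import subprocess
from typing import Dict, Iterable, List

REQUIRED = ("httpd_can_network_connect", "httpd_run_ipa", "httpd_manage_ipa")

# Constructed `getsebool -a` excerpt: a policy that defines the generic httpd
# boolean but not the two IPA-specific ones, the situation in the thread.
SAMPLE_GETSEBOOL = """\
httpd_can_network_connect --> off
httpd_can_network_relay --> off
httpd_enable_cgi --> on
"""


def parse_getsebool(text: str) -> Dict[str, str]:
    """'name --> on|off' lines to a dict; anything else is ignored."""
    state: Dict[str, str] = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" --> ")
        if sep:
            state[name.strip()] = value.strip()
    return state


def classify(state: Dict[str, str], required: Iterable[str]) -> Dict[str, str]:
    """Each required boolean -> 'on', 'off' or 'missing'."""
    return {name: state.get(name, "missing") for name in required}


def setsebool_args(report: Dict[str, str]) -> List[str]:
    """Arguments for `setsebool -P`: only booleans that exist and are off."""
    return [f"{name}=on" for name, status in report.items() if status == "off"]


def live_state() -> Dict[str, str]:
    """Read the running policy when getsebool exists, else use the sample."""
    if shutil.which("getsebool"):
        run = subprocess.run(["getsebool", "-a"], capture_output=True,
                             text=True, check=False)
        if run.returncode == 0:
            return parse_getsebool(run.stdout)
    return parse_getsebool(SAMPLE_GETSEBOOL)


if __name__ == "__main__":
    report = classify(live_state(), REQUIRED)
    for name, status in report.items():
        print(f"{name}: {status}")
    missing = [n for n, s in report.items() if s == "missing"]
    if missing:
        print("not in loaded policy (needs a policy module):", ", ".join(missing))
    args = setsebool_args(report)
    if args:
        print("setsebool -P", " ".join(args))
```

On a Fedora or RHEL host with the IPA policy loaded the report shows all three as on or off and the `setsebool -P` line is complete; on the Ubuntu policy from the thread it shows two as missing, which is the "backport the rules or build your own module" branch rather than a setsebool problem.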

[Freeipa-users] system to pick up pa user-mod --uid change - how long?

2016-11-08 Thread lejeczek

hello

I've changed an uid of a.user but system: $ id a.user - 
still shows old id.

When is the system supposed to notice that change?

thanks
L.



Re: [Freeipa-users] AD trust and UPN issue

2016-11-08 Thread Jan Karásek
Hi, 

I can confirm that the UPN issue is fixed in RHEL 7.3. That is great, thank you a 
lot. 
It looks like the solution came with sssd 1.14.x, right? Does anybody know if there are 
plans to implement it in RHEL 6.x (ipa-client)? Currently my ipa-clients on 
RHEL 6.8 (sssd 1.13.3-22) are not able to handle that. 

Thanks, 
Jan 


-- 

From: "Jan Karásek"  
To: freeipa-users@redhat.com 
Sent: Tuesday, May 10, 2016 4:44:14 PM 
Subject: AD trust and UPN issue 

Hi, 

thank you for the answer. I have already tried that workaround and still no 
luck. At the moment this is showstopper for us on two different projects at two 
different customers. 
Any chance to get it patch before 7.3 arrives ? 

Thanks, 
Jan 
-- 


Date: Tue, 10 May 2016 14:38:01 +0200 
From: Jakub Hrozek  
To: freeipa-users@redhat.com 
Subject: Re: [Freeipa-users] Fwd: AD trust and UPN issue 
Message-ID: <20160510123801.GE4011@hendrix> 
Content-Type: text/plain; charset=iso-8859-1 

On Tue, May 10, 2016 at 02:17:07PM +0200, Jan Karásek wrote: 
> Hi all, 
> I have lab environment with IPA server and trust to Active directory. 
> IPA server is in a.example.com. 
> AD DC is in example.com. 
> We have also child AD subdomain ext.examle.com. 
> Everything is fine until the users in AD domain ext.example.com get the UPN 
> suffix of the root AD domain - example.com - which is a pretty common scenario. 
> Example: 
> user at ext.examaple.com is set in AD with UPN user at example.com 
> 
> In this situation I am not able to login into my linux box with user at 
> example.com 
> I have seen some open tickets on this issue 3559 and others, and they are 
> marked as fixed in IPA 4.2 ... but I'm not sure if it's already fixed in current 
> packages. 
> Currently I am testing on RHEL7 with ipa-server-4.2.0-15.el7_2.6.1.x86_64 and 
> the same situation is on Fedora 23 with freeipa-server-4.2.4-1.fc23.x86_64. 
> I have default settings - no changes in krb5.conf and sssd.conf after ipa 
> trust-add. 
> Also I have found the workaround to set in krb5.conf (see topic: Cannot find 
> KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues in RH archive ) - add 
> another realm just with EXT.EXAMPLE.COM = { kdc = ad.ext.example.com:88 } - 
> but no effect. 
> Could you please confirm that it's possible to use IPA with a different UPN 
> suffix for users in AD than the domain name in which they exist? Is 
> there any additional configuration needed to fix this scenario? 

In general no, not until 7.3. But it might work with a workaround. Can 
you try setting: 
ldap_user_principal = nosuchattr 
subdomain_inherit = ldap_user_principal 
in sssd.conf's domain section on the server? (Yes, server, not client..) 

This should work without the workaround starting with 7.3.. 

Jan K 


- Original Message - 
From: "freeipa-users-request"  
To: freeipa-users@redhat.com 
Sent: Tuesday, May 10, 2016 4:23:56 PM 
Subject: Freeipa-users Digest, Vol 94, Issue 63 


Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

2016-11-08 Thread Alessandro De Maria
Hello Martin,

still no luck unfortunately.

The client is an ubuntu 14.04 server, and I believe it is enrolled already.

The /etc/ipa/ca.pem is correct and already installed, and I even added it
to the /etc/ssl/certs directory (which is why my curl command in the first
email does not complain)

Commands like *kinit* work just fine, and I have never experienced a
problem which would make me doubt of the enrollment of this client.


I run the following commands:
# mkdir /etc/ipa/nssdb
# certutil -A -d /etc/ipa/nssdb -n 'PROD.X.COM IPA CA' -t CT,C,C -a
< /etc/ipa/ca.crt
# chmod +r /etc/ipa/nssdb/*
# certutil -L -d /etc/ipa/nssdb

Certificate Nickname Trust
Attributes

 SSL,S/MIME,JAR/XPI

PROD..COM IPA CA CT,C,C

But I am still unable to run the script.
Is there anything else I need to do? Do I need to restart some components?
Any log I could look into?

Thank you


On 8 November 2016 at 07:56, Martin Babinsky  wrote:

> On 11/07/2016 04:45 PM, Alessandro De Maria wrote:
>
>> Hi Martin,
>>
>> I tried from the host I am executing the script from, and I get:
>> certutil -L -d /etc/httpd/alias/
>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
>> certificate/key database is in an old, unsupported format.
>>
>>
>> From the FreeIPA server, as I said previously, I get:
>>
>> certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Signing-Cert                                                 u,u,u
>> ipaCert                                                      u,u,u
>> Server-Cert                                                  u,u,u
>> PROD.X.COM IPA CA                                            CT,C,C
>>
>>
>> From the FreeIPA server, I seem to be able to run the script, so we are
>> definitely on the right track.
>> How do I get the /etc/httpd/alias/ in sync across these hosts? can I
>> copy it, or is there a way to regenerate it?
>>
>> Regards
>> Alessandro
>>
>> On 7 November 2016 at 15:36, Alessandro De Maria wrote:
>>
>> Hi Martin, this is the output from the id1 host:
>>
>> certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Signing-Cert                                                 u,u,u
>> ipaCert                                                      u,u,u
>> Server-Cert                                                  u,u,u
>> PROD.X.COM IPA CA                                            CT,C,C
>>
>>
>> looks just like you suggested. Any other suggestion?
>>
>> On 7 November 2016 at 10:56, Martin Babinsky wrote:
>>
>> On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
>>
>> Hello,
>>
>> I have a FreeIPA installation that is working very nicely,
>> we already
>> have configured many hosts and so far we are quite happy
>> with it.
>>
>> I was trying to connect Ansible to fetch hosts from FreeIPA
>> using the
>> freeipa.py script
>> (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
>>
>>
>> Unfortunately when I run it, I get the following:
>>
>> ipa: ERROR: cert validation failed for
>> "CN=id1.prod.****.com,O=PROD..COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
>> certificate issuer has been marked as not trusted by the user.)
>> ipa: ERROR: cert validation failed for
>> "CN=id2.prod.****.com,O=PROD..COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
>> certificate issuer has been marked as not trusted by the user.)
>> Traceback (most recent call last):
>>   File "./freeipa.py", line 82, in 
>>     api = initialize()
>>   File "./freeipa.py", line 17, in initialize
>>     api.Backend.rpcclient.connect()
>>   File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
>>     conn = self.create_connection(*args, **kw)
>>   File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
>>     error=', '.join(urls))
>> ipalib.errors.NetworkError: cannot connect to 'any of the
>> 
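As an added example (not code from the thread), a small POSIX shell check for the condition Martin describes: whether an NSS database lists the IPA CA with both C and T in the SSL column of its trust attributes, which is what decides between a clean connection and the SEC_ERROR_UNTRUSTED_ISSUER seen above. The sample listings are constructed to mirror the certutil -L output quoted in the thread, including an entry wrapped over two lines the way the mail client did it; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: check that an NSS database lists
# the IPA CA with a trusted-CA SSL column. A CA that is present but carries
# u,u,u (or ,,) is what makes NSS report SEC_ERROR_UNTRUSTED_ISSUER.

# Constructed sample listings, modelled on the certutil -L output quoted
# in the thread (nicknames and flags as posted there).
GOOD_LISTING='
Certificate Nickname                       Trust Attributes
                                           SSL,S/MIME,JAR/XPI

Signing-Cert                               u,u,u
ipaCert                                    u,u,u
Server-Cert                                u,u,u
PROD.X.COM IPA CA                          CT,C,C
'
# The same entry wrapped over two lines, as mail clients did in the thread.
WRAPPED_LISTING='
PROD.X.COM  IPA CA
 CT,C,C
'
# CA imported with no trust: present, but not trusted to issue server certs.
UNTRUSTED_LISTING='
PROD.X.COM IPA CA                          u,u,u
'
MISSING_LISTING='
Server-Cert                                u,u,u
'

# ipa_ca_trust_status LISTING
# Prints "ok" when a nickname ending in "IPA CA" has both C and T in its
# SSL trust column, "bad-flags:<flags>" when the CA is listed with other
# flags, and "missing" when no IPA CA entry exists.
ipa_ca_trust_status() {
    printf '%s\n' "$1" | awk '
        pending   { flags = $1; pending = 0; next }   # flags wrapped onto next line
        /IPA CA/  { if ($NF ~ /,/) flags = $NF; else pending = 1 }
        END {
            if (flags == "") { print "missing"; exit }
            split(flags, f, ",")
            if (f[1] ~ /C/ && f[1] ~ /T/) print "ok"
            else print "bad-flags:" flags
        }'
}

# check_nssdb DIR: run the check against a real database (needs certutil),
# e.g. check_nssdb /etc/httpd/alias or check_nssdb /etc/ipa/nssdb.
check_nssdb() {
    ipa_ca_trust_status "$(certutil -L -d "$1")"
}

if [ -n "${1:-}" ]; then
    check_nssdb "$1"
fi
```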

Re: [Freeipa-users] Configuring httpd error when selinux is permissive

2016-11-08 Thread 郑磊
The commands return these results:
root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/setsebool -P 
httpd_can_network_connect=on httpd_run_ipa=on httpd_manage_ipa=on
Cannot set persistent booleans without managed policy.

root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/getsebool httpd_run_ipa
Error getting active value for httpd_run_ipa

root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/getsebool httpd_can_network_connect
httpd_can_network_connect --> off

root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/getsebool httpd_manage_ipa
httpd_manage_ipa --> off

What I want is for the configuration process to finish without this error 
appearing in its output.






--
Best wishes:
May your work go smoothly and your life be happy!
--
Changsha R&D Center, Zheng Lei (郑磊)
Phone: 18684703229
Email: zheng...@kylinos.cn
Company: Tianjin Kylin Information Technology Co., Ltd.
Address: 14th floor, Gongmei Building, Sanyi Avenue, Kaifu District, Changsha, Hunan

-- Original --
From: "Umarzuki Mochlis";
Date: Tue, Nov 8, 2016 04:42 PM
To: "郑磊"; 
Cc: "freeipa-users"; 
Subject: Re: [Freeipa-users] Configuring httpd error when selinux is permissive

2016-11-08 16:33 GMT+08:00 郑磊 :
> Hello everyone,
> I have been setting up FreeIPA (version 4.3.1) on Ubuntu. SELinux is
> enabled, and its mode is permissive. I met a problem while configuring the httpd
> process, but the process was not interrupted. The configuration information
> is as follows:
> Configuring the web interface (httpd). Estimated time: 1 minute
>   [1/20]: setting mod_nss port to 443
>   [2/20]: setting mod_nss cipher suite
>   [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
>   [4/20]: setting mod_nss password file
>   [5/20]: enabling mod_nss renegotiate
>   [6/20]: adding URL rewriting rules
>   [7/20]: configuring httpd
>   [8/20]: configure certmonger for renewals
>   [9/20]: setting up httpd keytab
>   [10/20]: setting up ssl
>   [11/20]: importing CA certificates from LDAP
>   [12/20]: publish CA cert
>   [13/20]: clean up any existing httpd ccache
>   [14/20]: configuring SELinux for httpd
> ipa.ipaplatform.redhat.tasks: ERROR    Cannot get SELinux boolean
> 'httpd_run_ipa': Command '/usr/sbin/getsebool httpd_run_ipa' returned
> non-zero exit status 255
> WARNING: Could not set SELinux booleans: httpd_can_network_connect=on
> httpd_run_ipa=on httpd_manage_ipa=on
>
> The web interface may not function correctly until
> the booleans are successfully changed with the command:
> /usr/sbin/setsebool -P httpd_can_network_connect=on httpd_run_ipa=on
> httpd_manage_ipa=on
> Try updating the policycoreutils and selinux-policy packages.
>   [15/20]: create KDC proxy user
>   [16/20]: create KDC proxy config
>   [17/20]: enable KDC proxy
>   [18/20]: restarting httpd
>   [19/20]: configuring httpd to start on boot
>   [20/20]: enabling oddjobd
> Done configuring the web interface (httpd).
> Can anyone help me?
>
> Thanks!



Hi,

Have you tried the suggested setsebool command?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Configuring httpd error when selinux is permissive

2016-11-08 Thread Umarzuki Mochlis
2016-11-08 16:33 GMT+08:00 郑磊 :
> Hello everyone,
> I have been setting up FreeIPA (version 4.3.1) on Ubuntu. SELinux is
> enabled, and its mode is permissive. I met a problem while configuring the httpd
> process, but the process was not interrupted. The configuration information
> is as follows:
> Configuring the web interface (httpd). Estimated time: 1 minute
>   [1/20]: setting mod_nss port to 443
>   [2/20]: setting mod_nss cipher suite
>   [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
>   [4/20]: setting mod_nss password file
>   [5/20]: enabling mod_nss renegotiate
>   [6/20]: adding URL rewriting rules
>   [7/20]: configuring httpd
>   [8/20]: configure certmonger for renewals
>   [9/20]: setting up httpd keytab
>   [10/20]: setting up ssl
>   [11/20]: importing CA certificates from LDAP
>   [12/20]: publish CA cert
>   [13/20]: clean up any existing httpd ccache
>   [14/20]: configuring SELinux for httpd
> ipa.ipaplatform.redhat.tasks: ERROR    Cannot get SELinux boolean
> 'httpd_run_ipa': Command '/usr/sbin/getsebool httpd_run_ipa' returned
> non-zero exit status 255
> WARNING: Could not set SELinux booleans: httpd_can_network_connect=on
> httpd_run_ipa=on httpd_manage_ipa=on
>
> The web interface may not function correctly until
> the booleans are successfully changed with the command:
> /usr/sbin/setsebool -P httpd_can_network_connect=on httpd_run_ipa=on
> httpd_manage_ipa=on
> Try updating the policycoreutils and selinux-policy packages.
>   [15/20]: create KDC proxy user
>   [16/20]: create KDC proxy config
>   [17/20]: enable KDC proxy
>   [18/20]: restarting httpd
>   [19/20]: configuring httpd to start on boot
>   [20/20]: enabling oddjobd
> Done configuring the web interface (httpd).
> Can anyone help me?
>
> Thanks!



Hi,

Have you tried the suggested setsebool command?


[Freeipa-users] Configuring httpd error when selinux is permissive

2016-11-08 Thread 郑磊
Hello everyone,
I have been setting up FreeIPA (version 4.3.1) on Ubuntu. SELinux is 
enabled, and its mode is permissive. I met a problem while configuring the httpd 
process, but the process was not interrupted. The configuration information 
is as follows:
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/20]: setting mod_nss port to 443
  [2/20]: setting mod_nss cipher suite
  [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/20]: setting mod_nss password file
  [5/20]: enabling mod_nss renegotiate
  [6/20]: adding URL rewriting rules
  [7/20]: configuring httpd
  [8/20]: configure certmonger for renewals
  [9/20]: setting up httpd keytab
  [10/20]: setting up ssl
  [11/20]: importing CA certificates from LDAP
  [12/20]: publish CA cert
  [13/20]: clean up any existing httpd ccache
  [14/20]: configuring SELinux for httpd
ipa.ipaplatform.redhat.tasks: ERROR    Cannot get SELinux boolean 
'httpd_run_ipa': Command '/usr/sbin/getsebool httpd_run_ipa' returned non-zero 
exit status 255
WARNING: Could not set SELinux booleans: httpd_can_network_connect=on 
httpd_run_ipa=on httpd_manage_ipa=on

The web interface may not function correctly until 
the booleans are successfully changed with the command:
/usr/sbin/setsebool -P httpd_can_network_connect=on httpd_run_ipa=on 
httpd_manage_ipa=on
Try updating the policycoreutils and selinux-policy packages.
  [15/20]: create KDC proxy user
  [16/20]: create KDC proxy config
  [17/20]: enable KDC proxy
  [18/20]: restarting httpd
  [19/20]: configuring httpd to start on boot
  [20/20]: enabling oddjobd
Done configuring the web interface (httpd).
Can anyone help me?

Thanks!






Re: [Freeipa-users] Remove AD domain in auth commands

2016-11-08 Thread Martin Babinsky

On 11/07/2016 09:11 PM, James Harrison wrote:

Hello
Sorry didn't explain. The ipa is the default domain, but I also want to
use the Windows domain to authenticate, but I want the OS to detect what
realm to use in the ssh command.

Thanks

On Mon, 7 Nov, 2016 at 11:48, Martin Basti wrote:

AFAIK Jakub already answered that
https://www.redhat.com/archives/freeipa-users/2016-November/msg00031.html

On 07.11.2016 12:05, James Harrison wrote:

Anyone ?

Sent from Yahoo Mail on Android


On Fri, 4 Nov, 2016 at 11:04, James Harrison wrote:
Hello,

I've installed FreeIPA 4.2 master using Centos and I have a
Windows 2012R2 with its AD schema emulating a Windows 2012 system

I have established a trust between the two and it appears to
work. I can reference a user on the AD domain, but the only
way is to add the AD domain.

The only way to ssh to the master IPA server is like this:

ssh "x_@IPAWIN.LOCAL"@10.10.10.10

Another example is using kinit:

I have to do the following to get a credential:
kinit x_@IPAWIN.LOCAL

Ideally I would not need or use the "@IPAWIN.LOCAL".

Can anyone help?

Best regards,
James Harrison
Hi James,

as Jakub pointed out, you may have to wait for the next release of SSSD 
for this to work.


--
Martin^3 Babinsky



Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

2016-11-08 Thread Martin Babinsky

On 11/07/2016 04:45 PM, Alessandro De Maria wrote:

Hi Martin,

I tried from the host I am executing the script from, and I get:
certutil -L -d /etc/httpd/alias/
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
certificate/key database is in an old, unsupported format.


From the FreeIPA server, as I said previously, I get:

certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.X.COM IPA CA                                            CT,C,C


From the FreeIPA server, I seem to be able to run the script, so we are
definitely on the right track.
How do I get the /etc/httpd/alias/ in sync across these hosts? can I
copy it, or is there a way to regenerate it?

Regards
Alessandro

On 7 November 2016 at 15:36, Alessandro De Maria wrote:

Hi Martin, this is the output from the id1 host:

certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.X.COM IPA CA                                            CT,C,C


looks just like you suggested. Any other suggestion?

On 7 November 2016 at 10:56, Martin Babinsky wrote:

On 11/04/2016 04:52 PM, Alessandro De Maria wrote:

Hello,

I have a FreeIPA installation that is working very nicely,
we already
have configured many hosts and so far we are quite happy
with it.

I was trying to connect Ansible to fetch hosts from FreeIPA
using the
freeipa.py script
(https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)

Unfortunately when I run it, I get the following:

ipa: ERROR: cert validation failed for
"CN=id1.prod.****.com,O=PROD..COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cert validation failed for
"CN=id2.prod.****.com,O=PROD..COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the user.)
Traceback (most recent call last):
  File "./freeipa.py", line 82, in 
    api = initialize()
  File "./freeipa.py", line 17, in initialize
    api.Backend.rpcclient.connect()
  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
    error=', '.join(urls))
ipalib.errors.NetworkError: cannot connect to 'any of the configured
servers': https://id1.prod.****.com/ipa/json, https://id2.prod.****.com/ipa/json


If I curl the URL, it works just fine ( I imported the CA
Certificate in
the system directory /etc/ssl/certs).

I have run `openssl s_client` connect and downloaded the remote
certificate locally, then I run:

# openssl verify cert.pem
id1.prod.****.com.pem: OK


Would you help me figure out what's going on?



--
Alessandro De Maria
alessandro.dema...@gmail.com



Hi Alessandro,

this error can mean that the CA certificate in the IPA NSS database
has the wrong trust flags set. Please make sure that the IPA CA
certificate is present in /etc/httpd/alias and that it has the trust flags
CT,C,C, like this:

# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert