Re: [Freeipa-users] Would fixing hosts file break kerberos

2016-11-17 Thread Robbie Harwood
William Muriithi  writes:

> I just noticed that I used inappropriate way of setting up my hosts
> files and I am planning to make a fix.  I am however worried this may
> break Kerberos.  Should this change be of concern and have anyone made
> the changes before?

It will depend on what you named the host in the KDC and what your
DNS/canonicalization options are.

Any breakage will not be permanant; try it, see if it works, and if not,
revert it.


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Would fixing hosts file break kerberos

2016-11-17 Thread William Muriithi
Afternoon.

I just noticed that I used inappropriate way of setting up my hosts
files and I am planning to make a fix.  I am however worried this may
break Kerberos.  Should this change be of concern and have anyone made
the changes before?

My current /etc/hosts are as follows:
192.168.20.2 ipa  ipa.example.com

I am planning to change them so that the above line looks like this:
192.168.20.2  ipa.example.com  ipa

Regards,
William

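Robbie's answer turns on which name the resolver hands back as canonical. For the glibc files backend that is the first name after the address in /etc/hosts, so the two lines William shows produce different canonical names. The following is an added example, not code from the thread or from FreeIPA: it parses hosts-file text the way hosts(5) defines it and derives the host principal a client would use if it canonicalises through that file (an assumption labelled in the code); the realm EXAMPLE.COM and the KDC entry are constructed placeholders.

```python
"""Show how /etc/hosts line order decides the canonical hostname that a
hosts-file lookup (and, with canonicalisation, a Kerberos host-principal
lookup) will see.  Added example; not from the mailing-list thread.  The
IP, names and realm are the thread's placeholder values."""


def parse_hosts(text):
    """Parse /etc/hosts content into (ip, canonical, aliases) tuples.

    hosts(5): the first name after the address is the canonical hostname,
    any further names are aliases.  Comments and blank lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1], fields[2:]))
    return entries


def canonical_name(text, ip):
    """Emulate a reverse lookup through the hosts file: the canonical name
    of the first entry whose address equals `ip`, or None."""
    for addr, canon, _aliases in parse_hosts(text):
        if addr == ip:
            return canon
    return None


def host_principal(text, ip, realm):
    """Principal a client would build for this host if it canonicalises the
    name via the hosts file (assumption: no DNS, rdns-style canonicalisation)."""
    canon = canonical_name(text, ip)
    return f"host/{canon}@{realm}" if canon else None


def principal_matches_kdc(text, ip, realm, kdc_principal):
    """True when the derived principal equals the one the KDC holds."""
    return host_principal(text, ip, realm) == kdc_principal


# Constructed sample inputs: the "before" and "after" lines from the thread,
# plus a loopback line and a comment to show they are handled.
HOSTS_BEFORE = "127.0.0.1 localhost\n# ipa server\n192.168.20.2 ipa  ipa.example.com\n"
HOSTS_AFTER = "127.0.0.1 localhost\n# ipa server\n192.168.20.2  ipa.example.com  ipa\n"
KDC_PRINCIPAL = "host/ipa.example.com@EXAMPLE.COM"   # hypothetical KDC entry (FQDN)

if __name__ == "__main__":
    for label, hosts in (("before", HOSTS_BEFORE), ("after", HOSTS_AFTER)):
        derived = host_principal(hosts, "192.168.20.2", "EXAMPLE.COM")
        ok = principal_matches_kdc(hosts, "192.168.20.2", "EXAMPLE.COM", KDC_PRINCIPAL)
        print(f"{label}: {derived} matches KDC entry: {ok}")
```

Run it and the "before" layout yields host/ipa@EXAMPLE.COM while the "after" layout yields the FQDN principal; which one is correct depends, as Robbie says, on the name the host was enrolled under and on whether the client canonicalises via DNS instead of this file.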


Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-17 Thread Sean Hogan

Hi Guys..

   Sorry to bug ya again.. so looks like the selinux packages are not back
ported to 7.1 as I only have selinux-policy-3.13.1-23.el7_1.21.noarch as an
option

Setting the contexts manually  to /etc/ipa/nssdb


Original
[root@server2 ipa]# ls -dZ nssdb
drwxr-xr-x. root root system_u:object_r:etc_t:s0   nssdb

Set to
[root@server2 ipa]# semanage fcontext -a -t cert_t "/etc/ipa/nssdb(/.*)?"
[root@server2 ~]# restorecon -FvvR /etc/ipa/nssdb/

Check for change
[root@server2 ~]# ls -dZ /etc/ipa/nssdb
drwxr-xr-x. root root system_u:object_r:cert_t:s0  /etc/ipa/nssdb

I did this.. re-enrolled the box again but still no host cert showing in
IPA however I do get a result now from getcert list as seen below.   The
install log still shows certmonger failed  .. 2016-11-17T20:05:05Z ERROR
certmonger request for host certificate failed.




getcert list
Number of certificates and requests being tracked: 1.
Request ID '20161117153721':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS
Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA
host'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes

Not seeing anymore selinux issues either

[root@server2 sudofix]# ausearch -m avc -m user_avc -m selinux_err -i -ts
recent




Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397

From:   Rob Crittenden 
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users@redhat.com, Jakub Hrozek ,
Martin Babinsky 
Date:   11/17/2016 09:14 AM
Subject:Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server



Sean Hogan wrote:
> Hi Robert,
>
> No I did not cut it off there was no reason listed.. that was the
> last line about the issue.
>
> I did find this to be my issue however
> https://bugzilla.redhat.com/show_bug.cgi?id=1262718 ... having our sat
> guys see if they can pull the new selinux policy packages as I do not
> see them avail right now for my boxes.
>
> [root@server2 log]# ausearch -m avc -m user_avc -m selinux_err -i -ts
recent
> 
> type=USER_AVC msg=audit(11/17/2016 10:35:04.074:2502) : pid=1 uid=root
> auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received
> setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root
> hostname=? addr=? terminal=?'
> 
> type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0
> name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
> type=SYSCALL msg=audit(11/17/2016 10:37:21.803:2543) : arch=x86_64
> syscall=access success=yes exit=0 a0=0x7fbc870da950 a1=W_OK|R_OK
> a2=0x4000 a3=0xf8e8 items=1 ppid=1 pid=2875 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger
> subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc: denied { write }
> for pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=dir
> 
> type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0
> name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644
> ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0
> objtype=NORMAL
> type=SYSCALL msg=audit(11/17/2016 10:37:21.866:2544) : arch=x86_64
> syscall=open success=yes exit=11 a0=0x7fbc8712a080 a1=O_RDWR a2=0x180
> a3=0x0 items=1 ppid=2875 pid=2918 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
> comm=certmonger exe=/usr/sbin/certmonger
> subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc: denied { write }
> for pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

Good catch, that seems like the issue.

> [root@server2 log]# rpm -qf /etc/ipa/nssdb
> ipa-python-4.1.0-18.el7_1.4.x86_64

IIRC it is just ghosted, all files should be owned by something.

> Encryption types.. thanks for the command.. good to know but hate seeing
> the arcfour and des options as I know DISA will not like that.

No DES, Triple DES. You can always remove them if you want, just be
aware of interoperability.

rob

>
> [root@ipa1 ~]# ldapsearch -x -D 'cn=directory manager' -W -s base -b
> cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local krbSupportedEncSaltTypes
> Enter LDAP Password:
> # 
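The AVC records Sean quoted (certmonger_t denied write on a directory and a file labelled etc_t) and the semanage fcontext / restorecon relabel he applied are the two halves of a routine triage. The following is an added example, not code from the thread or from FreeIPA: it parses `ausearch -i` style records, joins each AVC with the PATH record of the same event so the full pathname is known, skips USER_AVC notices that are not denials, and maps a mismatched label on a known path to the relabel commands from the thread. The expected-type table is a hypothetical policy; the sample records are abridged copies of the lines Sean posted.

```python
"""Triage SELinux denials from `ausearch -m avc ... -i` output and map them
to the fcontext fix used in this thread.  Added example, not from the
thread or from FreeIPA.  EXPECTED_TYPES is a hypothetical policy table."""
import re
from collections import defaultdict

# Hypothetical policy: the file type each confined path should carry.
EXPECTED_TYPES = {"/etc/ipa/nssdb": "cert_t"}

_SERIAL = re.compile(r"msg=audit\([^)]*:(\d+)\)")      # event serial inside audit(...)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')               # key=value tokens
_PERMS = re.compile(r"denied\s*\{\s*([^}]*?)\s*\}")    # { write } -> write


def _fields(line):
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def parse_audit(text):
    """Group audit records by event serial -> [(record type, fields, raw line)]."""
    events = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = _SERIAL.search(line)
        if not line.startswith("type=") or not m:
            continue
        fields = _fields(line)
        events[int(m.group(1))].append((fields["type"], fields, line))
    return events


def denials(text):
    """One dict per AVC 'denied' record, joined with the PATH record of the
    same event.  USER_AVC notices (e.g. setenforce) are not denials."""
    out = []
    for serial, records in sorted(parse_audit(text).items()):
        paths = [f["name"] for t, f, _ in records if t == "PATH" and "name" in f]
        for t, f, line in records:
            if t != "AVC" or "denied" not in line:
                continue
            out.append({
                "serial": serial,
                "perms": _PERMS.search(line).group(1).split(),
                "comm": f.get("comm"),
                "path": paths[0] if paths else f.get("name"),
                "source_type": f["scontext"].split(":")[2],
                "target_type": f["tcontext"].split(":")[2],
                "tclass": f.get("tclass"),
            })
    return out


def suggest_fix(denial):
    """Relabel commands when the target sits under a path with a known
    expected type but carries a different one; empty list otherwise."""
    for prefix, want in EXPECTED_TYPES.items():
        if denial["path"].startswith(prefix) and denial["target_type"] != want:
            return [f'semanage fcontext -a -t {want} "{prefix}(/.*)?"',
                    f"restorecon -FvvR {prefix}"]
    return []


# Constructed sample: abridged copies of the records posted in the thread.
SAMPLE = """\
type=USER_AVC msg=audit(11/17/2016 10:35:04.074:2502) : pid=1 uid=root subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0 name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 ouid=root ogid=root obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=SYSCALL msg=audit(11/17/2016 10:37:21.803:2543) : arch=x86_64 syscall=access success=yes exit=0 ppid=1 pid=2875 comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc:  denied  { write } for  pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0 name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644 ouid=root ogid=root obj=unconfined_u:object_r:etc_t:s0 objtype=NORMAL
type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc:  denied  { write } for  pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
"""

if __name__ == "__main__":
    for d in denials(SAMPLE):
        print(f"event {d['serial']}: {d['comm']} ({d['source_type']}) denied "
              f"{' '.join(d['perms'])} on {d['path']} [{d['target_type']}:{d['tclass']}]")
        for cmd in suggest_fix(d):
            print("   fix:", cmd)
```

After the relabel, re-running the same ausearch query and feeding its output through `denials()` should return an empty list, which is the check Sean performs by hand at the end of his message.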

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi.

I've tried to delete and reimport only the *Server-Cert* certificate (I've
a copy of the original folder).
But a strange behaviour occurred:

# certutil -L -d /etc/httpd/alias -n Server-Cert -a > /tmp/Server-Cert.crt
# certutil -D -d /etc/httpd/alias -n Server-Cert
# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
IPA.PEDONGROUP.COM IPA CA                                    CT,C,C
# certutil -A -d /etc/httpd/alias -n Server-Cert -t u,u,u -a -i /tmp/Server-Cert.crt
Notice: Trust flag u is set automatically if the private key is present.
p11-kit: objects of this type cannot be created
# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
IPA.PEDONGROUP.COM IPA CA                                    CT,C,C
Server-Cert                                                  Pu,u,u

What's the error message in bold?
And why trust flags are set different from ones specified?

Thanks, Morgan

2016-11-17 17:36 GMT+01:00 Morgan Marodin :

> Hi.
>
> I've upgraded all packages of my distribution, not only ipa packages.
> There were a lot of packages.
>
> [root@mlv-ipa01 ~]# rpm -q mod_nss
> mod_nss-1.0.14-7.el7.x86_64
>
> All other checks seem ok:
>
> [root@mlv-ipa01 ~]# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
> certutil: certificate is valid
> [root@mlv-ipa01 ~]# getsebool
> getsebool:  SELinux is disabled
> [root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> < 0> rsa      736...   NSS Certificate DB:Server-Cert
> < 1> rsa      a4b...   NSS Certificate DB:Signing-Cert
> < 2> rsa      0ff...   NSS Certificate DB:ipaCert
>
> [root@mlv-ipa01 ~]# certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
>             Not Before: Mon Sep 07 10:15:34 2015
>             Not After : Thu Sep 07 10:15:34 2017
>
> Could it be a good idea to export and re-import all certs from
> */etc/httpd/alias* folder?
>
> Thanks
>
> 2016-11-17 17:07 GMT+01:00 Rob Crittenden :
>
>> Morgan Marodin wrote:
>> > Hi Rob.
>> >
>> > I've just tried to remove the group write to the *.db files, but it's
>> > not the problem.
>>
>> I didn't expect it to be but you don't want Apache having write access
>> to your certs and keys.
>>
>> > /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
>> > NSSNickname Server-Cert/
>>
>> Ok.
>>
>> >
>> > I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
>> > works, services went up.
>> > The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
>> > /winbind.service/, /kadmin.service/, /memcached.service/ and
>> > /pki-tomcatd.target/.
>>
>> Good, so you can limp along for a while then.
>>
>> > Any other ideas?
>>
>> So you upgraded. What did you actually upgrade? Only the IPA packages or
>> a lot more?
>>
>> What version is running now, and what version of mod_nss?
>>
>> $ rpm -q mod_nss
>>
>> Let's see if the NSS tools can find the cert:
>>
>> # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
>>
>> Should come back with: certutil: certificate is valid
>>
>> rob
>>
>

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi.

I've upgraded all packages of my distribution, not only ipa packages.
There were a lot of packages.

[root@mlv-ipa01 ~]# rpm -q mod_nss
mod_nss-1.0.14-7.el7.x86_64

All other checks seem ok:

[root@mlv-ipa01 ~]# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
certutil: certificate is valid
[root@mlv-ipa01 ~]# getsebool
getsebool:  SELinux is disabled
[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      736...   NSS Certificate DB:Server-Cert
< 1> rsa      a4b...   NSS Certificate DB:Signing-Cert
< 2> rsa      0ff...   NSS Certificate DB:ipaCert

[root@mlv-ipa01 ~]# certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
            Not Before: Mon Sep 07 10:15:34 2015
            Not After : Thu Sep 07 10:15:34 2017

Could it be a good idea to export and re-import all certs from
*/etc/httpd/alias* folder?

Thanks

2016-11-17 17:07 GMT+01:00 Rob Crittenden :

> Morgan Marodin wrote:
> > Hi Rob.
> >
> > I've just tried to remove the group write to the *.db files, but it's
> > not the problem.
>
> I didn't expect it to be but you don't want Apache having write access
> to your certs and keys.
>
> > /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
> > NSSNickname Server-Cert/
>
> Ok.
>
> >
> > I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
> > works, services went up.
> > The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
> > /winbind.service/, /kadmin.service/, /memcached.service/ and
> > /pki-tomcatd.target/.
>
> Good, so you can limp along for a while then.
>
> > Any other ideas?
>
> So you upgraded. What did you actually upgrade? Only the IPA packages or
> a lot more?
>
> What version is running now, and what version of mod_nss?
>
> $ rpm -q mod_nss
>
> Let's see if the NSS tools can find the cert:
>
> # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
>
> Should come back with: certutil: certificate is valid
>
> rob
>

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-17 Thread Rob Crittenden
Sean Hogan wrote:
> Hi Robert,
> 
> No I did not cut it off there was no reason listed.. that was the
> last line about the issue.
> 
> I did find this to be my issue however
> https://bugzilla.redhat.com/show_bug.cgi?id=1262718 ... having our sat
> guys see if they can pull the new selinux policy packages as I do not
> see them avail right now for my boxes.
> 
> [root@server2 log]# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
> 
> type=USER_AVC msg=audit(11/17/2016 10:35:04.074:2502) : pid=1 uid=root
> auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received
> setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root
> hostname=? addr=? terminal=?'
> 
> type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0
> name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
> type=SYSCALL msg=audit(11/17/2016 10:37:21.803:2543) : arch=x86_64
> syscall=access success=yes exit=0 a0=0x7fbc870da950 a1=W_OK|R_OK
> a2=0x4000 a3=0xf8e8 items=1 ppid=1 pid=2875 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger
> subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc: denied { write }
> for pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=dir
> 
> type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0
> name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644
> ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0
> objtype=NORMAL
> type=SYSCALL msg=audit(11/17/2016 10:37:21.866:2544) : arch=x86_64
> syscall=open success=yes exit=11 a0=0x7fbc8712a080 a1=O_RDWR a2=0x180
> a3=0x0 items=1 ppid=2875 pid=2918 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
> comm=certmonger exe=/usr/sbin/certmonger
> subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc: denied { write }
> for pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

Good catch, that seems like the issue.

> [root@server2 log]# rpm -qf /etc/ipa/nssdb
> ipa-python-4.1.0-18.el7_1.4.x86_64

IIRC it is just ghosted, all files should be owned by something.

> Encryption types.. thanks for the command.. good to know but hate seeing
> the arcfour and des options as I know DISA will not like that.

No DES, Triple DES. You can always remove them if you want, just be
aware of interoperability.

rob

> 
> [root@ipa1 ~]# ldapsearch -x -D 'cn=directory manager' -W -s base -b
> cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local krbSupportedEncSaltTypes
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Florence Blanc-Renaud

On 11/17/2016 04:51 PM, Morgan Marodin wrote:

Hi Rob.

I've just tried to remove the group write to the *.db files, but it's
not the problem.
/[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert/

I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
works, services went up.
The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
/winbind.service/, /kadmin.service/, /memcached.service/ and
/pki-tomcatd.target/.

But if I try to start /httpd.service/:
/[root@mlv-ipa01 ~]# tail -f /var/log/messages
Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC
proxy enabled
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process
exited, code=exited, status=1/FAILURE
Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process
exited, code=exited status=1
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP
Server.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed
state.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed./

Any other ideas?

Hi,

- Does the NSS Db contain the private key for Server-Cert? If yes, the 
command

$ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
should display a line like this one:
< 0> rsa  01a6cbd773f3d785ffa44233148dcb8ade266ea5   NSS Certificate 
DB:Server-Cert


- Is your system running with SElinux enforcing? If yes, you can check 
if there were SElinux permission denials using

$ ausearch -m avc --start recent

- If the certificate was expired, I believe you would see a different 
message, but it doesn't hurt to check its validity
$ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not 
Before|Not After"



Flo.


Please let me know, thanks.
Morgan

2016-11-17 16:11 GMT+01:00 Rob Crittenden >:

Morgan Marodin wrote:
> Hi Florence.
>
> Thanks for your support.
>
> Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all
> permissions and certificates are good:
> /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
> total 184
> -r--r--r--  1 root root1345 Sep  7  2015 cacert.asc
> -rw-rw  1 root apache 65536 Nov 17 11:06 cert8.db
> -rw-r-. 1 root apache 65536 Sep  4  2015 cert8.db.orig
> -rw---. 1 root root4833 Sep  4  2015 install.log
> -rw-rw  1 root apache 16384 Nov 17 11:06 key3.db
> -rw-r-. 1 root apache 16384 Sep  4  2015 key3.db.orig
> lrwxrwxrwx  1 root root  24 Nov 17 10:24 libnssckbi.so ->
> /usr/lib64/libnssckbi.so
> -rw-rw  1 root apache20 Sep  7  2015 pwdfile.txt
> -rw-rw  1 root apache 16384 Sep  7  2015 secmod.db
> -rw-r-. 1 root apache 16384 Sep  4  2015 secmod.db.orig/

Eventually you'll want to remove group write on the *.db files.

> And password validations seems ok, too:
> /[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
> /etc/httpd/alias/pwdfile.txt
good

> Enabling mod-nss debug I can see these logs:
> /[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
> [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232:
> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
>  -> Server-Cert
> [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server
> for SSL protocol
> [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
> nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
> [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
> nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
> [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
> nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
> [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
> nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
> [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
> nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
> [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
> nss_engine_init.c(906): Disabling TLS Session Tickets
> [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
> nss_engine_init.c(916): Enabling DHE key exchange
> [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
> nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
> ciphers
> 
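Flo's checklist (private key present for the nickname, no SELinux denial, certificate inside its validity window) and Rob's "Certificate not found: 'Server-Cert'" question both reduce to comparing the nickname in nss.conf against what certutil reports. The following is an added example, not code from the thread or from FreeIPA: it parses the textual output of `grep NSSNickname`, `certutil -K` and `certutil -L ... | egrep "Not Before|Not After"` and returns the findings a triage would raise. The command outputs embedded below are constructed samples in the format quoted in the thread; the SELinux check is left to ausearch as Flo describes.

```python
"""Triage helpers for the mod_nss "Certificate not found" failure: confirm
the nickname httpd is configured with has a private key in the NSS DB and
that the certificate is within its validity period.  Added example, not
from the thread or from FreeIPA; the sample command outputs are constructed."""
from datetime import datetime

_NSS_DATE = "%a %b %d %H:%M:%S %Y"   # certutil prints e.g. "Mon Sep 07 10:15:34 2015"


def nss_nickname(nss_conf_text):
    """First NSSNickname directive in nss.conf, or None."""
    for line in nss_conf_text.splitlines():
        s = line.strip()
        if s.startswith("NSSNickname"):
            return s.split(None, 1)[1].strip()
    return None


def private_key_nicknames(certutil_k_text):
    """Nicknames that own a private key, from `certutil -K -d <dir> -f <pwdfile>`."""
    names = []
    for line in certutil_k_text.splitlines():
        s = line.strip()
        if s.startswith("<") and "NSS Certificate DB:" in s:
            names.append(s.split("NSS Certificate DB:", 1)[1].strip())
    return names


def validity_window(certutil_l_text):
    """(not_before, not_after) parsed from `certutil -L -n <nick>` output.
    Times are taken as naive local time, as certutil prints them."""
    before = after = None
    for line in certutil_l_text.splitlines():
        label, _, value = line.partition(":")
        label = label.strip()
        if label == "Not Before":
            before = datetime.strptime(value.strip(), _NSS_DATE)
        elif label == "Not After":
            after = datetime.strptime(value.strip(), _NSS_DATE)
    return before, after


def triage(nss_conf_text, certutil_k_text, certutil_l_text, now):
    """Findings as a list of strings; empty means the checks pass.
    `now` may be a datetime or an ISO date string such as "2016-11-17"."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    nick = nss_nickname(nss_conf_text)
    if nick is None:
        findings.append("no NSSNickname directive in nss.conf")
    elif nick not in private_key_nicknames(certutil_k_text):
        findings.append(f"no private key for nickname {nick!r} in the NSS DB")
    before, after = validity_window(certutil_l_text)
    if before is None or after is None:
        findings.append("could not read validity period from certutil -L output")
    elif not (before <= now <= after):
        findings.append(f"certificate not valid at {now:%Y-%m-%d}: "
                        f"{before:%Y-%m-%d} .. {after:%Y-%m-%d}")
    return findings


# Constructed samples in the format the thread quotes (key IDs elided as "...").
NSS_CONF = "# mod_nss config excerpt\nNSSNickname Server-Cert\n"
CERTUTIL_K = """certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      736...   NSS Certificate DB:Server-Cert
< 1> rsa      a4b...   NSS Certificate DB:Signing-Cert
< 2> rsa      0ff...   NSS Certificate DB:ipaCert
"""
CERTUTIL_L = """            Not Before: Mon Sep 07 10:15:34 2015
            Not After : Thu Sep 07 10:15:34 2017
"""

if __name__ == "__main__":
    for when in ("2016-11-17", "2018-01-01"):
        print(when, triage(NSS_CONF, CERTUTIL_K, CERTUTIL_L, when) or "all checks pass")
```

On a live server the three inputs come straight from the commands in Flo's message; a finding on the nickname check points at the database (as in Morgan's case, where the cert was present but mod_nss could not find it), a finding on the window points at renewal.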

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Rob Crittenden
Morgan Marodin wrote:
> Hi Rob.
> 
> I've just tried to remove the group write to the *.db files, but it's
> not the problem.

I didn't expect it to be but you don't want Apache having write access
to your certs and keys.

> /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
> NSSNickname Server-Cert/

Ok.

> 
> I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
> works, services went up.
> The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
> /winbind.service/, /kadmin.service/, /memcached.service/ and
> /pki-tomcatd.target/.

Good, so you can limp along for a while then.

> Any other ideas?

So you upgraded. What did you actually upgrade? Only the IPA packages or
a lot more?

What version is running now, and what version of mod_nss?

$ rpm -q mod_nss

Let's see if the NSS tools can find the cert:

# certutil -V -u V -d /etc/httpd/alias -n Server-Cert

Should come back with: certutil: certificate is valid

rob



Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-17 Thread Sean Hogan

Hi Robert,

No I did not cut it off there was no reason listed.. that was the last
line about the issue.

I did find this to be my issue however
https://bugzilla.redhat.com/show_bug.cgi?id=1262718 ... having our sat guys
see if they can pull the new selinux policy packages as I do not see them
avail right now for my boxes.

[root@server2 log]# ausearch -m avc -m user_avc -m selinux_err -i -ts
recent

type=USER_AVC msg=audit(11/17/2016 10:35:04.074:2502) : pid=1 uid=root
auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received
setenforce notice (enforcing=0)  exe=/usr/lib/systemd/systemd sauid=root
hostname=? addr=? terminal=?'

type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0
name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=SYSCALL msg=audit(11/17/2016 10:37:21.803:2543) : arch=x86_64
syscall=access success=yes exit=0 a0=0x7fbc870da950 a1=W_OK|R_OK a2=0x4000
a3=0xf8e8 items=1 ppid=1 pid=2875 auid=unset uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
ses=unset comm=certmonger exe=/usr/sbin/certmonger
subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc:  denied  { write }
for  pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676
scontext=system_u:system_r:certmonger_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir

type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0
name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644
ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0
objtype=NORMAL
type=SYSCALL msg=audit(11/17/2016 10:37:21.866:2544) : arch=x86_64
syscall=open success=yes exit=11 a0=0x7fbc8712a080 a1=O_RDWR a2=0x180
a3=0x0 items=1 ppid=2875 pid=2918 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
comm=certmonger exe=/usr/sbin/certmonger
subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc:  denied  { write }
for  pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680
scontext=system_u:system_r:certmonger_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

[root@server2 log]# rpm -qf /etc/ipa/nssdb
ipa-python-4.1.0-18.el7_1.4.x86_64



Encryption types.. thanks for the command.. good to know but hate seeing
the arcfour and des options as I know DISA will not like that.

[root@ipa1 ~]# ldapsearch -x -D 'cn=directory manager' -W -s base -b
cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local krbSupportedEncSaltTypes
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi Rob.

I've just tried to remove the group write to the *.db files, but it's not
the problem.

[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert

I've tried to run manually *dirsrv.target* and *krb5kdc.service*, and it
works, services went up.
The same for *ntpd*, *named-pkcs11.service*, *smb.service*,
*winbind.service*, *kadmin.service*, *memcached.service* and
*pki-tomcatd.target*.

But if I try to start *httpd.service*:

[root@mlv-ipa01 ~]# tail -f /var/log/messages
Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed.

Any other ideas?

Please let me know, thanks.
Morgan

2016-11-17 16:11 GMT+01:00 Rob Crittenden :

> Morgan Marodin wrote:
> > Hi Florence.
> >
> > Thanks for your support.
> >
> > Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all
> > permissions and certificates are good:
> > /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
> > total 184
> > -r--r--r--  1 root root1345 Sep  7  2015 cacert.asc
> > -rw-rw  1 root apache 65536 Nov 17 11:06 cert8.db
> > -rw-r-. 1 root apache 65536 Sep  4  2015 cert8.db.orig
> > -rw---. 1 root root4833 Sep  4  2015 install.log
> > -rw-rw  1 root apache 16384 Nov 17 11:06 key3.db
> > -rw-r-. 1 root apache 16384 Sep  4  2015 key3.db.orig
> > lrwxrwxrwx  1 root root  24 Nov 17 10:24 libnssckbi.so ->
> > /usr/lib64/libnssckbi.so
> > -rw-rw  1 root apache20 Sep  7  2015 pwdfile.txt
> > -rw-rw  1 root apache 16384 Sep  7  2015 secmod.db
> > -rw-r-. 1 root apache 16384 Sep  4  2015 secmod.db.orig/
>
> Eventually you'll want to remove group write on the *.db files.
>
> > And password validations seems ok, too:
> > /[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
> > /etc/httpd/alias/pwdfile.txt
> good
>
> > Enabling mod-nss debug I can see these logs:
> > /[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
> > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232:
> > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
> > NSSSessionCacheTimeout is deprecated. Ignoring.
> > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
> > nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
> >  -> Server-Cert
> > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server
> > for SSL protocol
> > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
> > nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
> > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
> > nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
> > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
> > nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
> > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
> > nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
> > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
> > nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
> > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
> > nss_engine_init.c(906): Disabling TLS Session Tickets
> > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
> > nss_engine_init.c(916): Enabling DHE key exchange
> > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
> > nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
> > ciphers
> > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_
> gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_
> gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_
> gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_
> gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_
> 256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
> > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname
> > Server-Cert.
> [snip]
> > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not
> > found: 'Server-Cert'
>
> Can you shows what this returns:
>
> # grep NSSNickname /etc/httpd/conf.d/nss.conf
>
> > Do you think there is a kerberos problem?
>
> It definitely is not.
>
> You can bring the system up in a minimal way by manually starting the
> dir...@example.com service and then krb5kdc. This will at least let your
> users authenticate. The management framework (GUI) runs through Apache
> so that will 

Re: [Freeipa-users] Disabling Anonymous Binds (LDAP)

2016-11-17 Thread Rob Crittenden
Brian Candler wrote:
> On 16/11/2016 16:46, dan.finkelst...@high5games.com wrote:
>> I've seen some discussion in the (distant) past about disabling
>> anonymous binds to the LDAP component of IPA, and I'm wondering if
>> there's a preferred method to do it. Further, are there any known
>> problems with disabling anonymous binds when using FreeIPA? The only
>> modern documentation I can find is here:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/disabling-anon-binds.html,
>> and I'm curious if FreeIPA has a different way.
> 
> FWIW, I see the same here. Installed ipa-server under CentOS 7 (which
> gave me freeipa 4.2.0), and found anonymous binds allowed: tested by
> "ldapsearch -x ..."
> 
> I was able to disable anonymous bind (and also disable unencrypted
> queries) by changing the cn=config entry:
> 
> |dn: cn=config|
> |changetype: modify|
> |replace: nsslapd-allow-anonymous-access|
> |nsslapd-allow-anonymous-access: rootdse|
> |-|
> |replace: nsslapd-minssf|
> |nsslapd-minssf: 56|
> 
> I don't think this replicated from master to slave though, and I ended
> up doing it on slaves as well.
> 
> If there is an "official" way to disable anon bind on FreeIPA 4.x, I
> would like to know it.

Modifying nsslapd-allow-anonymous-access is the official way. Attributes
in cn=config are not replicated.

rob

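Rob's point that cn=config attributes are not replicated means the anonymous-bind and minssf change Brian applied must be made, and verified, on every replica separately. The following is an added example, not code from the thread or from FreeIPA: it parses a cn=config entry as `ldapsearch` prints it (LDIF, including folded continuation lines), reports whether each replica carries the two settings from Brian's LDIF, and emits that LDIF for use with ldapmodify. The replica names and the cn=config dumps are constructed samples; the 389-ds defaults assumed when an attribute is absent (anonymous access on, minssf 0) are marked in the code.

```python
"""Per-replica audit of the 389-ds cn=config settings discussed in the
thread (nsslapd-allow-anonymous-access, nsslapd-minssf), plus the modify
LDIF that sets them.  Added example, not from the thread or from FreeIPA.
cn=config is not replicated, so every replica is checked on its own."""

WANT_ANON = "rootdse"   # value from the thread: only the root DSE stays anonymous
WANT_MINSSF = 56        # value from the thread


def parse_ldif_entry(text):
    """Single-entry LDIF (as printed by ldapsearch) -> {attr_lowercase: [values]}.
    Folded lines (leading space) are joined to the previous line; '#' comments
    and blank lines are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of a folded value
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def audit_replica(name, ldif_text):
    """Findings for one replica's cn=config dump; empty list means hardened."""
    attrs = parse_ldif_entry(ldif_text)
    findings = []
    # Assumed 389-ds defaults when the attribute is not present in the dump.
    anon = attrs.get("nsslapd-allow-anonymous-access", ["on"])[0].lower()
    minssf = int(attrs.get("nsslapd-minssf", ["0"])[0])
    if anon != WANT_ANON:
        findings.append(f"{name}: nsslapd-allow-anonymous-access={anon} (want {WANT_ANON})")
    if minssf < WANT_MINSSF:
        findings.append(f"{name}: nsslapd-minssf={minssf} (want >= {WANT_MINSSF})")
    return findings


def hardening_ldif():
    """The modify LDIF from the thread; apply with ldapmodify on every replica."""
    return "\n".join([
        "dn: cn=config",
        "changetype: modify",
        "replace: nsslapd-allow-anonymous-access",
        f"nsslapd-allow-anonymous-access: {WANT_ANON}",
        "-",
        "replace: nsslapd-minssf",
        f"nsslapd-minssf: {WANT_MINSSF}",
        "",
    ])


# Constructed samples: the master was modified, the replica was not.
REPLICAS = {
    "ipa-master.example.test": """# extended LDIF
dn: cn=config
cn: config
nsslapd-allow-anonymous-access: rootdse
nsslapd-minssf: 56
""",
    "ipa-replica.example.test": """dn: cn=config
cn: config
nsslapd-allow-anonymous-access: on
nsslapd-minssf: 0
""",
}


def audit_all(replicas=REPLICAS):
    """{replica name: findings} for every replica dump."""
    return {name: audit_replica(name, dump) for name, dump in replicas.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else "; ".join(findings))
    print(hardening_ldif())
```

In practice the dump for each replica comes from an authenticated `ldapsearch -s base -b cn=config` against that replica; an anonymous `ldapsearch -x` against a hardened replica should no longer return the entry, which is the test Brian used.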


Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Rob Crittenden
Morgan Marodin wrote:
> Hi Florence.
> 
> Thanks for your support.
> 
> Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all
> permissions and certificates are good:
> /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
> total 184
> -r--r--r--  1 root root1345 Sep  7  2015 cacert.asc
> -rw-rw  1 root apache 65536 Nov 17 11:06 cert8.db
> -rw-r-. 1 root apache 65536 Sep  4  2015 cert8.db.orig
> -rw---. 1 root root4833 Sep  4  2015 install.log
> -rw-rw  1 root apache 16384 Nov 17 11:06 key3.db
> -rw-r-. 1 root apache 16384 Sep  4  2015 key3.db.orig
> lrwxrwxrwx  1 root root  24 Nov 17 10:24 libnssckbi.so ->
> /usr/lib64/libnssckbi.so
> -rw-rw  1 root apache20 Sep  7  2015 pwdfile.txt
> -rw-rw  1 root apache 16384 Sep  7  2015 secmod.db
> -rw-r-. 1 root apache 16384 Sep  4  2015 secmod.db.orig/

Eventually you'll want to remove group write on the *.db files.

> And password validations seems ok, too:
> /[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
> /etc/httpd/alias/pwdfile.txt
good

> Enabling mod-nss debug I can see these logs:
> /[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
> [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232:
> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
>  -> Server-Cert
> [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server
> for SSL protocol
> [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
> nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
> [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
> nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
> [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
> nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
> [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
> nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
> [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
> nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
> [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
> nss_engine_init.c(906): Disabling TLS Session Tickets
> [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
> nss_engine_init.c(916): Enabling DHE key exchange
> [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
> nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
> ciphers
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
> [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname
> Server-Cert.
[snip]
> [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not
> found: 'Server-Cert'

Can you show what this returns:

# grep NSSNickname /etc/httpd/conf.d/nss.conf

> Do you think there is a kerberos problem?

It definitely is not.

You can bring the system up in a minimal way by manually starting the
dir...@example.com service and then krb5kdc. This will at least let your
users authenticate. The management framework (GUI) runs through Apache
so that will be down until we can get Apache started again.

rob

> 
> Please let me know, thanks.
> Bye, Morgan
> 
> 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud:
> 
> On 11/17/2016 12:09 PM, Morgan Marodin wrote:
> 
> Hello.
> 
> This morning I've tried to upgrade my IPA server, but the upgrade
> failed, and now the service doesn't start! :(
> 
> If I try to launch the upgrade manually this is the output:
> [root@mlv-ipa01 download]# ipa-server-upgrade
> 
> Upgrading IPA:
>   [1/8]: saving configuration
>   [2/8]: disabling listeners
>   [3/8]: enabling DS global lock
>   [4/8]: starting directory server
>   [5/8]: updating schema
>   [6/8]: upgrading server
>   [7/8]: stopping directory server
>   [8/8]: restoring configuration
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert 

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-17 Thread Rob Crittenden
Sean Hogan wrote:
> Hi Jakub,
> 
> I ended up re-enrolling the box and it is behaving as expected except I
> am not getting a host cert. Robert indicated auto host cert no longer
> avail with rhel 7 but using the --request -cert option on enroll to get
> a host cert if I wanted one. I did so and get this in the install log
> 
> 
> 2016-11-16T22:00:53Z DEBUG Starting external process
> 2016-11-16T22:00:53Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service'
> 2016-11-16T22:00:53Z DEBUG Process finished, return code=0
> 2016-11-16T22:00:53Z DEBUG stdout=active
> 
> 2016-11-16T22:00:53Z DEBUG stderr=
> 2016-11-16T22:00:53Z ERROR certmonger request for host certificate failed

Did you cut off the reason reported for the request failing?

> Maybe this is an issue with RHEL 7(4.x) client hitting a RHEL 6 (3.x)
> IPA server?

You could look in the server logs for details.

> As for crypto on RHEL 6 IPA I have (if this is what you are looking for).
> However this is a modified version as it took me a while to get this list
> to pass tenable scans by modding the dse files.
> [root@ipa1 ~]# nmap --script ssl-enum-ciphers -p 636 `hostname`

These are the TLS settings for LDAP, not the Kerberos encryption types
supported. You instead want to run:

$ ldapsearch -x -D 'cn=directory manager' -W -s base -b
cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com krbSupportedEncSaltTypes

rob



[Freeipa-users] IPA 4.4 replica installation failing

2016-11-17 Thread Baird, Josh
Hi all,

In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new replica, 
and I seem to be hitting something similar to #5412 [1].

The 'ipa-replica-install' is getting stuck on:

  [4/26]: creating installation admin user

Dirsrv error logs on the new replica:

[17/Nov/2016:08:45:09.342813042 -0600] NSMMReplicationPlugin - agmt="cn=caToimqa-d1-dc01.qa-unix.domain.com" (imqa-d1-dc01:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.

Dirsrv access logs on existing master:

[17/Nov/2016:08:39:59.244698389 -0600] conn=121 op=83 RESULT err=0 tag=101 nentries=0 etime=0
[17/Nov/2016:08:40:00.248620354 -0600] conn=121 op=84 SRCH base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:00.248917257 -0600] conn=121 op=84 RESULT err=0 tag=101 nentries=0 etime=0
[17/Nov/2016:08:40:01.253067200 -0600] conn=121 op=85 SRCH base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:01.253481728 -0600] conn=121 op=85 RESULT err=0 tag=101 nentries=0 etime=0
[17/Nov/2016:08:40:02.257477560 -0600] conn=121 op=86 SRCH base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:02.257813691 -0600] conn=121 op=86 RESULT err=0 tag=101 nentries=0 etime=0
[17/Nov/2016:08:40:03.261805482 -0600] conn=121 op=88 SRCH base="uid=admin-imqa-d2-dc01.qa-unix.follett.com,ou=people,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[17/Nov/2016:08:40:03.262310788 -0600] conn=121 op=88 RESULT err=0 tag=101 nentries=0 etime=0

Dirsrv logs on the existing master:

[17/Nov/2016:08:40:20.644554573 -0600] NSMMReplicationPlugin - conn=120 op=13 replica="o=ipaca": Unable to acquire replica: error: permission denied
[17/Nov/2016:08:41:57.858672215 -0600] NSMMReplicationPlugin - conn=123 op=5 replica="o=ipaca": Unable to acquire replica: error: permission denied
[17/Nov/2016:08:45:09.334188374 -0600] NSMMReplicationPlugin - conn=130 op=5 replica="o=ipaca": Unable to acquire replica: error: permission denied

Has anyone else experienced this issue?

Thanks,

Josh

[1] https://fedorahosted.org/freeipa/ticket/5412




Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi Florence.

Thanks for your support.

Yes, httpd is using /etc/httpd/alias as NSS DB. And it seems that all
permissions and certificates are good:

[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
total 184
-r--r--r--  1 root root    1345 Sep  7  2015 cacert.asc
-rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
-rw-r-----. 1 root apache 65536 Sep  4  2015 cert8.db.orig
-rw-------. 1 root root    4833 Sep  4  2015 install.log
-rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
-rw-r-----. 1 root apache 16384 Sep  4  2015 key3.db.orig
lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
-rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
-rw-r-----. 1 root apache 16384 Sep  4  2015 secmod.db.orig

And password validations seems ok, too:

[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa    NSS Certificate DB:Server-Cert
< 1> rsa    NSS Certificate DB:Signing-Cert
< 2> rsa    NSS Certificate DB:ipaCert

Enabling mod-nss debug I can see these logs:

[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
[Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
[Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server for SSL protocol
[Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660] nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
[Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660] nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
[Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660] nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
[Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660] nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
[Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660] nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
[Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660] nss_engine_init.c(906): Disabling TLS Session Tickets
[Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660] nss_engine_init.c(916): Enabling DHE key exchange
[Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660] nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
[Thu Nov 17 15:05:11.003483 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_null_sha
[Thu Nov 17 15:05:11.003491 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_40_md5
[Thu Nov 17 15:05:11.003509 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_128_md5
[Thu Nov 17 15:05:11.003632 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_128_sha
[Thu Nov 17 15:05:11.003740 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc2_40_md5
[Thu Nov 17 15:05:11.003747 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_des_sha
[Thu Nov 17 15:05:11.003802 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_3des_sha
[Thu Nov 17 15:05:11.003902 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_des_sha
[Thu Nov 17 15:05:11.004001 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: rsa_aes_128_sha
[Thu Nov 17 15:05:11.004167 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: rsa_aes_256_sha
[Thu Nov 17 15:05:11.004180 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: null_sha_256
[Thu Nov 17 15:05:11.004191 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: aes_128_sha_256
[Thu Nov 17 15:05:11.004285 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: aes_256_sha_256
[Thu Nov 17 15:05:11.004352 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: camelia_128_sha
[Thu Nov 17 

Re: [Freeipa-users] sssd failed with 'ldap_sasl_bindfailed(-2)[Localerror]'

2016-11-17 Thread Sumit Bose
On Thu, Nov 10, 2016 at 07:19:09PM +0800, Matrix wrote:
> Hi, Sumit
> 
> I have checked, and did not find anything more:
> 
> error logs from /var/log/dirsrv/slapd-EXAMPLE-NET/access: 
> ...
> [10/Nov/2016:10:46:58 +] conn=816560 fd=189 slot=189 connection from 
> 10.2.3.32 to 10.2.1.250
> [10/Nov/2016:10:46:58 +] conn=816560 op=0 BIND dn="" method=sasl 
> version=3 mech=GSSAPI
> [10/Nov/2016:10:46:58 +] conn=816560 op=0 RESULT err=14 tag=97 nentries=0 
> etime=0, SASL bind in progress
> [10/Nov/2016:10:46:58 +] conn=816560 op=-1 fd=189 closed - B1

Sorry, I still have no idea, maybe running ldapwhoami with '-d -1' might
help to identify which step is failing.

bye,
Sumit

> 
> ...
> 
> Matrix
> 
> 
> -- Original --
> From:  "Sumit Bose";;
> Date:  Thu, Nov 10, 2016 07:13 PM
> To:  "Matrix"; 
> Cc:  "Sumit Bose"; 
> "freeipa-users"; 
> Subject:  Re: [Freeipa-users] sssd failed with 
> 'ldap_sasl_bindfailed(-2)[Localerror]'
> 
> 
> 
> On Thu, Nov 10, 2016 at 06:48:54PM +0800, Matrix wrote:
> > Hi, Sumit
> > 
> > Thanks for your reply
> > 
> > I have tried. still failed
> 
> Do you see any related messages on the LDAP server side?
> 
> bye,
> Sumit
> 
> > 
> > # cat /etc/openldap/ldap.conf  | grep -v ^#
> > 
> > URI ldap://ipaslave.stg.example.net
> > BASE dc=example,dc=net
> > TLS_CACERT /etc/ipa/ca.crt
> > SASL_MECH GSSAPI
> > TLS_REQCERT allow
> > SASL_NOCANON on
> > 
> > 
> > # cat /etc/krb5.conf| grep rdns
> >   rdns = false
> > 
> > Matrix
> > 
> > -- Original --
> > From:  "Sumit Bose";;
> > Date:  Thu, Nov 10, 2016 06:32 PM
> > To:  "freeipa-users"; 
> > 
> > Subject:  Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind 
> > failed(-2)[Localerror]'
> > 
> > 
> > 
> > On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> > > debug steps have been tried: 
> > > 
> > > 1 kinit is workable: 
> > > # /usr/kerberos/bin/kinit -k host/client02.stg.example@example.net
> > > 
> > > # /usr/kerberos/bin/klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: host/client02.stg.example@example.net
> > > 
> > > Valid starting ExpiresService principal
> > > 11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/example@example.net
> > > 
> > > Kerberos 4 ticket cache: /tmp/tkt0
> > > klist: You have no tickets cached
> > > 
> > > 2 ldapwhoami with krb auth failed. 
> > > 
> > > # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> > > SASL/GSSAPI authentication started
> > > ldap_sasl_interactive_bind_s: Local error (-2)
> > > additional info: SASL(-1): generic failure: GSSAPI Error: 
> > > Unspecified GSS failure.  Minor code may provide more information (Mutual 
> > > authentication failed)
> > > 
> > 
> > Have you made sure that canonicalizing is disabled, i.e.
> > /etc/krb5.conf: 
> > [libdefaults]
> >  ...
> >  rdns = false
> >  ...
> > 
> > /etc/openldap/ldap.conf
> > ...
> > SASL_NOCANONon
> > ...
> > 
> > HTH
> > 
> > bye,
> > Sumit
> > 
> > > 
> > > Matrix
> > > 
> > > -- Original --
> > > From:  "Matrix";;
> > > Date:  Thu, Nov 10, 2016 02:11 PM
> > > To:  "freeipa-users"; 
> > > 
> > > Subject:  [Freeipa-users] sssd failed with 'ldap_sasl_bind failed 
> > > (-2)[Localerror]'
> > > 
> > > 
> > > 
> > > Hi, 
> > > 
> > > I have installed sssd in a RHEL5 client. 
> > > 
> > > ipa-client/sssd version:
> > > ipa-client-2.1.3-7.el5
> > > sssd-client-1.5.1-71.el5
> > > sssd-1.5.1-71.el5
> > > 
> > > sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local 
> > > error]'. 
> > > 
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] 
> > > (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] 
> > > (1): ldap_sasl_bind failed (-2)[Local error]
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] 
> > > [child_sig_handler] (7): Waiting for child [7].
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] 
> > > [child_sig_handler] (4): child [7] finished successfully.
> > > 
> > > I have tried to google to find root cause. some link explained it should 
> > > be something wrong with dns. I have double confirmed it. 
> > > 
> > > # nslookup client02.stg.example.net
> > > Server: 10.2.1.21
> > > Address:10.2.1.21#53
> > > 
> > > Name:   client02.stg.example.net
> > > Address: 10.2.3.32
> > > 
> > > 
> > > # nslookup 10.2.3.32
> > > Server: 10.2.1.21
> > > Address:10.2.1.21#53
> > > 
> > > 32.3.2.10.in-addr.arpa  name = client02.stg.example.net.
> > > 
> > > 
> > > # nslookup ipaslave.stg.example.net
> > > Server: 10.2.1.21
> > > Address:10.2.1.21#53
> > > 
> > > Name:   

Re: [Freeipa-users] Client x.x.xx - RFC 1918 response from Internet in /var/log/messages

2016-11-17 Thread Bjarne Blichfeldt
Excellent - thanks.

I was missing some forward statements for a few private segments.

Venlig hilsen

Bjarne Blichfeldt




-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: 16. november 2016 14:36
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Client x.x.xx - RFC 1918 response from Internet in 
/var/log/messages

On 16.11.2016 12:56, Bjarne Blichfeldt wrote:
> Just updated a couple of free-ipa servers to:
> ipa-server-dns-4.4.0-12.el7.noarch
> redhat-release-server-7.3-7.el7.x86_64
> 
> Before the update, I resolved the issue with RFC messages by:
> /etc/named.conf:
> options {
>disable-empty-zone "10.in-addr.arpa.";
> :
> 
> Now after the update the RFS messages has returned. I read in the changelog 
> for 4.4 that this issue was resolved.
> What did I miss?

This sort of misconfiguration is described on

https://deepthought.isc.org/article/AA-00204/0/What-does-RFC-1918-response-from-Internet-for-0.0.0.10.IN-ADDR.ARPA-mean.html


Please follow advices on ISC web to fix this. You are most probably sending 
your queries to the public Internet instead of your internal network.

--
Petr^2 Spacek

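The fix Bjarne and Petr describe is to make sure every private reverse range has a forwarder, so that PTR queries for it never reach the public Internet. The script below, an added example that is not from the thread, FreeIPA or ISC, expands each RFC 1918 prefix into its in-addr.arpa zones (the 172.16.0.0/12 range covers sixteen of them) and reports the ones IPA DNS does not forward yet; it assumes the forward zones are managed with `ipa dnsforwardzone-*` and that `ipa dnsforwardzone-find --raw` prints them as `idnsname:` lines.

```shell
#!/bin/sh
# Lists the RFC 1918 reverse zones that IPA DNS does not forward anywhere.
# PTR queries for those ranges leave for the public Internet and produce
# the "RFC 1918 response from Internet" warning seen in /var/log/messages.
# Constructed example; not from the thread, FreeIPA or ISC.

# Expand an IPv4 prefix of length 8..16 into the in-addr.arpa zone names
# covering it, one per line; 172.16.0.0/12 needs sixteen of them.
reverse_zones() {   # $1 = prefix, e.g. 172.16.0.0/12
    ip=${1%/*}; len=${1#*/}
    o1=${ip%%.*}; rest=${ip#*.}; o2=${rest%%.*}
    if [ "$len" -le 8 ]; then
        echo "$o1.in-addr.arpa."
        return 0
    fi
    count=$(( 1 << (16 - len) ))         # second-octet values in the prefix
    start=$(( o2 & ~(count - 1) ))       # first second-octet value, aligned
    i=0
    while [ "$i" -lt "$count" ]; do
        echo "$(( start + i )).$o1.in-addr.arpa."
        i=$(( i + 1 ))
    done
}

# Read the zone names already forwarded (one per line, with trailing dot,
# as IPA prints them) from stdin and print the RFC 1918 reverse zones
# that are not covered.
missing_zones() {
    have=$(cat)
    for p in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        reverse_zones "$p"
    done | while read -r z; do
        printf '%s\n' "$have" | grep -qxF "$z" || echo "$z"
    done
}

# Live run on an IPA server with a valid ticket:  sh rfc1918_check.sh run
# Assumes forward zones are managed in IPA (ipa dnsforwardzone-*).
if [ "${1:-}" = run ]; then
    ipa dnsforwardzone-find --raw | sed -n 's/^ *idnsname: *//p' | missing_zones
fi
```

Each zone the script prints can then be given an internal forwarder with `ipa dnsforwardzone-add ZONE --forwarder=IP --forward-policy=only`, which is what keeps the query inside the network.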


Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Florence Blanc-Renaud

On 11/17/2016 12:09 PM, Morgan Marodin wrote:

Hello.

This morning I've tried to upgrade my IPA server, but the upgrade
failed, and now the service doesn't start! :(

If I try to launch the upgrade manually this is the output:
[root@mlv-ipa01 download]# ipa-server-upgrade
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [5/8]: updating schema
  [6/8]: upgrading server
  [7/8]: stopping directory server
  [8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start httpd.service'
returned non-zero exit status 1
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information

These are error logs of Apache:
[Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not
found: 'Server-Cert'

The problem seems to be the Server-Cert that could not be found.
But if I try to execute the certutil command manually I can see it:
[root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
IPA.MYDOMAIN.COM IPA CA                                      CT,C,C

Could you help me?
What could I try to do to restart my service?


Hi,

I would first make sure that httpd is using /etc/httpd/alias as NSS DB 
(check the directive NSSCertificateDatabase in /etc/httpd/conf.d/nss.conf).
Then it may be a file permission issue: the NSS DB should belong to 
root:apache (the relevant files are cert8.db, key3.db and secmod.db).
You should also find a pwdfile.txt in the same directory, containing the 
NSS DB password. Check that the password is valid using

certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
(if the command succeeds then the password in pwdfile is OK).

You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by setting 
"LogLevel debug", and check the output in /var/log/httpd/error_log.


HTH,
Flo.

Thanks, Morgan
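
Florence's checklist and Rob's two follow-ups (grep for NSSNickname, and remove group write on the *.db files once things work) fit in one diagnostic script. This is an added example, not code from the thread or from FreeIPA: the directives it reads (NSSCertificateDatabase, NSSPassPhraseDialog, NSSNickname) are mod_nss's, the nss.conf fragment at the bottom is constructed so the parsing can be exercised anywhere, and the live check against /etc/httpd/conf.d/nss.conf only runs when the script is called with `run`.

```shell
#!/bin/sh
# Walks the checks from the thread against the mod_nss database httpd uses:
# which DB nss.conf points at, root:apache ownership, group write (Rob's
# note), the pwdfile password, and whether NSSNickname is actually present.
# Constructed example, not FreeIPA code; the sample nss.conf below is made up.

# Print an Apache directive's value from a config file, skipping comments;
# the last occurrence wins, as in Apache itself.
conf_directive() {   # $1 = directive, $2 = file
    awk -v d="$1" '$1 !~ /^#/ && tolower($1) == tolower(d) { v = $2 } END { print v }' "$2"
}

# Inspect an ls -l mode string such as -rw-rw----; returns 0 when the group
# write bit is set.
has_group_write() {   # $1 = mode string
    case "$1" in ?????w*) return 0 ;; *) return 1 ;; esac
}

# Check one httpd NSS DB the way the thread does. Returns 0 when ownership,
# password and nickname all check out; group write is only reported.
check_nssdb() {   # $1 = path to nss.conf
    db=$(conf_directive NSSCertificateDatabase "$1")
    nick=$(conf_directive NSSNickname "$1")
    pwfile=$(conf_directive NSSPassPhraseDialog "$1" | sed 's/^file://')
    echo "db=$db nickname=$nick pwfile=$pwfile"
    rc=0
    for f in cert8.db key3.db secmod.db; do
        set -- $(ls -l "$db/$f")          # mode links owner group ...
        [ "$3:$4" = root:apache ] || { echo "$f owned by $3:$4, want root:apache"; rc=1; }
        has_group_write "$1" && echo "$f is group-writable; drop it once httpd is up"
    done
    # Same test Florence suggests: -K lists keys only if pwdfile is accepted.
    certutil -K -d "$db" -f "$pwfile" >/dev/null 2>&1 || { echo "pwdfile password rejected"; rc=1; }
    # The nickname httpd was told to use must exist under that exact name.
    certutil -L -d "$db" -n "$nick" >/dev/null 2>&1 || { echo "nickname '$nick' not in $db"; rc=1; }
    return $rc
}

# Constructed nss.conf fragment standing in for /etc/httpd/conf.d/nss.conf.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# NSSCertificateDatabase /etc/httpd/alias-old
NSSCertificateDatabase /etc/httpd/alias
NSSPassPhraseDialog file:/etc/httpd/alias/pwdfile.txt
NSSNickname Server-Cert
EOF

if [ "${1:-}" = run ]; then       # sh check_nssdb.sh run   (on the IPA server)
    check_nssdb /etc/httpd/conf.d/nss.conf
fi
```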






Re: [Freeipa-users] Disabling Anonymous Binds (LDAP)

2016-11-17 Thread Brian Candler

On 16/11/2016 16:46, dan.finkelst...@high5games.com wrote:
I've seen some discussion in the (distant) past about disabling 
anonymous binds to the LDAP component of IPA, and I'm wondering if 
there's a preferred method to do it. Further, are there any known 
problems with disabling anonymous binds when using FreeIPA? The only 
modern documentation I can find is here: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/disabling-anon-binds.html, 
and I'm curious if FreeIPA has a different way.


FWIW, I see the same here. Installed ipa-server under CentOS 7 (which 
gave me freeipa 4.2.0), and found anonymous binds allowed: tested by 
"ldapsearch -x ..."


I was able to disable anonymous bind (and also disable unencrypted 
queries) by changing the cn=config entry:


dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
-
replace: nsslapd-minssf
nsslapd-minssf: 56

I don't think this replicated from master to slave though, and I ended 
up doing it on slaves as well.


If there is an "official" way to disable anon bind on FreeIPA 4.x, I 
would like to know it.


Thanks,

Brian.
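
Since cn=config is not replicated (Rob's answer at the top of this thread), Brian's change has to be verified on every master and replica separately. The script below is an added example, not from the thread or the FreeIPA project: it reads the two attributes from each server with ldapsearch and compares them with the values Brian set; the host names and the Directory Manager password file are placeholders.

```shell
#!/bin/sh
# Audit per-server cn=config hardening. cn=config is not replicated, so each
# IPA master and replica must be queried on its own.
# Constructed example; server names and the password file are placeholders.

# Print the value of one (single-valued) attribute from LDIF on stdin.
ldif_attr() {   # $1 = attribute name
    awk -v a="$1" 'BEGIN { want = tolower(a) ":" }
                   tolower($1) == want { print $2; exit }'
}

# Evaluate one server's cn=config LDIF read from stdin. Returns 0 when
# anonymous access is limited to the root DSE (or off) and the minimum
# security strength factor is at least 56, the values used in the thread.
check_ldif() {
    ldif=$(cat)
    anon=$(printf '%s\n' "$ldif" | ldif_attr nsslapd-allow-anonymous-access)
    minssf=$(printf '%s\n' "$ldif" | ldif_attr nsslapd-minssf)
    rc=0
    case "$anon" in
        rootdse|off) ;;
        *) echo "  nsslapd-allow-anonymous-access=${anon:-unset} (want rootdse)"; rc=1 ;;
    esac
    case "$minssf" in
        ''|*[!0-9]*) echo "  nsslapd-minssf=${minssf:-unset} (want >= 56)"; rc=1 ;;
        *) [ "$minssf" -ge 56 ] || { echo "  nsslapd-minssf=$minssf (want >= 56)"; rc=1; } ;;
    esac
    [ "$rc" -eq 0 ] && echo "  ok"
    return $rc
}

# Query each server over LDAPS as Directory Manager (plain ldap:// binds are
# refused once nsslapd-minssf is raised) and run the check on the result.
audit_servers() {   # $1 = file holding the Directory Manager password, rest = hosts
    pwfile=$1; shift
    fail=0
    for srv in "$@"; do
        echo "== $srv"
        ldapsearch -LLL -x -H "ldaps://$srv" -D 'cn=directory manager' -y "$pwfile" \
            -s base -b cn=config nsslapd-allow-anonymous-access nsslapd-minssf \
            | check_ldif || fail=1
    done
    return $fail
}

# Live run:  sh audit_anon.sh run /root/dm.pw ipa1.example.com ipa2.example.com
if [ "${1:-}" = run ]; then
    shift
    audit_servers "$@"
fi
```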

[Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hello.

This morning I've tried to upgrade my IPA server, but the upgrade failed,
and now the service doesn't start! :(

If I try to launch the upgrade manually this is the output:

[root@mlv-ipa01 download]# ipa-server-upgrade
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [5/8]: updating schema
  [6/8]: upgrading server
  [7/8]: stopping directory server
  [8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start httpd.service' returned non-zero exit status 1
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

These are error logs of Apache:

[Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not found: 'Server-Cert'

The problem seems to be the Server-Cert that could not be found.
But if I try to execute the certutil command manually I can see it:

[root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
IPA.MYDOMAIN.COM IPA CA                                      CT,C,C

Could you help me?
What could I try to do to restart my service?

Thanks, Morgan