Re: [Freeipa-users] Replica Creation Issue

2016-12-15 Thread Petr Vobornik
On 12/14/2016 03:27 PM, Christian McNamara wrote:
> Hi all,
> 
> I recently inherited a FreeIPA system that I believe is running v3.0, and I'm 
> trying to upgrade to the latest version. Following documentation, I'm trying 
> to 
> create a replica but I'm running into problems connecting to the LDAP server. 
> Here's the output I get when trying to prepare a replica:
> 
> $ sudo ipa-replica-prepare auth4.sshchicago.org
>  --ip-address 172.31.31.36
> Directory Manager (existing master) password:
> 
> Preparing replica for auth4.sshchicago.org 
> from auth3.sshchicago.org 
> preparation of replica failed: cannot connect to u'ldaps://auth3.sshchicago.org:7390': LDAP Server Down
> cannot connect to u'ldaps://auth3.sshchicago.org:7390': LDAP Server Down
>   File "/usr/sbin/ipa-replica-prepare", line 529, in
>     main()
>   File "/usr/sbin/ipa-replica-prepare", line 391, in main
>     update_pki_admin_password(dirman_password)
>   File "/usr/sbin/ipa-replica-prepare", line 247, in update_pki_admin_password
>     bind_pw=dirman_password
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>     conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
>     self.handle_errors(e)
>   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
>     error=u'LDAP Server Down')
> 
> 
> It says that our LDAP server is down, but it's trying to connect using the 
> wrong 
> port number. Our LDAP server runs on 389, not 7390, and I can't figure out 
> how 
> to specify this to the prepare script.
> 
> Any ideas?
> 

IPA 3.0 has 2 instances of directory server: one for domain data, the second
for PKI CA data. IPA 4.x instances have them merged.

So port 7390 is the ldaps port of the PKI-IPA DS instance, i.e. the equivalent
of port 636 of the domain DS instance. A similar mapping exists between ports
7389 and 389.

Therefore I'd check if PKI-IPA is running or if it is listening there.

Relevant logs are in:
  /var/log/dirsrv/slapd-PKI-IPA/errors

Example of `ipactl restart`:

Shutting down dirsrv:
DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...  [  OK  ]
PKI-IPA... [  OK  ]
Starting dirsrv:
DOM-189-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM...  [  OK  ]
PKI-IPA... [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:   [  OK  ]
Starting Kerberos 5 KDC:   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:  [  OK  ]
Starting Kerberos 5 Admin Server:  [  OK  ]
Restarting DNS Service
Stopping named: .  [  OK  ]
Starting named:[  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:[  OK  ]
Starting ipa_memcached:[  OK  ]
Restarting HTTP Service
Stopping httpd:[  OK  ]
Starting httpd:[  OK  ]
Restarting CA Service  [  OK  ]
Starting pki-ca:   [  OK  ]

-- 
Petr Vobornik
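The port mapping Petr describes, turned into a remote check. This is an added example, not code from the thread or from FreeIPA: it probes the 389/636 pair of the domain instance and the 7389/7390 pair of the PKI-IPA instance and says which instance's errors log to read next. The default host name is the one from Christian's traceback; the timeouts, the `loopback_listener` self-check helper and the wording of the advice are the example's own assumptions. On the master itself `ipactl status` is the simpler first check; this is for confirming the same thing from the would-be replica.

```python
"""Probe the two 389-ds instances of an IPA 3.x master (added example)."""
import socket

# IPA 3.x runs two directory server instances; the PKI-IPA one uses the
# 7389/7390 pair the way the domain instance uses 389/636.
DS_INSTANCES = {
    "domain DS": {"ldap": 389, "ldaps": 636,
                  "log": "/var/log/dirsrv/slapd-<REALM>/errors"},
    "PKI-IPA DS": {"ldap": 7389, "ldaps": 7390,
                   "log": "/var/log/dirsrv/slapd-PKI-IPA/errors"},
}


def port_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_instances(host, instances=DS_INSTANCES, timeout=2.0):
    """Return {instance: {"ldap": bool, "ldaps": bool}} for every instance in the table."""
    report = {}
    for name, spec in instances.items():
        report[name] = {
            "ldap": port_open(host, spec["ldap"], timeout),
            "ldaps": port_open(host, spec["ldaps"], timeout),
        }
    return report


def advise(report, instances=DS_INSTANCES):
    """Map the probe result to the next thing to look at (wording is the example's own)."""
    lines = []
    for name, state in report.items():
        log = instances.get(name, {}).get("log", "the instance's errors log")
        if not state["ldap"] and not state["ldaps"]:
            lines.append(f"{name}: nothing listening; run `ipactl status` and read {log}")
        elif not state["ldaps"]:
            lines.append(f"{name}: plain LDAP answers but ldaps does not; "
                         f"check the instance's TLS/NSS setup in {log}")
        else:
            lines.append(f"{name}: ldap and ldaps both listening")
    return lines


def loopback_listener():
    """Open a listener on an ephemeral loopback port; used only by the self-check."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "auth3.sshchicago.org"
    for line in advise(check_instances(host)):
        print(line)
```

A closed 7390 with an open 7389 points at the TLS setup of the PKI-IPA instance rather than at the instance being down, which is why the two ports are reported separately.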

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] ipa fails to start after centos 7.3 upgrade

2016-12-15 Thread Petr Vobornik
On 12/12/2016 08:53 PM, Rob Verduijn wrote:
> Hello,
> 
> I've recently upgraded to centos 7.3.
> Didn't intend to so soon but should have checked the announce lists before 
> launching my ansible update playbook.
> 
> Most of my servers came through, and mostly also the ipa server.
> There were duplicate rpms and a failed rpm upgrade.
> After some yum magic the rpm duplicates were gone and all the updates 
> installed.
> 
> Manually running ipa-server-upgrade also seems to finish properly.
> 
> However
> ipactl start keeps failing on the ntpd service.
> Not a big surprise since its running chronyd.
> 
> I now start the ipa server with 'ipactl start --ignore-service-failure'
> 
> Is there a way to explain the script that it should check for chronyd instead 
> of 
> ntpd ?
> 
> I also see this a lot in the logs:
> dns_rdatatype_fromtext() failed for attribute 
> 'idnsTemplateAttribute;cnamerecord': unknown class/type
> 
> Is that a serious error ?
> 
> Rob Verduijn
> 

This looks like 7.3 update incorrectly added NTP service to IPA server
services (which is displayed as NTP role in `ipa server-show $server`).

A workaround might be to disable the service or remove the service
entry. Disabling is IMHO safer.  IPA CLI tools don't allow
enabling/disabling of services so it must be done by LDAP mod.

It can be done by removing  'enabledService' config value from server's
service entry, e.g.:

dn: cn=NTP,cn=$SERVER_FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
changetype: modify
delete: ipaConfigString
ipaConfigString: enabledService
-

Where $SERVER_FQDN is e.g. ipa.example.com and $SUFFIX is e.g.
dc=example,dc=com


Rob, have you originally installed the replica with NTPD and then later
switched manually to chrony?

-- 
Petr Vobornik
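The LDAP modification Petr posted, wrapped in a read-modify-verify step. This is an added example and not FreeIPA's own tooling: it fills in $SERVER_FQDN and $SUFFIX, checks whether `enabledService` is actually set on the entry before touching it, applies the change with ldapmodify, and re-reads the entry afterwards. It assumes it runs as root on the master, where SASL EXTERNAL over the LDAPI socket (the `/var/run/slapd-<REALM>.socket` path that appears later in this digest) is mapped to Directory Manager, and that the realm is the upper-cased domain; both are assumptions of the example.

```python
"""Disable the NTP service entry of an IPA master over LDAPI (added example)."""
import subprocess


def suffix_from_domain(domain):
    """example.com -> dc=example,dc=com (the suffix FreeIPA derives from the domain)."""
    return ",".join("dc=" + label for label in domain.lower().split("."))


def ldapi_url(realm):
    """LDAPI socket of the domain instance, e.g. /var/run/slapd-IPA-EXAMPLE-COM.socket."""
    return "ldapi://%2Fvar%2Frun%2Fslapd-" + realm.replace(".", "-") + ".socket"


def service_dn(server_fqdn, suffix, service="NTP"):
    return f"cn={service},cn={server_fqdn},cn=masters,cn=ipa,cn=etc,{suffix}"


def disable_service_ldif(server_fqdn, suffix, service="NTP"):
    """The modify Petr posted, with the placeholders filled in."""
    return (
        f"dn: {service_dn(server_fqdn, suffix, service)}\n"
        "changetype: modify\n"
        "delete: ipaConfigString\n"
        "ipaConfigString: enabledService\n"
        "-\n"
    )


def is_enabled(ldif_entry):
    """Given `ldapsearch -LLL -o ldif-wrap=no` output of the entry: is enabledService set?"""
    values = [
        line.split(":", 1)[1].strip()
        for line in ldif_entry.splitlines()
        if line.lower().startswith("ipaconfigstring:")
    ]
    return "enabledService" in values


def run_ldap_tool(cmd, ldif=None):
    # As root, SASL EXTERNAL over the LDAPI socket is mapped to Directory Manager
    # (assumption of this example), so no password is needed; must run on the master.
    return subprocess.run(cmd, input=ldif, text=True, capture_output=True, check=True).stdout


def disable_service(server_fqdn, domain, service="NTP"):
    """Read, modify, re-read. Returns True when the service ends up disabled."""
    realm = domain.upper()                      # assumption: realm == upper-cased domain
    url = ldapi_url(realm)
    suffix = suffix_from_domain(domain)
    dn = service_dn(server_fqdn, suffix, service)
    search = ["ldapsearch", "-Y", "EXTERNAL", "-H", url, "-LLL", "-o", "ldif-wrap=no",
              "-s", "base", "-b", dn, "ipaConfigString"]
    if not is_enabled(run_ldap_tool(search)):
        return True                             # already disabled, nothing to do
    run_ldap_tool(["ldapmodify", "-Y", "EXTERNAL", "-H", url],
                  ldif=disable_service_ldif(server_fqdn, suffix, service))
    return not is_enabled(run_ldap_tool(search))


if __name__ == "__main__":
    import sys
    print(disable_service(sys.argv[1], sys.argv[2]))   # e.g. ipa.example.com example.com
```

The entry is read back rather than trusting ldapmodify's exit status, because a `delete` of a value that was not present fails with noSuchAttribute anyway; checking first keeps the script idempotent across replicas.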



[Freeipa-users] Kerberos and 2fa with mac OS X client

2016-12-15 Thread Mark Steele
Hi,

Has anyone managed to make this work and if so, is there some documentation for 
doing so?

I can successfully authenticate to my linux servers using 2FA, but am unable to 
get my Mac to be able to get a ticket with kinit.

Kinit returns: “password incorrect”, and isn’t prompting for the second factor. 
I’ve also tried appending the second factor to the password (like when logging 
into the UI).

Any help would be appreciated.


Thanks

Mark



Re: [Freeipa-users] Kerberos and 2fa with mac OS X client

2016-12-15 Thread Sumit Bose
On Thu, Dec 15, 2016 at 03:38:14PM +, Mark Steele wrote:
> Hi,
> 
> Has anyone managed to make this work and if so, is there some documentation 
> for doing so?
> 
> I can successfully authenticate to my linux servers using 2FA, but am unable 
> to get my Mac to be able to get a ticket with kinit.
> 
> Kinit returns: “password incorrect”, and isn’t prompting for the second 
> factor. I’ve also tried appending the second factor to the password (like 
> when logging into the UI).
> 
> Any help would be appreciated.

For 2FA FAST is needed http://www.freeipa.org/page/V4/OTP#kinit_Method.
For MacOS I found
https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/kinit.1.html
and according to this the MacOS kinit does not support FAST, i.e. using
an armor credential cache. But maybe there are newer or alternative
versions which support it?

HTH

bye,
Sumit
> 
> 
> Thanks
> 
> Mark
> 
> 


Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

2016-12-15 Thread Florence Blanc-Renaud

On 12/14/2016 07:49 PM, beeth beeth wrote:

Hi Flo,

Thanks for the great hint! I reran the ipa-client-install on the rhel6
box(ipadev6), and monitored the access log file you mentioned on the
replica:

# ipa-client-install --domain=ipa.example.com 
--server=ipaprd2.example.com 
 --hostname=ipadev6.example.com  -d

( ipaprd2 = primary IPA server on RHEL7; ipadev6 = replica on RHEL6 )

AFTER about 3 seconds, I saw these on the replica ipaprd2:
[14/Dec/2016:13:11:41.071421132 -0500] conn=1040 fd=73 slot=73
connection from  to 
[14/Dec/2016:13:11:41.071880026 -0500] conn=1040 op=0 EXT
oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:41.071964217 -0500] conn=1040 op=0 RESULT err=2
tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:41.073275674 -0500] conn=1040 op=1 UNBIND
[14/Dec/2016:13:11:41.073307101 -0500] conn=1040 op=1 fd=73 closed - U1
[14/Dec/2016:13:11:41.074782496 -0500] conn=1041 fd=73 slot=73
connection from  to 
[14/Dec/2016:13:11:41.074985233 -0500] conn=1041 op=0 EXT
oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:41.075022849 -0500] conn=1041 op=0 RESULT err=2
tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:41.075448887 -0500] conn=1041 op=1 UNBIND
[14/Dec/2016:13:11:41.075460964 -0500] conn=1041 op=1 fd=73 closed - U1
[14/Dec/2016:13:11:49.006146850 -0500] conn=1029 op=8 UNBIND
[14/Dec/2016:13:11:49.006181982 -0500] conn=1029 op=8 fd=66 closed - U1

So I did see the err=2, and oid="1.3.6.1.4.1.1466.20037", I checked the
oid and got:

1.3.6.1.4.1.1466.20037: StartTLS Request (RFC 4511)

It looked to be related with TLS... please advise. Thanks!



Hi,

when the replica got installed, the installer must have configured the 
directory server for SSL and start TLS. I tend to suspect an expired 
certificate issue rather than a misconfiguration. Could you please check 
that dirsrv certificate is still valid?


$ certutil -L -d /etc/dirsrv/slapd-DOMAIN-COM/ -n Server-Cert |grep Not
Not Before: Wed Dec 14 16:56:02 2016
Not After : Sat Dec 15 16:56:02 2018

If the certificate is still valid, you may want to read 389-ds How-To to 
make sure that SSL is properly setup:

http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html#deploy-the-settings

Flo.



On Wed, Dec 14, 2016 at 7:57 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:

On 12/14/2016 01:08 PM, beeth beeth wrote:

Thanks David. I installed both the master and replica IPA servers with
third-party certificates(Verisign), but I doubt that could be the issue,
because I had no problem to run the same ipa-client-install command on a
RHEL7 machine(of course, the --hostname used a different hostname of the
server). And I had no problem to run the ipa-client-install command with
--server= on such RHEL6 machine. So what could cause the LDAP
communication failed during the client enrollment with the replica? Is
there a way I can troubleshoot this by running some commands? So far I
did telnet to check the open ports, as well as run the ldapsearch
towards the replica. Thanks again!


On Tue, Dec 13, 2016 at 8:46 AM, David Kupka <dku...@redhat.com> wrote:

On 13/12/16 05:44, beeth beeth wrote:

I have two IPA servers ipaprd1.example.com and ipaprd2.example.com, running
ipa 4.4 on RHEL7. When I tried to install/configure the client on a RHEL6
system(called ipadev6), I had issue when I tried to enroll it with the
replica(ipaprd2), while no issue with the primary(ipaprd1):

# ipa-client-install --domain=ipa.example.com --server=ipaprd1.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com
LDAP Error: Protocol error: unsupported extended operation
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always
access the discovered server for all operations and will not fail over to
other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]
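The check Florence asks for, done from the client side instead of through ipa-client-install. This is an added example, not code from the thread, from FreeIPA or from 389-ds: it sends the same StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) that shows up as `op=0 EXT` in the access log, decodes the ExtendedResponse, and reports the result code instead of aborting, so an `err=2` (protocolError, "unsupported extended operation") is visible as data. If the server accepts, it finishes the TLS handshake with certificate verification and returns the server certificate's notAfter; a parser for the `certutil -L` output Florence quotes is included for the server-side view. The hand-rolled BER encoder, the `encode_extended_response` helper (the server's side of the exchange, used for the self-check), the default host name and the `cafile` argument are the example's own assumptions.

```python
"""Reproduce the client's StartTLS check against a 389-ds instance (added example)."""
import socket
import ssl
from datetime import datetime

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS, the OID in the access log
PROTOCOL_ERROR = 2                          # LDAP resultCode logged as err=2


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf, pos=0):
    """Decode one BER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(msgid=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + ext_req)


def encode_extended_response(code, diag=b"", msgid=1):
    """What a server answers: ExtendedResponse [APPLICATION 24] { resultCode, matchedDN, diag }."""
    op = _tlv(0x78, _tlv(0x0A, bytes([code])) + _tlv(0x04, b"") + _tlv(0x04, diag))
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + op)


def parse_extended_response(data):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, msg, _ = _read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg)                 # messageID, not needed here
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse, tag 0x%02x" % tag)
    _, code, pos = _read_tlv(op)               # ENUMERATED resultCode
    _, _, pos = _read_tlv(op, pos)             # matchedDN
    _, diag, _ = _read_tlv(op, pos)            # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def probe_starttls(host, port=389, cafile=None, timeout=5.0):
    """Send StartTLS; if accepted, finish the handshake and return the cert's notAfter.

    cafile: CA to trust, e.g. /etc/ipa/ca.crt for an IPA-issued cert, or None for the
    system store (the servers in this thread use a third-party certificate).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))  # one short PDU; one recv suffices
        if code != 0:
            return {"result": code, "diag": diag, "tls": False}
        ctx = ssl.create_default_context(cafile=cafile)         # verifies chain and host name
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"result": code, "diag": diag, "tls": True,
                    "notAfter": tls.getpeercert()["notAfter"]}


def parse_certutil_validity(text):
    """Pull Not Before/Not After out of `certutil -L -d <dbdir> -n Server-Cert` output."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        for key in ("Not Before", "Not After"):
            if line.startswith(key):
                out[key] = datetime.strptime(line.split(":", 1)[1].strip(),
                                             "%a %b %d %H:%M:%S %Y")
    return out


def days_left(validity, now):
    return (validity["Not After"] - now).days


if __name__ == "__main__":
    import sys
    print(probe_starttls(sys.argv[1] if len(sys.argv) > 1 else "ipaprd2.example.com"))
```

Run it once from the RHEL6 client and once from the RHEL7 client against the replica: if both get result 0 and a valid notAfter, the difference is in the client's TLS library or CA bundle, not in the replica; if the replica answers 2 to both, the replica's directory server is not offering StartTLS at all.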

  

Re: [Freeipa-users] Kerberos and 2fa with mac OS X client

2016-12-15 Thread Alexander Bokovoy

On Thu, 15 Dec 2016, Sumit Bose wrote:

On Thu, Dec 15, 2016 at 03:38:14PM +, Mark Steele wrote:

Hi,

Has anyone managed to make this work and if so, is there some documentation for 
doing so?

I can successfully authenticate to my linux servers using 2FA, but am
unable to get my Mac to be able to get a ticket with kinit.

Kinit returns: “password incorrect”, and isn’t prompting for the
second factor. I’ve also tried appending the second factor to the
password (like when logging into the UI).

Any help would be appreciated.


For 2FA FAST is needed http://www.freeipa.org/page/V4/OTP#kinit_Method.
For MacOS I found
https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/kinit.1.html
and according to this the MacOS kinit does not support FAST, i.e. using
an armor credential cache. But maybe there are newer or alternative
versions which support it?

Starting with Mac OS X 10.8, Heimdal does support FAST.

kinit --fast-armor-cache /path/to/ccache

In Mac OS X numbering scheme for Heimdal this is version 247.6 or later.

--
/ Alexander Bokovoy


Re: [Freeipa-users] Kerberos and 2fa with mac OS X client

2016-12-15 Thread Mark Steele
Still no luck.


klist
Credentials cache: API:4FE16A36-A5AB-476F-8B49-4B427E816279
Principal: ad...@int.domain.com

  Issued                Expires               Principal
Dec 15 13:45:09 2016  Dec 16 13:45:07 2016  krbtgt/int.domain@int.domain.com


KRB5_TRACE=/dev/stdout kinit --fast-armor-cache=API:4FE16A36-A5AB-476F-8B49-4B427E816279 mark.ste...@int.domain.com
2016-12-15T13:35:35 set-error: -1765328242: Reached end of credential caches
2016-12-15T13:35:35 set-error: -1765328243: Principal 
mark.ste...@int.domain.com not found in any credential cache
mark.ste...@int.domain.com's password: 
2016-12-15T13:35:50 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2016-12-15T13:35:50 Adding PA mech: SRP
2016-12-15T13:35:50 Adding PA mech: ENCRYPTED_CHALLENGE
2016-12-15T13:35:50 Adding PA mech: ENCRYPTED_TIMESTAMP
2016-12-15T13:35:50 krb5_get_init_creds: loop 1
2016-12-15T13:35:50 KDC sent 0 patypes
2016-12-15T13:35:50 Trying to find service kdc for realm INT.DOMAIN.COM flags 0
2016-12-15T13:35:50 configuration file for realm INT.DOMAIN.COM found
2016-12-15T13:35:50 submissing new requests to new host
2016-12-15T13:35:50 connecting to host: udp 10.44.4.50:kerberos 
(ds01.int.domain.com) tid: 0001
2016-12-15T13:35:50 writing packet: udp 10.44.4.50:kerberos 
(ds01.int.domain.com) tid: 0001
2016-12-15T13:35:51 Configuration exists for realm INT.DOMAIN.COM, wont go to 
DNS
2016-12-15T13:35:51 out of hosts, waiting for replies
2016-12-15T13:36:01 retrying sending to: udp 10.44.4.50:kerberos 
(ds01.int.domain.com) tid: 0001
2016-12-15T13:36:01 writing packet: udp 10.44.4.50:kerberos 
(ds01.int.domain.com) tid: 0001
2016-12-15T13:36:12 retrying sending to: udp 10.44.4.50:kerberos 
(ds01.int.domain.com) tid: 0001
2016-12-15T13:36:12 writing packet: udp 10.44.4.50:kerberos 
(ds01.int.domain.com) tid: 0001
2016-12-15T13:36:23 host timed out: udp 10.44.4.50:kerberos 
(ds01.int.domain.com) tid: 0001
2016-12-15T13:36:23 no more hosts to send/recv packets to/from trying to 
pulling more hosts
2016-12-15T13:36:23 set-error: -1765328228: unable to reach any KDC in realm 
INT.DOMAIN.COM, tried 1 KDC
2016-12-15T13:36:23 krb5_sendto_context INT.DOMAIN.COM done: -1765328228 hosts 
1 packets 3 wc: 33.115489 nr: 0.000804 kh: 0.000915 tid: 0001
kinit: krb5_get_init_creds: unable to reach any KDC in realm INT.DOMAIN.COM, 
tried 1 KDC


mac client config (OS 10.11.1):

cat /etc/krb5.conf 
[libdefaults]
default_realm = INT.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
renewable = true


[realms]
 INT.DOMAIN.COM = {
  kdc = ds01.int.domain.com:88
  master_kdc = ds01.int.domain.com:88
  admin_server = ds01.int.domain.com:749
  default_domain = int.domain.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .int.domain.com = INT.DOMAIN.COM
 int.domain.com = INT.DOMAIN.COM

On the freeipa server’s krb5kdc.log:

krb5kdc: Realm not local to KDC - while dispatching (udp)

When authenticating with a non 2FA user, works fine.

Anyone can hit me with a clue-stick?

Cheers,

Mark



On 2016-12-15, 11:20 AM, "freeipa-users-boun...@redhat.com on behalf of Alexander Bokovoy" wrote:

On Thu, 15 Dec 2016, Sumit Bose wrote:
>On Thu, Dec 15, 2016 at 03:38:14PM +, Mark Steele wrote:
>> Hi,
>>
>> Has anyone managed to make this work and if so, is there some 
documentation for doing so?
>>
>> I can successfully authenticate to my linux servers using 2FA, but am
>> unable to get my Mac to be able to get a ticket with kinit.
>>
>> Kinit returns: “password incorrect”, and isn’t prompting for the
>> second factor. I’ve also tried appending the second factor to the
>> password (like when logging into the UI).
>>
>> Any help would be appreciated.
>
>For 2FA FAST is needed http://www.freeipa.org/page/V4/OTP#kinit_Method.
>For MacOS I found

>https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/kinit.1.html
>and according to this the MacOS kinit does not support FAST, i.e. using
>an armor credential cache. But maybe there are newer or alternative
>versions which support it?
Starting with Mac OS X 10.8, Heimdal does support FAST.

kinit --fast-armor-cache /path/to/ccache

In Mac OS X numbering scheme for Heimdal this is version 247.6 or later.

-- 
/ Alexander Bokovoy


Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

2016-12-15 Thread beeth beeth
Hi Flo,

That's a good point! I checked the dirsrv certificate and confirmed
valid(good until later next year).
Since I had no problem to enroll another new IPA client(RHEL7 box instead
of RHEL6) to such replica server, I thought it might not be a server end
issue. However, when I tried to restart the DIRSRV service on the replica
server, I found these messages in the log
file /var/log/dirsrv/slapd-IPA-EXAMPLE-COM/errors:

[15/Dec/2016:13:38:15.891301246 -0500] 389-Directory/1.3.5.10
B2016.257.1817 starting up
[15/Dec/2016:13:38:15.911777373 -0500] default_mr_indexer_create: warning -
plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[15/Dec/2016:13:38:15.926320306 -0500] WARNING: changelog: entry cache size
2097152 B is less than db size 5488640 B; We recommend to increase the
entry cache size nsslapd-cachememsize.
[15/Dec/2016:13:38:16.132155534 -0500] schema-compat-plugin - scheduled
schema-compat-plugin tree scan in about 5 seconds after the server startup!
[15/Dec/2016:13:38:16.167896279 -0500] NSACLPlugin - The ACL target
cn=dns,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.173317345 -0500] NSACLPlugin - The ACL target
cn=dns,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.178354342 -0500] NSACLPlugin - The ACL target
cn=keys,cn=sec,cn=dns,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.183579322 -0500] NSACLPlugin - The ACL target
cn=dns,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.188786976 -0500] NSACLPlugin - The ACL target
cn=dns,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.193275650 -0500] NSACLPlugin - The ACL target
cn=groups,cn=compat,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.197580407 -0500] NSACLPlugin - The ACL target
cn=computers,cn=compat,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.201863256 -0500] NSACLPlugin - The ACL target
cn=ng,cn=compat,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.206318629 -0500] NSACLPlugin - The ACL target
ou=sudoers,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.211559100 -0500] NSACLPlugin - The ACL target
cn=users,cn=compat,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.216146819 -0500] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.220786596 -0500] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.225594942 -0500] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.229986749 -0500] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.234518367 -0500] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.238763121 -0500] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.243031116 -0500] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.247507984 -0500] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.252327210 -0500] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.259046910 -0500] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.263856581 -0500] NSACLPlugin - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.269301704 -0500] NSACLPlugin - The ACL target
cn=ad,cn=etc,dc=ipa,dc=example,dc=com does not exist
[15/Dec/2016:13:38:16.283511408 -0500] NSACLPlugin - The ACL target
cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com does not
exist
[15/Dec/2016:13:38:16.287853825 -0500] NSACLPlugin - The ACL target
cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com does not
exist
[15/Dec/2016:13:38:16.395872649 -0500] NSACLPlugin - The ACL target
cn=automember rebuild membership,cn=tasks,cn=config does not exist
[15/Dec/2016:13:38:16.405404114 -0500] Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ipa,dc=example,dc=com--no CoS Templates found, which
should be added before the CoS Definition.
[15/Dec/2016:13:38:16.463117873 -0500] set_krb5_creds - Could not get
initial credentials for principal [ldap/ipaprd2.example@ipa.example.com]
in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see
e-text))
[15/Dec/2016:13:38:16.471256279 -0500] schema-compat-plugin -
schema-compat-plugin tree scan will start in about 5 seconds!
[15/Dec/2016:13:38:16.479213976 -0500] slapd started.  Listening on All
Interfaces port 389 for LDAP requests
[15/Dec/2016:13:38:16.483683353 -0500] Listening on
/var/run/slapd-IPA-EXAMPLE-COM.socket for LDAPI requests
[15/Dec/2016:13:38:21.634319974 -0500] schema-compat-plugin - warni

Re: [Freeipa-users] Kerberos and 2fa with mac OS X client

2016-12-15 Thread Alexander Bokovoy

On Thu, 15 Dec 2016, Mark Steele wrote:

Still no luck.


klist
Credentials cache: API:4FE16A36-A5AB-476F-8B49-4B427E816279
Principal: ad...@int.domain.com

  Issued                Expires               Principal
Dec 15 13:45:09 2016  Dec 16 13:45:07 2016  krbtgt/int.domain@int.domain.com


KRB5_TRACE=/dev/stdout kinit --fast-armor-cache=API:4FE16A36-A5AB-476F-8B49-4B427E816279 mark.ste...@int.domain.com
2016-12-15T13:35:35 set-error: -1765328242: Reached end of credential caches
2016-12-15T13:35:35 set-error: -1765328243: Principal 
mark.ste...@int.domain.com not found in any credential cache
mark.ste...@int.domain.com's password:
2016-12-15T13:35:50 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2016-12-15T13:35:50 Adding PA mech: SRP
2016-12-15T13:35:50 Adding PA mech: ENCRYPTED_CHALLENGE
2016-12-15T13:35:50 Adding PA mech: ENCRYPTED_TIMESTAMP
2016-12-15T13:35:50 krb5_get_init_creds: loop 1
2016-12-15T13:35:50 KDC sent 0 patypes
2016-12-15T13:35:50 Trying to find service kdc for realm INT.DOMAIN.COM flags 0
2016-12-15T13:35:50 configuration file for realm INT.DOMAIN.COM found
2016-12-15T13:35:50 submissing new requests to new host
2016-12-15T13:35:50 connecting to host: udp 10.44.4.50:kerberos 
(ds01.int.domain.com) tid: 0001
2016-12-15T13:35:50 writing packet: udp 10.44.4.50:kerberos 
(ds01.int.domain.com) tid: 0001
2016-12-15T13:35:51 Configuration exists for realm INT.DOMAIN.COM, wont go to 
DNS
2016-12-15T13:35:51 out of hosts, waiting for replies
2016-12-15T13:36:01 retrying sending to: udp 10.44.4.50:kerberos 
(ds01.int.domain.com) tid: 0001
2016-12-15T13:36:01 writing packet: udp 10.44.4.50:kerberos 
(ds01.int.domain.com) tid: 0001
2016-12-15T13:36:12 retrying sending to: udp 10.44.4.50:kerberos 
(ds01.int.domain.com) tid: 0001
2016-12-15T13:36:12 writing packet: udp 10.44.4.50:kerberos 
(ds01.int.domain.com) tid: 0001
2016-12-15T13:36:23 host timed out: udp 10.44.4.50:kerberos 
(ds01.int.domain.com) tid: 0001
2016-12-15T13:36:23 no more hosts to send/recv packets to/from trying to 
pulling more hosts
2016-12-15T13:36:23 set-error: -1765328228: unable to reach any KDC in realm 
INT.DOMAIN.COM, tried 1 KDC
2016-12-15T13:36:23 krb5_sendto_context INT.DOMAIN.COM done: -1765328228 hosts 
1 packets 3 wc: 33.115489 nr: 0.000804 kh: 0.000915 tid: 0001
kinit: krb5_get_init_creds: unable to reach any KDC in realm INT.DOMAIN.COM, 
tried 1 KDC
mac client config (OS 10.11.1):

cat /etc/krb5.conf
[libdefaults]
   default_realm = INT.DOMAIN.COM
   dns_lookup_realm = true
   dns_lookup_kdc = true
   ticket_lifetime = 24h
   forwardable = yes
   renewable = true


[realms]
INT.DOMAIN.COM = {
 kdc = ds01.int.domain.com:88
 master_kdc = ds01.int.domain.com:88
 admin_server = ds01.int.domain.com:749
 default_domain = int.domain.com
 pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.int.domain.com = INT.DOMAIN.COM
int.domain.com = INT.DOMAIN.COM

On the freeipa server’s krb5kdc.log:

krb5kdc: Realm not local to KDC - while dispatching (udp)

When authenticating with a non 2FA user, works fine.

Anyone can hit me with a clue-stick?

This does not look related to the FAST processing, but what does the
ipa-otpd log look like (journalctl-wise)?


--
/ Alexander Bokovoy


Re: [Freeipa-users] Kerberos realm for different domain

2016-12-15 Thread Brian Candler
On Sun, Dec 11, 2016 at 11:31 PM, David Kupka wrote:

yes you can do it. DNS domain and Kerberos realm are two different
things. It's common and AFAIK recommended to capitalize DNS domain
to get the realm but it's not required.
If you really want to have them different make sure:
a) anotherdomain.com is under your control,
b) you don't already have other Kerberos instance (FreeIPA, MIT
KRB5, MS AD, ...) with ANOTHERDOMAIN.COM realm deployed.

With FreeIPA you can run
# ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM

But before you do, why do you want to have the realm different
from the domain?




Question: what "domain" does the --domain option to ipa-server-install 
actually refer to?


The man page just says " Your DNS domain name". But what does it 
actually alter?


1. the DNS domain which holds the kerberos realm location information? I 
don't think so; I think if you are searching for realm FOO.COM you'll 
always look in the DNS under "foo.com", that's a fixed relationship.


2. the DNS name of the IPA server itself? But if set up correctly, it 
already has an FQDN (as reported by "hostname -f"). And if you give the 
"--hostname" option, that's a FQDN not a bare hostname.


3. the DNS zone which IPA is authoritative for? But you can run IPA 
without integrated DNS.


4. the LDAP base DN? I guess that could be it: e.g. "--domain foo.com" 
puts everything under tree "dc=foo,dc=com"?


5. something else?

Thanks,

Brian.

Re: [Freeipa-users] Kerberos and 2fa with mac OS X client

2016-12-15 Thread Sumit Bose
On Thu, Dec 15, 2016 at 06:50:53PM +, Mark Steele wrote:
> Still no luck.
> 
> 
> klist
> Credentials cache: API:4FE16A36-A5AB-476F-8B49-4B427E816279
> Principal: ad...@int.domain.com
> 
>   IssuedExpires   Principal
> Dec 15 13:45:09 2016  Dec 16 13:45:07 2016  
> krbtgt/int.domain@int.domain.com
> 
> 
> KRB5_TRACE=/dev/stdout kinit 
> --fast-armor-cache=API:4FE16A36-A5AB-476F-8B49-4B427E816279 
> mark.ste...@int.domain.com
> 2016-12-15T13:35:35 set-error: -1765328242: Reached end of credential caches
> 2016-12-15T13:35:35 set-error: -1765328243: Principal 
> mark.ste...@int.domain.com not found in any credential cache
> mark.ste...@int.domain.com's password: 
> 2016-12-15T13:35:50 set-error: -1765328234: Encryption type 
> des-cbc-md5-deprecated not supported
> 2016-12-15T13:35:50 Adding PA mech: SRP
> 2016-12-15T13:35:50 Adding PA mech: ENCRYPTED_CHALLENGE
> 2016-12-15T13:35:50 Adding PA mech: ENCRYPTED_TIMESTAMP
> 2016-12-15T13:35:50 krb5_get_init_creds: loop 1
> 2016-12-15T13:35:50 KDC sent 0 patypes
> 2016-12-15T13:35:50 Trying to find service kdc for realm INT.DOMAIN.COM flags 0
> 2016-12-15T13:35:50 configuration file for realm INT.DOMAIN.COM found
> 2016-12-15T13:35:50 submissing new requests to new host
> 2016-12-15T13:35:50 connecting to host: udp 10.44.4.50:kerberos 
> (ds01.int.domain.com) tid: 0001
> 2016-12-15T13:35:50 writing packet: udp 10.44.4.50:kerberos 
> (ds01.int.domain.com) tid: 0001
> 2016-12-15T13:35:51 Configuration exists for realm INT.DOMAIN.COM, wont go to 
> DNS
> 2016-12-15T13:35:51 out of hosts, waiting for replies
> 2016-12-15T13:36:01 retrying sending to: udp 10.44.4.50:kerberos 
> (ds01.int.domain.com) tid: 0001
> 2016-12-15T13:36:01 writing packet: udp 10.44.4.50:kerberos 
> (ds01.int.domain.com) tid: 0001
> 2016-12-15T13:36:12 retrying sending to: udp 10.44.4.50:kerberos 
> (ds01.int.domain.com) tid: 0001
> 2016-12-15T13:36:12 writing packet: udp 10.44.4.50:kerberos 
> (ds01.int.domain.com) tid: 0001
> 2016-12-15T13:36:23 host timed out: udp 10.44.4.50:kerberos 
> (ds01.int.domain.com) tid: 0001

Your client does not fall back to TCP. It is at least recommended to use
TCP with OTP (see https://fedorahosted.org/freeipa/ticket/4725). IIRC
with Heimdal you can use

   kdc = tcp/ds01.int.domain.com:88

to force the client to use TCP.

HTH

bye,
Sumit
  
> 2016-12-15T13:36:23 no more hosts to send/recv packets to/from trying to 
> pulling more hosts
> 2016-12-15T13:36:23 set-error: -1765328228: unable to reach any KDC in realm 
> INT.DOMAIN.COM, tried 1 KDC
> 2016-12-15T13:36:23 krb5_sendto_context INT.DOMAIN.COM done: -1765328228 
> hosts 1 packets 3 wc: 33.115489 nr: 0.000804 kh: 0.000915 tid: 0001
> kinit: krb5_get_init_creds: unable to reach any KDC in realm INT.DOMAIN.COM, 
> tried 1 KDC
> 
> 
> mac client config (OS 10.11.1):
> 
> cat /etc/krb5.conf 
> [libdefaults]
> default_realm = INT.DOMAIN.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
> renewable = true
> 
> 
> [realms]
>  INT.DOMAIN.COM = {
>   kdc = ds01.int.domain.com:88
>   master_kdc = ds01.int.domain.com:88
>   admin_server = ds01.int.domain.com:749
>   default_domain = int.domain.com
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
> 
> [domain_realm]
>  .int.domain.com = INT.DOMAIN.COM
>  int.domain.com = INT.DOMAIN.COM
> 
> On the freeipa server’s krb5kdc.log:
> 
> krb5kdc: Realm not local to KDC - while dispatching (udp)
> 
> When authenticating with a non 2FA user, works fine.
> 
> Anyone can hit me with a clue-stick?
> 
> Cheers,
> 
> Mark
> 
> 
> 
> On 2016-12-15, 11:20 AM, "freeipa-users-boun...@redhat.com on behalf of 
> Alexander Bokovoy" <aboko...@redhat.com> wrote:
> 
> On Thu, 15 Dec 2016, Sumit Bose wrote:
> >On Thu, Dec 15, 2016 at 03:38:14PM +, Mark Steele wrote:
> >> Hi,
> >>
> >> Has anyone managed to make this work and if so, is there some 
> documentation for doing so?
> >>
> >> I can successfully authenticate to my linux servers using 2FA, but am
> >> unable to get my Mac to be able to get a ticket with kinit.
> >>
> >> Kinit returns: “password incorrect”, and isn’t prompting for the
> >> second factor. I’ve also tried appending the second factor to the
> >> password (like when logging into the UI).
> >>
> >> Any help would be appreciated.
> >
> >For 2FA FAST is needed http://www.freeipa.org/page/V4/OTP#kinit_Method.
> >For MacOS I found
> 
> >https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/kinit.1.html
> >and according to this the MacOS kinit does not support FAST, i.e. using
> >an armor credential cache. But maybe there are newer or alternative
> >versions which support it?
> Starting with Mac OS X 10.8, Heimdal does support FAST.
> 
> kinit --fast-armor-cache /path/to/ccache
> 
> In Mac OS