Re: [Freeipa-users] DM Password Reset in 4.4.0

2017-02-16 Thread Martin Basti

On 15.02.2017 23:11, Jason B. Nance wrote:

Hello All,

I have managed to lose the Directory Manager password for my FreeIPA 4.4.0
instance. I've found the following documentation:

http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html

And:

http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

I'm confused as to whether I need to follow the procedure in the second link
because of the following note on the page:

The following procedure is only applicable to FreeIPA 3.2.1 or older.
Since FreeIPA 3.2.2 (and ticket #3594), the procedure is automated as a part of
preparing a replica info file by using ipa-replica-prepare

The wording of that seems to indicate that it is a copy/paste from a different
doc on how to setup PKI (due to the reference to ipa-replica-prepare).

Could someone shed some light on the proper way to go about resetting the
Directory Manager password in 4.4.0?

Thanks,

j


Hello,

"Following procedure needs to be performed on all FreeIPA replicas with
PKI." and see Prerequisites.

If you have 3.2.1 or older with a CA installed you should use these steps;
otherwise you only need to change the DM password as stated in the Dirsrv
documentation.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-16 Thread Florence Blanc-Renaud

On 02/15/2017 05:40 PM, Matt . wrote:

Hi,

Is there any update on this? I need to install 3 other instances but
I would like to know upfront if it might be a bug.


Hi Matt,

I was not able to reproduce your issue. Here were my steps:

Install FreeIPA with self-signed cert:
ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD

The certificate chain is ca1 -> subca -> server.
Install the root CA:
kinit admin
ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
ipa-certupdate

Install the subca:
ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
ipa-certupdate

Install the server cert:
ipa-server-certinstall -d -w server.pem key.pem

ipa-certupdate basically retrieves the certificates from LDAP (below 
cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias 
but I don't remember it removing certs.


Can you check the content of your LDAP server?
kinit admin
ldapsearch -h `hostname` -p 389 -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN


It should contain one entry for each CA that you added.

Flo.

Thanks,

Matt

2017-02-14 17:59 GMT+01:00 Matt . :

Hi Florence,

Sure I can, here you go:

Fedora 24
Freeipa VERSION: 4.4.2, API_VERSION: 2.215

I installed this server as self-signed CA

Cheers,

Matt




2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud :

On 02/14/2017 05:43 PM, Matt . wrote:


Hi Florence,

Thanks for your update, good to see some good info about it. For
Comodo I have installed all these:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

Where COMODORSADomainValidationSecureServerCA.crt is not needed as
far as I know, but the same issues still exist: the Server-Cert is
removed again on ipa-certupdate and it fails.

I have tried this with setenforce 0


Hi Matt,

Can you provide more info in order to reproduce the issue?
- which OS are you using
- IPA version
- how did you install the ipa server (CA-less, with a self-signed CA, or with an
externally-signed CA?)

Thanks,
Flo.



Cheers,

Matt

2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud :


On 02/14/2017 02:54 PM, Matt . wrote:



Certs are valid, I will check what you mentioned.

I'm also no fan of bundles, more the separate files, but this doesn't
seem to work always. At least for the CA root a bundle was required.


Hi Matt,

If your certificate was provided by an intermediate CA, you need to add
each CA before running ipa-server-certinstall (start from the top-level CA
with ipa-cacert-manage install, then run ipa-certupdate, then the intermediate
CA with ipa-cacert-manage install, then ipa-certupdate, etc.)

There is also a known issue with ipa-certupdate and SELinux in enforcing
mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).

Flo.



Matt

2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
:



Have you validated the cert (and dumped the contents) from the command
line using the openssl tools? I’ve seen the message you are seeing before;
for some reason I seem to remember that it has to do with either a missing
or an extra - at either the -BEGIN CERTIFICATE or -END CERTIFICATE (an error
from copy and pasting and not copying the actual file).

I’ve never used certupdate so if what is described above doesn’t help
somebody else will have to chime in.

Dan


On Feb 14, 2017, at 2:18 AM, Matt .  wrote:

Hi Dan,

Yes, I have tried that and I get the message that it misses the full
chain for the certificate.

My issue is more: why is the Server-Cert being removed on a certupdate?

Cheers,

Matt

2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
:



Is the chain in mydomain_com_bundle.crt?  Have you tried it with the
cert only (disclaimer: I’ve never done this).

Dan


On Feb 13, 2017, at 4:08 PM, Matt .  wrote:

Hi Guys,

I'm trying to install a 3rd party certificate using:

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA

When I run the install command for the certificate itself:

]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
Directory Manager password:
Enter private key unlock password:

list index out of range
The ipa-server-certinstall command failed.


If I do a #ipa-certupdate the Server-Cert is removed from
/etc/httpd/alias and the install fails because of this.

What can I do to solve this?

Thanks,

Matt

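Two checks come up in this thread before any ipa-cacert-manage / ipa-server-certinstall step: Dan's point that a lost or extra dash in a BEGIN/END CERTIFICATE marker (from copy-pasting instead of copying the file) breaks parsing, and Florence's point that a chain must be installed one CA at a time, top-down, so a bundle has to be split. The script below is an added example and is not FreeIPA project code or anything posted in the thread; it validates a PEM bundle, reports malformed markers and bad base64 with line numbers, and splits clean certificates into numbered files. The sample bundle embedded in it is constructed (its body is a tiny DER SEQUENCE, not a real certificate) so that the example runs offline; the file names `chain-N.pem` are an assumption of this example.

```python
"""Check a PEM certificate bundle before feeding it to ipa-cacert-manage /
ipa-server-certinstall.

Added example for this thread; it is not FreeIPA project code. It flags the
copy-paste damage Dan describes (a lost or extra dash in a BEGIN/END marker),
confirms each body is valid base64 that decodes to a DER SEQUENCE, and splits
the bundle into one file per certificate so the chain can be installed
top-down with ipa-cacert-manage install. Python 3, standard library only.
"""
import base64
import binascii
import re
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Deliberately loose: matches markers with the wrong number of dashes too,
# so they can be reported instead of silently treated as body text.
LOOSE_MARKER = re.compile(r"^-+\s*(BEGIN|END) CERTIFICATE\s*-+$")


def _decode_body(lines, begin_line, errors):
    """Base64-decode the lines between the markers; return DER bytes or None."""
    try:
        der = base64.b64decode("".join(lines), validate=True)
    except (binascii.Error, ValueError) as exc:
        errors.append("block at line %d: body is not valid base64 (%s)" % (begin_line, exc))
        return None
    if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE (tag 0x30)
        errors.append("block at line %d: decoded data is not a DER SEQUENCE" % begin_line)
        return None
    return der


def check_bundle(text):
    """Return (certs, errors): clean PEM blocks found, and problems with line numbers."""
    certs, errors = [], []
    in_cert, bad, body, begin_line = False, False, [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = LOOSE_MARKER.match(line)
        if match is None:
            if in_cert:
                body.append(line)
            # Text outside a block (e.g. "subject=" lines from openssl) is ignored.
            continue
        kind = match.group(1)
        expected = BEGIN if kind == "BEGIN" else END
        if line != expected:
            errors.append("line %d: malformed %s marker %r (expected %r)" % (lineno, kind, line, expected))
            bad = True
        if kind == "BEGIN":
            if in_cert:
                errors.append("line %d: BEGIN before the block from line %d was closed" % (lineno, begin_line))
            in_cert, body, begin_line = True, [], lineno
        else:
            if not in_cert:
                errors.append("line %d: END without a matching BEGIN" % lineno)
                continue
            der = _decode_body(body, begin_line, errors)
            if der is not None and not bad:
                certs.append("%s\n%s\n%s\n" % (BEGIN, "\n".join(body), END))
            in_cert, bad = False, False
    if in_cert:
        errors.append("block at line %d was never closed with END" % begin_line)
    return certs, errors


def split_bundle(text, prefix="chain"):
    """Return [(filename, pem), ...] for the clean certificates, in bundle order."""
    certs, _ = check_bundle(text)
    return [("%s-%d.pem" % (prefix, i), pem) for i, pem in enumerate(certs, 1)]


# Constructed sample: the base64 body is a 5-byte DER SEQUENCE, not a real
# certificate, so the example runs offline; real bundles carry ~1 KiB per cert.
FAKE_DER_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
CLEAN_BUNDLE = "".join("%s\n%s\n%s\n" % (BEGIN, FAKE_DER_BODY, END) for _ in range(2))
DAMAGED_BUNDLE = "----BEGIN CERTIFICATE-----\n%s\n%s\n" % (FAKE_DER_BODY, END)  # one dash lost

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else CLEAN_BUNDLE
    certs, errors = check_bundle(source)
    print("%d certificate(s), %d problem(s)" % (len(certs), len(errors)))
    for err in errors:
        print("  " + err)
    if len(sys.argv) > 1:  # only write files when a real bundle was given
        for name, pem in split_bundle(source):
            with open(name, "w") as fh:
                fh.write(pem)
            print("  wrote " + name)
```

Run it as `python3 check_bundle.py mydomain_com_bundle.crt`; if it reports no problems, the numbered files come out in bundle order, which is normally leaf first, so install them in reverse (root, then intermediate) as Florence describes. The check only proves the PEM framing and DER outer structure are intact; whether the certificates actually chain to each other is still a job for `openssl verify`.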

[Freeipa-users] how to resolve replication conflicts

2017-02-16 Thread Tiemen Ruiten
Hello,

I have a FreeIPA setup in which some masters suffered from a few
uncontrolled shutdowns and now there are replication conflicts (which
prevent from setting the Domain Level to 1).

I was trying to follow the instructions here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html

But unfortunately I'm not getting anywhere. This is the result of an
ldapsearch for replication conflicts:


> [root@moscovium ~]# ldapsearch -x -D "cn=directory manager" -W -b
> "dc=ipa,dc=rdmedia,dc=com" "nsds5ReplConflict=*" \* nsds5ReplConflict
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: nsds5ReplConflict=*
> # requesting: * nsds5ReplConflict
> #
> # servers + 334bfc53-cdae11e6-8a85a70a-bda98fae, dns, ipa.rdmedia.com
> dn:
> cn=servers+nsuniqueid=334bfc53-cdae11e6-8a85a70a-bda98fae,cn=dns,dc=ipa,dc
>  =rdmedia,dc=com
> objectClass: nsContainer
> objectClass: top
> cn: servers
> nsds5ReplConflict: namingConflict
> cn=servers,cn=dns,dc=ipa,dc=rdmedia,dc=com
> # System: Add CA + 334bfbe5-cdae11e6-8a85a70a-bda98fae, permissions, pbac,
> ipa.
>  rdmedia.com
> dn: cn=System: Add
> CA+nsuniqueid=334bfbe5-cdae11e6-8a85a70a-bda98fae,cn=permis
>  sions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
> ipaPermTargetFilter: (objectclass=ipaca)
> ipaPermRight: add
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Add CA
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=CA Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
> ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
> nsds5ReplConflict: namingConflict cn=system: add
> ca,cn=permissions,cn=pbac,dc=
>  ipa,dc=rdmedia,dc=com

# System: Delete CA + 334bfbe9-cdae11e6-8a85a70a-bda98fae, permissions,
> pbac, i
>  pa.rdmedia.com
> dn: cn=System: Delete
> CA+nsuniqueid=334bfbe9-cdae11e6-8a85a70a-bda98fae,cn=per
>  missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
> ipaPermTargetFilter: (objectclass=ipaca)
> ipaPermRight: delete
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Delete CA
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=CA Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
> ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
> nsds5ReplConflict: namingConflict cn=system: delete
> ca,cn=permissions,cn=pbac,
>  dc=ipa,dc=rdmedia,dc=com
> # System: Modify CA + 334bfbed-cdae11e6-8a85a70a-bda98fae, permissions,
> pbac, i
>  pa.rdmedia.com
> dn: cn=System: Modify
> CA+nsuniqueid=334bfbed-cdae11e6-8a85a70a-bda98fae,cn=per
>  missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
> ipaPermTargetFilter: (objectclass=ipaca)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify CA
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=CA Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
> nsds5ReplConflict: namingConflict cn=system: modify
> ca,cn=permissions,cn=pbac,
>  dc=ipa,dc=rdmedia,dc=com
> # System: Read CAs + 334bfbf1-cdae11e6-8a85a70a-bda98fae, permissions,
> pbac, ip
>  a.rdmedia.com
> dn: cn=System: Read
> CAs+nsuniqueid=334bfbf1-cdae11e6-8a85a70a-bda98fae,cn=perm
>  issions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
> ipaPermTargetFilter: (objectclass=ipaca)
> ipaPermRight: read
> ipaPermRight: compare
> ipaPermRight: search
> ipaPermBindRuleType: all
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Read CAs
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: ipacaissuerdn
> ipaPermDefaultAttr: objectclass
> ipaPermDefaultAttr: ipacasubjectdn
> ipaPermDefaultAttr: ipacaid
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
> nsds5ReplConflict: namingConflict cn=system: read
> cas,cn=permissions,cn=pbac,d
>  c=ipa,dc=rdmedia,dc=com
> # System: Modify DNS Servers Configuration +
> 334bfbf6-cdae11e6-8a85a70a-bda98fa
>  e, permissions, pbac, ipa.rdmedia.com
> dn: cn=System: Modify DNS Servers
> Configuration+nsuniqueid=334bfbf6-cdae11e6-8
>  a85a70a-bda98fae,cn=permissions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
> ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify DNS Servers Configuration
> objectClass: ipapermission
> objectClass: top
> obje

Re: [Freeipa-users] How to change kerberos key lifetime?

2017-02-16 Thread William Muriithi
Morning David,

Thank you very much for your help.

> first you're mentioning "key expiry" but if I understand correctly you're
> interested in "ticket lifetime".
Yes, I want to increase the ticket lifetime.
>
> As mentioned here [1] the ticket lifetime is the minimum of 4 values:
> 1) maxlife for the user principal
> 2) maxlife for the service [principal]
> 3) max_life in the kdc.conf
> 4) requested lifetime in the ticket request
>
> You've already done 1) (ipa krbtpolicy) and 4) (ticket_lifetime in
> [libdefaults] in /etc/krb5.conf on client).
>
> To increase 2) you need to change maxlife for krbtgt service. There're two ways
> this can be done:
> a) modifying krbMaxTicketLife attribute in
> krbPrincipalName=krbtgt/example@example.org,cn=EXAMPLE.ORG,cn=kerberos,dc=example,dc=org
> b) using kadmin.local:
> # kadmin.local
> Authenticating as principal admin/ad...@example.org
> : modprinc -maxlife 10day krbtgt/EXAMPLE.ORG
> Principal "krbtgt/example@example.org" modified.
> : exit

Will try 2b and see how it goes.

>
> To increase 3) you need to change 'max_life' in /var/kerberos/krb5kdc/kdc.conf
> and restart krb5kdc service.
>

Okay, I wasn't actually aware of this. Will look at it.

> But generally I don't think it's a good idea to have such long tickets. Would
> it make sense in your use case to deploy SSSD on user systems to handle
> Kerberos tickets for them?
>
I am actually using SSSD on all the systems, even the desktops. I
agree the changes above aren't ideal and would prefer to get SSSD
working well. I would like to avoid this error showing up around
every 12 hours:

antimony:  Could not chdir to home directory /home/william: Key has expired


Regards,
William



Re: [Freeipa-users] how to resolve replication conflicts

2017-02-16 Thread Ludwig Krispenz


On 02/16/2017 01:32 PM, Tiemen Ruiten wrote:

Hello,

I have a FreeIPA setup in which some masters suffered from a few 
uncontrolled shutdowns and now there are replication conflicts (which 
prevent from setting the Domain Level to 1).


I was trying to follow the instructions here: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html


But unfortunately I'm not getting anywhere. This is the result of an
ldapsearch for replication conflicts:



[root@moscovium ~]# ldapsearch -x -D "cn=directory manager" -W -b
"dc=ipa,dc=rdmedia,dc=com" "nsds5ReplConflict=*" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: nsds5ReplConflict=*
# requesting: * nsds5ReplConflict
#
# servers + 334bfc53-cdae11e6-8a85a70a-bda98fae, dns,
ipa.rdmedia.com 
dn:
cn=servers+nsuniqueid=334bfc53-cdae11e6-8a85a70a-bda98fae,cn=dns,dc=ipa,dc
 =rdmedia,dc=com
objectClass: nsContainer
objectClass: top
cn: servers
nsds5ReplConflict: namingConflict
cn=servers,cn=dns,dc=ipa,dc=rdmedia,dc=com
# System: Add CA + 334bfbe5-cdae11e6-8a85a70a-bda98fae,
permissions, pbac, ipa.
rdmedia.com 
dn: cn=System: Add
CA+nsuniqueid=334bfbe5-cdae11e6-8a85a70a-bda98fae,cn=permis
 sions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Add CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA
Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: add
ca,cn=permissions,cn=pbac,dc=
 ipa,dc=rdmedia,dc=com 


# System: Delete CA + 334bfbe9-cdae11e6-8a85a70a-bda98fae,
permissions, pbac, i
pa.rdmedia.com 
dn: cn=System: Delete
CA+nsuniqueid=334bfbe9-cdae11e6-8a85a70a-bda98fae,cn=per
 missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: delete
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Delete CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA
Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: delete
ca,cn=permissions,cn=pbac,
 dc=ipa,dc=rdmedia,dc=com
# System: Modify CA + 334bfbed-cdae11e6-8a85a70a-bda98fae,
permissions, pbac, i
pa.rdmedia.com 
dn: cn=System: Modify
CA+nsuniqueid=334bfbed-cdae11e6-8a85a70a-bda98fae,cn=per
 missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify CA
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA
Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermDefaultAttr: description
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: modify
ca,cn=permissions,cn=pbac,
 dc=ipa,dc=rdmedia,dc=com
# System: Read CAs + 334bfbf1-cdae11e6-8a85a70a-bda98fae,
permissions, pbac, ip
a.rdmedia.com 
dn: cn=System: Read
CAs+nsuniqueid=334bfbf1-cdae11e6-8a85a70a-bda98fae,cn=perm
 issions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: all
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read CAs
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacaissuerdn
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipacasubjectdn
ipaPermDefaultAttr: ipacaid
ipaPermDefaultAttr: cn
ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
nsds5ReplConflict: namingConflict cn=system: read
cas,cn=permissions,cn=pbac,d
 c=ipa,dc=rdmedia,dc=com
# System: Modify DNS Servers Configuration +
334bfbf6-cdae11e6-8a85a70a-bda98fa
 e, permissions, pbac, ipa.rdmedia.com 

[Freeipa-users] Add IP-address client to error-log file

2017-02-16 Thread Alexandr Slavov
Hello all.
We use CentOS 7, FreeIPA 4.4, Apache 2.4.
We installed an audit system like http://www.freeipa.org/page/Centralized_Logging
for monitoring "Who's Doing What".
The audit system parses /var/log/httpd/error_log and logs to Elasticsearch.

A sample line for removing a user from a group in FreeIPA, from
/var/log/httpd/error_log:
[Wed Feb 15 03:46:07.381231 2017] [:error] [pid 31732] ipa: INFO:
admin-u...@domain.com: batch: group_remove_member(u'somegroup',
user=u'someuser'): SUCCESS

Parsed string loaded in Elasticsearch: 
{ 
  "_index": "logstash-2017.02.15", 
  "_type": "events", 
  "_id": "Uniq-ID", 
  "_score": null, 
  "_source": { 
    "timestamp": "2017-02-15T03:46:08-06:00", 
    "status": "SUCCESS", 
    "parameters": "'u'somegroup', user=u'someuser'", 
    "action": "group_remove_member", 
    "principal": "admin-u...@domain.com", 
    "pid": "31732", 
    "event.tags": [ 
  "ipa", 
  "ipa-call", 
  "batch" 
    ], 
    "host": "server-1", 
    "facility": "local0", 
    "severity": "notice", 
    "tag": "httpderror", 
    "message": " [Wed Feb 15 03:46:07.381231 2017] [:error] [pid 31732] ipa: 
INFO: admin-u...@domain.com: batch: group_remove_member(u'somegroup', 
user=u'someuser'): SUCCESS" 
  }, 
  "fields": { 
    "timestamp": [ 
  1487151968000 
    ] 
  }, 
  "sort": [ 
    1487151968000 
  ] 
} 


But we also need the IP address of admin-u...@domain.com to be written to error_log.
How can we add the IP address to this error_log file?
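The Logstash side of the setup described above has to turn the raw `ipa: INFO: principal: call(...): STATUS` line into the fields shown in the Elasticsearch document, and the question is where a client address would come from; as Rob's reply points out, that is Apache's ErrorLogFormat. The parser below is an added example, not FreeIPA or Logstash project code: it extracts the same fields as the document above and, when the line carries a `[client addr:port]` or `[remote addr:port]` field (the form Apache 2.4 and mod_wsgi use), records the client IP, otherwise leaves `client` as None. The sample lines are constructed (made-up principal and address); the output field names are this example's own choice.

```python
"""Parse FreeIPA API audit lines from the Apache error_log into structured events.

Added example for this thread; not FreeIPA or Logstash project code. It
extracts the fields shown in the Elasticsearch document above (timestamp,
principal, action, parameters, status, batch tag) and, when the error log
carries a client address field such as "[client 203.0.113.5:51234]" or
"[remote 203.0.113.5:51234]", records the client IP as well; otherwise
"client" is None. Python 3, standard library only.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "                               # [Wed Feb 15 03:46:07.381231 2017]
    r"\[(?P<module>[^\]:]*):(?P<level>[^\]]+)\] "         # [:error] or [wsgi:error]
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] "                 # [pid 31732] or [pid 31732:tid 1234]
    r"(?:\[(?:client|remote) (?P<client>[^\]]+)\] )?"     # optional client address field
    r"ipa: (?P<severity>[A-Z]+): (?P<principal>\S+): (?P<call>.+)$"
)
# "batch: " prefix is optional; params are everything inside the outer parentheses.
CALL_RE = re.compile(r"^(?:(?P<batch>batch): )?(?P<action>\w+)\((?P<params>.*)\): (?P<status>.+)$")
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"


def _client_ip(field):
    """Strip the trailing :port from an 'addr:port' field; None stays None."""
    if field is None:
        return None
    host, _, port = field.rpartition(":")
    return host if host and port.isdigit() else field


def parse_ipa_audit_line(line):
    """Return an event dict for an 'ipa: INFO: principal: call(...): STATUS' line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    call = CALL_RE.match(m.group("call"))
    if call is None:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT).isoformat()
    except ValueError:
        ts = m.group("ts")  # keep the raw text rather than drop the event
    tags = ["ipa", "ipa-call"] + (["batch"] if call.group("batch") else [])
    return {
        "timestamp": ts,
        "pid": int(m.group("pid")),
        "client": _client_ip(m.group("client")),
        "principal": m.group("principal"),
        "action": call.group("action"),
        "parameters": call.group("params"),
        "status": call.group("status"),
        "tags": tags,
    }


def parse_error_log(lines):
    """Yield events for the audit lines in an iterable of error_log lines; other lines are skipped."""
    for line in lines:
        event = parse_ipa_audit_line(line)
        if event is not None:
            yield event


# Constructed sample lines (principal and address are made up). The first has the
# shape of the line quoted above; the second carries a client field; the third is noise.
SAMPLE_LOG = [
    "[Wed Feb 15 03:46:07.381231 2017] [:error] [pid 31732] ipa: INFO: admin@example.com: "
    "batch: group_remove_member(u'somegroup', user=u'someuser'): SUCCESS",
    "[Wed Feb 15 03:47:12.004411 2017] [:error] [pid 31732] [client 203.0.113.5:51234] ipa: INFO: "
    "admin@example.com: user_add(u'jdoe', givenname=u'John', sn=u'Doe'): SUCCESS",
    "[Wed Feb 15 03:47:13.000000 2017] [wsgi:error] [pid 31732] mod_wsgi (pid=31732): something unrelated",
]

if __name__ == "__main__":
    for event in parse_error_log(SAMPLE_LOG):
        print(event)
```

Whether the `[client ...]` field is present depends entirely on the ErrorLogFormat configured on the master; the parser tolerates both forms so that the same pipeline keeps working across masters that are configured differently.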

[Freeipa-users] ipa-server-install fails at client phase

2017-02-16 Thread Ryan Hutchison
Hello All,

Version: IPAv4.4
OS: RHEL 7.3

Having a python import issue during ipa-server-install here, and the internets
are failing me. Please note that the urls and server names have been
abstracted. During the install run, I get the following:

Forwarding 'schema' to json server 'https://ipaserver.domain.com/ipa/json'
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 3128, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3109, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2818, in install
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 118, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 543, in get_package
    schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 387, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1033, in forward
    raise NetworkError(uri=server, error=e.errmsg)
ipalib.errors.NetworkError: cannot connect to ''https://ipaserver.domain.com/ipa/json: Internal Server Error
ipa.ipapython.install.cli.install_tool(Server): ERROR    Configuration of client side components failed!
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The install log doesn’t really tell me a whole lot, save for a full stacktrace
when running “ipa-client-install”:

2017-02-15T20:40:12Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain domain.com --server ipaserver.domain.com --realm REALM.COM --hostname ipaserver.domain.com
2017-02-15T20:40:13Z DEBUG Process finished, return code=1
2017-02-15T20:40:13Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
…truncated…

However, in the httpd logs I see the following:

[Wed Feb 15 14:40:13.488496 2017] [wsgi:error] [pid 39142] [remote 172.20.151.7:58476] mod_wsgi (pid=39142): Target WSGI script '/usr/share/ipa/wsgi.py' cannot be loaded as Python module.
[Wed Feb 15 14:40:13.488546 2017] [wsgi:error] [pid 39142] [remote 172.20.151.7:58476] mod_wsgi (pid=39142): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed Feb 15 14:40:13.488638 2017] [wsgi:error] [pid 39142] [remote 172.20.151.7:58476] Traceback (most recent call last):
[Wed Feb 15 14:40:13.488664 2017] [wsgi:error] [pid 39142] [remote 172.20.151.7:58476]   File "/usr/share/ipa/wsgi.py", line 26, in <module>
[Wed Feb 15 14:40:13.488674 2017] [wsgi:error] [pid 39142] [remote 172.20.151.7:58476]     from ipalib import api
[Wed Feb 15 14:40:13.488691 2017] [wsgi:error] [pid 39142] [remote 172.20.151.7:58476] ImportError: No module named 'ipalib'

Along with other import errors. However, I have confirmed I am able to import
these global modules:

[root@720941-ipa ~]# python
Python 2.7.5 (default, Aug  2 2016, 04:20:16)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from ipalib import api
>>> api

I can also run the wsgi script directly without issue:

[root@720941-ipa ~]# python /usr/share/ipa/wsgi.py
ipa: INFO: *** PROCESS START ***

Can someone point me in the right direction here? Thank you in advance for your
help!

--
Ryan Hutchison, RHCE/CCNA
Enterprise Support Architect
Rackspace Hosting
Direct: (210) 312-8157
Mobile: (210) 452-4349


Re: [Freeipa-users] How to change kerberos key lifetime?

2017-02-16 Thread David Kupka
On Thu, Feb 16, 2017 at 07:54:47AM -0500, William Muriithi wrote:
> Morning David,
> 
> Thank you very much for your help.
> 
> > first you're mentioning "key expiry" but if I understand correctly you're
> > interested in "ticket lifetime".
> Yes, want to increase ticket lifetime.
> >
> > As mentioned here [1] the ticket lifetime is the minimum of 4 values:
> > 1) maxlife for the user principal
> > 2) maxlife for the service [principal]
> > 3) max_life in the kdc.conf
> > 4) requested lifetime in the ticket request
> >
> > You've already done 1) (ipa krbtpolicy) and 4) (ticket_lifetime in
> > [libdefaults] in /etc/krb5.conf on client).
> >
> > To increase 2) you need to change maxlife for krbtgt service. There're two ways
> > this can be done:
> > a) modifying krbMaxTicketLife attribute in
> > krbPrincipalName=krbtgt/example@example.org,cn=EXAMPLE.ORG,cn=kerberos,dc=example,dc=org
> > b) using kadmin.local:
> > # kadmin.local
> > Authenticating as principal admin/ad...@example.org
> > : modprinc -maxlife 10day krbtgt/EXAMPLE.ORG
> > Principal "krbtgt/example@example.org" modified.
> > : exit
> 
> Will try 2 b and see how it goes
> 
> >
> > To increase 3) you need to change 'max_life' in 
> > /var/kerberos/krb5kdc/kdc.conf
> > and restart krb5kdc service.
> >
> 
> okay, wasn't actually aware of this.  Will look at it
> 
> > But generally I don't think it's a good idea to have such long tickets. 
> > Would
> > it make sense in your use case to deploy SSSD on user systems to handle
> > Kerberos tickets for them?
> >
> I am actually using SSSD on all the systems, even the desktops.  I
> agree the changes above aren't ideal and would prefer to get SSSD
> working well.  Where would like to avoid this error showing around
> every 12 hours.
> 
> antimony:  Could not chdir to home directory /home/william: Key has expired
> 
> 
> Regards,
> William

Hello William!

The fact that your desktops are using SSSD changes the situation dramatically.

SSSD (with the ipa or krb5 provider) obtains a ticket for the user when they log in,
and can be configured to renew the ticket for the user until the ticket's renewable
lifetime expires.

Given this you can keep the ticket lifetime reasonably short (~1 day), set the ticket
renewable lifetime to a longer period (~2 weeks) and maintain a reasonable
security level without negative impact on users' daily work.

Look for the krb5_renew_interval, krb5_lifetime and krb5_renewable_lifetime options
in the sssd-krb5 man page.

-- 
David Kupka


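Two pieces of reasoning in this thread are worth having as code: David's point that the granted ticket lifetime is the minimum of four separately configured values (so raising three of them changes nothing while the fourth still binds), and his later point that a short lifetime plus a long renewable lifetime works only if something renews the ticket in time. The script below is an added example, not FreeIPA, MIT krb5 or SSSD project code. `parse_deltat` is a hypothetical helper that accepts the duration spellings used in the thread ("10day", "1d", "24h", "HH:MM:SS", plain seconds), not krb5's own parser; `renewal_schedule` simulates the behaviour sssd-krb5(5) documents for krb5_renew_interval (check every interval, renew once about half the lifetime has passed, stop when the renewable lifetime is exhausted). The limit values in `THREAD_LIMITS` are constructed to show kdc.conf binding the result.

```python
"""Which of the four lifetime limits binds, and does an SSSD renewal schedule
keep a TGT alive?

Added example for this thread; not FreeIPA, MIT krb5 or SSSD project code.
parse_deltat() is a hypothetical helper covering the duration spellings used
above ("10day", "1d", "24h", "1h30m", "HH:MM:SS", plain seconds), not krb5's
parser. renewal_schedule() models sssd-krb5(5): every krb5_renew_interval the
TGT is renewed once about half its lifetime has elapsed, until the renewable
lifetime runs out. Python 3, standard library only.
"""
import re

UNIT_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
UNIT_NAMES = {
    "w": "w", "week": "w", "weeks": "w",
    "d": "d", "day": "d", "days": "d",
    "h": "h", "hour": "h", "hours": "h",
    "m": "m", "min": "m", "mins": "m", "minute": "m", "minutes": "m",
    "s": "s", "sec": "s", "secs": "s", "second": "s", "seconds": "s",
}
PART_RE = re.compile(r"(\d+)\s*([a-z]+)")


def parse_deltat(text):
    """Convert a duration string to seconds; raises ValueError on unknown syntax."""
    s = text.strip().lower()
    if re.fullmatch(r"\d+:\d{1,2}:\d{1,2}", s):          # HH:MM:SS
        h, m, sec = (int(x) for x in s.split(":"))
        return h * 3600 + m * 60 + sec
    if s.isdigit():                                       # bare seconds
        return int(s)
    if PART_RE.sub("", s).strip() or not PART_RE.search(s):
        raise ValueError("unrecognised duration: %r" % text)
    total = 0
    for number, unit in PART_RE.findall(s):
        if unit not in UNIT_NAMES:
            raise ValueError("unknown unit %r in %r" % (unit, text))
        total += int(number) * UNIT_SECONDS[UNIT_NAMES[unit]]
    return total


def effective_lifetime(limits):
    """limits: {description: duration string} for the four values in the thread.
    Returns (binding_limit, seconds): the ticket lifetime the KDC will actually grant."""
    parsed = {name: parse_deltat(value) for name, value in limits.items()}
    name = min(parsed, key=parsed.get)
    return name, parsed[name]


def renewal_schedule(lifetime, renewable_lifetime, renew_interval):
    """Simulate SSSD renewing a TGT; all arguments in seconds.
    Returns (renewal_times, final_expiry, lapsed_at); lapsed_at is None unless a
    renewal check came after the ticket had already expired."""
    expiry, renew_till = lifetime, renewable_lifetime
    renewals, t = [], 0
    while True:
        t += renew_interval                   # next krb5_renew_interval check
        if expiry >= renew_till or t >= renew_till:
            return renewals, expiry, None     # nothing more can be gained by renewing
        if t >= expiry:
            return renewals, expiry, t        # the interval was too long: TGT lapsed
        if expiry - t <= lifetime / 2:        # "about half of the lifetime is exceeded"
            expiry = min(t + lifetime, renew_till)
            renewals.append(t)


# Constructed values: user policy, krbtgt service and client request all raised
# to 10 days, while kdc.conf still says 24h, so kdc.conf is the value that binds.
THREAD_LIMITS = {
    "1) maxlife for the user principal (ipa krbtpolicy)": "10day",
    "2) maxlife for the krbtgt service": "10day",
    "3) max_life in kdc.conf": "24h",
    "4) requested lifetime (ticket_lifetime in krb5.conf)": "10d",
}

if __name__ == "__main__":
    name, secs = effective_lifetime(THREAD_LIMITS)
    print("granted lifetime %dh, bound by %s" % (secs // 3600, name))
    renewals, final, lapsed = renewal_schedule(parse_deltat("1d"), parse_deltat("2w"), parse_deltat("1h"))
    print("renewals: %d, usable until hour %d, lapsed: %s" % (len(renewals), final // 3600, lapsed))
    renewals, final, lapsed = renewal_schedule(parse_deltat("1d"), parse_deltat("2w"), parse_deltat("30h"))
    print("renewals: %d, usable until hour %d, lapsed at hour %s" % (len(renewals), final // 3600, lapsed // 3600))
```

The second simulation in `__main__` is the failure mode to watch for: a renew interval longer than half the ticket lifetime lets the ticket expire between checks, which is exactly the "Key has expired" symptom in the thread.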

Re: [Freeipa-users] how to resolve replication conflicts

2017-02-16 Thread Tiemen Ruiten
Thank you very much Ludwig, that worked. I had to do an ldapdelete -r
(recursive) to remove a few containers which apparently had some tombstone
entries in them. Domain is now running at level 1!

On 16 February 2017 at 13:58, Ludwig Krispenz wrote:

>
> On 02/16/2017 01:32 PM, Tiemen Ruiten wrote:
>
> Hello,
>
> I have a FreeIPA setup in which some masters suffered from a few
> uncontrolled shutdowns and now there are replication conflicts (which
> prevent from setting the Domain Level to 1).
>
> I was trying to follow the instructions here: https://access.redhat.
> com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/
> Identity_Management_Guide/ipa-replica-manage.html
>
> But unfortunately I'm not getting anywhere. This is the result of an
> ldapsearch for replication conflicts:
>
>
>> [root@moscovium ~]# ldapsearch -x -D "cn=directory manager" -W -b
>> "dc=ipa,dc=rdmedia,dc=com" "nsds5ReplConflict=*" \* nsds5ReplConflict
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  with scope subtree
>> # filter: nsds5ReplConflict=*
>> # requesting: * nsds5ReplConflict
>> #
>> # servers + 334bfc53-cdae11e6-8a85a70a-bda98fae, dns, ipa.rdmedia.com
>> dn: cn=servers+nsuniqueid=334bfc53-cdae11e6-8a85a70a-
>> bda98fae,cn=dns,dc=ipa,dc
>>  =rdmedia,dc=com
>> objectClass: nsContainer
>> objectClass: top
>> cn: servers
>> nsds5ReplConflict: namingConflict cn=servers,cn=dns,dc=ipa,dc=
>> rdmedia,dc=com
>> # System: Add CA + 334bfbe5-cdae11e6-8a85a70a-bda98fae, permissions,
>> pbac, ipa.
>>  rdmedia.com
>> dn: cn=System: Add CA+nsuniqueid=334bfbe5-cdae11e6-8a85a70a-bda98fae,cn=
>> permis
>>  sions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>> ipaPermTargetFilter: (objectclass=ipaca)
>> ipaPermRight: add
>> ipaPermBindRuleType: permission
>> ipaPermissionType: V2
>> ipaPermissionType: MANAGED
>> ipaPermissionType: SYSTEM
>> cn: System: Add CA
>> objectClass: ipapermission
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: ipapermissionv2
>> member: cn=CA Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=
>> com
>> ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
>> nsds5ReplConflict: namingConflict cn=system: add
>> ca,cn=permissions,cn=pbac,dc=
>>  ipa,dc=rdmedia,dc=com
>
> # System: Delete CA + 334bfbe9-cdae11e6-8a85a70a-bda98fae, permissions,
>> pbac, i
>>  pa.rdmedia.com
>> dn: cn=System: Delete CA+nsuniqueid=334bfbe9-
>> cdae11e6-8a85a70a-bda98fae,cn=per
>>  missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>> ipaPermTargetFilter: (objectclass=ipaca)
>> ipaPermRight: delete
>> ipaPermBindRuleType: permission
>> ipaPermissionType: V2
>> ipaPermissionType: MANAGED
>> ipaPermissionType: SYSTEM
>> cn: System: Delete CA
>> objectClass: ipapermission
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: ipapermissionv2
>> member: cn=CA Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=
>> com
>> ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
>> nsds5ReplConflict: namingConflict cn=system: delete
>> ca,cn=permissions,cn=pbac,
>>  dc=ipa,dc=rdmedia,dc=com
>> # System: Modify CA + 334bfbed-cdae11e6-8a85a70a-bda98fae, permissions,
>> pbac, i
>>  pa.rdmedia.com
>> dn: cn=System: Modify CA+nsuniqueid=334bfbed-
>> cdae11e6-8a85a70a-bda98fae,cn=per
>>  missions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>> ipaPermTargetFilter: (objectclass=ipaca)
>> ipaPermRight: write
>> ipaPermBindRuleType: permission
>> ipaPermissionType: V2
>> ipaPermissionType: MANAGED
>> ipaPermissionType: SYSTEM
>> cn: System: Modify CA
>> objectClass: ipapermission
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: ipapermissionv2
>> member: cn=CA Administrator,cn=privileges,cn=pbac,dc=ipa,dc=rdmedia,dc=
>> com
>> ipaPermDefaultAttr: description
>> ipaPermDefaultAttr: cn
>> ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
>> nsds5ReplConflict: namingConflict cn=system: modify
>> ca,cn=permissions,cn=pbac,
>>  dc=ipa,dc=rdmedia,dc=com
>> # System: Read CAs + 334bfbf1-cdae11e6-8a85a70a-bda98fae, permissions,
>> pbac, ip
>>  a.rdmedia.com
>> dn: cn=System: Read CAs+nsuniqueid=334bfbf1-
>> cdae11e6-8a85a70a-bda98fae,cn=perm
>>  issions,cn=pbac,dc=ipa,dc=rdmedia,dc=com
>> ipaPermTargetFilter: (objectclass=ipaca)
>> ipaPermRight: read
>> ipaPermRight: compare
>> ipaPermRight: search
>> ipaPermBindRuleType: all
>> ipaPermissionType: V2
>> ipaPermissionType: MANAGED
>> ipaPermissionType: SYSTEM
>> cn: System: Read CAs
>> objectClass: ipapermission
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: ipapermissionv2
>> ipaPermDefaultAttr: description
>> ipaPermDefaultAttr: ipacaissuerdn
>> ipaPermDefaultAttr: objectclass
>> ipaPermDefaultAttr: ipacasubjectdn
>> ipaPermDefaultAttr: ipacaid
>> ipaPermDefaultAttr: cn
>> ipaPermLocation: cn=cas,cn=ca,dc=ipa,dc=rdmedia,dc=com
>> nsds5ReplConflict: namingConflict cn=system: read
>> cas,cn=permissions,cn=pbac,d
>>  c=ipa,dc=rdmedia,dc=com
>> # System: Modify DNS Servers Configuration + 334bfbf6-cdae11e6-8a85a70a-
>> bda98fa
>>  e, permissions, pbac

Re: [Freeipa-users] Add IP-address client to error-log file

2017-02-16 Thread Rob Crittenden
Alexandr Slavov wrote:
> Hello all.
> We use CentOS 7, FreeIPA 4.4, Apache 2.4.
> We installed an audit system like
> http://www.freeipa.org/page/Centralized_Logging for monitoring "Who's
> What's Doing".
> The audit system parses /var/log/httpd/error_log and logs to Elasticsearch.
> 
> A sample line for removing a user from a group in FreeIPA, from
> /var/log/httpd/error_log:
> [Wed Feb 15 03:46:07.381231 2017] [:error] [pid 31732] ipa: INFO:
> admin-u...@domain.com: batch: group_remove_member(u'somegroup',
> user=u'someuser'): SUCCESS
> 
> Parsed string loaded in Elasticsearch:
> {
>   "_index": "logstash-2017.02.15",
>   "_type": "events",
>   "_id": "Uniq-ID",
>   "_score": null,
>   "_source": {
> "timestamp": "2017-02-15T03:46:08-06:00",
> "status": "SUCCESS",
> "parameters": "'u'somegroup', user=u'someuser'",
> "action": "group_remove_member",
> "principal": "admin-u...@domain.com",
> "pid": "31732",
> "event.tags": [
>   "ipa",
>   "ipa-call",
>   "batch"
> ],
> "host": "server-1",
> "facility": "local0",
> "severity": "notice",
> "tag": "httpderror",
> "message": " [Wed Feb 15 03:46:07.381231 2017] [:error] [pid 31732]
> ipa: INFO: admin-u...@domain.com: batch:
> group_remove_member(u'somegroup', user=u'someuser'): SUCCESS"
>   },
>   "fields": {
> "timestamp": [
>   1487151968000
> ]
>   },
>   "sort": [
> 1487151968000
>   ]
> }
> 
> 
> But we need the IP address of admin-u...@domain.com to be output to
> error_log. How can we add the IP address to this error_log file?

See https://httpd.apache.org/docs/2.4/mod/core.html#errorlogformat

You'd have to manually configure this on each master and ensure that it
survives IPA updates.

Alternatively you can open a ticket asking IPA to add this.

rob
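Added example (not code from the thread or from FreeIPA itself): a parser for the ipa audit line quoted above that recovers the same fields the Elasticsearch document carries (timestamp, pid, principal, action, parameters, status, batch tag), plus a watch on membership changes to a named group. The sample log lines, principals and the "admins" watch list are constructed; note that the line itself carries no client address, so no parser can supply one.

```python
import re
from datetime import datetime

# Regex for one FreeIPA API-call audit line as the IPA framework writes it to
# Apache's error_log (shape taken from the line quoted in the thread):
#   [<ts>] [<module:level>] [pid N] ipa: INFO: <principal>: [batch: ]<cmd>(<params>): <STATUS>
# The "batch: " marker is present only when the call arrived via the batch command.
IPA_CALL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^\]]*)\] \[pid (?P<pid>\d+)\] "
    r"ipa: INFO: (?P<principal>[^:\s]+): (?:(?P<batch>batch): )?"
    r"(?P<action>\w+)\((?P<params>.*)\): (?P<status>\w+)$"
)

# One positional or keyword argument inside the parentheses, e.g. u'somegroup'
# or user=u'someuser'; quoted values may contain commas.
ARG_RE = re.compile(
    r"\s*(?:(?P<key>\w+)=)?"
    r"(?P<val>u?'(?:[^'\\]|\\.)*'|u?\"(?:[^\"\\]|\\.)*\"|[^,]+?)\s*(?:,|$)"
)

MEMBERSHIP_ACTIONS = {"group_add_member", "group_remove_member"}


def _unquote(value):
    """Strip the Python 2 repr quoting (u'...') the framework uses for strings."""
    if len(value) > 1 and value[0] == "u" and value[1] in "'\"":
        value = value[1:]
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value  # unquoted literal such as True or 3; left as text


def parse_params(params):
    """Split "u'somegroup', user=u'someuser'" into (['somegroup'], {'user': 'someuser'})."""
    args, kwargs = [], {}
    pos = 0
    while pos < len(params):
        m = ARG_RE.match(params, pos)
        if m is None or m.end() == pos:
            break  # unparseable tail: keep what was recovered so far
        if m.group("key"):
            kwargs[m.group("key")] = _unquote(m.group("val"))
        else:
            args.append(_unquote(m.group("val")))
        pos = m.end()
    return args, kwargs


def parse_ipa_call(line):
    """Return a structured audit event for one error_log line, or None for any
    other line (Apache notices, ipa: ERROR lines, tracebacks)."""
    m = IPA_CALL_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
    args, kwargs = parse_params(m.group("params"))
    return {
        "timestamp": ts.isoformat(),
        "pid": int(m.group("pid")),
        "principal": m.group("principal"),
        "action": m.group("action"),
        "parameters": m.group("params"),
        "args": args,
        "kwargs": kwargs,
        "status": m.group("status"),
        "event.tags": ["ipa", "ipa-call"] + (["batch"] if m.group("batch") else []),
    }


def sensitive_group_changes(lines, watched=("admins",)):
    """Events that changed membership of a watched group. The watch list is a
    constructed default; 'admins' is FreeIPA's built-in administrators group."""
    hits = []
    for line in lines:
        ev = parse_ipa_call(line)
        if ev is None or ev["action"] not in MEMBERSHIP_ACTIONS:
            continue
        if ev["args"] and ev["args"][0] in watched:
            hits.append(ev)
    return hits


# Constructed sample of error_log lines (principals and names are made up).
SAMPLE_LOG = [
    "[Wed Feb 15 03:46:07.381231 2017] [:error] [pid 31732] ipa: INFO: "
    "admin@EXAMPLE.COM: batch: group_remove_member(u'somegroup', user=u'someuser'): SUCCESS",
    "[Wed Feb 15 03:47:12.004512 2017] [:error] [pid 31732] ipa: INFO: "
    "admin@EXAMPLE.COM: group_add_member(u'admins', user=u'someuser'): SUCCESS",
    "[Wed Feb 15 03:47:30.118800 2017] [:error] [pid 31733] ipa: INFO: "
    "someuser@EXAMPLE.COM: user_show(u'nobody', all=True): NotFound",
    "[Wed Feb 15 03:48:00.000000 2017] [core:notice] [pid 1] AH00094: Command line: "
    "'/usr/sbin/httpd -D FOREGROUND'",
]

if __name__ == "__main__":
    for event in filter(None, map(parse_ipa_call, SAMPLE_LOG)):
        print(event["timestamp"], event["principal"], event["action"], event["status"])
    for hit in sensitive_group_changes(SAMPLE_LOG):
        print("watched group changed:", hit["args"][0], "by", hit["principal"])
```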



Re: [Freeipa-users] IPA rewrite conf

2017-02-16 Thread Jan Pazdziora
On Mon, Nov 28, 2016 at 03:09:51PM +, Deepak Dimri wrote:
> Hi Jan, sorry to ask, but where exactly can I modify the referer with
> RequestHeader on the IPA Server?
> 

I've now described the load-balancing setup for WebUI with FreeIPA
replicas at

https://www.adelton.com/freeipa/freeipa-behind-load-balancer

Hope this helps,

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] Add IP-address client to error-log file

2017-02-16 Thread Alexandr Slavov
Thanks for your response.
I added a custom ErrorLogFormat, but it did not resolve this.
I think this is Python output information.

Do you have any idea?

Where can I open a ticket about adding this?

Alexandr Slavov wrote:
> Hello all.
> We use CentOS 7, FreeIPA 4.4, Apache 2.4.
> We installed an audit system like
> http://www.freeipa.org/page/Centralized_Logging for monitoring "Who's
> What's Doing".
> The audit system parses /var/log/httpd/error_log and logs to Elasticsearch.
> 
> A sample line for removing a user from a group in FreeIPA, from
> /var/log/httpd/error_log:
> [Wed Feb 15 03:46:07.381231 2017] [:error] [pid 31732] ipa: INFO:
> admin-u...@domain.com: batch: group_remove_member(u'somegroup',
> user=u'someuser'): SUCCESS
> 
> Parsed string loaded in Elasticsearch:
> {
>   "_index": "logstash-2017.02.15",
>   "_type": "events",
>   "_id": "Uniq-ID",
>   "_score": null,
>   "_source": {
> "timestamp": "2017-02-15T03:46:08-06:00",
> "status": "SUCCESS",
> "parameters": "'u'somegroup', user=u'someuser'",
> "action": "group_remove_member",
> "principal": "admin-u...@domain.com",
> "pid": "31732",
> "event.tags": [
>   "ipa",
>   "ipa-call",
>   "batch"
> ],
> "host": "server-1",
> "facility": "local0",
> "severity": "notice",
> "tag": "httpderror",
> "message": " [Wed Feb 15 03:46:07.381231 2017] [:error] [pid 31732]
> ipa: INFO: admin-u...@domain.com : batch:
> group_remove_member(u'somegroup', user=u'someuser'): SUCCESS"
>   },
>   "fields": {
> "timestamp": [
>   1487151968000
> ]
>   },
>   "sort": [
> 1487151968000
>   ]
> }
> 
> 
> But we need the IP address of admin-u...@domain.com to be output to
> error_log. How can we add the IP address to this error_log file?

See https://httpd.apache.org/docs/2.4/mod/core.html#errorlogformat 

You'd have to manually configure this on each master and ensure that it
survives IPA updates.

Alternatively you can open a ticket asking IPA to add this.

rob
 
 

Re: [Freeipa-users] Add IP-address client to error-log file

2017-02-16 Thread Rob Crittenden
Alexandr Slavov wrote:
> Thanks for your response.
> I added a custom ErrorLogFormat, but it did not resolve this.
> I think this is Python output information.
> 
> Do you have any idea?
> 
> Where can I open a ticket about adding this?

For the short term https://fedorahosted.org/freeipa/newticket

You need a FAS (Fedora Account) to open one.

rob

> 
> Alexandr Slavov wrote:
> > Hello all.
> > We use CentOS 7, FreeIPA 4.4, Apache 2.4.
> > We installed an audit system like
> > http://www.freeipa.org/page/Centralized_Logging for monitoring "Who's
> > What's Doing".
> > The audit system parses /var/log/httpd/error_log and logs to Elasticsearch.
> > 
> > A sample line for removing a user from a group in FreeIPA, from
> > /var/log/httpd/error_log:
> > [Wed Feb 15 03:46:07.381231 2017] [:error] [pid 31732] ipa: INFO:
> > admin-u...@domain.com: batch: group_remove_member(u'somegroup',
> > user=u'someuser'): SUCCESS
> > 
> > Parsed string loaded in Elasticsearch:
> > {
> >   "_index": "logstash-2017.02.15",
> >   "_type": "events",
> >   "_id": "Uniq-ID",
> >   "_score": null,
> >   "_source": {
> > "timestamp": "2017-02-15T03:46:08-06:00",
> > "status": "SUCCESS",
> > "parameters": "'u'somegroup', user=u'someuser'",
> > "action": "group_remove_member",
> > "principal": "admin-u...@domain.com",
> > "pid": "31732",
> > "event.tags": [
> >   "ipa",
> >   "ipa-call",
> >   "batch"
> > ],
> > "host": "server-1",
> > "facility": "local0",
> > "severity": "notice",
> > "tag": "httpderror",
> > "message": " [Wed Feb 15 03:46:07.381231 2017] [:error] [pid 31732]
> > ipa: INFO: admin-u...@domain.com : batch:
> > group_remove_member(u'somegroup', user=u'someuser'): SUCCESS"
> >   },
> >   "fields": {
> > "timestamp": [
> >   1487151968000
> > ]
> >   },
> >   "sort": [
> > 1487151968000
> >   ]
> > }
> > 
> > 
> > But we need the IP address of admin-u...@domain.com to be output to
> > error_log. How can we add the IP address to this error_log file?
> 
> See https://httpd.apache.org/docs/2.4/mod/core.html#errorlogformat
> 
> You'd have to manually configure this on each master and ensure that it
> survives IPA updates.
> 
> Alternatively you can open a ticket asking IPA to add this.
> 
> rob
> 



Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-16 Thread Jeff Goddard
Might be another instance of this:
https://fedorahosted.org/freeipa/ticket/6613

Jeff

On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten 
wrote:

> Hello,
>
> I'm trying to add a third replica to a FreeIPA 4.4 domain (level 1), but
> I'm getting this error:
>
> [tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w "XX"
>> --mkhomedir --setup-dns --forwarder 8.8.8.8 --forwarder 8.8.4.4
>> Checking DNS forwarders, please wait ...
>> Run connection check to master
>> Connection check OK
>> Configuring NTP daemon (ntpd)
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>   [1/44]: creating directory server user
>>   [2/44]: creating directory server instance
>>   [3/44]: updating configuration in dse.ldif
>>   [4/44]: restarting directory server
>>   [5/44]: adding default schema
>>   [6/44]: enabling memberof plugin
>>   [7/44]: enabling winsync plugin
>>   [8/44]: configuring replication version plugin
>>   [9/44]: enabling IPA enrollment plugin
>>   [10/44]: enabling ldapi
>>   [11/44]: configuring uniqueness plugin
>>   [12/44]: configuring uuid plugin
>>   [13/44]: configuring modrdn plugin
>>   [14/44]: configuring DNS plugin
>>   [15/44]: enabling entryUSN plugin
>>   [16/44]: configuring lockout plugin
>>   [17/44]: configuring topology plugin
>>   [18/44]: creating indices
>>   [19/44]: enabling referential integrity plugin
>>   [20/44]: configuring certmap.conf
>>   [21/44]: configure autobind for root
>>   [22/44]: configure new location for managed entries
>>   [23/44]: configure dirsrv ccache
>>   [24/44]: enabling SASL mapping fallback
>>   [25/44]: restarting directory server
>>   [26/44]: creating DS keytab
>>   [27/44]: retrieving DS Certificate
>>   [28/44]: restarting directory server
>> ipa : CRITICAL Failed to restart the directory server (Command
>> '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned
>> non-zero exit status 1). See the installation log for details.
>>   [29/44]: setting up initial replication
>>   [error] error: [Errno 111] Connection refused
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
>> Connection refused
>> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
>> ipa-replica-install command failed. See /var/log/ipareplica-install.log
>> for more information
>
>
> In /var/log/ipareplica-install.log we find:
>
> 2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS Certificate
>> 2017-02-16T15:53:59Z DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2017-02-16T15:53:59Z DEBUG Starting external process
>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=255
>> 2017-02-16T15:53:59Z DEBUG stdout=
>>
>> *2017-02-16T15:53:59Z DEBUG stderr=certutil: Could not find cert:
>> IPA.RDMEDIA.COM  IPA CA: PR_FILE_NOT_FOUND_ERROR:
>> File not found*
>> 2017-02-16T15:53:59Z DEBUG Starting external process
>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -N -f /etc/dirsrv/slapd-IPA-RDMEDIA-
>> COM//pwdfile.txt
>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>> 2017-02-16T15:53:59Z DEBUG stdout=
>> 2017-02-16T15:53:59Z DEBUG stderr=
>> 2017-02-16T15:53:59Z DEBUG Starting external process
>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -A -n IPA.RDMEDIA.COM IPA CA -t
>> CT,C,C -a
>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>> 2017-02-16T15:53:59Z DEBUG stdout=
>> 2017-02-16T15:53:59Z DEBUG stderr=
>> 2017-02-16T15:53:59Z DEBUG certmonger request is in state
>> dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
>> 2017-02-16T15:54:04Z DEBUG certmonger request is in state
>> dbus.String(u'CA_UNREACHABLE', variant_level=1)
>> 2017-02-16T15:54:04Z DEBUG flushing 
>> ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket
>> from SchemaCache
>> 2017-02-16T15:54:04Z DEBUG retrieving schema for SchemaCache
>> url=ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket
>> conn=
>> 2017-02-16T15:54:05Z DEBUG   duration: 5 seconds
>> 2017-02-16T15:54:05Z DEBUG   [28/44]: restarting directory server
>> 2017-02-16T15:54:05Z DEBUG Starting external process
>> 2017-02-16T15:54:05Z DEBUG args=/bin/systemctl --system daemon-reload
>> 2017-02-16T15:54:05Z DEBUG Process finished, return code=0
>> 2017-02-16T15:54:05Z DEBUG stdout=
>> 2017-02-16T15:54:05Z DEBUG stderr=
>> 2017-02-16T15:54:05Z DEBUG Starting external process
>> 2017-02-16T15:54:05Z DEBUG args=/bin/systemctl restart
>> dirsrv@IPA-RDMEDIA-COM.service
>> 2017-02-16T15:54:06Z DEBUG Proces

Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-16 Thread Martin Basti



On 16.02.2017 17:21, Tiemen Ruiten wrote:

Hello,

I'm trying to add a third replica to a FreeIPA 4.4 domain (level 1), 
but I'm getting this error:


[tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w
"XX" --mkhomedir --setup-dns --forwarder 8.8.8.8
--forwarder 8.8.4.4
Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: updating configuration in dse.ldif
  [4/44]: restarting directory server
  [5/44]: adding default schema
  [6/44]: enabling memberof plugin
  [7/44]: enabling winsync plugin
  [8/44]: configuring replication version plugin
  [9/44]: enabling IPA enrollment plugin
  [10/44]: enabling ldapi
  [11/44]: configuring uniqueness plugin
  [12/44]: configuring uuid plugin
  [13/44]: configuring modrdn plugin
  [14/44]: configuring DNS plugin
  [15/44]: enabling entryUSN plugin
  [16/44]: configuring lockout plugin
  [17/44]: configuring topology plugin
  [18/44]: creating indices
  [19/44]: enabling referential integrity plugin
  [20/44]: configuring certmap.conf
  [21/44]: configure autobind for root
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: creating DS keytab
  [27/44]: retrieving DS Certificate
  [28/44]: restarting directory server
ipa : CRITICAL Failed to restart the directory server
(Command '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service'
returned non-zero exit status 1). See the installation log for
details.
  [29/44]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR  [Errno
111] Connection refused
ipa.ipapython.install.cli.install_tool(Replica): ERROR  The
ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information


In /var/log/ipareplica-install.log we find:

2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS Certificate
2017-02-16T15:53:59Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-02-16T15:53:59Z DEBUG Starting external process
2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM
 IPA CA -a
2017-02-16T15:53:59Z DEBUG Process finished, return code=255
2017-02-16T15:53:59Z DEBUG stdout=
*2017-02-16T15:53:59Z DEBUG stderr=certutil: Could not find cert:
IPA.RDMEDIA.COM  IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found*
2017-02-16T15:53:59Z DEBUG Starting external process
2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -N -f
/etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt
2017-02-16T15:53:59Z DEBUG Process finished, return code=0
2017-02-16T15:53:59Z DEBUG stdout=
2017-02-16T15:53:59Z DEBUG stderr=
2017-02-16T15:53:59Z DEBUG Starting external process
2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -A -n IPA.RDMEDIA.COM
 IPA CA -t CT,C,C -a
2017-02-16T15:53:59Z DEBUG Process finished, return code=0
2017-02-16T15:53:59Z DEBUG stdout=
2017-02-16T15:53:59Z DEBUG stderr=
2017-02-16T15:53:59Z DEBUG certmonger request is in state
dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
2017-02-16T15:54:04Z DEBUG certmonger request is in state
dbus.String(u'CA_UNREACHABLE', variant_level=1)
2017-02-16T15:54:04Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket from SchemaCache
2017-02-16T15:54:04Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket
conn=
2017-02-16T15:54:05Z DEBUG   duration: 5 seconds
2017-02-16T15:54:05Z DEBUG   [28/44]: restarting directory server
2017-02-16T15:54:05Z DEBUG Starting external process
2017-02-16T15:54:05Z DEBUG args=/bin/systemctl --system daemon-reload
2017-02-16T15:54:05Z DEBUG Process finished, return code=0
2017-02-16T15:54:05Z DEBUG stdout=
2017-02-16T15:54:05Z DEBUG stderr=
2017-02-16T15:54:05Z DEBUG Starting external process
2017-02-16T15:54:05Z DEBUG args=/bin/systemctl restart
dirsrv@IPA-RDMEDIA-COM.serv

[Freeipa-users] can't add replica: failed to start the directory server

2017-02-16 Thread Tiemen Ruiten
Hello,

I'm trying to add a third replica to a FreeIPA 4.4 domain (level 1), but
I'm getting this error:

[tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w "XX"
> --mkhomedir --setup-dns --forwarder 8.8.8.8 --forwarder 8.8.4.4
> Checking DNS forwarders, please wait ...
> Run connection check to master
> Connection check OK
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
>   [1/44]: creating directory server user
>   [2/44]: creating directory server instance
>   [3/44]: updating configuration in dse.ldif
>   [4/44]: restarting directory server
>   [5/44]: adding default schema
>   [6/44]: enabling memberof plugin
>   [7/44]: enabling winsync plugin
>   [8/44]: configuring replication version plugin
>   [9/44]: enabling IPA enrollment plugin
>   [10/44]: enabling ldapi
>   [11/44]: configuring uniqueness plugin
>   [12/44]: configuring uuid plugin
>   [13/44]: configuring modrdn plugin
>   [14/44]: configuring DNS plugin
>   [15/44]: enabling entryUSN plugin
>   [16/44]: configuring lockout plugin
>   [17/44]: configuring topology plugin
>   [18/44]: creating indices
>   [19/44]: enabling referential integrity plugin
>   [20/44]: configuring certmap.conf
>   [21/44]: configure autobind for root
>   [22/44]: configure new location for managed entries
>   [23/44]: configure dirsrv ccache
>   [24/44]: enabling SASL mapping fallback
>   [25/44]: restarting directory server
>   [26/44]: creating DS keytab
>   [27/44]: retrieving DS Certificate
>   [28/44]: restarting directory server
> ipa : CRITICAL Failed to restart the directory server (Command
> '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned non-zero
> exit status 1). See the installation log for details.
>   [29/44]: setting up initial replication
>   [error] error: [Errno 111] Connection refused
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> Connection refused
> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> ipa-replica-install command failed. See /var/log/ipareplica-install.log for
> more information


In /var/log/ipareplica-install.log we find:

2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS Certificate
> 2017-02-16T15:53:59Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2017-02-16T15:53:59Z DEBUG Starting external process
> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
> 2017-02-16T15:53:59Z DEBUG Process finished, return code=255
> 2017-02-16T15:53:59Z DEBUG stdout=
>
> *2017-02-16T15:53:59Z DEBUG stderr=certutil: Could not find cert:
> IPA.RDMEDIA.COM  IPA CA: PR_FILE_NOT_FOUND_ERROR:
> File not found*
> 2017-02-16T15:53:59Z DEBUG Starting external process
> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -N -f
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt
> 2017-02-16T15:53:59Z DEBUG Process finished, return code=0
> 2017-02-16T15:53:59Z DEBUG stdout=
> 2017-02-16T15:53:59Z DEBUG stderr=
> 2017-02-16T15:53:59Z DEBUG Starting external process
> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -A -n IPA.RDMEDIA.COM IPA CA -t CT,C,C
> -a
> 2017-02-16T15:53:59Z DEBUG Process finished, return code=0
> 2017-02-16T15:53:59Z DEBUG stdout=
> 2017-02-16T15:53:59Z DEBUG stderr=
> 2017-02-16T15:53:59Z DEBUG certmonger request is in state
> dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
> 2017-02-16T15:54:04Z DEBUG certmonger request is in state
> dbus.String(u'CA_UNREACHABLE', variant_level=1)
> 2017-02-16T15:54:04Z DEBUG flushing
> ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket from SchemaCache
> 2017-02-16T15:54:04Z DEBUG retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket
> conn=
> 2017-02-16T15:54:05Z DEBUG   duration: 5 seconds
> 2017-02-16T15:54:05Z DEBUG   [28/44]: restarting directory server
> 2017-02-16T15:54:05Z DEBUG Starting external process
> 2017-02-16T15:54:05Z DEBUG args=/bin/systemctl --system daemon-reload
> 2017-02-16T15:54:05Z DEBUG Process finished, return code=0
> 2017-02-16T15:54:05Z DEBUG stdout=
> 2017-02-16T15:54:05Z DEBUG stderr=
> 2017-02-16T15:54:05Z DEBUG Starting external process
> 2017-02-16T15:54:05Z DEBUG args=/bin/systemctl restart
> dirsrv@IPA-RDMEDIA-COM.service
> 2017-02-16T15:54:06Z DEBUG Process finished, return code=1
> 2017-02-16T15:54:06Z DEBUG stdout=
> 2017-02-16T15:54:06Z DEBUG stderr=Job for dirsrv@IPA-RDMEDIA-COM.service
> failed because the control process exited with error code. See "systemctl
> status dirsrv@IPA-RDMEDIA-COM.service" and "jo

Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-16 Thread Tiemen Ruiten
@Martin: No messages are generated in the errors log during the failed
replica install, there are some warnings, but they are generated at
different times and they don't look related.

@Jeff, I did see that on one of the existing masters the listener was
configured to be "::1". I changed it to 127.0.0.1 but no difference. I
commented the ::1 localhost entry in /etc/hosts on all three nodes, no
difference either. My journal looks the same as in the bug report you linked:

Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.445272051 +0100] SSL alert: Security Initialization:
> Can't find certificate (Server-Cert) for family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.445891468 +0100] SSL alert: Security Initialization:
> Unable to retrieve private key for cert Server-Cert of family
> cn=RSA,cn=encryption,cn=config (Netscape Po
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.446420819 +0100] SSL failure: None of the cipher are
> valid
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.446913819 +0100] ERROR: SSL2 Initialization Failed.
> Disabling SSL2.
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.447550894 +0100] 389-Directory/1.3.5.10
> B2017.017.2314 starting up
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.460575142 +0100] default_mr_indexer_create: warning -
> plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.470162594 +0100] Can't find certificate Server-Cert
> in attrcrypt_fetch_private_key: -8174 - security library: bad database.
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.470985550 +0100] Can't get private key from cert
> Server-Cert in attrcrypt_fetch_private_key: -8174 - security library: bad
> database.
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.471763716 +0100] Error: unable to initialize
> attrcrypt system for userRoot
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.472487718 +0100] start: Failed to start databases,
> err=-1 BDB0092 Unknown error: -1
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.473207435 +0100] Failed to start database plugin ldbm
> database
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.475663288 +0100] WARNING: ldbm instance userRoot
> already exists
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.476418009 +0100] ldbm_config_read_instance_entries:
> failed to add instance entry cn=userRoot,cn=ldbm
> database,cn=plugins,cn=config
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.477152165 +0100] ldbm_config_load_dse_info: failed to
> read instance entries
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.477915898 +0100] start: Loading database
> configuration failed
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.478593267 +0100] Failed to start database plugin ldbm
> database
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.479243074 +0100] Error: Failed to resolve plugin
> dependencies
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.479836990 +0100] Error: betxnpreoperation plugin
> 7-bit check is not started
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.480476048 +0100] Error: preoperation plugin Account
> Usability Plugin is not started
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.481116304 +0100] Error: accesscontrol plugin ACL
> Plugin is not started
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.482357723 +0100] Error: preoperation plugin ACL
> preoperation is not started
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.483158681 +0100] Error: betxnpreoperation plugin Auto
> Membership Plugin is not started
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.483763046 +0100] Error: object plugin Class of
> Service is not started
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.484398389 +0100] Error: preoperation plugin deref is
> not started
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.485001277 +0100] Error: preoperation plugin HTTP
> Client is not started
> Feb 16 18:12:05 copernicum.ipa.rdmedia.com ns-slapd[6200]:
> [16/Feb/2017:18:12:05.485612725 +0100] Error: preoperation plugin IPA DNS
> is not started
> Feb 16 18:12:05 copern

Re: [Freeipa-users] Ubuntu client 2FA not working

2017-02-16 Thread Jochen Hein
Tommy Nikjoo  writes:

> I'm having some issues with 2FA PAM configs on Ubuntu clients.
> Currently, I'm guessing that the PAM module doesn't know how to talk to
> the 2FA protocol.  Is anyone able to give an insight into how to get
> this working correctly?

You may need to fix /etc/pam.d/common-auth, so that only pam_sss gets
called for IPA users:

# here are the per-package modules (the "Primary" block)
auth    [default=1 success=ok]          pam_localuser.so
auth    [success=3 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_succeed_if.so uid >= 1000 quiet_success
auth    [success=1 default=ignore]      pam_sss.so forward_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so


I'm running a 14.04 client with an older IPA client - there I have to
enter password+OTP in one string and it works perfectly.

On my 16.10 Laptop I use IPA 4.3.2 against CentOS 7.3 server. That
client had problems with OTP users which were not obvious to me.
The system asked for first and second factor but would give me system
error 7. I think the following entry in /etc/krb5.conf helped:

[libdefaults]
...
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
...

Otherwise please enable the debug trace and review the logs. They are
really verbose and you need to check both client and server for errors.
There is hope - I run Ubuntu clients with OTP users (OTP is via
privacyidea/radius, but that shouldn't matter).

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.



Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-16 Thread Matt .
Hi Flo! (if I may call you that; it saves some characters in typing,
but with this extra line it doesn't anymore :))

This works perfectly, thank you very much.

No questions further actually :)

Cheers,

Matt

2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud :
> On 02/15/2017 05:40 PM, Matt . wrote:
>>
>> Hi,
>>
>> Is there any update on this ? I need to install 3 other instances but
>> I would like to know upfront if it might be a bug.
>>
> Hi Matt,
>
> I was not able to reproduce your issue. Here were my steps:
>
> Install FreeIPA with self-signed cert:
> ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD
>
> The certificate chain is ca1 -> subca -> server.
> Install the root CA:
> kinit admin
> ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
> ipa-certupdate
>
> Install the subca:
> ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
> ipa-certupdate
>
> Install the server cert:
> ipa-server-certinstall -d -w server.pem key.pem
>
> ipa-certupdate basically retrieves the certificates from LDAP (below
> cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias but
> I don't remember it removing certs.
>
> Can you check the content of your LDAP server?
> kinit admin
> ldapsearch -h `hostname` -p 389 -Y GSSAPI -b
> cn=certificates,cn=ipa,cn=etc,$BASEDN
>
> It should contain one entry for each CA that you added.
>
> Flo.
>
>> Thanks,
>>
>> Matt
>>
>> 2017-02-14 17:59 GMT+01:00 Matt . :
>>>
>>> Hi Florence,
>>>
>>> Sure I can, here you go:
>>>
>>> Fedora 24
>>> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>>>
>>> I installed this server as self-signed CA
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>>
>>>
>>>
>>> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud :

 On 02/14/2017 05:43 PM, Matt . wrote:
>
>
> Hi Florance,
>
> Thanks for your update, good to see some good into about it. For
> Comodo I have install all these:
>
> AddTrustExternalCARoot.crt
> COMODORSAAddTrustCA.crt
> COMODORSADomainValidationSecureServerCA.crt
>
>  Where COMODORSADomainValidationSecureServerCA.crt is not needed as
> far as I know but the same issues still exist, the Server-Cert is
> removed again on ipa-certupdate and fails.
>
> I have tried this with setenforce 0
>
 Hi Matt,

 can you provide more info in order to reproduce the issue?
 - which OS are you using
 - IPA version
 - how did you install ipa server (CA-less or with self-signed CA or with
 externally-signed CA?)

 Thanks,
 Flo.


> Cheers,
>
> Matt
>
> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud :
>>
>>
>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>
>>>
>>>
>>> Certs are valid, I will check what you mentioned.
>>>
>>> I'm also no fan of bundles, more the separate files but this doesn't
>>> seem to work always. At least for the CAroot a bundle was required.
>>>
>> Hi Matt,
>>
>> if your certificate was provided by an intermediate CA, you need to add each
>> CA before running ipa-server-certinstall (start from the top-level CA with
>> ipa-cacert-manage install, then run ipa-certupdate, then the intermediate CA
>> with ipa-cacert-manage install, then ipa-certupdate etc...)
>>
>> There is also a known issue with ipa-certupdate and SELinux in enforcing
>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>
>> Flo.
>>
>>
>>> Matt
>>>
>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
>>> :



 Have you validated the cert (and dumped the contents) from the command
 line using the openssl tools?  I’ve seen the message you are seeing before,
 for some reason I seem to remember that it has to do with either a missing
 or an extra - at either the -BEGIN CERTIFICATE or -END
 CERTIFICATE (an error from copy and pasting and not copying the actual
 file).

 I’ve never used certupdate so if what is described above doesn’t help
 somebody else will have to chime in.

 Dan

> On Feb 14, 2017, at 2:18 AM, Matt .  wrote:
>
> Hi Dan,
>
> Yes, I have tried that and I get the message that it misses the full
> chain for the certificate.
>
> My issue is more, why is the Server-Cert being removed on a certupdate?
>
> Cheers,
>
> Matt
>
> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
> :
>>
>>
>>
>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with the
>> cert only (disclaimer: I’ve never done this).
>>
>> Dan
>>
>>> On Feb 13, 2

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-16 Thread Florence Blanc-Renaud

On 02/16/2017 09:55 PM, Matt . wrote:

Hi Flo! (if I may call you like that, saves some characters in typing
but with this extra line it doesn't anymore :))

This works perfectly, thank you very much.


Hi Matt,

glad I could help. What did you do differently that could explain the 
failure, though? Maybe the cert installation needs some hardening.


Flo.

No further questions actually :)

Cheers,

Matt

2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud :

On 02/15/2017 05:40 PM, Matt . wrote:


Hi,

Is there any update on this ? I need to install 3 other instances but
I would like to know upfront if it might be a bug.


Hi Matt,

I was not able to reproduce your issue. Here were my steps:

Install FreeIPA with self-signed cert:
ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD

The certificate chain is ca1 -> subca -> server.
Install the root CA:
kinit admin
ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
ipa-certupdate

Install the subca:
ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
ipa-certupdate

Install the server cert:
ipa-server-certinstall -d -w server.pem key.pem

ipa-certupdate basically retrieves the certificates from LDAP (below
cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias but
I don't remember it removing certs.

Can you check the content of your LDAP server?
kinit admin
ldapsearch -h `hostname` -p 389 -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN

It should contain one entry for each CA that you added.

Flo.


Thanks,

Matt

2017-02-14 17:59 GMT+01:00 Matt . :


Hi Florance,

Sure I can, here you go:

Fedora 24
Freeipa VERSION: 4.4.2, API_VERSION: 2.215

I installed this server as self-signed CA

Cheers,

Matt




2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud :


On 02/14/2017 05:43 PM, Matt . wrote:



Hi Florance,

Thanks for your update, good to see some good info about it. For
Comodo I have installed all these:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

 Where COMODORSADomainValidationSecureServerCA.crt is not needed as
far as I know but the same issues still exist, the Server-Cert is
removed again on ipa-certupdate and fails.

I have tried this with setenforce 0


Hi Matt,

can you provide more info in order to reproduce the issue?
- which OS are you using
- IPA version
- how did you install ipa server (CA-less or with self-signed CA or with
externally-signed CA?)

Thanks,
Flo.



Cheers,

Matt

2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud :



On 02/14/2017 02:54 PM, Matt . wrote:




Certs are valid, I will check what you mentioned.

I'm also no fan of bundles, more the separate files but this doesn't
seem to work always. At least for the CAroot a bundle was required.


Hi Matt,

if your certificate was provided by an intermediate CA, you need to add each
CA before running ipa-server-certinstall (start from the top-level CA with
ipa-cacert-manage install, then run ipa-certupdate, then the intermediate CA
with ipa-cacert-manage install, then ipa-certupdate etc...)

There is also a known issue with ipa-certupdate and SELinux in enforcing
mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).

Flo.



Matt

2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
:




Have you validated the cert (and dumped the contents) from the command
line using the openssl tools?  I’ve seen the message you are seeing before,
for some reason I seem to remember that it has to do with either a missing
or an extra - at either the -BEGIN CERTIFICATE or -END
CERTIFICATE (an error from copy and pasting and not copying the actual
file).

I’ve never used certupdate so if what is described above doesn’t help
somebody else will have to chime in.

Dan


On Feb 14, 2017, at 2:18 AM, Matt .  wrote:

Hi Dan,

Yes, I have tried that and I get the message that it misses the full
chain for the certificate.

My issue is more, why is the Server-Cert being removed on a certupdate?

Cheers,

Matt

2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
:




Is the chain in mydomain_com_bundle.crt?  Have you tried it with the
cert only (disclaimer: I’ve never done this).

Dan


On Feb 13, 2017, at 4:08 PM, Matt . 
wrote:

Hi Guys,

I'm trying to install a 3rd party certificate using:




http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA

When I run the install command for the certificate itself:

]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
Directory Manager password:

Enter private key unlock password:

list index out of range
The ipa-server-certinstall command failed.


If I do a #ipa-certupdate the Server-Cert is removed from
/etc/httpd/alias and the install fails because of this.

What can I do to solve this ?

Thanks,

Matt

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
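A pre-flight check for the certificate files before they reach ipa-cacert-manage and ipa-server-certinstall, as an added example that is not part of this thread or of FreeIPA. It rejects the paste defects Dan describes (a BEGIN/END marker with the wrong number of dashes, a body that lost bytes) by checking the PEM armour and the outer DER envelope, splits a bundle into one block per CA, and emits the install sequence Florence gives (per CA, ipa-cacert-manage install followed by ipa-certupdate, top-level CA first). The sample input is a constructed minimal DER SEQUENCE standing in for a real certificate; the nicknames ca1/subca and $PASSWORD are placeholders copied from the thread; no X.509 parsing is done, so ordering the CA files root first is the caller's job.

```python
import base64
import binascii
import re

# PEM markers carry exactly five dashes on each side; four or six is a paste error.
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


class PemError(ValueError):
    """A defect that would make the IPA tools reject the file."""


def split_pem(text):
    """Return [(label, der_bytes), ...]; raise PemError on a malformed marker,
    an END that does not close the open BEGIN, bad base64 or an open block."""
    blocks, label, body = [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-"):          # base64 never contains '-'
            begin, end = _BEGIN.match(line), _END.match(line)
            if begin and label is None:
                label, body = begin.group(1), []
            elif end and label == end.group(1):
                try:
                    der = base64.b64decode("".join(body), validate=True)
                except binascii.Error as exc:
                    raise PemError("%s block: bad base64 (%s)" % (label, exc))
                blocks.append((label, der))
                label, body = None, []
            else:
                raise PemError("line %d: bad marker %r" % (lineno, line))
        elif label is not None:
            body.append(line)
    if label is not None:
        raise PemError("unterminated %s block" % label)
    return blocks


def check_der(der):
    """Verify the outer DER envelope (a SEQUENCE whose declared length covers
    exactly the bytes present) and return the declared content length."""
    if len(der) < 2 or der[0] != 0x30:
        raise PemError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        header, length = 2, first
    else:                                 # long form: 0x80|N, then N bytes
        n = first & 0x7F
        if not 1 <= n <= 4 or len(der) < 2 + n:
            raise PemError("bad DER length encoding")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise PemError("DER declares %d bytes, %d present" % (header + length, len(der)))
    return length


def validate_bundle(text):
    """Split and check a CA bundle; return [(label, der_length), ...]."""
    out = []
    for label, der in split_pem(text):
        if label != "CERTIFICATE":
            raise PemError("unexpected %s block in a CA bundle" % label)
        out.append((label, check_der(der)))
    return out


def rejected(text):
    """True if validate_bundle refuses text; lets a wrapper script gate on it."""
    try:
        validate_bundle(text)
    except PemError:
        return True
    return False


def install_plan(ca_files):
    """Shell lines in the order the thread gives: per CA, ipa-cacert-manage
    install then ipa-certupdate, top-level CA first.  ca_files is
    [(nickname, path), ...] already ordered root -> intermediate."""
    lines = []
    for nick, path in ca_files:
        lines.append("ipa-cacert-manage -p $PASSWORD -n %s -t C,, install %s" % (nick, path))
        lines.append("ipa-certupdate")
    return lines


# Constructed samples: the base64 is DER for SEQUENCE { INTEGER 5 }, standing
# in for a real certificate; the defects mirror the ones discussed above.
GOOD_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
BAD_MARKER_PEM = GOOD_PEM.replace("-----BEGIN", "----BEGIN", 1)       # four dashes
TRUNCATED_PEM = GOOD_PEM.replace("MAMCAQU=", "MAMCAQ==")               # lost last byte

if __name__ == "__main__":
    print(validate_bundle(GOOD_PEM + GOOD_PEM))
    print(rejected(BAD_MARKER_PEM), rejected(TRUNCATED_PEM))
    print("\n".join(install_plan([("ca1", "ca1.pem"), ("subca", "subca.pem")])))
```

A bundle from a public CA is usually ordered leaf first; split it with split_pem, write each CA block to its own file, and hand the CA files to install_plan root first, which is the order the thread's sequence requires. If validate_bundle raises, fix the file before running any ipa-* command.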








Re: [Freeipa-users] How to change kerberos key lifetime?

2017-02-16 Thread William Muriithi
David


>
> The fact that your desktops are using SSSD changes the situation dramatically.
>
> SSSD (with ipa or krb5 provider) obtains ticket for user when he is 
> logging-in.
> And can be configured to renew the ticket for the user until the ticket renew
> life time expires.
>
> Given this you can keep ticket life time reasonable short (~1 day) set ticket
> renewable life time to longer period (~2 weeks) and maintain reasonable
> security level without negative impact on user's daily work.
>
> Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
> in sssd-krb5 man page.
>
Thanks a lot.  I did actually end up using this.   Will wait for a
couple of days and see if the situation is better and update you.

Curious though, why isn't the renewal interval set up by default?  Is there
a negative consequence of having SSSD renewing tickets by default?  I
can't think of any and hence am a bit lost on explaining the default
setup.
> --
Regards,
William

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-16 Thread Matt .
Hi Flo,

Sure I can, I will look through the steps closely tomorrow and will
create some lineup here.

Cheers,

Matt

2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud :
> On 02/16/2017 09:55 PM, Matt . wrote:
>>
>> Hi Flo! (if I may call you like that, saves some characters in typing
>> but with this extra line it doesn't anymore :))
>>
>> This works perfectly, thank you very much.
>>
> Hi Matt,
>
> glad I could help. What did you do differently that could explain the
> failure, though? Maybe the cert installation needs some hardening.
>
> Flo.
>
>> No further questions actually :)
>>
>> Cheers,
>>
>> Matt
>>
>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud :
>>>
>>> On 02/15/2017 05:40 PM, Matt . wrote:


 Hi,

 Is there any update on this ? I need to install 3 other instances but
 I would like to know upfront if it might be a bug.

>>> Hi Matt,
>>>
>>> I was not able to reproduce your issue. Here were my steps:
>>>
>>> Install FreeIPA with self-signed cert:
>>> ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD
>>>
>>> The certificate chain is ca1 -> subca -> server.
>>> Install the root CA:
>>> kinit admin
>>> ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
>>> ipa-certupdate
>>>
>>> Install the subca:
>>> ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
>>> ipa-certupdate
>>>
>>> Install the server cert:
>>> ipa-server-certinstall -d -w server.pem key.pem
>>>
>>> ipa-certupdate basically retrieves the certificates from LDAP (below
>>> cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias
>>> but
>>> I don't remember it removing certs.
>>>
>>> Can you check the content of your LDAP server?
>>> kinit admin
>>> ldapsearch -h `hostname` -p 389 -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN
>>>
>>> It should contain one entry for each CA that you added.
>>>
>>> Flo.
>>>
 Thanks,

 Matt

 2017-02-14 17:59 GMT+01:00 Matt . :
>
>
> Hi Florance,
>
> Sure I can, here you go:
>
> Fedora 24
> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>
> I installed this server as self-signed CA
>
> Cheers,
>
> Matt
>
>
>
>
> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud :
>>
>>
>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>
>>>
>>>
>>> Hi Florance,
>>>
>>> Thanks for your update, good to see some good info about it. For
>>> Comodo I have installed all these:
>>>
>>> AddTrustExternalCARoot.crt
>>> COMODORSAAddTrustCA.crt
>>> COMODORSADomainValidationSecureServerCA.crt
>>>
>>>  Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>> far as I know but the same issues still exist, the Server-Cert is
>>> removed again on ipa-certupdate and fails.
>>>
>>> I have tried this with setenforce 0
>>>
>> Hi Matt,
>>
>> can you provide more info in order to reproduce the issue?
>> - which OS are you using
>> - IPA version
>> - how did you install ipa server (CA-less or with self-signed CA or
>> with
>> externally-signed CA?)
>>
>> Thanks,
>> Flo.
>>
>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud :



 On 02/14/2017 02:54 PM, Matt . wrote:
>
>
>
>
> Certs are valid, I will check what you mentioned.
>
> I'm also no fan of bundles, more the separate files but this doesn't
> seem to work always. At least for the CAroot a bundle was required.
>
 Hi Matt,

 if your certificate was provided by an intermediate CA, you need to add each
 CA before running ipa-server-certinstall (start from the top-level CA with
 ipa-cacert-manage install, then run ipa-certupdate, then the intermediate CA
 with ipa-cacert-manage install, then ipa-certupdate etc...)

 There is also a known issue with ipa-certupdate and SELinux in enforcing
 mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).

 Flo.


> Matt
>
> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
> :
>>
>>
>>
>>
>> Have you validated the cert (and dumped the contents) from the command
>> line using the openssl tools?  I’ve seen the message you are seeing before,
>> for some reason I seem to remember that it has to do with either a missing
>> or an extra - at either the -BEGIN CERTIFICATE or -END
>> CERTIFICATE (an error from copy and pasting and not copying the actual
>> file).
>>
>> I’ve never used certupdate so if wha

Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-16 Thread Carlos Silva
On Thu, Feb 16, 2017 at 5:23 PM, Tiemen Ruiten  wrote:

> @Jeff, I did see that on one of the existing masters the listener was
> configured to be "::1". I changed it to 127.0.0.1 but no difference. I
> commented the ::1 localhost entry in /etc/hosts on all three nodes, no
> difference either. My journal looks the same as in the bugreport you linked:
>

You did restart the service, right? (Just to be sure.)
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] How to change kerberos key lifetime?

2017-02-16 Thread David Kupka
On Thu, Feb 16, 2017 at 06:05:48PM -0500, William Muriithi wrote:
> David
> 
> 
> >
> > The fact that your desktops are using SSSD changes the situation 
> > dramatically.
> >
> > SSSD (with ipa or krb5 provider) obtains ticket for user when he is 
> > logging-in.
> > And can be configured to renew the ticket for the user until the ticket 
> > renew
> > life time expires.
> >
> > Given this you can keep ticket life time reasonable short (~1 day) set 
> > ticket
> > renewable life time to longer period (~2 weeks) and maintain reasonable
> > security level without negative impact on user's daily work.
> >
> > Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
> > in sssd-krb5 man page.
> >
> Thanks a lot.  I did actually end up using this.   Will wait for a
> couple of days and see if the situation is better and update you.
>
> Curious though, why isn't the renewal interval set up by default?  Is there
> a negative consequence of having SSSD renewing tickets by default?  I
> can't think of any and hence am a bit lost on explaining the default
> setup.
> > --
> Regards,
> William

Honestly, I don't know why krb5_renew_interval isn't set by default.

My wild guess would be that in a typical SSSD deployment the user logs in at the
beginning of the work day, SSSD gets a ticket that lasts for a day for him and he
logs out at the end of the workday (after 8~10 hours). So there's no need to
refresh it.

But feel free to open a ticket for SSSD [1] and describe your use case. I don't
know SSSD that well and maybe there's no reason against setting it by default.

[1] https://fedorahosted.org/sssd/newticket

-- 
David Kupka


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
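As an added example that is not part of this thread or of SSSD, the following script parses the three sssd-krb5(5) options David names out of an sssd.conf and reports the combinations under which automatic TGT renewal cannot do its job. The sssd.conf fragment is constructed and the domain example.test is made up; the duration suffixes accepted (s, m, h, d) are the ones the man page documents, and the problem messages are this example's wording, not SSSD's.

```python
import configparser
import io

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}   # suffixes listed in sssd-krb5(5)
OPTIONS = ("krb5_lifetime", "krb5_renewable_lifetime", "krb5_renew_interval")


def parse_duration(value):
    """'3600' -> 3600, '45m' -> 2700, '1d' -> 86400: an integer with an
    optional s/m/h/d suffix, which is the syntax sssd-krb5(5) accepts."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    if len(value) > 1 and value[:-1].isdigit() and value[-1] in _UNITS:
        return int(value[:-1]) * _UNITS[value[-1]]
    raise ValueError("unsupported duration %r" % value)


def renewal_settings(conf_text, domain):
    """Return {option: seconds or None} from the [domain/<domain>] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(conf_text))
    sect = cp["domain/" + domain]
    return {k: parse_duration(sect[k]) if k in sect else None for k in OPTIONS}


def check_renewal(s):
    """List the reasons SSSD would not keep the TGT alive; [] means the three
    values are consistent.  Unset options get the sssd-krb5(5) defaults: no
    renew interval disables renewal, no renewable lifetime means the ticket
    is requested non-renewable, no lifetime means the KDC default applies."""
    life, renewable, interval = (s[k] for k in OPTIONS)
    problems = []
    if not interval:
        problems.append("krb5_renew_interval unset or 0: automatic renewal is disabled")
    if not renewable:
        problems.append("krb5_renewable_lifetime unset: the TGT is not renewable")
    if life and interval and interval >= life:
        problems.append("krb5_renew_interval >= krb5_lifetime: the TGT can expire "
                        "between two renewal checks")
    if life and renewable and renewable <= life:
        problems.append("krb5_renewable_lifetime <= krb5_lifetime: renewal cannot "
                        "extend the ticket")
    return problems


# Constructed sssd.conf following David's sizing: about a day per ticket,
# about two weeks renewable.  The domain name is made up.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
auth_provider = ipa
krb5_lifetime = 1d
krb5_renewable_lifetime = 14d
krb5_renew_interval = 30m
"""

if __name__ == "__main__":
    settings = renewal_settings(SAMPLE_SSSD_CONF, "example.test")
    print(settings)
    print(check_renewal(settings) or "renewal settings are consistent")
```

The KDC has the last word: FreeIPA's ticket policy (ipa krbtpolicy-show, fields Max life and Max renew, in seconds) caps whatever SSSD asks for, so a 14d renewable lifetime only takes effect if Max renew has been raised to match, for example with ipa krbtpolicy-mod --maxrenew=1209600.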