[Freeipa-users] Weird problem with DNS updates from dhcp clients

[Sameer Gurung]

Hi all,

I have installed freeipa server in a centos macning with about 70 client
machines running linux mint. Since I am in a mixed enviroment my DHCP
server is running in windows 2008 r2. The setup and  joining the ipa domain
went off without a hitch. However I now find that when the IP addresses of
my client change they do not update the ipa dns server. And the weird thing
is if i log in to the client machine and manually put the network on and
off using the NetworkManager applet it updates the ipa dns server with the
new ip. That is the only way the update happens.

I would appreciate any help in this .. I have been struggling to up my
network for a while and its  driving me insane


with regards,



*---Sameer ---*

-- 
This message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system. E-mail transmission cannot be 
guaranteed to be secure or error-free as information could be intercepted, 
corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. 
The sender therefore does not accept liability for any errors or omissions 
in the contents of this message, which arise as a result of e-mail 
transmission. If verification is required please request a hard-copy 
version. 
Saint Mary's College, Shillong, Meghalaya, India-793003,
smcs.ac.in
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] U2F and ipa for ssh

[Fraser Tweedale]

On Thu, Apr 20, 2017 at 08:04:34AM -0400, Marc Boorshtein wrote:
> Has anyone looked into using U2F with freeipa?  My guess is you would need
> a customized ssh client to interact with the device but in theory you could
> just transform the users U2F public key into an ssh key.
> 
> Marc Boorshtein
> CTO, Tremolo Security, Inc.

Hi Marc,

We have had preliminary discussion about U2F.

As you suggest, U2F requires client support.  U2F does not provide a
general signing operation (it only signs a specific kind of
message[1]) so some server support is probably required as well.

[1] 
https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-response-message-success

That said, a lot of U2F devices have additional / alternative modes
with PKCS #11 interfaces, e.g. PIV, allowing them to be used as
generic crypto tokens.

Thanks,
Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

[Fraser Tweedale]

On Thu, Apr 20, 2017 at 07:31:16PM -0400, Prasun Gera wrote:
> I can confirm that I see this behaviour too. My ipa server install is a
> pretty stock install with no 3rd party certificates.
> 
> On Thu, Apr 20, 2017 at 5:46 PM, Simon Williams <
> simon.willi...@thehelpfulcat.com> wrote:
> 
> > Yesterday, Chrome on both my Ubuntu and Windows machines updated to
> > version 58.0.3029.81.  It appears that this version of Chrome will not
> > trust certificates based on Common Name.  Looking at the Chrome
> > documentation and borne out by one of the messages, from Chrome 58,
> > the subjectAltName is required to identify the DNS name of the host that
> > the certificate is issued for.  I would be grateful if someone could point
> > me in the direction of how to recreate my SSL certificates so that
> > the subjectAltName is populated.
> >
> > Thanks in advance
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> >
Which version of IPA are you using?

The first thing you should do, which I think should be sufficient in
most cases, is to tell certmonger to submit a new cert request for
each affected certificate, instructing to include the relevant
DNSName in the subjectAltName extension in the CSR.

To list certmonger tracking requests and look for the HTTPS
certificate.  For example:

$ getcert list
Number of certificate and requests being tracked: 11
...
Request ID '20170418012901':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.LOCAL 201703211317
subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
expires: 2019-03-22 03:20:19 UTC
dns: f25-2.ipa.local
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: 
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
...

Using the Request ID of the HTTPS certificate, resubmit the request
but use the ``-D `` option to specify a DNSName to include
in the SAN extension:

  $ getcert resubmit -i  -D 

``-D `` can be specified multiple times, if necessary.

This should request a new certificate that will have the server DNS
name in the SAN extension.

HTH,
Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

[Prasun Gera]

I can confirm that I see this behaviour too. My ipa server install is a
pretty stock install with no 3rd party certificates.

On Thu, Apr 20, 2017 at 5:46 PM, Simon Williams <
simon.willi...@thehelpfulcat.com> wrote:

> Yesterday, Chrome on both my Ubuntu and Windows machines updated to
> version 58.0.3029.81.  It appears that this version of Chrome will not
> trust certificates based on Common Name.  Looking at the Chrome
> documentation and borne out by one of the messages, from Chrome 58,
> the subjectAltName is required to identify the DNS name of the host that
> the certificate is issued for.  I would be grateful if someone could point
> me in the direction of how to recreate my SSL certificates so that
> the subjectAltName is populated.
>
> Thanks in advance
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

[Simon Williams]

Yesterday, Chrome on both my Ubuntu and Windows machines updated to
version 58.0.3029.81.  It appears that this version of Chrome will not
trust certificates based on Common Name.  Looking at the Chrome
documentation and borne out by one of the messages, from Chrome 58,
the subjectAltName is required to identify the DNS name of the host that
the certificate is issued for.  I would be grateful if someone could point
me in the direction of how to recreate my SSL certificates so that
the subjectAltName is populated.

Thanks in advance
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)

[Rob Crittenden]

Andrew Krause wrote:
> Sorry for the self bump but no one has any insight on this?
> 
> 
>> On Apr 17, 2017, at 11:31 AM, Andrew Krause 
>>  wrote:
>>
>> Many hosts in our web ui show a null status for “enrolled”.  When you do a 
>> search that includes any of these host objects the web UI posts errors, and 
>> if you click on one of the problem hosts the same error stops anything from 
>> loading on the host page.  
>>
>> I’ve been trying to solve this problem on my own for quite some time and 
>> have not been successful.  It’s impossible to remove the host through the 
>> web UI and using CLI commands seem to remove the entry from IPA (host is not 
>> found with ipa host-find), but it is still visible in the UI.  One thing 
>> that may be common with all of these hosts is that they were enrolled with 
>> our IPA system back while we were running version 3.0 and likely have had 
>> issues for quite some time.  Multiple updates have happened since then, and 
>> all of our hosts added within the last year are working fine.  I suspect 
>> there’s an issue with a path somewhere for a certificate database, but I’m 
>> unable to pinpoint what is going wrong.  

It should not be possible to have different views in the UI and the CLI
since they make the same backend calls. What you'd want to do, hopefully
on a semi-quiet system, is to do a host-find on the CLI and then list
all hosts in the UI and compare the logs in /var/log/httpd/error_log and
look at the LDAP queries in /var/log/dirsrv/slapd-REALM/access (this is
a buffered log so be patient).

They should be doing more or less the exact same set of queries.

Very doubtful that this has anything to do with certs. Anything on the
client would be completely separate from what is on the server.

One thing you may be seeing though is that in 3.0 clients a host
certificate was obtained for it. This was dropped with 4.0, but it
wouldn't affect any visibility on the server.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)

[Andrew Krause]

Sorry for the self bump but no one has any insight on this?


> On Apr 17, 2017, at 11:31 AM, Andrew Krause 
>  wrote:
> 
> Many hosts in our web ui show a null status for “enrolled”.  When you do a 
> search that includes any of these host objects the web UI posts errors, and 
> if you click on one of the problem hosts the same error stops anything from 
> loading on the host page.  
> 
> I’ve been trying to solve this problem on my own for quite some time and have 
> not been successful.  It’s impossible to remove the host through the web UI 
> and using CLI commands seem to remove the entry from IPA (host is not found 
> with ipa host-find), but it is still visible in the UI.  One thing that may 
> be common with all of these hosts is that they were enrolled with our IPA 
> system back while we were running version 3.0 and likely have had issues for 
> quite some time.  Multiple updates have happened since then, and all of our 
> hosts added within the last year are working fine.  I suspect there’s an 
> issue with a path somewhere for a certificate database, but I’m unable to 
> pinpoint what is going wrong.  
> 
> 
> I’m currently cloning 2 of my IPA servers into a private dmz to test fixes so 
> I can try things without worry...
> 
> 1. Realized we had many certificates that were expired and not renewing with 
> “getcert list” on primary IPA server
> 2. Tried every document I could find on renewing the certificates but was 
> never completely successful (on version 4.1 which is our current in 
> production)
> 3. Upgraded to 4.4 and was actually able to renew all certificates listed on 
> the main IPA server showing current below 
> 4. After having success with #3 I was able to start the CA service without 
> error and everything on the server seems to be working as expected
> 5. Have attempted many variations of removing a problem host and adding it 
> back, but the errors in the web UI persist. 
> 
> Output from "getcert list": 
> 
> Number of certificates and requests being tracked: 8.
> Request ID '20160901214852':
>   status: MONITORING
>   stuck: no
>   key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=DOMAIN.COM
>   subject: CN=CA Audit,O=DOMAIN.COM
>   expires: 2018-08-22 22:13:44 UTC
>   key usage: digitalSignature,nonRepudiation
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "auditSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20160901214853':
>   status: MONITORING
>   stuck: no
>   key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=DOMAIN.COM
>   subject: CN=OCSP Subsystem,O=DOMAIN.COM
>   expires: 2018-08-22 21:49:26 UTC
>   eku: id-kp-OCSPSigning
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "ocspSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20160901214854':
>   status: MONITORING
>   stuck: no
>   key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=DOMAIN.COM
>   subject: CN=CA Subsystem,O=DOMAIN.COM
>   expires: 2018-08-22 21:49:18 UTC
>   key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "subsystemCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20160901214855':
>   status: MONITORING
>   stuck: no
>   key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate 

Re: [Freeipa-users] cannot add posix group or user

[thierry bordaz]

On 04/20/2017 03:05 PM, Cox, Jason wrote:



-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, April 19, 2017 4:27 PM
To: Cox, Jason (U.S. Person) ; freeipa-
us...@redhat.com
Subject: Re: [Freeipa-users] cannot add posix group or user

Cox, Jason wrote:

Hi all,



I had to reinstall my IPA setup, so I’m using 4.4 and am learning the
newer domain levels and topology features.

I’ve installed 3 servers.

I promoted one of the replicas to master and demoted the original
master to replica according to the documentation.

According to what documentation?

Note that they are all masters, some may just run different services and only
one has a few duties (like CRL generation).


Here: https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
And here: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-roles.html#server-roles-promote-to-ca

Yes, I was referring to CRL master

And yes, I failed to continue reading 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/
 to find what I needed to know concerning the id ranges. Sorry about that.



I ran into an issue with the original master no longer replicating, so
I performed an ipa-server-install –uninstall and removed the
host/server from IPA.

This is the where the problem started.


I re-setup the replica using ipa-client-install and then
ipa-replica-install, and had no errors reported in the output.

I then went into Web UI and setup replication agreements using the
topology graph page between the new replica and the previous replica
(the master/new replica agreements being setup by the replica install
script).



I then attempted to add a posix group account and got an operational
error message. This caused ldap to crash on the server I was
interfacing with.

If you are getting a core it would be very enlightening to get a stack trace
from that (you'll need to install the debuginfo package to get any really
useful data out of it).


I haven't had to get a core file from a systemd service before, so I did it the 
wrong way, but this is what I managed to get:

>From journalctl:
*** Error in `/usr/sbin/ns-slapd': free(): invalid pointer: 0x7fbcd82f5fb0 
***
Apr 19 17:13:56 server1 ns-slapd[1892]: === Backtrace: =
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libc.so.6(+0x7c503)[0x7fbd4522c503]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libldap_r-2.4.so.2(ldap_mods_free+0x81)[0x7fbd46ba1a11]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/usr/lib64/dirsrv/libslapd.so.0(do_modify+0x7e0)[0x7fbd479f96a0]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/usr/sbin/ns-slapd(+0x1b9e0)[0x7fbd47ee29e0]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libnspr4.so(+0x289bb)[0x7fbd45bd89bb]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libpthread.so.0(+0x7dc5)[0x7fbd45578dc5]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libc.so.6(clone+0x6d)[0x7fbd452a773d]


>From an eventual core and gdb (and not from the same crash as the journalctl 
output):
(gdb) bt
#0  __GI___libc_free (mem=0x41) at malloc.c:2929
#1  0x7f87f6fca24c in ber_memvfree_x (vec=0x7f876c00a900, ctx=0x0) at 
memory.c:180
#2  0x7f87f71f2a11 in ldap_mods_free (mods=0x7f876c001fb0, freemods=1) at 
free.c:94
#3  0x7f87f804a6a0 in do_modify (pb=pb@entry=0x7f87b4ff0a90) at 
ldap/servers/slapd/modify.c:390
#4  0x7f87f85339e0 in connection_dispatch_operation (pb=0x7f87b4ff0a90, 
op=0x7f87f931bf80, conn=0x7f87d82d0768) at ldap/servers/slapd/connection.c:627
#5  connection_threadmain () at ldap/servers/slapd/connection.c:1759
#6  0x7f87f62299bb in _pt_root () from /lib64/libnspr4.so
#7  0x7f87f5bc9dc5 in start_thread (arg=0x7f87b4ff1700) at 
pthread_create.c:308
#8  0x7f87f58f873d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:113


Hi,

This is looking like the heap corruption and this backstack is 
unfortunately not enough to identify if it is a known/fixed one or not.
This part of code (do_modify) was not recently changed regarding heap 
corruption and I would rather expect this thread to be the victim than 
responsible of it.

What 389-ds version are you running ?
We fixed recently a bug that could be the root cause (of course not 100% 
sure). Did you update 389-ds to the most recent one ?


Do you manage to reproduce this crash ?
For heap corruption, you may use valgrind but it could be too impacting 
for production performance.


regards
thierry


(gdb) bt full
#0  __GI___libc_free (mem=0x41) at malloc.c:2929
 ar_ptr = 
 p = 
 hook = 0x0
#1  0x7f87f6fca24c in ber_memvfree_x (vec=0x7f876c00a900, ctx=0x0) at 
memory.c:180
 i = 
#2  0x7f87f71f2a11 in ldap_mods_free (mods=0x7f876c001fb0, freemods=1) at 
free.c:94
 i = 
#3  0x7f87f804a6a0 in do_modify 

Re: [Freeipa-users] cannot add posix group or user

[Rob Crittenden]

Cox, Jason wrote:
> 
>> Thank you. 
> Setting the id ranges manually fixed my problem.

Great, glad you're up and running again.

I forwarded the stack trace to the 389-ds developers, thanks for that.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] cannot add posix group or user

[Cox, Jason]

> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Wednesday, April 19, 2017 4:27 PM
> To: Cox, Jason (U.S. Person) ; freeipa-
> us...@redhat.com
> Subject: Re: [Freeipa-users] cannot add posix group or user
> 
> Cox, Jason wrote:
> > Hi all,
> >
> >
> >
> > I had to reinstall my IPA setup, so I’m using 4.4 and am learning the
> > newer domain levels and topology features.
> >
> > I’ve installed 3 servers.
> >
> > I promoted one of the replicas to master and demoted the original
> > master to replica according to the documentation.
> 
> According to what documentation?
> 
> Note that they are all masters, some may just run different services and only
> one has a few duties (like CRL generation).
> 

Here: https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master 
And here: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-roles.html#server-roles-promote-to-ca
 

Yes, I was referring to CRL master

And yes, I failed to continue reading 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/
 to find what I needed to know concerning the id ranges. Sorry about that.


> > I ran into an issue with the original master no longer replicating, so
> > I performed an ipa-server-install –uninstall and removed the
> > host/server from IPA.
> 
> This is the where the problem started.
> 
> >
> > I re-setup the replica using ipa-client-install and then
> > ipa-replica-install, and had no errors reported in the output.
> >
> > I then went into Web UI and setup replication agreements using the
> > topology graph page between the new replica and the previous replica
> > (the master/new replica agreements being setup by the replica install
> > script).
> >
> >
> >
> > I then attempted to add a posix group account and got an operational
> > error message. This caused ldap to crash on the server I was
> > interfacing with.
> 
> If you are getting a core it would be very enlightening to get a stack trace
> from that (you'll need to install the debuginfo package to get any really
> useful data out of it).
> 

I haven't had to get a core file from a systemd service before, so I did it the 
wrong way, but this is what I managed to get:

>From journalctl:
*** Error in `/usr/sbin/ns-slapd': free(): invalid pointer: 0x7fbcd82f5fb0 
***
Apr 19 17:13:56 server1 ns-slapd[1892]: === Backtrace: =
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libc.so.6(+0x7c503)[0x7fbd4522c503]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libldap_r-2.4.so.2(ldap_mods_free+0x81)[0x7fbd46ba1a11]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/usr/lib64/dirsrv/libslapd.so.0(do_modify+0x7e0)[0x7fbd479f96a0]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/usr/sbin/ns-slapd(+0x1b9e0)[0x7fbd47ee29e0]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libnspr4.so(+0x289bb)[0x7fbd45bd89bb]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libpthread.so.0(+0x7dc5)[0x7fbd45578dc5]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libc.so.6(clone+0x6d)[0x7fbd452a773d]


>From an eventual core and gdb (and not from the same crash as the journalctl 
>output):
(gdb) bt
#0  __GI___libc_free (mem=0x41) at malloc.c:2929
#1  0x7f87f6fca24c in ber_memvfree_x (vec=0x7f876c00a900, ctx=0x0) at 
memory.c:180
#2  0x7f87f71f2a11 in ldap_mods_free (mods=0x7f876c001fb0, freemods=1) at 
free.c:94
#3  0x7f87f804a6a0 in do_modify (pb=pb@entry=0x7f87b4ff0a90) at 
ldap/servers/slapd/modify.c:390
#4  0x7f87f85339e0 in connection_dispatch_operation (pb=0x7f87b4ff0a90, 
op=0x7f87f931bf80, conn=0x7f87d82d0768) at ldap/servers/slapd/connection.c:627
#5  connection_threadmain () at ldap/servers/slapd/connection.c:1759
#6  0x7f87f62299bb in _pt_root () from /lib64/libnspr4.so
#7  0x7f87f5bc9dc5 in start_thread (arg=0x7f87b4ff1700) at 
pthread_create.c:308
#8  0x7f87f58f873d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:113


(gdb) bt full
#0  __GI___libc_free (mem=0x41) at malloc.c:2929
ar_ptr = 
p = 
hook = 0x0
#1  0x7f87f6fca24c in ber_memvfree_x (vec=0x7f876c00a900, ctx=0x0) at 
memory.c:180
i = 
#2  0x7f87f71f2a11 in ldap_mods_free (mods=0x7f876c001fb0, freemods=1) at 
free.c:94
i = 
#3  0x7f87f804a6a0 in do_modify (pb=pb@entry=0x7f87b4ff0a90) at 
ldap/servers/slapd/modify.c:390
operation = 0x7f87f931bf80
smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, 
free_mods = 0}
ber = 
tag = 
len = 18446744073709551615
normalized_mods = 0x7f876c001fb0
mod = 0x0
mods = 0x7f876c00c200
last = 0x7f876c000e23 ""
type = 0x0
old_pw = 0x0
rawdn = 0x7f876c000920 "cn=svcaccount,cn=groups,cn=accounts,dc=MYDOMAIN"
minssf_exclude_rootdse = 

[Freeipa-users] U2F and ipa for ssh

[Marc Boorshtein]

Has anyone looked into using U2F with freeipa?  My guess is you would need
a customized ssh client to interact with the device but in theory you could
just transform the users U2F public key into an ssh key.

Marc Boorshtein
CTO, Tremolo Security, Inc.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] oddjob_mkhomedir troubles

[Ronald Wimmer]

On 2017-04-19 13:06, Ronald Wimmer wrote:

[...]

as the default directory (by setting override_homedir in sssd.conf) 
oddjob_mkhomedir creates the user directory but I still get a 
permission denied when logging in for the first time. (cd /home/user 
works)



The only thing I see in the logs is:

Apr 20 13:10:02 testclient systemd: Starting Session 1260 of user 
myu...@mydomain.at.
Apr 20 13:10:02 testclient oddjob-mkhomedir[15879]: error setting 
permissions on /home/mydomain.at/myuser: Operation not permitted
Apr 20 13:10:02 testclient dbus[770]: [system] Activating service 
name='org.freedesktop.problems' (using servicehelper)
Apr 20 13:10:02 testclient dbus-daemon: dbus[770]: [system] Activating 
service name='org.freedesktop.problems' (using servicehelper)
Apr 20 13:10:02 testclient dbus[770]: [system] Successfully activated 
service 'org.freedesktop.problems'
Apr 20 13:10:02 testclient dbus-daemon: dbus[770]: [system] Successfully 
activated service 'org.freedesktop.problems'


This is where PAM put the module:
/etc/pam.d/fingerprint-auth:session optional pam_oddjob_mkhomedir.so 
umask=0077
/etc/pam.d/fingerprint-auth-ac:session optional 
pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/password-auth:session optional pam_oddjob_mkhomedir.so 
umask=0077
/etc/pam.d/password-auth-ac:session optional pam_oddjob_mkhomedir.so 
umask=0077
/etc/pam.d/smartcard-auth:session optional pam_oddjob_mkhomedir.so 
umask=0077
/etc/pam.d/smartcard-auth-ac:session optional 
pam_oddjob_mkhomedir.so umask=0077
/etc/pam.d/system-auth:session optional pam_oddjob_mkhomedir.so 
umask=0077
/etc/pam.d/system-auth-ac:session optional pam_oddjob_mkhomedir.so 
umask=0077


Maybe it is not placed in the right line in /etc/pam.d/system-auth:
session optional  pam_keyinit.so revoke
session required  pam_limits.so
-session optional  pam_systemd.so
session optional  pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in 
crond quiet use_uid

session required  pam_unix.so
session optional  pam_sss.so

Is there a PAM expert around who can tell?

Regards,
Ronald

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

[Martin Bašti]

On 19.04.2017 17:14, David Goudet wrote:


On 04/19/2017 12:31 PM, Martin Bašti wrote:



On 17.04.2017 19:42, David Goudet wrote:

Hi,

Nobody has response about my questions?

The main question is: Is it possible to configure SSSD to update DNS 
(option dyndns_update) with only IP address "primary" in ip addr 
list or which is used to FreeIPA server communication (-IP1- used on 
TCP binding)?


Thank you for your help.

Best regards,

On 03/27/2017 09:40 PM, Jakub Hrozek wrote:

On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote:

Hi,

Thanks to dyndns_update=True parameter, SSSD service on client machine 
updating host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP adress on network 
interface.
I have problem with machines which have more that one IP address on 
network interface: if machine have two IP address, SSSD update host DNS entry 
with these two IP address.

To reproduce the problem:
Host have -IP1- and i add -IP2-
ip addr add -IP2-/26 dev em1

ip addr list:
em1:  mtu 1496 qdisc mq state UP qlen 
1000
  link/ether 
  inet -IP1-/26 brd  scope global em1
  inet -IP2-/26 scope global secondary em1
 valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After 
restarting sssd returns -IP1- & -IP2-

In dyndns_update manpage, we have "The IP address of the IPA LDAP connection 
is used for the updates", what does it means? Is it IP address of the DNS server 
(used to update the DNS entry)? or is it IP address on client machine used during LDAP 
TCP bind (-IP1- in my case)?

dyndns_update (boolean)
 Optional. This option tells SSSD to automatically update 
the DNS server built into FreeIPA v2 with the IP address of this client.
 The update is secured using GSS-TSIG. The IP address of 
the IPA LDAP connection is used for the updates, if it is not otherwise
 specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD add in host DNS entry every IPs 
enabled on client machine?

IIRC we added this to support multiple interfaces (user can choose 
which one to use) and to update both IPv6 () and IPv4 (A) 
records. IPA/SSSD cannot reliably determine which IP address to use, 
it is all or none from interface. With the previous behavior users 
want to use different/more addresses than the one which has been 
detected from LDAP connection and it was not possible previously.

Do you have set  dyndns_iface in sssd.conf?

Martin

Looks like this was a deliberate change:
  https://pagure.io/SSSD/sssd/issue/2558
but to be honest, I forgot why exactly we did this. Martin, do you know?

Is it possible to configure SSSD to update DNS with only IP address 
"primary" in ip addr list or which is used to FreeIPA server communication 
(-IP1- used on TCP binding)?

Only if the IP addresses are of different families (v4/v6), then it's
possible to restrict one of the families.





I asked question here

https://www.redhat.com/archives/freeipa-users/2017-March/msg00360.html





Hi,

Thank you for your response.

In sssd.conf parameter dyndns_iface is not defined, we are in case:
Default: Use the IP addresses of the interface which is used for IPA 
LDAP connection


This point (dyndns_iface) is ok, every IPs of this interface and only 
this interface is updated on IPA host DNS entry.
I use only IPv4, so it is not possible to filter on only one IP 
("primary") it is "none" or "all" on one interface.


In my case i see two solutions:
- Split IP "primary" on one interface (bond0 for exemple) and other 
virtual IPs on one other interface (bond0.1 or bond1 for exemple)

- Disable dyndns_update functionality on this machine

You confirm, i have no other solutions?




Well, then you have only choices you wrote. Sorry.

--
Martin Bašti
Software Engineer
Red Hat Czech

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project