Re: [Freeipa-users] Services missing in web-ui

2016-12-07 Thread Fujisan
And with Firefox 50.0.2.

F.

On Wed, Dec 7, 2016 at 11:46 AM, Fujisan <fujisa...@gmail.com> wrote:

> I have the same issue with version 4.4.2
>
> $ rpm -qa|grep freeipa
> freeipa-server-4.4.2-1.fc25.x86_64
> freeipa-python-compat-4.4.2-1.fc25.noarch
> freeipa-server-common-4.4.2-1.fc25.noarch
> freeipa-common-4.4.2-1.fc25.noarch
> freeipa-server-trust-ad-4.4.2-1.fc25.x86_64
> freeipa-client-4.4.2-1.fc25.x86_64
> freeipa-client-common-4.4.2-1.fc25.noarch
>
>
> F.
>
>
> On Wed, Dec 7, 2016 at 11:13 AM, Troels Hansen <t...@casalogic.dk> wrote:
>
>> I have a strange issue in IPA 4.4.0-12 (RHEL 7.3)
>>
>>
>> Navigating to Identity -> Services reveals 5 services. 2 cifs, 2 dogtag
>> and one empty line...
>>
>> cifs/host1.domain@REALM
>> cifs/host2.domain@REALM
>> dogtag/ipa01.domain@REALM
>> dogtag/ipa02.domain@REALM
>>
>>
>>
>> However, from CLI everything looks OK:
>>
>> # ipa service-find
>> ---
>> 11 services matched
>> ---
>> Principal name: ldap/ipa02.domain@REALM
>> Principal alias: ldap/ipa02.domain@REALM
>> Certificate: ...
>> ...
>>
>>
>> Keytab: True
>>
>> Principal name: ldap/ipa01.domain@REALM
>> Principal alias: ldap/ipa01.domain@REALM
>> Certificate: ...
>> ...
>>
>>
>> Keytab: True
>>
>> Principal name: HTTP/ipa02.domain@REALM
>> Principal alias: HTTP/ipa02.domain@REALM
>> Certificate: 
>> ...
>>
>>
>>
>> Keytab: True
>>
>> Principal name: cifs/rhellxudv01.domain@REALM
>> Principal alias: cifs/rhellxudv01.domain@REALM
>> Keytab: True
>>
>>
>>
>> Principal name: cifs/ipa02.domain@REALM
>> Principal alias: cifs/ipa02.domain@REALM
>> Keytab: True
>>
>>
>>
>> Principal name: nfs/profil01.domain@REALM
>> Principal alias: nfs/profil01.domain@REALM
>> Keytab: True
>>
>>
>>
>> Principal name: cifs/ipa01.domain@REALM
>> Principal alias: cifs/ipa01.domain@REALM
>> Keytab: True
>>
>> Principal name: dogtag/ipa02.domain@REALM
>> Principal alias: dogtag/ipa02.domain@REALM
>> Keytab: True
>>
>>
>>
>> Principal name: dogtag/ipa01.domain@REALM
>> Principal alias: dogtag/ipa01.domain@REALM
>> Keytab: True
>>
>>
>>
>> Principal name: cifs/rhellxudv02.domain@REALM
>> Principal alias: cifs/rhellxudv02.domain@REALM
>> Keytab: True
>>
>>
>>
>> Principal name: HTTP/ipa01.domain@REALM
>> Principal alias: HTTP/ipa01.domain@REALM
>> Certificate: ..
>> ..
>> Keytab: True
>>
>>
>>
>> -
>> Number of entries returned 11
>> -
>>
>>
>>
>>
>> (some lines truncated.)
>>
>>
>> So... something must be disrupting the view in web-ui,
>>
>>
>> Tried in Chrome 43 and IE 11
>>
>>
>> Looking at what gets requested by the browser at /ipa/session/json I can
>> see in the json that it gets the correct content:
>>
>>
>> result: {count: 11, result: [,…], summary: "11 services matched",
>> truncated: false}
>> count: 11
>> result: [,…]
>> 0: {dn: "krbprincipalname=cifs/rhellxudv01.domain@REALM,cn=services,
>> cn=accounts,dc=domain",…}
>> 1: {dn: "krbprincipalname=dogtag/ipa01.domain@REALM,cn=services,cn=a
>> ccounts,dc=domain",…}
>> 2: {dn: "krbprincipalname=nfs/profil01.domain@REALM,cn=services,cn=a
>> ccounts,dc=domain",…}
>> 3: {dn: "krbprincipalname=cifs/rhellxudv02.domain@REALM,cn=services,
>> cn=accounts,dc=domain",…}
>> 4: {dn: "krbprincipalname=dogtag/ipa02.domain@REALM,cn=services,cn=a
>> ccounts,dc=domain",…}
>> 5: {dn: "krbprincipalname=HTTP/ipa01.domain@REALM,cn=services,cn=acc
>> ounts,dc=domain",…}
>> 6: {dn: "krbprincipalname=cifs/ipa02.domain@REALM,cn=services,cn=acc
>> ounts,dc=domain",…}
>> 7: {dn: "krbprincipalname=cifs/ipa01.domain@REALM,cn=services,cn=acc
>> ounts,dc=domain",…}
>> 8: {dn: "krbprincipalname=ldap/ipa01.domain@REALM,cn=services,cn=acc
>> ounts,dc=domain",…}
>> 9: {dn: "krbprincipalname=HTTP/ipa02.domain@REALM,cn=services,cn=acc
>> ounts,dc=domain",…}
>> 10: {dn: "krbprincipalname=ldap/ipa02.domain@REALM,cn=services,cn=acc
>> ounts,dc=domain",…}
>> summary: "11 services matched"
>> truncated: false
>>
>>
>>
>> So this is obviously only a web-ui problem, but I can't see what causes
>> the problem?
>>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Services missing in web-ui

2016-12-07 Thread Fujisan
I have the same issue with version 4.4.2

$ rpm -qa|grep freeipa
freeipa-server-4.4.2-1.fc25.x86_64
freeipa-python-compat-4.4.2-1.fc25.noarch
freeipa-server-common-4.4.2-1.fc25.noarch
freeipa-common-4.4.2-1.fc25.noarch
freeipa-server-trust-ad-4.4.2-1.fc25.x86_64
freeipa-client-4.4.2-1.fc25.x86_64
freeipa-client-common-4.4.2-1.fc25.noarch


F.


On Wed, Dec 7, 2016 at 11:13 AM, Troels Hansen  wrote:

> I have a strange issue in IPA 4.4.0-12 (RHEL 7.3)
>
>
> Navigating to Identity -> Services reveals 5 services. 2 cifs, 2 dogtag
> and one empty line...
>
> cifs/host1.domain@REALM
> cifs/host2.domain@REALM
> dogtag/ipa01.domain@REALM
> dogtag/ipa02.domain@REALM
>
>
>
> However, from CLI everything looks OK:
>
> # ipa service-find
> ---
> 11 services matched
> ---
> Principal name: ldap/ipa02.domain@REALM
> Principal alias: ldap/ipa02.domain@REALM
> Certificate: ...
> ...
>
>
> Keytab: True
>
> Principal name: ldap/ipa01.domain@REALM
> Principal alias: ldap/ipa01.domain@REALM
> Certificate: ...
> ...
>
>
> Keytab: True
>
> Principal name: HTTP/ipa02.domain@REALM
> Principal alias: HTTP/ipa02.domain@REALM
> Certificate: 
> ...
>
>
>
> Keytab: True
>
> Principal name: cifs/rhellxudv01.domain@REALM
> Principal alias: cifs/rhellxudv01.domain@REALM
> Keytab: True
>
>
>
> Principal name: cifs/ipa02.domain@REALM
> Principal alias: cifs/ipa02.domain@REALM
> Keytab: True
>
>
>
> Principal name: nfs/profil01.domain@REALM
> Principal alias: nfs/profil01.domain@REALM
> Keytab: True
>
>
>
> Principal name: cifs/ipa01.domain@REALM
> Principal alias: cifs/ipa01.domain@REALM
> Keytab: True
>
> Principal name: dogtag/ipa02.domain@REALM
> Principal alias: dogtag/ipa02.domain@REALM
> Keytab: True
>
>
>
> Principal name: dogtag/ipa01.domain@REALM
> Principal alias: dogtag/ipa01.domain@REALM
> Keytab: True
>
>
>
> Principal name: cifs/rhellxudv02.domain@REALM
> Principal alias: cifs/rhellxudv02.domain@REALM
> Keytab: True
>
>
>
> Principal name: HTTP/ipa01.domain@REALM
> Principal alias: HTTP/ipa01.domain@REALM
> Certificate: ..
> ..
> Keytab: True
>
>
>
> -
> Number of entries returned 11
> -
>
>
>
>
> (some lines truncated.)
>
>
> So... something must be disrupting the view in web-ui,
>
>
> Tried in Chrome 43 and IE 11
>
>
> Looking at what gets requested by the browser at /ipa/session/json I can
> see in the json that it gets the correct content:
>
>
> result: {count: 11, result: [,…], summary: "11 services matched",
> truncated: false}
> count: 11
> result: [,…]
> 0: {dn: "krbprincipalname=cifs/rhellxudv01.domain@REALM,cn=services,
> cn=accounts,dc=domain",…}
> 1: {dn: "krbprincipalname=dogtag/ipa01.domain@REALM,cn=services,cn=
> accounts,dc=domain",…}
> 2: {dn: "krbprincipalname=nfs/profil01.domain@REALM,cn=services,cn=
> accounts,dc=domain",…}
> 3: {dn: "krbprincipalname=cifs/rhellxudv02.domain@REALM,cn=services,
> cn=accounts,dc=domain",…}
> 4: {dn: "krbprincipalname=dogtag/ipa02.domain@REALM,cn=services,cn=
> accounts,dc=domain",…}
> 5: {dn: "krbprincipalname=HTTP/ipa01.domain@REALM,cn=services,cn=acc
> ounts,dc=domain",…}
> 6: {dn: "krbprincipalname=cifs/ipa02.domain@REALM,cn=services,cn=acc
> ounts,dc=domain",…}
> 7: {dn: "krbprincipalname=cifs/ipa01.domain@REALM,cn=services,cn=acc
> ounts,dc=domain",…}
> 8: {dn: "krbprincipalname=ldap/ipa01.domain@REALM,cn=services,cn=acc
> ounts,dc=domain",…}
> 9: {dn: "krbprincipalname=HTTP/ipa02.domain@REALM,cn=services,cn=acc
> ounts,dc=domain",…}
> 10: {dn: "krbprincipalname=ldap/ipa02.domain@REALM,cn=services,cn=acc
> ounts,dc=domain",…}
> summary: "11 services matched"
> truncated: false
>
>
>
> So this is obviously only a web-ui problem, but I can't see what causes
> the problem?
>

Re: [Freeipa-users] cannot access to freeipa client's linux share from windows

2016-12-02 Thread Fujisan
Ok so why is it still not working?
Any suggestion?

On Fri, Dec 2, 2016 at 11:20 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On pe, 02 joulu 2016, Fujisan wrote:
>
>> I'm not sure my problem is linked to this 'dedicated keytab file' with
>> FILE: before the path to keytab file.
>>
> Yes, it does. Your client log below reports that the server cannot
> communicate with you because _the_server_ is unable to read its keytab
> when initializing GENSEC backed gssapi_krb5 and thus client switches to
> SPNEGO which also fails as the server cannot work without proper keytab
> using kerberos and password-based auth is not possible.
>
>
>
>> # smbclient -d3 -L \\10.0.21.200  -U smith
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[global]"
>> lp_load_ex: changing to config backend registry
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[global]"
>> added interface eno1 ip=10.0.21.18 bcast=10.0.21.31
>> netmask=255.255.255.240
>> Client started (version 4.5.1).
>> Enter smith's password:
>> Connecting to 10.0.21.200 at port 445
>> Doing spnego session setup (blob length=74)
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178@please_ignore
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'naclrpc_as_system' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'ntlmssp_resume_ccache' registered
>> GENSEC backend 'http_basic' registered
>> GENSEC backend 'http_ntlm' registered
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x628a8215
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x62088215
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x62088215
>> SPNEGO login failed: Logon failure
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> On Fri, Dec 2, 2016 at 10:57 AM, Alexander Bokovoy <aboko...@redhat.com>
>> wrote:
>>
>> On pe, 02 joulu 2016, Fujisan wrote:
>>>
>>> Alexander,
>>>>
>>>> I have now in my conf on server A and client B
>>>>
>>>> dedicated keytab file = /etc/samba/samba.keytab
>>>>
>>>> instead of
>>>>
>>>> dedicated keytab file = FILE:/etc/samba/samba.keytab
>>>>
>>>>
>>>> But unfortunately, it did not solve the problem.
>>>>
>>>> It did solve for me. The offending commit in Samba is c2f5c30b
>>>
>>> $ git tag --contains c2f5c30b|grep samba
>>> samba-4.5.0
>>> samba-4.5.0rc1
>>> samba-4.5.0rc2
>>> samba-4.5.0rc3
>>> samba-4.5.1
>>>
>>> It has following code:
>>> +krb5_error_code smb_krb5_open_keytab(krb5_context context,
>>> +const char *keytab_name_req,
>>> +bool write_access,
>>> +krb5_keytab *keytab)
>>> +{
>>> +   if (keytab_name_req != NULL) {
>>> +   if (keytab_name_req[0] != '/') {
>>> +   return KRB5_KT_BADNAME;
>>> +   }
>>> +   }
>>> +
>>> +   return smb_krb5_open_keytab_relative(context,
>>> +keytab_name_req,
>>> +write_access,
>>> +keytab);
>>> +}
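Review bot: the new guard in smb_krb5_open_keytab() returns KRB5_KT_BADNAME for every non-NULL keytab_name_req whose first character is not '/', which also rejects names carrying a krb5 keytab-type prefix such as the "FILE:/etc/samba/samba.keytab" setting discussed earlier in this thread; on an upgraded server that surfaces in the log as "smb_krb5_open_keytab failed (Key table name malformed)" and GSSAPI never starts. If only bare absolute paths are intended, either strip a leading "FILE:" before the test or make the tightened syntax explicit in the smb.conf documentation, and include the rejected name in the error path so the failure is diagnosable from the log alone.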
>>>
>>> It is the check for keytab_name_req[0] not starting from '/' what causes
>>> the break.
>>>
>>>
>>>
>>>
>>>>
>>>> On Fri, Dec 2, 2016 at 10:29 AM, Alexander Bokovoy <aboko...@redhat.com
>>>> >
>>>> wrote:
>>>>
>>>> On to, 01 joulu 2016, Fujisan wrote:
>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>>>
>>>>>> I have upgraded a client and a freeipa se
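As an added example (my own code, not Samba's or FreeIPA's), the following C program reproduces the shape of the keytab-name check quoted above from Samba commit c2f5c30b and runs it over the two "dedicated keytab file" settings compared in this thread, plus a WRFILE: variant I constructed. The helper names check_dedicated_keytab, smbconf_value and normalized_keytab are mine; the error value is the one the Samba log quoted later on this page reports for "Key table name malformed", assumed here to be KRB5_KT_BADNAME.

```c
/* Added example, not Samba code: reproduce the keytab-name check quoted in
 * this thread (Samba commit c2f5c30b) against the two smb.conf settings
 * discussed, and show how to rewrite a "FILE:" value into the bare absolute
 * path that check accepts. KT_BADNAME is the value the Samba log on this page
 * reports for "Key table name malformed" (assumed to be KRB5_KT_BADNAME). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define KT_BADNAME (-1765328205L)

/* Same shape as the quoted smb_krb5_open_keytab() check: a NULL name falls
 * through to the default keytab, any other name must begin with '/'. */
long check_dedicated_keytab(const char *name)
{
    if (name != NULL && name[0] != '/') {
        return KT_BADNAME;
    }
    return 0;
}

/* Case-insensitive prefix match; smb.conf keys are not case-sensitive.
 * Stops at the end of `key`, so a shorter `p` simply fails to match. */
static int key_prefix(const char *p, const char *key)
{
    for (; *key; p++, key++) {
        if (tolower((unsigned char)*p) != tolower((unsigned char)*key)) {
            return 0;
        }
    }
    return 1;
}

/* Pull the value out of one "key = value" smb.conf line, trimming whitespace
 * around both key and value. Returns NULL if the line does not set `key`.
 * Uses a static buffer, so it is not reentrant (fine for a diagnostic). */
const char *smbconf_value(const char *line, const char *key)
{
    static char buf[512];
    size_t n;
    const char *p = line;

    while (isspace((unsigned char)*p)) p++;
    if (!key_prefix(p, key)) return NULL;
    p += strlen(key);
    while (isspace((unsigned char)*p)) p++;
    if (*p != '=') return NULL;
    p++;
    while (isspace((unsigned char)*p)) p++;
    n = strlen(p);
    while (n > 0 && isspace((unsigned char)p[n - 1])) n--;
    if (n >= sizeof buf) return NULL;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return buf;
}

/* Rewrite a keytab value into the bare absolute path the check accepts.
 * "FILE:/path" loses its prefix. A relative path, or another krb5 keytab type
 * (WRFILE:, MEMORY:, ...) with no bare-path equivalent, yields NULL so the
 * caller reports it instead of guessing. Static buffer again. */
const char *normalized_keytab(const char *value)
{
    static char out[512];
    const char *path = value;

    if (value == NULL) return NULL;
    if (strncmp(value, "FILE:", 5) == 0) path = value + 5;
    if (path[0] != '/' || strlen(path) >= sizeof out) return NULL;
    strcpy(out, path);
    return out;
}

int main(void)
{
    /* Constructed smb.conf lines: the two settings compared in the thread,
     * plus a WRFILE: variant that has no bare-path form. */
    const char *lines[] = {
        "dedicated keytab file = FILE:/etc/samba/samba.keytab",
        "dedicated keytab file = /etc/samba/samba.keytab",
        "dedicated keytab file = WRFILE:/etc/samba/samba.keytab",
    };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        const char *v = smbconf_value(lines[i], "dedicated keytab file");
        long rc = check_dedicated_keytab(v);
        const char *fix = normalized_keytab(v);

        printf("%s\n  -> %s", lines[i],
               rc == 0 ? "accepted" : "rejected: Key table name malformed");
        if (rc != 0 && fix != NULL)
            printf("; set: dedicated keytab file = %s", fix);
        else if (rc != 0)
            printf("; no bare-path equivalent, fix by hand");
        printf("\n");
    }
    return 0;
}
```

The point of keeping the NULL case separate is that an unset option still falls through to the default keytab, exactly as in the quoted check; only an explicit value is subject to the leading-'/' rule. A bare absolute path is accepted both before and after the change, so rewriting the setting is the migration Alexander describes, while a WRFILE: or MEMORY: value has to be reconsidered rather than mechanically stripped.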

Re: [Freeipa-users] cannot access to freeipa client's linux share from windows

2016-12-02 Thread Fujisan
I'm not sure my problem is linked to this 'dedicated keytab file' with
FILE: before the path to keytab file.

# smbclient -d3 -L \\10.0.21.200  -U smith
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
lp_load_ex: changing to config backend registry
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eno1 ip=10.0.21.18 bcast=10.0.21.31 netmask=255.255.255.240
Client started (version 4.5.1).
Enter smith's password:
Connecting to 10.0.21.200 at port 445
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

On Fri, Dec 2, 2016 at 10:57 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On pe, 02 joulu 2016, Fujisan wrote:
>
>> Alexander,
>>
>> I have now in my conf on server A and client B
>>
>> dedicated keytab file = /etc/samba/samba.keytab
>>
>> instead of
>>
>> dedicated keytab file = FILE:/etc/samba/samba.keytab
>>
>>
>> But unfortunately, it did not solve the problem.
>>
> It did solve for me. The offending commit in Samba is c2f5c30b
>
> $ git tag --contains c2f5c30b|grep samba
> samba-4.5.0
> samba-4.5.0rc1
> samba-4.5.0rc2
> samba-4.5.0rc3
> samba-4.5.1
>
> It has following code:
> +krb5_error_code smb_krb5_open_keytab(krb5_context context,
> +const char *keytab_name_req,
> +bool write_access,
> +krb5_keytab *keytab)
> +{
> +   if (keytab_name_req != NULL) {
> +   if (keytab_name_req[0] != '/') {
> +   return KRB5_KT_BADNAME;
> +   }
> +   }
> +
> +   return smb_krb5_open_keytab_relative(context,
> +keytab_name_req,
> +write_access,
> +keytab);
> +}
>
> It is the check for keytab_name_req[0] not starting from '/' what causes
> the break.
>
>
>
>>
>>
>> On Fri, Dec 2, 2016 at 10:29 AM, Alexander Bokovoy <aboko...@redhat.com>
>> wrote:
>>
>> On to, 01 joulu 2016, Fujisan wrote:
>>>
>>> Hello,
>>>>
>>>> I have upgraded a client and a freeipa server from Fedora 24 to 25
>>>> recently.
>>>> And I *cannot* access linux shares located on the F25 freeipa client
>>>> from
>>>> a
>>>> windows desktop.
>>>> But I can access linux shares located on the F25 freeipa server from
>>>> that
>>>> windows desktop.
>>>> And I can access linux shares located on the F24 freeipa client from
>>>> that
>>>> windows desktop.
>>>>
>>>> To be clear, I have:
>>>>  A/ 1 F25 freeipa server
>>>>  B/ 1 F25 freeipa client
>>>>  C/ 1 F24 freeipa client
>>>>  D/ 1 windows desktop
>>>>
>>>> I can access linux shares of A from D.
>>>> I can access linux shares of C from D.
>>>> I *cannot* access linux shares of B from D.
>>>>
>>>> I get these messages on B in /var/log/samba/log.10.0.21.247 :
>>>>
>>>> [2016/12/01 11:42:19.218759,  1] ../source3/librpc/crypto/gse_
>>>> krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>>>  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed
>>>> (Key
>>>> table name malformed)
>>>> [2016/12/01 11:42:19.218800,  1] ../source3/librpc/crypto/gse_
>>>> krb5.c:627(gse_krb5_get_server_keytab)
>>>>  ../

Re: [Freeipa-users] cannot access to freeipa client's linux share from windows

2016-12-02 Thread Fujisan
Alexander,

I have now in my conf on server A and client B

dedicated keytab file = /etc/samba/samba.keytab

instead of

dedicated keytab file = FILE:/etc/samba/samba.keytab


But unfortunately, it did not solve the problem.



On Fri, Dec 2, 2016 at 10:29 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On to, 01 joulu 2016, Fujisan wrote:
>
>> Hello,
>>
>> I have upgraded a client and a freeipa server from Fedora 24 to 25
>> recently.
>> And I *cannot* access linux shares located on the F25 freeipa client from
>> a
>> windows desktop.
>> But I can access linux shares located on the F25 freeipa server from that
>> windows desktop.
>> And I can access linux shares located on the F24 freeipa client from that
>> windows desktop.
>>
>> To be clear, I have:
>>  A/ 1 F25 freeipa server
>>  B/ 1 F25 freeipa client
>>  C/ 1 F24 freeipa client
>>  D/ 1 windows desktop
>>
>> I can access linux shares of A from D.
>> I can access linux shares of C from D.
>> I *cannot* access linux shares of B from D.
>>
>> I get these messages on B in /var/log/samba/log.10.0.21.247 :
>>
>> [2016/12/01 11:42:19.218759,  1] ../source3/librpc/crypto/gse_
>> krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed
>> (Key
>> table name malformed)
>> [2016/12/01 11:42:19.218800,  1] ../source3/librpc/crypto/gse_
>> krb5.c:627(gse_krb5_get_server_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab
>> - -1765328205
>> [2016/12/01 11:42:19.218823,  1] ../auth/gensec/gensec_start.c:
>> 698(gensec_start_mech)
>>  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>> [2016/12/01 11:42:19.261611,  1] ../source3/librpc/crypto/gse_
>> krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed
>> (Key
>> table name malformed)
>> [2016/12/01 11:42:19.261638,  1] ../source3/librpc/crypto/gse_
>> krb5.c:627(gse_krb5_get_server_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab
>> - -1765328205
>> [2016/12/01 11:42:19.261653,  1] ../auth/gensec/gensec_start.c:
>> 698(gensec_start_mech)
>>  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>> [2016/12/01 11:42:19.263330,  2] ../source3/auth/auth.c:315(
>> auth_check_ntlm_password)
>>  check_ntlm_password:  Authentication for user [smith] -> [smith] FAILED
>> with error NT_STATUS_NO_SUCH_USER
>> [2016/12/01 11:42:19.263380,  2] ../auth/gensec/spnego.c:720(
>> gensec_spnego_server_negTokenTarg)
>>  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
>> [2016/12/01 11:42:19.270531,  1] ../source3/librpc/crypto/gse_
>> krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed
>> (Key
>> table name malformed)
>> [2016/12/01 11:42:19.270562,  1] ../source3/librpc/crypto/gse_
>> krb5.c:627(gse_krb5_get_server_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab
>> - -1765328205
>> [2016/12/01 11:42:19.270586,  1] ../auth/gensec/gensec_start.c:
>> 698(gensec_start_mech)
>>  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>> [2016/12/01 11:42:19.313479,  1] ../source3/librpc/crypto/gse_
>> krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed
>> (Key
>> table name malformed)
>> [2016/12/01 11:42:19.313506,  1] ../source3/librpc/crypto/gse_
>> krb5.c:627(gse_krb5_get_server_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab
>> - -1765328205
>> [2016/12/01 11:42:19.313523,  1] ../auth/gensec/gensec_start.c:
>> 698(gensec_start_mech)
>>  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>> [2016/12/01 11:42:19.315256,  2] ../source3/auth/auth.c:315(
>> auth_check_ntlm_password)
>>  check_ntlm_password:  Authentication for user [smith] -> [smith] FAILED
>> with error NT_STATUS_NO_SUCH_USER
>> [2016/12/01 11:42:19.315291,  2] ../auth/gensec/spnego.c:720(
>> gensec_spnego_server_negTokenTarg)
>>  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
>>
>> Also from the F25 server, I have the following when I run smbclient
>>
>> f25server # smbclient -k -L f25desktop.mydomain
>> lp_load_ex: changing to config backend registry
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>

Re: [Freeipa-users] The Web UI is not loading

2016-09-12 Thread Fujisan
Yes. I had to restart the browser.
Now everything is working again.

Thank you.

On Mon, Sep 12, 2016 at 12:07 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Mon, 12 Sep 2016, Fujisan wrote:
>
>> Here is what i get when restarting ipa:
>>
>> # systemctl restart ipa
>>
> []
>
> Sep 12 11:32:59 myserver ipactl: ipa: INFO: The ipactl command was
>> successful
>> Sep 12 11:32:59 myserver ipactl: Starting Directory Service
>> Sep 12 11:32:59 myserver ipactl: Starting krb5kdc Service
>> Sep 12 11:32:59 myserver ipactl: Starting kadmin Service
>> Sep 12 11:32:59 myserver ipactl: Starting named Service
>> Sep 12 11:32:59 myserver ipactl: Starting ipa_memcached Service
>> Sep 12 11:32:59 myserver ipactl: Starting httpd Service
>> Sep 12 11:32:59 myserver ipactl: Starting pki-tomcatd Service
>> Sep 12 11:32:59 myserver ipactl: Starting smb Service
>> Sep 12 11:32:59 myserver ipactl: Starting winbind Service
>> Sep 12 11:32:59 myserver ipactl: Starting ipa-otpd Service
>> Sep 12 11:32:59 myserver ipactl: Starting ipa-dnskeysyncd Service
>> Sep 12 11:32:59 myserver systemd: Started Identity, Policy, Audit.
>>
> So everything has started successfully.
>
> Any other problem?
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] The Web UI is not loading

2016-09-12 Thread Fujisan
Ok I installed the missing package and restarted ipa but it is still not
working.

On Mon, Sep 12, 2016 at 11:13 AM, Fujisan <fujisa...@gmail.com> wrote:

> No it is missing!
>
> On Mon, Sep 12, 2016 at 10:55 AM, Alexander Bokovoy <aboko...@redhat.com>
> wrote:
>
>> On Mon, 12 Sep 2016, Fujisan wrote:
>>
>>> Hello,
>>>
>>> This morning I noticed I could not reload the Freeipa web ui. It was
>>> working well Friday but something must have happened over the weekend.
>>>
>> Do you have pki-symkey installed?
>>
>> /usr/share/pki/server/common/lib/symkey.jar points to
>> /usr/lib/java/symkey.jar which is missing in your setup:
>>
>>
>>
>> Sep 12 09:12:49 myserver server: WARNING: Problem with JAR file
>>> [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead:
>>> [false]
>>>
>>
>>
>> --
>> / Alexander Bokovoy
>>
>
>

Re: [Freeipa-users] The Web UI is not loading

2016-09-12 Thread Fujisan
No it is missing!

On Mon, Sep 12, 2016 at 10:55 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Mon, 12 Sep 2016, Fujisan wrote:
>
>> Hello,
>>
>> This morning I noticed I could not reload the Freeipa web ui. It was
>> working well Friday but something must have happened over the weekend.
>>
> Do you have pki-symkey installed?
>
> /usr/share/pki/server/common/lib/symkey.jar points to
> /usr/lib/java/symkey.jar which is missing in your setup:
>
>
>
> Sep 12 09:12:49 myserver server: WARNING: Problem with JAR file
>> [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead:
>> [false]
>>
>
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] Freeipa not working after upgrade to F24

2016-09-07 Thread Fujisan
Is this issue documented somewhere?

On Wed, Sep 7, 2016 at 3:03 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Wed, 07 Sep 2016, Fujisan wrote:
>
>> Selinux is disabled on my server.
>> Do I still need to run 'pki-server-upgrade -v'?
>>
> You need to read the ticket I pointed to and look at the files mentioned
> there. You'll see the issue and it is fixed by running
> pki-server-upgrade.
>
> The issue is not about SELinux itself.
>
>
>
>> Regards,
>> F.
>>
>> On Wed, Sep 7, 2016 at 2:53 PM, Alexander Bokovoy <aboko...@redhat.com>
>> wrote:
>>
>> On Wed, 07 Sep 2016, Fujisan wrote:
>>>
>>> Hello,
>>>>
>>>> I just upgraded my server to F24 but ipa is not starting.
>>>>
>>>> No DNS, no access to the Freeipa web page.
>>>>
>>>> It is an issue with Java jar classes being renamed. Run
>>> 'pki-server-upgrade -v' to re-apply changes. There is an issue with
>>> upgrade script that fails to import some Python code for SELinux during
>>> rpm upgrade and that stops pki-server-upgrade from completing its job.
>>>
>>> See https://fedorahosted.org/pki/ticket/2452 for more details.
>>>
>>> Sep  7 14:11:10 myserver server: Sep 07, 2016 2:11:10 PM
>>>
>>>> org.apache.tomcat.util.digester.Digester startElement
>>>> Sep  7 14:11:10 myserver server: SEVERE: Begin event threw error
>>>> Sep  7 14:11:10 myserver server: java.lang.NoClassDefFoundError:
>>>> javax/ws/rs/ServiceUnavailableException
>>>>
>>>> ^^^ this is it.
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
>
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] Freeipa not working after upgrade to F24

2016-09-07 Thread Fujisan
Ok I just tried and you are right.

It works! Pfiuuu! You saved my a$$.

Thanks.

On Wed, Sep 7, 2016 at 2:58 PM, Fujisan <fujisa...@gmail.com> wrote:

> Selinux is disabled on my server.
> Do I still need to run 'pki-server-upgrade -v'?
>
> Regards,
> F.
>
> On Wed, Sep 7, 2016 at 2:53 PM, Alexander Bokovoy <aboko...@redhat.com>
> wrote:
>
>> On Wed, 07 Sep 2016, Fujisan wrote:
>>
>>> Hello,
>>>
>>> I just upgraded my server to F24 but ipa is not starting.
>>>
>>> No DNS, no access to the Freeipa web page.
>>>
>> It is an issue with Java jar classes being renamed. Run
>> 'pki-server-upgrade -v' to re-apply changes. There is an issue with
>> upgrade script that fails to import some Python code for SELinux during
>> rpm upgrade and that stops pki-server-upgrade from completing its job.
>>
>> See https://fedorahosted.org/pki/ticket/2452 for more details.
>>
>> Sep  7 14:11:10 myserver server: Sep 07, 2016 2:11:10 PM
>>> org.apache.tomcat.util.digester.Digester startElement
>>> Sep  7 14:11:10 myserver server: SEVERE: Begin event threw error
>>> Sep  7 14:11:10 myserver server: java.lang.NoClassDefFoundError:
>>> javax/ws/rs/ServiceUnavailableException
>>>
>> ^^^ this is it.
>>
>>
>> --
>> / Alexander Bokovoy
>>
>
>

Re: [Freeipa-users] Freeipa not working after upgrade to F24

2016-09-07 Thread Fujisan
Selinux is disabled on my server.
Do I still need to run 'pki-server-upgrade -v'?

Regards,
F.

On Wed, Sep 7, 2016 at 2:53 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Wed, 07 Sep 2016, Fujisan wrote:
>
>> Hello,
>>
>> I just upgraded my server to F24 but ipa is not starting.
>>
>> No DNS, no access to the Freeipa web page.
>>
> It is an issue with Java jar classes being renamed. Run
> 'pki-server-upgrade -v' to re-apply changes. There is an issue with
> upgrade script that fails to import some Python code for SELinux during
> rpm upgrade and that stops pki-server-upgrade from completing its job.
>
> See https://fedorahosted.org/pki/ticket/2452 for more details.
>
> Sep  7 14:11:10 myserver server: Sep 07, 2016 2:11:10 PM
>> org.apache.tomcat.util.digester.Digester startElement
>> Sep  7 14:11:10 myserver server: SEVERE: Begin event threw error
>> Sep  7 14:11:10 myserver server: java.lang.NoClassDefFoundError:
>> javax/ws/rs/ServiceUnavailableException
>>
> ^^^ this is it.
>
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] Cannot start freeipa after reboot of server

2016-02-06 Thread Fujisan
I couldn't log in to the server (it froze completely), so I have no logs to show.

It is a kernel problem. The server was running kernel 4.3.4-300. I had to
boot kernel 4.2.6-301 to have a functional server again.

# abrt-cli list
id 29e33b5c96e28619dca309942a505fc8e2ef19e2
reason: BUG: unable to handle kernel NULL pointer dereference at
0060
time:   Fri 05 Feb 2016 03:35:14 PM CET
cmdline:BOOT_IMAGE=/vmlinuz-4.3.4-300.fc23.x86_64
root=/dev/mapper/fedora-root ro rd.lvm.lv=fedora/swap rd.lvm.lv=fedora/root
rhgb quiet LANG=en_US.UTF-8
count:  289
Directory:  /var/spool/abrt/oops-2016-02-05-15:35:10-1606-4
Reported:   cannot be reported

Regards,
F.

On Sat, Feb 6, 2016 at 12:32 PM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 05.02.2016 16:52, Fujisan wrote:
>
> Hello,
>
> I have a big problem here
> I have rebooted my freeipa server and noticed that no login screen
> appeared after the reboot making it impossible to log in, even through an
> ssh session from my desktop.
> I also rebooted the replica and got the same problem.
>
> I rebooted again the replica in rescue mode and tried to start freeipa
> manually:
>
> # systemctl restart ipa.service
> Error getting authority: Error initializing authority: could not connect:
> No such file or directory
> Welcome to emergency mode! After logging in, type 'journalctl -xb' to view
> system logs. ...
> Try again to boot into default mode.
> Give root password for maintenance
> (or press Control-D to continue)
>
> # systemctl status ipa.service
> ...
> ... active: Inactive (dead)
> ... Stopped Identity, Policy, Audit.
>
> freeipa version is 4.2.3-2 .
>
> What can I do to fix this?
>
> Thank you
>
> Fuji
>
>
>
> Hello,
>
> can you inspect the journal to see why the system cannot be started in normal mode?
>
> Without any logs we cannot help you.
>
> Martin
>

[Freeipa-users] Cannot start freeipa after reboot of server

2016-02-05 Thread Fujisan
Hello,

I have a big problem here.
I have rebooted my freeipa server and noticed that no login screen appeared
after the reboot, making it impossible to log in, even through an ssh
session from my desktop.
I also rebooted the replica and got the same problem.

I rebooted again the replica in rescue mode and tried to start freeipa
manually:

# systemctl restart ipa.service
Error getting authority: Error initializing authority: could not connect:
No such file or directory
Welcome to emergency mode! After logging in, type 'journalctl -xb' to view
system logs. ...
Try again to boot into default mode.
Give root password for maintenance
(or press Control-D to continue)

# systemctl status ipa.service
...
... active: Inactive (dead)
... Stopped Identity, Policy, Audit.

freeipa version is 4.2.3-2.

What can I do to fix this?

Thank you

Fuji

[Freeipa-users] What is the recommended procedure for upgrading clients and servers to F23?

2015-10-31 Thread Fujisan
Hi there,

F23 is coming out very soon and I'm wondering which machines I should upgrade
first, the ipa clients or the ipa servers?
In other words, can the ipa system work with ipa client upgraded to 4.2 and
the servers still at 4.1.4?
Or do I have to upgrade the servers first?

And should I upgrade to freeipa 4.2 first and then upgrade the machines to
F23?

Regards,
Fuji.

Re: [Freeipa-users] FreeIPA, Windows and Kerberos

2015-10-24 Thread Fujisan
Have you tried with /setdomain?
ksetup /setdomain CHEM.BYU.EDU 

I've done it like this on Windows 8.1 and Windows 10. I had trouble doing it
on one Windows 7 desktop so I upgraded to Windows 10.

These are the only steps I did to authenticate a Windows desktop via
Kerberos, nothing more:

1. ksetup /setdomain [REALM NAME]
2. ksetup /addkdc [REALM NAME] [kdc DNS name]
3. ksetup /addkpasswd [REALM NAME] [kdc DNS name]
4. ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
5. ksetup /mapuser * *


On Fri, Oct 23, 2015 at 8:51 PM, Randolph Morgan wrote:

> We are running a mixed environment network.  However, all of our
> authentication is performed via LDAP, we do not have an AD on our network,
> nor do we have any Windows servers, all of our servers are running RHEL.
> We are working on implementing a new authentication server that is running
> FreeIPA, but would like to do single sign-on via Kerberos.  I have been
> reading posts for the better part of two weeks and cannot find
> instructions that work, on how to get Windows (XP - 10) to authenticate via
> Kerberos.  Here is a list of some of the sites that I have looked at:
>
> https://support.microsoft.com/en-us/kb/837361
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
>
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id2573486
> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
>
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Using_Microsoft_Windows.html
> (This is an older post but I was getting desperate)
>
> http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
>
> So here is the problem, when I attempt to set the Realm on the Windows
> client I receive the following error:
>
> C:\Users\randym>ksetup /setrealm CHEM.BYU.EDU
> Setting Dns Domain
> Failed to set dns domain info: 0xc022
> Failed /SetRealm : 0xc022
>
> I have tried several varieties of this command, including setting the
> domain instead of the realm and always get the same result.  Can someone
> please put together a step by step process that includes both server side
> and client side for configuring Kerberos to work with Windows and FreeIPA.
>
> Thank You in advance,
>
> Randy
>
> --
> Randy Morgan
> CSR
> Department of Chemistry and Biochemistry
> Brigham Young University
> 801-422-4100
>
>

[Freeipa-users] Why are some user's information not stored in the LDAP database?

2015-10-16 Thread Fujisan
Hello,

When I enter the email address, the phone number or the mailing address of
ipa user 'smith' in the web ui "Identity/Users/smith", it does not appear
in the output of ldapsearch.
Sendmail can look into the ldap database and get the email address of a
user and send mail to that user.

Is it possible to add that info, especially the email address, to the ldap
database?

Regards,
Fuji.

Re: [Freeipa-users] Why are some user's information not stored in the LDAP database?

2015-10-16 Thread Fujisan
Yes, sorry, you're right. It works. I was using the wrong command:

$ ldapsearch -x -h localhost uid=smith

instead of

$ ldapsearch -x -h localhost -D cn=directory\ manager -W -b
cn=users,cn=accounts,dc=example,dc=test uid=smith

On Fri, Oct 16, 2015 at 3:52 PM, David Kupka <dku...@redhat.com> wrote:

> On 16/10/15 15:26, Fujisan wrote:
>
>> Hello,
>>
>> When I enter the email address, the phone number or the mailing address of
>> ipa user 'smith' in the web ui "Identity/Users/smith", it does not appear
>> in the output of ldapsearch.
>> Sendmail can look into the ldap database and get the email address of a
>> user and send mail to that user.
>>
>> Is it possible to add that info, especially the email address, to the ldap
>> database?
>>
>> Regards,
>> Fuji.
>>
>>
>>
>>
> Hello,
> I just tried and it worked as expected. Could you post your ldapsearch and
> its result?
>
> $ ldapsearch -D"cn=Directory Manager" -w Secret123 -h localhost -b
> cn=users,cn=accounts,dc=example,dc=test uid=tuser1
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-05 Thread Fujisan
Good morning,

Any suggestion what I should do?

I still have

$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized


Regards.


On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <fujisa...@gmail.com> wrote:

> I only have this:
>
> $ keyctl list @s
> 1 key in keyring:
> 641467419: --alswrv 0 65534 keyring: _uid.0
> $
>
>
>
> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <aboko...@redhat.com>
> wrote:
>
>> On Fri, 02 Oct 2015, Fujisan wrote:
>>
>>> I forgot to mention that
>>>
>>> $ ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>> Unauthorized
>>>
>> This is most likely because of the cached session to your server.
>>
>> You can check if keyctl list @s returns you something like
>> [root@m1 ~]# keyctl list @s
>> 2 keys in keyring:
>> 496745412: --alswrv 0 65534 keyring: _uid.0
>> 215779962: --alswrv 0 0 user:
>> ipa_session_cookie:ad...@example.com
>>
>> If so, then notice the key number (215779962) for the session cookie,
>> and do:
>>  keyctl purge 215779962
>>  keyctl reap
>>
>> This should make the next 'ipa ...' command ask for a new cookie.
>>
>>
>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>
>>>> I still cannot log in to the web UI.
>>>>
>>>> Here is what I did:
>>>>
>>>>1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>2. kinit admin
>>>>Password for admin@OPERA:
>>>>3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k
>>>>/etc/krb5.keytab
>>>>4. systemctl restart sssd.service
>>>>5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k
>>>>/etc/httpd/conf/ipa.keytab
>>>>7. systemctl restart httpd.service
>>>>
>>>>
>>>> The log says now:
>>>>
>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18
>>>> 17
>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA
>>>> for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>
>>>>
>>>>
>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <aboko...@redhat.com>
>>>> wrote:
>>>>
>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>
>>>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>>> kerberos.
>>>>>>
>>>>>> What should I do to fix this?
>>>>>>
>>>>>> I have this on the ipa server:
>>>>>> $ klist -k
>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>> KVNO Principal
>>>>>> ---- --------------------------------------------------------------------------
>>>>>>   2 host/zaira2.opera@OPERA
>>>>>>   2 host/zaira2.opera@OPERA
>>>>>>   2 host/zaira2.opera@OPERA
>>>>>>   2 host/zaira2.opera@OPERA
>>>>>>   1 nfs/zaira2.opera@OPERA
>>>>>>   1 nfs/zaira2.opera@OPERA
>>>>>>   1 nfs/zaira2.opera@OPERA
>>>>>>   1 nfs/zaira2.opera@OPERA
>>>>>>   3 HTTP/zaira2.opera@OPERA
>>>>>>   3 HTTP/zaira2.opera@OPERA
>>>>>>   3 HTTP/zaira2.opera@OPERA
>>>>>>   3 HTTP/zaira2.opera@OPERA
>>>>>>
>>>>> You can start by:
>>>>>>
>>>>> 0. backup every file mentioned below
>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>> 2. kinit as admin
>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>>> 4. restart SSSD
>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>>>>> /etc/httpd/conf/ipa.keytab
>>>>> 7. Restart httpd
>>>>>
>>>>> Every time you run 'ipa-getkeytab', the Kerberos key for the service
>>>>> you specified is replaced on the server side, so that the keys in the
>>>>> keytabs become unusable.
>>>>>
>>>>> I guess cockpit instructions were for some

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-05 Thread Fujisan
I just noticed I can log in to the web UI with user admin and his password.

But when I try to configure firefox to use kerberos, I click on "Install
Kerberos Configuration Firefox Extension" button, a message appears saying
"Firefox prevented this site from asking you to install software on your
computer", so I click on the "Allow" button and then another message
appears "The add-on downloaded from this site could not be installed
because it appears to be corrupt.".

And the ipa commands are still not working.
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized


On Mon, Oct 5, 2015 at 12:13 PM, Fujisan <fujisa...@gmail.com> wrote:

> I uninstalled the ipa server and reinstalled it. Then restored the backup.
> And then the following:
>
> $ keyctl list @s
> 3 keys in keyring:
> 437165764: --alswrv 0 65534 keyring: _uid.0
> 556579409: --alswrv 0 0 user:
> ipa_session_cookie:host/zaira2.opera@OPERA
> 286806445: ---lswrv 0 65534 keyring: _persistent.0
> $ keyctl purge 556579409
> purged 0 keys
> $ keyctl reap
> 0 keys reaped
> $ ipa user-show admin
> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
> Unauthorized
> $ keyctl list @s
> 3 keys in keyring:
> 437165764: --alswrv 0 65534 keyring: _uid.0
> 556579409: --alswrv 0 0 user:
> ipa_session_cookie:host/zaira2.opera@OPERA
> 286806445: ---lswrv 0 65534 keyring: _persistent.0
>
> It doesn't seem to purge or to reap.
>
>
>
> On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <fujisa...@gmail.com> wrote:
>
>> Good morning,
>>
>> Any suggestion what I should do?
>>
>> I still have
>>
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>> Unauthorized
>>
>>
>> Regards.
>>
>>
>> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <fujisa...@gmail.com> wrote:
>>
>>> I only have this:
>>>
>>> $ keyctl list @s
>>> 1 key in keyring:
>>> 641467419: --alswrv 0 65534 keyring: _uid.0
>>> $
>>>
>>>
>>>
>>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <aboko...@redhat.com>
>>> wrote:
>>>
>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>
>>>>> I forgot to mention that
>>>>>
>>>>> $ ipa user-show admin
>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>> Unauthorized
>>>>>
>>>> This is most likely because of the cached session to your server.
>>>>
>>>> You can check if keyctl list @s returns you something like
>>>> [root@m1 ~]# keyctl list @s
>>>> 2 keys in keyring:
>>>> 496745412: --alswrv 0 65534 keyring: _uid.0
>>>> 215779962: --alswrv 0 0 user:
>>>> ipa_session_cookie:ad...@example.com
>>>>
>>>> If so, then notice the key number (215779962) for the session cookie,
>>>> and do:
>>>>  keyctl purge 215779962
>>>>  keyctl reap
>>>>
>>>> This should make the next 'ipa ...' command ask for a new cookie.
>>>>
>>>>
>>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>>>
>>>>>> I still cannot log in to the web UI.
>>>>>>
>>>>>> Here is what I did:
>>>>>>
>>>>>>1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>>>2. kinit admin
>>>>>>Password for admin@OPERA:
>>>>>>3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k
>>>>>>/etc/krb5.keytab
>>>>>>4. systemctl restart sssd.service
>>>>>>5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>>>6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k
>>>>>>/etc/httpd/conf/ipa.keytab
>>>>>>7. systemctl restart httpd.service
>>>>>>
>>>>>>
>>>>>> The log says now:
>>>>>>
>>>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes
>>>>>> {18 17
>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>> HTTP/zaira2.opera@OPERA
>>>>>> for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>>>
>>>>>>
>>>>>

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-05 Thread Fujisan
It is actually on the ipa server that ipa commands are not working. On ipa
clients, I do not have errors.



On Mon, Oct 5, 2015 at 12:27 PM, Fujisan <fujisa...@gmail.com> wrote:

> I just noticed I can log in to the web UI with user admin and his password.
>
> But when I try to configure firefox to use kerberos, I click on "Install
> Kerberos Configuration Firefox Extension" button, a message appears saying
> "Firefox prevented this site from asking you to install software on your
> computer", so I click on the "Allow" button and then another message
> appears "The add-on downloaded from this site could not be installed
> because it appears to be corrupt.".
>
> And the ipa commands are still not working.
> $ ipa user-show admin
> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
> Unauthorized
>
>
> On Mon, Oct 5, 2015 at 12:13 PM, Fujisan <fujisa...@gmail.com> wrote:
>
>> I uninstalled the ipa server and reinstalled it. Then restored the backup.
>> And then the following:
>>
>> $ keyctl list @s
>> 3 keys in keyring:
>> 437165764: --alswrv 0 65534 keyring: _uid.0
>> 556579409: --alswrv 0 0 user:
>> ipa_session_cookie:host/zaira2.opera@OPERA
>> 286806445: ---lswrv 0 65534 keyring: _persistent.0
>> $ keyctl purge 556579409
>> purged 0 keys
>> $ keyctl reap
>> 0 keys reaped
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>> Unauthorized
>> $ keyctl list @s
>> 3 keys in keyring:
>> 437165764: --alswrv 0 65534 keyring: _uid.0
>> 556579409: --alswrv 0 0 user:
>> ipa_session_cookie:host/zaira2.opera@OPERA
>> 286806445: ---lswrv 0 65534 keyring: _persistent.0
>>
>> It doesn't seem to purge or to reap.
>>
>>
>>
>> On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <fujisa...@gmail.com> wrote:
>>
>>> Good morning,
>>>
>>> Any suggestion what I should do?
>>>
>>> I still have
>>>
>>> $ ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>> Unauthorized
>>>
>>>
>>> Regards.
>>>
>>>
>>> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>
>>>> I only have this:
>>>>
>>>> $ keyctl list @s
>>>> 1 key in keyring:
>>>> 641467419: --alswrv 0 65534 keyring: _uid.0
>>>> $
>>>>
>>>>
>>>>
>>>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <aboko...@redhat.com>
>>>> wrote:
>>>>
>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>
>>>>>> I forgot to mention that
>>>>>>
>>>>>> $ ipa user-show admin
>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>> Unauthorized
>>>>>>
>>>>> This is most likely because of the cached session to your server.
>>>>>
>>>>> You can check if keyctl list @s returns you something like
>>>>> [root@m1 ~]# keyctl list @s
>>>>> 2 keys in keyring:
>>>>> 496745412: --alswrv 0 65534 keyring: _uid.0
>>>>> 215779962: --alswrv 0 0 user:
>>>>> ipa_session_cookie:ad...@example.com
>>>>>
>>>>> If so, then notice the key number (215779962) for the session cookie,
>>>>> and do:
>>>>>  keyctl purge 215779962
>>>>>  keyctl reap
>>>>>
>>>>> This should make the next 'ipa ...' command ask for a new cookie.
>>>>>
>>>>>
>>>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>>>>
>>>>>>> I still cannot log in to the web UI.
>>>>>>>
>>>>>>> Here is what I did:
>>>>>>>
>>>>>>>1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>>>>2. kinit admin
>>>>>>>Password for admin@OPERA:
>>>>>>>3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k
>>>>>>>/etc/krb5.keytab
>>>>>>>4. systemctl restart sssd.service
>>>>>>>5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>>>>6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-05 Thread Fujisan
I uninstalled the ipa server and reinstalled it. Then restored the backup.
And then the following:

$ keyctl list @s
3 keys in keyring:
437165764: --alswrv 0 65534 keyring: _uid.0
556579409: --alswrv 0 0 user:
ipa_session_cookie:host/zaira2.opera@OPERA
286806445: ---lswrv 0 65534 keyring: _persistent.0
$ keyctl purge 556579409
purged 0 keys
$ keyctl reap
0 keys reaped
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
$ keyctl list @s
3 keys in keyring:
437165764: --alswrv 0 65534 keyring: _uid.0
556579409: --alswrv 0 0 user:
ipa_session_cookie:host/zaira2.opera@OPERA
286806445: ---lswrv 0 65534 keyring: _persistent.0

It doesn't seem to purge or to reap.



On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <fujisa...@gmail.com> wrote:

> Good morning,
>
> Any suggestion what I should do?
>
> I still have
>
> $ ipa user-show admin
> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
> Unauthorized
>
>
> Regards.
>
>
> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <fujisa...@gmail.com> wrote:
>
>> I only have this:
>>
>> $ keyctl list @s
>> 1 key in keyring:
>> 641467419: --alswrv 0 65534 keyring: _uid.0
>> $
>>
>>
>>
>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <aboko...@redhat.com>
>> wrote:
>>
>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>
>>>> I forgot to mention that
>>>>
>>>> $ ipa user-show admin
>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>> Unauthorized
>>>>
>>> This is most likely because of the cached session to your server.
>>>
>>> You can check if keyctl list @s returns you something like
>>> [root@m1 ~]# keyctl list @s
>>> 2 keys in keyring:
>>> 496745412: --alswrv 0 65534 keyring: _uid.0
>>> 215779962: --alswrv 0 0 user:
>>> ipa_session_cookie:ad...@example.com
>>>
>>> If so, then notice the key number (215779962) for the session cookie,
>>> and do:
>>>  keyctl purge 215779962
>>>  keyctl reap
>>>
>>> This should make the next 'ipa ...' command ask for a new cookie.
>>>
>>>
>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>>
>>>>> I still cannot log in to the web UI.
>>>>>
>>>>> Here is what I did:
>>>>>
>>>>>1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>>2. kinit admin
>>>>>Password for admin@OPERA:
>>>>>3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k
>>>>>/etc/krb5.keytab
>>>>>4. systemctl restart sssd.service
>>>>>5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>>6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k
>>>>>/etc/httpd/conf/ipa.keytab
>>>>>7. systemctl restart httpd.service
>>>>>
>>>>>
>>>>> The log says now:
>>>>>
>>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18
>>>>> 17
>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>> HTTP/zaira2.opera@OPERA
>>>>> for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <aboko...@redhat.com
>>>>> >
>>>>> wrote:
>>>>>
>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>
>>>>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>>>> kerberos.
>>>>>>>
>>>>>>> What should I do to fix this?
>>>>>>>
>>>>>>> I have this on the ipa server:
>>>>>>> $ klist -k
>>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>>> KVNO Principal
>>>>>>> ---- --------------------------------------------------------------------------
>>>>>>>   2 host/zaira2.opera@OPERA
>>>>>>>   2 host/zaira2.opera@OPERA
>>>>>>>   2 host/zaira2.opera@OPERA
>>>>>>>   2 host/zaira2.opera@OPERA
>>>>>>>   1 nfs

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-05 Thread Fujisan
I was going to ask about the ipa command error on the ipa server and how to
fix it. But then I just tried again and it works.

$ ipa user-show admin
  User login: admin
  Last name: Administrator
  Home directory: /home/zaira/admin
  Login shell: /bin/bash
  UID: 1000
  GID: 1000
  Account disabled: False
  Password: True
  Member of groups: stagiaires, opera, ipausers, trust admins, admins,
oldstaff
  Kerberos keys available: True
  SSH public key fingerprint:
FA:76:85:EF:2A:D1:12:B9:A8:A4:F4:AE:45:B2:63:05 admin@ipasrv (ssh-dss)

Before trying again, I just ran a 'dnf update' and rebooted the server on
the new kernel (4.1.8-200.fc22.x86_64).

On Mon, Oct 5, 2015 at 4:07 PM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 10/05/2015 12:55 PM, Fujisan wrote:
>
>> It is actually on the ipa server that ipa commands are not working. On ipa
>> clients, I do not have errors.
>>
>>
>>
>> On Mon, Oct 5, 2015 at 12:27 PM, Fujisan <fujisa...@gmail.com> wrote:
>>
>>> I just noticed I can log in to the web UI with user admin and his
>>> password.
>>>
>>> But when I try to configure firefox to use kerberos, I click on "Install
>>> Kerberos Configuration Firefox Extension" button, a message appears
>>> saying
>>> "Firefox prevented this site from asking you to install software on your
>>> computer", so I click on the "Allow" button and then another message
>>> appears "The add-on downloaded from this site could not be installed
>>> because it appears to be corrupt.".
>>>
>>
> Here you hit https://fedorahosted.org/freeipa/ticket/4906
>
> The fix (it will be in the 4.2.2 release) for this ticket changes the
> procedure for new versions of Firefox to a manual configuration. Basically
> the steps for Firefox which are described on the page
> http://your-ipa.example.test/ipa/config/ssbrowser.html
>
>
>
>>> And the ipa commands are still not working.
>>> $ ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>> Unauthorized
>>>
>>>
>>> On Mon, Oct 5, 2015 at 12:13 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>
>>>> I uninstalled the ipa server and reinstalled it. Then restored the
>>>> backup.
>>>> And then the following:
>>>>
>>>> $ keyctl list @s
>>>> 3 keys in keyring:
>>>> 437165764: --alswrv 0 65534 keyring: _uid.0
>>>> 556579409: --alswrv 0 0 user:
>>>> ipa_session_cookie:host/zaira2.opera@OPERA
>>>> 286806445: ---lswrv 0 65534 keyring: _persistent.0
>>>> $ keyctl purge 556579409
>>>> purged 0 keys
>>>> $ keyctl reap
>>>> 0 keys reaped
>>>> $ ipa user-show admin
>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>> Unauthorized
>>>> $ keyctl list @s
>>>> 3 keys in keyring:
>>>> 437165764: --alswrv 0 65534 keyring: _uid.0
>>>> 556579409: --alswrv 0 0 user:
>>>> ipa_session_cookie:host/zaira2.opera@OPERA
>>>> 286806445: ---lswrv 0 65534 keyring: _persistent.0
>>>>
>>>> It doesn't seem to purge or to reap.
>>>>
>>>>
>>>>
>>>> On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <fujisa...@gmail.com> wrote:
>>>>
>>>>> Good morning,
>>>>>
>>>>> Any suggestion what I should do?
>>>>>
>>>>> I still have
>>>>>
>>>>> $ ipa user-show admin
>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>> Unauthorized
>>>>>
>>>>>
>>>>> Regards.
>>>>>
>>>>>
>>>>> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>>>
>>>>>> I only have this:
>>>>>>
>>>>>> $ keyctl list @s
>>>>>> 1 key in keyring:
>>>>>> 641467419: --alswrv 0 65534 keyring: _uid.0
>>>>>> $
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <
>>>>>> aboko...@redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>
>>>>>>>> I forgot to mention that
>>>>>>>>
>>>>>>>> $ ipa user-sho

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-02 Thread Fujisan
More info:

I can initiate a ticket:
$ kdestroy
$ kinit admin

but cannot view user admin:
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized

$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

/var/log/messages:
Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check
failed. Unable to create GSSAPI-encrypted LDAP connection.



On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisa...@gmail.com> wrote:

> Hello,
>
> I cannot log in to the web UI anymore.
>
> The password or username you entered is incorrect.
>
> Log says:
>
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA
> for krbtgt/OPERA@OPERA, Additional pre-authentication required
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
> (encrypted_timestamp) verify failure: Decrypt integrity check failed
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA
> for krbtgt/OPERA@OPERA, Decrypt integrity check failed
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>
>
> I have no idea what went wrong.
>
> What can I do?
>
> Regards,
> Fuji
>
>

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-02 Thread Fujisan
Well, I think I messed up when trying to configure cockpit to use kerberos.

What should I do to fix this?

I have this on the ipa server:
$ klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA


On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Fri, 02 Oct 2015, Fujisan wrote:
>
>> More info:
>>
>> I can initiate a ticket:
>> $ kdestroy
>> $ kinit admin
>>
>> but cannot view user admin:
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>> Unauthorized
>>
>> $ ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> ipa_memcached Service: RUNNING
>> httpd Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> smb Service: RUNNING
>> winbind Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>> /var/log/messages:
>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>> check
>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>
> What did you do?
>
> This and the log below about HTTP/zaira2.opera@OPERA show that you have
> different keys in LDAP and in your keytab files for host/zaira2.opera
> and HTTP/zaira2.opera principals. This might happen if somebody removed
> the principals from LDAP (ipa service-del/ipa service-add, or ipa
> host-del/ipa host-add) so that they become non-synchronized with
> whatever you have in the keytab files.
>
>
> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisa...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I cannot log in to the web UI anymore.
>>>
>>> The password or username you entered is incorrect.
>>>
>>> Log says:
>>>
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA
>>> for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>> (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA
>>> for krbtgt/OPERA@OPERA, Decrypt integrity check failed
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>
>>>
>>> I have no idea what went wrong.
>>>
>>> What can I do?
>>>
>>> Regards,
>>> Fuji
>>>
>>>
>>>
>>
>
>
> --
> / Alexander Bokovoy
>

[Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-02 Thread Fujisan
Hello,

I cannot log in to the web UI anymore.

The password or username you entered is incorrect.

Log says:

Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for
krbtgt/OPERA@OPERA, Additional pre-authentication required
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
(encrypted_timestamp) verify failure: Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for
krbtgt/OPERA@OPERA, Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12


I have no idea what went wrong.

What can I do?

Regards,
Fuji

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-02 Thread Fujisan
I forgot to mention that

$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized

On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisa...@gmail.com> wrote:

> I still cannot log in to the web UI.
>
> Here is what I did:
>
>1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>2. kinit admin
>Password for admin@OPERA:
>3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k
>/etc/krb5.keytab
>4. systemctl restart sssd.service
>5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k
>/etc/httpd/conf/ipa.keytab
>7. systemctl restart httpd.service
>
> The log says now:
>
> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17
> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA
> for krbtgt/OPERA@OPERA, Additional pre-authentication required
>
>
>
> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <aboko...@redhat.com>
> wrote:
>
>> On Fri, 02 Oct 2015, Fujisan wrote:
>>
>>> Well, I think I messed up when trying to configure cockpit to use
>>> kerberos.
>>>
>>> What should I do to fix this?
>>>
>>> I have this on the ipa server:
>>> $ klist -k
>>> Keytab name: FILE:/etc/krb5.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------
>>>   2 host/zaira2.opera@OPERA
>>>   2 host/zaira2.opera@OPERA
>>>   2 host/zaira2.opera@OPERA
>>>   2 host/zaira2.opera@OPERA
>>>   1 nfs/zaira2.opera@OPERA
>>>   1 nfs/zaira2.opera@OPERA
>>>   1 nfs/zaira2.opera@OPERA
>>>   1 nfs/zaira2.opera@OPERA
>>>   3 HTTP/zaira2.opera@OPERA
>>>   3 HTTP/zaira2.opera@OPERA
>>>   3 HTTP/zaira2.opera@OPERA
>>>   3 HTTP/zaira2.opera@OPERA
>>>
>>> You can start by:
>> 0. backup every file mentioned below
>> 1. Move /etc/krb5.keytab somewhere
>> 2. kinit as admin
>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>> 4. restart SSSD
>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>> /etc/httpd/conf/ipa.keytab
>> 7. Restart httpd
>>
>> Every time you run 'ipa-getkeytab', Kerberos key for the service
>> specified by you is replaced on the server side so that keys in the
>> keytabs become unusable.
>>
>> I guess cockpit instructions were for something that was not supposed to
>> run on IPA master. On IPA master there are already all needed services
>> (host/ and HTTP/) and their keytabs are in place.
>>
>>
>>
>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <aboko...@redhat.com>
>>> wrote:
>>>
>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>
>>>> More info:
>>>>>
>>>>> I can initiate a ticket:
>>>>> $ kdestroy
>>>>> $ kinit admin
>>>>>
>>>>> but cannot view user admin:
>>>>> $ ipa user-show admin
>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>> Unauthorized
>>>>>
>>>>> $ ipactl status
>>>>> Directory Service: RUNNING
>>>>> krb5kdc Service: RUNNING
>>>>> kadmin Service: RUNNING
>>>>> named Service: RUNNING
>>>>> ipa_memcached Service: RUNNING
>>>>> httpd Service: RUNNING
>>>>> pki-tomcatd Service: RUNNING
>>>>> smb Service: RUNNING
>>>>> winbind Service: RUNNING
>>>>> ipa-otpd Service: RUNNING
>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>> ipa: INFO: The ipactl command was successful
>>>>>
>>>>> /var/log/messages:
>>>>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>>>>> check
>>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>
>>>>> What did you do?
>>>>
>>>> This and the log below about HTTP/zaira2.opera@OPERA show that you have
>>>> different keys in LDAP and in your keytab files for host/zaira2.opera
>>>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
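Alexander's point that each `ipa-getkeytab` run replaces the service key on the server side, so that every older keytab copy stops working, is the thing to verify after the seven steps above. As an added example (my own script, not from the thread or from FreeIPA), the POSIX shell below parses `klist -k` output to show the highest KVNO per principal, then tries a keytab-only `kinit` for each principal so a keytab that the KDC rejects shows up as a FAIL line on the host instead of only as "Decrypt integrity check failed" in the KDC log. The function names and the sample `klist -k` output are constructed; the sample is modelled on the output quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the thread: audit a keytab against the KDC.
# Function names and the sample klist output below are constructed for
# illustration.

# Constructed sample in `klist -k` format, modelled on the thread's output.
# klist prints one row per (kvno, enctype), hence the repeated rows.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   4 HTTP/zaira2.opera@OPERA'

# keytab_principals: read `klist -k` output on stdin and print one line per
# principal, "<highest kvno> <principal>", in first-seen order.
keytab_principals() {
    awk '
        $1 ~ /^[0-9]+$/ && NF == 2 {
            if (!($2 in seen)) { order[++n] = $2; seen[$2] = 1; kvno[$2] = $1 }
            else if ($1 + 0 > kvno[$2] + 0) kvno[$2] = $1
        }
        END { for (i = 1; i <= n; i++) print kvno[order[i]], order[i] }
    '
}

# verify_keytab KEYTAB: for every principal in KEYTAB, try to obtain a TGT with
# the keytab key alone (kinit -kt).  The KDC rejects the request with "Decrypt
# integrity check failed" when the keytab holds an older key than the one in
# LDAP, which is what an extra ipa-getkeytab run for the same service causes.
# Uses a throwaway credential cache so the caller's tickets are untouched.
# Returns 1 if any principal fails.
verify_keytab() {
    keytab="${1:-/etc/krb5.keytab}"
    ccache=$(mktemp)
    failed=0
    list=$(klist -k "$keytab" | keytab_principals)
    for princ in $(printf '%s\n' "$list" | awk '{ print $2 }'); do
        kvno=$(printf '%s\n' "$list" | awk -v p="$princ" '$2 == p { print $1 }')
        if kinit -c "FILE:$ccache" -kt "$keytab" "$princ" 2>/dev/null; then
            echo "OK   kvno=$kvno $princ"
        else
            echo "FAIL kvno=$kvno $princ (keytab key rejected by KDC)"
            failed=1
        fi
    done
    rm -f "$ccache"
    return $failed
}

# demo_parse: run only the parser, over the constructed sample (no KDC needed).
demo_parse() {
    printf '%s\n' "$SAMPLE_KLIST" | keytab_principals
}

# With a keytab path as argument, audit that keytab (needs read access to it,
# i.e. root for /etc/krb5.keytab); without one, just show the parser.
if [ "$#" -gt 0 ]; then
    verify_keytab "$1"
else
    demo_parse
fi
```

Run as root on the IPA master as `sh keytab-check.sh /etc/krb5.keytab` and again with `/etc/httpd/conf/ipa.keytab` after step 7. A FAIL line for host/ or HTTP/ means the keytab and the KDC still disagree and another round of the procedure is needed; the script itself never calls `ipa-getkeytab`, so running it does not rotate anything.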

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-02 Thread Fujisan
I still cannot login to the web UI.

Here is what I did:

   1. mv /etc/krb5.keytab /etc/krb5.keytab.save
   2. kinit admin
   Password for admin@OPERA:
   3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k
   /etc/krb5.keytab
   4. systemctl restart sssd.service
   5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
   6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k
   /etc/httpd/conf/ipa.keytab
   7. systemctl restart httpd.service

The log says now:

Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17
16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for
krbtgt/OPERA@OPERA, Additional pre-authentication required



On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Fri, 02 Oct 2015, Fujisan wrote:
>
>> Well, I think I messed up when trying to configure cockpit to use
>> kerberos.
>>
>> What should I do to fix this?
>>
>> I have this on the ipa server:
>> $ klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------
>>   2 host/zaira2.opera@OPERA
>>   2 host/zaira2.opera@OPERA
>>   2 host/zaira2.opera@OPERA
>>   2 host/zaira2.opera@OPERA
>>   1 nfs/zaira2.opera@OPERA
>>   1 nfs/zaira2.opera@OPERA
>>   1 nfs/zaira2.opera@OPERA
>>   1 nfs/zaira2.opera@OPERA
>>   3 HTTP/zaira2.opera@OPERA
>>   3 HTTP/zaira2.opera@OPERA
>>   3 HTTP/zaira2.opera@OPERA
>>   3 HTTP/zaira2.opera@OPERA
>>
>> You can start by:
> 0. backup every file mentioned below
> 1. Move /etc/krb5.keytab somewhere
> 2. kinit as admin
> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
> 4. restart SSSD
> 5. Move /etc/httpd/conf/ipa.keytab somewhere
> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
> /etc/httpd/conf/ipa.keytab
> 7. Restart httpd
>
> Every time you run 'ipa-getkeytab', Kerberos key for the service
> specified by you is replaced on the server side so that keys in the
> keytabs become unusable.
>
> I guess cockpit instructions were for something that was not supposed to
> run on IPA master. On IPA master there are already all needed services
> (host/ and HTTP/) and their keytabs are in place.
>
>
>
>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <aboko...@redhat.com>
>> wrote:
>>
>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>
>>> More info:
>>>>
>>>> I can initiate a ticket:
>>>> $ kdestroy
>>>> $ kinit admin
>>>>
>>>> but cannot view user admin:
>>>> $ ipa user-show admin
>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>> Unauthorized
>>>>
>>>> $ ipactl status
>>>> Directory Service: RUNNING
>>>> krb5kdc Service: RUNNING
>>>> kadmin Service: RUNNING
>>>> named Service: RUNNING
>>>> ipa_memcached Service: RUNNING
>>>> httpd Service: RUNNING
>>>> pki-tomcatd Service: RUNNING
>>>> smb Service: RUNNING
>>>> winbind Service: RUNNING
>>>> ipa-otpd Service: RUNNING
>>>> ipa-dnskeysyncd Service: RUNNING
>>>> ipa: INFO: The ipactl command was successful
>>>>
>>>> /var/log/messages:
>>>> Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>>>> check
>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>
>>>> What did you do?
>>>
>>> This and the log below about HTTP/zaira2.opera@OPERA show that you have
>>> different keys in LDAP and in your keytab files for host/zaira2.opera
>>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>> host-del/ipa host-add) so that they become non-synchronized with
>>> whatever you have in the keytab files.
>>>
>>>
>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>
>>>>
>>>> Hello,
>>>>
>>>>>
>>>>> I cannot login to the web UI anymore.
>>>>>
>>>>> The password or username you entered is incorrect.
>>>>>
>>>>> Log says:
>>>>>
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18
>>>>> 17
>>>>> 

[Freeipa-users] User removed from IPA but still present in LDAP, so cannot add him again in IPA web UI

2015-10-01 Thread Fujisan
Hello,

I want to add user 'user1' with the freeipa web UI. It is not present in
the list of users in the web UI but when I click "add", it says 'user with
name "user1" already exists'.

ldapsearch shows 'user1' is there:
---
$ ldapsearch -x -h ipasrv uid=user1
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] User removed from IPA but still present in LDAP, so cannot add him again in IPA web UI

2015-10-01 Thread Fujisan
I get this:

-
$ ldapsearch -D cn=directory\ manager -W -b cn=accounts,dc=mydomain
'(uid=user1*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base