From pspacek at redhat.com  Mon Jul  1 06:50:02 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 01 Jul 2013 08:50:02 +0200
Subject: [Freeipa-users] Service...not found in Kerberos database
In-Reply-To: <1464774.RA4R9SJAkZ@hosanna>
References: <1464774.RA4R9SJAkZ@hosanna>
Message-ID: <51D1269A.30101@redhat.com>

On 29.6.2013 09:40, Joshua J. Kugler wrote:
> We are trying to query an IPA server from a new IPA server (not replication,
> just trying to query to recreate accounts).
>
> But, when I run the query, I get this:
>
> [root at ipan ~]# ipa -vvv -e xmlrpc_uri=https://ipa0.lab.whamcloud.com/ipa/xml
> user-show jkugler
> ipa: INFO: trying https://ipa0.lab.whamcloud.com/ipa/xml
> ipa: INFO: Forwarding 'user_show' to server
> u'https://ipa0.lab.whamcloud.com/ipa/xml'
> ipa: ERROR: Service 'HTTP at ipa0.lab.whamcloud.com' not found in Kerberos
> database
>
> I've done some googling, and what the answers I found had to do with DNS
> issues, but I don't believe that is the cause in our case, due to DNS lookups
> seeming to work.
>
> [root at ipan ~]# host ipan.lab.whamcloud.com
> ipan.lab.whamcloud.com has address 10.10.0.50
> [root at ipan ~]# host ipa0.lab.whamcloud.com
> ipa0.lab.whamcloud.com has address 10.10.0.4
> [root at ipan ~]# host 10.10.0.50
> 50.0.10.10.in-addr.arpa domain name pointer ipan.lab.whamcloud.com.
> [root at ipan ~]# host 10.10.0.4
> 4.0.10.10.in-addr.arpa domain name pointer ipa0.lab.whamcloud.com.
>
> What config do I need to tweak on the new server to allow it to query the old
> server?

I guess that now you have two FreeIPA servers with different host names but 
with the same FreeIPA domain and Kerberos REALM name, right? Please correct me 
if I'm wrong.

This configuration can't work with Kerberos authentication. Authentication to 
only one server will work at one time, because there is no reliable way how to 
find which KDC (old or new) you should query.

IMHO the simplest way how to work around this situation is to generate list of 
users etc. on the 'old' server, save the data to a file and transfer files to 
the new server. (And then decommission the old server.)

This will save you a pain caused by mis-configured Kerberos, but you will have 
to solve file parsing.

-- 
Petr^2 Spacek



From james.hogarth at gmail.com  Mon Jul  1 07:56:23 2013
From: james.hogarth at gmail.com (James Hogarth)
Date: Mon, 1 Jul 2013 08:56:23 +0100
Subject: [Freeipa-users] named seg faulting
Message-ID: <CAGkb5vfs_BcjvsjsmBbj1T78oTQfMUcQuYCFpBAeZm2YDBzr6g@mail.gmail.com>

Hi all,

We're seeing an odd issue where when rndc reload is called named segfaults
but not 100% of the time ... so the exact circumstances are hard to
reproduce although it happens on all four instances (sometime at the same
time which is problematic).

When it happens we see the following in the logs:

Jun 30 03:07:02 ipa01 named[4228]: client 10.137.17.1#52842: received
notify for zone 'example.com'
Jun 30 03:07:03 ipa01 named[4228]: client 10.137.17.1#1131: received notify
for zone '9.139.10.in-addr.arpa'
Jun 30 03:07:03 ipa01 named[4228]: client 10.137.17.1#1131: received notify
for zone 'dev.example.com'
Jun 30 03:07:03 ipa01 named[4228]: client 10.137.17.1#1131: received notify
for zone '8.139.10.in-addr.arpa'
Jun 30 03:07:03 ipa01 named[4228]: client 10.137.17.1#1131: received notify
for zone 'prod.example.com'
Jun 30 03:07:03 ipa01 named[4228]: client 10.137.17.1#64362: received
notify for zone '16.137.10.in-addr.arpa'
Jun 30 03:07:03 ipa01 named[4228]: client 10.137.17.1#64362: received
notify for zone '17.137.10.in-addr.arpa'
Jun 30 03:07:03 ipa01 named[4228]: client 10.137.17.1#64362: received
notify for zone '18.137.10.in-addr.arpa'
Jun 30 03:07:03 ipa01 named[4228]: client 10.137.17.1#64362: received
notify for zone '19.137.10.in-addr.arpa'
Jun 30 03:07:07 ipa01 named[4228]: client 10.137.17.1#56263: received
notify for zone '17.137.10.in-addr.arpa'
Jun 30 03:07:08 ipa01 named[4228]: client 10.137.17.1#30345: received
notify for zone '18.137.10.in-addr.arpa'
Jun 30 03:07:08 ipa01 named[4228]: client 10.137.17.1#30345: received
notify for zone '19.137.10.in-addr.arpa'
Jun 30 03:10:01 ipa01 named[4228]: received control channel command 'reload'
Jun 30 03:10:01 ipa01 named[4228]: loading configuration from
'/etc/named.conf'
Jun 30 03:10:01 ipa01 named[4228]: using default UDP/IPv4 port range:
[1024, 65535]
Jun 30 03:10:01 ipa01 named[4228]: using default UDP/IPv6 port range:
[1024, 65535]
Jun 30 03:10:01 ipa01 named[4228]: sizing zone task pool based on 6 zones
Jun 30 03:10:01 ipa01 named[4228]: /etc/named.conf:12: no forwarders seen;
disabling forwarding
Jun 30 03:10:01 ipa01 named[4228]: Warning:
'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty
zones
Jun 30 03:10:01 ipa01 named[4228]: /etc/named.conf:12: no forwarders seen;
disabling forwarding
Jun 30 03:10:01 ipa01 named[4228]: reloading configuration succeeded
Jun 30 03:10:01 ipa01 named[4228]: reloading zones succeeded
Jun 30 03:10:01 ipa01 named[4228]: task.c:1448: REQUIRE(task->state ==
task_state_running) failed, back trace
Jun 30 03:10:01 ipa01 named[4228]: #0 0x7f1996e74eff in ??
Jun 30 03:10:01 ipa01 named[4228]: #1 0x7f199582589a in ??
Jun 30 03:10:01 ipa01 named[4228]: #2 0x7f1995843a8f in ??
Jun 30 03:10:01 ipa01 named[4228]: #3 0x7f19904df97f in ??
Jun 30 03:10:01 ipa01 named[4228]: #4 0x7f19904e0df3 in ??
Jun 30 03:10:01 ipa01 named[4228]: #5 0x7f19904e3e8c in ??
Jun 30 03:10:01 ipa01 named[4228]: #6 0x7f19951f9851 in ??
Jun 30 03:10:01 ipa01 named[4228]: #7 0x7f199475b90d in ??
Jun 30 03:10:01 ipa01 named[4228]: exiting (due to assertion failure)

Has anyone else seen similar behaviour or have any idea what could be
causing this?

The systems are CentOS 6.4 with:
bind-9.8.2-0.17.rc1.el6_4.4.x86_64
bind-dyndb-ldap-2.3-2.el6.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-1.9.2-82.7.el6_4.x86_64
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
389-ds-base-1.2.11.15-14.el6_4.x86_64

Cheers,

James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130701/09f2aefc/attachment.htm>

From pspacek at redhat.com  Mon Jul  1 08:26:11 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 01 Jul 2013 10:26:11 +0200
Subject: [Freeipa-users] named seg faulting
In-Reply-To: <CAGkb5vfs_BcjvsjsmBbj1T78oTQfMUcQuYCFpBAeZm2YDBzr6g@mail.gmail.com>
References: <CAGkb5vfs_BcjvsjsmBbj1T78oTQfMUcQuYCFpBAeZm2YDBzr6g@mail.gmail.com>
Message-ID: <51D13D23.3080404@redhat.com>

On 1.7.2013 09:56, James Hogarth wrote:
> Jun 30 03:10:01 ipa01 named[4228]: reloading configuration succeeded
> Jun 30 03:10:01 ipa01 named[4228]: reloading zones succeeded
> Jun 30 03:10:01 ipa01 named[4228]: task.c:1448: REQUIRE(task->state ==
> task_state_running) failed, back trace
> Jun 30 03:10:01 ipa01 named[4228]: #0 0x7f1996e74eff in ??
> Jun 30 03:10:01 ipa01 named[4228]: #1 0x7f199582589a in ??
> Jun 30 03:10:01 ipa01 named[4228]: #2 0x7f1995843a8f in ??
> Jun 30 03:10:01 ipa01 named[4228]: #3 0x7f19904df97f in ??
> Jun 30 03:10:01 ipa01 named[4228]: #4 0x7f19904e0df3 in ??
> Jun 30 03:10:01 ipa01 named[4228]: #5 0x7f19904e3e8c in ??
> Jun 30 03:10:01 ipa01 named[4228]: #6 0x7f19951f9851 in ??
> Jun 30 03:10:01 ipa01 named[4228]: #7 0x7f199475b90d in ??
> Jun 30 03:10:01 ipa01 named[4228]: exiting (due to assertion failure)
>
> Has anyone else seen similar behaviour or have any idea what could be
> causing this?
>
> The systems are CentOS 6.4 with:
> bind-9.8.2-0.17.rc1.el6_4.4.x86_64
> bind-dyndb-ldap-2.3-2.el6.x86_64

You are using old version of bind-dyndb-ldap.

Please see:
http://rhn.redhat.com/errata/RHBA-2013-0739.html
https://bugzilla.redhat.com/show_bug.cgi?id=928429

Upgrade to bind-dyndb-ldap-2.3-2.el6_4.1 should fix the problem.

As usual, we recommend to use latest released bits.

-- 
Petr^2 Spacek



From james.hogarth at gmail.com  Mon Jul  1 09:45:47 2013
From: james.hogarth at gmail.com (James Hogarth)
Date: Mon, 1 Jul 2013 10:45:47 +0100
Subject: [Freeipa-users] named seg faulting
In-Reply-To: <51D13D23.3080404@redhat.com>
References: <CAGkb5vfs_BcjvsjsmBbj1T78oTQfMUcQuYCFpBAeZm2YDBzr6g@mail.gmail.com>
	<51D13D23.3080404@redhat.com>
Message-ID: <CAGkb5vfNuoTUxUr6PHiZk5M-a4sb2AhcJ-JdTcFuv0nnto7EAQ@mail.gmail.com>

> You are using old version of bind-dyndb-ldap.
>
> Please see:
> http://rhn.redhat.com/errata/**RHBA-2013-0739.html<http://rhn.redhat.com/errata/RHBA-2013-0739.html>
> https://bugzilla.redhat.com/**show_bug.cgi?id=928429<https://bugzilla.redhat.com/show_bug.cgi?id=928429>
>
> Upgrade to bind-dyndb-ldap-2.3-2.el6_4.1 should fix the problem.
>
>
Thanks Petr ... looks like that's not in the CentOS repositories ... I'll
give those guys a heads up ...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130701/b41f5293/attachment.htm>

From james.hogarth at gmail.com  Mon Jul  1 10:06:22 2013
From: james.hogarth at gmail.com (James Hogarth)
Date: Mon, 1 Jul 2013 11:06:22 +0100
Subject: [Freeipa-users] named seg faulting
In-Reply-To: <CAGkb5vfNuoTUxUr6PHiZk5M-a4sb2AhcJ-JdTcFuv0nnto7EAQ@mail.gmail.com>
References: <CAGkb5vfs_BcjvsjsmBbj1T78oTQfMUcQuYCFpBAeZm2YDBzr6g@mail.gmail.com>
	<51D13D23.3080404@redhat.com>
	<CAGkb5vfNuoTUxUr6PHiZk5M-a4sb2AhcJ-JdTcFuv0nnto7EAQ@mail.gmail.com>
Message-ID: <CAGkb5vc7LmwMAK_xRAz=uJM3_7HpjYyE0XMM40ou2UM4_uU_4w@mail.gmail.com>

> Upgrade to bind-dyndb-ldap-2.3-2.el6_4.1 should fix the problem.
>>
>>
> Thanks Petr ... looks like that's not in the CentOS repositories ... I'll
> give those guys a heads up ...
>
>
>
>

A quick look and it appears that the SRPM isn't in the public FTP server
... opened bug https://bugzilla.redhat.com/show_bug.cgi?id=980046 to get
this corrected.

James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130701/caff5ee6/attachment.htm>

From pspacek at redhat.com  Mon Jul  1 10:39:50 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 01 Jul 2013 12:39:50 +0200
Subject: [Freeipa-users] named seg faulting
In-Reply-To: <CAGkb5vc7LmwMAK_xRAz=uJM3_7HpjYyE0XMM40ou2UM4_uU_4w@mail.gmail.com>
References: <CAGkb5vfs_BcjvsjsmBbj1T78oTQfMUcQuYCFpBAeZm2YDBzr6g@mail.gmail.com>
	<51D13D23.3080404@redhat.com>
	<CAGkb5vfNuoTUxUr6PHiZk5M-a4sb2AhcJ-JdTcFuv0nnto7EAQ@mail.gmail.com>
	<CAGkb5vc7LmwMAK_xRAz=uJM3_7HpjYyE0XMM40ou2UM4_uU_4w@mail.gmail.com>
Message-ID: <51D15C76.4060600@redhat.com>

On 1.7.2013 12:06, James Hogarth wrote:
>> Upgrade to bind-dyndb-ldap-2.3-2.el6_4.1 should fix the problem.
>>>
>>>
>> Thanks Petr ... looks like that's not in the CentOS repositories ... I'll
>> give those guys a heads up ...
>>
>>
>>
>>
>
> A quick look and it appears that the SRPM isn't in the public FTP server
> ... opened bug https://bugzilla.redhat.com/show_bug.cgi?id=980046 to get
> this corrected.

I meanwhile I recommend you to build version 2.6:
https://fedorahosted.org/released/bind-dyndb-ldap/bind-dyndb-ldap-2.6.tar.bz2

It includes some fixes not-yet accepted for RHEL.

Build-requires list is pretty small: only bind-devel, krb5-devel and 
openldap-devel. The build itself is pretty straight-forward.

-- 
Petr^2 Spacek



From rcritten at redhat.com  Mon Jul  1 18:16:18 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Jul 2013 14:16:18 -0400
Subject: [Freeipa-users] Service...not found in Kerberos database
In-Reply-To: <51D1269A.30101@redhat.com>
References: <1464774.RA4R9SJAkZ@hosanna> <51D1269A.30101@redhat.com>
Message-ID: <51D1C772.4030703@redhat.com>

Petr Spacek wrote:
> On 29.6.2013 09:40, Joshua J. Kugler wrote:
>> We are trying to query an IPA server from a new IPA server (not
>> replication,
>> just trying to query to recreate accounts).
>>
>> But, when I run the query, I get this:
>>
>> [root at ipan ~]# ipa -vvv -e
>> xmlrpc_uri=https://ipa0.lab.whamcloud.com/ipa/xml
>> user-show jkugler
>> ipa: INFO: trying https://ipa0.lab.whamcloud.com/ipa/xml
>> ipa: INFO: Forwarding 'user_show' to server
>> u'https://ipa0.lab.whamcloud.com/ipa/xml'
>> ipa: ERROR: Service 'HTTP at ipa0.lab.whamcloud.com' not found in Kerberos
>> database
>>
>> I've done some googling, and what the answers I found had to do with DNS
>> issues, but I don't believe that is the cause in our case, due to DNS
>> lookups
>> seeming to work.
>>
>> [root at ipan ~]# host ipan.lab.whamcloud.com
>> ipan.lab.whamcloud.com has address 10.10.0.50
>> [root at ipan ~]# host ipa0.lab.whamcloud.com
>> ipa0.lab.whamcloud.com has address 10.10.0.4
>> [root at ipan ~]# host 10.10.0.50
>> 50.0.10.10.in-addr.arpa domain name pointer ipan.lab.whamcloud.com.
>> [root at ipan ~]# host 10.10.0.4
>> 4.0.10.10.in-addr.arpa domain name pointer ipa0.lab.whamcloud.com.
>>
>> What config do I need to tweak on the new server to allow it to query
>> the old
>> server?
>
> I guess that now you have two FreeIPA servers with different host names
> but with the same FreeIPA domain and Kerberos REALM name, right? Please
> correct me if I'm wrong.
>
> This configuration can't work with Kerberos authentication.
> Authentication to only one server will work at one time, because there
> is no reliable way how to find which KDC (old or new) you should query.
>
> IMHO the simplest way how to work around this situation is to generate
> list of users etc. on the 'old' server, save the data to a file and
> transfer files to the new server. (And then decommission the old server.)
>
> This will save you a pain caused by mis-configured Kerberos, but you
> will have to solve file parsing.
>

You can also use ipa migrate-ds command to move users and groups from 
one IPA server to another.

rob



From rcritten at redhat.com  Mon Jul  1 18:21:48 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Jul 2013 14:21:48 -0400
Subject: [Freeipa-users] migrate-ds "is not a POSIX user"
In-Reply-To: <51CDFF35.8090604@redhat.com>
References: <CAM0XOKD-1bsRo3TvwRjSHVsApJhkSTTvPVTHyB_DLX0kLaegUg@mail.gmail.com>
	<51CDE055.10801@redhat.com> <51CDFF35.8090604@redhat.com>
Message-ID: <51D1C8BC.30005@redhat.com>

Dmitri Pal wrote:
> On 06/28/2013 03:13 PM, Dmitri Pal wrote:
>> On 06/19/2013 04:39 PM, Alex Lawrence wrote:
>>> Hello!
>>>
>>> I'm working on trying to migrate users into FreeIPA 3.1.5 (Fedora 18)
>>> from DS389 (CentOS 6) 1.2.2.  I've enabled migration on DS389 and I'm
>>> attempting to migrate a subset of people using:
>>>
>>> ipa migrate-ds --user-container="ou=Systems &
>>> Networking,ou=Personnel,dc=plu,dc=edu" --ignore* ldap://LDAP-SERVER:389
>>>
>>> The out put is:
>>>
>>> -----------
>>> migrate-ds:
>>> -----------
>>> Migrated:
>>> Failed user:
>>>   %UID%: %UID% is not a POSIX user
>>>   %UID%: %UID% is not a POSIX user
>>>   %UID%: %UID% is not a POSIX user
>>>
>>> And so on.
>>>
>>> I've imported my schema into FreeIPA so that it knows my additional
>>> attributes; however, just to be safe I've also tried running the
>>> import ignoring any objectclass in use with the same output.
>>>
>>> --user-ignore-objectclass=pluEduPerson,mailRecipient,eduPerson,posixAccount,inetOrgPerson,organizationalPerson
>>>
>>> I've added the posixAccount object class to a handful of accounts in
>>> question on my DS389 side to be sure that was not an issue either and
>>> that gives me the same result.
>>>
>>> I'm sure this is something simple that I'm missing, any suggestions
>>> would be appreciated.
>
>
> Please check the accounts that are skipped, they are most likely missing
> some POSIX required attribute (though from LDAP point of view it is an
> optional attribute), UID for example or SN.
> Please add missing attributes and try again. The easiest way to do this
> is to compare posix attributes between the entry that is migrated
> without problems and one that is not accepted. There are only 6 posix
> attributes so it should be easy to spot.
>
> If you can't do it in your existing instance take an LDIF load it it
> into another instance and modify users there then migrate from that
> instance.
> I hope this would give you at least a starting point, have a nice weekend.

We look for gidNumber when doing the migration. Users without one aren't 
migrated.

rob



From joshua at azariah.com  Tue Jul  2 06:28:58 2013
From: joshua at azariah.com (Joshua J. Kugler)
Date: Mon, 01 Jul 2013 22:28:58 -0800
Subject: [Freeipa-users] Service...not found in Kerberos database
In-Reply-To: <51D1C772.4030703@redhat.com>
References: <1464774.RA4R9SJAkZ@hosanna> <51D1269A.30101@redhat.com>
	<51D1C772.4030703@redhat.com>
Message-ID: <2718450.WmELabvR7a@hosanna>

On Monday, July 01, 2013 14:16:18 Rob Crittenden wrote:
> You can also use ipa migrate-ds command to move users and groups from
> one IPA server to another.

That might be an option, but I take it, due to the Kerberos stuff, that it will 
not migrate passwords?  Getting full replication working would be required for 
that, no?

j

-- 
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
joshua at azariah.com - Jabber: pedahzur at gmail.com
PGP Key: http://pgp.mit.edu/  ID 0x73B13B6A



From james.hogarth at gmail.com  Tue Jul  2 06:34:26 2013
From: james.hogarth at gmail.com (James Hogarth)
Date: Tue, 2 Jul 2013 07:34:26 +0100
Subject: [Freeipa-users] named seg faulting
In-Reply-To: <51D15C76.4060600@redhat.com>
References: <CAGkb5vfs_BcjvsjsmBbj1T78oTQfMUcQuYCFpBAeZm2YDBzr6g@mail.gmail.com>
	<51D13D23.3080404@redhat.com>
	<CAGkb5vfNuoTUxUr6PHiZk5M-a4sb2AhcJ-JdTcFuv0nnto7EAQ@mail.gmail.com>
	<CAGkb5vc7LmwMAK_xRAz=uJM3_7HpjYyE0XMM40ou2UM4_uU_4w@mail.gmail.com>
	<51D15C76.4060600@redhat.com>
Message-ID: <CAGkb5ve7q_eRXDEu00Vd38yHu52Ox=CH4vLqO0ZfFn0-ah29MQ@mail.gmail.com>

>
> I meanwhile I recommend you to build version 2.6:
>
https://fedorahosted.org/released/bind-dyndb-ldap/bind-dyndb-ldap-2.6.tar.bz2
>
> It includes some fixes not-yet accepted for RHEL.
>

Interesting... I might build and test but generally I prefer to keep to
packages accepted to rhel...

As an FYI to other CentOS users the srpm was published yesterday and was
built and pushed to the CentOS repositories last night.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130702/c2705970/attachment.htm>

From linux at karasik.org  Tue Jul  2 12:41:54 2013
From: linux at karasik.org (Vitaly)
Date: Tue, 2 Jul 2013 15:41:54 +0300
Subject: [Freeipa-users] How to change krbPasswordExpiration for service
	accounts
Message-ID: <CANpTS03jnOgZzZ8sMLQexsD7MUvHTC6MQ6+qyn5wPhMOinExfQ@mail.gmail.com>

I already read
https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.htmlthread,
but I am not sure I understand suggested solution.
So my question - how I can change krbPasswordExpiration for certain account?

ipa user-mod service  --setattr=krbPasswordExpiration=20381231011529Z

returns

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'krbPasswordExpiration' attribute of entry
'uid=service,cn=users,cn=accounts,dc=example,dc=com'.

TIA,
Vitaly
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130702/8622cd80/attachment.htm>

From linux at karasik.org  Tue Jul  2 13:00:15 2013
From: linux at karasik.org (Vitaly)
Date: Tue, 2 Jul 2013 16:00:15 +0300
Subject: [Freeipa-users] How to change krbPasswordExpiration for service
	accounts
Message-ID: <CANpTS00Wddk_tiABy+=B+j71DjTxg9OtGiD91-oSwwcBV6+ENA@mail.gmail.com>

>I already read https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.html >thread, but I am not sure I understand suggested solution.
>So my question - how I can change krbPasswordExpiration for certain account?

>ipa user-mod service  --setattr=krbPasswordExpiration=20381231011529Z

>returns

>ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute >of entry 'uid=service,cn=users,cn=accounts,dc=example,dc=com'.

Sorry, my bad, please ignore - ldapmodify workaround works,



From sbose at redhat.com  Tue Jul  2 13:07:33 2013
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 2 Jul 2013 15:07:33 +0200
Subject: [Freeipa-users] How to change krbPasswordExpiration for service
 accounts
In-Reply-To: <CANpTS03jnOgZzZ8sMLQexsD7MUvHTC6MQ6+qyn5wPhMOinExfQ@mail.gmail.com>
References: <CANpTS03jnOgZzZ8sMLQexsD7MUvHTC6MQ6+qyn5wPhMOinExfQ@mail.gmail.com>
Message-ID: <20130702130733.GM27655@localhost.localdomain>

On Tue, Jul 02, 2013 at 03:41:54PM +0300, Vitaly wrote:
> I already read
> https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.htmlthread,
> but I am not sure I understand suggested solution.
> So my question - how I can change krbPasswordExpiration for certain account?
> 
> ipa user-mod service  --setattr=krbPasswordExpiration=20381231011529Z

if you want that the password never expires for some users you should
created a password policy where the password never expires and assign
the policy to the users.

See 'ipa help pwpolicy' for more details.

HTH

bye,
Sumit
> 
> returns
> 
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
> 'krbPasswordExpiration' attribute of entry
> 'uid=service,cn=users,cn=accounts,dc=example,dc=com'.
> 
> TIA,
> Vitaly

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



From linux at karasik.org  Tue Jul  2 13:21:37 2013
From: linux at karasik.org (Vitaly)
Date: Tue, 2 Jul 2013 16:21:37 +0300
Subject: [Freeipa-users] How to change krbPasswordExpiration for service
	accounts
In-Reply-To: <20130702130733.GM27655@localhost.localdomain>
References: <CANpTS03jnOgZzZ8sMLQexsD7MUvHTC6MQ6+qyn5wPhMOinExfQ@mail.gmail.com>
	<20130702130733.GM27655@localhost.localdomain>
Message-ID: <CANpTS03fSpsmQQz1q=ijtfuR5Xs5feYYUoOLXJOhQJcg=xHEpQ@mail.gmail.com>

>if you want that the password never expires for some users you should
>created a password policy where the password never expires and assign
>the policy to the users.
Thank you, Sumit.
As far as I understand, I need to tweak krbPasswordExpiration anyway
if password was changed before password policy was applied.

>From another side, I have a weird issue with password policy:

#ipa user-show  serviceinvoker  --all
....
  Member of groups: ...., services

#ipa pwpolicy-show services
  Group: services

But
# ipa pwpolicy-show --user serviceinvoker
  Group: global_policy

On Tue, Jul 2, 2013 at 4:07 PM, Sumit Bose <sbose at redhat.com> wrote:
> On Tue, Jul 02, 2013 at 03:41:54PM +0300, Vitaly wrote:
>> I already read
>> https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.htmlthread,
>> but I am not sure I understand suggested solution.
>> So my question - how I can change krbPasswordExpiration for certain account?
>>
>> ipa user-mod service  --setattr=krbPasswordExpiration=20381231011529Z
>
> if you want that the password never expires for some users you should
> created a password policy where the password never expires and assign
> the policy to the users.
>
> See 'ipa help pwpolicy' for more details.
>
> HTH
>
> bye,
> Sumit
>>
>> returns
>>
>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>> 'krbPasswordExpiration' attribute of entry
>> 'uid=service,cn=users,cn=accounts,dc=example,dc=com'.
>>
>> TIA,
>> Vitaly
>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



From rcritten at redhat.com  Tue Jul  2 13:32:30 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Jul 2013 09:32:30 -0400
Subject: [Freeipa-users] How to change krbPasswordExpiration for service
 accounts
In-Reply-To: <CANpTS03fSpsmQQz1q=ijtfuR5Xs5feYYUoOLXJOhQJcg=xHEpQ@mail.gmail.com>
References: <CANpTS03jnOgZzZ8sMLQexsD7MUvHTC6MQ6+qyn5wPhMOinExfQ@mail.gmail.com>
	<20130702130733.GM27655@localhost.localdomain>
	<CANpTS03fSpsmQQz1q=ijtfuR5Xs5feYYUoOLXJOhQJcg=xHEpQ@mail.gmail.com>
Message-ID: <51D2D66E.5040009@redhat.com>

Vitaly wrote:
>> if you want that the password never expires for some users you should
>> created a password policy where the password never expires and assign
>> the policy to the users.
> Thank you, Sumit.
> As far as I understand, I need to tweak krbPasswordExpiration anyway
> if password was changed before password policy was applied.
>
>>From another side, I have a weird issue with password policy:
>
> #ipa user-show  serviceinvoker  --all
> ....
>    Member of groups: ...., services
>
> #ipa pwpolicy-show services
>    Group: services
>
> But
> # ipa pwpolicy-show --user serviceinvoker
>    Group: global_policy

Curious. We'd need to see more details of the password policy, priority 
for example.

Does this show the right policy?

ipa user-show --all serviceinvoker |grep krbpwdpolicyreference

>
> On Tue, Jul 2, 2013 at 4:07 PM, Sumit Bose <sbose at redhat.com> wrote:
>> On Tue, Jul 02, 2013 at 03:41:54PM +0300, Vitaly wrote:
>>> I already read
>>> https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.htmlthread,
>>> but I am not sure I understand suggested solution.
>>> So my question - how I can change krbPasswordExpiration for certain account?
>>>
>>> ipa user-mod service  --setattr=krbPasswordExpiration=20381231011529Z
>>
>> if you want that the password never expires for some users you should
>> created a password policy where the password never expires and assign
>> the policy to the users.
>>
>> See 'ipa help pwpolicy' for more details.
>>
>> HTH
>>
>> bye,
>> Sumit
>>>
>>> returns
>>>
>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>> 'krbPasswordExpiration' attribute of entry
>>> 'uid=service,cn=users,cn=accounts,dc=example,dc=com'.
>>>
>>> TIA,
>>> Vitaly
>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>



From linux at karasik.org  Tue Jul  2 13:43:46 2013
From: linux at karasik.org (Vitaly)
Date: Tue, 2 Jul 2013 16:43:46 +0300
Subject: [Freeipa-users] How to change krbPasswordExpiration for service
	accounts
In-Reply-To: <51D2D66E.5040009@redhat.com>
References: <CANpTS03jnOgZzZ8sMLQexsD7MUvHTC6MQ6+qyn5wPhMOinExfQ@mail.gmail.com>
	<20130702130733.GM27655@localhost.localdomain>
	<CANpTS03fSpsmQQz1q=ijtfuR5Xs5feYYUoOLXJOhQJcg=xHEpQ@mail.gmail.com>
	<51D2D66E.5040009@redhat.com>
Message-ID: <CANpTS023kO=OHxXPJMDyPkzgb4Ck5a4KTHfJeCkgkxQkc=uLYA@mail.gmail.com>

# ipa user-show --all serviceinvoker |grep krbpwdpolicyreference
  krbpwdpolicyreference:
cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com

On Tue, Jul 2, 2013 at 4:32 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Vitaly wrote:
>>>
>>> if you want that the password never expires for some users you should
>>> created a password policy where the password never expires and assign
>>> the policy to the users.
>>
>> Thank you, Sumit.
>> As far as I understand, I need to tweak krbPasswordExpiration anyway
>> if password was changed before password policy was applied.
>>
>>> From another side, I have a weird issue with password policy:
>>
>>
>> #ipa user-show  serviceinvoker  --all
>> ....
>>    Member of groups: ...., services
>>
>> #ipa pwpolicy-show services
>>    Group: services
>>
>> But
>> # ipa pwpolicy-show --user serviceinvoker
>>    Group: global_policy
>
>
> Curious. We'd need to see more details of the password policy, priority for
> example.
>
> Does this show the right policy?
>
> ipa user-show --all serviceinvoker |grep krbpwdpolicyreference
>
>
>>
>> On Tue, Jul 2, 2013 at 4:07 PM, Sumit Bose <sbose at redhat.com> wrote:
>>>
>>> On Tue, Jul 02, 2013 at 03:41:54PM +0300, Vitaly wrote:
>>>>
>>>> I already read
>>>>
>>>> https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.htmlthread,
>>>> but I am not sure I understand suggested solution.
>>>> So my question - how I can change krbPasswordExpiration for certain
>>>> account?
>>>>
>>>> ipa user-mod service  --setattr=krbPasswordExpiration=20381231011529Z
>>>
>>>
>>> if you want that the password never expires for some users you should
>>> created a password policy where the password never expires and assign
>>> the policy to the users.
>>>
>>> See 'ipa help pwpolicy' for more details.
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>>>
>>>>
>>>> returns
>>>>
>>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>>> 'krbPasswordExpiration' attribute of entry
>>>> 'uid=service,cn=users,cn=accounts,dc=example,dc=com'.
>>>>
>>>> TIA,
>>>> Vitaly
>>>
>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>



From rcritten at redhat.com  Tue Jul  2 14:49:16 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Jul 2013 10:49:16 -0400
Subject: [Freeipa-users] Service...not found in Kerberos database
In-Reply-To: <2718450.WmELabvR7a@hosanna>
References: <1464774.RA4R9SJAkZ@hosanna> <51D1269A.30101@redhat.com>
	<51D1C772.4030703@redhat.com> <2718450.WmELabvR7a@hosanna>
Message-ID: <51D2E86C.2050009@redhat.com>

Joshua J. Kugler wrote:
> On Monday, July 01, 2013 14:16:18 Rob Crittenden wrote:
>> You can also use ipa migrate-ds command to move users and groups from
>> one IPA server to another.
>
> That might be an option, but I take it, due to the Kerberos stuff, that it will
> not migrate passwords?  Getting full replication working would be required for
> that, no?

Passwords are migrated but users will need to go through a password 
migration process to create Kerberos credentials. This is all seemless 
with sssd.

rob



From arthur at deus.pro  Tue Jul  2 18:35:36 2013
From: arthur at deus.pro (Arthur)
Date: Wed, 03 Jul 2013 00:35:36 +0600
Subject: [Freeipa-users] FreeIPA as Samba 4 Backend
In-Reply-To: <1372424252.31944.10.camel@willson.li.ssimo.org>
References: <CANW6EMAu27uVHg=gONT=1Aao8o+H-kWn_ENdndQCie6nLvb+JQ@mail.gmail.com>
	<1372424252.31944.10.camel@willson.li.ssimo.org>
Message-ID: <51D31D78.1090507@deus.pro>

28.06.2013 18:57, Simo Sorce ?????:
> On Fri, 2013-06-28 at 14:09 +0800, Mail Robot wrote:
>> Hi everyone,
>>
>>
>> I am new to this mailing list.
>>
>>
>> At the moment I would like to migrate all of my users from Microsoft
>> Active Directory to Open Source, and what I have in mind is getting it
>> into Samba 4.
>>
>>
>> In extending the functionality of it, I decided to intergrate FreeIPA
>> as the backend to Samba 4.
>>
>>
>> I saw some obsolete reference on how to use FreeIPA as Samba 4
>> backend, but I don't know where are the new reference.
>>
>>
>> Herewith I would seek advise on how to go for my mission.
> Sorry to foil your plans but FreIPa cannot be used as an LDAP backend to
> Samba4.
> We abandoned that path a few years ago as it became clear it was highly
> unlikely it would work.
>
> What we've done is that we change our integratioj strategy and
> introduced cross-realm trusts that would with Active Directory. In the
> future this should work also with Samba4, but Samba4 code base currently
> lacks support for cross-forest trusts.
>
> Simo.
>
Does it mean, that I can not make cross-realm trust between IPA-server & 
Samba4-server at this time?



From arthur at deus.pro  Tue Jul  2 18:40:31 2013
From: arthur at deus.pro (Arthur)
Date: Wed, 03 Jul 2013 00:40:31 +0600
Subject: [Freeipa-users] question about bind 10 plans
In-Reply-To: <1367226587.2436.15.camel@arthur.bashnl.ru>
References: <1367208810.2436.10.camel@arthur.bashnl.ru>
	<20130429051135.GG7607@redhat.com>
	<1367217618.2436.12.camel@arthur.bashnl.ru>
	<517E25C1.4020507@redhat.com>
	<1367226587.2436.15.camel@arthur.bashnl.ru>
Message-ID: <51D31E9F.80501@deus.pro>

29.04.2013 15:09, ????? ????????? ?????:
> ? ??., 29/04/2013 ? 09:48 +0200, Petr Spacek ?????:
>> On 29.4.2013 08:40, ????? ????????? wrote:
>>> ? ??., 29/04/2013 ? 08:11 +0300, Alexander Bokovoy ?????:
>>>> Bind 10 module is on our radar.
>> There is not much to add. I'm in touch with one Bind 10 developer and we are
>> discussing various possibilities of integration.
>>
>> Let me know if you are interested in aplha/beta testing. I will send you an
>> e-mail as soon as we have some testable code.
>>
> Yes, I am interested in that :)
> Now I have some resources to do that, I do not know about future, but
> know I do :)
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
I am even interested in just bind10 ldap-backend, not allready 
IPA-server with bind10.



From pspacek at redhat.com  Wed Jul  3 06:47:40 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 03 Jul 2013 08:47:40 +0200
Subject: [Freeipa-users] FreeIPA as Samba 4 Backend
In-Reply-To: <51D31D78.1090507@deus.pro>
References: <CANW6EMAu27uVHg=gONT=1Aao8o+H-kWn_ENdndQCie6nLvb+JQ@mail.gmail.com>
	<1372424252.31944.10.camel@willson.li.ssimo.org>
	<51D31D78.1090507@deus.pro>
Message-ID: <51D3C90C.8040908@redhat.com>

On 2.7.2013 20:35, Arthur wrote:
> 28.06.2013 18:57, Simo Sorce ?????:
>> On Fri, 2013-06-28 at 14:09 +0800, Mail Robot wrote:
>>> Hi everyone,
>>>
>>>
>>> I am new to this mailing list.
>>>
>>>
>>> At the moment I would like to migrate all of my users from Microsoft
>>> Active Directory to Open Source, and what I have in mind is getting it
>>> into Samba 4.
>>>
>>>
>>> In extending the functionality of it, I decided to intergrate FreeIPA
>>> as the backend to Samba 4.
>>>
>>>
>>> I saw some obsolete reference on how to use FreeIPA as Samba 4
>>> backend, but I don't know where are the new reference.
>>>
>>>
>>> Herewith I would seek advise on how to go for my mission.
>> Sorry to foil your plans but FreIPa cannot be used as an LDAP backend to
>> Samba4.
>> We abandoned that path a few years ago as it became clear it was highly
>> unlikely it would work.
>>
>> What we've done is that we change our integratioj strategy and
>> introduced cross-realm trusts that would with Active Directory. In the
>> future this should work also with Samba4, but Samba4 code base currently
>> lacks support for cross-forest trusts.
>>
>> Simo.
>>
> Does it mean, that I can not make cross-realm trust between IPA-server &
> Samba4-server at this time?

Yes, it is Samba 4 limitation.

-- 
Petr^2 Spacek



From pspacek at redhat.com  Wed Jul  3 06:50:18 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 03 Jul 2013 08:50:18 +0200
Subject: [Freeipa-users] question about bind 10 plans
In-Reply-To: <51D31E9F.80501@deus.pro>
References: <1367208810.2436.10.camel@arthur.bashnl.ru>
	<20130429051135.GG7607@redhat.com>
	<1367217618.2436.12.camel@arthur.bashnl.ru>
	<517E25C1.4020507@redhat.com>
	<1367226587.2436.15.camel@arthur.bashnl.ru>
	<51D31E9F.80501@deus.pro>
Message-ID: <51D3C9AA.5030703@redhat.com>

On 2.7.2013 20:40, Arthur wrote:
> 29.04.2013 15:09, ????? ????????? ?????:
>> ? ??., 29/04/2013 ? 09:48 +0200, Petr Spacek ?????:
>>> On 29.4.2013 08:40, ????? ????????? wrote:
>>>> ? ??., 29/04/2013 ? 08:11 +0300, Alexander Bokovoy ?????:
>>>>> Bind 10 module is on our radar.
>>> There is not much to add. I'm in touch with one Bind 10 developer and we are
>>> discussing various possibilities of integration.
>>>
>>> Let me know if you are interested in aplha/beta testing. I will send you an
>>> e-mail as soon as we have some testable code.
>>>
>> Yes, I am interested in that :)
>> Now I have some resources to do that, I do not know about future, but
>> know I do :)

Please stay tuned. At the moment we have hands full with DNSSEC support, but 
one student from Brno University of Technology took this topic as his diploma 
thesis. Hopefully we will see some prototype in near future.

-- 
Petr^2 Spacek



From fvzwieten at vxcompany.com  Wed Jul  3 07:33:16 2013
From: fvzwieten at vxcompany.com (Fred van Zwieten)
Date: Wed, 3 Jul 2013 09:33:16 +0200
Subject: [Freeipa-users] IPA, Samba and AD
Message-ID: <CALVifsZ12su406+Z8YVb2sUngXvsXQEjR3ZvLEWXnXovVJnePg@mail.gmail.com>

Hi there,

We have an IPA domain and an AD domain with the exact same domain name.
This was set up like this because we had the idea at the time that we
wanted to migrate all AD to IPA. This is still the long term goal, but we
need to postpone that.

All our RHEL62 and RHEL64 servers are IPA clients. Now, we want to
provision a new RHEL64 server who must run a Samba Server which must be
member of the AD domain.

Questions:

1. If this possible?
2. Will the fact that both IPA and AD have the same name be a problem?

I did some preliminary looking around and found the file /etc/krb5.conf as
a possible problem point.

Thanks for thinking along!

Fred

Seeing, contrary to popular wisdom, isn?t believing. It?s where belief
stops, because it isn?t needed any more.. (Terry Pratchett)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130703/ec6ecc8a/attachment.htm>

From abokovoy at redhat.com  Wed Jul  3 10:01:03 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 3 Jul 2013 13:01:03 +0300
Subject: [Freeipa-users] IPA, Samba and AD
In-Reply-To: <CALVifsZ12su406+Z8YVb2sUngXvsXQEjR3ZvLEWXnXovVJnePg@mail.gmail.com>
References: <CALVifsZ12su406+Z8YVb2sUngXvsXQEjR3ZvLEWXnXovVJnePg@mail.gmail.com>
Message-ID: <20130703100103.GB12345@leiri.espoo.7ia.org>

On Wed, 03 Jul 2013, Fred van Zwieten wrote:
>Hi there,
>
>We have an IPA domain and an AD domain with the exact same domain name.
>This was set up like this because we had the idea at the time that we
>wanted to migrate all AD to IPA. This is still the long term goal, but we
>need to postpone that.
>
>All our RHEL62 and RHEL64 servers are IPA clients. Now, we want to
>provision a new RHEL64 server who must run a Samba Server which must be
>member of the AD domain.
>
>Questions:
>
>1. If this possible?
>2. Will the fact that both IPA and AD have the same name be a problem?
>
>I did some preliminary looking around and found the file /etc/krb5.conf as
>a possible problem point.
It would help to explain a bit more about your setup.

1. Do you have the same realms for both IPA and AD?
2. Do you have exactly same DNS domains for both IPA and AD?

If I get correctly from the above description, your new RHEL 6.4 server
is enrolled into IPA domain, i.e. its host keytab contains keys to
the host service coming from IPA KDC. It probably also uses SSSD in both
nsswitch and PAM configurations? Are you planning to use
pam_winbind/nss_winbind for the Samba/AD interoperability?

You can avoid hitting conflicting /etc/krb5.conf for both IPA and AD
uses by containing Samba to use separate krb5.conf. You'll need to add

KRB5_CONFIG=/path/to/specific/krb5.conf

to the files that are sources during start up of smbd/winbindd/nmbd.

However, there will be certain problem with pam_winbind since it does
not allow to redefine krb5.conf.



-- 
/ Alexander Bokovoy



From abokovoy at redhat.com  Wed Jul  3 10:01:56 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 3 Jul 2013 13:01:56 +0300
Subject: [Freeipa-users] FreeIPA as Samba 4 Backend
In-Reply-To: <51D31D78.1090507@deus.pro>
References: <CANW6EMAu27uVHg=gONT=1Aao8o+H-kWn_ENdndQCie6nLvb+JQ@mail.gmail.com>
	<1372424252.31944.10.camel@willson.li.ssimo.org>
	<51D31D78.1090507@deus.pro>
Message-ID: <20130703100156.GC12345@leiri.espoo.7ia.org>

On Wed, 03 Jul 2013, Arthur wrote:
>28.06.2013 18:57, Simo Sorce ?????:
>>On Fri, 2013-06-28 at 14:09 +0800, Mail Robot wrote:
>>>Hi everyone,
>>>
>>>
>>>I am new to this mailing list.
>>>
>>>
>>>At the moment I would like to migrate all of my users from Microsoft
>>>Active Directory to Open Source, and what I have in mind is getting it
>>>into Samba 4.
>>>
>>>
>>>In extending the functionality of it, I decided to intergrate FreeIPA
>>>as the backend to Samba 4.
>>>
>>>
>>>I saw some obsolete reference on how to use FreeIPA as Samba 4
>>>backend, but I don't know where are the new reference.
>>>
>>>
>>>Herewith I would seek advise on how to go for my mission.
>>Sorry to foil your plans but FreIPa cannot be used as an LDAP backend to
>>Samba4.
>>We abandoned that path a few years ago as it became clear it was highly
>>unlikely it would work.
>>
>>What we've done is that we change our integratioj strategy and
>>introduced cross-realm trusts that would with Active Directory. In the
>>future this should work also with Samba4, but Samba4 code base currently
>>lacks support for cross-forest trusts.
>>
>>Simo.
>>
>Does it mean, that I can not make cross-realm trust between 
>IPA-server & Samba4-server at this time?
No, you cannot achieve cross-realm trust with Samba AD DC right now.



-- 
/ Alexander Bokovoy



From fvzwieten at vxcompany.com  Wed Jul  3 12:01:40 2013
From: fvzwieten at vxcompany.com (Fred van Zwieten)
Date: Wed, 3 Jul 2013 14:01:40 +0200
Subject: [Freeipa-users] IPA, Samba and AD
In-Reply-To: <20130703091127.GN24422@vda.li>
References: <CALVifsZ12su406+Z8YVb2sUngXvsXQEjR3ZvLEWXnXovVJnePg@mail.gmail.com>
	<20130703091127.GN24422@vda.li>
Message-ID: <CALVifsbaDWDfpT8HNBKAjE0Abmfp_Apzef0e2WChMoJUbfWxkw@mail.gmail.com>

1. Do you have the same realms for both IPA and AD?
Yes.

2. Do you have exactly same DNS domains for both IPA and AD?
Also yes. Because of this we must, for now, maintain 2 seperate DNS
implementations: one for AD and one for IPA, because otherwise the service
records would name-clash.

If I get correctly from the above description, your new RHEL 6.4 server
is enrolled into IPA domain, i.e. its host keytab contains keys to
the host service coming from IPA KDC. It probably also uses SSSD in both
nsswitch and PAM configurations?
Correct!

Are you planning to use pam_winbind/nss_winbind for the Samba/AD
interoperability?
I don't know yet. It depends on what works best with this setup. I am not
(yet) a Samba wunderguy, so these discussions help me (thanks for that).

Fred

On Wed, Jul 3, 2013 at 11:11 AM, Alexander Bokovoy <ab at vda.li> wrote:

> On Wed, 03 Jul 2013, Fred van Zwieten wrote:
> >Hi there,
> >
> >We have an IPA domain and an AD domain with the exact same domain name.
> >This was set up like this because we had the idea at the time that we
> >wanted to migrate all AD to IPA. This is still the long term goal, but we
> >need to postpone that.
> >
> >All our RHEL62 and RHEL64 servers are IPA clients. Now, we want to
> >provision a new RHEL64 server who must run a Samba Server which must be
> >member of the AD domain.
> >
> >Questions:
> >
> >1. If this possible?
> >2. Will the fact that both IPA and AD have the same name be a problem?
> >
> >I did some preliminary looking around and found the file /etc/krb5.conf as
> >a possible problem point.
> It would help to explain a bit more about your setup.
>
> 1. Do you have the same realms for both IPA and AD?
> 2. Do you have exactly same DNS domains for both IPA and AD?
>
> If I get correctly from the above description, your new RHEL 6.4 server
> is enrolled into IPA domain, i.e. its host keytab contains keys to
> the host service coming from IPA KDC. It probably also uses SSSD in both
> nsswitch and PAM configurations? Are you planning to use
> pam_winbind/nss_winbind for the Samba/AD interoperability?
>
> You can avoid hitting conflicting /etc/krb5.conf for both IPA and AD
> uses by containing Samba to use separate krb5.conf. You'll need to add
>
> KRB5_CONFIG=/path/to/specific/krb5.conf
>
> to the files that are sources during start up of smbd/winbindd/nmbd.
>
> However, there will be certain problem with pam_winbind since it does
> not allow to redefine krb5.conf.
>
> --
> / Alexander Bokovoy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130703/b102d435/attachment.htm>

From mmercier at gmail.com  Wed Jul  3 14:17:19 2013
From: mmercier at gmail.com (Michael Mercier)
Date: Wed, 3 Jul 2013 10:17:19 -0400
Subject: [Freeipa-users] Login hangs / hung task?
Message-ID: <C56055F2-CA1E-40C5-A476-4AD08BCF70C7@gmail.com>

Hello,

I tried to login (ssh) to one (of three) freeipa systems running on CentOS yesterday without success.

Running 'ssh root at service-2', the server would reply with a password prompt and then hang.  I went to the system console to discover many of the following messages on screen:

Jun 30 <time> service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
Jun 30 <time> service-2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 

Trying to login on the console, I was able to enter and username, but the login process would hang after entering the password.  After rebooting the system, I see the following in /var/log/messages

Jun 30 00:29:29 service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
Jun 30 00:29:29 service-2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Jun 30 00:29:29 service-2 kernel: sssd_be       D 000000000000000e     0 22447   3673 0x00000084
Jun 30 00:29:29 service-2 kernel: ffff880827dffce8 0000000000000086 0000000000000000 0000000000000000
Jun 30 00:29:29 service-2 kernel: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
Jun 30 00:29:29 service-2 kernel: ffff880827255058 ffff880827dfffd8 000000000000fb88 ffff880827255058
Jun 30 00:29:29 service-2 kernel: Call Trace:
Jun 30 00:29:29 service-2 kernel: [<ffffffffa00aabf0>] ? ext4_file_open+0x0/0x130 [ext4]
Jun 30 00:29:29 service-2 kernel: [<ffffffff8150ea85>] schedule_timeout+0x215/0x2e0
Jun 30 00:29:29 service-2 kernel: [<ffffffff8117e574>] ? nameidata_to_filp+0x54/0x70
Jun 30 00:29:29 service-2 kernel: [<ffffffff812773c9>] ? cpumask_next_and+0x29/0x50
Jun 30 00:29:29 service-2 kernel: [<ffffffff8150e703>] wait_for_common+0x123/0x180
Jun 30 00:29:29 service-2 kernel: [<ffffffff81063310>] ? default_wake_function+0x0/0x20
Jun 30 00:29:29 service-2 kernel: [<ffffffff8150e81d>] wait_for_completion+0x1d/0x20
Jun 30 00:29:29 service-2 kernel: [<ffffffff8106513c>] sched_exec+0xdc/0xe0
Jun 30 00:29:29 service-2 kernel: [<ffffffff8118a100>] do_execve+0xe0/0x2c0
Jun 30 00:29:29 service-2 kernel: [<ffffffff810095ea>] sys_execve+0x4a/0x80
Jun 30 00:29:29 service-2 kernel: [<ffffffff8100b4ca>] stub_execve+0x6a/0xc0

This sequence of messages is repeated many times.

I did not have any problems logging into the other two freeipa systems on the network.  The servers are currently used exclusively for freeipa.

Any ideas what may have happened?


rpm -qa | grep ipa
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-admintools-3.0.0-26.el6_4.4.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
ipa-server-3.0.0-26.el6_4.4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch


Thanks,
Mike



From abokovoy at redhat.com  Wed Jul  3 14:19:44 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 3 Jul 2013 17:19:44 +0300
Subject: [Freeipa-users] IPA, Samba and AD
In-Reply-To: <CALVifsbaDWDfpT8HNBKAjE0Abmfp_Apzef0e2WChMoJUbfWxkw@mail.gmail.com>
References: <CALVifsZ12su406+Z8YVb2sUngXvsXQEjR3ZvLEWXnXovVJnePg@mail.gmail.com>
	<20130703091127.GN24422@vda.li>
	<CALVifsbaDWDfpT8HNBKAjE0Abmfp_Apzef0e2WChMoJUbfWxkw@mail.gmail.com>
Message-ID: <20130703141944.GA7273@redhat.com>

On Wed, 03 Jul 2013, Fred van Zwieten wrote:
>1. Do you have the same realms for both IPA and AD?
>Yes.
>
>2. Do you have exactly same DNS domains for both IPA and AD?
>Also yes. Because of this we must, for now, maintain 2 seperate DNS
>implementations: one for AD and one for IPA, because otherwise the service
>records would name-clash.
>
>If I get correctly from the above description, your new RHEL 6.4 server
>is enrolled into IPA domain, i.e. its host keytab contains keys to
>the host service coming from IPA KDC. It probably also uses SSSD in both
>nsswitch and PAM configurations?
>Correct!
>
>Are you planning to use pam_winbind/nss_winbind for the Samba/AD
>interoperability?
>I don't know yet. It depends on what works best with this setup. I am not
>(yet) a Samba wunderguy, so these discussions help me (thanks for that).
I'm not sure that this configuration will work flawlessly.

If the host is not enrolled to IPA realm, you can easily make it
working against AD domain. If you enrolled the host to IPA realm which
is exactly same as AD domain, both DNS and krb5.conf collisions will be
creating quite serious issues. Basically, it is 'either - either' case.

-- 
/ Alexander Bokovoy



From sbose at redhat.com  Wed Jul  3 14:38:48 2013
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 3 Jul 2013 16:38:48 +0200
Subject: [Freeipa-users] Login hangs / hung task?
In-Reply-To: <C56055F2-CA1E-40C5-A476-4AD08BCF70C7@gmail.com>
References: <C56055F2-CA1E-40C5-A476-4AD08BCF70C7@gmail.com>
Message-ID: <20130703143847.GP27655@localhost.localdomain>

On Wed, Jul 03, 2013 at 10:17:19AM -0400, Michael Mercier wrote:
> Hello,
> 
> I tried to login (ssh) to one (of three) freeipa systems running on CentOS yesterday without success.
> 
> Running 'ssh root at service-2', the server would reply with a password prompt and then hang.  I went to the system console to discover many of the following messages on screen:
> 
> Jun 30 <time> service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
> Jun 30 <time> service-2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
> 
> Trying to login on the console, I was able to enter and username, but the login process would hang after entering the password.  After rebooting the system, I see the following in /var/log/messages
> 
> Jun 30 00:29:29 service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
> Jun 30 00:29:29 service-2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> Jun 30 00:29:29 service-2 kernel: sssd_be       D 000000000000000e     0 22447   3673 0x00000084
> Jun 30 00:29:29 service-2 kernel: ffff880827dffce8 0000000000000086 0000000000000000 0000000000000000
> Jun 30 00:29:29 service-2 kernel: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> Jun 30 00:29:29 service-2 kernel: ffff880827255058 ffff880827dfffd8 000000000000fb88 ffff880827255058
> Jun 30 00:29:29 service-2 kernel: Call Trace:
> Jun 30 00:29:29 service-2 kernel: [<ffffffffa00aabf0>] ? ext4_file_open+0x0/0x130 [ext4]
> Jun 30 00:29:29 service-2 kernel: [<ffffffff8150ea85>] schedule_timeout+0x215/0x2e0
> Jun 30 00:29:29 service-2 kernel: [<ffffffff8117e574>] ? nameidata_to_filp+0x54/0x70
> Jun 30 00:29:29 service-2 kernel: [<ffffffff812773c9>] ? cpumask_next_and+0x29/0x50
> Jun 30 00:29:29 service-2 kernel: [<ffffffff8150e703>] wait_for_common+0x123/0x180
> Jun 30 00:29:29 service-2 kernel: [<ffffffff81063310>] ? default_wake_function+0x0/0x20
> Jun 30 00:29:29 service-2 kernel: [<ffffffff8150e81d>] wait_for_completion+0x1d/0x20
> Jun 30 00:29:29 service-2 kernel: [<ffffffff8106513c>] sched_exec+0xdc/0xe0
> Jun 30 00:29:29 service-2 kernel: [<ffffffff8118a100>] do_execve+0xe0/0x2c0
> Jun 30 00:29:29 service-2 kernel: [<ffffffff810095ea>] sys_execve+0x4a/0x80
> Jun 30 00:29:29 service-2 kernel: [<ffffffff8100b4ca>] stub_execve+0x6a/0xc0
> 
> This sequence of messages is repeated many times.
> 
> I did not have any problems logging into the other two freeipa systems on the network.  The servers are currently used exclusively for freeipa.
> 
> Any ideas what may have happened?

do you see anything in the sssd logs in /var/log/sssd ? ext4_file_open
might indicate that sssd is stuck while trying to open a file. Have you
tried to run a filesystem check?

bye,
Sumit

> 
> 
> rpm -qa | grep ipa
> libipa_hbac-1.9.2-82.7.el6_4.x86_64
> ipa-admintools-3.0.0-26.el6_4.4.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-client-3.0.0-26.el6_4.4.x86_64
> ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
> ipa-server-3.0.0-26.el6_4.4.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
> ipa-python-3.0.0-26.el6_4.4.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> 
> 
> Thanks,
> Mike
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



From mmercier at gmail.com  Wed Jul  3 20:35:34 2013
From: mmercier at gmail.com (Michael Mercier)
Date: Wed, 3 Jul 2013 16:35:34 -0400
Subject: [Freeipa-users] Login hangs / hung task?
In-Reply-To: <20130703143847.GP27655@localhost.localdomain>
References: <C56055F2-CA1E-40C5-A476-4AD08BCF70C7@gmail.com>
	<20130703143847.GP27655@localhost.localdomain>
Message-ID: <784C13B6-6A51-40FD-869C-6BCAE06912F3@gmail.com>

Hello,

The log files are empty in /var/log/sssd, and the filesystems checked clean after the hard boot.

Thanks,
Mike

On 2013-07-03, at 10:38 AM, Sumit Bose wrote:

> On Wed, Jul 03, 2013 at 10:17:19AM -0400, Michael Mercier wrote:
>> Hello,
>> 
>> I tried to login (ssh) to one (of three) freeipa systems running on CentOS yesterday without success.
>> 
>> Running 'ssh root at service-2', the server would reply with a password prompt and then hang.  I went to the system console to discover many of the following messages on screen:
>> 
>> Jun 30 <time> service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
>> Jun 30 <time> service-2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
>> 
>> Trying to login on the console, I was able to enter and username, but the login process would hang after entering the password.  After rebooting the system, I see the following in /var/log/messages
>> 
>> Jun 30 00:29:29 service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
>> Jun 30 00:29:29 service-2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> Jun 30 00:29:29 service-2 kernel: sssd_be       D 000000000000000e     0 22447   3673 0x00000084
>> Jun 30 00:29:29 service-2 kernel: ffff880827dffce8 0000000000000086 0000000000000000 0000000000000000
>> Jun 30 00:29:29 service-2 kernel: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> Jun 30 00:29:29 service-2 kernel: ffff880827255058 ffff880827dfffd8 000000000000fb88 ffff880827255058
>> Jun 30 00:29:29 service-2 kernel: Call Trace:
>> Jun 30 00:29:29 service-2 kernel: [<ffffffffa00aabf0>] ? ext4_file_open+0x0/0x130 [ext4]
>> Jun 30 00:29:29 service-2 kernel: [<ffffffff8150ea85>] schedule_timeout+0x215/0x2e0
>> Jun 30 00:29:29 service-2 kernel: [<ffffffff8117e574>] ? nameidata_to_filp+0x54/0x70
>> Jun 30 00:29:29 service-2 kernel: [<ffffffff812773c9>] ? cpumask_next_and+0x29/0x50
>> Jun 30 00:29:29 service-2 kernel: [<ffffffff8150e703>] wait_for_common+0x123/0x180
>> Jun 30 00:29:29 service-2 kernel: [<ffffffff81063310>] ? default_wake_function+0x0/0x20
>> Jun 30 00:29:29 service-2 kernel: [<ffffffff8150e81d>] wait_for_completion+0x1d/0x20
>> Jun 30 00:29:29 service-2 kernel: [<ffffffff8106513c>] sched_exec+0xdc/0xe0
>> Jun 30 00:29:29 service-2 kernel: [<ffffffff8118a100>] do_execve+0xe0/0x2c0
>> Jun 30 00:29:29 service-2 kernel: [<ffffffff810095ea>] sys_execve+0x4a/0x80
>> Jun 30 00:29:29 service-2 kernel: [<ffffffff8100b4ca>] stub_execve+0x6a/0xc0
>> 
>> This sequence of messages is repeated many times.
>> 
>> I did not have any problems logging into the other two freeipa systems on the network.  The servers are currently used exclusively for freeipa.
>> 
>> Any ideas what may have happened?
> 
> do you see anything in the sssd logs in /var/log/sssd ? ext4_file_open
> might indicate that sssd is stuck while trying to open a file. Have you
> tried to run a filesystem check?
> 
> bye,
> Sumit
> 
>> 
>> 
>> rpm -qa | grep ipa
>> libipa_hbac-1.9.2-82.7.el6_4.x86_64
>> ipa-admintools-3.0.0-26.el6_4.4.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-client-3.0.0-26.el6_4.4.x86_64
>> ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
>> ipa-server-3.0.0-26.el6_4.4.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
>> ipa-python-3.0.0-26.el6_4.4.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> 
>> 
>> Thanks,
>> Mike
>> 
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




From c.schmitt at briefdomain.de  Thu Jul  4 18:36:59 2013
From: c.schmitt at briefdomain.de (Schmitt, Christian)
Date: Thu, 4 Jul 2013 20:36:59 +0200
Subject: [Freeipa-users] ipa-dns-install on a remote host?
Message-ID: <CAPDLAU50hjw4KwKae5z1E8Bc54xdLCarRtat6dhjTKPTFSr2Eg@mail.gmail.com>

is it possible to install ipa-dns-install on a remote host that is only
connect via vpn?

I mean this i my current network structure:

Host (Internet)                                               Intranet
VPN Access Provider  tun   <  -  > tun             FreeIPA Server dc01
dc02

when i now try to ipa-dns-install with the ip from the client ip of the tun
device of the FreeIPA Server i always get an error that the ip is not on my
device. Is there an easy way of having the DNS of the FreeIPA Server on an
Internet Machine? I mean it will work if i replicate the whole ipa-server
but that is somehow a little bit of an overkill.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130704/7fd3252b/attachment.htm>

From tainsworth at vsi-corp.com  Fri Jul  5 12:15:49 2013
From: tainsworth at vsi-corp.com (Ainsworth, Thomas)
Date: Fri, 5 Jul 2013 08:15:49 -0400
Subject: [Freeipa-users] server to replica sync question...
Message-ID: <CAF7GOwsymM=roT5twR=J-G5t+CTraWEEM119bEwV2FthDT=itw@mail.gmail.com>

Greetings,

We have been running FreeIPA 3.0 with a replica host for months now and
love it.  I discovered what I *believe* is an anomaly pertaining to the
sync'ing between the replica host and the server.  We have our maximum
failures set to three (3).  We also have each ipa-client configured to
point to the server then the replica in the /etc/sssd/sssd.conf file.  If I
open up a terminal window to the server and replica, and execute a "watch
-n 1 'ipa user-status test'" I can see the status of the user "test" on a
one second boundary.  Now, if I connect to the server and purposely fail
the password, I get a failure on both the server and replica.  If I try it
again and authenticate correctly, the failures clear to zero on the server
but the replica still displays the failures and does not clear.  There may
be more conditions where things do not sync across, but this is the first I
have discovered.  If I modify the attributes of a user or host on the
server, the modification reflects almost immediately on the replica.  Like
I stated, this is the first sync'ing issue I have discovered.

Thanks in advance,

Tom
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130705/f3e91394/attachment.htm>

From rcritten at redhat.com  Fri Jul  5 14:07:46 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 05 Jul 2013 10:07:46 -0400
Subject: [Freeipa-users] ipa-dns-install on a remote host?
In-Reply-To: <CAPDLAU50hjw4KwKae5z1E8Bc54xdLCarRtat6dhjTKPTFSr2Eg@mail.gmail.com>
References: <CAPDLAU50hjw4KwKae5z1E8Bc54xdLCarRtat6dhjTKPTFSr2Eg@mail.gmail.com>
Message-ID: <51D6D332.4010101@redhat.com>

Schmitt, Christian wrote:
> is it possible to install ipa-dns-install on a remote host that is only
> connect via vpn?
>
> I mean this i my current network structure:
>
> Host (Internet)                                               Intranet
> VPN Access Provider  tun   <  -  > tun             FreeIPA Server dc01
> dc02
>
> when i now try to ipa-dns-install with the ip from the client ip of the
> tun device of the FreeIPA Server i always get an error that the ip is
> not on my device. Is there an easy way of having the DNS of the FreeIPA
> Server on an Internet Machine? I mean it will work if i replicate the
> whole ipa-server but that is somehow a little bit of an overkill.

We provide no tool to configure DNS as a standalone service. The 
ipa-dns-install tool will only configure a bind server running on an IPA 
master.

It is possible to configure bind/bind-dyndb-ldap to run on another host 
but you'd likely have performance issues and there could be problems at 
upgrade if we make configuration changes (they wouldn't be applied to 
your manually-configured instance).

rob



From rcritten at redhat.com  Fri Jul  5 14:16:05 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 05 Jul 2013 10:16:05 -0400
Subject: [Freeipa-users] server to replica sync question...
In-Reply-To: <CAF7GOwsymM=roT5twR=J-G5t+CTraWEEM119bEwV2FthDT=itw@mail.gmail.com>
References: <CAF7GOwsymM=roT5twR=J-G5t+CTraWEEM119bEwV2FthDT=itw@mail.gmail.com>
Message-ID: <51D6D525.9000107@redhat.com>

Ainsworth, Thomas wrote:
> Greetings,
>
> We have been running FreeIPA 3.0 with a replica host for months now and
> love it.  I discovered what I _/*believe*/_ is an anomaly pertaining to
> the sync'ing between the replica host and the server.  We have our
> maximum failures set to three (3).  We also have each ipa-client
> configured to point to the server then the replica in the
> /etc/sssd/sssd.conf file.  If I open up a terminal window to the server
> and replica, and execute a "watch -n 1 'ipa user-status test'" I can see
> the status of the user "test" on a one second boundary.  Now, if I
> connect to the server and purposely fail the password, I get a failure
> on both the server and replica.  If I try it again and authenticate
> correctly, the failures clear to zero on the server but the replica
> still displays the failures and does not clear.  There may be more
> conditions where things do not sync across, but this is the first I have
> discovered.  If I modify the attributes of a user or host on the server,
> the modification reflects almost immediately on the replica.  Like I
> stated, this is the first sync'ing issue I have discovered.

Currently login failures (and success) are not replicated between 
machines due to anticipated performance issues (MIT Kerberos does the 
same).

We have an RFE to investigate this further: 
https://fedorahosted.org/freeipa/ticket/3700

rob



From c.schmitt at briefdomain.de  Fri Jul  5 14:18:37 2013
From: c.schmitt at briefdomain.de (Schmitt, Christian)
Date: Fri, 5 Jul 2013 16:18:37 +0200
Subject: [Freeipa-users] ipa-dns-install on a remote host?
In-Reply-To: <51D6D332.4010101@redhat.com>
References: <CAPDLAU50hjw4KwKae5z1E8Bc54xdLCarRtat6dhjTKPTFSr2Eg@mail.gmail.com>
	<51D6D332.4010101@redhat.com>
Message-ID: <CAPDLAU6Rn2Yo_7bE7YFx5VadFzJGmDxZ_0T7M_0D9Y_S8JSVYw@mail.gmail.com>

At the moment i configured bind to be a slave and just get the zone from
the ipa dns. but still i think thats not the best way to do it. since i
will also have some hosts in the zonefile that shouldn't be public.

But I think that problem isn't related to ipa. I'm really happy about ipa
right know and just playing around with it and hope that we could deploy it
live, soon.

Btw. are there any tips by having a second nameserver (public) that just
gives out the important/public hosts?
Or is there a good way in having a domain configured twice? like the
internal ip for ipa-users and the external ip for the people outside of the
internal firewall?


P.S.: I'm not that much familiar with bind9/10. I'm just learning to use it
correctly and make a good enviroment with ipa.


2013/7/5 Rob Crittenden <rcritten at redhat.com>

> Schmitt, Christian wrote:
>
>> is it possible to install ipa-dns-install on a remote host that is only
>> connect via vpn?
>>
>> I mean this i my current network structure:
>>
>> Host (Internet)                                               Intranet
>> VPN Access Provider  tun   <  -  > tun             FreeIPA Server dc01
>> dc02
>>
>> when i now try to ipa-dns-install with the ip from the client ip of the
>> tun device of the FreeIPA Server i always get an error that the ip is
>> not on my device. Is there an easy way of having the DNS of the FreeIPA
>> Server on an Internet Machine? I mean it will work if i replicate the
>> whole ipa-server but that is somehow a little bit of an overkill.
>>
>
> We provide no tool to configure DNS as a standalone service. The
> ipa-dns-install tool will only configure a bind server running on an IPA
> master.
>
> It is possible to configure bind/bind-dyndb-ldap to run on another host
> but you'd likely have performance issues and there could be problems at
> upgrade if we make configuration changes (they wouldn't be applied to your
> manually-configured instance).
>
> rob
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130705/2c82839e/attachment.htm>

From amessina at messinet.com  Fri Jul  5 15:24:29 2013
From: amessina at messinet.com (Anthony Messina)
Date: Fri, 05 Jul 2013 10:24:29 -0500
Subject: [Freeipa-users] ipa-dns-install on a remote host?
In-Reply-To: <CAPDLAU6Rn2Yo_7bE7YFx5VadFzJGmDxZ_0T7M_0D9Y_S8JSVYw@mail.gmail.com>
References: <CAPDLAU50hjw4KwKae5z1E8Bc54xdLCarRtat6dhjTKPTFSr2Eg@mail.gmail.com>
	<51D6D332.4010101@redhat.com>
	<CAPDLAU6Rn2Yo_7bE7YFx5VadFzJGmDxZ_0T7M_0D9Y_S8JSVYw@mail.gmail.com>
Message-ID: <14935296.zKB2IOuNAT@linux-ws1.messinet.com>

On Friday, July 05, 2013 04:18:37 PM Schmitt, Christian wrote:
> Btw. are there any tips by having a second nameserver (public) that just
> gives out the important/public hosts? Or is there a good way in having a
> domain configured twice? like the internal ip for ipa-users and the
> external ip for the people outside of the internal firewall?

Unrelated to FreeIPA, BIND has support for views, which may accomplish this 
task for you:
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2591409

-A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130705/3cd104e2/attachment.sig>

From c.schmitt at briefdomain.de  Fri Jul  5 15:59:07 2013
From: c.schmitt at briefdomain.de (Schmitt, Christian)
Date: Fri, 5 Jul 2013 17:59:07 +0200
Subject: [Freeipa-users] ipa-dns-install on a remote host?
In-Reply-To: <14935296.zKB2IOuNAT@linux-ws1.messinet.com>
References: <CAPDLAU50hjw4KwKae5z1E8Bc54xdLCarRtat6dhjTKPTFSr2Eg@mail.gmail.com>
	<51D6D332.4010101@redhat.com>
	<CAPDLAU6Rn2Yo_7bE7YFx5VadFzJGmDxZ_0T7M_0D9Y_S8JSVYw@mail.gmail.com>
	<14935296.zKB2IOuNAT@linux-ws1.messinet.com>
Message-ID: <CAPDLAU4yAL9xDcM-J9n3SO6xHhvJ6ZX0QNXsA3i_xm982C54Rg@mail.gmail.com>

Yeah i know that feature, but when i have a View i need to declare two
zonefiles (i need to create one by hand and the other will getting created
by the ipa-dns) thats not exactly what i'm looking for since some sites
shall be the same on both sites, like domain.tld and www.domain.tld are the
same on both sites. but domain.tld is also a freeipa domain and
intra.domain.tld should only be routed through clients but stash.domain.tld
and jira.domain.tld should have both so that it is accessible through the
internet but the local clients should use the local ips.
isn't there a delegate like feature? or even a feature in freeipa that lets
me delegate some entries only to internal hosts.


2013/7/5 Anthony Messina <amessina at messinet.com>

> On Friday, July 05, 2013 04:18:37 PM Schmitt, Christian wrote:
> > Btw. are there any tips by having a second nameserver (public) that just
> > gives out the important/public hosts? Or is there a good way in having a
> > domain configured twice? like the internal ip for ipa-users and the
> > external ip for the people outside of the internal firewall?
>
> Unrelated to FreeIPA, BIND has support for views, which may accomplish this
> task for you:
> http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2591409
>
> -A
>
> --
> Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
> 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130705/0929aa1f/attachment.htm>

From c.schmitt at briefdomain.de  Sun Jul  7 21:11:18 2013
From: c.schmitt at briefdomain.de (Schmitt, Christian)
Date: Sun, 7 Jul 2013 23:11:18 +0200
Subject: [Freeipa-users] Replicate on Servers with diffrent Version (Minor)
Message-ID: <CAPDLAU6nXz7bBS4Wxg3eYqk3QP7qvWHXMfAYM3n_SxqX9YV5LQ@mail.gmail.com>

Hello is it possible to replicate FreeIPA Server with diffrent Minor
versions?
Currently we are running a FreeIPA Server on Fedora 19 since CentOS/RHEL
only has a FreeIPA 2.X Server and we wanted the features of FreeIPA 3.X.
Would it be possible to replicate that Server to a Red Hat Enterprise Linux
7 FreeIPA Server when it's arrive, when the minor version is diffrent and
it is a 3.X Server? or does the Major, Minor needs to be completly the same?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130707/5538fe15/attachment.htm>

From sbingram at gmail.com  Sun Jul  7 23:46:27 2013
From: sbingram at gmail.com (Stephen Ingram)
Date: Sun, 7 Jul 2013 16:46:27 -0700
Subject: [Freeipa-users] Replicate on Servers with diffrent Version
	(Minor)
In-Reply-To: <CAPDLAU6nXz7bBS4Wxg3eYqk3QP7qvWHXMfAYM3n_SxqX9YV5LQ@mail.gmail.com>
References: <CAPDLAU6nXz7bBS4Wxg3eYqk3QP7qvWHXMfAYM3n_SxqX9YV5LQ@mail.gmail.com>
Message-ID: <CAPsaoBd5FijfB_kGiSXWGVmYwXXuM13H7P7S5Z6eaU1-48dAxw@mail.gmail.com>

On Sun, Jul 7, 2013 at 2:11 PM, Schmitt, Christian <c.schmitt at briefdomain.de
> wrote:

> Hello is it possible to replicate FreeIPA Server with diffrent Minor
> versions?
> Currently we are running a FreeIPA Server on Fedora 19 since CentOS/RHEL
> only has a FreeIPA 2.X Server and we wanted the features of FreeIPA 3.X.
> Would it be possible to replicate that Server to a Red Hat Enterprise
> Linux 7 FreeIPA Server when it's arrive, when the minor version is diffrent
> and it is a 3.X Server? or does the Major, Minor needs to be completly the
> same?
>

Actually RHEL 6.4 has version 3.0.x of IPA. I was told that after the
release of RHEL 7, there will be a RHEL 6.x version of IPA (3.0.?) that
will support replication up to RHEL 7 (most likely version 3.2.x, 3.3.x or
wherever they get to before RHEL 7 release). I'm not sure about replication
from a Fedora IPA release to a RHEL release.

Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130707/53996fe7/attachment.htm>

From mrorourke at earthlink.net  Mon Jul  8 00:15:53 2013
From: mrorourke at earthlink.net (Michael ORourke)
Date: Sun, 7 Jul 2013 20:15:53 -0400 (GMT-04:00)
Subject: [Freeipa-users] named (DNS) dumping core
Message-ID: <31701738.1373242554151.JavaMail.root@elwamui-hybrid.atl.sa.earthlink.net>

We have 4 replicated IPA servers running in our environment, 2 in each data center and we have been having some problems with named quiting.  Early this morning 'named' on both IPA servers in our production data center died.  I was able to login and simply restart named.  So I am not sure what could have caused it to fail.
Is anyone else having this problem?

# From /var/log/messages...
Saved core dump of pid 11494 (/usr/sbin/named) to /var/spool/abrt/ccpp-2013-07-07-03:47:03-11494 (121303040 bytes)

# rpm -qa | grep ipa
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.9.2-82.4.el6_4.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
libipa_hbac-1.9.2-82.4.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-client-3.0.0-26.el6_4.2.x86_64

# cat /etc/redhat-release
CentOS release 6.4 (Final)

Thanks,
Mike



From pspacek at redhat.com  Mon Jul  8 07:32:17 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 08 Jul 2013 09:32:17 +0200
Subject: [Freeipa-users] named (DNS) dumping core
In-Reply-To: <31701738.1373242554151.JavaMail.root@elwamui-hybrid.atl.sa.earthlink.net>
References: <31701738.1373242554151.JavaMail.root@elwamui-hybrid.atl.sa.earthlink.net>
Message-ID: <51DA6B01.8050202@redhat.com>

Hello,

On 8.7.2013 02:15, Michael ORourke wrote:
> We have 4 replicated IPA servers running in our environment, 2 in each data center and we have been having some problems with named quiting.  Early this morning 'named' on both IPA servers in our production data center died.  I was able to login and simply restart named.  So I am not sure what could have caused it to fail.
> Is anyone else having this problem?
Does it seem similar to 
https://www.redhat.com/archives/freeipa-users/2013-July/msg00001.html ?

Please follow 
https://www.redhat.com/archives/freeipa-users/2013-July/msg00002.html if your 
answer is 'yes'.

> # From /var/log/messages...
> Saved core dump of pid 11494 (/usr/sbin/named) to /var/spool/abrt/ccpp-2013-07-07-03:47:03-11494 (121303040 bytes)
We will need to get a copy of the 
/var/spool/abrt/ccpp-2013-07-07-03:47:03-11494 directory if upgrade doesn't 
solve the problem.


> # rpm -qa | grep ipa
Please attach output from "rpm -qa | grep bind" if you experience any problem 
with DNS integrated to IPA.

If you are unsure, please follow 
https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting .

Have a nice day.

> ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.9.2-82.4.el6_4.x86_64
> ipa-admintools-3.0.0-26.el6_4.2.x86_64
> ipa-server-3.0.0-26.el6_4.2.x86_64
> libipa_hbac-1.9.2-82.4.el6_4.x86_64
> ipa-python-3.0.0-26.el6_4.2.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-client-3.0.0-26.el6_4.2.x86_64
>
> # cat /etc/redhat-release
> CentOS release 6.4 (Final)

-- 
Petr^2 Spacek



From pspacek at redhat.com  Mon Jul  8 07:47:32 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 08 Jul 2013 09:47:32 +0200
Subject: [Freeipa-users] ipa-dns-install on a remote host?
In-Reply-To: <CAPDLAU4yAL9xDcM-J9n3SO6xHhvJ6ZX0QNXsA3i_xm982C54Rg@mail.gmail.com>
References: <CAPDLAU50hjw4KwKae5z1E8Bc54xdLCarRtat6dhjTKPTFSr2Eg@mail.gmail.com>
	<51D6D332.4010101@redhat.com>
	<CAPDLAU6Rn2Yo_7bE7YFx5VadFzJGmDxZ_0T7M_0D9Y_S8JSVYw@mail.gmail.com>
	<14935296.zKB2IOuNAT@linux-ws1.messinet.com>
	<CAPDLAU4yAL9xDcM-J9n3SO6xHhvJ6ZX0QNXsA3i_xm982C54Rg@mail.gmail.com>
Message-ID: <51DA6E94.2040709@redhat.com>

On 5.7.2013 17:59, Schmitt, Christian wrote:
> Yeah i know that feature, but when i have a View i need to declare two
> zonefiles (i need to create one by hand and the other will getting created
> by the ipa-dns) thats not exactly what i'm looking for since some sites
> shall be the same on both sites, like domain.tld and www.domain.tld are the
> same on both sites. but domain.tld is also a freeipa domain and
> intra.domain.tld should only be routed through clients but stash.domain.tld
> and jira.domain.tld should have both so that it is accessible through the
> internet but the local clients should use the local ips.
> isn't there a delegate like feature? or even a feature in freeipa that lets
> me delegate some entries only to internal hosts.
>
>
> 2013/7/5 Anthony Messina <amessina at messinet.com>
>
>> On Friday, July 05, 2013 04:18:37 PM Schmitt, Christian wrote:
>>> Btw. are there any tips by having a second nameserver (public) that just
>>> gives out the important/public hosts? Or is there a good way in having a
>>> domain configured twice? like the internal ip for ipa-users and the
>>> external ip for the people outside of the internal firewall?
>>
>> Unrelated to FreeIPA, BIND has support for views, which may accomplish this
>> task for you:
>> http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2591409

Hello,

FreeIPA doesn't support BIND views.

The simplest way how to serve some records only to internal network but not to 
the public Internet is this:
1. create public zone example.com, fill it with shared (public + internal) records
2. create internal zone 'in.example.com', configure zone delegation from 
example.com (NS+A records), add 'internal only' records
3. configure internal zone 'in.example.com' to accept queries only from 
internal network ($ ipa dnszone-mod in.example.com --allow-query='192.0.2.0/24;')

I believe that this solves the basic use case.

-- 
Petr^2 Spacek



From c.schmitt at briefdomain.de  Mon Jul  8 13:49:03 2013
From: c.schmitt at briefdomain.de (Schmitt, Christian)
Date: Mon, 8 Jul 2013 15:49:03 +0200
Subject: [Freeipa-users] Virtual Machines??
Message-ID: <CAPDLAU7Wp3+8xw1LOZZMyVccxxUjs8YLVfz6BFdXOpqv8DPwAg@mail.gmail.com>

Hello, is there currently a good way to install FreeIPA or IdM in virtual
machines?
Currently we having some Windows Hyper-V Hypervisors since we are planning
to buy some Dell Hardware that can't run Linux yet, the Dell VRTX.
Also we want to reuse our Windows Server Datacenter Licenses.
Is there a good way to do it?

At the moment I tried it, but I get a lot of problems when trying to login,
i think that happens cause of the ntp server.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130708/e1ed4df5/attachment.htm>

From matthew.joseph at lmco.com  Mon Jul  8 14:01:16 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Mon, 8 Jul 2013 10:01:16 -0400
Subject: [Freeipa-users] Windows 2008 winsync failure
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0F479BDAEE@HCXMSP1.ca.lmco.com>

Hello,

I am trying to setup the SSL on my Windows 2008 R2 AD server but I am getting the following error when I try to apply the request.inf changes.
Certreq -submit request.req certnew.cer

The request does not contain a certificate template extension.

So it complains about the [Extensions] field with the OID.
[Extensions]
OID = 1.3.6.1.5.5.7.3.1

Going by Microsoft's documentation I have it setup correct.

Anyone have a suggestion?

Thanks,

Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130708/636134e8/attachment.htm>

From rcritten at redhat.com  Mon Jul  8 14:05:50 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Jul 2013 10:05:50 -0400
Subject: [Freeipa-users] Replicate on Servers with diffrent Version
	(Minor)
In-Reply-To: <CAPsaoBd5FijfB_kGiSXWGVmYwXXuM13H7P7S5Z6eaU1-48dAxw@mail.gmail.com>
References: <CAPDLAU6nXz7bBS4Wxg3eYqk3QP7qvWHXMfAYM3n_SxqX9YV5LQ@mail.gmail.com>
	<CAPsaoBd5FijfB_kGiSXWGVmYwXXuM13H7P7S5Z6eaU1-48dAxw@mail.gmail.com>
Message-ID: <51DAC73E.5090200@redhat.com>

Stephen Ingram wrote:
> On Sun, Jul 7, 2013 at 2:11 PM, Schmitt, Christian
> <c.schmitt at briefdomain.de <mailto:c.schmitt at briefdomain.de>> wrote:
>
>     Hello is it possible to replicate FreeIPA Server with diffrent Minor
>     versions?
>     Currently we are running a FreeIPA Server on Fedora 19 since
>     CentOS/RHEL only has a FreeIPA 2.X Server and we wanted the features
>     of FreeIPA 3.X.
>     Would it be possible to replicate that Server to a Red Hat
>     Enterprise Linux 7 FreeIPA Server when it's arrive, when the minor
>     version is diffrent and it is a 3.X Server? or does the Major, Minor
>     needs to be completly the same?
>
>
> Actually RHEL 6.4 has version 3.0.x of IPA. I was told that after the
> release of RHEL 7, there will be a RHEL 6.x version of IPA (3.0.?) that
> will support replication up to RHEL 7 (most likely version 3.2.x, 3.3.x
> or wherever they get to before RHEL 7 release). I'm not sure about
> replication from a Fedora IPA release to a RHEL release.

That is correct. Replication between versions is a way to bridge from 
one release to another. One can create an agreement from a lower to a 
higher version, but not the other way around.

It is expected that users will quickly migrate all masters from the old 
version to the new one (days or weeks, not months).

rob



From jhrozek at redhat.com  Mon Jul  8 14:40:24 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 8 Jul 2013 16:40:24 +0200
Subject: [Freeipa-users] Virtual Machines??
In-Reply-To: <CAPDLAU7Wp3+8xw1LOZZMyVccxxUjs8YLVfz6BFdXOpqv8DPwAg@mail.gmail.com>
References: <CAPDLAU7Wp3+8xw1LOZZMyVccxxUjs8YLVfz6BFdXOpqv8DPwAg@mail.gmail.com>
Message-ID: <20130708144024.GJ17598@hendrix.redhat.com>

On Mon, Jul 08, 2013 at 03:49:03PM +0200, Schmitt, Christian wrote:
> Hello, is there currently a good way to install FreeIPA or IdM in virtual
> machines?
> Currently we having some Windows Hyper-V Hypervisors since we are planning
> to buy some Dell Hardware that can't run Linux yet, the Dell VRTX.
> Also we want to reuse our Windows Server Datacenter Licenses.
> Is there a good way to do it?
> 
> At the moment I tried it, but I get a lot of problems when trying to login,
> i think that happens cause of the ntp server.

Can you post the errors you are seeing? In general yes, you want to have
the servers and clients synchronized (although recent Kerberos releases
are more forgiving in this respect)



From sakodak at gmail.com  Mon Jul  8 17:44:13 2013
From: sakodak at gmail.com (KodaK)
Date: Mon, 8 Jul 2013 12:44:13 -0500
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
Message-ID: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>

We've just discovered that AIX does not honor HBAC rules with telnet.  ssh
is fine.

[jebalicki at mo0033802 ~]$ ipa hbactest --user=testuser --host=
sla765q1.unix.magellanhealth.com --service=sshd
---------------------
Access granted: False
---------------------

There was no telnet service by default, I created one (but I'm not sure I
did so correctly.)

[jebalicki at mo0033802 ~]$ ipa hbactest --user=testuser --host=
sla765q1.unix.magellanhealth.com --service=telnet
---------------------
Access granted: False
---------------------

[jebalicki at mo0033802 ~]$ ipa hbactest --user=testuser --host=
sla765q1.unix.magellanhealth.com
Service: any
---------------------
Access granted: False
---------------------

[jebalicki at mo0033802 ~]$ ipa hbactest --user=testuser --host=
sla765q1.unix.magellanhealth.com --service=login
---------------------
Access granted: False
---------------------

But:

[jebalicki at mo0033802 ~]$ telnet sla765q1
Trying 10.200.5.137...
Connected to sla765q1.
Escape character is '^]'.
 telnet (sla765q1.unix.magellanhealth.com)
[login banner and blank lines removed]
AIX Version 6
Copyright IBM Corporation, 1982, 2011.
login: testuser
testuser's Password:
-bash-3.2$ logout
Connection closed by foreign host.

AIX was configured with standard authentication at first:

ROOT at sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Standard Aix

But I changed that to add kerberos:

ROOT at sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Kerberos 5
Standard Aix

However, all that does is cause kerberos to timeout on the invalid user and
then fall back to allowing the user in anyway.

I'm still investigating to see if this is an implementation problem, or if
AIX is just incapable of this.

I continue to lobby for turning off telnet, but there is political pressure
to keep it open.

Anyone have any ideas for things I could try?

Thanks,

--Jason


-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130708/cbf70860/attachment.htm>

From rcritten at redhat.com  Mon Jul  8 17:50:22 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Jul 2013 13:50:22 -0400
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
Message-ID: <51DAFBDE.30109@redhat.com>

KodaK wrote:
> We've just discovered that AIX does not honor HBAC rules with telnet.
>   ssh is fine.
>
> [jebalicki at mo0033802 ~]$ ipa hbactest --user=testuser
> --host=sla765q1.unix.magellanhealth.com
> <http://sla765q1.unix.magellanhealth.com> --service=sshd
> ---------------------
> Access granted: False
> ---------------------
>
> There was no telnet service by default, I created one (but I'm not sure
> I did so correctly.)
>
> [jebalicki at mo0033802 ~]$ ipa hbactest --user=testuser
> --host=sla765q1.unix.magellanhealth.com
> <http://sla765q1.unix.magellanhealth.com> --service=telnet
> ---------------------
> Access granted: False
> ---------------------
>
> [jebalicki at mo0033802 ~]$ ipa hbactest --user=testuser
> --host=sla765q1.unix.magellanhealth.com
> <http://sla765q1.unix.magellanhealth.com>
> Service: any
> ---------------------
> Access granted: False
> ---------------------
>
> [jebalicki at mo0033802 ~]$ ipa hbactest --user=testuser
> --host=sla765q1.unix.magellanhealth.com
> <http://sla765q1.unix.magellanhealth.com> --service=login
> ---------------------
> Access granted: False
> ---------------------
>
> But:
>
> [jebalicki at mo0033802 ~]$ telnet sla765q1
> Trying 10.200.5.137...
> Connected to sla765q1.
> Escape character is '^]'.
>   telnet (sla765q1.unix.magellanhealth.com
> <http://sla765q1.unix.magellanhealth.com>)
> [login banner and blank lines removed]
> AIX Version 6
> Copyright IBM Corporation, 1982, 2011.
> login: testuser
> testuser's Password:
> -bash-3.2$ logout
> Connection closed by foreign host.
>
> AIX was configured with standard authentication at first:
>
> ROOT at sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
> Standard Aix
>
> But I changed that to add kerberos:
>
> ROOT at sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
> Kerberos 5
> Standard Aix
>
> However, all that does is cause kerberos to timeout on the invalid user
> and then fall back to allowing the user in anyway.
>
> I'm still investigating to see if this is an implementation problem, or
> if AIX is just incapable of this.
>
> I continue to lobby for turning off telnet, but there is political
> pressure to keep it open.
>
> Anyone have any ideas for things I could try?

HBAC is enforced by sssd, so no sssd, no HBAC.

I think you need to use pam_access to limit users in AIX.

rob



From bjvetter at gmail.com  Tue Jul  9 00:15:41 2013
From: bjvetter at gmail.com (Brian Vetter)
Date: Mon, 8 Jul 2013 19:15:41 -0500
Subject: [Freeipa-users] What happened to my {cacert,kdc}.pem files?
Message-ID: <26F5480F-CA94-4164-9EB0-194D131F810B@gmail.com>

We had to shut down our FREEIPA server and move it. When I brought it back up again today (all same IPs, network, etc), it failed to come up. I see lots of  various forms of the following messages when trying to start the ipa, named, and other services:

"Failed to init credentials (Cannot contact any KDC for realm ..."
"startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-TESTREALM.COM/dse.ldif. It is mandatory."
"startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory."
"krb5kdc: Server error - while fetching master key K/M for realm TESTREALM.COM"
"kinit: Cannot contact any KDC for realm 'TESTREALM.COM' while getting initial credentials"

>From what I can surmise after seeing these, something in kerberos is messed up. I don't know for sure if it is related, but I see that the files referenced in /var/kerberos/krb5kdc/kdc.conf are not there. In particular,

pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem

If this is likely the case (or perhaps just the first thing I've run into that is wrong), how do I go about recovering them? I've tried (with fingers crossed) "yum reinstall freeipa-server" and "yum update freeipa-server" hoping that they'd see the need to fix this. They didn't. Still get the same errors.

Is there some backdoor way to recreate these files from elsewhere in the install? Perhaps buried in the 389 directory server's database and accessible using db4.4_dump or some other tools? If there is no way to recreate them, is there a way to reassert new keys without having to start all over? And if I have to start all over, is there anyway to extract some of the records from the dir DB so I can reload them with a new server?

Thanks for any suggestions/guidance,

Brian




From rmeggins at redhat.com  Tue Jul  9 01:13:51 2013
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 08 Jul 2013 19:13:51 -0600
Subject: [Freeipa-users] What happened to my {cacert,kdc}.pem files?
In-Reply-To: <26F5480F-CA94-4164-9EB0-194D131F810B@gmail.com>
References: <26F5480F-CA94-4164-9EB0-194D131F810B@gmail.com>
Message-ID: <51DB63CF.2050304@redhat.com>

On 07/08/2013 06:15 PM, Brian Vetter wrote:
> We had to shut down our FREEIPA server and move it. When I brought it back up again today (all same IPs, network, etc), it failed to come up. I see lots of  various forms of the following messages when trying to start the ipa, named, and other services:
>
> "Failed to init credentials (Cannot contact any KDC for realm ..."
> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-TESTREALM.COM/dse.ldif. It is mandatory."
> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory."

ls -alrtF /etc/dirsrv/slapd-*

> "krb5kdc: Server error - while fetching master key K/M for realm TESTREALM.COM"
> "kinit: Cannot contact any KDC for realm 'TESTREALM.COM' while getting initial credentials"
>
> >From what I can surmise after seeing these, something in kerberos is messed up. I don't know for sure if it is related, but I see that the files referenced in /var/kerberos/krb5kdc/kdc.conf are not there. In particular,
>
> pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>
> If this is likely the case (or perhaps just the first thing I've run into that is wrong), how do I go about recovering them? I've tried (with fingers crossed) "yum reinstall freeipa-server" and "yum update freeipa-server" hoping that they'd see the need to fix this. They didn't. Still get the same errors.
>
> Is there some backdoor way to recreate these files from elsewhere in the install? Perhaps buried in the 389 directory server's database and accessible using db4.4_dump or some other tools? If there is no way to recreate them, is there a way to reassert new keys without having to start all over? And if I have to start all over, is there anyway to extract some of the records from the dir DB so I can reload them with a new server?
>
> Thanks for any suggestions/guidance,
>
> Brian
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



From mrorourke at earthlink.net  Tue Jul  9 01:14:36 2013
From: mrorourke at earthlink.net (Michael ORourke)
Date: Mon, 8 Jul 2013 21:14:36 -0400
Subject: [Freeipa-users] named (DNS) dumping core
References: <31701738.1373242554151.JavaMail.root@elwamui-hybrid.atl.sa.earthlink.net>
	<51DA6B01.8050202@redhat.com>
Message-ID: <B79AC602F503404EAB5C0893197E138A@mainlivingroom>

Petr,

Yes, it looks like we ran into the same bug.
We will schedule an update for our IPA servers soon to address this issue.

Thanks,
Mike


----- Original Message ----- 
From: "Petr Spacek" <pspacek at redhat.com>
To: <freeipa-users at redhat.com>
Sent: Monday, July 08, 2013 3:32 AM
Subject: Re: [Freeipa-users] named (DNS) dumping core


> Hello,
>
> On 8.7.2013 02:15, Michael ORourke wrote:
>> We have 4 replicated IPA servers running in our environment, 2 in each 
>> data center and we have been having some problems with named quiting. 
>> Early this morning 'named' on both IPA servers in our production data 
>> center died.  I was able to login and simply restart named.  So I am not 
>> sure what could have caused it to fail.
>> Is anyone else having this problem?
> Does it seem similar to 
> https://www.redhat.com/archives/freeipa-users/2013-July/msg00001.html ?
>
> Please follow 
> https://www.redhat.com/archives/freeipa-users/2013-July/msg00002.html if 
> your answer is 'yes'.
>
>> # From /var/log/messages...
>> Saved core dump of pid 11494 (/usr/sbin/named) to 
>> /var/spool/abrt/ccpp-2013-07-07-03:47:03-11494 (121303040 bytes)
> We will need to get a copy of the 
> /var/spool/abrt/ccpp-2013-07-07-03:47:03-11494 directory if upgrade 
> doesn't solve the problem.
>
>
>> # rpm -qa | grep ipa
> Please attach output from "rpm -qa | grep bind" if you experience any 
> problem with DNS integrated to IPA.
>
> If you are unsure, please follow 
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting .
>
> Have a nice day.
>
>> ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.9.2-82.4.el6_4.x86_64
>> ipa-admintools-3.0.0-26.el6_4.2.x86_64
>> ipa-server-3.0.0-26.el6_4.2.x86_64
>> libipa_hbac-1.9.2-82.4.el6_4.x86_64
>> ipa-python-3.0.0-26.el6_4.2.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-client-3.0.0-26.el6_4.2.x86_64
>>
>> # cat /etc/redhat-release
>> CentOS release 6.4 (Final)
>
> -- 
> Petr^2 Spacek
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> -----
> No virus found in this message.
> Checked by AVG - www.avg.com
> Version: 2013.0.3345 / Virus Database: 3204/6474 - Release Date: 07/08/13
> 



From arthur at deus.pro  Tue Jul  9 06:28:47 2013
From: arthur at deus.pro (=?koi8-r?Q?=E1=D2=D4=D5=D2_?= =?koi8-r?Q?=E6=C1=CA=DA=D5=CC=CC=C9=CE?=)
Date: Tue, 09 Jul 2013 12:28:47 +0600
Subject: [Freeipa-users] Virtual Machines??
In-Reply-To: <CAPDLAU7Wp3+8xw1LOZZMyVccxxUjs8YLVfz6BFdXOpqv8DPwAg@mail.gmail.com>
References: <CAPDLAU7Wp3+8xw1LOZZMyVccxxUjs8YLVfz6BFdXOpqv8DPwAg@mail.gmail.com>
Message-ID: <1373351327.15539.1.camel@arthur.bashnl.ru>

Try to use "iburst" option, that has helped me, sometimes time goes
wrong on VM. but now I do use phisical server.

? ??, 08/07/2013 ? 15:49 +0200, Schmitt, Christian ?????:
> Hello, is there currently a good way to install FreeIPA or IdM in
> virtual machines?
> 
> Currently we having some Windows Hyper-V Hypervisors since we are
> planning to buy some Dell Hardware that can't run Linux yet, the Dell
> VRTX. 
> 
> Also we want to reuse our Windows Server Datacenter Licenses.
> 
> Is there a good way to do it?
> 
> 
> 
> At the moment I tried it, but I get a lot of problems when trying to
> login, i think that happens cause of the ntp server.
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




From james.hogarth at gmail.com  Tue Jul  9 09:26:50 2013
From: james.hogarth at gmail.com (James Hogarth)
Date: Tue, 9 Jul 2013 10:26:50 +0100
Subject: [Freeipa-users] named (DNS) dumping core
In-Reply-To: <B79AC602F503404EAB5C0893197E138A@mainlivingroom>
References: <31701738.1373242554151.JavaMail.root@elwamui-hybrid.atl.sa.earthlink.net>
	<51DA6B01.8050202@redhat.com>
	<B79AC602F503404EAB5C0893197E138A@mainlivingroom>
Message-ID: <CAGkb5vcwV7qsWXTrm_kNOALLEtTQwjgFc=JA3P8UUg4v7iWnMQ@mail.gmail.com>

>
> Yes, it looks like we ran into the same bug.
> We will schedule an update for our IPA servers soon to address this issue.
>

As a heads up you can do these one at a time and for this particular issue
it doesn't require a full IPA restart... Just named.

When we updated ours after the srpm got published and rebuilt we carried
out the following process on each IPA server one at a time...

1) for i in {1..300}; do rndc reload; sleep 1; done
2) observe the named segfault
3) yum update bind-dyndb-ldap
4) service named restart
5) for i in {1..300}; do rndc reload; sleep 1; done
6) observe a stable named
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130709/d582b070/attachment.htm>

From natxo.asenjo at gmail.com  Tue Jul  9 10:00:10 2013
From: natxo.asenjo at gmail.com (natxo asenjo)
Date: Tue, 09 Jul 2013 12:00:10 +0200
Subject: [Freeipa-users] Virtual Machines??
In-Reply-To: <CAPDLAU7Wp3+8xw1LOZZMyVccxxUjs8YLVfz6BFdXOpqv8DPwAg@mail.gmail.com>
References: <CAPDLAU7Wp3+8xw1LOZZMyVccxxUjs8YLVfz6BFdXOpqv8DPwAg@mail.gmail.com>
Message-ID: <51DBDF2A.8020904@gmail.com>

On 07/08/2013 03:49 PM, Schmitt, Christian wrote:
> Hello, is there currently a good way to install FreeIPA or IdM in
> virtual machines?
> Currently we having some Windows Hyper-V Hypervisors since we are
> planning to buy some Dell Hardware that can't run Linux yet, the Dell VRTX.
> Also we want to reuse our Windows Server Datacenter Licenses.
> Is there a good way to do it?

we run a fully virtualized IdM environment on ESX. We did run in time 
synch problems after a server was rebooted for updates, the time was way 
out of sync.

Running ntpdate to synchronize to the ntp server on boot with the 
/etc/sysconfig/ntpdate config file was the solution for us. the iburst 
option in ntp.conf works if your clock skew is not greater than 300 
seconds, but then you do not have login problems either.

-- 
groet,
natxo



From linux at karasik.org  Tue Jul  9 10:32:27 2013
From: linux at karasik.org (Vitaly)
Date: Tue, 9 Jul 2013 13:32:27 +0300
Subject: [Freeipa-users] Where is ipa-client RPMs for RHEL/CENTOS4?
Message-ID: <CANpTS01Yxhr3HFCbVtk3AUFywkLw-qC72_0kgwZrF4P4wEcrgA@mail.gmail.com>

I have a few RHEL4.9 boxes and I need to join them to IPA2 domain.
Unfortunately, there is no ipa-client RPM available for RHEL/CENTO4.
Somewhere I saw suggestion to use ipa-client package from CENTOS5, but
of course, it fails because older glibc.
In the same time, many sources speak about RHEL4 as IPA client.
Did I miss something?

TIA,
Vitaly



From aissabrah at gmail.com  Mon Jul  8 23:55:53 2013
From: aissabrah at gmail.com (Aissa)
Date: Mon, 8 Jul 2013 23:55:53 +0000 (UTC)
Subject: [Freeipa-users] FreeIPA Client Setup in Windows 7 & Ubuntu
References: <50FD0E1C.1080006@loopmethods.com>
Message-ID: <loom.20130709T015320-460@post.gmane.org>




Vijay Thakur <vijay.thakur at ...> writes:

> 
> Dear All List Members,
> 
> I have installed and configured FreeIPA Server 2.2.1 in Fedora 17. All 
> is working very fine at server end. I have
> successfully configure my Centos 6.0 Box as FreeIPA Client. Now i have 
> to set up FreeIPA clients of Ubuntu 12.04
> and windows 7.  There is no available documentation for Windows 7 and 
> Ubuntu 12.04. During the first login of
> Windows 7 as FreeIPA Client, i have followed the following steps:
> 
> (1) Login as user1 at ... and Password: 12345678
> (2) Message "Your Password has expired and must be changed".
> (3) Changed the Password to new one successfully.
> (4) Again login with new credentials.
> (5) Windows 7 giving message "The User Name or Password is incorrect".
> 
> I have already stopped the Windows 7 firewall.
> 
> Guide me about Ubuntu 12.04 as FreeIPA Client setting.
> 
> With Warm Wishes,
> 
> Vijay Thakur
> 
> 
Vijay,

I would like to know if you can send me the procedure how to install client
centos with FreeIPA server.
Like you, I was able to install the server side but got "stock" with the
client authentication.

Thank you in advance

AB





From rcritten at redhat.com  Tue Jul  9 15:29:51 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Jul 2013 11:29:51 -0400
Subject: [Freeipa-users] Where is ipa-client RPMs for RHEL/CENTOS4?
In-Reply-To: <CANpTS01Yxhr3HFCbVtk3AUFywkLw-qC72_0kgwZrF4P4wEcrgA@mail.gmail.com>
References: <CANpTS01Yxhr3HFCbVtk3AUFywkLw-qC72_0kgwZrF4P4wEcrgA@mail.gmail.com>
Message-ID: <51DC2C6F.2050002@redhat.com>

Vitaly wrote:
> I have a few RHEL4.9 boxes and I need to join them to IPA2 domain.
> Unfortunately, there is no ipa-client RPM available for RHEL/CENTO4.
> Somewhere I saw suggestion to use ipa-client package from CENTOS5, but
> of course, it fails because older glibc.
> In the same time, many sources speak about RHEL4 as IPA client.
> Did I miss something?

There is no ipa-client package for RHEL 4. Around 6 years ago we wrote a 
script that can configure a 4.x client but AFAIK it hasn't been used for 
a very, very long time. You can find it at 
https://git.fedorahosted.org/cgit/freeipa.git/tree/contrib/RHEL4

It has probably never been tested against a v2 server.

You may be better off manually configuring these clients.

rob



From rcritten at redhat.com  Tue Jul  9 15:31:11 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Jul 2013 11:31:11 -0400
Subject: [Freeipa-users] What happened to my {cacert,kdc}.pem files?
In-Reply-To: <26F5480F-CA94-4164-9EB0-194D131F810B@gmail.com>
References: <26F5480F-CA94-4164-9EB0-194D131F810B@gmail.com>
Message-ID: <51DC2CBF.7060007@redhat.com>

Brian Vetter wrote:
> We had to shut down our FREEIPA server and move it. When I brought it back up again today (all same IPs, network, etc), it failed to come up. I see lots of  various forms of the following messages when trying to start the ipa, named, and other services:

What do you mean by move it? Physically move a machine or did you try to 
move the configuration?

rob


> "Failed to init credentials (Cannot contact any KDC for realm ..."
> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-TESTREALM.COM/dse.ldif. It is mandatory."
> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory."
> "krb5kdc: Server error - while fetching master key K/M for realm TESTREALM.COM"
> "kinit: Cannot contact any KDC for realm 'TESTREALM.COM' while getting initial credentials"
>
>>From what I can surmise after seeing these, something in kerberos is messed up. I don't know for sure if it is related, but I see that the files referenced in /var/kerberos/krb5kdc/kdc.conf are not there. In particular,
>
> pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>
> If this is likely the case (or perhaps just the first thing I've run into that is wrong), how do I go about recovering them? I've tried (with fingers crossed) "yum reinstall freeipa-server" and "yum update freeipa-server" hoping that they'd see the need to fix this. They didn't. Still get the same errors.
>
> Is there some backdoor way to recreate these files from elsewhere in the install? Perhaps buried in the 389 directory server's database and accessible using db4.4_dump or some other tools? If there is no way to recreate them, is there a way to reassert new keys without having to start all over? And if I have to start all over, is there anyway to extract some of the records from the dir DB so I can reload them with a new server?
>
> Thanks for any suggestions/guidance,
>
> Brian
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>



From bjvetter at gmail.com  Tue Jul  9 18:49:26 2013
From: bjvetter at gmail.com (Brian Vetter)
Date: Tue, 9 Jul 2013 13:49:26 -0500
Subject: [Freeipa-users] What happened to my {cacert,kdc}.pem files?
In-Reply-To: <51DB63CF.2050304@redhat.com>
References: <26F5480F-CA94-4164-9EB0-194D131F810B@gmail.com>
	<51DB63CF.2050304@redhat.com>
Message-ID: <C9EC2F43-5D9C-44E0-AE5E-4C54E1ECEFF9@gmail.com>

Here is the directory listing ...

On Jul 8, 2013, at 8:13 PM, Rich Megginson wrote:

> On 07/08/2013 06:15 PM, Brian Vetter wrote:
>> We had to shut down our FREEIPA server and move it. When I brought it back up again today (all same IPs, network, etc), it failed to come up. I see lots of  various forms of the following messages when trying to start the ipa, named, and other services:
>> 
>> "Failed to init credentials (Cannot contact any KDC for realm ..."
>> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-TESTREALM.COM/dse.ldif. It is mandatory."
>> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory."
> 
> ls -alrtF /etc/dirsrv/slapd-*

# ls -alrtF /etc/dirsrv/slapd-*
/etc/dirsrv/slapd-PKI-IPA:
total 484
-r--r-----. 1 pkisrv dirsrv  33763 Sep 25  2012 dse_original.ldif
-r--r-----. 1 pkisrv dirsrv   3595 Sep 25  2012 certmap.conf
-r--r-----. 1 pkisrv dirsrv   5366 Sep 25  2012 slapd-collations.conf
-rw-rw----. 1 pkisrv dirsrv  16384 Sep 25  2012 secmod.db.orig
-rw-------. 1 pkisrv dirsrv     40 Sep 25  2012 pwdfile.txt
-r--------. 1 pkisrv dirsrv     66 Sep 25  2012 pin.txt
drwxrwxr-x. 6 root   dirsrv   4096 Sep 25  2012 ../
-rw-rw----. 1 pkisrv dirsrv  16384 Sep 25  2012 key3.db.orig
-rw-rw----. 1 pkisrv dirsrv  65536 Sep 25  2012 cert8.db.orig
-rw-------. 1 pkisrv dirsrv 111599 Jun 24 15:33 dse.ldif.startOK
drwxrwx---. 2 pkisrv dirsrv   4096 Jun 24 15:33 schema/
-rw-------. 1 pkisrv root    16384 Jun 24 15:33 secmod.db
-rw-------. 1 pkisrv dirsrv 111599 Jun 24 15:33 dse.ldif.bak
-rw-------. 1 pkisrv dirsrv      0 Jul  3 18:43 dse.ldif
drwxrwx---. 3 pkisrv dirsrv   4096 Jul  3 18:43 ./
-rw-------. 1 pkisrv root    16384 Jul  8 21:31 key3.db
-rw-------. 1 pkisrv root    65536 Jul  8 21:31 cert8.db

/etc/dirsrv/slapd-TESTREALM-COM:
total 1316
-r--r-----. 1 dirsrv dirsrv 33866 Sep 25  2012 dse_original.ldif
-r--r-----. 1 dirsrv dirsrv  5366 Sep 25  2012 slapd-collations.conf
-rw-rw----. 1 dirsrv dirsrv 16384 Sep 25  2012 secmod.db.orig
-rw-------. 1 dirsrv dirsrv    40 Sep 25  2012 pwdfile.txt
-r--------. 1 dirsrv dirsrv    66 Sep 25  2012 pin.txt
-r--r-----. 1 dirsrv dirsrv  3637 Sep 25  2012 certmap.conf
-rw-rw----. 1 dirsrv dirsrv 16384 Sep 25  2012 key3.db.orig
-rw-rw----. 1 dirsrv dirsrv 65536 Sep 25  2012 cert8.db.orig
drwxrwxr-x. 6 root   dirsrv  4096 Sep 25  2012 ../
-rw-------. 1 dirsrv root   88102 Oct 16  2012 dse.ldif.ipa.7536ea943b6ffd19
-rw-------. 1 dirsrv root   88050 Oct 18  2012 dse.ldif.ipa.b321343f4245e859
-rw-------. 1 dirsrv root   88050 Oct 28  2012 dse.ldif.ipa.6f187ed275f2c8d6
-rw-------. 1 dirsrv root   88050 Oct 31  2012 dse.ldif.ipa.a77259fe47a3f1ef
-rw-------. 1 dirsrv root   88050 Dec  5  2012 dse.ldif.ipa.45e94baeae26de8b
-rw-------. 1 dirsrv root   88050 Dec  5  2012 dse.ldif.ipa.df63ce99558b2b8b
-rw-------. 1 dirsrv root   88361 Dec 19  2012 dse.ldif.ipa.2808d9c2613eaf22
-rw-------. 1 dirsrv root   88361 Jan 21 14:22 dse.ldif.ipa.da912fc817573d85
-rw-------. 1 dirsrv root   88361 Mar 16 14:03 dse.ldif.ipa.17df93a6a8d16ed9
-rw-------. 1 dirsrv root   88361 Jun 24 15:33 dse.ldif.ipa.f5dec6078ee62fe5
-rw-------. 1 dirsrv dirsrv 88359 Jun 24 15:33 dse.ldif.startOK
drwxrwx---. 2 dirsrv dirsrv  4096 Jun 24 15:33 schema/
-rw-------. 1 dirsrv root   16384 Jun 24 15:33 secmod.db
-rw-------. 1 dirsrv dirsrv 88361 Jun 24 15:33 dse.ldif.bak
-rw-------. 1 root   root       0 Jul  3 18:43 dse.ldif.ipa.e9532be9acc9603f
-rw-------. 1 root   root       0 Jul  3 18:43 dse.ldif.ipa.5cec24995ad13b30
-rw-------. 1 dirsrv dirsrv     0 Jul  3 18:43 dse.ldif
drwxrwx---. 3 dirsrv dirsrv  4096 Jul  8 18:50 ./
-rw-------. 1 dirsrv root   16384 Jul  8 21:31 key3.db
-rw-------. 1 dirsrv root   65536 Jul  8 21:31 cert8.db

> 
>> "krb5kdc: Server error - while fetching master key K/M for realm TESTREALM.COM"
>> "kinit: Cannot contact any KDC for realm 'TESTREALM.COM' while getting initial credentials"
>> 
>> >From what I can surmise after seeing these, something in kerberos is messed up. I don't know for sure if it is related, but I see that the files referenced in /var/kerberos/krb5kdc/kdc.conf are not there. In particular,
>> 
>> pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
>> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>> 
>> If this is likely the case (or perhaps just the first thing I've run into that is wrong), how do I go about recovering them? I've tried (with fingers crossed) "yum reinstall freeipa-server" and "yum update freeipa-server" hoping that they'd see the need to fix this. They didn't. Still get the same errors.
>> 
>> Is there some backdoor way to recreate these files from elsewhere in the install? Perhaps buried in the 389 directory server's database and accessible using db4.4_dump or some other tools? If there is no way to recreate them, is there a way to reassert new keys without having to start all over? And if I have to start all over, is there anyway to extract some of the records from the dir DB so I can reload them with a new server?
>> 
>> Thanks for any suggestions/guidance,
>> 
>> Brian
>> 
>> 
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> 




From rmeggins at redhat.com  Tue Jul  9 18:53:45 2013
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Jul 2013 12:53:45 -0600
Subject: [Freeipa-users] What happened to my {cacert,kdc}.pem files?
In-Reply-To: <C9EC2F43-5D9C-44E0-AE5E-4C54E1ECEFF9@gmail.com>
References: <26F5480F-CA94-4164-9EB0-194D131F810B@gmail.com>
	<51DB63CF.2050304@redhat.com>
	<C9EC2F43-5D9C-44E0-AE5E-4C54E1ECEFF9@gmail.com>
Message-ID: <51DC5C39.1050906@redhat.com>

On 07/09/2013 12:49 PM, Brian Vetter wrote:
> Here is the directory listing ...
>
> On Jul 8, 2013, at 8:13 PM, Rich Megginson wrote:
>
>> On 07/08/2013 06:15 PM, Brian Vetter wrote:
>>> We had to shut down our FREEIPA server and move it. When I brought it back up again today (all same IPs, network, etc), it failed to come up. I see lots of  various forms of the following messages when trying to start the ipa, named, and other services:
>>>
>>> "Failed to init credentials (Cannot contact any KDC for realm ..."
>>> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-TESTREALM.COM/dse.ldif. It is mandatory."
>>> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory."
>> ls -alrtF /etc/dirsrv/slapd-*
> # ls -alrtF /etc/dirsrv/slapd-*
> /etc/dirsrv/slapd-PKI-IPA:
> total 484
> -r--r-----. 1 pkisrv dirsrv  33763 Sep 25  2012 dse_original.ldif
> -r--r-----. 1 pkisrv dirsrv   3595 Sep 25  2012 certmap.conf
> -r--r-----. 1 pkisrv dirsrv   5366 Sep 25  2012 slapd-collations.conf
> -rw-rw----. 1 pkisrv dirsrv  16384 Sep 25  2012 secmod.db.orig
> -rw-------. 1 pkisrv dirsrv     40 Sep 25  2012 pwdfile.txt
> -r--------. 1 pkisrv dirsrv     66 Sep 25  2012 pin.txt
> drwxrwxr-x. 6 root   dirsrv   4096 Sep 25  2012 ../
> -rw-rw----. 1 pkisrv dirsrv  16384 Sep 25  2012 key3.db.orig
> -rw-rw----. 1 pkisrv dirsrv  65536 Sep 25  2012 cert8.db.orig
> -rw-------. 1 pkisrv dirsrv 111599 Jun 24 15:33 dse.ldif.startOK
> drwxrwx---. 2 pkisrv dirsrv   4096 Jun 24 15:33 schema/
> -rw-------. 1 pkisrv root    16384 Jun 24 15:33 secmod.db
> -rw-------. 1 pkisrv dirsrv 111599 Jun 24 15:33 dse.ldif.bak
> -rw-------. 1 pkisrv dirsrv      0 Jul  3 18:43 dse.ldif
> drwxrwx---. 3 pkisrv dirsrv   4096 Jul  3 18:43 ./
> -rw-------. 1 pkisrv root    16384 Jul  8 21:31 key3.db
> -rw-------. 1 pkisrv root    65536 Jul  8 21:31 cert8.db
>
> /etc/dirsrv/slapd-TESTREALM-COM:
> total 1316
> -r--r-----. 1 dirsrv dirsrv 33866 Sep 25  2012 dse_original.ldif
> -r--r-----. 1 dirsrv dirsrv  5366 Sep 25  2012 slapd-collations.conf
> -rw-rw----. 1 dirsrv dirsrv 16384 Sep 25  2012 secmod.db.orig
> -rw-------. 1 dirsrv dirsrv    40 Sep 25  2012 pwdfile.txt
> -r--------. 1 dirsrv dirsrv    66 Sep 25  2012 pin.txt
> -r--r-----. 1 dirsrv dirsrv  3637 Sep 25  2012 certmap.conf
> -rw-rw----. 1 dirsrv dirsrv 16384 Sep 25  2012 key3.db.orig
> -rw-rw----. 1 dirsrv dirsrv 65536 Sep 25  2012 cert8.db.orig
> drwxrwxr-x. 6 root   dirsrv  4096 Sep 25  2012 ../
> -rw-------. 1 dirsrv root   88102 Oct 16  2012 dse.ldif.ipa.7536ea943b6ffd19
> -rw-------. 1 dirsrv root   88050 Oct 18  2012 dse.ldif.ipa.b321343f4245e859
> -rw-------. 1 dirsrv root   88050 Oct 28  2012 dse.ldif.ipa.6f187ed275f2c8d6
> -rw-------. 1 dirsrv root   88050 Oct 31  2012 dse.ldif.ipa.a77259fe47a3f1ef
> -rw-------. 1 dirsrv root   88050 Dec  5  2012 dse.ldif.ipa.45e94baeae26de8b
> -rw-------. 1 dirsrv root   88050 Dec  5  2012 dse.ldif.ipa.df63ce99558b2b8b
> -rw-------. 1 dirsrv root   88361 Dec 19  2012 dse.ldif.ipa.2808d9c2613eaf22
> -rw-------. 1 dirsrv root   88361 Jan 21 14:22 dse.ldif.ipa.da912fc817573d85
> -rw-------. 1 dirsrv root   88361 Mar 16 14:03 dse.ldif.ipa.17df93a6a8d16ed9
> -rw-------. 1 dirsrv root   88361 Jun 24 15:33 dse.ldif.ipa.f5dec6078ee62fe5
> -rw-------. 1 dirsrv dirsrv 88359 Jun 24 15:33 dse.ldif.startOK
> drwxrwx---. 2 dirsrv dirsrv  4096 Jun 24 15:33 schema/
> -rw-------. 1 dirsrv root   16384 Jun 24 15:33 secmod.db
> -rw-------. 1 dirsrv dirsrv 88361 Jun 24 15:33 dse.ldif.bak
> -rw-------. 1 root   root       0 Jul  3 18:43 dse.ldif.ipa.e9532be9acc9603f
> -rw-------. 1 root   root       0 Jul  3 18:43 dse.ldif.ipa.5cec24995ad13b30
> -rw-------. 1 dirsrv dirsrv     0 Jul  3 18:43 dse.ldif
> drwxrwx---. 3 dirsrv dirsrv  4096 Jul  8 18:50 ./
> -rw-------. 1 dirsrv root   16384 Jul  8 21:31 key3.db
> -rw-------. 1 dirsrv root   65536 Jul  8 21:31 cert8.db

if 389/dirsrv is not running, you can replace the 0 length dse.ldif with 
the dse.ldif.bak.
cp -p dse.ldif.bak dse.ldif

We have fixed this issue in 1.3.2

Are these servers running in a VM?
>
>>> "krb5kdc: Server error - while fetching master key K/M for realm TESTREALM.COM"
>>> "kinit: Cannot contact any KDC for realm 'TESTREALM.COM' while getting initial credentials"
>>>
>>> >From what I can surmise after seeing these, something in kerberos is messed up. I don't know for sure if it is related, but I see that the files referenced in /var/kerberos/krb5kdc/kdc.conf are not there. In particular,
>>>
>>> pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
>>> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>>>
>>> If this is likely the case (or perhaps just the first thing I've run into that is wrong), how do I go about recovering them? I've tried (with fingers crossed) "yum reinstall freeipa-server" and "yum update freeipa-server" hoping that they'd see the need to fix this. They didn't. Still get the same errors.
>>>
>>> Is there some backdoor way to recreate these files from elsewhere in the install? Perhaps buried in the 389 directory server's database and accessible using db4.4_dump or some other tools? If there is no way to recreate them, is there a way to reassert new keys without having to start all over? And if I have to start all over, is there anyway to extract some of the records from the dir DB so I can reload them with a new server?
>>>
>>> Thanks for any suggestions/guidance,
>>>
>>> Brian
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users



From bjvetter at gmail.com  Tue Jul  9 18:54:11 2013
From: bjvetter at gmail.com (Brian Vetter)
Date: Tue, 9 Jul 2013 13:54:11 -0500
Subject: [Freeipa-users] What happened to my {cacert,kdc}.pem files?
In-Reply-To: <51DC2CBF.7060007@redhat.com>
References: <26F5480F-CA94-4164-9EB0-194D131F810B@gmail.com>
	<51DC2CBF.7060007@redhat.com>
Message-ID: <17AD4525-5C40-4B61-AA17-82AEF34EB487@gmail.com>

On Jul 9, 2013, at 10:31 AM, Rob Crittenden wrote:

> Brian Vetter wrote:
>> We had to shut down our FREEIPA server and move it. When I brought it back up again today (all same IPs, network, etc), it failed to come up. I see lots of  various forms of the following messages when trying to start the ipa, named, and other services:
> 
> What do you mean by move it? Physically move a machine or did you try to move the configuration?

We shutdown the server and physically moved it and its network to a new physical location. When I started the server after the move, I started getting these errors and none of the freeipa services were operational. As far as I can tell, the rest of the network is OK/the same. I can ssh into the server provided I use an ip address (no DNS as this is the DNS server) and I use a native account (no kerberos/kinit required).

>> "Failed to init credentials (Cannot contact any KDC for realm ..."
>> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-TESTREALM.COM/dse.ldif. It is mandatory."
>> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory."
>> "krb5kdc: Server error - while fetching master key K/M for realm TESTREALM.COM"
>> "kinit: Cannot contact any KDC for realm 'TESTREALM.COM' while getting initial credentials"
>> 
>>> From what I can surmise after seeing these, something in kerberos is messed up. I don't know for sure if it is related, but I see that the files referenced in /var/kerberos/krb5kdc/kdc.conf are not there. In particular,
>> 
>> pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
>> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>> 
>> If this is likely the case (or perhaps just the first thing I've run into that is wrong), how do I go about recovering them? I've tried (with fingers crossed) "yum reinstall freeipa-server" and "yum update freeipa-server" hoping that they'd see the need to fix this. They didn't. Still get the same errors.
>> 
>> Is there some backdoor way to recreate these files from elsewhere in the install? Perhaps buried in the 389 directory server's database and accessible using db4.4_dump or some other tools? If there is no way to recreate them, is there a way to reassert new keys without having to start all over? And if I have to start all over, is there anyway to extract some of the records from the dir DB so I can reload them with a new server?
>> 
>> Thanks for any suggestions/guidance,
>> 
>> Brian
>> 
>> 
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> 
> 




From bjvetter at gmail.com  Tue Jul  9 19:08:21 2013
From: bjvetter at gmail.com (Brian Vetter)
Date: Tue, 9 Jul 2013 14:08:21 -0500
Subject: [Freeipa-users] What happened to my {cacert,kdc}.pem files?
In-Reply-To: <51DC5C39.1050906@redhat.com>
References: <26F5480F-CA94-4164-9EB0-194D131F810B@gmail.com>
	<51DB63CF.2050304@redhat.com>
	<C9EC2F43-5D9C-44E0-AE5E-4C54E1ECEFF9@gmail.com>
	<51DC5C39.1050906@redhat.com>
Message-ID: <B3C88C93-79F8-4283-AC22-860354CD3DDC@gmail.com>

Copying dse.ldif.bak worked.

Thanks,

Brian

On Jul 9, 2013, at 1:53 PM, Rich Megginson wrote:

> On 07/09/2013 12:49 PM, Brian Vetter wrote:
>> Here is the directory listing ...
>> 
>> On Jul 8, 2013, at 8:13 PM, Rich Megginson wrote:
>> 
>>> On 07/08/2013 06:15 PM, Brian Vetter wrote:
>>>> We had to shut down our FREEIPA server and move it. When I brought it back up again today (all same IPs, network, etc), it failed to come up. I see lots of  various forms of the following messages when trying to start the ipa, named, and other services:
>>>> 
>>>> "Failed to init credentials (Cannot contact any KDC for realm ..."
>>>> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-TESTREALM.COM/dse.ldif. It is mandatory."
>>>> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory."
>>> ls -alrtF /etc/dirsrv/slapd-*
>> # ls -alrtF /etc/dirsrv/slapd-*
>> /etc/dirsrv/slapd-PKI-IPA:
>> total 484
>> -r--r-----. 1 pkisrv dirsrv  33763 Sep 25  2012 dse_original.ldif
>> -r--r-----. 1 pkisrv dirsrv   3595 Sep 25  2012 certmap.conf
>> -r--r-----. 1 pkisrv dirsrv   5366 Sep 25  2012 slapd-collations.conf
>> -rw-rw----. 1 pkisrv dirsrv  16384 Sep 25  2012 secmod.db.orig
>> -rw-------. 1 pkisrv dirsrv     40 Sep 25  2012 pwdfile.txt
>> -r--------. 1 pkisrv dirsrv     66 Sep 25  2012 pin.txt
>> drwxrwxr-x. 6 root   dirsrv   4096 Sep 25  2012 ../
>> -rw-rw----. 1 pkisrv dirsrv  16384 Sep 25  2012 key3.db.orig
>> -rw-rw----. 1 pkisrv dirsrv  65536 Sep 25  2012 cert8.db.orig
>> -rw-------. 1 pkisrv dirsrv 111599 Jun 24 15:33 dse.ldif.startOK
>> drwxrwx---. 2 pkisrv dirsrv   4096 Jun 24 15:33 schema/
>> -rw-------. 1 pkisrv root    16384 Jun 24 15:33 secmod.db
>> -rw-------. 1 pkisrv dirsrv 111599 Jun 24 15:33 dse.ldif.bak
>> -rw-------. 1 pkisrv dirsrv      0 Jul  3 18:43 dse.ldif
>> drwxrwx---. 3 pkisrv dirsrv   4096 Jul  3 18:43 ./
>> -rw-------. 1 pkisrv root    16384 Jul  8 21:31 key3.db
>> -rw-------. 1 pkisrv root    65536 Jul  8 21:31 cert8.db
>> 
>> /etc/dirsrv/slapd-TESTREALM-COM:
>> total 1316
>> -r--r-----. 1 dirsrv dirsrv 33866 Sep 25  2012 dse_original.ldif
>> -r--r-----. 1 dirsrv dirsrv  5366 Sep 25  2012 slapd-collations.conf
>> -rw-rw----. 1 dirsrv dirsrv 16384 Sep 25  2012 secmod.db.orig
>> -rw-------. 1 dirsrv dirsrv    40 Sep 25  2012 pwdfile.txt
>> -r--------. 1 dirsrv dirsrv    66 Sep 25  2012 pin.txt
>> -r--r-----. 1 dirsrv dirsrv  3637 Sep 25  2012 certmap.conf
>> -rw-rw----. 1 dirsrv dirsrv 16384 Sep 25  2012 key3.db.orig
>> -rw-rw----. 1 dirsrv dirsrv 65536 Sep 25  2012 cert8.db.orig
>> drwxrwxr-x. 6 root   dirsrv  4096 Sep 25  2012 ../
>> -rw-------. 1 dirsrv root   88102 Oct 16  2012 dse.ldif.ipa.7536ea943b6ffd19
>> -rw-------. 1 dirsrv root   88050 Oct 18  2012 dse.ldif.ipa.b321343f4245e859
>> -rw-------. 1 dirsrv root   88050 Oct 28  2012 dse.ldif.ipa.6f187ed275f2c8d6
>> -rw-------. 1 dirsrv root   88050 Oct 31  2012 dse.ldif.ipa.a77259fe47a3f1ef
>> -rw-------. 1 dirsrv root   88050 Dec  5  2012 dse.ldif.ipa.45e94baeae26de8b
>> -rw-------. 1 dirsrv root   88050 Dec  5  2012 dse.ldif.ipa.df63ce99558b2b8b
>> -rw-------. 1 dirsrv root   88361 Dec 19  2012 dse.ldif.ipa.2808d9c2613eaf22
>> -rw-------. 1 dirsrv root   88361 Jan 21 14:22 dse.ldif.ipa.da912fc817573d85
>> -rw-------. 1 dirsrv root   88361 Mar 16 14:03 dse.ldif.ipa.17df93a6a8d16ed9
>> -rw-------. 1 dirsrv root   88361 Jun 24 15:33 dse.ldif.ipa.f5dec6078ee62fe5
>> -rw-------. 1 dirsrv dirsrv 88359 Jun 24 15:33 dse.ldif.startOK
>> drwxrwx---. 2 dirsrv dirsrv  4096 Jun 24 15:33 schema/
>> -rw-------. 1 dirsrv root   16384 Jun 24 15:33 secmod.db
>> -rw-------. 1 dirsrv dirsrv 88361 Jun 24 15:33 dse.ldif.bak
>> -rw-------. 1 root   root       0 Jul  3 18:43 dse.ldif.ipa.e9532be9acc9603f
>> -rw-------. 1 root   root       0 Jul  3 18:43 dse.ldif.ipa.5cec24995ad13b30
>> -rw-------. 1 dirsrv dirsrv     0 Jul  3 18:43 dse.ldif
>> drwxrwx---. 3 dirsrv dirsrv  4096 Jul  8 18:50 ./
>> -rw-------. 1 dirsrv root   16384 Jul  8 21:31 key3.db
>> -rw-------. 1 dirsrv root   65536 Jul  8 21:31 cert8.db
> 
> if 389/dirsrv is not running, you can replace the 0 length dse.ldif with the dse.ldif.bak.
> cp -p dse.ldif.bak dse.ldif
> 
> We have fixed this issue in 1.3.2
> 
> Are these servers running in a VM?
>> 
>>>> "krb5kdc: Server error - while fetching master key K/M for realm TESTREALM.COM"
>>>> "kinit: Cannot contact any KDC for realm 'TESTREALM.COM' while getting initial credentials"
>>>> 
>>>> >From what I can surmise after seeing these, something in kerberos is messed up. I don't know for sure if it is related, but I see that the files referenced in /var/kerberos/krb5kdc/kdc.conf are not there. In particular,
>>>> 
>>>> pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
>>>> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>>>> 
>>>> If this is likely the case (or perhaps just the first thing I've run into that is wrong), how do I go about recovering them? I've tried (with fingers crossed) "yum reinstall freeipa-server" and "yum update freeipa-server" hoping that they'd see the need to fix this. They didn't. Still get the same errors.
>>>> 
>>>> Is there some backdoor way to recreate these files from elsewhere in the install? Perhaps buried in the 389 directory server's database and accessible using db4.4_dump or some other tools? If there is no way to recreate them, is there a way to reassert new keys without having to start all over? And if I have to start all over, is there anyway to extract some of the records from the dir DB so I can reload them with a new server?
>>>> 
>>>> Thanks for any suggestions/guidance,
>>>> 
>>>> Brian
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> 




From rmeggins at redhat.com  Tue Jul  9 19:30:27 2013
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Jul 2013 13:30:27 -0600
Subject: [Freeipa-users] What happened to my {cacert,kdc}.pem files?
In-Reply-To: <B3C88C93-79F8-4283-AC22-860354CD3DDC@gmail.com>
References: <26F5480F-CA94-4164-9EB0-194D131F810B@gmail.com>
	<51DB63CF.2050304@redhat.com>
	<C9EC2F43-5D9C-44E0-AE5E-4C54E1ECEFF9@gmail.com>
	<51DC5C39.1050906@redhat.com>
	<B3C88C93-79F8-4283-AC22-860354CD3DDC@gmail.com>
Message-ID: <51DC64D3.6040405@redhat.com>

On 07/09/2013 01:08 PM, Brian Vetter wrote:
> Copying dse.ldif.bak worked.

Great!  Are these systems running on a VM?

>
> Thanks,
>
> Brian
>
> On Jul 9, 2013, at 1:53 PM, Rich Megginson wrote:
>
>> On 07/09/2013 12:49 PM, Brian Vetter wrote:
>>> Here is the directory listing ...
>>>
>>> On Jul 8, 2013, at 8:13 PM, Rich Megginson wrote:
>>>
>>>> On 07/08/2013 06:15 PM, Brian Vetter wrote:
>>>>> We had to shut down our FREEIPA server and move it. When I brought it back up again today (all same IPs, network, etc), it failed to come up. I see lots of  various forms of the following messages when trying to start the ipa, named, and other services:
>>>>>
>>>>> "Failed to init credentials (Cannot contact any KDC for realm ..."
>>>>> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-TESTREALM.COM/dse.ldif. It is mandatory."
>>>>> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory."
>>>> ls -alrtF /etc/dirsrv/slapd-*
>>> # ls -alrtF /etc/dirsrv/slapd-*
>>> /etc/dirsrv/slapd-PKI-IPA:
>>> total 484
>>> -r--r-----. 1 pkisrv dirsrv  33763 Sep 25  2012 dse_original.ldif
>>> -r--r-----. 1 pkisrv dirsrv   3595 Sep 25  2012 certmap.conf
>>> -r--r-----. 1 pkisrv dirsrv   5366 Sep 25  2012 slapd-collations.conf
>>> -rw-rw----. 1 pkisrv dirsrv  16384 Sep 25  2012 secmod.db.orig
>>> -rw-------. 1 pkisrv dirsrv     40 Sep 25  2012 pwdfile.txt
>>> -r--------. 1 pkisrv dirsrv     66 Sep 25  2012 pin.txt
>>> drwxrwxr-x. 6 root   dirsrv   4096 Sep 25  2012 ../
>>> -rw-rw----. 1 pkisrv dirsrv  16384 Sep 25  2012 key3.db.orig
>>> -rw-rw----. 1 pkisrv dirsrv  65536 Sep 25  2012 cert8.db.orig
>>> -rw-------. 1 pkisrv dirsrv 111599 Jun 24 15:33 dse.ldif.startOK
>>> drwxrwx---. 2 pkisrv dirsrv   4096 Jun 24 15:33 schema/
>>> -rw-------. 1 pkisrv root    16384 Jun 24 15:33 secmod.db
>>> -rw-------. 1 pkisrv dirsrv 111599 Jun 24 15:33 dse.ldif.bak
>>> -rw-------. 1 pkisrv dirsrv      0 Jul  3 18:43 dse.ldif
>>> drwxrwx---. 3 pkisrv dirsrv   4096 Jul  3 18:43 ./
>>> -rw-------. 1 pkisrv root    16384 Jul  8 21:31 key3.db
>>> -rw-------. 1 pkisrv root    65536 Jul  8 21:31 cert8.db
>>>
>>> /etc/dirsrv/slapd-TESTREALM-COM:
>>> total 1316
>>> -r--r-----. 1 dirsrv dirsrv 33866 Sep 25  2012 dse_original.ldif
>>> -r--r-----. 1 dirsrv dirsrv  5366 Sep 25  2012 slapd-collations.conf
>>> -rw-rw----. 1 dirsrv dirsrv 16384 Sep 25  2012 secmod.db.orig
>>> -rw-------. 1 dirsrv dirsrv    40 Sep 25  2012 pwdfile.txt
>>> -r--------. 1 dirsrv dirsrv    66 Sep 25  2012 pin.txt
>>> -r--r-----. 1 dirsrv dirsrv  3637 Sep 25  2012 certmap.conf
>>> -rw-rw----. 1 dirsrv dirsrv 16384 Sep 25  2012 key3.db.orig
>>> -rw-rw----. 1 dirsrv dirsrv 65536 Sep 25  2012 cert8.db.orig
>>> drwxrwxr-x. 6 root   dirsrv  4096 Sep 25  2012 ../
>>> -rw-------. 1 dirsrv root   88102 Oct 16  2012 dse.ldif.ipa.7536ea943b6ffd19
>>> -rw-------. 1 dirsrv root   88050 Oct 18  2012 dse.ldif.ipa.b321343f4245e859
>>> -rw-------. 1 dirsrv root   88050 Oct 28  2012 dse.ldif.ipa.6f187ed275f2c8d6
>>> -rw-------. 1 dirsrv root   88050 Oct 31  2012 dse.ldif.ipa.a77259fe47a3f1ef
>>> -rw-------. 1 dirsrv root   88050 Dec  5  2012 dse.ldif.ipa.45e94baeae26de8b
>>> -rw-------. 1 dirsrv root   88050 Dec  5  2012 dse.ldif.ipa.df63ce99558b2b8b
>>> -rw-------. 1 dirsrv root   88361 Dec 19  2012 dse.ldif.ipa.2808d9c2613eaf22
>>> -rw-------. 1 dirsrv root   88361 Jan 21 14:22 dse.ldif.ipa.da912fc817573d85
>>> -rw-------. 1 dirsrv root   88361 Mar 16 14:03 dse.ldif.ipa.17df93a6a8d16ed9
>>> -rw-------. 1 dirsrv root   88361 Jun 24 15:33 dse.ldif.ipa.f5dec6078ee62fe5
>>> -rw-------. 1 dirsrv dirsrv 88359 Jun 24 15:33 dse.ldif.startOK
>>> drwxrwx---. 2 dirsrv dirsrv  4096 Jun 24 15:33 schema/
>>> -rw-------. 1 dirsrv root   16384 Jun 24 15:33 secmod.db
>>> -rw-------. 1 dirsrv dirsrv 88361 Jun 24 15:33 dse.ldif.bak
>>> -rw-------. 1 root   root       0 Jul  3 18:43 dse.ldif.ipa.e9532be9acc9603f
>>> -rw-------. 1 root   root       0 Jul  3 18:43 dse.ldif.ipa.5cec24995ad13b30
>>> -rw-------. 1 dirsrv dirsrv     0 Jul  3 18:43 dse.ldif
>>> drwxrwx---. 3 dirsrv dirsrv  4096 Jul  8 18:50 ./
>>> -rw-------. 1 dirsrv root   16384 Jul  8 21:31 key3.db
>>> -rw-------. 1 dirsrv root   65536 Jul  8 21:31 cert8.db
>> if 389/dirsrv is not running, you can replace the 0 length dse.ldif with the dse.ldif.bak.
>> cp -p dse.ldif.bak dse.ldif
>>
>> We have fixed this issue in 1.3.2
>>
>> Are these servers running in a VM?
>>>>> "krb5kdc: Server error - while fetching master key K/M for realm TESTREALM.COM"
>>>>> "kinit: Cannot contact any KDC for realm 'TESTREALM.COM' while getting initial credentials"
>>>>>
>>>>> >From what I can surmise after seeing these, something in kerberos is messed up. I don't know for sure if it is related, but I see that the files referenced in /var/kerberos/krb5kdc/kdc.conf are not there. In particular,
>>>>>
>>>>> pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
>>>>> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>>>>>
>>>>> If this is likely the case (or perhaps just the first thing I've run into that is wrong), how do I go about recovering them? I've tried (with fingers crossed) "yum reinstall freeipa-server" and "yum update freeipa-server" hoping that they'd see the need to fix this. They didn't. Still get the same errors.
>>>>>
>>>>> Is there some backdoor way to recreate these files from elsewhere in the install? Perhaps buried in the 389 directory server's database and accessible using db4.4_dump or some other tools? If there is no way to recreate them, is there a way to reassert new keys without having to start all over? And if I have to start all over, is there anyway to extract some of the records from the dir DB so I can reload them with a new server?
>>>>>
>>>>> Thanks for any suggestions/guidance,
>>>>>
>>>>> Brian
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users



From sakodak at gmail.com  Tue Jul  9 19:57:31 2013
From: sakodak at gmail.com (KodaK)
Date: Tue, 9 Jul 2013 14:57:31 -0500
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <51DAFBDE.30109@redhat.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DAFBDE.30109@redhat.com>
Message-ID: <CAA9J0ZESA5J+qcpoiRV=ykDSdszNOAbpLzhMFTExKOCa3y_SrQ@mail.gmail.com>

On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden <rcritten at redhat.com> wrote:

>
> HBAC is enforced by sssd, so no sssd, no HBAC.
>
> I think you need to use pam_access to limit users in AIX.
>
>
I have some work-arounds now, but I'd like to find a way to automate them.
 What
I need is a way to ask IPA "who is allowed to access this particular
server?"

The goal is go just get a list of allowed users, then there are various
mechanisms
I can employ to allow access to only the listed users.  I plan to do this
from the
puppet master so I can push the configs from there.  I have ipa-admintools
and
openldap-clients installed on the puppet master.

Right now I'm iterating through all the hbacrules and grepping for the
server in
question, then getting the details of that rule.  This is a lot of requests.


-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130709/a7cec604/attachment.htm>

From bjvetter at gmail.com  Tue Jul  9 20:10:49 2013
From: bjvetter at gmail.com (Brian Vetter)
Date: Tue, 9 Jul 2013 15:10:49 -0500
Subject: [Freeipa-users] What happened to my {cacert,kdc}.pem files?
In-Reply-To: <51DC64D3.6040405@redhat.com>
References: <26F5480F-CA94-4164-9EB0-194D131F810B@gmail.com>
	<51DB63CF.2050304@redhat.com>
	<C9EC2F43-5D9C-44E0-AE5E-4C54E1ECEFF9@gmail.com>
	<51DC5C39.1050906@redhat.com>
	<B3C88C93-79F8-4283-AC22-860354CD3DDC@gmail.com>
	<51DC64D3.6040405@redhat.com>
Message-ID: <84398F8E-3FE7-4403-AC99-B68B7B7E3FCF@gmail.com>

No. They are running on Fedora 17 on bare metal.

Brian

On Jul 9, 2013, at 2:30 PM, Rich Megginson wrote:

> On 07/09/2013 01:08 PM, Brian Vetter wrote:
>> Copying dse.ldif.bak worked.
> 
> Great!  Are these systems running on a VM?
> 
>> 
>> Thanks,
>> 
>> Brian
>> 
>> On Jul 9, 2013, at 1:53 PM, Rich Megginson wrote:
>> 
>>> On 07/09/2013 12:49 PM, Brian Vetter wrote:
>>>> Here is the directory listing ...
>>>> 
>>>> On Jul 8, 2013, at 8:13 PM, Rich Megginson wrote:
>>>> 
>>>>> On 07/08/2013 06:15 PM, Brian Vetter wrote:
>>>>>> We had to shut down our FREEIPA server and move it. When I brought it back up again today (all same IPs, network, etc), it failed to come up. I see lots of  various forms of the following messages when trying to start the ipa, named, and other services:
>>>>>> 
>>>>>> "Failed to init credentials (Cannot contact any KDC for realm ..."
>>>>>> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-TESTREALM.COM/dse.ldif. It is mandatory."
>>>>>> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory."
>>>>> ls -alrtF /etc/dirsrv/slapd-*
>>>> # ls -alrtF /etc/dirsrv/slapd-*
>>>> /etc/dirsrv/slapd-PKI-IPA:
>>>> total 484
>>>> -r--r-----. 1 pkisrv dirsrv  33763 Sep 25  2012 dse_original.ldif
>>>> -r--r-----. 1 pkisrv dirsrv   3595 Sep 25  2012 certmap.conf
>>>> -r--r-----. 1 pkisrv dirsrv   5366 Sep 25  2012 slapd-collations.conf
>>>> -rw-rw----. 1 pkisrv dirsrv  16384 Sep 25  2012 secmod.db.orig
>>>> -rw-------. 1 pkisrv dirsrv     40 Sep 25  2012 pwdfile.txt
>>>> -r--------. 1 pkisrv dirsrv     66 Sep 25  2012 pin.txt
>>>> drwxrwxr-x. 6 root   dirsrv   4096 Sep 25  2012 ../
>>>> -rw-rw----. 1 pkisrv dirsrv  16384 Sep 25  2012 key3.db.orig
>>>> -rw-rw----. 1 pkisrv dirsrv  65536 Sep 25  2012 cert8.db.orig
>>>> -rw-------. 1 pkisrv dirsrv 111599 Jun 24 15:33 dse.ldif.startOK
>>>> drwxrwx---. 2 pkisrv dirsrv   4096 Jun 24 15:33 schema/
>>>> -rw-------. 1 pkisrv root    16384 Jun 24 15:33 secmod.db
>>>> -rw-------. 1 pkisrv dirsrv 111599 Jun 24 15:33 dse.ldif.bak
>>>> -rw-------. 1 pkisrv dirsrv      0 Jul  3 18:43 dse.ldif
>>>> drwxrwx---. 3 pkisrv dirsrv   4096 Jul  3 18:43 ./
>>>> -rw-------. 1 pkisrv root    16384 Jul  8 21:31 key3.db
>>>> -rw-------. 1 pkisrv root    65536 Jul  8 21:31 cert8.db
>>>> 
>>>> /etc/dirsrv/slapd-TESTREALM-COM:
>>>> total 1316
>>>> -r--r-----. 1 dirsrv dirsrv 33866 Sep 25  2012 dse_original.ldif
>>>> -r--r-----. 1 dirsrv dirsrv  5366 Sep 25  2012 slapd-collations.conf
>>>> -rw-rw----. 1 dirsrv dirsrv 16384 Sep 25  2012 secmod.db.orig
>>>> -rw-------. 1 dirsrv dirsrv    40 Sep 25  2012 pwdfile.txt
>>>> -r--------. 1 dirsrv dirsrv    66 Sep 25  2012 pin.txt
>>>> -r--r-----. 1 dirsrv dirsrv  3637 Sep 25  2012 certmap.conf
>>>> -rw-rw----. 1 dirsrv dirsrv 16384 Sep 25  2012 key3.db.orig
>>>> -rw-rw----. 1 dirsrv dirsrv 65536 Sep 25  2012 cert8.db.orig
>>>> drwxrwxr-x. 6 root   dirsrv  4096 Sep 25  2012 ../
>>>> -rw-------. 1 dirsrv root   88102 Oct 16  2012 dse.ldif.ipa.7536ea943b6ffd19
>>>> -rw-------. 1 dirsrv root   88050 Oct 18  2012 dse.ldif.ipa.b321343f4245e859
>>>> -rw-------. 1 dirsrv root   88050 Oct 28  2012 dse.ldif.ipa.6f187ed275f2c8d6
>>>> -rw-------. 1 dirsrv root   88050 Oct 31  2012 dse.ldif.ipa.a77259fe47a3f1ef
>>>> -rw-------. 1 dirsrv root   88050 Dec  5  2012 dse.ldif.ipa.45e94baeae26de8b
>>>> -rw-------. 1 dirsrv root   88050 Dec  5  2012 dse.ldif.ipa.df63ce99558b2b8b
>>>> -rw-------. 1 dirsrv root   88361 Dec 19  2012 dse.ldif.ipa.2808d9c2613eaf22
>>>> -rw-------. 1 dirsrv root   88361 Jan 21 14:22 dse.ldif.ipa.da912fc817573d85
>>>> -rw-------. 1 dirsrv root   88361 Mar 16 14:03 dse.ldif.ipa.17df93a6a8d16ed9
>>>> -rw-------. 1 dirsrv root   88361 Jun 24 15:33 dse.ldif.ipa.f5dec6078ee62fe5
>>>> -rw-------. 1 dirsrv dirsrv 88359 Jun 24 15:33 dse.ldif.startOK
>>>> drwxrwx---. 2 dirsrv dirsrv  4096 Jun 24 15:33 schema/
>>>> -rw-------. 1 dirsrv root   16384 Jun 24 15:33 secmod.db
>>>> -rw-------. 1 dirsrv dirsrv 88361 Jun 24 15:33 dse.ldif.bak
>>>> -rw-------. 1 root   root       0 Jul  3 18:43 dse.ldif.ipa.e9532be9acc9603f
>>>> -rw-------. 1 root   root       0 Jul  3 18:43 dse.ldif.ipa.5cec24995ad13b30
>>>> -rw-------. 1 dirsrv dirsrv     0 Jul  3 18:43 dse.ldif
>>>> drwxrwx---. 3 dirsrv dirsrv  4096 Jul  8 18:50 ./
>>>> -rw-------. 1 dirsrv root   16384 Jul  8 21:31 key3.db
>>>> -rw-------. 1 dirsrv root   65536 Jul  8 21:31 cert8.db
>>> if 389/dirsrv is not running, you can replace the 0 length dse.ldif with the dse.ldif.bak.
>>> cp -p dse.ldif.bak dse.ldif
>>> 
>>> We have fixed this issue in 1.3.2
>>> 
>>> Are these servers running in a VM?
>>>>>> "krb5kdc: Server error - while fetching master key K/M for realm TESTREALM.COM"
>>>>>> "kinit: Cannot contact any KDC for realm 'TESTREALM.COM' while getting initial credentials"
>>>>>> 
>>>>>> >From what I can surmise after seeing these, something in kerberos is messed up. I don't know for sure if it is related, but I see that the files referenced in /var/kerberos/krb5kdc/kdc.conf are not there. In particular,
>>>>>> 
>>>>>> pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
>>>>>> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>>>>>> 
>>>>>> If this is likely the case (or perhaps just the first thing I've run into that is wrong), how do I go about recovering them? I've tried (with fingers crossed) "yum reinstall freeipa-server" and "yum update freeipa-server" hoping that they'd see the need to fix this. They didn't. Still get the same errors.
>>>>>> 
>>>>>> Is there some backdoor way to recreate these files from elsewhere in the install? Perhaps buried in the 389 directory server's database and accessible using db4.4_dump or some other tools? If there is no way to recreate them, is there a way to reassert new keys without having to start all over? And if I have to start all over, is there anyway to extract some of the records from the dir DB so I can reload them with a new server?
>>>>>> 
>>>>>> Thanks for any suggestions/guidance,
>>>>>> 
>>>>>> Brian
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> 




From dpal at redhat.com  Tue Jul  9 21:27:04 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 09 Jul 2013 17:27:04 -0400
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <CAA9J0ZESA5J+qcpoiRV=ykDSdszNOAbpLzhMFTExKOCa3y_SrQ@mail.gmail.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DAFBDE.30109@redhat.com>
	<CAA9J0ZESA5J+qcpoiRV=ykDSdszNOAbpLzhMFTExKOCa3y_SrQ@mail.gmail.com>
Message-ID: <51DC8028.2060703@redhat.com>

On 07/09/2013 03:57 PM, KodaK wrote:
>
>
> On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
>
>     HBAC is enforced by sssd, so no sssd, no HBAC.
>
>     I think you need to use pam_access to limit users in AIX.
>
>
> I have some work-arounds now, but I'd like to find a way to automate
> them.  What
> I need is a way to ask IPA "who is allowed to access this particular
> server?"
>
> The goal is go just get a list of allowed users, then there are
> various mechanisms
> I can employ to allow access to only the listed users.  I plan to do
> this from the
> puppet master so I can push the configs from there.  I have
> ipa-admintools and
> openldap-clients installed on the puppet master.
>
> Right now I'm iterating through all the hbacrules and grepping for the
> server in 
> question, then getting the details of that rule.  This is a lot of
> requests.


A valid RFE I would say...
May be it should be an enhancement for the hbac-test tool?
However getting a list of the users verbatim is probably costly too.
May be it would make sense for you to create a group of AIX users in IPA
and then fetch it from the puppet master traverse its memberOf attribute
for list of members?
It will not use HBAC but still would provide some access control
optimization.
Will that solve the problem for you?


>
>
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130709/dff279bc/attachment.htm>

From sakodak at gmail.com  Tue Jul  9 22:01:22 2013
From: sakodak at gmail.com (KodaK)
Date: Tue, 9 Jul 2013 17:01:22 -0500
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <51DC8028.2060703@redhat.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DAFBDE.30109@redhat.com>
	<CAA9J0ZESA5J+qcpoiRV=ykDSdszNOAbpLzhMFTExKOCa3y_SrQ@mail.gmail.com>
	<51DC8028.2060703@redhat.com>
Message-ID: <CAA9J0ZFqcer_tJG-AkN+NB1kmUkisp2HgM8D8zYFQH2=34t4hg@mail.gmail.com>

On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 07/09/2013 03:57 PM, KodaK wrote:
>
>
>
> On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden <rcritten at redhat.com>wrote:
>
>>
>> HBAC is enforced by sssd, so no sssd, no HBAC.
>>
>> I think you need to use pam_access to limit users in AIX.
>>
>>
>  I have some work-arounds now, but I'd like to find a way to automate
> them.  What
> I need is a way to ask IPA "who is allowed to access this particular
> server?"
>
>  The goal is go just get a list of allowed users, then there are various
> mechanisms
> I can employ to allow access to only the listed users.  I plan to do this
> from the
> puppet master so I can push the configs from there.  I have ipa-admintools
> and
> openldap-clients installed on the puppet master.
>
>  Right now I'm iterating through all the hbacrules and grepping for the
> server in
> question, then getting the details of that rule.  This is a lot of
> requests.
>
>
>
> A valid RFE I would say...
> May be it should be an enhancement for the hbac-test tool?
> However getting a list of the users verbatim is probably costly too.
> May be it would make sense for you to create a group of AIX users in IPA
> and then fetch it from the puppet master traverse its memberOf attribute
> for list of members?
> It will not use HBAC but still would provide some access control
> optimization.
> Will that solve the problem for you?
>

I thought about that, but there are some drawbacks.  I don't have "a" group
of AIX users that access all AIX machines.  I have a bunch of different AIX
machines with different user sets.  I can create a group for each host
called hostname_access -- but then I'm just replicating (quite
inefficently) information that already exists in the HBAC rules.  I can
probably create one rule per host in HBAC and query that particular rule
for the allowed users, but this loses the benefit of being able to use host
and user groups.  This is probably where we'll end up, though, since it's
the least-effort-to-implement (if worst to maintain) option.

How does sssd determine if a user is allowed access?  Another option may be
to replicate that functionality in a program or script on the puppet master
and have it populate some files once a day or so.  Alternately we could
write a PAM module for AIX that replicates that functionality.  Right now,
though, I have no idea how it's done in SSSD (a pointer to where it is in
the code would be helpful, even.)
-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130709/b2e8fbbd/attachment.htm>

From dpal at redhat.com  Tue Jul  9 22:43:55 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 09 Jul 2013 18:43:55 -0400
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <CAA9J0ZFqcer_tJG-AkN+NB1kmUkisp2HgM8D8zYFQH2=34t4hg@mail.gmail.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DAFBDE.30109@redhat.com>
	<CAA9J0ZESA5J+qcpoiRV=ykDSdszNOAbpLzhMFTExKOCa3y_SrQ@mail.gmail.com>
	<51DC8028.2060703@redhat.com>
	<CAA9J0ZFqcer_tJG-AkN+NB1kmUkisp2HgM8D8zYFQH2=34t4hg@mail.gmail.com>
Message-ID: <51DC922B.4070109@redhat.com>

On 07/09/2013 06:01 PM, KodaK wrote:
>
>
> On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
>     On 07/09/2013 03:57 PM, KodaK wrote:
>>
>>
>>     On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden
>>     <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
>>
>>
>>         HBAC is enforced by sssd, so no sssd, no HBAC.
>>
>>         I think you need to use pam_access to limit users in AIX.
>>
>>
>>     I have some work-arounds now, but I'd like to find a way to
>>     automate them.  What
>>     I need is a way to ask IPA "who is allowed to access this
>>     particular server?"
>>
>>     The goal is go just get a list of allowed users, then there are
>>     various mechanisms
>>     I can employ to allow access to only the listed users.  I plan to
>>     do this from the
>>     puppet master so I can push the configs from there.  I have
>>     ipa-admintools and
>>     openldap-clients installed on the puppet master.
>>
>>     Right now I'm iterating through all the hbacrules and grepping
>>     for the server in 
>>     question, then getting the details of that rule.  This is a lot
>>     of requests.
>
>
>     A valid RFE I would say...
>     May be it should be an enhancement for the hbac-test tool?
>     However getting a list of the users verbatim is probably costly too.
>     May be it would make sense for you to create a group of AIX users
>     in IPA and then fetch it from the puppet master traverse its
>     memberOf attribute for list of members?
>     It will not use HBAC but still would provide some access control
>     optimization.
>     Will that solve the problem for you?
>
>
> I thought about that, but there are some drawbacks.  I don't have "a"
> group of AIX users that access all AIX machines.  I have a bunch of
> different AIX machines with different user sets.  I can create a group
> for each host called hostname_access -- but then I'm just replicating
> (quite inefficently) information that already exists in the HBAC
> rules.  I can probably create one rule per host in HBAC and query that
> particular rule for the allowed users, but this loses the benefit of
> being able to use host and user groups.  This is probably where we'll
> end up, though, since it's the least-effort-to-implement (if worst to
> maintain) option.
>
> How does sssd determine if a user is allowed access?  Another option
> may be to replicate that functionality in a program or script on the
> puppet master and have it populate some files once a day or so.
>  Alternately we could write a PAM module for AIX that replicates that
> functionality.  Right now, though, I have no idea how it's done in
> SSSD (a pointer to where it is in the code would be helpful, even.)
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6 

SSSD and IPA share the same library.
I do not remember the name of it but it takes input: user, host, service
and determines whether user is allowed or not.
It is written in C. So it probably can be ported to AIX.

Here is another option, I do not know if that would work for you.
It really depends on your setup.
You can allow SSH into AIX machines only from a corresponding gateway
machine.
Say you have 5 classes of AIX machines then you will have 5 gateway
machines.
The access to a set of AIX machines will be restricted to SSH from a
gateway system.
Logging to a gateway system would be protected with HBAC.

Not the best but yet an alternative approach.

If you go with the "implement yourself approach" on the puppet master
you should taker a look at the code of the library and see how it does
things. It might be a good start.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130709/c213cc77/attachment.htm>

From jhrozek at redhat.com  Wed Jul 10 07:07:08 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 10 Jul 2013 09:07:08 +0200
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <51DC922B.4070109@redhat.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DAFBDE.30109@redhat.com>
	<CAA9J0ZESA5J+qcpoiRV=ykDSdszNOAbpLzhMFTExKOCa3y_SrQ@mail.gmail.com>
	<51DC8028.2060703@redhat.com>
	<CAA9J0ZFqcer_tJG-AkN+NB1kmUkisp2HgM8D8zYFQH2=34t4hg@mail.gmail.com>
	<51DC922B.4070109@redhat.com>
Message-ID: <20130710070708.GT6481@hendrix.brq.redhat.com>

On Tue, Jul 09, 2013 at 06:43:55PM -0400, Dmitri Pal wrote:
> On 07/09/2013 06:01 PM, KodaK wrote:
> >
> >
> > On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal <dpal at redhat.com
> > <mailto:dpal at redhat.com>> wrote:
> >
> >     On 07/09/2013 03:57 PM, KodaK wrote:
> >>
> >>
> >>     On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden
> >>     <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
> >>
> >>
> >>         HBAC is enforced by sssd, so no sssd, no HBAC.
> >>
> >>         I think you need to use pam_access to limit users in AIX.
> >>
> >>
> >>     I have some work-arounds now, but I'd like to find a way to
> >>     automate them.  What
> >>     I need is a way to ask IPA "who is allowed to access this
> >>     particular server?"
> >>
> >>     The goal is go just get a list of allowed users, then there are
> >>     various mechanisms
> >>     I can employ to allow access to only the listed users.  I plan to
> >>     do this from the
> >>     puppet master so I can push the configs from there.  I have
> >>     ipa-admintools and
> >>     openldap-clients installed on the puppet master.
> >>
> >>     Right now I'm iterating through all the hbacrules and grepping
> >>     for the server in 
> >>     question, then getting the details of that rule.  This is a lot
> >>     of requests.
> >
> >
> >     A valid RFE I would say...
> >     May be it should be an enhancement for the hbac-test tool?
> >     However getting a list of the users verbatim is probably costly too.
> >     May be it would make sense for you to create a group of AIX users
> >     in IPA and then fetch it from the puppet master traverse its
> >     memberOf attribute for list of members?
> >     It will not use HBAC but still would provide some access control
> >     optimization.
> >     Will that solve the problem for you?
> >
> >
> > I thought about that, but there are some drawbacks.  I don't have "a"
> > group of AIX users that access all AIX machines.  I have a bunch of
> > different AIX machines with different user sets.  I can create a group
> > for each host called hostname_access -- but then I'm just replicating
> > (quite inefficently) information that already exists in the HBAC
> > rules.  I can probably create one rule per host in HBAC and query that
> > particular rule for the allowed users, but this loses the benefit of
> > being able to use host and user groups.  This is probably where we'll
> > end up, though, since it's the least-effort-to-implement (if worst to
> > maintain) option.
> >
> > How does sssd determine if a user is allowed access?  Another option
> > may be to replicate that functionality in a program or script on the
> > puppet master and have it populate some files once a day or so.
> >  Alternately we could write a PAM module for AIX that replicates that
> > functionality.  Right now, though, I have no idea how it's done in
> > SSSD (a pointer to where it is in the code would be helpful, even.)
> > -- 
> > The government is going to read our mail anyway, might as well make it
> > tough for them.  GPG Public key ID:  B6A1A7C6 
> 
> SSSD and IPA share the same library.
> I do not remember the name of it but it takes input: user, host, service
> and determines whether user is allowed or not.
> It is written in C. So it probably can be ported to AIX.
> 

The library that evaluates the rules comes from sssd and is called libipa_hbac.

I actually wanted to implement the same couple of months ago
to run on my NAS (which can't realistically run SSSD) at home:
https://github.com/jhrozek/pam_hbac

It's not complete but perhaps it's a start.



From pspacek at redhat.com  Wed Jul 10 07:42:10 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 10 Jul 2013 09:42:10 +0200
Subject: [Freeipa-users] FreeIPA Client Setup in Windows 7 & Ubuntu
In-Reply-To: <loom.20130709T015320-460@post.gmane.org>
References: <50FD0E1C.1080006@loopmethods.com>
	<loom.20130709T015320-460@post.gmane.org>
Message-ID: <51DD1052.1040001@redhat.com>

On 9.7.2013 01:55, Aissa wrote:
>
>
>
> Vijay Thakur <vijay.thakur at ...> writes:
>
>>
>> Dear All List Members,
>>
>> I have installed and configured FreeIPA Server 2.2.1 in Fedora 17. All
>> is working very fine at server end. I have
>> successfully configure my Centos 6.0 Box as FreeIPA Client. Now i have
>> to set up FreeIPA clients of Ubuntu 12.04
>> and windows 7.  There is no available documentation for Windows 7 and
>> Ubuntu 12.04. During the first login of
>> Windows 7 as FreeIPA Client, i have followed the following steps:
>>
>> (1) Login as user1 at ... and Password: 12345678
>> (2) Message "Your Password has expired and must be changed".
>> (3) Changed the Password to new one successfully.
>> (4) Again login with new credentials.
>> (5) Windows 7 giving message "The User Name or Password is incorrect".
>>
>> I have already stopped the Windows 7 firewall.
>>
>> Guide me about Ubuntu 12.04 as FreeIPA Client setting.
>>
>> With Warm Wishes,
>>
>> Vijay Thakur
>>
>>
> Vijay,
>
> I would like to know if you can send me the procedure how to install client
> centos with FreeIPA server.
> Like you, I was able to install the server side but got "stock" with the
> client authentication.

Please try to follow 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/setting-up-clients.html 
and let us know if something is unclear.

The best option for MS Windows clients is to create trust between Windows AD 
and FreeIPA.

Article http://www.freeipa.org/page/Windows_authentication_against_FreeIPA 
describes how to configure plain MS Windows client, but make sure that you 
fully understood limitations mentioned in the article.

-- 
Petr^2 Spacek



From c.schmitt at briefdomain.de  Wed Jul 10 10:20:14 2013
From: c.schmitt at briefdomain.de (Schmitt, Christian)
Date: Wed, 10 Jul 2013 12:20:14 +0200
Subject: [Freeipa-users] Virtual Machines??
In-Reply-To: <51DBDF2A.8020904@gmail.com>
References: <CAPDLAU7Wp3+8xw1LOZZMyVccxxUjs8YLVfz6BFdXOpqv8DPwAg@mail.gmail.com>
	<51DBDF2A.8020904@gmail.com>
Message-ID: <CAPDLAU4kOTXe1tst_gLHBvwQXhfBBdbUcLj-10BdkdGT=FQ2Tw@mail.gmail.com>

Did you used the --no-ntp option or freeipa? or did you use the internal
freeipa ntp?


2013/7/9 natxo asenjo <natxo.asenjo at gmail.com>

> On 07/08/2013 03:49 PM, Schmitt, Christian wrote:
>
>> Hello, is there currently a good way to install FreeIPA or IdM in
>> virtual machines?
>> Currently we having some Windows Hyper-V Hypervisors since we are
>> planning to buy some Dell Hardware that can't run Linux yet, the Dell
>> VRTX.
>> Also we want to reuse our Windows Server Datacenter Licenses.
>> Is there a good way to do it?
>>
>
> we run a fully virtualized IdM environment on ESX. We did run in time
> synch problems after a server was rebooted for updates, the time was way
> out of sync.
>
> Running ntpdate to synchronize to the ntp server on boot with the
> /etc/sysconfig/ntpdate config file was the solution for us. the iburst
> option in ntp.conf works if your clock skew is not greater than 300
> seconds, but then you do not have login problems either.
>
> --
> groet,
> natxo
>
>
> ______________________________**_________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/f44be8f3/attachment.htm>

From james.hogarth at gmail.com  Wed Jul 10 12:40:16 2013
From: james.hogarth at gmail.com (James Hogarth)
Date: Wed, 10 Jul 2013 13:40:16 +0100
Subject: [Freeipa-users] heads up on dirsrv failure to start on fedora19
Message-ID: <CAGkb5vcS90n5-_okCMGbt5Y6NSb=x7r+anC6-LFo9+yJX=jt5g@mail.gmail.com>

Hi all,

A heads up in case someone else bumps into this when doing any
389-ds/freeipa work on F19.

The /etc/tmpfiles.d/dirsrv-EXAMPLE-COM.conf file is configured to create
the lockfiles in /var/lock/dirsrv/slapd-EXAMPLE-COM but on F19 /var/lock is
a symlink to /var/run/lock...

As a result after a reboot the directory does not exist and dirsrv fails to
start.

Appending (or amending) the lines to read /var/run/lock instead of
/var/lock (ie manually dereference the symlink in the conf file) allows
dirsrv to start after a reboot.

I've opened https://bugzilla.redhat.com/show_bug.cgi?id=983073 for this to
get it amended... but at least it's a simple workaround to 'fix' for now.

Cheers,

James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/47adca1f/attachment.htm>

From sakodak at gmail.com  Wed Jul 10 14:37:30 2013
From: sakodak at gmail.com (KodaK)
Date: Wed, 10 Jul 2013 09:37:30 -0500
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <20130710070708.GT6481@hendrix.brq.redhat.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DAFBDE.30109@redhat.com>
	<CAA9J0ZESA5J+qcpoiRV=ykDSdszNOAbpLzhMFTExKOCa3y_SrQ@mail.gmail.com>
	<51DC8028.2060703@redhat.com>
	<CAA9J0ZFqcer_tJG-AkN+NB1kmUkisp2HgM8D8zYFQH2=34t4hg@mail.gmail.com>
	<51DC922B.4070109@redhat.com>
	<20130710070708.GT6481@hendrix.brq.redhat.com>
Message-ID: <CAA9J0ZEX=AF3HXUCgXhgqxakmqnzBG_Ga6ukPfVaavmdhXq+cQ@mail.gmail.com>

On Wed, Jul 10, 2013 at 2:07 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Tue, Jul 09, 2013 at 06:43:55PM -0400, Dmitri Pal wrote:
> > On 07/09/2013 06:01 PM, KodaK wrote:
> > >
> > >
> > > On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal <dpal at redhat.com
> > > <mailto:dpal at redhat.com>> wrote:
> > >
> > >     On 07/09/2013 03:57 PM, KodaK wrote:
> > >>
> > >>
> > >>     On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden
> > >>     <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
> > >>
> > >>
> > >>         HBAC is enforced by sssd, so no sssd, no HBAC.
> > >>
> > >>         I think you need to use pam_access to limit users in AIX.
> > >>
> > >>
> > >>     I have some work-arounds now, but I'd like to find a way to
> > >>     automate them.  What
> > >>     I need is a way to ask IPA "who is allowed to access this
> > >>     particular server?"
> > >>
> > >>     The goal is go just get a list of allowed users, then there are
> > >>     various mechanisms
> > >>     I can employ to allow access to only the listed users.  I plan to
> > >>     do this from the
> > >>     puppet master so I can push the configs from there.  I have
> > >>     ipa-admintools and
> > >>     openldap-clients installed on the puppet master.
> > >>
> > >>     Right now I'm iterating through all the hbacrules and grepping
> > >>     for the server in
> > >>     question, then getting the details of that rule.  This is a lot
> > >>     of requests.
> > >
> > >
> > >     A valid RFE I would say...
> > >     May be it should be an enhancement for the hbac-test tool?
> > >     However getting a list of the users verbatim is probably costly
> too.
> > >     May be it would make sense for you to create a group of AIX users
> > >     in IPA and then fetch it from the puppet master traverse its
> > >     memberOf attribute for list of members?
> > >     It will not use HBAC but still would provide some access control
> > >     optimization.
> > >     Will that solve the problem for you?
> > >
> > >
> > > I thought about that, but there are some drawbacks.  I don't have "a"
> > > group of AIX users that access all AIX machines.  I have a bunch of
> > > different AIX machines with different user sets.  I can create a group
> > > for each host called hostname_access -- but then I'm just replicating
> > > (quite inefficently) information that already exists in the HBAC
> > > rules.  I can probably create one rule per host in HBAC and query that
> > > particular rule for the allowed users, but this loses the benefit of
> > > being able to use host and user groups.  This is probably where we'll
> > > end up, though, since it's the least-effort-to-implement (if worst to
> > > maintain) option.
> > >
> > > How does sssd determine if a user is allowed access?  Another option
> > > may be to replicate that functionality in a program or script on the
> > > puppet master and have it populate some files once a day or so.
> > >  Alternately we could write a PAM module for AIX that replicates that
> > > functionality.  Right now, though, I have no idea how it's done in
> > > SSSD (a pointer to where it is in the code would be helpful, even.)
> > > --
> > > The government is going to read our mail anyway, might as well make it
> > > tough for them.  GPG Public key ID:  B6A1A7C6
> >
> > SSSD and IPA share the same library.
> > I do not remember the name of it but it takes input: user, host, service
> > and determines whether user is allowed or not.
> > It is written in C. So it probably can be ported to AIX.
> >
>
> The library that evaluates the rules comes from sssd and is called
> libipa_hbac.
>
> I actually wanted to implement the same couple of months ago
> to run on my NAS (which can't realistically run SSSD) at home:
> https://github.com/jhrozek/pam_hbac
>
> It's not complete but perhaps it's a start.
>


Thanks, Jakub, I'll take a look.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/1f36beb0/attachment.htm>

From sakodak at gmail.com  Wed Jul 10 14:55:32 2013
From: sakodak at gmail.com (KodaK)
Date: Wed, 10 Jul 2013 09:55:32 -0500
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <51DC922B.4070109@redhat.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DAFBDE.30109@redhat.com>
	<CAA9J0ZESA5J+qcpoiRV=ykDSdszNOAbpLzhMFTExKOCa3y_SrQ@mail.gmail.com>
	<51DC8028.2060703@redhat.com>
	<CAA9J0ZFqcer_tJG-AkN+NB1kmUkisp2HgM8D8zYFQH2=34t4hg@mail.gmail.com>
	<51DC922B.4070109@redhat.com>
Message-ID: <CAA9J0ZHOXn0i-WapoZrjqXyYTorHK4QxX-3V1hyVpL-ciMGF_Q@mail.gmail.com>

On Tue, Jul 9, 2013 at 5:43 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 07/09/2013 06:01 PM, KodaK wrote:
>
>
>
> On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>>  On 07/09/2013 03:57 PM, KodaK wrote:
>>
>>
>>
>> On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden <rcritten at redhat.com>wrote:
>>
>>>
>>> HBAC is enforced by sssd, so no sssd, no HBAC.
>>>
>>> I think you need to use pam_access to limit users in AIX.
>>>
>>>
>>  I have some work-arounds now, but I'd like to find a way to automate
>> them.  What
>> I need is a way to ask IPA "who is allowed to access this particular
>> server?"
>>
>>  The goal is go just get a list of allowed users, then there are various
>> mechanisms
>> I can employ to allow access to only the listed users.  I plan to do this
>> from the
>> puppet master so I can push the configs from there.  I have
>> ipa-admintools and
>> openldap-clients installed on the puppet master.
>>
>>  Right now I'm iterating through all the hbacrules and grepping for the
>> server in
>> question, then getting the details of that rule.  This is a lot of
>> requests.
>>
>>
>>
>>  A valid RFE I would say...
>> May be it should be an enhancement for the hbac-test tool?
>> However getting a list of the users verbatim is probably costly too.
>> May be it would make sense for you to create a group of AIX users in IPA
>> and then fetch it from the puppet master traverse its memberOf attribute
>> for list of members?
>> It will not use HBAC but still would provide some access control
>> optimization.
>> Will that solve the problem for you?
>>
>
>  I thought about that, but there are some drawbacks.  I don't have "a"
> group of AIX users that access all AIX machines.  I have a bunch of
> different AIX machines with different user sets.  I can create a group for
> each host called hostname_access -- but then I'm just replicating (quite
> inefficently) information that already exists in the HBAC rules.  I can
> probably create one rule per host in HBAC and query that particular rule
> for the allowed users, but this loses the benefit of being able to use host
> and user groups.  This is probably where we'll end up, though, since it's
> the least-effort-to-implement (if worst to maintain) option.
>
>  How does sssd determine if a user is allowed access?  Another option may
> be to replicate that functionality in a program or script on the puppet
> master and have it populate some files once a day or so.  Alternately we
> could write a PAM module for AIX that replicates that functionality.  Right
> now, though, I have no idea how it's done in SSSD (a pointer to where it is
> in the code would be helpful, even.)
>  --
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
>
>
> SSSD and IPA share the same library.
> I do not remember the name of it but it takes input: user, host, service
> and determines whether user is allowed or not.
> It is written in C. So it probably can be ported to AIX.
>
> Here is another option, I do not know if that would work for you.
> It really depends on your setup.
> You can allow SSH into AIX machines only from a corresponding gateway
> machine.
> Say you have 5 classes of AIX machines then you will have 5 gateway
> machines.
> The access to a set of AIX machines will be restricted to SSH from a
> gateway system.
> Logging to a gateway system would be protected with HBAC.
>
> Not the best but yet an alternative approach.
>
> If you go with the "implement yourself approach" on the puppet master you
> should taker a look at the code of the library and see how it does things.
> It might be a good start.
>
>
Thanks, Dmitri.  IRT the gateway machines:  I can already block on a per
user basis using "AllowUsers" in sshd_config -- that's one of the
workarounds I'm using now.  This works, but I want to populate that
automatically via IPA and puppet.  Doing a gateway seems like a step back,
plus I'm sure my users would revolt. :)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/5ec99e75/attachment.htm>

From erinn.looneytriggs at gmail.com  Wed Jul 10 15:45:38 2013
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Wed, 10 Jul 2013 11:45:38 -0400
Subject: [Freeipa-users] Instructions for using Postfix SMTP Client Relay
	with FreeIPA
Message-ID: <51DD81A2.3010806@gmail.com>

Folks,
I swear I am not trying to drive up traffic to my very small blog, but I
wrote up some instruction for how to configure the postfix mail client
to use Kerberos to relay through a Postfix gateway.

Instructions are here for folks that are interested:
https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/

Hopefully it is useful to some people in the future, for me it took the
help of some users on the Postfix list, a lot of it was not clear.

-Erinn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/d97b5987/attachment.sig>

From simo at redhat.com  Wed Jul 10 16:12:02 2013
From: simo at redhat.com (Simo Sorce)
Date: Wed, 10 Jul 2013 12:12:02 -0400
Subject: [Freeipa-users] Instructions for using Postfix SMTP Client
 Relay with FreeIPA
In-Reply-To: <51DD81A2.3010806@gmail.com>
References: <51DD81A2.3010806@gmail.com>
Message-ID: <1373472723.30537.240.camel@willson.li.ssimo.org>

On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote:
> Folks,
> I swear I am not trying to drive up traffic to my very small blog, but I
> wrote up some instruction for how to configure the postfix mail client
> to use Kerberos to relay through a Postfix gateway.
> 
> Instructions are here for folks that are interested:
> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
> 
> Hopefully it is useful to some people in the future, for me it took the
> help of some users on the Postfix list, a lot of it was not clear.

Very nice write up Erinn.

Thanks,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From alanwevans at gmail.com  Wed Jul 10 20:48:57 2013
From: alanwevans at gmail.com (Alan Evans)
Date: Wed, 10 Jul 2013 14:48:57 -0600
Subject: [Freeipa-users] [RFC] Feature idea - ENV vars/profile scripts in
	directory
Message-ID: <CAMFVOoX67Q4C_t+g753gsJ6WCQEzf_F=Tuxf4Pc3QhgfpCoJxQ@mail.gmail.com>

So I have been kicking around an idea for a while now and thought I would
develop it but its out of my league. The FreeIPA community is very very
active in pam/sssd/ldap/so on and so on so I thought I would float the idea
here before I made a Trac [RFE] ticket.

**
Would anyone else find it useful to store environment variables in LDAP?
In the environment (no pun intended) I work in we have a few thousand
servers all authenticating to LDAP and a home grown LDAP+sshPublicKey
implementation which is great.  But we have a bunch of different distros
which all have different default editors.  Unless I feel like touching a
lot of servers or using cfengine3 to distribute my preferred environment
variables I am at the mercy of the editor on the system.

How wonderful would it be to set EDITOR=vim, LESS='-S',
TZ='America/Hawaii', LANG='Klingon' in LDAP and have pam/sss pull/store
that information for me.  Sort of like pam_env but backed by LDAP.

So this got me thinking the other thing that would be wonderful to store in
LDAP would be shell profiles...  Consider having your ~/.profile or
~/.bashrc  or ~/.my.cnf or what-have-you in LDAP?

Maybe this modified pam_ldap could do things like append, remove, replace
or unset environment variables.  Consider:

dn: uid=me,dc=example,dc=com
objectClass: posixAccountEnv
...
# replace EDITOR
posixEnv: EDITOR=vim
# unset TZ
posixEnv: TZ-=
# append PATH
posixEnv: PATH=+:~/bin
# prepend PATH
posixEnv: PATH+=/opt/foo/bin:

Further perhaps the PAM module could be configured to only allow certain
environment variables to be manipulated this way admins can control which
variables users can set.

/etc/ldap/pam_ldap.conf:
...
# allow
pam_allow_env_vars PATH,EDITOR
# deny
pam_deny_env_vars PATH,TZ
# wildcards? regex?
pam_allow_env_vars LC_*,PATH,EDITOR
pam_deny_env_vars TZ

So if we're storing environment variables in LDAP why not profiles or small
files?  ~/.bashrc, ~/.my.cnf, ~/.ssh/config?  Sure there's some overlap
with env vars because you could set them in your profile but with both
options an admin is free to choose.

I can think of a couple of ways to implement this.
1. create subortinate objects to the user object
dn: cn=~/.bashrc,uid=me,dc=example,dc=com
...
objectClass: posixAccountProfile
posixProfile: <octet string>

Advantages: The advantage of this setup is that the profileScript class
could contain any number of attributes, perhaps a modified time so that the
script isn't rewritten if the subordinate object hasn't been modified since
the script was last modified.

Disadvantages: Kinda kludgy.  Extra objects (more lookups).

2. Use LDAP attribute options (See http://www.ietf.org/rfc/rfc2251.txt RFC
2251 "4.1.5. Attribute Description" if not familiar)
dn: uid=me,dc=example,dc=com
...
posixProfile;~/.bashrc: <octet string>
posixProfile;~/.my.cnf: <octet string>

Advantages: No extra objects, makes use of oft unused LDAP attribute
options :), can have ACI's applied to them.
Disadvantages: Only modified time to track is modified time of the LDAP
object not individual profileScript attrs

In both cases it might be wise to consider how file names are specified.
Perhaps leave off the ~/ and make everything relative to ~ no matter what.
Or make everything relative to ~/ even if it starts w/ a '/'.  Maybe simply
reject anything that begins with '/'.

dn: uid=me,dc=example,dc=com
...
posixProfile;.bashrc: <octetString>
posixProfile;.foo/foorc: <octetstring>

Plus I don't know if / and . are legitimate characters in attribute options.

So thanks for sticking with me if you got this far.  What do you think?

Regards,
-Alan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/09b8111b/attachment.htm>

From dpal at redhat.com  Wed Jul 10 21:00:53 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 10 Jul 2013 17:00:53 -0400
Subject: [Freeipa-users] Instructions for using Postfix SMTP Client
 Relay with FreeIPA
In-Reply-To: <1373472723.30537.240.camel@willson.li.ssimo.org>
References: <51DD81A2.3010806@gmail.com>
	<1373472723.30537.240.camel@willson.li.ssimo.org>
Message-ID: <51DDCB85.6050105@redhat.com>

On 07/10/2013 12:12 PM, Simo Sorce wrote:
> On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote:
>> Folks,
>> I swear I am not trying to drive up traffic to my very small blog, but I
>> wrote up some instruction for how to configure the postfix mail client
>> to use Kerberos to relay through a Postfix gateway.
>>
>> Instructions are here for folks that are interested:
>> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
>>
>> Hopefully it is useful to some people in the future, for me it took the
>> help of some users on the Postfix list, a lot of it was not clear.
> Very nice write up Erinn.
>
> Thanks,
> Simo.
>
I think it is worth mentioning that starting Fedora 19 the step to
configure cron to fetch tickets is not needed. GSS proxy can be
configured instead to automatically acquire tickets on client's behalf.
https://fedorahosted.org/gss-proxy/

It generally applies to any unattended client that uses keytab to
authenticate it being messaging client, DB client, LDAP client or
anything else. You name it...

Thanks for the blog!


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





From Steven.Jones at vuw.ac.nz  Wed Jul 10 21:19:07 2013
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 10 Jul 2013 21:19:07 +0000
Subject: [Freeipa-users] Virtual Machines??
In-Reply-To: <CAPDLAU4kOTXe1tst_gLHBvwQXhfBBdbUcLj-10BdkdGT=FQ2Tw@mail.gmail.com>
References: <CAPDLAU7Wp3+8xw1LOZZMyVccxxUjs8YLVfz6BFdXOpqv8DPwAg@mail.gmail.com>
	<51DBDF2A.8020904@gmail.com>,
	<CAPDLAU4kOTXe1tst_gLHBvwQXhfBBdbUcLj-10BdkdGT=FQ2Tw@mail.gmail.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E407A2FA138@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

We use ESX5i, the IPA servers are VMs and run ntp from our main ntp server, clients time sync to the IPA servers.

The only time we see time problems is with clients that do absolutely no work, then their time sometimes drifts excessively, we set the ticker panic to zero to get around that.

If ppl have better ideas I'd be pleased to hear them.




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Schmitt, Christian [c.schmitt at briefdomain.de]
Sent: Wednesday, 10 July 2013 10:20 p.m.
To: natxo asenjo
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Virtual Machines??

Did you used the --no-ntp option or freeipa? or did you use the internal freeipa ntp?


2013/7/9 natxo asenjo <natxo.asenjo at gmail.com<mailto:natxo.asenjo at gmail.com>>
On 07/08/2013 03:49 PM, Schmitt, Christian wrote:
Hello, is there currently a good way to install FreeIPA or IdM in
virtual machines?
Currently we having some Windows Hyper-V Hypervisors since we are
planning to buy some Dell Hardware that can't run Linux yet, the Dell VRTX.
Also we want to reuse our Windows Server Datacenter Licenses.
Is there a good way to do it?

we run a fully virtualized IdM environment on ESX. We did run in time synch problems after a server was rebooted for updates, the time was way out of sync.

Running ntpdate to synchronize to the ntp server on boot with the /etc/sysconfig/ntpdate config file was the solution for us. the iburst option in ntp.conf works if your clock skew is not greater than 300 seconds, but then you do not have login problems either.

--
groet,
natxo


_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/6951a7ce/attachment.htm>

From dpal at redhat.com  Wed Jul 10 21:20:40 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 10 Jul 2013 17:20:40 -0400
Subject: [Freeipa-users] [RFC] Feature idea - ENV vars/profile scripts
 in directory
In-Reply-To: <CAMFVOoX67Q4C_t+g753gsJ6WCQEzf_F=Tuxf4Pc3QhgfpCoJxQ@mail.gmail.com>
References: <CAMFVOoX67Q4C_t+g753gsJ6WCQEzf_F=Tuxf4Pc3QhgfpCoJxQ@mail.gmail.com>
Message-ID: <51DDD028.7030501@redhat.com>

On 07/10/2013 04:48 PM, Alan Evans wrote:
> So I have been kicking around an idea for a while now and thought I
> would develop it but its out of my league. The FreeIPA community is
> very very active in pam/sssd/ldap/so on and so on so I thought I would
> float the idea here before I made a Trac [RFE] ticket.
>
> Would anyone else find it useful to store environment variables in
> LDAP?  In the environment (no pun intended) I work in we have a few
> thousand servers all authenticating to LDAP and a home grown
> LDAP+sshPublicKey implementation which is great.  But we have a bunch
> of different distros which all have different default editors.  Unless
> I feel like touching a lot of servers or using cfengine3 to distribute
> my preferred environment variables I am at the mercy of the editor on
> the system.
>
> How wonderful would it be to set EDITOR=vim, LESS='-S',
> TZ='America/Hawaii', LANG='Klingon' in LDAP and have pam/sss
> pull/store that information for me.  Sort of like pam_env but backed
> by LDAP.
>
> So this got me thinking the other thing that would be wonderful to
> store in LDAP would be shell profiles...  Consider having your
> ~/.profile or ~/.bashrc  or ~/.my.cnf or what-have-you in LDAP?
>
> Maybe this modified pam_ldap could do things like append, remove,
> replace or unset environment variables.  Consider:
>
> dn: uid=me,dc=example,dc=com
> objectClass: posixAccountEnv
> ...
> # replace EDITOR
> posixEnv: EDITOR=vim
> # unset TZ
> posixEnv: TZ-=
> # append PATH
> posixEnv: PATH=+:~/bin
> # prepend PATH
> posixEnv: PATH+=/opt/foo/bin:
>
> Further perhaps the PAM module could be configured to only allow
> certain environment variables to be manipulated this way admins can
> control which variables users can set.
>
> /etc/ldap/pam_ldap.conf:
> ...
> # allow
> pam_allow_env_vars PATH,EDITOR
> # deny
> pam_deny_env_vars PATH,TZ
> # wildcards? regex?
> pam_allow_env_vars LC_*,PATH,EDITOR
> pam_deny_env_vars TZ
>
> So if we're storing environment variables in LDAP why not profiles or
> small files?  ~/.bashrc, ~/.my.cnf, ~/.ssh/config?  Sure there's some
> overlap with env vars because you could set them in your profile but
> with both options an admin is free to choose. 
>
> I can think of a couple of ways to implement this.
> 1. create subortinate objects to the user object
> dn: cn=~/.bashrc,uid=me,dc=example,dc=com
> ...
> objectClass: posixAccountProfile
> posixProfile: <octet string>
>
> Advantages: The advantage of this setup is that the profileScript
> class could contain any number of attributes, perhaps a modified time
> so that the script isn't rewritten if the subordinate object hasn't
> been modified since the script was last modified.
>
> Disadvantages: Kinda kludgy.  Extra objects (more lookups).
>
> 2. Use LDAP attribute options (See http://www.ietf.org/rfc/rfc2251.txt
> RFC 2251 "4.1.5. Attribute Description" if not familiar)
> dn: uid=me,dc=example,dc=com
> ...
> posixProfile;~/.bashrc: <octet string>
> posixProfile;~/.my.cnf: <octet string>
>
> Advantages: No extra objects, makes use of oft unused LDAP attribute
> options :), can have ACI's applied to them.
> Disadvantages: Only modified time to track is modified time of the
> LDAP object not individual profileScript attrs
>
> In both cases it might be wise to consider how file names are
> specified.  Perhaps leave off the ~/ and make everything relative to ~
> no matter what.  Or make everything relative to ~/ even if it starts
> w/ a '/'.  Maybe simply reject anything that begins with '/'.
>
> dn: uid=me,dc=example,dc=com
> ...
> posixProfile;.bashrc: <octetString>
> posixProfile;.foo/foorc: <octetstring>
>
> Plus I don't know if / and . are legitimate characters in attribute
> options.
>
> So thanks for sticking with me if you got this far.  What do you think?
>
> Regards,
> -Alan
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

I see couple problems but in a different plane.
1) You are talking about the server storing this data, it is not
standard but extension can be made. The bigger problem is the client.
Creating the client and porting it to multiple distros is a challenge.
SSSD is in Linux but not in classical UNIXes. As you start looking at
the client side effort solutions like Puppet, Chef and friends become
much more attractive.
2) Which ENV vars need to be served to which groups of hosts. You need
the infrastructure to define and manage it. Puppet, Chef and others are
already good at it.

So I am not really sure that adding the suggested data to LDAP is the
right place. LDAP is just a storage format and client protocol. This is
the smallest part of the effort. This would effectively lead to
duplicating some of existing management systems.

We discussed things like that several years ago when we were starting
IPA project. We needed to draw the line about what to store and what not
to store in LDAP. We came up with a following definition:
Store things that are either traditionally stored in LDAP and already
have LDAP schema of some sort, store things that are dynamic and must be
looked up on the fly because security decision or configuration relies
on it.
That leaves LDAP to be storage of identities (user, groups, hosts, host
groups) and remappings of those identities to the externally managed
objects, i.e. user(s) to command(s) = sudo, user(s) to host access =
HBAC, user(s) to SELinux policies = SELinux user mappings, users and
hosts to SSH keys = SSH integration.

So realistically you might want to have something similar to what we
have for SELinux user mapping that would deliver a "tag" to a host and
then pass it to some pam module that would configure system using that
tag or use this tag to fetch something from a central policy server. But
that would again require a client and server change and if you want it
to be available on multiple platforms you face the same challenge as in 1).


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/5c573136/attachment.htm>

From alanwevans at gmail.com  Wed Jul 10 21:52:01 2013
From: alanwevans at gmail.com (Alan Evans)
Date: Wed, 10 Jul 2013 15:52:01 -0600
Subject: [Freeipa-users] [RFC] Feature idea - ENV vars/profile scripts
	in directory
In-Reply-To: <51DDD028.7030501@redhat.com>
References: <CAMFVOoX67Q4C_t+g753gsJ6WCQEzf_F=Tuxf4Pc3QhgfpCoJxQ@mail.gmail.com>
	<51DDD028.7030501@redhat.com>
Message-ID: <CAMFVOoVsFMmZfXaZuCfQ8DiURsFS+x=mpkg7wbV3=muiKAQYcA@mail.gmail.com>

Oops I think my first reply went to Dimitri only:

Dimitri,

I do not mean to store system environment variables but MY environment
variables.

dn: uid=alan,dc=example,dc=com
objectclass: top
objectclass: posixAccount
objectclass: inetOrgPerson
objectclass: posixAccountEnv
...
uid: alan
cn: Alan Evans
posixEnv: EDITOR=vim
# or
posixEnv;EDITOR: vim

In my opinion while these do not necessarily meet the definition you just
described they are distinctly MY preferences and I would argue they belong
with my object in LDAP.  Storing some environment variables isn't that
different from storing my preferred shell, or my preferred contact
information and so on.

As for implementing it could be all done in pam_ldap which would be pretty
easily portable.

HTH,
-Alan


On Wed, Jul 10, 2013 at 3:20 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 07/10/2013 04:48 PM, Alan Evans wrote:
>
>            So I have been kicking around an idea for a while now and
> thought I would develop it but its out of my league. The FreeIPA community
> is very very active in pam/sssd/ldap/so on and so on so I thought I would
> float the idea here before I made a Trac [RFE] ticket.
>
>  Would anyone else find it useful to store environment variables in
> LDAP?  In the environment (no pun intended) I work in we have a few
> thousand servers all authenticating to LDAP and a home grown
> LDAP+sshPublicKey implementation which is great.  But we have a bunch of
> different distros which all have different default editors.  Unless I feel
> like touching a lot of servers or using cfengine3 to distribute my
> preferred environment variables I am at the mercy of the editor on the
> system.
>
> How wonderful would it be to set EDITOR=vim, LESS='-S',
> TZ='America/Hawaii', LANG='Klingon' in LDAP and have pam/sss pull/store
> that information for me.  Sort of like pam_env but backed by LDAP.
>
>  So this got me thinking the other thing that would be wonderful to store
> in LDAP would be shell profiles...  Consider having your ~/.profile or
> ~/.bashrc  or ~/.my.cnf or what-have-you in LDAP?
>
> Maybe this modified pam_ldap could do things like append, remove, replace
> or unset environment variables.  Consider:
>
>  dn: uid=me,dc=example,dc=com
>  objectClass: posixAccountEnv
>  ...
>  # replace EDITOR
>  posixEnv: EDITOR=vim
>  # unset TZ
>  posixEnv: TZ-=
>  # append PATH
>  posixEnv: PATH=+:~/bin
>  # prepend PATH
>  posixEnv: PATH+=/opt/foo/bin:
>
>  Further perhaps the PAM module could be configured to only allow certain
> environment variables to be manipulated this way admins can control which
> variables users can set.
>
>  /etc/ldap/pam_ldap.conf:
> ...
>  # allow
>  pam_allow_env_vars PATH,EDITOR
>  # deny
>  pam_deny_env_vars PATH,TZ
>  # wildcards? regex?
>  pam_allow_env_vars LC_*,PATH,EDITOR
>  pam_deny_env_vars TZ
>
>  So if we're storing environment variables in LDAP why not profiles or
> small files?  ~/.bashrc, ~/.my.cnf, ~/.ssh/config?  Sure there's some
> overlap with env vars because you could set them in your profile but with
> both options an admin is free to choose.
>
>  I can think of a couple of ways to implement this.
>  1. create subortinate objects to the user object
>  dn: cn=~/.bashrc,uid=me,dc=example,dc=com
> ...
>  objectClass: posixAccountProfile
>  posixProfile: <octet string>
>
>  Advantages: The advantage of this setup is that the profileScript class
> could contain any number of attributes, perhaps a modified time so that the
> script isn't rewritten if the subordinate object hasn't been modified since
> the script was last modified.
>
>  Disadvantages: Kinda kludgy.  Extra objects (more lookups).
>
>  2. Use LDAP attribute options (See http://www.ietf.org/rfc/rfc2251.txtRFC 2251 "4.1.5. Attribute Description" if not familiar)
>  dn: uid=me,dc=example,dc=com
> ...
>  posixProfile;~/.bashrc: <octet string>
>  posixProfile;~/.my.cnf: <octet string>
>
>  Advantages: No extra objects, makes use of oft unused LDAP attribute
> options :), can have ACI's applied to them.
> Disadvantages: Only modified time to track is modified time of the LDAP
> object not individual profileScript attrs
>
>  In both cases it might be wise to consider how file names are specified.
> Perhaps leave off the ~/ and make everything relative to ~ no matter what.
> Or make everything relative to ~/ even if it starts w/ a '/'.  Maybe simply
> reject anything that begins with '/'.
>
> dn: uid=me,dc=example,dc=com
> ...
>  posixProfile;.bashrc: <octetString>
>  posixProfile;.foo/foorc: <octetstring>
>
> Plus I don't know if / and . are legitimate characters in attribute
> options.
>
>  So thanks for sticking with me if you got this far.  What do you think?
>
>  Regards,
>  -Alan
>
>
> _______________________________________________
> Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> I see couple problems but in a different plane.
> 1) You are talking about the server storing this data, it is not standard
> but extension can be made. The bigger problem is the client. Creating the
> client and porting it to multiple distros is a challenge. SSSD is in Linux
> but not in classical UNIXes. As you start looking at the client side effort
> solutions like Puppet, Chef and friends become much more attractive.
> 2) Which ENV vars need to be served to which groups of hosts. You need the
> infrastructure to define and manage it. Puppet, Chef and others are already
> good at it.
>
> So I am not really sure that adding the suggested data to LDAP is the
> right place. LDAP is just a storage format and client protocol. This is the
> smallest part of the effort. This would effectively lead to duplicating
> some of existing management systems.
>
> We discussed things like that several years ago when we were starting IPA
> project. We needed to draw the line about what to store and what not to
> store in LDAP. We came up with a following definition:
> Store things that are either traditionally stored in LDAP and already have
> LDAP schema of some sort, store things that are dynamic and must be looked
> up on the fly because security decision or configuration relies on it.
> That leaves LDAP to be storage of identities (user, groups, hosts, host
> groups) and remappings of those identities to the externally managed
> objects, i.e. user(s) to command(s) = sudo, user(s) to host access = HBAC,
> user(s) to SELinux policies = SELinux user mappings, users and hosts to SSH
> keys = SSH integration.
>
> So realistically you might want to have something similar to what we have
> for SELinux user mapping that would deliver a "tag" to a host and then pass
> it to some pam module that would configure system using that tag or use
> this tag to fetch something from a central policy server. But that would
> again require a client and server change and if you want it to be available
> on multiple platforms you face the same challenge as in 1).
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/b15f7e2b/attachment.htm>

From alanwevans at gmail.com  Wed Jul 10 21:53:20 2013
From: alanwevans at gmail.com (Alan Evans)
Date: Wed, 10 Jul 2013 15:53:20 -0600
Subject: [Freeipa-users] [RFC] Feature idea - ENV vars/profile scripts
	in directory
In-Reply-To: <51DDD028.7030501@redhat.com>
References: <CAMFVOoX67Q4C_t+g753gsJ6WCQEzf_F=Tuxf4Pc3QhgfpCoJxQ@mail.gmail.com>
	<51DDD028.7030501@redhat.com>
Message-ID: <CAMFVOoX82ssvQaqCsHSBZ3Ys88nV2N3zbMheWu9zrnFOiXFF=Q@mail.gmail.com>

Man I just can't seem to reply to this list correctly.  I hope the other
two didn't actually go anywhere.

Dimitri,

I do not mean to store system environment variables but MY environment
variables.

dn: uid=alan,dc=example,dc=com
objectclass: top
objectclass: posixAccount
objectclass: inetOrgPerson
objectclass: posixAccountEnv
...
uid: alan
cn: Alan Evans
posixEnv: EDITOR=vim
# or
posixEnv;EDITOR: vim

In my opinion while these do not necessarily meet the definition you just
described they are distinctly MY preferences and I would argue they belong
with my object in LDAP.  Storing some environment variables isn't that
different from storing my preferred shell, or my preferred contact
information and so on.

As for implementing it could be all done in pam_ldap which would be pretty
easily portable.

HTH,
-Alan


On Wed, Jul 10, 2013 at 3:20 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 07/10/2013 04:48 PM, Alan Evans wrote:
>
>            So I have been kicking around an idea for a while now and
> thought I would develop it but its out of my league. The FreeIPA community
> is very very active in pam/sssd/ldap/so on and so on so I thought I would
> float the idea here before I made a Trac [RFE] ticket.
>
>  Would anyone else find it useful to store environment variables in
> LDAP?  In the environment (no pun intended) I work in we have a few
> thousand servers all authenticating to LDAP and a home grown
> LDAP+sshPublicKey implementation which is great.  But we have a bunch of
> different distros which all have different default editors.  Unless I feel
> like touching a lot of servers or using cfengine3 to distribute my
> preferred environment variables I am at the mercy of the editor on the
> system.
>
> How wonderful would it be to set EDITOR=vim, LESS='-S',
> TZ='America/Hawaii', LANG='Klingon' in LDAP and have pam/sss pull/store
> that information for me.  Sort of like pam_env but backed by LDAP.
>
>  So this got me thinking the other thing that would be wonderful to store
> in LDAP would be shell profiles...  Consider having your ~/.profile or
> ~/.bashrc  or ~/.my.cnf or what-have-you in LDAP?
>
> Maybe this modified pam_ldap could do things like append, remove, replace
> or unset environment variables.  Consider:
>
>  dn: uid=me,dc=example,dc=com
>  objectClass: posixAccountEnv
>  ...
>  # replace EDITOR
>  posixEnv: EDITOR=vim
>  # unset TZ
>  posixEnv: TZ-=
>  # append PATH
>  posixEnv: PATH=+:~/bin
>  # prepend PATH
>  posixEnv: PATH+=/opt/foo/bin:
>
>  Further perhaps the PAM module could be configured to only allow certain
> environment variables to be manipulated this way admins can control which
> variables users can set.
>
>  /etc/ldap/pam_ldap.conf:
> ...
>  # allow
>  pam_allow_env_vars PATH,EDITOR
>  # deny
>  pam_deny_env_vars PATH,TZ
>  # wildcards? regex?
>  pam_allow_env_vars LC_*,PATH,EDITOR
>  pam_deny_env_vars TZ
>
>  So if we're storing environment variables in LDAP why not profiles or
> small files?  ~/.bashrc, ~/.my.cnf, ~/.ssh/config?  Sure there's some
> overlap with env vars because you could set them in your profile but with
> both options an admin is free to choose.
>
>  I can think of a couple of ways to implement this.
>  1. create subortinate objects to the user object
>  dn: cn=~/.bashrc,uid=me,dc=example,dc=com
> ...
>  objectClass: posixAccountProfile
>  posixProfile: <octet string>
>
>  Advantages: The advantage of this setup is that the profileScript class
> could contain any number of attributes, perhaps a modified time so that the
> script isn't rewritten if the subordinate object hasn't been modified since
> the script was last modified.
>
>  Disadvantages: Kinda kludgy.  Extra objects (more lookups).
>
>  2. Use LDAP attribute options (See http://www.ietf.org/rfc/rfc2251.txtRFC 2251 "4.1.5. Attribute Description" if not familiar)
>  dn: uid=me,dc=example,dc=com
> ...
>  posixProfile;~/.bashrc: <octet string>
>  posixProfile;~/.my.cnf: <octet string>
>
>  Advantages: No extra objects, makes use of oft unused LDAP attribute
> options :), can have ACI's applied to them.
> Disadvantages: Only modified time to track is modified time of the LDAP
> object not individual profileScript attrs
>
>  In both cases it might be wise to consider how file names are specified.
> Perhaps leave off the ~/ and make everything relative to ~ no matter what.
> Or make everything relative to ~/ even if it starts w/ a '/'.  Maybe simply
> reject anything that begins with '/'.
>
> dn: uid=me,dc=example,dc=com
> ...
>  posixProfile;.bashrc: <octetString>
>  posixProfile;.foo/foorc: <octetstring>
>
> Plus I don't know if / and . are legitimate characters in attribute
> options.
>
>  So thanks for sticking with me if you got this far.  What do you think?
>
>  Regards,
>  -Alan
>
>
> _______________________________________________
> Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> I see couple problems but in a different plane.
> 1) You are talking about the server storing this data, it is not standard
> but extension can be made. The bigger problem is the client. Creating the
> client and porting it to multiple distros is a challenge. SSSD is in Linux
> but not in classical UNIXes. As you start looking at the client side effort
> solutions like Puppet, Chef and friends become much more attractive.
> 2) Which ENV vars need to be served to which groups of hosts. You need the
> infrastructure to define and manage it. Puppet, Chef and others are already
> good at it.
>
> So I am not really sure that adding the suggested data to LDAP is the
> right place. LDAP is just a storage format and client protocol. This is the
> smallest part of the effort. This would effectively lead to duplicating
> some of existing management systems.
>
> We discussed things like that several years ago when we were starting IPA
> project. We needed to draw the line about what to store and what not to
> store in LDAP. We came up with a following definition:
> Store things that are either traditionally stored in LDAP and already have
> LDAP schema of some sort, store things that are dynamic and must be looked
> up on the fly because security decision or configuration relies on it.
> That leaves LDAP to be storage of identities (user, groups, hosts, host
> groups) and remappings of those identities to the externally managed
> objects, i.e. user(s) to command(s) = sudo, user(s) to host access = HBAC,
> user(s) to SELinux policies = SELinux user mappings, users and hosts to SSH
> keys = SSH integration.
>
> So realistically you might want to have something similar to what we have
> for SELinux user mapping that would deliver a "tag" to a host and then pass
> it to some pam module that would configure system using that tag or use
> this tag to fetch something from a central policy server. But that would
> again require a client and server change and if you want it to be available
> on multiple platforms you face the same challenge as in 1).
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/ec0a91cf/attachment.htm>

From james.hogarth at gmail.com  Wed Jul 10 21:59:02 2013
From: james.hogarth at gmail.com (James Hogarth)
Date: Wed, 10 Jul 2013 22:59:02 +0100
Subject: [Freeipa-users] Instructions for using Postfix SMTP Client
 Relay with FreeIPA
In-Reply-To: <51DDCB85.6050105@redhat.com>
References: <51DD81A2.3010806@gmail.com>
	<1373472723.30537.240.camel@willson.li.ssimo.org>
	<51DDCB85.6050105@redhat.com>
Message-ID: <CAGkb5vdVa7yGJZ=TS7RN1eBShgXRC+LqRiiN2cS3bia4xPTBbQ@mail.gmail.com>

>
> Thanks for the blog!
>
>
>
There's dovecot in the howto section of the wiki but no postfix ... worth
one of us adding the link? OP would you be okay with the link?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/bb125456/attachment.htm>

From natxo.asenjo at gmail.com  Wed Jul 10 22:00:55 2013
From: natxo.asenjo at gmail.com (natxo asenjo)
Date: Thu, 11 Jul 2013 00:00:55 +0200
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
Message-ID: <51DDD997.3010103@gmail.com>

On 07/08/2013 07:44 PM, KodaK wrote:
> We've just discovered that AIX does not honor HBAC rules with telnet.
>   ssh is fine.

no AIX expericence, but I once overheard someone that did something like
this using pam and apparently you could use the pam_permission module:

http://pic.dhe.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.files%2Fdoc%2Faixfiles%2Fpam_permission.htm

so you could add this to /etc/pam.conf

telnet auth requisite /usr/lib/security/pam_permission 
file=/etc/pam.groups.telnet found=allow

and create the file /etc/pam.groups.telnet with info like this:

+ at mygroup1
+ at mygroup2
- at mygroup3

in this case mygroup1 and mygroup2 may telnet, whereas mygroup3 is
denied access.

You could even harden it even more with good old tcp_wrappers
(hosts.allow, hosts.deny).

If you have a config tool (cfengine, puppet, whatever), this could be
quite easy to distribute once properly tested.

Totally untested :-) but maybe worth a shot.

--
groet,
natxo



From dpal at redhat.com  Wed Jul 10 23:24:11 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 10 Jul 2013 19:24:11 -0400
Subject: [Freeipa-users] [RFC] Feature idea - ENV vars/profile scripts
 in directory
In-Reply-To: <CAMFVOoX82ssvQaqCsHSBZ3Ys88nV2N3zbMheWu9zrnFOiXFF=Q@mail.gmail.com>
References: <CAMFVOoX67Q4C_t+g753gsJ6WCQEzf_F=Tuxf4Pc3QhgfpCoJxQ@mail.gmail.com>
	<51DDD028.7030501@redhat.com>
	<CAMFVOoX82ssvQaqCsHSBZ3Ys88nV2N3zbMheWu9zrnFOiXFF=Q@mail.gmail.com>
Message-ID: <51DDED1B.2000302@redhat.com>

On 07/10/2013 05:53 PM, Alan Evans wrote:
> Man I just can't seem to reply to this list correctly.  I hope the
> other two didn't actually go anywhere.
>
> Dimitri,
>
> I do not mean to store system environment variables but MY environment
> variables.

I might have looked at it in a more generic way as more system ENV VARs
than personal preferences.
But here is a question. Are your preferences same on all systems?
It seems that preferences should be more targeted to the groups of
systems rather than be a property of the user.
What your are talking about here is effectively a roaming profile. I
think in Windows you can define which groups of systems the profile
roams between.

I do not have any negative feelings about the idea of storing the
information in LDAP. But IMO it makes sense to view it more as a user
preferences. I would think that it should be something like:

userPreferences: <JSON string>

That would allow more flexibility and would not require protocol changes
to add new things as needed.
And have it be associated with user-host pair. It is expressed by
association object class in IPA.

But let us assume we say it is not a bad idea and can be done. What is next?
I can say for sure that we will not invest into changing pam_ldap to
support it. Only SSSD. Will it make the solution irrelevant for you?




>
> dn: uid=alan,dc=example,dc=com
> objectclass: top
> objectclass: posixAccount
> objectclass: inetOrgPerson
> objectclass: posixAccountEnv
> ...
> uid: alan
> cn: Alan Evans
> posixEnv: EDITOR=vim
> # or
> posixEnv;EDITOR: vim
>
> In my opinion while these do not necessarily meet the definition you
> just described they are distinctly MY preferences and I would argue
> they belong with my object in LDAP.  Storing some environment
> variables isn't that different from storing my preferred shell, or my
> preferred contact information and so on.
>
> As for implementing it could be all done in pam_ldap which would be
> pretty easily portable.
>
> HTH,
> -Alan
>
>
> On Wed, Jul 10, 2013 at 3:20 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
>     On 07/10/2013 04:48 PM, Alan Evans wrote:
>>     So I have been kicking around an idea for a while now and thought
>>     I would develop it but its out of my league. The FreeIPA
>>     community is very very active in pam/sssd/ldap/so on and so on so
>>     I thought I would float the idea here before I made a Trac [RFE]
>>     ticket.
>>
>>     Would anyone else find it useful to store environment variables
>>     in LDAP?  In the environment (no pun intended) I work in we have
>>     a few thousand servers all authenticating to LDAP and a home
>>     grown LDAP+sshPublicKey implementation which is great.  But we
>>     have a bunch of different distros which all have different
>>     default editors.  Unless I feel like touching a lot of servers or
>>     using cfengine3 to distribute my preferred environment variables
>>     I am at the mercy of the editor on the system.
>>
>>     How wonderful would it be to set EDITOR=vim, LESS='-S',
>>     TZ='America/Hawaii', LANG='Klingon' in LDAP and have pam/sss
>>     pull/store that information for me.  Sort of like pam_env but
>>     backed by LDAP.
>>
>>     So this got me thinking the other thing that would be wonderful
>>     to store in LDAP would be shell profiles...  Consider having your
>>     ~/.profile or ~/.bashrc  or ~/.my.cnf or what-have-you in LDAP?
>>
>>     Maybe this modified pam_ldap could do things like append, remove,
>>     replace or unset environment variables.  Consider:
>>
>>     dn: uid=me,dc=example,dc=com
>>     objectClass: posixAccountEnv
>>     ...
>>     # replace EDITOR
>>     posixEnv: EDITOR=vim
>>     # unset TZ
>>     posixEnv: TZ-=
>>     # append PATH
>>     posixEnv: PATH=+:~/bin
>>     # prepend PATH
>>     posixEnv: PATH+=/opt/foo/bin:
>>
>>     Further perhaps the PAM module could be configured to only allow
>>     certain environment variables to be manipulated this way admins
>>     can control which variables users can set.
>>
>>     /etc/ldap/pam_ldap.conf:
>>     ...
>>     # allow
>>     pam_allow_env_vars PATH,EDITOR
>>     # deny
>>     pam_deny_env_vars PATH,TZ
>>     # wildcards? regex?
>>     pam_allow_env_vars LC_*,PATH,EDITOR
>>     pam_deny_env_vars TZ
>>
>>     So if we're storing environment variables in LDAP why not
>>     profiles or small files?  ~/.bashrc, ~/.my.cnf, ~/.ssh/config? 
>>     Sure there's some overlap with env vars because you could set
>>     them in your profile but with both options an admin is free to
>>     choose. 
>>
>>     I can think of a couple of ways to implement this.
>>     1. create subortinate objects to the user object
>>     dn: cn=~/.bashrc,uid=me,dc=example,dc=com
>>     ...
>>     objectClass: posixAccountProfile
>>     posixProfile: <octet string>
>>
>>     Advantages: The advantage of this setup is that the profileScript
>>     class could contain any number of attributes, perhaps a modified
>>     time so that the script isn't rewritten if the subordinate object
>>     hasn't been modified since the script was last modified.
>>
>>     Disadvantages: Kinda kludgy.  Extra objects (more lookups).
>>
>>     2. Use LDAP attribute options (See
>>     http://www.ietf.org/rfc/rfc2251.txt RFC 2251 "4.1.5. Attribute
>>     Description" if not familiar)
>>     dn: uid=me,dc=example,dc=com
>>     ...
>>     posixProfile;~/.bashrc: <octet string>
>>     posixProfile;~/.my.cnf: <octet string>
>>
>>     Advantages: No extra objects, makes use of oft unused LDAP
>>     attribute options :), can have ACI's applied to them.
>>     Disadvantages: Only modified time to track is modified time of
>>     the LDAP object not individual profileScript attrs
>>
>>     In both cases it might be wise to consider how file names are
>>     specified.  Perhaps leave off the ~/ and make everything relative
>>     to ~ no matter what.  Or make everything relative to ~/ even if
>>     it starts w/ a '/'.  Maybe simply reject anything that begins
>>     with '/'.
>>
>>     dn: uid=me,dc=example,dc=com
>>     ...
>>     posixProfile;.bashrc: <octetString>
>>     posixProfile;.foo/foorc: <octetstring>
>>
>>     Plus I don't know if / and . are legitimate characters in
>>     attribute options.
>>
>>     So thanks for sticking with me if you got this far.  What do you
>>     think?
>>
>>     Regards,
>>     -Alan
>>
>>
>>     _______________________________________________
>>     Freeipa-users mailing list
>>     Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>     I see couple problems but in a different plane.
>     1) You are talking about the server storing this data, it is not
>     standard but extension can be made. The bigger problem is the
>     client. Creating the client and porting it to multiple distros is
>     a challenge. SSSD is in Linux but not in classical UNIXes. As you
>     start looking at the client side effort solutions like Puppet,
>     Chef and friends become much more attractive.
>     2) Which ENV vars need to be served to which groups of hosts. You
>     need the infrastructure to define and manage it. Puppet, Chef and
>     others are already good at it.
>
>     So I am not really sure that adding the suggested data to LDAP is
>     the right place. LDAP is just a storage format and client
>     protocol. This is the smallest part of the effort. This would
>     effectively lead to duplicating some of existing management systems.
>
>     We discussed things like that several years ago when we were
>     starting IPA project. We needed to draw the line about what to
>     store and what not to store in LDAP. We came up with a following
>     definition:
>     Store things that are either traditionally stored in LDAP and
>     already have LDAP schema of some sort, store things that are
>     dynamic and must be looked up on the fly because security decision
>     or configuration relies on it.
>     That leaves LDAP to be storage of identities (user, groups, hosts,
>     host groups) and remappings of those identities to the externally
>     managed objects, i.e. user(s) to command(s) = sudo, user(s) to
>     host access = HBAC, user(s) to SELinux policies = SELinux user
>     mappings, users and hosts to SSH keys = SSH integration.
>
>     So realistically you might want to have something similar to what
>     we have for SELinux user mapping that would deliver a "tag" to a
>     host and then pass it to some pam module that would configure
>     system using that tag or use this tag to fetch something from a
>     central policy server. But that would again require a client and
>     server change and if you want it to be available on multiple
>     platforms you face the same challenge as in 1).
>
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager for IdM portfolio
>     Red Hat Inc.
>
>
>     -------------------------------
>     Looking to carve out IT costs?
>     www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>
>
>
>     _______________________________________________
>     Freeipa-users mailing list
>     Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/5838559d/attachment.htm>

From dpal at redhat.com  Wed Jul 10 23:25:15 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 10 Jul 2013 19:25:15 -0400
Subject: [Freeipa-users] Instructions for using Postfix SMTP Client
 Relay with FreeIPA
In-Reply-To: <CAGkb5vdVa7yGJZ=TS7RN1eBShgXRC+LqRiiN2cS3bia4xPTBbQ@mail.gmail.com>
References: <51DD81A2.3010806@gmail.com>
	<1373472723.30537.240.camel@willson.li.ssimo.org>
	<51DDCB85.6050105@redhat.com>
	<CAGkb5vdVa7yGJZ=TS7RN1eBShgXRC+LqRiiN2cS3bia4xPTBbQ@mail.gmail.com>
Message-ID: <51DDED5B.8090402@redhat.com>

On 07/10/2013 05:59 PM, James Hogarth wrote:
>
>
>     Thanks for the blog!
>
>
>
> There's dovecot in the howto section of the wiki but no postfix ...
> worth one of us adding the link? OP would you be okay with the link? 
>
Sure please add. The link is absolutely fine.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/52a1c604/attachment.htm>

From sakodak at gmail.com  Thu Jul 11 00:34:11 2013
From: sakodak at gmail.com (KodaK)
Date: Wed, 10 Jul 2013 19:34:11 -0500
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <51DDD997.3010103@gmail.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DDD997.3010103@gmail.com>
Message-ID: <CAA9J0ZF32PgS9Sob1Q3EpWQExOOyj6KrbQcTxvgTG5SvW7xuJg@mail.gmail.com>

On Wed, Jul 10, 2013 at 5:00 PM, natxo asenjo <natxo.asenjo at gmail.com>wrote:

> On 07/08/2013 07:44 PM, KodaK wrote:
>
>> We've just discovered that AIX does not honor HBAC rules with telnet.
>>   ssh is fine.
>>
>
> no AIX expericence, but I once overheard someone that did something like
> this using pam and apparently you could use the pam_permission module:
>
> http://pic.dhe.ibm.com/**infocenter/aix/v6r1/index.jsp?**
> topic=%2Fcom.ibm.aix.files%**2Fdoc%2Faixfiles%2Fpam_**permission.htm<http://pic.dhe.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.files%2Fdoc%2Faixfiles%2Fpam_permission.htm>
>
> so you could add this to /etc/pam.conf
>
> telnet auth requisite /usr/lib/security/pam_**permission
> file=/etc/pam.groups.telnet found=allow
>
> and create the file /etc/pam.groups.telnet with info like this:
>
> + at mygroup1
> + at mygroup2
> - at mygroup3
>
> in this case mygroup1 and mygroup2 may telnet, whereas mygroup3 is
> denied access.
>
> You could even harden it even more with good old tcp_wrappers
> (hosts.allow, hosts.deny).
>
> If you have a config tool (cfengine, puppet, whatever), this could be
> quite easy to distribute once properly tested.
>
> Totally untested :-) but maybe worth a shot.
>

Thanks.  I'm stuck though.

IBMs insistence on doing everything Not Unix in AIX is frustrating my
efforts.

1) they don't use straight up PAM.  They have some older version they
include with the OS.
2) their version has very few modules that come with it.  It does, however,
have pam_permissions,
    but does not include pam_krb5.

Here's the list:

pam_aix          pam_allowroot    pam_mkuserhome   pam_prohibit
pam_allow        pam_ckfile       pam_permission   pam_rhosts_auth

That's a far cry from the 69 or so pam modules I see on Linux boxes.

Before I can move on I have to get pam_krb5 to build for AIX and that's
proving to be very difficult.

I'm hoping the pam_hbac thing will pan out.

I'm about ready to just yank Kerberos from the AIX machines and fall back
to local authentication.
The actual AIX admins seem to have no interest in helping me, so they can
reap what they
sow with their inaction and have to manage individual users on individual
boxes.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/af5ff789/attachment.htm>

From erinn.looneytriggs at gmail.com  Thu Jul 11 01:04:08 2013
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Wed, 10 Jul 2013 21:04:08 -0400
Subject: [Freeipa-users] Instructions for using Postfix SMTP Client
 Relay with FreeIPA
In-Reply-To: <CAGkb5vdVa7yGJZ=TS7RN1eBShgXRC+LqRiiN2cS3bia4xPTBbQ@mail.gmail.com>
References: <51DD81A2.3010806@gmail.com>
	<1373472723.30537.240.camel@willson.li.ssimo.org>
	<51DDCB85.6050105@redhat.com>
	<CAGkb5vdVa7yGJZ=TS7RN1eBShgXRC+LqRiiN2cS3bia4xPTBbQ@mail.gmail.com>
Message-ID: <51DE0488.4030700@gmail.com>

On 7/10/2013 5:59 PM, James Hogarth wrote:
>>
>> Thanks for the blog!
>>
>>
>>
> There's dovecot in the howto section of the wiki but no postfix ... worth
> one of us adding the link? OP would you be okay with the link?
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 


Sure no problem, the more useful to people the better.

-Erinn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/e2127c4f/attachment.sig>

From erinn.looneytriggs at gmail.com  Thu Jul 11 01:16:04 2013
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Wed, 10 Jul 2013 21:16:04 -0400
Subject: [Freeipa-users] Instructions for using Postfix SMTP Client
 Relay with FreeIPA
In-Reply-To: <51DDCB85.6050105@redhat.com>
References: <51DD81A2.3010806@gmail.com>
	<1373472723.30537.240.camel@willson.li.ssimo.org>
	<51DDCB85.6050105@redhat.com>
Message-ID: <51DE0754.5020908@gmail.com>

On 07/10/2013 05:00 PM, Dmitri Pal wrote:
> On 07/10/2013 12:12 PM, Simo Sorce wrote:
>> On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote:
>>> Folks,
>>> I swear I am not trying to drive up traffic to my very small blog, but I
>>> wrote up some instruction for how to configure the postfix mail client
>>> to use Kerberos to relay through a Postfix gateway.
>>>
>>> Instructions are here for folks that are interested:
>>> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
>>>
>>> Hopefully it is useful to some people in the future, for me it took the
>>> help of some users on the Postfix list, a lot of it was not clear.
>> Very nice write up Erinn.
>>
>> Thanks,
>> Simo.
>>
> I think it is worth mentioning that starting Fedora 19 the step to
> configure cron to fetch tickets is not needed. GSS proxy can be
> configured instead to automatically acquire tickets on client's behalf.
> https://fedorahosted.org/gss-proxy/
> 
> It generally applies to any unattended client that uses keytab to
> authenticate it being messaging client, DB client, LDAP client or
> anything else. You name it...
> 
> Thanks for the blog!
> 
> 

Interesting I'll take a look at that.

-Erinn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130710/0daf4260/attachment.sig>

From james.hogarth at gmail.com  Thu Jul 11 08:26:26 2013
From: james.hogarth at gmail.com (James Hogarth)
Date: Thu, 11 Jul 2013 09:26:26 +0100
Subject: [Freeipa-users] Instructions for using Postfix SMTP Client
 Relay with FreeIPA
In-Reply-To: <51DE0488.4030700@gmail.com>
References: <51DD81A2.3010806@gmail.com>
	<1373472723.30537.240.camel@willson.li.ssimo.org>
	<51DDCB85.6050105@redhat.com>
	<CAGkb5vdVa7yGJZ=TS7RN1eBShgXRC+LqRiiN2cS3bia4xPTBbQ@mail.gmail.com>
	<51DE0488.4030700@gmail.com>
Message-ID: <CAGkb5vesY9V9reYCoqNZs374eDcRisO7e2qbwz54+ybwSV=dDA@mail.gmail.com>

> Sure no problem, the more useful to people the better.
>
>
>
Great stuff - just added the link... On a side note I'm just loving the
growing collection of integration documentation - really makes 'selling'
IPA internally easier all the time!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130711/85ff4879/attachment.htm>

From sakodak at gmail.com  Thu Jul 11 21:39:26 2013
From: sakodak at gmail.com (KodaK)
Date: Thu, 11 Jul 2013 16:39:26 -0500
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <CAA9J0ZF32PgS9Sob1Q3EpWQExOOyj6KrbQcTxvgTG5SvW7xuJg@mail.gmail.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DDD997.3010103@gmail.com>
	<CAA9J0ZF32PgS9Sob1Q3EpWQExOOyj6KrbQcTxvgTG5SvW7xuJg@mail.gmail.com>
Message-ID: <CAA9J0ZH_aXDfibzJsrq2ghLGWhYXzz7m9AUpWN9k_kC5DHqBRg@mail.gmail.com>

Just thought I'd pass along my work-around.

I create a group for each host called hostname-access and populate each
group with the users allowed to connect.

Then, using puppet, I push out an sshd_config that has "AllowGroups: admins
unixadmins hostname-access".

The erb is:  "AllowGroups: admins unixadmins <%= host %>-access"

Then restart sshd.

This is a lot of up-front work, but seems to be the easiest to maintain in
the long run (at least until we can get
AIX to honor HBAC rules.)  Unfortunately, I can't have groups of groups --
that would make initial setup even
easier -- but I'm used to not having everything, as you can see. :)

This only works for sshd, obviously.  We do currently have ftp and telnet
open (yeah, I know) but I'm trying
to get those turned off.  In the meantime I can use tcp-wrappers to only
allow those machines that need
to connect.  This is sub-optimal, since unauthorized users may be able to
telnet in from those machines.

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130711/deda75e5/attachment.htm>

From dpal at redhat.com  Thu Jul 11 21:40:25 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 11 Jul 2013 17:40:25 -0400
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <CAA9J0ZF32PgS9Sob1Q3EpWQExOOyj6KrbQcTxvgTG5SvW7xuJg@mail.gmail.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DDD997.3010103@gmail.com>
	<CAA9J0ZF32PgS9Sob1Q3EpWQExOOyj6KrbQcTxvgTG5SvW7xuJg@mail.gmail.com>
Message-ID: <51DF2649.2060603@redhat.com>

On 07/10/2013 08:34 PM, KodaK wrote:
>
>
> On Wed, Jul 10, 2013 at 5:00 PM, natxo asenjo <natxo.asenjo at gmail.com
> <mailto:natxo.asenjo at gmail.com>> wrote:
>
>     On 07/08/2013 07:44 PM, KodaK wrote:
>
>         We've just discovered that AIX does not honor HBAC rules with
>         telnet.
>           ssh is fine.
>
>
>     no AIX expericence, but I once overheard someone that did
>     something like
>     this using pam and apparently you could use the pam_permission module:
>
>     http://pic.dhe.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.files%2Fdoc%2Faixfiles%2Fpam_permission.htm
>
>     so you could add this to /etc/pam.conf
>
>     telnet auth requisite /usr/lib/security/pam_permission
>     file=/etc/pam.groups.telnet found=allow
>
>     and create the file /etc/pam.groups.telnet with info like this:
>
>     + at mygroup1
>     + at mygroup2
>     - at mygroup3
>
>     in this case mygroup1 and mygroup2 may telnet, whereas mygroup3 is
>     denied access.
>
>     You could even harden it even more with good old tcp_wrappers
>     (hosts.allow, hosts.deny).
>
>     If you have a config tool (cfengine, puppet, whatever), this could be
>     quite easy to distribute once properly tested.
>
>     Totally untested :-) but maybe worth a shot.
>
>
> Thanks.  I'm stuck though.
>
> IBMs insistence on doing everything Not Unix in AIX is frustrating my
> efforts.
>
> 1) they don't use straight up PAM.  They have some older version they
> include with the OS.
> 2) their version has very few modules that come with it.  It does,
> however, have pam_permissions,
>     but does not include pam_krb5.
>
> Here's the list:
>
> pam_aix          pam_allowroot    pam_mkuserhome   pam_prohibit
> pam_allow        pam_ckfile       pam_permission   pam_rhosts_auth
>
> That's a far cry from the 69 or so pam modules I see on Linux boxes.
>
> Before I can move on I have to get pam_krb5 to build for AIX and
> that's proving to be very difficult.
>
> I'm hoping the pam_hbac thing will pan out.
>
> I'm about ready to just yank Kerberos from the AIX machines and fall
> back to local authentication.
> The actual AIX admins seem to have no interest in helping me, so they
> can reap what they
> sow with their inaction and have to manage individual users on
> individual boxes.

How complex are your HBAC rules? Are they very dynamic or pretty static?
We might be able to tackle it from that side and come with something
custom that would work for your case but not in general.
I think PWT mail for the real data would be appropriate.

>
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130711/a37e71d5/attachment.htm>

From dpal at redhat.com  Thu Jul 11 21:42:25 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 11 Jul 2013 17:42:25 -0400
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <CAA9J0ZH_aXDfibzJsrq2ghLGWhYXzz7m9AUpWN9k_kC5DHqBRg@mail.gmail.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DDD997.3010103@gmail.com>
	<CAA9J0ZF32PgS9Sob1Q3EpWQExOOyj6KrbQcTxvgTG5SvW7xuJg@mail.gmail.com>
	<CAA9J0ZH_aXDfibzJsrq2ghLGWhYXzz7m9AUpWN9k_kC5DHqBRg@mail.gmail.com>
Message-ID: <51DF26C1.3050508@redhat.com>

On 07/11/2013 05:39 PM, KodaK wrote:
> Just thought I'd pass along my work-around.
>
> I create a group for each host called hostname-access and populate
> each group with the users allowed to connect.
>
> Then, using puppet, I push out an sshd_config that has "AllowGroups:
> admins unixadmins hostname-access".
>
> The erb is:  "AllowGroups: admins unixadmins <%= host %>-access"
>
> Then restart sshd.
>
> This is a lot of up-front work, but seems to be the easiest to
> maintain in the long run (at least until we can get
> AIX to honor HBAC rules.)  Unfortunately, I can't have groups of
> groups -- that would make initial setup even
> easier -- but I'm used to not having everything, as you can see. :)
>
> This only works for sshd, obviously.  We do currently have ftp and
> telnet open (yeah, I know) but I'm trying
> to get those turned off.  In the meantime I can use tcp-wrappers to
> only allow those machines that need
> to connect.  This is sub-optimal, since unauthorized users may be able
> to telnet in from those machines.

Well it is something like this that I had in mind. But you have beaten me...
Great to see you found an acceptable solution.

>
> --Jason
>
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130711/92dd482e/attachment.htm>

From sakodak at gmail.com  Thu Jul 11 21:54:10 2013
From: sakodak at gmail.com (KodaK)
Date: Thu, 11 Jul 2013 16:54:10 -0500
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <51DF26C1.3050508@redhat.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DDD997.3010103@gmail.com>
	<CAA9J0ZF32PgS9Sob1Q3EpWQExOOyj6KrbQcTxvgTG5SvW7xuJg@mail.gmail.com>
	<CAA9J0ZH_aXDfibzJsrq2ghLGWhYXzz7m9AUpWN9k_kC5DHqBRg@mail.gmail.com>
	<51DF26C1.3050508@redhat.com>
Message-ID: <CAA9J0ZF2MJubkRawsP8f0ZYiMhYbxUy0a0C=rxCitBr+CLXAvw@mail.gmail.com>

On Thu, Jul 11, 2013 at 4:42 PM, Dmitri Pal <dpal at redhat.com> wrote:

> Well it is something like this that I had in mind. But you have beaten
> me...
> Great to see you found an acceptable solution.
>

Acceptable is a strong word.  Maybe "passable" or Microsoft-style "it
works, ship it."  :)

Out of curiosity, what were your thoughts on a solution for us?  Did it
differ significantly
from what I'm doing?  (I'm always on the lookout for a better way.)

Also, what's PWT mail?  I assume some sort of encrypted or private mail,
but I'm not
familiar with the acronym.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130711/af12480d/attachment.htm>

From dpal at redhat.com  Thu Jul 11 22:19:57 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 11 Jul 2013 18:19:57 -0400
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <CAA9J0ZF2MJubkRawsP8f0ZYiMhYbxUy0a0C=rxCitBr+CLXAvw@mail.gmail.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DDD997.3010103@gmail.com>
	<CAA9J0ZF32PgS9Sob1Q3EpWQExOOyj6KrbQcTxvgTG5SvW7xuJg@mail.gmail.com>
	<CAA9J0ZH_aXDfibzJsrq2ghLGWhYXzz7m9AUpWN9k_kC5DHqBRg@mail.gmail.com>
	<51DF26C1.3050508@redhat.com>
	<CAA9J0ZF2MJubkRawsP8f0ZYiMhYbxUy0a0C=rxCitBr+CLXAvw@mail.gmail.com>
Message-ID: <51DF2F8D.7090802@redhat.com>

On 07/11/2013 05:54 PM, KodaK wrote:
>
>
> On Thu, Jul 11, 2013 at 4:42 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
>     Well it is something like this that I had in mind. But you have
>     beaten me...
>     Great to see you found an acceptable solution.
>
>
> Acceptable is a strong word.  Maybe "passable" or Microsoft-style "it
> works, ship it."  :)
>
> Out of curiosity, what were your thoughts on a solution for us?  Did
> it differ significantly
> from what I'm doing?  (I'm always on the lookout for a better way.)

What you need is who can access a specific AIX machine, right?
You have several sets of AIX machines, say 5, each of which has an HBAC
rule that relates a group of users X to a group of AIX machine with the
same set of users.
If you have non overlapping host groups you can fetch users with one
LDAP search from the puppet master.

I am not good with ldap syntax but SQL natural for me so conceptually
the search would look like this:

SELECT group.member FROM group JOIN hbac on group-DN JOIN host group on
hostgroup-DN WHERE hostgroup.member contains host X.

I hope it conveys what I have in mind. The result of such search would
be a list of group members that have access to the host.
This is pretty close to what you have done except it covers nested
groups too and uses HBAC rules.

>
> Also, what's PWT mail? 

Private. I made a typo. It should have been V :-)

> I assume some sort of encrypted or private mail, but I'm not
> familiar with the acronym.
>
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6 


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130711/e31cdb92/attachment.htm>

From arthur at deus.pro  Fri Jul 12 04:30:09 2013
From: arthur at deus.pro (=?koi8-r?Q?=E1=D2=D4=D5=D2_?= =?koi8-r?Q?=E6=C1=CA=DA=D5=CC=CC=C9=CE?=)
Date: Fri, 12 Jul 2013 10:30:09 +0600
Subject: [Freeipa-users] [RFC] Feature idea - ENV vars/profile scripts
 in directory
In-Reply-To: <CAMFVOoX82ssvQaqCsHSBZ3Ys88nV2N3zbMheWu9zrnFOiXFF=Q@mail.gmail.com>
References: <CAMFVOoX67Q4C_t+g753gsJ6WCQEzf_F=Tuxf4Pc3QhgfpCoJxQ@mail.gmail.com>
	<51DDD028.7030501@redhat.com>
	<CAMFVOoX82ssvQaqCsHSBZ3Ys88nV2N3zbMheWu9zrnFOiXFF=Q@mail.gmail.com>
Message-ID: <1373603409.2479.1.camel@arthur.bashnl.ru>

If You will use automount of home dirs, it will allready centrelaised.

? ??, 10/07/2013 ? 15:53 -0600, Alan Evans ?????:
> Man I just can't seem to reply to this list correctly.  I hope the
> other two didn't actually go anywhere.
> 
> Dimitri,
> 
> 
> I do not mean to store system environment variables but MY environment
> variables.
> 
> 
> dn: uid=alan,dc=example,dc=com
> 
> objectclass: top
> 
> objectclass: posixAccount
> 
> objectclass: inetOrgPerson
> 
> objectclass: posixAccountEnv
> ...
> 
> uid: alan
> 
> cn: Alan Evans
> 
> posixEnv: EDITOR=vim
> 
> # or 
> 
> posixEnv;EDITOR: vim
> 
> 
> 
> In my opinion while these do not necessarily meet the definition you
> just described they are distinctly MY preferences and I would argue
> they belong with my object in LDAP.  Storing some environment
> variables isn't that different from storing my preferred shell, or my
> preferred contact information and so on.
> 
> 
> As for implementing it could be all done in pam_ldap which would be
> pretty easily portable.
> 
> 
> HTH,
> 
> -Alan
> 
> 
> 
> On Wed, Jul 10, 2013 at 3:20 PM, Dmitri Pal <dpal at redhat.com> wrote:
>         On 07/10/2013 04:48 PM, Alan Evans wrote: 
>         > So I have been kicking around an idea for a while now and
>         > thought I would develop it but its out of my league. The
>         > FreeIPA community is very very active in pam/sssd/ldap/so on
>         > and so on so I thought I would float the idea here before I
>         > made a Trac [RFE] ticket.
>         > 
>         > 
>         > Would anyone else find it useful to store environment
>         > variables in LDAP?  In the environment (no pun intended) I
>         > work in we have a few thousand servers all authenticating to
>         > LDAP and a home grown LDAP+sshPublicKey implementation which
>         > is great.  But we have a bunch of different distros which
>         > all have different default editors.  Unless I feel like
>         > touching a lot of servers or using cfengine3 to distribute
>         > my preferred environment variables I am at the mercy of the
>         > editor on the system.
>         > 
>         > How wonderful would it be to set EDITOR=vim, LESS='-S',
>         > TZ='America/Hawaii', LANG='Klingon' in LDAP and have pam/sss
>         > pull/store that information for me.  Sort of like pam_env
>         > but backed by LDAP.
>         > 
>         > 
>         > So this got me thinking the other thing that would be
>         > wonderful to store in LDAP would be shell profiles...
>         > Consider having your ~/.profile or ~/.bashrc  or ~/.my.cnf
>         > or what-have-you in LDAP?
>         > 
>         > Maybe this modified pam_ldap could do things like append,
>         > remove, replace or unset environment variables.  Consider:
>         > 
>         > 
>         > dn: uid=me,dc=example,dc=com
>         > 
>         > objectClass: posixAccountEnv
>         > 
>         > ...
>         > 
>         > # replace EDITOR
>         > 
>         > posixEnv: EDITOR=vim
>         > 
>         > # unset TZ
>         > 
>         > posixEnv: TZ-=
>         > 
>         > # append PATH
>         > 
>         > posixEnv: PATH=+:~/bin
>         > 
>         > # prepend PATH
>         > 
>         > posixEnv: PATH+=/opt/foo/bin:
>         > 
>         > 
>         > 
>         > Further perhaps the PAM module could be configured to only
>         > allow certain environment variables to be manipulated this
>         > way admins can control which variables users can set.
>         > 
>         > 
>         > /etc/ldap/pam_ldap.conf:
>         > ...
>         > 
>         > # allow
>         > 
>         > pam_allow_env_vars PATH,EDITOR
>         > 
>         > # deny
>         > 
>         > pam_deny_env_vars PATH,TZ
>         > 
>         > # wildcards? regex?
>         > 
>         > pam_allow_env_vars LC_*,PATH,EDITOR
>         > 
>         > pam_deny_env_vars TZ
>         > 
>         > 
>         > 
>         > So if we're storing environment variables in LDAP why not
>         > profiles or small files?  ~/.bashrc, ~/.my.cnf,
>         > ~/.ssh/config?  Sure there's some overlap with env vars
>         > because you could set them in your profile but with both
>         > options an admin is free to choose.  
>         > 
>         > 
>         > 
>         > I can think of a couple of ways to implement this.
>         > 
>         > 1. create subortinate objects to the user object
>         > 
>         > dn: cn=~/.bashrc,uid=me,dc=example,dc=com
>         > ...
>         > 
>         > objectClass: posixAccountProfile
>         > 
>         > posixProfile: <octet string>
>         > 
>         > 
>         > Advantages: The advantage of this setup is that the
>         > profileScript class could contain any number of attributes,
>         > perhaps a modified time so that the script isn't rewritten
>         > if the subordinate object hasn't been modified since the
>         > script was last modified.
>         > 
>         > 
>         > Disadvantages: Kinda kludgy.  Extra objects (more lookups).
>         > 
>         > 
>         > 
>         > 2. Use LDAP attribute options (See
>         > http://www.ietf.org/rfc/rfc2251.txt RFC 2251 "4.1.5.
>         > Attribute Description" if not familiar) 
>         > 
>         > dn: uid=me,dc=example,dc=com
>         > ...
>         > 
>         > posixProfile;~/.bashrc: <octet string>
>         > 
>         > posixProfile;~/.my.cnf: <octet string>
>         > 
>         > 
>         > Advantages: No extra objects, makes use of oft unused LDAP
>         > attribute options :), can have ACI's applied to them.
>         > Disadvantages: Only modified time to track is modified time
>         > of the LDAP object not individual profileScript attrs
>         > 
>         > 
>         > In both cases it might be wise to consider how file names
>         > are specified.  Perhaps leave off the ~/ and make everything
>         > relative to ~ no matter what.  Or make everything relative
>         > to ~/ even if it starts w/ a '/'.  Maybe simply reject
>         > anything that begins with '/'.
>         > 
>         > dn: uid=me,dc=example,dc=com
>         > ...
>         > 
>         > posixProfile;.bashrc: <octetString>
>         > 
>         > posixProfile;.foo/foorc: <octetstring>
>         > 
>         > Plus I don't know if / and . are legitimate characters in
>         > attribute options.
>         > 
>         > 
>         > So thanks for sticking with me if you got this far.  What do
>         > you think?
>         > 
>         > 
>         > Regards,
>         > 
>         > -Alan
>         > 
>         > 
>         > 
>         > 
>         > _______________________________________________
>         > Freeipa-users mailing list
>         > Freeipa-users at redhat.com
>         > https://www.redhat.com/mailman/listinfo/freeipa-users
>         
>         I see couple problems but in a different plane.
>         1) You are talking about the server storing this data, it is
>         not standard but extension can be made. The bigger problem is
>         the client. Creating the client and porting it to multiple
>         distros is a challenge. SSSD is in Linux but not in classical
>         UNIXes. As you start looking at the client side effort
>         solutions like Puppet, Chef and friends become much more
>         attractive.
>         2) Which ENV vars need to be served to which groups of hosts.
>         You need the infrastructure to define and manage it. Puppet,
>         Chef and others are already good at it. 
>         
>         So I am not really sure that adding the suggested data to LDAP
>         is the right place. LDAP is just a storage format and client
>         protocol. This is the smallest part of the effort. This would
>         effectively lead to duplicating some of existing management
>         systems.
>         
>         We discussed things like that several years ago when we were
>         starting IPA project. We needed to draw the line about what to
>         store and what not to store in LDAP. We came up with a
>         following definition:
>         Store things that are either traditionally stored in LDAP and
>         already have LDAP schema of some sort, store things that are
>         dynamic and must be looked up on the fly because security
>         decision or configuration relies on it.
>         That leaves LDAP to be storage of identities (user, groups,
>         hosts, host groups) and remappings of those identities to the
>         externally managed objects, i.e. user(s) to command(s) = sudo,
>         user(s) to host access = HBAC, user(s) to SELinux policies =
>         SELinux user mappings, users and hosts to SSH keys = SSH
>         integration.
>         
>         So realistically you might want to have something similar to
>         what we have for SELinux user mapping that would deliver a
>         "tag" to a host and then pass it to some pam module that would
>         configure system using that tag or use this tag to fetch
>         something from a central policy server. But that would again
>         require a client and server change and if you want it to be
>         available on multiple platforms you face the same challenge as
>         in 1).
>         
>         
>         -- 
>         Thank you,
>         Dmitri Pal
>         
>         Sr. Engineering Manager for IdM portfolio
>         Red Hat Inc.
>         
>         
>         -------------------------------
>         Looking to carve out IT costs?
>         www.redhat.com/carveoutcosts/
>         
>         
>         
>         _______________________________________________
>         Freeipa-users mailing list
>         Freeipa-users at redhat.com
>         https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




From c.schmitt at briefdomain.de  Fri Jul 12 08:55:00 2013
From: c.schmitt at briefdomain.de (Christian Schmitt)
Date: Fri, 12 Jul 2013 10:55:00 +0200
Subject: [Freeipa-users] PKI-CAD couldn't start
Message-ID: <20130712105500.12ac4c82@london.clients.envisia.de>

Hello I'm not sure if its right to ask here, since i'm using CentOS 6.4
and the IdM (FreeIPA), but i'll hope i get help.

I can't start the IPA Service with service ipa start after an reboot.
It fails on the pki-cad service, that only outputs 
'grep --help' gives you more information.

I'm really not sure whats the correct error and how to restart ipa now.



From natxo.asenjo at gmail.com  Fri Jul 12 09:18:07 2013
From: natxo.asenjo at gmail.com (natxo asenjo)
Date: Fri, 12 Jul 2013 11:18:07 +0200
Subject: [Freeipa-users] PKI-CAD couldn't start
In-Reply-To: <20130712105500.12ac4c82@london.clients.envisia.de>
References: <20130712105500.12ac4c82@london.clients.envisia.de>
Message-ID: <51DFC9CF.90906@gmail.com>

On 07/12/2013 10:55 AM, Christian Schmitt wrote:

> I can't start the IPA Service with service ipa start after an reboot.
> It fails on the pki-cad service, that only outputs
> 'grep --help' gives you more information.
>
> I'm really not sure whats the correct error and how to restart ipa now.

logs? look in /var/log/dirsrv/slapd-PKI-{yourinstancename}/ , the answer 
should be in one of the files in there.

-- 
groet,
natxo



From c.schmitt at briefdomain.de  Fri Jul 12 09:38:35 2013
From: c.schmitt at briefdomain.de (Schmitt, Christian)
Date: Fri, 12 Jul 2013 11:38:35 +0200
Subject: [Freeipa-users] PKI-CAD couldn't start
In-Reply-To: <51DFC9CF.90906@gmail.com>
References: <20130712105500.12ac4c82@london.clients.envisia.de>
	<51DFC9CF.90906@gmail.com>
Message-ID: <CAPDLAU7U9rZueCRD_tVsYAL9NpAaG5WyEuNSFvBJR7N4K4k6GQ@mail.gmail.com>

Currently this is the errors logfile:
[root at dc01 slapd-PKI-IPA]# cat errors
    389-Directory/1.2.11.15 B2013.105.2259
    dc01.envisia.de:7389 (/etc/dirsrv/slapd-PKI-IPA)

[12/Jul/2013:10:19:17 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:10:19:17 +0200] - slapd shutting down - waiting for 29 threads
to terminate
[12/Jul/2013:10:19:17 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:10:19:17 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:10:19:17 +0200] - All database threads now stopped
[12/Jul/2013:10:19:17 +0200] - slapd stopped.
[12/Jul/2013:10:31:20 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:31:23 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:31:23 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:32:18 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:10:32:18 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:10:32:18 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:10:32:18 +0200] - All database threads now stopped
[12/Jul/2013:10:32:18 +0200] - slapd stopped.
[12/Jul/2013:10:34:33 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:34:33 +0200] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[12/Jul/2013:10:34:34 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:34:34 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:35:16 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:10:35:16 +0200] - slapd shutting down - waiting for 29 threads
to terminate
[12/Jul/2013:10:35:16 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:10:35:16 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:10:35:16 +0200] - All database threads now stopped
[12/Jul/2013:10:35:16 +0200] - slapd stopped.
[12/Jul/2013:10:38:00 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:38:00 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:38:00 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:38:47 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:38:47 +0200] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[12/Jul/2013:10:38:48 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:38:48 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:39:32 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:10:39:32 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:10:39:32 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:10:39:32 +0200] - All database threads now stopped
[12/Jul/2013:10:39:32 +0200] - slapd stopped.
[12/Jul/2013:10:39:54 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:39:54 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:39:54 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:41:14 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:41:14 +0200] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[12/Jul/2013:10:41:14 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:41:14 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:41:57 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:10:41:57 +0200] - slapd shutting down - waiting for 29 threads
to terminate
[12/Jul/2013:10:41:57 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:10:41:57 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:10:41:57 +0200] - All database threads now stopped
[12/Jul/2013:10:41:57 +0200] - slapd stopped.
[12/Jul/2013:10:47:25 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:47:25 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:47:25 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:48:08 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:10:48:08 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:10:48:08 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:10:48:08 +0200] - All database threads now stopped
[12/Jul/2013:10:48:08 +0200] - slapd stopped.
[12/Jul/2013:10:48:22 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:48:22 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:48:22 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:57:21 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:57:21 +0200] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[12/Jul/2013:10:57:21 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:57:21 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:58:04 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:10:58:04 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:10:58:04 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:10:58:04 +0200] - All database threads now stopped
[12/Jul/2013:10:58:04 +0200] - slapd stopped.
[12/Jul/2013:11:02:59 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:11:02:59 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:11:02:59 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:11:03:45 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:11:03:45 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:11:03:45 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:11:03:45 +0200] - All database threads now stopped
[12/Jul/2013:11:03:45 +0200] - slapd stopped.
[12/Jul/2013:11:04:41 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:11:04:41 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:11:04:41 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:11:05:21 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:11:05:21 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:11:05:21 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:11:05:21 +0200] - All database threads now stopped
[12/Jul/2013:11:05:21 +0200] - slapd stopped.
[12/Jul/2013:11:11:21 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:11:11:22 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:11:11:22 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:11:12:01 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:11:12:01 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:11:12:01 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:11:12:01 +0200] - All database threads now stopped
[12/Jul/2013:11:12:01 +0200] - slapd stopped.
[12/Jul/2013:11:15:38 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:11:15:38 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:11:15:38 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:11:16:22 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:11:16:22 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:11:16:22 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:11:16:22 +0200] - All database threads now stopped
[12/Jul/2013:11:16:22 +0200] - slapd stopped.
[12/Jul/2013:11:16:55 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:11:16:56 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:11:16:56 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests

Btw when i enter: 'service ipa start'
It prints out this:
Starting CA Service
Starting pki-ca:                                           [  OK  ]
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...

> Try `grep --help' for more information.
> Usage: grep [OPTION]... PATTERN [FILE]...

Will getting printed a lot and then it prints out:

Failed to start CA Service
Shutting down
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping named: .                                          [  OK  ]
Stopping ipa_memcached:                                    [  OK  ]
Stopping httpd:                                            [  OK  ]
Stopping pki-ca:                                           [FAILED]
Shutting down dirsrv:
    ENVISIA-DE...                                          [  OK  ]
    PKI-IPA...                                             [  OK  ]
Aborting ipactl




2013/7/12 natxo asenjo <natxo.asenjo at gmail.com>

> On 07/12/2013 10:55 AM, Christian Schmitt wrote:
>
>  I can't start the IPA Service with service ipa start after an reboot.
>> It fails on the pki-cad service, that only outputs
>> 'grep --help' gives you more information.
>>
>> I'm really not sure whats the correct error and how to restart ipa now.
>>
>
> logs? look in /var/log/dirsrv/slapd-PKI-{yourinstancename}/ , the answer
> should be in one of the files in there.
>
> --
> groet,
> natxo
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/d033d61a/attachment.htm>

From natxo.asenjo at gmail.com  Fri Jul 12 12:31:54 2013
From: natxo.asenjo at gmail.com (natxo asenjo)
Date: Fri, 12 Jul 2013 14:31:54 +0200
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <CAA9J0ZH_aXDfibzJsrq2ghLGWhYXzz7m9AUpWN9k_kC5DHqBRg@mail.gmail.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DDD997.3010103@gmail.com>
	<CAA9J0ZF32PgS9Sob1Q3EpWQExOOyj6KrbQcTxvgTG5SvW7xuJg@mail.gmail.com>
	<CAA9J0ZH_aXDfibzJsrq2ghLGWhYXzz7m9AUpWN9k_kC5DHqBRg@mail.gmail.com>
Message-ID: <51DFF73A.3070800@gmail.com>

On 07/11/2013 11:39 PM, KodaK wrote:

> This only works for sshd, obviously.  We do currently have ftp and
> telnet open (yeah, I know) but I'm trying
> to get those turned off.  In the meantime I can use tcp-wrappers to only
> allow those machines that need
> to connect.  This is sub-optimal, since unauthorized users may be able
> to telnet in from those machines.

tcp wrappers support netgroups (iirc), you could use that too (you
cannot mix hosts and users though, so you should create netgroups of
users.

--
groet,
natxo




From andrew at wasielewski.co.uk  Fri Jul 12 00:15:30 2013
From: andrew at wasielewski.co.uk (Andrew Wasielewski)
Date: Fri, 12 Jul 2013 01:15:30 +0100
Subject: [Freeipa-users] Problem with Kerberised NFS mount
Message-ID: <2244402.23csPCHrou@localhost.localdomain>

Hello everyone,

I am setting up FreeIPA for a small home network.  However I have a problem mounting NFS shares with Kerberos enables - see syslog output below.

My NFS, KDC and FreeIPA servers are all on the same host.  I am running the NFS mount directly on the server, which has local firewall disabled - I get the same outcome on a remote client, but this surely eliminates any network issues.

These are my NFS exports, which are visible both locally and remotely with "showmount -e":-

[root at server ~]# exportfs -av
exporting gss/krb5:/home
exporting gss/krb5i:/home
exporting gss/krb5p:/home

The command  "mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk:/home /mnt/test_mnt" hangs indefinitely.  However without the Kerberos export options the NFS share can be mounted both locally and remotely without problem.

I read in a post that the "serializing key with enctype 18 and size 32" entry in syslog means I am trying to use an unsupported key with AES256 encryption (I can find very little about enctype numbers though); however I appear to have an AES256 service principal:

[root at server etc]# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (aes256-cts-hmac-sha1-96) 
   2    2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (aes128-cts-hmac-sha1-96) 
   3    2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (des3-cbc-sha1) 
   4    2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (arcfour-hmac) 
   5    5 nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (aes256-cts-hmac-sha1-96) 

My versions are:
	Fedora 17 (kernel 3.8.13-100.fc17.x86_64)
	FreeIPA 2.2.2
	krb5 1.10.2
	nfs-utils 1.2.6
I have read of this issue being fixed by downgrading nfs-utils to 1.2.5; however that is not possible due to conflict with systemd.  Everything else appears to work OK e.g. domain login, automap etc.  When I try to mount the Kerberised NFS share, *nothing* appears in /var/log/krb5kdc.log

Here is my syslog output when  attempt the mount:

Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37 si 0x7fffe59b94f0 data 0x7fffe59b93c0
Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service is '<null>'
Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'
Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'
Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK while getting keytab entry for 'SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK'
Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK while getting keytab entry for 'root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK'
Jul 12 01:13:10 server rpc.gssd[31628]: Success getting keytab entry for 'nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK'
Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035
Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035
Jul 12 01:13:10 server rpc.gssd[31628]: using FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK as credentials cache for machine creds
Jul 12 01:13:10 server rpc.gssd[31628]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK
Jul 12 01:13:10 server rpc.gssd[31628]: creating context using fsuid 0 (save_uid 0)
Jul 12 01:13:10 server rpc.gssd[31628]: creating tcp client for server server.wasielewski.co.uk
Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: port already set to 2049
Jul 12 01:13:10 server rpc.gssd[31628]: creating context with server nfs at server.wasielewski.co.uk
Jul 12 01:13:10 server rpc.svcgssd[32135]: leaving poll
Jul 12 01:13:10 server rpc.svcgssd[32135]: handling null request
Jul 12 01:13:10 server rpc.svcgssd[32135]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
Jul 12 01:13:10 server rpc.svcgssd[32135]: sname = nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
Jul 12 01:13:10 server rpc.svcgssd[32135]: DEBUG: serialize_krb5_ctx: lucid version!
Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: protocol 1
Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Jul 12 01:13:10 server rpc.svcgssd[32135]: doing downcall
Jul 12 01:13:10 server rpc.svcgssd[32135]: mech: krb5, hndl len: 4, ctx len 52, timeout: 1373659035 (71045 from now), clnt: nfs at server.wasielewski.co.uk, uid: -1, gid: -1, num aux grps: 0:
Jul 12 01:13:10 server rpc.svcgssd[32135]: sending null reply
Jul 12 01:13:10 server rpc.svcgssd[32135]: writing message: \x \x6082029f06092a864886f71201020201006e82028e3082028aa003020105a10302010ea20703050020000000a3820184618201803082017ca003020105a1131b1157415349454c4557534b492e434f2e554ba22a3028a003020103a121301f1b036e66731b187365727665722e77617369656c6577736b692e636f2e756ba38201323082012ea003020112a103020105a28201200482011ccd1627a49a2911b9662144c0c43f9e64d78f4e817846f95884f3f43ea053b3954f22fb2d287d9ad0e24f88e32301d6a6f3f70d0e415b9c957e60e773b45b3a065258f1614451a258e3ce05f5c1fb889882b336223a32db10bea70dd334f22b9e1efaddd8b417994f6168d42a065e160353243de8aa53b4449a477567673212d68c241975300d12be7a756b7d4c7c75f8e5e82d84223ad592f6fec6897baa79b92e7097ecf1237f6c2c8ac2555c7c60782f51c386782eb56147e1ffcc8c4de94fba31d1e7a20f88b2ce88a9eb8059a9fe5731c22075280ec9eaf01fc81fccac841002f65d86e0b7000074b84661cb9ceed5e77ca4bdadfbe345ea41467392441ca5f202db006e019826d81d60e383427b5cd766f23b15b4e4eb8ebc1ba481ec3081e9a003020112a281e10481de69f0cdd8b94ef7123715131198824fa3c953d25f7dfea3b253df9623e44c660e7a96629eb323e5616bd7162e0ba4ec2d6037e3b3409be10410b2d3ffc0e2b1631b5dac718c3dfde170ec050bfc1dde657fcb7f35a7ef38e20477fea9d5f7e1320a77eef539455383080522686d1fbfb7bef8cb200dc8810c56e68bc25ad011aff3397781713aa8b696ec9f94843822449d1930b96530f69203840eab8d8398faf1286fde6edf7ef315489aa6621e1be8ea8375c52084895498f57183ccd0a104e7ac244a3fab12449144499a2308103e432c47d945f80e644f4df17271c0 1373588050 0 0 \x73000000 \x60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f87a21e99d0907eadcd179fef73a8a4b38cb8180566d1f2cea453e28b7334b0648a543c3f2588a79f516f7d2238e1cca4ca5ec290b2a5d8b9d570ba47fdc20a2d36bc54928c3addba9b68867028c9adb157e487cc0951bc1270f9f1b96e643bb614589411cc923a9fbe5654beb20d85
Jul 12 01:13:10 server rpc.svcgssd[32135]: finished handling null request
Jul 12 01:13:10 server rpc.svcgssd[32135]: entering poll
Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: serialize_krb5_ctx: lucid version!
Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer: protocol 1
Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Jul 12 01:13:10 server rpc.gssd[31628]: doing downcall

Any advice is much appreciated.

Andrew



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/f8051358/attachment.htm>

From ovalousek at vendavo.com  Fri Jul 12 14:51:52 2013
From: ovalousek at vendavo.com (Ondrej Valousek)
Date: Fri, 12 Jul 2013 14:51:52 +0000
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <2244402.23csPCHrou@localhost.localdomain>
References: <2244402.23csPCHrou@localhost.localdomain>
Message-ID: <gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>

Hard to say.
In general, when dealing w/ nfs & kerberos, I would advise to:
? Upgrade to the latest fedora
? Make sure idmapper is configured and working fine
? Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes keys).
Ondrej


Odesl?no ze Samsung Mobile



-------- P?vodn? zpr?va --------
Od: Andrew Wasielewski <andrew at wasielewski.co.uk>
Datum:
Komu: freeipa-users at redhat.com
P?edm?t: [Freeipa-users] Problem with Kerberised NFS mount



Hello everyone,



I am setting up FreeIPA for a small home network. However I have a problem mounting NFS shares with Kerberos enables - see syslog output below.



My NFS, KDC and FreeIPA servers are all on the same host. I am running the NFS mount directly on the server, which has local firewall disabled - I get the same outcome on a remote client, but this surely eliminates any network issues.



These are my NFS exports, which are visible both locally and remotely with "showmount -e":-



[root at server ~]# exportfs -av

exporting gss/krb5:/home

exporting gss/krb5i:/home

exporting gss/krb5p:/home



The command "mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk:/home /mnt/test_mnt" hangs indefinitely. However without the Kerberos export options the NFS share can be mounted both locally and remotely without problem.



I read in a post that the "serializing key with enctype 18 and size 32" entry in syslog means I am trying to use an unsupported key with AES256 encryption (I can find very little about enctype numbers though); however I appear to have an AES256 service principal:



[root at server etc]# ktutil

ktutil: rkt /etc/krb5.keytab

ktutil: list -e

slot KVNO Principal

---- ---- ---------------------------------------------------------------------

1 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (aes256-cts-hmac-sha1-96)

2 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (aes128-cts-hmac-sha1-96)

3 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (des3-cbc-sha1)

4 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (arcfour-hmac)

5 5 nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (aes256-cts-hmac-sha1-96)



My versions are:

Fedora 17 (kernel 3.8.13-100.fc17.x86_64)

FreeIPA 2.2.2

krb5 1.10.2

nfs-utils 1.2.6

I have read of this issue being fixed by downgrading nfs-utils to 1.2.5; however that is not possible due to conflict with systemd. Everything else appears to work OK e.g. domain login, automap etc. When I try to mount the Kerberised NFS share, *nothing* appears in /var/log/krb5kdc.log



Here is my syslog output when attempt the mount:



Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37 si 0x7fffe59b94f0 data 0x7fffe59b93c0

Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)

Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '

Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)

Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service is '<null>'

Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'

Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'

Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK while getting keytab entry for 'SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK'

Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK while getting keytab entry for 'root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK'

Jul 12 01:13:10 server rpc.gssd[31628]: Success getting keytab entry for 'nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK'

Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035

Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035

Jul 12 01:13:10 server rpc.gssd[31628]: using FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK as credentials cache for machine creds

Jul 12 01:13:10 server rpc.gssd[31628]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK

Jul 12 01:13:10 server rpc.gssd[31628]: creating context using fsuid 0 (save_uid 0)

Jul 12 01:13:10 server rpc.gssd[31628]: creating tcp client for server server.wasielewski.co.uk

Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: port already set to 2049

Jul 12 01:13:10 server rpc.gssd[31628]: creating context with server nfs at server.wasielewski.co.uk

Jul 12 01:13:10 server rpc.svcgssd[32135]: leaving poll

Jul 12 01:13:10 server rpc.svcgssd[32135]: handling null request

Jul 12 01:13:10 server rpc.svcgssd[32135]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel

Jul 12 01:13:10 server rpc.svcgssd[32135]: sname = nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK

Jul 12 01:13:10 server rpc.svcgssd[32135]: DEBUG: serialize_krb5_ctx: lucid version!

Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: protocol 1

Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32

Jul 12 01:13:10 server rpc.svcgssd[32135]: doing downcall

Jul 12 01:13:10 server rpc.svcgssd[32135]: mech: krb5, hndl len: 4, ctx len 52, timeout: 1373659035 (71045 from now), clnt: nfs at server.wasielewski.co.uk, uid: -1, gid: -1, num aux grps: 0:

Jul 12 01:13:10 server rpc.svcgssd[32135]: sending null reply

Jul 12 01:13:10 server rpc.svcgssd[32135]: writing message: \x \x6082029f06092a864886f71201020201006e82028e3082028aa003020105a10302010ea20703050020000000a3820184618201803082017ca003020105a1131b1157415349454c4557534b492e434f2e554ba22a3028a003020103a121301f1b036e66731b187365727665722e77617369656c6577736b692e636f2e756ba38201323082012ea003020112a103020105a28201200482011ccd1627a49a2911b9662144c0c43f9e64d78f4e817846f95884f3f43ea053b3954f22fb2d287d9ad0e24f88e32301d6a6f3f70d0e415b9c957e60e773b45b3a065258f1614451a258e3ce05f5c1fb889882b336223a32db10bea70dd334f22b9e1efaddd8b417994f6168d42a065e160353243de8aa53b4449a477567673212d68c241975300d12be7a756b7d4c7c75f8e5e82d84223ad592f6fec6897baa79b92e7097ecf1237f6c2c8ac2555c7c60782f51c386782eb56147e1ffcc8c4de94fba31d1e7a20f88b2ce88a9eb8059a9fe5731c22075280ec9eaf01fc81fccac841002f65d86e0b7000074b84661cb9ceed5e77ca4bdadfbe345ea41467392441ca5f202db006e019826d81d60e383427b5cd766f23b15b4e4eb8ebc1ba481ec3081e9a003020112a281e10481de69f0cdd8b94ef7123715131198824fa3c953d25f7dfea3b253df9623e44c660e7a96629eb323e5616bd7162e0ba4ec2d6037e3b3409be10410b2d3ffc0e2b1631b5dac718c3dfde170ec050bfc1dde657fcb7f35a7ef38e20477fea9d5f7e1320a77eef539455383080522686d1fbfb7bef8cb200dc8810c56e68bc25ad011aff3397781713aa8b696ec9f94843822449d1930b96530f69203840eab8d8398faf1286fde6edf7ef315489aa6621e1be8ea8375c52084895498f57183ccd0a104e7ac244a3fab12449144499a2308103e432c47d945f80e644f4df17271c0 1373588050 0 0 \x73000000 \x60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f87a21e99d0907eadcd179fef73a8a4b38cb8180566d1f2cea453e28b7334b0648a543c3f2588a79f516f7d2238e1cca4ca5ec290b2a5d8b9d570ba47fdc20a2d36bc54928c3addba9b68867028c9adb157e487cc0951bc1270f9f1b96e643bb614589411cc923a9fbe5654beb20d85

Jul 12 01:13:10 server rpc.svcgssd[32135]: finished handling null request

Jul 12 01:13:10 server rpc.svcgssd[32135]: entering poll

Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: serialize_krb5_ctx: lucid version!

Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer: protocol 1

Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32

Jul 12 01:13:10 server rpc.gssd[31628]: doing downcall



Any advice is much appreciated.



Andrew






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/0650cfb8/attachment.htm>

From amessina at messinet.com  Fri Jul 12 15:04:44 2013
From: amessina at messinet.com (Anthony Messina)
Date: Fri, 12 Jul 2013 10:04:44 -0500
Subject: [Freeipa-users] Instructions for using Postfix SMTP Client
	Relay with FreeIPA
In-Reply-To: <51DDCB85.6050105@redhat.com>
References: <51DD81A2.3010806@gmail.com>
	<1373472723.30537.240.camel@willson.li.ssimo.org>
	<51DDCB85.6050105@redhat.com>
Message-ID: <2806598.nOdMvboudj@linux-ws1.messinet.com>

On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote:
> On 07/10/2013 12:12 PM, Simo Sorce wrote:
> > On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote:
> >> Folks,
> >> I swear I am not trying to drive up traffic to my very small blog, but I
> >> wrote up some instruction for how to configure the postfix mail client
> >> to use Kerberos to relay through a Postfix gateway.
> >> 
> >> Instructions are here for folks that are interested:
> >> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-> >> relaying-smtp-client/
> >> 
> >> Hopefully it is useful to some people in the future, for me it took the
> >> help of some users on the Postfix list, a lot of it was not clear.

Erinn, this is excellent!  I've been looking for just this idea!  Thanks.

> I think it is worth mentioning that starting Fedora 19 the step to
> configure cron to fetch tickets is not needed. GSS proxy can be
> configured instead to automatically acquire tickets on client's behalf.
> https://fedorahosted.org/gss-proxy/
> 
> It generally applies to any unattended client that uses keytab to
> authenticate it being messaging client, DB client, LDAP client or
> anything else. You name it...
> 
> Thanks for the blog!
> 
> 
> -- 
> Thank you,
> Dmitri Pal


Dmitri, thanks for the info on gssproxy.  I am using gssproxy for NFS in F19, 
but have not begun using it for other services such as an smtp client, though 
this is exactly what I'd be looking for.  Do you think you'd be able to show 
us what the gssproxy.conf file might look like for Postfix's smtp service?  
How would one store the keytab in /var/lib/gssapi/clients?  As far as I can 
tell, the keytabs stored there are listed as <uidnumber>.keytab, so I imagine 
this would be stored as the postfix user's uidnumber.

Thanks again.  -A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/3b07050b/attachment.sig>

From simo at redhat.com  Fri Jul 12 15:31:49 2013
From: simo at redhat.com (Simo Sorce)
Date: Fri, 12 Jul 2013 11:31:49 -0400
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
References: <2244402.23csPCHrou@localhost.localdomain>
	<gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
Message-ID: <1373643109.30537.322.camel@willson.li.ssimo.org>

On Fri, 2013-07-12 at 14:51 +0000, Ondrej Valousek wrote:
> Hard to say.
> In general, when dealing w/ nfs & kerberos, I would advise to:
> ? Upgrade to the latest fedora
> ? Make sure idmapper is configured and working fine
> ? Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can
> handle aes keys).

3des makes little sense, it is the least used enctype.

If you want to be backwards compatible with old kernels you'll have to
stick with DES (not 3DES) which is utterly insecure these days.
Otherwise go straight to AES and don't look back.

Support for AES is available since quite a few fedora release and RHEL6


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From erinn.looneytriggs at gmail.com  Fri Jul 12 15:33:32 2013
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Fri, 12 Jul 2013 11:33:32 -0400
Subject: [Freeipa-users] Instructions for using Postfix SMTP Client
 Relay with FreeIPA
In-Reply-To: <2806598.nOdMvboudj@linux-ws1.messinet.com>
References: <51DD81A2.3010806@gmail.com>
	<1373472723.30537.240.camel@willson.li.ssimo.org>
	<51DDCB85.6050105@redhat.com>
	<2806598.nOdMvboudj@linux-ws1.messinet.com>
Message-ID: <51E021CC.7070509@gmail.com>

On 07/12/2013 11:04 AM, Anthony Messina wrote:
> On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote:
>> On 07/10/2013 12:12 PM, Simo Sorce wrote:
>>> On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote:
>>>> Folks,
>>>> I swear I am not trying to drive up traffic to my very small blog, but I
>>>> wrote up some instruction for how to configure the postfix mail client
>>>> to use Kerberos to relay through a Postfix gateway.
>>>>
>>>> Instructions are here for folks that are interested:
>>>> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-> >> relaying-smtp-client/
>>>>
>>>> Hopefully it is useful to some people in the future, for me it took the
>>>> help of some users on the Postfix list, a lot of it was not clear.
> 
> Erinn, this is excellent!  I've been looking for just this idea!  Thanks.
> 
>> I think it is worth mentioning that starting Fedora 19 the step to
>> configure cron to fetch tickets is not needed. GSS proxy can be
>> configured instead to automatically acquire tickets on client's behalf.
>> https://fedorahosted.org/gss-proxy/
>>
>> It generally applies to any unattended client that uses keytab to
>> authenticate it being messaging client, DB client, LDAP client or
>> anything else. You name it...
>>
>> Thanks for the blog!
>>
>>
>> -- 
>> Thank you,
>> Dmitri Pal
> 
> 
> Dmitri, thanks for the info on gssproxy.  I am using gssproxy for NFS in F19, 
> but have not begun using it for other services such as an smtp client, though 
> this is exactly what I'd be looking for.  Do you think you'd be able to show 
> us what the gssproxy.conf file might look like for Postfix's smtp service?  
> How would one store the keytab in /var/lib/gssapi/clients?  As far as I can 
> tell, the keytabs stored there are listed as <uidnumber>.keytab, so I imagine 
> this would be stored as the postfix user's uidnumber.
> 
> Thanks again.  -A
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 

No problem, glad it is useful.

Please note that there is a bit of a problem currently that I am trying
to document out. As it is written, the postfix config doesn't verify the
TLS connection between client and server, this can create a security issue.

Basically, you need to change the setting for smtp_tls_security_level
from 'may' to 'secure' and make sure you either have a certificate
signed by a known CA or have your own CA in the certificate trust.

Within the confines of FreeIPA this is pretty easy given that you
already have a PKI in place with IPA.

GSSAPI inside of a TLS channel apparently isn't secure unless the
channel is secure and verified. The irony being that GSSAPI auth outside
of a TLS connection is just fine for postfix.

The post will be updated with this information, but it takes a bit more
work to make what I wrote above more approachable.

-Erinn


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/83e40166/attachment.sig>

From erinn.looneytriggs at gmail.com  Fri Jul 12 15:36:30 2013
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Fri, 12 Jul 2013 11:36:30 -0400
Subject: [Freeipa-users] IPA CA install in ca-bundle.crt
Message-ID: <51E0227E.30105@gmail.com>

Is there a reason that ipa-client-install does not add the CA of the IPA
server to the ca-bundle.crt file in /etc/pki/certs/?

Seems like it would be a reasonable move to do that.

I know it imports the CA into /etc/pki/nssdb.

Hopefully I didn't miss something that allows it to. But I wanted to
check if there was a good reason for it not to before going and filing
an RFE.

-Erinn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/e1a0648e/attachment.sig>

From simo at redhat.com  Fri Jul 12 15:36:50 2013
From: simo at redhat.com (Simo Sorce)
Date: Fri, 12 Jul 2013 11:36:50 -0400
Subject: [Freeipa-users] Instructions for using Postfix SMTP Client
 Relay with FreeIPA
In-Reply-To: <2806598.nOdMvboudj@linux-ws1.messinet.com>
References: <51DD81A2.3010806@gmail.com>
	<1373472723.30537.240.camel@willson.li.ssimo.org>
	<51DDCB85.6050105@redhat.com>
	<2806598.nOdMvboudj@linux-ws1.messinet.com>
Message-ID: <1373643410.30537.327.camel@willson.li.ssimo.org>

On Fri, 2013-07-12 at 10:04 -0500, Anthony Messina wrote:
> On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote:
> > On 07/10/2013 12:12 PM, Simo Sorce wrote:
> > > On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote:
> > >> Folks,
> > >> I swear I am not trying to drive up traffic to my very small blog, but I
> > >> wrote up some instruction for how to configure the postfix mail client
> > >> to use Kerberos to relay through a Postfix gateway.
> > >> 
> > >> Instructions are here for folks that are interested:
> > >> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-> >> relaying-smtp-client/
> > >> 
> > >> Hopefully it is useful to some people in the future, for me it took the
> > >> help of some users on the Postfix list, a lot of it was not clear.
> 
> Erinn, this is excellent!  I've been looking for just this idea!  Thanks.
> 
> > I think it is worth mentioning that starting Fedora 19 the step to
> > configure cron to fetch tickets is not needed. GSS proxy can be
> > configured instead to automatically acquire tickets on client's behalf.
> > https://fedorahosted.org/gss-proxy/
> > 
> > It generally applies to any unattended client that uses keytab to
> > authenticate it being messaging client, DB client, LDAP client or
> > anything else. You name it...
> > 
> > Thanks for the blog!
> > 
> > 
> > -- 
> > Thank you,
> > Dmitri Pal
> 
> 
> Dmitri, thanks for the info on gssproxy.  I am using gssproxy for NFS in F19, 
> but have not begun using it for other services such as an smtp client, though 
> this is exactly what I'd be looking for.  Do you think you'd be able to show 
> us what the gssproxy.conf file might look like for Postfix's smtp service? 

I will need to look at how postifix uses gssapi, it may 'just work' or
it may require some patching to avoid bad uses of gssapi or
unconditional uses of direct krb5 calls. For nfs-util I had to send a
very small patch.
If SASL is used I am relatively sure it will just work though.

> How would one store the keytab in /var/lib/gssapi/clients?  As far as I can 
> tell, the keytabs stored there are listed as <uidnumber>.keytab, so I imagine 
> this would be stored as the postfix user's uidnumber.

When you use a keytab for 'accepting' rather than 'initialing' you can
place it where you want and give it whatever name you want as it doesn't
change based on the peer name. Of course you want to place it in a place
where (only) gssproxy can use it.

The configuration for SMTP would be something like:

[service/smtp-server]
  mechs = krb5
  cred_store = keytab:/etc/postfix/smtp.keytab
  trusted = no
  euid = 12345 #smtp's process user id


HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From erinn.looneytriggs at gmail.com  Fri Jul 12 15:44:23 2013
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Fri, 12 Jul 2013 11:44:23 -0400
Subject: [Freeipa-users] Instructions for using Postfix SMTP Client
 Relay with FreeIPA
In-Reply-To: <1373643410.30537.327.camel@willson.li.ssimo.org>
References: <51DD81A2.3010806@gmail.com>
	<1373472723.30537.240.camel@willson.li.ssimo.org>
	<51DDCB85.6050105@redhat.com>
	<2806598.nOdMvboudj@linux-ws1.messinet.com>
	<1373643410.30537.327.camel@willson.li.ssimo.org>
Message-ID: <51E02457.3080509@gmail.com>

On 07/12/2013 11:36 AM, Simo Sorce wrote:
> On Fri, 2013-07-12 at 10:04 -0500, Anthony Messina wrote:
>> On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote:
>>> On 07/10/2013 12:12 PM, Simo Sorce wrote:
>>>> On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote:
>>>>> Folks,
>>>>> I swear I am not trying to drive up traffic to my very small blog, but I
>>>>> wrote up some instruction for how to configure the postfix mail client
>>>>> to use Kerberos to relay through a Postfix gateway.
>>>>>
>>>>> Instructions are here for folks that are interested:
>>>>> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-> >> relaying-smtp-client/
>>>>>
>>>>> Hopefully it is useful to some people in the future, for me it took the
>>>>> help of some users on the Postfix list, a lot of it was not clear.
>>
>> Erinn, this is excellent!  I've been looking for just this idea!  Thanks.
>>
>>> I think it is worth mentioning that starting Fedora 19 the step to
>>> configure cron to fetch tickets is not needed. GSS proxy can be
>>> configured instead to automatically acquire tickets on client's behalf.
>>> https://fedorahosted.org/gss-proxy/
>>>
>>> It generally applies to any unattended client that uses keytab to
>>> authenticate it being messaging client, DB client, LDAP client or
>>> anything else. You name it...
>>>
>>> Thanks for the blog!
>>>
>>>
>>> -- 
>>> Thank you,
>>> Dmitri Pal
>>
>>
>> Dmitri, thanks for the info on gssproxy.  I am using gssproxy for NFS in F19, 
>> but have not begun using it for other services such as an smtp client, though 
>> this is exactly what I'd be looking for.  Do you think you'd be able to show 
>> us what the gssproxy.conf file might look like for Postfix's smtp service? 
> 
> I will need to look at how postifix uses gssapi, it may 'just work' or
> it may require some patching to avoid bad uses of gssapi or
> unconditional uses of direct krb5 calls. For nfs-util I had to send a
> very small patch.
> If SASL is used I am relatively sure it will just work though.
> 
>> How would one store the keytab in /var/lib/gssapi/clients?  As far as I can 
>> tell, the keytabs stored there are listed as <uidnumber>.keytab, so I imagine 
>> this would be stored as the postfix user's uidnumber.
> 
> When you use a keytab for 'accepting' rather than 'initialing' you can
> place it where you want and give it whatever name you want as it doesn't
> change based on the peer name. Of course you want to place it in a place
> where (only) gssproxy can use it.
> 
> The configuration for SMTP would be something like:
> 
> [service/smtp-server]
>   mechs = krb5
>   cred_store = keytab:/etc/postfix/smtp.keytab
>   trusted = no
>   euid = 12345 #smtp's process user id
> 
> 
> HTH,
> Simo.
> 

Simo et al.
I would still recommend taking a look but Postfix delegates all of that
to SASL.

-Erinn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/51a14a18/attachment.sig>

From amessina at messinet.com  Fri Jul 12 16:04:57 2013
From: amessina at messinet.com (Anthony Messina)
Date: Fri, 12 Jul 2013 11:04:57 -0500
Subject: [Freeipa-users] Instructions for using Postfix SMTP Client
	Relay with FreeIPA
In-Reply-To: <1373644868.30537.329.camel@willson.li.ssimo.org>
References: <51DD81A2.3010806@gmail.com>
	<13218641.GtGVugpppZ@linux-ws1.messinet.com>
	<1373644868.30537.329.camel@willson.li.ssimo.org>
Message-ID: <1643734.02Ofl0NikB@ws1.m.messinet.com>

Sorry, I had accidentally replied to Simo privately.

Moving back to the list.  -A

On Friday, July 12, 2013 12:01:08 PM Simo Sorce wrote:
> On Fri, 2013-07-12 at 10:52 -0500, Anthony Messina wrote:
> > On Friday, July 12, 2013 11:36:50 AM you wrote:
> > > > Dmitri, thanks for the info on gssproxy.  I am using gssproxy for NFS
> > > > in
> > > > F19,  but have not begun using it for other services such as an smtp
> > > > client, though this is exactly what I'd be looking for.  Do you think
> > > > you'd be able to show us what the gssproxy.conf file might look like
> > > > for
> > > > Postfix's smtp service?
> > > 
> > > I will need to look at how postifix uses gssapi, it may 'just work' or
> > > it may require some patching to avoid bad uses of gssapi or
> > > unconditional uses of direct krb5 calls. For nfs-util I had to send a
> > > very small patch.
> > > If SASL is used I am relatively sure it will just work though.
> > > 
> > > > How would one store the keytab in /var/lib/gssapi/clients?  As far as
> > > > I
> > > > can  tell, the keytabs stored there are listed as <uidnumber>.keytab,
> > > > so
> > > > I imagine this would be stored as the postfix user's uidnumber.
> > > 
> > > When you use a keytab for 'accepting' rather than 'initialing' you can
> > > place it where you want and give it whatever name you want as it doesn't
> > > change based on the peer name. Of course you want to place it in a place
> > > where (only) gssproxy can use it.
> > > 
> > > The configuration for SMTP would be something like:
> > > 
> > > [service/smtp-server]
> > > 
> > >   mechs = krb5
> > >   cred_store = keytab:/etc/postfix/smtp.keytab
> > >   trusted = no
> > >   euid = 12345 #smtp's process user id
> > > 
> > > HTH,
> > > Simo.
> > 
> > In this case, Postfix is acting as a client, which is why it seems a
> > little
> > tricky to me.  I have been using Postfix/GSSAPI on the smtpD end for
> > years,
> > but not the smtp end yet, as I hadn't figured out the sasl_maps thing,
> > until I reviewed Erinn's post.
> 
> Oh sorry, I misundertood that, however the configuration wouldn't be
> much different, you'd just add:
> cred_store = client_keytab:/etc/postfix/smtp.keytab or similar
> 
> > Erinn may already know that the smtp part of Postfix runs as the 'postfix'
> > user whereas Postfix's 'master' process runs as root.
> > 
> > Anyway, I'll keep following and I can test things out and report back as
> > well.
> Thanks, it would be really nice if we could augment this with a
> privilege separation recipy based on gssproxy
> 
> Simo.
-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/2250b5a1/attachment.sig>

From rcritten at redhat.com  Fri Jul 12 17:19:09 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Jul 2013 13:19:09 -0400
Subject: [Freeipa-users] IPA CA install in ca-bundle.crt
In-Reply-To: <51E0227E.30105@gmail.com>
References: <51E0227E.30105@gmail.com>
Message-ID: <51E03A8D.8030504@redhat.com>

Erinn Looney-Triggs wrote:
> Is there a reason that ipa-client-install does not add the CA of the IPA
> server to the ca-bundle.crt file in /etc/pki/certs/?
>
> Seems like it would be a reasonable move to do that.
>
> I know it imports the CA into /etc/pki/nssdb.
>
> Hopefully I didn't miss something that allows it to. But I wanted to
> check if there was a good reason for it not to before going and filing
> an RFE.

We will as part of the shared system certificates effort, 
http://fedoraproject.org/wiki/Features/SharedSystemCertificates Our 
ticket is https://fedorahosted.org/freeipa/ticket/3504

They are working on tools to make managing these certificates easier for 
F-20.

rob




From erinn.looneytriggs at gmail.com  Fri Jul 12 17:20:52 2013
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Fri, 12 Jul 2013 13:20:52 -0400
Subject: [Freeipa-users] IPA CA install in ca-bundle.crt
In-Reply-To: <51E03A8D.8030504@redhat.com>
References: <51E0227E.30105@gmail.com> <51E03A8D.8030504@redhat.com>
Message-ID: <51E03AF4.1070808@gmail.com>

On 07/12/2013 01:19 PM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> Is there a reason that ipa-client-install does not add the CA of the IPA
>> server to the ca-bundle.crt file in /etc/pki/certs/?
>>
>> Seems like it would be a reasonable move to do that.
>>
>> I know it imports the CA into /etc/pki/nssdb.
>>
>> Hopefully I didn't miss something that allows it to. But I wanted to
>> check if there was a good reason for it not to before going and filing
>> an RFE.
> 
> We will as part of the shared system certificates effort,
> http://fedoraproject.org/wiki/Features/SharedSystemCertificates Our
> ticket is https://fedorahosted.org/freeipa/ticket/3504
> 
> They are working on tools to make managing these certificates easier for
> F-20.
> 
> rob
> 
> 

Yeah I saw that effort for F19, I think it is excellent and well time
for it. Glad to know it is on the radar. For those of us in RHEL land at
least for now, it looks like this won't help.

Thanks,
-Erinn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/e1267b3b/attachment.sig>

From aellert at numeezy.com  Fri Jul 12 17:23:03 2013
From: aellert at numeezy.com (Alexandre Ellert)
Date: Fri, 12 Jul 2013 19:23:03 +0200
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
Message-ID: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>

Hi,

I'm currently trying to get a functional .deb package working on Debian Wheezy.
I have tried to recompile a package from Ubuntu Precise (https://launchpad.net/~freeipa/+archive/ppa) without success.

First error was about compiling ipa-join :
ipa-join.c: In function ?callRPC?:
ipa-join.c:174:20: error: ?struct xmlrpc_curl_xportparms? has no member named ?gssapi_delegation?
=> Fix : Add backport-gssapi-delegation.patch to package xmlrpc-c and then install resulting libxmlrpc-core-c3-dev.deb and libxmlrpc-core-c3.deb

Now, recompile again with new patched libxmlrpc-core-c3... compilation go further, but I'm stuck at the end of process of building .deb :
dh_install --list-missing
dh_install: usr/share/man/man1/ipa-client-automount.1.gz exists in debian/tmp but is not installed to anywhere
dh_install: usr/sbin/ipa-client-automount exists in debian/tmp but is not installed to anywhere
make[1]: quittant le r?pertoire ? /root/freeipa-ppa/freeipa-3.2.0 ?
   dh_install
   dh_installdocs
   dh_installchangelogs
   dh_installexamples
   dh_installman
   dh_installcatalogs
   dh_installcron
   dh_installdebconf
   dh_installemacsen
   dh_installifupdown
   dh_installinfo
   dh_python2
E: dh_python2:145: extension for python2.6 is missing. Build extensions for all supported Python versions (`pyversions -vr`) or adjust X-Python-Version field or pass --no-guessing-versions to dh_python2
make: *** [binary] Erreur 3
dpkg-buildpackage: erreur: debian/rules binary a produit une erreur de sortie de type 2

Any idea or me advice about how to backport freeipa-client to wheezy ?
Thanks a lot.

Alexandre
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/6cb0d39f/attachment.htm>

From rcritten at redhat.com  Fri Jul 12 17:25:51 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Jul 2013 13:25:51 -0400
Subject: [Freeipa-users] IPA CA install in ca-bundle.crt
In-Reply-To: <51E03AF4.1070808@gmail.com>
References: <51E0227E.30105@gmail.com> <51E03A8D.8030504@redhat.com>
	<51E03AF4.1070808@gmail.com>
Message-ID: <51E03C1F.7080108@redhat.com>

Erinn Looney-Triggs wrote:
> On 07/12/2013 01:19 PM, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> Is there a reason that ipa-client-install does not add the CA of the IPA
>>> server to the ca-bundle.crt file in /etc/pki/certs/?
>>>
>>> Seems like it would be a reasonable move to do that.
>>>
>>> I know it imports the CA into /etc/pki/nssdb.
>>>
>>> Hopefully I didn't miss something that allows it to. But I wanted to
>>> check if there was a good reason for it not to before going and filing
>>> an RFE.
>>
>> We will as part of the shared system certificates effort,
>> http://fedoraproject.org/wiki/Features/SharedSystemCertificates Our
>> ticket is https://fedorahosted.org/freeipa/ticket/3504
>>
>> They are working on tools to make managing these certificates easier for
>> F-20.
>>
>> rob
>>
>>
>
> Yeah I saw that effort for F19, I think it is excellent and well time
> for it. Glad to know it is on the radar. For those of us in RHEL land at
> least for now, it looks like this won't help.

Yeah, sorry about that. The problem is this is one big blob of certs. In 
theory it should be relatively easy to script up something to safely 
add/remove certs from it, but there are issues like updating the 
ca-certificates package would over-write any changes we made. So it's 
the sort of thing that works, then it doesn't, and is really hard to pin 
down why.

rob



From rcritten at redhat.com  Fri Jul 12 17:27:57 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Jul 2013 13:27:57 -0400
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
Message-ID: <51E03C9D.9060903@redhat.com>

Alexandre Ellert wrote:
> Hi,
>
> I'm currently trying to get a functional .deb package working on Debian
> Wheezy.
> I have tried to recompile a package from Ubuntu Precise
> (https://launchpad.net/~freeipa/+archive/ppa) without success.
>
> First error was about compiling ipa-join :
> ipa-join.c: In function ?callRPC?:
> ipa-join.c:174:20: error: ?struct xmlrpc_curl_xportparms? has no member
> named ?gssapi_delegation?
> => Fix : Add backport-gssapi-delegation.patch to package xmlrpc-c and
> then install resultinglibxmlrpc-core-c3-dev.deb and libxmlrpc-core-c3.deb
>
> Now, recompile again with new patched libxmlrpc-core-c3... compilation
> go further, but I'm stuck at the end of process of building .deb :
> dh_install --list-missing
> dh_install: usr/share/man/man1/ipa-client-automount.1.gz exists in
> debian/tmp but is not installed to anywhere
> dh_install: usr/sbin/ipa-client-automount exists in debian/tmp but is
> not installed to anywhere
> make[1]: quittant le r?pertoire ? /root/freeipa-ppa/freeipa-3.2.0 ?
>     dh_install
>     dh_installdocs
>     dh_installchangelogs
>     dh_installexamples
>     dh_installman
>     dh_installcatalogs
>     dh_installcron
>     dh_installdebconf
>     dh_installemacsen
>     dh_installifupdown
>     dh_installinfo
>     dh_python2
> E: dh_python2:145: extension for python2.6 is missing. Build extensions
> for all supported Python versions (`pyversions -vr`) or adjust
> X-Python-Version field or pass --no-guessing-versions to dh_python2
> make: *** [binary] Erreur 3
> dpkg-buildpackage: erreur: debian/rules binary a produit une erreur de
> sortie de type 2
>
> Any idea or me advice about how to backport freeipa-client to wheezy ?
> Thanks a lot.

I don't know anything about deb packaging, but it looks like you just 
need to add those two ipa-client-automount files to your packaging (in 
rpm we'd put these into the %files section).

rob



From abokovoy at redhat.com  Fri Jul 12 17:36:10 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 12 Jul 2013 20:36:10 +0300
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
Message-ID: <20130712173610.GY18587@redhat.com>

On Fri, 12 Jul 2013, Alexandre Ellert wrote:
>Hi,
>
>I'm currently trying to get a functional .deb package working on Debian Wheezy.
>I have tried to recompile a package from Ubuntu Precise (https://launchpad.net/~freeipa/+archive/ppa) without success.
>
>First error was about compiling ipa-join :
>ipa-join.c: In function ?callRPC?:
>ipa-join.c:174:20: error: ?struct xmlrpc_curl_xportparms? has no member named ?gssapi_delegation?
>=> Fix : Add backport-gssapi-delegation.patch to package xmlrpc-c and then install resulting libxmlrpc-core-c3-dev.deb and libxmlrpc-core-c3.deb
>
>Now, recompile again with new patched libxmlrpc-core-c3... compilation go further, but I'm stuck at the end of process of building .deb :
>dh_install --list-missing
>dh_install: usr/share/man/man1/ipa-client-automount.1.gz exists in debian/tmp but is not installed to anywhere
>dh_install: usr/sbin/ipa-client-automount exists in debian/tmp but is not installed to anywhere
>make[1]: quittant le r?pertoire ? /root/freeipa-ppa/freeipa-3.2.0 ?
>   dh_install
>   dh_installdocs
>   dh_installchangelogs
>   dh_installexamples
>   dh_installman
>   dh_installcatalogs
>   dh_installcron
>   dh_installdebconf
>   dh_installemacsen
>   dh_installifupdown
>   dh_installinfo
>   dh_python2
>E: dh_python2:145: extension for python2.6 is missing. Build extensions for all supported Python versions (`pyversions -vr`) or adjust X-Python-Version field or pass --no-guessing-versions to dh_python2
>make: *** [binary] Erreur 3
>dpkg-buildpackage: erreur: debian/rules binary a produit une erreur de sortie de type 2
>
>Any idea or me advice about how to backport freeipa-client to wheezy ?
Perhaps, you can fix it in a manner similar to
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628827

-- 
/ Alexander Bokovoy



From aellert at numeezy.com  Fri Jul 12 17:57:09 2013
From: aellert at numeezy.com (Alexandre Ellert)
Date: Fri, 12 Jul 2013 19:57:09 +0200
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <20130712173610.GY18587@redhat.com>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
	<20130712173610.GY18587@redhat.com>
Message-ID: <77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>

Thanks for pointing that bug, compilation succeeded if adding "X-Python-Version: 2.7" to debian/control file.
Now, testing functionality...
I can give you some feedback if you want (i'm new here. Is there only RHEL/Fedora users on this mailing list ?)

Le 12 juil. 2013 ? 19:36, Alexander Bokovoy <abokovoy at redhat.com> a ?crit :

> On Fri, 12 Jul 2013, Alexandre Ellert wrote:
>> Hi,
>> 
>> I'm currently trying to get a functional .deb package working on Debian Wheezy.
>> I have tried to recompile a package from Ubuntu Precise (https://launchpad.net/~freeipa/+archive/ppa) without success.
>> 
>> First error was about compiling ipa-join :
>> ipa-join.c: In function ?callRPC?:
>> ipa-join.c:174:20: error: ?struct xmlrpc_curl_xportparms? has no member named ?gssapi_delegation?
>> => Fix : Add backport-gssapi-delegation.patch to package xmlrpc-c and then install resulting libxmlrpc-core-c3-dev.deb and libxmlrpc-core-c3.deb
>> 
>> Now, recompile again with new patched libxmlrpc-core-c3... compilation go further, but I'm stuck at the end of process of building .deb :
>> dh_install --list-missing
>> dh_install: usr/share/man/man1/ipa-client-automount.1.gz exists in debian/tmp but is not installed to anywhere
>> dh_install: usr/sbin/ipa-client-automount exists in debian/tmp but is not installed to anywhere
>> make[1]: quittant le r?pertoire ? /root/freeipa-ppa/freeipa-3.2.0 ?
>>  dh_install
>>  dh_installdocs
>>  dh_installchangelogs
>>  dh_installexamples
>>  dh_installman
>>  dh_installcatalogs
>>  dh_installcron
>>  dh_installdebconf
>>  dh_installemacsen
>>  dh_installifupdown
>>  dh_installinfo
>>  dh_python2
>> E: dh_python2:145: extension for python2.6 is missing. Build extensions for all supported Python versions (`pyversions -vr`) or adjust X-Python-Version field or pass --no-guessing-versions to dh_python2
>> make: *** [binary] Erreur 3
>> dpkg-buildpackage: erreur: debian/rules binary a produit une erreur de sortie de type 2
>> 
>> Any idea or me advice about how to backport freeipa-client to wheezy ?
> Perhaps, you can fix it in a manner similar to
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628827
> 
> -- 
> / Alexander Bokovoy




From erinn.looneytriggs at gmail.com  Fri Jul 12 18:04:45 2013
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Fri, 12 Jul 2013 14:04:45 -0400
Subject: [Freeipa-users] IPA CA install in ca-bundle.crt
In-Reply-To: <51E03C1F.7080108@redhat.com>
References: <51E0227E.30105@gmail.com> <51E03A8D.8030504@redhat.com>
	<51E03AF4.1070808@gmail.com> <51E03C1F.7080108@redhat.com>
Message-ID: <51E0453D.5020705@gmail.com>

On 07/12/2013 01:25 PM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 07/12/2013 01:19 PM, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> Is there a reason that ipa-client-install does not add the CA of the
>>>> IPA
>>>> server to the ca-bundle.crt file in /etc/pki/certs/?
>>>>
>>>> Seems like it would be a reasonable move to do that.
>>>>
>>>> I know it imports the CA into /etc/pki/nssdb.
>>>>
>>>> Hopefully I didn't miss something that allows it to. But I wanted to
>>>> check if there was a good reason for it not to before going and filing
>>>> an RFE.
>>>
>>> We will as part of the shared system certificates effort,
>>> http://fedoraproject.org/wiki/Features/SharedSystemCertificates Our
>>> ticket is https://fedorahosted.org/freeipa/ticket/3504
>>>
>>> They are working on tools to make managing these certificates easier for
>>> F-20.
>>>
>>> rob
>>>
>>>
>>
>> Yeah I saw that effort for F19, I think it is excellent and well time
>> for it. Glad to know it is on the radar. For those of us in RHEL land at
>> least for now, it looks like this won't help.
> 
> Yeah, sorry about that. The problem is this is one big blob of certs. In
> theory it should be relatively easy to script up something to safely
> add/remove certs from it, but there are issues like updating the
> ca-certificates package would over-write any changes we made. So it's
> the sort of thing that works, then it doesn't, and is really hard to pin
> down why.
> 
> rob
> 

Yep understood, that is they way the cookie crumbles sometimes. Again
just glad it is on the radar and that things are becoming more
centralized. Certificate management has been, in the past, a real pain
point for me.

-Erinn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/b3d714bb/attachment.sig>

From ovalousek at vendavo.com  Fri Jul 12 18:43:45 2013
From: ovalousek at vendavo.com (Ondrej Valousek)
Date: Fri, 12 Jul 2013 18:43:45 +0000
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
References: <2244402.23csPCHrou@localhost.localdomain>,
	<gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
Message-ID: <lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>

Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the horizon yet?
Expiring tickets will render the whole concept unusable otherwise.

Anyone?
O.


Odesl?no ze Samsung Mobile



-------- P?vodn? zpr?va --------
Od: Ondrej Valousek <ovalousek at vendavo.com>
Datum:
Komu: andrew at wasielewski.co.uk,freeipa-users at redhat.com
P?edm?t: RE: [Freeipa-users] Problem with Kerberised NFS mount


Hard to say.
In general, when dealing w/ nfs & kerberos, I would advise to:
? Upgrade to the latest fedora
? Make sure idmapper is configured and working fine
? Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes keys).
Ondrej


Odesl?no ze Samsung Mobile



-------- P?vodn? zpr?va --------
Od: Andrew Wasielewski <andrew at wasielewski.co.uk>
Datum:
Komu: freeipa-users at redhat.com
P?edm?t: [Freeipa-users] Problem with Kerberised NFS mount



Hello everyone,



I am setting up FreeIPA for a small home network. However I have a problem mounting NFS shares with Kerberos enables - see syslog output below.



My NFS, KDC and FreeIPA servers are all on the same host. I am running the NFS mount directly on the server, which has local firewall disabled - I get the same outcome on a remote client, but this surely eliminates any network issues.



These are my NFS exports, which are visible both locally and remotely with "showmount -e":-



[root at server ~]# exportfs -av

exporting gss/krb5:/home

exporting gss/krb5i:/home

exporting gss/krb5p:/home



The command "mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk:/home /mnt/test_mnt" hangs indefinitely. However without the Kerberos export options the NFS share can be mounted both locally and remotely without problem.



I read in a post that the "serializing key with enctype 18 and size 32" entry in syslog means I am trying to use an unsupported key with AES256 encryption (I can find very little about enctype numbers though); however I appear to have an AES256 service principal:



[root at server etc]# ktutil

ktutil: rkt /etc/krb5.keytab

ktutil: list -e

slot KVNO Principal

---- ---- ---------------------------------------------------------------------

1 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (aes256-cts-hmac-sha1-96)

2 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (aes128-cts-hmac-sha1-96)

3 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (des3-cbc-sha1)

4 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (arcfour-hmac)

5 5 nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (aes256-cts-hmac-sha1-96)



My versions are:

Fedora 17 (kernel 3.8.13-100.fc17.x86_64)

FreeIPA 2.2.2

krb5 1.10.2

nfs-utils 1.2.6

I have read of this issue being fixed by downgrading nfs-utils to 1.2.5; however that is not possible due to conflict with systemd. Everything else appears to work OK e.g. domain login, automap etc. When I try to mount the Kerberised NFS share, *nothing* appears in /var/log/krb5kdc.log



Here is my syslog output when attempt the mount:



Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37 si 0x7fffe59b94f0 data 0x7fffe59b93c0

Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)

Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '

Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)

Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service is '<null>'

Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'

Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'

Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK while getting keytab entry for 'SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK'

Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK while getting keytab entry for 'root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK'

Jul 12 01:13:10 server rpc.gssd[31628]: Success getting keytab entry for 'nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK'

Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035

Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035

Jul 12 01:13:10 server rpc.gssd[31628]: using FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK as credentials cache for machine creds

Jul 12 01:13:10 server rpc.gssd[31628]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK

Jul 12 01:13:10 server rpc.gssd[31628]: creating context using fsuid 0 (save_uid 0)

Jul 12 01:13:10 server rpc.gssd[31628]: creating tcp client for server server.wasielewski.co.uk

Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: port already set to 2049

Jul 12 01:13:10 server rpc.gssd[31628]: creating context with server nfs at server.wasielewski.co.uk

Jul 12 01:13:10 server rpc.svcgssd[32135]: leaving poll

Jul 12 01:13:10 server rpc.svcgssd[32135]: handling null request

Jul 12 01:13:10 server rpc.svcgssd[32135]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel

Jul 12 01:13:10 server rpc.svcgssd[32135]: sname = nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK

Jul 12 01:13:10 server rpc.svcgssd[32135]: DEBUG: serialize_krb5_ctx: lucid version!

Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: protocol 1

Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32

Jul 12 01:13:10 server rpc.svcgssd[32135]: doing downcall

Jul 12 01:13:10 server rpc.svcgssd[32135]: mech: krb5, hndl len: 4, ctx len 52, timeout: 1373659035 (71045 from now), clnt: nfs at server.wasielewski.co.uk, uid: -1, gid: -1, num aux grps: 0:

Jul 12 01:13:10 server rpc.svcgssd[32135]: sending null reply

Jul 12 01:13:10 server rpc.svcgssd[32135]: writing message: \x \x6082029f06092a864886f71201020201006e82028e3082028aa003020105a10302010ea20703050020000000a3820184618201803082017ca003020105a1131b1157415349454c4557534b492e434f2e554ba22a3028a003020103a121301f1b036e66731b187365727665722e77617369656c6577736b692e636f2e756ba38201323082012ea003020112a103020105a28201200482011ccd1627a49a2911b9662144c0c43f9e64d78f4e817846f95884f3f43ea053b3954f22fb2d287d9ad0e24f88e32301d6a6f3f70d0e415b9c957e60e773b45b3a065258f1614451a258e3ce05f5c1fb889882b336223a32db10bea70dd334f22b9e1efaddd8b417994f6168d42a065e160353243de8aa53b4449a477567673212d68c241975300d12be7a756b7d4c7c75f8e5e82d84223ad592f6fec6897baa79b92e7097ecf1237f6c2c8ac2555c7c60782f51c386782eb56147e1ffcc8c4de94fba31d1e7a20f88b2ce88a9eb8059a9fe5731c22075280ec9eaf01fc81fccac841002f65d86e0b7000074b84661cb9ceed5e77ca4bdadfbe345ea41467392441ca5f202db006e019826d81d60e383427b5cd766f23b15b4e4eb8ebc1ba481ec3081e9a003020112a281e10481de69f0cdd8b94ef7123715131198824fa3c953d25f7dfea3b253df9623e44c660e7a96629eb323e5616bd7162e0ba4ec2d6037e3b3409be10410b2d3ffc0e2b1631b5dac718c3dfde170ec050bfc1dde657fcb7f35a7ef38e20477fea9d5f7e1320a77eef539455383080522686d1fbfb7bef8cb200dc8810c56e68bc25ad011aff3397781713aa8b696ec9f94843822449d1930b96530f69203840eab8d8398faf1286fde6edf7ef315489aa6621e1be8ea8375c52084895498f57183ccd0a104e7ac244a3fab12449144499a2308103e432c47d945f80e644f4df17271c0 1373588050 0 0 \x73000000 \x60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f87a21e99d0907eadcd179fef73a8a4b38cb8180566d1f2cea453e28b7334b0648a543c3f2588a79f516f7d2238e1cca4ca5ec290b2a5d8b9d570ba47fdc20a2d36bc54928c3addba9b68867028c9adb157e487cc0951bc1270f9f1b96e643bb614589411cc923a9fbe5654beb20d85

Jul 12 01:13:10 server rpc.svcgssd[32135]: finished handling null request

Jul 12 01:13:10 server rpc.svcgssd[32135]: entering poll

Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: serialize_krb5_ctx: lucid version!

Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer: protocol 1

Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32

Jul 12 01:13:10 server rpc.gssd[31628]: doing downcall



Any advice is much appreciated.



Andrew






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/052f69be/attachment.htm>

From chuck.lever at oracle.com  Fri Jul 12 18:52:42 2013
From: chuck.lever at oracle.com (Chuck Lever)
Date: Fri, 12 Jul 2013 14:52:42 -0400
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
References: <2244402.23csPCHrou@localhost.localdomain>,
	<gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
	<lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
Message-ID: <56040F96-3D2B-441F-A007-2A1E486CADD4@oracle.com>


On Jul 12, 2013, at 2:43 PM, Ondrej Valousek <ovalousek at vendavo.com> wrote:

> Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the horizon yet?
> Expiring tickets will render the whole concept unusable otherwise.
> 
> Anyone?

Ask on linux-nfs at vger.kernel.org.  I know upstream is working on this problem.

> O.
> 
> 
> Odesl?no ze Samsung Mobile
> 
> 
> 
> -------- P?vodn? zpr?va --------
> Od: Ondrej Valousek <ovalousek at vendavo.com> 
> Datum: 
> Komu: andrew at wasielewski.co.uk,freeipa-users at redhat.com 
> P?edm?t: RE: [Freeipa-users] Problem with Kerberised NFS mount 
> 
> 
> Hard to say.
> In general, when dealing w/ nfs & kerberos, I would advise to:
> ? Upgrade to the latest fedora
> ? Make sure idmapper is configured and working fine
> ? Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes keys).
> Ondrej
> 
> 
> Odesl?no ze Samsung Mobile
> 
> 
> 
> -------- P?vodn? zpr?va --------
> Od: Andrew Wasielewski <andrew at wasielewski.co.uk> 
> Datum: 
> Komu: freeipa-users at redhat.com 
> P?edm?t: [Freeipa-users] Problem with Kerberised NFS mount 
> 
> 
> 
> Hello everyone,
> 
>  
> 
> I am setting up FreeIPA for a small home network. However I have a problem mounting NFS shares with Kerberos enables - see syslog output below.
> 
>  
> 
> My NFS, KDC and FreeIPA servers are all on the same host. I am running the NFS mount directly on the server, which has local firewall disabled - I get the same outcome on a remote client, but this surely eliminates any network issues.
> 
>  
> 
> These are my NFS exports, which are visible both locally and remotely with "showmount -e":-
> 
>  
> 
> [root at server ~]# exportfs -av
> 
> exporting gss/krb5:/home
> 
> exporting gss/krb5i:/home
> 
> exporting gss/krb5p:/home
> 
>  
> 
> The command "mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk:/home /mnt/test_mnt" hangs indefinitely. However without the Kerberos export options the NFS share can be mounted both locally and remotely without problem.
> 
>  
> 
> I read in a post that the "serializing key with enctype 18 and size 32" entry in syslog means I am trying to use an unsupported key with AES256 encryption (I can find very little about enctype numbers though); however I appear to have an AES256 service principal:
> 
>  
> 
> [root at server etc]# ktutil
> 
> ktutil: rkt /etc/krb5.keytab
> 
> ktutil: list -e
> 
> slot KVNO Principal
> 
> ---- ---- ---------------------------------------------------------------------
> 
> 1 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (aes256-cts-hmac-sha1-96) 
> 
> 2 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (aes128-cts-hmac-sha1-96) 
> 
> 3 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (des3-cbc-sha1) 
> 
> 4 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (arcfour-hmac) 
> 
> 5 5 nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (aes256-cts-hmac-sha1-96) 
> 
>  
> 
> My versions are:
> 
> Fedora 17 (kernel 3.8.13-100.fc17.x86_64)
> 
> FreeIPA 2.2.2
> 
> krb5 1.10.2
> 
> nfs-utils 1.2.6
> 
> I have read of this issue being fixed by downgrading nfs-utils to 1.2.5; however that is not possible due to conflict with systemd. Everything else appears to work OK e.g. domain login, automap etc. When I try to mount the Kerberised NFS share, *nothing* appears
>  in /var/log/krb5kdc.log
> 
>  
> 
> Here is my syslog output when attempt the mount:
> 
>  
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37 si 0x7fffe59b94f0 data 0x7fffe59b93c0
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service is '<null>'
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK while getting keytab entry for 'SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK'
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK while getting keytab entry for 'root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK'
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: Success getting keytab entry for 'nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK'
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: using FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK as credentials cache for machine creds
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: creating context using fsuid 0 (save_uid 0)
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: creating tcp client for server server.wasielewski.co.uk
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: port already set to 2049
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: creating context with server nfs at server.wasielewski.co.uk
> 
> Jul 12 01:13:10 server rpc.svcgssd[32135]: leaving poll
> 
> Jul 12 01:13:10 server rpc.svcgssd[32135]: handling null request
> 
> Jul 12 01:13:10 server rpc.svcgssd[32135]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
> 
> Jul 12 01:13:10 server rpc.svcgssd[32135]: sname = nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
> 
> Jul 12 01:13:10 server rpc.svcgssd[32135]: DEBUG: serialize_krb5_ctx: lucid version!
> 
> Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: protocol 1
> 
> Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> 
> Jul 12 01:13:10 server rpc.svcgssd[32135]: doing downcall
> 
> Jul 12 01:13:10 server rpc.svcgssd[32135]: mech: krb5, hndl len: 4, ctx len 52, timeout: 1373659035 (71045 from now), clnt: nfs at server.wasielewski.co.uk, uid: -1, gid: -1, num aux grps: 0:
> 
> Jul 12 01:13:10 server rpc.svcgssd[32135]: sending null reply
> 
> Jul 12 01:13:10 server rpc.svcgssd[32135]: writing message: \x \x6082029f06092a864886f71201020201006e82028e3082028aa003020105a10302010ea20703050020000000a3820184618201803082017ca003020105a1131b1157415349454c4557534b492e434f2e554ba22a3028a003020103a121301f1b036e66731b187365727665722e77617369656c6577736b692e636f2e756ba38201323082012ea003020112a103020105a28201200482011ccd1627a49a2911b9662144c0c43f9e64d78f4e817846f95884f3f43ea053b3954f22fb2d287d9ad0e24f88e32301d6a6f3f70d0e415b9c957e60e773b45b3a065258f1614451a258e3ce05f5c1fb889882b336223a32db10bea70dd334f22b9e1efaddd8b417994f6168d42a065e160353243de8aa53b4449a477567673212d68c241975300d12be7a756b7d4c7c75f8e5e82d84223ad592f6fec6897baa79b92e7097ecf1237f6c2c8ac2555c7c60782f51c386782eb56147e1ffcc8c4de94fba31d1e7a20f88b2ce88a9eb8059a9fe5731c22075280ec9eaf01fc81fccac841002f65d86e0b7000074b84661cb9ceed5e77ca4bdadfbe345ea41467392441ca5f202db006e019826d81d60e383427b5cd766f23b15b4e4eb8ebc1ba481ec3081e9a003020112a281e10481de69f0cdd8b94ef7123715131198824fa3c953d25f7dfea3b253df9623e44c660e7a96629eb323e5616bd7162e0ba4ec2d6037e3b3409be10410b2d3ffc0e2b1631b5dac718c3dfde170ec050bfc1dde657fcb7f35a7ef38e20477fea9d5f7e1320a77eef539455383080522686d1fbfb7bef8cb200dc8810c56e68bc25ad011aff3397781713aa8b696ec9f94843822449d1930b96530f69203840eab8d8398faf1286fde6edf7ef315489aa6621e1be8ea8375c52084895498f57183ccd0a104e7ac244a3fab12449144499a2308103e432c47d945f80e644f4df17271c0
>  1373588050 0 0 \x73000000 \x60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f87a21e99d0907eadcd179fef73a8a4b38cb8180566d1f2cea453e28b7334b0648a543c3f2588a79f516f7d2238e1cca4ca5ec290b2a5d8b9d570ba47fdc20a2d36bc54928c3addba9b68867028c9adb157e487cc0951bc1270f9f1b96e643bb614589411cc923a9fbe5654beb20d85
> 
> Jul 12 01:13:10 server rpc.svcgssd[32135]: finished handling null request
> 
> Jul 12 01:13:10 server rpc.svcgssd[32135]: entering poll
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: serialize_krb5_ctx: lucid version!
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer: protocol 1
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: doing downcall
> 
>  
> 
> Any advice is much appreciated.
> 
>  
> 
> Andrew
> 
>  
> 
>  
> 
>  
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Chuck Lever
chuck[dot]lever[at]oracle[dot]com




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/08cec0bc/attachment.htm>

From William.Adamson at netapp.com  Fri Jul 12 18:55:29 2013
From: William.Adamson at netapp.com (Adamson, Andy)
Date: Fri, 12 Jul 2013 18:55:29 +0000
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
References: <2244402.23csPCHrou@localhost.localdomain>,
	<gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
	<lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
Message-ID: <068DB436-A076-4382-A5EF-195C15796C22@netapp.com>


On Jul 12, 2013, at 2:43 PM, Ondrej Valousek <ovalousek at vendavo.com<mailto:ovalousek at vendavo.com>>
 wrote:

Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the horizon yet?
Expiring tickets will render the whole concept unusable otherwise.

Hi

I'm looking into Kerberized NFS client issues and bugs. I'll be sure to add this to my todo list.  Do you know if anyone has tried with the latest upstream kernel?

-->Andy


Anyone?
O.


Odesl?no ze Samsung Mobile



-------- P?vodn? zpr?va --------
Od: Ondrej Valousek <ovalousek at vendavo.com<mailto:ovalousek at vendavo.com>>
Datum:
Komu: andrew at wasielewski.co.uk<mailto:andrew at wasielewski.co.uk>,freeipa-users at redhat.com<mailto:freeipa-users at redhat.com>
P?edm?t: RE: [Freeipa-users] Problem with Kerberised NFS mount


Hard to say.
In general, when dealing w/ nfs & kerberos, I would advise to:
? Upgrade to the latest fedora
? Make sure idmapper is configured and working fine
? Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes keys).
Ondrej


Odesl?no ze Samsung Mobile



-------- P?vodn? zpr?va --------
Od: Andrew Wasielewski <andrew at wasielewski.co.uk<mailto:andrew at wasielewski.co.uk>>
Datum:
Komu: freeipa-users at redhat.com<mailto:freeipa-users at redhat.com>
P?edm?t: [Freeipa-users] Problem with Kerberised NFS mount


Hello everyone,



I am setting up FreeIPA for a small home network. However I have a problem mounting NFS shares with Kerberos enables - see syslog output below.



My NFS, KDC and FreeIPA servers are all on the same host. I am running the NFS mount directly on the server, which has local firewall disabled - I get the same outcome on a remote client, but this surely eliminates any network issues.



These are my NFS exports, which are visible both locally and remotely with "showmount -e":-



[root at server ~]# exportfs -av
exporting gss/krb5:/home
exporting gss/krb5i:/home
exporting gss/krb5p:/home



The command "mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk<http://server.wasielewski.co.uk>:/home /mnt/test_mnt" hangs indefinitely. However without the Kerberos export options the NFS share can be mounted both locally and remotely without problem.



I read in a post that the "serializing key with enctype 18 and size 32" entry in syslog means I am trying to use an unsupported key with AES256 encryption (I can find very little about enctype numbers though); however I appear to have an AES256 service principal:



[root at server etc]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> (aes256-cts-hmac-sha1-96)
2 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> (aes128-cts-hmac-sha1-96)
3 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> (des3-cbc-sha1)
4 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> (arcfour-hmac)
5 5 nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> (aes256-cts-hmac-sha1-96)



My versions are:
Fedora 17 (kernel 3.8.13-100.fc17.x86_64)
FreeIPA 2.2.2
krb5 1.10.2
nfs-utils 1.2.6
I have read of this issue being fixed by downgrading nfs-utils to 1.2.5; however that is not possible due to conflict with systemd. Everything else appears to work OK e.g. domain login, automap etc. When I try to mount the Kerberised NFS share, *nothing* appears in /var/log/krb5kdc.log



Here is my syslog output when attempt the mount:



Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37 si 0x7fffe59b94f0 data 0x7fffe59b93c0
Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service is '<null>'
Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk<http://server.wasielewski.co.uk>' is 'server.wasielewski.co.uk<http://server.wasielewski.co.uk>'
Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk<http://server.wasielewski.co.uk>' is 'server.wasielewski.co.uk<http://server.wasielewski.co.uk>'
Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK<mailto:SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK> while getting keytab entry for 'SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK<mailto:SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK>'
Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> while getting keytab entry for 'root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK>'
Jul 12 01:13:10 server rpc.gssd[31628]: Success getting keytab entry for 'nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK>'
Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035
Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035
Jul 12 01:13:10 server rpc.gssd[31628]: using FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK as credentials cache for machine creds
Jul 12 01:13:10 server rpc.gssd[31628]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK
Jul 12 01:13:10 server rpc.gssd[31628]: creating context using fsuid 0 (save_uid 0)
Jul 12 01:13:10 server rpc.gssd[31628]: creating tcp client for server server.wasielewski.co.uk<http://server.wasielewski.co.uk>
Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: port already set to 2049
Jul 12 01:13:10 server rpc.gssd[31628]: creating context with server nfs at server.wasielewski.co.uk<mailto:nfs at server.wasielewski.co.uk>
Jul 12 01:13:10 server rpc.svcgssd[32135]: leaving poll
Jul 12 01:13:10 server rpc.svcgssd[32135]: handling null request
Jul 12 01:13:10 server rpc.svcgssd[32135]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
Jul 12 01:13:10 server rpc.svcgssd[32135]: sname = nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK>
Jul 12 01:13:10 server rpc.svcgssd[32135]: DEBUG: serialize_krb5_ctx: lucid version!
Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: protocol 1
Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Jul 12 01:13:10 server rpc.svcgssd[32135]: doing downcall
Jul 12 01:13:10 server rpc.svcgssd[32135]: mech: krb5, hndl len: 4, ctx len 52, timeout: 1373659035 (71045 from now), clnt: nfs at server.wasielewski.co.uk<mailto:nfs at server.wasielewski.co.uk>, uid: -1, gid: -1, num aux grps: 0:
Jul 12 01:13:10 server rpc.svcgssd[32135]: sending null reply
Jul 12 01:13:10 server rpc.svcgssd[32135]: writing message: \x \x6082029f06092a864886f71201020201006e82028e3082028aa003020105a10302010ea20703050020000000a3820184618201803082017ca003020105a1131b1157415349454c4557534b492e434f2e554ba22a3028a003020103a121301f1b036e66731b187365727665722e77617369656c6577736b692e636f2e756ba38201323082012ea003020112a103020105a28201200482011ccd1627a49a2911b9662144c0c43f9e64d78f4e817846f95884f3f43ea053b3954f22fb2d287d9ad0e24f88e32301d6a6f3f70d0e415b9c957e60e773b45b3a065258f1614451a258e3ce05f5c1fb889882b336223a32db10bea70dd334f22b9e1efaddd8b417994f6168d42a065e160353243de8aa53b4449a477567673212d68c241975300d12be7a756b7d4c7c75f8e5e82d84223ad592f6fec6897baa79b92e7097ecf1237f6c2c8ac2555c7c60782f51c386782eb56147e1ffcc8c4de94fba31d1e7a20f88b2ce88a9eb8059a9fe5731c22075280ec9eaf01fc81fccac841002f65d86e0b7000074b84661cb9ceed5e77ca4bdadfbe345ea41467392441ca5f202db006e019826d81d60e383427b5cd766f23b15b4e4eb8ebc1ba481ec3081e9a003020112a281e10481de69f0cdd8b94ef7123715131198824fa3c953d25f7dfea3b253df9623e44c660e7a96629eb323e5616bd7162e0ba4ec2d6037e3b3409be10410b2d3ffc0e2b1631b5dac718c3dfde170ec050bfc1dde657fcb7f35a7ef38e20477fea9d5f7e1320a77eef539455383080522686d1fbfb7bef8cb200dc8810c56e68bc25ad011aff3397781713aa8b696ec9f94843822449d1930b96530f69203840eab8d8398faf1286fde6edf7ef315489aa6621e1be8ea8375c52084895498f57183ccd0a104e7ac244a3fab12449144499a2308103e432c47d945f80e644f4df17271c0 1373588050 0 0 \x73000000 \x60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f87a21e99d0907eadcd179fef73a8a4b38cb8180566d1f2cea453e28b7334b0648a543c3f2588a79f516f7d2238e1cca4ca5ec290b2a5d8b9d570ba47fdc20a2d36bc54928c3addba9b68867028c9adb157e487cc0951bc1270f9f1b96e643bb614589411cc923a9fbe5654beb20d85
Jul 12 01:13:10 server rpc.svcgssd[32135]: finished handling null request
Jul 12 01:13:10 server rpc.svcgssd[32135]: entering poll
Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: serialize_krb5_ctx: lucid version!
Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer: protocol 1
Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Jul 12 01:13:10 server rpc.gssd[31628]: doing downcall



Any advice is much appreciated.



Andrew







_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/04e72bd4/attachment.htm>

From ovalousek at vendavo.com  Fri Jul 12 19:01:55 2013
From: ovalousek at vendavo.com (Ondrej Valousek)
Date: Fri, 12 Jul 2013 19:01:55 +0000
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <068DB436-A076-4382-A5EF-195C15796C22@netapp.com>
References: <2244402.23csPCHrou@localhost.localdomain>,
	<gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
	<lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>,
	<068DB436-A076-4382-A5EF-195C15796C22@netapp.com>
Message-ID: <vkx21f7igghdw4lf9da9m1qa.1373655707296@email.android.com>

I have only tried with latest centos 6 - i.e. pretty old :-(. But I doubt there is any change in recent kernels.

Hope Simo or Steve Dickson could perhaps shed some light...

But agree, this is not the best list to discuss this.
O.


Odesl?no ze Samsung Mobile



-------- P?vodn? zpr?va --------
Od: "Adamson, Andy" <William.Adamson at netapp.com>
Datum:
Komu: Ondrej Valousek <ovalousek at vendavo.com>
Kopie: andrew at wasielewski.co.uk,freeipa-users at redhat.com
P?edm?t: Re: [Freeipa-users] Problem with Kerberised NFS mount



On Jul 12, 2013, at 2:43 PM, Ondrej Valousek <ovalousek at vendavo.com<mailto:ovalousek at vendavo.com>>
 wrote:

Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the horizon yet?
Expiring tickets will render the whole concept unusable otherwise.

Hi

I'm looking into Kerberized NFS client issues and bugs. I'll be sure to add this to my todo list.  Do you know if anyone has tried with the latest upstream kernel?

-->Andy


Anyone?
O.


Odesl?no ze Samsung Mobile



-------- P?vodn? zpr?va --------
Od: Ondrej Valousek <ovalousek at vendavo.com<mailto:ovalousek at vendavo.com>>
Datum:
Komu: andrew at wasielewski.co.uk<mailto:andrew at wasielewski.co.uk>,freeipa-users at redhat.com<mailto:freeipa-users at redhat.com>
P?edm?t: RE: [Freeipa-users] Problem with Kerberised NFS mount


Hard to say.
In general, when dealing w/ nfs & kerberos, I would advise to:
? Upgrade to the latest fedora
? Make sure idmapper is configured and working fine
? Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes keys).
Ondrej


Odesl?no ze Samsung Mobile



-------- P?vodn? zpr?va --------
Od: Andrew Wasielewski <andrew at wasielewski.co.uk<mailto:andrew at wasielewski.co.uk>>
Datum:
Komu: freeipa-users at redhat.com<mailto:freeipa-users at redhat.com>
P?edm?t: [Freeipa-users] Problem with Kerberised NFS mount


Hello everyone,



I am setting up FreeIPA for a small home network. However I have a problem mounting NFS shares with Kerberos enables - see syslog output below.



My NFS, KDC and FreeIPA servers are all on the same host. I am running the NFS mount directly on the server, which has local firewall disabled - I get the same outcome on a remote client, but this surely eliminates any network issues.



These are my NFS exports, which are visible both locally and remotely with "showmount -e":-



[root at server ~]# exportfs -av
exporting gss/krb5:/home
exporting gss/krb5i:/home
exporting gss/krb5p:/home



The command "mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk<http://server.wasielewski.co.uk>:/home /mnt/test_mnt" hangs indefinitely. However without the Kerberos export options the NFS share can be mounted both locally and remotely without problem.



I read in a post that the "serializing key with enctype 18 and size 32" entry in syslog means I am trying to use an unsupported key with AES256 encryption (I can find very little about enctype numbers though); however I appear to have an AES256 service principal:



[root at server etc]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> (aes256-cts-hmac-sha1-96)
2 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> (aes128-cts-hmac-sha1-96)
3 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> (des3-cbc-sha1)
4 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> (arcfour-hmac)
5 5 nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> (aes256-cts-hmac-sha1-96)



My versions are:
Fedora 17 (kernel 3.8.13-100.fc17.x86_64)
FreeIPA 2.2.2
krb5 1.10.2
nfs-utils 1.2.6
I have read of this issue being fixed by downgrading nfs-utils to 1.2.5; however that is not possible due to conflict with systemd. Everything else appears to work OK e.g. domain login, automap etc. When I try to mount the Kerberised NFS share, *nothing* appears in /var/log/krb5kdc.log



Here is my syslog output when attempt the mount:



Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37 si 0x7fffe59b94f0 data 0x7fffe59b93c0
Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service is '<null>'
Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk<http://server.wasielewski.co.uk>' is 'server.wasielewski.co.uk<http://server.wasielewski.co.uk>'
Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk<http://server.wasielewski.co.uk>' is 'server.wasielewski.co.uk<http://server.wasielewski.co.uk>'
Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK<mailto:SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK> while getting keytab entry for 'SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK<mailto:SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK>'
Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> while getting keytab entry for 'root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK>'
Jul 12 01:13:10 server rpc.gssd[31628]: Success getting keytab entry for 'nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK>'
Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035
Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035
Jul 12 01:13:10 server rpc.gssd[31628]: using FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK as credentials cache for machine creds
Jul 12 01:13:10 server rpc.gssd[31628]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK
Jul 12 01:13:10 server rpc.gssd[31628]: creating context using fsuid 0 (save_uid 0)
Jul 12 01:13:10 server rpc.gssd[31628]: creating tcp client for server server.wasielewski.co.uk<http://server.wasielewski.co.uk>
Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: port already set to 2049
Jul 12 01:13:10 server rpc.gssd[31628]: creating context with server nfs at server.wasielewski.co.uk<mailto:nfs at server.wasielewski.co.uk>
Jul 12 01:13:10 server rpc.svcgssd[32135]: leaving poll
Jul 12 01:13:10 server rpc.svcgssd[32135]: handling null request
Jul 12 01:13:10 server rpc.svcgssd[32135]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
Jul 12 01:13:10 server rpc.svcgssd[32135]: sname = nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK<mailto:nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK>
Jul 12 01:13:10 server rpc.svcgssd[32135]: DEBUG: serialize_krb5_ctx: lucid version!
Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: protocol 1
Jul 12 01:13:10 server rpc.svcgssd[32135]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Jul 12 01:13:10 server rpc.svcgssd[32135]: doing downcall
Jul 12 01:13:10 server rpc.svcgssd[32135]: mech: krb5, hndl len: 4, ctx len 52, timeout: 1373659035 (71045 from now), clnt: nfs at server.wasielewski.co.uk<mailto:nfs at server.wasielewski.co.uk>, uid: -1, gid: -1, num aux grps: 0:
Jul 12 01:13:10 server rpc.svcgssd[32135]: sending null reply
Jul 12 01:13:10 server rpc.svcgssd[32135]: writing message: \x \x6082029f06092a864886f71201020201006e82028e3082028aa003020105a10302010ea20703050020000000a3820184618201803082017ca003020105a1131b1157415349454c4557534b492e434f2e554ba22a3028a003020103a121301f1b036e66731b187365727665722e77617369656c6577736b692e636f2e756ba38201323082012ea003020112a103020105a28201200482011ccd1627a49a2911b9662144c0c43f9e64d78f4e817846f95884f3f43ea053b3954f22fb2d287d9ad0e24f88e32301d6a6f3f70d0e415b9c957e60e773b45b3a065258f1614451a258e3ce05f5c1fb889882b336223a32db10bea70dd334f22b9e1efaddd8b417994f6168d42a065e160353243de8aa53b4449a477567673212d68c241975300d12be7a756b7d4c7c75f8e5e82d84223ad592f6fec6897baa79b92e7097ecf1237f6c2c8ac2555c7c60782f51c386782eb56147e1ffcc8c4de94fba31d1e7a20f88b2ce88a9eb8059a9fe5731c22075280ec9eaf01fc81fccac841002f65d86e0b7000074b84661cb9ceed5e77ca4bdadfbe345ea41467392441ca5f202db006e019826d81d60e383427b5cd766f23b15b4e4eb8ebc1ba481ec3081e9a003020112a281e10481de69f0cdd8b94ef7123715131198824fa3c953d25f7dfea3b253df9623e44c660e7a96629eb323e5616bd7162e0ba4ec2d6037e3b3409be10410b2d3ffc0e2b1631b5dac718c3dfde170ec050bfc1dde657fcb7f35a7ef38e20477fea9d5f7e1320a77eef539455383080522686d1fbfb7bef8cb200dc8810c56e68bc25ad011aff3397781713aa8b696ec9f94843822449d1930b96530f69203840eab8d8398faf1286fde6edf7ef315489aa6621e1be8ea8375c52084895498f57183ccd0a104e7ac244a3fab12449144499a2308103e432c47d945f80e644f4df17271c0 1373588050 0 0 \x73000000 \x60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f87a21e99d0907eadcd179fef73a8a4b38cb8180566d1f2cea453e28b7334b0648a543c3f2588a79f516f7d2238e1cca4ca5ec290b2a5d8b9d570ba47fdc20a2d36bc54928c3addba9b68867028c9adb157e487cc0951bc1270f9f1b96e643bb614589411cc923a9fbe5654beb20d85
Jul 12 01:13:10 server rpc.svcgssd[32135]: finished handling null request
Jul 12 01:13:10 server rpc.svcgssd[32135]: entering poll
Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: serialize_krb5_ctx: lucid version!
Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer: protocol 1
Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
Jul 12 01:13:10 server rpc.gssd[31628]: doing downcall



Any advice is much appreciated.



Andrew







_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/c17e1469/attachment.htm>

From rcritten at redhat.com  Fri Jul 12 19:02:55 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Jul 2013 15:02:55 -0400
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <56040F96-3D2B-441F-A007-2A1E486CADD4@oracle.com>
References: <2244402.23csPCHrou@localhost.localdomain>,
	<gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
	<lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
	<56040F96-3D2B-441F-A007-2A1E486CADD4@oracle.com>
Message-ID: <51E052DF.6040908@redhat.com>

Chuck Lever wrote:
>
> On Jul 12, 2013, at 2:43 PM, Ondrej Valousek <ovalousek at vendavo.com
> <mailto:ovalousek at vendavo.com>> wrote:
>
>> Just back to the Kerberized NFS. Any solution to RH bugzilla #786463
>> on the horizon yet?
>> Expiring tickets will render the whole concept unusable otherwise.
>>
>> Anyone?
>
> Ask on linux-nfs at vger.kernel.org <mailto:linux-nfs at vger.kernel.org>.  I
> know upstream is working on this problem.

https://fedorahosted.org/gss-proxy/ will solve the problem.

rob



From deanhunter at comcast.net  Fri Jul 12 19:22:42 2013
From: deanhunter at comcast.net (Dean Hunter)
Date: Fri, 12 Jul 2013 14:22:42 -0500
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <068DB436-A076-4382-A5EF-195C15796C22@netapp.com>
References: <2244402.23csPCHrou@localhost.localdomain>
	, <gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
	<lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
	<068DB436-A076-4382-A5EF-195C15796C22@netapp.com>
Message-ID: <1373656962.2867.22.camel@developer.hunter.org>

On Fri, 2013-07-12 at 18:55 +0000, Adamson, Andy wrote:

> 
> 
> On Jul 12, 2013, at 2:43 PM, Ondrej Valousek <ovalousek at vendavo.com>
>  wrote:
> 
> 
> 
> > Just back to the Kerberized NFS. Any solution to RH bugzilla #786463
> > on the horizon yet?
> > Expiring tickets will render the whole concept unusable otherwise.
> 
> 
> 
> Hi
> 
> 
> I'm looking into Kerberized NFS client issues and bugs. I'll be sure
> to add this to my todo list.  Do you know if anyone has tried with the
> latest upstream kernel?
> 


I have a Kerberized NFS auto mount working very nicely on Fedora 18,
FreeIPA 3.1.5-1 and company.  But I am having problems getting the same
configuration to work on Fedora 19, FreeIPA 3.2.1-1 and company.  I have
been working to refine the problem definition to more than it does not
work.

> -->Andy
> 
> 
> > 
> > 
> > Anyone?
> > O.
> > 
> > 
> > 
> > 
> > Odesl?no ze Samsung Mobile
> > 
> > 
> > 
> > 
> > -------- P?vodn? zpr?va --------
> > Od: Ondrej Valousek <ovalousek at vendavo.com> 
> > Datum: 
> > Komu: andrew at wasielewski.co.uk,freeipa-users at redhat.com 
> > P?edm?t: RE: [Freeipa-users] Problem with Kerberised NFS mount 
> > 
> > 
> > 
> > Hard to say.
> > In general, when dealing w/ nfs & kerberos, I would advise to:
> > ? Upgrade to the latest fedora
> > ? Make sure idmapper is configured and working fine
> > ? Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can
> > handle aes keys).
> > Ondrej
> > 
> > 
> > 
> > 
> > Odesl?no ze Samsung Mobile
> > 
> > 
> > 
> > 
> > -------- P?vodn? zpr?va --------
> > Od: Andrew Wasielewski <andrew at wasielewski.co.uk> 
> > Datum: 
> > Komu: freeipa-users at redhat.com 
> > P?edm?t: [Freeipa-users] Problem with Kerberised NFS mount 
> > 
> > 
> > 
> > Hello everyone,
> > 
> >  
> > 
> > 
> > I am setting up FreeIPA for a small home network. However I have a
> > problem mounting NFS shares with Kerberos enables - see syslog
> > output below.
> > 
> >  
> > 
> > 
> > My NFS, KDC and FreeIPA servers are all on the same host. I am
> > running the NFS mount directly on the server, which has local
> > firewall disabled - I get the same outcome on a remote client, but
> > this surely eliminates any network issues.
> > 
> >  
> > 
> > 
> > These are my NFS exports, which are visible both locally and
> > remotely with "showmount -e":-
> > 
> >  
> > 
> > 
> > [root at server ~]# exportfs -av
> > exporting gss/krb5:/home
> > exporting gss/krb5i:/home
> > exporting gss/krb5p:/home
> > 
> >  
> > 
> > 
> > The command "mount -t nfs4 -o sec=krb5
> > server.wasielewski.co.uk:/home /mnt/test_mnt" hangs indefinitely.
> > However without the Kerberos export options the NFS share can be
> > mounted both locally and remotely without problem.
> > 
> >  
> > 
> > 
> > I read in a post that the "serializing key with enctype 18 and size
> > 32" entry in syslog means I am trying to use an unsupported key with
> > AES256 encryption (I can find very little about enctype numbers
> > though); however I appear to have an AES256 service principal:
> > 
> >  
> > 
> > 
> > [root at server etc]# ktutil
> > ktutil: rkt /etc/krb5.keytab
> > ktutil: list -e
> > slot KVNO Principal
> > ---- ----
> > ---------------------------------------------------------------------
> > 1 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
> > (aes256-cts-hmac-sha1-96) 
> > 2 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
> > (aes128-cts-hmac-sha1-96) 
> > 3 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (des3-cbc-sha1) 
> > 4 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK (arcfour-hmac) 
> > 5 5 nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
> > (aes256-cts-hmac-sha1-96) 
> > 
> >  
> > 
> > 
> > My versions are:
> > Fedora 17 (kernel 3.8.13-100.fc17.x86_64)
> > FreeIPA 2.2.2
> > krb5 1.10.2
> > nfs-utils 1.2.6
> > I have read of this issue being fixed by downgrading nfs-utils to
> > 1.2.5; however that is not possible due to conflict with systemd.
> > Everything else appears to work OK e.g. domain login, automap etc.
> > When I try to mount the Kerberised NFS share, *nothing* appears
> > in /var/log/krb5kdc.log
> > 
> >  
> > 
> > 
> > Here is my syslog output when attempt the mount:
> > 
> >  
> > 
> > 
> > Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37
> > si 0x7fffe59b94f0 data 0x7fffe59b93c0
> > Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall
> > (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
> > Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall:
> > 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> > Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall
> > (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
> > Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service
> > is '<null>'
> > Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for
> > 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'
> > Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for
> > 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'
> > Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for
> > SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK while getting keytab
> > entry for 'SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK'
> > Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for
> > root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK while getting keytab
> > entry for 'root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK'
> > Jul 12 01:13:10 server rpc.gssd[31628]: Success getting keytab entry
> > for 'nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK'
> > Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC
> > 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until
> > 1373659035
> > Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC
> > 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until
> > 1373659035
> > Jul 12 01:13:10 server rpc.gssd[31628]: using
> > FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK as credentials cache for
> > machine creds
> > Jul 12 01:13:10 server rpc.gssd[31628]: using environment variable
> > to select krb5 ccache FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK
> > Jul 12 01:13:10 server rpc.gssd[31628]: creating context using fsuid
> > 0 (save_uid 0)
> > Jul 12 01:13:10 server rpc.gssd[31628]: creating tcp client for
> > server server.wasielewski.co.uk
> > Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: port already set to
> > 2049
> > Jul 12 01:13:10 server rpc.gssd[31628]: creating context with server
> > nfs at server.wasielewski.co.uk
> > Jul 12 01:13:10 server rpc.svcgssd[32135]: leaving poll
> > Jul 12 01:13:10 server rpc.svcgssd[32135]: handling null request
> > Jul 12 01:13:10 server rpc.svcgssd[32135]:
> > svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with
> > 7 enctypes from the kernel
> > Jul 12 01:13:10 server rpc.svcgssd[32135]: sname =
> > nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
> > Jul 12 01:13:10 server rpc.svcgssd[32135]: DEBUG:
> > serialize_krb5_ctx: lucid version!
> > Jul 12 01:13:10 server rpc.svcgssd[32135]:
> > prepare_krb5_rfc4121_buffer: protocol 1
> > Jul 12 01:13:10 server rpc.svcgssd[32135]:
> > prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and
> > size 32
> > Jul 12 01:13:10 server rpc.svcgssd[32135]: doing downcall
> > Jul 12 01:13:10 server rpc.svcgssd[32135]: mech: krb5, hndl len: 4,
> > ctx len 52, timeout: 1373659035 (71045 from now), clnt:
> > nfs at server.wasielewski.co.uk, uid: -1, gid: -1, num aux grps: 0:
> > Jul 12 01:13:10 server rpc.svcgssd[32135]: sending null reply
> > Jul 12 01:13:10 server rpc.svcgssd[32135]: writing message: \x
> > \x6082029f06092a864886f71201020201006e82028e3082028aa003020105a10302010ea20703050020000000a3820184618201803082017ca003020105a1131b1157415349454c4557534b492e434f2e554ba22a3028a003020103a121301f1b036e66731b187365727665722e77617369656c6577736b692e636f2e756ba38201323082012ea003020112a103020105a28201200482011ccd1627a49a2911b9662144c0c43f9e64d78f4e817846f95884f3f43ea053b3954f22fb2d287d9ad0e24f88e32301d6a6f3f70d0e415b9c957e60e773b45b3a065258f1614451a258e3ce05f5c1fb889882b336223a32db10bea70dd334f22b9e1efaddd8b417994f6168d42a065e160353243de8aa53b4449a477567673212d68c241975300d12be7a756b7d4c7c75f8e5e82d84223ad592f6fec6897baa79b92e7097ecf1237f6c2c8ac2555c7c60782f51c386782eb56147e1ffcc8c4de94fba31d1e7a20f88b2ce88a9eb8059a9fe5731c22075280ec9eaf01fc81fccac841002f65d86e0b7000074b84661cb9ceed5e77ca4bdadfbe345ea41467392441ca5f202db006e019826d81d60e383427b5cd766f23b15b4e4eb8ebc1ba481ec3081e9a003020112a281e10481de69f0cdd8b94ef7123715131198824fa3c953d25f7dfea3b253df9623e44c660e7a96629eb323e5616bd7162e0ba4ec2d6037e3b3409be10410b2d3ffc0e2b1631b5dac718c3dfde170ec050bfc1dde657fcb7f35a7ef38e20477fea9d5f7e1320a77eef539455383080522686d1fbfb7bef8cb200dc8810c56e68bc25ad011aff3397781713aa8b696ec9f94843822449d1930b96530f69203840eab8d8398faf1286fde6edf7ef315489aa6621e1be8ea8375c52084895498f57183ccd0a104e7ac244a3fab12449144499a2308103e432c47d945f80e644f4df17271c0 1373588050 0 0 \x73000000 \x60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f87a21e99d0907eadcd179fef73a8a4b38cb8180566d1f2cea453e28b7334b0648a543c3f2588a79f516f7d2238e1cca4ca5ec290b2a5d8b9d570ba47fdc20a2d36bc54928c3addba9b68867028c9adb157e487cc0951bc1270f9f1b96e643bb614589411cc923a9fbe5654beb20d85
> > Jul 12 01:13:10 server rpc.svcgssd[32135]: finished handling null
> > request
> > Jul 12 01:13:10 server rpc.svcgssd[32135]: entering poll
> > Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: serialize_krb5_ctx:
> > lucid version!
> > Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer:
> > protocol 1
> > Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer:
> > serializing key with enctype 18 and size 32
> > Jul 12 01:13:10 server rpc.gssd[31628]: doing downcall
> > 
> >  
> > 
> > 
> > Any advice is much appreciated.
> > 
> >  
> > 
> > 
> > Andrew
> > 
> >  
> > 
> >  
> > 
> >  
> > 
> > 
> > 
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/85b7723a/attachment.htm>

From dpal at redhat.com  Fri Jul 12 20:52:36 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 12 Jul 2013 16:52:36 -0400
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <1373656962.2867.22.camel@developer.hunter.org>
References: <2244402.23csPCHrou@localhost.localdomain> ,
	<gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
	<lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
	<068DB436-A076-4382-A5EF-195C15796C22@netapp.com>
	<1373656962.2867.22.camel@developer.hunter.org>
Message-ID: <51E06C94.1080906@redhat.com>

On 07/12/2013 03:22 PM, Dean Hunter wrote:
> On Fri, 2013-07-12 at 18:55 +0000, Adamson, Andy wrote:
>>
>> On Jul 12, 2013, at 2:43 PM, Ondrej Valousek <ovalousek at vendavo.com
>> <mailto:ovalousek at vendavo.com>> 
>>  wrote: 
>>
>>> Just back to the Kerberized NFS. Any solution to RH bugzilla #786463
>>> on the horizon yet? 
>>> Expiring tickets will render the whole concept unusable otherwise. 
>>
>>
>> Hi 
>>
>>
>> I'm looking into Kerberized NFS client issues and bugs. I'll be sure
>> to add this to my todo list.  Do you know if anyone has tried with
>> the latest upstream kernel? 
>>
>
> I have a Kerberized NFS auto mount working very nicely on Fedora 18,
> FreeIPA 3.1.5-1 and company.  But I am having problems getting the
> same configuration to work on Fedora 19, FreeIPA 3.2.1-1 and company. 
> I have been working to refine the problem definition to more than it
> does not work.

F19 has GSS proxy. I encourage you to use it. I know it was tried and
worked as several bugs have been addressed.
Gunther CCed will be back from PTO next week and should be able to help. 

>
>> -->Andy 
>>
>>>
>>>
>>> Anyone? 
>>> O. 
>>>
>>>
>>>
>>>
>>> Odesl?no ze Samsung Mobile 
>>>
>>>
>>>
>>> -------- Pu*vodn? zpr?va --------
>>> Od: Ondrej Valousek <ovalousek at vendavo.com
>>> <mailto:ovalousek at vendavo.com>> 
>>> Datum: 
>>> Komu: andrew at wasielewski.co.uk
>>> <mailto:andrew at wasielewski.co.uk>,freeipa-users at redhat.com
>>> <mailto:freeipa-users at redhat.com> 
>>> Pr(edme(t: RE: [Freeipa-users] Problem with Kerberised NFS mount 
>>>
>>>
>>> Hard to say. 
>>> In general, when dealing w/ nfs & kerberos, I would advise to: 
>>> ? Upgrade to the latest fedora 
>>> ? Make sure idmapper is configured and working fine 
>>> ? Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can
>>> handle aes keys). 
>>> Ondrej 
>>>
>>>
>>>
>>>
>>> Odesl?no ze Samsung Mobile 
>>>
>>>
>>>
>>> -------- Pu*vodn? zpr?va --------
>>> Od: Andrew Wasielewski <andrew at wasielewski.co.uk
>>> <mailto:andrew at wasielewski.co.uk>> 
>>> Datum: 
>>> Komu: freeipa-users at redhat.com <mailto:freeipa-users at redhat.com> 
>>> Pr(edme(t: [Freeipa-users] Problem with Kerberised NFS mount 
>>>
>>>
>>> Hello everyone, 
>>>  
>>>
>>> I am setting up FreeIPA for a small home network. However I have a
>>> problem mounting NFS shares with Kerberos enables - see syslog
>>> output below. 
>>>  
>>>
>>> My NFS, KDC and FreeIPA servers are all on the same host. I am
>>> running the NFS mount directly on the server, which has local
>>> firewall disabled - I get the same outcome on a remote client, but
>>> this surely eliminates any network issues. 
>>>  
>>>
>>> These are my NFS exports, which are visible both locally and
>>> remotely with "showmount -e":- 
>>>  
>>>
>>> [root at server ~]# exportfs -av 
>>> exporting gss/krb5:/home 
>>> exporting gss/krb5i:/home 
>>> exporting gss/krb5p:/home 
>>>  
>>>
>>> The command "mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk
>>> <http://server.wasielewski.co.uk>:/home /mnt/test_mnt" hangs
>>> indefinitely. However without the Kerberos export options the NFS
>>> share can be mounted both locally and remotely without problem. 
>>>  
>>>
>>> I read in a post that the "serializing key with enctype 18 and size
>>> 32" entry in syslog means I am trying to use an unsupported key with
>>> AES256 encryption (I can find very little about enctype numbers
>>> though); however I appear to have an AES256 service principal: 
>>>  
>>>
>>> [root at server etc]# ktutil 
>>> ktutil: rkt /etc/krb5.keytab 
>>> ktutil: list -e 
>>> slot KVNO Principal 
>>> ---- ----
>>> --------------------------------------------------------------------- 
>>> 1 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
>>> <mailto:host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK>
>>> (aes256-cts-hmac-sha1-96) 
>>> 2 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
>>> <mailto:host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK>
>>> (aes128-cts-hmac-sha1-96) 
>>> 3 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
>>> <mailto:host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK>
>>> (des3-cbc-sha1) 
>>> 4 2 host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
>>> <mailto:host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> (arcfour-hmac) 
>>> 5 5 nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
>>> <mailto:nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK>
>>> (aes256-cts-hmac-sha1-96) 
>>>  
>>>
>>> My versions are: 
>>> Fedora 17 (kernel 3.8.13-100.fc17.x86_64) 
>>> FreeIPA 2.2.2 
>>> krb5 1.10.2 
>>> nfs-utils 1.2.6 
>>> I have read of this issue being fixed by downgrading nfs-utils to
>>> 1.2.5; however that is not possible due to conflict with systemd.
>>> Everything else appears to work OK e.g. domain login, automap etc.
>>> When I try to mount the Kerberised NFS share, *nothing* appears in
>>> /var/log/krb5kdc.log 
>>>  
>>>
>>> Here is my syslog output when attempt the mount: 
>>>  
>>>
>>> Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37
>>> si 0x7fffe59b94f0 data 0x7fffe59b93c0 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall
>>> (/var/lib/nfs/rpc_pipefs/nfs/clnt48) 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall:
>>> 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 ' 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall
>>> (/var/lib/nfs/rpc_pipefs/nfs/clnt48) 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service
>>> is '<null>' 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for
>>> 'server.wasielewski.co.uk <http://server.wasielewski.co.uk>' is
>>> 'server.wasielewski.co.uk <http://server.wasielewski.co.uk>' 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for
>>> 'server.wasielewski.co.uk <http://server.wasielewski.co.uk>' is
>>> 'server.wasielewski.co.uk <http://server.wasielewski.co.uk>' 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for
>>> SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK
>>> <mailto:SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK> while getting
>>> keytab entry for 'SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK
>>> <mailto:SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK>' 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for
>>> root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
>>> <mailto:root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> while
>>> getting keytab entry for
>>> 'root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
>>> <mailto:root/server.wasielewski.co.uk at WASIELEWSKI.CO.UK>' 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: Success getting keytab entry
>>> for 'nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
>>> <mailto:nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK>' 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC
>>> 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC
>>> 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: using
>>> FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK as credentials cache for
>>> machine creds 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: using environment variable
>>> to select krb5 ccache FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: creating context using fsuid
>>> 0 (save_uid 0) 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: creating tcp client for
>>> server server.wasielewski.co.uk <http://server.wasielewski.co.uk> 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: port already set to 2049 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: creating context with server
>>> nfs at server.wasielewski.co.uk <mailto:nfs at server.wasielewski.co.uk> 
>>> Jul 12 01:13:10 server rpc.svcgssd[32135]: leaving poll 
>>> Jul 12 01:13:10 server rpc.svcgssd[32135]: handling null request 
>>> Jul 12 01:13:10 server rpc.svcgssd[32135]:
>>> svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with
>>> 7 enctypes from the kernel 
>>> Jul 12 01:13:10 server rpc.svcgssd[32135]: sname =
>>> nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
>>> <mailto:nfs/server.wasielewski.co.uk at WASIELEWSKI.CO.UK> 
>>> Jul 12 01:13:10 server rpc.svcgssd[32135]: DEBUG:
>>> serialize_krb5_ctx: lucid version! 
>>> Jul 12 01:13:10 server rpc.svcgssd[32135]:
>>> prepare_krb5_rfc4121_buffer: protocol 1 
>>> Jul 12 01:13:10 server rpc.svcgssd[32135]:
>>> prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and
>>> size 32 
>>> Jul 12 01:13:10 server rpc.svcgssd[32135]: doing downcall 
>>> Jul 12 01:13:10 server rpc.svcgssd[32135]: mech: krb5, hndl len: 4,
>>> ctx len 52, timeout: 1373659035 (71045 from now), clnt:
>>> nfs at server.wasielewski.co.uk <mailto:nfs at server.wasielewski.co.uk>,
>>> uid: -1, gid: -1, num aux grps: 0: 
>>> Jul 12 01:13:10 server rpc.svcgssd[32135]: sending null reply 
>>> Jul 12 01:13:10 server rpc.svcgssd[32135]: writing message: \x
>>> \x6082029f06092a864886f71201020201006e82028e3082028aa003020105a10302010ea20703050020000000a3820184618201803082017ca003020105a1131b1157415349454c4557534b492e434f2e554ba22a3028a003020103a121301f1b036e66731b187365727665722e77617369656c6577736b692e636f2e756ba38201323082012ea003020112a103020105a28201200482011ccd1627a49a2911b9662144c0c43f9e64d78f4e817846f95884f3f43ea053b3954f22fb2d287d9ad0e24f88e32301d6a6f3f70d0e415b9c957e60e773b45b3a065258f1614451a258e3ce05f5c1fb889882b336223a32db10bea70dd334f22b9e1efaddd8b417994f6168d42a065e160353243de8aa53b4449a477567673212d68c241975300d12be7a756b7d4c7c75f8e5e82d84223ad592f6fec6897baa79b92e7097ecf1237f6c2c8ac2555c7c60782f51c386782eb56147e1ffcc8c4de94fba31d1e7a20f88b2ce88a9eb8059a9fe5731c22075280ec9eaf01fc81fccac841002f65d86e0b7000074b84661cb9ceed5e77ca4bdadfbe345ea41467392441ca5f202db006e019826d81d60e383427b5cd766f23b15b4e4eb8ebc1ba481ec3081e9a003020112a281e10481de69f0cdd8b94ef7123715131198824fa3c953d25f7dfea3b253df9623e44c660e7a96629eb323e5616bd7162e0ba4ec2d6037e3b3409be10410b2d3ffc0e2b1631b5dac718c3dfde170ec050bfc1dde657fcb7f35a7ef38e20477fea9d5f7e1320a77eef539455383080522686d1fbfb7bef8cb200dc8810c56e68bc25ad011aff3397781713aa8b696ec9f94843822449d1930b96530f69203840eab8d8398faf1286fde6edf7ef315489aa6621e1be8ea8375c52084895498f57183ccd0a104e7ac244a3fab12449144499a2308103e432c47d945f80e644f4df17271c0
>>> 1373588050 0 0 \x73000000
>>> \x60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f87a21e99d0907eadcd179fef73a8a4b38cb8180566d1f2cea453e28b7334b0648a543c3f2588a79f516f7d2238e1cca4ca5ec290b2a5d8b9d570ba47fdc20a2d36bc54928c3addba9b68867028c9adb157e487cc0951bc1270f9f1b96e643bb614589411cc923a9fbe5654beb20d85
>>
>>> Jul 12 01:13:10 server rpc.svcgssd[32135]: finished handling null
>>> request 
>>> Jul 12 01:13:10 server rpc.svcgssd[32135]: entering poll 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: serialize_krb5_ctx:
>>> lucid version! 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer:
>>> protocol 1 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: prepare_krb5_rfc4121_buffer:
>>> serializing key with enctype 18 and size 32 
>>> Jul 12 01:13:10 server rpc.gssd[31628]: doing downcall 
>>>  
>>>
>>> Any advice is much appreciated. 
>>>  
>>>
>>> Andrew 
>>>  
>>>
>>>  
>>>
>>>  
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>> https://www.redhat.com/mailman/listinfo/freeipa-users 
>>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/e52c9d66/attachment.htm>

From dpal at redhat.com  Fri Jul 12 20:58:38 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 12 Jul 2013 16:58:38 -0400
Subject: [Freeipa-users] PKI-CAD couldn't start
In-Reply-To: <51DFC9CF.90906@gmail.com>
References: <20130712105500.12ac4c82@london.clients.envisia.de>
	<51DFC9CF.90906@gmail.com>
Message-ID: <51E06DFE.5020404@redhat.com>

On 07/12/2013 05:18 AM, natxo asenjo wrote:
> On 07/12/2013 10:55 AM, Christian Schmitt wrote:
>
>> I can't start the IPA Service with service ipa start after an reboot.
>> It fails on the pki-cad service, that only outputs
>> 'grep --help' gives you more information.
>>
>> I'm really not sure whats the correct error and how to restart ipa now.
>
> logs? look in /var/log/dirsrv/slapd-PKI-{yourinstancename}/ , the
> answer should be in one of the files in there.
>
This is a DS log, you need to look into the PKI-CA log. Unfortunately I
do not recall its location from top of my head.
If DS is starting then it might be something with CA itself. It is a new
install or an old one that suddenly stopper working?
If the latter it might be that certs have expired.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





From dpal at redhat.com  Fri Jul 12 21:03:27 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 12 Jul 2013 17:03:27 -0400
Subject: [Freeipa-users] Is GSSAPI secure without TLS?
In-Reply-To: <51E021CC.7070509@gmail.com>
References: <51DD81A2.3010806@gmail.com>
	<1373472723.30537.240.camel@willson.li.ssimo.org>
	<51DDCB85.6050105@redhat.com>
	<2806598.nOdMvboudj@linux-ws1.messinet.com>
	<51E021CC.7070509@gmail.com>
Message-ID: <51E06F1F.5070905@redhat.com>

On 07/12/2013 11:33 AM, Erinn Looney-Triggs wrote:
> GSSAPI inside of a TLS channel apparently isn't secure unless the
> channel is secure and verified. The irony being that GSSAPI auth outside
> of a TLS connection is just fine for postfix.

Is this really the case? I am under the impression that Kerberos is
secure enough outside of the TLS tunnel and this is would be just a
precaution rather than a security measure.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





From nkinder at redhat.com  Fri Jul 12 21:14:48 2013
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 12 Jul 2013 14:14:48 -0700
Subject: [Freeipa-users] PKI-CAD couldn't start
In-Reply-To: <51E06DFE.5020404@redhat.com>
References: <20130712105500.12ac4c82@london.clients.envisia.de>
	<51DFC9CF.90906@gmail.com> <51E06DFE.5020404@redhat.com>
Message-ID: <51E071C8.8030704@redhat.com>

On 07/12/2013 01:58 PM, Dmitri Pal wrote:
> On 07/12/2013 05:18 AM, natxo asenjo wrote:
>> On 07/12/2013 10:55 AM, Christian Schmitt wrote:
>>
>>> I can't start the IPA Service with service ipa start after an reboot.
>>> It fails on the pki-cad service, that only outputs
>>> 'grep --help' gives you more information.
>>>
>>> I'm really not sure whats the correct error and how to restart ipa now.
>> logs? look in /var/log/dirsrv/slapd-PKI-{yourinstancename}/ , the
>> answer should be in one of the files in there.
>>
> This is a DS log, you need to look into the PKI-CA log. Unfortunately I
> do not recall its location from top of my head.
We need to see if /var/log/pki-ca/catalina.out gives any clues when the 
startup fails.

Thanks,
-NGK
> If DS is starting then it might be something with CA itself. It is a new
> install or an old one that suddenly stopper working?
> If the latter it might be that certs have expired.
>



From rcritten at redhat.com  Fri Jul 12 21:27:35 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 Jul 2013 17:27:35 -0400
Subject: [Freeipa-users] PKI-CAD couldn't start
In-Reply-To: <51E071C8.8030704@redhat.com>
References: <20130712105500.12ac4c82@london.clients.envisia.de>
	<51DFC9CF.90906@gmail.com> <51E06DFE.5020404@redhat.com>
	<51E071C8.8030704@redhat.com>
Message-ID: <51E074C7.3030800@redhat.com>

Nathan Kinder wrote:
> On 07/12/2013 01:58 PM, Dmitri Pal wrote:
>> On 07/12/2013 05:18 AM, natxo asenjo wrote:
>>> On 07/12/2013 10:55 AM, Christian Schmitt wrote:
>>>
>>>> I can't start the IPA Service with service ipa start after an reboot.
>>>> It fails on the pki-cad service, that only outputs
>>>> 'grep --help' gives you more information.
>>>>
>>>> I'm really not sure whats the correct error and how to restart ipa now.
>>> logs? look in /var/log/dirsrv/slapd-PKI-{yourinstancename}/ , the
>>> answer should be in one of the files in there.
>>>
>> This is a DS log, you need to look into the PKI-CA log. Unfortunately I
>> do not recall its location from top of my head.
> We need to see if /var/log/pki-ca/catalina.out gives any clues when the
> startup fails.

I wonder if it is even getting that far. If it is failing with grep 
usage then I wonder if something is missing that the init script is 
looking for.

rob



From erinn.looneytriggs at gmail.com  Fri Jul 12 21:36:03 2013
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Fri, 12 Jul 2013 17:36:03 -0400
Subject: [Freeipa-users] Is GSSAPI secure without TLS?
In-Reply-To: <51E06F1F.5070905@redhat.com>
References: <51DD81A2.3010806@gmail.com>
	<1373472723.30537.240.camel@willson.li.ssimo.org>
	<51DDCB85.6050105@redhat.com>
	<2806598.nOdMvboudj@linux-ws1.messinet.com>
	<51E021CC.7070509@gmail.com> <51E06F1F.5070905@redhat.com>
Message-ID: <51E076C3.50201@gmail.com>

On 07/12/2013 05:03 PM, Dmitri Pal wrote:
> On 07/12/2013 11:33 AM, Erinn Looney-Triggs wrote:
>> GSSAPI inside of a TLS channel apparently isn't secure unless the
>> channel is secure and verified. The irony being that GSSAPI auth outside
>> of a TLS connection is just fine for postfix.
> 
> Is this really the case? I am under the impression that Kerberos is
> secure enough outside of the TLS tunnel and this is would be just a
> precaution rather than a security measure.
> 

I'll be honest, I doubt I am smart enough/ have enough time to figure
all this out. However, this is via a user on the Postfix mailing list:

"GSSAPI inside TLS currently does not perform channel binding, and
so your session can be hijacked, after the client authenticates
with GSSAPI.  You can use "fingerprint" security if your server
certificate is not signed by a usable CA."

I asked for some more details and got this back:

https://tools.ietf.org/html/rfc5056

It sounds to me like this is Postfix specific. But again I don't know
all of the nuances of this, and security on this level can be very nuanced.

Now whether this fellow who gave this information to me is the designer
of TLS in Postfix or just some other poor schlub like myself I can't
say. But it certainly appears like it could be a problem.

-Erinn


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/88d53d5a/attachment.sig>

From dpal at redhat.com  Fri Jul 12 21:46:20 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 12 Jul 2013 17:46:20 -0400
Subject: [Freeipa-users] Is GSSAPI secure without TLS?
In-Reply-To: <51E076C3.50201@gmail.com>
References: <51DD81A2.3010806@gmail.com>
	<1373472723.30537.240.camel@willson.li.ssimo.org>
	<51DDCB85.6050105@redhat.com>
	<2806598.nOdMvboudj@linux-ws1.messinet.com>
	<51E021CC.7070509@gmail.com> <51E06F1F.5070905@redhat.com>
	<51E076C3.50201@gmail.com>
Message-ID: <51E0792C.2000903@redhat.com>

On 07/12/2013 05:36 PM, Erinn Looney-Triggs wrote:
> On 07/12/2013 05:03 PM, Dmitri Pal wrote:
>> On 07/12/2013 11:33 AM, Erinn Looney-Triggs wrote:
>>> GSSAPI inside of a TLS channel apparently isn't secure unless the
>>> channel is secure and verified. The irony being that GSSAPI auth outside
>>> of a TLS connection is just fine for postfix.
>> Is this really the case? I am under the impression that Kerberos is
>> secure enough outside of the TLS tunnel and this is would be just a
>> precaution rather than a security measure.
>>
> I'll be honest, I doubt I am smart enough/ have enough time to figure
> all this out. However, this is via a user on the Postfix mailing list:
>
> "GSSAPI inside TLS currently does not perform channel binding, and
> so your session can be hijacked, after the client authenticates
> with GSSAPI.  You can use "fingerprint" security if your server
> certificate is not signed by a usable CA."
>
> I asked for some more details and got this back:
>
> https://tools.ietf.org/html/rfc5056
>
> It sounds to me like this is Postfix specific. But again I don't know
> all of the nuances of this, and security on this level can be very nuanced.
>
> Now whether this fellow who gave this information to me is the designer
> of TLS in Postfix or just some other poor schlub like myself I can't
> say. But it certainly appears like it could be a problem.
>
> -Erinn

OK, makes sense. Thanks for clarifying.

>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/d39df8a9/attachment.htm>

From deanhunter at comcast.net  Fri Jul 12 22:15:19 2013
From: deanhunter at comcast.net (Dean Hunter)
Date: Fri, 12 Jul 2013 17:15:19 -0500
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <51E06C94.1080906@redhat.com>
References: <2244402.23csPCHrou@localhost.localdomain>
	, <gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
	<lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
	<068DB436-A076-4382-A5EF-195C15796C22@netapp.com>
	<1373656962.2867.22.camel@developer.hunter.org>
	<51E06C94.1080906@redhat.com>
Message-ID: <1373667319.2867.25.camel@developer.hunter.org>

On Fri, 2013-07-12 at 16:52 -0400, Dmitri Pal wrote:

> F19 has GSS proxy. I encourage you to use it. I know it was tried and
> worked as several bugs have been addressed.
> Gunther CCed will be back from PTO next week and should be able to
> help.  


Is the GSS proxy configured by ipa-client-automount?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/a32a3510/attachment.htm>

From sakodak at gmail.com  Sat Jul 13 00:38:41 2013
From: sakodak at gmail.com (KodaK)
Date: Fri, 12 Jul 2013 19:38:41 -0500
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <51DF2F8D.7090802@redhat.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DDD997.3010103@gmail.com>
	<CAA9J0ZF32PgS9Sob1Q3EpWQExOOyj6KrbQcTxvgTG5SvW7xuJg@mail.gmail.com>
	<CAA9J0ZH_aXDfibzJsrq2ghLGWhYXzz7m9AUpWN9k_kC5DHqBRg@mail.gmail.com>
	<51DF26C1.3050508@redhat.com>
	<CAA9J0ZF2MJubkRawsP8f0ZYiMhYbxUy0a0C=rxCitBr+CLXAvw@mail.gmail.com>
	<51DF2F8D.7090802@redhat.com>
Message-ID: <CAA9J0ZHgsFK-Q3pQFTDjBLpG=YhGVwyvG8JqDbvyjckErZ_9iQ@mail.gmail.com>

On Thu, Jul 11, 2013 at 5:19 PM, Dmitri Pal <dpal at redhat.com> wrote:

>
> I am not good with ldap syntax but SQL natural for me so conceptually the
> search would look like this:
>
>
I don't think it's humanly possible to be good at ldap syntax.


> I hope it conveys what I have in mind. The result of such search would be
> a list of group members that have access to the host.
> This is pretty close to what you have done except it covers nested groups
> too and uses HBAC rules.
>
>
I haven't had any luck with nested groups at all anyway, so I avoid using
them.  I may give this idea some more thought.  Thanks.


> Private. I made a typo. It should have been V :-)
>
>
Ah, ok. :)
-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/8f94abc6/attachment.htm>

From sakodak at gmail.com  Sat Jul 13 00:39:27 2013
From: sakodak at gmail.com (KodaK)
Date: Fri, 12 Jul 2013 19:39:27 -0500
Subject: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
In-Reply-To: <51DFF73A.3070800@gmail.com>
References: <CAA9J0ZEX3K3n8UaPo5Wde+i8qT4NT-rdiiKU_tDJ0yUS9FeMRA@mail.gmail.com>
	<51DDD997.3010103@gmail.com>
	<CAA9J0ZF32PgS9Sob1Q3EpWQExOOyj6KrbQcTxvgTG5SvW7xuJg@mail.gmail.com>
	<CAA9J0ZH_aXDfibzJsrq2ghLGWhYXzz7m9AUpWN9k_kC5DHqBRg@mail.gmail.com>
	<51DFF73A.3070800@gmail.com>
Message-ID: <CAA9J0ZEGy-T-dvNiD2Oh_e530emkwpoYPm6XRxW_w+jthEu6LQ@mail.gmail.com>

On Fri, Jul 12, 2013 at 7:31 AM, natxo asenjo <natxo.asenjo at gmail.com>wrote:

>
>>
> tcp wrappers support netgroups (iirc), you could use that too (you
> cannot mix hosts and users though, so you should create netgroups of
> users.
>
>
I haven't used tcp wrappers in years, and I never knew it supported
netgroups.  That's great to know, thanks!

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130712/7db2b8b2/attachment.htm>

From packages at amiga-hardware.com  Sat Jul 13 03:28:51 2013
From: packages at amiga-hardware.com (Ian Chapman)
Date: Sat, 13 Jul 2013 11:28:51 +0800
Subject: [Freeipa-users] F18 -> F19 upgrade
Message-ID: <51E0C973.8010801@amiga-hardware.com>

Hi,

I've just recently upgrade my F18 server to F19 and IPA is failing to start:

Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Aborting ipactl
Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting Directory Service
Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting krb5kdc Service
Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting kadmin Service
Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting ipa_memcached 
Service
Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting httpd Service
Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting pki-cad Service
Jul 13 10:52:30 rex.homenet.lan systemd[1]: ipa.service: main process 
exited, code=exited, status=1/FAILURE
Jul 13 10:52:30 rex.homenet.lan systemd[1]: Failed to start Identity, 
Policy, Audit.
Jul 13 10:52:30 rex.homenet.lan systemd[1]: Unit ipa.service entered 
failed state.



It seems that the pki-cad service fails to start. Is that in relation to 
dogtag upgrade of 9 to 10 or possibly another problem?

There is of course this page:

http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10

but frankly I don't really understand it. Well I get that the idea is to 
create a new pki cloned instance which would be dogtag 10 compatible and 
then delete the old one - I'm really don't know what I'm supposed to put 
in the configuration file. Has anybody else done this? Is there some 
more examples? Thanks.


The status of pki-cad is:

systemctl status pki-cad at pki-ca.service
pki-cad at pki-ca.service - PKI Certificate Authority Server pki-ca
    Loaded: loaded (/usr/lib/systemd/system/pki-cad at .service; enabled)
    Active: failed (Result: exit-code) since Sat 2013-07-13 10:54:23 
WST; 30min ago
   Process: 98170 ExecStart=/usr/bin/pkicontrol start ca %i 
(code=exited, status=1/FAILURE)

Jul 13 10:54:23 rex.homenet.lan systemd[1]: Starting PKI Certificate 
Authority Server pki-ca...
Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: WARNING:  Symbolic 
link '/var/lib/pki-ca/pki-ca' does NOT exist!
Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: INFO:  Attempting to 
create '/var/lib/pki-ca/pki-ca' -> '/usr/sbin/tomcat6-sysd' . . .
Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: ERROR:  Failed making 
'/var/lib/pki-ca/pki-ca' -> '/usr/sbin/tomcat6-sysd' since target 
'/usr/sb...T exist!
Jul 13 10:54:23 rex.homenet.lan systemd[1]: pki-cad at pki-ca.service: 
control process exited, code=exited status=1
Jul 13 10:54:23 rex.homenet.lan systemd[1]: Failed to start PKI 
Certificate Authority Server pki-ca.
Jul 13 10:54:23 rex.homenet.lan systemd[1]: Unit pki-cad at pki-ca.service 
entered failed state.


-- 
Ian Chapman.



From c.schmitt at briefdomain.de  Sat Jul 13 13:23:24 2013
From: c.schmitt at briefdomain.de (Schmitt, Christian)
Date: Sat, 13 Jul 2013 15:23:24 +0200
Subject: [Freeipa-users] PKI-CAD couldn't start
In-Reply-To: <51E074C7.3030800@redhat.com>
References: <20130712105500.12ac4c82@london.clients.envisia.de>
	<51DFC9CF.90906@gmail.com> <51E06DFE.5020404@redhat.com>
	<51E071C8.8030704@redhat.com> <51E074C7.3030800@redhat.com>
Message-ID: <CAPDLAU5COpq1DJjAOU8gbuptL74p-5za7wW75YAP1ygkX6=S4w@mail.gmail.com>

btw. it was a new 'test' install.
So it wasn't an issue by making a new install.
The certs wasn't expired, and as said it couldn't get too far, but the
initscript didn't changed. i diff'd every config file of pki-ca.
i also tried to reproduce it on a second test machine, by shutting it down
and up some times on vmware esxi.

Btw. I only did a maintance mode on vmware esxi installed a new driver (an
intel driver for networking) then i stopped the maintance mode, and
shutdown the whole hypervisor.
Two machines were shutdown correct, but i think the ipa server didn't he
stucked by shutting down pki-ca (btw. this step takes a long time even when
rebooting from a shell)

then after the reboot of the hypervisor, the two other vm's started
correctly. only the ipa machine took a long time to be turned on. (btw. the
time was in sync)
but i didn't change any config file or init.d file. it was a clean install
where i only added groups / users and changed some dns things and added 2
hosts.

machine was / is a totally standard machine 2 intel nics, 4 harddrives, 1
processors e5 didn't know the correct spec, so nothing special.
the ipa machine was as already said a CentOS 6.4 with IdM and an ntp server
(btw. the config files say on virtual machines you shouldn't do this, but
since we have no chance to run any ntp outside of a vm we need to do it)
I think the problem caused by a ungraceful shutdown of the Idenity
Management. While it tried to shutdown PKI-CA.

As said even on a second test VM i couldn't reproduce it since i've always
shutdown correctly. never tried to shutdown the hypervisor off again.
But I can do it on monday.
I've also taken a look into catalina.out but there was only a socket error.
nothing that has something to do with the grep command.

I think the problem got caused by a chain of really bad steps that and i
was really unhappy to reach this kind of things.
i don't think the problem will getting reporduced that easily.

but still thanks for your help. maybe i just need to be more careful.



2013/7/12 Rob Crittenden <rcritten at redhat.com>

> Nathan Kinder wrote:
>
>> On 07/12/2013 01:58 PM, Dmitri Pal wrote:
>>
>>> On 07/12/2013 05:18 AM, natxo asenjo wrote:
>>>
>>>> On 07/12/2013 10:55 AM, Christian Schmitt wrote:
>>>>
>>>>  I can't start the IPA Service with service ipa start after an reboot.
>>>>> It fails on the pki-cad service, that only outputs
>>>>> 'grep --help' gives you more information.
>>>>>
>>>>> I'm really not sure whats the correct error and how to restart ipa now.
>>>>>
>>>> logs? look in /var/log/dirsrv/slapd-PKI-{**yourinstancename}/ , the
>>>> answer should be in one of the files in there.
>>>>
>>>>  This is a DS log, you need to look into the PKI-CA log. Unfortunately I
>>> do not recall its location from top of my head.
>>>
>> We need to see if /var/log/pki-ca/catalina.out gives any clues when the
>> startup fails.
>>
>
> I wonder if it is even getting that far. If it is failing with grep usage
> then I wonder if something is missing that the init script is looking for.
>
> rob
>
>
> ______________________________**_________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130713/9c1c62f2/attachment.htm>

From pspacek at redhat.com  Mon Jul 15 06:37:11 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 15 Jul 2013 08:37:11 +0200
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
	<20130712173610.GY18587@redhat.com>
	<77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>
Message-ID: <51E39897.5080907@redhat.com>

On 12.7.2013 19:57, Alexandre Ellert wrote:
> Thanks for pointing that bug, compilation succeeded if adding "X-Python-Version: 2.7" to debian/control file.
> Now, testing functionality...
> I can give you some feedback if you want (i'm new here. Is there only RHEL/Fedora users on this mailing list ?)

This list is not Fedora/RHEL specific. We are glad to hear about ports to 
another distributions, please continue! :-)

-- 
Petr^2 Spacek



From james.hogarth at gmail.com  Mon Jul 15 09:17:59 2013
From: james.hogarth at gmail.com (James Hogarth)
Date: Mon, 15 Jul 2013 10:17:59 +0100
Subject: [Freeipa-users] Question about design of ldap dns
Message-ID: <CAGkb5vfgmzUfRyeSkdJWzvn32NWhOuR6NY6JtL_-oL++3LeeWg@mail.gmail.com>

Hi guys,

I'm just picking up the nice to have ticket of configure the default TTL as
part of my general TTL refactor work seeing as the exposing and
modification of TTL in the UI is unlikely to be complete before 3.3 freeze
(mostly working but a few bugs remaining) :

https://fedorahosted.org/bind-dyndb-ldap/ticket/70

https://fedorahosted.org/freeipa/ticket/2956

The approach I'm considering is to make the record capable of an individual
TTL by just appending the TTL to the record so it would look like:
dn: idnsName=bar, idnsName=example.com, cn=dns, dc=example, dc=com
idnsName: bar
ARecord: 192.168.1.100 7200

This is an approach that matches how things like MX and SRV are dealt with
(except those have numbers at the front) and would require much simpler
modifications.

Then there would be a precedence to the actual TTL used in this order:
1) If a TTL is in the record data use that
2) If a TTL is in the idnsName data (the current dnsTTL attribute) then use
that
3) If a TTL is in the zone data (as per the ticket name to be decided) then
use that
4) If a TTL is specified in the named.conf configuration for the
bind-dyndb-ldap plugin then use that.

Although potentially not as nice as making each data entry a first class
citizen as an object in LDAP such as for an example:
dn: aRecord=192.168.1.100,idnsName=bar, idnsName=example.com, cn=dns,
dc=example, dc=com
aRecordName: bar
aRecordData: 192.168.1.100
aRecordTTL: 7200

It'd require far less upheaval in terms of migrations and testing...

What are your thoughts on this before I start digging into this part of the
code base?

Cheers,

James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/9d259844/attachment.htm>

From William.Adamson at netapp.com  Fri Jul 12 19:16:34 2013
From: William.Adamson at netapp.com (Adamson, Andy)
Date: Fri, 12 Jul 2013 19:16:34 +0000
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <51E052DF.6040908@redhat.com>
References: <2244402.23csPCHrou@localhost.localdomain>,
	<gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
	<lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
	<56040F96-3D2B-441F-A007-2A1E486CADD4@oracle.com>
	<51E052DF.6040908@redhat.com>
Message-ID: <173FDA90-E773-4045-B115-327517BB20F1@netapp.com>


On Jul 12, 2013, at 3:02 PM, Rob Crittenden <rcritten at redhat.com>
 wrote:

> Chuck Lever wrote:
>> 
>> On Jul 12, 2013, at 2:43 PM, Ondrej Valousek <ovalousek at vendavo.com
>> <mailto:ovalousek at vendavo.com>> wrote:
>> 
>>> Just back to the Kerberized NFS. Any solution to RH bugzilla #786463
>>> on the horizon yet?
>>> Expiring tickets will render the whole concept unusable otherwise.
>>> 
>>> Anyone?
>> 
>> Ask on linux-nfs at vger.kernel.org <mailto:linux-nfs at vger.kernel.org>.  I
>> know upstream is working on this problem.
> 
> https://fedorahosted.org/gss-proxy/ will solve the problem.

Only for renewable tickets that gss-proxy renews. If a use has a non-renewable ticket, then the problem still exists.  I'm working on a set of GSS expiry patches and I'll make sure this problem is solved in the kernel.

-->Andy

> 
> rob
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




From simo at redhat.com  Mon Jul 15 13:32:20 2013
From: simo at redhat.com (Simo Sorce)
Date: Mon, 15 Jul 2013 09:32:20 -0400
Subject: [Freeipa-users] Is GSSAPI secure without TLS?
In-Reply-To: <51E0792C.2000903@redhat.com>
References: <51DD81A2.3010806@gmail.com>
	<1373472723.30537.240.camel@willson.li.ssimo.org>
	<51DDCB85.6050105@redhat.com>
	<2806598.nOdMvboudj@linux-ws1.messinet.com>
	<51E021CC.7070509@gmail.com> <51E06F1F.5070905@redhat.com>
	<51E076C3.50201@gmail.com>  <51E0792C.2000903@redhat.com>
Message-ID: <1373895140.30537.344.camel@willson.li.ssimo.org>

On Fri, 2013-07-12 at 17:46 -0400, Dmitri Pal wrote:
> On 07/12/2013 05:36 PM, Erinn Looney-Triggs wrote: 
> > On 07/12/2013 05:03 PM, Dmitri Pal wrote:
> > > On 07/12/2013 11:33 AM, Erinn Looney-Triggs wrote:
> > > > GSSAPI inside of a TLS channel apparently isn't secure unless the
> > > > channel is secure and verified. The irony being that GSSAPI auth outside
> > > > of a TLS connection is just fine for postfix.
> > > Is this really the case? I am under the impression that Kerberos is
> > > secure enough outside of the TLS tunnel and this is would be just a
> > > precaution rather than a security measure.
> > > 
> > I'll be honest, I doubt I am smart enough/ have enough time to figure
> > all this out. However, this is via a user on the Postfix mailing list:
> > 
> > "GSSAPI inside TLS currently does not perform channel binding, and
> > so your session can be hijacked, after the client authenticates
> > with GSSAPI.  You can use "fingerprint" security if your server
> > certificate is not signed by a usable CA."
> > 
> > I asked for some more details and got this back:
> > 
> > https://tools.ietf.org/html/rfc5056
> > 
> > It sounds to me like this is Postfix specific. But again I don't know
> > all of the nuances of this, and security on this level can be very nuanced.
> > 
> > Now whether this fellow who gave this information to me is the designer
> > of TLS in Postfix or just some other poor schlub like myself I can't
> > say. But it certainly appears like it could be a problem.
> > 
> > -Erinn
> 
> OK, makes sense. Thanks for clarifying.

Just to make it more clear, what is happening here, is that when Postifx
uses GSSAPI within a TLS channel it does not ask for integrity and
confidentiality services from GSSAPI, it uses it exclusively as an
authentication method. This is why, without Channel Bindings
authentication is not cryptographically tied to the outer encryption
layer. So a MITM *could* be operated by establishing 2 valid TLS
channels and simply forwarding communications from one channel to the
other.

It is not that simple if both enpoints use certificates to validate to
each other and full SSL verification is on. But Clients usually do not
have X509 certificates, so there is no mutual authentication at the SSL
level in that case and MITM becomes much easier.

Now the question would be: why postfix doesn't do channel bindings? I
guess it maybe because GSSAPI is behind the SASL layer, but I haven't
checked.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From simo at redhat.com  Mon Jul 15 13:33:13 2013
From: simo at redhat.com (Simo Sorce)
Date: Mon, 15 Jul 2013 09:33:13 -0400
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <1373667319.2867.25.camel@developer.hunter.org>
References: <2244402.23csPCHrou@localhost.localdomain>
	, <gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
	<lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
	<068DB436-A076-4382-A5EF-195C15796C22@netapp.com>
	<1373656962.2867.22.camel@developer.hunter.org>
	<51E06C94.1080906@redhat.com>
	<1373667319.2867.25.camel@developer.hunter.org>
Message-ID: <1373895193.30537.345.camel@willson.li.ssimo.org>

On Fri, 2013-07-12 at 17:15 -0500, Dean Hunter wrote:
> On Fri, 2013-07-12 at 16:52 -0400, Dmitri Pal wrote:
> > F19 has GSS proxy. I encourage you to use it. I know it was tried
> > and worked as several bugs have been addressed.
> > Gunther CCed will be back from PTO next week and should be able to
> > help.  
> 
> Is the GSS proxy configured by ipa-client-automount?

No, gssproxy is quite new and we do not configure it by default at this
stage.
It has been tested only with NFS (both server and client) on Fedora 19.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From simo at redhat.com  Mon Jul 15 13:37:16 2013
From: simo at redhat.com (Simo Sorce)
Date: Mon, 15 Jul 2013 09:37:16 -0400
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <173FDA90-E773-4045-B115-327517BB20F1@netapp.com>
References: <2244402.23csPCHrou@localhost.localdomain>
	, <gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
	<lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
	<56040F96-3D2B-441F-A007-2A1E486CADD4@oracle.com>
	<51E052DF.6040908@redhat.com>
	<173FDA90-E773-4045-B115-327517BB20F1@netapp.com>
Message-ID: <1373895436.30537.347.camel@willson.li.ssimo.org>

On Fri, 2013-07-12 at 19:16 +0000, Adamson, Andy wrote:
> On Jul 12, 2013, at 3:02 PM, Rob Crittenden <rcritten at redhat.com>
>  wrote:
> 
> > Chuck Lever wrote:
> >> 
> >> On Jul 12, 2013, at 2:43 PM, Ondrej Valousek <ovalousek at vendavo.com
> >> <mailto:ovalousek at vendavo.com>> wrote:
> >> 
> >>> Just back to the Kerberized NFS. Any solution to RH bugzilla #786463
> >>> on the horizon yet?
> >>> Expiring tickets will render the whole concept unusable otherwise.
> >>> 
> >>> Anyone?
> >> 
> >> Ask on linux-nfs at vger.kernel.org <mailto:linux-nfs at vger.kernel.org>.  I
> >> know upstream is working on this problem.
> > 
> > https://fedorahosted.org/gss-proxy/ will solve the problem.
> 
> Only for renewable tickets that gss-proxy renews. If a use has a non-renewable ticket, then the problem still exists.  I'm working on a set of GSS expiry patches and I'll make sure this problem is solved in the kernel.

Just to avoid confusion.

GSS-Proxy doesn't really handle renews at this stage (except as a a
possible side effect of GSSAPI doing it under the hood on its own), it
only handles acquiring new credentials using keytabs or using existing
valid credentials from a standard ccache pre-populated by the user.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From simo at redhat.com  Mon Jul 15 13:58:59 2013
From: simo at redhat.com (Simo Sorce)
Date: Mon, 15 Jul 2013 09:58:59 -0400
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <1373896200.1743.1.camel@developer.hunter.org>
References: <2244402.23csPCHrou@localhost.localdomain>
	, <gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
	<lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
	<068DB436-A076-4382-A5EF-195C15796C22@netapp.com>
	<1373656962.2867.22.camel@developer.hunter.org>
	<51E06C94.1080906@redhat.com>
	<1373667319.2867.25.camel@developer.hunter.org>
	<1373895193.30537.345.camel@willson.li.ssimo.org>
	<1373896200.1743.1.camel@developer.hunter.org>
Message-ID: <1373896739.30537.352.camel@willson.li.ssimo.org>

On Mon, 2013-07-15 at 08:50 -0500, Dean Hunter wrote:
> On Mon, 2013-07-15 at 09:33 -0400, Simo Sorce wrote: 
> > On Fri, 2013-07-12 at 17:15 -0500, Dean Hunter wrote:
> > > On Fri, 2013-07-12 at 16:52 -0400, Dmitri Pal wrote:
> > > > F19 has GSS proxy. I encourage you to use it. I know it was tried
> > > > and worked as several bugs have been addressed.
> > > > Gunther CCed will be back from PTO next week and should be able to
> > > > help.  
> > > 
> > > Is the GSS proxy configured by ipa-client-automount?
> > 
> > No, gssproxy is quite new and we do not configure it by default at this
> > stage.
> > It has been tested only with NFS (both server and client) on Fedora 19.
> > 
> > Simo.
> > 
> Where might I find instructions on how to configure the GSS proxy for
> use with IPA and automount?
> 
The default configuration of GSS-Proxy should be sufficient, just
install it and enable it to start on the client.

You can the drop keytabs in /var/lib/gssproxy/clients, look at the
default configuration to see how the scheme works.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From jcholast at redhat.com  Mon Jul 15 14:35:41 2013
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 15 Jul 2013 16:35:41 +0200
Subject: [Freeipa-users] Question about design of ldap dns
In-Reply-To: <CAGkb5vfgmzUfRyeSkdJWzvn32NWhOuR6NY6JtL_-oL++3LeeWg@mail.gmail.com>
References: <CAGkb5vfgmzUfRyeSkdJWzvn32NWhOuR6NY6JtL_-oL++3LeeWg@mail.gmail.com>
Message-ID: <51E408BD.4000608@redhat.com>

On 15.7.2013 11:17, James Hogarth wrote:
> Hi guys,
>
> I'm just picking up the nice to have ticket of configure the default TTL
> as part of my general TTL refactor work seeing as the exposing and
> modification of TTL in the UI is unlikely to be complete before 3.3
> freeze (mostly working but a few bugs remaining) :
>
> https://fedorahosted.org/bind-dyndb-ldap/ticket/70
>
> https://fedorahosted.org/freeipa/ticket/2956
>
> The approach I'm considering is to make the record capable of an
> individual TTL by just appending the TTL to the record so it would look
> like:
> dn: idnsName=bar, idnsName=example.com <http://example.com>, cn=dns,
> dc=example, dc=com
> idnsName: bar
> ARecord: 192.168.1.100 7200
>
> This is an approach that matches how things like MX and SRV are dealt
> with (except those have numbers at the front) and would require much
> simpler modifications.
>
> Then there would be a precedence to the actual TTL used in this order:
> 1) If a TTL is in the record data use that
> 2) If a TTL is in the idnsName data (the current dnsTTL attribute) then
> use that
> 3) If a TTL is in the zone data (as per the ticket name to be decided)
> then use that
> 4) If a TTL is specified in the named.conf configuration for the
> bind-dyndb-ldap plugin then use that.
>
> Although potentially not as nice as making each data entry a first class
> citizen as an object in LDAP such as for an example:
> dn: aRecord=192.168.1.100,idnsName=bar, idnsName=example.com
> <http://example.com>, cn=dns, dc=example, dc=com
> aRecordName: bar
> aRecordData: 192.168.1.100
> aRecordTTL: 7200
>
> It'd require far less upheaval in terms of migrations and testing...
>
> What are your thoughts on this before I start digging into this part of
> the code base?
>
> Cheers,
>
> James
>

There's a third option: group DNS records by both name and TTL, instead 
of just name, like this:

dn: idnsName=bar+dNSTTL=7200,idnsName=example.com
idnsName: bar
dNSTTL: 7200
aRecord: 1.2.3.4

dn: idnsName=bar+dNSTTL=3600,idnsName=example.com
idnsName: bar
dNSTTL: 3600
aRecord: 5.6.7.8

This way you don't have to change the format of existing attributes nor 
add new attributes.

Honza

-- 
Jan Cholasta



From klarmstrong2 at liberty.edu  Mon Jul 15 14:40:19 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Mon, 15 Jul 2013 14:40:19 +0000
Subject: [Freeipa-users] [freeipa-users] errors when trying to add public
	SSH key to user
Message-ID: <1373899219.7679.4.camel@localhost.localdomain>

I'm trying to add an SSH public key to a user, and I keep getting IPA Error 3009 or IPA Error 3008 when I try to update the page.  I have copied over the exact contents of the .ssh/id_rsa.pub file.  Even if I take the username portion out at the end of the file, I still get the same error messages.

When I try to add it from the command line, I get:

ipa: ERROR: invalid 'sshpubkey': invalid SSH public key

And yes, I verified that ssh-rsa is at the beginning of the key output.

This is on a RHEL 6 server.

Any thoughts?

Thanks.

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/a34e0fb7/attachment.htm>

From deanhunter at comcast.net  Mon Jul 15 13:50:00 2013
From: deanhunter at comcast.net (Dean Hunter)
Date: Mon, 15 Jul 2013 08:50:00 -0500
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <1373895193.30537.345.camel@willson.li.ssimo.org>
References: <2244402.23csPCHrou@localhost.localdomain>
	, <gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
	<lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
	<068DB436-A076-4382-A5EF-195C15796C22@netapp.com>
	<1373656962.2867.22.camel@developer.hunter.org>
	<51E06C94.1080906@redhat.com>
	<1373667319.2867.25.camel@developer.hunter.org>
	<1373895193.30537.345.camel@willson.li.ssimo.org>
Message-ID: <1373896200.1743.1.camel@developer.hunter.org>

On Mon, 2013-07-15 at 09:33 -0400, Simo Sorce wrote:

> On Fri, 2013-07-12 at 17:15 -0500, Dean Hunter wrote:
> > On Fri, 2013-07-12 at 16:52 -0400, Dmitri Pal wrote:
> > > F19 has GSS proxy. I encourage you to use it. I know it was tried
> > > and worked as several bugs have been addressed.
> > > Gunther CCed will be back from PTO next week and should be able to
> > > help.  
> > 
> > Is the GSS proxy configured by ipa-client-automount?
> 
> No, gssproxy is quite new and we do not configure it by default at this
> stage.
> It has been tested only with NFS (both server and client) on Fedora 19.
> 
> Simo.
> 

Where might I find instructions on how to configure the GSS proxy for
use with IPA and automount?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/cb99f40f/attachment.htm>

From jpazdziora at redhat.com  Mon Jul 15 15:09:40 2013
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Mon, 15 Jul 2013 17:09:40 +0200
Subject: [Freeipa-users] [freeipa-users] errors when trying to add
	public SSH key to user
In-Reply-To: <1373899219.7679.4.camel@localhost.localdomain>
References: <1373899219.7679.4.camel@localhost.localdomain>
Message-ID: <20130715150940.GU1972@redhat.com>

On Mon, Jul 15, 2013 at 02:40:19PM +0000, Armstrong, Kenneth Lawrence wrote:
> I'm trying to add an SSH public key to a user, and I keep getting IPA Error 3009 or IPA Error 3008 when I try to update the page.  I have copied over the exact contents of the .ssh/id_rsa.pub file.  Even if I take the username portion out at the end of the file, I still get the same error messages.
> 
> When I try to add it from the command line, I get:
> 
> ipa: ERROR: invalid 'sshpubkey': invalid SSH public key
> 
> And yes, I verified that ssh-rsa is at the beginning of the key output.
> 
> This is on a RHEL 6 server.
> 
> Any thoughts?

Does it fail even if you do not copy-n-paste the key but let shell
expand it as

	ipa user-mod demo --sshpubkey "$( cat /tmp/demo.pub )"

?

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat



From klarmstrong2 at liberty.edu  Mon Jul 15 15:13:49 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Mon, 15 Jul 2013 15:13:49 +0000
Subject: [Freeipa-users] [freeipa-users] errors when trying to add
	public SSH key to user
In-Reply-To: <20130715150940.GU1972@redhat.com>
References: <1373899219.7679.4.camel@localhost.localdomain>
	<20130715150940.GU1972@redhat.com>
Message-ID: <1373901229.16869.0.camel@localhost.localdomain>

Good thought.  I just tried it and it still fails:

[karmstrong at linuxtest<mailto:karmstrong at linuxtest> ~]$ ipa user-mod karmstrong --sshpubkey "$(cat .ssh/id_rsa.pub)"
ipa: ERROR: invalid 'sshpubkey': invalid SSH public key


On Mon, 2013-07-15 at 17:09 +0200, Jan Pazdziora wrote:


On Mon, Jul 15, 2013 at 02:40:19PM +0000, Armstrong, Kenneth Lawrence wrote:
> I'm trying to add an SSH public key to a user, and I keep getting IPA Error 3009 or IPA Error 3008 when I try to update the page.  I have copied over the exact contents of the .ssh/id_rsa.pub file.  Even if I take the username portion out at the end of the file, I still get the same error messages.
>
> When I try to add it from the command line, I get:
>
> ipa: ERROR: invalid 'sshpubkey': invalid SSH public key
>
> And yes, I verified that ssh-rsa is at the beginning of the key output.
>
> This is on a RHEL 6 server.
>
> Any thoughts?

Does it fail even if you do not copy-n-paste the key but let shell
expand it as

        ipa user-mod demo --sshpubkey "$( cat /tmp/demo.pub )"

?



--

Kenny Armstrong
System Administrator
IS Operations

[http://www.liberty.edu/media/1616/40themail/wordmark-for-email.jpg]<http://www.liberty.edu/media/1616/40themail/wordmark-for-email.jpg>

Training Champions for Christ since 1971
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/0f38ec1f/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wordmark-for-email.jpg
Type: image/jpeg
Size: 4988 bytes
Desc: wordmark-for-email.jpg
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/0f38ec1f/attachment.jpg>

From tbabej at redhat.com  Mon Jul 15 15:30:15 2013
From: tbabej at redhat.com (Tomas Babej)
Date: Mon, 15 Jul 2013 17:30:15 +0200
Subject: [Freeipa-users] [freeipa-users] errors when trying to add
	public SSH key to user
In-Reply-To: <1373901229.16869.0.camel@localhost.localdomain>
References: <1373899219.7679.4.camel@localhost.localdomain>
	<20130715150940.GU1972@redhat.com>
	<1373901229.16869.0.camel@localhost.localdomain>
Message-ID: <1817691.vSVl8LXMzj@thinkpad7.brq.redhat.com>

On Monday 15 of July 2013 15:13:49 Armstrong, Kenneth Lawrence wrote:
> Good thought.  I just tried it and it still fails:
> 
> [karmstrong at linuxtest<mailto:karmstrong at linuxtest> ~]$ ipa user-mod karmstrong --sshpubkey "$(cat .ssh/id_rsa.pub)"
> ipa: ERROR: invalid 'sshpubkey': invalid SSH public key
> 

Are you sure the ssh public key file is not damaged? The following sequence of commands works for me (verified now):

[root at vm-154 tbabej]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /home/tbabej/test_rsa
[..]

[root at vm-154 tbabej]# ipa user-mod admin --sshpubkey "$(cat test_rsa.pub)"
---------------------
Modified user "admin"
---------------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
[..]

Tomas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/3bfbffd0/attachment.htm>

From klarmstrong2 at liberty.edu  Mon Jul 15 15:36:46 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Mon, 15 Jul 2013 15:36:46 +0000
Subject: [Freeipa-users] [freeipa-users] errors when trying to add
 public SSH key to user
In-Reply-To: <1817691.vSVl8LXMzj@thinkpad7.brq.redhat.com>
References: <1373899219.7679.4.camel@localhost.localdomain>
	<20130715150940.GU1972@redhat.com>
	<1373901229.16869.0.camel@localhost.localdomain>
	<1817691.vSVl8LXMzj@thinkpad7.brq.redhat.com>
Message-ID: <1373902606.16869.3.camel@localhost.localdomain>

I do not believe that it is damaged.  I have tried this out three times now (deleting the key files between each attempt).

-Kenny

On Mon, 2013-07-15 at 17:30 +0200, Tomas Babej wrote:
On Monday 15 of July 2013 15:13:49 Armstrong, Kenneth Lawrence wrote:

> Good thought. I just tried it and it still fails:

>

> [karmstrong at linuxtest<mailto:karmstrong at linuxtest> ~]$ ipa user-mod karmstrong --sshpubkey "$(cat .ssh/id_rsa.pub)"

> ipa: ERROR: invalid 'sshpubkey': invalid SSH public key

>



Are you sure the ssh public key file is not damaged? The following sequence of commands works for me (verified now):



[root at vm-154 tbabej]# ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa): /home/tbabej/test_rsa

[..]



[root at vm-154 tbabej]# ipa user-mod admin --sshpubkey "$(cat test_rsa.pub)"

---------------------

Modified user "admin"

---------------------

User login: admin

Last name: Administrator

Home directory: /home/admin

Login shell: /bin/bash

[..]



Tomas


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/33f84921/attachment.htm>

From tbabej at redhat.com  Mon Jul 15 15:41:50 2013
From: tbabej at redhat.com (Tomas Babej)
Date: Mon, 15 Jul 2013 17:41:50 +0200
Subject: [Freeipa-users] [freeipa-users] errors when trying to add
	public SSH key to user
In-Reply-To: <1373902606.16869.3.camel@localhost.localdomain>
References: <1373899219.7679.4.camel@localhost.localdomain>
	<1817691.vSVl8LXMzj@thinkpad7.brq.redhat.com>
	<1373902606.16869.3.camel@localhost.localdomain>
Message-ID: <2713317.Xc6b775qVC@thinkpad7.brq.redhat.com>

On Monday 15 of July 2013 15:36:46 Armstrong, Kenneth Lawrence wrote:
> I do not believe that it is damaged.  I have tried this out three times now (deleting the key files between each attempt).
> 
> -Kenny

What is the version of your IPA server?

Tomas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/c38c8d8a/attachment.htm>

From klarmstrong2 at liberty.edu  Mon Jul 15 15:42:51 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Mon, 15 Jul 2013 15:42:51 +0000
Subject: [Freeipa-users] [freeipa-users] errors when trying to add
 public SSH key to user
In-Reply-To: <2713317.Xc6b775qVC@thinkpad7.brq.redhat.com>
References: <1373899219.7679.4.camel@localhost.localdomain>
	<1817691.vSVl8LXMzj@thinkpad7.brq.redhat.com>
	<1373902606.16869.3.camel@localhost.localdomain>
	<2713317.Xc6b775qVC@thinkpad7.brq.redhat.com>
Message-ID: <1373902971.16869.4.camel@localhost.localdomain>

ipa-server-2.2.0-17.el6_3.1.x86_64

-Kenny

On Mon, 2013-07-15 at 17:41 +0200, Tomas Babej wrote:
On Monday 15 of July 2013 15:36:46 Armstrong, Kenneth Lawrence wrote:

> I do not believe that it is damaged. I have tried this out three times now (deleting the key files between each attempt).

>

> -Kenny



What is the version of your IPA server?



Tomas


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/7341d9ad/attachment.htm>

From mkosek at redhat.com  Mon Jul 15 15:47:24 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 15 Jul 2013 17:47:24 +0200
Subject: [Freeipa-users] F18 -> F19 upgrade
In-Reply-To: <51E0C973.8010801@amiga-hardware.com>
References: <51E0C973.8010801@amiga-hardware.com>
Message-ID: <51E4198C.40305@redhat.com>

On 07/13/2013 05:28 AM, Ian Chapman wrote:
> Hi,
> 
> I've just recently upgrade my F18 server to F19 and IPA is failing to start:
> 
> Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Aborting ipactl
> Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting Directory Service
> Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting krb5kdc Service
> Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting kadmin Service
> Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting ipa_memcached Service
> Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting httpd Service
> Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting pki-cad Service
> Jul 13 10:52:30 rex.homenet.lan systemd[1]: ipa.service: main process exited,
> code=exited, status=1/FAILURE
> Jul 13 10:52:30 rex.homenet.lan systemd[1]: Failed to start Identity, Policy,
> Audit.
> Jul 13 10:52:30 rex.homenet.lan systemd[1]: Unit ipa.service entered failed state.
> 
> 
> 
> It seems that the pki-cad service fails to start. Is that in relation to dogtag
> upgrade of 9 to 10 or possibly another problem?
> 
> There is of course this page:
> 
> http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10
> 
> but frankly I don't really understand it. Well I get that the idea is to create
> a new pki cloned instance which would be dogtag 10 compatible and then delete
> the old one - I'm really don't know what I'm supposed to put in the
> configuration file. Has anybody else done this? Is there some more examples?
> Thanks.
> 
> 
> The status of pki-cad is:
> 
> systemctl status pki-cad at pki-ca.service
> pki-cad at pki-ca.service - PKI Certificate Authority Server pki-ca
>    Loaded: loaded (/usr/lib/systemd/system/pki-cad at .service; enabled)
>    Active: failed (Result: exit-code) since Sat 2013-07-13 10:54:23 WST; 30min ago
>   Process: 98170 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited,
> status=1/FAILURE)
> 
> Jul 13 10:54:23 rex.homenet.lan systemd[1]: Starting PKI Certificate Authority
> Server pki-ca...
> Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: WARNING:  Symbolic link
> '/var/lib/pki-ca/pki-ca' does NOT exist!
> Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: INFO:  Attempting to create
> '/var/lib/pki-ca/pki-ca' -> '/usr/sbin/tomcat6-sysd' . . .
> Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: ERROR:  Failed making
> '/var/lib/pki-ca/pki-ca' -> '/usr/sbin/tomcat6-sysd' since target '/usr/sb...T
> exist!
> Jul 13 10:54:23 rex.homenet.lan systemd[1]: pki-cad at pki-ca.service: control
> process exited, code=exited status=1
> Jul 13 10:54:23 rex.homenet.lan systemd[1]: Failed to start PKI Certificate
> Authority Server pki-ca.
> Jul 13 10:54:23 rex.homenet.lan systemd[1]: Unit pki-cad at pki-ca.service entered
> failed state.
>

Adding PKI/Dogtag developers to CC to advise.

Martin



From ovalousek at vendavo.com  Mon Jul 15 16:15:02 2013
From: ovalousek at vendavo.com (Ondrej Valousek)
Date: Mon, 15 Jul 2013 16:15:02 +0000
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <1373895436.30537.347.camel@willson.li.ssimo.org>
References: <2244402.23csPCHrou@localhost.localdomain>	,
	<gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
	<lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
	<56040F96-3D2B-441F-A007-2A1E486CADD4@oracle.com>
	<51E052DF.6040908@redhat.com>
	<173FDA90-E773-4045-B115-327517BB20F1@netapp.com>,
	<1373895436.30537.347.camel@willson.li.ssimo.org>
Message-ID: <7oqj8l5wjen9kly88j6yakiv.1373904870503@email.android.com>

Ok. I agree that the problem needs to be fixed in kernel - lets hope the patches will find their way into RHEL 7 ;-).
Does it mean that since Fedora 19 the default location of krb5.keytab is /var/lib/gssproxy?
O.


Odesl?no ze Samsung Mobile



-------- P?vodn? zpr?va --------
Od: Simo Sorce <simo at redhat.com>
Datum:
Komu: "Adamson, Andy" <William.Adamson at netapp.com>
Kopie: andrew at wasielewski.co.uk,freeipa-users at redhat.com
P?edm?t: Re: [Freeipa-users] Problem with Kerberised NFS mount


On Fri, 2013-07-12 at 19:16 +0000, Adamson, Andy wrote:
> On Jul 12, 2013, at 3:02 PM, Rob Crittenden <rcritten at redhat.com>
>  wrote:
>
> > Chuck Lever wrote:
> >>
> >> On Jul 12, 2013, at 2:43 PM, Ondrej Valousek <ovalousek at vendavo.com
> >> <mailto:ovalousek at vendavo.com>> wrote:
> >>
> >>> Just back to the Kerberized NFS. Any solution to RH bugzilla #786463
> >>> on the horizon yet?
> >>> Expiring tickets will render the whole concept unusable otherwise.
> >>>
> >>> Anyone?
> >>
> >> Ask on linux-nfs at vger.kernel.org <mailto:linux-nfs at vger.kernel.org>.  I
> >> know upstream is working on this problem.
> >
> > https://fedorahosted.org/gss-proxy/ will solve the problem.
>
> Only for renewable tickets that gss-proxy renews. If a use has a non-renewable ticket, then the problem still exists.  I'm working on a set of GSS expiry patches and I'll make sure this problem is solved in the kernel.

Just to avoid confusion.

GSS-Proxy doesn't really handle renews at this stage (except as a a
possible side effect of GSSAPI doing it under the hood on its own), it
only handles acquiring new credentials using keytabs or using existing
valid credentials from a standard ccache pre-populated by the user.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/20cd9218/attachment.htm>

From diaulasacn at primeinformatica.com.br  Mon Jul 15 16:57:11 2013
From: diaulasacn at primeinformatica.com.br (diaulasacn at primeinformatica.com.br)
Date: Mon, 15 Jul 2013 13:57:11 -0300 (BRT)
Subject: [Freeipa-users] Error uninstalling ipa-client
Message-ID: <25882.200.220.180.66.1373907431.squirrel@www.primeinformatica.com.br>

Hi,

  Im trying to "reinstall" a unsuccessful instalation...

   ipa-client-install tells me to uninstall first

   ipa-client-install --uninstall return that error:

"  Failed to remove krb5/LDAP configuration: Command '/usr/sbin/authconfig
--disablekrb5 --disablesssd --update --disablemkhomedir --disableldap
--disablesssdauth' returned non-zero exit status 6"



My enviroment:


lsb_release -a
LSB Version:   
:base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: RedHatEnterpriseServer
Description:    Red Hat Enterprise Linux Server release 6.4 (Santiago)
Release:        6.4
Codename:       Santiago


# rpm -qa ipa*
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64


All updates installed.




From james.hogarth at gmail.com  Mon Jul 15 17:25:21 2013
From: james.hogarth at gmail.com (James Hogarth)
Date: Mon, 15 Jul 2013 18:25:21 +0100
Subject: [Freeipa-users] [freeipa-users] errors when trying to add
 public SSH key to user
In-Reply-To: <1373902971.16869.4.camel@localhost.localdomain>
References: <1373899219.7679.4.camel@localhost.localdomain>
	<1817691.vSVl8LXMzj@thinkpad7.brq.redhat.com>
	<1373902606.16869.3.camel@localhost.localdomain>
	<2713317.Xc6b775qVC@thinkpad7.brq.redhat.com>
	<1373902971.16869.4.camel@localhost.localdomain>
Message-ID: <CAGkb5vdd7YQx4vdbAQu4AWdXE0+fSuwzmKy5Bzwdmw8nab6rcA@mail.gmail.com>

ipa-server-2.2.0-17.el6_3.1.x86_64
>
>
>

Think I see the problem here ....

>From the 3.0 release notes:

   - SSH public key format has been changed to OpenSSH-style public keys.


http://www.freeipa.org/page/IPAv3_300_ga

You really ought to get those servers updated to RHEL 6.4 with IPA 3.0
(which is part of 6.4) ...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/d584e2d1/attachment.htm>

From MTovey at go2uti.com  Mon Jul 15 18:00:19 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Mon, 15 Jul 2013 18:00:19 +0000
Subject: [Freeipa-users] sudo rules user and host group bugs?
Message-ID: <159018F515D5B14CA76C88F9C425325A6522CD@sinmpt10.corp.go2uti.com>



    Did anyone find a solution for this?  I am having the same experience.

ipa sudorule-show my_sudo_rule
  Rule name: my_sudo_rule
  Enabled: TRUE
  Command category: all
  User Groups: ugroup1, ugroup2, ugroup3
  Host Groups: hgroup1

ipa hostgroup-show hgroup1
  Host-group: hgroup1
  Description: Test host group
  Member hosts: server1.my_domain.com, server2.my_domain.com,
                server3.my_domain.com, server4.my_domain.com
  Member of HBAC rule: hbac_rule1
  Member of Sudo rule: my_sudo_rule

    Only when I add the hosts directly into the sudo rule instead of indirectly through a host group does the sudo rule work.

    Thanks,
    -Mark



On Jun 5, 2013, at 1:47 PM, KodaK wrote:

Sorry, for some reason gmail makes me forget about "reply all."

On Wed, Jun 5, 2013 at 2:45 PM, Dmitri Pal <dpal redhat com<mailto:dpal redhat com>> wrote:
On 06/05/2013 11:20 AM, KodaK wrote:
I know this has been discussed before, but I didn't see anything with a cursory search.

There are bugs when using user and host groups with sudo rules.  I have to split out my users and hosts into individual entries.  I'm running ipa 3.0.0-26 on RHEL.

All I really want to know is if this is fixed upstream.


I am not sure I recall a bug you are referring to. A quick scan against the open tickets does not reveal anything like what you describe.
Can you provide the description of the issue or point to the earlier thread on the matter?


I'm going off of memory on seeing the previous bug.  It very well could be a false memory.

I have a rule like this:

[jebalicki mo0033802 ~]$ ipa sudorule-show esolutions-sandbox-root-access
  Rule name: esolutions-sandbox-root-access
  Enabled: TRUE
  Users: slfries, awellard
  Hosts: slnessbxl01.unix.magellanhealth.com
  Sudo Allow Commands: /bin/su -

This works.  However, if I change the rule to use hostgroups instead of listing the hosts individually the rule will not work.

The groups still exist and look like this:

[jebalicki mo0033802 ~]$ ipa hostgroup-show esolutions-sandbox-hosts
  Host-group: esolutions-sandbox-hosts
  Description: esolutions sandbox hosts
  Member hosts: slnessbxl01.unix.magellanhealth.com
  Member of HBAC rule: esolutions-sandbox-access

[jebalicki mo0033802 ~]$ ipa group-show esolutions
  Group name: esolutions
  Description: esolutions group
  GID: 1115600250
  Member users: awellard, slfries
  Member of HBAC rule: esolutions-sandbox-access

Client machine is pretty much default-out-of-the-box IRT IPA configuration, here's the installer output (installs during kickstart):

[root slnessbxl01 ~]# cat ks-post.log
Discovery was successful!
Hostname: slnessbxl01.unix.magellanhealth.com
Realm: UNIX.MAGELLANHEALTH.COM
DNS Domain: UNIX.MAGELLANHEALTH.COM
IPA Server: slpidml01.unix.magellanhealth.com
BaseDN: dc=unix,dc=magellanhealth,dc=com


Synchronizing time with KDC...

Enrolled in IPA realm UNIX.MAGELLANHEALTH.COM
Created /etc/ipa/default.conf
New SSSD config will be created.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX.MAGELLANHEALTH.COM
Warning: Hostname (slnessbxl01.unix.magellanhealth.com) not found in DNS
DNS server record set to: slnessbxl01.unix.magellanhealth.com -> 10.200.12.104
SSSD enabled
NTP enabled
Client configuration complete.

[root slnessbxl01 ~]# rpm -qa | grep ipa
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
[root slnessbxl01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)
[root slnessbxl01 ~]#

Troubleshooting:

Can you confirm that the output of the following commands:
1. $ domainname
* does it match your domain?
2. $ hostname
* does match match your fqdn?
3. $ getent netgroup esolutions-sandbox-hosts
* does this list your host?
4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?


Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):

At the top, add the line: sudoers_debug 2

Then try another sudo command. sudo -l for example.

This should result in a long list of search criteria and status.  The last few lines should indicate where any matches occurred.

"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JR Aquino

Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Exploit Researcher and Advanced Penetration Tester |
GIAC WebApplication Penetration Tester | GIAC Certified Incident Handler
JR Aquino citrix com<mailto:JR Aquino citrix com>

[cid:image002.jpg at 01CD4A37.5451DC00]



Powering mobile workstyles and cloud services


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/e614775a/attachment.htm>

From simo at redhat.com  Mon Jul 15 18:23:25 2013
From: simo at redhat.com (Simo Sorce)
Date: Mon, 15 Jul 2013 14:23:25 -0400
Subject: [Freeipa-users] Problem with Kerberised NFS mount
In-Reply-To: <7oqj8l5wjen9kly88j6yakiv.1373904870503@email.android.com>
References: <2244402.23csPCHrou@localhost.localdomain>
	, <gqgnplqubq3r0c47nwm67250.1373640706644@email.android.com>
	<lrf0tgvyq7xcgruqhtq1jyxs.1373654616909@email.android.com>
	<56040F96-3D2B-441F-A007-2A1E486CADD4@oracle.com>
	<51E052DF.6040908@redhat.com>
	<173FDA90-E773-4045-B115-327517BB20F1@netapp.com>
	,<1373895436.30537.347.camel@willson.li.ssimo.org>
	<7oqj8l5wjen9kly88j6yakiv.1373904870503@email.android.com>
Message-ID: <1373912605.30537.372.camel@willson.li.ssimo.org>

On Mon, 2013-07-15 at 16:15 +0000, Ondrej Valousek wrote:
> Ok. I agree that the problem needs to be fixed in kernel - lets hope
> the patches will find their way into RHEL 7 ;-).

I am not aware of any kernel issue.

> Does it mean that since Fedora 19 the default location of krb5.keytab
> is /var/lib/gssproxy?

no the default keytab is always /etc/krb5.keytab
> 
Simo.
> 
> 
> Odesl?no ze Samsung Mobile
> 
> 
> 
> -------- P?vodn? zpr?va --------
> Od: Simo Sorce <simo at redhat.com> 
> Datum: 
> Komu: "Adamson, Andy" <William.Adamson at netapp.com> 
> Kopie: andrew at wasielewski.co.uk,freeipa-users at redhat.com 
> P?edm?t: Re: [Freeipa-users] Problem with Kerberised NFS mount 
> 
> 
> 
> On Fri, 2013-07-12 at 19:16 +0000, Adamson, Andy wrote:
> > On Jul 12, 2013, at 3:02 PM, Rob Crittenden <rcritten at redhat.com>
> >  wrote:
> > 
> > > Chuck Lever wrote:
> > >> 
> > >> On Jul 12, 2013, at 2:43 PM, Ondrej Valousek
> <ovalousek at vendavo.com
> > >> <mailto:ovalousek at vendavo.com>> wrote:
> > >> 
> > >>> Just back to the Kerberized NFS. Any solution to RH bugzilla
> #786463
> > >>> on the horizon yet?
> > >>> Expiring tickets will render the whole concept unusable
> otherwise.
> > >>> 
> > >>> Anyone?
> > >> 
> > >> Ask on linux-nfs at vger.kernel.org
> <mailto:linux-nfs at vger.kernel.org>.  I
> > >> know upstream is working on this problem.
> > > 
> > > https://fedorahosted.org/gss-proxy/ will solve the problem.
> > 
> > Only for renewable tickets that gss-proxy renews. If a use has a
> non-renewable ticket, then the problem still exists.  I'm working on a
> set of GSS expiry patches and I'll make sure this problem is solved in
> the kernel.
> 
> Just to avoid confusion.
> 
> GSS-Proxy doesn't really handle renews at this stage (except as a a
> possible side effect of GSSAPI doing it under the hood on its own), it
> only handles acquiring new credentials using keytabs or using existing
> valid credentials from a standard ccache pre-populated by the user.
> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 


-- 
Simo Sorce * Red Hat, Inc * New York



From klarmstrong2 at liberty.edu  Mon Jul 15 18:30:11 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Mon, 15 Jul 2013 18:30:11 +0000
Subject: [Freeipa-users] [freeipa-users] errors when trying to add
 public SSH key to user
In-Reply-To: <CAGkb5vdd7YQx4vdbAQu4AWdXE0+fSuwzmKy5Bzwdmw8nab6rcA@mail.gmail.com>
References: <1373899219.7679.4.camel@localhost.localdomain>
	<1817691.vSVl8LXMzj@thinkpad7.brq.redhat.com>
	<1373902606.16869.3.camel@localhost.localdomain>
	<2713317.Xc6b775qVC@thinkpad7.brq.redhat.com>
	<1373902971.16869.4.camel@localhost.localdomain>
	<CAGkb5vdd7YQx4vdbAQu4AWdXE0+fSuwzmKy5Bzwdmw8nab6rcA@mail.gmail.com>
Message-ID: <1373913012.16869.5.camel@localhost.localdomain>

On Mon, 2013-07-15 at 18:25 +0100, James Hogarth wrote:



ipa-server-2.2.0-17.el6_3.1.x86_64







Think I see the problem here ....


From the 3.0 release notes:

  *   SSH public key format has been changed to OpenSSH-style public keys.


http://www.freeipa.org/page/IPAv3_300_ga



You really ought to get those servers updated to RHEL 6.4 with IPA 3.0 (which is part of 6.4) ...



Ok, we'll go through an upgrade first then try it again.  Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/53c6639e/attachment.htm>

From sakodak at gmail.com  Mon Jul 15 20:04:21 2013
From: sakodak at gmail.com (KodaK)
Date: Mon, 15 Jul 2013 15:04:21 -0500
Subject: [Freeipa-users] deleting password history?
Message-ID: <CAA9J0ZGYryAyLq2WpaVNdufMRZjViHZoZb1trVje8tmAV5CDkw@mail.gmail.com>

I'm probably missing something obvious, but I've searched the mailing list
in gmail and tried to google it:

If I want to remove the password history for a user, how do I do it?

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/4bb002ec/attachment.htm>

From james.hogarth at gmail.com  Mon Jul 15 20:12:22 2013
From: james.hogarth at gmail.com (James Hogarth)
Date: Mon, 15 Jul 2013 21:12:22 +0100
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <159018F515D5B14CA76C88F9C425325A6522CD@sinmpt10.corp.go2uti.com>
References: <159018F515D5B14CA76C88F9C425325A6522CD@sinmpt10.corp.go2uti.com>
Message-ID: <CAGkb5veCYSYi_F-ConcBWDpjeJWNCWT0Y6Z4ad_m6X1AqYeR6w@mail.gmail.com>

>
>     Did anyone find a solution for this?  I am having the same experience.
>
>
>

Wow that was a mess...

To use hostgroups for sudo ensure nisdomainname is set on the hosts to the
IPA domain.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/7df6dee7/attachment.htm>

From MTovey at go2uti.com  Mon Jul 15 22:54:43 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Mon, 15 Jul 2013 22:54:43 +0000
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <CAGkb5vePZkdMdiT-+HD9=jVFWzNzE5qWW9KP9OD-MWWQVjC5oQ@mail.gmail.com>
References: <159018F515D5B14CA76C88F9C425325A6522CD@sinmpt10.corp.go2uti.com>
	<CAGkb5vePZkdMdiT-+HD9=jVFWzNzE5qWW9KP9OD-MWWQVjC5oQ@mail.gmail.com>
Message-ID: <159018F515D5B14CA76C88F9C425325A6524F3@sinmpt10.corp.go2uti.com>



    I checked that and it is set correctly:

[user1 at host1 ~]$ nisdomainname
my_domain.com

    If I try to run a command with the hosts specified indirectly through a host group, it fails:

[user1 at host1 ~]$ sudo -i -u serv_account
LDAP Config Summary
===================
uri              ldap://ipa_server.my_domain.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=my_domain,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
bindpw           **********
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost '+hgroup1' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for user1:
Sorry, try again.
[sudo] password for user1:
sudo: 1 incorrect password attempt


    But if I remove the host group from the sudo rule and directly add the hosts that were in the host group, it works fine:

<snip>

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for user1:
[serv_account at host1 ~]$


    So something isn't lining up correctly with host groups in sudo rules somewhere.  I just haven't been able to track it down.
    Thanks,
    -Mark



________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: James Hogarth [mailto:james.hogarth at gmail.com]
Sent: Monday, July 15, 2013 1:11 PM
To: Tovey, Mark
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?


>
>
>     Did anyone find a solution for this?  I am having the same experience.
>
>
>

Wow that was a mess...

To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA domain.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/821de12d/attachment.htm>

From Steven.Jones at vuw.ac.nz  Mon Jul 15 23:14:45 2013
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 15 Jul 2013 23:14:45 +0000
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <159018F515D5B14CA76C88F9C425325A6524F3@sinmpt10.corp.go2uti.com>
References: <159018F515D5B14CA76C88F9C425325A6522CD@sinmpt10.corp.go2uti.com>
	<CAGkb5vePZkdMdiT-+HD9=jVFWzNzE5qWW9KP9OD-MWWQVjC5oQ@mail.gmail.com>,
	<159018F515D5B14CA76C88F9C425325A6524F3@sinmpt10.corp.go2uti.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

This is a known issue Ive suffered a long time with.  What would be interesting is adding another host to the host group could well work fine, that will really make you bang your head against the wall..

2 possibilities, stop the sssd daemon on the problem host, delete its cache and start it, that might fix it.

Otherwise best to,

All RH support could come up with is delete the HBAC rule, sudo rule, user group and host group and re-do it, then it will probably work fine.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark [MTovey at go2uti.com]
Sent: Tuesday, 16 July 2013 10:54 a.m.
To: James Hogarth
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?



    I checked that and it is set correctly:

[user1 at host1 ~]$ nisdomainname
my_domain.com

    If I try to run a command with the hosts specified indirectly through a host group, it fails:

[user1 at host1 ~]$ sudo -i -u serv_account
LDAP Config Summary
===================
uri              ldap://ipa_server.my_domain.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=my_domain,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
bindpw           **********
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost '+hgroup1' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for user1:
Sorry, try again.
[sudo] password for user1:
sudo: 1 incorrect password attempt


    But if I remove the host group from the sudo rule and directly add the hosts that were in the host group, it works fine:

<snip>

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for user1:
[serv_account at host1 ~]$


    So something isn?t lining up correctly with host groups in sudo rules somewhere.  I just haven?t been able to track it down.
    Thanks,
    -Mark



________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: James Hogarth [mailto:james.hogarth at gmail.com]
Sent: Monday, July 15, 2013 1:11 PM
To: Tovey, Mark
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?


>
>
>     Did anyone find a solution for this?  I am having the same experience.
>
>
>

Wow that was a mess...

To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA domain.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/11633c43/attachment.htm>

From MTovey at go2uti.com  Mon Jul 15 23:34:18 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Mon, 15 Jul 2013 23:34:18 +0000
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <159018F515D5B14CA76C88F9C425325A6522CD@sinmpt10.corp.go2uti.com>
	<CAGkb5vePZkdMdiT-+HD9=jVFWzNzE5qWW9KP9OD-MWWQVjC5oQ@mail.gmail.com>,
	<159018F515D5B14CA76C88F9C425325A6524F3@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>


    That didn't work either.  I set up the host group in my sudo rule, stopped sssd, renamed /var/lib/sss/db and created a new db directory, then restarted sssd.  New files were created in the db directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
Sent: Monday, July 15, 2013 4:15 PM
To: Tovey, Mark; James Hogarth
Cc: Freeipa-users at redhat.com
Subject: RE: [Freeipa-users] sudo rules user and host group bugs?

Hi,

This is a known issue Ive suffered a long time with.  What would be interesting is adding another host to the host group could well work fine, that will really make you bang your head against the wall..

2 possibilities, stop the sssd daemon on the problem host, delete its cache and start it, that might fix it.

Otherwise best to,

All RH support could come up with is delete the HBAC rule, sudo rule, user group and host group and re-do it, then it will probably work fine.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com<mailto:freeipa-users-bounces at redhat.com> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark [MTovey at go2uti.com]
Sent: Tuesday, 16 July 2013 10:54 a.m.
To: James Hogarth
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?


    I checked that and it is set correctly:

[user1 at host1 ~]$ nisdomainname
my_domain.com

    If I try to run a command with the hosts specified indirectly through a host group, it fails:

[user1 at host1 ~]$ sudo -i -u serv_account
LDAP Config Summary
===================
uri              ldap://ipa_server.my_domain.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=my_domain,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
bindpw           **********
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost '+hgroup1' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for user1:
Sorry, try again.
[sudo] password for user1:
sudo: 1 incorrect password attempt


    But if I remove the host group from the sudo rule and directly add the hosts that were in the host group, it works fine:

<snip>

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for user1:
[serv_account at host1 ~]$


    So something isn't lining up correctly with host groups in sudo rules somewhere.  I just haven't been able to track it down.
    Thanks,
    -Mark



________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: James Hogarth [mailto:james.hogarth at gmail.com]
Sent: Monday, July 15, 2013 1:11 PM
To: Tovey, Mark
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?


>
>
>     Did anyone find a solution for this?  I am having the same experience.
>
>
>

Wow that was a mess...

To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA domain.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/2dd6c697/attachment.htm>

From Steven.Jones at vuw.ac.nz  Mon Jul 15 23:43:51 2013
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 15 Jul 2013 23:43:51 +0000
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
References: <159018F515D5B14CA76C88F9C425325A6522CD@sinmpt10.corp.go2uti.com>
	<CAGkb5vePZkdMdiT-+HD9=jVFWzNzE5qWW9KP9OD-MWWQVjC5oQ@mail.gmail.com>,
	<159018F515D5B14CA76C88F9C425325A6524F3@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>,
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>

option b) delete the rule totally and redo it from scratch.

I label rules like this,

hb-xxxx   for a hbac rule

su-xxxx for a sudo rule

sc-xxxx for a sudo command group

ug-xxxx for a user group

hg-xxxx for a host groups

etc

etc

It makes the logic easier when you go into command line which I find easier to trace with than the gui at time.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: Tovey, Mark [MTovey at go2uti.com]
Sent: Tuesday, 16 July 2013 11:34 a.m.
To: Steven Jones; James Hogarth
Cc: Freeipa-users at redhat.com
Subject: RE: [Freeipa-users] sudo rules user and host group bugs?


    That didn?t work either.  I set up the host group in my sudo rule, stopped sssd, renamed /var/lib/sss/db and created a new db directory, then restarted sssd.  New files were created in the db directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
Sent: Monday, July 15, 2013 4:15 PM
To: Tovey, Mark; James Hogarth
Cc: Freeipa-users at redhat.com
Subject: RE: [Freeipa-users] sudo rules user and host group bugs?

Hi,

This is a known issue Ive suffered a long time with.  What would be interesting is adding another host to the host group could well work fine, that will really make you bang your head against the wall..

2 possibilities, stop the sssd daemon on the problem host, delete its cache and start it, that might fix it.

Otherwise best to,

All RH support could come up with is delete the HBAC rule, sudo rule, user group and host group and re-do it, then it will probably work fine.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com<mailto:freeipa-users-bounces at redhat.com> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark [MTovey at go2uti.com]
Sent: Tuesday, 16 July 2013 10:54 a.m.
To: James Hogarth
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?


    I checked that and it is set correctly:

[user1 at host1 ~]$ nisdomainname
my_domain.com

    If I try to run a command with the hosts specified indirectly through a host group, it fails:

[user1 at host1 ~]$ sudo -i -u serv_account
LDAP Config Summary
===================
uri              ldap://ipa_server.my_domain.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=my_domain,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
bindpw           **********
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost '+hgroup1' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for user1:
Sorry, try again.
[sudo] password for user1:
sudo: 1 incorrect password attempt


    But if I remove the host group from the sudo rule and directly add the hosts that were in the host group, it works fine:

<snip>

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for user1:
[serv_account at host1 ~]$


    So something isn?t lining up correctly with host groups in sudo rules somewhere.  I just haven?t been able to track it down.
    Thanks,
    -Mark



________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: James Hogarth [mailto:james.hogarth at gmail.com]
Sent: Monday, July 15, 2013 1:11 PM
To: Tovey, Mark
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?


>
>
>     Did anyone find a solution for this?  I am having the same experience.
>
>
>

Wow that was a mess...

To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA domain.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/9d771255/attachment.htm>

From dpal at redhat.com  Mon Jul 15 23:50:31 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 15 Jul 2013 19:50:31 -0400
Subject: [Freeipa-users] Error uninstalling ipa-client
In-Reply-To: <25882.200.220.180.66.1373907431.squirrel@www.primeinformatica.com.br>
References: <25882.200.220.180.66.1373907431.squirrel@www.primeinformatica.com.br>
Message-ID: <51E48AC7.9020509@redhat.com>

On 07/15/2013 12:57 PM, diaulasacn at primeinformatica.com.br wrote:
> Hi,
>
>   Im trying to "reinstall" a unsuccessful instalation...
>
>    ipa-client-install tells me to uninstall first
>
>    ipa-client-install --uninstall return that error:
>
> "  Failed to remove krb5/LDAP configuration: Command '/usr/sbin/authconfig
> --disablekrb5 --disablesssd --update --disablemkhomedir --disableldap
> --disablesssdauth' returned non-zero exit status 6"

I think we already seen this and an authconfig bug has been filed.

>
>
>
> My enviroment:
>
>
> lsb_release -a
> LSB Version:   
> :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
> Distributor ID: RedHatEnterpriseServer
> Description:    Red Hat Enterprise Linux Server release 6.4 (Santiago)
> Release:        6.4
> Codename:       Santiago
>
>
> # rpm -qa ipa*
> ipa-client-3.0.0-26.el6_4.4.x86_64
> ipa-python-3.0.0-26.el6_4.4.x86_64
>
>
> All updates installed.
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





From dpal at redhat.com  Tue Jul 16 00:04:17 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 15 Jul 2013 20:04:17 -0400
Subject: [Freeipa-users] deleting password history?
In-Reply-To: <CAA9J0ZGYryAyLq2WpaVNdufMRZjViHZoZb1trVje8tmAV5CDkw@mail.gmail.com>
References: <CAA9J0ZGYryAyLq2WpaVNdufMRZjViHZoZb1trVje8tmAV5CDkw@mail.gmail.com>
Message-ID: <51E48E01.3000705@redhat.com>

On 07/15/2013 04:04 PM, KodaK wrote:
> I'm probably missing something obvious, but I've searched the mailing
> list in gmail and tried to google it:
>
> If I want to remove the password history for a user, how do I do it?
>
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
You probably want to remove krbPwdHistory attribute and set
krbPwdHistoryLength to 0.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/be4ac459/attachment.htm>

From sakodak at gmail.com  Tue Jul 16 01:25:38 2013
From: sakodak at gmail.com (KodaK)
Date: Mon, 15 Jul 2013 20:25:38 -0500
Subject: [Freeipa-users] deleting password history?
In-Reply-To: <51E48E01.3000705@redhat.com>
References: <CAA9J0ZGYryAyLq2WpaVNdufMRZjViHZoZb1trVje8tmAV5CDkw@mail.gmail.com>
	<51E48E01.3000705@redhat.com>
Message-ID: <CAA9J0ZHAgxFHzBC9VM+RChBDvAc5DCP_tjGaqGNLgX6zAFfWjw@mail.gmail.com>

On Mon, Jul 15, 2013 at 7:04 PM, Dmitri Pal <dpal at redhat.com> wrote:

> You probably want to remove krbPwdHistory attribute and set
> krbPwdHistoryLength to 0.
>
>
> Just so I'm clear:  I only want to do a one-time erase for one user so he
can use a password he was using
earlier.  We changed it for testing and I don't think that should be held
against him. :)

I'm not sure if this disables password history for that user or just clears
it.

Thanks,

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/d69f66cc/attachment.htm>

From simo at redhat.com  Tue Jul 16 02:27:57 2013
From: simo at redhat.com (Simo Sorce)
Date: Mon, 15 Jul 2013 22:27:57 -0400
Subject: [Freeipa-users] deleting password history?
In-Reply-To: <CAA9J0ZHAgxFHzBC9VM+RChBDvAc5DCP_tjGaqGNLgX6zAFfWjw@mail.gmail.com>
References: <CAA9J0ZGYryAyLq2WpaVNdufMRZjViHZoZb1trVje8tmAV5CDkw@mail.gmail.com>
	<51E48E01.3000705@redhat.com>
	<CAA9J0ZHAgxFHzBC9VM+RChBDvAc5DCP_tjGaqGNLgX6zAFfWjw@mail.gmail.com>
Message-ID: <1373941677.30537.404.camel@willson.li.ssimo.org>

On Mon, 2013-07-15 at 20:25 -0500, KodaK wrote:
> 
> 
> On Mon, Jul 15, 2013 at 7:04 PM, Dmitri Pal <dpal at redhat.com> wrote:
>         You probably want to remove krbPwdHistory attribute and set
>         krbPwdHistoryLength to 0.
>         
> Just so I'm clear:  I only want to do a one-time erase for one user so
> he can use a password he was using
> earlier.  We changed it for testing and I don't think that should be
> held against him. :)
> 
> 
> I'm not sure if this disables password history for that user or just
> clears it.

If you remove the krbPwdHistory attribute from the user's entry the user
will have no history.
That should be sufficient to allow you to change 'back' his password.

Other means are: change the password as many times as
krbPwdHistoryLength says and finally you'll be able to start again
setting the old password.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



From MTovey at go2uti.com  Tue Jul 16 04:09:37 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Tue, 16 Jul 2013 04:09:37 +0000
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <159018F515D5B14CA76C88F9C425325A6522CD@sinmpt10.corp.go2uti.com>
	<CAGkb5vePZkdMdiT-+HD9=jVFWzNzE5qWW9KP9OD-MWWQVjC5oQ@mail.gmail.com>,
	<159018F515D5B14CA76C88F9C425325A6524F3@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>,
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>


    Okay, I stopped sssd on the client and deleted the cache files, removed the sudo rule, started sssd and verified that the rule was gone, stopped sssd and deleted the files again, added the rule back in, restarted sssd, and still it does not work.  One note, when I enter the hosts into the sudo rule in place of the host group, the effect is immediate; I do not need to restart sssd.  And the opposite is true too: if I put the host group back, the rule immediately stops working.  I don't think the issue is cache related; it seems to be something else.  The serv_account that we are accessing with the sudo rule is external.  I wouldn't expect that to matter, but perhaps it does?

    I like your idea for the labels; they make sense.  Right now we are just evaluating this to see if we want to go this route.  So far we like it, but this could be a problem because we have a several hundred hosts that we need to manage.  Having to enter each one individually will be problematic.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
Sent: Monday, July 15, 2013 4:44 PM
To: Tovey, Mark; James Hogarth
Cc: Freeipa-users at redhat.com
Subject: RE: [Freeipa-users] sudo rules user and host group bugs?

option b) delete the rule totally and redo it from scratch.

I label rules like this,

hb-xxxx   for a hbac rule

su-xxxx for a sudo rule

sc-xxxx for a sudo command group

ug-xxxx for a user group

hg-xxxx for a host groups

etc

etc

It makes the logic easier when you go into command line which I find easier to trace with than the gui at time.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: Tovey, Mark [MTovey at go2uti.com]
Sent: Tuesday, 16 July 2013 11:34 a.m.
To: Steven Jones; James Hogarth
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: RE: [Freeipa-users] sudo rules user and host group bugs?

    That didn't work either.  I set up the host group in my sudo rule, stopped sssd, renamed /var/lib/sss/db and created a new db directory, then restarted sssd.  New files were created in the db directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
Sent: Monday, July 15, 2013 4:15 PM
To: Tovey, Mark; James Hogarth
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: RE: [Freeipa-users] sudo rules user and host group bugs?

Hi,

This is a known issue Ive suffered a long time with.  What would be interesting is adding another host to the host group could well work fine, that will really make you bang your head against the wall..

2 possibilities, stop the sssd daemon on the problem host, delete its cache and start it, that might fix it.

Otherwise best to,

All RH support could come up with is delete the HBAC rule, sudo rule, user group and host group and re-do it, then it will probably work fine.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com<mailto:freeipa-users-bounces at redhat.com> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark [MTovey at go2uti.com]
Sent: Tuesday, 16 July 2013 10:54 a.m.
To: James Hogarth
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?


    I checked that and it is set correctly:

[user1 at host1 ~]$ nisdomainname
my_domain.com

    If I try to run a command with the hosts specified indirectly through a host group, it fails:

[user1 at host1 ~]$ sudo -i -u serv_account
LDAP Config Summary
===================
uri              ldap://ipa_server.my_domain.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=my_domain,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
bindpw           **********
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost '+hgroup1' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
[sudo] password for user1:
Sorry, try again.
[sudo] password for user1:
sudo: 1 incorrect password attempt


    But if I remove the host group from the sudo rule and directly add the hosts that were in the host group, it works fine:

<snip>

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for user1:
[serv_account at host1 ~]$


    So something isn't lining up correctly with host groups in sudo rules somewhere.  I just haven't been able to track it down.
    Thanks,
    -Mark



________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: James Hogarth [mailto:james.hogarth at gmail.com]
Sent: Monday, July 15, 2013 1:11 PM
To: Tovey, Mark
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?


>
>
>     Did anyone find a solution for this?  I am having the same experience.
>
>
>

Wow that was a mess...

To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA domain.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/6a53b648/attachment.htm>

From mkosek at redhat.com  Tue Jul 16 07:00:47 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 16 Jul 2013 09:00:47 +0200
Subject: [Freeipa-users] Error uninstalling ipa-client
In-Reply-To: <51E48AC7.9020509@redhat.com>
References: <25882.200.220.180.66.1373907431.squirrel@www.primeinformatica.com.br>
	<51E48AC7.9020509@redhat.com>
Message-ID: <51E4EF9F.40805@redhat.com>

On 07/16/2013 01:50 AM, Dmitri Pal wrote:
> On 07/15/2013 12:57 PM, diaulasacn at primeinformatica.com.br wrote:
>> Hi,
>>
>>   Im trying to "reinstall" a unsuccessful instalation...
>>
>>    ipa-client-install tells me to uninstall first
>>
>>    ipa-client-install --uninstall return that error:
>>
>> "  Failed to remove krb5/LDAP configuration: Command '/usr/sbin/authconfig
>> --disablekrb5 --disablesssd --update --disablemkhomedir --disableldap
>> --disablesssdauth' returned non-zero exit status 6"
> 
> I think we already seen this and an authconfig bug has been filed.

If you cannot find the bug, it would help if you post appropriate excerpt of
ipaclient-install.log with an actual error message from authconfig.

Martin



From mkosek at redhat.com  Tue Jul 16 07:33:36 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 16 Jul 2013 09:33:36 +0200
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
References: <159018F515D5B14CA76C88F9C425325A6522CD@sinmpt10.corp.go2uti.com>
	<CAGkb5vePZkdMdiT-+HD9=jVFWzNzE5qWW9KP9OD-MWWQVjC5oQ@mail.gmail.com>,
	<159018F515D5B14CA76C88F9C425325A6524F3@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>,
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
Message-ID: <51E4F750.9010103@redhat.com>

Just checking, did you try troubleshooting hints from JR I found at the top of
the thread? I did not find an information about that.

~~~~
Can you confirm that the output of the following commands:
1. $ domainname
* does it match your domain?
2. $ hostname
* does match match your fqdn?
3. $ getent netgroup esolutions-sandbox-hosts
* does this list your host?
4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?


Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or
/etc/ldap.conf, depending on what version of RHEL/Sudo you're running):

At the top, add the line: sudoers_debug 2

Then try another sudo command. sudo -l for example.
~~~~

For example, it would help to know that netgroup list (step 3) works or
domainname is set correctly (step 1).

Martin


On 07/16/2013 06:09 AM, Tovey, Mark wrote:
>  
> 
>     Okay, I stopped sssd on the client and deleted the cache files, removed the
> sudo rule, started sssd and verified that the rule was gone, stopped sssd and
> deleted the files again, added the rule back in, restarted sssd, and still it
> does not work.  One note, when I enter the hosts into the sudo rule in place of
> the host group, the effect is immediate; I do not need to restart sssd.  And
> the opposite is true too: if I put the host group back, the rule immediately
> stops working.  I don?t think the issue is cache related; it seems to be
> something else.  The serv_account that we are accessing with the sudo rule is
> external.  I wouldn?t expect that to matter, but perhaps it does?
> 
>  
> 
>     I like your idea for the labels; they make sense.  Right now we are just
> evaluating this to see if we want to go this route.  So far we like it, but
> this could be a problem because we have a several hundred hosts that we need to
> manage.  Having to enter each one individually will be problematic.
> 
>     Thanks,
> 
>     -Mark
> 
>  
> 
> * *
> 
> *________________________________________________________________*
> 
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> 
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon
> | 97204 | USA
> 
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> mark.tovey2
> 
>  
> 
> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
> *Sent:* Monday, July 15, 2013 4:44 PM
> *To:* Tovey, Mark; James Hogarth
> *Cc:* Freeipa-users at redhat.com
> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> 
>  
> 
> option b) delete the rule totally and redo it from scratch.
> 
> I label rules like this,
> 
> hb-xxxx   for a hbac rule
> 
> su-xxxx for a sudo rule
> 
> sc-xxxx for a sudo command group
> 
> ug-xxxx for a user group
> 
> hg-xxxx for a host groups
> 
> etc
> 
> etc
> 
> It makes the logic easier when you go into command line which I find easier to
> trace with than the gui at time.
> 
>  
> 
> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272
> 
> -------------------------------------------------------------------------------
> 
> *From:*Tovey, Mark [MTovey at go2uti.com]
> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
> *To:* Steven Jones; James Hogarth
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> 
>  
> 
>     That didn?t work either.  I set up the host group in my sudo rule, stopped
> sssd, renamed /var/lib/sss/db and created a new db directory, then restarted
> sssd.  New files were created in the db directory, but it still refuses to work
> unless the hosts are directly specified in the sudo rule.
> 
>     Thanks,
> 
>     -Mark
> 
>  
> 
> * *
> 
> *________________________________________________________________*
> 
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> 
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon
> | 97204 | USA
> 
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> mark.tovey2
> 
>  
> 
> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
> *Sent:* Monday, July 15, 2013 4:15 PM
> *To:* Tovey, Mark; James Hogarth
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> 
>  
> 
> Hi,
> 
> This is a known issue Ive suffered a long time with.  What would be interesting
> is adding another host to the host group could well work fine, that will really
> make you bang your head against the wall..
> 
> 2 possibilities, stop the sssd daemon on the problem host, delete its cache and
> start it, that might fix it.
> 
> Otherwise best to,
> 
> All RH support could come up with is delete the HBAC rule, sudo rule, user
> group and host group and re-do it, then it will probably work fine.
> 
>  
> 
> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272
> 
> -------------------------------------------------------------------------------
> 
> *From:*freeipa-users-bounces at redhat.com
> <mailto:freeipa-users-bounces at redhat.com> [freeipa-users-bounces at redhat.com] on
> behalf of Tovey, Mark [MTovey at go2uti.com]
> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
> *To:* James Hogarth
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> 
>  
> 
>  
> 
>     I checked that and it is set correctly:
> 
>  
> 
> [user1 at host1 ~]$ nisdomainname
> 
> my_domain.com
> 
>  
> 
>     If I try to run a command with the hosts specified indirectly through a
> host group, it fails:
> 
>  
> 
> [user1 at host1 ~]$ sudo -i -u serv_account
> 
> LDAP Config Summary
> 
> ===================
> 
> uri              ldap://ipa_server.my_domain.com
> 
> ldap_version     3
> 
> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
> 
> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
> 
> bindpw           **********
> 
> bind_timelimit   5000
> 
> timelimit        15
> 
> ssl              start_tls
> 
> tls_checkpeer    (yes)
> 
> tls_cacertfile   /etc/ipa/ca.crt
> 
> ===================
> 
> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
> 
> sudo: ldap_set_option: debug -> 0
> 
> sudo: ldap_set_option: ldap_version -> 3
> 
> sudo: ldap_set_option: tls_checkpeer -> 1
> 
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> 
> sudo: ldap_set_option: timelimit -> 15
> 
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> 
>  
> 
> sudo: ldap_start_tls_s() ok
> 
> sudo: ldap_sasl_bind_s() ok
> 
> sudo: no default options found!
> 
> sudo: ldap search
> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> 
> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> 
> sudo: ldap sudoHost '+hgroup1' ... not
> 
> sudo: ldap search 'sudoUser=+*'
> 
> sudo: user_matches=1
> 
> sudo: host_matches=0
> 
> sudo: sudo_ldap_lookup(0)=0x40
> 
> [sudo] password for user1:
> 
> Sorry, try again.
> 
> [sudo] password for user1:
> 
> sudo: 1 incorrect password attempt
> 
>  
> 
>  
> 
>     But if I remove the host group from the sudo rule and directly add the
> hosts that were in the host group, it works fine:
> 
>  
> 
> <snip>
> 
>  
> 
> sudo: ldap_start_tls_s() ok
> 
> sudo: ldap_sasl_bind_s() ok
> 
> sudo: no default options found!
> 
> sudo: ldap search
> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> 
> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> 
> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
> 
> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
> 
> sudo: ldap sudoCommand 'ALL' ... MATCH!
> 
> sudo: Command allowed
> 
> sudo: user_matches=1
> 
> sudo: host_matches=1
> 
> sudo: sudo_ldap_lookup(0)=0x02
> 
> [sudo] password for user1:
> 
> [serv_account at host1 ~]$
> 
>  
> 
>  
> 
>     So something isn?t lining up correctly with host groups in sudo rules
> somewhere.  I just haven?t been able to track it down.
> 
>     Thanks,
> 
>     -Mark
> 
>  
> 
>  
> 
> * *
> 
> *________________________________________________________________*
> 
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> 
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon
> | 97204 | USA
> 
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> mark.tovey2
> 
>  
> 
> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
> *Sent:* Monday, July 15, 2013 1:11 PM
> *To:* Tovey, Mark
> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> 
>  
> 
> 
>>  
>>
>>     Did anyone find a solution for this?  I am having the same experience.
>>
>>  
>>
> 
> Wow that was a mess...
> 
> To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA
> domain.
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 



From pspacek at redhat.com  Tue Jul 16 16:25:02 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 16 Jul 2013 18:25:02 +0200
Subject: [Freeipa-users] Question about design of ldap dns
In-Reply-To: <51E408BD.4000608@redhat.com>
References: <CAGkb5vfgmzUfRyeSkdJWzvn32NWhOuR6NY6JtL_-oL++3LeeWg@mail.gmail.com>
	<51E408BD.4000608@redhat.com>
Message-ID: <51E573DE.3000008@redhat.com>

On 15.7.2013 16:35, Jan Cholasta wrote:
> On 15.7.2013 11:17, James Hogarth wrote:
>> I'm just picking up the nice to have ticket of configure the default TTL
>> as part of my general TTL refactor work seeing as the exposing and
>> modification of TTL in the UI is unlikely to be complete before 3.3
>> freeze (mostly working but a few bugs remaining) :

Please contact me on IRC (pspacek in #freeipa @ FreeNode) or via e-mail. We 
need to coordinate, because bind-dyndb-ldap is undergoing heavy refactoring 
right now.

Also, remember that modification in bind-dyndb-ldap will require modification 
on FreeIPA side (CLI/WebUI/API).

>> https://fedorahosted.org/bind-dyndb-ldap/ticket/70
>>
>> https://fedorahosted.org/freeipa/ticket/2956
>>
>> The approach I'm considering is to make the record capable of an
>> individual TTL by just appending the TTL to the record so it would look
>> like:
>> dn: idnsName=bar, idnsName=example.com <http://example.com>, cn=dns,
>> dc=example, dc=com
>> idnsName: bar
>> ARecord: 192.168.1.100 7200
We can't do this, because definition of *Record attributes is outside of our 
control. Definitions of these attributes come from
http://drift.uninett.no/nett/ip-nett/dnsattributes.schema
and it is used by BIND DLZ LDAP driver.

>> This is an approach that matches how things like MX and SRV are dealt
>> with (except those have numbers at the front) and would require much
>> simpler modifications.
Could you post some real world examples, please? I would love to see some real 
world records with real TTLs and statistics.
How many names with different TTLs have you?
How many names and records have you in total?

>> Then there would be a precedence to the actual TTL used in this order:
>> 1) If a TTL is in the record data use that
>> 2) If a TTL is in the idnsName data (the current dnsTTL attribute) then
>> use that
>> 3) If a TTL is in the zone data (as per the ticket name to be decided)
>> then use that
>> 4) If a TTL is specified in the named.conf configuration for the
>> bind-dyndb-ldap plugin then use that.
>>
>> Although potentially not as nice as making each data entry a first class
>> citizen as an object in LDAP such as for an example:
>> dn: aRecord=192.168.1.100,idnsName=bar, idnsName=example.com
>> <http://example.com>, cn=dns, dc=example, dc=com
>> aRecordName: bar
>> aRecordData: 192.168.1.100
>> aRecordTTL: 7200
This could work, but it has significant overhead. At least indexes in LDAP 
server could grow rapidly.

The other problem is that you will lost the uniqueness-check on LDAP side. DNS 
doesn't allow one record with same name and data to appear multiple times and 
current attribute-based design prevents this 'for free'.

The other problem is that records in single RRset can't have multiple TTL 
values. I.e. (under single name) all A records have to have the same TTL, all 
AAAA records has to have same TTL etc.

Of course, all of these can be handled in bind-dyndb-ldap, but doing so on 
database side is much more elegant.

>> It'd require far less upheaval in terms of migrations and testing...
>>
>> What are your thoughts on this before I start digging into this part of
>> the code base?
>>
>> Cheers,
>>
>> James
>>
>
> There's a third option: group DNS records by both name and TTL, instead of
> just name, like this:
>
> dn: idnsName=bar+dNSTTL=7200,idnsName=example.com
> idnsName: bar
> dNSTTL: 7200
> aRecord: 1.2.3.4
>
> dn: idnsName=bar+dNSTTL=3600,idnsName=example.com
> idnsName: bar
> dNSTTL: 3600
> aRecord: 5.6.7.8
>
> This way you don't have to change the format of existing attributes nor add
> new attributes.

This one is my favourite, but again: It will require refactoring on FreeIPA 
side. Also, I'm not sure if this could work with BIND DLZ LDAP...

To summarize it: Is it worth to spend time on this? I would love to see some 
real numbers.

Thank you for your time and passion!

-- 
Petr^2 Spacek



From klarmstrong2 at liberty.edu  Tue Jul 16 17:24:17 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Tue, 16 Jul 2013 17:24:17 +0000
Subject: [Freeipa-users] new issue with ssh key in the interface
Message-ID: <1373995457.5023.2.camel@localhost.localdomain>

Hello all,

i have a new problem with the SSH Key bit in the web interface.  I created a new ssh key for a user, and pasted it into the web interface for the user.  Afterward, it said that the key was not set.  So I attempted again from the commandline, and it looks like it took it.  However, when I go back to the web interface, it doesn't show one set for the user.

I logged out of the interface and back in, but same story.

Running IPA server 3.0 on RHEL 6.4.

Any thoughts?

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/08c4bd2d/attachment.htm>

From MTovey at go2uti.com  Tue Jul 16 18:11:43 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Tue, 16 Jul 2013 18:11:43 +0000
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <51E4F750.9010103@redhat.com>
References: <159018F515D5B14CA76C88F9C425325A6522CD@sinmpt10.corp.go2uti.com>
	<CAGkb5vePZkdMdiT-+HD9=jVFWzNzE5qWW9KP9OD-MWWQVjC5oQ@mail.gmail.com>,
	<159018F515D5B14CA76C88F9C425325A6524F3@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>,
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
	<51E4F750.9010103@redhat.com>
Message-ID: <159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>


    My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we were able to find RPM packages for them.  We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet.  Again, we are just evaluating at this point.  So far, so good, except for this one point.
    The doman name, host name, and nsswitch.conf files are all properly configured.  But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).  After you asked about that, I started looking into the documentation on netgroups.  The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats."  But when I look in the Netgroups area, I do not see any netgroups defined.  I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to reflect what was stated in the documentation. 
    But I am still stumped.  I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
    Thanks,
    -Mark



________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2

-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com] 
Sent: Tuesday, July 16, 2013 12:34 AM
To: Tovey, Mark
Cc: Steven Jones; James Hogarth; Freeipa-users at redhat.com; Pavel Brezina
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that.

~~~~
Can you confirm that the output of the following commands:
1. $ domainname
* does it match your domain?
2. $ hostname
* does match match your fqdn?
3. $ getent netgroup esolutions-sandbox-hosts
* does this list your host?
4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?


Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):

At the top, add the line: sudoers_debug 2

Then try another sudo command. sudo -l for example.
~~~~

For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).

Martin


On 07/16/2013 06:09 AM, Tovey, Mark wrote:
>  
> 
>     Okay, I stopped sssd on the client and deleted the cache files, 
> removed the sudo rule, started sssd and verified that the rule was 
> gone, stopped sssd and deleted the files again, added the rule back 
> in, restarted sssd, and still it does not work.  One note, when I 
> enter the hosts into the sudo rule in place of the host group, the 
> effect is immediate; I do not need to restart sssd.  And the opposite 
> is true too: if I put the host group back, the rule immediately stops 
> working.  I don't think the issue is cache related; it seems to be 
> something else.  The serv_account that we are accessing with the sudo rule is external.  I wouldn't expect that to matter, but perhaps it does?
> 
>  
> 
>     I like your idea for the labels; they make sense.  Right now we 
> are just evaluating this to see if we want to go this route.  So far 
> we like it, but this could be a problem because we have a several 
> hundred hosts that we need to manage.  Having to enter each one individually will be problematic.
> 
>     Thanks,
> 
>     -Mark
> 
>  
> 
> * *
> 
> *________________________________________________________________*
> 
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> 
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon
> | 97204 | USA
> 
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> mark.tovey2
> 
>  
> 
> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
> *Sent:* Monday, July 15, 2013 4:44 PM
> *To:* Tovey, Mark; James Hogarth
> *Cc:* Freeipa-users at redhat.com
> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> 
>  
> 
> option b) delete the rule totally and redo it from scratch.
> 
> I label rules like this,
> 
> hb-xxxx   for a hbac rule
> 
> su-xxxx for a sudo rule
> 
> sc-xxxx for a sudo command group
> 
> ug-xxxx for a user group
> 
> hg-xxxx for a host groups
> 
> etc
> 
> etc
> 
> It makes the logic easier when you go into command line which I find 
> easier to trace with than the gui at time.
> 
>  
> 
> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272
> 
> ----------------------------------------------------------------------
> ---------
> 
> *From:*Tovey, Mark [MTovey at go2uti.com]
> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
> *To:* Steven Jones; James Hogarth
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> 
>  
> 
>     That didn't work either.  I set up the host group in my sudo rule, 
> stopped sssd, renamed /var/lib/sss/db and created a new db directory, 
> then restarted sssd.  New files were created in the db directory, but 
> it still refuses to work unless the hosts are directly specified in the sudo rule.
> 
>     Thanks,
> 
>     -Mark
> 
>  
> 
> * *
> 
> *________________________________________________________________*
> 
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> 
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon
> | 97204 | USA
> 
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> mark.tovey2
> 
>  
> 
> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
> *Sent:* Monday, July 15, 2013 4:15 PM
> *To:* Tovey, Mark; James Hogarth
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> 
>  
> 
> Hi,
> 
> This is a known issue Ive suffered a long time with.  What would be 
> interesting is adding another host to the host group could well work 
> fine, that will really make you bang your head against the wall..
> 
> 2 possibilities, stop the sssd daemon on the problem host, delete its 
> cache and start it, that might fix it.
> 
> Otherwise best to,
> 
> All RH support could come up with is delete the HBAC rule, sudo rule, 
> user group and host group and re-do it, then it will probably work fine.
> 
>  
> 
> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272
> 
> ----------------------------------------------------------------------
> ---------
> 
> *From:*freeipa-users-bounces at redhat.com
> <mailto:freeipa-users-bounces at redhat.com> 
> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark 
> [MTovey at go2uti.com]
> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
> *To:* James Hogarth
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> 
>  
> 
>  
> 
>     I checked that and it is set correctly:
> 
>  
> 
> [user1 at host1 ~]$ nisdomainname
> 
> my_domain.com
> 
>  
> 
>     If I try to run a command with the hosts specified indirectly 
> through a host group, it fails:
> 
>  
> 
> [user1 at host1 ~]$ sudo -i -u serv_account
> 
> LDAP Config Summary
> 
> ===================
> 
> uri              ldap://ipa_server.my_domain.com
> 
> ldap_version     3
> 
> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
> 
> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
> 
> bindpw           **********
> 
> bind_timelimit   5000
> 
> timelimit        15
> 
> ssl              start_tls
> 
> tls_checkpeer    (yes)
> 
> tls_cacertfile   /etc/ipa/ca.crt
> 
> ===================
> 
> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
> 
> sudo: ldap_set_option: debug -> 0
> 
> sudo: ldap_set_option: ldap_version -> 3
> 
> sudo: ldap_set_option: tls_checkpeer -> 1
> 
> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> 
> sudo: ldap_set_option: timelimit -> 15
> 
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> 
>  
> 
> sudo: ldap_start_tls_s() ok
> 
> sudo: ldap_sasl_bind_s() ok
> 
> sudo: no default options found!
> 
> sudo: ldap search
> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> 
> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> 
> sudo: ldap sudoHost '+hgroup1' ... not
> 
> sudo: ldap search 'sudoUser=+*'
> 
> sudo: user_matches=1
> 
> sudo: host_matches=0
> 
> sudo: sudo_ldap_lookup(0)=0x40
> 
> [sudo] password for user1:
> 
> Sorry, try again.
> 
> [sudo] password for user1:
> 
> sudo: 1 incorrect password attempt
> 
>  
> 
>  
> 
>     But if I remove the host group from the sudo rule and directly add 
> the hosts that were in the host group, it works fine:
> 
>  
> 
> <snip>
> 
>  
> 
> sudo: ldap_start_tls_s() ok
> 
> sudo: ldap_sasl_bind_s() ok
> 
> sudo: no default options found!
> 
> sudo: ldap search
> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> 
> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> 
> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
> 
> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
> 
> sudo: ldap sudoCommand 'ALL' ... MATCH!
> 
> sudo: Command allowed
> 
> sudo: user_matches=1
> 
> sudo: host_matches=1
> 
> sudo: sudo_ldap_lookup(0)=0x02
> 
> [sudo] password for user1:
> 
> [serv_account at host1 ~]$
> 
>  
> 
>  
> 
>     So something isn't lining up correctly with host groups in sudo 
> rules somewhere.  I just haven't been able to track it down.
> 
>     Thanks,
> 
>     -Mark
> 
>  
> 
>  
> 
> * *
> 
> *________________________________________________________________*
> 
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> 
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon
> | 97204 | USA
> 
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> mark.tovey2
> 
>  
> 
> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
> *Sent:* Monday, July 15, 2013 1:11 PM
> *To:* Tovey, Mark
> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> 
>  
> 
> 
>>  
>>
>>     Did anyone find a solution for this?  I am having the same experience.
>>
>>  
>>
> 
> Wow that was a mess...
> 
> To use hostgroups for sudo ensure nisdomainname is set on the hosts to 
> the IPA domain.
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 




From dpal at redhat.com  Tue Jul 16 19:42:43 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 16 Jul 2013 15:42:43 -0400
Subject: [Freeipa-users] new issue with ssh key in the interface
In-Reply-To: <1373995457.5023.2.camel@localhost.localdomain>
References: <1373995457.5023.2.camel@localhost.localdomain>
Message-ID: <51E5A233.4020105@redhat.com>

On 07/16/2013 01:24 PM, Armstrong, Kenneth Lawrence wrote:
> Hello all,
>
> i have a new problem with the SSH Key bit in the web interface.  I
> created a new ssh key for a user, and pasted it into the web interface
> for the user.  Afterward, it said that the key was not set.  So I
> attempted again from the commandline, and it looks like it took it. 
> However, when I go back to the web interface, it doesn't show one set
> for the user.
>
> I logged out of the interface and back in, but same story.
>
> Running IPA server 3.0 on RHEL 6.4.
>
> Any thoughts?

I suggest you create a ticket ad attach the key that does not work so
that we can try to reproduce it.


>
> -Kenny
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/aba657c7/attachment.htm>

From MTovey at go2uti.com  Tue Jul 16 19:48:05 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Tue, 16 Jul 2013 19:48:05 +0000
Subject: [Freeipa-users] Limit password synchronization from Active Directory
Message-ID: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>


    Is there a way to limit what user accounts are synchronized from Active Directory?  There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system.  Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped?
    Thanks,
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/fd36b433/attachment.htm>

From dpal at redhat.com  Tue Jul 16 19:51:18 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 16 Jul 2013 15:51:18 -0400
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>
References: <159018F515D5B14CA76C88F9C425325A6522CD@sinmpt10.corp.go2uti.com>
	<CAGkb5vePZkdMdiT-+HD9=jVFWzNzE5qWW9KP9OD-MWWQVjC5oQ@mail.gmail.com>,
	<159018F515D5B14CA76C88F9C425325A6524F3@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>,
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
	<51E4F750.9010103@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>
Message-ID: <51E5A436.5080403@redhat.com>

On 07/16/2013 02:11 PM, Tovey, Mark wrote:
>     My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we were able to find RPM packages for them.  We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet.  Again, we are just evaluating at this point.  So far, so good, except for this one point.
>     The doman name, host name, and nsswitch.conf files are all properly configured.  But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).  After you asked about that, I started looking into the documentation on netgroups.  The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats."  But when I look in the Netgroups area, I do not see any netgroups defined.  I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to reflect what was stated in the documentation. 
>     But I am still stumped.  I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
>     Thanks,
>     -Mark

So can it seems that the first thing you need to to do is to make sure
your netgroups work.
If domain and host are properly set then it might be the wrong base in
your LDAP search for the netgroups.
Are you using SSSD for netgroups or something else?
Can you please share your sssd.conf and area where it configures netgroups?
Also is sss in the nsswitch.conf for netgroups map?

>
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com] 
> Sent: Tuesday, July 16, 2013 12:34 AM
> To: Tovey, Mark
> Cc: Steven Jones; James Hogarth; Freeipa-users at redhat.com; Pavel Brezina
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that.
>
> ~~~~
> Can you confirm that the output of the following commands:
> 1. $ domainname
> * does it match your domain?
> 2. $ hostname
> * does match match your fqdn?
> 3. $ getent netgroup esolutions-sandbox-hosts
> * does this list your host?
> 4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?
>
>
> Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):
>
> At the top, add the line: sudoers_debug 2
>
> Then try another sudo command. sudo -l for example.
> ~~~~
>
> For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).
>
> Martin
>
>
> On 07/16/2013 06:09 AM, Tovey, Mark wrote:
>>  
>>
>>     Okay, I stopped sssd on the client and deleted the cache files, 
>> removed the sudo rule, started sssd and verified that the rule was 
>> gone, stopped sssd and deleted the files again, added the rule back 
>> in, restarted sssd, and still it does not work.  One note, when I 
>> enter the hosts into the sudo rule in place of the host group, the 
>> effect is immediate; I do not need to restart sssd.  And the opposite 
>> is true too: if I put the host group back, the rule immediately stops 
>> working.  I don't think the issue is cache related; it seems to be 
>> something else.  The serv_account that we are accessing with the sudo rule is external.  I wouldn't expect that to matter, but perhaps it does?
>>
>>  
>>
>>     I like your idea for the labels; they make sense.  Right now we 
>> are just evaluating this to see if we want to go this route.  So far 
>> we like it, but this could be a problem because we have a several 
>> hundred hosts that we need to manage.  Having to enter each one individually will be problematic.
>>
>>     Thanks,
>>
>>     -Mark
>>
>>  
>>
>> * *
>>
>> *________________________________________________________________*
>>
>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>
>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
>> | Oregon
>> | 97204 | USA
>>
>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>> mark.tovey2
>>
>>  
>>
>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>> *Sent:* Monday, July 15, 2013 4:44 PM
>> *To:* Tovey, Mark; James Hogarth
>> *Cc:* Freeipa-users at redhat.com
>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>
>>  
>>
>> option b) delete the rule totally and redo it from scratch.
>>
>> I label rules like this,
>>
>> hb-xxxx   for a hbac rule
>>
>> su-xxxx for a sudo rule
>>
>> sc-xxxx for a sudo command group
>>
>> ug-xxxx for a user group
>>
>> hg-xxxx for a host groups
>>
>> etc
>>
>> etc
>>
>> It makes the logic easier when you go into command line which I find 
>> easier to trace with than the gui at time.
>>
>>  
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ----------------------------------------------------------------------
>> ---------
>>
>> *From:*Tovey, Mark [MTovey at go2uti.com]
>> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
>> *To:* Steven Jones; James Hogarth
>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>
>>  
>>
>>     That didn't work either.  I set up the host group in my sudo rule, 
>> stopped sssd, renamed /var/lib/sss/db and created a new db directory, 
>> then restarted sssd.  New files were created in the db directory, but 
>> it still refuses to work unless the hosts are directly specified in the sudo rule.
>>
>>     Thanks,
>>
>>     -Mark
>>
>>  
>>
>> * *
>>
>> *________________________________________________________________*
>>
>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>
>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
>> | Oregon
>> | 97204 | USA
>>
>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>> mark.tovey2
>>
>>  
>>
>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>> *Sent:* Monday, July 15, 2013 4:15 PM
>> *To:* Tovey, Mark; James Hogarth
>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>
>>  
>>
>> Hi,
>>
>> This is a known issue Ive suffered a long time with.  What would be 
>> interesting is adding another host to the host group could well work 
>> fine, that will really make you bang your head against the wall..
>>
>> 2 possibilities, stop the sssd daemon on the problem host, delete its 
>> cache and start it, that might fix it.
>>
>> Otherwise best to,
>>
>> All RH support could come up with is delete the HBAC rule, sudo rule, 
>> user group and host group and re-do it, then it will probably work fine.
>>
>>  
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ----------------------------------------------------------------------
>> ---------
>>
>> *From:*freeipa-users-bounces at redhat.com
>> <mailto:freeipa-users-bounces at redhat.com> 
>> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark 
>> [MTovey at go2uti.com]
>> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
>> *To:* James Hogarth
>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>>  
>>
>>  
>>
>>     I checked that and it is set correctly:
>>
>>  
>>
>> [user1 at host1 ~]$ nisdomainname
>>
>> my_domain.com
>>
>>  
>>
>>     If I try to run a command with the hosts specified indirectly 
>> through a host group, it fails:
>>
>>  
>>
>> [user1 at host1 ~]$ sudo -i -u serv_account
>>
>> LDAP Config Summary
>>
>> ===================
>>
>> uri              ldap://ipa_server.my_domain.com
>>
>> ldap_version     3
>>
>> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
>>
>> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
>>
>> bindpw           **********
>>
>> bind_timelimit   5000
>>
>> timelimit        15
>>
>> ssl              start_tls
>>
>> tls_checkpeer    (yes)
>>
>> tls_cacertfile   /etc/ipa/ca.crt
>>
>> ===================
>>
>> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
>>
>> sudo: ldap_set_option: debug -> 0
>>
>> sudo: ldap_set_option: ldap_version -> 3
>>
>> sudo: ldap_set_option: tls_checkpeer -> 1
>>
>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>>
>> sudo: ldap_set_option: timelimit -> 15
>>
>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>>
>>  
>>
>> sudo: ldap_start_tls_s() ok
>>
>> sudo: ldap_sasl_bind_s() ok
>>
>> sudo: no default options found!
>>
>> sudo: ldap search
>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>
>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>
>> sudo: ldap sudoHost '+hgroup1' ... not
>>
>> sudo: ldap search 'sudoUser=+*'
>>
>> sudo: user_matches=1
>>
>> sudo: host_matches=0
>>
>> sudo: sudo_ldap_lookup(0)=0x40
>>
>> [sudo] password for user1:
>>
>> Sorry, try again.
>>
>> [sudo] password for user1:
>>
>> sudo: 1 incorrect password attempt
>>
>>  
>>
>>  
>>
>>     But if I remove the host group from the sudo rule and directly add 
>> the hosts that were in the host group, it works fine:
>>
>>  
>>
>> <snip>
>>
>>  
>>
>> sudo: ldap_start_tls_s() ok
>>
>> sudo: ldap_sasl_bind_s() ok
>>
>> sudo: no default options found!
>>
>> sudo: ldap search
>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>
>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>
>> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
>>
>> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
>>
>> sudo: ldap sudoCommand 'ALL' ... MATCH!
>>
>> sudo: Command allowed
>>
>> sudo: user_matches=1
>>
>> sudo: host_matches=1
>>
>> sudo: sudo_ldap_lookup(0)=0x02
>>
>> [sudo] password for user1:
>>
>> [serv_account at host1 ~]$
>>
>>  
>>
>>  
>>
>>     So something isn't lining up correctly with host groups in sudo 
>> rules somewhere.  I just haven't been able to track it down.
>>
>>     Thanks,
>>
>>     -Mark
>>
>>  
>>
>>  
>>
>> * *
>>
>> *________________________________________________________________*
>>
>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>
>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
>> | Oregon
>> | 97204 | USA
>>
>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>> mark.tovey2
>>
>>  
>>
>> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
>> *Sent:* Monday, July 15, 2013 1:11 PM
>> *To:* Tovey, Mark
>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>>  
>>
>>
>>>  
>>>
>>>     Did anyone find a solution for this?  I am having the same experience.
>>>
>>>  
>>>
>> Wow that was a mess...
>>
>> To use hostgroups for sudo ensure nisdomainname is set on the hosts to 
>> the IPA domain.
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





From rmeggins at redhat.com  Tue Jul 16 20:00:26 2013
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 16 Jul 2013 14:00:26 -0600
Subject: [Freeipa-users] Limit password synchronization from Active
	Directory
In-Reply-To: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
References: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
Message-ID: <51E5A65A.2080908@redhat.com>

On 07/16/2013 01:48 PM, Tovey, Mark wrote:
>
>     Is there a way to limit what user accounts are synchronized from 
> Active Directory?  There are around 15,000 entries in our production 
> AD system, but probably only about 300 of those need to have an 
> account in the IPA system.  Can we set an attribute in the user 
> information in AD that would flag that this is a candidate for 
> replication, and lack of that attribute would cause an account to be 
> skipped?
>

No.  The only thing you can do is create a special container (cn=IPA 
users or ou=IPA users or something like that), move the users you want 
to sync into that container, and sync only that container.

>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | 
> Skype: mark.tovey2
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/b121decf/attachment.htm>

From Steven.Jones at vuw.ac.nz  Tue Jul 16 21:12:24 2013
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 16 Jul 2013 21:12:24 +0000
Subject: [Freeipa-users] Limit password synchronization from Active
	Directory
In-Reply-To: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
References: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E407A2FE503@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

No, I dont think so.  Ive asked this....you have to clean up AD / the contents of the container you are syncing.

We have 8000+ items at least 1/2 of which are not required, eg things like templates so when we sync we bring all of it across and it makes IPA a huge mess.  I'd like a rule to at least block something's eg anything called template*  which would help a lot.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark [MTovey at go2uti.com]
Sent: Wednesday, 17 July 2013 7:48 a.m.
To: Freeipa-users at redhat.com
Subject: [Freeipa-users] Limit password synchronization from Active Directory


    Is there a way to limit what user accounts are synchronized from Active Directory?  There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system.  Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped?
    Thanks,
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/e8226f84/attachment.htm>

From MTovey at go2uti.com  Tue Jul 16 21:13:00 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Tue, 16 Jul 2013 21:13:00 +0000
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <51E5A436.5080403@redhat.com>
References: <159018F515D5B14CA76C88F9C425325A6522CD@sinmpt10.corp.go2uti.com>
	<CAGkb5vePZkdMdiT-+HD9=jVFWzNzE5qWW9KP9OD-MWWQVjC5oQ@mail.gmail.com>,
	<159018F515D5B14CA76C88F9C425325A6524F3@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>,
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
	<51E4F750.9010103@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>
	<51E5A436.5080403@redhat.com>
Message-ID: <159018F515D5B14CA76C88F9C425325A65DEBF@sinmpt10.corp.go2uti.com>



    We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:

[sssd]
config_file_version = 2
services = nss, pam

domains = my_domain.com
[nss]

[pam]

 [domain/my_domain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = my_domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipa_server.my_domain.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 6


    And the nsswitch.conf file:

passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files sss

publickey:  nisplus

automount:  files ldap
aliases:    files

sudoers:    files ldap

    Thanks,
    -Mark



________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2


-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, July 16, 2013 12:51 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

On 07/16/2013 02:11 PM, Tovey, Mark wrote:
>     My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we were able to find RPM packages for them.  We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet.  Again, we are just evaluating at this point.  So far, so good, except for this one point.
>     The doman name, host name, and nsswitch.conf files are all properly configured.  But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).  After you asked about that, I started looking into the documentation on netgroups.  The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats."  But when I look in the Netgroups area, I do not see any netgroups defined.  I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to reflect what was stated in the documentation. 
>     But I am still stumped.  I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
>     Thanks,
>     -Mark

So can it seems that the first thing you need to to do is to make sure your netgroups work.
If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups.
Are you using SSSD for netgroups or something else?
Can you please share your sssd.conf and area where it configures netgroups?
Also is sss in the nsswitch.conf for netgroups map?

>
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Tuesday, July 16, 2013 12:34 AM
> To: Tovey, Mark
> Cc: Steven Jones; James Hogarth; Freeipa-users at redhat.com; Pavel 
> Brezina
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that.
>
> ~~~~
> Can you confirm that the output of the following commands:
> 1. $ domainname
> * does it match your domain?
> 2. $ hostname
> * does match match your fqdn?
> 3. $ getent netgroup esolutions-sandbox-hosts
> * does this list your host?
> 4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?
>
>
> Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):
>
> At the top, add the line: sudoers_debug 2
>
> Then try another sudo command. sudo -l for example.
> ~~~~
>
> For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).
>
> Martin
>
>
> On 07/16/2013 06:09 AM, Tovey, Mark wrote:
>>  
>>
>>     Okay, I stopped sssd on the client and deleted the cache files, 
>> removed the sudo rule, started sssd and verified that the rule was 
>> gone, stopped sssd and deleted the files again, added the rule back 
>> in, restarted sssd, and still it does not work.  One note, when I 
>> enter the hosts into the sudo rule in place of the host group, the 
>> effect is immediate; I do not need to restart sssd.  And the opposite 
>> is true too: if I put the host group back, the rule immediately stops 
>> working.  I don't think the issue is cache related; it seems to be 
>> something else.  The serv_account that we are accessing with the sudo rule is external.  I wouldn't expect that to matter, but perhaps it does?
>>
>>  
>>
>>     I like your idea for the labels; they make sense.  Right now we 
>> are just evaluating this to see if we want to go this route.  So far 
>> we like it, but this could be a problem because we have a several 
>> hundred hosts that we need to manage.  Having to enter each one individually will be problematic.
>>
>>     Thanks,
>>
>>     -Mark
>>
>>  
>>
>> * *
>>
>> *________________________________________________________________*
>>
>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>
>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
>> Portland
>> | Oregon
>> | 97204 | USA
>>
>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>> mark.tovey2
>>
>>  
>>
>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>> *Sent:* Monday, July 15, 2013 4:44 PM
>> *To:* Tovey, Mark; James Hogarth
>> *Cc:* Freeipa-users at redhat.com
>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>
>>  
>>
>> option b) delete the rule totally and redo it from scratch.
>>
>> I label rules like this,
>>
>> hb-xxxx   for a hbac rule
>>
>> su-xxxx for a sudo rule
>>
>> sc-xxxx for a sudo command group
>>
>> ug-xxxx for a user group
>>
>> hg-xxxx for a host groups
>>
>> etc
>>
>> etc
>>
>> It makes the logic easier when you go into command line which I find 
>> easier to trace with than the gui at time.
>>
>>  
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ---------------------------------------------------------------------
>> -
>> ---------
>>
>> *From:*Tovey, Mark [MTovey at go2uti.com]
>> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
>> *To:* Steven Jones; James Hogarth
>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>
>>  
>>
>>     That didn't work either.  I set up the host group in my sudo 
>> rule, stopped sssd, renamed /var/lib/sss/db and created a new db 
>> directory, then restarted sssd.  New files were created in the db 
>> directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
>>
>>     Thanks,
>>
>>     -Mark
>>
>>  
>>
>> * *
>>
>> *________________________________________________________________*
>>
>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>
>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
>> Portland
>> | Oregon
>> | 97204 | USA
>>
>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>> mark.tovey2
>>
>>  
>>
>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>> *Sent:* Monday, July 15, 2013 4:15 PM
>> *To:* Tovey, Mark; James Hogarth
>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>
>>  
>>
>> Hi,
>>
>> This is a known issue Ive suffered a long time with.  What would be 
>> interesting is adding another host to the host group could well work 
>> fine, that will really make you bang your head against the wall..
>>
>> 2 possibilities, stop the sssd daemon on the problem host, delete its 
>> cache and start it, that might fix it.
>>
>> Otherwise best to,
>>
>> All RH support could come up with is delete the HBAC rule, sudo rule, 
>> user group and host group and re-do it, then it will probably work fine.
>>
>>  
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ---------------------------------------------------------------------
>> -
>> ---------
>>
>> *From:*freeipa-users-bounces at redhat.com
>> <mailto:freeipa-users-bounces at redhat.com>
>> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark 
>> [MTovey at go2uti.com]
>> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
>> *To:* James Hogarth
>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>>  
>>
>>  
>>
>>     I checked that and it is set correctly:
>>
>>  
>>
>> [user1 at host1 ~]$ nisdomainname
>>
>> my_domain.com
>>
>>  
>>
>>     If I try to run a command with the hosts specified indirectly 
>> through a host group, it fails:
>>
>>  
>>
>> [user1 at host1 ~]$ sudo -i -u serv_account
>>
>> LDAP Config Summary
>>
>> ===================
>>
>> uri              ldap://ipa_server.my_domain.com
>>
>> ldap_version     3
>>
>> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
>>
>> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
>>
>> bindpw           **********
>>
>> bind_timelimit   5000
>>
>> timelimit        15
>>
>> ssl              start_tls
>>
>> tls_checkpeer    (yes)
>>
>> tls_cacertfile   /etc/ipa/ca.crt
>>
>> ===================
>>
>> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
>>
>> sudo: ldap_set_option: debug -> 0
>>
>> sudo: ldap_set_option: ldap_version -> 3
>>
>> sudo: ldap_set_option: tls_checkpeer -> 1
>>
>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>>
>> sudo: ldap_set_option: timelimit -> 15
>>
>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>>
>>  
>>
>> sudo: ldap_start_tls_s() ok
>>
>> sudo: ldap_sasl_bind_s() ok
>>
>> sudo: no default options found!
>>
>> sudo: ldap search
>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>
>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>
>> sudo: ldap sudoHost '+hgroup1' ... not
>>
>> sudo: ldap search 'sudoUser=+*'
>>
>> sudo: user_matches=1
>>
>> sudo: host_matches=0
>>
>> sudo: sudo_ldap_lookup(0)=0x40
>>
>> [sudo] password for user1:
>>
>> Sorry, try again.
>>
>> [sudo] password for user1:
>>
>> sudo: 1 incorrect password attempt
>>
>>  
>>
>>  
>>
>>     But if I remove the host group from the sudo rule and directly 
>> add the hosts that were in the host group, it works fine:
>>
>>  
>>
>> <snip>
>>
>>  
>>
>> sudo: ldap_start_tls_s() ok
>>
>> sudo: ldap_sasl_bind_s() ok
>>
>> sudo: no default options found!
>>
>> sudo: ldap search
>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>
>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>
>> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
>>
>> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
>>
>> sudo: ldap sudoCommand 'ALL' ... MATCH!
>>
>> sudo: Command allowed
>>
>> sudo: user_matches=1
>>
>> sudo: host_matches=1
>>
>> sudo: sudo_ldap_lookup(0)=0x02
>>
>> [sudo] password for user1:
>>
>> [serv_account at host1 ~]$
>>
>>  
>>
>>  
>>
>>     So something isn't lining up correctly with host groups in sudo 
>> rules somewhere.  I just haven't been able to track it down.
>>
>>     Thanks,
>>
>>     -Mark
>>
>>  
>>
>>  
>>
>> * *
>>
>> *________________________________________________________________*
>>
>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>
>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
>> Portland
>> | Oregon
>> | 97204 | USA
>>
>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>> mark.tovey2
>>
>>  
>>
>> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
>> *Sent:* Monday, July 15, 2013 1:11 PM
>> *To:* Tovey, Mark
>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>>  
>>
>>
>>>  
>>>
>>>     Did anyone find a solution for this?  I am having the same experience.
>>>
>>>  
>>>
>> Wow that was a mess...
>>
>> To use hostgroups for sudo ensure nisdomainname is set on the hosts 
>> to the IPA domain.
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



From MTovey at go2uti.com  Tue Jul 16 22:06:07 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Tue, 16 Jul 2013 22:06:07 +0000
Subject: [Freeipa-users] Limit password synchronization from Active
 Directory
In-Reply-To: <51E5A65A.2080908@redhat.com>
References: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
	<51E5A65A.2080908@redhat.com>
Message-ID: <159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com>


    Ouch!   The AD admins have already expressed an unwillingness to move some users into a separate container.  And I don't want to have several thousand unnecessary entries in my IPA system.  It looks like password synchronization is not going to be an option.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 1:00 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 01:48 PM, Tovey, Mark wrote:

    Is there a way to limit what user accounts are synchronized from Active Directory?  There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system.  Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped?

No.  The only thing you can do is create a special container (cn=IPA users or ou=IPA users or something like that), move the users you want to sync into that container, and sync only that container.


    Thanks,
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2





_______________________________________________

Freeipa-users mailing list

Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>

https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/aa204c35/attachment.htm>

From rmeggins at redhat.com  Tue Jul 16 22:17:04 2013
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 16 Jul 2013 16:17:04 -0600
Subject: [Freeipa-users] Limit password synchronization from Active
	Directory
In-Reply-To: <159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com>
References: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
	<51E5A65A.2080908@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com>
Message-ID: <51E5C660.9090003@redhat.com>

On 07/16/2013 04:06 PM, Tovey, Mark wrote:
>
>     Ouch!   The AD admins have already expressed an unwillingness to 
> move some users into a separate container.  And I don't want to have 
> several thousand unnecessary entries in my IPA system. It looks like 
> password synchronization is not going to be an option.
>

With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set nsds7NewWinUserSyncEnabled: off

Then, you will add the ntUser objectclass to each IPA user you want to 
sync, and at the same time add the attribute ntUserDomainID: username 
(corresponds to the AD user samAccountName attribute). This will "link" 
the IPA user entry to the corresponding AD user entry.

You mention password sync and user sync - I'm not sure if you mean them 
separately, or if you are implying that they have to be used together - 
they do not.  You should be able to install PassSync on your domain 
controllers _without configuring a winsync agreement in IPA_.  PassSync 
should then just ignore password changes for users that it cannot find 
in IPA.


>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | 
> Skype: mark.tovey2
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 1:00 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 01:48 PM, Tovey, Mark wrote:
>
>         Is there a way to limit what user accounts are synchronized
>     from Active Directory?  There are around 15,000 entries in our
>     production AD system, but probably only about 300 of those need to
>     have an account in the IPA system.  Can we set an attribute in the
>     user information in AD that would flag that this is a candidate
>     for replication, and lack of that attribute would cause an account
>     to be skipped?
>
>
> No.  The only thing you can do is create a special container (cn=IPA 
> users or ou=IPA users or something like that), move the users you want 
> to sync into that container, and sync only that container.
>
>
>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | 
> Skype: mark.tovey2
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/3187f90e/attachment.htm>

From Steven.Jones at vuw.ac.nz  Tue Jul 16 22:28:55 2013
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 16 Jul 2013 22:28:55 +0000
Subject: [Freeipa-users] Limit password synchronization from Active
 Directory
In-Reply-To: <159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com>
References: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
	<51E5A65A.2080908@redhat.com>,
	<159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E407A2FE5AB@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

PS there is a difference between password sync and user (win)sync, they run independently.

So you can do password sync without winsync.  Password sync puts a msi on the AD box to intercept the password and send it on before its encrypted (as I understand it)....that might also give your AD admins kittens....

;]

We also run IPA admins (who can log into the web ui) as a seperate user ID unique in IPA, that way if AD gets hacked the hacker doesnt get to own IPA as well via a password change.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark [MTovey at go2uti.com]
Sent: Wednesday, 17 July 2013 10:06 a.m.
To: Rich Megginson
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory


    Ouch!   The AD admins have already expressed an unwillingness to move some users into a separate container.  And I don?t want to have several thousand unnecessary entries in my IPA system.  It looks like password synchronization is not going to be an option.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 1:00 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 01:48 PM, Tovey, Mark wrote:

    Is there a way to limit what user accounts are synchronized from Active Directory?  There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system.  Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped?

No.  The only thing you can do is create a special container (cn=IPA users or ou=IPA users or something like that), move the users you want to sync into that container, and sync only that container.


    Thanks,
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2





_______________________________________________

Freeipa-users mailing list

Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>

https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/847fa5b4/attachment.htm>

From MTovey at go2uti.com  Tue Jul 16 22:50:01 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Tue, 16 Jul 2013 22:50:01 +0000
Subject: [Freeipa-users] Limit password synchronization from Active
 Directory
In-Reply-To: <51E5C660.9090003@redhat.com>
References: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
	<51E5A65A.2080908@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com>
	<51E5C660.9090003@redhat.com>
Message-ID: <159018F515D5B14CA76C88F9C425325A65E0C9@sinmpt10.corp.go2uti.com>


    At the end of the day, all we really need is password and preferably account disabling synchronized.  The rest is not absolutely necessary.  I saw that part of the documentation, but did not fully understand it (in a hurry!).  Now that I see it in a different light, it becomes much clearer.  I will look into this.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 3:17 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 04:06 PM, Tovey, Mark wrote:

    Ouch!   The AD admins have already expressed an unwillingness to move some users into a separate container.  And I don't want to have several thousand unnecessary entries in my IPA system.  It looks like password synchronization is not going to be an option.

With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set nsds7NewWinUserSyncEnabled: off

Then, you will add the ntUser objectclass to each IPA user you want to sync, and at the same time add the attribute ntUserDomainID: username (corresponds to the AD user samAccountName attribute).  This will "link" the IPA user entry to the corresponding AD user entry.

You mention password sync and user sync - I'm not sure if you mean them separately, or if you are implying that they have to be used together - they do not.  You should be able to install PassSync on your domain controllers _without configuring a winsync agreement in IPA_.  PassSync should then just ignore password changes for users that it cannot find in IPA.



    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 1:00 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 01:48 PM, Tovey, Mark wrote:

    Is there a way to limit what user accounts are synchronized from Active Directory?  There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system.  Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped?

No.  The only thing you can do is create a special container (cn=IPA users or ou=IPA users or something like that), move the users you want to sync into that container, and sync only that container.



    Thanks,
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2






_______________________________________________

Freeipa-users mailing list

Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>

https://www.redhat.com/mailman/listinfo/freeipa-users


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/b162147a/attachment.htm>

From rmeggins at redhat.com  Tue Jul 16 22:53:29 2013
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 16 Jul 2013 16:53:29 -0600
Subject: [Freeipa-users] Limit password synchronization from Active
	Directory
In-Reply-To: <159018F515D5B14CA76C88F9C425325A65E0C9@sinmpt10.corp.go2uti.com>
References: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
	<51E5A65A.2080908@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com>
	<51E5C660.9090003@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E0C9@sinmpt10.corp.go2uti.com>
Message-ID: <51E5CEE9.20005@redhat.com>

On 07/16/2013 04:50 PM, Tovey, Mark wrote:
>
>     At the end of the day, all we really need is password
>

You can do this with just PassSync on AD and without the rest of winsync.

> and preferably account disabling synchronized.
>

You have to use winsync for that.

> The rest is not absolutely necessary.  I saw that part of the 
> documentation, but did not fully understand it (in a hurry!).  Now 
> that I see it in a different light, it becomes much clearer.  I will 
> look into this.
>
>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 3:17 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 04:06 PM, Tovey, Mark wrote:
>
>         Ouch! The AD admins have already expressed an unwillingness to
>     move some users into a separate container.  And I don't want to
>     have several thousand unnecessary entries in my IPA system.  It
>     looks like password synchronization is not going to be an option.
>
>
> With 389 it is possible to disable sync of AD user creation to DS.
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html
>
> 12.4.4.2. Configuring User Sync in the Command Line
>
> To disable user sync, set nsds7NewWinUserSyncEnabled: off
>
> Then, you will add the ntUser objectclass to each IPA user you want to 
> sync, and at the same time add the attribute ntUserDomainID: username 
> (corresponds to the AD user samAccountName attribute).  This will 
> "link" the IPA user entry to the corresponding AD user entry.
>
> You mention password sync and user sync - I'm not sure if you mean 
> them separately, or if you are implying that they have to be used 
> together - they do not.  You should be able to install PassSync on 
> your domain controllers _without configuring a winsync agreement in 
> IPA_.  PassSync should then just ignore password changes for users 
> that it cannot find in IPA.
>
>
>
>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | 
> Skype: mark.tovey2
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 1:00 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 01:48 PM, Tovey, Mark wrote:
>
>         Is there a way to limit what user accounts are synchronized
>     from Active Directory?  There are around 15,000 entries in our
>     production AD system, but probably only about 300 of those need to
>     have an account in the IPA system.  Can we set an attribute in the
>     user information in AD that would flag that this is a candidate
>     for replication, and lack of that attribute would cause an account
>     to be skipped?
>
>
> No.  The only thing you can do is create a special container (cn=IPA 
> users or ou=IPA users or something like that), move the users you want 
> to sync into that container, and sync only that container.
>
>
>
>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | 
> Skype: mark.tovey2
>
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/0528dff3/attachment.htm>

From MTovey at go2uti.com  Tue Jul 16 23:00:39 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Tue, 16 Jul 2013 23:00:39 +0000
Subject: [Freeipa-users] Limit password synchronization from Active
 Directory
In-Reply-To: <51E5CEE9.20005@redhat.com>
References: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
	<51E5A65A.2080908@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com>
	<51E5C660.9090003@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E0C9@sinmpt10.corp.go2uti.com>
	<51E5CEE9.20005@redhat.com>
Message-ID: <159018F515D5B14CA76C88F9C425325A65E122@sinmpt10.corp.go2uti.com>


    We can live with that.  We want to be able to disable an account in AD and have that flow out to our *nix servers.  If we make the procedure to delete the password in AD, that should effectively disable the account in IPA as well.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 3:53 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 04:50 PM, Tovey, Mark wrote:

    At the end of the day, all we really need is password

You can do this with just PassSync on AD and without the rest of winsync.


and preferably account disabling synchronized.

You have to use winsync for that.


The rest is not absolutely necessary.  I saw that part of the documentation, but did not fully understand it (in a hurry!).  Now that I see it in a different light, it becomes much clearer.  I will look into this.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 3:17 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 04:06 PM, Tovey, Mark wrote:

    Ouch!   The AD admins have already expressed an unwillingness to move some users into a separate container.  And I don't want to have several thousand unnecessary entries in my IPA system.  It looks like password synchronization is not going to be an option.

With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set nsds7NewWinUserSyncEnabled: off

Then, you will add the ntUser objectclass to each IPA user you want to sync, and at the same time add the attribute ntUserDomainID: username (corresponds to the AD user samAccountName attribute).  This will "link" the IPA user entry to the corresponding AD user entry.

You mention password sync and user sync - I'm not sure if you mean them separately, or if you are implying that they have to be used together - they do not.  You should be able to install PassSync on your domain controllers _without configuring a winsync agreement in IPA_.  PassSync should then just ignore password changes for users that it cannot find in IPA.




    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 1:00 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 01:48 PM, Tovey, Mark wrote:

    Is there a way to limit what user accounts are synchronized from Active Directory?  There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system.  Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped?

No.  The only thing you can do is create a special container (cn=IPA users or ou=IPA users or something like that), move the users you want to sync into that container, and sync only that container.




    Thanks,
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2







_______________________________________________

Freeipa-users mailing list

Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>

https://www.redhat.com/mailman/listinfo/freeipa-users



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/7f2a94f0/attachment.htm>

From rmeggins at redhat.com  Tue Jul 16 23:05:37 2013
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 16 Jul 2013 17:05:37 -0600
Subject: [Freeipa-users] Limit password synchronization from Active
	Directory
In-Reply-To: <159018F515D5B14CA76C88F9C425325A65E122@sinmpt10.corp.go2uti.com>
References: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
	<51E5A65A.2080908@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com>
	<51E5C660.9090003@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E0C9@sinmpt10.corp.go2uti.com>
	<51E5CEE9.20005@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E122@sinmpt10.corp.go2uti.com>
Message-ID: <51E5D1C1.9000902@redhat.com>

On 07/16/2013 05:00 PM, Tovey, Mark wrote:
>
>     We can live with that.  We want to be able to disable an account 
> in AD and have that flow out to our *nix servers.  If we make the 
> procedure to delete the password in AD, that should effectively 
> disable the account in IPA as well.
>

I don't think PassSync will sync password deletion events.

>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 3:53 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 04:50 PM, Tovey, Mark wrote:
>
>         At the end of the day, all we really need is password
>
>
> You can do this with just PassSync on AD and without the rest of winsync.
>
>
> and preferably account disabling synchronized.
>
>
> You have to use winsync for that.
>
>
> The rest is not absolutely necessary.  I saw that part of the 
> documentation, but did not fully understand it (in a hurry!).  Now 
> that I see it in a different light, it becomes much clearer.  I will 
> look into this.
>
>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 3:17 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 04:06 PM, Tovey, Mark wrote:
>
>         Ouch! The AD admins have already expressed an unwillingness to
>     move some users into a separate container.  And I don't want to
>     have several thousand unnecessary entries in my IPA system.  It
>     looks like password synchronization is not going to be an option.
>
>
> With 389 it is possible to disable sync of AD user creation to DS.
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html
>
> 12.4.4.2. Configuring User Sync in the Command Line
>
> To disable user sync, set nsds7NewWinUserSyncEnabled: off
>
> Then, you will add the ntUser objectclass to each IPA user you want to 
> sync, and at the same time add the attribute ntUserDomainID: username 
> (corresponds to the AD user samAccountName attribute).  This will 
> "link" the IPA user entry to the corresponding AD user entry.
>
> You mention password sync and user sync - I'm not sure if you mean 
> them separately, or if you are implying that they have to be used 
> together - they do not.  You should be able to install PassSync on 
> your domain controllers _without configuring a winsync agreement in 
> IPA_.  PassSync should then just ignore password changes for users 
> that it cannot find in IPA.
>
>
>
>
>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | 
> Skype: mark.tovey2
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 1:00 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 01:48 PM, Tovey, Mark wrote:
>
>         Is there a way to limit what user accounts are synchronized
>     from Active Directory?  There are around 15,000 entries in our
>     production AD system, but probably only about 300 of those need to
>     have an account in the IPA system.  Can we set an attribute in the
>     user information in AD that would flag that this is a candidate
>     for replication, and lack of that attribute would cause an account
>     to be skipped?
>
>
> No.  The only thing you can do is create a special container (cn=IPA 
> users or ou=IPA users or something like that), move the users you want 
> to sync into that container, and sync only that container.
>
>
>
>
>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | 
> Skype: mark.tovey2
>
>
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/af29b0af/attachment.htm>

From rmeggins at redhat.com  Tue Jul 16 23:07:26 2013
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 16 Jul 2013 17:07:26 -0600
Subject: [Freeipa-users] Limit password synchronization from Active
	Directory
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E407A2FE5AB@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
	<51E5A65A.2080908@redhat.com>,
	<159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE5AB@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <51E5D22E.2080005@redhat.com>

On 07/16/2013 04:28 PM, Steven Jones wrote:
> Hi,
>
> PS there is a difference between password sync and user (win)sync, 
> they run independently.
>
> So you can do password sync without winsync.  Password sync puts a msi 
> on the AD box to intercept the password and send it on before its 
> encrypted (as I understand it)....
Correct.
> that might also give your AD admins kittens....
Also correct, which is why the preferred long term solution is cross 
domain trust.
>
> ;]
>
> We also run IPA admins (who can log into the web ui) as a seperate 
> user ID unique in IPA, that way if AD gets hacked the hacker doesnt 
> get to own IPA as well via a password change.
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ------------------------------------------------------------------------
> *From:* freeipa-users-bounces at redhat.com 
> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark 
> [MTovey at go2uti.com]
> *Sent:* Wednesday, 17 July 2013 10:06 a.m.
> *To:* Rich Megginson
> *Cc:* Freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> Ouch!   The AD admins have already expressed an unwillingness to move 
> some users into a separate container.  And I don't want to have 
> several thousand unnecessary entries in my IPA system.  It looks like 
> password synchronization is not going to be an option.
>
> Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | 
> Skype: mark.tovey2
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 1:00 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 01:48 PM, Tovey, Mark wrote:
>
>         Is there a way to limit what user accounts are synchronized
>     from Active Directory? There are around 15,000 entries in our
>     production AD system, but probably only about 300 of those need to
>     have an account in the IPA system.  Can we set an attribute in the
>     user information in AD that would flag that this is a candidate
>     for replication, and lack of that attribute would cause an account
>     to be skipped?
>
>
> No.  The only thing you can do is create a special container (cn=IPA 
> users or ou=IPA users or something like that), move the users you want 
> to sync into that container, and sync only that container.
>
>
>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | 
> Skype: mark.tovey2
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/0f5c98d4/attachment.htm>

From MTovey at go2uti.com  Tue Jul 16 23:33:21 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Tue, 16 Jul 2013 23:33:21 +0000
Subject: [Freeipa-users] Limit password synchronization from Active
 Directory
In-Reply-To: <51E5D1C1.9000902@redhat.com>
References: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
	<51E5A65A.2080908@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com>
	<51E5C660.9090003@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E0C9@sinmpt10.corp.go2uti.com>
	<51E5CEE9.20005@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E122@sinmpt10.corp.go2uti.com>
	<51E5D1C1.9000902@redhat.com>
Message-ID: <159018F515D5B14CA76C88F9C425325A65E162@sinmpt10.corp.go2uti.com>


    You make this difficult!  :)  But after explaining what we are trying to accomplish here to our AD Architect, he offered some flexibility with the subcontainer option.  My users may have to live with two accounts in AD (one for everyday functions like email, the other for extra access like *nix), but that will allow our User Account Management team to enable, disable, and reset accounts from within one tool.  Actual server access will still be managed by our Unix team through IPA.
    Thanks,
     -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 4:06 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 05:00 PM, Tovey, Mark wrote:

    We can live with that.  We want to be able to disable an account in AD and have that flow out to our *nix servers.  If we make the procedure to delete the password in AD, that should effectively disable the account in IPA as well.

I don't think PassSync will sync password deletion events.


    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 3:53 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 04:50 PM, Tovey, Mark wrote:

    At the end of the day, all we really need is password

You can do this with just PassSync on AD and without the rest of winsync.



and preferably account disabling synchronized.

You have to use winsync for that.



The rest is not absolutely necessary.  I saw that part of the documentation, but did not fully understand it (in a hurry!).  Now that I see it in a different light, it becomes much clearer.  I will look into this.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 3:17 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 04:06 PM, Tovey, Mark wrote:

    Ouch!   The AD admins have already expressed an unwillingness to move some users into a separate container.  And I don't want to have several thousand unnecessary entries in my IPA system.  It looks like password synchronization is not going to be an option.

With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set nsds7NewWinUserSyncEnabled: off

Then, you will add the ntUser objectclass to each IPA user you want to sync, and at the same time add the attribute ntUserDomainID: username (corresponds to the AD user samAccountName attribute).  This will "link" the IPA user entry to the corresponding AD user entry.

You mention password sync and user sync - I'm not sure if you mean them separately, or if you are implying that they have to be used together - they do not.  You should be able to install PassSync on your domain controllers _without configuring a winsync agreement in IPA_.  PassSync should then just ignore password changes for users that it cannot find in IPA.





    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 1:00 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 01:48 PM, Tovey, Mark wrote:

    Is there a way to limit what user accounts are synchronized from Active Directory?  There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system.  Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped?

No.  The only thing you can do is create a special container (cn=IPA users or ou=IPA users or something like that), move the users you want to sync into that container, and sync only that container.





    Thanks,
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2








_______________________________________________

Freeipa-users mailing list

Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>

https://www.redhat.com/mailman/listinfo/freeipa-users




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/dcec5afd/attachment.htm>

From rmeggins at redhat.com  Wed Jul 17 00:43:30 2013
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 16 Jul 2013 18:43:30 -0600
Subject: [Freeipa-users] Limit password synchronization from Active
	Directory
In-Reply-To: <159018F515D5B14CA76C88F9C425325A65E162@sinmpt10.corp.go2uti.com>
References: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
	<51E5A65A.2080908@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com>
	<51E5C660.9090003@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E0C9@sinmpt10.corp.go2uti.com>
	<51E5CEE9.20005@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E122@sinmpt10.corp.go2uti.com>
	<51E5D1C1.9000902@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E162@sinmpt10.corp.go2uti.com>
Message-ID: <51E5E8B2.1030500@redhat.com>

On 07/16/2013 05:33 PM, Tovey, Mark wrote:
>
>     You make this difficult!J  But after explaining what we are trying 
> to accomplish here to our AD Architect, he offered some flexibility 
> with the subcontainer option.  My users may have to live with two 
> accounts in AD (one for everyday functions like email, the other for 
> extra access like *nix), but that will allow our User Account 
> Management team to enable, disable, and reset accounts from within one 
> tool. Actual server access will still be managed by our Unix team 
> through IPA.
>

You can't just disable sync of AD user creation?  And just add the sync 
attributes to the IPA entries you want to sync?

>     Thanks,
>
>      -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 4:06 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 05:00 PM, Tovey, Mark wrote:
>
>         We can live with that.  We want to be able to disable an
>     account in AD and have that flow out to our *nix servers.  If we
>     make the procedure to delete the password in AD, that should
>     effectively disable the account in IPA as well.
>
>
> I don't think PassSync will sync password deletion events.
>
>
>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 3:53 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 04:50 PM, Tovey, Mark wrote:
>
>         At the end of the day, all we really need is password
>
>
> You can do this with just PassSync on AD and without the rest of winsync.
>
>
>
> and preferably account disabling synchronized.
>
>
> You have to use winsync for that.
>
>
>
> The rest is not absolutely necessary.  I saw that part of the 
> documentation, but did not fully understand it (in a hurry!).  Now 
> that I see it in a different light, it becomes much clearer.  I will 
> look into this.
>
>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 3:17 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 04:06 PM, Tovey, Mark wrote:
>
>         Ouch! The AD admins have already expressed an unwillingness to
>     move some users into a separate container.  And I don't want to
>     have several thousand unnecessary entries in my IPA system.  It
>     looks like password synchronization is not going to be an option.
>
>
> With 389 it is possible to disable sync of AD user creation to DS.
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html
>
> 12.4.4.2. Configuring User Sync in the Command Line
>
> To disable user sync, set nsds7NewWinUserSyncEnabled: off
>
> Then, you will add the ntUser objectclass to each IPA user you want to 
> sync, and at the same time add the attribute ntUserDomainID: username 
> (corresponds to the AD user samAccountName attribute).  This will 
> "link" the IPA user entry to the corresponding AD user entry.
>
> You mention password sync and user sync - I'm not sure if you mean 
> them separately, or if you are implying that they have to be used 
> together - they do not.  You should be able to install PassSync on 
> your domain controllers _without configuring a winsync agreement in 
> IPA_.  PassSync should then just ignore password changes for users 
> that it cannot find in IPA.
>
>
>
>
>
>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | 
> Skype: mark.tovey2
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Tuesday, July 16, 2013 1:00 PM
> *To:* Tovey, Mark
> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] Limit password synchronization from 
> Active Directory
>
> On 07/16/2013 01:48 PM, Tovey, Mark wrote:
>
>         Is there a way to limit what user accounts are synchronized
>     from Active Directory?  There are around 15,000 entries in our
>     production AD system, but probably only about 300 of those need to
>     have an account in the IPA system.  Can we set an attribute in the
>     user information in AD that would flag that this is a candidate
>     for replication, and lack of that attribute would cause an account
>     to be skipped?
>
>
> No.  The only thing you can do is create a special container (cn=IPA 
> users or ou=IPA users or something like that), move the users you want 
> to sync into that container, and sync only that container.
>
>
>
>
>
>     Thanks,
>
>     -Mark
>
> **
>
> *________________________________________________________________*
>
> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>
> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland 
> | Oregon | 97204 | USA
>
> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | 
> Skype: mark.tovey2
>
>
>
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130716/673a39c9/attachment.htm>

From MTovey at go2uti.com  Wed Jul 17 04:34:48 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Wed, 17 Jul 2013 04:34:48 +0000
Subject: [Freeipa-users] Limit password synchronization from Active
 Directory
In-Reply-To: <51E5E8B2.1030500@redhat.com>
References: <159018F515D5B14CA76C88F9C425325A65DDEF@sinmpt10.corp.go2uti.com>
	<51E5A65A.2080908@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E020@sinmpt10.corp.go2uti.com>
	<51E5C660.9090003@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E0C9@sinmpt10.corp.go2uti.com>
	<51E5CEE9.20005@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E122@sinmpt10.corp.go2uti.com>
	<51E5D1C1.9000902@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65E162@sinmpt10.corp.go2uti.com>
	<51E5E8B2.1030500@redhat.com>
Message-ID: <159018F515D5B14CA76C88F9C425325A65F20F@sinmpt10.corp.go2uti.com>


    Okay, I can see that I am just going to have to fire this up and play with it until I better understand what I can do and can't do.  But it sounds like I have enough options available to me now that I can make something acceptable work.  The first step is going to be to get the AD admins to set up the replication on their end.  We probably should start with a subcontainer anyway just so that I don't end up with the entire AD system inadvertently being replicated over.  Once we are familiar with it, then we can work out what the best configuration will be for how we want to operate.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 5:44 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 05:33 PM, Tovey, Mark wrote:

    You make this difficult!:)  But after explaining what we are trying to accomplish here to our AD Architect, he offered some flexibility with the subcontainer option.  My users may have to live with two accounts in AD (one for everyday functions like email, the other for extra access like *nix), but that will allow our User Account Management team to enable, disable, and reset accounts from within one tool.  Actual server access will still be managed by our Unix team through IPA.

You can't just disable sync of AD user creation?  And just add the sync attributes to the IPA entries you want to sync?


    Thanks,
     -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 4:06 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 05:00 PM, Tovey, Mark wrote:

    We can live with that.  We want to be able to disable an account in AD and have that flow out to our *nix servers.  If we make the procedure to delete the password in AD, that should effectively disable the account in IPA as well.

I don't think PassSync will sync password deletion events.



    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 3:53 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 04:50 PM, Tovey, Mark wrote:

    At the end of the day, all we really need is password

You can do this with just PassSync on AD and without the rest of winsync.




and preferably account disabling synchronized.

You have to use winsync for that.




The rest is not absolutely necessary.  I saw that part of the documentation, but did not fully understand it (in a hurry!).  Now that I see it in a different light, it becomes much clearer.  I will look into this.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 3:17 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 04:06 PM, Tovey, Mark wrote:

    Ouch!   The AD admins have already expressed an unwillingness to move some users into a separate container.  And I don't want to have several thousand unnecessary entries in my IPA system.  It looks like password synchronization is not going to be an option.

With 389 it is possible to disable sync of AD user creation to DS.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html

12.4.4.2. Configuring User Sync in the Command Line

To disable user sync, set nsds7NewWinUserSyncEnabled: off

Then, you will add the ntUser objectclass to each IPA user you want to sync, and at the same time add the attribute ntUserDomainID: username (corresponds to the AD user samAccountName attribute).  This will "link" the IPA user entry to the corresponding AD user entry.

You mention password sync and user sync - I'm not sure if you mean them separately, or if you are implying that they have to be used together - they do not.  You should be able to install PassSync on your domain controllers _without configuring a winsync agreement in IPA_.  PassSync should then just ignore password changes for users that it cannot find in IPA.






    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2

From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Tuesday, July 16, 2013 1:00 PM
To: Tovey, Mark
Cc: Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Limit password synchronization from Active Directory

On 07/16/2013 01:48 PM, Tovey, Mark wrote:

    Is there a way to limit what user accounts are synchronized from Active Directory?  There are around 15,000 entries in our production AD system, but probably only about 300 of those need to have an account in the IPA system.  Can we set an attribute in the user information in AD that would flag that this is a candidate for replication, and lack of that attribute would cause an account to be skipped?

No.  The only thing you can do is create a special container (cn=IPA users or ou=IPA users or something like that), move the users you want to sync into that container, and sync only that container.






    Thanks,
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype: mark.tovey2









_______________________________________________

Freeipa-users mailing list

Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>

https://www.redhat.com/mailman/listinfo/freeipa-users





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130717/155ff4b9/attachment.htm>

From rendhalver at gmail.com  Wed Jul 17 05:52:21 2013
From: rendhalver at gmail.com (Pete Brown)
Date: Wed, 17 Jul 2013 15:52:21 +1000
Subject: [Freeipa-users] problem creating replica
Message-ID: <CAJ8DPF7-nAxu5+BbLt0t7Hb2reJrYg273v6r6kQq3j2gnsEeOA@mail.gmail.com>

Hi everyone,

I am attempting to create a replica of my freeipa server.
I am following the docs but they are not working for me.
I am getting the vague impression I am missing a step that doesn't
seem to be documented.

For the record all the posts listed are open and it was a clean
install of Fedora 18.

I thought the server may need to be a client of the master before I
set it up as a replica but it just said I needed to uninstall the
client setup.

After running ipa-replica-prepare on the master and scping the file to
the new replica.
I ran this command on the new replica
ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
--forwarder=XXX.XXX.XXX.XX --forwarder=XX.XXX.XXX.XXX
/var/lib/ipa/replica-info-ipa2.domain.com.gpg

The error I am seeing is from that command is this:
Cannot acquire Kerberos ticket: kinit: Cannot read password while
getting initial credentials

Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with
--skip-conncheck parameter.

So I cleaned everything off (i think) and tried it with this command

ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
--forwarder=61.9.211.33 --forwarder=61.9.211.1 --skip-conncheck
/var/lib/ipa/replica-info-ipa2.webgatetec.com.gpg

This seems to actually start the install and setup process i remember
from installing the ipa server initially

This it fails with this output

WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Directory Manager (existing master) password:

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/31]: creating directory server user
  [2/31]: creating directory server instance
  [3/31]: adding default schema
  [4/31]: enabling memberof plugin
  [5/31]: enabling winsync plugin
  [6/31]: configuring replication version plugin
  [7/31]: enabling IPA enrollment plugin
  [8/31]: enabling ldapi
  [9/31]: configuring uniqueness plugin
  [10/31]: configuring uuid plugin
  [11/31]: configuring modrdn plugin
  [12/31]: configuring DNS plugin
  [13/31]: enabling entryUSN plugin
  [14/31]: configuring lockout plugin
  [15/31]: creating indices
  [16/31]: enabling referential integrity plugin
  [17/31]: configuring ssl for ds instance
  [18/31]: configuring certmap.conf
  [19/31]: configure autobind for root
  [20/31]: configure new location for managed entries
  [21/31]: restarting directory server
  [22/31]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [23/31]: adding replication acis
  [24/31]: setting Auto Member configuration
  [25/31]: enabling S4U2Proxy delegation
  [26/31]: initializing group membership
  [27/31]: adding master entry
  [28/31]: configuring Posix uid/gid generation
  [29/31]: enabling compatibility plugin
  [30/31]: tuning directory server
  [31/31]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
30 seconds
  [1/17]: creating certificate server user
  [2/17]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmptGcdgB' returned non-zero exit
status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

I even tried cleaning it again at that point and made sure all the
ports were open and still got the same error.

I also switched selinux to permissive mode cleaned up and rebooted but
that didn't help either

Can someone please point out what I need to do to get this working.

Thanks in advance.
Pete.



From jhrozek at redhat.com  Wed Jul 17 08:32:13 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 17 Jul 2013 10:32:13 +0200
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <159018F515D5B14CA76C88F9C425325A65DEBF@sinmpt10.corp.go2uti.com>
References: <CAGkb5vePZkdMdiT-+HD9=jVFWzNzE5qWW9KP9OD-MWWQVjC5oQ@mail.gmail.com>
	<159018F515D5B14CA76C88F9C425325A6524F3@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
	<51E4F750.9010103@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>
	<51E5A436.5080403@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65DEBF@sinmpt10.corp.go2uti.com>
Message-ID: <20130717083213.GK22079@hendrix.brq.redhat.com>

On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
> 
> 
>     We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:

Hi Mark,

you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and
by extension OEL) in 5.6. Are you running the version from EPEL? I'm not
sure if netgroups were even supported in that old version..

What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?

Does getent netgroup <netgroup-name> work?

> 
> [sssd]
> config_file_version = 2
> services = nss, pam
> 
> domains = my_domain.com
> [nss]
> 
> [pam]
> 
>  [domain/my_domain.com]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = my_domain.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_server = _srv_, ipa_server.my_domain.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> debug_level = 6
> 
> 
>     And the nsswitch.conf file:
> 
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> 
> hosts:      files dns
> 
> bootparams: nisplus [NOTFOUND=return] files
> 
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> 
> netgroup:   files sss
> 
> publickey:  nisplus
> 
> automount:  files ldap
> aliases:    files
> 
> sudoers:    files ldap
> 
>     Thanks,
>     -Mark
> 
> 
> 
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
> 
> 
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
> Sent: Tuesday, July 16, 2013 12:51 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> 
> On 07/16/2013 02:11 PM, Tovey, Mark wrote:
> >     My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we were able to find RPM packages for them.  We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet.  Again, we are just evaluating at this point.  So far, so good, except for this one point.
> >     The doman name, host name, and nsswitch.conf files are all properly configured.  But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).  After you asked about that, I started looking into the documentation on netgroups.  The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats."  But when I look in the Netgroups area, I do not see any netgroups defined.  I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to reflect what was stated in the documentation. 
> >     But I am still stumped.  I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
> >     Thanks,
> >     -Mark
> 
> So can it seems that the first thing you need to to do is to make sure your netgroups work.
> If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups.
> Are you using SSSD for netgroups or something else?
> Can you please share your sssd.conf and area where it configures netgroups?
> Also is sss in the nsswitch.conf for netgroups map?
> 
> >
> >
> > ________________________________________________________________
> > Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
> > Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
> > MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
> >
> > -----Original Message-----
> > From: Martin Kosek [mailto:mkosek at redhat.com]
> > Sent: Tuesday, July 16, 2013 12:34 AM
> > To: Tovey, Mark
> > Cc: Steven Jones; James Hogarth; Freeipa-users at redhat.com; Pavel 
> > Brezina
> > Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> >
> > Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that.
> >
> > ~~~~
> > Can you confirm that the output of the following commands:
> > 1. $ domainname
> > * does it match your domain?
> > 2. $ hostname
> > * does match match your fqdn?
> > 3. $ getent netgroup esolutions-sandbox-hosts
> > * does this list your host?
> > 4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?
> >
> >
> > Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):
> >
> > At the top, add the line: sudoers_debug 2
> >
> > Then try another sudo command. sudo -l for example.
> > ~~~~
> >
> > For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).
> >
> > Martin
> >
> >
> > On 07/16/2013 06:09 AM, Tovey, Mark wrote:
> >>  
> >>
> >>     Okay, I stopped sssd on the client and deleted the cache files, 
> >> removed the sudo rule, started sssd and verified that the rule was 
> >> gone, stopped sssd and deleted the files again, added the rule back 
> >> in, restarted sssd, and still it does not work.  One note, when I 
> >> enter the hosts into the sudo rule in place of the host group, the 
> >> effect is immediate; I do not need to restart sssd.  And the opposite 
> >> is true too: if I put the host group back, the rule immediately stops 
> >> working.  I don't think the issue is cache related; it seems to be 
> >> something else.  The serv_account that we are accessing with the sudo rule is external.  I wouldn't expect that to matter, but perhaps it does?
> >>
> >>  
> >>
> >>     I like your idea for the labels; they make sense.  Right now we 
> >> are just evaluating this to see if we want to go this route.  So far 
> >> we like it, but this could be a problem because we have a several 
> >> hundred hosts that we need to manage.  Having to enter each one individually will be problematic.
> >>
> >>     Thanks,
> >>
> >>     -Mark
> >>
> >>  
> >>
> >> * *
> >>
> >> *________________________________________________________________*
> >>
> >> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> >>
> >> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
> >> Portland
> >> | Oregon
> >> | 97204 | USA
> >>
> >> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> >> mark.tovey2
> >>
> >>  
> >>
> >> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
> >> *Sent:* Monday, July 15, 2013 4:44 PM
> >> *To:* Tovey, Mark; James Hogarth
> >> *Cc:* Freeipa-users at redhat.com
> >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> >>
> >>  
> >>
> >> option b) delete the rule totally and redo it from scratch.
> >>
> >> I label rules like this,
> >>
> >> hb-xxxx   for a hbac rule
> >>
> >> su-xxxx for a sudo rule
> >>
> >> sc-xxxx for a sudo command group
> >>
> >> ug-xxxx for a user group
> >>
> >> hg-xxxx for a host groups
> >>
> >> etc
> >>
> >> etc
> >>
> >> It makes the logic easier when you go into command line which I find 
> >> easier to trace with than the gui at time.
> >>
> >>  
> >>
> >> regards
> >>
> >> Steven Jones
> >>
> >> Technical Specialist - Linux RHCE
> >>
> >> Victoria University, Wellington, NZ
> >>
> >> 0064 4 463 6272
> >>
> >> ---------------------------------------------------------------------
> >> -
> >> ---------
> >>
> >> *From:*Tovey, Mark [MTovey at go2uti.com]
> >> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
> >> *To:* Steven Jones; James Hogarth
> >> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> >>
> >>  
> >>
> >>     That didn't work either.  I set up the host group in my sudo 
> >> rule, stopped sssd, renamed /var/lib/sss/db and created a new db 
> >> directory, then restarted sssd.  New files were created in the db 
> >> directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
> >>
> >>     Thanks,
> >>
> >>     -Mark
> >>
> >>  
> >>
> >> * *
> >>
> >> *________________________________________________________________*
> >>
> >> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> >>
> >> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
> >> Portland
> >> | Oregon
> >> | 97204 | USA
> >>
> >> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> >> mark.tovey2
> >>
> >>  
> >>
> >> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
> >> *Sent:* Monday, July 15, 2013 4:15 PM
> >> *To:* Tovey, Mark; James Hogarth
> >> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> >>
> >>  
> >>
> >> Hi,
> >>
> >> This is a known issue Ive suffered a long time with.  What would be 
> >> interesting is adding another host to the host group could well work 
> >> fine, that will really make you bang your head against the wall..
> >>
> >> 2 possibilities, stop the sssd daemon on the problem host, delete its 
> >> cache and start it, that might fix it.
> >>
> >> Otherwise best to,
> >>
> >> All RH support could come up with is delete the HBAC rule, sudo rule, 
> >> user group and host group and re-do it, then it will probably work fine.
> >>
> >>  
> >>
> >> regards
> >>
> >> Steven Jones
> >>
> >> Technical Specialist - Linux RHCE
> >>
> >> Victoria University, Wellington, NZ
> >>
> >> 0064 4 463 6272
> >>
> >> ---------------------------------------------------------------------
> >> -
> >> ---------
> >>
> >> *From:*freeipa-users-bounces at redhat.com
> >> <mailto:freeipa-users-bounces at redhat.com>
> >> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark 
> >> [MTovey at go2uti.com]
> >> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
> >> *To:* James Hogarth
> >> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> >> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> >>
> >>  
> >>
> >>  
> >>
> >>     I checked that and it is set correctly:
> >>
> >>  
> >>
> >> [user1 at host1 ~]$ nisdomainname
> >>
> >> my_domain.com
> >>
> >>  
> >>
> >>     If I try to run a command with the hosts specified indirectly 
> >> through a host group, it fails:
> >>
> >>  
> >>
> >> [user1 at host1 ~]$ sudo -i -u serv_account
> >>
> >> LDAP Config Summary
> >>
> >> ===================
> >>
> >> uri              ldap://ipa_server.my_domain.com
> >>
> >> ldap_version     3
> >>
> >> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
> >>
> >> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
> >>
> >> bindpw           **********
> >>
> >> bind_timelimit   5000
> >>
> >> timelimit        15
> >>
> >> ssl              start_tls
> >>
> >> tls_checkpeer    (yes)
> >>
> >> tls_cacertfile   /etc/ipa/ca.crt
> >>
> >> ===================
> >>
> >> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
> >>
> >> sudo: ldap_set_option: debug -> 0
> >>
> >> sudo: ldap_set_option: ldap_version -> 3
> >>
> >> sudo: ldap_set_option: tls_checkpeer -> 1
> >>
> >> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> >>
> >> sudo: ldap_set_option: timelimit -> 15
> >>
> >> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> >>
> >>  
> >>
> >> sudo: ldap_start_tls_s() ok
> >>
> >> sudo: ldap_sasl_bind_s() ok
> >>
> >> sudo: no default options found!
> >>
> >> sudo: ldap search
> >> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> >>
> >> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> >>
> >> sudo: ldap sudoHost '+hgroup1' ... not
> >>
> >> sudo: ldap search 'sudoUser=+*'
> >>
> >> sudo: user_matches=1
> >>
> >> sudo: host_matches=0
> >>
> >> sudo: sudo_ldap_lookup(0)=0x40
> >>
> >> [sudo] password for user1:
> >>
> >> Sorry, try again.
> >>
> >> [sudo] password for user1:
> >>
> >> sudo: 1 incorrect password attempt
> >>
> >>  
> >>
> >>  
> >>
> >>     But if I remove the host group from the sudo rule and directly 
> >> add the hosts that were in the host group, it works fine:
> >>
> >>  
> >>
> >> <snip>
> >>
> >>  
> >>
> >> sudo: ldap_start_tls_s() ok
> >>
> >> sudo: ldap_sasl_bind_s() ok
> >>
> >> sudo: no default options found!
> >>
> >> sudo: ldap search
> >> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> >>
> >> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> >>
> >> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
> >>
> >> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
> >>
> >> sudo: ldap sudoCommand 'ALL' ... MATCH!
> >>
> >> sudo: Command allowed
> >>
> >> sudo: user_matches=1
> >>
> >> sudo: host_matches=1
> >>
> >> sudo: sudo_ldap_lookup(0)=0x02
> >>
> >> [sudo] password for user1:
> >>
> >> [serv_account at host1 ~]$
> >>
> >>  
> >>
> >>  
> >>
> >>     So something isn't lining up correctly with host groups in sudo 
> >> rules somewhere.  I just haven't been able to track it down.
> >>
> >>     Thanks,
> >>
> >>     -Mark
> >>
> >>  
> >>
> >>  
> >>
> >> * *
> >>
> >> *________________________________________________________________*
> >>
> >> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> >>
> >> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
> >> Portland
> >> | Oregon
> >> | 97204 | USA
> >>
> >> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> >> mark.tovey2
> >>
> >>  
> >>
> >> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
> >> *Sent:* Monday, July 15, 2013 1:11 PM
> >> *To:* Tovey, Mark
> >> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> >>
> >>  
> >>
> >>
> >>>  
> >>>
> >>>     Did anyone find a solution for this?  I am having the same experience.
> >>>
> >>>  
> >>>
> >> Wow that was a mess...
> >>
> >> To use hostgroups for sudo ensure nisdomainname is set on the hosts 
> >> to the IPA domain.
> >>
> >>
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
> --
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
> 
> 
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



From pvoborni at redhat.com  Wed Jul 17 08:33:43 2013
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 17 Jul 2013 10:33:43 +0200
Subject: [Freeipa-users] new issue with ssh key in the interface
In-Reply-To: <1373995457.5023.2.camel@localhost.localdomain>
References: <1373995457.5023.2.camel@localhost.localdomain>
Message-ID: <51E656E7.1060408@redhat.com>

On 07/16/2013 07:24 PM, Armstrong, Kenneth Lawrence wrote:
> Hello all,
>
> i have a new problem with the SSH Key bit in the web interface.  I created a new ssh key for a user, and pasted it into the web interface for the user.  Afterward, it said that the key was not set.  So I attempted again from the commandline, and it looks like it took it.  However, when I go back to the web interface, it doesn't show one set for the user.
>
> I logged out of the interface and back in, but same story.
>
> Running IPA server 3.0 on RHEL 6.4.
>
> Any thoughts?
>
> -Kenny
>

Hello Kenny,

When SSH Public keys field in Web UI displays: "New: key not set" it 
means that the key was not set in 'Show/Set key' dialog. In other words 
you did not paste anything into the textarea or you pressed 'Cancel' 
button instead of 'Set' button.

If something is pasted and confirmed by 'Set' button it displays: 'New: 
key set'. The last remaining step is to click on 'Update' button on the 
header part of the page to confirm and perform all the changes you made 
on the page.

When keys are set in LDAP you should see a line similar to following for 
each key:
"13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B public key test (ssh-rsa)"
Each fingerprint is followed by 'Show/Set key' and 'Delete' buttons.

I can't comment the CLI part without more information: key and exact 
command you used.

HTH
-- 
Petr Vobornik



From james.hogarth at gmail.com  Wed Jul 17 11:02:37 2013
From: james.hogarth at gmail.com (James Hogarth)
Date: Wed, 17 Jul 2013 12:02:37 +0100
Subject: [Freeipa-users] Question about design of ldap dns
In-Reply-To: <51E573DE.3000008@redhat.com>
References: <CAGkb5vfgmzUfRyeSkdJWzvn32NWhOuR6NY6JtL_-oL++3LeeWg@mail.gmail.com>
	<51E408BD.4000608@redhat.com> <51E573DE.3000008@redhat.com>
Message-ID: <CAGkb5vfHOza8g=nDDPYM4xp5eiPa2noGwC63w6q6AVGnw0fGdg@mail.gmail.com>

> Please contact me on IRC (pspacek in #freeipa @ FreeNode) or via e-mail.
> We need to coordinate, because bind-dyndb-ldap is undergoing heavy
> refactoring right now.
>
> Also, remember that modification in bind-dyndb-ldap will require
> modification on FreeIPA side (CLI/WebUI/API).
>
>
Sure - I'm usually in #freeipa as JHogarth when I'm about ...

Yes indeed .. I've been doing quite a bit of work in dns.js the past week
or so to expose TTL in general anyway...


> We can't do this, because definition of *Record attributes is outside of
> our control. Definitions of these attributes come from
> http://drift.uninett.no/nett/**ip-nett/dnsattributes.schema<http://drift.uninett.no/nett/ip-nett/dnsattributes.schema>
> and it is used by BIND DLZ LDAP driver.
>
>
Ah that's a shame ... it would have been quite a smooth way to handle it
but compatibility is of course critical.


Could you post some real world examples, please? I would love to see some
> real world records with real TTLs and statistics.
> How many names with different TTLs have you?
> How many names and records have you in total?
>
>
As one example TXT record and SSHFP to describe a system (and it's
fingerprint) having a long TTL since they are unlikely to change and an A
record with a shorter TTL for a dynamic DNS scenario with a non-sticky
lease.

There was a specific issue I was bumping into with this in the past (but
not a major one) and became an itch to scratch... especially since BIND
zone files would support such a setup but the bind-dyndb-ldap won't ... the
disparity was something that niggled at me.

In all honesty this is an edge case and since I was planning to dive in
anyway I thought I might as well take a look given I have some free time at
the moment... The default TTL in bind-dyndb-ldap and the exposing/modifying
TTL in the Web UI is not dependent on such behaviour in any way.


This could work, but it has significant overhead. At least indexes in LDAP
> server could grow rapidly.
>
>
That is a legitimate concern for sure...


> The other problem is that you will lost the uniqueness-check on LDAP side.
> DNS doesn't allow one record with same name and data to appear multiple
> times and current attribute-based design prevents this 'for free'.
>
>
But you would still be limited to this since there could only be one
arecord, txtrecord, etc for a given idnsname with that structure.



> The other problem is that records in single RRset can't have multiple TTL
> values. I.e. (under single name) all A records have to have the same TTL,
> all AAAA records has to have same TTL etc.
>
>
Hmm I'll have to check BIND again but I thought that when doing round robin
A records (as an example) differing TTL was possible ... but admittedly
I've not verified this and this would be an inconsistency if so.


> Of course, all of these can be handled in bind-dyndb-ldap, but doing so on
> database side is much more elegant.
>
>
Agreed on this


>
>> dn: idnsName=bar+dNSTTL=3600,**idnsName=example.com
>> idnsName: bar
>> dNSTTL: 3600
>> aRecord: 5.6.7.8
>>
>> This way you don't have to change the format of existing attributes nor
>> add
>> new attributes.
>>
>
> This one is my favourite, but again: It will require refactoring on
> FreeIPA side. Also, I'm not sure if this could work with BIND DLZ LDAP...
>
>
I do like the compound RDN idea but it sounds like it would potentially be
a lot of upheaval...



> To summarize it: Is it worth to spend time on this? I would love to see
> some real numbers.
>
>
Good question! It's an itch I have a couple of weeks to scratch at the
moment so there's no 'cost' on my time right now associated with it
(although I recognise it increases complexity for the maintainers and QA of
course as an after-effect)... but the complexity is fairly high and could
potentially touch a lot of areas...

The more basic bit of work I was doing (just the exposure and modification
of TTL in the UI) would have a far improved cost-benefit ratio and only
touches dns.js and dns.py (the latter I propose exposing TTL by default
rather than needing --all for it in the API ... it makes the dns.js changes
cleaner).

Adding the ability to configure default TTL in bind-dyndb-ldap also doesn't
need any of the per RRtype stuff so avoids complexity there...


> Thank you for your time and passion!
>
>
Well it's about time the linux world had something like this (rather than
the old mish-mash of kerberos, openldap, etc and associated scripts to sort
of glue users together that was the previous situation) so I champion it
wherever I can!

James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130717/f7ff173b/attachment.htm>

From klarmstrong2 at liberty.edu  Wed Jul 17 13:04:07 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Wed, 17 Jul 2013 13:04:07 +0000
Subject: [Freeipa-users] new issue with ssh key in the interface
In-Reply-To: <51E656E7.1060408@redhat.com>
References: <1373995457.5023.2.camel@localhost.localdomain>
	<51E656E7.1060408@redhat.com>
Message-ID: <1374066247.31709.1.camel@localhost.localdomain>

Thanks Petr,

I am 100% positive that I pressed 'Set' and not 'Cancel'.

Here are the exact steps and keys I used:

Generate an ssh public key (for user):

ssh-keygen -t rsa -C karmstrong at liberty.edu<mailto:karmstrong at liberty.edu>

Cat out the key, paste into web interface for user:

cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8EDvuInIneXbzg9WrkLKBkVHB0O6bAPjNMF4dTyOqdwX2HDLtLVcW4VY7/03p6xOc014z3rio4GWXa3Othkf5/hqhpQR1C4CUGgSnnUVC7gw/aI9ZpFbp9UGQdEw7E6ii1qDmoyH80wA0pSMfp/Tg19mdm/3GKNqeNCtkpEyMQXyPBeNk0Xba4RXpGio98LOyOxONrYPi4/eR15vzoinBebDN4URAuUgNUxpRrrZp4cWV6W5Bu1zhKblPcAd6jP8qDv/Uty8Jew3GSRo7uZhxzPQQrw+0wBXrUSffPDEe5FH7gPy74J/EfHGtmhbThrrJQ5tmSuqiZnvbnxc3fv6ew== karmstrong at liberty.edu<mailto:karmstrong at liberty.edu>


Web interface says that the key is set

Click Update on web interface, get IPA Error 4202 "no modifications to be performed"


Skip the web interface, try from command line, appears to succeed:

[karmstrong at linuxclient<mailto:karmstrong at linuxclient> ~]$ ipa user-mod karmstrong --sshpubkey="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8EDvuInIneXbzg9WrkLKBkVHB0O6bAPjNMF4dTyOqdwX2HDLtLVcW4VY7/03p6xOc014z3rio4GWXa3Othkf5/hqhpQR1C4CUGgSnnUVC7gw/aI9ZpFbp9UGQdEw7E6ii1qDmoyH80wA0pSMfp/Tg19mdm/3GKNqeNCtkpEyMQXyPBeNk0Xba4RXpGio98LOyOxONrYPi4/eR15vzoinBebDN4URAuUgNUxpRrrZp4cWV6W5Bu1zhKblPcAd6jP8qDv/Uty8Jew3GSRo7uZhxzPQQrw+0wBXrUSffPDEe5FH7gPy74J/EfHGtmhbThrrJQ5tmSuqiZnvbnxc3fv6ew== karmstrong at liberty.edu<mailto:karmstrong at liberty.edu>"
--------------------------
Modified user "karmstrong"
--------------------------
  User login: karmstrong
  First name: Kenneth
  Last name: Armstrong
  Home directory: /import/is/users/karmstrong
  Login shell: /bin/bash
  UID: 1838200001
  GID: 1838200001
  Account disabled: False
  SSH public key: ssh-rsa
                  AAAAB3NzaC1yc2EAAAABIwAAAQEA8EDvuInIneXbzg9WrkLKBkVHB0O6bAPjNMF4dTyOqdwX2HDLtLVcW4VY7/03p6xOc014z3rio4GWXa3Othkf5/hqhpQR1C4CUGgSnnUVC7gw/aI9ZpFbp9UGQdEw7E6ii1qDmoyH80wA0pSMfp/Tg19mdm/3GKNqeNCtkpEyMQXyPBeNk0Xba4RXpGio98LOyOxONrYPi4/eR15vzoinBebDN4URAuUgNUxpRrrZp4cWV6W5Bu1zhKblPcAd6jP8qDv/Uty8Jew3GSRo7uZhxzPQQrw+0wBXrUSffPDEe5FH7gPy74J/EfHGtmhbThrrJQ5tmSuqiZnvbnxc3fv6ew==
                  karmstrong at liberty.edu
  Password: True
  Member of groups: ipausers, linux_admin, gensys
  Member of Sudo rule: sudo-all
  Kerberos keys available: True
  SSH public key fingerprint: 51:B0:DC:AD:B3:33:5F:DE:39:6C:6E:4F:35:E1:A4:90 karmstrong at liberty.edu (ssh-rsa)



Double check the web interface, says that No Key is Set

Followed same procedure for a host, got the same exact results.

Tried to ssh as the user to the host that has keys set via command line, get the message that the keys could not be validated.

Thanks.

-Kenny

On Wed, 2013-07-17 at 10:33 +0200, Petr Vobornik wrote:


On 07/16/2013 07:24 PM, Armstrong, Kenneth Lawrence wrote:
> Hello all,
>
> i have a new problem with the SSH Key bit in the web interface.  I created a new ssh key for a user, and pasted it into the web interface for the user.  Afterward, it said that the key was not set.  So I attempted again from the commandline, and it looks like it took it.  However, when I go back to the web interface, it doesn't show one set for the user.
>
> I logged out of the interface and back in, but same story.
>
> Running IPA server 3.0 on RHEL 6.4.
>
> Any thoughts?
>
> -Kenny
>

Hello Kenny,

When SSH Public keys field in Web UI displays: "New: key not set" it
means that the key was not set in 'Show/Set key' dialog. In other words
you did not paste anything into the textarea or you pressed 'Cancel'
button instead of 'Set' button.

If something is pasted and confirmed by 'Set' button it displays: 'New:
key set'. The last remaining step is to click on 'Update' button on the
header part of the page to confirm and perform all the changes you made
on the page.

When keys are set in LDAP you should see a line similar to following for
each key:
"13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B public key test (ssh-rsa)"
Each fingerprint is followed by 'Show/Set key' and 'Delete' buttons.

I can't comment the CLI part without more information: key and exact
command you used.

HTH


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130717/fc90e204/attachment.htm>

From pspacek at redhat.com  Wed Jul 17 13:30:46 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 17 Jul 2013 15:30:46 +0200
Subject: [Freeipa-users] Question about design of ldap dns
In-Reply-To: <CAGkb5vfHOza8g=nDDPYM4xp5eiPa2noGwC63w6q6AVGnw0fGdg@mail.gmail.com>
References: <CAGkb5vfgmzUfRyeSkdJWzvn32NWhOuR6NY6JtL_-oL++3LeeWg@mail.gmail.com>
	<51E408BD.4000608@redhat.com> <51E573DE.3000008@redhat.com>
	<CAGkb5vfHOza8g=nDDPYM4xp5eiPa2noGwC63w6q6AVGnw0fGdg@mail.gmail.com>
Message-ID: <51E69C86.3020208@redhat.com>

On 17.7.2013 13:02, James Hogarth wrote:
> Could you post some real world examples, please? I would love to see some
>> real world records with real TTLs and statistics.
>> How many names with different TTLs have you?
>> How many names and records have you in total?
> As one example TXT record and SSHFP to describe a system (and it's
> fingerprint) having a long TTL since they are unlikely to change and an A
> record with a shorter TTL for a dynamic DNS scenario with a non-sticky
> lease.
>
> There was a specific issue I was bumping into with this in the past (but
> not a major one) and became an itch to scratch... especially since BIND
> zone files would support such a setup but the bind-dyndb-ldap won't ... the
> disparity was something that niggled at me.
I understand. Anyway, you can always set TTL in LDAP to the minimum value from 
all values in the original name/zone. Yes, the performance will be worse, but 
hopefully not so significantly.

> In all honesty this is an edge case and since I was planning to dive in
> anyway I thought I might as well take a look given I have some free time at
> the moment... The default TTL in bind-dyndb-ldap and the exposing/modifying
> TTL in the Web UI is not dependent on such behaviour in any way.
>
>> This could work, but it has significant overhead. At least indexes in LDAP
>> server could grow rapidly.
> That is a legitimate concern for sure...
>
>
>> The other problem is that you will lost the uniqueness-check on LDAP side.
>> DNS doesn't allow one record with same name and data to appear multiple
>> times and current attribute-based design prevents this 'for free'.
> But you would still be limited to this since there could only be one
> arecord, txtrecord, etc for a given idnsname with that structure.
Hmm... This reminds me another possibility ...

>> The other problem is that records in single RRset can't have multiple TTL
>> values. I.e. (under single name) all A records have to have the same TTL,
>> all AAAA records has to have same TTL etc.
> Hmm I'll have to check BIND again but I thought that when doing round robin
> A records (as an example) differing TTL was possible ... but admittedly
> I've not verified this and this would be an inconsistency if so.
See http://tools.ietf.org/html/rfc2181#section-5.2

E.g. content of file example.db is:
154 ipa-ca  555 IN  A  192.0.2.1
155 ipa-ca  324 IN  A  192.0.2.55

bind-9.9.3-3.P1.fc19.x86_64 complains about this problem:
example.db:155: TTL set to prior TTL (555)

The another way could be something like this:
dn: rrtype=a, idnsname=bar, idnsName=example.com
aRecord: 192.0.2.1
aRecord: 192.0.2.5
dnsTTL: 555

This structure clearly solves uniqueness && RRset TTL constrains at the same 
time. I can imagine solution like this on the implementation side, but still - 
is it worth? :-)

>> Of course, all of these can be handled in bind-dyndb-ldap, but doing so on
>> database side is much more elegant.
> Agreed on this
>
>>> dn: idnsName=bar+dNSTTL=3600,**idnsName=example.com
>>> idnsName: bar
>>> dNSTTL: 3600
>>> aRecord: 5.6.7.8
>>>
>>> This way you don't have to change the format of existing attributes nor
>>> add
>>> new attributes.
>> This one is my favourite, but again: It will require refactoring on
>> FreeIPA side. Also, I'm not sure if this could work with BIND DLZ LDAP...
> I do like the compound RDN idea but it sounds like it would potentially be
> a lot of upheaval...
I realized that this change heavily affects planed changes. I plan to heavily 
refactor bind-dyndb-ldap internals, but the whole proposal depends on 1:1 
mapping between objects in LDAP and *names* in DNS database. I will think 
about this problem, but this is going to be really complicated.

>> To summarize it: Is it worth to spend time on this? I would love to see
>> some real numbers.
>>
>>
> Good question! It's an itch I have a couple of weeks to scratch at the
> moment so there's no 'cost' on my time right now associated with it
> (although I recognise it increases complexity for the maintainers and QA of
> course as an after-effect)... but the complexity is fairly high and could
> potentially touch a lot of areas...
>
> The more basic bit of work I was doing (just the exposure and modification
> of TTL in the UI) would have a far improved cost-benefit ratio and only
> touches dns.js and dns.py (the latter I propose exposing TTL by default
> rather than needing --all for it in the API ... it makes the dns.js changes
> cleaner).
>
> Adding the ability to configure default TTL in bind-dyndb-ldap also doesn't
> need any of the per RRtype stuff so avoids complexity there...
I agree. https://fedorahosted.org/bind-dyndb-ldap/ticket/70 would be good 
starter :-)

Thank you for your time and passion!

-- 
Petr^2 Spacek



From pvoborni at redhat.com  Wed Jul 17 13:44:13 2013
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 17 Jul 2013 15:44:13 +0200
Subject: [Freeipa-users] new issue with ssh key in the interface
In-Reply-To: <1374066247.31709.1.camel@localhost.localdomain>
References: <1373995457.5023.2.camel@localhost.localdomain>
	<51E656E7.1060408@redhat.com>
	<1374066247.31709.1.camel@localhost.localdomain>
Message-ID: <51E69FAD.8070502@redhat.com>


I've tested your key on a fresh install of 
ipa-server-3.0.0-25.el6.x86_64 and it works for me. On the other hand, 
the description of the problem looks like a Web UI bug.

Is it possible, that you recently upgraded IPA server and Web browser 
still contains some old files in a cache? Please try reloading the UI 
with forced cache override, usual shortcut: Ctrl + F5 or Ctrl + Shift + R

Petr

On 07/17/2013 03:04 PM, Armstrong, Kenneth Lawrence wrote:
> Thanks Petr,
>
> I am 100% positive that I pressed 'Set' and not 'Cancel'.
>
> Here are the exact steps and keys I used:
>
> Generate an ssh public key (for user):
>
> ssh-keygen -t rsa -C karmstrong at liberty.edu<mailto:karmstrong at liberty.edu>
>
> Cat out the key, paste into web interface for user:
>
> cat .ssh/id_rsa.pub
> ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8EDvuInIneXbzg9WrkLKBkVHB0O6bAPjNMF4dTyOqdwX2HDLtLVcW4VY7/03p6xOc014z3rio4GWXa3Othkf5/hqhpQR1C4CUGgSnnUVC7gw/aI9ZpFbp9UGQdEw7E6ii1qDmoyH80wA0pSMfp/Tg19mdm/3GKNqeNCtkpEyMQXyPBeNk0Xba4RXpGio98LOyOxONrYPi4/eR15vzoinBebDN4URAuUgNUxpRrrZp4cWV6W5Bu1zhKblPcAd6jP8qDv/Uty8Jew3GSRo7uZhxzPQQrw+0wBXrUSffPDEe5FH7gPy74J/EfHGtmhbThrrJQ5tmSuqiZnvbnxc3fv6ew== karmstrong at liberty.edu<mailto:karmstrong at liberty.edu>
>
>
> Web interface says that the key is set
>
> Click Update on web interface, get IPA Error 4202 "no modifications to be performed"
>
>
> Skip the web interface, try from command line, appears to succeed:
>
> [karmstrong at linuxclient<mailto:karmstrong at linuxclient> ~]$ ipa user-mod karmstrong --sshpubkey="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8EDvuInIneXbzg9WrkLKBkVHB0O6bAPjNMF4dTyOqdwX2HDLtLVcW4VY7/03p6xOc014z3rio4GWXa3Othkf5/hqhpQR1C4CUGgSnnUVC7gw/aI9ZpFbp9UGQdEw7E6ii1qDmoyH80wA0pSMfp/Tg19mdm/3GKNqeNCtkpEyMQXyPBeNk0Xba4RXpGio98LOyOxONrYPi4/eR15vzoinBebDN4URAuUgNUxpRrrZp4cWV6W5Bu1zhKblPcAd6jP8qDv/Uty8Jew3GSRo7uZhxzPQQrw+0wBXrUSffPDEe5FH7gPy74J/EfHGtmhbThrrJQ5tmSuqiZnvbnxc3fv6ew== karmstrong at liberty.edu<mailto:karmstrong at liberty.edu>"
> --------------------------
> Modified user "karmstrong"
> --------------------------
>    User login: karmstrong
>    First name: Kenneth
>    Last name: Armstrong
>    Home directory: /import/is/users/karmstrong
>    Login shell: /bin/bash
>    UID: 1838200001
>    GID: 1838200001
>    Account disabled: False
>    SSH public key: ssh-rsa
>                    AAAAB3NzaC1yc2EAAAABIwAAAQEA8EDvuInIneXbzg9WrkLKBkVHB0O6bAPjNMF4dTyOqdwX2HDLtLVcW4VY7/03p6xOc014z3rio4GWXa3Othkf5/hqhpQR1C4CUGgSnnUVC7gw/aI9ZpFbp9UGQdEw7E6ii1qDmoyH80wA0pSMfp/Tg19mdm/3GKNqeNCtkpEyMQXyPBeNk0Xba4RXpGio98LOyOxONrYPi4/eR15vzoinBebDN4URAuUgNUxpRrrZp4cWV6W5Bu1zhKblPcAd6jP8qDv/Uty8Jew3GSRo7uZhxzPQQrw+0wBXrUSffPDEe5FH7gPy74J/EfHGtmhbThrrJQ5tmSuqiZnvbnxc3fv6ew==
>                    karmstrong at liberty.edu
>    Password: True
>    Member of groups: ipausers, linux_admin, gensys
>    Member of Sudo rule: sudo-all
>    Kerberos keys available: True
>    SSH public key fingerprint: 51:B0:DC:AD:B3:33:5F:DE:39:6C:6E:4F:35:E1:A4:90 karmstrong at liberty.edu (ssh-rsa)
>
>
>
> Double check the web interface, says that No Key is Set
>
> Followed same procedure for a host, got the same exact results.
>
> Tried to ssh as the user to the host that has keys set via command line, get the message that the keys could not be validated.
>
> Thanks.
>
> -Kenny
>
> On Wed, 2013-07-17 at 10:33 +0200, Petr Vobornik wrote:
>
>
> On 07/16/2013 07:24 PM, Armstrong, Kenneth Lawrence wrote:
>> Hello all,
>>
>> i have a new problem with the SSH Key bit in the web interface.  I created a new ssh key for a user, and pasted it into the web interface for the user.  Afterward, it said that the key was not set.  So I attempted again from the commandline, and it looks like it took it.  However, when I go back to the web interface, it doesn't show one set for the user.
>>
>> I logged out of the interface and back in, but same story.
>>
>> Running IPA server 3.0 on RHEL 6.4.
>>
>> Any thoughts?
>>
>> -Kenny
>>
>
> Hello Kenny,
>
> When SSH Public keys field in Web UI displays: "New: key not set" it
> means that the key was not set in 'Show/Set key' dialog. In other words
> you did not paste anything into the textarea or you pressed 'Cancel'
> button instead of 'Set' button.
>
> If something is pasted and confirmed by 'Set' button it displays: 'New:
> key set'. The last remaining step is to click on 'Update' button on the
> header part of the page to confirm and perform all the changes you made
> on the page.
>
> When keys are set in LDAP you should see a line similar to following for
> each key:
> "13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B public key test (ssh-rsa)"
> Each fingerprint is followed by 'Show/Set key' and 'Delete' buttons.
>
> I can't comment the CLI part without more information: key and exact
> command you used.
>
> HTH
>
>


-- 
Petr Vobornik



From klarmstrong2 at liberty.edu  Wed Jul 17 13:49:02 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Wed, 17 Jul 2013 13:49:02 +0000
Subject: [Freeipa-users] new issue with ssh key in the interface
In-Reply-To: <51E69FAD.8070502@redhat.com>
References: <1373995457.5023.2.camel@localhost.localdomain>
	<51E656E7.1060408@redhat.com>
	<1374066247.31709.1.camel@localhost.localdomain>
	<51E69FAD.8070502@redhat.com>
Message-ID: <1374068942.31709.3.camel@localhost.localdomain>

I can't help but wonder if it is something with the browser cache, as after I posted my notes from yesterday to the mailing list, I logged into the web UI and see that my keys are now there.  And yes, I did recently upgrade this server, so the cache must have been trying to work with old data.

Thanks!

-Kenny

On Wed, 2013-07-17 at 15:44 +0200, Petr Vobornik wrote:


I've tested your key on a fresh install of
ipa-server-3.0.0-25.el6.x86_64 and it works for me. On the other hand,
the description of the problem looks like a Web UI bug.

Is it possible, that you recently upgraded IPA server and Web browser
still contains some old files in a cache? Please try reloading the UI
with forced cache override, usual shortcut: Ctrl + F5 or Ctrl + Shift + R

Petr

On 07/17/2013 03:04 PM, Armstrong, Kenneth Lawrence wrote:
> Thanks Petr,
>
> I am 100% positive that I pressed 'Set' and not 'Cancel'.
>
> Here are the exact steps and keys I used:
>
> Generate an ssh public key (for user):
>
> ssh-keygen -t rsa -C karmstrong at liberty.edu<mailto:karmstrong at liberty.edu><mailto:karmstrong at liberty.edu>
>
> Cat out the key, paste into web interface for user:
>
> cat .ssh/id_rsa.pub
> ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8EDvuInIneXbzg9WrkLKBkVHB0O6bAPjNMF4dTyOqdwX2HDLtLVcW4VY7/03p6xOc014z3rio4GWXa3Othkf5/hqhpQR1C4CUGgSnnUVC7gw/aI9ZpFbp9UGQdEw7E6ii1qDmoyH80wA0pSMfp/Tg19mdm/3GKNqeNCtkpEyMQXyPBeNk0Xba4RXpGio98LOyOxONrYPi4/eR15vzoinBebDN4URAuUgNUxpRrrZp4cWV6W5Bu1zhKblPcAd6jP8qDv/Uty8Jew3GSRo7uZhxzPQQrw+0wBXrUSffPDEe5FH7gPy74J/EfHGtmhbThrrJQ5tmSuqiZnvbnxc3fv6ew== karmstrong at liberty.edu<mailto:karmstrong at liberty.edu><mailto:karmstrong at liberty.edu>
>
>
> Web interface says that the key is set
>
> Click Update on web interface, get IPA Error 4202 "no modifications to be performed"
>
>
> Skip the web interface, try from command line, appears to succeed:
>
> [karmstrong at linuxclient<mailto:karmstrong at linuxclient> ~]$ ipa user-mod karmstrong --sshpubkey="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8EDvuInIneXbzg9WrkLKBkVHB0O6bAPjNMF4dTyOqdwX2HDLtLVcW4VY7/03p6xOc014z3rio4GWXa3Othkf5/hqhpQR1C4CUGgSnnUVC7gw/aI9ZpFbp9UGQdEw7E6ii1qDmoyH80wA0pSMfp/Tg19mdm/3GKNqeNCtkpEyMQXyPBeNk0Xba4RXpGio98LOyOxONrYPi4/eR15vzoinBebDN4URAuUgNUxpRrrZp4cWV6W5Bu1zhKblPcAd6jP8qDv/Uty8Jew3GSRo7uZhxzPQQrw+0wBXrUSffPDEe5FH7gPy74J/EfHGtmhbThrrJQ5tmSuqiZnvbnxc3fv6ew== karmstrong at liberty.edu<mailto:karmstrong at liberty.edu><mailto:karmstrong at liberty.edu>"
> --------------------------
> Modified user "karmstrong"
> --------------------------
>    User login: karmstrong
>    First name: Kenneth
>    Last name: Armstrong
>    Home directory: /import/is/users/karmstrong
>    Login shell: /bin/bash
>    UID: 1838200001
>    GID: 1838200001
>    Account disabled: False
>    SSH public key: ssh-rsa
>                    AAAAB3NzaC1yc2EAAAABIwAAAQEA8EDvuInIneXbzg9WrkLKBkVHB0O6bAPjNMF4dTyOqdwX2HDLtLVcW4VY7/03p6xOc014z3rio4GWXa3Othkf5/hqhpQR1C4CUGgSnnUVC7gw/aI9ZpFbp9UGQdEw7E6ii1qDmoyH80wA0pSMfp/Tg19mdm/3GKNqeNCtkpEyMQXyPBeNk0Xba4RXpGio98LOyOxONrYPi4/eR15vzoinBebDN4URAuUgNUxpRrrZp4cWV6W5Bu1zhKblPcAd6jP8qDv/Uty8Jew3GSRo7uZhxzPQQrw+0wBXrUSffPDEe5FH7gPy74J/EfHGtmhbThrrJQ5tmSuqiZnvbnxc3fv6ew==
>                    karmstrong at liberty.edu<mailto:karmstrong at liberty.edu>
>    Password: True
>    Member of groups: ipausers, linux_admin, gensys
>    Member of Sudo rule: sudo-all
>    Kerberos keys available: True
>    SSH public key fingerprint: 51:B0:DC:AD:B3:33:5F:DE:39:6C:6E:4F:35:E1:A4:90 karmstrong at liberty.edu<mailto:karmstrong at liberty.edu> (ssh-rsa)
>
>
>
> Double check the web interface, says that No Key is Set
>
> Followed same procedure for a host, got the same exact results.
>
> Tried to ssh as the user to the host that has keys set via command line, get the message that the keys could not be validated.
>
> Thanks.
>
> -Kenny
>
> On Wed, 2013-07-17 at 10:33 +0200, Petr Vobornik wrote:
>
>
> On 07/16/2013 07:24 PM, Armstrong, Kenneth Lawrence wrote:
>> Hello all,
>>
>> i have a new problem with the SSH Key bit in the web interface.  I created a new ssh key for a user, and pasted it into the web interface for the user.  Afterward, it said that the key was not set.  So I attempted again from the commandline, and it looks like it took it.  However, when I go back to the web interface, it doesn't show one set for the user.
>>
>> I logged out of the interface and back in, but same story.
>>
>> Running IPA server 3.0 on RHEL 6.4.
>>
>> Any thoughts?
>>
>> -Kenny
>>
>
> Hello Kenny,
>
> When SSH Public keys field in Web UI displays: "New: key not set" it
> means that the key was not set in 'Show/Set key' dialog. In other words
> you did not paste anything into the textarea or you pressed 'Cancel'
> button instead of 'Set' button.
>
> If something is pasted and confirmed by 'Set' button it displays: 'New:
> key set'. The last remaining step is to click on 'Update' button on the
> header part of the page to confirm and perform all the changes you made
> on the page.
>
> When keys are set in LDAP you should see a line similar to following for
> each key:
> "13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B public key test (ssh-rsa)"
> Each fingerprint is followed by 'Show/Set key' and 'Delete' buttons.
>
> I can't comment the CLI part without more information: key and exact
> command you used.
>
> HTH
>
>




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130717/9679cd2d/attachment.htm>

From klarmstrong2 at liberty.edu  Wed Jul 17 14:22:24 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Wed, 17 Jul 2013 14:22:24 +0000
Subject: [Freeipa-users] one last SSH question
Message-ID: <1374070945.31709.9.camel@localhost.localdomain>

Ok, hopefully my last SSH key question.

I've been following the instructions here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/host-keys.html#installing-host-keys

and here:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/openssh-sssd.html

I have my host's public key set, it shows up in the web UI, and I have these lines added to the end of the /etc/ssh/ssh_config file on the client machine (that is also a member of the IdM domain):

ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p -d LINUXTEST.LIBERTY.EDU %h
UserKnownHostsFile2 .ssh/sss_known_hosts

I have reloaded the SSH service on the client.  I go to connect from my client to my linuxtest server (which happens to be my IdM server), and I get this:

[karmstrong at linuxclient<mailto:karmstrong at linuxclient> ~]$ ssh karmstrong at linuxtest.liberty.edu<mailto:karmstrong at linuxtest.liberty.edu>
The authenticity of host 'linuxtest.liberty.edu (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is ad:22:28:8d:91:81:3c:07:47:9d:5a:0d:09:33:18:e1.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.

The public key fingerprint matches what is set on the host's page in the IdM interface.

I do not have a known_hosts in the karmstrong .ssh directory.

I have also tried adding the FQDN, and FQDN,ip address into the SSH key on the IdM server through the Web UI, but I still get the bit about not finding an IP for the proxy command to use when it tries to authenticate the host.

I have also verified that there is a PTR record in DNS for the host itself, so I believe that it is not a name resolution error.

Am I missing something?

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130717/c14ef35d/attachment.htm>

From jcholast at redhat.com  Wed Jul 17 14:46:23 2013
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 17 Jul 2013 16:46:23 +0200
Subject: [Freeipa-users] one last SSH question
In-Reply-To: <1374070945.31709.9.camel@localhost.localdomain>
References: <1374070945.31709.9.camel@localhost.localdomain>
Message-ID: <51E6AE3F.9000201@redhat.com>

On 17.7.2013 16:22, Armstrong, Kenneth Lawrence wrote:
> Ok, hopefully my last SSH key question.
>
> I've been following the instructions here:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/host-keys.html#installing-host-keys
>
> and here:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/openssh-sssd.html
>
> I have my host's public key set, it shows up in the web UI, and I have
> these lines added to the end of the /etc/ssh/ssh_config file on the
> client machine (that is also a member of the IdM domain):
>
> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p -d
> LINUXTEST.LIBERTY.EDU %h
> UserKnownHostsFile2 .ssh/sss_known_hosts
>
> I have reloaded the SSH service on the client.  I go to connect from my
> client to my linuxtest server (which happens to be my IdM server), and I
> get this:
>
> [karmstrong at linuxclient <mailto:karmstrong at linuxclient> ~]$ ssh
> karmstrong at linuxtest.liberty.edu <mailto:karmstrong at linuxtest.liberty.edu>
> The authenticity of host 'linuxtest.liberty.edu (<no hostip for proxy
> command>)' can't be established.
> RSA key fingerprint is ad:22:28:8d:91:81:3c:07:47:9d:5a:0d:09:33:18:e1.
> Are you sure you want to continue connecting (yes/no)? no
> Host key verification failed.
>
> The public key fingerprint matches what is set on the host's page in the
> IdM interface.
>
> I do not have a known_hosts in the karmstrong .ssh directory.
>
> I have also tried adding the FQDN, and FQDN,ip address into the SSH key
> on the IdM server through the Web UI, but I still get the bit about not
> finding an IP for the proxy command to use when it tries to authenticate
> the host.
>
> I have also verified that there is a PTR record in DNS for the host
> itself, so I believe that it is not a name resolution error.
>
> Am I missing something?

No. The documentation is wrong for some reason. This is what you should 
have in ssh_config:

ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts

Honza

-- 
Jan Cholasta



From klarmstrong2 at liberty.edu  Wed Jul 17 14:53:13 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Wed, 17 Jul 2013 14:53:13 +0000
Subject: [Freeipa-users] one last SSH question
In-Reply-To: <51E6AE3F.9000201@redhat.com>
References: <1374070945.31709.9.camel@localhost.localdomain>
	<51E6AE3F.9000201@redhat.com>
Message-ID: <1374072793.31709.10.camel@localhost.localdomain>

Thanks!  I changed that last line in my ssh_config, reloaded sshd, and was able to log in!

-Kenny

On Wed, 2013-07-17 at 16:46 +0200, Jan Cholasta wrote:


On 17.7.2013 16:22, Armstrong, Kenneth Lawrence wrote:
> Ok, hopefully my last SSH key question.
>
> I've been following the instructions here:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/host-keys.html#installing-host-keys
>
> and here:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/openssh-sssd.html
>
> I have my host's public key set, it shows up in the web UI, and I have
> these lines added to the end of the /etc/ssh/ssh_config file on the
> client machine (that is also a member of the IdM domain):
>
> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p -d
> LINUXTEST.LIBERTY.EDU %h
> UserKnownHostsFile2 .ssh/sss_known_hosts
>
> I have reloaded the SSH service on the client.  I go to connect from my
> client to my linuxtest server (which happens to be my IdM server), and I
> get this:
>
> [karmstrong at linuxclient <mailto:karmstrong at linuxclient> ~]$ ssh
> karmstrong at linuxtest.liberty.edu<mailto:karmstrong at linuxtest.liberty.edu> <mailto:karmstrong at linuxtest.liberty.edu>
> The authenticity of host 'linuxtest.liberty.edu (<no hostip for proxy
> command>)' can't be established.
> RSA key fingerprint is ad:22:28:8d:91:81:3c:07:47:9d:5a:0d:09:33:18:e1.
> Are you sure you want to continue connecting (yes/no)? no
> Host key verification failed.
>
> The public key fingerprint matches what is set on the host's page in the
> IdM interface.
>
> I do not have a known_hosts in the karmstrong .ssh directory.
>
> I have also tried adding the FQDN, and FQDN,ip address into the SSH key
> on the IdM server through the Web UI, but I still get the bit about not
> finding an IP for the proxy command to use when it tries to authenticate
> the host.
>
> I have also verified that there is a PTR record in DNS for the host
> itself, so I believe that it is not a name resolution error.
>
> Am I missing something?

No. The documentation is wrong for some reason. This is what you should
have in ssh_config:

ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts

Honza



--

Kenny Armstrong
System Administrator
IS Operations

[http://www.liberty.edu/media/1616/40themail/wordmark-for-email.jpg]<http://www.liberty.edu/media/1616/40themail/wordmark-for-email.jpg>

Training Champions for Christ since 1971
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130717/794b0df7/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wordmark-for-email.jpg
Type: image/jpeg
Size: 4988 bytes
Desc: wordmark-for-email.jpg
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130717/794b0df7/attachment.jpg>

From paulojjs at gmail.com  Wed Jul 17 15:00:28 2013
From: paulojjs at gmail.com (Paulo Silva)
Date: Wed, 17 Jul 2013 16:00:28 +0100
Subject: [Freeipa-users] Problems creating trust between FreeIPA and AD
Message-ID: <CAHJdQrk5Qqx18q-NAi4ToZaRJN8vWNs+hNkSjqUASr-cDVBq7A@mail.gmail.com>

Hi,

I'm using FreeIPA 3.0.0 (from CentOS 6) to establish a trust with an
Windows 2008 AD using the procedure described in
http://www.freeipa.org/page/IPAv3_AD_trust

>From the Linux server everything seems to be working, I can login using
both AD and IPA users but on the AD I can't use IPA users. Any idea why
this is happening?

Thanks
-- 
Paulo Silva <paulojjs at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130717/436ee4c3/attachment.htm>

From MTovey at go2uti.com  Wed Jul 17 15:01:58 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Wed, 17 Jul 2013 15:01:58 +0000
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <20130717083213.GK22079@hendrix.brq.redhat.com>
References: <CAGkb5vePZkdMdiT-+HD9=jVFWzNzE5qWW9KP9OD-MWWQVjC5oQ@mail.gmail.com>
	<159018F515D5B14CA76C88F9C425325A6524F3@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
	<51E4F750.9010103@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>
	<51E5A436.5080403@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65DEBF@sinmpt10.corp.go2uti.com>
	<20130717083213.GK22079@hendrix.brq.redhat.com>
Message-ID: <159018F515D5B14CA76C88F9C425325A66247F@sinmpt10.corp.go2uti.com>


    We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.  Those came out of the 'latest' repository.  We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389


-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek at redhat.com] 
Sent: Wednesday, July 17, 2013 1:32 AM
To: Tovey, Mark
Cc: dpal at redhat.com; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
> 
> 
>     We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:

Hi Mark,

you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version..

What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?

Does getent netgroup <netgroup-name> work?

> 
> [sssd]
> config_file_version = 2
> services = nss, pam
> 
> domains = my_domain.com
> [nss]
> 
> [pam]
> 
>  [domain/my_domain.com]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = my_domain.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_server = _srv_, ipa_server.my_domain.com ldap_tls_cacert = 
> /etc/ipa/ca.crt debug_level = 6
> 
> 
>     And the nsswitch.conf file:
> 
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> 
> hosts:      files dns
> 
> bootparams: nisplus [NOTFOUND=return] files
> 
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> 
> netgroup:   files sss
> 
> publickey:  nisplus
> 
> automount:  files ldap
> aliases:    files
> 
> sudoers:    files ldap
> 
>     Thanks,
>     -Mark
> 
> 
> 
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
> 
> 
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
> Sent: Tuesday, July 16, 2013 12:51 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> 
> On 07/16/2013 02:11 PM, Tovey, Mark wrote:
> >     My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we were able to find RPM packages for them.  We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet.  Again, we are just evaluating at this point.  So far, so good, except for this one point.
> >     The doman name, host name, and nsswitch.conf files are all properly configured.  But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).  After you asked about that, I started looking into the documentation on netgroups.  The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats."  But when I look in the Netgroups area, I do not see any netgroups defined.  I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to reflect what was stated in the documentation. 
> >     But I am still stumped.  I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
> >     Thanks,
> >     -Mark
> 
> So can it seems that the first thing you need to to do is to make sure your netgroups work.
> If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups.
> Are you using SSSD for netgroups or something else?
> Can you please share your sssd.conf and area where it configures netgroups?
> Also is sss in the nsswitch.conf for netgroups map?
> 
> >
> >
> > ________________________________________________________________
> > Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
> > Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
> > MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
> >
> > -----Original Message-----
> > From: Martin Kosek [mailto:mkosek at redhat.com]
> > Sent: Tuesday, July 16, 2013 12:34 AM
> > To: Tovey, Mark
> > Cc: Steven Jones; James Hogarth; Freeipa-users at redhat.com; Pavel 
> > Brezina
> > Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> >
> > Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that.
> >
> > ~~~~
> > Can you confirm that the output of the following commands:
> > 1. $ domainname
> > * does it match your domain?
> > 2. $ hostname
> > * does match match your fqdn?
> > 3. $ getent netgroup esolutions-sandbox-hosts
> > * does this list your host?
> > 4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?
> >
> >
> > Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):
> >
> > At the top, add the line: sudoers_debug 2
> >
> > Then try another sudo command. sudo -l for example.
> > ~~~~
> >
> > For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).
> >
> > Martin
> >
> >
> > On 07/16/2013 06:09 AM, Tovey, Mark wrote:
> >>  
> >>
> >>     Okay, I stopped sssd on the client and deleted the cache files, 
> >> removed the sudo rule, started sssd and verified that the rule was 
> >> gone, stopped sssd and deleted the files again, added the rule back 
> >> in, restarted sssd, and still it does not work.  One note, when I 
> >> enter the hosts into the sudo rule in place of the host group, the 
> >> effect is immediate; I do not need to restart sssd.  And the 
> >> opposite is true too: if I put the host group back, the rule 
> >> immediately stops working.  I don't think the issue is cache 
> >> related; it seems to be something else.  The serv_account that we are accessing with the sudo rule is external.  I wouldn't expect that to matter, but perhaps it does?
> >>
> >>  
> >>
> >>     I like your idea for the labels; they make sense.  Right now we 
> >> are just evaluating this to see if we want to go this route.  So 
> >> far we like it, but this could be a problem because we have a 
> >> several hundred hosts that we need to manage.  Having to enter each one individually will be problematic.
> >>
> >>     Thanks,
> >>
> >>     -Mark
> >>
> >>  
> >>
> >> * *
> >>
> >> *________________________________________________________________*
> >>
> >> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> >>
> >> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
> >> Portland
> >> | Oregon
> >> | 97204 | USA
> >>
> >> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> >> mark.tovey2
> >>
> >>  
> >>
> >> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
> >> *Sent:* Monday, July 15, 2013 4:44 PM
> >> *To:* Tovey, Mark; James Hogarth
> >> *Cc:* Freeipa-users at redhat.com
> >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> >>
> >>  
> >>
> >> option b) delete the rule totally and redo it from scratch.
> >>
> >> I label rules like this,
> >>
> >> hb-xxxx   for a hbac rule
> >>
> >> su-xxxx for a sudo rule
> >>
> >> sc-xxxx for a sudo command group
> >>
> >> ug-xxxx for a user group
> >>
> >> hg-xxxx for a host groups
> >>
> >> etc
> >>
> >> etc
> >>
> >> It makes the logic easier when you go into command line which I 
> >> find easier to trace with than the gui at time.
> >>
> >>  
> >>
> >> regards
> >>
> >> Steven Jones
> >>
> >> Technical Specialist - Linux RHCE
> >>
> >> Victoria University, Wellington, NZ
> >>
> >> 0064 4 463 6272
> >>
> >> -------------------------------------------------------------------
> >> --
> >> -
> >> ---------
> >>
> >> *From:*Tovey, Mark [MTovey at go2uti.com]
> >> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
> >> *To:* Steven Jones; James Hogarth
> >> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> >>
> >>  
> >>
> >>     That didn't work either.  I set up the host group in my sudo 
> >> rule, stopped sssd, renamed /var/lib/sss/db and created a new db 
> >> directory, then restarted sssd.  New files were created in the db 
> >> directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
> >>
> >>     Thanks,
> >>
> >>     -Mark
> >>
> >>  
> >>
> >> * *
> >>
> >> *________________________________________________________________*
> >>
> >> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> >>
> >> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
> >> Portland
> >> | Oregon
> >> | 97204 | USA
> >>
> >> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> >> mark.tovey2
> >>
> >>  
> >>
> >> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
> >> *Sent:* Monday, July 15, 2013 4:15 PM
> >> *To:* Tovey, Mark; James Hogarth
> >> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> >>
> >>  
> >>
> >> Hi,
> >>
> >> This is a known issue Ive suffered a long time with.  What would be 
> >> interesting is adding another host to the host group could well 
> >> work fine, that will really make you bang your head against the wall..
> >>
> >> 2 possibilities, stop the sssd daemon on the problem host, delete 
> >> its cache and start it, that might fix it.
> >>
> >> Otherwise best to,
> >>
> >> All RH support could come up with is delete the HBAC rule, sudo 
> >> rule, user group and host group and re-do it, then it will probably work fine.
> >>
> >>  
> >>
> >> regards
> >>
> >> Steven Jones
> >>
> >> Technical Specialist - Linux RHCE
> >>
> >> Victoria University, Wellington, NZ
> >>
> >> 0064 4 463 6272
> >>
> >> -------------------------------------------------------------------
> >> --
> >> -
> >> ---------
> >>
> >> *From:*freeipa-users-bounces at redhat.com
> >> <mailto:freeipa-users-bounces at redhat.com>
> >> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark 
> >> [MTovey at go2uti.com]
> >> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
> >> *To:* James Hogarth
> >> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> >> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> >>
> >>  
> >>
> >>  
> >>
> >>     I checked that and it is set correctly:
> >>
> >>  
> >>
> >> [user1 at host1 ~]$ nisdomainname
> >>
> >> my_domain.com
> >>
> >>  
> >>
> >>     If I try to run a command with the hosts specified indirectly 
> >> through a host group, it fails:
> >>
> >>  
> >>
> >> [user1 at host1 ~]$ sudo -i -u serv_account
> >>
> >> LDAP Config Summary
> >>
> >> ===================
> >>
> >> uri              ldap://ipa_server.my_domain.com
> >>
> >> ldap_version     3
> >>
> >> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
> >>
> >> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
> >>
> >> bindpw           **********
> >>
> >> bind_timelimit   5000
> >>
> >> timelimit        15
> >>
> >> ssl              start_tls
> >>
> >> tls_checkpeer    (yes)
> >>
> >> tls_cacertfile   /etc/ipa/ca.crt
> >>
> >> ===================
> >>
> >> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
> >>
> >> sudo: ldap_set_option: debug -> 0
> >>
> >> sudo: ldap_set_option: ldap_version -> 3
> >>
> >> sudo: ldap_set_option: tls_checkpeer -> 1
> >>
> >> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> >>
> >> sudo: ldap_set_option: timelimit -> 15
> >>
> >> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> >>
> >>  
> >>
> >> sudo: ldap_start_tls_s() ok
> >>
> >> sudo: ldap_sasl_bind_s() ok
> >>
> >> sudo: no default options found!
> >>
> >> sudo: ldap search
> >> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> >>
> >> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> >>
> >> sudo: ldap sudoHost '+hgroup1' ... not
> >>
> >> sudo: ldap search 'sudoUser=+*'
> >>
> >> sudo: user_matches=1
> >>
> >> sudo: host_matches=0
> >>
> >> sudo: sudo_ldap_lookup(0)=0x40
> >>
> >> [sudo] password for user1:
> >>
> >> Sorry, try again.
> >>
> >> [sudo] password for user1:
> >>
> >> sudo: 1 incorrect password attempt
> >>
> >>  
> >>
> >>  
> >>
> >>     But if I remove the host group from the sudo rule and directly 
> >> add the hosts that were in the host group, it works fine:
> >>
> >>  
> >>
> >> <snip>
> >>
> >>  
> >>
> >> sudo: ldap_start_tls_s() ok
> >>
> >> sudo: ldap_sasl_bind_s() ok
> >>
> >> sudo: no default options found!
> >>
> >> sudo: ldap search
> >> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> >>
> >> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> >>
> >> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
> >>
> >> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
> >>
> >> sudo: ldap sudoCommand 'ALL' ... MATCH!
> >>
> >> sudo: Command allowed
> >>
> >> sudo: user_matches=1
> >>
> >> sudo: host_matches=1
> >>
> >> sudo: sudo_ldap_lookup(0)=0x02
> >>
> >> [sudo] password for user1:
> >>
> >> [serv_account at host1 ~]$
> >>
> >>  
> >>
> >>  
> >>
> >>     So something isn't lining up correctly with host groups in sudo 
> >> rules somewhere.  I just haven't been able to track it down.
> >>
> >>     Thanks,
> >>
> >>     -Mark
> >>
> >>  
> >>
> >>  
> >>
> >> * *
> >>
> >> *________________________________________________________________*
> >>
> >> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> >>
> >> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
> >> Portland
> >> | Oregon
> >> | 97204 | USA
> >>
> >> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> >> mark.tovey2
> >>
> >>  
> >>
> >> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
> >> *Sent:* Monday, July 15, 2013 1:11 PM
> >> *To:* Tovey, Mark
> >> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> >>
> >>  
> >>
> >>
> >>>  
> >>>
> >>>     Did anyone find a solution for this?  I am having the same experience.
> >>>
> >>>  
> >>>
> >> Wow that was a mess...
> >>
> >> To use hostgroups for sudo ensure nisdomainname is set on the hosts 
> >> to the IPA domain.
> >>
> >>
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
> --
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
> 
> 
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



From jhrozek at redhat.com  Wed Jul 17 15:57:33 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 17 Jul 2013 17:57:33 +0200
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <159018F515D5B14CA76C88F9C425325A66247F@sinmpt10.corp.go2uti.com>
References: <833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
	<51E4F750.9010103@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>
	<51E5A436.5080403@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65DEBF@sinmpt10.corp.go2uti.com>
	<20130717083213.GK22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A66247F@sinmpt10.corp.go2uti.com>
Message-ID: <20130717155733.GD22079@hendrix.brq.redhat.com>

On Wed, Jul 17, 2013 at 03:01:58PM +0000, Tovey, Mark wrote:
> 
>     We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed. 

OK, these are recent enough to support netgroups and the compat tree
should be configured automatically.

>Those came out of the 'latest' repository.  We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything.

Every hostgroup is automatically translated into a netgroup on the
server side. You said you have some host groups present, so does "getent
netgroup <name-of-hostgroup> return any netgroup data?

>     Thanks,
>     -Mark
> 

> 
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389
> 
> 
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhrozek at redhat.com] 
> Sent: Wednesday, July 17, 2013 1:32 AM
> To: Tovey, Mark
> Cc: dpal at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> 
> On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
> > 
> > 
> >     We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:
> 
> Hi Mark,
> 
> you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version..
> 
> What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?
> 
> Does getent netgroup <netgroup-name> work?
> 
> > 
> > [sssd]
> > config_file_version = 2
> > services = nss, pam
> > 
> > domains = my_domain.com
> > [nss]
> > 
> > [pam]
> > 
> >  [domain/my_domain.com]
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = my_domain.com
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > chpass_provider = ipa
> > ipa_server = _srv_, ipa_server.my_domain.com ldap_tls_cacert = 
> > /etc/ipa/ca.crt debug_level = 6
> > 
> > 
> >     And the nsswitch.conf file:
> > 
> > passwd:     files sss
> > shadow:     files sss
> > group:      files sss
> > 
> > hosts:      files dns
> > 
> > bootparams: nisplus [NOTFOUND=return] files
> > 
> > ethers:     files
> > netmasks:   files
> > networks:   files
> > protocols:  files
> > rpc:        files
> > services:   files
> > 
> > netgroup:   files sss
> > 
> > publickey:  nisplus
> > 
> > automount:  files ldap
> > aliases:    files
> > 
> > sudoers:    files ldap
> > 
> >     Thanks,
> >     -Mark
> > 
> > 
> > 
> > ________________________________________________________________
> > Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
> > Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
> > MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
> > 
> > 
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com 
> > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
> > Sent: Tuesday, July 16, 2013 12:51 PM
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> > 
> > On 07/16/2013 02:11 PM, Tovey, Mark wrote:
> > >     My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we were able to find RPM packages for them.  We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet.  Again, we are just evaluating at this point.  So far, so good, except for this one point.
> > >     The doman name, host name, and nsswitch.conf files are all properly configured.  But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).  After you asked about that, I started looking into the documentation on netgroups.  The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats."  But when I look in the Netgroups area, I do not see any netgroups defined.  I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to reflect what was stated in the documentation. 
> > >     But I am still stumped.  I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
> > >     Thanks,
> > >     -Mark
> > 
> > So can it seems that the first thing you need to to do is to make sure your netgroups work.
> > If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups.
> > Are you using SSSD for netgroups or something else?
> > Can you please share your sssd.conf and area where it configures netgroups?
> > Also is sss in the nsswitch.conf for netgroups map?
> > 
> > >
> > >
> > > ________________________________________________________________
> > > Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
> > > Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
> > > MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
> > >
> > > -----Original Message-----
> > > From: Martin Kosek [mailto:mkosek at redhat.com]
> > > Sent: Tuesday, July 16, 2013 12:34 AM
> > > To: Tovey, Mark
> > > Cc: Steven Jones; James Hogarth; Freeipa-users at redhat.com; Pavel 
> > > Brezina
> > > Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> > >
> > > Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that.
> > >
> > > ~~~~
> > > Can you confirm that the output of the following commands:
> > > 1. $ domainname
> > > * does it match your domain?
> > > 2. $ hostname
> > > * does match match your fqdn?
> > > 3. $ getent netgroup esolutions-sandbox-hosts
> > > * does this list your host?
> > > 4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?
> > >
> > >
> > > Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):
> > >
> > > At the top, add the line: sudoers_debug 2
> > >
> > > Then try another sudo command. sudo -l for example.
> > > ~~~~
> > >
> > > For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).
> > >
> > > Martin
> > >
> > >
> > > On 07/16/2013 06:09 AM, Tovey, Mark wrote:
> > >>  
> > >>
> > >>     Okay, I stopped sssd on the client and deleted the cache files, 
> > >> removed the sudo rule, started sssd and verified that the rule was 
> > >> gone, stopped sssd and deleted the files again, added the rule back 
> > >> in, restarted sssd, and still it does not work.  One note, when I 
> > >> enter the hosts into the sudo rule in place of the host group, the 
> > >> effect is immediate; I do not need to restart sssd.  And the 
> > >> opposite is true too: if I put the host group back, the rule 
> > >> immediately stops working.  I don't think the issue is cache 
> > >> related; it seems to be something else.  The serv_account that we are accessing with the sudo rule is external.  I wouldn't expect that to matter, but perhaps it does?
> > >>
> > >>  
> > >>
> > >>     I like your idea for the labels; they make sense.  Right now we 
> > >> are just evaluating this to see if we want to go this route.  So 
> > >> far we like it, but this could be a problem because we have a 
> > >> several hundred hosts that we need to manage.  Having to enter each one individually will be problematic.
> > >>
> > >>     Thanks,
> > >>
> > >>     -Mark
> > >>
> > >>  
> > >>
> > >> * *
> > >>
> > >> *________________________________________________________________*
> > >>
> > >> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> > >>
> > >> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
> > >> Portland
> > >> | Oregon
> > >> | 97204 | USA
> > >>
> > >> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> > >> mark.tovey2
> > >>
> > >>  
> > >>
> > >> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
> > >> *Sent:* Monday, July 15, 2013 4:44 PM
> > >> *To:* Tovey, Mark; James Hogarth
> > >> *Cc:* Freeipa-users at redhat.com
> > >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>  
> > >>
> > >> option b) delete the rule totally and redo it from scratch.
> > >>
> > >> I label rules like this,
> > >>
> > >> hb-xxxx   for a hbac rule
> > >>
> > >> su-xxxx for a sudo rule
> > >>
> > >> sc-xxxx for a sudo command group
> > >>
> > >> ug-xxxx for a user group
> > >>
> > >> hg-xxxx for a host groups
> > >>
> > >> etc
> > >>
> > >> etc
> > >>
> > >> It makes the logic easier when you go into command line which I 
> > >> find easier to trace with than the gui at time.
> > >>
> > >>  
> > >>
> > >> regards
> > >>
> > >> Steven Jones
> > >>
> > >> Technical Specialist - Linux RHCE
> > >>
> > >> Victoria University, Wellington, NZ
> > >>
> > >> 0064 4 463 6272
> > >>
> > >> -------------------------------------------------------------------
> > >> --
> > >> -
> > >> ---------
> > >>
> > >> *From:*Tovey, Mark [MTovey at go2uti.com]
> > >> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
> > >> *To:* Steven Jones; James Hogarth
> > >> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> > >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>  
> > >>
> > >>     That didn't work either.  I set up the host group in my sudo 
> > >> rule, stopped sssd, renamed /var/lib/sss/db and created a new db 
> > >> directory, then restarted sssd.  New files were created in the db 
> > >> directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
> > >>
> > >>     Thanks,
> > >>
> > >>     -Mark
> > >>
> > >>  
> > >>
> > >> * *
> > >>
> > >> *________________________________________________________________*
> > >>
> > >> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> > >>
> > >> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
> > >> Portland
> > >> | Oregon
> > >> | 97204 | USA
> > >>
> > >> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> > >> mark.tovey2
> > >>
> > >>  
> > >>
> > >> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
> > >> *Sent:* Monday, July 15, 2013 4:15 PM
> > >> *To:* Tovey, Mark; James Hogarth
> > >> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> > >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>  
> > >>
> > >> Hi,
> > >>
> > >> This is a known issue Ive suffered a long time with.  What would be 
> > >> interesting is adding another host to the host group could well 
> > >> work fine, that will really make you bang your head against the wall..
> > >>
> > >> 2 possibilities, stop the sssd daemon on the problem host, delete 
> > >> its cache and start it, that might fix it.
> > >>
> > >> Otherwise best to,
> > >>
> > >> All RH support could come up with is delete the HBAC rule, sudo 
> > >> rule, user group and host group and re-do it, then it will probably work fine.
> > >>
> > >>  
> > >>
> > >> regards
> > >>
> > >> Steven Jones
> > >>
> > >> Technical Specialist - Linux RHCE
> > >>
> > >> Victoria University, Wellington, NZ
> > >>
> > >> 0064 4 463 6272
> > >>
> > >> -------------------------------------------------------------------
> > >> --
> > >> -
> > >> ---------
> > >>
> > >> *From:*freeipa-users-bounces at redhat.com
> > >> <mailto:freeipa-users-bounces at redhat.com>
> > >> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark 
> > >> [MTovey at go2uti.com]
> > >> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
> > >> *To:* James Hogarth
> > >> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> > >> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>  
> > >>
> > >>  
> > >>
> > >>     I checked that and it is set correctly:
> > >>
> > >>  
> > >>
> > >> [user1 at host1 ~]$ nisdomainname
> > >>
> > >> my_domain.com
> > >>
> > >>  
> > >>
> > >>     If I try to run a command with the hosts specified indirectly 
> > >> through a host group, it fails:
> > >>
> > >>  
> > >>
> > >> [user1 at host1 ~]$ sudo -i -u serv_account
> > >>
> > >> LDAP Config Summary
> > >>
> > >> ===================
> > >>
> > >> uri              ldap://ipa_server.my_domain.com
> > >>
> > >> ldap_version     3
> > >>
> > >> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
> > >>
> > >> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
> > >>
> > >> bindpw           **********
> > >>
> > >> bind_timelimit   5000
> > >>
> > >> timelimit        15
> > >>
> > >> ssl              start_tls
> > >>
> > >> tls_checkpeer    (yes)
> > >>
> > >> tls_cacertfile   /etc/ipa/ca.crt
> > >>
> > >> ===================
> > >>
> > >> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
> > >>
> > >> sudo: ldap_set_option: debug -> 0
> > >>
> > >> sudo: ldap_set_option: ldap_version -> 3
> > >>
> > >> sudo: ldap_set_option: tls_checkpeer -> 1
> > >>
> > >> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> > >>
> > >> sudo: ldap_set_option: timelimit -> 15
> > >>
> > >> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> > >>
> > >>  
> > >>
> > >> sudo: ldap_start_tls_s() ok
> > >>
> > >> sudo: ldap_sasl_bind_s() ok
> > >>
> > >> sudo: no default options found!
> > >>
> > >> sudo: ldap search
> > >> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> > >>
> > >> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> > >>
> > >> sudo: ldap sudoHost '+hgroup1' ... not
> > >>
> > >> sudo: ldap search 'sudoUser=+*'
> > >>
> > >> sudo: user_matches=1
> > >>
> > >> sudo: host_matches=0
> > >>
> > >> sudo: sudo_ldap_lookup(0)=0x40
> > >>
> > >> [sudo] password for user1:
> > >>
> > >> Sorry, try again.
> > >>
> > >> [sudo] password for user1:
> > >>
> > >> sudo: 1 incorrect password attempt
> > >>
> > >>  
> > >>
> > >>  
> > >>
> > >>     But if I remove the host group from the sudo rule and directly 
> > >> add the hosts that were in the host group, it works fine:
> > >>
> > >>  
> > >>
> > >> <snip>
> > >>
> > >>  
> > >>
> > >> sudo: ldap_start_tls_s() ok
> > >>
> > >> sudo: ldap_sasl_bind_s() ok
> > >>
> > >> sudo: no default options found!
> > >>
> > >> sudo: ldap search
> > >> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> > >>
> > >> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> > >>
> > >> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
> > >>
> > >> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
> > >>
> > >> sudo: ldap sudoCommand 'ALL' ... MATCH!
> > >>
> > >> sudo: Command allowed
> > >>
> > >> sudo: user_matches=1
> > >>
> > >> sudo: host_matches=1
> > >>
> > >> sudo: sudo_ldap_lookup(0)=0x02
> > >>
> > >> [sudo] password for user1:
> > >>
> > >> [serv_account at host1 ~]$
> > >>
> > >>  
> > >>
> > >>  
> > >>
> > >>     So something isn't lining up correctly with host groups in sudo 
> > >> rules somewhere.  I just haven't been able to track it down.
> > >>
> > >>     Thanks,
> > >>
> > >>     -Mark
> > >>
> > >>  
> > >>
> > >>  
> > >>
> > >> * *
> > >>
> > >> *________________________________________________________________*
> > >>
> > >> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> > >>
> > >> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
> > >> Portland
> > >> | Oregon
> > >> | 97204 | USA
> > >>
> > >> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> > >> mark.tovey2
> > >>
> > >>  
> > >>
> > >> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
> > >> *Sent:* Monday, July 15, 2013 1:11 PM
> > >> *To:* Tovey, Mark
> > >> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>  
> > >>
> > >>
> > >>>  
> > >>>
> > >>>     Did anyone find a solution for this?  I am having the same experience.
> > >>>
> > >>>  
> > >>>
> > >> Wow that was a mess...
> > >>
> > >> To use hostgroups for sudo ensure nisdomainname is set on the hosts 
> > >> to the IPA domain.
> > >>
> > >>
> > >>
> > >> _______________________________________________
> > >> Freeipa-users mailing list
> > >> Freeipa-users at redhat.com
> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
> > >>
> > >
> > > _______________________________________________
> > > Freeipa-users mailing list
> > > Freeipa-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > 
> > 
> > --
> > Thank you,
> > Dmitri Pal
> > 
> > Sr. Engineering Manager for IdM portfolio Red Hat Inc.
> > 
> > 
> > -------------------------------
> > Looking to carve out IT costs?
> > www.redhat.com/carveoutcosts/
> > 
> > 
> > 
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > 
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users



From abokovoy at redhat.com  Wed Jul 17 16:04:22 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 17 Jul 2013 19:04:22 +0300
Subject: [Freeipa-users] Problems creating trust between FreeIPA and AD
In-Reply-To: <CAHJdQrk5Qqx18q-NAi4ToZaRJN8vWNs+hNkSjqUASr-cDVBq7A@mail.gmail.com>
References: <CAHJdQrk5Qqx18q-NAi4ToZaRJN8vWNs+hNkSjqUASr-cDVBq7A@mail.gmail.com>
Message-ID: <20130717160421.GO18587@redhat.com>

On Wed, 17 Jul 2013, Paulo Silva wrote:
>Hi,
>
>I'm using FreeIPA 3.0.0 (from CentOS 6) to establish a trust with an
>Windows 2008 AD using the procedure described in
>http://www.freeipa.org/page/IPAv3_AD_trust
>
>>From the Linux server everything seems to be working, I can login using
>both AD and IPA users but on the AD I can't use IPA users. Any idea why
>this is happening?
Because we haven't yet implemented the other direction.

We are planning to work on it for Fedora 20 time frame.

-- 
/ Alexander Bokovoy



From MTovey at go2uti.com  Wed Jul 17 16:39:32 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Wed, 17 Jul 2013 16:39:32 +0000
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <20130717155733.GD22079@hendrix.brq.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
	<51E4F750.9010103@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>
	<51E5A436.5080403@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65DEBF@sinmpt10.corp.go2uti.com>
	<20130717083213.GK22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A66247F@sinmpt10.corp.go2uti.com>
	<20130717155733.GD22079@hendrix.brq.redhat.com>
Message-ID: <159018F515D5B14CA76C88F9C425325A0120217A@sinmpt11.corp.go2uti.com>


    Okay, I get it (pardon my obtuseness).

    host1-> getent netgroup hgroup1
    hgroup1                   (host1.my_domain.com, -, my_domain.com)

    So netgroups are working.  The host group is defined in IPA and getent is able to access that information.
    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389


-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek at redhat.com] 
Sent: Wednesday, July 17, 2013 8:58 AM
To: Tovey, Mark
Cc: dpal at redhat.com; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

On Wed, Jul 17, 2013 at 03:01:58PM +0000, Tovey, Mark wrote:
> 
>     We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed. 

OK, these are recent enough to support netgroups and the compat tree should be configured automatically.

>Those came out of the 'latest' repository.  We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything.

Every hostgroup is automatically translated into a netgroup on the server side. You said you have some host groups present, so does "getent netgroup <name-of-hostgroup> return any netgroup data?

>     Thanks,
>     -Mark
> 

> 
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
> MTovey at go2uti.com | O / C +1 503 953-1389
> 
> 
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
> Sent: Wednesday, July 17, 2013 1:32 AM
> To: Tovey, Mark
> Cc: dpal at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> 
> On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
> > 
> > 
> >     We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:
> 
> Hi Mark,
> 
> you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version..
> 
> What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?
> 
> Does getent netgroup <netgroup-name> work?
> 
> > 
> > [sssd]
> > config_file_version = 2
> > services = nss, pam
> > 
> > domains = my_domain.com
> > [nss]
> > 
> > [pam]
> > 
> >  [domain/my_domain.com]
> > cache_credentials = True
> > krb5_store_password_if_offline = True ipa_domain = my_domain.com 
> > id_provider = ipa auth_provider = ipa access_provider = ipa 
> > chpass_provider = ipa ipa_server = _srv_, ipa_server.my_domain.com 
> > ldap_tls_cacert = /etc/ipa/ca.crt debug_level = 6
> > 
> > 
> >     And the nsswitch.conf file:
> > 
> > passwd:     files sss
> > shadow:     files sss
> > group:      files sss
> > 
> > hosts:      files dns
> > 
> > bootparams: nisplus [NOTFOUND=return] files
> > 
> > ethers:     files
> > netmasks:   files
> > networks:   files
> > protocols:  files
> > rpc:        files
> > services:   files
> > 
> > netgroup:   files sss
> > 
> > publickey:  nisplus
> > 
> > automount:  files ldap
> > aliases:    files
> > 
> > sudoers:    files ldap
> > 
> >     Thanks,
> >     -Mark
> > 
> > 
> > 
> > ________________________________________________________________
> > Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
> > Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
> > MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
> > 
> > 
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com 
> > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
> > Sent: Tuesday, July 16, 2013 12:51 PM
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> > 
> > On 07/16/2013 02:11 PM, Tovey, Mark wrote:
> > >     My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we were able to find RPM packages for them.  We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet.  Again, we are just evaluating at this point.  So far, so good, except for this one point.
> > >     The doman name, host name, and nsswitch.conf files are all properly configured.  But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).  After you asked about that, I started looking into the documentation on netgroups.  The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats."  But when I look in the Netgroups area, I do not see any netgroups defined.  I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to reflect what was stated in the documentation. 
> > >     But I am still stumped.  I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
> > >     Thanks,
> > >     -Mark
> > 
> > So can it seems that the first thing you need to to do is to make sure your netgroups work.
> > If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups.
> > Are you using SSSD for netgroups or something else?
> > Can you please share your sssd.conf and area where it configures netgroups?
> > Also is sss in the nsswitch.conf for netgroups map?
> > 
> > >
> > >
> > > ________________________________________________________________
> > > Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 
> > > SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
> > > MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
> > >
> > > -----Original Message-----
> > > From: Martin Kosek [mailto:mkosek at redhat.com]
> > > Sent: Tuesday, July 16, 2013 12:34 AM
> > > To: Tovey, Mark
> > > Cc: Steven Jones; James Hogarth; Freeipa-users at redhat.com; Pavel 
> > > Brezina
> > > Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
> > >
> > > Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that.
> > >
> > > ~~~~
> > > Can you confirm that the output of the following commands:
> > > 1. $ domainname
> > > * does it match your domain?
> > > 2. $ hostname
> > > * does match match your fqdn?
> > > 3. $ getent netgroup esolutions-sandbox-hosts
> > > * does this list your host?
> > > 4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?
> > >
> > >
> > > Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):
> > >
> > > At the top, add the line: sudoers_debug 2
> > >
> > > Then try another sudo command. sudo -l for example.
> > > ~~~~
> > >
> > > For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).
> > >
> > > Martin
> > >
> > >
> > > On 07/16/2013 06:09 AM, Tovey, Mark wrote:
> > >>  
> > >>
> > >>     Okay, I stopped sssd on the client and deleted the cache 
> > >> files, removed the sudo rule, started sssd and verified that the 
> > >> rule was gone, stopped sssd and deleted the files again, added 
> > >> the rule back in, restarted sssd, and still it does not work.  
> > >> One note, when I enter the hosts into the sudo rule in place of 
> > >> the host group, the effect is immediate; I do not need to restart 
> > >> sssd.  And the opposite is true too: if I put the host group 
> > >> back, the rule immediately stops working.  I don't think the 
> > >> issue is cache related; it seems to be something else.  The serv_account that we are accessing with the sudo rule is external.  I wouldn't expect that to matter, but perhaps it does?
> > >>
> > >>  
> > >>
> > >>     I like your idea for the labels; they make sense.  Right now 
> > >> we are just evaluating this to see if we want to go this route.  
> > >> So far we like it, but this could be a problem because we have a 
> > >> several hundred hosts that we need to manage.  Having to enter each one individually will be problematic.
> > >>
> > >>     Thanks,
> > >>
> > >>     -Mark
> > >>
> > >>  
> > >>
> > >> * *
> > >>
> > >> *________________________________________________________________
> > >> *
> > >>
> > >> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> > >>
> > >> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
> > >> Portland
> > >> | Oregon
> > >> | 97204 | USA
> > >>
> > >> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> > >> mark.tovey2
> > >>
> > >>  
> > >>
> > >> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
> > >> *Sent:* Monday, July 15, 2013 4:44 PM
> > >> *To:* Tovey, Mark; James Hogarth
> > >> *Cc:* Freeipa-users at redhat.com
> > >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>  
> > >>
> > >> option b) delete the rule totally and redo it from scratch.
> > >>
> > >> I label rules like this,
> > >>
> > >> hb-xxxx   for a hbac rule
> > >>
> > >> su-xxxx for a sudo rule
> > >>
> > >> sc-xxxx for a sudo command group
> > >>
> > >> ug-xxxx for a user group
> > >>
> > >> hg-xxxx for a host groups
> > >>
> > >> etc
> > >>
> > >> etc
> > >>
> > >> It makes the logic easier when you go into command line which I 
> > >> find easier to trace with than the gui at time.
> > >>
> > >>  
> > >>
> > >> regards
> > >>
> > >> Steven Jones
> > >>
> > >> Technical Specialist - Linux RHCE
> > >>
> > >> Victoria University, Wellington, NZ
> > >>
> > >> 0064 4 463 6272
> > >>
> > >> -----------------------------------------------------------------
> > >> --
> > >> --
> > >> -
> > >> ---------
> > >>
> > >> *From:*Tovey, Mark [MTovey at go2uti.com]
> > >> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
> > >> *To:* Steven Jones; James Hogarth
> > >> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> > >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>  
> > >>
> > >>     That didn't work either.  I set up the host group in my sudo 
> > >> rule, stopped sssd, renamed /var/lib/sss/db and created a new db 
> > >> directory, then restarted sssd.  New files were created in the db 
> > >> directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
> > >>
> > >>     Thanks,
> > >>
> > >>     -Mark
> > >>
> > >>  
> > >>
> > >> * *
> > >>
> > >> *________________________________________________________________
> > >> *
> > >>
> > >> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> > >>
> > >> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
> > >> Portland
> > >> | Oregon
> > >> | 97204 | USA
> > >>
> > >> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> > >> mark.tovey2
> > >>
> > >>  
> > >>
> > >> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
> > >> *Sent:* Monday, July 15, 2013 4:15 PM
> > >> *To:* Tovey, Mark; James Hogarth
> > >> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> > >> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>  
> > >>
> > >> Hi,
> > >>
> > >> This is a known issue Ive suffered a long time with.  What would 
> > >> be interesting is adding another host to the host group could 
> > >> well work fine, that will really make you bang your head against the wall..
> > >>
> > >> 2 possibilities, stop the sssd daemon on the problem host, delete 
> > >> its cache and start it, that might fix it.
> > >>
> > >> Otherwise best to,
> > >>
> > >> All RH support could come up with is delete the HBAC rule, sudo 
> > >> rule, user group and host group and re-do it, then it will probably work fine.
> > >>
> > >>  
> > >>
> > >> regards
> > >>
> > >> Steven Jones
> > >>
> > >> Technical Specialist - Linux RHCE
> > >>
> > >> Victoria University, Wellington, NZ
> > >>
> > >> 0064 4 463 6272
> > >>
> > >> -----------------------------------------------------------------
> > >> --
> > >> --
> > >> -
> > >> ---------
> > >>
> > >> *From:*freeipa-users-bounces at redhat.com
> > >> <mailto:freeipa-users-bounces at redhat.com>
> > >> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark 
> > >> [MTovey at go2uti.com]
> > >> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
> > >> *To:* James Hogarth
> > >> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> > >> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>  
> > >>
> > >>  
> > >>
> > >>     I checked that and it is set correctly:
> > >>
> > >>  
> > >>
> > >> [user1 at host1 ~]$ nisdomainname
> > >>
> > >> my_domain.com
> > >>
> > >>  
> > >>
> > >>     If I try to run a command with the hosts specified indirectly 
> > >> through a host group, it fails:
> > >>
> > >>  
> > >>
> > >> [user1 at host1 ~]$ sudo -i -u serv_account
> > >>
> > >> LDAP Config Summary
> > >>
> > >> ===================
> > >>
> > >> uri              ldap://ipa_server.my_domain.com
> > >>
> > >> ldap_version     3
> > >>
> > >> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
> > >>
> > >> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
> > >>
> > >> bindpw           **********
> > >>
> > >> bind_timelimit   5000
> > >>
> > >> timelimit        15
> > >>
> > >> ssl              start_tls
> > >>
> > >> tls_checkpeer    (yes)
> > >>
> > >> tls_cacertfile   /etc/ipa/ca.crt
> > >>
> > >> ===================
> > >>
> > >> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
> > >>
> > >> sudo: ldap_set_option: debug -> 0
> > >>
> > >> sudo: ldap_set_option: ldap_version -> 3
> > >>
> > >> sudo: ldap_set_option: tls_checkpeer -> 1
> > >>
> > >> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
> > >>
> > >> sudo: ldap_set_option: timelimit -> 15
> > >>
> > >> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
> > >>
> > >>  
> > >>
> > >> sudo: ldap_start_tls_s() ok
> > >>
> > >> sudo: ldap_sasl_bind_s() ok
> > >>
> > >> sudo: no default options found!
> > >>
> > >> sudo: ldap search
> > >> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> > >>
> > >> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> > >>
> > >> sudo: ldap sudoHost '+hgroup1' ... not
> > >>
> > >> sudo: ldap search 'sudoUser=+*'
> > >>
> > >> sudo: user_matches=1
> > >>
> > >> sudo: host_matches=0
> > >>
> > >> sudo: sudo_ldap_lookup(0)=0x40
> > >>
> > >> [sudo] password for user1:
> > >>
> > >> Sorry, try again.
> > >>
> > >> [sudo] password for user1:
> > >>
> > >> sudo: 1 incorrect password attempt
> > >>
> > >>  
> > >>
> > >>  
> > >>
> > >>     But if I remove the host group from the sudo rule and 
> > >> directly add the hosts that were in the host group, it works fine:
> > >>
> > >>  
> > >>
> > >> <snip>
> > >>
> > >>  
> > >>
> > >> sudo: ldap_start_tls_s() ok
> > >>
> > >> sudo: ldap_sasl_bind_s() ok
> > >>
> > >> sudo: no default options found!
> > >>
> > >> sudo: ldap search
> > >> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
> > >>
> > >> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
> > >>
> > >> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
> > >>
> > >> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
> > >>
> > >> sudo: ldap sudoCommand 'ALL' ... MATCH!
> > >>
> > >> sudo: Command allowed
> > >>
> > >> sudo: user_matches=1
> > >>
> > >> sudo: host_matches=1
> > >>
> > >> sudo: sudo_ldap_lookup(0)=0x02
> > >>
> > >> [sudo] password for user1:
> > >>
> > >> [serv_account at host1 ~]$
> > >>
> > >>  
> > >>
> > >>  
> > >>
> > >>     So something isn't lining up correctly with host groups in 
> > >> sudo rules somewhere.  I just haven't been able to track it down.
> > >>
> > >>     Thanks,
> > >>
> > >>     -Mark
> > >>
> > >>  
> > >>
> > >>  
> > >>
> > >> * *
> > >>
> > >> *________________________________________________________________
> > >> *
> > >>
> > >> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
> > >>
> > >> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
> > >> Portland
> > >> | Oregon
> > >> | 97204 | USA
> > >>
> > >> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
> > >> mark.tovey2
> > >>
> > >>  
> > >>
> > >> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
> > >> *Sent:* Monday, July 15, 2013 1:11 PM
> > >> *To:* Tovey, Mark
> > >> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
> > >>
> > >>  
> > >>
> > >>
> > >>>  
> > >>>
> > >>>     Did anyone find a solution for this?  I am having the same experience.
> > >>>
> > >>>  
> > >>>
> > >> Wow that was a mess...
> > >>
> > >> To use hostgroups for sudo ensure nisdomainname is set on the 
> > >> hosts to the IPA domain.
> > >>
> > >>
> > >>
> > >> _______________________________________________
> > >> Freeipa-users mailing list
> > >> Freeipa-users at redhat.com
> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
> > >>
> > >
> > > _______________________________________________
> > > Freeipa-users mailing list
> > > Freeipa-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > 
> > 
> > --
> > Thank you,
> > Dmitri Pal
> > 
> > Sr. Engineering Manager for IdM portfolio Red Hat Inc.
> > 
> > 
> > -------------------------------
> > Looking to carve out IT costs?
> > www.redhat.com/carveoutcosts/
> > 
> > 
> > 
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > 
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users



From mkosek at redhat.com  Wed Jul 17 16:47:59 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 17 Jul 2013 18:47:59 +0200
Subject: [Freeipa-users] Announcing FreeIPA 3.2.2
Message-ID: <51E6CABF.5080202@redhat.com>

The FreeIPA team is proud to announce FreeIPA v3.2.2.

It can be downloaded from http://www.freeipa.org/page/Downloads. The new
version has also been built for Fedora 19 and is on its way to updates-testing.

== Highlights in 3.2.2 ==

=== New features for 3.2.2 ===
* Significant improvement of performance with large number of users or groups.
Several LDAP server indexes were added for this purpose.
* freeipa-server-selinux package with custom FreeIPA SELinux policy is dropped,
all policy is now contained in system policy package

=== Bug fixes ===
* Removes systemd-related deadlock when a server with running FreeIPA services
is restarted
* Fixes ownership issues in CRL publishing directory (/var/lib/ipa/pki-ca/publish/)
* ipa-replica-prepare and ipa-replica-install now do not crash on system with
gnupg2 package only (without older gnupg package)
* CRL file can now be retrieved via plain http protocol without redirection to
https, as defined in certificates published by FreeIPA
* Entitlement plugin is removed from FreeIPA codebase as it was neither
supported nor tested
* Many bugfixes related to CA-less installation
* ... and many others stabilization fixes, see Detailed changelog for full details

== Upgrading ==
An IPA server can be upgraded simply by installing updated rpms. The server
does not need to be shut down in advance.

Please note, that the performance improvements requires an extended set of
indexes to be configured. RPM update for an IPA server with a excessive number
of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected
that all servers will be upgraded in a relatively short period (days or weeks
not months). They should be able to co-exist peacefully but new features will
not be available on old servers and enrolling a new client against an old
server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from previous
versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to
re-enroll it. SSH keys for already installed clients are not uploaded, you will
have to re-enroll the client or manually upload the keys.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel
on Freenode.

== Detailed Changelog since 3.2.1 ==
=== Ana Krivokapic (8): ===
* Fix displaying of success message
* Improve handling of options in ipa-client-install
* Do not display traceback to user
* Fix bug in adtrustinstance
* Use correct DS instance in ipactl status
* Avoid systemd service deadlock during shutdown
* Make sure replication works after DM password is changed
* Use --ignore-dependencies only when necessary

=== Jan Cholasta (16): ===
* Use the correct PKCS#12 file for HTTP server.
* Remove stray error condition in ipa-server-install.
* Handle exceptions gracefully when verifying PKCS#12 files.
* Skip empty lines when parsing pk12util output.
* Do not allow installing CA replicas in CA-less setup.
* Do not track DS certificate in CA-less setup.
* Fix CA-less check in ipa-replica-install and ipa-ca-install.
* Do not skip SSSD known hosts in ipa-client-install --ssh-trust-dns.
* Skip cert issuer validation in service and host commands in CA-less install.
* Check trust chain length in CA-less install.
* Use LDAP search instead of *group_show to check if a group exists.
* Use LDAP search instead of *group_show to check for a group objectclass.
* Use LDAP modify operation directly to add/remove group members.
* Add missing substring indices for attributes managed by the referint plugin.
* Add missing equality index for ipaUniqueId.
* Run gpg-agent explicitly when encrypting/decrypting files.

=== Lukas Slebodnik (1): ===
* Use pkg-config to detect cmocka

=== Martin Kosek (7): ===
* Remove entitlement support
* Enable SASL mapping fallback.
* Drop SELinux subpackage
* Drop redundant directory /var/cache/ipa/sessions
* Run server upgrade and restart in posttrans
* Require new selinux-policy replacing old server-selinux subpackage
* Become 3.2.2

=== Nathaniel McCallum (3): ===
* Fix client install exception if /etc/ssh is missing
* Permit reads to ipatokenRadiusProxyUser objects
* Fix for small syntax error in OTP schema

=== Petr Vobornik (5): ===
* Regression fix: rule table with ext. member support doesn't offer any items
* Fix default value selection in radio widget
* Do not redirect to https in /ipa/ui on non-HTML files
* Create Firefox configuration extension on CA-less install
* Disable checkboxes and radios for readonly attributes

=== Rob Crittenden (1): ===
* Return the correct Content-type on negotiated XML-RPC requests.

=== Sumit Bose (1): ===
* Fix type of printf argument

=== Tomas Babej (2): ===
* Do not redirect ipa/crl to HTTPS
* Change group ownership of CRL publish directory



From jhrozek at redhat.com  Wed Jul 17 16:53:40 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 17 Jul 2013 18:53:40 +0200
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <159018F515D5B14CA76C88F9C425325A0120217A@sinmpt11.corp.go2uti.com>
References: <833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
	<51E4F750.9010103@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>
	<51E5A436.5080403@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65DEBF@sinmpt10.corp.go2uti.com>
	<20130717083213.GK22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A66247F@sinmpt10.corp.go2uti.com>
	<20130717155733.GD22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A0120217A@sinmpt11.corp.go2uti.com>
Message-ID: <20130717165340.GG22079@hendrix.brq.redhat.com>

On Wed, Jul 17, 2013 at 04:39:32PM +0000, Tovey, Mark wrote:
> 
>     Okay, I get it (pardon my obtuseness).
> 
>     host1-> getent netgroup hgroup1
>     hgroup1                   (host1.my_domain.com, -, my_domain.com)
> 
>     So netgroups are working.  The host group is defined in IPA and getent is able to access that information.
>     Thanks,
>     -Mark
> 

OK, good, thanks for checking.

Pavel, can you check the sudo output earlier in the thread if you spot
anything?



From matthew.joseph at lmco.com  Wed Jul 17 17:03:56 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Wed, 17 Jul 2013 13:03:56 -0400
Subject: [Freeipa-users] kinit admin password expired
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0F48997A84@HCXMSP1.ca.lmco.com>

Hello,

I've seem to run into an issue with our admin account on our FreeIPA server.
Our password expired (I thought I disabled the password expiration for this account) and when I run kinit admin it prompts me for a new password.
I type in the old password and then the new one two times but then it states that kinit: Password has expired while getting initial credentials.
When I run kinit admin again on it the new password is actually set but it tells me that again I need to change the password.

Luckily that is not our only admin account for FreeIPA but can someone please explain what is happening here?

Thanks,

Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130717/fd874fd0/attachment.htm>

From matthew.e.shapiro.ctr at mail.mil  Wed Jul 17 21:14:28 2013
From: matthew.e.shapiro.ctr at mail.mil (Shapiro, Matthew E CTR DODHRA DMDC (US))
Date: Wed, 17 Jul 2013 21:14:28 +0000
Subject: [Freeipa-users] help: ipa error 4301
Message-ID: <461B4ED817602845B051F04C0FB2A29102ADBCE8@UHILHPYJ.easf.csd.disa.mil>

Hi ,

While running the ipa-client-install script on a RHEL 6.4 server, I get the following output (please note the indicated line with the arrow):

[root@[hostname]]# ipa-client-install
Discovery was successful!
Hostname: [hostname]
Realm: example.com
DNS Domain: example.com
IPA Server: chtvm-389.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Password for admin example com:

Enrolled in IPA realm example.com
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm example.com
SSSD enabled
Kerberos 5 enabled
----->Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
NTP enabled
Client configuration complete.

Also, please note that I've obfuscated the hostname, domain, and realm for security reasons.    I believe I've narrowed down the problem to certificate enrollment.  When I check my IPA Server Web UI, I have a notice in my host details that says "no valid certificate present."  I then checked my client host by running:

[root at hostname user]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20130717205230':
        status: CA_UNCONFIGURED
        ca-error: Error setting up ccache for local "host" service using default keytab: Resource temporarily unavailable.
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - hostname.example.com',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - hostname.example.com '
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

I'm concerned about that "stuck" field, I have no idea what that means.
I have other RHEL 6.4 clients that have been able to join my IPA domain with no issue at all, but this one client baffles me.  Any thoughts??

----------------------------------------------------------------------
Matthew Shapiro
Systems Administrator

Trofholz Technologies, Inc.
Defense Personnel and Security Research Center (PERSEREC)
Defense Manpower Data Center (DMDC)
Office: 831.583.2828

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130717/402ddcbc/attachment.htm>

From rendhalver at gmail.com  Thu Jul 18 01:31:50 2013
From: rendhalver at gmail.com (Pete Brown)
Date: Thu, 18 Jul 2013 11:31:50 +1000
Subject: [Freeipa-users] problem creating replica
In-Reply-To: <CAJ8DPF7-nAxu5+BbLt0t7Hb2reJrYg273v6r6kQq3j2gnsEeOA@mail.gmail.com>
References: <CAJ8DPF7-nAxu5+BbLt0t7Hb2reJrYg273v6r6kQq3j2gnsEeOA@mail.gmail.com>
Message-ID: <CAJ8DPF4Fdeu5VBK4wdcm_cS1ATE3WR4b8-fE42m1ERTvP18u1A@mail.gmail.com>

I opened all the ports that seemed to be listening n the master.
I also ran the setup again without disabling the connection check to
see what else needed fixing.
It seems after much investigation and log dredging it seems my admin
password had expired.
I wasn't aware that was possible.
I reset the password and it seemed to get further.
This for some reason not mentioned in the documentation the replica is
trying to ssh into the master as admin.
I managed to fix that by changing my setup and ssh config files.

Then it actually managed to start the setup process.
But again it fails at exactly the same point mentioned in my initial email.

After some further digging with reference to the log output below it
seems I have run into a bug that seems to have been fixed.
https://fedorahosted.org/freeipa/ticket/3213
As I mentioned I am running current Fedora 18 so freeipa is
3.1.5-1.fc18 is that fixed in my version?

It also seems the dogatg and IPA directories will be or have been merged?
Which version did this happen in and will it get applied to my server?

Can anyone suggest how I go about fixing this issue?
I wanted to create a replica so I could upgrade to fedora 19 and not
have to take my single instance of FreeIPA offline while that was
happening.
Will I need to upgrade to Fedora 19 to fix my issue?

For reference this is the point of failure in the
/var/log/ipareplica-install.log file

2013-07-18T01:06:16Z DEBUG Starting external process
2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
2013-07-18T01:08:16Z DEBUG Process finished, return code=1
2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration
from /tmp/tmpFKBxMW.
ERROR:  Unable to access security domain: 503 Server Error: Service Unavailable

2013-07-18T01:08:16Z DEBUG stderr=
2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit
status 1
2013-07-18T01:08:16Z INFO   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 619, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 652, in main
    (CA, cs) = cainstance.install_replica_ca(config, dogtag_master_ds_port)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 1809, in install_replica_ca
    subject_base=config.subject_base)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 625, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 358, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 744, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')

2013-07-18T01:08:16Z INFO The ipa-replica-install command failed,
exception: RuntimeError: Configuration of CA failed

On 17 July 2013 15:52, Pete Brown <rendhalver at gmail.com> wrote:
> Hi everyone,
>
> I am attempting to create a replica of my freeipa server.
> I am following the docs but they are not working for me.
> I am getting the vague impression I am missing a step that doesn't
> seem to be documented.
>
> For the record all the posts listed are open and it was a clean
> install of Fedora 18.
>
> I thought the server may need to be a client of the master before I
> set it up as a replica but it just said I needed to uninstall the
> client setup.
>
> After running ipa-replica-prepare on the master and scping the file to
> the new replica.
> I ran this command on the new replica
> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
> --forwarder=XXX.XXX.XXX.XX --forwarder=XX.XXX.XXX.XXX
> /var/lib/ipa/replica-info-ipa2.domain.com.gpg
>
> The error I am seeing is from that command is this:
> Cannot acquire Kerberos ticket: kinit: Cannot read password while
> getting initial credentials
>
> Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with
> --skip-conncheck parameter.
>
> So I cleaned everything off (i think) and tried it with this command
>
> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
> --forwarder=61.9.211.33 --forwarder=61.9.211.1 --skip-conncheck
> /var/lib/ipa/replica-info-ipa2.webgatetec.com.gpg
>
> This seems to actually start the install and setup process i remember
> from installing the ipa server initially
>
> This it fails with this output
>
> WARNING: conflicting time&date synchronization service 'chronyd' will
> be disabled in favor of ntpd
>
> Directory Manager (existing master) password:
>
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv): Estimated time 1 minute
>   [1/31]: creating directory server user
>   [2/31]: creating directory server instance
>   [3/31]: adding default schema
>   [4/31]: enabling memberof plugin
>   [5/31]: enabling winsync plugin
>   [6/31]: configuring replication version plugin
>   [7/31]: enabling IPA enrollment plugin
>   [8/31]: enabling ldapi
>   [9/31]: configuring uniqueness plugin
>   [10/31]: configuring uuid plugin
>   [11/31]: configuring modrdn plugin
>   [12/31]: configuring DNS plugin
>   [13/31]: enabling entryUSN plugin
>   [14/31]: configuring lockout plugin
>   [15/31]: creating indices
>   [16/31]: enabling referential integrity plugin
>   [17/31]: configuring ssl for ds instance
>   [18/31]: configuring certmap.conf
>   [19/31]: configure autobind for root
>   [20/31]: configure new location for managed entries
>   [21/31]: restarting directory server
>   [22/31]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress
> Update in progress
> Update in progress
> Update in progress
> Update succeeded
>   [23/31]: adding replication acis
>   [24/31]: setting Auto Member configuration
>   [25/31]: enabling S4U2Proxy delegation
>   [26/31]: initializing group membership
>   [27/31]: adding master entry
>   [28/31]: configuring Posix uid/gid generation
>   [29/31]: enabling compatibility plugin
>   [30/31]: tuning directory server
>   [31/31]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
> 30 seconds
>   [1/17]: creating certificate server user
>   [2/17]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmptGcdgB' returned non-zero exit
> status 1
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
>
> I even tried cleaning it again at that point and made sure all the
> ports were open and still got the same error.
>
> I also switched selinux to permissive mode cleaned up and rebooted but
> that didn't help either
>
> Can someone please point out what I need to do to get this working.
>
> Thanks in advance.
> Pete.



From mkosek at redhat.com  Thu Jul 18 08:03:00 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 18 Jul 2013 10:03:00 +0200
Subject: [Freeipa-users] kinit admin password expired
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0F48997A84@HCXMSP1.ca.lmco.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0F48997A84@HCXMSP1.ca.lmco.com>
Message-ID: <51E7A134.8040807@redhat.com>

On 07/17/2013 07:03 PM, Joseph, Matthew (EXP) wrote:
> Hello,
> 
>  
> 
> I?ve seem to run into an issue with our admin account on our FreeIPA server.
> 
> Our password expired (I thought I disabled the password expiration for this
> account) and when I run kinit admin it prompts me for a new password.
> 
> I type in the old password and then the new one two times but then it states
> that kinit: Password has expired while getting initial credentials.
> 
> When I run kinit admin again on it the new password is actually set but it
> tells me that again I need to change the password.
> 
>  
> 
> Luckily that is not our only admin account for FreeIPA but can someone please
> explain what is happening here?

Can you check the krbpasswordexpiration attribute in the admin account after
the password change failed?

$ ipa user-show admin --all | grep krbpasswordexpiration

In the past, I saw a similar failure when somebody configured a password policy
(either global or for a group) to a too high value causing some timestamps in
KDC<->LDAP layer to overflow - but this should be already fixed in current
FreeIPA version (https://fedorahosted.org/freeipa/ticket/3312).

You can get the policy with:

$ ipa pwpolicy-show  # get the global policy
$ ipa pwpolicy-show admins # gets admins group policy (if you defined it)

Martin



From mkosek at redhat.com  Thu Jul 18 08:15:23 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 18 Jul 2013 10:15:23 +0200
Subject: [Freeipa-users] help: ipa error 4301
In-Reply-To: <461B4ED817602845B051F04C0FB2A29102ADBCE8@UHILHPYJ.easf.csd.disa.mil>
References: <461B4ED817602845B051F04C0FB2A29102ADBCE8@UHILHPYJ.easf.csd.disa.mil>
Message-ID: <51E7A41B.3030705@redhat.com>

On 07/17/2013 11:14 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote:
> Hi ,
> 
>  
> 
> While running the ipa-client-install script on a RHEL 6.4 server, I get the
> following output (please note the indicated line with the arrow):
> 
>  
> 
> [root@[hostname]]# ipa-client-install
> 
> Discovery was successful!
> 
> Hostname: [hostname]
> 
> Realm: example.com
> 
> DNS Domain: example.com
> 
> IPA Server: chtvm-389.example.com
> 
> BaseDN: dc=example,dc=com
> 
>  
> 
> Continue to configure the system with these values? [no]: yes
> 
> User authorized to enroll computers: admin
> 
> Password for admin example com:
> 
>  
> 
> Enrolled in IPA realm example.com
> 
> Created /etc/ipa/default.conf
> 
> Configured /etc/sssd/sssd.conf
> 
> Configured /etc/krb5.conf for IPA realm example.com
> 
> SSSD enabled
> 
> Kerberos 5 enabled
> 
> ---?Unable to find 'admin' user with 'getent passwd admin'!
> 
> Recognized configuration: SSSD
> 
> NTP enabled
> 
> Client configuration complete.
> 
>  
> 
> Also, please note that I?ve obfuscated the hostname, domain, and realm for
> security reasons.    I believe I?ve narrowed down the problem to certificate
> enrollment.  When I check my IPA Server Web UI, I have a notice in my host
> details that says ?no valid certificate present.?  I then checked my client
> host by running:
> 
>  
> 
> [root at hostname user]# ipa-getcert list
> 
> Number of certificates and requests being tracked: 1.
> 
> Request ID '20130717205230':
> 
>         status: CA_UNCONFIGURED
> 
>         ca-error: Error setting up ccache for local "host" service using
> default keytab: Resource temporarily unavailable.
> 
>         stuck: yes
> 
>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
> Machine Certificate - hostname.example.com',token='NSS Certificate DB'
> 
>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
> Certificate - hostname.example.com '
> 
>         CA: IPA
> 
>         issuer:
> 
>         subject:
> 
>         expires: unknown
> 
>         pre-save command:
> 
>         post-save command:
> 
>         track: yes
> 
>         auto-renew: yes
> 
>  
> 
> I?m concerned about that ?stuck? field, I have no idea what that means.
> 
> I have other RHEL 6.4 clients that have been able to join my IPA domain with no
> issue at all, but this one client baffles me.  Any thoughts??
> 
>  
> 
> ----------------------------------------------------------------------
> 
> Matthew Shapiro
> 
> Systems Administrator
> 
>  
> 
> Trofholz Technologies, Inc.
> 
> Defense Personnel and Security Research Center (PERSEREC)
> 
> Defense Manpower Data Center (DMDC)
> 
> Office: 831.583.2828
> 
>  
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 

There seems to be something wrong with the host keytab:

...

>         ca-error: Error setting up ccache for local "host" service using
> default keytab: Resource temporarily unavailable.

Can you check if the host principal in keytab are correct?

# klist -kt /etc/krb5.keytab

Are you able to kinit with the host principal?

# kinit -kt /etc/krb5.keytab host/[hostname]@[REALM]


Another issue I saw (Unable to find 'admin' user with 'getent passwd admin') -
is this still not working?

# getent passwd admin

Martin



From pviktori at redhat.com  Thu Jul 18 09:50:07 2013
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 18 Jul 2013 11:50:07 +0200
Subject: [Freeipa-users] problem creating replica
In-Reply-To: <CAJ8DPF4Fdeu5VBK4wdcm_cS1ATE3WR4b8-fE42m1ERTvP18u1A@mail.gmail.com>
References: <CAJ8DPF7-nAxu5+BbLt0t7Hb2reJrYg273v6r6kQq3j2gnsEeOA@mail.gmail.com>
	<CAJ8DPF4Fdeu5VBK4wdcm_cS1ATE3WR4b8-fE42m1ERTvP18u1A@mail.gmail.com>
Message-ID: <51E7BA4F.2060903@redhat.com>

On 07/18/2013 03:31 AM, Pete Brown wrote:
> I opened all the ports that seemed to be listening n the master.
> I also ran the setup again without disabling the connection check to
> see what else needed fixing.
> It seems after much investigation and log dredging it seems my admin
> password had expired.
> I wasn't aware that was possible.
> I reset the password and it seemed to get further.
> This for some reason not mentioned in the documentation the replica is
> trying to ssh into the master as admin.
> I managed to fix that by changing my setup and ssh config files.
>
> Then it actually managed to start the setup process.
> But again it fails at exactly the same point mentioned in my initial email.
>
> After some further digging with reference to the log output below it
> seems I have run into a bug that seems to have been fixed.
> https://fedorahosted.org/freeipa/ticket/3213
> As I mentioned I am running current Fedora 18 so freeipa is
> 3.1.5-1.fc18 is that fixed in my version?

Yes, that bug was fixed in 3.1.0.

> It also seems the dogatg and IPA directories will be or have been merged?
> Which version did this happen in and will it get applied to my server?

Also in 3.1.0; new servers installed using that version have merged 
databases.

> Can anyone suggest how I go about fixing this issue?

Well, ipa-server-uninstall can misbehave if CA installation goes wrong 
(ticket #2796).
So I would start by uninstalling, then running the following command to 
make sure CA is not left:
     sudo pkidestroy -s CA -i pki-tomcat
then installing again.

Can you also provide logs without the --skip-conncheck flag? 
Specifically the /var/log/ipareplica-conncheck.log should be interesting.

> I wanted to create a replica so I could upgrade to fedora 19 and not
> have to take my single instance of FreeIPA offline while that was
> happening.
> Will I need to upgrade to Fedora 19 to fix my issue?


> For reference this is the point of failure in the
> /var/log/ipareplica-install.log file
>
> 2013-07-18T01:06:16Z DEBUG Starting external process
> 2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
> 2013-07-18T01:08:16Z DEBUG Process finished, return code=1
> 2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration
> from /tmp/tmpFKBxMW.
> ERROR:  Unable to access security domain: 503 Server Error: Service Unavailable

Please also check logs on the existing server. Is the CA available?
Does e.g. `ipa cert-show 1` work?

> 2013-07-18T01:08:16Z DEBUG stderr=
> 2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit
> status 1
> 2013-07-18T01:08:16Z INFO   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 619, in run_script
>      return_value = main_function()
>
>    File "/usr/sbin/ipa-replica-install", line 652, in main
>      (CA, cs) = cainstance.install_replica_ca(config, dogtag_master_ds_port)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 1809, in install_replica_ca
>      subject_base=config.subject_base)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 625, in configure_instance
>      self.start_creation(runtime=210)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 358, in start_creation
>      method()
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 744, in __spawn_instance
>      raise RuntimeError('Configuration of CA failed')
>
> 2013-07-18T01:08:16Z INFO The ipa-replica-install command failed,
> exception: RuntimeError: Configuration of CA failed
>
> On 17 July 2013 15:52, Pete Brown <rendhalver at gmail.com> wrote:
>> Hi everyone,
>>
>> I am attempting to create a replica of my freeipa server.
>> I am following the docs but they are not working for me.
>> I am getting the vague impression I am missing a step that doesn't
>> seem to be documented.
>>
>> For the record all the posts listed are open and it was a clean
>> install of Fedora 18.
>>
>> I thought the server may need to be a client of the master before I
>> set it up as a replica but it just said I needed to uninstall the
>> client setup.
>>
>> After running ipa-replica-prepare on the master and scping the file to
>> the new replica.
>> I ran this command on the new replica
>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>> --forwarder=XXX.XXX.XXX.XX --forwarder=XX.XXX.XXX.XXX
>> /var/lib/ipa/replica-info-ipa2.domain.com.gpg
>>
>> The error I am seeing is from that command is this:
>> Cannot acquire Kerberos ticket: kinit: Cannot read password while
>> getting initial credentials
>>
>> Connection check failed!
>> Please fix your network settings according to error messages above.
>> If the check results are not valid it can be skipped with
>> --skip-conncheck parameter.
>>
>> So I cleaned everything off (i think) and tried it with this command
>>
>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>> --forwarder=61.9.211.33 --forwarder=61.9.211.1 --skip-conncheck
>> /var/lib/ipa/replica-info-ipa2.webgatetec.com.gpg
>>
>> This seems to actually start the install and setup process i remember
>> from installing the ipa server initially
>>
>> This it fails with this output
>>
>> WARNING: conflicting time&date synchronization service 'chronyd' will
>> be disabled in favor of ntpd
>>
>> Directory Manager (existing master) password:
>>
>> Configuring NTP daemon (ntpd)
>>    [1/4]: stopping ntpd
>>    [2/4]: writing configuration
>>    [3/4]: configuring ntpd to start on boot
>>    [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv): Estimated time 1 minute
>>    [1/31]: creating directory server user
>>    [2/31]: creating directory server instance
>>    [3/31]: adding default schema
>>    [4/31]: enabling memberof plugin
>>    [5/31]: enabling winsync plugin
>>    [6/31]: configuring replication version plugin
>>    [7/31]: enabling IPA enrollment plugin
>>    [8/31]: enabling ldapi
>>    [9/31]: configuring uniqueness plugin
>>    [10/31]: configuring uuid plugin
>>    [11/31]: configuring modrdn plugin
>>    [12/31]: configuring DNS plugin
>>    [13/31]: enabling entryUSN plugin
>>    [14/31]: configuring lockout plugin
>>    [15/31]: creating indices
>>    [16/31]: enabling referential integrity plugin
>>    [17/31]: configuring ssl for ds instance
>>    [18/31]: configuring certmap.conf
>>    [19/31]: configure autobind for root
>>    [20/31]: configure new location for managed entries
>>    [21/31]: restarting directory server
>>    [22/31]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> Update in progress
>> Update in progress
>> Update in progress
>> Update in progress
>> Update succeeded
>>    [23/31]: adding replication acis
>>    [24/31]: setting Auto Member configuration
>>    [25/31]: enabling S4U2Proxy delegation
>>    [26/31]: initializing group membership
>>    [27/31]: adding master entry
>>    [28/31]: configuring Posix uid/gid generation
>>    [29/31]: enabling compatibility plugin
>>    [30/31]: tuning directory server
>>    [31/31]: configuring directory to start on boot
>> Done configuring directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>> 30 seconds
>>    [1/17]: creating certificate server user
>>    [2/17]: configuring certificate server instance
>> ipa         : CRITICAL failed to configure ca instance Command
>> '/usr/sbin/pkispawn -s CA -f /tmp/tmptGcdgB' returned non-zero exit
>> status 1
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> Configuration of CA failed
>>
>> I even tried cleaning it again at that point and made sure all the
>> ports were open and still got the same error.
>>
>> I also switched selinux to permissive mode cleaned up and rebooted but
>> that didn't help either
>>
>> Can someone please point out what I need to do to get this working.
>>
>> Thanks in advance.
>> Pete.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>


-- 
Petr?



From pbrezina at redhat.com  Thu Jul 18 09:02:33 2013
From: pbrezina at redhat.com (=?UTF-8?B?UGF2ZWwgQsWZZXppbmE=?=)
Date: Thu, 18 Jul 2013 11:02:33 +0200
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <159018F515D5B14CA76C88F9C425325A0120217A@sinmpt11.corp.go2uti.com>
References: <833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
	<51E4F750.9010103@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>
	<51E5A436.5080403@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65DEBF@sinmpt10.corp.go2uti.com>
	<20130717083213.GK22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A66247F@sinmpt10.corp.go2uti.com>
	<20130717155733.GD22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A0120217A@sinmpt11.corp.go2uti.com>
Message-ID: <51E7AF29.4010006@redhat.com>

On 07/17/2013 06:39 PM, Tovey, Mark wrote:
>
>      Okay, I get it (pardon my obtuseness).
>
>      host1-> getent netgroup hgroup1
>      hgroup1                   (host1.my_domain.com, -, my_domain.com)
>
>      So netgroups are working.  The host group is defined in IPA and getent is able to access that information.
>      Thanks,
>      -Mark

Hi,
can you also paste the output of following commands please?

$ nisdomainname
$ rpm -q sudo

Thanks,
Pavel.

>
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389
>
>
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
> Sent: Wednesday, July 17, 2013 8:58 AM
> To: Tovey, Mark
> Cc: dpal at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On Wed, Jul 17, 2013 at 03:01:58PM +0000, Tovey, Mark wrote:
>>
>>      We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.
>
> OK, these are recent enough to support netgroups and the compat tree should be configured automatically.
>
>> Those came out of the 'latest' repository.  We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything.
>
> Every hostgroup is automatically translated into a netgroup on the server side. You said you have some host groups present, so does "getent netgroup <name-of-hostgroup> return any netgroup data?
>
>>      Thanks,
>>      -Mark
>>
>
>>
>> ________________________________________________________________
>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW
>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>> MTovey at go2uti.com | O / C +1 503 953-1389
>>
>>
>> -----Original Message-----
>> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
>> Sent: Wednesday, July 17, 2013 1:32 AM
>> To: Tovey, Mark
>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>> On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
>>>
>>>
>>>      We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:
>>
>> Hi Mark,
>>
>> you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version..
>>
>> What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?
>>
>> Does getent netgroup <netgroup-name> work?
>>
>>>
>>> [sssd]
>>> config_file_version = 2
>>> services = nss, pam
>>>
>>> domains = my_domain.com
>>> [nss]
>>>
>>> [pam]
>>>
>>>   [domain/my_domain.com]
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True ipa_domain = my_domain.com
>>> id_provider = ipa auth_provider = ipa access_provider = ipa
>>> chpass_provider = ipa ipa_server = _srv_, ipa_server.my_domain.com
>>> ldap_tls_cacert = /etc/ipa/ca.crt debug_level = 6
>>>
>>>
>>>      And the nsswitch.conf file:
>>>
>>> passwd:     files sss
>>> shadow:     files sss
>>> group:      files sss
>>>
>>> hosts:      files dns
>>>
>>> bootparams: nisplus [NOTFOUND=return] files
>>>
>>> ethers:     files
>>> netmasks:   files
>>> networks:   files
>>> protocols:  files
>>> rpc:        files
>>> services:   files
>>>
>>> netgroup:   files sss
>>>
>>> publickey:  nisplus
>>>
>>> automount:  files ldap
>>> aliases:    files
>>>
>>> sudoers:    files ldap
>>>
>>>      Thanks,
>>>      -Mark
>>>
>>>
>>>
>>> ________________________________________________________________
>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW
>>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>>> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>>>
>>>
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com
>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
>>> Sent: Tuesday, July 16, 2013 12:51 PM
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>
>>> On 07/16/2013 02:11 PM, Tovey, Mark wrote:
>>>>      My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we were able to find RPM packages for them.  We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet.  Again, we are just evaluating at this point.  So far, so good, except for this one point.
>>>>      The doman name, host name, and nsswitch.conf files are all properly configured.  But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).  After you asked about that, I started looking into the documentation on netgroups.  The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats."  But when I look in the Netgroups area, I do not see any netgroups defined.  I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to reflect what was stated in the documentation.
>>>>      But I am still stumped.  I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
>>>>      Thanks,
>>>>      -Mark
>>>
>>> So can it seems that the first thing you need to to do is to make sure your netgroups work.
>>> If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups.
>>> Are you using SSSD for netgroups or something else?
>>> Can you please share your sssd.conf and area where it configures netgroups?
>>> Also is sss in the nsswitch.conf for netgroups map?
>>>
>>>>
>>>>
>>>> ________________________________________________________________
>>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400
>>>> SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>>>> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>>>>
>>>> -----Original Message-----
>>>> From: Martin Kosek [mailto:mkosek at redhat.com]
>>>> Sent: Tuesday, July 16, 2013 12:34 AM
>>>> To: Tovey, Mark
>>>> Cc: Steven Jones; James Hogarth; Freeipa-users at redhat.com; Pavel
>>>> Brezina
>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>
>>>> Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that.
>>>>
>>>> ~~~~
>>>> Can you confirm that the output of the following commands:
>>>> 1. $ domainname
>>>> * does it match your domain?
>>>> 2. $ hostname
>>>> * does match match your fqdn?
>>>> 3. $ getent netgroup esolutions-sandbox-hosts
>>>> * does this list your host?
>>>> 4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?
>>>>
>>>>
>>>> Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):
>>>>
>>>> At the top, add the line: sudoers_debug 2
>>>>
>>>> Then try another sudo command. sudo -l for example.
>>>> ~~~~
>>>>
>>>> For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).
>>>>
>>>> Martin
>>>>
>>>>
>>>> On 07/16/2013 06:09 AM, Tovey, Mark wrote:
>>>>>
>>>>>
>>>>>      Okay, I stopped sssd on the client and deleted the cache
>>>>> files, removed the sudo rule, started sssd and verified that the
>>>>> rule was gone, stopped sssd and deleted the files again, added
>>>>> the rule back in, restarted sssd, and still it does not work.
>>>>> One note, when I enter the hosts into the sudo rule in place of
>>>>> the host group, the effect is immediate; I do not need to restart
>>>>> sssd.  And the opposite is true too: if I put the host group
>>>>> back, the rule immediately stops working.  I don't think the
>>>>> issue is cache related; it seems to be something else.  The serv_account that we are accessing with the sudo rule is external.  I wouldn't expect that to matter, but perhaps it does?
>>>>>
>>>>>
>>>>>
>>>>>      I like your idea for the labels; they make sense.  Right now
>>>>> we are just evaluating this to see if we want to go this route.
>>>>> So far we like it, but this could be a problem because we have a
>>>>> several hundred hosts that we need to manage.  Having to enter each one individually will be problematic.
>>>>>
>>>>>      Thanks,
>>>>>
>>>>>      -Mark
>>>>>
>>>>>
>>>>>
>>>>> * *
>>>>>
>>>>> *________________________________________________________________
>>>>> *
>>>>>
>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>
>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 |
>>>>> Portland
>>>>> | Oregon
>>>>> | 97204 | USA
>>>>>
>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>> mark.tovey2
>>>>>
>>>>>
>>>>>
>>>>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>>>>> *Sent:* Monday, July 15, 2013 4:44 PM
>>>>> *To:* Tovey, Mark; James Hogarth
>>>>> *Cc:* Freeipa-users at redhat.com
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>> option b) delete the rule totally and redo it from scratch.
>>>>>
>>>>> I label rules like this,
>>>>>
>>>>> hb-xxxx   for a hbac rule
>>>>>
>>>>> su-xxxx for a sudo rule
>>>>>
>>>>> sc-xxxx for a sudo command group
>>>>>
>>>>> ug-xxxx for a user group
>>>>>
>>>>> hg-xxxx for a host groups
>>>>>
>>>>> etc
>>>>>
>>>>> etc
>>>>>
>>>>> It makes the logic easier when you go into command line which I
>>>>> find easier to trace with than the gui at time.
>>>>>
>>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> -----------------------------------------------------------------
>>>>> --
>>>>> --
>>>>> -
>>>>> ---------
>>>>>
>>>>> *From:*Tovey, Mark [MTovey at go2uti.com]
>>>>> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
>>>>> *To:* Steven Jones; James Hogarth
>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>>      That didn't work either.  I set up the host group in my sudo
>>>>> rule, stopped sssd, renamed /var/lib/sss/db and created a new db
>>>>> directory, then restarted sssd.  New files were created in the db
>>>>> directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
>>>>>
>>>>>      Thanks,
>>>>>
>>>>>      -Mark
>>>>>
>>>>>
>>>>>
>>>>> * *
>>>>>
>>>>> *________________________________________________________________
>>>>> *
>>>>>
>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>
>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 |
>>>>> Portland
>>>>> | Oregon
>>>>> | 97204 | USA
>>>>>
>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>> mark.tovey2
>>>>>
>>>>>
>>>>>
>>>>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>>>>> *Sent:* Monday, July 15, 2013 4:15 PM
>>>>> *To:* Tovey, Mark; James Hogarth
>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> This is a known issue Ive suffered a long time with.  What would
>>>>> be interesting is adding another host to the host group could
>>>>> well work fine, that will really make you bang your head against the wall..
>>>>>
>>>>> 2 possibilities, stop the sssd daemon on the problem host, delete
>>>>> its cache and start it, that might fix it.
>>>>>
>>>>> Otherwise best to,
>>>>>
>>>>> All RH support could come up with is delete the HBAC rule, sudo
>>>>> rule, user group and host group and re-do it, then it will probably work fine.
>>>>>
>>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> -----------------------------------------------------------------
>>>>> --
>>>>> --
>>>>> -
>>>>> ---------
>>>>>
>>>>> *From:*freeipa-users-bounces at redhat.com
>>>>> <mailto:freeipa-users-bounces at redhat.com>
>>>>> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark
>>>>> [MTovey at go2uti.com]
>>>>> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
>>>>> *To:* James Hogarth
>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>      I checked that and it is set correctly:
>>>>>
>>>>>
>>>>>
>>>>> [user1 at host1 ~]$ nisdomainname
>>>>>
>>>>> my_domain.com
>>>>>
>>>>>
>>>>>
>>>>>      If I try to run a command with the hosts specified indirectly
>>>>> through a host group, it fails:
>>>>>
>>>>>
>>>>>
>>>>> [user1 at host1 ~]$ sudo -i -u serv_account
>>>>>
>>>>> LDAP Config Summary
>>>>>
>>>>> ===================
>>>>>
>>>>> uri              ldap://ipa_server.my_domain.com
>>>>>
>>>>> ldap_version     3
>>>>>
>>>>> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
>>>>>
>>>>> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
>>>>>
>>>>> bindpw           **********
>>>>>
>>>>> bind_timelimit   5000
>>>>>
>>>>> timelimit        15
>>>>>
>>>>> ssl              start_tls
>>>>>
>>>>> tls_checkpeer    (yes)
>>>>>
>>>>> tls_cacertfile   /etc/ipa/ca.crt
>>>>>
>>>>> ===================
>>>>>
>>>>> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
>>>>>
>>>>> sudo: ldap_set_option: debug -> 0
>>>>>
>>>>> sudo: ldap_set_option: ldap_version -> 3
>>>>>
>>>>> sudo: ldap_set_option: tls_checkpeer -> 1
>>>>>
>>>>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>>>>>
>>>>> sudo: ldap_set_option: timelimit -> 15
>>>>>
>>>>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>>>>>
>>>>>
>>>>>
>>>>> sudo: ldap_start_tls_s() ok
>>>>>
>>>>> sudo: ldap_sasl_bind_s() ok
>>>>>
>>>>> sudo: no default options found!
>>>>>
>>>>> sudo: ldap search
>>>>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>>
>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>>
>>>>> sudo: ldap sudoHost '+hgroup1' ... not
>>>>>
>>>>> sudo: ldap search 'sudoUser=+*'
>>>>>
>>>>> sudo: user_matches=1
>>>>>
>>>>> sudo: host_matches=0
>>>>>
>>>>> sudo: sudo_ldap_lookup(0)=0x40
>>>>>
>>>>> [sudo] password for user1:
>>>>>
>>>>> Sorry, try again.
>>>>>
>>>>> [sudo] password for user1:
>>>>>
>>>>> sudo: 1 incorrect password attempt
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>      But if I remove the host group from the sudo rule and
>>>>> directly add the hosts that were in the host group, it works fine:
>>>>>
>>>>>
>>>>>
>>>>> <snip>
>>>>>
>>>>>
>>>>>
>>>>> sudo: ldap_start_tls_s() ok
>>>>>
>>>>> sudo: ldap_sasl_bind_s() ok
>>>>>
>>>>> sudo: no default options found!
>>>>>
>>>>> sudo: ldap search
>>>>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>>
>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>>
>>>>> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
>>>>>
>>>>> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
>>>>>
>>>>> sudo: ldap sudoCommand 'ALL' ... MATCH!
>>>>>
>>>>> sudo: Command allowed
>>>>>
>>>>> sudo: user_matches=1
>>>>>
>>>>> sudo: host_matches=1
>>>>>
>>>>> sudo: sudo_ldap_lookup(0)=0x02
>>>>>
>>>>> [sudo] password for user1:
>>>>>
>>>>> [serv_account at host1 ~]$
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>      So something isn't lining up correctly with host groups in
>>>>> sudo rules somewhere.  I just haven't been able to track it down.
>>>>>
>>>>>      Thanks,
>>>>>
>>>>>      -Mark
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> * *
>>>>>
>>>>> *________________________________________________________________
>>>>> *
>>>>>
>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>
>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 |
>>>>> Portland
>>>>> | Oregon
>>>>> | 97204 | USA
>>>>>
>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>> mark.tovey2
>>>>>
>>>>>
>>>>>
>>>>> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
>>>>> *Sent:* Monday, July 15, 2013 1:11 PM
>>>>> *To:* Tovey, Mark
>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>      Did anyone find a solution for this?  I am having the same experience.
>>>>>>
>>>>>>
>>>>>>
>>>>> Wow that was a mess...
>>>>>
>>>>> To use hostgroups for sudo ensure nisdomainname is set on the
>>>>> hosts to the IPA domain.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>



From pspacek at redhat.com  Thu Jul 18 10:27:16 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 18 Jul 2013 12:27:16 +0200
Subject: [Freeipa-users] Announcing bind-dyndb-ldap version 3.5
Message-ID: <51E7C304.3020407@redhat.com>

The FreeIPA team is proud to announce bind-dyndb-ldap version 3.5.

It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/. 
The new version has also been built for Fedora 19 and and is on its way to 
updates-testing:
https://admin.fedoraproject.org/updates/bind-dyndb-ldap-3.5-1.fc19

This release *enables persistent search by default*. Other changes include 
minor fixes and changes in documentation.

== Changes in 3.5 ==

[1] Crash triggered by zone_refresh with broken connection to LDAP was fixed.

[2] Code was changed to not trigger false positives in Clang static analyzer.

[3] Persistent search is enabled by default.

[4] Options cache_ttl, psearch and zone_refresh were formally deprecated.

[5] Autotools should work on aarch64 (ARM64).


== Upgrading ==

An server can be upgraded simply by installing updated rpms. BIND has to be 
restarted manually after the RPM installation.

You will need to clean up configuration file /etc/named.conf if your 
configuration contains typos or other unsupported options.

Downgrading back to any 2.x version is supported under following conditions:
- new object class idnsForwardZone is not utilized
- record types not supported by 2.x versions are not utilized
- configured connection count is >= 3 (to prevent deadlocks in 2.x releases)


== Important change planned for 4.0 release ==

Configurations with and without persistent search are now deprecated. Support 
for 'zone_refresh' and 'psearch' options will be removed in 4.0 release.

Bind-dyndb-ldap 4.0 will require LDAP server with support for RFC 4533.

389 DS team is actively working on this feature:
https://fedorahosted.org/389/ticket/47388


== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing
list: http://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Petr Spacek
Software engineer
Red Hat



From matthew.e.shapiro.ctr at mail.mil  Thu Jul 18 16:09:45 2013
From: matthew.e.shapiro.ctr at mail.mil (Shapiro, Matthew E CTR DODHRA DMDC (US))
Date: Thu, 18 Jul 2013 16:09:45 +0000
Subject: [Freeipa-users] help: ipa error 4301
In-Reply-To: <51E7A41B.3030705@redhat.com>
References: <461B4ED817602845B051F04C0FB2A29102ADBCE8@UHILHPYJ.easf.csd.disa.mil>
	<51E7A41B.3030705@redhat.com>
Message-ID: <461B4ED817602845B051F04C0FB2A29102ADBD82@UHILHPYJ.easf.csd.disa.mil>

SOLUTION

Just to follow up, I found that SELinux was the problem.  Once I ran
"#setenforce 0"  the ipa-client-install script worked with no issue and my client got a valid certificate.  Thanks for looking!

Matthew Shapiro


-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com] 
Sent: Thursday, July 18, 2013 1:15 AM
To: Shapiro, Matthew E CTR DODHRA DMDC (US)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] help: ipa error 4301

On 07/17/2013 11:14 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote:
> Hi ,
> 
>  
> 
> While running the ipa-client-install script on a RHEL 6.4 server, I get the
> following output (please note the indicated line with the arrow):
> 
>  
> 
> [root@[hostname]]# ipa-client-install
> 
> Discovery was successful!
> 
> Hostname: [hostname]
> 
> Realm: example.com
> 
> DNS Domain: example.com
> 
> IPA Server: chtvm-389.example.com
> 
> BaseDN: dc=example,dc=com
> 
>  
> 
> Continue to configure the system with these values? [no]: yes
> 
> User authorized to enroll computers: admin
> 
> Password for admin example com:
> 
>  
> 
> Enrolled in IPA realm example.com
> 
> Created /etc/ipa/default.conf
> 
> Configured /etc/sssd/sssd.conf
> 
> Configured /etc/krb5.conf for IPA realm example.com
> 
> SSSD enabled
> 
> Kerberos 5 enabled
> 
> ---?Unable to find 'admin' user with 'getent passwd admin'!
> 
> Recognized configuration: SSSD
> 
> NTP enabled
> 
> Client configuration complete.
> 
>  
> 
> Also, please note that I've obfuscated the hostname, domain, and realm for
> security reasons.    I believe I've narrowed down the problem to certificate
> enrollment.  When I check my IPA Server Web UI, I have a notice in my host
> details that says "no valid certificate present."  I then checked my client
> host by running:
> 
>  
> 
> [root at hostname user]# ipa-getcert list
> 
> Number of certificates and requests being tracked: 1.
> 
> Request ID '20130717205230':
> 
>         status: CA_UNCONFIGURED
> 
>         ca-error: Error setting up ccache for local "host" service using
> default keytab: Resource temporarily unavailable.
> 
>         stuck: yes
> 
>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
> Machine Certificate - hostname.example.com',token='NSS Certificate DB'
> 
>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
> Certificate - hostname.example.com '
> 
>         CA: IPA
> 
>         issuer:
> 
>         subject:
> 
>         expires: unknown
> 
>         pre-save command:
> 
>         post-save command:
> 
>         track: yes
> 
>         auto-renew: yes
> 
>  
> 
> I'm concerned about that "stuck" field, I have no idea what that means.
> 
> I have other RHEL 6.4 clients that have been able to join my IPA domain with no
> issue at all, but this one client baffles me.  Any thoughts??
> 
>  
> 
> ----------------------------------------------------------------------
> 
> Matthew Shapiro
> 
> Systems Administrator
> 
>  
> 
> Trofholz Technologies, Inc.
> 
> Defense Personnel and Security Research Center (PERSEREC)
> 
> Defense Manpower Data Center (DMDC)
> 
> Office: 831.583.2828
> 
>  
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 

There seems to be something wrong with the host keytab:

...

>         ca-error: Error setting up ccache for local "host" service using
> default keytab: Resource temporarily unavailable.

Can you check if the host principal in keytab are correct?

# klist -kt /etc/krb5.keytab

Are you able to kinit with the host principal?

# kinit -kt /etc/krb5.keytab host/[hostname]@[REALM]


Another issue I saw (Unable to find 'admin' user with 'getent passwd admin') -
is this still not working?

# getent passwd admin

Martin



From mkosek at redhat.com  Thu Jul 18 16:11:50 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 18 Jul 2013 18:11:50 +0200
Subject: [Freeipa-users] help: ipa error 4301
In-Reply-To: <461B4ED817602845B051F04C0FB2A29102ADBD82@UHILHPYJ.easf.csd.disa.mil>
References: <461B4ED817602845B051F04C0FB2A29102ADBCE8@UHILHPYJ.easf.csd.disa.mil>
	<51E7A41B.3030705@redhat.com>
	<461B4ED817602845B051F04C0FB2A29102ADBD82@UHILHPYJ.easf.csd.disa.mil>
Message-ID: <51E813C6.9010707@redhat.com>

I am glad to hear that.

Can you just please send me the respective AVCs from /var/log/audit/audit.log?
FreeIPA software is supposed to be run with SELinux enforced and we do our best
so that it really works with SELinux enforced.

Thanks,
Martin

On 07/18/2013 06:09 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote:
> SOLUTION
> 
> Just to follow up, I found that SELinux was the problem.  Once I ran
> "#setenforce 0"  the ipa-client-install script worked with no issue and my client got a valid certificate.  Thanks for looking!
> 
> Matthew Shapiro
> 
> 
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com] 
> Sent: Thursday, July 18, 2013 1:15 AM
> To: Shapiro, Matthew E CTR DODHRA DMDC (US)
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] help: ipa error 4301
> 
> On 07/17/2013 11:14 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote:
>> Hi ,
>>
>>  
>>
>> While running the ipa-client-install script on a RHEL 6.4 server, I get the
>> following output (please note the indicated line with the arrow):
>>
>>  
>>
>> [root@[hostname]]# ipa-client-install
>>
>> Discovery was successful!
>>
>> Hostname: [hostname]
>>
>> Realm: example.com
>>
>> DNS Domain: example.com
>>
>> IPA Server: chtvm-389.example.com
>>
>> BaseDN: dc=example,dc=com
>>
>>  
>>
>> Continue to configure the system with these values? [no]: yes
>>
>> User authorized to enroll computers: admin
>>
>> Password for admin example com:
>>
>>  
>>
>> Enrolled in IPA realm example.com
>>
>> Created /etc/ipa/default.conf
>>
>> Configured /etc/sssd/sssd.conf
>>
>> Configured /etc/krb5.conf for IPA realm example.com
>>
>> SSSD enabled
>>
>> Kerberos 5 enabled
>>
>> ---?Unable to find 'admin' user with 'getent passwd admin'!
>>
>> Recognized configuration: SSSD
>>
>> NTP enabled
>>
>> Client configuration complete.
>>
>>  
>>
>> Also, please note that I've obfuscated the hostname, domain, and realm for
>> security reasons.    I believe I've narrowed down the problem to certificate
>> enrollment.  When I check my IPA Server Web UI, I have a notice in my host
>> details that says "no valid certificate present."  I then checked my client
>> host by running:
>>
>>  
>>
>> [root at hostname user]# ipa-getcert list
>>
>> Number of certificates and requests being tracked: 1.
>>
>> Request ID '20130717205230':
>>
>>         status: CA_UNCONFIGURED
>>
>>         ca-error: Error setting up ccache for local "host" service using
>> default keytab: Resource temporarily unavailable.
>>
>>         stuck: yes
>>
>>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
>> Machine Certificate - hostname.example.com',token='NSS Certificate DB'
>>
>>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
>> Certificate - hostname.example.com '
>>
>>         CA: IPA
>>
>>         issuer:
>>
>>         subject:
>>
>>         expires: unknown
>>
>>         pre-save command:
>>
>>         post-save command:
>>
>>         track: yes
>>
>>         auto-renew: yes
>>
>>  
>>
>> I'm concerned about that "stuck" field, I have no idea what that means.
>>
>> I have other RHEL 6.4 clients that have been able to join my IPA domain with no
>> issue at all, but this one client baffles me.  Any thoughts??
>>
>>  
>>
>> ----------------------------------------------------------------------
>>
>> Matthew Shapiro
>>
>> Systems Administrator
>>
>>  
>>
>> Trofholz Technologies, Inc.
>>
>> Defense Personnel and Security Research Center (PERSEREC)
>>
>> Defense Manpower Data Center (DMDC)
>>
>> Office: 831.583.2828
>>
>>  
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
> 
> There seems to be something wrong with the host keytab:
> 
> ...
> 
>>         ca-error: Error setting up ccache for local "host" service using
>> default keytab: Resource temporarily unavailable.
> 
> Can you check if the host principal in keytab are correct?
> 
> # klist -kt /etc/krb5.keytab
> 
> Are you able to kinit with the host principal?
> 
> # kinit -kt /etc/krb5.keytab host/[hostname]@[REALM]
> 
> 
> Another issue I saw (Unable to find 'admin' user with 'getent passwd admin') -
> is this still not working?
> 
> # getent passwd admin
> 
> Martin
> 



From aellert at numeezy.com  Thu Jul 18 17:20:58 2013
From: aellert at numeezy.com (Alexandre Ellert)
Date: Thu, 18 Jul 2013 19:20:58 +0200
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <51E39897.5080907@redhat.com>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
	<20130712173610.GY18587@redhat.com>
	<77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>
	<51E39897.5080907@redhat.com>
Message-ID: <514753AE-EB70-4497-897F-F80C08192FD8@numeezy.com>

I've made packages from Debian Wheezy (actually only amd64). The goal is ti have a full functional and compatible client with Centos/RHEL 6.4 freeipa server 3.0.0.
Actually join domain, ssh key upload, certificate enrollment and sudo integration works in my environment.

If you want to test, just add this to /etc/apt/sources.list :
deb http://apt.numeezy.fr wheezy main
deb-src http://apt.numeezy.fr wheezy main
and import my GPG key :
# wget -qO - http://apt.numeezy.fr/numeezy.asc | sudo apt-key add -
Then, install package named freeipa-client.
You can also download source using : apt-get source freeipa.

Feel free to contact me if you have any issue using this package.

PS : I've based my work on package done by Timo Aaltonen for Ubuntu. Thanks to him for his excellent work !

Alexandre

Le 15 juil. 2013 ? 08:37, Petr Spacek <pspacek at redhat.com> a ?crit :

> On 12.7.2013 19:57, Alexandre Ellert wrote:
>> Thanks for pointing that bug, compilation succeeded if adding "X-Python-Version: 2.7" to debian/control file.
>> Now, testing functionality...
>> I can give you some feedback if you want (i'm new here. Is there only RHEL/Fedora users on this mailing list ?)
> 
> This list is not Fedora/RHEL specific. We are glad to hear about ports to another distributions, please continue! :-)
> 
> -- 
> Petr^2 Spacek
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




From arthur at deus.pro  Thu Jul 18 17:49:34 2013
From: arthur at deus.pro (Arthur)
Date: Thu, 18 Jul 2013 23:49:34 +0600
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
	<20130712173610.GY18587@redhat.com>
	<77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>
Message-ID: <20130718234934.40e7c364@oldcomp.soho.internal>

? Fri, 12 Jul 2013 19:57:09 +0200
Alexandre Ellert <aellert at numeezy.com> ?????:

> Thanks for pointing that bug, compilation succeeded if adding
> "X-Python-Version: 2.7" to debian/control file. Now, testing
> functionality... I can give you some feedback if you want (i'm new
> here. Is there only RHEL/Fedora users on this mailing list ?)
> 
> Le 12 juil. 2013 ? 19:36, Alexander Bokovoy <abokovoy at redhat.com> a
> ?crit :
> 
> > On Fri, 12 Jul 2013, Alexandre Ellert wrote:
> >> Hi,
> >> 
> >> I'm currently trying to get a functional .deb package working on
> >> Debian Wheezy. I have tried to recompile a package from Ubuntu
> >> Precise (https://launchpad.net/~freeipa/+archive/ppa) without
> >> success.
> >> 
> >> First error was about compiling ipa-join :
> >> ipa-join.c: In function ?callRPC?:
> >> ipa-join.c:174:20: error: ?struct xmlrpc_curl_xportparms? has no
> >> member named ?gssapi_delegation? => Fix : Add
> >> backport-gssapi-delegation.patch to package xmlrpc-c and then
> >> install resulting libxmlrpc-core-c3-dev.deb and
> >> libxmlrpc-core-c3.deb
> >> 
> >> Now, recompile again with new patched libxmlrpc-core-c3...
> >> compilation go further, but I'm stuck at the end of process of
> >> building .deb : dh_install --list-missing dh_install:
> >> usr/share/man/man1/ipa-client-automount.1.gz exists in debian/tmp
> >> but is not installed to anywhere dh_install:
> >> usr/sbin/ipa-client-automount exists in debian/tmp but is not
> >> installed to anywhere make[1]: quittant le r?pertoire
> >> ? /root/freeipa-ppa/freeipa-3.2.0 ? dh_install dh_installdocs
> >> dh_installchangelogs dh_installexamples
> >>  dh_installman
> >>  dh_installcatalogs
> >>  dh_installcron
> >>  dh_installdebconf
> >>  dh_installemacsen
> >>  dh_installifupdown
> >>  dh_installinfo
> >>  dh_python2
> >> E: dh_python2:145: extension for python2.6 is missing. Build
> >> extensions for all supported Python versions (`pyversions -vr`) or
> >> adjust X-Python-Version field or pass --no-guessing-versions to
> >> dh_python2 make: *** [binary] Erreur 3 dpkg-buildpackage: erreur:
> >> debian/rules binary a produit une erreur de sortie de type 2
> >> 
> >> Any idea or me advice about how to backport freeipa-client to
> >> wheezy ?
> > Perhaps, you can fix it in a manner similar to
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628827
> > 
> > -- 
> > / Alexander Bokovoy
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

That is great! I have to use some debian servers. It would be good to
add them to IPA-domain :)



From MTovey at go2uti.com  Thu Jul 18 18:06:14 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Thu, 18 Jul 2013 18:06:14 +0000
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <51E7AF29.4010006@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
	<51E4F750.9010103@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>
	<51E5A436.5080403@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65DEBF@sinmpt10.corp.go2uti.com>
	<20130717083213.GK22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A66247F@sinmpt10.corp.go2uti.com>
	<20130717155733.GD22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A0120217A@sinmpt11.corp.go2uti.com>
	<51E7AF29.4010006@redhat.com>
Message-ID: <159018F515D5B14CA76C88F9C425325A012169F0@sinmpt10.corp.go2uti.com>



host1-> nisdomainname
my_domain.com

host1-> rpm -q sudo
sudo-1.7.2p1-6.el5_5

    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Pavel Brezina
Sent: Thursday, July 18, 2013 2:03 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

On 07/17/2013 06:39 PM, Tovey, Mark wrote:
>
>      Okay, I get it (pardon my obtuseness).
>
>      host1-> getent netgroup hgroup1
>      hgroup1                   (host1.my_domain.com, -, my_domain.com)
>
>      So netgroups are working.  The host group is defined in IPA and getent is able to access that information.
>      Thanks,
>      -Mark

Hi,
can you also paste the output of following commands please?

$ nisdomainname
$ rpm -q sudo

Thanks,
Pavel.

>
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
> MTovey at go2uti.com | O / C +1 503 953-1389
>
>
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
> Sent: Wednesday, July 17, 2013 8:58 AM
> To: Tovey, Mark
> Cc: dpal at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On Wed, Jul 17, 2013 at 03:01:58PM +0000, Tovey, Mark wrote:
>>
>>      We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.
>
> OK, these are recent enough to support netgroups and the compat tree should be configured automatically.
>
>> Those came out of the 'latest' repository.  We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything.
>
> Every hostgroup is automatically translated into a netgroup on the server side. You said you have some host groups present, so does "getent netgroup <name-of-hostgroup> return any netgroup data?
>
>>      Thanks,
>>      -Mark
>>
>
>>
>> ________________________________________________________________
>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
>> MTovey at go2uti.com | O / C +1 503 953-1389
>>
>>
>> -----Original Message-----
>> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
>> Sent: Wednesday, July 17, 2013 1:32 AM
>> To: Tovey, Mark
>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>> On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
>>>
>>>
>>>      We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:
>>
>> Hi Mark,
>>
>> you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version..
>>
>> What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?
>>
>> Does getent netgroup <netgroup-name> work?
>>
>>>
>>> [sssd]
>>> config_file_version = 2
>>> services = nss, pam
>>>
>>> domains = my_domain.com
>>> [nss]
>>>
>>> [pam]
>>>
>>>   [domain/my_domain.com]
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True ipa_domain = my_domain.com 
>>> id_provider = ipa auth_provider = ipa access_provider = ipa 
>>> chpass_provider = ipa ipa_server = _srv_, ipa_server.my_domain.com 
>>> ldap_tls_cacert = /etc/ipa/ca.crt debug_level = 6
>>>
>>>
>>>      And the nsswitch.conf file:
>>>
>>> passwd:     files sss
>>> shadow:     files sss
>>> group:      files sss
>>>
>>> hosts:      files dns
>>>
>>> bootparams: nisplus [NOTFOUND=return] files
>>>
>>> ethers:     files
>>> netmasks:   files
>>> networks:   files
>>> protocols:  files
>>> rpc:        files
>>> services:   files
>>>
>>> netgroup:   files sss
>>>
>>> publickey:  nisplus
>>>
>>> automount:  files ldap
>>> aliases:    files
>>>
>>> sudoers:    files ldap
>>>
>>>      Thanks,
>>>      -Mark
>>>
>>>
>>>
>>> ________________________________________________________________
>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
>>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
>>> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>>>
>>>
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com 
>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
>>> Sent: Tuesday, July 16, 2013 12:51 PM
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>
>>> On 07/16/2013 02:11 PM, Tovey, Mark wrote:
>>>>      My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we were able to find RPM packages for them.  We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet.  Again, we are just evaluating at this point.  So far, so good, except for this one point.
>>>>      The doman name, host name, and nsswitch.conf files are all properly configured.  But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).  After you asked about that, I started looking into the documentation on netgroups.  The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats."  But when I look in the Netgroups area, I do not see any netgroups defined.  I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to reflect what was stated in the documentation.
>>>>      But I am still stumped.  I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
>>>>      Thanks,
>>>>      -Mark
>>>
>>> So can it seems that the first thing you need to to do is to make sure your netgroups work.
>>> If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups.
>>> Are you using SSSD for netgroups or something else?
>>> Can you please share your sssd.conf and area where it configures netgroups?
>>> Also is sss in the nsswitch.conf for netgroups map?
>>>
>>>>
>>>>
>>>> ________________________________________________________________
>>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
>>>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
>>>> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>>>>
>>>> -----Original Message-----
>>>> From: Martin Kosek [mailto:mkosek at redhat.com]
>>>> Sent: Tuesday, July 16, 2013 12:34 AM
>>>> To: Tovey, Mark
>>>> Cc: Steven Jones; James Hogarth; Freeipa-users at redhat.com; Pavel 
>>>> Brezina
>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>
>>>> Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that.
>>>>
>>>> ~~~~
>>>> Can you confirm that the output of the following commands:
>>>> 1. $ domainname
>>>> * does it match your domain?
>>>> 2. $ hostname
>>>> * does match match your fqdn?
>>>> 3. $ getent netgroup esolutions-sandbox-hosts
>>>> * does this list your host?
>>>> 4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?
>>>>
>>>>
>>>> Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):
>>>>
>>>> At the top, add the line: sudoers_debug 2
>>>>
>>>> Then try another sudo command. sudo -l for example.
>>>> ~~~~
>>>>
>>>> For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).
>>>>
>>>> Martin
>>>>
>>>>
>>>> On 07/16/2013 06:09 AM, Tovey, Mark wrote:
>>>>>
>>>>>
>>>>>      Okay, I stopped sssd on the client and deleted the cache 
>>>>> files, removed the sudo rule, started sssd and verified that the 
>>>>> rule was gone, stopped sssd and deleted the files again, added the 
>>>>> rule back in, restarted sssd, and still it does not work.
>>>>> One note, when I enter the hosts into the sudo rule in place of 
>>>>> the host group, the effect is immediate; I do not need to restart 
>>>>> sssd.  And the opposite is true too: if I put the host group back, 
>>>>> the rule immediately stops working.  I don't think the issue is 
>>>>> cache related; it seems to be something else.  The serv_account that we are accessing with the sudo rule is external.  I wouldn't expect that to matter, but perhaps it does?
>>>>>
>>>>>
>>>>>
>>>>>      I like your idea for the labels; they make sense.  Right now 
>>>>> we are just evaluating this to see if we want to go this route.
>>>>> So far we like it, but this could be a problem because we have a 
>>>>> several hundred hosts that we need to manage.  Having to enter each one individually will be problematic.
>>>>>
>>>>>      Thanks,
>>>>>
>>>>>      -Mark
>>>>>
>>>>>
>>>>>
>>>>> * *
>>>>>
>>>>> *________________________________________________________________
>>>>> *
>>>>>
>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>
>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
>>>>> Portland
>>>>> | Oregon
>>>>> | 97204 | USA
>>>>>
>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>> mark.tovey2
>>>>>
>>>>>
>>>>>
>>>>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>>>>> *Sent:* Monday, July 15, 2013 4:44 PM
>>>>> *To:* Tovey, Mark; James Hogarth
>>>>> *Cc:* Freeipa-users at redhat.com
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>> option b) delete the rule totally and redo it from scratch.
>>>>>
>>>>> I label rules like this,
>>>>>
>>>>> hb-xxxx   for a hbac rule
>>>>>
>>>>> su-xxxx for a sudo rule
>>>>>
>>>>> sc-xxxx for a sudo command group
>>>>>
>>>>> ug-xxxx for a user group
>>>>>
>>>>> hg-xxxx for a host groups
>>>>>
>>>>> etc
>>>>>
>>>>> etc
>>>>>
>>>>> It makes the logic easier when you go into command line which I 
>>>>> find easier to trace with than the gui at time.
>>>>>
>>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> -----------------------------------------------------------------
>>>>> --
>>>>> --
>>>>> -
>>>>> ---------
>>>>>
>>>>> *From:*Tovey, Mark [MTovey at go2uti.com]
>>>>> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
>>>>> *To:* Steven Jones; James Hogarth
>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>>      That didn't work either.  I set up the host group in my sudo 
>>>>> rule, stopped sssd, renamed /var/lib/sss/db and created a new db 
>>>>> directory, then restarted sssd.  New files were created in the db 
>>>>> directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
>>>>>
>>>>>      Thanks,
>>>>>
>>>>>      -Mark
>>>>>
>>>>>
>>>>>
>>>>> * *
>>>>>
>>>>> *________________________________________________________________
>>>>> *
>>>>>
>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>
>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
>>>>> Portland
>>>>> | Oregon
>>>>> | 97204 | USA
>>>>>
>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>> mark.tovey2
>>>>>
>>>>>
>>>>>
>>>>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>>>>> *Sent:* Monday, July 15, 2013 4:15 PM
>>>>> *To:* Tovey, Mark; James Hogarth
>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> This is a known issue Ive suffered a long time with.  What would 
>>>>> be interesting is adding another host to the host group could well 
>>>>> work fine, that will really make you bang your head against the wall..
>>>>>
>>>>> 2 possibilities, stop the sssd daemon on the problem host, delete 
>>>>> its cache and start it, that might fix it.
>>>>>
>>>>> Otherwise best to,
>>>>>
>>>>> All RH support could come up with is delete the HBAC rule, sudo 
>>>>> rule, user group and host group and re-do it, then it will probably work fine.
>>>>>
>>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> -----------------------------------------------------------------
>>>>> --
>>>>> --
>>>>> -
>>>>> ---------
>>>>>
>>>>> *From:*freeipa-users-bounces at redhat.com
>>>>> <mailto:freeipa-users-bounces at redhat.com>
>>>>> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark 
>>>>> [MTovey at go2uti.com]
>>>>> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
>>>>> *To:* James Hogarth
>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>      I checked that and it is set correctly:
>>>>>
>>>>>
>>>>>
>>>>> [user1 at host1 ~]$ nisdomainname
>>>>>
>>>>> my_domain.com
>>>>>
>>>>>
>>>>>
>>>>>      If I try to run a command with the hosts specified indirectly 
>>>>> through a host group, it fails:
>>>>>
>>>>>
>>>>>
>>>>> [user1 at host1 ~]$ sudo -i -u serv_account
>>>>>
>>>>> LDAP Config Summary
>>>>>
>>>>> ===================
>>>>>
>>>>> uri              ldap://ipa_server.my_domain.com
>>>>>
>>>>> ldap_version     3
>>>>>
>>>>> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
>>>>>
>>>>> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
>>>>>
>>>>> bindpw           **********
>>>>>
>>>>> bind_timelimit   5000
>>>>>
>>>>> timelimit        15
>>>>>
>>>>> ssl              start_tls
>>>>>
>>>>> tls_checkpeer    (yes)
>>>>>
>>>>> tls_cacertfile   /etc/ipa/ca.crt
>>>>>
>>>>> ===================
>>>>>
>>>>> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
>>>>>
>>>>> sudo: ldap_set_option: debug -> 0
>>>>>
>>>>> sudo: ldap_set_option: ldap_version -> 3
>>>>>
>>>>> sudo: ldap_set_option: tls_checkpeer -> 1
>>>>>
>>>>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>>>>>
>>>>> sudo: ldap_set_option: timelimit -> 15
>>>>>
>>>>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>>>>>
>>>>>
>>>>>
>>>>> sudo: ldap_start_tls_s() ok
>>>>>
>>>>> sudo: ldap_sasl_bind_s() ok
>>>>>
>>>>> sudo: no default options found!
>>>>>
>>>>> sudo: ldap search
>>>>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>>
>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>>
>>>>> sudo: ldap sudoHost '+hgroup1' ... not
>>>>>
>>>>> sudo: ldap search 'sudoUser=+*'
>>>>>
>>>>> sudo: user_matches=1
>>>>>
>>>>> sudo: host_matches=0
>>>>>
>>>>> sudo: sudo_ldap_lookup(0)=0x40
>>>>>
>>>>> [sudo] password for user1:
>>>>>
>>>>> Sorry, try again.
>>>>>
>>>>> [sudo] password for user1:
>>>>>
>>>>> sudo: 1 incorrect password attempt
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>      But if I remove the host group from the sudo rule and 
>>>>> directly add the hosts that were in the host group, it works fine:
>>>>>
>>>>>
>>>>>
>>>>> <snip>
>>>>>
>>>>>
>>>>>
>>>>> sudo: ldap_start_tls_s() ok
>>>>>
>>>>> sudo: ldap_sasl_bind_s() ok
>>>>>
>>>>> sudo: no default options found!
>>>>>
>>>>> sudo: ldap search
>>>>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>>
>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>>
>>>>> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
>>>>>
>>>>> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
>>>>>
>>>>> sudo: ldap sudoCommand 'ALL' ... MATCH!
>>>>>
>>>>> sudo: Command allowed
>>>>>
>>>>> sudo: user_matches=1
>>>>>
>>>>> sudo: host_matches=1
>>>>>
>>>>> sudo: sudo_ldap_lookup(0)=0x02
>>>>>
>>>>> [sudo] password for user1:
>>>>>
>>>>> [serv_account at host1 ~]$
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>      So something isn't lining up correctly with host groups in 
>>>>> sudo rules somewhere.  I just haven't been able to track it down.
>>>>>
>>>>>      Thanks,
>>>>>
>>>>>      -Mark
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> * *
>>>>>
>>>>> *________________________________________________________________
>>>>> *
>>>>>
>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>
>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
>>>>> Portland
>>>>> | Oregon
>>>>> | 97204 | USA
>>>>>
>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>> mark.tovey2
>>>>>
>>>>>
>>>>>
>>>>> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
>>>>> *Sent:* Monday, July 15, 2013 1:11 PM
>>>>> *To:* Tovey, Mark
>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>      Did anyone find a solution for this?  I am having the same experience.
>>>>>>
>>>>>>
>>>>>>
>>>>> Wow that was a mess...
>>>>>
>>>>> To use hostgroups for sudo ensure nisdomainname is set on the 
>>>>> hosts to the IPA domain.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



From sakodak at gmail.com  Thu Jul 18 20:55:31 2013
From: sakodak at gmail.com (KodaK)
Date: Thu, 18 Jul 2013 15:55:31 -0500
Subject: [Freeipa-users] IPA + AD authentication in apache
Message-ID: <CAA9J0ZF00x6iRuX5vLAfV4gbfQYF5fP460EkErsRvMoUxV0i2A@mail.gmail.com>

Another off the wall one from me, but I just want to know if this is worth
pursuing.

I have a series of internal web applications that authenticate variously to
AD or IPA via prompted credentials.

I'd like to use Kerberos tickets (and fall back to LDAP) instead.

I have an IPA connected apache server that most of this stuff runs on.

Is it possible to use both?

I'm going to try following this example to get my feet wet:

http://www.tuxlanding.net/kerberos-authentication-with-apache-in-a-multi-domain-active-directory/

but that's just talking about mutilple AD realms.  I'd like to know if
there was any special considerations for IPA

Thanks again,

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130718/5618508a/attachment.htm>

From sigbjorn at nixtra.com  Thu Jul 18 21:43:49 2013
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 18 Jul 2013 23:43:49 +0200
Subject: [Freeipa-users] IPA + AD authentication in apache
In-Reply-To: <CAA9J0ZF00x6iRuX5vLAfV4gbfQYF5fP460EkErsRvMoUxV0i2A@mail.gmail.com>
References: <CAA9J0ZF00x6iRuX5vLAfV4gbfQYF5fP460EkErsRvMoUxV0i2A@mail.gmail.com>
Message-ID: <c8d55c08-c4ba-4b4a-8456-ae3acd52fd0e@email.android.com>

Hi.

I've done the kerberos part with several Apache Web servers with success. I've not done the fallback to ldap basic auth.  

Set KrbServiceName to Any in httpd.conf and put a HTTP service kerberos keytab from AD and one from IPA in the same keytab file. Reference this keytab file in httpd.conf.



Regards
Siggi


KodaK <sakodak at gmail.com> wrote:

>Another off the wall one from me, but I just want to know if this is
>worth
>pursuing.
>
>I have a series of internal web applications that authenticate
>variously to
>AD or IPA via prompted credentials.
>
>I'd like to use Kerberos tickets (and fall back to LDAP) instead.
>
>I have an IPA connected apache server that most of this stuff runs on.
>
>Is it possible to use both?
>
>I'm going to try following this example to get my feet wet:
>
>http://www.tuxlanding.net/kerberos-authentication-with-apache-in-a-multi-domain-active-directory/
>
>but that's just talking about mutilple AD realms.  I'd like to know if
>there was any special considerations for IPA
>
>Thanks again,
>
>--Jason
>
>-- 
>The government is going to read our mail anyway, might as well make it
>tough for them.  GPG Public key ID:  B6A1A7C6
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Freeipa-users mailing list
>Freeipa-users at redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130718/20243b59/attachment.htm>

From aellert at numeezy.com  Fri Jul 19 00:59:39 2013
From: aellert at numeezy.com (Alexandre Ellert)
Date: Fri, 19 Jul 2013 02:59:39 +0200
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <20130718234934.40e7c364@oldcomp.soho.internal>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
	<20130712173610.GY18587@redhat.com>
	<77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>
	<20130718234934.40e7c364@oldcomp.soho.internal>
Message-ID: <6F5AF221-07C8-4EEC-BD5C-71B2B2A8383A@numeezy.com>

Hi,

I have these 3 errors/warnings message when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):

=> certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
There is no such file even on RHEL 6. What is this file ?
=> host_mod: KerbTransport instance has no attribute '_conn'
What does that mean ?
=> Failed to upload host SSH public keys.
This is strange because SSH key are correctly uploaded !

Here is the complete stack trace :
Server :
ipa host-add test1.numeezy.fr --platform="VMware, Inc." --os="Debian GNU/Linux 7.1 (wheezy)" --password= OTP_password

Client  :
# ipa-client-install --server=inf-ipa.numeezy.fr --hostname=test1.numeezy.fr --domain=numeezy.fr --realm=NUMEEZY.FR --password=OTP_password --no-ntp --unattended 
Hostname: test1.numeezy.fr
Realm: NUMEEZY.FR
DNS Domain: numeezy.fr
IPA Server: inf-ipa.numeezy.fr
BaseDN: dc=numeezy,dc=fr
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Enrolled in IPA realm NUMEEZY.FR
Created /etc/ipa/default.conf
Domain numeezy.fr is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm NUMEEZY.FR
trying https://inf-ipa.numeezy.fr/ipa/xml
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://inf-ipa.numeezy.fr/ipa/xml'
host_mod: KerbTransport instance has no attribute '_conn'
Failed to upload host SSH public keys.

Please let me know if more information is needed and thanks in advance for your help.

Regards,

Alexandre
 
Le 18 juil. 2013 ? 19:49, Arthur <arthur at deus.pro> a ?crit :

> ? Fri, 12 Jul 2013 19:57:09 +0200
> Alexandre Ellert <aellert at numeezy.com> ?????:
> 
>> Thanks for pointing that bug, compilation succeeded if adding
>> "X-Python-Version: 2.7" to debian/control file. Now, testing
>> functionality... I can give you some feedback if you want (i'm new
>> here. Is there only RHEL/Fedora users on this mailing list ?)
>> 
>> Le 12 juil. 2013 ? 19:36, Alexander Bokovoy <abokovoy at redhat.com> a
>> ?crit :
>> 
>>> On Fri, 12 Jul 2013, Alexandre Ellert wrote:
>>>> Hi,
>>>> 
>>>> I'm currently trying to get a functional .deb package working on
>>>> Debian Wheezy. I have tried to recompile a package from Ubuntu
>>>> Precise (https://launchpad.net/~freeipa/+archive/ppa) without
>>>> success.
>>>> 
>>>> First error was about compiling ipa-join :
>>>> ipa-join.c: In function ?callRPC?:
>>>> ipa-join.c:174:20: error: ?struct xmlrpc_curl_xportparms? has no
>>>> member named ?gssapi_delegation? => Fix : Add
>>>> backport-gssapi-delegation.patch to package xmlrpc-c and then
>>>> install resulting libxmlrpc-core-c3-dev.deb and
>>>> libxmlrpc-core-c3.deb
>>>> 
>>>> Now, recompile again with new patched libxmlrpc-core-c3...
>>>> compilation go further, but I'm stuck at the end of process of
>>>> building .deb : dh_install --list-missing dh_install:
>>>> usr/share/man/man1/ipa-client-automount.1.gz exists in debian/tmp
>>>> but is not installed to anywhere dh_install:
>>>> usr/sbin/ipa-client-automount exists in debian/tmp but is not
>>>> installed to anywhere make[1]: quittant le r?pertoire
>>>> ? /root/freeipa-ppa/freeipa-3.2.0 ? dh_install dh_installdocs
>>>> dh_installchangelogs dh_installexamples
>>>> dh_installman
>>>> dh_installcatalogs
>>>> dh_installcron
>>>> dh_installdebconf
>>>> dh_installemacsen
>>>> dh_installifupdown
>>>> dh_installinfo
>>>> dh_python2
>>>> E: dh_python2:145: extension for python2.6 is missing. Build
>>>> extensions for all supported Python versions (`pyversions -vr`) or
>>>> adjust X-Python-Version field or pass --no-guessing-versions to
>>>> dh_python2 make: *** [binary] Erreur 3 dpkg-buildpackage: erreur:
>>>> debian/rules binary a produit une erreur de sortie de type 2
>>>> 
>>>> Any idea or me advice about how to backport freeipa-client to
>>>> wheezy ?
>>> Perhaps, you can fix it in a manner similar to
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628827
>>> 
>>> -- 
>>> / Alexander Bokovoy
>> 
>> 
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> That is great! I have to use some debian servers. It would be good to
> add them to IPA-domain :)
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




From craig.freeipa at noboost.org  Fri Jul 19 01:27:09 2013
From: craig.freeipa at noboost.org (craig.freeipa at noboost.org)
Date: Fri, 19 Jul 2013 11:27:09 +1000
Subject: [Freeipa-users] Redhat IPA as a SSL CA
Message-ID: <20130719012709.GA28052@noboost.org>

Hi,

I've been using Redhat IPA 2.2 as our internal CA quite successfully
for a while and managing in it from the IPA management website. 

I'm struggling to find precise information about the SSL certs and
management at a CLI level.

1) Can I submit SSL CSR via cli?
2) Where are the approved client SSL certs kept in IPA?


cya

Craig



From rendhalver at gmail.com  Fri Jul 19 02:46:50 2013
From: rendhalver at gmail.com (Pete Brown)
Date: Fri, 19 Jul 2013 12:46:50 +1000
Subject: [Freeipa-users] problem creating replica
In-Reply-To: <51E7BA4F.2060903@redhat.com>
References: <CAJ8DPF7-nAxu5+BbLt0t7Hb2reJrYg273v6r6kQq3j2gnsEeOA@mail.gmail.com>
	<CAJ8DPF4Fdeu5VBK4wdcm_cS1ATE3WR4b8-fE42m1ERTvP18u1A@mail.gmail.com>
	<51E7BA4F.2060903@redhat.com>
Message-ID: <CAJ8DPF5DvkXeN5h3AOiO61cUppSKDRSuqPkZCnUF-6A582vfOw@mail.gmail.com>

On 18 July 2013 19:50, Petr Viktorin <pviktori at redhat.com> wrote:
> On 07/18/2013 03:31 AM, Pete Brown wrote:
>>
>> I opened all the ports that seemed to be listening n the master.
>> I also ran the setup again without disabling the connection check to
>> see what else needed fixing.
>> It seems after much investigation and log dredging it seems my admin
>> password had expired.
>> I wasn't aware that was possible.
>> I reset the password and it seemed to get further.
>> This for some reason not mentioned in the documentation the replica is
>> trying to ssh into the master as admin.
>> I managed to fix that by changing my setup and ssh config files.
>>
>> Then it actually managed to start the setup process.
>> But again it fails at exactly the same point mentioned in my initial
>> email.
>>
>> After some further digging with reference to the log output below it
>> seems I have run into a bug that seems to have been fixed.
>> https://fedorahosted.org/freeipa/ticket/3213
>> As I mentioned I am running current Fedora 18 so freeipa is
>> 3.1.5-1.fc18 is that fixed in my version?
>
>
> Yes, that bug was fixed in 3.1.0.

Well the script is still complaining about not being able to find
dogtag_master_ds_port and the option still appears in my version of
the script.
Which from the bug seems to be what was causing the issue and the
ipareplica-install log I included below says this is the case.
It seems a bit odd because this is a fresh install of 3.1.5.



>> It also seems the dogatg and IPA directories will be or have been merged?
>> Which version did this happen in and will it get applied to my server?
>
>
> Also in 3.1.0; new servers installed using that version have merged
> databases.

I still seem to have split instances.
I did the install before Fedora 18 was released because I wanted ipa 3
and that was the only way I could get it.
Will they get merged at some point or can I do it manually?

>
>> Can anyone suggest how I go about fixing this issue?
>
>
> Well, ipa-server-uninstall can misbehave if CA installation goes wrong
> (ticket #2796).
> So I would start by uninstalling, then running the following command to make
> sure CA is not left:
>     sudo pkidestroy -s CA -i pki-tomcat
> then installing again.

Ran that on my replica after the install and before the clean and it said this.
That would make sense because it fails during the ca creation stage.

root at ipa2 ~]# pkidestroy -s CA -i pki-tomcat
ERROR:  PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!


>
> Can you also provide logs without the --skip-conncheck flag? Specifically
> the /var/log/ipareplica-conncheck.log should be interesting.

>From what I can tell all the tests in the connection check passed.

>
>
>> I wanted to create a replica so I could upgrade to fedora 19 and not
>> have to take my single instance of FreeIPA offline while that was
>> happening.
>> Will I need to upgrade to Fedora 19 to fix my issue?
>
>
>
>> For reference this is the point of failure in the
>> /var/log/ipareplica-install.log file
>>
>> 2013-07-18T01:06:16Z DEBUG Starting external process
>> 2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
>> 2013-07-18T01:08:16Z DEBUG Process finished, return code=1
>> 2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration
>> from /tmp/tmpFKBxMW.
>> ERROR:  Unable to access security domain: 503 Server Error: Service
>> Unavailable
>
>
> Please also check logs on the existing server. Is the CA available?
> Does e.g. `ipa cert-show 1` work?
>
>> 2013-07-18T01:08:16Z DEBUG stderr=
>> 2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command
>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit
>> status 1
>> 2013-07-18T01:08:16Z INFO   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 619, in run_script
>>      return_value = main_function()
>>
>>    File "/usr/sbin/ipa-replica-install", line 652, in main
>>      (CA, cs) = cainstance.install_replica_ca(config,
>> dogtag_master_ds_port)
>>
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 1809, in install_replica_ca
>>      subject_base=config.subject_base)
>>
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 625, in configure_instance
>>      self.start_creation(runtime=210)
>>
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 358, in start_creation
>>      method()
>>
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 744, in __spawn_instance
>>      raise RuntimeError('Configuration of CA failed')
>>
>> 2013-07-18T01:08:16Z INFO The ipa-replica-install command failed,
>> exception: RuntimeError: Configuration of CA failed
>>
>> On 17 July 2013 15:52, Pete Brown <rendhalver at gmail.com> wrote:
>>>
>>> Hi everyone,
>>>
>>> I am attempting to create a replica of my freeipa server.
>>> I am following the docs but they are not working for me.
>>> I am getting the vague impression I am missing a step that doesn't
>>> seem to be documented.
>>>
>>> For the record all the posts listed are open and it was a clean
>>> install of Fedora 18.
>>>
>>> I thought the server may need to be a client of the master before I
>>> set it up as a replica but it just said I needed to uninstall the
>>> client setup.
>>>
>>> After running ipa-replica-prepare on the master and scping the file to
>>> the new replica.
>>> I ran this command on the new replica
>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>>> --forwarder=XXX.XXX.XXX.XX --forwarder=XX.XXX.XXX.XXX
>>> /var/lib/ipa/replica-info-ipa2.domain.com.gpg
>>>
>>> The error I am seeing is from that command is this:
>>> Cannot acquire Kerberos ticket: kinit: Cannot read password while
>>> getting initial credentials
>>>
>>> Connection check failed!
>>> Please fix your network settings according to error messages above.
>>> If the check results are not valid it can be skipped with
>>> --skip-conncheck parameter.
>>>
>>> So I cleaned everything off (i think) and tried it with this command
>>>
>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>>> --forwarder=61.9.211.33 --forwarder=61.9.211.1 --skip-conncheck
>>> /var/lib/ipa/replica-info-ipa2.webgatetec.com.gpg
>>>
>>> This seems to actually start the install and setup process i remember
>>> from installing the ipa server initially
>>>
>>> This it fails with this output
>>>
>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>>> be disabled in favor of ntpd
>>>
>>> Directory Manager (existing master) password:
>>>
>>> Configuring NTP daemon (ntpd)
>>>    [1/4]: stopping ntpd
>>>    [2/4]: writing configuration
>>>    [3/4]: configuring ntpd to start on boot
>>>    [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>>    [1/31]: creating directory server user
>>>    [2/31]: creating directory server instance
>>>    [3/31]: adding default schema
>>>    [4/31]: enabling memberof plugin
>>>    [5/31]: enabling winsync plugin
>>>    [6/31]: configuring replication version plugin
>>>    [7/31]: enabling IPA enrollment plugin
>>>    [8/31]: enabling ldapi
>>>    [9/31]: configuring uniqueness plugin
>>>    [10/31]: configuring uuid plugin
>>>    [11/31]: configuring modrdn plugin
>>>    [12/31]: configuring DNS plugin
>>>    [13/31]: enabling entryUSN plugin
>>>    [14/31]: configuring lockout plugin
>>>    [15/31]: creating indices
>>>    [16/31]: enabling referential integrity plugin
>>>    [17/31]: configuring ssl for ds instance
>>>    [18/31]: configuring certmap.conf
>>>    [19/31]: configure autobind for root
>>>    [20/31]: configure new location for managed entries
>>>    [21/31]: restarting directory server
>>>    [22/31]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update in progress
>>> Update succeeded
>>>    [23/31]: adding replication acis
>>>    [24/31]: setting Auto Member configuration
>>>    [25/31]: enabling S4U2Proxy delegation
>>>    [26/31]: initializing group membership
>>>    [27/31]: adding master entry
>>>    [28/31]: configuring Posix uid/gid generation
>>>    [29/31]: enabling compatibility plugin
>>>    [30/31]: tuning directory server
>>>    [31/31]: configuring directory to start on boot
>>> Done configuring directory server (dirsrv).
>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>>> 30 seconds
>>>    [1/17]: creating certificate server user
>>>    [2/17]: configuring certificate server instance
>>> ipa         : CRITICAL failed to configure ca instance Command
>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmptGcdgB' returned non-zero exit
>>> status 1
>>>
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> Configuration of CA failed
>>>
>>> I even tried cleaning it again at that point and made sure all the
>>> ports were open and still got the same error.
>>>
>>> I also switched selinux to permissive mode cleaned up and rebooted but
>>> that didn't help either
>>>
>>> Can someone please point out what I need to do to get this working.
>>>
>>> Thanks in advance.
>>> Pete.
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
> --
> Petr?



From rendhalver at gmail.com  Fri Jul 19 04:14:30 2013
From: rendhalver at gmail.com (Pete Brown)
Date: Fri, 19 Jul 2013 14:14:30 +1000
Subject: [Freeipa-users] problem creating replica
In-Reply-To: <CAJ8DPF5DvkXeN5h3AOiO61cUppSKDRSuqPkZCnUF-6A582vfOw@mail.gmail.com>
References: <CAJ8DPF7-nAxu5+BbLt0t7Hb2reJrYg273v6r6kQq3j2gnsEeOA@mail.gmail.com>
	<CAJ8DPF4Fdeu5VBK4wdcm_cS1ATE3WR4b8-fE42m1ERTvP18u1A@mail.gmail.com>
	<51E7BA4F.2060903@redhat.com>
	<CAJ8DPF5DvkXeN5h3AOiO61cUppSKDRSuqPkZCnUF-6A582vfOw@mail.gmail.com>
Message-ID: <CAJ8DPF5QSPsJoSQi4=miuvi2u8Ojx7cW6Cw8f8P+s=DS52tUFA@mail.gmail.com>

I was just trying this again and noticed there is a
/var/log/pki/pki-ca-spawn.20130719140342.log file with what i assume
is the logging for the attempt to create the pki.
right at the end is this entry.

2013-07-19 14:04:42 pkispawn    : INFO     ....... unable to access
security domain through REST interface.  Trying old interface. 503
Server Error: Service Unavailable

Does anyone know what that means and how to fix it?


On 19 July 2013 12:46, Pete Brown <rendhalver at gmail.com> wrote:
> On 18 July 2013 19:50, Petr Viktorin <pviktori at redhat.com> wrote:
>> On 07/18/2013 03:31 AM, Pete Brown wrote:
>>>
>>> I opened all the ports that seemed to be listening n the master.
>>> I also ran the setup again without disabling the connection check to
>>> see what else needed fixing.
>>> It seems after much investigation and log dredging it seems my admin
>>> password had expired.
>>> I wasn't aware that was possible.
>>> I reset the password and it seemed to get further.
>>> This for some reason not mentioned in the documentation the replica is
>>> trying to ssh into the master as admin.
>>> I managed to fix that by changing my setup and ssh config files.
>>>
>>> Then it actually managed to start the setup process.
>>> But again it fails at exactly the same point mentioned in my initial
>>> email.
>>>
>>> After some further digging with reference to the log output below it
>>> seems I have run into a bug that seems to have been fixed.
>>> https://fedorahosted.org/freeipa/ticket/3213
>>> As I mentioned I am running current Fedora 18 so freeipa is
>>> 3.1.5-1.fc18 is that fixed in my version?
>>
>>
>> Yes, that bug was fixed in 3.1.0.
>
> Well the script is still complaining about not being able to find
> dogtag_master_ds_port and the option still appears in my version of
> the script.
> Which from the bug seems to be what was causing the issue and the
> ipareplica-install log I included below says this is the case.
> It seems a bit odd because this is a fresh install of 3.1.5.
>
>
>
>>> It also seems the dogatg and IPA directories will be or have been merged?
>>> Which version did this happen in and will it get applied to my server?
>>
>>
>> Also in 3.1.0; new servers installed using that version have merged
>> databases.
>
> I still seem to have split instances.
> I did the install before Fedora 18 was released because I wanted ipa 3
> and that was the only way I could get it.
> Will they get merged at some point or can I do it manually?
>
>>
>>> Can anyone suggest how I go about fixing this issue?
>>
>>
>> Well, ipa-server-uninstall can misbehave if CA installation goes wrong
>> (ticket #2796).
>> So I would start by uninstalling, then running the following command to make
>> sure CA is not left:
>>     sudo pkidestroy -s CA -i pki-tomcat
>> then installing again.
>
> Ran that on my replica after the install and before the clean and it said this.
> That would make sense because it fails during the ca creation stage.
>
> root at ipa2 ~]# pkidestroy -s CA -i pki-tomcat
> ERROR:  PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!
>
>
>>
>> Can you also provide logs without the --skip-conncheck flag? Specifically
>> the /var/log/ipareplica-conncheck.log should be interesting.
>
> From what I can tell all the tests in the connection check passed.
>
>>
>>
>>> I wanted to create a replica so I could upgrade to fedora 19 and not
>>> have to take my single instance of FreeIPA offline while that was
>>> happening.
>>> Will I need to upgrade to Fedora 19 to fix my issue?
>>
>>
>>
>>> For reference this is the point of failure in the
>>> /var/log/ipareplica-install.log file
>>>
>>> 2013-07-18T01:06:16Z DEBUG Starting external process
>>> 2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
>>> 2013-07-18T01:08:16Z DEBUG Process finished, return code=1
>>> 2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration
>>> from /tmp/tmpFKBxMW.
>>> ERROR:  Unable to access security domain: 503 Server Error: Service
>>> Unavailable
>>
>>
>> Please also check logs on the existing server. Is the CA available?
>> Does e.g. `ipa cert-show 1` work?
>>
>>> 2013-07-18T01:08:16Z DEBUG stderr=
>>> 2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command
>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit
>>> status 1
>>> 2013-07-18T01:08:16Z INFO   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>> line 619, in run_script
>>>      return_value = main_function()
>>>
>>>    File "/usr/sbin/ipa-replica-install", line 652, in main
>>>      (CA, cs) = cainstance.install_replica_ca(config,
>>> dogtag_master_ds_port)
>>>
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> line 1809, in install_replica_ca
>>>      subject_base=config.subject_base)
>>>
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> line 625, in configure_instance
>>>      self.start_creation(runtime=210)
>>>
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 358, in start_creation
>>>      method()
>>>
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> line 744, in __spawn_instance
>>>      raise RuntimeError('Configuration of CA failed')
>>>
>>> 2013-07-18T01:08:16Z INFO The ipa-replica-install command failed,
>>> exception: RuntimeError: Configuration of CA failed
>>>
>>> On 17 July 2013 15:52, Pete Brown <rendhalver at gmail.com> wrote:
>>>>
>>>> Hi everyone,
>>>>
>>>> I am attempting to create a replica of my freeipa server.
>>>> I am following the docs but they are not working for me.
>>>> I am getting the vague impression I am missing a step that doesn't
>>>> seem to be documented.
>>>>
>>>> For the record all the posts listed are open and it was a clean
>>>> install of Fedora 18.
>>>>
>>>> I thought the server may need to be a client of the master before I
>>>> set it up as a replica but it just said I needed to uninstall the
>>>> client setup.
>>>>
>>>> After running ipa-replica-prepare on the master and scping the file to
>>>> the new replica.
>>>> I ran this command on the new replica
>>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>>>> --forwarder=XXX.XXX.XXX.XX --forwarder=XX.XXX.XXX.XXX
>>>> /var/lib/ipa/replica-info-ipa2.domain.com.gpg
>>>>
>>>> The error I am seeing is from that command is this:
>>>> Cannot acquire Kerberos ticket: kinit: Cannot read password while
>>>> getting initial credentials
>>>>
>>>> Connection check failed!
>>>> Please fix your network settings according to error messages above.
>>>> If the check results are not valid it can be skipped with
>>>> --skip-conncheck parameter.
>>>>
>>>> So I cleaned everything off (i think) and tried it with this command
>>>>
>>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>>>> --forwarder=61.9.211.33 --forwarder=61.9.211.1 --skip-conncheck
>>>> /var/lib/ipa/replica-info-ipa2.webgatetec.com.gpg
>>>>
>>>> This seems to actually start the install and setup process i remember
>>>> from installing the ipa server initially
>>>>
>>>> This it fails with this output
>>>>
>>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>>>> be disabled in favor of ntpd
>>>>
>>>> Directory Manager (existing master) password:
>>>>
>>>> Configuring NTP daemon (ntpd)
>>>>    [1/4]: stopping ntpd
>>>>    [2/4]: writing configuration
>>>>    [3/4]: configuring ntpd to start on boot
>>>>    [4/4]: starting ntpd
>>>> Done configuring NTP daemon (ntpd).
>>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>>>    [1/31]: creating directory server user
>>>>    [2/31]: creating directory server instance
>>>>    [3/31]: adding default schema
>>>>    [4/31]: enabling memberof plugin
>>>>    [5/31]: enabling winsync plugin
>>>>    [6/31]: configuring replication version plugin
>>>>    [7/31]: enabling IPA enrollment plugin
>>>>    [8/31]: enabling ldapi
>>>>    [9/31]: configuring uniqueness plugin
>>>>    [10/31]: configuring uuid plugin
>>>>    [11/31]: configuring modrdn plugin
>>>>    [12/31]: configuring DNS plugin
>>>>    [13/31]: enabling entryUSN plugin
>>>>    [14/31]: configuring lockout plugin
>>>>    [15/31]: creating indices
>>>>    [16/31]: enabling referential integrity plugin
>>>>    [17/31]: configuring ssl for ds instance
>>>>    [18/31]: configuring certmap.conf
>>>>    [19/31]: configure autobind for root
>>>>    [20/31]: configure new location for managed entries
>>>>    [21/31]: restarting directory server
>>>>    [22/31]: setting up initial replication
>>>> Starting replication, please wait until this has completed.
>>>> Update in progress
>>>> Update in progress
>>>> Update in progress
>>>> Update in progress
>>>> Update succeeded
>>>>    [23/31]: adding replication acis
>>>>    [24/31]: setting Auto Member configuration
>>>>    [25/31]: enabling S4U2Proxy delegation
>>>>    [26/31]: initializing group membership
>>>>    [27/31]: adding master entry
>>>>    [28/31]: configuring Posix uid/gid generation
>>>>    [29/31]: enabling compatibility plugin
>>>>    [30/31]: tuning directory server
>>>>    [31/31]: configuring directory to start on boot
>>>> Done configuring directory server (dirsrv).
>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>>>> 30 seconds
>>>>    [1/17]: creating certificate server user
>>>>    [2/17]: configuring certificate server instance
>>>> ipa         : CRITICAL failed to configure ca instance Command
>>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmptGcdgB' returned non-zero exit
>>>> status 1
>>>>
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> Configuration of CA failed
>>>>
>>>> I even tried cleaning it again at that point and made sure all the
>>>> ports were open and still got the same error.
>>>>
>>>> I also switched selinux to permissive mode cleaned up and rebooted but
>>>> that didn't help either
>>>>
>>>> Can someone please point out what I need to do to get this working.
>>>>
>>>> Thanks in advance.
>>>> Pete.
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>>
>> --
>> Petr?



From Matt_Rivet at Archway.com  Fri Jul 19 04:17:59 2013
From: Matt_Rivet at Archway.com (Rivet, Matt)
Date: Fri, 19 Jul 2013 04:17:59 +0000
Subject: [Freeipa-users] Host certificate issue problem
Message-ID: <67B1E3A6D1E57E43B43AE145212A16F4188B368C@DETEX03.trade.archway.com>

When I check the host certificate I see a ca-error saying it cannot find a suitable key.

# ipa-getcert list

Number of certificates and requests being tracked: 1.
Request ID '20130719035440':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01 at .
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes

When I check my keytab
# kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example.com at EXAMPLE.COM
No error
If I list my keytab,

# klist -kt /etc/krb5.keytab

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/18/13 13:14:06 host/det-webdl01.sub.example.com at EXAMPLE.COM
   2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
   2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
   2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
   1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
   1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
   1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
   1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM

My /etc/krb5.conf file looks like:

[libdefaults]
 default_keytab_name = FILE:/etc/krb5.keytab
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    kdc = det-ldmpl01.sub.example.com:88
    master_kdc = det-ldmpl01.sub.example.com:88
    admin_server = det-ldmpl01.sub.example.com:749
    default_domain = example.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
  .sub.example.com = EXAMPLE.COM
  sub.example.com = EXAMPLE.COM

It seems the error from ipa-getcert list shows:

ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01 at .

where it is trunking the hostname and not including the realm name after @ seems to be the problem, but I cannot figure out why.  If I run `hostname` on this host it prints det-webdl01.sub.example.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130719/4d10f192/attachment.htm>

From mrniranjan at redhat.com  Fri Jul 19 05:26:27 2013
From: mrniranjan at redhat.com (M.R Niranjan )
Date: Fri, 19 Jul 2013 10:56:27 +0530
Subject: [Freeipa-users] Redhat IPA as a SSL CA
In-Reply-To: <20130719012709.GA28052@noboost.org>
References: <20130719012709.GA28052@noboost.org>
Message-ID: <51E8CE03.80007@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/19/2013 06:57 AM, craig.freeipa at noboost.org wrote:
> Hi,
> 
> I've been using Redhat IPA 2.2 as our internal CA quite successfully
> for a while and managing in it from the IPA management website. 
> 
> I'm struggling to find precise information about the SSL certs and
> management at a CLI level.
> 
> 1) Can I submit SSL CSR via cli?
Yes, you could using ipa cert-request command

Example:

1. Add the host for which you are generating request.

# ipa host-add webserver1.example.org

2. Create a CSR (i.e private key and certificate request using openssl
command)

	A. Generate private key:

	[root at test1 certs]# openssl genrsa 1024 > server.key

	B. Generate CSR:

	[root at test1 certs]#  openssl req -new -key server.key -out server.csr

3. Submit the certificate request:

# ipa cert-request /etc/pki/tls/certs/server.csr

4. Get the signed Certificate out using ipa cert-show command

Example:
[root at test1 certs]# ipa cert-show 12 --out=/etc/pki/tls/certs/server.crt

> 2) Where are the approved client SSL certs kept in IPA?
> 

They are stored in Directory Server in 2 places

1. Domain Suffix tree
dn:fqdn=webserver1.example.org,cn=computers,cn=accounts,dc=example,dc=org

2. CA store in DS. Certificate system of IPA stores certificate in it's
ldap store (ou=certificateRepository,ou=ca,o=ipaca)


> 
> cya
> 
> Craig
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 


- -- 
Regards
M.R.Niranjan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlHozgMACgkQLu3FX2BHx8cE7gCfSWDTA24R0VGSuwpd49RIgXsH
5eAAn3sQS5eXdfNu2kPbo5YueM3gScyt
=BCXd
-----END PGP SIGNATURE-----



From mrniranjan at redhat.com  Fri Jul 19 05:46:50 2013
From: mrniranjan at redhat.com (M.R Niranjan )
Date: Fri, 19 Jul 2013 11:16:50 +0530
Subject: [Freeipa-users] Host certificate issue problem
In-Reply-To: <67B1E3A6D1E57E43B43AE145212A16F4188B368C@DETEX03.trade.archway.com>
References: <67B1E3A6D1E57E43B43AE145212A16F4188B368C@DETEX03.trade.archway.com>
Message-ID: <51E8D2CA.7090200@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/19/2013 09:47 AM, Rivet, Matt wrote:
Hi,


> When I check the host certificate I see a ca-error saying it cannot find
> a suitable key.
> 
> # ipa-getcert list
> 
> Number of certificates and requests being tracked: 1.
> Request ID '20130719035440':
> status: CA_UNCONFIGURED
> ca-error: Error setting up ccache for local "host" service using default
> keytab: Keytab contains no suitable keys for host/det-webdl01 at .
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS
> Certificate DB'
> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> 

What is the version of ipa-server , is the above error on ipa client ,
if so what is the version of ipa-client


There was similar bug in earlier versions, I would suggest you to update
the ipa server and clients to ipa-3.0


> When I check my keytab
> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example.com at EXAMPLE.COM
> No error
> If I list my keytab,
> 
> # klist -kt /etc/krb5.keytab
> 
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- -----------------
> --------------------------------------------------------
>    2 07/18/13 13:14:06 host/det-webdl01.sub.example.com at EXAMPLE.COM
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
> 
> My /etc/krb5.conf file looks like:
> 
> [libdefaults]
>  default_keytab_name = FILE:/etc/krb5.keytab
>  default_realm = EXAMPLE.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
> 
> [realms]
>   EXAMPLE.COM = {
>     kdc = det-ldmpl01.sub.example.com:88
>     master_kdc = det-ldmpl01.sub.example.com:88
>     admin_server = det-ldmpl01.sub.example.com:749
>     default_domain = example.com
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
> 
> [domain_realm]
>   .example.com = EXAMPLE.COM
>   example.com = EXAMPLE.COM
>   .sub.example.com = EXAMPLE.COM
>   sub.example.com = EXAMPLE.COM
> 
> It seems the error from ipa-getcert list shows:
> 
> ca-error: Error setting up ccache for local "host" service using default
> keytab: Keytab contains no suitable keys for host/det-webdl01 at .
> 
> where it is trunking the hostname and not including the realm name after
> @ seems to be the problem, but I cannot figure out why.  If I run
> `hostname` on this host it prints det-webdl01.sub.example.com. 
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 


- -- 
Regards
M.R.Niranjan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlHo0soACgkQLu3FX2BHx8dl4gCaAp6QG9fSN5Op6f7V4cb05Tc0
MtQAnR0vhh7kPNZ/GTmdYzYacDgsE97m
=J4fC
-----END PGP SIGNATURE-----



From Matt_Rivet at Archway.com  Fri Jul 19 06:10:19 2013
From: Matt_Rivet at Archway.com (Rivet, Matt)
Date: Fri, 19 Jul 2013 06:10:19 +0000
Subject: [Freeipa-users] Host certificate issue problem
In-Reply-To: <51E8D2CA.7090200@redhat.com>
References: <67B1E3A6D1E57E43B43AE145212A16F4188B368C@DETEX03.trade.archway.com>,
	<51E8D2CA.7090200@redhat.com>
Message-ID: <67B1E3A6D1E57E43B43AE145212A16F4188B36BB@DETEX03.trade.archway.com>


> When I check the host certificate I see a ca-error saying it cannot find
> a suitable key.
>
> # ipa-getcert list
>
> Number of certificates and requests being tracked: 1.
> Request ID '20130719035440':
> status: CA_UNCONFIGURED
> ca-error: Error setting up ccache for local "host" service using default
> keytab: Keytab contains no suitable keys for host/det-webdl01 at .
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS
> Certificate DB'
> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>

What is the version of ipa-server , is the above error on ipa client ,
if so what is the version of ipa-client

Both client and server are version 3.0; the error is on the client

There was similar bug in earlier versions, I would suggest you to update
the ipa server and clients to ipa-3.0

Yes the bug in earlier versions is here, https://bugzilla.redhat.com/show_bug.cgi?id=747443
I have double checked to see if the workaround applies after the bug fix, it does not

> When I check my keytab
> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example.com at EXAMPLE.COM
> No error
> If I list my keytab,
>
> # klist -kt /etc/krb5.keytab
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- -----------------
> --------------------------------------------------------
>    2 07/18/13 13:14:06 host/det-webdl01.sub.example.com at EXAMPLE.COM
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>
> My /etc/krb5.conf file looks like:
>
> [libdefaults]
>  default_keytab_name = FILE:/etc/krb5.keytab
>  default_realm = EXAMPLE.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [realms]
>   EXAMPLE.COM = {
>     kdc = det-ldmpl01.sub.example.com:88
>     master_kdc = det-ldmpl01.sub.example.com:88
>     admin_server = det-ldmpl01.sub.example.com:749
>     default_domain = example.com
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
>
> [domain_realm]
>   .example.com = EXAMPLE.COM
>   example.com = EXAMPLE.COM
>   .sub.example.com = EXAMPLE.COM
>   sub.example.com = EXAMPLE.COM
>
> It seems the error from ipa-getcert list shows:
>
> ca-error: Error setting up ccache for local "host" service using default
> keytab: Keytab contains no suitable keys for host/det-webdl01 at .
>
> where it is trunking the hostname and not including the realm name after
> @ seems to be the problem, but I cannot figure out why.  If I run
> `hostname` on this host it prints det-webdl01.sub.example.com.
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>


- --
Regards
M.R.Niranjan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlHo0soACgkQLu3FX2BHx8dl4gCaAp6QG9fSN5Op6f7V4cb05Tc0
MtQAnR0vhh7kPNZ/GTmdYzYacDgsE97m
=J4fC
-----END PGP SIGNATURE-----

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



From pviktori at redhat.com  Fri Jul 19 07:54:23 2013
From: pviktori at redhat.com (Petr Viktorin)
Date: Fri, 19 Jul 2013 09:54:23 +0200
Subject: [Freeipa-users] problem creating replica
In-Reply-To: <CAJ8DPF5QSPsJoSQi4=miuvi2u8Ojx7cW6Cw8f8P+s=DS52tUFA@mail.gmail.com>
References: <CAJ8DPF7-nAxu5+BbLt0t7Hb2reJrYg273v6r6kQq3j2gnsEeOA@mail.gmail.com>
	<CAJ8DPF4Fdeu5VBK4wdcm_cS1ATE3WR4b8-fE42m1ERTvP18u1A@mail.gmail.com>
	<51E7BA4F.2060903@redhat.com>
	<CAJ8DPF5DvkXeN5h3AOiO61cUppSKDRSuqPkZCnUF-6A582vfOw@mail.gmail.com>
	<CAJ8DPF5QSPsJoSQi4=miuvi2u8Ojx7cW6Cw8f8P+s=DS52tUFA@mail.gmail.com>
Message-ID: <51E8F0AF.6050500@redhat.com>

On 07/19/2013 06:14 AM, Pete Brown wrote:
> I was just trying this again and noticed there is a
> /var/log/pki/pki-ca-spawn.20130719140342.log file with what i assume
> is the logging for the attempt to create the pki.
> right at the end is this entry.
>
> 2013-07-19 14:04:42 pkispawn    : INFO     ....... unable to access
> security domain through REST interface.  Trying old interface. 503
> Server Error: Service Unavailable
>
> Does anyone know what that means and how to fix it?

Adding Ade, he should know more about the Dogtag side of things.

> On 19 July 2013 12:46, Pete Brown <rendhalver at gmail.com> wrote:
>> On 18 July 2013 19:50, Petr Viktorin <pviktori at redhat.com> wrote:
>>> On 07/18/2013 03:31 AM, Pete Brown wrote:
>>>>
>>>> I opened all the ports that seemed to be listening n the master.
>>>> I also ran the setup again without disabling the connection check to
>>>> see what else needed fixing.
>>>> It seems after much investigation and log dredging it seems my admin
>>>> password had expired.
>>>> I wasn't aware that was possible.
>>>> I reset the password and it seemed to get further.
>>>> This for some reason not mentioned in the documentation the replica is
>>>> trying to ssh into the master as admin.
>>>> I managed to fix that by changing my setup and ssh config files.
>>>>
>>>> Then it actually managed to start the setup process.
>>>> But again it fails at exactly the same point mentioned in my initial
>>>> email.
>>>>
>>>> After some further digging with reference to the log output below it
>>>> seems I have run into a bug that seems to have been fixed.
>>>> https://fedorahosted.org/freeipa/ticket/3213
>>>> As I mentioned I am running current Fedora 18 so freeipa is
>>>> 3.1.5-1.fc18 is that fixed in my version?
>>>
>>>
>>> Yes, that bug was fixed in 3.1.0.
>>
>> Well the script is still complaining about not being able to find
>> dogtag_master_ds_port and the option still appears in my version of
>> the script.
>> Which from the bug seems to be what was causing the issue and the
>> ipareplica-install log I included below says this is the case.
>> It seems a bit odd because this is a fresh install of 3.1.5.
>>
>>
>>
>>>> It also seems the dogatg and IPA directories will be or have been merged?
>>>> Which version did this happen in and will it get applied to my server?
>>>
>>>
>>> Also in 3.1.0; new servers installed using that version have merged
>>> databases.
>>
>> I still seem to have split instances.
>> I did the install before Fedora 18 was released because I wanted ipa 3
>> and that was the only way I could get it.
>> Will they get merged at some point or can I do it manually?
>>
>>>
>>>> Can anyone suggest how I go about fixing this issue?
>>>
>>>
>>> Well, ipa-server-uninstall can misbehave if CA installation goes wrong
>>> (ticket #2796).
>>> So I would start by uninstalling, then running the following command to make
>>> sure CA is not left:
>>>      sudo pkidestroy -s CA -i pki-tomcat
>>> then installing again.
>>
>> Ran that on my replica after the install and before the clean and it said this.
>> That would make sense because it fails during the ca creation stage.
>>
>> root at ipa2 ~]# pkidestroy -s CA -i pki-tomcat
>> ERROR:  PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!
>>
>>
>>>
>>> Can you also provide logs without the --skip-conncheck flag? Specifically
>>> the /var/log/ipareplica-conncheck.log should be interesting.
>>
>>  From what I can tell all the tests in the connection check passed.
>>
>>>
>>>
>>>> I wanted to create a replica so I could upgrade to fedora 19 and not
>>>> have to take my single instance of FreeIPA offline while that was
>>>> happening.
>>>> Will I need to upgrade to Fedora 19 to fix my issue?
>>>
>>>
>>>
>>>> For reference this is the point of failure in the
>>>> /var/log/ipareplica-install.log file
>>>>
>>>> 2013-07-18T01:06:16Z DEBUG Starting external process
>>>> 2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
>>>> 2013-07-18T01:08:16Z DEBUG Process finished, return code=1
>>>> 2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration
>>>> from /tmp/tmpFKBxMW.
>>>> ERROR:  Unable to access security domain: 503 Server Error: Service
>>>> Unavailable
>>>
>>>
>>> Please also check logs on the existing server. Is the CA available?
>>> Does e.g. `ipa cert-show 1` work?
>>>
>>>> 2013-07-18T01:08:16Z DEBUG stderr=
>>>> 2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command
>>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit
>>>> status 1
>>>> 2013-07-18T01:08:16Z INFO   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>> line 619, in run_script
>>>>       return_value = main_function()
>>>>
>>>>     File "/usr/sbin/ipa-replica-install", line 652, in main
>>>>       (CA, cs) = cainstance.install_replica_ca(config,
>>>> dogtag_master_ds_port)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 1809, in install_replica_ca
>>>>       subject_base=config.subject_base)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 625, in configure_instance
>>>>       self.start_creation(runtime=210)
>>>>
>>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 358, in start_creation
>>>>       method()
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 744, in __spawn_instance
>>>>       raise RuntimeError('Configuration of CA failed')
>>>>
>>>> 2013-07-18T01:08:16Z INFO The ipa-replica-install command failed,
>>>> exception: RuntimeError: Configuration of CA failed
>>>>
>>>> On 17 July 2013 15:52, Pete Brown <rendhalver at gmail.com> wrote:
>>>>>
>>>>> Hi everyone,
>>>>>
>>>>> I am attempting to create a replica of my freeipa server.
>>>>> I am following the docs but they are not working for me.
>>>>> I am getting the vague impression I am missing a step that doesn't
>>>>> seem to be documented.
>>>>>
>>>>> For the record all the posts listed are open and it was a clean
>>>>> install of Fedora 18.
>>>>>
>>>>> I thought the server may need to be a client of the master before I
>>>>> set it up as a replica but it just said I needed to uninstall the
>>>>> client setup.
>>>>>
>>>>> After running ipa-replica-prepare on the master and scping the file to
>>>>> the new replica.
>>>>> I ran this command on the new replica
>>>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>>>>> --forwarder=XXX.XXX.XXX.XX --forwarder=XX.XXX.XXX.XXX
>>>>> /var/lib/ipa/replica-info-ipa2.domain.com.gpg
>>>>>
>>>>> The error I am seeing is from that command is this:
>>>>> Cannot acquire Kerberos ticket: kinit: Cannot read password while
>>>>> getting initial credentials
>>>>>
>>>>> Connection check failed!
>>>>> Please fix your network settings according to error messages above.
>>>>> If the check results are not valid it can be skipped with
>>>>> --skip-conncheck parameter.
>>>>>
>>>>> So I cleaned everything off (i think) and tried it with this command
>>>>>
>>>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>>>>> --forwarder=61.9.211.33 --forwarder=61.9.211.1 --skip-conncheck
>>>>> /var/lib/ipa/replica-info-ipa2.webgatetec.com.gpg
>>>>>
>>>>> This seems to actually start the install and setup process i remember
>>>>> from installing the ipa server initially
>>>>>
>>>>> This it fails with this output
>>>>>
>>>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>>>>> be disabled in favor of ntpd
>>>>>
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> Configuring NTP daemon (ntpd)
>>>>>     [1/4]: stopping ntpd
>>>>>     [2/4]: writing configuration
>>>>>     [3/4]: configuring ntpd to start on boot
>>>>>     [4/4]: starting ntpd
>>>>> Done configuring NTP daemon (ntpd).
>>>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>>>>     [1/31]: creating directory server user
>>>>>     [2/31]: creating directory server instance
>>>>>     [3/31]: adding default schema
>>>>>     [4/31]: enabling memberof plugin
>>>>>     [5/31]: enabling winsync plugin
>>>>>     [6/31]: configuring replication version plugin
>>>>>     [7/31]: enabling IPA enrollment plugin
>>>>>     [8/31]: enabling ldapi
>>>>>     [9/31]: configuring uniqueness plugin
>>>>>     [10/31]: configuring uuid plugin
>>>>>     [11/31]: configuring modrdn plugin
>>>>>     [12/31]: configuring DNS plugin
>>>>>     [13/31]: enabling entryUSN plugin
>>>>>     [14/31]: configuring lockout plugin
>>>>>     [15/31]: creating indices
>>>>>     [16/31]: enabling referential integrity plugin
>>>>>     [17/31]: configuring ssl for ds instance
>>>>>     [18/31]: configuring certmap.conf
>>>>>     [19/31]: configure autobind for root
>>>>>     [20/31]: configure new location for managed entries
>>>>>     [21/31]: restarting directory server
>>>>>     [22/31]: setting up initial replication
>>>>> Starting replication, please wait until this has completed.
>>>>> Update in progress
>>>>> Update in progress
>>>>> Update in progress
>>>>> Update in progress
>>>>> Update succeeded
>>>>>     [23/31]: adding replication acis
>>>>>     [24/31]: setting Auto Member configuration
>>>>>     [25/31]: enabling S4U2Proxy delegation
>>>>>     [26/31]: initializing group membership
>>>>>     [27/31]: adding master entry
>>>>>     [28/31]: configuring Posix uid/gid generation
>>>>>     [29/31]: enabling compatibility plugin
>>>>>     [30/31]: tuning directory server
>>>>>     [31/31]: configuring directory to start on boot
>>>>> Done configuring directory server (dirsrv).
>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>>>>> 30 seconds
>>>>>     [1/17]: creating certificate server user
>>>>>     [2/17]: configuring certificate server instance
>>>>> ipa         : CRITICAL failed to configure ca instance Command
>>>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmptGcdgB' returned non-zero exit
>>>>> status 1
>>>>>
>>>>> Your system may be partly configured.
>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>
>>>>> Configuration of CA failed
>>>>>
>>>>> I even tried cleaning it again at that point and made sure all the
>>>>> ports were open and still got the same error.
>>>>>
>>>>> I also switched selinux to permissive mode cleaned up and rebooted but
>>>>> that didn't help either
>>>>>
>>>>> Can someone please point out what I need to do to get this working.
>>>>>
>>>>> Thanks in advance.
>>>>> Pete.
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>
>>>
>>> --
>>> Petr3


-- 
Petr?



From mkosek at redhat.com  Fri Jul 19 08:20:25 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 19 Jul 2013 10:20:25 +0200
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <6F5AF221-07C8-4EEC-BD5C-71B2B2A8383A@numeezy.com>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
	<20130712173610.GY18587@redhat.com>
	<77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>
	<20130718234934.40e7c364@oldcomp.soho.internal>
	<6F5AF221-07C8-4EEC-BD5C-71B2B2A8383A@numeezy.com>
Message-ID: <51E8F6C9.7030800@redhat.com>

On 07/19/2013 02:59 AM, Alexandre Ellert wrote:
> Hi,
> 
> I have these 3 errors/warnings message when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):
> 
> => certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
> There is no such file even on RHEL 6. What is this file ?

This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in
RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the
/var/run/ipa/ directory is there (or update debian platform file to override
PlatformService class in ipapython/platform/base/__init__.py).

> => host_mod: KerbTransport instance has no attribute '_conn'
> What does that mean ?

This means that there was some issue with XMLRPC call to IPA server (the error
message is indeed unfortunate) - does ipaclient-install.log contain more details?

> => Failed to upload host SSH public keys.
> This is strange because SSH key are correctly uploaded !
> 
> Here is the complete stack trace :
...

HTH,
Martin



From mkosek at redhat.com  Fri Jul 19 08:41:03 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 19 Jul 2013 10:41:03 +0200
Subject: [Freeipa-users] Host certificate issue problem
In-Reply-To: <67B1E3A6D1E57E43B43AE145212A16F4188B36BB@DETEX03.trade.archway.com>
References: <67B1E3A6D1E57E43B43AE145212A16F4188B368C@DETEX03.trade.archway.com>,
	<51E8D2CA.7090200@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188B36BB@DETEX03.trade.archway.com>
Message-ID: <51E8FB9F.50008@redhat.com>

On 07/19/2013 08:10 AM, Rivet, Matt wrote:
> 
>> When I check the host certificate I see a ca-error saying it cannot find
>> a suitable key.
>>
>> # ipa-getcert list
>>
>> Number of certificates and requests being tracked: 1.
>> Request ID '20130719035440':
>> status: CA_UNCONFIGURED
>> ca-error: Error setting up ccache for local "host" service using default
>> keytab: Keytab contains no suitable keys for host/det-webdl01 at .
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS
>> Certificate DB'
>> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
> 
> What is the version of ipa-server , is the above error on ipa client ,
> if so what is the version of ipa-client
> 
> Both client and server are version 3.0; the error is on the client
> 
> There was similar bug in earlier versions, I would suggest you to update
> the ipa server and clients to ipa-3.0
> 
> Yes the bug in earlier versions is here, https://bugzilla.redhat.com/show_bug.cgi?id=747443
> I have double checked to see if the workaround applies after the bug fix, it does not
> 
>> When I check my keytab
>> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example.com at EXAMPLE.COM
>> No error
>> If I list my keytab,
>>
>> # klist -kt /etc/krb5.keytab
>>
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Timestamp         Principal
>> ---- -----------------
>> --------------------------------------------------------
>>    2 07/18/13 13:14:06 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>
>> My /etc/krb5.conf file looks like:
>>
>> [libdefaults]
>>  default_keytab_name = FILE:/etc/krb5.keytab
>>  default_realm = EXAMPLE.COM
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = false
>>   rdns = false
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>
>> [realms]
>>   EXAMPLE.COM = {
>>     kdc = det-ldmpl01.sub.example.com:88
>>     master_kdc = det-ldmpl01.sub.example.com:88
>>     admin_server = det-ldmpl01.sub.example.com:749
>>     default_domain = example.com
>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   }
>>
>> [domain_realm]
>>   .example.com = EXAMPLE.COM
>>   example.com = EXAMPLE.COM
>>   .sub.example.com = EXAMPLE.COM
>>   sub.example.com = EXAMPLE.COM
>>
>> It seems the error from ipa-getcert list shows:
>>
>> ca-error: Error setting up ccache for local "host" service using default
>> keytab: Keytab contains no suitable keys for host/det-webdl01 at .
>>
>> where it is trunking the hostname and not including the realm name after
>> @ seems to be the problem, but I cannot figure out why.  If I run
>> `hostname` on this host it prints det-webdl01.sub.example.com.
>>

Can you please check respective certmonger request in
/var/lib/certmonger/requests/ and see if the principal is not misconfigured
there from the time when request was created?

I also think you should be able to override the bad principal with following
command:

# ipa-getcert start-tracking -i 20130719035440 -K
"host/det-webdl01.sub.example.com at EXAMPLE.COM"

HTH,
Martin



From diaulasacn at primeinformatica.com.br  Fri Jul 19 12:46:10 2013
From: diaulasacn at primeinformatica.com.br (diaulasacn at primeinformatica.com.br)
Date: Fri, 19 Jul 2013 09:46:10 -0300 (BRT)
Subject: [Freeipa-users] Error uninstalling ipa-client
In-Reply-To: <51E4EF9F.40805@redhat.com>
References: <25882.200.220.180.66.1373907431.squirrel@www.primeinformatica.com.br>
	<51E48AC7.9020509@redhat.com> <51E4EF9F.40805@redhat.com>
Message-ID: <11508.189.16.65.100.1374237970.squirrel@www.primeinformatica.com.br>


> On 07/16/2013 01:50 AM, Dmitri Pal wrote:
>> On 07/15/2013 12:57 PM, diaulasacn at primeinformatica.com.br wrote:
>>> Hi,
>>>
>>>   Im trying to "reinstall" a unsuccessful instalation...
>>>
>>>    ipa-client-install tells me to uninstall first
>>>
>>>    ipa-client-install --uninstall return that error:
>>>
>>> "  Failed to remove krb5/LDAP configuration: Command '/usr/sbin/authconfig
>>> --disablekrb5 --disablesssd --update --disablemkhomedir --disableldap
>>> --disablesssdauth' returned non-zero exit status 6"
>>
>> I think we already seen this and an authconfig bug has been filed.
>
> If you cannot find the bug, it would help if you post appropriate excerpt of
> ipaclient-install.log with an actual error message from authconfig.
>
> Martin
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

Sorry for my late reply.

  Created ticket with RHEL Support, will update here.
  About that bug I cant find, before posting here I "googled" that error and
authconfig return-codes too.

Martin,
  ipaclient-install.log show the same error about authconfig returning non-zero.




From sakodak at gmail.com  Fri Jul 19 13:23:46 2013
From: sakodak at gmail.com (KodaK)
Date: Fri, 19 Jul 2013 08:23:46 -0500
Subject: [Freeipa-users] IPA + AD authentication in apache
In-Reply-To: <c8d55c08-c4ba-4b4a-8456-ae3acd52fd0e@email.android.com>
References: <CAA9J0ZF00x6iRuX5vLAfV4gbfQYF5fP460EkErsRvMoUxV0i2A@mail.gmail.com>
	<c8d55c08-c4ba-4b4a-8456-ae3acd52fd0e@email.android.com>
Message-ID: <CAA9J0ZFZqc-5LjQZoZv-AUYY+4HCkzEWcM1EnTgd79Y7dXPcyg@mail.gmail.com>

On Thu, Jul 18, 2013 at 4:43 PM, Sigbjorn Lie <sigbjorn at nixtra.com> wrote:
>
> Hi.
>
> I've done the kerberos part with several Apache Web servers with success. I've not done the fallback to ldap basic auth.
>
> Set KrbServiceName to Any in httpd.conf and put a HTTP service kerberos keytab from AD and one from IPA in the same keytab file. Reference this keytab file in httpd.conf.


Thanks for the tips.

You wouldn't happen to know how to coax a keytab out of AD when the
box you're using doesn't have the the same domain name, do you?

For example, the AD domain is SUB.AD.COMPANY.COM but the Linux box is
UNIX.COMPANY.COM.

When I try to get the keytab with:

net ads keytab add HTTP -U myusername

I get:

 libads/kerberos_keytab.c:326: unable to determine machine account's
dns name in AD!

I realize this is diverging wildly from the subject of IPA -- I can
take this off list if anyone is annoyed, just let me know.

Thanks,

--Jason



From aellert at numeezy.com  Fri Jul 19 13:28:01 2013
From: aellert at numeezy.com (Alexandre Ellert)
Date: Fri, 19 Jul 2013 15:28:01 +0200
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <51E8F6C9.7030800@redhat.com>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
	<20130712173610.GY18587@redhat.com>
	<77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>
	<20130718234934.40e7c364@oldcomp.soho.internal>
	<6F5AF221-07C8-4EEC-BD5C-71B2B2A8383A@numeezy.com>
	<51E8F6C9.7030800@redhat.com>
Message-ID: <2AC26350-B39A-410A-A73A-7E99AE27830C@numeezy.com>


Le 19 juil. 2013 ? 10:20, Martin Kosek <mkosek at redhat.com> a ?crit :

> On 07/19/2013 02:59 AM, Alexandre Ellert wrote:
>> Hi,
>> 
>> I have these 3 errors/warnings message when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):
>> 
>> => certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
>> There is no such file even on RHEL 6. What is this file ?
> 
> This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in
> RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the
> /var/run/ipa/ directory is there (or update debian platform file to override
> PlatformService class in ipapython/platform/base/__init__.py).

I managed to fix that and will update soon my repo with a new package version. Thanks for the information.

> 
>> => host_mod: KerbTransport instance has no attribute '_conn'
>> What does that mean ?
> 
> This means that there was some issue with XMLRPC call to IPA server (the error
> message is indeed unfortunate) - does ipaclient-install.log contain more details?

Unfortunately there is no more details in ipaclient-install.log, here is the relevant part :
2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.
Is there any way to get more debug log ?
In my opinion, warning about ssh keys should not trigger here, because I can see them on my IPA server.

> 
>> => Failed to upload host SSH public keys.
>> This is strange because SSH key are correctly uploaded !
>> 
>> Here is the complete stack trace :
> ...
> 
> HTH,
> Martin
> 




From sigbjorn at nixtra.com  Fri Jul 19 14:09:02 2013
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 19 Jul 2013 16:09:02 +0200 (CEST)
Subject: [Freeipa-users] IPA + AD authentication in apache
In-Reply-To: <CAA9J0ZFZqc-5LjQZoZv-AUYY+4HCkzEWcM1EnTgd79Y7dXPcyg@mail.gmail.com>
References: <CAA9J0ZF00x6iRuX5vLAfV4gbfQYF5fP460EkErsRvMoUxV0i2A@mail.gmail.com>
	<c8d55c08-c4ba-4b4a-8456-ae3acd52fd0e@email.android.com>
	<CAA9J0ZFZqc-5LjQZoZv-AUYY+4HCkzEWcM1EnTgd79Y7dXPcyg@mail.gmail.com>
Message-ID: <25219.213.225.75.97.1374242942.squirrel@www.nixtra.com>




On Fri, July 19, 2013 15:23, KodaK wrote:
> On Thu, Jul 18, 2013 at 4:43 PM, Sigbjorn Lie <sigbjorn at nixtra.com> wrote:
>
>>
>> Hi.
>>
>>
>> I've done the kerberos part with several Apache Web servers with success. I've not done the
>> fallback to ldap basic auth.
>>
>> Set KrbServiceName to Any in httpd.conf and put a HTTP service kerberos keytab from AD and one
>> from IPA in the same keytab file. Reference this keytab file in httpd.conf.
>
>
> Thanks for the tips.
>
>
> You wouldn't happen to know how to coax a keytab out of AD when the
> box you're using doesn't have the the same domain name, do you?
>
> For example, the AD domain is SUB.AD.COMPANY.COM but the Linux box is
> UNIX.COMPANY.COM.
>
>
> When I try to get the keytab with:
>
>
> net ads keytab add HTTP -U myusername
>
> I get:
>
>
> libads/kerberos_keytab.c:326: unable to determine machine account's
> dns name in AD!
>
> I realize this is diverging wildly from the subject of IPA -- I can
> take this off list if anyone is annoyed, just let me know.
>

Hi,

Please see below my notes for how to create a combined keytab file.


Retreive a keytab from IPA:

Make sure you have a valid kerberos TGT:
$ klist
Check to see if the service exists in IPA:
$ ipa service-find HTTP/webserver.ipa.domain

If it does not exist, create it with ipa service-add.

Retreive the keytab:
$ ipa-getkeytab -s ipa01 -p HTTP/webserver.ipa.domain -k /etc/httpd/HTTP.keytab-IPA



Retreive a keytab from AD:

> ktpass -princ HTTP/webserver.ipa.domain at WINDOWS.DOMAIN +rndpass /mapuser WINDOMAIN\webserver$
-crypto all -ptype KRB5_NT_PRINCIPAL -out webserver.keytab

The Windows admin will choose if they want to use a Computer Account or a User Account to bind the
keytab to.
Copy this keytab into /etc/httpd/HTTP.keytab-AD


Combine the keytabs using ktutil:
If an existing keytab exists, delete this keytab. /etc/httpd/HTTP.keytab
Failure to do so wll append the keytabs merging old and new keytabs into a single filre. THIS WILL
MAKE AUTHENTCATION FAIL!!

Fire up ktutil
$ ktutil

Read the IPA keytab
rkt /etc/httpd/HTTP.keytab-IPA

Read the MAIN keytab
rkt /etc/httpd/HTTP.keytab-AD

List the principals and verify that they look OK
list

Write them back to a combined keytab:
wkt /etc/httpd/HTTP.keytab

Quit:
q


Regards,
Siggi




From mkosek at redhat.com  Fri Jul 19 14:24:20 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 19 Jul 2013 16:24:20 +0200
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <2AC26350-B39A-410A-A73A-7E99AE27830C@numeezy.com>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
	<20130712173610.GY18587@redhat.com>
	<77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>
	<20130718234934.40e7c364@oldcomp.soho.internal>
	<6F5AF221-07C8-4EEC-BD5C-71B2B2A8383A@numeezy.com>
	<51E8F6C9.7030800@redhat.com>
	<2AC26350-B39A-410A-A73A-7E99AE27830C@numeezy.com>
Message-ID: <51E94C14.5000507@redhat.com>

On 07/19/2013 03:28 PM, Alexandre Ellert wrote:
> 
> Le 19 juil. 2013 ? 10:20, Martin Kosek <mkosek at redhat.com> a ?crit :
> 
>> On 07/19/2013 02:59 AM, Alexandre Ellert wrote:
>>> Hi,
>>>
>>> I have these 3 errors/warnings message when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):
>>>
>>> => certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
>>> There is no such file even on RHEL 6. What is this file ?
>>
>> This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in
>> RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the
>> /var/run/ipa/ directory is there (or update debian platform file to override
>> PlatformService class in ipapython/platform/base/__init__.py).
> 
> I managed to fix that and will update soon my repo with a new package version. Thanks for the information.
> 
>>
>>> => host_mod: KerbTransport instance has no attribute '_conn'
>>> What does that mean ?
>>
>> This means that there was some issue with XMLRPC call to IPA server (the error
>> message is indeed unfortunate) - does ipaclient-install.log contain more details?
> 
> Unfortunately there is no more details in ipaclient-install.log, here is the relevant part :
> 2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
> 2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.
> Is there any way to get more debug log ?
> In my opinion, warning about ssh keys should not trigger here, because I can see them on my IPA server.
> 

Are you sure the SSH keys aren't there from previous installation attempt or
similar? The _conn generally means there was some problem with the connection
to server in the xmlrpclib python library.

We need to find out what and why triggers it, a change in ipa-client-install
script like below may shed more light on what is the source of the error:


diff --git a/ipa-client/ipa-install/ipa-client-install
b/ipa-client/ipa-install/ipa-client-install
index 280edd7..f82b9f6 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1450,6 +1450,8 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
         pass
     except StandardError, e:
         root_logger.info("host_mod: %s", str(e))
+        import traceback
+        traceback.print_exc()
         root_logger.warning("Failed to upload host SSH public keys.")
         return


Martin



From aellert at numeezy.com  Fri Jul 19 14:30:24 2013
From: aellert at numeezy.com (Alexandre Ellert)
Date: Fri, 19 Jul 2013 16:30:24 +0200
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <51E94C14.5000507@redhat.com>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
	<20130712173610.GY18587@redhat.com>
	<77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>
	<20130718234934.40e7c364@oldcomp.soho.internal>
	<6F5AF221-07C8-4EEC-BD5C-71B2B2A8383A@numeezy.com>
	<51E8F6C9.7030800@redhat.com>
	<2AC26350-B39A-410A-A73A-7E99AE27830C@numeezy.com>
	<51E94C14.5000507@redhat.com>
Message-ID: <9FF24085-5BC1-4C95-B54F-735B8C0E8A41@numeezy.com>


Le 19 juil. 2013 ? 16:24, Martin Kosek <mkosek at redhat.com> a ?crit :

> On 07/19/2013 03:28 PM, Alexandre Ellert wrote:
>> 
>> Le 19 juil. 2013 ? 10:20, Martin Kosek <mkosek at redhat.com> a ?crit :
>> 
>>> On 07/19/2013 02:59 AM, Alexandre Ellert wrote:
>>>> Hi,
>>>> 
>>>> I have these 3 errors/warnings message when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):
>>>> 
>>>> => certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
>>>> There is no such file even on RHEL 6. What is this file ?
>>> 
>>> This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in
>>> RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the
>>> /var/run/ipa/ directory is there (or update debian platform file to override
>>> PlatformService class in ipapython/platform/base/__init__.py).
>> 
>> I managed to fix that and will update soon my repo with a new package version. Thanks for the information.
>> 
>>> 
>>>> => host_mod: KerbTransport instance has no attribute '_conn'
>>>> What does that mean ?
>>> 
>>> This means that there was some issue with XMLRPC call to IPA server (the error
>>> message is indeed unfortunate) - does ipaclient-install.log contain more details?
>> 
>> Unfortunately there is no more details in ipaclient-install.log, here is the relevant part :
>> 2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
>> 2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.
>> Is there any way to get more debug log ?
>> In my opinion, warning about ssh keys should not trigger here, because I can see them on my IPA server.
>> 
> 
> Are you sure the SSH keys aren't there from previous installation attempt or
> similar? The _conn generally means there was some problem with the connection
> to server in the xmlrpclib python library.

I can confirm you that SSH key upload is successful. I've done tests with a fresh install of Debian.
To be sure, I will create a new VM and try an ipa-client-install with modifications you give me.

> 
> We need to find out what and why triggers it, a change in ipa-client-install
> script like below may shed more light on what is the source of the error:
> 
> 
> diff --git a/ipa-client/ipa-install/ipa-client-install
> b/ipa-client/ipa-install/ipa-client-install
> index 280edd7..f82b9f6 100755
> --- a/ipa-client/ipa-install/ipa-client-install
> +++ b/ipa-client/ipa-install/ipa-client-install
> @@ -1450,6 +1450,8 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
>         pass
>     except StandardError, e:
>         root_logger.info("host_mod: %s", str(e))
> +        import traceback
> +        traceback.print_exc()
>         root_logger.warning("Failed to upload host SSH public keys.")
>         return
> 
> 
> Martin

Thanks
Alexandre




From natxo.asenjo at gmail.com  Fri Jul 19 14:55:01 2013
From: natxo.asenjo at gmail.com (natxo asenjo)
Date: Fri, 19 Jul 2013 16:55:01 +0200
Subject: [Freeipa-users] IPA + AD authentication in apache
In-Reply-To: <25219.213.225.75.97.1374242942.squirrel@www.nixtra.com>
References: <CAA9J0ZF00x6iRuX5vLAfV4gbfQYF5fP460EkErsRvMoUxV0i2A@mail.gmail.com>
	<c8d55c08-c4ba-4b4a-8456-ae3acd52fd0e@email.android.com>
	<CAA9J0ZFZqc-5LjQZoZv-AUYY+4HCkzEWcM1EnTgd79Y7dXPcyg@mail.gmail.com>
	<25219.213.225.75.97.1374242942.squirrel@www.nixtra.com>
Message-ID: <51E95345.5070204@gmail.com>

On 07/19/2013 04:09 PM, Sigbjorn Lie wrote:
>
> Retreive a keytab from AD:
>
>> ktpass -princ HTTP/webserver.ipa.domain at WINDOWS.DOMAIN +rndpass /mapuser WINDOMAIN\webserver$
> -crypto all -ptype KRB5_NT_PRINCIPAL -out webserver.keytab
>
> The Windows admin will choose if they want to use a Computer Account or a User Account to bind the
> keytab to.
> Copy this keytab into /etc/httpd/HTTP.keytab-AD

just filling in (just in case this was not clear): ktpass.exe is a
windows tool you run in the domain controller (or in a workstation with
the admins tool installed).

-- 
groet,
natxo



From aellert at numeezy.com  Fri Jul 19 15:03:21 2013
From: aellert at numeezy.com (Alexandre Ellert)
Date: Fri, 19 Jul 2013 17:03:21 +0200
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <9FF24085-5BC1-4C95-B54F-735B8C0E8A41@numeezy.com>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
	<20130712173610.GY18587@redhat.com>
	<77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>
	<20130718234934.40e7c364@oldcomp.soho.internal>
	<6F5AF221-07C8-4EEC-BD5C-71B2B2A8383A@numeezy.com>
	<51E8F6C9.7030800@redhat.com>
	<2AC26350-B39A-410A-A73A-7E99AE27830C@numeezy.com>
	<51E94C14.5000507@redhat.com>
	<9FF24085-5BC1-4C95-B54F-735B8C0E8A41@numeezy.com>
Message-ID: <2DBF0216-CBEB-42BC-A5C8-F731DB35E031@numeezy.com>

Here is the traceback :
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://inf-ipa.numeezy.fr/ipa/xml'
host_mod: KerbTransport instance has no attribute '_conn'
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1234, in update_ssh_keys
    updatedns=False
  File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 748, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 769, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 748, in forward
    response = command(*xml_wrap(params))
  File "/usr/lib/python2.7/xmlrpclib.py", line 1224, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.7/xmlrpclib.py", line 1578, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 490, in request
    self.close()
  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 457, in close
    self._conn.close()
AttributeError: KerbTransport instance has no attribute '_conn'
Failed to upload host SSH public keys.

-> Key are correctly uploaded on the new VM.

Le 19 juil. 2013 ? 16:30, Alexandre Ellert <aellert at numeezy.com> a ?crit :

> 
> Le 19 juil. 2013 ? 16:24, Martin Kosek <mkosek at redhat.com> a ?crit :
> 
>> On 07/19/2013 03:28 PM, Alexandre Ellert wrote:
>>> 
>>> Le 19 juil. 2013 ? 10:20, Martin Kosek <mkosek at redhat.com> a ?crit :
>>> 
>>>> On 07/19/2013 02:59 AM, Alexandre Ellert wrote:
>>>>> Hi,
>>>>> 
>>>>> I have these 3 errors/warnings message when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):
>>>>> 
>>>>> => certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
>>>>> There is no such file even on RHEL 6. What is this file ?
>>>> 
>>>> This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in
>>>> RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the
>>>> /var/run/ipa/ directory is there (or update debian platform file to override
>>>> PlatformService class in ipapython/platform/base/__init__.py).
>>> 
>>> I managed to fix that and will update soon my repo with a new package version. Thanks for the information.
>>> 
>>>> 
>>>>> => host_mod: KerbTransport instance has no attribute '_conn'
>>>>> What does that mean ?
>>>> 
>>>> This means that there was some issue with XMLRPC call to IPA server (the error
>>>> message is indeed unfortunate) - does ipaclient-install.log contain more details?
>>> 
>>> Unfortunately there is no more details in ipaclient-install.log, here is the relevant part :
>>> 2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
>>> 2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.
>>> Is there any way to get more debug log ?
>>> In my opinion, warning about ssh keys should not trigger here, because I can see them on my IPA server.
>>> 
>> 
>> Are you sure the SSH keys aren't there from previous installation attempt or
>> similar? The _conn generally means there was some problem with the connection
>> to server in the xmlrpclib python library.
> 
> I can confirm you that SSH key upload is successful. I've done tests with a fresh install of Debian.
> To be sure, I will create a new VM and try an ipa-client-install with modifications you give me.
> 
>> 
>> We need to find out what and why triggers it, a change in ipa-client-install
>> script like below may shed more light on what is the source of the error:
>> 
>> 
>> diff --git a/ipa-client/ipa-install/ipa-client-install
>> b/ipa-client/ipa-install/ipa-client-install
>> index 280edd7..f82b9f6 100755
>> --- a/ipa-client/ipa-install/ipa-client-install
>> +++ b/ipa-client/ipa-install/ipa-client-install
>> @@ -1450,6 +1450,8 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
>>        pass
>>    except StandardError, e:
>>        root_logger.info("host_mod: %s", str(e))
>> +        import traceback
>> +        traceback.print_exc()
>>        root_logger.warning("Failed to upload host SSH public keys.")
>>        return
>> 
>> 
>> Martin
> 
> Thanks
> Alexandre
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




From mkosek at redhat.com  Fri Jul 19 15:08:22 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 19 Jul 2013 17:08:22 +0200
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <2DBF0216-CBEB-42BC-A5C8-F731DB35E031@numeezy.com>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
	<20130712173610.GY18587@redhat.com>
	<77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>
	<20130718234934.40e7c364@oldcomp.soho.internal>
	<6F5AF221-07C8-4EEC-BD5C-71B2B2A8383A@numeezy.com>
	<51E8F6C9.7030800@redhat.com>
	<2AC26350-B39A-410A-A73A-7E99AE27830C@numeezy.com>
	<51E94C14.5000507@redhat.com>
	<9FF24085-5BC1-4C95-B54F-735B8C0E8A41@numeezy.com>
	<2DBF0216-CBEB-42BC-A5C8-F731DB35E031@numeezy.com>
Message-ID: <51E95666.6050700@redhat.com>

Thanks, this should help. Maybe the IPA just tries to close the connection
twice _after_ keys were uploaded to the server.

Anyway, what version of IPA software is the Debian package based on? I cannot
find line "self._conn.close()" in ipalib/rpc.py in any of our active branches.

Martin

On 07/19/2013 05:03 PM, Alexandre Ellert wrote:
> Here is the traceback :
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> Forwarding 'host_mod' to server u'https://inf-ipa.numeezy.fr/ipa/xml'
> host_mod: KerbTransport instance has no attribute '_conn'
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1234, in update_ssh_keys
>     updatedns=False
>   File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 435, in __call__
>     ret = self.run(*args, **options)
>   File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 748, in run
>     return self.forward(*args, **options)
>   File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 769, in forward
>     return self.Backend.xmlclient.forward(self.name, *args, **kw)
>   File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 748, in forward
>     response = command(*xml_wrap(params))
>   File "/usr/lib/python2.7/xmlrpclib.py", line 1224, in __call__
>     return self.__send(self.__name, args)
>   File "/usr/lib/python2.7/xmlrpclib.py", line 1578, in __request
>     verbose=self.__verbose
>   File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 490, in request
>     self.close()
>   File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 457, in close
>     self._conn.close()
> AttributeError: KerbTransport instance has no attribute '_conn'
> Failed to upload host SSH public keys.
> 
> -> Key are correctly uploaded on the new VM.
> 
> Le 19 juil. 2013 ? 16:30, Alexandre Ellert <aellert at numeezy.com> a ?crit :
> 
>>
>> Le 19 juil. 2013 ? 16:24, Martin Kosek <mkosek at redhat.com> a ?crit :
>>
>>> On 07/19/2013 03:28 PM, Alexandre Ellert wrote:
>>>>
>>>> Le 19 juil. 2013 ? 10:20, Martin Kosek <mkosek at redhat.com> a ?crit :
>>>>
>>>>> On 07/19/2013 02:59 AM, Alexandre Ellert wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have these 3 errors/warnings message when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):
>>>>>>
>>>>>> => certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
>>>>>> There is no such file even on RHEL 6. What is this file ?
>>>>>
>>>>> This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in
>>>>> RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the
>>>>> /var/run/ipa/ directory is there (or update debian platform file to override
>>>>> PlatformService class in ipapython/platform/base/__init__.py).
>>>>
>>>> I managed to fix that and will update soon my repo with a new package version. Thanks for the information.
>>>>
>>>>>
>>>>>> => host_mod: KerbTransport instance has no attribute '_conn'
>>>>>> What does that mean ?
>>>>>
>>>>> This means that there was some issue with XMLRPC call to IPA server (the error
>>>>> message is indeed unfortunate) - does ipaclient-install.log contain more details?
>>>>
>>>> Unfortunately there is no more details in ipaclient-install.log, here is the relevant part :
>>>> 2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
>>>> 2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.
>>>> Is there any way to get more debug log ?
>>>> In my opinion, warning about ssh keys should not trigger here, because I can see them on my IPA server.
>>>>
>>>
>>> Are you sure the SSH keys aren't there from previous installation attempt or
>>> similar? The _conn generally means there was some problem with the connection
>>> to server in the xmlrpclib python library.
>>
>> I can confirm you that SSH key upload is successful. I've done tests with a fresh install of Debian.
>> To be sure, I will create a new VM and try an ipa-client-install with modifications you give me.
>>
>>>
>>> We need to find out what and why triggers it, a change in ipa-client-install
>>> script like below may shed more light on what is the source of the error:
>>>
>>>
>>> diff --git a/ipa-client/ipa-install/ipa-client-install
>>> b/ipa-client/ipa-install/ipa-client-install
>>> index 280edd7..f82b9f6 100755
>>> --- a/ipa-client/ipa-install/ipa-client-install
>>> +++ b/ipa-client/ipa-install/ipa-client-install
>>> @@ -1450,6 +1450,8 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
>>>        pass
>>>    except StandardError, e:
>>>        root_logger.info("host_mod: %s", str(e))
>>> +        import traceback
>>> +        traceback.print_exc()
>>>        root_logger.warning("Failed to upload host SSH public keys.")
>>>        return
>>>
>>>
>>> Martin
>>
>> Thanks
>> Alexandre
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> 



From Matt_Rivet at Archway.com  Fri Jul 19 15:25:22 2013
From: Matt_Rivet at Archway.com (Rivet, Matt)
Date: Fri, 19 Jul 2013 15:25:22 +0000
Subject: [Freeipa-users] Host certificate issue problem
In-Reply-To: <51E8FB9F.50008@redhat.com>
References: <67B1E3A6D1E57E43B43AE145212A16F4188B368C@DETEX03.trade.archway.com>,
	<51E8D2CA.7090200@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188B36BB@DETEX03.trade.archway.com>,
	<51E8FB9F.50008@redhat.com>
Message-ID: <67B1E3A6D1E57E43B43AE145212A16F4188B37BB@DETEX03.trade.archway.com>



On 07/19/2013 08:10 AM, Rivet, Matt wrote:
>
>> When I check the host certificate I see a ca-error saying it cannot find
>> a suitable key.
>>
>> # ipa-getcert list
>>
>> Number of certificates and requests being tracked: 1.
>> Request ID '20130719035440':
>> status: CA_UNCONFIGURED
>> ca-error: Error setting up ccache for local "host" service using default
>> keytab: Keytab contains no suitable keys for host/det-webdl01 at .
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS
>> Certificate DB'
>> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>
> What is the version of ipa-server , is the above error on ipa client ,
> if so what is the version of ipa-client
>
> Both client and server are version 3.0; the error is on the client
>
> There was similar bug in earlier versions, I would suggest you to update
> the ipa server and clients to ipa-3.0
>
> Yes the bug in earlier versions is here, https://bugzilla.redhat.com/show_bug.cgi?id=747443
> I have double checked to see if the workaround applies after the bug fix, it does not
>
>> When I check my keytab
>> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example.com at EXAMPLE.COM
>> No error
>> If I list my keytab,
>>
>> # klist -kt /etc/krb5.keytab
>>
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Timestamp         Principal
>> ---- -----------------
>> --------------------------------------------------------
>>    2 07/18/13 13:14:06 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>
>> My /etc/krb5.conf file looks like:
>>
>> [libdefaults]
>>  default_keytab_name = FILE:/etc/krb5.keytab
>>  default_realm = EXAMPLE.COM
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = false
>>   rdns = false
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>
>> [realms]
>>   EXAMPLE.COM = {
>>     kdc = det-ldmpl01.sub.example.com:88
>>     master_kdc = det-ldmpl01.sub.example.com:88
>>     admin_server = det-ldmpl01.sub.example.com:749
>>     default_domain = example.com
>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   }
>>
>> [domain_realm]
>>   .example.com = EXAMPLE.COM
>>   example.com = EXAMPLE.COM
>>   .sub.example.com = EXAMPLE.COM
>>   sub.example.com = EXAMPLE.COM
>>
>> It seems the error from ipa-getcert list shows:
>>
>> ca-error: Error setting up ccache for local "host" service using default
>> keytab: Keytab contains no suitable keys for host/det-webdl01 at .
>>
>> where it is trunking the hostname and not including the realm name after
>> @ seems to be the problem, but I cannot figure out why.  If I run
>> `hostname` on this host it prints det-webdl01.sub.example.com.
>>

Can you please check respective certmonger request in
/var/lib/certmonger/requests/ and see if the principal is not misconfigured
there from the time when request was created?

I also think you should be able to override the bad principal with following
command:

# ipa-getcert start-tracking -i 20130719035440 -K
"host/det-webdl01.sub.example.com at EXAMPLE.COM"

HTH,
Martin



Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=det-webdl01.sub.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
..
..
..
                    4a:57
                Exponent: 65537 (0x10001)
        Attributes:
            friendlyName             :Server-Cer
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:det-webdl01.sub.example.com, othername:<unsupported>, othername:<unsupported>
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
...
...
...

The request also looks like this 

state=HAVE_CSR
autorenew=1
monitor=1
ca_name=IPA
submitted=20130719035440
ca_error=Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01 at .

Does IPA need to be in my host file or dns?



From aellert at numeezy.com  Fri Jul 19 15:53:00 2013
From: aellert at numeezy.com (Alexandre Ellert)
Date: Fri, 19 Jul 2013 17:53:00 +0200
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <51E95666.6050700@redhat.com>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
	<20130712173610.GY18587@redhat.com>
	<77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>
	<20130718234934.40e7c364@oldcomp.soho.internal>
	<6F5AF221-07C8-4EEC-BD5C-71B2B2A8383A@numeezy.com>
	<51E8F6C9.7030800@redhat.com>
	<2AC26350-B39A-410A-A73A-7E99AE27830C@numeezy.com>
	<51E94C14.5000507@redhat.com>
	<9FF24085-5BC1-4C95-B54F-735B8C0E8A41@numeezy.com>
	<2DBF0216-CBEB-42BC-A5C8-F731DB35E031@numeezy.com>
	<51E95666.6050700@redhat.com>
Message-ID: <245B19A3-5DF4-4150-9919-F3561BE3A6C3@numeezy.com>

It's based on 3.0.2 with 1011-xmlrpc_response.patch (found in ipa-3.0.0-26.el6_4.4.src.rpm) and self._conn.close() is added by this patch. 
I included it because it correct this problem :
unable to parse cookie header 'ipa_session=83701130bf434d20cf8c5a3fe2a0ac56; Domain=inf-ipa.numeezy.fr; Path=/ipa; Expires=Fri, 19 Jul 2013 16:08:31 GMT; Secure; HttpOnly': unable to parse expires datetime 'Fri, 19 Jul 2013 16:08:31'


Le 19 juil. 2013 ? 17:08, Martin Kosek <mkosek at redhat.com> a ?crit :

> Thanks, this should help. Maybe the IPA just tries to close the connection
> twice _after_ keys were uploaded to the server.
> 
> Anyway, what version of IPA software is the Debian package based on? I cannot
> find line "self._conn.close()" in ipalib/rpc.py in any of our active branches.
> 
> Martin
> 
> On 07/19/2013 05:03 PM, Alexandre Ellert wrote:
>> Here is the traceback :
>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
>> Forwarding 'host_mod' to server u'https://inf-ipa.numeezy.fr/ipa/xml'
>> host_mod: KerbTransport instance has no attribute '_conn'
>> Traceback (most recent call last):
>>  File "/usr/sbin/ipa-client-install", line 1234, in update_ssh_keys
>>    updatedns=False
>>  File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 435, in __call__
>>    ret = self.run(*args, **options)
>>  File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 748, in run
>>    return self.forward(*args, **options)
>>  File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 769, in forward
>>    return self.Backend.xmlclient.forward(self.name, *args, **kw)
>>  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 748, in forward
>>    response = command(*xml_wrap(params))
>>  File "/usr/lib/python2.7/xmlrpclib.py", line 1224, in __call__
>>    return self.__send(self.__name, args)
>>  File "/usr/lib/python2.7/xmlrpclib.py", line 1578, in __request
>>    verbose=self.__verbose
>>  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 490, in request
>>    self.close()
>>  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 457, in close
>>    self._conn.close()
>> AttributeError: KerbTransport instance has no attribute '_conn'
>> Failed to upload host SSH public keys.
>> 
>> -> Key are correctly uploaded on the new VM.
>> 
>> Le 19 juil. 2013 ? 16:30, Alexandre Ellert <aellert at numeezy.com> a ?crit :
>> 
>>> 
>>> Le 19 juil. 2013 ? 16:24, Martin Kosek <mkosek at redhat.com> a ?crit :
>>> 
>>>> On 07/19/2013 03:28 PM, Alexandre Ellert wrote:
>>>>> 
>>>>> Le 19 juil. 2013 ? 10:20, Martin Kosek <mkosek at redhat.com> a ?crit :
>>>>> 
>>>>>> On 07/19/2013 02:59 AM, Alexandre Ellert wrote:
>>>>>>> Hi,
>>>>>>> 
>>>>>>> I have these 3 errors/warnings message when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):
>>>>>>> 
>>>>>>> => certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
>>>>>>> There is no such file even on RHEL 6. What is this file ?
>>>>>> 
>>>>>> This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in
>>>>>> RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the
>>>>>> /var/run/ipa/ directory is there (or update debian platform file to override
>>>>>> PlatformService class in ipapython/platform/base/__init__.py).
>>>>> 
>>>>> I managed to fix that and will update soon my repo with a new package version. Thanks for the information.
>>>>> 
>>>>>> 
>>>>>>> => host_mod: KerbTransport instance has no attribute '_conn'
>>>>>>> What does that mean ?
>>>>>> 
>>>>>> This means that there was some issue with XMLRPC call to IPA server (the error
>>>>>> message is indeed unfortunate) - does ipaclient-install.log contain more details?
>>>>> 
>>>>> Unfortunately there is no more details in ipaclient-install.log, here is the relevant part :
>>>>> 2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
>>>>> 2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.
>>>>> Is there any way to get more debug log ?
>>>>> In my opinion, warning about ssh keys should not trigger here, because I can see them on my IPA server.
>>>>> 
>>>> 
>>>> Are you sure the SSH keys aren't there from previous installation attempt or
>>>> similar? The _conn generally means there was some problem with the connection
>>>> to server in the xmlrpclib python library.
>>> 
>>> I can confirm you that SSH key upload is successful. I've done tests with a fresh install of Debian.
>>> To be sure, I will create a new VM and try an ipa-client-install with modifications you give me.
>>> 
>>>> 
>>>> We need to find out what and why triggers it, a change in ipa-client-install
>>>> script like below may shed more light on what is the source of the error:
>>>> 
>>>> 
>>>> diff --git a/ipa-client/ipa-install/ipa-client-install
>>>> b/ipa-client/ipa-install/ipa-client-install
>>>> index 280edd7..f82b9f6 100755
>>>> --- a/ipa-client/ipa-install/ipa-client-install
>>>> +++ b/ipa-client/ipa-install/ipa-client-install
>>>> @@ -1450,6 +1450,8 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
>>>>       pass
>>>>   except StandardError, e:
>>>>       root_logger.info("host_mod: %s", str(e))
>>>> +        import traceback
>>>> +        traceback.print_exc()
>>>>       root_logger.warning("Failed to upload host SSH public keys.")
>>>>       return
>>>> 
>>>> 
>>>> Martin
>>> 
>>> Thanks
>>> Alexandre
>>> 
>>> 
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> 
> 




From aellert at numeezy.com  Fri Jul 19 16:07:30 2013
From: aellert at numeezy.com (Alexandre Ellert)
Date: Fri, 19 Jul 2013 18:07:30 +0200
Subject: [Freeipa-users] freeipa-client on Debian Wheezy
In-Reply-To: <245B19A3-5DF4-4150-9919-F3561BE3A6C3@numeezy.com>
References: <6351F8CF-6D73-48B7-89FB-0D243969AEE9@numeezy.com>
	<20130712173610.GY18587@redhat.com>
	<77440F51-D592-4248-A0C0-65DA05CF69B8@numeezy.com>
	<20130718234934.40e7c364@oldcomp.soho.internal>
	<6F5AF221-07C8-4EEC-BD5C-71B2B2A8383A@numeezy.com>
	<51E8F6C9.7030800@redhat.com>
	<2AC26350-B39A-410A-A73A-7E99AE27830C@numeezy.com>
	<51E94C14.5000507@redhat.com>
	<9FF24085-5BC1-4C95-B54F-735B8C0E8A41@numeezy.com>
	<2DBF0216-CBEB-42BC-A5C8-F731DB35E031@numeezy.com>
	<51E95666.6050700@redhat.com>
	<245B19A3-5DF4-4150-9919-F3561BE3A6C3@numeezy.com>
Message-ID: <A3AA7D86-C7D6-4A22-92EA-BEC789E2E946@numeezy.com>

Sorry, mistake from me.
I remove all patch from RHEL and just keep 0053-Cookie-Expires-date-should-be-locale-insensitive.patch.
Everything seems fine now.
I'm going to test.

Thanks for you help


Le 19 juil. 2013 ? 17:53, Alexandre Ellert <aellert at numeezy.com> a ?crit :

> It's based on 3.0.2 with 1011-xmlrpc_response.patch (found in ipa-3.0.0-26.el6_4.4.src.rpm) and self._conn.close() is added by this patch. 
> I included it because it correct this problem :
> unable to parse cookie header 'ipa_session=83701130bf434d20cf8c5a3fe2a0ac56; Domain=inf-ipa.numeezy.fr; Path=/ipa; Expires=Fri, 19 Jul 2013 16:08:31 GMT; Secure; HttpOnly': unable to parse expires datetime 'Fri, 19 Jul 2013 16:08:31'
> 
> 
> Le 19 juil. 2013 ? 17:08, Martin Kosek <mkosek at redhat.com> a ?crit :
> 
>> Thanks, this should help. Maybe the IPA just tries to close the connection
>> twice _after_ keys were uploaded to the server.
>> 
>> Anyway, what version of IPA software is the Debian package based on? I cannot
>> find line "self._conn.close()" in ipalib/rpc.py in any of our active branches.
>> 
>> Martin
>> 
>> On 07/19/2013 05:03 PM, Alexandre Ellert wrote:
>>> Here is the traceback :
>>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>>> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>>> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
>>> Forwarding 'host_mod' to server u'https://inf-ipa.numeezy.fr/ipa/xml'
>>> host_mod: KerbTransport instance has no attribute '_conn'
>>> Traceback (most recent call last):
>>> File "/usr/sbin/ipa-client-install", line 1234, in update_ssh_keys
>>>   updatedns=False
>>> File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 435, in __call__
>>>   ret = self.run(*args, **options)
>>> File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 748, in run
>>>   return self.forward(*args, **options)
>>> File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 769, in forward
>>>   return self.Backend.xmlclient.forward(self.name, *args, **kw)
>>> File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 748, in forward
>>>   response = command(*xml_wrap(params))
>>> File "/usr/lib/python2.7/xmlrpclib.py", line 1224, in __call__
>>>   return self.__send(self.__name, args)
>>> File "/usr/lib/python2.7/xmlrpclib.py", line 1578, in __request
>>>   verbose=self.__verbose
>>> File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 490, in request
>>>   self.close()
>>> File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 457, in close
>>>   self._conn.close()
>>> AttributeError: KerbTransport instance has no attribute '_conn'
>>> Failed to upload host SSH public keys.
>>> 
>>> -> Key are correctly uploaded on the new VM.
>>> 
>>> Le 19 juil. 2013 ? 16:30, Alexandre Ellert <aellert at numeezy.com> a ?crit :
>>> 
>>>> 
>>>> Le 19 juil. 2013 ? 16:24, Martin Kosek <mkosek at redhat.com> a ?crit :
>>>> 
>>>>> On 07/19/2013 03:28 PM, Alexandre Ellert wrote:
>>>>>> 
>>>>>> Le 19 juil. 2013 ? 10:20, Martin Kosek <mkosek at redhat.com> a ?crit :
>>>>>> 
>>>>>>> On 07/19/2013 02:59 AM, Alexandre Ellert wrote:
>>>>>>>> Hi,
>>>>>>>> 
>>>>>>>> I have these 3 errors/warnings message when I join a Debian client to a RHEL 6.4 server (ipa-server-3.0.0-26.el6_4.4.x86_64):
>>>>>>>> 
>>>>>>>> => certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
>>>>>>>> There is no such file even on RHEL 6. What is this file ?
>>>>>>> 
>>>>>>> This was added in IPA 3.0.1 to fix a systemd hang so it does not exist in
>>>>>>> RHEL-6.4 which contains IPA 3.0. The deb package should just make sure the
>>>>>>> /var/run/ipa/ directory is there (or update debian platform file to override
>>>>>>> PlatformService class in ipapython/platform/base/__init__.py).
>>>>>> 
>>>>>> I managed to fix that and will update soon my repo with a new package version. Thanks for the information.
>>>>>> 
>>>>>>> 
>>>>>>>> => host_mod: KerbTransport instance has no attribute '_conn'
>>>>>>>> What does that mean ?
>>>>>>> 
>>>>>>> This means that there was some issue with XMLRPC call to IPA server (the error
>>>>>>> message is indeed unfortunate) - does ipaclient-install.log contain more details?
>>>>>> 
>>>>>> Unfortunately there is no more details in ipaclient-install.log, here is the relevant part :
>>>>>> 2013-07-19T13:06:26Z INFO host_mod: KerbTransport instance has no attribute '_conn'
>>>>>> 2013-07-19T13:06:26Z WARNING Failed to upload host SSH public keys.
>>>>>> Is there any way to get more debug log ?
>>>>>> In my opinion, warning about ssh keys should not trigger here, because I can see them on my IPA server.
>>>>>> 
>>>>> 
>>>>> Are you sure the SSH keys aren't there from previous installation attempt or
>>>>> similar? The _conn generally means there was some problem with the connection
>>>>> to server in the xmlrpclib python library.
>>>> 
>>>> I can confirm you that SSH key upload is successful. I've done tests with a fresh install of Debian.
>>>> To be sure, I will create a new VM and try an ipa-client-install with modifications you give me.
>>>> 
>>>>> 
>>>>> We need to find out what and why triggers it, a change in ipa-client-install
>>>>> script like below may shed more light on what is the source of the error:
>>>>> 
>>>>> 
>>>>> diff --git a/ipa-client/ipa-install/ipa-client-install
>>>>> b/ipa-client/ipa-install/ipa-client-install
>>>>> index 280edd7..f82b9f6 100755
>>>>> --- a/ipa-client/ipa-install/ipa-client-install
>>>>> +++ b/ipa-client/ipa-install/ipa-client-install
>>>>> @@ -1450,6 +1450,8 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
>>>>>      pass
>>>>>  except StandardError, e:
>>>>>      root_logger.info("host_mod: %s", str(e))
>>>>> +        import traceback
>>>>> +        traceback.print_exc()
>>>>>      root_logger.warning("Failed to upload host SSH public keys.")
>>>>>      return
>>>>> 
>>>>> 
>>>>> Martin
>>>> 
>>>> Thanks
>>>> Alexandre
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> 
>> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




From MTovey at go2uti.com  Fri Jul 19 16:49:47 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Fri, 19 Jul 2013 16:49:47 +0000
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <159018F515D5B14CA76C88F9C425325A012169F0@sinmpt10.corp.go2uti.com>
References: <833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
	<51E4F750.9010103@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>
	<51E5A436.5080403@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65DEBF@sinmpt10.corp.go2uti.com>
	<20130717083213.GK22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A66247F@sinmpt10.corp.go2uti.com>
	<20130717155733.GD22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A0120217A@sinmpt11.corp.go2uti.com>
	<51E7AF29.4010006@redhat.com>
	<159018F515D5B14CA76C88F9C425325A012169F0@sinmpt10.corp.go2uti.com>
Message-ID: <159018F515D5B14CA76C88F9C425325A012172E3@sinmpt10.corp.go2uti.com>


    Does anyone have any other suggestions for this or need any additional information?
    Thanks,
    -Mark
 

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Tovey, Mark
Sent: Thursday, July 18, 2013 11:06 AM
To: Pavel B?ezina; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?



host1-> nisdomainname
my_domain.com

host1-> rpm -q sudo
sudo-1.7.2p1-6.el5_5

    Thanks,
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA MTovey at go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Pavel Brezina
Sent: Thursday, July 18, 2013 2:03 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

On 07/17/2013 06:39 PM, Tovey, Mark wrote:
>
>      Okay, I get it (pardon my obtuseness).
>
>      host1-> getent netgroup hgroup1
>      hgroup1                   (host1.my_domain.com, -, my_domain.com)
>
>      So netgroups are working.  The host group is defined in IPA and getent is able to access that information.
>      Thanks,
>      -Mark

Hi,
can you also paste the output of following commands please?

$ nisdomainname
$ rpm -q sudo

Thanks,
Pavel.

>
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
> MTovey at go2uti.com | O / C +1 503 953-1389
>
>
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
> Sent: Wednesday, July 17, 2013 8:58 AM
> To: Tovey, Mark
> Cc: dpal at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On Wed, Jul 17, 2013 at 03:01:58PM +0000, Tovey, Mark wrote:
>>
>>      We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.
>
> OK, these are recent enough to support netgroups and the compat tree should be configured automatically.
>
>> Those came out of the 'latest' repository.  We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything.
>
> Every hostgroup is automatically translated into a netgroup on the server side. You said you have some host groups present, so does "getent netgroup <name-of-hostgroup> return any netgroup data?
>
>>      Thanks,
>>      -Mark
>>
>
>>
>> ________________________________________________________________
>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
>> MTovey at go2uti.com | O / C +1 503 953-1389
>>
>>
>> -----Original Message-----
>> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
>> Sent: Wednesday, July 17, 2013 1:32 AM
>> To: Tovey, Mark
>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>> On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
>>>
>>>
>>>      We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:
>>
>> Hi Mark,
>>
>> you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version..
>>
>> What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?
>>
>> Does getent netgroup <netgroup-name> work?
>>
>>>
>>> [sssd]
>>> config_file_version = 2
>>> services = nss, pam
>>>
>>> domains = my_domain.com
>>> [nss]
>>>
>>> [pam]
>>>
>>>   [domain/my_domain.com]
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True ipa_domain = my_domain.com 
>>> id_provider = ipa auth_provider = ipa access_provider = ipa 
>>> chpass_provider = ipa ipa_server = _srv_, ipa_server.my_domain.com 
>>> ldap_tls_cacert = /etc/ipa/ca.crt debug_level = 6
>>>
>>>
>>>      And the nsswitch.conf file:
>>>
>>> passwd:     files sss
>>> shadow:     files sss
>>> group:      files sss
>>>
>>> hosts:      files dns
>>>
>>> bootparams: nisplus [NOTFOUND=return] files
>>>
>>> ethers:     files
>>> netmasks:   files
>>> networks:   files
>>> protocols:  files
>>> rpc:        files
>>> services:   files
>>>
>>> netgroup:   files sss
>>>
>>> publickey:  nisplus
>>>
>>> automount:  files ldap
>>> aliases:    files
>>>
>>> sudoers:    files ldap
>>>
>>>      Thanks,
>>>      -Mark
>>>
>>>
>>>
>>> ________________________________________________________________
>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
>>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
>>> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>>>
>>>
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com 
>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
>>> Sent: Tuesday, July 16, 2013 12:51 PM
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>
>>> On 07/16/2013 02:11 PM, Tovey, Mark wrote:
>>>>      My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we were able to find RPM packages for them.  We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet.  Again, we are just evaluating at this point.  So far, so good, except for this one point.
>>>>      The doman name, host name, and nsswitch.conf files are all properly configured.  But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).  After you asked about that, I started looking into the documentation on netgroups.  The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats."  But when I look in the Netgroups area, I do not see any netgroups defined.  I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to reflect what was stated in the documentation.
>>>>      But I am still stumped.  I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
>>>>      Thanks,
>>>>      -Mark
>>>
>>> So can it seems that the first thing you need to to do is to make sure your netgroups work.
>>> If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups.
>>> Are you using SSSD for netgroups or something else?
>>> Can you please share your sssd.conf and area where it configures netgroups?
>>> Also is sss in the nsswitch.conf for netgroups map?
>>>
>>>>
>>>>
>>>> ________________________________________________________________
>>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
>>>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
>>>> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>>>>
>>>> -----Original Message-----
>>>> From: Martin Kosek [mailto:mkosek at redhat.com]
>>>> Sent: Tuesday, July 16, 2013 12:34 AM
>>>> To: Tovey, Mark
>>>> Cc: Steven Jones; James Hogarth; Freeipa-users at redhat.com; Pavel 
>>>> Brezina
>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>
>>>> Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that.
>>>>
>>>> ~~~~
>>>> Can you confirm that the output of the following commands:
>>>> 1. $ domainname
>>>> * does it match your domain?
>>>> 2. $ hostname
>>>> * does match match your fqdn?
>>>> 3. $ getent netgroup esolutions-sandbox-hosts
>>>> * does this list your host?
>>>> 4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?
>>>>
>>>>
>>>> Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):
>>>>
>>>> At the top, add the line: sudoers_debug 2
>>>>
>>>> Then try another sudo command. sudo -l for example.
>>>> ~~~~
>>>>
>>>> For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).
>>>>
>>>> Martin
>>>>
>>>>
>>>> On 07/16/2013 06:09 AM, Tovey, Mark wrote:
>>>>>
>>>>>
>>>>>      Okay, I stopped sssd on the client and deleted the cache 
>>>>> files, removed the sudo rule, started sssd and verified that the 
>>>>> rule was gone, stopped sssd and deleted the files again, added the 
>>>>> rule back in, restarted sssd, and still it does not work.
>>>>> One note, when I enter the hosts into the sudo rule in place of 
>>>>> the host group, the effect is immediate; I do not need to restart 
>>>>> sssd.  And the opposite is true too: if I put the host group back, 
>>>>> the rule immediately stops working.  I don't think the issue is 
>>>>> cache related; it seems to be something else.  The serv_account that we are accessing with the sudo rule is external.  I wouldn't expect that to matter, but perhaps it does?
>>>>>
>>>>>
>>>>>
>>>>>      I like your idea for the labels; they make sense.  Right now 
>>>>> we are just evaluating this to see if we want to go this route.
>>>>> So far we like it, but this could be a problem because we have a 
>>>>> several hundred hosts that we need to manage.  Having to enter each one individually will be problematic.
>>>>>
>>>>>      Thanks,
>>>>>
>>>>>      -Mark
>>>>>
>>>>>
>>>>>
>>>>> * *
>>>>>
>>>>> *________________________________________________________________
>>>>> *
>>>>>
>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>
>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
>>>>> Portland
>>>>> | Oregon
>>>>> | 97204 | USA
>>>>>
>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>> mark.tovey2
>>>>>
>>>>>
>>>>>
>>>>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>>>>> *Sent:* Monday, July 15, 2013 4:44 PM
>>>>> *To:* Tovey, Mark; James Hogarth
>>>>> *Cc:* Freeipa-users at redhat.com
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>> option b) delete the rule totally and redo it from scratch.
>>>>>
>>>>> I label rules like this,
>>>>>
>>>>> hb-xxxx   for a hbac rule
>>>>>
>>>>> su-xxxx for a sudo rule
>>>>>
>>>>> sc-xxxx for a sudo command group
>>>>>
>>>>> ug-xxxx for a user group
>>>>>
>>>>> hg-xxxx for a host groups
>>>>>
>>>>> etc
>>>>>
>>>>> etc
>>>>>
>>>>> It makes the logic easier when you go into command line which I 
>>>>> find easier to trace with than the gui at time.
>>>>>
>>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> -----------------------------------------------------------------
>>>>> --
>>>>> --
>>>>> -
>>>>> ---------
>>>>>
>>>>> *From:*Tovey, Mark [MTovey at go2uti.com]
>>>>> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
>>>>> *To:* Steven Jones; James Hogarth
>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>>      That didn't work either.  I set up the host group in my sudo 
>>>>> rule, stopped sssd, renamed /var/lib/sss/db and created a new db 
>>>>> directory, then restarted sssd.  New files were created in the db 
>>>>> directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
>>>>>
>>>>>      Thanks,
>>>>>
>>>>>      -Mark
>>>>>
>>>>>
>>>>>
>>>>> * *
>>>>>
>>>>> *________________________________________________________________
>>>>> *
>>>>>
>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>
>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
>>>>> Portland
>>>>> | Oregon
>>>>> | 97204 | USA
>>>>>
>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>> mark.tovey2
>>>>>
>>>>>
>>>>>
>>>>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>>>>> *Sent:* Monday, July 15, 2013 4:15 PM
>>>>> *To:* Tovey, Mark; James Hogarth
>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> This is a known issue Ive suffered a long time with.  What would 
>>>>> be interesting is adding another host to the host group could well 
>>>>> work fine, that will really make you bang your head against the wall..
>>>>>
>>>>> 2 possibilities, stop the sssd daemon on the problem host, delete 
>>>>> its cache and start it, that might fix it.
>>>>>
>>>>> Otherwise best to,
>>>>>
>>>>> All RH support could come up with is delete the HBAC rule, sudo 
>>>>> rule, user group and host group and re-do it, then it will probably work fine.
>>>>>
>>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> -----------------------------------------------------------------
>>>>> --
>>>>> --
>>>>> -
>>>>> ---------
>>>>>
>>>>> *From:*freeipa-users-bounces at redhat.com
>>>>> <mailto:freeipa-users-bounces at redhat.com>
>>>>> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark 
>>>>> [MTovey at go2uti.com]
>>>>> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
>>>>> *To:* James Hogarth
>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>      I checked that and it is set correctly:
>>>>>
>>>>>
>>>>>
>>>>> [user1 at host1 ~]$ nisdomainname
>>>>>
>>>>> my_domain.com
>>>>>
>>>>>
>>>>>
>>>>>      If I try to run a command with the hosts specified indirectly 
>>>>> through a host group, it fails:
>>>>>
>>>>>
>>>>>
>>>>> [user1 at host1 ~]$ sudo -i -u serv_account
>>>>>
>>>>> LDAP Config Summary
>>>>>
>>>>> ===================
>>>>>
>>>>> uri              ldap://ipa_server.my_domain.com
>>>>>
>>>>> ldap_version     3
>>>>>
>>>>> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
>>>>>
>>>>> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
>>>>>
>>>>> bindpw           **********
>>>>>
>>>>> bind_timelimit   5000
>>>>>
>>>>> timelimit        15
>>>>>
>>>>> ssl              start_tls
>>>>>
>>>>> tls_checkpeer    (yes)
>>>>>
>>>>> tls_cacertfile   /etc/ipa/ca.crt
>>>>>
>>>>> ===================
>>>>>
>>>>> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
>>>>>
>>>>> sudo: ldap_set_option: debug -> 0
>>>>>
>>>>> sudo: ldap_set_option: ldap_version -> 3
>>>>>
>>>>> sudo: ldap_set_option: tls_checkpeer -> 1
>>>>>
>>>>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>>>>>
>>>>> sudo: ldap_set_option: timelimit -> 15
>>>>>
>>>>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>>>>>
>>>>>
>>>>>
>>>>> sudo: ldap_start_tls_s() ok
>>>>>
>>>>> sudo: ldap_sasl_bind_s() ok
>>>>>
>>>>> sudo: no default options found!
>>>>>
>>>>> sudo: ldap search
>>>>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>>
>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>>
>>>>> sudo: ldap sudoHost '+hgroup1' ... not
>>>>>
>>>>> sudo: ldap search 'sudoUser=+*'
>>>>>
>>>>> sudo: user_matches=1
>>>>>
>>>>> sudo: host_matches=0
>>>>>
>>>>> sudo: sudo_ldap_lookup(0)=0x40
>>>>>
>>>>> [sudo] password for user1:
>>>>>
>>>>> Sorry, try again.
>>>>>
>>>>> [sudo] password for user1:
>>>>>
>>>>> sudo: 1 incorrect password attempt
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>      But if I remove the host group from the sudo rule and 
>>>>> directly add the hosts that were in the host group, it works fine:
>>>>>
>>>>>
>>>>>
>>>>> <snip>
>>>>>
>>>>>
>>>>>
>>>>> sudo: ldap_start_tls_s() ok
>>>>>
>>>>> sudo: ldap_sasl_bind_s() ok
>>>>>
>>>>> sudo: no default options found!
>>>>>
>>>>> sudo: ldap search
>>>>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>>
>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>>
>>>>> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
>>>>>
>>>>> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
>>>>>
>>>>> sudo: ldap sudoCommand 'ALL' ... MATCH!
>>>>>
>>>>> sudo: Command allowed
>>>>>
>>>>> sudo: user_matches=1
>>>>>
>>>>> sudo: host_matches=1
>>>>>
>>>>> sudo: sudo_ldap_lookup(0)=0x02
>>>>>
>>>>> [sudo] password for user1:
>>>>>
>>>>> [serv_account at host1 ~]$
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>      So something isn't lining up correctly with host groups in 
>>>>> sudo rules somewhere.  I just haven't been able to track it down.
>>>>>
>>>>>      Thanks,
>>>>>
>>>>>      -Mark
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> * *
>>>>>
>>>>> *________________________________________________________________
>>>>> *
>>>>>
>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>
>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
>>>>> Portland
>>>>> | Oregon
>>>>> | 97204 | USA
>>>>>
>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>> mark.tovey2
>>>>>
>>>>>
>>>>>
>>>>> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
>>>>> *Sent:* Monday, July 15, 2013 1:11 PM
>>>>> *To:* Tovey, Mark
>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>      Did anyone find a solution for this?  I am having the same experience.
>>>>>>
>>>>>>
>>>>>>
>>>>> Wow that was a mess...
>>>>>
>>>>> To use hostgroups for sudo ensure nisdomainname is set on the 
>>>>> hosts to the IPA domain.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



From klarmstrong2 at liberty.edu  Fri Jul 19 17:11:36 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Fri, 19 Jul 2013 17:11:36 +0000
Subject: [Freeipa-users] external CA install problem
Message-ID: <1374253896.4930.4.camel@localhost.localdomain>

I'm trying to install an IPA server using an external CA.

I ran the ipa-server-install --external-ca command, and got my cert signed by our on-site CA.

So then I go back to install using my certs:

ipa-server-install --external_cert_file=/root/ipa.cer --external_ca_file=/root/CACert.cer


I get this for output:

Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_cert_subject_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
Configuration of CA failed


[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instanceConfiguring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_cert_subject_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
Configuration of CA failed
[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
    raise RuntimeError('Configuration of CA failed')



2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed

Any thoughts on what I can do to troubleshoot this?

Thanks.

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130719/e4ed739c/attachment.htm>

From pbrezina at redhat.com  Fri Jul 19 18:01:16 2013
From: pbrezina at redhat.com (=?ISO-8859-2?Q?Pavel_B=F8ezina?=)
Date: Fri, 19 Jul 2013 20:01:16 +0200
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <159018F515D5B14CA76C88F9C425325A012172E3@sinmpt10.corp.go2uti.com>
References: <833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
	<51E4F750.9010103@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>
	<51E5A436.5080403@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65DEBF@sinmpt10.corp.go2uti.com>
	<20130717083213.GK22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A66247F@sinmpt10.corp.go2uti.com>
	<20130717155733.GD22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A0120217A@sinmpt11.corp.go2uti.com>
	<51E7AF29.4010006@redhat.com>
	<159018F515D5B14CA76C88F9C425325A012169F0@sinmpt10.corp.go2uti.com>
	<159018F515D5B14CA76C88F9C425325A012172E3@sinmpt10.corp.go2uti.com>
Message-ID: <51E97EEC.3000304@redhat.com>

Hi,
hostname command outputs "host1.my_domain.com", right? This version of 
sudo is very old, I'll check the code and eventually consult with sudo 
maintainer.

On 07/19/2013 06:49 PM, Tovey, Mark wrote:
>
>      Does anyone have any other suggestions for this or need any additional information?
>      Thanks,
>      -Mark
>
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Tovey, Mark
> Sent: Thursday, July 18, 2013 11:06 AM
> To: Pavel B?ezina; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
>
>
> host1-> nisdomainname
> my_domain.com
>
> host1-> rpm -q sudo
> sudo-1.7.2p1-6.el5_5
>
>      Thanks,
>      -Mark
>
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA MTovey at go2uti.com | O / C +1 503 953-1389
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Pavel Brezina
> Sent: Thursday, July 18, 2013 2:03 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On 07/17/2013 06:39 PM, Tovey, Mark wrote:
>>
>>       Okay, I get it (pardon my obtuseness).
>>
>>       host1-> getent netgroup hgroup1
>>       hgroup1                   (host1.my_domain.com, -, my_domain.com)
>>
>>       So netgroups are working.  The host group is defined in IPA and getent is able to access that information.
>>       Thanks,
>>       -Mark
>
> Hi,
> can you also paste the output of following commands please?
>
> $ nisdomainname
> $ rpm -q sudo
>
> Thanks,
> Pavel.
>
>>
>>
>> ________________________________________________________________
>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW
>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>> MTovey at go2uti.com | O / C +1 503 953-1389
>>
>>
>> -----Original Message-----
>> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
>> Sent: Wednesday, July 17, 2013 8:58 AM
>> To: Tovey, Mark
>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>> On Wed, Jul 17, 2013 at 03:01:58PM +0000, Tovey, Mark wrote:
>>>
>>>       We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.
>>
>> OK, these are recent enough to support netgroups and the compat tree should be configured automatically.
>>
>>> Those came out of the 'latest' repository.  We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything.
>>
>> Every hostgroup is automatically translated into a netgroup on the server side. You said you have some host groups present, so does "getent netgroup <name-of-hostgroup> return any netgroup data?
>>
>>>       Thanks,
>>>       -Mark
>>>
>>
>>>
>>> ________________________________________________________________
>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW
>>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>>> MTovey at go2uti.com | O / C +1 503 953-1389
>>>
>>>
>>> -----Original Message-----
>>> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
>>> Sent: Wednesday, July 17, 2013 1:32 AM
>>> To: Tovey, Mark
>>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>
>>> On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
>>>>
>>>>
>>>>       We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:
>>>
>>> Hi Mark,
>>>
>>> you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version..
>>>
>>> What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?
>>>
>>> Does getent netgroup <netgroup-name> work?
>>>
>>>>
>>>> [sssd]
>>>> config_file_version = 2
>>>> services = nss, pam
>>>>
>>>> domains = my_domain.com
>>>> [nss]
>>>>
>>>> [pam]
>>>>
>>>>    [domain/my_domain.com]
>>>> cache_credentials = True
>>>> krb5_store_password_if_offline = True ipa_domain = my_domain.com
>>>> id_provider = ipa auth_provider = ipa access_provider = ipa
>>>> chpass_provider = ipa ipa_server = _srv_, ipa_server.my_domain.com
>>>> ldap_tls_cacert = /etc/ipa/ca.crt debug_level = 6
>>>>
>>>>
>>>>       And the nsswitch.conf file:
>>>>
>>>> passwd:     files sss
>>>> shadow:     files sss
>>>> group:      files sss
>>>>
>>>> hosts:      files dns
>>>>
>>>> bootparams: nisplus [NOTFOUND=return] files
>>>>
>>>> ethers:     files
>>>> netmasks:   files
>>>> networks:   files
>>>> protocols:  files
>>>> rpc:        files
>>>> services:   files
>>>>
>>>> netgroup:   files sss
>>>>
>>>> publickey:  nisplus
>>>>
>>>> automount:  files ldap
>>>> aliases:    files
>>>>
>>>> sudoers:    files ldap
>>>>
>>>>       Thanks,
>>>>       -Mark
>>>>
>>>>
>>>>
>>>> ________________________________________________________________
>>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW
>>>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>>>> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: freeipa-users-bounces at redhat.com
>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
>>>> Sent: Tuesday, July 16, 2013 12:51 PM
>>>> To: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>
>>>> On 07/16/2013 02:11 PM, Tovey, Mark wrote:
>>>>>       My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we were able to find RPM packages for them.  We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet.  Again, we are just evaluating at this point.  So far, so good, except for this one point.
>>>>>       The doman name, host name, and nsswitch.conf files are all properly configured.  But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).  After you asked about that, I started looking into the documentation on netgroups.  The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats."  But when I look in the Netgroups area, I do not see any netgroups defined.  I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to reflect what was stated in the documentation.
>>>>>       But I am still stumped.  I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
>>>>>       Thanks,
>>>>>       -Mark
>>>>
>>>> So can it seems that the first thing you need to to do is to make sure your netgroups work.
>>>> If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups.
>>>> Are you using SSSD for netgroups or something else?
>>>> Can you please share your sssd.conf and area where it configures netgroups?
>>>> Also is sss in the nsswitch.conf for netgroups map?
>>>>
>>>>>
>>>>>
>>>>> ________________________________________________________________
>>>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW
>>>>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>>>>> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>>>>>
>>>>> -----Original Message-----
>>>>> From: Martin Kosek [mailto:mkosek at redhat.com]
>>>>> Sent: Tuesday, July 16, 2013 12:34 AM
>>>>> To: Tovey, Mark
>>>>> Cc: Steven Jones; James Hogarth; Freeipa-users at redhat.com; Pavel
>>>>> Brezina
>>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>> Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that.
>>>>>
>>>>> ~~~~
>>>>> Can you confirm that the output of the following commands:
>>>>> 1. $ domainname
>>>>> * does it match your domain?
>>>>> 2. $ hostname
>>>>> * does match match your fqdn?
>>>>> 3. $ getent netgroup esolutions-sandbox-hosts
>>>>> * does this list your host?
>>>>> 4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?
>>>>>
>>>>>
>>>>> Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):
>>>>>
>>>>> At the top, add the line: sudoers_debug 2
>>>>>
>>>>> Then try another sudo command. sudo -l for example.
>>>>> ~~~~
>>>>>
>>>>> For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).
>>>>>
>>>>> Martin
>>>>>
>>>>>
>>>>> On 07/16/2013 06:09 AM, Tovey, Mark wrote:
>>>>>>
>>>>>>
>>>>>>       Okay, I stopped sssd on the client and deleted the cache
>>>>>> files, removed the sudo rule, started sssd and verified that the
>>>>>> rule was gone, stopped sssd and deleted the files again, added the
>>>>>> rule back in, restarted sssd, and still it does not work.
>>>>>> One note, when I enter the hosts into the sudo rule in place of
>>>>>> the host group, the effect is immediate; I do not need to restart
>>>>>> sssd.  And the opposite is true too: if I put the host group back,
>>>>>> the rule immediately stops working.  I don't think the issue is
>>>>>> cache related; it seems to be something else.  The serv_account that we are accessing with the sudo rule is external.  I wouldn't expect that to matter, but perhaps it does?
>>>>>>
>>>>>>
>>>>>>
>>>>>>       I like your idea for the labels; they make sense.  Right now
>>>>>> we are just evaluating this to see if we want to go this route.
>>>>>> So far we like it, but this could be a problem because we have a
>>>>>> several hundred hosts that we need to manage.  Having to enter each one individually will be problematic.
>>>>>>
>>>>>>       Thanks,
>>>>>>
>>>>>>       -Mark
>>>>>>
>>>>>>
>>>>>>
>>>>>> * *
>>>>>>
>>>>>> *________________________________________________________________
>>>>>> *
>>>>>>
>>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>>
>>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 |
>>>>>> Portland
>>>>>> | Oregon
>>>>>> | 97204 | USA
>>>>>>
>>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>>> mark.tovey2
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>>>>>> *Sent:* Monday, July 15, 2013 4:44 PM
>>>>>> *To:* Tovey, Mark; James Hogarth
>>>>>> *Cc:* Freeipa-users at redhat.com
>>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>
>>>>>>
>>>>>>
>>>>>> option b) delete the rule totally and redo it from scratch.
>>>>>>
>>>>>> I label rules like this,
>>>>>>
>>>>>> hb-xxxx   for a hbac rule
>>>>>>
>>>>>> su-xxxx for a sudo rule
>>>>>>
>>>>>> sc-xxxx for a sudo command group
>>>>>>
>>>>>> ug-xxxx for a user group
>>>>>>
>>>>>> hg-xxxx for a host groups
>>>>>>
>>>>>> etc
>>>>>>
>>>>>> etc
>>>>>>
>>>>>> It makes the logic easier when you go into command line which I
>>>>>> find easier to trace with than the gui at time.
>>>>>>
>>>>>>
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>>
>>>>>> Technical Specialist - Linux RHCE
>>>>>>
>>>>>> Victoria University, Wellington, NZ
>>>>>>
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>> -----------------------------------------------------------------
>>>>>> --
>>>>>> --
>>>>>> -
>>>>>> ---------
>>>>>>
>>>>>> *From:*Tovey, Mark [MTovey at go2uti.com]
>>>>>> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
>>>>>> *To:* Steven Jones; James Hogarth
>>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>
>>>>>>
>>>>>>
>>>>>>       That didn't work either.  I set up the host group in my sudo
>>>>>> rule, stopped sssd, renamed /var/lib/sss/db and created a new db
>>>>>> directory, then restarted sssd.  New files were created in the db
>>>>>> directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
>>>>>>
>>>>>>       Thanks,
>>>>>>
>>>>>>       -Mark
>>>>>>
>>>>>>
>>>>>>
>>>>>> * *
>>>>>>
>>>>>> *________________________________________________________________
>>>>>> *
>>>>>>
>>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>>
>>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 |
>>>>>> Portland
>>>>>> | Oregon
>>>>>> | 97204 | USA
>>>>>>
>>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>>> mark.tovey2
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>>>>>> *Sent:* Monday, July 15, 2013 4:15 PM
>>>>>> *To:* Tovey, Mark; James Hogarth
>>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> This is a known issue Ive suffered a long time with.  What would
>>>>>> be interesting is adding another host to the host group could well
>>>>>> work fine, that will really make you bang your head against the wall..
>>>>>>
>>>>>> 2 possibilities, stop the sssd daemon on the problem host, delete
>>>>>> its cache and start it, that might fix it.
>>>>>>
>>>>>> Otherwise best to,
>>>>>>
>>>>>> All RH support could come up with is delete the HBAC rule, sudo
>>>>>> rule, user group and host group and re-do it, then it will probably work fine.
>>>>>>
>>>>>>
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>>
>>>>>> Technical Specialist - Linux RHCE
>>>>>>
>>>>>> Victoria University, Wellington, NZ
>>>>>>
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>> -----------------------------------------------------------------
>>>>>> --
>>>>>> --
>>>>>> -
>>>>>> ---------
>>>>>>
>>>>>> *From:*freeipa-users-bounces at redhat.com
>>>>>> <mailto:freeipa-users-bounces at redhat.com>
>>>>>> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark
>>>>>> [MTovey at go2uti.com]
>>>>>> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
>>>>>> *To:* James Hogarth
>>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>       I checked that and it is set correctly:
>>>>>>
>>>>>>
>>>>>>
>>>>>> [user1 at host1 ~]$ nisdomainname
>>>>>>
>>>>>> my_domain.com
>>>>>>
>>>>>>
>>>>>>
>>>>>>       If I try to run a command with the hosts specified indirectly
>>>>>> through a host group, it fails:
>>>>>>
>>>>>>
>>>>>>
>>>>>> [user1 at host1 ~]$ sudo -i -u serv_account
>>>>>>
>>>>>> LDAP Config Summary
>>>>>>
>>>>>> ===================
>>>>>>
>>>>>> uri              ldap://ipa_server.my_domain.com
>>>>>>
>>>>>> ldap_version     3
>>>>>>
>>>>>> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
>>>>>>
>>>>>> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
>>>>>>
>>>>>> bindpw           **********
>>>>>>
>>>>>> bind_timelimit   5000
>>>>>>
>>>>>> timelimit        15
>>>>>>
>>>>>> ssl              start_tls
>>>>>>
>>>>>> tls_checkpeer    (yes)
>>>>>>
>>>>>> tls_cacertfile   /etc/ipa/ca.crt
>>>>>>
>>>>>> ===================
>>>>>>
>>>>>> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
>>>>>>
>>>>>> sudo: ldap_set_option: debug -> 0
>>>>>>
>>>>>> sudo: ldap_set_option: ldap_version -> 3
>>>>>>
>>>>>> sudo: ldap_set_option: tls_checkpeer -> 1
>>>>>>
>>>>>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>>>>>>
>>>>>> sudo: ldap_set_option: timelimit -> 15
>>>>>>
>>>>>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>>>>>>
>>>>>>
>>>>>>
>>>>>> sudo: ldap_start_tls_s() ok
>>>>>>
>>>>>> sudo: ldap_sasl_bind_s() ok
>>>>>>
>>>>>> sudo: no default options found!
>>>>>>
>>>>>> sudo: ldap search
>>>>>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>>>
>>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>>>
>>>>>> sudo: ldap sudoHost '+hgroup1' ... not
>>>>>>
>>>>>> sudo: ldap search 'sudoUser=+*'
>>>>>>
>>>>>> sudo: user_matches=1
>>>>>>
>>>>>> sudo: host_matches=0
>>>>>>
>>>>>> sudo: sudo_ldap_lookup(0)=0x40
>>>>>>
>>>>>> [sudo] password for user1:
>>>>>>
>>>>>> Sorry, try again.
>>>>>>
>>>>>> [sudo] password for user1:
>>>>>>
>>>>>> sudo: 1 incorrect password attempt
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>       But if I remove the host group from the sudo rule and
>>>>>> directly add the hosts that were in the host group, it works fine:
>>>>>>
>>>>>>
>>>>>>
>>>>>> <snip>
>>>>>>
>>>>>>
>>>>>>
>>>>>> sudo: ldap_start_tls_s() ok
>>>>>>
>>>>>> sudo: ldap_sasl_bind_s() ok
>>>>>>
>>>>>> sudo: no default options found!
>>>>>>
>>>>>> sudo: ldap search
>>>>>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>>>
>>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>>>
>>>>>> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
>>>>>>
>>>>>> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
>>>>>>
>>>>>> sudo: ldap sudoCommand 'ALL' ... MATCH!
>>>>>>
>>>>>> sudo: Command allowed
>>>>>>
>>>>>> sudo: user_matches=1
>>>>>>
>>>>>> sudo: host_matches=1
>>>>>>
>>>>>> sudo: sudo_ldap_lookup(0)=0x02
>>>>>>
>>>>>> [sudo] password for user1:
>>>>>>
>>>>>> [serv_account at host1 ~]$
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>       So something isn't lining up correctly with host groups in
>>>>>> sudo rules somewhere.  I just haven't been able to track it down.
>>>>>>
>>>>>>       Thanks,
>>>>>>
>>>>>>       -Mark
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> * *
>>>>>>
>>>>>> *________________________________________________________________
>>>>>> *
>>>>>>
>>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>>
>>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 |
>>>>>> Portland
>>>>>> | Oregon
>>>>>> | 97204 | USA
>>>>>>
>>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>>> mark.tovey2
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
>>>>>> *Sent:* Monday, July 15, 2013 1:11 PM
>>>>>> *To:* Tovey, Mark
>>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>       Did anyone find a solution for this?  I am having the same experience.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Wow that was a mess...
>>>>>>
>>>>>> To use hostgroups for sudo ensure nisdomainname is set on the
>>>>>> hosts to the IPA domain.
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>>>>
>>>>
>>>> -------------------------------
>>>> Looking to carve out IT costs?
>>>> www.redhat.com/carveoutcosts/
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>



From alee at redhat.com  Fri Jul 19 18:07:22 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 19 Jul 2013 14:07:22 -0400
Subject: [Freeipa-users] F18 -> F19 upgrade
In-Reply-To: <51E4198C.40305@redhat.com>
References: <51E0C973.8010801@amiga-hardware.com> <51E4198C.40305@redhat.com>
Message-ID: <1374257242.2951.33.camel@aleeredhat.laptop>

Ian, 

Sorry for the late response.  Just saw this email.

I'm surprised that you were able to update your machine to F19.  We
explicitly put in spec file logic to do a pre-trans check to see if you
had dogtag 9 system instances before updating to f19.  This was to
prevent people from getting into a situation where there installation
was broken.

The issue is that dogtag 9 instances use tomcat 6, and tomcat 6 is no
longer in fedora 19.  Dogtag 10 instances, on the other hand, use tomcat
7.  The two instance types are therefore incompatible.

The suggestion therefore would have been to create a replica of the ipa
master prior to doing the upgrade to F19.  In fact, you could have just
installed a brand new f19 machine and then created a replica (and then
shut down the old machine).

Seeing as you have somehow upgraded your machine to F19, we need to try
and get your system back up.  For that, you need to follow the
instructions in "Workaround" ie. installing tomcat6 and downgrading
tomcatjss to the version in f18.  That will hopefully get your CA up and
running.  At that point, it is highly recommended that you use ipa
utilities to create a replica and use that instead.

Ade

On Mon, 2013-07-15 at 17:47 +0200, Martin Kosek wrote:
> On 07/13/2013 05:28 AM, Ian Chapman wrote:
> > Hi,
> > 
> > I've just recently upgrade my F18 server to F19 and IPA is failing to start:
> > 
> > Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Aborting ipactl
> > Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting Directory Service
> > Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting krb5kdc Service
> > Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting kadmin Service
> > Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting ipa_memcached Service
> > Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting httpd Service
> > Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting pki-cad Service
> > Jul 13 10:52:30 rex.homenet.lan systemd[1]: ipa.service: main process exited,
> > code=exited, status=1/FAILURE
> > Jul 13 10:52:30 rex.homenet.lan systemd[1]: Failed to start Identity, Policy,
> > Audit.
> > Jul 13 10:52:30 rex.homenet.lan systemd[1]: Unit ipa.service entered failed state.
> > 
> > 
> > 
> > It seems that the pki-cad service fails to start. Is that in relation to dogtag
> > upgrade of 9 to 10 or possibly another problem?
> > 
> > There is of course this page:
> > 
> > http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10
> > 
> > but frankly I don't really understand it. Well I get that the idea is to create
> > a new pki cloned instance which would be dogtag 10 compatible and then delete
> > the old one - I'm really don't know what I'm supposed to put in the
> > configuration file. Has anybody else done this? Is there some more examples?
> > Thanks.
> > 
> > 
> > The status of pki-cad is:
> > 
> > systemctl status pki-cad at pki-ca.service
> > pki-cad at pki-ca.service - PKI Certificate Authority Server pki-ca
> >    Loaded: loaded (/usr/lib/systemd/system/pki-cad at .service; enabled)
> >    Active: failed (Result: exit-code) since Sat 2013-07-13 10:54:23 WST; 30min ago
> >   Process: 98170 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited,
> > status=1/FAILURE)
> > 
> > Jul 13 10:54:23 rex.homenet.lan systemd[1]: Starting PKI Certificate Authority
> > Server pki-ca...
> > Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: WARNING:  Symbolic link
> > '/var/lib/pki-ca/pki-ca' does NOT exist!
> > Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: INFO:  Attempting to create
> > '/var/lib/pki-ca/pki-ca' -> '/usr/sbin/tomcat6-sysd' . . .
> > Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: ERROR:  Failed making
> > '/var/lib/pki-ca/pki-ca' -> '/usr/sbin/tomcat6-sysd' since target '/usr/sb...T
> > exist!
> > Jul 13 10:54:23 rex.homenet.lan systemd[1]: pki-cad at pki-ca.service: control
> > process exited, code=exited status=1
> > Jul 13 10:54:23 rex.homenet.lan systemd[1]: Failed to start PKI Certificate
> > Authority Server pki-ca.
> > Jul 13 10:54:23 rex.homenet.lan systemd[1]: Unit pki-cad at pki-ca.service entered
> > failed state.
> >
> 
> Adding PKI/Dogtag developers to CC to advise.
> 
> Martin




From alee at redhat.com  Fri Jul 19 18:20:10 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 19 Jul 2013 14:20:10 -0400
Subject: [Freeipa-users] problem creating replica
In-Reply-To: <CAJ8DPF5QSPsJoSQi4=miuvi2u8Ojx7cW6Cw8f8P+s=DS52tUFA@mail.gmail.com>
References: <CAJ8DPF7-nAxu5+BbLt0t7Hb2reJrYg273v6r6kQq3j2gnsEeOA@mail.gmail.com>
	<CAJ8DPF4Fdeu5VBK4wdcm_cS1ATE3WR4b8-fE42m1ERTvP18u1A@mail.gmail.com>
	<51E7BA4F.2060903@redhat.com>
	<CAJ8DPF5DvkXeN5h3AOiO61cUppSKDRSuqPkZCnUF-6A582vfOw@mail.gmail.com>
	<CAJ8DPF5QSPsJoSQi4=miuvi2u8Ojx7cW6Cw8f8P+s=DS52tUFA@mail.gmail.com>
Message-ID: <1374258010.2951.38.camel@aleeredhat.laptop>


On Fri, 2013-07-19 at 14:14 +1000, Pete Brown wrote:
> I was just trying this again and noticed there is a
> /var/log/pki/pki-ca-spawn.20130719140342.log file with what i assume
> is the logging for the attempt to create the pki.
> right at the end is this entry.
> 
> 2013-07-19 14:04:42 pkispawn    : INFO     ....... unable to access
> security domain through REST interface.  Trying old interface. 503
> Server Error: Service Unavailable
> 
> Does anyone know what that means and how to fix it?
> 

This means that the dogtag CA is trying to contact the dogtag master -
and is failing to do so.  It may be trying to access the wrong port.

What version do you have for :
rpm -q pki-ca ?

Please attach the logs for the replica CA.
/var/log/pki/pki-tomcat/*

You are also exactly correct in creating a replica before upgrading to
F19.  Much older dogtag instances (based on dogtag 9) will not work in
f19 due to tomcat6 not being available in f19.

Ade
> 
> On 19 July 2013 12:46, Pete Brown <rendhalver at gmail.com> wrote:
> > On 18 July 2013 19:50, Petr Viktorin <pviktori at redhat.com> wrote:
> >> On 07/18/2013 03:31 AM, Pete Brown wrote:
> >>>
> >>> I opened all the ports that seemed to be listening n the master.
> >>> I also ran the setup again without disabling the connection check to
> >>> see what else needed fixing.
> >>> It seems after much investigation and log dredging it seems my admin
> >>> password had expired.
> >>> I wasn't aware that was possible.
> >>> I reset the password and it seemed to get further.
> >>> This for some reason not mentioned in the documentation the replica is
> >>> trying to ssh into the master as admin.
> >>> I managed to fix that by changing my setup and ssh config files.
> >>>
> >>> Then it actually managed to start the setup process.
> >>> But again it fails at exactly the same point mentioned in my initial
> >>> email.
> >>>
> >>> After some further digging with reference to the log output below it
> >>> seems I have run into a bug that seems to have been fixed.
> >>> https://fedorahosted.org/freeipa/ticket/3213
> >>> As I mentioned I am running current Fedora 18 so freeipa is
> >>> 3.1.5-1.fc18 is that fixed in my version?
> >>
> >>
> >> Yes, that bug was fixed in 3.1.0.
> >
> > Well the script is still complaining about not being able to find
> > dogtag_master_ds_port and the option still appears in my version of
> > the script.
> > Which from the bug seems to be what was causing the issue and the
> > ipareplica-install log I included below says this is the case.
> > It seems a bit odd because this is a fresh install of 3.1.5.
> >
> >
> >
> >>> It also seems the dogatg and IPA directories will be or have been merged?
> >>> Which version did this happen in and will it get applied to my server?
> >>
> >>
> >> Also in 3.1.0; new servers installed using that version have merged
> >> databases.
> >
> > I still seem to have split instances.
> > I did the install before Fedora 18 was released because I wanted ipa 3
> > and that was the only way I could get it.
> > Will they get merged at some point or can I do it manually?
> >
> >>
> >>> Can anyone suggest how I go about fixing this issue?
> >>
> >>
> >> Well, ipa-server-uninstall can misbehave if CA installation goes wrong
> >> (ticket #2796).
> >> So I would start by uninstalling, then running the following command to make
> >> sure CA is not left:
> >>     sudo pkidestroy -s CA -i pki-tomcat
> >> then installing again.
> >
> > Ran that on my replica after the install and before the clean and it said this.
> > That would make sense because it fails during the ca creation stage.
> >
> > root at ipa2 ~]# pkidestroy -s CA -i pki-tomcat
> > ERROR:  PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!
> >
> >
> >>
> >> Can you also provide logs without the --skip-conncheck flag? Specifically
> >> the /var/log/ipareplica-conncheck.log should be interesting.
> >
> > From what I can tell all the tests in the connection check passed.
> >
> >>
> >>
> >>> I wanted to create a replica so I could upgrade to fedora 19 and not
> >>> have to take my single instance of FreeIPA offline while that was
> >>> happening.
> >>> Will I need to upgrade to Fedora 19 to fix my issue?
> >>
> >>
> >>
> >>> For reference this is the point of failure in the
> >>> /var/log/ipareplica-install.log file
> >>>
> >>> 2013-07-18T01:06:16Z DEBUG Starting external process
> >>> 2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
> >>> 2013-07-18T01:08:16Z DEBUG Process finished, return code=1
> >>> 2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration
> >>> from /tmp/tmpFKBxMW.
> >>> ERROR:  Unable to access security domain: 503 Server Error: Service
> >>> Unavailable
> >>
> >>
> >> Please also check logs on the existing server. Is the CA available?
> >> Does e.g. `ipa cert-show 1` work?
> >>
> >>> 2013-07-18T01:08:16Z DEBUG stderr=
> >>> 2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command
> >>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit
> >>> status 1
> >>> 2013-07-18T01:08:16Z INFO   File
> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> >>> line 619, in run_script
> >>>      return_value = main_function()
> >>>
> >>>    File "/usr/sbin/ipa-replica-install", line 652, in main
> >>>      (CA, cs) = cainstance.install_replica_ca(config,
> >>> dogtag_master_ds_port)
> >>>
> >>>    File
> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> >>> line 1809, in install_replica_ca
> >>>      subject_base=config.subject_base)
> >>>
> >>>    File
> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> >>> line 625, in configure_instance
> >>>      self.start_creation(runtime=210)
> >>>
> >>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> >>> line 358, in start_creation
> >>>      method()
> >>>
> >>>    File
> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> >>> line 744, in __spawn_instance
> >>>      raise RuntimeError('Configuration of CA failed')
> >>>
> >>> 2013-07-18T01:08:16Z INFO The ipa-replica-install command failed,
> >>> exception: RuntimeError: Configuration of CA failed
> >>>
> >>> On 17 July 2013 15:52, Pete Brown <rendhalver at gmail.com> wrote:
> >>>>
> >>>> Hi everyone,
> >>>>
> >>>> I am attempting to create a replica of my freeipa server.
> >>>> I am following the docs but they are not working for me.
> >>>> I am getting the vague impression I am missing a step that doesn't
> >>>> seem to be documented.
> >>>>
> >>>> For the record all the posts listed are open and it was a clean
> >>>> install of Fedora 18.
> >>>>
> >>>> I thought the server may need to be a client of the master before I
> >>>> set it up as a replica but it just said I needed to uninstall the
> >>>> client setup.
> >>>>
> >>>> After running ipa-replica-prepare on the master and scping the file to
> >>>> the new replica.
> >>>> I ran this command on the new replica
> >>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
> >>>> --forwarder=XXX.XXX.XXX.XX --forwarder=XX.XXX.XXX.XXX
> >>>> /var/lib/ipa/replica-info-ipa2.domain.com.gpg
> >>>>
> >>>> The error I am seeing is from that command is this:
> >>>> Cannot acquire Kerberos ticket: kinit: Cannot read password while
> >>>> getting initial credentials
> >>>>
> >>>> Connection check failed!
> >>>> Please fix your network settings according to error messages above.
> >>>> If the check results are not valid it can be skipped with
> >>>> --skip-conncheck parameter.
> >>>>
> >>>> So I cleaned everything off (i think) and tried it with this command
> >>>>
> >>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
> >>>> --forwarder=61.9.211.33 --forwarder=61.9.211.1 --skip-conncheck
> >>>> /var/lib/ipa/replica-info-ipa2.webgatetec.com.gpg
> >>>>
> >>>> This seems to actually start the install and setup process i remember
> >>>> from installing the ipa server initially
> >>>>
> >>>> This it fails with this output
> >>>>
> >>>> WARNING: conflicting time&date synchronization service 'chronyd' will
> >>>> be disabled in favor of ntpd
> >>>>
> >>>> Directory Manager (existing master) password:
> >>>>
> >>>> Configuring NTP daemon (ntpd)
> >>>>    [1/4]: stopping ntpd
> >>>>    [2/4]: writing configuration
> >>>>    [3/4]: configuring ntpd to start on boot
> >>>>    [4/4]: starting ntpd
> >>>> Done configuring NTP daemon (ntpd).
> >>>> Configuring directory server (dirsrv): Estimated time 1 minute
> >>>>    [1/31]: creating directory server user
> >>>>    [2/31]: creating directory server instance
> >>>>    [3/31]: adding default schema
> >>>>    [4/31]: enabling memberof plugin
> >>>>    [5/31]: enabling winsync plugin
> >>>>    [6/31]: configuring replication version plugin
> >>>>    [7/31]: enabling IPA enrollment plugin
> >>>>    [8/31]: enabling ldapi
> >>>>    [9/31]: configuring uniqueness plugin
> >>>>    [10/31]: configuring uuid plugin
> >>>>    [11/31]: configuring modrdn plugin
> >>>>    [12/31]: configuring DNS plugin
> >>>>    [13/31]: enabling entryUSN plugin
> >>>>    [14/31]: configuring lockout plugin
> >>>>    [15/31]: creating indices
> >>>>    [16/31]: enabling referential integrity plugin
> >>>>    [17/31]: configuring ssl for ds instance
> >>>>    [18/31]: configuring certmap.conf
> >>>>    [19/31]: configure autobind for root
> >>>>    [20/31]: configure new location for managed entries
> >>>>    [21/31]: restarting directory server
> >>>>    [22/31]: setting up initial replication
> >>>> Starting replication, please wait until this has completed.
> >>>> Update in progress
> >>>> Update in progress
> >>>> Update in progress
> >>>> Update in progress
> >>>> Update succeeded
> >>>>    [23/31]: adding replication acis
> >>>>    [24/31]: setting Auto Member configuration
> >>>>    [25/31]: enabling S4U2Proxy delegation
> >>>>    [26/31]: initializing group membership
> >>>>    [27/31]: adding master entry
> >>>>    [28/31]: configuring Posix uid/gid generation
> >>>>    [29/31]: enabling compatibility plugin
> >>>>    [30/31]: tuning directory server
> >>>>    [31/31]: configuring directory to start on boot
> >>>> Done configuring directory server (dirsrv).
> >>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
> >>>> 30 seconds
> >>>>    [1/17]: creating certificate server user
> >>>>    [2/17]: configuring certificate server instance
> >>>> ipa         : CRITICAL failed to configure ca instance Command
> >>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmptGcdgB' returned non-zero exit
> >>>> status 1
> >>>>
> >>>> Your system may be partly configured.
> >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >>>>
> >>>> Configuration of CA failed
> >>>>
> >>>> I even tried cleaning it again at that point and made sure all the
> >>>> ports were open and still got the same error.
> >>>>
> >>>> I also switched selinux to permissive mode cleaned up and rebooted but
> >>>> that didn't help either
> >>>>
> >>>> Can someone please point out what I need to do to get this working.
> >>>>
> >>>> Thanks in advance.
> >>>> Pete.
> >>>
> >>>
> >>> _______________________________________________
> >>> Freeipa-users mailing list
> >>> Freeipa-users at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>
> >>
> >>
> >> --
> >> Petr?
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




From MTovey at go2uti.com  Fri Jul 19 19:47:33 2013
From: MTovey at go2uti.com (Tovey, Mark)
Date: Fri, 19 Jul 2013 19:47:33 +0000
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <51E97EEC.3000304@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
	<51E4F750.9010103@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>
	<51E5A436.5080403@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65DEBF@sinmpt10.corp.go2uti.com>
	<20130717083213.GK22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A66247F@sinmpt10.corp.go2uti.com>
	<20130717155733.GD22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A0120217A@sinmpt11.corp.go2uti.com>
	<51E7AF29.4010006@redhat.com>
	<159018F515D5B14CA76C88F9C425325A012169F0@sinmpt10.corp.go2uti.com>
	<159018F515D5B14CA76C88F9C425325A012172E3@sinmpt10.corp.go2uti.com>
	<51E97EEC.3000304@redhat.com>
Message-ID: <159018F515D5B14CA76C88F9C425325A0121962B@sinmpt10.corp.go2uti.com>


    That is correct:

host1-> hostname
host1.my_domain.com

    I was beginning to suspect that it is in sudo.  I checked the documentation for that version of sudo and it does include support for netgroups.  Perhaps I need something extra in the sudoers file, or an additional option.
    Thanks,
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389


-----Original Message-----
From: Pavel B?ezina [mailto:pbrezina at redhat.com] 
Sent: Friday, July 19, 2013 11:01 AM
To: Tovey, Mark
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo rules user and host group bugs?

Hi,
hostname command outputs "host1.my_domain.com", right? This version of sudo is very old, I'll check the code and eventually consult with sudo maintainer.

On 07/19/2013 06:49 PM, Tovey, Mark wrote:
>
>      Does anyone have any other suggestions for this or need any additional information?
>      Thanks,
>      -Mark
>
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
> MTovey at go2uti.com | O / C +1 503 953-1389
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Tovey, Mark
> Sent: Thursday, July 18, 2013 11:06 AM
> To: Pavel B?ezina; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
>
>
> host1-> nisdomainname
> my_domain.com
>
> host1-> rpm -q sudo
> sudo-1.7.2p1-6.el5_5
>
>      Thanks,
>      -Mark
>
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
> MTovey at go2uti.com | O / C +1 503 953-1389
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Pavel Brezina
> Sent: Thursday, July 18, 2013 2:03 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> On 07/17/2013 06:39 PM, Tovey, Mark wrote:
>>
>>       Okay, I get it (pardon my obtuseness).
>>
>>       host1-> getent netgroup hgroup1
>>       hgroup1                   (host1.my_domain.com, -, my_domain.com)
>>
>>       So netgroups are working.  The host group is defined in IPA and getent is able to access that information.
>>       Thanks,
>>       -Mark
>
> Hi,
> can you also paste the output of following commands please?
>
> $ nisdomainname
> $ rpm -q sudo
>
> Thanks,
> Pavel.
>
>>
>>
>> ________________________________________________________________
>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
>> MTovey at go2uti.com | O / C +1 503 953-1389
>>
>>
>> -----Original Message-----
>> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
>> Sent: Wednesday, July 17, 2013 8:58 AM
>> To: Tovey, Mark
>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>> On Wed, Jul 17, 2013 at 03:01:58PM +0000, Tovey, Mark wrote:
>>>
>>>       We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.
>>
>> OK, these are recent enough to support netgroups and the compat tree should be configured automatically.
>>
>>> Those came out of the 'latest' repository.  We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything.
>>
>> Every hostgroup is automatically translated into a netgroup on the server side. You said you have some host groups present, so does "getent netgroup <name-of-hostgroup> return any netgroup data?
>>
>>>       Thanks,
>>>       -Mark
>>>
>>
>>>
>>> ________________________________________________________________
>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
>>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
>>> MTovey at go2uti.com | O / C +1 503 953-1389
>>>
>>>
>>> -----Original Message-----
>>> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
>>> Sent: Wednesday, July 17, 2013 1:32 AM
>>> To: Tovey, Mark
>>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>
>>> On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
>>>>
>>>>
>>>>       We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:
>>>
>>> Hi Mark,
>>>
>>> you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version..
>>>
>>> What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?
>>>
>>> Does getent netgroup <netgroup-name> work?
>>>
>>>>
>>>> [sssd]
>>>> config_file_version = 2
>>>> services = nss, pam
>>>>
>>>> domains = my_domain.com
>>>> [nss]
>>>>
>>>> [pam]
>>>>
>>>>    [domain/my_domain.com]
>>>> cache_credentials = True
>>>> krb5_store_password_if_offline = True ipa_domain = my_domain.com 
>>>> id_provider = ipa auth_provider = ipa access_provider = ipa 
>>>> chpass_provider = ipa ipa_server = _srv_, ipa_server.my_domain.com 
>>>> ldap_tls_cacert = /etc/ipa/ca.crt debug_level = 6
>>>>
>>>>
>>>>       And the nsswitch.conf file:
>>>>
>>>> passwd:     files sss
>>>> shadow:     files sss
>>>> group:      files sss
>>>>
>>>> hosts:      files dns
>>>>
>>>> bootparams: nisplus [NOTFOUND=return] files
>>>>
>>>> ethers:     files
>>>> netmasks:   files
>>>> networks:   files
>>>> protocols:  files
>>>> rpc:        files
>>>> services:   files
>>>>
>>>> netgroup:   files sss
>>>>
>>>> publickey:  nisplus
>>>>
>>>> automount:  files ldap
>>>> aliases:    files
>>>>
>>>> sudoers:    files ldap
>>>>
>>>>       Thanks,
>>>>       -Mark
>>>>
>>>>
>>>>
>>>> ________________________________________________________________
>>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
>>>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
>>>> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: freeipa-users-bounces at redhat.com 
>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
>>>> Sent: Tuesday, July 16, 2013 12:51 PM
>>>> To: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>
>>>> On 07/16/2013 02:11 PM, Tovey, Mark wrote:
>>>>>       My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we were able to find RPM packages for them.  We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet.  Again, we are just evaluating at this point.  So far, so good, except for this one point.
>>>>>       The doman name, host name, and nsswitch.conf files are all properly configured.  But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).  After you asked about that, I started looking into the documentation on netgroups.  The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats."  But when I look in the Netgroups area, I do not see any netgroups defined.  I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to reflect what was stated in the documentation.
>>>>>       But I am still stumped.  I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
>>>>>       Thanks,
>>>>>       -Mark
>>>>
>>>> So can it seems that the first thing you need to to do is to make sure your netgroups work.
>>>> If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups.
>>>> Are you using SSSD for netgroups or something else?
>>>> Can you please share your sssd.conf and area where it configures netgroups?
>>>> Also is sss in the nsswitch.conf for netgroups map?
>>>>
>>>>>
>>>>>
>>>>> ________________________________________________________________
>>>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 
>>>>> SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
>>>>> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>>>>>
>>>>> -----Original Message-----
>>>>> From: Martin Kosek [mailto:mkosek at redhat.com]
>>>>> Sent: Tuesday, July 16, 2013 12:34 AM
>>>>> To: Tovey, Mark
>>>>> Cc: Steven Jones; James Hogarth; Freeipa-users at redhat.com; Pavel 
>>>>> Brezina
>>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>> Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that.
>>>>>
>>>>> ~~~~
>>>>> Can you confirm that the output of the following commands:
>>>>> 1. $ domainname
>>>>> * does it match your domain?
>>>>> 2. $ hostname
>>>>> * does match match your fqdn?
>>>>> 3. $ getent netgroup esolutions-sandbox-hosts
>>>>> * does this list your host?
>>>>> 4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?
>>>>>
>>>>>
>>>>> Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):
>>>>>
>>>>> At the top, add the line: sudoers_debug 2
>>>>>
>>>>> Then try another sudo command. sudo -l for example.
>>>>> ~~~~
>>>>>
>>>>> For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).
>>>>>
>>>>> Martin
>>>>>
>>>>>
>>>>> On 07/16/2013 06:09 AM, Tovey, Mark wrote:
>>>>>>
>>>>>>
>>>>>>       Okay, I stopped sssd on the client and deleted the cache 
>>>>>> files, removed the sudo rule, started sssd and verified that the 
>>>>>> rule was gone, stopped sssd and deleted the files again, added 
>>>>>> the rule back in, restarted sssd, and still it does not work.
>>>>>> One note, when I enter the hosts into the sudo rule in place of 
>>>>>> the host group, the effect is immediate; I do not need to restart 
>>>>>> sssd.  And the opposite is true too: if I put the host group 
>>>>>> back, the rule immediately stops working.  I don't think the 
>>>>>> issue is cache related; it seems to be something else.  The serv_account that we are accessing with the sudo rule is external.  I wouldn't expect that to matter, but perhaps it does?
>>>>>>
>>>>>>
>>>>>>
>>>>>>       I like your idea for the labels; they make sense.  Right 
>>>>>> now we are just evaluating this to see if we want to go this route.
>>>>>> So far we like it, but this could be a problem because we have a 
>>>>>> several hundred hosts that we need to manage.  Having to enter each one individually will be problematic.
>>>>>>
>>>>>>       Thanks,
>>>>>>
>>>>>>       -Mark
>>>>>>
>>>>>>
>>>>>>
>>>>>> * *
>>>>>>
>>>>>> *________________________________________________________________
>>>>>> *
>>>>>>
>>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>>
>>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
>>>>>> Portland
>>>>>> | Oregon
>>>>>> | 97204 | USA
>>>>>>
>>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>>> mark.tovey2
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>>>>>> *Sent:* Monday, July 15, 2013 4:44 PM
>>>>>> *To:* Tovey, Mark; James Hogarth
>>>>>> *Cc:* Freeipa-users at redhat.com
>>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>
>>>>>>
>>>>>>
>>>>>> option b) delete the rule totally and redo it from scratch.
>>>>>>
>>>>>> I label rules like this,
>>>>>>
>>>>>> hb-xxxx   for a hbac rule
>>>>>>
>>>>>> su-xxxx for a sudo rule
>>>>>>
>>>>>> sc-xxxx for a sudo command group
>>>>>>
>>>>>> ug-xxxx for a user group
>>>>>>
>>>>>> hg-xxxx for a host groups
>>>>>>
>>>>>> etc
>>>>>>
>>>>>> etc
>>>>>>
>>>>>> It makes the logic easier when you go into command line which I 
>>>>>> find easier to trace with than the gui at time.
>>>>>>
>>>>>>
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>>
>>>>>> Technical Specialist - Linux RHCE
>>>>>>
>>>>>> Victoria University, Wellington, NZ
>>>>>>
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>> -----------------------------------------------------------------
>>>>>> --
>>>>>> --
>>>>>> -
>>>>>> ---------
>>>>>>
>>>>>> *From:*Tovey, Mark [MTovey at go2uti.com]
>>>>>> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
>>>>>> *To:* Steven Jones; James Hogarth
>>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>
>>>>>>
>>>>>>
>>>>>>       That didn't work either.  I set up the host group in my 
>>>>>> sudo rule, stopped sssd, renamed /var/lib/sss/db and created a 
>>>>>> new db directory, then restarted sssd.  New files were created in 
>>>>>> the db directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
>>>>>>
>>>>>>       Thanks,
>>>>>>
>>>>>>       -Mark
>>>>>>
>>>>>>
>>>>>>
>>>>>> * *
>>>>>>
>>>>>> *________________________________________________________________
>>>>>> *
>>>>>>
>>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>>
>>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
>>>>>> Portland
>>>>>> | Oregon
>>>>>> | 97204 | USA
>>>>>>
>>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>>> mark.tovey2
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>>>>>> *Sent:* Monday, July 15, 2013 4:15 PM
>>>>>> *To:* Tovey, Mark; James Hogarth
>>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> This is a known issue Ive suffered a long time with.  What would 
>>>>>> be interesting is adding another host to the host group could 
>>>>>> well work fine, that will really make you bang your head against the wall..
>>>>>>
>>>>>> 2 possibilities, stop the sssd daemon on the problem host, delete 
>>>>>> its cache and start it, that might fix it.
>>>>>>
>>>>>> Otherwise best to,
>>>>>>
>>>>>> All RH support could come up with is delete the HBAC rule, sudo 
>>>>>> rule, user group and host group and re-do it, then it will probably work fine.
>>>>>>
>>>>>>
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>>
>>>>>> Technical Specialist - Linux RHCE
>>>>>>
>>>>>> Victoria University, Wellington, NZ
>>>>>>
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>> -----------------------------------------------------------------
>>>>>> --
>>>>>> --
>>>>>> -
>>>>>> ---------
>>>>>>
>>>>>> *From:*freeipa-users-bounces at redhat.com
>>>>>> <mailto:freeipa-users-bounces at redhat.com>
>>>>>> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark 
>>>>>> [MTovey at go2uti.com]
>>>>>> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
>>>>>> *To:* James Hogarth
>>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>       I checked that and it is set correctly:
>>>>>>
>>>>>>
>>>>>>
>>>>>> [user1 at host1 ~]$ nisdomainname
>>>>>>
>>>>>> my_domain.com
>>>>>>
>>>>>>
>>>>>>
>>>>>>       If I try to run a command with the hosts specified 
>>>>>> indirectly through a host group, it fails:
>>>>>>
>>>>>>
>>>>>>
>>>>>> [user1 at host1 ~]$ sudo -i -u serv_account
>>>>>>
>>>>>> LDAP Config Summary
>>>>>>
>>>>>> ===================
>>>>>>
>>>>>> uri              ldap://ipa_server.my_domain.com
>>>>>>
>>>>>> ldap_version     3
>>>>>>
>>>>>> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
>>>>>>
>>>>>> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
>>>>>>
>>>>>> bindpw           **********
>>>>>>
>>>>>> bind_timelimit   5000
>>>>>>
>>>>>> timelimit        15
>>>>>>
>>>>>> ssl              start_tls
>>>>>>
>>>>>> tls_checkpeer    (yes)
>>>>>>
>>>>>> tls_cacertfile   /etc/ipa/ca.crt
>>>>>>
>>>>>> ===================
>>>>>>
>>>>>> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
>>>>>>
>>>>>> sudo: ldap_set_option: debug -> 0
>>>>>>
>>>>>> sudo: ldap_set_option: ldap_version -> 3
>>>>>>
>>>>>> sudo: ldap_set_option: tls_checkpeer -> 1
>>>>>>
>>>>>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>>>>>>
>>>>>> sudo: ldap_set_option: timelimit -> 15
>>>>>>
>>>>>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>>>>>>
>>>>>>
>>>>>>
>>>>>> sudo: ldap_start_tls_s() ok
>>>>>>
>>>>>> sudo: ldap_sasl_bind_s() ok
>>>>>>
>>>>>> sudo: no default options found!
>>>>>>
>>>>>> sudo: ldap search
>>>>>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>>>
>>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>>>
>>>>>> sudo: ldap sudoHost '+hgroup1' ... not
>>>>>>
>>>>>> sudo: ldap search 'sudoUser=+*'
>>>>>>
>>>>>> sudo: user_matches=1
>>>>>>
>>>>>> sudo: host_matches=0
>>>>>>
>>>>>> sudo: sudo_ldap_lookup(0)=0x40
>>>>>>
>>>>>> [sudo] password for user1:
>>>>>>
>>>>>> Sorry, try again.
>>>>>>
>>>>>> [sudo] password for user1:
>>>>>>
>>>>>> sudo: 1 incorrect password attempt
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>       But if I remove the host group from the sudo rule and 
>>>>>> directly add the hosts that were in the host group, it works fine:
>>>>>>
>>>>>>
>>>>>>
>>>>>> <snip>
>>>>>>
>>>>>>
>>>>>>
>>>>>> sudo: ldap_start_tls_s() ok
>>>>>>
>>>>>> sudo: ldap_sasl_bind_s() ok
>>>>>>
>>>>>> sudo: no default options found!
>>>>>>
>>>>>> sudo: ldap search
>>>>>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>>>
>>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>>>
>>>>>> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
>>>>>>
>>>>>> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
>>>>>>
>>>>>> sudo: ldap sudoCommand 'ALL' ... MATCH!
>>>>>>
>>>>>> sudo: Command allowed
>>>>>>
>>>>>> sudo: user_matches=1
>>>>>>
>>>>>> sudo: host_matches=1
>>>>>>
>>>>>> sudo: sudo_ldap_lookup(0)=0x02
>>>>>>
>>>>>> [sudo] password for user1:
>>>>>>
>>>>>> [serv_account at host1 ~]$
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>       So something isn't lining up correctly with host groups in 
>>>>>> sudo rules somewhere.  I just haven't been able to track it down.
>>>>>>
>>>>>>       Thanks,
>>>>>>
>>>>>>       -Mark
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> * *
>>>>>>
>>>>>> *________________________________________________________________
>>>>>> *
>>>>>>
>>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>>
>>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | 
>>>>>> Portland
>>>>>> | Oregon
>>>>>> | 97204 | USA
>>>>>>
>>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>>> mark.tovey2
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
>>>>>> *Sent:* Monday, July 15, 2013 1:11 PM
>>>>>> *To:* Tovey, Mark
>>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>       Did anyone find a solution for this?  I am having the same experience.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Wow that was a mess...
>>>>>>
>>>>>> To use hostgroups for sudo ensure nisdomainname is set on the 
>>>>>> hosts to the IPA domain.
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>>>>
>>>>
>>>> -------------------------------
>>>> Looking to carve out IT costs?
>>>> www.redhat.com/carveoutcosts/
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>




From sakodak at gmail.com  Fri Jul 19 20:54:52 2013
From: sakodak at gmail.com (KodaK)
Date: Fri, 19 Jul 2013 15:54:52 -0500
Subject: [Freeipa-users] IPA + AD authentication in apache
In-Reply-To: <51E95345.5070204@gmail.com>
References: <CAA9J0ZF00x6iRuX5vLAfV4gbfQYF5fP460EkErsRvMoUxV0i2A@mail.gmail.com>
	<c8d55c08-c4ba-4b4a-8456-ae3acd52fd0e@email.android.com>
	<CAA9J0ZFZqc-5LjQZoZv-AUYY+4HCkzEWcM1EnTgd79Y7dXPcyg@mail.gmail.com>
	<25219.213.225.75.97.1374242942.squirrel@www.nixtra.com>
	<51E95345.5070204@gmail.com>
Message-ID: <CAA9J0ZHw=3myDnmYb3ug7v6fGm87LOAR5Xo-7dNirdqANfpYFQ@mail.gmail.com>

On Fri, Jul 19, 2013 at 9:55 AM, natxo asenjo <natxo.asenjo at gmail.com> wrote:
> On 07/19/2013 04:09 PM, Sigbjorn Lie wrote:
>>
>>
>> Retreive a keytab from AD:
>>
>>> ktpass -princ HTTP/webserver.ipa.domain at WINDOWS.DOMAIN +rndpass /mapuser
>>> WINDOMAIN\webserver$
>>
>> -crypto all -ptype KRB5_NT_PRINCIPAL -out webserver.keytab
>>
>> The Windows admin will choose if they want to use a Computer Account or a
>> User Account to bind the
>> keytab to.
>> Copy this keytab into /etc/httpd/HTTP.keytab-AD
>
>
> just filling in (just in case this was not clear): ktpass.exe is a
> windows tool you run in the domain controller (or in a workstation with
> the admins tool installed).

Thanks, everyone.

I'm still waiting for a Windows admin to help me out with this.
Unfortunately I'm not a domain admin, so I can't do this myself. :/

--Jason



From dpal at redhat.com  Fri Jul 19 21:44:41 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 19 Jul 2013 17:44:41 -0400
Subject: [Freeipa-users] external CA install problem
In-Reply-To: <1374253896.4930.4.camel@localhost.localdomain>
References: <1374253896.4930.4.camel@localhost.localdomain>
Message-ID: <51E9B349.5060706@redhat.com>

On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
> I'm trying to install an IPA server using an external CA.
>
> I ran the ipa-server-install --external-ca command, and got my cert
> signed by our on-site CA.
>
> So then I go back to install using my certs:
>
> ipa-server-install --external_cert_file=/root/ipa.cer
> --external_ca_file=/root/CACert.cer
>
>
> I get this for output:
>
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30
> seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir
> /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin
> nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email
> root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
> -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
> CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host
> lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory
> Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca
> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12
> true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA
> Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name
> CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name
> CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU
> -ca_server_cert_subject_name
> CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU
> -ca_audit_signing_cert_subject_name CN=CA
> Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name
> CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true
> -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file
> /root/CACert.cer -clone false' returned non-zero exit status 255
> Configuration of CA failed
>
>
> [root at lnxrealmtest01 <mailto:root at lnxrealmtest01> ~]# tail
> /var/log/ipaserver-install.log
>   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
> line 617, in configure_instanceConfiguring certificate server
> (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir
> /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin
> nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email
> root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
> -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
> CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host
> lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory
> Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca
> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12
> true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA
> Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name
> CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name
> CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU
> -ca_server_cert_subject_name
> CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU
> -ca_audit_signing_cert_subject_name CN=CA
> Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name
> CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true
> -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file
> /root/CACert.cer -clone false' returned non-zero exit status 255
> Configuration of CA failed
> [root at lnxrealmtest01 <mailto:root at lnxrealmtest01> ~]# tail
> /var/log/ipaserver-install.log
>   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
> line 617, in configure_instance
>     self.start_creation(runtime=210)
>
>   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line
> 358, in start_creation
>     method()
>
>   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
> line 879, in __configure_instance
>     raise RuntimeError('Configuration of CA failed')
>
> 2013-07-19T17:02:51Z INFO The ipa-server-install command failed,
> exception: RuntimeError: Configuration of CA failed
>     self.start_creation(runtime=210)
>
>   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line
> 358, in start_creation
>     method()
>
>   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
> line 879, in __configure_instance
>     raise RuntimeError('Configuration of CA failed')
>
>
>
> 2013-07-19T17:02:51Z INFO The ipa-server-install command failed,
> exception: RuntimeError: Configuration of CA failed
>
> Any thoughts on what I can do to troubleshoot this?
>
> Thanks.
>
> -Kenny
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Several questions:
1) package and os version/distro?
2) what is in httpd logs?
3) what is in pki logs?

The names and locations of the logs partially depend on the answer to
the first question.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130719/033b48b6/attachment.htm>

From dpal at redhat.com  Fri Jul 19 21:56:15 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 19 Jul 2013 17:56:15 -0400
Subject: [Freeipa-users] FreeIPA AD Trust improvements, Fedora 19 Test Day,
	July 25th
Message-ID: <51E9B5FF.7020306@redhat.com>

Hello,

The FreeIPA team is happy to welcome you to a Fedora Test Day that is
being held on Thursday, July 25th.

We would like to invite you to take part in testing of the upcoming FreeIPA 3.3
release containing 2 major improvements for easier deployment of FreeIPA Active
Directory Trust feature to existing environments:

1) Use POSIX attributes defined in Active Directory [1]

With previous FreeIPA releases, users coming from Active Directory to FreeIPA
managed machines were always assigned POSIX attributes (UID and GID) by
algorithmic mapping.

However, in some deployments, Active Directory users and groups already have
defined custom POSIX attribute values (UID and GID), which may then be
leveraged on Linux machines via other 3rd party Active Directory integration
solutions. Administrator may choose to keep the values to not disrupt file
ownerships.

With FreeIPA 3.3, FreeIPA Active Directory Trust may be configured to use these
attributes when Active Directory user authenticates to Linux machines.


2) Expose POSIX data on legacy systems without recent SSSD

Administrators may have a deployment of machines which cannot use the recent
SSSD with Active Directory Trust support but would still like to be able to
authenticate with Active Directory user to these machines. This may affect for
example older Linux machines, UNIX machines.

With FreeIPA 3.3, Administrator may configure a compatibility LDAP tree which
will contain identities of the Active Directory users to the legacy systems.
These systems may then leverage standard LDAP authentication in this tree
allowing selected Active Directory users to authenticate.


To read more about the Test Day and suggested tests, see the following link:

https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients

Thank you for your help and participation!

The FreeIPA team

[1] http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
[2] http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts

[IdM | IPA] FAQs: https://url.corp.redhat.com/idm-faq
Identity Management SME Team on Docspace
https://url.corp.redhat.com/sme-idm
Search the archives: post-office.corp.redhat.com/mailman/listinfo/idm-tech




From sigbjorn at nixtra.com  Fri Jul 19 22:00:06 2013
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sat, 20 Jul 2013 00:00:06 +0200
Subject: [Freeipa-users] IPA + AD authentication in apache
In-Reply-To: <CAA9J0ZHw=3myDnmYb3ug7v6fGm87LOAR5Xo-7dNirdqANfpYFQ@mail.gmail.com>
References: <CAA9J0ZF00x6iRuX5vLAfV4gbfQYF5fP460EkErsRvMoUxV0i2A@mail.gmail.com>
	<c8d55c08-c4ba-4b4a-8456-ae3acd52fd0e@email.android.com>
	<CAA9J0ZFZqc-5LjQZoZv-AUYY+4HCkzEWcM1EnTgd79Y7dXPcyg@mail.gmail.com>
	<25219.213.225.75.97.1374242942.squirrel@www.nixtra.com>
	<51E95345.5070204@gmail.com>
	<CAA9J0ZHw=3myDnmYb3ug7v6fGm87LOAR5Xo-7dNirdqANfpYFQ@mail.gmail.com>
Message-ID: <4ef00f1d-67e2-4af2-ab10-533ecb481ec3@email.android.com>

You definitely don't need domain admin. I do not have much rights with my active directory account, still I can retrieve keytabs from ad. Sorry, I'm not at work so I can't figure out exactly what my access level is. 

Regards
Siggi

KodaK <sakodak at gmail.com> wrote:

>On Fri, Jul 19, 2013 at 9:55 AM, natxo asenjo <natxo.asenjo at gmail.com>
>wrote:
>> On 07/19/2013 04:09 PM, Sigbjorn Lie wrote:
>>>
>>>
>>> Retreive a keytab from AD:
>>>
>>>> ktpass -princ HTTP/webserver.ipa.domain at WINDOWS.DOMAIN +rndpass
>/mapuser
>>>> WINDOMAIN\webserver$
>>>
>>> -crypto all -ptype KRB5_NT_PRINCIPAL -out webserver.keytab
>>>
>>> The Windows admin will choose if they want to use a Computer Account
>or a
>>> User Account to bind the
>>> keytab to.
>>> Copy this keytab into /etc/httpd/HTTP.keytab-AD
>>
>>
>> just filling in (just in case this was not clear): ktpass.exe is a
>> windows tool you run in the domain controller (or in a workstation
>with
>> the admins tool installed).
>
>Thanks, everyone.
>
>I'm still waiting for a Windows admin to help me out with this.
>Unfortunately I'm not a domain admin, so I can't do this myself. :/
>
>--Jason
>
>_______________________________________________
>Freeipa-users mailing list
>Freeipa-users at redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130720/730008e0/attachment.htm>

From sbingram at gmail.com  Sat Jul 20 00:51:24 2013
From: sbingram at gmail.com (Stephen Ingram)
Date: Fri, 19 Jul 2013 17:51:24 -0700
Subject: [Freeipa-users] disable forms-based login
Message-ID: <CAPsaoBe0c-TkLnrXjw+2+vR6SuGGbP6Az2bm0BmptE+SNhrW9w@mail.gmail.com>

Is there a way to disable the forms-based login to the WebUI and require a
Kerberos ticket?

Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130719/f9b63e09/attachment.htm>

From aly.khimji at gmail.com  Sat Jul 20 03:51:02 2013
From: aly.khimji at gmail.com (Aly Khimji)
Date: Fri, 19 Jul 2013 23:51:02 -0400
Subject: [Freeipa-users] FreeIPA AD Trust improvements,
 Fedora 19 Test Day, July 25th
In-Reply-To: <51E9B5FF.7020306@redhat.com>
References: <51E9B5FF.7020306@redhat.com>
Message-ID: <CAJMZt_buPXh_L21dX2w1Uy6hK6zae=YoGO10+sFgVQwwaOPe+w@mail.gmail.com>

Wow..  These sound like some amazing additions and enhancements, great
work! keep up the good job guys!

Aly
On Jul 19, 2013 5:57 PM, "Dmitri Pal" <dpal at redhat.com> wrote:

> Hello,
>
> The FreeIPA team is happy to welcome you to a Fedora Test Day that is
> being held on Thursday, July 25th.
>
> We would like to invite you to take part in testing of the upcoming
> FreeIPA 3.3
> release containing 2 major improvements for easier deployment of FreeIPA
> Active
> Directory Trust feature to existing environments:
>
> 1) Use POSIX attributes defined in Active Directory [1]
>
> With previous FreeIPA releases, users coming from Active Directory to
> FreeIPA
> managed machines were always assigned POSIX attributes (UID and GID) by
> algorithmic mapping.
>
> However, in some deployments, Active Directory users and groups already
> have
> defined custom POSIX attribute values (UID and GID), which may then be
> leveraged on Linux machines via other 3rd party Active Directory
> integration
> solutions. Administrator may choose to keep the values to not disrupt file
> ownerships.
>
> With FreeIPA 3.3, FreeIPA Active Directory Trust may be configured to use
> these
> attributes when Active Directory user authenticates to Linux machines.
>
>
> 2) Expose POSIX data on legacy systems without recent SSSD
>
> Administrators may have a deployment of machines which cannot use the
> recent
> SSSD with Active Directory Trust support but would still like to be able to
> authenticate with Active Directory user to these machines. This may affect
> for
> example older Linux machines, UNIX machines.
>
> With FreeIPA 3.3, Administrator may configure a compatibility LDAP tree
> which
> will contain identities of the Active Directory users to the legacy
> systems.
> These systems may then leverage standard LDAP authentication in this tree
> allowing selected Active Directory users to authenticate.
>
>
> To read more about the Test Day and suggested tests, see the following
> link:
>
>
> https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients
>
> Thank you for your help and participation!
>
> The FreeIPA team
>
> [1] http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
> [2] http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts
>
> [IdM | IPA] FAQs: https://url.corp.redhat.com/idm-faq
> Identity Management SME Team on Docspace
> https://url.corp.redhat.com/sme-idm
> Search the archives: post-office.corp.redhat.com/mailman/listinfo/idm-tech
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130719/2d8ddfa2/attachment.htm>

From rendhalver at gmail.com  Mon Jul 22 01:45:54 2013
From: rendhalver at gmail.com (Pete Brown)
Date: Mon, 22 Jul 2013 11:45:54 +1000
Subject: [Freeipa-users] problem creating replica
In-Reply-To: <1374258010.2951.38.camel@aleeredhat.laptop>
References: <CAJ8DPF7-nAxu5+BbLt0t7Hb2reJrYg273v6r6kQq3j2gnsEeOA@mail.gmail.com>
	<CAJ8DPF4Fdeu5VBK4wdcm_cS1ATE3WR4b8-fE42m1ERTvP18u1A@mail.gmail.com>
	<51E7BA4F.2060903@redhat.com>
	<CAJ8DPF5DvkXeN5h3AOiO61cUppSKDRSuqPkZCnUF-6A582vfOw@mail.gmail.com>
	<CAJ8DPF5QSPsJoSQi4=miuvi2u8Ojx7cW6Cw8f8P+s=DS52tUFA@mail.gmail.com>
	<1374258010.2951.38.camel@aleeredhat.laptop>
Message-ID: <CAJ8DPF7S2CwMTtedyWqT26Vq5BK=bLXgqNJdv=+NDz4CpAKbqg@mail.gmail.com>

On 20 July 2013 04:20, Ade Lee <alee at redhat.com> wrote:
>
> On Fri, 2013-07-19 at 14:14 +1000, Pete Brown wrote:
>> I was just trying this again and noticed there is a
>> /var/log/pki/pki-ca-spawn.20130719140342.log file with what i assume
>> is the logging for the attempt to create the pki.
>> right at the end is this entry.
>>
>> 2013-07-19 14:04:42 pkispawn    : INFO     ....... unable to access
>> security domain through REST interface.  Trying old interface. 503
>> Server Error: Service Unavailable
>>
>> Does anyone know what that means and how to fix it?
>>
>
> This means that the dogtag CA is trying to contact the dogtag master -
> and is failing to do so.  It may be trying to access the wrong port.
>
> What version do you have for :
> rpm -q pki-ca ?

on my master server.
pki-ca-10.0.3-2.fc18.noarch

> Please attach the logs for the replica CA.
> /var/log/pki/pki-tomcat/*

I just tried doing the replica install again and was tailing the
catalina.out while is was running and I think I have discovered the
problem.
The jre it seems to have been upgraded and it is still using the old path.
I shall try and work out how to fix that and will let you know if I get stuck.

> You are also exactly correct in creating a replica before upgrading to
> F19.  Much older dogtag instances (based on dogtag 9) will not work in
> f19 due to tomcat6 not being available in f19.

Ahh.
Did that prompt the amalgamation of the ldap trees?

>
> Ade
>>
>> On 19 July 2013 12:46, Pete Brown <rendhalver at gmail.com> wrote:
>> > On 18 July 2013 19:50, Petr Viktorin <pviktori at redhat.com> wrote:
>> >> On 07/18/2013 03:31 AM, Pete Brown wrote:
>> >>>
>> >>> I opened all the ports that seemed to be listening n the master.
>> >>> I also ran the setup again without disabling the connection check to
>> >>> see what else needed fixing.
>> >>> It seems after much investigation and log dredging it seems my admin
>> >>> password had expired.
>> >>> I wasn't aware that was possible.
>> >>> I reset the password and it seemed to get further.
>> >>> This for some reason not mentioned in the documentation the replica is
>> >>> trying to ssh into the master as admin.
>> >>> I managed to fix that by changing my setup and ssh config files.
>> >>>
>> >>> Then it actually managed to start the setup process.
>> >>> But again it fails at exactly the same point mentioned in my initial
>> >>> email.
>> >>>
>> >>> After some further digging with reference to the log output below it
>> >>> seems I have run into a bug that seems to have been fixed.
>> >>> https://fedorahosted.org/freeipa/ticket/3213
>> >>> As I mentioned I am running current Fedora 18 so freeipa is
>> >>> 3.1.5-1.fc18 is that fixed in my version?
>> >>
>> >>
>> >> Yes, that bug was fixed in 3.1.0.
>> >
>> > Well the script is still complaining about not being able to find
>> > dogtag_master_ds_port and the option still appears in my version of
>> > the script.
>> > Which from the bug seems to be what was causing the issue and the
>> > ipareplica-install log I included below says this is the case.
>> > It seems a bit odd because this is a fresh install of 3.1.5.
>> >
>> >
>> >
>> >>> It also seems the dogatg and IPA directories will be or have been merged?
>> >>> Which version did this happen in and will it get applied to my server?
>> >>
>> >>
>> >> Also in 3.1.0; new servers installed using that version have merged
>> >> databases.
>> >
>> > I still seem to have split instances.
>> > I did the install before Fedora 18 was released because I wanted ipa 3
>> > and that was the only way I could get it.
>> > Will they get merged at some point or can I do it manually?
>> >
>> >>
>> >>> Can anyone suggest how I go about fixing this issue?
>> >>
>> >>
>> >> Well, ipa-server-uninstall can misbehave if CA installation goes wrong
>> >> (ticket #2796).
>> >> So I would start by uninstalling, then running the following command to make
>> >> sure CA is not left:
>> >>     sudo pkidestroy -s CA -i pki-tomcat
>> >> then installing again.
>> >
>> > Ran that on my replica after the install and before the clean and it said this.
>> > That would make sense because it fails during the ca creation stage.
>> >
>> > root at ipa2 ~]# pkidestroy -s CA -i pki-tomcat
>> > ERROR:  PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!
>> >
>> >
>> >>
>> >> Can you also provide logs without the --skip-conncheck flag? Specifically
>> >> the /var/log/ipareplica-conncheck.log should be interesting.
>> >
>> > From what I can tell all the tests in the connection check passed.
>> >
>> >>
>> >>
>> >>> I wanted to create a replica so I could upgrade to fedora 19 and not
>> >>> have to take my single instance of FreeIPA offline while that was
>> >>> happening.
>> >>> Will I need to upgrade to Fedora 19 to fix my issue?
>> >>
>> >>
>> >>
>> >>> For reference this is the point of failure in the
>> >>> /var/log/ipareplica-install.log file
>> >>>
>> >>> 2013-07-18T01:06:16Z DEBUG Starting external process
>> >>> 2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
>> >>> 2013-07-18T01:08:16Z DEBUG Process finished, return code=1
>> >>> 2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration
>> >>> from /tmp/tmpFKBxMW.
>> >>> ERROR:  Unable to access security domain: 503 Server Error: Service
>> >>> Unavailable
>> >>
>> >>
>> >> Please also check logs on the existing server. Is the CA available?
>> >> Does e.g. `ipa cert-show 1` work?
>> >>
>> >>> 2013-07-18T01:08:16Z DEBUG stderr=
>> >>> 2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command
>> >>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit
>> >>> status 1
>> >>> 2013-07-18T01:08:16Z INFO   File
>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> >>> line 619, in run_script
>> >>>      return_value = main_function()
>> >>>
>> >>>    File "/usr/sbin/ipa-replica-install", line 652, in main
>> >>>      (CA, cs) = cainstance.install_replica_ca(config,
>> >>> dogtag_master_ds_port)
>> >>>
>> >>>    File
>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> >>> line 1809, in install_replica_ca
>> >>>      subject_base=config.subject_base)
>> >>>
>> >>>    File
>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> >>> line 625, in configure_instance
>> >>>      self.start_creation(runtime=210)
>> >>>
>> >>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> >>> line 358, in start_creation
>> >>>      method()
>> >>>
>> >>>    File
>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> >>> line 744, in __spawn_instance
>> >>>      raise RuntimeError('Configuration of CA failed')
>> >>>
>> >>> 2013-07-18T01:08:16Z INFO The ipa-replica-install command failed,
>> >>> exception: RuntimeError: Configuration of CA failed
>> >>>
>> >>> On 17 July 2013 15:52, Pete Brown <rendhalver at gmail.com> wrote:
>> >>>>
>> >>>> Hi everyone,
>> >>>>
>> >>>> I am attempting to create a replica of my freeipa server.
>> >>>> I am following the docs but they are not working for me.
>> >>>> I am getting the vague impression I am missing a step that doesn't
>> >>>> seem to be documented.
>> >>>>
>> >>>> For the record all the posts listed are open and it was a clean
>> >>>> install of Fedora 18.
>> >>>>
>> >>>> I thought the server may need to be a client of the master before I
>> >>>> set it up as a replica but it just said I needed to uninstall the
>> >>>> client setup.
>> >>>>
>> >>>> After running ipa-replica-prepare on the master and scping the file to
>> >>>> the new replica.
>> >>>> I ran this command on the new replica
>> >>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>> >>>> --forwarder=XXX.XXX.XXX.XX --forwarder=XX.XXX.XXX.XXX
>> >>>> /var/lib/ipa/replica-info-ipa2.domain.com.gpg
>> >>>>
>> >>>> The error I am seeing is from that command is this:
>> >>>> Cannot acquire Kerberos ticket: kinit: Cannot read password while
>> >>>> getting initial credentials
>> >>>>
>> >>>> Connection check failed!
>> >>>> Please fix your network settings according to error messages above.
>> >>>> If the check results are not valid it can be skipped with
>> >>>> --skip-conncheck parameter.
>> >>>>
>> >>>> So I cleaned everything off (i think) and tried it with this command
>> >>>>
>> >>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>> >>>> --forwarder=61.9.211.33 --forwarder=61.9.211.1 --skip-conncheck
>> >>>> /var/lib/ipa/replica-info-ipa2.webgatetec.com.gpg
>> >>>>
>> >>>> This seems to actually start the install and setup process i remember
>> >>>> from installing the ipa server initially
>> >>>>
>> >>>> This it fails with this output
>> >>>>
>> >>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>> >>>> be disabled in favor of ntpd
>> >>>>
>> >>>> Directory Manager (existing master) password:
>> >>>>
>> >>>> Configuring NTP daemon (ntpd)
>> >>>>    [1/4]: stopping ntpd
>> >>>>    [2/4]: writing configuration
>> >>>>    [3/4]: configuring ntpd to start on boot
>> >>>>    [4/4]: starting ntpd
>> >>>> Done configuring NTP daemon (ntpd).
>> >>>> Configuring directory server (dirsrv): Estimated time 1 minute
>> >>>>    [1/31]: creating directory server user
>> >>>>    [2/31]: creating directory server instance
>> >>>>    [3/31]: adding default schema
>> >>>>    [4/31]: enabling memberof plugin
>> >>>>    [5/31]: enabling winsync plugin
>> >>>>    [6/31]: configuring replication version plugin
>> >>>>    [7/31]: enabling IPA enrollment plugin
>> >>>>    [8/31]: enabling ldapi
>> >>>>    [9/31]: configuring uniqueness plugin
>> >>>>    [10/31]: configuring uuid plugin
>> >>>>    [11/31]: configuring modrdn plugin
>> >>>>    [12/31]: configuring DNS plugin
>> >>>>    [13/31]: enabling entryUSN plugin
>> >>>>    [14/31]: configuring lockout plugin
>> >>>>    [15/31]: creating indices
>> >>>>    [16/31]: enabling referential integrity plugin
>> >>>>    [17/31]: configuring ssl for ds instance
>> >>>>    [18/31]: configuring certmap.conf
>> >>>>    [19/31]: configure autobind for root
>> >>>>    [20/31]: configure new location for managed entries
>> >>>>    [21/31]: restarting directory server
>> >>>>    [22/31]: setting up initial replication
>> >>>> Starting replication, please wait until this has completed.
>> >>>> Update in progress
>> >>>> Update in progress
>> >>>> Update in progress
>> >>>> Update in progress
>> >>>> Update succeeded
>> >>>>    [23/31]: adding replication acis
>> >>>>    [24/31]: setting Auto Member configuration
>> >>>>    [25/31]: enabling S4U2Proxy delegation
>> >>>>    [26/31]: initializing group membership
>> >>>>    [27/31]: adding master entry
>> >>>>    [28/31]: configuring Posix uid/gid generation
>> >>>>    [29/31]: enabling compatibility plugin
>> >>>>    [30/31]: tuning directory server
>> >>>>    [31/31]: configuring directory to start on boot
>> >>>> Done configuring directory server (dirsrv).
>> >>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>> >>>> 30 seconds
>> >>>>    [1/17]: creating certificate server user
>> >>>>    [2/17]: configuring certificate server instance
>> >>>> ipa         : CRITICAL failed to configure ca instance Command
>> >>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmptGcdgB' returned non-zero exit
>> >>>> status 1
>> >>>>
>> >>>> Your system may be partly configured.
>> >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> >>>>
>> >>>> Configuration of CA failed
>> >>>>
>> >>>> I even tried cleaning it again at that point and made sure all the
>> >>>> ports were open and still got the same error.
>> >>>>
>> >>>> I also switched selinux to permissive mode cleaned up and rebooted but
>> >>>> that didn't help either
>> >>>>
>> >>>> Can someone please point out what I need to do to get this working.
>> >>>>
>> >>>> Thanks in advance.
>> >>>> Pete.
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> Freeipa-users mailing list
>> >>> Freeipa-users at redhat.com
>> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> >>>
>> >>
>> >>
>> >> --
>> >> Petr?
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>



From rendhalver at gmail.com  Mon Jul 22 02:05:36 2013
From: rendhalver at gmail.com (Pete Brown)
Date: Mon, 22 Jul 2013 12:05:36 +1000
Subject: [Freeipa-users] problem creating replica
In-Reply-To: <CAJ8DPF7S2CwMTtedyWqT26Vq5BK=bLXgqNJdv=+NDz4CpAKbqg@mail.gmail.com>
References: <CAJ8DPF7-nAxu5+BbLt0t7Hb2reJrYg273v6r6kQq3j2gnsEeOA@mail.gmail.com>
	<CAJ8DPF4Fdeu5VBK4wdcm_cS1ATE3WR4b8-fE42m1ERTvP18u1A@mail.gmail.com>
	<51E7BA4F.2060903@redhat.com>
	<CAJ8DPF5DvkXeN5h3AOiO61cUppSKDRSuqPkZCnUF-6A582vfOw@mail.gmail.com>
	<CAJ8DPF5QSPsJoSQi4=miuvi2u8Ojx7cW6Cw8f8P+s=DS52tUFA@mail.gmail.com>
	<1374258010.2951.38.camel@aleeredhat.laptop>
	<CAJ8DPF7S2CwMTtedyWqT26Vq5BK=bLXgqNJdv=+NDz4CpAKbqg@mail.gmail.com>
Message-ID: <CAJ8DPF5OzaRTz-OaWu1a51D_TT=KW7=C8UwQnN3GNKLHeGZRPA@mail.gmail.com>

On 22 July 2013 11:45, Pete Brown <rendhalver at gmail.com> wrote:
> On 20 July 2013 04:20, Ade Lee <alee at redhat.com> wrote:
>>
>> On Fri, 2013-07-19 at 14:14 +1000, Pete Brown wrote:
>>> I was just trying this again and noticed there is a
>>> /var/log/pki/pki-ca-spawn.20130719140342.log file with what i assume
>>> is the logging for the attempt to create the pki.
>>> right at the end is this entry.
>>>
>>> 2013-07-19 14:04:42 pkispawn    : INFO     ....... unable to access
>>> security domain through REST interface.  Trying old interface. 503
>>> Server Error: Service Unavailable
>>>
>>> Does anyone know what that means and how to fix it?
>>>
>>
>> This means that the dogtag CA is trying to contact the dogtag master -
>> and is failing to do so.  It may be trying to access the wrong port.
>>
>> What version do you have for :
>> rpm -q pki-ca ?
>
> on my master server.
> pki-ca-10.0.3-2.fc18.noarch
>
>> Please attach the logs for the replica CA.
>> /var/log/pki/pki-tomcat/*
>
> I just tried doing the replica install again and was tailing the
> catalina.out while is was running and I think I have discovered the
> problem.
> The jre it seems to have been upgraded and it is still using the old path.
> I shall try and work out how to fix that and will let you know if I get stuck.

What you mentioned assisted with further debugging.

this is the tail end of catalina.out from my last run

Jul 22, 2013 11:54:39 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/pki/pki-tomcat/webapps/ROOT
Jul 22, 2013 11:54:39 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Jul 22, 2013 11:54:39 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Jul 22, 2013 11:54:39 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-8009"]
Jul 22, 2013 11:54:39 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 9498 ms
11:57:15,198  INFO
(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82)
- Deploying javax.ws.rs.core.Application: class
com.netscape.ca.CertificateAuthorityApplication
11:57:15,218  INFO
(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82)
- Adding singleton provider
com.netscape.certsrv.authentication.AuthMethodInterceptor from
Application javax.ws.rs.core.Application
11:57:15,224  INFO
(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82)
- Adding singleton provider com.netscape.certsrv.acls.ACLInterceptor
from Application javax.ws.rs.core.Application
11:57:15,448 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60)
- PathInfo: /securityDomain/domainInfo
AuthInterceptor: SecurityDomainResource.getDomainInfo()
AuthInterceptor: mapping name: default
AuthInterceptor: required auth methods: [*]
AuthInterceptor: anonymous access allowed
11:57:15,798 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60)
- PathInfo: /account/login
AuthInterceptor: AccountResource.login()
AuthInterceptor: mapping name: account
AuthInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
AuthInterceptor: anonymous access not allowed

my guess would be the replica creation is attempting an anonymous bind.
I have those disabled for security reasons.
Is there any way around that without turning on anonymous  binds?


>> You are also exactly correct in creating a replica before upgrading to
>> F19.  Much older dogtag instances (based on dogtag 9) will not work in
>> f19 due to tomcat6 not being available in f19.
>
> Ahh.
> Did that prompt the amalgamation of the ldap trees?
>
>>
>> Ade
>>>
>>> On 19 July 2013 12:46, Pete Brown <rendhalver at gmail.com> wrote:
>>> > On 18 July 2013 19:50, Petr Viktorin <pviktori at redhat.com> wrote:
>>> >> On 07/18/2013 03:31 AM, Pete Brown wrote:
>>> >>>
>>> >>> I opened all the ports that seemed to be listening n the master.
>>> >>> I also ran the setup again without disabling the connection check to
>>> >>> see what else needed fixing.
>>> >>> It seems after much investigation and log dredging it seems my admin
>>> >>> password had expired.
>>> >>> I wasn't aware that was possible.
>>> >>> I reset the password and it seemed to get further.
>>> >>> This for some reason not mentioned in the documentation the replica is
>>> >>> trying to ssh into the master as admin.
>>> >>> I managed to fix that by changing my setup and ssh config files.
>>> >>>
>>> >>> Then it actually managed to start the setup process.
>>> >>> But again it fails at exactly the same point mentioned in my initial
>>> >>> email.
>>> >>>
>>> >>> After some further digging with reference to the log output below it
>>> >>> seems I have run into a bug that seems to have been fixed.
>>> >>> https://fedorahosted.org/freeipa/ticket/3213
>>> >>> As I mentioned I am running current Fedora 18 so freeipa is
>>> >>> 3.1.5-1.fc18 is that fixed in my version?
>>> >>
>>> >>
>>> >> Yes, that bug was fixed in 3.1.0.
>>> >
>>> > Well the script is still complaining about not being able to find
>>> > dogtag_master_ds_port and the option still appears in my version of
>>> > the script.
>>> > Which from the bug seems to be what was causing the issue and the
>>> > ipareplica-install log I included below says this is the case.
>>> > It seems a bit odd because this is a fresh install of 3.1.5.
>>> >
>>> >
>>> >
>>> >>> It also seems the dogatg and IPA directories will be or have been merged?
>>> >>> Which version did this happen in and will it get applied to my server?
>>> >>
>>> >>
>>> >> Also in 3.1.0; new servers installed using that version have merged
>>> >> databases.
>>> >
>>> > I still seem to have split instances.
>>> > I did the install before Fedora 18 was released because I wanted ipa 3
>>> > and that was the only way I could get it.
>>> > Will they get merged at some point or can I do it manually?
>>> >
>>> >>
>>> >>> Can anyone suggest how I go about fixing this issue?
>>> >>
>>> >>
>>> >> Well, ipa-server-uninstall can misbehave if CA installation goes wrong
>>> >> (ticket #2796).
>>> >> So I would start by uninstalling, then running the following command to make
>>> >> sure CA is not left:
>>> >>     sudo pkidestroy -s CA -i pki-tomcat
>>> >> then installing again.
>>> >
>>> > Ran that on my replica after the install and before the clean and it said this.
>>> > That would make sense because it fails during the ca creation stage.
>>> >
>>> > root at ipa2 ~]# pkidestroy -s CA -i pki-tomcat
>>> > ERROR:  PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!
>>> >
>>> >
>>> >>
>>> >> Can you also provide logs without the --skip-conncheck flag? Specifically
>>> >> the /var/log/ipareplica-conncheck.log should be interesting.
>>> >
>>> > From what I can tell all the tests in the connection check passed.
>>> >
>>> >>
>>> >>
>>> >>> I wanted to create a replica so I could upgrade to fedora 19 and not
>>> >>> have to take my single instance of FreeIPA offline while that was
>>> >>> happening.
>>> >>> Will I need to upgrade to Fedora 19 to fix my issue?
>>> >>
>>> >>
>>> >>
>>> >>> For reference this is the point of failure in the
>>> >>> /var/log/ipareplica-install.log file
>>> >>>
>>> >>> 2013-07-18T01:06:16Z DEBUG Starting external process
>>> >>> 2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
>>> >>> 2013-07-18T01:08:16Z DEBUG Process finished, return code=1
>>> >>> 2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration
>>> >>> from /tmp/tmpFKBxMW.
>>> >>> ERROR:  Unable to access security domain: 503 Server Error: Service
>>> >>> Unavailable
>>> >>
>>> >>
>>> >> Please also check logs on the existing server. Is the CA available?
>>> >> Does e.g. `ipa cert-show 1` work?
>>> >>
>>> >>> 2013-07-18T01:08:16Z DEBUG stderr=
>>> >>> 2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command
>>> >>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit
>>> >>> status 1
>>> >>> 2013-07-18T01:08:16Z INFO   File
>>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>> >>> line 619, in run_script
>>> >>>      return_value = main_function()
>>> >>>
>>> >>>    File "/usr/sbin/ipa-replica-install", line 652, in main
>>> >>>      (CA, cs) = cainstance.install_replica_ca(config,
>>> >>> dogtag_master_ds_port)
>>> >>>
>>> >>>    File
>>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> >>> line 1809, in install_replica_ca
>>> >>>      subject_base=config.subject_base)
>>> >>>
>>> >>>    File
>>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> >>> line 625, in configure_instance
>>> >>>      self.start_creation(runtime=210)
>>> >>>
>>> >>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> >>> line 358, in start_creation
>>> >>>      method()
>>> >>>
>>> >>>    File
>>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> >>> line 744, in __spawn_instance
>>> >>>      raise RuntimeError('Configuration of CA failed')
>>> >>>
>>> >>> 2013-07-18T01:08:16Z INFO The ipa-replica-install command failed,
>>> >>> exception: RuntimeError: Configuration of CA failed
>>> >>>
>>> >>> On 17 July 2013 15:52, Pete Brown <rendhalver at gmail.com> wrote:
>>> >>>>
>>> >>>> Hi everyone,
>>> >>>>
>>> >>>> I am attempting to create a replica of my freeipa server.
>>> >>>> I am following the docs but they are not working for me.
>>> >>>> I am getting the vague impression I am missing a step that doesn't
>>> >>>> seem to be documented.
>>> >>>>
>>> >>>> For the record all the posts listed are open and it was a clean
>>> >>>> install of Fedora 18.
>>> >>>>
>>> >>>> I thought the server may need to be a client of the master before I
>>> >>>> set it up as a replica but it just said I needed to uninstall the
>>> >>>> client setup.
>>> >>>>
>>> >>>> After running ipa-replica-prepare on the master and scping the file to
>>> >>>> the new replica.
>>> >>>> I ran this command on the new replica
>>> >>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>>> >>>> --forwarder=XXX.XXX.XXX.XX --forwarder=XX.XXX.XXX.XXX
>>> >>>> /var/lib/ipa/replica-info-ipa2.domain.com.gpg
>>> >>>>
>>> >>>> The error I am seeing is from that command is this:
>>> >>>> Cannot acquire Kerberos ticket: kinit: Cannot read password while
>>> >>>> getting initial credentials
>>> >>>>
>>> >>>> Connection check failed!
>>> >>>> Please fix your network settings according to error messages above.
>>> >>>> If the check results are not valid it can be skipped with
>>> >>>> --skip-conncheck parameter.
>>> >>>>
>>> >>>> So I cleaned everything off (i think) and tried it with this command
>>> >>>>
>>> >>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>>> >>>> --forwarder=61.9.211.33 --forwarder=61.9.211.1 --skip-conncheck
>>> >>>> /var/lib/ipa/replica-info-ipa2.webgatetec.com.gpg
>>> >>>>
>>> >>>> This seems to actually start the install and setup process i remember
>>> >>>> from installing the ipa server initially
>>> >>>>
>>> >>>> This it fails with this output
>>> >>>>
>>> >>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>>> >>>> be disabled in favor of ntpd
>>> >>>>
>>> >>>> Directory Manager (existing master) password:
>>> >>>>
>>> >>>> Configuring NTP daemon (ntpd)
>>> >>>>    [1/4]: stopping ntpd
>>> >>>>    [2/4]: writing configuration
>>> >>>>    [3/4]: configuring ntpd to start on boot
>>> >>>>    [4/4]: starting ntpd
>>> >>>> Done configuring NTP daemon (ntpd).
>>> >>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>> >>>>    [1/31]: creating directory server user
>>> >>>>    [2/31]: creating directory server instance
>>> >>>>    [3/31]: adding default schema
>>> >>>>    [4/31]: enabling memberof plugin
>>> >>>>    [5/31]: enabling winsync plugin
>>> >>>>    [6/31]: configuring replication version plugin
>>> >>>>    [7/31]: enabling IPA enrollment plugin
>>> >>>>    [8/31]: enabling ldapi
>>> >>>>    [9/31]: configuring uniqueness plugin
>>> >>>>    [10/31]: configuring uuid plugin
>>> >>>>    [11/31]: configuring modrdn plugin
>>> >>>>    [12/31]: configuring DNS plugin
>>> >>>>    [13/31]: enabling entryUSN plugin
>>> >>>>    [14/31]: configuring lockout plugin
>>> >>>>    [15/31]: creating indices
>>> >>>>    [16/31]: enabling referential integrity plugin
>>> >>>>    [17/31]: configuring ssl for ds instance
>>> >>>>    [18/31]: configuring certmap.conf
>>> >>>>    [19/31]: configure autobind for root
>>> >>>>    [20/31]: configure new location for managed entries
>>> >>>>    [21/31]: restarting directory server
>>> >>>>    [22/31]: setting up initial replication
>>> >>>> Starting replication, please wait until this has completed.
>>> >>>> Update in progress
>>> >>>> Update in progress
>>> >>>> Update in progress
>>> >>>> Update in progress
>>> >>>> Update succeeded
>>> >>>>    [23/31]: adding replication acis
>>> >>>>    [24/31]: setting Auto Member configuration
>>> >>>>    [25/31]: enabling S4U2Proxy delegation
>>> >>>>    [26/31]: initializing group membership
>>> >>>>    [27/31]: adding master entry
>>> >>>>    [28/31]: configuring Posix uid/gid generation
>>> >>>>    [29/31]: enabling compatibility plugin
>>> >>>>    [30/31]: tuning directory server
>>> >>>>    [31/31]: configuring directory to start on boot
>>> >>>> Done configuring directory server (dirsrv).
>>> >>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>>> >>>> 30 seconds
>>> >>>>    [1/17]: creating certificate server user
>>> >>>>    [2/17]: configuring certificate server instance
>>> >>>> ipa         : CRITICAL failed to configure ca instance Command
>>> >>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmptGcdgB' returned non-zero exit
>>> >>>> status 1
>>> >>>>
>>> >>>> Your system may be partly configured.
>>> >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>> >>>>
>>> >>>> Configuration of CA failed
>>> >>>>
>>> >>>> I even tried cleaning it again at that point and made sure all the
>>> >>>> ports were open and still got the same error.
>>> >>>>
>>> >>>> I also switched selinux to permissive mode cleaned up and rebooted but
>>> >>>> that didn't help either
>>> >>>>
>>> >>>> Can someone please point out what I need to do to get this working.
>>> >>>>
>>> >>>> Thanks in advance.
>>> >>>> Pete.
>>> >>>
>>> >>>
>>> >>> _______________________________________________
>>> >>> Freeipa-users mailing list
>>> >>> Freeipa-users at redhat.com
>>> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> >>>
>>> >>
>>> >>
>>> >> --
>>> >> Petr?
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>



From justin.brown at fandingo.org  Mon Jul 22 03:41:56 2013
From: justin.brown at fandingo.org (Justin Brown)
Date: Sun, 21 Jul 2013 22:41:56 -0500
Subject: [Freeipa-users] Exporting a PEM Certificate for OpenStack Keystone
Message-ID: <CAKZK7uxvgbCit9fXqMdUpXBhxO_p-Tp6kmsamVZvxzrW8yTX3w@mail.gmail.com>

Hi,

I'm having some trouble understanding certificates in general and service
certificates in FreeIPA.

Keystone if the authentication layer for OpenStack, and I'm trying to get
it setup to integrate with the certificates in my FreeIPA domain.

By default, Keystone setups up a self-signed CA based on settings an
openssl.conf.

I would like to use a FreeIPA service certificate to sign tokens for
Keystone.

I have Keystone at keystone.cloud.fandingo.org and install with the FreeIPA
client.

I setup a service, HTTP/keystone.cloud.fandingo.org. Then, I create a CSR
and private key using OpenSSL. Lastly, I copy  the CSR into FreeIPA and
generate the certificate.

 I just need to get the signed certificate out of FreeIPA in some way.
However, I can't for the life of me figure out what format the certificate
is. It's not PEM or any of the PKCS versions that I'm familiar with because
there are no header or footer lines. It doesn't appear to be DER because
OpenSSL refuses to process it as such.

What is the format of this certificate?

Thanks,
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130721/bd3b30ac/attachment.htm>

From mkosek at redhat.com  Mon Jul 22 07:18:48 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 22 Jul 2013 09:18:48 +0200
Subject: [Freeipa-users] disable forms-based login
In-Reply-To: <CAPsaoBe0c-TkLnrXjw+2+vR6SuGGbP6Az2bm0BmptE+SNhrW9w@mail.gmail.com>
References: <CAPsaoBe0c-TkLnrXjw+2+vR6SuGGbP6Az2bm0BmptE+SNhrW9w@mail.gmail.com>
Message-ID: <51ECDCD8.5010002@redhat.com>

On 07/20/2013 02:51 AM, Stephen Ingram wrote:
> Is there a way to disable the forms-based login to the WebUI and require a
> Kerberos ticket?
> 
> Steve

Hello,

No, this is currently not possible. Stephen, can you please describe your use
case why you want it to be off? This would allow us to consider this as an
enhancement for future.

Petr, would it be possible to achieve this via Web UI plugin system introduced
in FreeIPA 3.2?

Thanks,
Martin



From pvoborni at redhat.com  Mon Jul 22 07:55:31 2013
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 22 Jul 2013 09:55:31 +0200
Subject: [Freeipa-users] disable forms-based login
In-Reply-To: <51ECDCD8.5010002@redhat.com>
References: <CAPsaoBe0c-TkLnrXjw+2+vR6SuGGbP6Az2bm0BmptE+SNhrW9w@mail.gmail.com>
	<51ECDCD8.5010002@redhat.com>
Message-ID: <51ECE573.9020908@redhat.com>

On 07/22/2013 09:18 AM, Martin Kosek wrote:
> On 07/20/2013 02:51 AM, Stephen Ingram wrote:
>> Is there a way to disable the forms-based login to the WebUI and require a
>> Kerberos ticket?
>>
>> Steve
>
> Hello,
>
> No, this is currently not possible. Stephen, can you please describe your use
> case why you want it to be off? This would allow us to consider this as an
> enhancement for future.
>
> Petr, would it be possible to achieve this via Web UI plugin system introduced
> in FreeIPA 3.2?

The login form can be removed by replacing IPA.unauthorized_dialog by 
different implementation. But it only hides the interface, the login 
feature itself (/ipa/session/login_password) won't be affected. So user 
can still send a HTTP POST with his credentials to log in. It's how the 
separate login page (/ipa/ui/login.html) works.

So the steps to disable forms-based login are:
  1. deny access to /ipa/session/login_password
  2. create UI plugin to change Web UI unauthorized_dialog
  3. deny access to /ipa/ui/login.html

#1 is sufficient if one does not care about UX.

>
> Thanks,
> Martin
>
-- 
Petr Vobornik



From pbrezina at redhat.com  Mon Jul 22 10:02:31 2013
From: pbrezina at redhat.com (=?ISO-8859-2?Q?Pavel_B=F8ezina?=)
Date: Mon, 22 Jul 2013 12:02:31 +0200
Subject: [Freeipa-users] sudo rules user and host group bugs?
In-Reply-To: <159018F515D5B14CA76C88F9C425325A0121962B@sinmpt10.corp.go2uti.com>
References: <833D8E48405E064EBC54C84EC6B36E407A2FE074@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A6525DC@sinmpt10.corp.go2uti.com>
	<833D8E48405E064EBC54C84EC6B36E407A2FE094@STAWINCOX10MBX1.staff.vuw.ac.nz>
	<159018F515D5B14CA76C88F9C425325A65268C@sinmpt10.corp.go2uti.com>
	<51E4F750.9010103@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65D4B0@sinmpt10.corp.go2uti.com>
	<51E5A436.5080403@redhat.com>
	<159018F515D5B14CA76C88F9C425325A65DEBF@sinmpt10.corp.go2uti.com>
	<20130717083213.GK22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A66247F@sinmpt10.corp.go2uti.com>
	<20130717155733.GD22079@hendrix.brq.redhat.com>
	<159018F515D5B14CA76C88F9C425325A0120217A@sinmpt11.corp.go2uti.com>
	<51E7AF29.4010006@redhat.com>
	<159018F515D5B14CA76C88F9C425325A012169F0@sinmpt10.corp.go2uti.com>
	<159018F515D5B14CA76C88F9C425325A012172E3@sinmpt10.corp.go2uti.com>
	<51E97EEC.3000304@redhat.com>
	<159018F515D5B14CA76C88F9C425325A0121962B@sinmpt10.corp.go2uti.com>
Message-ID: <51ED0337.7010402@redhat.com>

Hi,
the code says it should work. I don't see any problem with the 
configuration. Since the netgroup is resolved correctly I do not think 
the problem resides in IPA.

Can you rerun sudo with -D 9? That may yield some more information. 
Also, you can try asking on sudo-users list. Todd (sudo author) may have 
some more ideas.

On 07/19/2013 09:47 PM, Tovey, Mark wrote:
>
>      That is correct:
>
> host1-> hostname
> host1.my_domain.com
>
>      I was beginning to suspect that it is in sudo.  I checked the documentation for that version of sudo and it does include support for netgroups.  Perhaps I need something extra in the sudoers file, or an additional option.
>      Thanks,
>      -Mark
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389
>
>
> -----Original Message-----
> From: Pavel B?ezina [mailto:pbrezina at redhat.com]
> Sent: Friday, July 19, 2013 11:01 AM
> To: Tovey, Mark
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>
> Hi,
> hostname command outputs "host1.my_domain.com", right? This version of sudo is very old, I'll check the code and eventually consult with sudo maintainer.
>
> On 07/19/2013 06:49 PM, Tovey, Mark wrote:
>>
>>       Does anyone have any other suggestions for this or need any additional information?
>>       Thanks,
>>       -Mark
>>
>>
>> ________________________________________________________________
>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW
>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>> MTovey at go2uti.com | O / C +1 503 953-1389
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Tovey, Mark
>> Sent: Thursday, July 18, 2013 11:06 AM
>> To: Pavel B?ezina; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>>
>>
>> host1-> nisdomainname
>> my_domain.com
>>
>> host1-> rpm -q sudo
>> sudo-1.7.2p1-6.el5_5
>>
>>       Thanks,
>>       -Mark
>>
>>
>> ________________________________________________________________
>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW
>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>> MTovey at go2uti.com | O / C +1 503 953-1389
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Pavel Brezina
>> Sent: Thursday, July 18, 2013 2:03 AM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>
>> On 07/17/2013 06:39 PM, Tovey, Mark wrote:
>>>
>>>        Okay, I get it (pardon my obtuseness).
>>>
>>>        host1-> getent netgroup hgroup1
>>>        hgroup1                   (host1.my_domain.com, -, my_domain.com)
>>>
>>>        So netgroups are working.  The host group is defined in IPA and getent is able to access that information.
>>>        Thanks,
>>>        -Mark
>>
>> Hi,
>> can you also paste the output of following commands please?
>>
>> $ nisdomainname
>> $ rpm -q sudo
>>
>> Thanks,
>> Pavel.
>>
>>>
>>>
>>> ________________________________________________________________
>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW
>>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>>> MTovey at go2uti.com | O / C +1 503 953-1389
>>>
>>>
>>> -----Original Message-----
>>> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
>>> Sent: Wednesday, July 17, 2013 8:58 AM
>>> To: Tovey, Mark
>>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>
>>> On Wed, Jul 17, 2013 at 03:01:58PM +0000, Tovey, Mark wrote:
>>>>
>>>>        We have sssd-1.5.1-58.el5 and ipa-client-2.1.3-5.el5_9.2 installed.
>>>
>>> OK, these are recent enough to support netgroups and the compat tree should be configured automatically.
>>>
>>>> Those came out of the 'latest' repository.  We do not have any netgroups defined (there is no /etc/netgroup file), so getent does not return anything.
>>>
>>> Every hostgroup is automatically translated into a netgroup on the server side. You said you have some host groups present, so does "getent netgroup <name-of-hostgroup> return any netgroup data?
>>>
>>>>        Thanks,
>>>>        -Mark
>>>>
>>>
>>>>
>>>> ________________________________________________________________
>>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW
>>>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>>>> MTovey at go2uti.com | O / C +1 503 953-1389
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
>>>> Sent: Wednesday, July 17, 2013 1:32 AM
>>>> To: Tovey, Mark
>>>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>
>>>> On Tue, Jul 16, 2013 at 09:13:00PM +0000, Tovey, Mark wrote:
>>>>>
>>>>>
>>>>>        We are using sssd. The sssd.conf file is mostly unchanged from how it was installed by the ipa-client-install script:
>>>>
>>>> Hi Mark,
>>>>
>>>> you said your client is OEL *5.5* ? The SSSD first appeared in RHEL (and by extension OEL) in 5.6. Are you running the version from EPEL? I'm not sure if netgroups were even supported in that old version..
>>>>
>>>> What is the output of "rpm -q sssd" and "rpm -q ipa-client" ?
>>>>
>>>> Does getent netgroup <netgroup-name> work?
>>>>
>>>>>
>>>>> [sssd]
>>>>> config_file_version = 2
>>>>> services = nss, pam
>>>>>
>>>>> domains = my_domain.com
>>>>> [nss]
>>>>>
>>>>> [pam]
>>>>>
>>>>>     [domain/my_domain.com]
>>>>> cache_credentials = True
>>>>> krb5_store_password_if_offline = True ipa_domain = my_domain.com
>>>>> id_provider = ipa auth_provider = ipa access_provider = ipa
>>>>> chpass_provider = ipa ipa_server = _srv_, ipa_server.my_domain.com
>>>>> ldap_tls_cacert = /etc/ipa/ca.crt debug_level = 6
>>>>>
>>>>>
>>>>>        And the nsswitch.conf file:
>>>>>
>>>>> passwd:     files sss
>>>>> shadow:     files sss
>>>>> group:      files sss
>>>>>
>>>>> hosts:      files dns
>>>>>
>>>>> bootparams: nisplus [NOTFOUND=return] files
>>>>>
>>>>> ethers:     files
>>>>> netmasks:   files
>>>>> networks:   files
>>>>> protocols:  files
>>>>> rpc:        files
>>>>> services:   files
>>>>>
>>>>> netgroup:   files sss
>>>>>
>>>>> publickey:  nisplus
>>>>>
>>>>> automount:  files ldap
>>>>> aliases:    files
>>>>>
>>>>> sudoers:    files ldap
>>>>>
>>>>>        Thanks,
>>>>>        -Mark
>>>>>
>>>>>
>>>>>
>>>>> ________________________________________________________________
>>>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW
>>>>> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>>>>> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: freeipa-users-bounces at redhat.com
>>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
>>>>> Sent: Tuesday, July 16, 2013 12:51 PM
>>>>> To: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>
>>>>> On 07/16/2013 02:11 PM, Tovey, Mark wrote:
>>>>>>        My environment consists of OEL 5.5 clients with ipa-client-2.1.3 and the server is OEL 6.4 with ipa-server-3.0.0.  We chose these because we were able to find RPM packages for them.  We would prefer to go with the latest versions, but we did not want to spend the time building installation packages just yet.  Again, we are just evaluating at this point.  So far, so good, except for this one point.
>>>>>>        The doman name, host name, and nsswitch.conf files are all properly configured.  But I do not have any netgroups defined (the getent command doesn't return anything and there is no /etc/netgroup file).  After you asked about that, I started looking into the documentation on netgroups.  The IPA documentation for sudo states that "Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats."  But when I look in the Netgroups area, I do not see any netgroups defined.  I used Apache Directory Studio to look around the Directory Server, and I can see "cn=hgroup1,cn=ng,cn=alt,dc=my_domain,dc=com", along with "cn=hgroup1,cn=hostgroups,cn=accounts,dc=my_domain,dc=com".  This seems to reflect what was stated in the documentation.
>>>>>>        But I am still stumped.  I cannot get sudo to work with host groups; I have to directly add each server to the sudo rule.
>>>>>>        Thanks,
>>>>>>        -Mark
>>>>>
>>>>> So can it seems that the first thing you need to to do is to make sure your netgroups work.
>>>>> If domain and host are properly set then it might be the wrong base in your LDAP search for the netgroups.
>>>>> Are you using SSSD for netgroups or something else?
>>>>> Can you please share your sssd.conf and area where it configures netgroups?
>>>>> Also is sss in the nsswitch.conf for netgroups map?
>>>>>
>>>>>>
>>>>>>
>>>>>> ________________________________________________________________
>>>>>> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400
>>>>>> SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>>>>>> MTovey at go2uti.com | O / C +1 503 953-1389 | Skype: mark.tovey2
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Martin Kosek [mailto:mkosek at redhat.com]
>>>>>> Sent: Tuesday, July 16, 2013 12:34 AM
>>>>>> To: Tovey, Mark
>>>>>> Cc: Steven Jones; James Hogarth; Freeipa-users at redhat.com; Pavel
>>>>>> Brezina
>>>>>> Subject: Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>
>>>>>> Just checking, did you try troubleshooting hints from JR I found at the top of the thread? I did not find an information about that.
>>>>>>
>>>>>> ~~~~
>>>>>> Can you confirm that the output of the following commands:
>>>>>> 1. $ domainname
>>>>>> * does it match your domain?
>>>>>> 2. $ hostname
>>>>>> * does match match your fqdn?
>>>>>> 3. $ getent netgroup esolutions-sandbox-hosts
>>>>>> * does this list your host?
>>>>>> 4. Does /etc/nsswitch.conf contain the line: "netgroup:   files sss"?
>>>>>>
>>>>>>
>>>>>> Another important Sudo Troubleshooting step is to edit: /etc/sudo-ldap.conf (or /etc/ldap.conf, depending on what version of RHEL/Sudo you're running):
>>>>>>
>>>>>> At the top, add the line: sudoers_debug 2
>>>>>>
>>>>>> Then try another sudo command. sudo -l for example.
>>>>>> ~~~~
>>>>>>
>>>>>> For example, it would help to know that netgroup list (step 3) works or domainname is set correctly (step 1).
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>>
>>>>>> On 07/16/2013 06:09 AM, Tovey, Mark wrote:
>>>>>>>
>>>>>>>
>>>>>>>        Okay, I stopped sssd on the client and deleted the cache
>>>>>>> files, removed the sudo rule, started sssd and verified that the
>>>>>>> rule was gone, stopped sssd and deleted the files again, added
>>>>>>> the rule back in, restarted sssd, and still it does not work.
>>>>>>> One note, when I enter the hosts into the sudo rule in place of
>>>>>>> the host group, the effect is immediate; I do not need to restart
>>>>>>> sssd.  And the opposite is true too: if I put the host group
>>>>>>> back, the rule immediately stops working.  I don't think the
>>>>>>> issue is cache related; it seems to be something else.  The serv_account that we are accessing with the sudo rule is external.  I wouldn't expect that to matter, but perhaps it does?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>        I like your idea for the labels; they make sense.  Right
>>>>>>> now we are just evaluating this to see if we want to go this route.
>>>>>>> So far we like it, but this could be a problem because we have a
>>>>>>> several hundred hosts that we need to manage.  Having to enter each one individually will be problematic.
>>>>>>>
>>>>>>>        Thanks,
>>>>>>>
>>>>>>>        -Mark
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> * *
>>>>>>>
>>>>>>> *________________________________________________________________
>>>>>>> *
>>>>>>>
>>>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>>>
>>>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 |
>>>>>>> Portland
>>>>>>> | Oregon
>>>>>>> | 97204 | USA
>>>>>>>
>>>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>>>> mark.tovey2
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>>>>>>> *Sent:* Monday, July 15, 2013 4:44 PM
>>>>>>> *To:* Tovey, Mark; James Hogarth
>>>>>>> *Cc:* Freeipa-users at redhat.com
>>>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> option b) delete the rule totally and redo it from scratch.
>>>>>>>
>>>>>>> I label rules like this,
>>>>>>>
>>>>>>> hb-xxxx   for a hbac rule
>>>>>>>
>>>>>>> su-xxxx for a sudo rule
>>>>>>>
>>>>>>> sc-xxxx for a sudo command group
>>>>>>>
>>>>>>> ug-xxxx for a user group
>>>>>>>
>>>>>>> hg-xxxx for a host groups
>>>>>>>
>>>>>>> etc
>>>>>>>
>>>>>>> etc
>>>>>>>
>>>>>>> It makes the logic easier when you go into command line which I
>>>>>>> find easier to trace with than the gui at time.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>>
>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>
>>>>>>> Victoria University, Wellington, NZ
>>>>>>>
>>>>>>> 0064 4 463 6272
>>>>>>>
>>>>>>> -----------------------------------------------------------------
>>>>>>> --
>>>>>>> --
>>>>>>> -
>>>>>>> ---------
>>>>>>>
>>>>>>> *From:*Tovey, Mark [MTovey at go2uti.com]
>>>>>>> *Sent:* Tuesday, 16 July 2013 11:34 a.m.
>>>>>>> *To:* Steven Jones; James Hogarth
>>>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>        That didn't work either.  I set up the host group in my
>>>>>>> sudo rule, stopped sssd, renamed /var/lib/sss/db and created a
>>>>>>> new db directory, then restarted sssd.  New files were created in
>>>>>>> the db directory, but it still refuses to work unless the hosts are directly specified in the sudo rule.
>>>>>>>
>>>>>>>        Thanks,
>>>>>>>
>>>>>>>        -Mark
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> * *
>>>>>>>
>>>>>>> *________________________________________________________________
>>>>>>> *
>>>>>>>
>>>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>>>
>>>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 |
>>>>>>> Portland
>>>>>>> | Oregon
>>>>>>> | 97204 | USA
>>>>>>>
>>>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>>>> mark.tovey2
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *From:*Steven Jones [mailto:Steven.Jones at vuw.ac.nz]
>>>>>>> *Sent:* Monday, July 15, 2013 4:15 PM
>>>>>>> *To:* Tovey, Mark; James Hogarth
>>>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>>>> *Subject:* RE: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> This is a known issue Ive suffered a long time with.  What would
>>>>>>> be interesting is adding another host to the host group could
>>>>>>> well work fine, that will really make you bang your head against the wall..
>>>>>>>
>>>>>>> 2 possibilities, stop the sssd daemon on the problem host, delete
>>>>>>> its cache and start it, that might fix it.
>>>>>>>
>>>>>>> Otherwise best to,
>>>>>>>
>>>>>>> All RH support could come up with is delete the HBAC rule, sudo
>>>>>>> rule, user group and host group and re-do it, then it will probably work fine.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>>
>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>
>>>>>>> Victoria University, Wellington, NZ
>>>>>>>
>>>>>>> 0064 4 463 6272
>>>>>>>
>>>>>>> -----------------------------------------------------------------
>>>>>>> --
>>>>>>> --
>>>>>>> -
>>>>>>> ---------
>>>>>>>
>>>>>>> *From:*freeipa-users-bounces at redhat.com
>>>>>>> <mailto:freeipa-users-bounces at redhat.com>
>>>>>>> [freeipa-users-bounces at redhat.com] on behalf of Tovey, Mark
>>>>>>> [MTovey at go2uti.com]
>>>>>>> *Sent:* Tuesday, 16 July 2013 10:54 a.m.
>>>>>>> *To:* James Hogarth
>>>>>>> *Cc:* Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>        I checked that and it is set correctly:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> [user1 at host1 ~]$ nisdomainname
>>>>>>>
>>>>>>> my_domain.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>        If I try to run a command with the hosts specified
>>>>>>> indirectly through a host group, it fails:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> [user1 at host1 ~]$ sudo -i -u serv_account
>>>>>>>
>>>>>>> LDAP Config Summary
>>>>>>>
>>>>>>> ===================
>>>>>>>
>>>>>>> uri              ldap://ipa_server.my_domain.com
>>>>>>>
>>>>>>> ldap_version     3
>>>>>>>
>>>>>>> sudoers_base     ou=SUDOers,dc=my_domain,dc=com
>>>>>>>
>>>>>>> binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
>>>>>>>
>>>>>>> bindpw           **********
>>>>>>>
>>>>>>> bind_timelimit   5000
>>>>>>>
>>>>>>> timelimit        15
>>>>>>>
>>>>>>> ssl              start_tls
>>>>>>>
>>>>>>> tls_checkpeer    (yes)
>>>>>>>
>>>>>>> tls_cacertfile   /etc/ipa/ca.crt
>>>>>>>
>>>>>>> ===================
>>>>>>>
>>>>>>> sudo: ldap_initialize(ld, ldap://ipa_server.my_domain.com)
>>>>>>>
>>>>>>> sudo: ldap_set_option: debug -> 0
>>>>>>>
>>>>>>> sudo: ldap_set_option: ldap_version -> 3
>>>>>>>
>>>>>>> sudo: ldap_set_option: tls_checkpeer -> 1
>>>>>>>
>>>>>>> sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
>>>>>>>
>>>>>>> sudo: ldap_set_option: timelimit -> 15
>>>>>>>
>>>>>>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> sudo: ldap_start_tls_s() ok
>>>>>>>
>>>>>>> sudo: ldap_sasl_bind_s() ok
>>>>>>>
>>>>>>> sudo: no default options found!
>>>>>>>
>>>>>>> sudo: ldap search
>>>>>>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>>>>
>>>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>>>>
>>>>>>> sudo: ldap sudoHost '+hgroup1' ... not
>>>>>>>
>>>>>>> sudo: ldap search 'sudoUser=+*'
>>>>>>>
>>>>>>> sudo: user_matches=1
>>>>>>>
>>>>>>> sudo: host_matches=0
>>>>>>>
>>>>>>> sudo: sudo_ldap_lookup(0)=0x40
>>>>>>>
>>>>>>> [sudo] password for user1:
>>>>>>>
>>>>>>> Sorry, try again.
>>>>>>>
>>>>>>> [sudo] password for user1:
>>>>>>>
>>>>>>> sudo: 1 incorrect password attempt
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>        But if I remove the host group from the sudo rule and
>>>>>>> directly add the hosts that were in the host group, it works fine:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> <snip>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> sudo: ldap_start_tls_s() ok
>>>>>>>
>>>>>>> sudo: ldap_sasl_bind_s() ok
>>>>>>>
>>>>>>> sudo: no default options found!
>>>>>>>
>>>>>>> sudo: ldap search
>>>>>>> '(|(sudoUser=user1)(sudoUser=%user1)(sudoUser=%user1s)(sudoUser=ALL))'
>>>>>>>
>>>>>>> sudo: found:cn=my_sudo_rule,ou=sudoers,dc=my_domain,dc=com
>>>>>>>
>>>>>>> sudo: ldap sudoHost 'host1.my_domain.com' ... MATCH!
>>>>>>>
>>>>>>> sudo: ldap sudoRunAsUser 'serv_account' ... MATCH!
>>>>>>>
>>>>>>> sudo: ldap sudoCommand 'ALL' ... MATCH!
>>>>>>>
>>>>>>> sudo: Command allowed
>>>>>>>
>>>>>>> sudo: user_matches=1
>>>>>>>
>>>>>>> sudo: host_matches=1
>>>>>>>
>>>>>>> sudo: sudo_ldap_lookup(0)=0x02
>>>>>>>
>>>>>>> [sudo] password for user1:
>>>>>>>
>>>>>>> [serv_account at host1 ~]$
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>        So something isn't lining up correctly with host groups in
>>>>>>> sudo rules somewhere.  I just haven't been able to track it down.
>>>>>>>
>>>>>>>        Thanks,
>>>>>>>
>>>>>>>        -Mark
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> * *
>>>>>>>
>>>>>>> *________________________________________________________________
>>>>>>> *
>>>>>>>
>>>>>>> *Mark Tovey - UNIX Engineer | Service Strategy & Design*
>>>>>>>
>>>>>>> UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 |
>>>>>>> Portland
>>>>>>> | Oregon
>>>>>>> | 97204 | USA
>>>>>>>
>>>>>>> MTovey at go2uti.com <mailto:MTovey at go2uti.com> | O / C +1 503 953-1389 | Skype:
>>>>>>> mark.tovey2
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *From:*James Hogarth [mailto:james.hogarth at gmail.com]
>>>>>>> *Sent:* Monday, July 15, 2013 1:11 PM
>>>>>>> *To:* Tovey, Mark
>>>>>>> *Subject:* Re: [Freeipa-users] sudo rules user and host group bugs?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>        Did anyone find a solution for this?  I am having the same experience.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Wow that was a mess...
>>>>>>>
>>>>>>> To use hostgroups for sudo ensure nisdomainname is set on the
>>>>>>> hosts to the IPA domain.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Freeipa-users mailing list
>>>>>>> Freeipa-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>>>>>
>>>>>
>>>>> -------------------------------
>>>>> Looking to carve out IT costs?
>>>>> www.redhat.com/carveoutcosts/
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>



From pviktori at redhat.com  Mon Jul 22 10:23:58 2013
From: pviktori at redhat.com (Petr Viktorin)
Date: Mon, 22 Jul 2013 12:23:58 +0200
Subject: [Freeipa-users] Exporting a PEM Certificate for OpenStack
	Keystone
In-Reply-To: <CAKZK7uxvgbCit9fXqMdUpXBhxO_p-Tp6kmsamVZvxzrW8yTX3w@mail.gmail.com>
References: <CAKZK7uxvgbCit9fXqMdUpXBhxO_p-Tp6kmsamVZvxzrW8yTX3w@mail.gmail.com>
Message-ID: <51ED083E.6010801@redhat.com>

On 07/22/2013 05:41 AM, Justin Brown wrote:
> Hi,
>
> I'm having some trouble understanding certificates in general and
> service certificates in FreeIPA.
>
> Keystone if the authentication layer for OpenStack, and I'm trying to
> get it setup to integrate with the certificates in my FreeIPA domain.
>
> By default, Keystone setups up a self-signed CA based on settings an
> openssl.conf.
>
> I would like to use a FreeIPA service certificate to sign tokens for
> Keystone.
>
> I have Keystone at keystone.cloud.fandingo.org
> <http://keystone.cloud.fandingo.org> and install with the FreeIPA client.
>
> I setup a service, HTTP/keystone.cloud.fandingo.org
> <http://keystone.cloud.fandingo.org>. Then, I create a CSR and private
> key using OpenSSL. Lastly, I copy  the CSR into FreeIPA and generate the
> certificate.
>
>   I just need to get the signed certificate out of FreeIPA in some way.
> However, I can't for the life of me figure out what format the
> certificate is. It's not PEM or any of the PKCS versions that I'm
> familiar with because there are no header or footer lines. It doesn't
> appear to be DER because OpenSSL refuses to process it as such.

Hello,
What command did you use to display the certificate?
IPA stores certificates in DER form, and the tools (ipa service-show, 
ipa cert-show, ldapsearch, etc.) display that in base64-encoded form.

You can use `ipa service-show HTTP/keystone.cloud.fandingo.org --out 
servicecert.pem` to write the cert to file servicecert.pem.

(Alternatively, you can take the data cert-show displays and either use 
`base64 -d` command to convert to binary DER, or add the PEM header and 
footer to get PEM.)

-- 
Petr?



From Amy.Murtha at hp.com  Mon Jul 15 16:42:11 2013
From: Amy.Murtha at hp.com (Murtha, Amy)
Date: Mon, 15 Jul 2013 16:42:11 +0000
Subject: [Freeipa-users] customizing the web UI
Message-ID: <150516527A3D9C48A804A7E216230D237D001A9F@G4W3222.americas.hpqcorp.net>

Hi,

We are looking for help or advice on how to customize the web UI to add or remove fields in the user configuration. For example, the default schema comes with a "car license" field in the Misc. Information section, which isn't very useful to us. Im told that particular info is in the "inetOrgPerson" schema; the suggestion was to create a local copy of that schema to modify, rather than modifying the base schema. In any case, we don't know exactly how to go about this. Any advice or suggestions how to customize the web UI?

Thanks,
Amy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130715/79a6bcd2/attachment.htm>

From alee at redhat.com  Mon Jul 22 13:39:50 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 22 Jul 2013 09:39:50 -0400
Subject: [Freeipa-users] problem creating replica
In-Reply-To: <CAJ8DPF5OzaRTz-OaWu1a51D_TT=KW7=C8UwQnN3GNKLHeGZRPA@mail.gmail.com>
References: <CAJ8DPF7-nAxu5+BbLt0t7Hb2reJrYg273v6r6kQq3j2gnsEeOA@mail.gmail.com>
	<CAJ8DPF4Fdeu5VBK4wdcm_cS1ATE3WR4b8-fE42m1ERTvP18u1A@mail.gmail.com>
	<51E7BA4F.2060903@redhat.com>
	<CAJ8DPF5DvkXeN5h3AOiO61cUppSKDRSuqPkZCnUF-6A582vfOw@mail.gmail.com>
	<CAJ8DPF5QSPsJoSQi4=miuvi2u8Ojx7cW6Cw8f8P+s=DS52tUFA@mail.gmail.com>
	<1374258010.2951.38.camel@aleeredhat.laptop>
	<CAJ8DPF7S2CwMTtedyWqT26Vq5BK=bLXgqNJdv=+NDz4CpAKbqg@mail.gmail.com>
	<CAJ8DPF5OzaRTz-OaWu1a51D_TT=KW7=C8UwQnN3GNKLHeGZRPA@mail.gmail.com>
Message-ID: <1374500390.2951.47.camel@aleeredhat.laptop>

On Mon, 2013-07-22 at 12:05 +1000, Pete Brown wrote:
> On 22 July 2013 11:45, Pete Brown <rendhalver at gmail.com> wrote:
> > On 20 July 2013 04:20, Ade Lee <alee at redhat.com> wrote:
> >>
> >> On Fri, 2013-07-19 at 14:14 +1000, Pete Brown wrote:
> >>> I was just trying this again and noticed there is a
> >>> /var/log/pki/pki-ca-spawn.20130719140342.log file with what i assume
> >>> is the logging for the attempt to create the pki.
> >>> right at the end is this entry.
> >>>
> >>> 2013-07-19 14:04:42 pkispawn    : INFO     ....... unable to access
> >>> security domain through REST interface.  Trying old interface. 503
> >>> Server Error: Service Unavailable
> >>>
> >>> Does anyone know what that means and how to fix it?
> >>>
> >>
> >> This means that the dogtag CA is trying to contact the dogtag master -
> >> and is failing to do so.  It may be trying to access the wrong port.
> >>
> >> What version do you have for :
> >> rpm -q pki-ca ?
> >
> > on my master server.
> > pki-ca-10.0.3-2.fc18.noarch
> >
> >> Please attach the logs for the replica CA.
> >> /var/log/pki/pki-tomcat/*
> >
> > I just tried doing the replica install again and was tailing the
> > catalina.out while is was running and I think I have discovered the
> > problem.
> > The jre it seems to have been upgraded and it is still using the old path.
> > I shall try and work out how to fix that and will let you know if I get stuck.
> 
> What you mentioned assisted with further debugging.
> 
> this is the tail end of catalina.out from my last run
> 
> Jul 22, 2013 11:54:39 AM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory /var/lib/pki/pki-tomcat/webapps/ROOT
> Jul 22, 2013 11:54:39 AM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8080"]
> Jul 22, 2013 11:54:39 AM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8443"]
> Jul 22, 2013 11:54:39 AM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["ajp-bio-8009"]
> Jul 22, 2013 11:54:39 AM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 9498 ms
> 11:57:15,198  INFO
> (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82)
> - Deploying javax.ws.rs.core.Application: class
> com.netscape.ca.CertificateAuthorityApplication
> 11:57:15,218  INFO
> (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82)
> - Adding singleton provider
> com.netscape.certsrv.authentication.AuthMethodInterceptor from
> Application javax.ws.rs.core.Application
> 11:57:15,224  INFO
> (org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82)
> - Adding singleton provider com.netscape.certsrv.acls.ACLInterceptor
> from Application javax.ws.rs.core.Application
> 11:57:15,448 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60)
> - PathInfo: /securityDomain/domainInfo
> AuthInterceptor: SecurityDomainResource.getDomainInfo()
> AuthInterceptor: mapping name: default
> AuthInterceptor: required auth methods: [*]
> AuthInterceptor: anonymous access allowed
> 11:57:15,798 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60)
> - PathInfo: /account/login
> AuthInterceptor: AccountResource.login()
> AuthInterceptor: mapping name: account
> AuthInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
> AuthInterceptor: anonymous access not allowed
> 
> my guess would be the replica creation is attempting an anonymous bind.
> I have those disabled for security reasons.
> Is there any way around that without turning on anonymous  binds?
> 
I'm assuming the above is on the master.  The above messages detail two
different interactions between the clone CA and the master CA.  That is
- the clone contacts the master to ask for its domain
info /securityDomain/domainInfo (which requires no auth).  The auth here
is CA -> CA.  It has nothing to do with the database.  It then tries to
login and the above message indicates that it needs a password or a
client auth certificate.  So there is nothing in the above that
indicates the error.

I really need to see the catalina.out / debug logs on both the replica
and master to understand where it is failing.

> 
> >> You are also exactly correct in creating a replica before upgrading to
> >> F19.  Much older dogtag instances (based on dogtag 9) will not work in
> >> f19 due to tomcat6 not being available in f19.
> >
> > Ahh.
> > Did that prompt the amalgamation of the ldap trees?
> >
> >>
> >> Ade
> >>>
> >>> On 19 July 2013 12:46, Pete Brown <rendhalver at gmail.com> wrote:
> >>> > On 18 July 2013 19:50, Petr Viktorin <pviktori at redhat.com> wrote:
> >>> >> On 07/18/2013 03:31 AM, Pete Brown wrote:
> >>> >>>
> >>> >>> I opened all the ports that seemed to be listening n the master.
> >>> >>> I also ran the setup again without disabling the connection check to
> >>> >>> see what else needed fixing.
> >>> >>> It seems after much investigation and log dredging it seems my admin
> >>> >>> password had expired.
> >>> >>> I wasn't aware that was possible.
> >>> >>> I reset the password and it seemed to get further.
> >>> >>> This for some reason not mentioned in the documentation the replica is
> >>> >>> trying to ssh into the master as admin.
> >>> >>> I managed to fix that by changing my setup and ssh config files.
> >>> >>>
> >>> >>> Then it actually managed to start the setup process.
> >>> >>> But again it fails at exactly the same point mentioned in my initial
> >>> >>> email.
> >>> >>>
> >>> >>> After some further digging with reference to the log output below it
> >>> >>> seems I have run into a bug that seems to have been fixed.
> >>> >>> https://fedorahosted.org/freeipa/ticket/3213
> >>> >>> As I mentioned I am running current Fedora 18 so freeipa is
> >>> >>> 3.1.5-1.fc18 is that fixed in my version?
> >>> >>
> >>> >>
> >>> >> Yes, that bug was fixed in 3.1.0.
> >>> >
> >>> > Well the script is still complaining about not being able to find
> >>> > dogtag_master_ds_port and the option still appears in my version of
> >>> > the script.
> >>> > Which from the bug seems to be what was causing the issue and the
> >>> > ipareplica-install log I included below says this is the case.
> >>> > It seems a bit odd because this is a fresh install of 3.1.5.
> >>> >
> >>> >
> >>> >
> >>> >>> It also seems the dogatg and IPA directories will be or have been merged?
> >>> >>> Which version did this happen in and will it get applied to my server?
> >>> >>
> >>> >>
> >>> >> Also in 3.1.0; new servers installed using that version have merged
> >>> >> databases.
> >>> >
> >>> > I still seem to have split instances.
> >>> > I did the install before Fedora 18 was released because I wanted ipa 3
> >>> > and that was the only way I could get it.
> >>> > Will they get merged at some point or can I do it manually?
> >>> >
> >>> >>
> >>> >>> Can anyone suggest how I go about fixing this issue?
> >>> >>
> >>> >>
> >>> >> Well, ipa-server-uninstall can misbehave if CA installation goes wrong
> >>> >> (ticket #2796).
> >>> >> So I would start by uninstalling, then running the following command to make
> >>> >> sure CA is not left:
> >>> >>     sudo pkidestroy -s CA -i pki-tomcat
> >>> >> then installing again.
> >>> >
> >>> > Ran that on my replica after the install and before the clean and it said this.
> >>> > That would make sense because it fails during the ca creation stage.
> >>> >
> >>> > root at ipa2 ~]# pkidestroy -s CA -i pki-tomcat
> >>> > ERROR:  PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!
> >>> >
> >>> >
> >>> >>
> >>> >> Can you also provide logs without the --skip-conncheck flag? Specifically
> >>> >> the /var/log/ipareplica-conncheck.log should be interesting.
> >>> >
> >>> > From what I can tell all the tests in the connection check passed.
> >>> >
> >>> >>
> >>> >>
> >>> >>> I wanted to create a replica so I could upgrade to fedora 19 and not
> >>> >>> have to take my single instance of FreeIPA offline while that was
> >>> >>> happening.
> >>> >>> Will I need to upgrade to Fedora 19 to fix my issue?
> >>> >>
> >>> >>
> >>> >>
> >>> >>> For reference this is the point of failure in the
> >>> >>> /var/log/ipareplica-install.log file
> >>> >>>
> >>> >>> 2013-07-18T01:06:16Z DEBUG Starting external process
> >>> >>> 2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
> >>> >>> 2013-07-18T01:08:16Z DEBUG Process finished, return code=1
> >>> >>> 2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration
> >>> >>> from /tmp/tmpFKBxMW.
> >>> >>> ERROR:  Unable to access security domain: 503 Server Error: Service
> >>> >>> Unavailable
> >>> >>
> >>> >>
> >>> >> Please also check logs on the existing server. Is the CA available?
> >>> >> Does e.g. `ipa cert-show 1` work?
> >>> >>
> >>> >>> 2013-07-18T01:08:16Z DEBUG stderr=
> >>> >>> 2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command
> >>> >>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit
> >>> >>> status 1
> >>> >>> 2013-07-18T01:08:16Z INFO   File
> >>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> >>> >>> line 619, in run_script
> >>> >>>      return_value = main_function()
> >>> >>>
> >>> >>>    File "/usr/sbin/ipa-replica-install", line 652, in main
> >>> >>>      (CA, cs) = cainstance.install_replica_ca(config,
> >>> >>> dogtag_master_ds_port)
> >>> >>>
> >>> >>>    File
> >>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> >>> >>> line 1809, in install_replica_ca
> >>> >>>      subject_base=config.subject_base)
> >>> >>>
> >>> >>>    File
> >>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> >>> >>> line 625, in configure_instance
> >>> >>>      self.start_creation(runtime=210)
> >>> >>>
> >>> >>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> >>> >>> line 358, in start_creation
> >>> >>>      method()
> >>> >>>
> >>> >>>    File
> >>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> >>> >>> line 744, in __spawn_instance
> >>> >>>      raise RuntimeError('Configuration of CA failed')
> >>> >>>
> >>> >>> 2013-07-18T01:08:16Z INFO The ipa-replica-install command failed,
> >>> >>> exception: RuntimeError: Configuration of CA failed
> >>> >>>
> >>> >>> On 17 July 2013 15:52, Pete Brown <rendhalver at gmail.com> wrote:
> >>> >>>>
> >>> >>>> Hi everyone,
> >>> >>>>
> >>> >>>> I am attempting to create a replica of my freeipa server.
> >>> >>>> I am following the docs but they are not working for me.
> >>> >>>> I am getting the vague impression I am missing a step that doesn't
> >>> >>>> seem to be documented.
> >>> >>>>
> >>> >>>> For the record all the posts listed are open and it was a clean
> >>> >>>> install of Fedora 18.
> >>> >>>>
> >>> >>>> I thought the server may need to be a client of the master before I
> >>> >>>> set it up as a replica but it just said I needed to uninstall the
> >>> >>>> client setup.
> >>> >>>>
> >>> >>>> After running ipa-replica-prepare on the master and scping the file to
> >>> >>>> the new replica.
> >>> >>>> I ran this command on the new replica
> >>> >>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
> >>> >>>> --forwarder=XXX.XXX.XXX.XX --forwarder=XX.XXX.XXX.XXX
> >>> >>>> /var/lib/ipa/replica-info-ipa2.domain.com.gpg
> >>> >>>>
> >>> >>>> The error I am seeing is from that command is this:
> >>> >>>> Cannot acquire Kerberos ticket: kinit: Cannot read password while
> >>> >>>> getting initial credentials
> >>> >>>>
> >>> >>>> Connection check failed!
> >>> >>>> Please fix your network settings according to error messages above.
> >>> >>>> If the check results are not valid it can be skipped with
> >>> >>>> --skip-conncheck parameter.
> >>> >>>>
> >>> >>>> So I cleaned everything off (i think) and tried it with this command
> >>> >>>>
> >>> >>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
> >>> >>>> --forwarder=61.9.211.33 --forwarder=61.9.211.1 --skip-conncheck
> >>> >>>> /var/lib/ipa/replica-info-ipa2.webgatetec.com.gpg
> >>> >>>>
> >>> >>>> This seems to actually start the install and setup process i remember
> >>> >>>> from installing the ipa server initially
> >>> >>>>
> >>> >>>> This it fails with this output
> >>> >>>>
> >>> >>>> WARNING: conflicting time&date synchronization service 'chronyd' will
> >>> >>>> be disabled in favor of ntpd
> >>> >>>>
> >>> >>>> Directory Manager (existing master) password:
> >>> >>>>
> >>> >>>> Configuring NTP daemon (ntpd)
> >>> >>>>    [1/4]: stopping ntpd
> >>> >>>>    [2/4]: writing configuration
> >>> >>>>    [3/4]: configuring ntpd to start on boot
> >>> >>>>    [4/4]: starting ntpd
> >>> >>>> Done configuring NTP daemon (ntpd).
> >>> >>>> Configuring directory server (dirsrv): Estimated time 1 minute
> >>> >>>>    [1/31]: creating directory server user
> >>> >>>>    [2/31]: creating directory server instance
> >>> >>>>    [3/31]: adding default schema
> >>> >>>>    [4/31]: enabling memberof plugin
> >>> >>>>    [5/31]: enabling winsync plugin
> >>> >>>>    [6/31]: configuring replication version plugin
> >>> >>>>    [7/31]: enabling IPA enrollment plugin
> >>> >>>>    [8/31]: enabling ldapi
> >>> >>>>    [9/31]: configuring uniqueness plugin
> >>> >>>>    [10/31]: configuring uuid plugin
> >>> >>>>    [11/31]: configuring modrdn plugin
> >>> >>>>    [12/31]: configuring DNS plugin
> >>> >>>>    [13/31]: enabling entryUSN plugin
> >>> >>>>    [14/31]: configuring lockout plugin
> >>> >>>>    [15/31]: creating indices
> >>> >>>>    [16/31]: enabling referential integrity plugin
> >>> >>>>    [17/31]: configuring ssl for ds instance
> >>> >>>>    [18/31]: configuring certmap.conf
> >>> >>>>    [19/31]: configure autobind for root
> >>> >>>>    [20/31]: configure new location for managed entries
> >>> >>>>    [21/31]: restarting directory server
> >>> >>>>    [22/31]: setting up initial replication
> >>> >>>> Starting replication, please wait until this has completed.
> >>> >>>> Update in progress
> >>> >>>> Update in progress
> >>> >>>> Update in progress
> >>> >>>> Update in progress
> >>> >>>> Update succeeded
> >>> >>>>    [23/31]: adding replication acis
> >>> >>>>    [24/31]: setting Auto Member configuration
> >>> >>>>    [25/31]: enabling S4U2Proxy delegation
> >>> >>>>    [26/31]: initializing group membership
> >>> >>>>    [27/31]: adding master entry
> >>> >>>>    [28/31]: configuring Posix uid/gid generation
> >>> >>>>    [29/31]: enabling compatibility plugin
> >>> >>>>    [30/31]: tuning directory server
> >>> >>>>    [31/31]: configuring directory to start on boot
> >>> >>>> Done configuring directory server (dirsrv).
> >>> >>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
> >>> >>>> 30 seconds
> >>> >>>>    [1/17]: creating certificate server user
> >>> >>>>    [2/17]: configuring certificate server instance
> >>> >>>> ipa         : CRITICAL failed to configure ca instance Command
> >>> >>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmptGcdgB' returned non-zero exit
> >>> >>>> status 1
> >>> >>>>
> >>> >>>> Your system may be partly configured.
> >>> >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >>> >>>>
> >>> >>>> Configuration of CA failed
> >>> >>>>
> >>> >>>> I even tried cleaning it again at that point and made sure all the
> >>> >>>> ports were open and still got the same error.
> >>> >>>>
> >>> >>>> I also switched selinux to permissive mode cleaned up and rebooted but
> >>> >>>> that didn't help either
> >>> >>>>
> >>> >>>> Can someone please point out what I need to do to get this working.
> >>> >>>>
> >>> >>>> Thanks in advance.
> >>> >>>> Pete.
> >>> >>>
> >>> >>>
> >>> >>> _______________________________________________
> >>> >>> Freeipa-users mailing list
> >>> >>> Freeipa-users at redhat.com
> >>> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>> >>>
> >>> >>
> >>> >>
> >>> >> --
> >>> >> Petr?
> >>>
> >>> _______________________________________________
> >>> Freeipa-users mailing list
> >>> Freeipa-users at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>
> >>




From Matt_Rivet at Archway.com  Mon Jul 22 13:41:14 2013
From: Matt_Rivet at Archway.com (Rivet, Matt)
Date: Mon, 22 Jul 2013 13:41:14 +0000
Subject: [Freeipa-users] Host certificate issue problem
In-Reply-To: <67B1E3A6D1E57E43B43AE145212A16F4188B37BB@DETEX03.trade.archway.com>
References: <67B1E3A6D1E57E43B43AE145212A16F4188B368C@DETEX03.trade.archway.com>,
	<51E8D2CA.7090200@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188B36BB@DETEX03.trade.archway.com>,
	<51E8FB9F.50008@redhat.com>,
	<67B1E3A6D1E57E43B43AE145212A16F4188B37BB@DETEX03.trade.archway.com>
Message-ID: <67B1E3A6D1E57E43B43AE145212A16F4188C0865@DETEX03.trade.archway.com>

On 07/19/2013 08:10 AM, Rivet, Matt wrote:
>
>> When I check the host certificate I see a ca-error saying it cannot find
>> a suitable key.
>>
>> # ipa-getcert list
>>
>> Number of certificates and requests being tracked: 1.
>> Request ID '20130719035440':
>> status: CA_UNCONFIGURED
>> ca-error: Error setting up ccache for local "host" service using default
>> keytab: Keytab contains no suitable keys for host/det-webdl01 at .
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS
>> Certificate DB'
>> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>
> What is the version of ipa-server , is the above error on ipa client ,
> if so what is the version of ipa-client
>
> Both client and server are version 3.0; the error is on the client
>
> There was similar bug in earlier versions, I would suggest you to update
> the ipa server and clients to ipa-3.0
>
> Yes the bug in earlier versions is here, https://bugzilla.redhat.com/show_bug.cgi?id=747443
> I have double checked to see if the workaround applies after the bug fix, it does not
>
>> When I check my keytab
>> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example.com at EXAMPLE.COM
>> No error
>> If I list my keytab,
>>
>> # klist -kt /etc/krb5.keytab
>>
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Timestamp         Principal
>> ---- -----------------
>> --------------------------------------------------------
>>    2 07/18/13 13:14:06 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>
>> My /etc/krb5.conf file looks like:
>>
>> [libdefaults]
>>  default_keytab_name = FILE:/etc/krb5.keytab
>>  default_realm = EXAMPLE.COM
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = false
>>   rdns = false
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>
>> [realms]
>>   EXAMPLE.COM = {
>>     kdc = det-ldmpl01.sub.example.com:88
>>     master_kdc = det-ldmpl01.sub.example.com:88
>>     admin_server = det-ldmpl01.sub.example.com:749
>>     default_domain = example.com
>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   }
>>
>> [domain_realm]
>>   .example.com = EXAMPLE.COM
>>   example.com = EXAMPLE.COM
>>   .sub.example.com = EXAMPLE.COM
>>   sub.example.com = EXAMPLE.COM
>>
>> It seems the error from ipa-getcert list shows:
>>
>> ca-error: Error setting up ccache for local "host" service using default
>> keytab: Keytab contains no suitable keys for host/det-webdl01 at .
>>
>> where it is trunking the hostname and not including the realm name after
>> @ seems to be the problem, but I cannot figure out why.  If I run
>> `hostname` on this host it prints det-webdl01.sub.example.com.
>>

Can you please check respective certmonger request in
/var/lib/certmonger/requests/ and see if the principal is not misconfigured
there from the time when request was created?

I also think you should be able to override the bad principal with following
command:

# ipa-getcert start-tracking -i 20130719035440 -K
"host/det-webdl01.sub.example.com at EXAMPLE.COM"

HTH,
Martin



Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=det-webdl01.sub.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
..
..
..
                    4a:57
                Exponent: 65537 (0x10001)
        Attributes:
            friendlyName             :Server-Cer
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:det-webdl01.sub.example.com, othername:<unsupported>, othername:<unsupported>
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
...
...
...

The request also looks like this

state=HAVE_CSR
autorenew=1
monitor=1
ca_name=IPA
submitted=20130719035440
ca_error=Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01 at .

Does IPA need to be in my host file or dns?

Does anyone know why certmonger is looking for a keytab for host/det-webdl01 at . instead of host/host/det-webdl01.sub.example.com at EXAMPLE.com?

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



From pvoborni at redhat.com  Mon Jul 22 13:48:43 2013
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 22 Jul 2013 15:48:43 +0200
Subject: [Freeipa-users] customizing the web UI
In-Reply-To: <150516527A3D9C48A804A7E216230D237D001A9F@G4W3222.americas.hpqcorp.net>
References: <150516527A3D9C48A804A7E216230D237D001A9F@G4W3222.americas.hpqcorp.net>
Message-ID: <51ED383B.70809@redhat.com>

On 07/15/2013 06:42 PM, Murtha, Amy wrote:
> Hi,
>
> We are looking for help or advice on how to customize the web UI to add or remove fields in the user configuration. For example, the default schema comes with a "car license" field in the Misc. Information section, which isn't very useful to us. Im told that particular info is in the "inetOrgPerson" schema; the suggestion was to create a local copy of that schema to modify, rather than modifying the base schema. In any case, we don't know exactly how to go about this. Any advice or suggestions how to customize the web UI?
>
> Thanks,
> Amy


Hello Amy,

Current possibilities of Web UI alternation are described at 
https://www.redhat.com/archives/freeipa-users/2013-June/msg00189.html .

What do you want to do with the 'inetOrgPerson' and 'car license' exactly?
-- 
Petr Vobornik



From mkosek at redhat.com  Mon Jul 22 13:54:14 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 22 Jul 2013 15:54:14 +0200
Subject: [Freeipa-users] Host certificate issue problem
In-Reply-To: <67B1E3A6D1E57E43B43AE145212A16F4188C0865@DETEX03.trade.archway.com>
References: <67B1E3A6D1E57E43B43AE145212A16F4188B368C@DETEX03.trade.archway.com>,
	<51E8D2CA.7090200@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188B36BB@DETEX03.trade.archway.com>,
	<51E8FB9F.50008@redhat.com>,
	<67B1E3A6D1E57E43B43AE145212A16F4188B37BB@DETEX03.trade.archway.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188C0865@DETEX03.trade.archway.com>
Message-ID: <51ED3986.3020607@redhat.com>

On 07/22/2013 03:41 PM, Rivet, Matt wrote:
> On 07/19/2013 08:10 AM, Rivet, Matt wrote:
>>
>>> When I check the host certificate I see a ca-error saying it cannot find
>>> a suitable key.
>>>
>>> # ipa-getcert list
>>>
>>> Number of certificates and requests being tracked: 1.
>>> Request ID '20130719035440':
>>> status: CA_UNCONFIGURED
>>> ca-error: Error setting up ccache for local "host" service using default
>>> keytab: Keytab contains no suitable keys for host/det-webdl01 at .
>>> stuck: yes
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS
>>> Certificate DB'
>>> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
>>> CA: IPA
>>> issuer:
>>> subject:
>>> expires: unknown
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>>
>>
>> What is the version of ipa-server , is the above error on ipa client ,
>> if so what is the version of ipa-client
>>
>> Both client and server are version 3.0; the error is on the client
>>
>> There was similar bug in earlier versions, I would suggest you to update
>> the ipa server and clients to ipa-3.0
>>
>> Yes the bug in earlier versions is here, https://bugzilla.redhat.com/show_bug.cgi?id=747443
>> I have double checked to see if the workaround applies after the bug fix, it does not
>>
>>> When I check my keytab
>>> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example.com at EXAMPLE.COM
>>> No error
>>> If I list my keytab,
>>>
>>> # klist -kt /etc/krb5.keytab
>>>
>>> Keytab name: FILE:/etc/krb5.keytab
>>> KVNO Timestamp         Principal
>>> ---- -----------------
>>> --------------------------------------------------------
>>>    2 07/18/13 13:14:06 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>
>>> My /etc/krb5.conf file looks like:
>>>
>>> [libdefaults]
>>>  default_keytab_name = FILE:/etc/krb5.keytab
>>>  default_realm = EXAMPLE.COM
>>>  dns_lookup_realm = false
>>>  dns_lookup_kdc = false
>>>   rdns = false
>>>   ticket_lifetime = 24h
>>>   forwardable = yes
>>>
>>> [realms]
>>>   EXAMPLE.COM = {
>>>     kdc = det-ldmpl01.sub.example.com:88
>>>     master_kdc = det-ldmpl01.sub.example.com:88
>>>     admin_server = det-ldmpl01.sub.example.com:749
>>>     default_domain = example.com
>>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>   }
>>>
>>> [domain_realm]
>>>   .example.com = EXAMPLE.COM
>>>   example.com = EXAMPLE.COM
>>>   .sub.example.com = EXAMPLE.COM
>>>   sub.example.com = EXAMPLE.COM
>>>
>>> It seems the error from ipa-getcert list shows:
>>>
>>> ca-error: Error setting up ccache for local "host" service using default
>>> keytab: Keytab contains no suitable keys for host/det-webdl01 at .
>>>
>>> where it is trunking the hostname and not including the realm name after
>>> @ seems to be the problem, but I cannot figure out why.  If I run
>>> `hostname` on this host it prints det-webdl01.sub.example.com.
>>>
> 
> Can you please check respective certmonger request in
> /var/lib/certmonger/requests/ and see if the principal is not misconfigured
> there from the time when request was created?
> 
> I also think you should be able to override the bad principal with following
> command:
> 
> # ipa-getcert start-tracking -i 20130719035440 -K
> "host/det-webdl01.sub.example.com at EXAMPLE.COM"
> 
> HTH,
> Martin
> 
> 
> 
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: CN=det-webdl01.sub.example.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
> ..
> ..
> ..
>                     4a:57
>                 Exponent: 65537 (0x10001)
>         Attributes:
>             friendlyName             :Server-Cer
>         Requested Extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:det-webdl01.sub.example.com, othername:<unsupported>, othername:<unsupported>
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication
> ...
> ...
> ...
> 
> The request also looks like this
> 
> state=HAVE_CSR
> autorenew=1
> monitor=1
> ca_name=IPA
> submitted=20130719035440
> ca_error=Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01 at .
> 
> Does IPA need to be in my host file or dns?

I am not just thinking, could this be caused by reverse DNS resolution for this
host being broken?

Does "host $IP_ADDRESS_OF_YOUR_HOST" return "det-webdl01.sub.example.com." or
just "det-webdl01."?

> Does anyone know why certmonger is looking for a keytab for host/det-webdl01 at . instead of host/host/det-webdl01.sub.example.com at EXAMPLE.com?

Also adding Nalin in the loop (he is the certmonger developer) to see if this
error sounds familiar for him.

Martin



From Matt_Rivet at Archway.com  Mon Jul 22 13:59:50 2013
From: Matt_Rivet at Archway.com (Rivet, Matt)
Date: Mon, 22 Jul 2013 13:59:50 +0000
Subject: [Freeipa-users] Host certificate issue problem
In-Reply-To: <51ED3986.3020607@redhat.com>
References: <67B1E3A6D1E57E43B43AE145212A16F4188B368C@DETEX03.trade.archway.com>,
	<51E8D2CA.7090200@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188B36BB@DETEX03.trade.archway.com>,
	<51E8FB9F.50008@redhat.com>,
	<67B1E3A6D1E57E43B43AE145212A16F4188B37BB@DETEX03.trade.archway.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188C0865@DETEX03.trade.archway.com>,
	<51ED3986.3020607@redhat.com>
Message-ID: <67B1E3A6D1E57E43B43AE145212A16F4188C098F@DETEX03.trade.archway.com>

On 07/22/2013 03:41 PM, Rivet, Matt wrote:
> On 07/19/2013 08:10 AM, Rivet, Matt wrote:
>>
>>> When I check the host certificate I see a ca-error saying it cannot find
>>> a suitable key.
>>>
>>> # ipa-getcert list
>>>
>>> Number of certificates and requests being tracked: 1.
>>> Request ID '20130719035440':
>>> status: CA_UNCONFIGURED
>>> ca-error: Error setting up ccache for local "host" service using default
>>> keytab: Keytab contains no suitable keys for host/det-webdl01 at .
>>> stuck: yes
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS
>>> Certificate DB'
>>> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
>>> CA: IPA
>>> issuer:
>>> subject:
>>> expires: unknown
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>>
>>
>> What is the version of ipa-server , is the above error on ipa client ,
>> if so what is the version of ipa-client
>>
>> Both client and server are version 3.0; the error is on the client
>>
>> There was similar bug in earlier versions, I would suggest you to update
>> the ipa server and clients to ipa-3.0
>>
>> Yes the bug in earlier versions is here, https://bugzilla.redhat.com/show_bug.cgi?id=747443
>> I have double checked to see if the workaround applies after the bug fix, it does not
>>
>>> When I check my keytab
>>> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example.com at EXAMPLE.COM
>>> No error
>>> If I list my keytab,
>>>
>>> # klist -kt /etc/krb5.keytab
>>>
>>> Keytab name: FILE:/etc/krb5.keytab
>>> KVNO Timestamp         Principal
>>> ---- -----------------
>>> --------------------------------------------------------
>>>    2 07/18/13 13:14:06 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com at EXAMPLE.COM
>>>
>>> My /etc/krb5.conf file looks like:
>>>
>>> [libdefaults]
>>>  default_keytab_name = FILE:/etc/krb5.keytab
>>>  default_realm = EXAMPLE.COM
>>>  dns_lookup_realm = false
>>>  dns_lookup_kdc = false
>>>   rdns = false
>>>   ticket_lifetime = 24h
>>>   forwardable = yes
>>>
>>> [realms]
>>>   EXAMPLE.COM = {
>>>     kdc = det-ldmpl01.sub.example.com:88
>>>     master_kdc = det-ldmpl01.sub.example.com:88
>>>     admin_server = det-ldmpl01.sub.example.com:749
>>>     default_domain = example.com
>>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>   }
>>>
>>> [domain_realm]
>>>   .example.com = EXAMPLE.COM
>>>   example.com = EXAMPLE.COM
>>>   .sub.example.com = EXAMPLE.COM
>>>   sub.example.com = EXAMPLE.COM
>>>
>>> It seems the error from ipa-getcert list shows:
>>>
>>> ca-error: Error setting up ccache for local "host" service using default
>>> keytab: Keytab contains no suitable keys for host/det-webdl01 at .
>>>
>>> where it is trunking the hostname and not including the realm name after
>>> @ seems to be the problem, but I cannot figure out why.  If I run
>>> `hostname` on this host it prints det-webdl01.sub.example.com.
>>>
>
> Can you please check respective certmonger request in
> /var/lib/certmonger/requests/ and see if the principal is not misconfigured
> there from the time when request was created?
>
> I also think you should be able to override the bad principal with following
> command:
>
> # ipa-getcert start-tracking -i 20130719035440 -K
> "host/det-webdl01.sub.example.com at EXAMPLE.COM"
>
> HTH,
> Martin
>
>
>
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: CN=det-webdl01.sub.example.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
> ..
> ..
> ..
>                     4a:57
>                 Exponent: 65537 (0x10001)
>         Attributes:
>             friendlyName             :Server-Cer
>         Requested Extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:det-webdl01.sub.example.com, othername:<unsupported>, othername:<unsupported>
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication
> ...
> ...
> ...
>
> The request also looks like this
>
> state=HAVE_CSR
> autorenew=1
> monitor=1
> ca_name=IPA
> submitted=20130719035440
> ca_error=Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01 at .
>
> Does IPA need to be in my host file or dns?

I am not just thinking, could this be caused by reverse DNS resolution for this
host being broken?

Does "host $IP_ADDRESS_OF_YOUR_HOST" return "det-webdl01.sub.example.com." or
just "det-webdl01."?

> Does anyone know why certmonger is looking for a keytab for host/det-webdl01 at . instead of host/host/det-webdl01.sub.example.com at EXAMPLE.com?

Also adding Nalin in the loop (he is the certmonger developer) to see if this
error sounds familiar for him.

Martin


[mattr at det-webdl01 ~]$ host det-webdl01
det-webdl01.sub.example.com has address 10.1.1.2
[mattr at det-webdl01 ~]$ host 10.1.1.2
Host 2.1.1.10.in-addr.arpa. not found: 3(NXDOMAIN)

Looks like I dont have a PTR record setup.  I will set up one for this host and resubmit/regenerate the csr.

Matt





From nalin at redhat.com  Mon Jul 22 14:20:55 2013
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Mon, 22 Jul 2013 10:20:55 -0400
Subject: [Freeipa-users] Host certificate issue problem
In-Reply-To: <67B1E3A6D1E57E43B43AE145212A16F4188C0865@DETEX03.trade.archway.com>
References: <67B1E3A6D1E57E43B43AE145212A16F4188B368C@DETEX03.trade.archway.com>
	<51E8D2CA.7090200@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188B36BB@DETEX03.trade.archway.com>
	<51E8FB9F.50008@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188B37BB@DETEX03.trade.archway.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188C0865@DETEX03.trade.archway.com>
Message-ID: <20130722142055.GA16560@redhat.com>

On Mon, Jul 22, 2013 at 01:41:14PM +0000, Rivet, Matt wrote:
> Does IPA need to be in my host file or dns?
> 
> Does anyone know why certmonger is looking for a keytab for host/det-webdl01 at . instead of host/host/det-webdl01.sub.example.com at EXAMPLE.com?

In order to authenticate to the IPA server, the client software needs
credentials.  In order to obtain those credentials, it needs to figure
out the client system's principal name.  The function it uses to do this
derives that principal name by doing a lookup to discover the client
host's canonical name, and in this case that appears to be returning the
shorter name.

I'd check the result of running 'getent hosts `hostname`', and if
/etc/hosts has an entry for the hostname that lists the short version
first.

HTH,

Nalin



From Matt_Rivet at Archway.com  Mon Jul 22 14:26:14 2013
From: Matt_Rivet at Archway.com (Rivet, Matt)
Date: Mon, 22 Jul 2013 14:26:14 +0000
Subject: [Freeipa-users] Host certificate issue problem
In-Reply-To: <20130722142055.GA16560@redhat.com>
References: <67B1E3A6D1E57E43B43AE145212A16F4188B368C@DETEX03.trade.archway.com>
	<51E8D2CA.7090200@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188B36BB@DETEX03.trade.archway.com>
	<51E8FB9F.50008@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188B37BB@DETEX03.trade.archway.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188C0865@DETEX03.trade.archway.com>,
	<20130722142055.GA16560@redhat.com>
Message-ID: <67B1E3A6D1E57E43B43AE145212A16F4188C1A0E@DETEX03.trade.archway.com>


> Does anyone know why certmonger is looking for a keytab for host/det-webdl01 at . instead of host/host/det-webdl01.sub.example.com at EXAMPLE.com?

In order to authenticate to the IPA server, the client software needs
credentials.  In order to obtain those credentials, it needs to figure
out the client system's principal name.  The function it uses to do this
derives that principal name by doing a lookup to discover the client
host's canonical name, and in this case that appears to be returning the
shorter name.

I'd check the result of running 'getent hosts `hostname`', and if
/etc/hosts has an entry for the hostname that lists the short version
first.

HTH,

Nalin


/etc/hosts has both sort and FQDN.  I removed the sort and and resubmitted the certificate.  That resolved my issue.  should I completely remove the short name or is there a way to work around this?



From mkosek at redhat.com  Mon Jul 22 14:33:49 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 22 Jul 2013 16:33:49 +0200
Subject: [Freeipa-users] Host certificate issue problem
In-Reply-To: <67B1E3A6D1E57E43B43AE145212A16F4188C1A0E@DETEX03.trade.archway.com>
References: <67B1E3A6D1E57E43B43AE145212A16F4188B368C@DETEX03.trade.archway.com>
	<51E8D2CA.7090200@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188B36BB@DETEX03.trade.archway.com>
	<51E8FB9F.50008@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188B37BB@DETEX03.trade.archway.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188C0865@DETEX03.trade.archway.com>,
	<20130722142055.GA16560@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188C1A0E@DETEX03.trade.archway.com>
Message-ID: <51ED42CD.9080407@redhat.com>

On 07/22/2013 04:26 PM, Rivet, Matt wrote:
> 
>> Does anyone know why certmonger is looking for a keytab for host/det-webdl01 at . instead of host/host/det-webdl01.sub.example.com at EXAMPLE.com?
> 
> In order to authenticate to the IPA server, the client software needs
> credentials.  In order to obtain those credentials, it needs to figure
> out the client system's principal name.  The function it uses to do this
> derives that principal name by doing a lookup to discover the client
> host's canonical name, and in this case that appears to be returning the
> shorter name.
> 
> I'd check the result of running 'getent hosts `hostname`', and if
> /etc/hosts has an entry for the hostname that lists the short version
> first.
> 
> HTH,
> 
> Nalin
> 
> 
> /etc/hosts has both sort and FQDN.  I removed the sort and and resubmitted the certificate.  That resolved my issue.  should I completely remove the short name or is there a way to work around this?
> 

/etc/hosts can have the short form, it just need to be specified _after_ the
FQDN one, i.e.:

10.0.0.1  ipa.example.com ipa

HTH,
Martin



From Matt_Rivet at Archway.com  Mon Jul 22 14:41:28 2013
From: Matt_Rivet at Archway.com (Rivet, Matt)
Date: Mon, 22 Jul 2013 14:41:28 +0000
Subject: [Freeipa-users] Host certificate issue problem
In-Reply-To: <51ED42CD.9080407@redhat.com>
References: <67B1E3A6D1E57E43B43AE145212A16F4188B368C@DETEX03.trade.archway.com>
	<51E8D2CA.7090200@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188B36BB@DETEX03.trade.archway.com>
	<51E8FB9F.50008@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188B37BB@DETEX03.trade.archway.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188C0865@DETEX03.trade.archway.com>,
	<20130722142055.GA16560@redhat.com>
	<67B1E3A6D1E57E43B43AE145212A16F4188C1A0E@DETEX03.trade.archway.com>,
	<51ED42CD.9080407@redhat.com>
Message-ID: <67B1E3A6D1E57E43B43AE145212A16F4188C2A29@DETEX03.trade.archway.com>


On 07/22/2013 04:26 PM, Rivet, Matt wrote:
>
>> Does anyone know why certmonger is looking for a keytab for host/det-webdl01 at . instead of host/host/det-webdl01.sub.example.com at EXAMPLE.com?
>
> In order to authenticate to the IPA server, the client software needs
> credentials.  In order to obtain those credentials, it needs to figure
> out the client system's principal name.  The function it uses to do this
> derives that principal name by doing a lookup to discover the client
> host's canonical name, and in this case that appears to be returning the
> shorter name.
>
> I'd check the result of running 'getent hosts `hostname`', and if
> /etc/hosts has an entry for the hostname that lists the short version
> first.
>
> HTH,
>
> Nalin
>
>
> /etc/hosts has both sort and FQDN.  I removed the sort and and resubmitted the certificate.  That resolved my issue.  should I completely remove the short name or is there a way to work around this?
>

/etc/hosts can have the short form, it just need to be specified _after_ the
FQDN one, i.e.:

10.0.0.1  ipa.example.com ipa

This works! thanks - I realized this after I checked out the ipa-server config.

HTH,
Martin



From sbingram at gmail.com  Mon Jul 22 16:23:56 2013
From: sbingram at gmail.com (Stephen Ingram)
Date: Mon, 22 Jul 2013 09:23:56 -0700
Subject: [Freeipa-users] disable forms-based login
In-Reply-To: <51ECDCD8.5010002@redhat.com>
References: <CAPsaoBe0c-TkLnrXjw+2+vR6SuGGbP6Az2bm0BmptE+SNhrW9w@mail.gmail.com>
	<51ECDCD8.5010002@redhat.com>
Message-ID: <CAPsaoBcr79LQVZ+4Se7yW2_chFDxg8o=n93wTiGhQy1JbNknng@mail.gmail.com>

On Mon, Jul 22, 2013 at 12:18 AM, Martin Kosek <mkosek at redhat.com> wrote:

> On 07/20/2013 02:51 AM, Stephen Ingram wrote:
> > Is there a way to disable the forms-based login to the WebUI and require
> a
> > Kerberos ticket?
> >
> > Steve
>
> Hello,
>
> No, this is currently not possible. Stephen, can you please describe your
> use
> case why you want it to be off? This would allow us to consider this as an
> enhancement for future.
>

I certainly understand why the feature was added as many devices do not
have the capability of acquiring a Kerberos ticket. If we want to restrict
access to devices that *can* acquire a ticket, this would prevent
credentials from being sent over the wire (even if over a secure link),
and, thus, provide for increased security. If I'm correct about how this
form works, it only requires credentials to be sent once and then it
requests a ticket on the user's behalf. While this is better than sending
them with each request, it still presents an opportunity where credentials
can be intercepted, no?

Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130722/6609b33e/attachment.htm>

From simo at redhat.com  Mon Jul 22 16:29:35 2013
From: simo at redhat.com (Simo Sorce)
Date: Mon, 22 Jul 2013 12:29:35 -0400
Subject: [Freeipa-users] disable forms-based login
In-Reply-To: <CAPsaoBcr79LQVZ+4Se7yW2_chFDxg8o=n93wTiGhQy1JbNknng@mail.gmail.com>
References: <CAPsaoBe0c-TkLnrXjw+2+vR6SuGGbP6Az2bm0BmptE+SNhrW9w@mail.gmail.com>
	<51ECDCD8.5010002@redhat.com>
	<CAPsaoBcr79LQVZ+4Se7yW2_chFDxg8o=n93wTiGhQy1JbNknng@mail.gmail.com>
Message-ID: <1374510575.32040.277.camel@willson.li.ssimo.org>

On Mon, 2013-07-22 at 09:23 -0700, Stephen Ingram wrote:
> On Mon, Jul 22, 2013 at 12:18 AM, Martin Kosek <mkosek at redhat.com>
> wrote:
>         On 07/20/2013 02:51 AM, Stephen Ingram wrote:
>         > Is there a way to disable the forms-based login to the WebUI
>         and require a
>         > Kerberos ticket?
>         >
>         > Steve
>         
>         
>         Hello,
>         
>         No, this is currently not possible. Stephen, can you please
>         describe your use
>         case why you want it to be off? This would allow us to
>         consider this as an
>         enhancement for future.
> 
> 
> I certainly understand why the feature was added as many devices do
> not have the capability of acquiring a Kerberos ticket. If we want to
> restrict access to devices that *can* acquire a ticket, this would
> prevent credentials from being sent over the wire (even if over a
> secure link), and, thus, provide for increased security. If I'm
> correct about how this form works, it only requires credentials to be
> sent once and then it requests a ticket on the user's behalf. While
> this is better than sending them with each request, it still presents
> an opportunity where credentials can be intercepted, no?

Your's is a valid concern.
Please open a RFE ticket to make the form-based login page/mechanism
disableable.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



From klarmstrong2 at liberty.edu  Mon Jul 22 16:32:05 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Mon, 22 Jul 2013 16:32:05 +0000
Subject: [Freeipa-users] rhel 5 client in a rhel 6 domain?
Message-ID: <1374510726.4906.6.camel@localhost.localdomain>

Hi all,

I have a RHEL 6 IdM test domain set up.  In production, we have RHEL 5 and RHEL 4 clients as well, so I was going to test that out.

However, I can not get a RHEL 5.9 client to join the domain.

[root at r5-idmclient<mailto:root at r5-idmclient> ~]# ipa-client-install --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
root        : ERROR    LDAP Error: Connect error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


Digging a little bit and I see that the ipa-client is an older version:

ipa-client-2.1.3-5.el5_9.2

Doing a yum update/upgrade doesn't show a newer version.

I was considering a manual installation, but the ipa-admintools don't appear to be available for RHEL 5.9?

Is there a way to make this work?

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130722/06bd4c90/attachment.htm>

From rcritten at redhat.com  Mon Jul 22 17:41:31 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Jul 2013 13:41:31 -0400
Subject: [Freeipa-users] rhel 5 client in a rhel 6 domain?
In-Reply-To: <1374510726.4906.6.camel@localhost.localdomain>
References: <1374510726.4906.6.camel@localhost.localdomain>
Message-ID: <51ED6ECB.40208@redhat.com>

Armstrong, Kenneth Lawrence wrote:
> Hi all,
>
> I have a RHEL 6 IdM test domain set up.  In production, we have RHEL 5
> and RHEL 4 clients as well, so I was going to test that out.
>
> However, I can not get a RHEL 5.9 client to join the domain.
>
> [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
> --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
> root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> Digging a little bit and I see that the ipa-client is an older version:
>
> ipa-client-2.1.3-5.el5_9.2
>
> Doing a yum update/upgrade doesn't show a newer version.
>
> I was considering a manual installation, but the ipa-admintools don't
> appear to be available for RHEL 5.9?
>
> Is there a way to make this work?

I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It 
should be possible to use the 2.1.3 client in EL 5 to enroll against a 
3.x server.

Otherwise we probably need more context from 
/var/log/ipaclient-install.log to see how the CA was retrieved.

rob



From klarmstrong2 at liberty.edu  Mon Jul 22 17:51:47 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Mon, 22 Jul 2013 17:51:47 +0000
Subject: [Freeipa-users] rhel 5 client in a rhel 6 domain?
In-Reply-To: <51ED6ECB.40208@redhat.com>
References: <1374510726.4906.6.camel@localhost.localdomain>
	<51ED6ECB.40208@redhat.com>
Message-ID: <1374515508.4906.8.camel@localhost.localdomain>

On Mon, 2013-07-22 at 13:41 -0400, Rob Crittenden wrote:


Armstrong, Kenneth Lawrence wrote:
> Hi all,
>
> I have a RHEL 6 IdM test domain set up.  In production, we have RHEL 5
> and RHEL 4 clients as well, so I was going to test that out.
>
> However, I can not get a RHEL 5.9 client to join the domain.
>
> [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
> --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
> root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> Digging a little bit and I see that the ipa-client is an older version:
>
> ipa-client-2.1.3-5.el5_9.2
>
> Doing a yum update/upgrade doesn't show a newer version.
>
> I was considering a manual installation, but the ipa-admintools don't
> appear to be available for RHEL 5.9?
>
> Is there a way to make this work?

I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It
should be possible to use the 2.1.3 client in EL 5 to enroll against a
3.x server.

Otherwise we probably need more context from
/var/log/ipaclient-install.log to see how the CA was retrieved.

rob



Thanks for the tip.  I tried it again, and it still failed.  End of the log:

[root at r5-idmclient<mailto:root at r5-idmclient> ~]# tail -20 /var/log/ipaclient-install.log
  lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU


2013-07-22 13:45:36,982 DEBUG args=kinit admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU>
2013-07-22 13:45:36,983 DEBUG stdout=Password for admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU>:

2013-07-22 13:45:36,983 DEBUG stderr=
2013-07-22 13:45:36,983 DEBUG trying to retrieve CA cert via LDAP from ldap://lnxrealmtest01.liberty.edu
2013-07-22 13:45:37,181 INFO Successfully retrieved CA cert
    Subject:     /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
    Issuer:      /DC=edu/DC=liberty/CN=LUPKI01

2013-07-22 13:45:37,344 DEBUG args=/usr/sbin/ipa-join -s lnxrealmtest01.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu
2013-07-22 13:45:37,345 DEBUG stdout=
2013-07-22 13:45:37,345 DEBUG stderr=libcurl failed to execute the HTTP POST transaction.  SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

2013-07-22 13:45:37,490 DEBUG args=kdestroy
2013-07-22 13:45:37,491 DEBUG stdout=
2013-07-22 13:45:37,491 DEBUG stderr=
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130722/9dd01b67/attachment.htm>

From klarmstrong2 at liberty.edu  Mon Jul 22 20:28:39 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Mon, 22 Jul 2013 20:28:39 +0000
Subject: [Freeipa-users] rhel 5 client in a rhel 6 domain?
In-Reply-To: <1374515508.4906.8.camel@localhost.localdomain>
References: <1374510726.4906.6.camel@localhost.localdomain>
	<51ED6ECB.40208@redhat.com>
	<1374515508.4906.8.camel@localhost.localdomain>
Message-ID: <1374524920.4906.11.camel@localhost.localdomain>

On Mon, 2013-07-22 at 17:51 +0000, Armstrong, Kenneth Lawrence wrote:
On Mon, 2013-07-22 at 13:41 -0400, Rob Crittenden wrote:


Armstrong, Kenneth Lawrence wrote:
> Hi all,
>
> I have a RHEL 6 IdM test domain set up.  In production, we have RHEL 5
> and RHEL 4 clients as well, so I was going to test that out.
>
> However, I can not get a RHEL 5.9 client to join the domain.
>
> [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
> --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
> root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> Digging a little bit and I see that the ipa-client is an older version:
>
> ipa-client-2.1.3-5.el5_9.2
>
> Doing a yum update/upgrade doesn't show a newer version.
>
> I was considering a manual installation, but the ipa-admintools don't
> appear to be available for RHEL 5.9?
>
> Is there a way to make this work?

I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It
should be possible to use the 2.1.3 client in EL 5 to enroll against a
3.x server.

Otherwise we probably need more context from
/var/log/ipaclient-install.log to see how the CA was retrieved.

rob



Thanks for the tip.  I tried it again, and it still failed.  End of the log:

[root at r5-idmclient<mailto:root at r5-idmclient> ~]# tail -20 /var/log/ipaclient-install.log
  lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU


2013-07-22 13:45:36,982 DEBUG args=kinit admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU>
2013-07-22 13:45:36,983 DEBUG stdout=Password for admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU>:

2013-07-22 13:45:36,983 DEBUG stderr=
2013-07-22 13:45:36,983 DEBUG trying to retrieve CA cert via LDAP from ldap://lnxrealmtest01.liberty.edu
2013-07-22 13:45:37,181 INFO Successfully retrieved CA cert
    Subject:     /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
    Issuer:      /DC=edu/DC=liberty/CN=LUPKI01

2013-07-22 13:45:37,344 DEBUG args=/usr/sbin/ipa-join -s lnxrealmtest01.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu
2013-07-22 13:45:37,345 DEBUG stdout=
2013-07-22 13:45:37,345 DEBUG stderr=libcurl failed to execute the HTTP POST transaction.  SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

2013-07-22 13:45:37,490 DEBUG args=kdestroy
2013-07-22 13:45:37,491 DEBUG stdout=
2013-07-22 13:45:37,491 DEBUG stderr=


_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


I just stood up a brand new RHEL 6 client, and it works just fine, so there is something amiss with RHEL 5 on this.  The time on the RHEL 5 client and the RHEL 6 IdM server is the same, and the cert is valid, so I don't know why the RHEL 5 system does not like the cert.  Could it be something with the versions of packages installed on it?

libipa_hbac-1.5.1-58.el5
ipa-client-2.1.3-5.el5_9.2
curl-7.15.5-17.el5_9
openssl-0.9.8e-26.el5_9.1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130722/ae2fbbf6/attachment.htm>

From rcritten at redhat.com  Mon Jul 22 21:49:22 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 22 Jul 2013 17:49:22 -0400
Subject: [Freeipa-users] rhel 5 client in a rhel 6 domain?
In-Reply-To: <1374524920.4906.11.camel@localhost.localdomain>
References: <1374510726.4906.6.camel@localhost.localdomain>
	<51ED6ECB.40208@redhat.com>
	<1374515508.4906.8.camel@localhost.localdomain>
	<1374524920.4906.11.camel@localhost.localdomain>
Message-ID: <51EDA8E2.4090702@redhat.com>

Armstrong, Kenneth Lawrence wrote:
> On Mon, 2013-07-22 at 17:51 +0000, Armstrong, Kenneth Lawrence wrote:
>> On Mon, 2013-07-22 at 13:41 -0400, Rob Crittenden wrote:
>>> Armstrong, Kenneth Lawrence wrote:
>>> > Hi all,
>>> >
>>> > I have a RHEL 6 IdM test domain set up.  In production, we have RHEL 5
>>> > and RHEL 4 clients as well, so I was going to test that out.
>>> >
>>> > However, I can not get a RHEL 5.9 client to join the domain.
>>> >
>>> > [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
>>> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
>>> > root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
>>> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
>>> > This may mean that the remote server is not up or is not reachable
>>> > due to network or firewall settings.
>>> > Installation failed. Rolling back changes.
>>> > IPA client is not configured on this system.
>>> >
>>> >
>>> > Digging a little bit and I see that the ipa-client is an older version:
>>> >
>>> > ipa-client-2.1.3-5.el5_9.2
>>> >
>>> > Doing a yum update/upgrade doesn't show a newer version.
>>> >
>>> > I was considering a manual installation, but the ipa-admintools don't
>>> > appear to be available for RHEL 5.9?
>>> >
>>> > Is there a way to make this work?
>>>
>>> I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It
>>> should be possible to use the 2.1.3 client in EL 5 to enroll against a
>>> 3.x server.
>>>
>>> Otherwise we probably need more context from
>>> /var/log/ipaclient-install.log to see how the CA was retrieved.
>>>
>>> rob
>>>
>>
>> Thanks for the tip.  I tried it again, and it still failed.  End of
>> the log:
>>
>> [root at r5-idmclient <mailto:root at r5-idmclient> ~]# tail -20
>> /var/log/ipaclient-install.log
>>   lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU
>>
>>
>> 2013-07-22 13:45:36,982 DEBUG args=kinit
>> admin at LNXREALMTEST.LIBERTY.EDU <mailto:admin at LNXREALMTEST.LIBERTY.EDU>
>> 2013-07-22 13:45:36,983 DEBUG stdout=Password for
>> admin at LNXREALMTEST.LIBERTY.EDU <mailto:admin at LNXREALMTEST.LIBERTY.EDU>:
>>
>> 2013-07-22 13:45:36,983 DEBUG stderr=
>> 2013-07-22 13:45:36,983 DEBUG trying to retrieve CA cert via LDAP from
>> ldap://lnxrealmtest01.liberty.edu
>> 2013-07-22 13:45:37,181 INFO Successfully retrieved CA cert
>>     Subject:     /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>     Issuer:      /DC=edu/DC=liberty/CN=LUPKI01
>>
>> 2013-07-22 13:45:37,344 DEBUG args=/usr/sbin/ipa-join -s
>> lnxrealmtest01.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu
>> 2013-07-22 13:45:37,345 DEBUG stdout=
>> 2013-07-22 13:45:37,345 DEBUG stderr=libcurl failed to execute the
>> HTTP POST transaction.  SSL certificate problem, verify that the CA
>> cert is OK. Details:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed
>>
>> 2013-07-22 13:45:37,490 DEBUG args=kdestroy
>> 2013-07-22 13:45:37,491 DEBUG stdout=
>> 2013-07-22 13:45:37,491 DEBUG stderr=
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> I just stood up a brand new RHEL 6 client, and it works just fine, so
> there is something amiss with RHEL 5 on this.  The time on the RHEL 5
> client and the RHEL 6 IdM server is the same, and the cert is valid, so
> I don't know why the RHEL 5 system does not like the cert.  Could it be
> something with the versions of packages installed on it?
>
> libipa_hbac-1.5.1-58.el5
> ipa-client-2.1.3-5.el5_9.2
> curl-7.15.5-17.el5_9
> openssl-0.9.8e-26.el5_9.1

I have the feeling that OpenSSL doesn't like your CA certificate for 
some reason.

Can you try this:

# openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile 
/etc/ipa/ca.crt

Adding the -debug flag will add even more output.

rob



From aissa.brahimi at itsoninc.com  Mon Jul 22 23:31:42 2013
From: aissa.brahimi at itsoninc.com (Aissa Brahimi)
Date: Mon, 22 Jul 2013 16:31:42 -0700
Subject: [Freeipa-users] Replica server installation fail
Message-ID: <CAGLwJ8xUpCnfdBsvse+K0bbYvrJji2_W449Fyi1ZZbc6HLc_1Q@mail.gmail.com>

[abrahimi at ipa02 ipa]$ sudo ipa-replica-install --setup-dns
--forwarder=1.1.1.1 --no-reverse replica-info-ipa02.company.com gpg
--skip-conncheck
[sudo] password for abrahimi:
Directory Manager (existing master) password:


Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
UnboundLocalError: local variable 'replman' referenced before assignment


-- 
Aissa Brahimi

IT Admin - Support
ItsOn, Inc. itsoninc.com

mobile: 408.858.0304
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130722/4806d19d/attachment.htm>

From sbingram at gmail.com  Tue Jul 23 00:27:13 2013
From: sbingram at gmail.com (Stephen Ingram)
Date: Mon, 22 Jul 2013 17:27:13 -0700
Subject: [Freeipa-users] disable forms-based login
In-Reply-To: <1374510575.32040.277.camel@willson.li.ssimo.org>
References: <CAPsaoBe0c-TkLnrXjw+2+vR6SuGGbP6Az2bm0BmptE+SNhrW9w@mail.gmail.com>
	<51ECDCD8.5010002@redhat.com>
	<CAPsaoBcr79LQVZ+4Se7yW2_chFDxg8o=n93wTiGhQy1JbNknng@mail.gmail.com>
	<1374510575.32040.277.camel@willson.li.ssimo.org>
Message-ID: <CAPsaoBePVhyrBRRYmRyOssCXpy4r3ShVouONy_f9-WJAoM4aPA@mail.gmail.com>

On Mon, Jul 22, 2013 at 9:29 AM, Simo Sorce <simo at redhat.com> wrote:

> On Mon, 2013-07-22 at 09:23 -0700, Stephen Ingram wrote:
> > On Mon, Jul 22, 2013 at 12:18 AM, Martin Kosek <mkosek at redhat.com>
> > wrote:
> >         On 07/20/2013 02:51 AM, Stephen Ingram wrote:
> >         > Is there a way to disable the forms-based login to the WebUI
> >         and require a
> >         > Kerberos ticket?
> >         >
> >         > Steve
> >
> >
> >         Hello,
> >
> >         No, this is currently not possible. Stephen, can you please
> >         describe your use
> >         case why you want it to be off? This would allow us to
> >         consider this as an
> >         enhancement for future.
> >
> >
> > I certainly understand why the feature was added as many devices do
> > not have the capability of acquiring a Kerberos ticket. If we want to
> > restrict access to devices that *can* acquire a ticket, this would
> > prevent credentials from being sent over the wire (even if over a
> > secure link), and, thus, provide for increased security. If I'm
> > correct about how this form works, it only requires credentials to be
> > sent once and then it requests a ticket on the user's behalf. While
> > this is better than sending them with each request, it still presents
> > an opportunity where credentials can be intercepted, no?
>
> Your's is a valid concern.
> Please open a RFE ticket to make the form-based login page/mechanism
> disableable.
>

Done. Ticket #3810.

Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130722/bf39b236/attachment.htm>

From mkosek at redhat.com  Tue Jul 23 07:13:27 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 23 Jul 2013 09:13:27 +0200
Subject: [Freeipa-users] Replica server installation fail
In-Reply-To: <CAGLwJ8xUpCnfdBsvse+K0bbYvrJji2_W449Fyi1ZZbc6HLc_1Q@mail.gmail.com>
References: <CAGLwJ8xUpCnfdBsvse+K0bbYvrJji2_W449Fyi1ZZbc6HLc_1Q@mail.gmail.com>
Message-ID: <51EE2D17.50004@redhat.com>

On 07/23/2013 01:31 AM, Aissa Brahimi wrote:
> [abrahimi at ipa02 ipa]$ sudo ipa-replica-install --setup-dns
> --forwarder=1.1.1.1 --no-reverse replica-info-ipa02.company.com gpg
> --skip-conncheck
> [sudo] password for abrahimi:
> Directory Manager (existing master) password:
> 
> 
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> Unexpected error - see /var/log/ipareplica-install.log for details:
> UnboundLocalError: local variable 'replman' referenced before assignment
> 

Hello Aissa,

What version of FreeIPA are you running? On which OS?

I checked current FreeIPA code in git and it should not be capable of raising
this error message so there must have been some changes...

Martin



From mkosek at redhat.com  Tue Jul 23 08:18:38 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 23 Jul 2013 10:18:38 +0200
Subject: [Freeipa-users] problem creating replica
In-Reply-To: <1374258010.2951.38.camel@aleeredhat.laptop>
References: <CAJ8DPF7-nAxu5+BbLt0t7Hb2reJrYg273v6r6kQq3j2gnsEeOA@mail.gmail.com>
	<CAJ8DPF4Fdeu5VBK4wdcm_cS1ATE3WR4b8-fE42m1ERTvP18u1A@mail.gmail.com>
	<51E7BA4F.2060903@redhat.com>
	<CAJ8DPF5DvkXeN5h3AOiO61cUppSKDRSuqPkZCnUF-6A582vfOw@mail.gmail.com>
	<CAJ8DPF5QSPsJoSQi4=miuvi2u8Ojx7cW6Cw8f8P+s=DS52tUFA@mail.gmail.com>
	<1374258010.2951.38.camel@aleeredhat.laptop>
Message-ID: <51EE3C5E.5060201@redhat.com>

On 07/19/2013 08:20 PM, Ade Lee wrote:
> 
> On Fri, 2013-07-19 at 14:14 +1000, Pete Brown wrote:
>> I was just trying this again and noticed there is a
>> /var/log/pki/pki-ca-spawn.20130719140342.log file with what i assume
>> is the logging for the attempt to create the pki.
>> right at the end is this entry.
>>
>> 2013-07-19 14:04:42 pkispawn    : INFO     ....... unable to access
>> security domain through REST interface.  Trying old interface. 503
>> Server Error: Service Unavailable
>>
>> Does anyone know what that means and how to fix it?
>>
> 
> This means that the dogtag CA is trying to contact the dogtag master -
> and is failing to do so.  It may be trying to access the wrong port.
> 
> What version do you have for :
> rpm -q pki-ca ?
> 
> Please attach the logs for the replica CA.
> /var/log/pki/pki-tomcat/*
> 
> You are also exactly correct in creating a replica before upgrading to
> F19.  Much older dogtag instances (based on dogtag 9) will not work in
> f19 due to tomcat6 not being available in f19.
> 
> Ade

Note that there is a related article also for FreeIPA with migration
instructions, see:

http://www.freeipa.org/page/Howto/Dogtag9ToDogtag10Migration

Martin



From mkosek at redhat.com  Tue Jul 23 08:33:54 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 23 Jul 2013 10:33:54 +0200
Subject: [Freeipa-users] IMPORTANT: Upgrading FreeIPA+CA to Fedora 19
Message-ID: <51EE3FF2.3020707@redhat.com>

Hello all,

Please note, that upgrading your FreeIPA servers to Fedora 19 may require
manual upgrade procedure due to Dogtag 10/Tomcat 7 based FreeIPA CAs being
incompatible with Dogtag 9/Tomcat 6 FreeIPA CAs. Tomcat 6 is no longer
supported nor deployed in Fedora 19. There is no automatic procedure to upgrade
these FreeIPA CA instances.

This affects all FreeIPA servers with CA installed prior to FreeIPA 3.1, i.e.
prior to Fedora 18. Other FreeIPA servers and clients may be automatically
upgraded as usual via RPM update.

To upgrade the affected systems, please follow a migration procedure described
on FreeIPA.org site:

http://www.freeipa.org/page/Howto/Dogtag9ToDogtag10Migration

We will answer any questions or comments.

Sorry for the inconvenience.

-- 
Martin Kosek <mkosek at redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.



From packages at amiga-hardware.com  Tue Jul 23 10:38:03 2013
From: packages at amiga-hardware.com (Ian Chapman)
Date: Tue, 23 Jul 2013 18:38:03 +0800
Subject: [Freeipa-users] F18 -> F19 upgrade
In-Reply-To: <1374257242.2951.33.camel@aleeredhat.laptop>
References: <51E0C973.8010801@amiga-hardware.com> <51E4198C.40305@redhat.com>
	<1374257242.2951.33.camel@aleeredhat.laptop>
Message-ID: <51EE5D0B.5010709@amiga-hardware.com>

On 20/07/13 02:07, Ade Lee wrote:

> Sorry for the late response.  Just saw this email.

No problem :-)

> I'm surprised that you were able to update your machine to F19.  We
> explicitly put in spec file logic to do a pre-trans check to see if you
> had dogtag 9 system instances before updating to f19.  This was to
> prevent people from getting into a situation where there installation
> was broken.

I updated through yum, which I know isn't "officially" supported but 
it's always worked well since the FC1 days. The RPM scripts did fail on 
the dogtag RPM I believe but it doesn't prevent the complete yum 
transaction from running, just that RPM fails to update.  I saw the 
error message in the output pointing to the wiki page I posted.

> The issue is that dogtag 9 instances use tomcat 6, and tomcat 6 is no
> longer in fedora 19.  Dogtag 10 instances, on the other hand, use tomcat
> 7.  The two instance types are therefore incompatible.

The Wiki page explained the reasons quite well, but I found the 
descriptions of what to do to fix the situation lacking in detail for 
somebody who's not an expert with IPA. Hence the post.

> The suggestion therefore would have been to create a replica of the ipa
> master prior to doing the upgrade to F19.  In fact, you could have just
> installed a brand new f19 machine and then created a replica (and then
> shut down the old machine).

True I could have done that, but as this is for home use the actual 
contents in the directory were small, so I just found it easier to blow 
away the current install and set it up again. Obviously I wouldn't do 
that in a production environment but I wouldn't be using/upgrading 
Fedora either. The server it's installed on does a lot more than FreeIPA 
anyway. I'm considering setting up a replica in a VM so that I can 
check/test updates in the future before touching the master.

> Seeing as you have somehow upgraded your machine to F19, we need to try
> and get your system back up.  For that, you need to follow the
> instructions in "Workaround" ie. installing tomcat6 and downgrading
> tomcatjss to the version in f18.  That will hopefully get your CA up and
> running.  At that point, it is highly recommended that you use ipa
> utilities to create a replica and use that instead.

Actually I believe tomcat6 remained installed from F18 - it wasn't 
upgraded or removed. Tomcatjss did get upgraded but I tried downgrading 
to the version from Fedora 18 and still had issues. A couple of days 
went by so I decided to reinstall it. Thanks for replying though Ade :-)

-- 
Ian Chapman.



From rendhalver at gmail.com  Tue Jul 23 13:08:26 2013
From: rendhalver at gmail.com (Pete Brown)
Date: Tue, 23 Jul 2013 23:08:26 +1000
Subject: [Freeipa-users] problem creating replica
In-Reply-To: <51EE3C5E.5060201@redhat.com>
References: <CAJ8DPF7-nAxu5+BbLt0t7Hb2reJrYg273v6r6kQq3j2gnsEeOA@mail.gmail.com>
	<CAJ8DPF4Fdeu5VBK4wdcm_cS1ATE3WR4b8-fE42m1ERTvP18u1A@mail.gmail.com>
	<51E7BA4F.2060903@redhat.com>
	<CAJ8DPF5DvkXeN5h3AOiO61cUppSKDRSuqPkZCnUF-6A582vfOw@mail.gmail.com>
	<CAJ8DPF5QSPsJoSQi4=miuvi2u8Ojx7cW6Cw8f8P+s=DS52tUFA@mail.gmail.com>
	<1374258010.2951.38.camel@aleeredhat.laptop>
	<51EE3C5E.5060201@redhat.com>
Message-ID: <CAJ8DPF5QZ6Bmogar2k8wN3jezqgKpQVszhReeon48p=pFKTYRQ@mail.gmail.com>

On 23/07/2013 6:18 PM, "Martin Kosek" <mkosek at redhat.com> wrote:
>
> On 07/19/2013 08:20 PM, Ade Lee wrote:
> >
> > On Fri, 2013-07-19 at 14:14 +1000, Pete Brown wrote:
> >> I was just trying this again and noticed there is a
> >> /var/log/pki/pki-ca-spawn.20130719140342.log file with what i assume
> >> is the logging for the attempt to create the pki.
> >> right at the end is this entry.
> >>
> >> 2013-07-19 14:04:42 pkispawn    : INFO     ....... unable to access
> >> security domain through REST interface.  Trying old interface. 503
> >> Server Error: Service Unavailable
> >>
> >> Does anyone know what that means and how to fix it?
> >>
> >
> > This means that the dogtag CA is trying to contact the dogtag master -
> > and is failing to do so.  It may be trying to access the wrong port.
> >
> > What version do you have for :
> > rpm -q pki-ca ?
> >
> > Please attach the logs for the replica CA.
> > /var/log/pki/pki-tomcat/*
> >
> > You are also exactly correct in creating a replica before upgrading to
> > F19.  Much older dogtag instances (based on dogtag 9) will not work in
> > f19 due to tomcat6 not being available in f19.
> >
> > Ade
>
> Note that there is a related article also for FreeIPA with migration
> instructions, see:
>
> http://www.freeipa.org/page/Howto/Dogtag9ToDogtag10Migration
>
> Martin

Thanks martin.

I shall see if I can get that to work tomorrow at work.

>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130723/a4eff650/attachment.htm>

From klarmstrong2 at liberty.edu  Tue Jul 23 13:23:01 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Tue, 23 Jul 2013 13:23:01 +0000
Subject: [Freeipa-users] rhel 5 client in a rhel 6 domain?
In-Reply-To: <51EDA8E2.4090702@redhat.com>
References: <1374510726.4906.6.camel@localhost.localdomain>
	<51ED6ECB.40208@redhat.com>
	<1374515508.4906.8.camel@localhost.localdomain>
	<1374524920.4906.11.camel@localhost.localdomain>
	<51EDA8E2.4090702@redhat.com>
Message-ID: <1374585781.8235.1.camel@localhost.localdomain>

On Mon, 2013-07-22 at 17:49 -0400, Rob Crittenden wrote:


Armstrong, Kenneth Lawrence wrote:
> On Mon, 2013-07-22 at 17:51 +0000, Armstrong, Kenneth Lawrence wrote:
>> On Mon, 2013-07-22 at 13:41 -0400, Rob Crittenden wrote:
>>> Armstrong, Kenneth Lawrence wrote:
>>> > Hi all,
>>> >
>>> > I have a RHEL 6 IdM test domain set up.  In production, we have RHEL 5
>>> > and RHEL 4 clients as well, so I was going to test that out.
>>> >
>>> > However, I can not get a RHEL 5.9 client to join the domain.
>>> >
>>> > [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
>>> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
>>> > root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
>>> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
>>> > This may mean that the remote server is not up or is not reachable
>>> > due to network or firewall settings.
>>> > Installation failed. Rolling back changes.
>>> > IPA client is not configured on this system.
>>> >
>>> >
>>> > Digging a little bit and I see that the ipa-client is an older version:
>>> >
>>> > ipa-client-2.1.3-5.el5_9.2
>>> >
>>> > Doing a yum update/upgrade doesn't show a newer version.
>>> >
>>> > I was considering a manual installation, but the ipa-admintools don't
>>> > appear to be available for RHEL 5.9?
>>> >
>>> > Is there a way to make this work?
>>>
>>> I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It
>>> should be possible to use the 2.1.3 client in EL 5 to enroll against a
>>> 3.x server.
>>>
>>> Otherwise we probably need more context from
>>> /var/log/ipaclient-install.log to see how the CA was retrieved.
>>>
>>> rob
>>>
>>
>> Thanks for the tip.  I tried it again, and it still failed.  End of
>> the log:
>>
>> [root at r5-idmclient <mailto:root at r5-idmclient> ~]# tail -20
>> /var/log/ipaclient-install.log
>>   lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU
>>
>>
>> 2013-07-22 13:45:36,982 DEBUG args=kinit
>> admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU> <mailto:admin at LNXREALMTEST.LIBERTY.EDU>
>> 2013-07-22 13:45:36,983 DEBUG stdout=Password for
>> admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU> <mailto:admin at LNXREALMTEST.LIBERTY.EDU>:
>>
>> 2013-07-22 13:45:36,983 DEBUG stderr=
>> 2013-07-22 13:45:36,983 DEBUG trying to retrieve CA cert via LDAP from
>> ldap://lnxrealmtest01.liberty.edu
>> 2013-07-22 13:45:37,181 INFO Successfully retrieved CA cert
>>     Subject:     /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>     Issuer:      /DC=edu/DC=liberty/CN=LUPKI01
>>
>> 2013-07-22 13:45:37,344 DEBUG args=/usr/sbin/ipa-join -s
>> lnxrealmtest01.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu
>> 2013-07-22 13:45:37,345 DEBUG stdout=
>> 2013-07-22 13:45:37,345 DEBUG stderr=libcurl failed to execute the
>> HTTP POST transaction.  SSL certificate problem, verify that the CA
>> cert is OK. Details:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed
>>
>> 2013-07-22 13:45:37,490 DEBUG args=kdestroy
>> 2013-07-22 13:45:37,491 DEBUG stdout=
>> 2013-07-22 13:45:37,491 DEBUG stderr=
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>  <mailto:Freeipa-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> I just stood up a brand new RHEL 6 client, and it works just fine, so
> there is something amiss with RHEL 5 on this.  The time on the RHEL 5
> client and the RHEL 6 IdM server is the same, and the cert is valid, so
> I don't know why the RHEL 5 system does not like the cert.  Could it be
> something with the versions of packages installed on it?
>
> libipa_hbac-1.5.1-58.el5
> ipa-client-2.1.3-5.el5_9.2
> curl-7.15.5-17.el5_9
> openssl-0.9.8e-26.el5_9.1

I have the feeling that OpenSSL doesn't like your CA certificate for
some reason.

Can you try this:

# openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile
/etc/ipa/ca.crt

Adding the -debug flag will add even more output.

rob


[klarmstrong2 at r6-idmclient<mailto:klarmstrong2 at r6-idmclient> ~]$ sudo openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile /etc/ipa/ca.crt
[sudo] password for klarmstrong2:
CONNECTED(00000003)
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
   i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
   i:/DC=edu/DC=liberty/CN=LUPKI01
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2629 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 0D52FB7937A013C4F0F26E77B24A6133DB3B6D760BD1C65F0010A326A195FDEE
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374585629
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)


So it doesn't like it, yet I can still add a RHEL 6 client?  Is there more stringent checking with the version of OpenSSL in RHEL 5?

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130723/0d20915c/attachment.htm>

From john.moyer at digitalreasoning.com  Tue Jul 23 13:55:55 2013
From: john.moyer at digitalreasoning.com (John Moyer)
Date: Tue, 23 Jul 2013 09:55:55 -0400
Subject: [Freeipa-users] exporting ldap certificate
In-Reply-To: <CAJ8DPF5qcEN-3b9HtMa=9v_sMjUbB_DkVJno6X+91YszVCUMaQ@mail.gmail.com>
References: <CAJ8DPF5AE1jCzkBiJQck0bzp_ow60xAjp4=HzmnaQNP3r89njw@mail.gmail.com>
	<517A3B08.9060308@redhat.com>
	<CAJ8DPF7-D3ygK7B84PzO0kk-W-rCL9KVfPf5=aAQBeU7eozw7w@mail.gmail.com>
	<518756C4.2070506@redhat.com>
	<CAJ8DPF63T5ft-S=KOukAiDiDtovHxkgTLNG_iEPGjycaBzm5bQ@mail.gmail.com>
	<5188A432.30207@redhat.com>
	<CAJ8DPF5qcEN-3b9HtMa=9v_sMjUbB_DkVJno6X+91YszVCUMaQ@mail.gmail.com>
Message-ID: <DAD879AA-57E5-4B16-807C-2C42003E51BD@digitalreasoning.com>

Peter, 

Did you get this to work, I know this is an old thread, but where did you put those java parameters?  I am trying to get GADS to work for my IPA server and think this is my problem.

Thanks, 
_____________________________________________________
John Moyer

On May 7, 2013, at 4:37 AM, Peter Brown <rendhalver at gmail.com> wrote:

> On 7 May 2013 16:50, Martin Kosek <mkosek at redhat.com> wrote:
> On 05/07/2013 04:51 AM, Peter Brown wrote:
> > On 6 May 2013 17:07, Martin Kosek <mkosek at redhat.com
> > <mailto:mkosek at redhat.com>> wrote:
> >
> >     I am glad you made it working. Just for the record, CRL and OCSP revocation
> >     URIs in FreeIPA v3.1 were flawed, there are relevant fixes in FreeIPA 3.2 that
> >     will make it working again.
> >
> >
> > Thanks for the heads up Martin.
> > I will likely upgrade to 3.2 once Fedora 19 is released.
> >
> > I am going to assume my 3.1 clients will be compatible?
> 
> Yes, this is a correct assumption. BTW we are just in a process of testing and
> releasing FreeIPA 3.1.4 bugfixing release for Fedora 18 which will also contain
> the CRL/OCSP URI fixes (will happen this week). Any help with testing 3.1.4
> when it is released is appreciated.
> 
> Awesome.
> I shall install them and let you know how I go.
> 
>  
> 
> Martin
> 
> >
> >
> >
> >     More information can be found out in FreeIPA.org wiki:
> >     http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs
> >
> >     Relevant upstream ticket:
> >     https://fedorahosted.org/freeipa/ticket/3552
> >
> >     Martin
> >
> >     On 04/29/2013 06:59 AM, Peter Brown wrote:
> >     > I finally got this to work.
> >     >
> >     > I managed to get an error message that told me it couldn't check the
> >     revocation
> >     > of the certificates against a crl.
> >     > I tried to find out how to tell java where to find that crl but I these
> >     > discovered these options instead to tell java to not check a crl.
> >     > -Dcom.sun.net.ssl.checkRevocation=false
> >     > -Dcom.sun.security.enableCRLDP=false
> >     >
> >     >
> >     > On 26 April 2013 18:30, Petr Viktorin <pviktori at redhat.com
> >     <mailto:pviktori at redhat.com>
> >     > <mailto:pviktori at redhat.com <mailto:pviktori at redhat.com>>> wrote:
> >     >
> >     >     Hello,
> >     >
> >     >
> >     >     On 04/26/2013 07:22 AM, Peter Brown wrote:
> >     >
> >     >         Hi everyone.
> >     >
> >     >         I am attempting to get Google Apps to sync with FreeIPA and I am
> >     having
> >     >         problems getting the sync utility to talk to freeipa.
> >     >         It complains about the ssl cert.
> >     >         I have it setup so it only accepts ssl or tls encrypted
> >     connections and
> >     >         I don't want to turn that off.
> >     >         I have imported the ca cert using the jre's keytool but it still
> >     refuses
> >     >         to connect.
> >     >         I am getting the impression I need to import the ssl cert for the
> >     ldap
> >     >         server into it as well.
> >     >
> >     >
> >     >     The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the other
> >     >     certs. Make sure you import it with the right trust level (SSL
> >     certificate
> >     >     signing). Unfortunately I don't know about jre's keytool so I can't
> >     be more
> >     >     specific.
> >     >
> >     >
> >     >
> >     >         I have no idea which certificate that is and I have no idea how to
> >     >         export it.
> >     >
> >     >
> >     >     Do not do this. You should only explicitly trust the CA cert.
> >     >     For example, if you trust the certs explicitly you'd have to
> >     re-import them
> >     >     one by one when they are renewed.
> >     >
> >     >
> >     >         Can someone please tell me how to do this?
> >     >
> >     >
> >     >     If you really want to:
> >     >     There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one
> >     >     for the LDAP server.
> >     >     To export the httpd server certificate (to PEM):
> >     >     $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
> >     >     To export the directory server certificate (to PEM):
> >     >     $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE___NAME/ -n Server-Cert -a
> >     >     But again, you don't need this for what you're trying to do.
> >     >
> >     >     --
> >     >     Petr?
> >     >
> >     >
> >     >
> >     >
> >     > _______________________________________________
> >     > Freeipa-users mailing list
> >     > Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> >     > https://www.redhat.com/mailman/listinfo/freeipa-users
> >     >
> >
> >
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130723/4035bf6c/attachment.htm>

From klarmstrong2 at liberty.edu  Tue Jul 23 17:13:48 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Tue, 23 Jul 2013 17:13:48 +0000
Subject: [Freeipa-users] rhel 5 client in a rhel 6 domain?
In-Reply-To: <1374585781.8235.1.camel@localhost.localdomain>
References: <1374510726.4906.6.camel@localhost.localdomain>
	<51ED6ECB.40208@redhat.com>
	<1374515508.4906.8.camel@localhost.localdomain>
	<1374524920.4906.11.camel@localhost.localdomain>
	<51EDA8E2.4090702@redhat.com>
	<1374585781.8235.1.camel@localhost.localdomain>
Message-ID: <1374599628.8235.8.camel@localhost.localdomain>

On Tue, 2013-07-23 at 13:23 +0000, Armstrong, Kenneth Lawrence wrote:
On Mon, 2013-07-22 at 17:49 -0400, Rob Crittenden wrote:


Armstrong, Kenneth Lawrence wrote:
> On Mon, 2013-07-22 at 17:51 +0000, Armstrong, Kenneth Lawrence wrote:
>> On Mon, 2013-07-22 at 13:41 -0400, Rob Crittenden wrote:
>>> Armstrong, Kenneth Lawrence wrote:
>>> > Hi all,
>>> >
>>> > I have a RHEL 6 IdM test domain set up.  In production, we have RHEL 5
>>> > and RHEL 4 clients as well, so I was going to test that out.
>>> >
>>> > However, I can not get a RHEL 5.9 client to join the domain.
>>> >
>>> > [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
>>> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
>>> > root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
>>> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
>>> > This may mean that the remote server is not up or is not reachable
>>> > due to network or firewall settings.
>>> > Installation failed. Rolling back changes.
>>> > IPA client is not configured on this system.
>>> >
>>> >
>>> > Digging a little bit and I see that the ipa-client is an older version:
>>> >
>>> > ipa-client-2.1.3-5.el5_9.2
>>> >
>>> > Doing a yum update/upgrade doesn't show a newer version.
>>> >
>>> > I was considering a manual installation, but the ipa-admintools don't
>>> > appear to be available for RHEL 5.9?
>>> >
>>> > Is there a way to make this work?
>>>
>>> I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It
>>> should be possible to use the 2.1.3 client in EL 5 to enroll against a
>>> 3.x server.
>>>
>>> Otherwise we probably need more context from
>>> /var/log/ipaclient-install.log to see how the CA was retrieved.
>>>
>>> rob
>>>
>>
>> Thanks for the tip.  I tried it again, and it still failed.  End of
>> the log:
>>
>> [root at r5-idmclient <mailto:root at r5-idmclient> ~]# tail -20
>> /var/log/ipaclient-install.log
>>   lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU
>>
>>
>> 2013-07-22 13:45:36,982 DEBUG args=kinit
>> admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU> <mailto:admin at LNXREALMTEST.LIBERTY.EDU>
>> 2013-07-22 13:45:36,983 DEBUG stdout=Password for
>> admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU> <mailto:admin at LNXREALMTEST.LIBERTY.EDU>:
>>
>> 2013-07-22 13:45:36,983 DEBUG stderr=
>> 2013-07-22 13:45:36,983 DEBUG trying to retrieve CA cert via LDAP from
>> ldap://lnxrealmtest01.liberty.edu
>> 2013-07-22 13:45:37,181 INFO Successfully retrieved CA cert
>>     Subject:     /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>     Issuer:      /DC=edu/DC=liberty/CN=LUPKI01
>>
>> 2013-07-22 13:45:37,344 DEBUG args=/usr/sbin/ipa-join -s
>> lnxrealmtest01.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu
>> 2013-07-22 13:45:37,345 DEBUG stdout=
>> 2013-07-22 13:45:37,345 DEBUG stderr=libcurl failed to execute the
>> HTTP POST transaction.  SSL certificate problem, verify that the CA
>> cert is OK. Details:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed
>>
>> 2013-07-22 13:45:37,490 DEBUG args=kdestroy
>> 2013-07-22 13:45:37,491 DEBUG stdout=
>> 2013-07-22 13:45:37,491 DEBUG stderr=
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>  <mailto:Freeipa-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> I just stood up a brand new RHEL 6 client, and it works just fine, so
> there is something amiss with RHEL 5 on this.  The time on the RHEL 5
> client and the RHEL 6 IdM server is the same, and the cert is valid, so
> I don't know why the RHEL 5 system does not like the cert.  Could it be
> something with the versions of packages installed on it?
>
> libipa_hbac-1.5.1-58.el5
> ipa-client-2.1.3-5.el5_9.2
> curl-7.15.5-17.el5_9
> openssl-0.9.8e-26.el5_9.1

I have the feeling that OpenSSL doesn't like your CA certificate for
some reason.

Can you try this:

# openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile
/etc/ipa/ca.crt

Adding the -debug flag will add even more output.

rob


[klarmstrong2 at r6-idmclient<mailto:klarmstrong2 at r6-idmclient> ~]$ sudo openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile /etc/ipa/ca.crt
[sudo] password for klarmstrong2:
CONNECTED(00000003)
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
   i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
   i:/DC=edu/DC=liberty/CN=LUPKI01
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2629 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 0D52FB7937A013C4F0F26E77B24A6133DB3B6D760BD1C65F0010A326A195FDEE
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374585629
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)


So it doesn't like it, yet I can still add a RHEL 6 client?  Is there more stringent checking with the version of OpenSSL in RHEL 5?

-Kenny


_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


Ok, I am having troubles making sense of this.

First, I checked the CA cert chain that I downloaded from our PKI server to see if it's cool:

[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# openssl s_client -host lupki01.liberty.edu -port 443 -CAfile /root/CACert.cer
CONNECTED(00000003)
depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root
verify return:1
depth=1 DC = edu, DC = liberty, CN = LUPKI01
verify return:1
depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU = Microsoft Team, CN = lupki01.liberty.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu
   i:/DC=edu/DC=liberty/CN=LUPKI01
1 s:/DC=edu/DC=liberty/CN=LUPKI01
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu
issuer=/DC=edu/DC=liberty/CN=LUPKI01
---
No client certificate CA names sent
---
SSL handshake has read 2990 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: A917000003331BFAE02105066148E731DC3585E81DAD9AA18F9D0AAC71F4E0B1
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374598158
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

^C
[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# ls
anaconda-ks.cfg  ca-agent.p12  CACert.cer  cacert.p12  CACert.p7b  install.log  install.log.syslog  ipa.cer  ipa.csr
[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# openssl s_client -host lupki01.liberty.edu -port 443 -CAfile /root/ipa.cer
CONNECTED(00000003)
depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root
verify return:1
depth=1 DC = edu, DC = liberty, CN = LUPKI01
verify return:1
depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU = Microsoft Team, CN = lupki01.liberty.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu
   i:/DC=edu/DC=liberty/CN=LUPKI01
1 s:/DC=edu/DC=liberty/CN=LUPKI01
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu
issuer=/DC=edu/DC=liberty/CN=LUPKI01
---
No client certificate CA names sent
---
SSL handshake has read 2990 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 4F0B000037034E3D42400ACC911678D620D40CAB231E403B888A449C2A95F6CA
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374598365
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


Next, I check the cert that was issued by our local CA:


[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# openssl s_client -host lupki01.liberty.edu -port 443 -CAfile /root/ipa.cer
CONNECTED(00000003)
depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root
verify return:1
depth=1 DC = edu, DC = liberty, CN = LUPKI01
verify return:1
depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU = Microsoft Team, CN = lupki01.liberty.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu
   i:/DC=edu/DC=liberty/CN=LUPKI01
1 s:/DC=edu/DC=liberty/CN=LUPKI01
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu
issuer=/DC=edu/DC=liberty/CN=LUPKI01
---
No client certificate CA names sent
---
SSL handshake has read 2990 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 4F0B000037034E3D42400ACC911678D620D40CAB231E403B888A449C2A95F6CA
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374598365
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


So all that looks good, but I check the certificate against the IPA server, and it fails:




[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile /root/CACert.cer
CONNECTED(00000003)
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
   i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
   i:/DC=edu/DC=liberty/CN=LUPKI01
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2629 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 0D58B89B946578D2883CE2F306E66E5D638B152A96360C8BC69F7BB7A38F430D
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374598420
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---


So I get it that it would fail against the IPA server, since it didn't issue it.  But what I don't understand is that if the certificate is inherently ok, then why does it fail when I try to install the RHEL 5 client?


-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130723/a028e0b4/attachment.htm>

From klarmstrong2 at liberty.edu  Tue Jul 23 18:22:02 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Tue, 23 Jul 2013 18:22:02 +0000
Subject: [Freeipa-users] rhel 5 client in a rhel 6 domain?
In-Reply-To: <1374599628.8235.8.camel@localhost.localdomain>
References: <1374510726.4906.6.camel@localhost.localdomain>
	<51ED6ECB.40208@redhat.com>
	<1374515508.4906.8.camel@localhost.localdomain>
	<1374524920.4906.11.camel@localhost.localdomain>
	<51EDA8E2.4090702@redhat.com>
	<1374585781.8235.1.camel@localhost.localdomain>
	<1374599628.8235.8.camel@localhost.localdomain>
Message-ID: <1374603722.8235.11.camel@localhost.localdomain>

On Tue, 2013-07-23 at 17:13 +0000, Armstrong, Kenneth Lawrence wrote:
On Tue, 2013-07-23 at 13:23 +0000, Armstrong, Kenneth Lawrence wrote:
On Mon, 2013-07-22 at 17:49 -0400, Rob Crittenden wrote:


Armstrong, Kenneth Lawrence wrote:
> On Mon, 2013-07-22 at 17:51 +0000, Armstrong, Kenneth Lawrence wrote:
>> On Mon, 2013-07-22 at 13:41 -0400, Rob Crittenden wrote:
>>> Armstrong, Kenneth Lawrence wrote:
>>> > Hi all,
>>> >
>>> > I have a RHEL 6 IdM test domain set up.  In production, we have RHEL 5
>>> > and RHEL 4 clients as well, so I was going to test that out.
>>> >
>>> > However, I can not get a RHEL 5.9 client to join the domain.
>>> >
>>> > [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
>>> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
>>> > root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
>>> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
>>> > This may mean that the remote server is not up or is not reachable
>>> > due to network or firewall settings.
>>> > Installation failed. Rolling back changes.
>>> > IPA client is not configured on this system.
>>> >
>>> >
>>> > Digging a little bit and I see that the ipa-client is an older version:
>>> >
>>> > ipa-client-2.1.3-5.el5_9.2
>>> >
>>> > Doing a yum update/upgrade doesn't show a newer version.
>>> >
>>> > I was considering a manual installation, but the ipa-admintools don't
>>> > appear to be available for RHEL 5.9?
>>> >
>>> > Is there a way to make this work?
>>>
>>> I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It
>>> should be possible to use the 2.1.3 client in EL 5 to enroll against a
>>> 3.x server.
>>>
>>> Otherwise we probably need more context from
>>> /var/log/ipaclient-install.log to see how the CA was retrieved.
>>>
>>> rob
>>>
>>
>> Thanks for the tip.  I tried it again, and it still failed.  End of
>> the log:
>>
>> [root at r5-idmclient <mailto:root at r5-idmclient> ~]# tail -20
>> /var/log/ipaclient-install.log
>>   lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU
>>
>>
>> 2013-07-22 13:45:36,982 DEBUG args=kinit
>> admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU> <mailto:admin at LNXREALMTEST.LIBERTY.EDU>
>> 2013-07-22 13:45:36,983 DEBUG stdout=Password for
>> admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU> <mailto:admin at LNXREALMTEST.LIBERTY.EDU>:
>>
>> 2013-07-22 13:45:36,983 DEBUG stderr=
>> 2013-07-22 13:45:36,983 DEBUG trying to retrieve CA cert via LDAP from
>> ldap://lnxrealmtest01.liberty.edu
>> 2013-07-22 13:45:37,181 INFO Successfully retrieved CA cert
>>     Subject:     /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>     Issuer:      /DC=edu/DC=liberty/CN=LUPKI01
>>
>> 2013-07-22 13:45:37,344 DEBUG args=/usr/sbin/ipa-join -s
>> lnxrealmtest01.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu
>> 2013-07-22 13:45:37,345 DEBUG stdout=
>> 2013-07-22 13:45:37,345 DEBUG stderr=libcurl failed to execute the
>> HTTP POST transaction.  SSL certificate problem, verify that the CA
>> cert is OK. Details:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed
>>
>> 2013-07-22 13:45:37,490 DEBUG args=kdestroy
>> 2013-07-22 13:45:37,491 DEBUG stdout=
>> 2013-07-22 13:45:37,491 DEBUG stderr=
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>  <mailto:Freeipa-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> I just stood up a brand new RHEL 6 client, and it works just fine, so
> there is something amiss with RHEL 5 on this.  The time on the RHEL 5
> client and the RHEL 6 IdM server is the same, and the cert is valid, so
> I don't know why the RHEL 5 system does not like the cert.  Could it be
> something with the versions of packages installed on it?
>
> libipa_hbac-1.5.1-58.el5
> ipa-client-2.1.3-5.el5_9.2
> curl-7.15.5-17.el5_9
> openssl-0.9.8e-26.el5_9.1

I have the feeling that OpenSSL doesn't like your CA certificate for
some reason.

Can you try this:

# openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile
/etc/ipa/ca.crt

Adding the -debug flag will add even more output.

rob


[klarmstrong2 at r6-idmclient<mailto:klarmstrong2 at r6-idmclient> ~]$ sudo openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile /etc/ipa/ca.crt
[sudo] password for klarmstrong2:
CONNECTED(00000003)
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
   i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
   i:/DC=edu/DC=liberty/CN=LUPKI01
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2629 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 0D52FB7937A013C4F0F26E77B24A6133DB3B6D760BD1C65F0010A326A195FDEE
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374585629
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)


So it doesn't like it, yet I can still add a RHEL 6 client?  Is there more stringent checking with the version of OpenSSL in RHEL 5?

-Kenny


_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


Ok, I am having troubles making sense of this.

First, I checked the CA cert chain that I downloaded from our PKI server to see if it's cool:

[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# openssl s_client -host lupki01.liberty.edu -port 443 -CAfile /root/CACert.cer
CONNECTED(00000003)
depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root
verify return:1
depth=1 DC = edu, DC = liberty, CN = LUPKI01
verify return:1
depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU = Microsoft Team, CN = lupki01.liberty.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu
   i:/DC=edu/DC=liberty/CN=LUPKI01
1 s:/DC=edu/DC=liberty/CN=LUPKI01
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu
issuer=/DC=edu/DC=liberty/CN=LUPKI01
---
No client certificate CA names sent
---
SSL handshake has read 2990 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: A917000003331BFAE02105066148E731DC3585E81DAD9AA18F9D0AAC71F4E0B1
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374598158
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

^C
[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# ls
anaconda-ks.cfg  ca-agent.p12  CACert.cer  cacert.p12  CACert.p7b  install.log  install.log.syslog  ipa.cer  ipa.csr
[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# openssl s_client -host lupki01.liberty.edu -port 443 -CAfile /root/ipa.cer
CONNECTED(00000003)
depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root
verify return:1
depth=1 DC = edu, DC = liberty, CN = LUPKI01
verify return:1
depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU = Microsoft Team, CN = lupki01.liberty.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu
   i:/DC=edu/DC=liberty/CN=LUPKI01
1 s:/DC=edu/DC=liberty/CN=LUPKI01
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu
issuer=/DC=edu/DC=liberty/CN=LUPKI01
---
No client certificate CA names sent
---
SSL handshake has read 2990 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 4F0B000037034E3D42400ACC911678D620D40CAB231E403B888A449C2A95F6CA
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374598365
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


Next, I check the cert that was issued by our local CA:


[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# openssl s_client -host lupki01.liberty.edu -port 443 -CAfile /root/ipa.cer
CONNECTED(00000003)
depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root
verify return:1
depth=1 DC = edu, DC = liberty, CN = LUPKI01
verify return:1
depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU = Microsoft Team, CN = lupki01.liberty.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu
   i:/DC=edu/DC=liberty/CN=LUPKI01
1 s:/DC=edu/DC=liberty/CN=LUPKI01
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu
issuer=/DC=edu/DC=liberty/CN=LUPKI01
---
No client certificate CA names sent
---
SSL handshake has read 2990 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 4F0B000037034E3D42400ACC911678D620D40CAB231E403B888A449C2A95F6CA
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374598365
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


So all that looks good, but I check the certificate against the IPA server, and it fails:




[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile /root/CACert.cer
CONNECTED(00000003)
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
   i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
   i:/DC=edu/DC=liberty/CN=LUPKI01
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2629 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 0D58B89B946578D2883CE2F306E66E5D638B152A96360C8BC69F7BB7A38F430D
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374598420
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---


So I get it that it would fail against the IPA server, since it didn't issue it.  But what I don't understand is that if the certificate is inherently ok, then why does it fail when I try to install the RHEL 5 client?


-Kenny


_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


I think that there is still something funky with the way RHEL 5 works with the SSL cert for IPA.

I tried the client install again, using the exact CA certificate that I used when setting up the original IdM server, and tried to force the installation:

[root at r5-idmclient<mailto:root at r5-idmclient> ~]# ipa-client-install --domain linuxrealm.liberty.edu --ca-cert-file=/root/CACert.cer --force
DNS discovery failed to find the IPA Server
Provide your IPA server name (ex: ipa.example.com): lnxrealmtest01.liberty.edu
root        : ERROR    LDAP Error: Connect error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Force set so not rolling back changes.

It still looks like it tries to verify anyway, which of course fails.

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130723/2321e7ed/attachment.htm>

From mkosek at redhat.com  Wed Jul 24 06:38:20 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 24 Jul 2013 08:38:20 +0200
Subject: [Freeipa-users] Replica server installation fail
In-Reply-To: <CAGLwJ8xQJC--rMa=ZAUvq1qtqkh0P-ZpViHLsBFApLvYvuRpkA@mail.gmail.com>
References: <CAGLwJ8xUpCnfdBsvse+K0bbYvrJji2_W449Fyi1ZZbc6HLc_1Q@mail.gmail.com>
	<51EE2D17.50004@redhat.com>
	<CAGLwJ8xQJC--rMa=ZAUvq1qtqkh0P-ZpViHLsBFApLvYvuRpkA@mail.gmail.com>
Message-ID: <51EF765C.2090500@redhat.com>

Ah, I see. I see an issue in this downstream version of IPA which prevents
ipa-replica-install to report correct error.

In your case, the problem will be that either:
1) "cn=Directory Manager"'s password is not correct
2) master cannot be reached with ldapsearch (I wonder why you run
ipa-replica-install with --skip-conncheck)

You can verify both with simple ldapsearch:

# ldapsearch -h fqdn.of.your.ipa.master -W -D "cn=Directory Manager" -x -b ""
-s base

This command will probably fail in your case - possibly because of too strict
firewall settings.

Martin

On 07/23/2013 11:27 PM, Aissa Brahimi wrote:
> Martin
> 
> My setting:
> 
> - CentOS 6.x
> - FreeIPA version: 3.0.0
> 
> 2 server, the master was installed and running as show bellow:
> 
> 
> [abrahimi at ipa01 publish]$ sudo /etc/init.d/ipa status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> DNS Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> 
> Let me know
> 
> Regards,
> 
> AB
> 
> 
> On Tue, Jul 23, 2013 at 12:13 AM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>> On 07/23/2013 01:31 AM, Aissa Brahimi wrote:
>>> [abrahimi at ipa02 ipa]$ sudo ipa-replica-install --setup-dns
>>> --forwarder=1.1.1.1 --no-reverse replica-info-ipa02.company.com gpg
>>> --skip-conncheck
>>> [sudo] password for abrahimi:
>>> Directory Manager (existing master) password:
>>>
>>>
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> Unexpected error - see /var/log/ipareplica-install.log for details:
>>> UnboundLocalError: local variable 'replman' referenced before assignment
>>>
>>
>> Hello Aissa,
>>
>> What version of FreeIPA are you running? On which OS?
>>
>> I checked current FreeIPA code in git and it should not be capable of
>> raising
>> this error message so there must have been some changes...
>>
>> Martin
>>
> 
> 
> 



From Amy.Murtha at hp.com  Wed Jul 24 07:03:45 2013
From: Amy.Murtha at hp.com (Murtha, Amy)
Date: Wed, 24 Jul 2013 07:03:45 +0000
Subject: [Freeipa-users] customizing the web UI
In-Reply-To: <51ED383B.70809@redhat.com>
References: <150516527A3D9C48A804A7E216230D237D001A9F@G4W3222.americas.hpqcorp.net>
	<51ED383B.70809@redhat.com>
Message-ID: <150516527A3D9C48A804A7E216230D237D00B968@G4W3222.americas.hpqcorp.net>

We have customized the web UI, not the schema, and verified the changes will need to be saved before upgrading the application, otherwise they may be lost. 
Thanks for you input.

Amy

-----Original Message-----
From: Petr Vobornik [mailto:pvoborni at redhat.com] 
Sent: Monday, July 22, 2013 2:49 PM
To: Murtha, Amy
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] customizing the web UI

On 07/15/2013 06:42 PM, Murtha, Amy wrote:
> Hi,
>
> We are looking for help or advice on how to customize the web UI to add or remove fields in the user configuration. For example, the default schema comes with a "car license" field in the Misc. Information section, which isn't very useful to us. Im told that particular info is in the "inetOrgPerson" schema; the suggestion was to create a local copy of that schema to modify, rather than modifying the base schema. In any case, we don't know exactly how to go about this. Any advice or suggestions how to customize the web UI?
>
> Thanks,
> Amy


Hello Amy,

Current possibilities of Web UI alternation are described at 
https://www.redhat.com/archives/freeipa-users/2013-June/msg00189.html .

What do you want to do with the 'inetOrgPerson' and 'car license' exactly?
-- 
Petr Vobornik



From rcritten at redhat.com  Wed Jul 24 13:37:17 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 24 Jul 2013 09:37:17 -0400
Subject: [Freeipa-users] rhel 5 client in a rhel 6 domain?
In-Reply-To: <1374603722.8235.11.camel@localhost.localdomain>
References: <1374510726.4906.6.camel@localhost.localdomain>
	<51ED6ECB.40208@redhat.com>
	<1374515508.4906.8.camel@localhost.localdomain>
	<1374524920.4906.11.camel@localhost.localdomain>
	<51EDA8E2.4090702@redhat.com>
	<1374585781.8235.1.camel@localhost.localdomain>
	<1374599628.8235.8.camel@localhost.localdomain>
	<1374603722.8235.11.camel@localhost.localdomain>
Message-ID: <51EFD88D.9040304@redhat.com>

Armstrong, Kenneth Lawrence wrote:
> On Tue, 2013-07-23 at 17:13 +0000, Armstrong, Kenneth Lawrence wrote:
>> On Tue, 2013-07-23 at 13:23 +0000, Armstrong, Kenneth Lawrence wrote:
>>> On Mon, 2013-07-22 at 17:49 -0400, Rob Crittenden wrote:
>>>> Armstrong, Kenneth Lawrence wrote:
>>>> > On Mon, 2013-07-22 at 17:51 +0000, Armstrong, Kenneth Lawrence wrote:
>>>> >> On Mon, 2013-07-22 at 13:41 -0400, Rob Crittenden wrote:
>>>> >>> Armstrong, Kenneth Lawrence wrote:
>>>> >>> > Hi all,
>>>> >>> >
>>>> >>> > I have a RHEL 6 IdM test domain set up.  In production, we have RHEL 5
>>>> >>> > and RHEL 4 clients as well, so I was going to test that out.
>>>> >>> >
>>>> >>> > However, I can not get a RHEL 5.9 client to join the domain.
>>>> >>> >
>>>> >>> > [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
>>>> >>> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
>>>> >>> > root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
>>>> >>> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>> >>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
>>>> >>> > This may mean that the remote server is not up or is not reachable
>>>> >>> > due to network or firewall settings.
>>>> >>> > Installation failed. Rolling back changes.
>>>> >>> > IPA client is not configured on this system.
>>>> >>> >
>>>> >>> >
>>>> >>> > Digging a little bit and I see that the ipa-client is an older version:
>>>> >>> >
>>>> >>> > ipa-client-2.1.3-5.el5_9.2
>>>> >>> >
>>>> >>> > Doing a yum update/upgrade doesn't show a newer version.
>>>> >>> >
>>>> >>> > I was considering a manual installation, but the ipa-admintools don't
>>>> >>> > appear to be available for RHEL 5.9?
>>>> >>> >
>>>> >>> > Is there a way to make this work?
>>>> >>>
>>>> >>> I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It
>>>> >>> should be possible to use the 2.1.3 client in EL 5 to enroll against a
>>>> >>> 3.x server.
>>>> >>>
>>>> >>> Otherwise we probably need more context from
>>>> >>> /var/log/ipaclient-install.log to see how the CA was retrieved.
>>>> >>>
>>>> >>> rob
>>>> >>>
>>>> >>
>>>> >> Thanks for the tip.  I tried it again, and it still failed.  End of
>>>> >> the log:
>>>> >>
>>>> >> [root at r5-idmclient <mailto:root at r5-idmclient> ~]# tail -20
>>>> >> /var/log/ipaclient-install.log
>>>> >>   lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU
>>>> >>
>>>> >>
>>>> >> 2013-07-22 13:45:36,982 DEBUG args=kinit
>>>> >>admin at LNXREALMTEST.LIBERTY.EDU  <mailto:admin at LNXREALMTEST.LIBERTY.EDU>  <mailto:admin at LNXREALMTEST.LIBERTY.EDU>
>>>> >> 2013-07-22 13:45:36,983 DEBUG stdout=Password for
>>>> >>admin at LNXREALMTEST.LIBERTY.EDU  <mailto:admin at LNXREALMTEST.LIBERTY.EDU>  <mailto:admin at LNXREALMTEST.LIBERTY.EDU>:
>>>> >>
>>>> >> 2013-07-22 13:45:36,983 DEBUG stderr=
>>>> >> 2013-07-22 13:45:36,983 DEBUG trying to retrieve CA cert via LDAP from
>>>> >> ldap://lnxrealmtest01.liberty.edu
>>>> >> 2013-07-22 13:45:37,181 INFO Successfully retrieved CA cert
>>>> >>     Subject:     /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>>> >>     Issuer:      /DC=edu/DC=liberty/CN=LUPKI01
>>>> >>
>>>> >> 2013-07-22 13:45:37,344 DEBUG args=/usr/sbin/ipa-join -s
>>>> >> lnxrealmtest01.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu
>>>> >> 2013-07-22 13:45:37,345 DEBUG stdout=
>>>> >> 2013-07-22 13:45:37,345 DEBUG stderr=libcurl failed to execute the
>>>> >> HTTP POST transaction.  SSL certificate problem, verify that the CA
>>>> >> cert is OK. Details:
>>>> >> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>>>> >> verify failed
>>>> >>
>>>> >> 2013-07-22 13:45:37,490 DEBUG args=kdestroy
>>>> >> 2013-07-22 13:45:37,491 DEBUG stdout=
>>>> >> 2013-07-22 13:45:37,491 DEBUG stderr=
>>>> >> _______________________________________________
>>>> >> Freeipa-users mailing list
>>>> >>Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>   <mailto:Freeipa-users at redhat.com>
>>>> >>https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> >
>>>> > I just stood up a brand new RHEL 6 client, and it works just fine, so
>>>> > there is something amiss with RHEL 5 on this.  The time on the RHEL 5
>>>> > client and the RHEL 6 IdM server is the same, and the cert is valid, so
>>>> > I don't know why the RHEL 5 system does not like the cert.  Could it be
>>>> > something with the versions of packages installed on it?
>>>> >
>>>> > libipa_hbac-1.5.1-58.el5
>>>> > ipa-client-2.1.3-5.el5_9.2
>>>> > curl-7.15.5-17.el5_9
>>>> > openssl-0.9.8e-26.el5_9.1
>>>>
>>>> I have the feeling that OpenSSL doesn't like your CA certificate for
>>>> some reason.
>>>>
>>>> Can you try this:
>>>>
>>>> # openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile
>>>> /etc/ipa/ca.crt
>>>>
>>>> Adding the -debug flag will add even more output.
>>>>
>>>> rob
>>>
>>> [klarmstrong2 at r6-idmclient <mailto:klarmstrong2 at r6-idmclient> ~]$
>>> sudo openssl s_client -host lnxrealmtest01.liberty.edu -port 443
>>> -CAfile /etc/ipa/ca.crt
>>> [sudo] password for klarmstrong2:
>>> CONNECTED(00000003)
>>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>>> verify error:num=20:unable to get local issuer certificate
>>> verify return:1
>>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>>> verify error:num=27:certificate not trusted
>>> verify return:1
>>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>>> verify error:num=21:unable to verify the first certificate
>>> verify return:1
>>> ---
>>> Certificate chain
>>> 0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
>>>    i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>> 1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>>> ---
>>> Server certificate
>>> -----BEGIN CERTIFICATE-----
>>> ...
>>> -----END CERTIFICATE-----
>>> subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
>>> issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 2629 bytes and written 462 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1
>>>     Cipher    : AES256-SHA
>>>     Session-ID:
>>> 0D52FB7937A013C4F0F26E77B24A6133DB3B6D760BD1C65F0010A326A195FDEE
>>>     Session-ID-ctx:
>>>     Master-Key: ...
>>>     Key-Arg   : None
>>>     Krb5 Principal: None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     Start Time: 1374585629
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 21 (unable to verify the first certificate)
>>>
>>>
>>> So it doesn't like it, yet I can still add a RHEL 6 client?  Is there
>>> more stringent checking with the version of OpenSSL in RHEL 5?
>>>
>>> -Kenny
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> Ok, I am having troubles making sense of this.
>>
>> First, I checked the CA cert chain that I downloaded from our PKI
>> server to see if it's cool:
>>
>> [root at lnxrealmtest01 <mailto:root at lnxrealmtest01> ~]# openssl s_client
>> -host lupki01.liberty.edu -port 443 -CAfile /root/CACert.cer
>> CONNECTED(00000003)
>> depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions,
>> Inc.", CN = GTE CyberTrust Global Root
>> verify return:1
>> depth=1 DC = edu, DC = liberty, CN = LUPKI01
>> verify return:1
>> depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU =
>> Microsoft Team, CN = lupki01.liberty.edu
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>> 1 s:/DC=edu/DC=liberty/CN=LUPKI01
>>    i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
>> CyberTrust Global Root
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> ...
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>> issuer=/DC=edu/DC=liberty/CN=LUPKI01
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2990 bytes and written 438 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>>     Session-ID:
>> A917000003331BFAE02105066148E731DC3585E81DAD9AA18F9D0AAC71F4E0B1
>>     Session-ID-ctx:
>>     Master-Key: ...
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1374598158
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>> ^C
>> [root at lnxrealmtest01 <mailto:root at lnxrealmtest01> ~]# ls
>> anaconda-ks.cfg  ca-agent.p12  CACert.cer  cacert.p12  CACert.p7b
>> install.log  install.log.syslog  ipa.cer  ipa.csr
>> [root at lnxrealmtest01 <mailto:root at lnxrealmtest01> ~]# openssl s_client
>> -host lupki01.liberty.edu -port 443 -CAfile /root/ipa.cer
>> CONNECTED(00000003)
>> depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions,
>> Inc.", CN = GTE CyberTrust Global Root
>> verify return:1
>> depth=1 DC = edu, DC = liberty, CN = LUPKI01
>> verify return:1
>> depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU =
>> Microsoft Team, CN = lupki01.liberty.edu
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>> 1 s:/DC=edu/DC=liberty/CN=LUPKI01
>>    i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
>> CyberTrust Global Root
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> ...
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>> issuer=/DC=edu/DC=liberty/CN=LUPKI01
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2990 bytes and written 438 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>>     Session-ID:
>> 4F0B000037034E3D42400ACC911678D620D40CAB231E403B888A449C2A95F6CA
>>     Session-ID-ctx:
>>     Master-Key: ...
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1374598365
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>>
>> Next, I check the cert that was issued by our local CA:
>>
>>
>> [root at lnxrealmtest01 <mailto:root at lnxrealmtest01> ~]# openssl s_client
>> -host lupki01.liberty.edu -port 443 -CAfile /root/ipa.cer
>> CONNECTED(00000003)
>> depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions,
>> Inc.", CN = GTE CyberTrust Global Root
>> verify return:1
>> depth=1 DC = edu, DC = liberty, CN = LUPKI01
>> verify return:1
>> depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU =
>> Microsoft Team, CN = lupki01.liberty.edu
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>> 1 s:/DC=edu/DC=liberty/CN=LUPKI01
>>    i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
>> CyberTrust Global Root
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> ...
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>> issuer=/DC=edu/DC=liberty/CN=LUPKI01
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2990 bytes and written 438 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>>     Session-ID:
>> 4F0B000037034E3D42400ACC911678D620D40CAB231E403B888A449C2A95F6CA
>>     Session-ID-ctx:
>>     Master-Key: ...
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1374598365
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>>
>> So all that looks good, but I check the certificate against the IPA
>> server, and it fails:
>>
>>
>>
>>
>> [root at lnxrealmtest01 <mailto:root at lnxrealmtest01> ~]# openssl s_client
>> -host lnxrealmtest01.liberty.edu -port 443 -CAfile /root/CACert.cer
>> CONNECTED(00000003)
>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
>>    i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>> 1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> ...
>> -----END CERTIFICATE-----
>> subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
>> issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2629 bytes and written 462 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES256-SHA
>>     Session-ID:
>> 0D58B89B946578D2883CE2F306E66E5D638B152A96360C8BC69F7BB7A38F430D
>>     Session-ID-ctx:
>>     Master-Key: ...
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1374598420
>>     Timeout   : 300 (sec)
>>     Verify return code: 21 (unable to verify the first certificate)
>> ---
>>
>>
>> So I get it that it would fail against the IPA server, since it didn't
>> issue it.  But what I don't understand is that if the certificate is
>> inherently ok, then why does it fail when I try to install the RHEL 5
>> client?
>>
>>
>> -Kenny
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> I think that there is still something funky with the way RHEL 5 works
> with the SSL cert for IPA.
>
> I tried the client install again, using the exact CA certificate that I
> used when setting up the original IdM server, and tried to force the
> installation:
>
> [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
> --domain linuxrealm.liberty.edu --ca-cert-file=/root/CACert.cer --force
> DNS discovery failed to find the IPA Server
> Provide your IPA server name (ex: ipa.example.com):
> lnxrealmtest01.liberty.edu
> root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Force set so not rolling back changes.
>
> It still looks like it tries to verify anyway, which of course fails.
>
> -Kenny

--force doesn't cause it to skip SSL verification.

Comparing RHEL 5 to 6 is comparing apples to oranges since they use 
different crypto libraries (OpenSSL vs NSS). It is an interesting data 
point though.

Had you been using an older version of OpenSSL I would have suspected 
that was the problem, but since you're using the latest I'm not sure 
what the issue is.

Can you verify that the full chain is being sent? openssl s_client 
-showcerts

Is your IPA CA certificate signed by another authority (e.g. an external 
CA installation)?

rob



From klarmstrong2 at liberty.edu  Wed Jul 24 14:09:01 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Wed, 24 Jul 2013 14:09:01 +0000
Subject: [Freeipa-users] rhel 5 client in a rhel 6 domain?
In-Reply-To: <51EFD88D.9040304@redhat.com>
References: <1374510726.4906.6.camel@localhost.localdomain>
	<51ED6ECB.40208@redhat.com>
	<1374515508.4906.8.camel@localhost.localdomain>
	<1374524920.4906.11.camel@localhost.localdomain>
	<51EDA8E2.4090702@redhat.com>
	<1374585781.8235.1.camel@localhost.localdomain>
	<1374599628.8235.8.camel@localhost.localdomain>
	<1374603722.8235.11.camel@localhost.localdomain>
	<51EFD88D.9040304@redhat.com>
Message-ID: <1374674942.7479.1.camel@localhost.localdomain>

On Wed, 2013-07-24 at 09:37 -0400, Rob Crittenden wrote:


Armstrong, Kenneth Lawrence wrote:
> On Tue, 2013-07-23 at 17:13 +0000, Armstrong, Kenneth Lawrence wrote:
>> On Tue, 2013-07-23 at 13:23 +0000, Armstrong, Kenneth Lawrence wrote:
>>> On Mon, 2013-07-22 at 17:49 -0400, Rob Crittenden wrote:
>>>> Armstrong, Kenneth Lawrence wrote:
>>>> > On Mon, 2013-07-22 at 17:51 +0000, Armstrong, Kenneth Lawrence wrote:
>>>> >> On Mon, 2013-07-22 at 13:41 -0400, Rob Crittenden wrote:
>>>> >>> Armstrong, Kenneth Lawrence wrote:
>>>> >>> > Hi all,
>>>> >>> >
>>>> >>> > I have a RHEL 6 IdM test domain set up.  In production, we have RHEL 5
>>>> >>> > and RHEL 4 clients as well, so I was going to test that out.
>>>> >>> >
>>>> >>> > However, I can not get a RHEL 5.9 client to join the domain.
>>>> >>> >
>>>> >>> > [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
>>>> >>> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
>>>> >>> > root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
>>>> >>> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>> >>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
>>>> >>> > This may mean that the remote server is not up or is not reachable
>>>> >>> > due to network or firewall settings.
>>>> >>> > Installation failed. Rolling back changes.
>>>> >>> > IPA client is not configured on this system.
>>>> >>> >
>>>> >>> >
>>>> >>> > Digging a little bit and I see that the ipa-client is an older version:
>>>> >>> >
>>>> >>> > ipa-client-2.1.3-5.el5_9.2
>>>> >>> >
>>>> >>> > Doing a yum update/upgrade doesn't show a newer version.
>>>> >>> >
>>>> >>> > I was considering a manual installation, but the ipa-admintools don't
>>>> >>> > appear to be available for RHEL 5.9?
>>>> >>> >
>>>> >>> > Is there a way to make this work?
>>>> >>>
>>>> >>> I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It
>>>> >>> should be possible to use the 2.1.3 client in EL 5 to enroll against a
>>>> >>> 3.x server.
>>>> >>>
>>>> >>> Otherwise we probably need more context from
>>>> >>> /var/log/ipaclient-install.log to see how the CA was retrieved.
>>>> >>>
>>>> >>> rob
>>>> >>>
>>>> >>
>>>> >> Thanks for the tip.  I tried it again, and it still failed.  End of
>>>> >> the log:
>>>> >>
>>>> >> [root at r5-idmclient <mailto:root at r5-idmclient> ~]# tail -20
>>>> >> /var/log/ipaclient-install.log
>>>> >>   lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU
>>>> >>
>>>> >>
>>>> >> 2013-07-22 13:45:36,982 DEBUG args=kinit
>>>> >>admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU>  <mailto:admin at LNXREALMTEST.LIBERTY.EDU>  <mailto:admin at LNXREALMTEST.LIBERTY.EDU>
>>>> >> 2013-07-22 13:45:36,983 DEBUG stdout=Password for
>>>> >>admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU>  <mailto:admin at LNXREALMTEST.LIBERTY.EDU>  <mailto:admin at LNXREALMTEST.LIBERTY.EDU>:
>>>> >>
>>>> >> 2013-07-22 13:45:36,983 DEBUG stderr=
>>>> >> 2013-07-22 13:45:36,983 DEBUG trying to retrieve CA cert via LDAP from
>>>> >> ldap://lnxrealmtest01.liberty.edu
>>>> >> 2013-07-22 13:45:37,181 INFO Successfully retrieved CA cert
>>>> >>     Subject:     /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>>> >>     Issuer:      /DC=edu/DC=liberty/CN=LUPKI01
>>>> >>
>>>> >> 2013-07-22 13:45:37,344 DEBUG args=/usr/sbin/ipa-join -s
>>>> >> lnxrealmtest01.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu
>>>> >> 2013-07-22 13:45:37,345 DEBUG stdout=
>>>> >> 2013-07-22 13:45:37,345 DEBUG stderr=libcurl failed to execute the
>>>> >> HTTP POST transaction.  SSL certificate problem, verify that the CA
>>>> >> cert is OK. Details:
>>>> >> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>>>> >> verify failed
>>>> >>
>>>> >> 2013-07-22 13:45:37,490 DEBUG args=kdestroy
>>>> >> 2013-07-22 13:45:37,491 DEBUG stdout=
>>>> >> 2013-07-22 13:45:37,491 DEBUG stderr=
>>>> >> _______________________________________________
>>>> >> Freeipa-users mailing list
>>>> >>Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>  <mailto:Freeipa-users at redhat.com>   <mailto:Freeipa-users at redhat.com>
>>>> >>https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> >
>>>> > I just stood up a brand new RHEL 6 client, and it works just fine, so
>>>> > there is something amiss with RHEL 5 on this.  The time on the RHEL 5
>>>> > client and the RHEL 6 IdM server is the same, and the cert is valid, so
>>>> > I don't know why the RHEL 5 system does not like the cert.  Could it be
>>>> > something with the versions of packages installed on it?
>>>> >
>>>> > libipa_hbac-1.5.1-58.el5
>>>> > ipa-client-2.1.3-5.el5_9.2
>>>> > curl-7.15.5-17.el5_9
>>>> > openssl-0.9.8e-26.el5_9.1
>>>>
>>>> I have the feeling that OpenSSL doesn't like your CA certificate for
>>>> some reason.
>>>>
>>>> Can you try this:
>>>>
>>>> # openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile
>>>> /etc/ipa/ca.crt
>>>>
>>>> Adding the -debug flag will add even more output.
>>>>
>>>> rob
>>>
>>> [klarmstrong2 at r6-idmclient <mailto:klarmstrong2 at r6-idmclient> ~]$
>>> sudo openssl s_client -host lnxrealmtest01.liberty.edu -port 443
>>> -CAfile /etc/ipa/ca.crt
>>> [sudo] password for klarmstrong2:
>>> CONNECTED(00000003)
>>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>>> verify error:num=20:unable to get local issuer certificate
>>> verify return:1
>>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>>> verify error:num=27:certificate not trusted
>>> verify return:1
>>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>>> verify error:num=21:unable to verify the first certificate
>>> verify return:1
>>> ---
>>> Certificate chain
>>> 0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
>>>    i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>> 1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>>> ---
>>> Server certificate
>>> -----BEGIN CERTIFICATE-----
>>> ...
>>> -----END CERTIFICATE-----
>>> subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
>>> issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 2629 bytes and written 462 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1
>>>     Cipher    : AES256-SHA
>>>     Session-ID:
>>> 0D52FB7937A013C4F0F26E77B24A6133DB3B6D760BD1C65F0010A326A195FDEE
>>>     Session-ID-ctx:
>>>     Master-Key: ...
>>>     Key-Arg   : None
>>>     Krb5 Principal: None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     Start Time: 1374585629
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 21 (unable to verify the first certificate)
>>>
>>>
>>> So it doesn't like it, yet I can still add a RHEL 6 client?  Is there
>>> more stringent checking with the version of OpenSSL in RHEL 5?
>>>
>>> -Kenny
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>  <mailto:Freeipa-users at redhat.com>
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> Ok, I am having troubles making sense of this.
>>
>> First, I checked the CA cert chain that I downloaded from our PKI
>> server to see if it's cool:
>>
>> [root at lnxrealmtest01 <mailto:root at lnxrealmtest01> ~]# openssl s_client
>> -host lupki01.liberty.edu -port 443 -CAfile /root/CACert.cer
>> CONNECTED(00000003)
>> depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions,
>> Inc.", CN = GTE CyberTrust Global Root
>> verify return:1
>> depth=1 DC = edu, DC = liberty, CN = LUPKI01
>> verify return:1
>> depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU =
>> Microsoft Team, CN = lupki01.liberty.edu
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>> 1 s:/DC=edu/DC=liberty/CN=LUPKI01
>>    i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
>> CyberTrust Global Root
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> ...
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>> issuer=/DC=edu/DC=liberty/CN=LUPKI01
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2990 bytes and written 438 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>>     Session-ID:
>> A917000003331BFAE02105066148E731DC3585E81DAD9AA18F9D0AAC71F4E0B1
>>     Session-ID-ctx:
>>     Master-Key: ...
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1374598158
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>> ^C
>> [root at lnxrealmtest01 <mailto:root at lnxrealmtest01> ~]# ls
>> anaconda-ks.cfg  ca-agent.p12  CACert.cer  cacert.p12  CACert.p7b
>> install.log  install.log.syslog  ipa.cer  ipa.csr
>> [root at lnxrealmtest01 <mailto:root at lnxrealmtest01> ~]# openssl s_client
>> -host lupki01.liberty.edu -port 443 -CAfile /root/ipa.cer
>> CONNECTED(00000003)
>> depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions,
>> Inc.", CN = GTE CyberTrust Global Root
>> verify return:1
>> depth=1 DC = edu, DC = liberty, CN = LUPKI01
>> verify return:1
>> depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU =
>> Microsoft Team, CN = lupki01.liberty.edu
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>> 1 s:/DC=edu/DC=liberty/CN=LUPKI01
>>    i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
>> CyberTrust Global Root
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> ...
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>> issuer=/DC=edu/DC=liberty/CN=LUPKI01
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2990 bytes and written 438 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>>     Session-ID:
>> 4F0B000037034E3D42400ACC911678D620D40CAB231E403B888A449C2A95F6CA
>>     Session-ID-ctx:
>>     Master-Key: ...
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1374598365
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>>
>> Next, I check the cert that was issued by our local CA:
>>
>>
>> [root at lnxrealmtest01 <mailto:root at lnxrealmtest01> ~]# openssl s_client
>> -host lupki01.liberty.edu -port 443 -CAfile /root/ipa.cer
>> CONNECTED(00000003)
>> depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions,
>> Inc.", CN = GTE CyberTrust Global Root
>> verify return:1
>> depth=1 DC = edu, DC = liberty, CN = LUPKI01
>> verify return:1
>> depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU =
>> Microsoft Team, CN = lupki01.liberty.edu
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>> 1 s:/DC=edu/DC=liberty/CN=LUPKI01
>>    i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
>> CyberTrust Global Root
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> ...
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>> issuer=/DC=edu/DC=liberty/CN=LUPKI01
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2990 bytes and written 438 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>>     Session-ID:
>> 4F0B000037034E3D42400ACC911678D620D40CAB231E403B888A449C2A95F6CA
>>     Session-ID-ctx:
>>     Master-Key: ...
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1374598365
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>>
>> So all that looks good, but I check the certificate against the IPA
>> server, and it fails:
>>
>>
>>
>>
>> [root at lnxrealmtest01 <mailto:root at lnxrealmtest01> ~]# openssl s_client
>> -host lnxrealmtest01.liberty.edu -port 443 -CAfile /root/CACert.cer
>> CONNECTED(00000003)
>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
>>    i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>> 1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> ...
>> -----END CERTIFICATE-----
>> subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
>> issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2629 bytes and written 462 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES256-SHA
>>     Session-ID:
>> 0D58B89B946578D2883CE2F306E66E5D638B152A96360C8BC69F7BB7A38F430D
>>     Session-ID-ctx:
>>     Master-Key: ...
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1374598420
>>     Timeout   : 300 (sec)
>>     Verify return code: 21 (unable to verify the first certificate)
>> ---
>>
>>
>> So I get it that it would fail against the IPA server, since it didn't
>> issue it.  But what I don't understand is that if the certificate is
>> inherently ok, then why does it fail when I try to install the RHEL 5
>> client?
>>
>>
>> -Kenny
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>  <mailto:Freeipa-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> I think that there is still something funky with the way RHEL 5 works
> with the SSL cert for IPA.
>
> I tried the client install again, using the exact CA certificate that I
> used when setting up the original IdM server, and tried to force the
> installation:
>
> [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
> --domain linuxrealm.liberty.edu --ca-cert-file=/root/CACert.cer --force
> DNS discovery failed to find the IPA Server
> Provide your IPA server name (ex: ipa.example.com):
> lnxrealmtest01.liberty.edu
> root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Force set so not rolling back changes.
>
> It still looks like it tries to verify anyway, which of course fails.
>
> -Kenny

--force doesn't cause it to skip SSL verification.

Comparing RHEL 5 to 6 is comparing apples to oranges since they use
different crypto libraries (OpenSSL vs NSS). It is an interesting data
point though.

Had you been using an older version of OpenSSL I would have suspected
that was the problem, but since you're using the latest I'm not sure
what the issue is.

Can you verify that the full chain is being sent? openssl s_client
-showcerts

Is your IPA CA certificate signed by another authority (e.g. an external
CA installation)?

rob


Thanks Rob.

I tried the command again, and I'm showing that it is not getting the whole chain.  I had the cert signed by our internal CA, which has GTE upstream from that one.

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130724/8302655d/attachment.htm>

From mkosek at redhat.com  Wed Jul 24 15:13:46 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 24 Jul 2013 17:13:46 +0200
Subject: [Freeipa-users] Announcing FreeIPA 3.3.0 Beta 1
Message-ID: <51EFEF2A.2000304@redhat.com>

The FreeIPA team is proud to announce FreeIPA v3.3.0 Beta 1.

It can be downloaded from http://www.freeipa.org/page/Downloads. As this is a
Beta release and Fedora 19 is now stable, there is no public Fedora build at
this time.

Please note, that you can help us test the new release in tomorrow's FreeIPA
3.3 Fedora 19 Test Day! See:

https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients

== Highlights in 3.3 beta 1 ==
=== New features for 3.3 ===
* Active Directory integration:
** Support of externally defined POSIX attributes for Active Directory trusted
domains
** Automatic discovery of Active Directory identity mapping configuration
** Support of trusted domain users for legacy clients
** Identity mapping for AD users can now be delegated
* Performance improvements in processing large number of users and groups
* Automated integration testing infrastructure
* ipa-advise utility is added to generate client setup advice based on  an IPA
master configuration
* FreeIPA-specific SELinux policies has been merged to the main SELinux policy
in Fedora 19
* SSSD 1.11 is required

=== Active Directory integration ===
Starting with FreeIPA 3.3, it is possible to define identity ranges for a
trusted Active Directory domain that rely on POSIX attributes provided by AD DC
instead of generating them out of corresponding security identifiers. This
functionality requires Services for Unix (SFU) or Server for NIS enabled on
Active Directory side and is provided mostly to aid with migration to SID-based
mapping.

In order to support externally defined POSIX attributes, identity ranges have
been extended to support new range types:
* AD trust with SID-based mapping: 'ipa-ad-trust' (default)
* SFU support: 'ipa-ad-trust-posix'

'ipa-ad-trust-posix' range type is activated when range discovery finds out SFU
is in use by Active Directory domain. To override automatic detection,
--range-type=ipa-ad-trust can be specified to 'ipa trust-add' command.

FreeIPA 3.3 requires SSSD 1.11 on the IPA master in order to support externally
defined POSIX attributes in AD.

More details: http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD

FreeIPA 3.3 provides a new way to enable legacy clients to support trusted
domain users. A compatibility tree, provided by slapi-nis, can now be
configured to look up trusted domain users and handle authentication for them.
This functionality relies on SSSD 1.11 and an experimental patch for slapi-nis.
One can enable legacy clients support by running ipa-adtrust-install and
answering positively to the corresponding question.

More details: http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts

Finally, SSSD 1.11 is used to query identity information about trusted domains'
users from within IPA framework, including SID to name and name to SID
resolution. In addition to speed improvements, FreeIPA 3.3 allows to manage
mappings for trusted domains' users without requiring elevated privileges of
'trust admins'.

=== Performance improvements ===
When acting on large datasets, FreeIPA now reduces number of potential read
roundtrips required to update user and group information. When scaled to
thousands of users and groups, this shortens the time required by certain
operations tenfold.

=== Automated testing infrastructure ===
The FreeIPA team has been providing self-testing code for a long time.

The FreeIPA 3.3 test suite includes a framework for integration tests that
verify functionality such as replication across several machines. Tests can be
run manually, or by test automation servers such as Jenkins or Beaker.

Development builds now create a freeipa-tests RPM containing the test suite and
related tools. However, as the focus is on testing development code, this
package will not be released to Fedora yet.

More details: http://www.freeipa.org/page/V3/Integration_testing

Additionally, it is now possible to run Web UI tests through the test suite.

More details: http://www.freeipa.org/page/Web_UI_Integration_Tests

=== IPA advise tool ===
FreeIPA 3.3 introduces new framework to generate recipes of configuration based
on how IPA master is configured. These recipes can be taken to the target
client systems and used there to configure them for a specific task.

We expect to expand use of 'ipa-advise' tool to cover at least configuration of
legacy systems in subsequent releases. Contributions are always welcome to grow
capabilities of 'ipa-advise' tool to other areas.

More details:
http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts#Major_configuration_options_and_enablement

=== SELinux policy ===
SELinux policies specific to FreeIPA have been merged back to the main SELinux
policy package in Fedora 19. Starting with FreeIPA 3.2.2 (available in Fedora
19 updates) SELinux policy is no londer provided by freeipa-selinux package and
the package is removed in favor of selinux-policy package.

=== SSSD 1.11 is required ===
FreeIPA 3.3 depends on SSSD 1.11 for cross-realm trusts with Active Directory.
In particular, FreeIPA 3.3 depends on a new operational mode of SSSD called
'ipa_server_mode'. Thus, SSSD 1.11 is required for FreeIPA 3.3.

More details: https://fedorahosted.org/sssd/wiki/DesignDocs/IPAServerMode

== Upgrading ==
=== FreeIPA servers with CA installed prior to version 3.1 ===
Manual upgrade procedure is required for FreeIPA servers installed with version
prior to 3.1.

=== Other FreeIPA servers and clients ===
An IPA server can be upgraded simply by installing updated rpms. The server
does not need to be shut down in advance.

Please note, that the performance improvements requires an extended set of
indexes to be configured. RPM update for an IPA server with a excessive number
of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected
that all servers will be upgraded in a relatively short period (days or weeks
not months). They should be able to co-exist peacefully but new features will
not be available on old servers and enrolling a new client against an old
server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from previous
versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to
re-enroll it. SSH keys for already installed clients are not uploaded, you will
have to re-enroll the client or manually upload the keys.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel
on Freenode.

== Detailed Changelog since 3.2.0 ==
=== Alexander Bokovoy (8): ===
* Fix cldap parser to work with a single equality filter (NtVer=...)
* Make sure domain_name is also set when processing INP_NAME requests
* Fix extdom plugin to provide unqualified name in response as sssd expects
* Generate syntethic MS-PAC for all services running on IPA master
* ipa-adtrust-install: configure compatibility tree to serve trusted domain users
* ipa-kdb: cache KDC hostname on startup
* ipa-kdb: reinit mspac on HTTP TGT acquisition to aid trust-add case
* ipaserver/dcerpc: attempt to resolve SIDs through SSSD first

=== Ana Krivokapic (21): ===
* Prompt for nameserver IP address in dnszone-add
* Do not display success message on failure in web UI
* Ignore files generated by build
* Deprecate options --dom-sid and --dom-name in idrange-mod
* Prevent error when running IPA commands with su/sudo
* Fix displaying of success message
* Fix location of service.crt in .gitignore
* Improve handling of options in ipa-client-install
* Fail when adding a trust with a different range
* Do not display traceback to user
* Require rid-base and secondary-rid-base in idrange-add after ipa-adtrust-install
* Fix bug in adtrustinstance
* Use correct DS instance in ipactl status
* Avoid systemd service deadlock during shutdown
* Make sure replication works after DM password is changed
* Use --ignore-dependencies only when necessary
* Properly handle non-existent cert files
* Add 'ipa_server_mode' option to SSSD configuration
* Bump version of sssd in spec file
* Use admin at REALM when testing if SSSD is ready
* Fix internal error in idrange-add

=== Diane Trout (1): ===
* Fix log format not a string literal.

=== Jakub Hrozek (3): ===
* Remove unused variable
* IPA KDB MS-PAC: return ENOMEM if allocation fails
* IPA KDB MS-PAC: remove unused variable

=== Jan Cholasta (21): ===
* Use the correct PKCS#12 file for HTTP server.
* Remove stray error condition in ipa-server-install.
* Handle exceptions gracefully when verifying PKCS#12 files.
* Skip empty lines when parsing pk12util output.
* Do not allow installing CA replicas in CA-less setup.
* Do not track DS certificate in CA-less setup.
* Fix CA-less check in ipa-replica-install and ipa-ca-install.
* Do not skip SSSD known hosts in ipa-client-install --ssh-trust-dns.
* Enable SASL mapping fallback.
* Skip cert issuer validation in service and host commands in CA-less install.
* Check trust chain length in CA-less install.
* Use LDAP search instead of *group_show to check if a group exists.
* Use LDAP search instead of *group_show to check for a group objectclass.
* Use LDAP modify operation directly to add/remove group members.
* Add missing substring indices for attributes managed by the referint plugin.
* Add missing equality index for ipaUniqueId.
* Run gpg-agent explicitly when encrypting/decrypting files.
* Add new hidden command option to suppress processing of membership attributes.
* Ask for PKCS#12 password interactively in ipa-server-install.
* Ask for PKCS#12 password interactively in ipa-replica-prepare.
* Print newline after receiving EOF in installutils.read_password.

=== Lukas Slebodnik (1): ===
* Use pkg-config to detect cmocka

=== Martin Kosek (11): ===
* Set KRB5CCNAME so that dirsrv can work with newer krb5-server
* Handle DIR type CCACHEs in test_cmdline properly
* Avoid exporting KRB5_KTNAME in dirsrv env
* Remove redundant u'' character
* Drop SELinux subpackage
* Drop redundant directory /var/cache/ipa/sessions
* Remove entitlement support
* Run server upgrade and restart in posttrans
* Require new selinux-policy replacing old server-selinux subpackage
* Bump minimum SSSD version
* Become 3.3.0 Beta 1

=== Nathaniel McCallum (10): ===
* Add ipaUserAuthType and ipaUserAuthTypeClass
* Add IPA OTP schema and ACLs
* ipa-kdb: Add OTP support
* Add the krb5/FreeIPA RADIUS companion daemon
* Remove unnecessary prefixes from ipa-pwd-extop files
* Add OTP support to ipa-pwd-extop
* Fix client install exception if /etc/ssh is missing
* Permit reads to ipatokenRadiusProxyUser objects
* Fix for small syntax error in OTP schema
* Use libunistring ulc_casecmp() on unicode strings

=== Petr Spacek (1): ===
* ipa-client-install: Add 'debug' and 'show' statements to nsupdate commands

=== Petr Viktorin (21): ===
* Remove leading zero from IPA_NUM_VERSION
* Relax getkeytab test to allow additional messages on stderr
* Remove code to install Dogtag 9
* Flush stream after writing service messages
* Make an ipa-tests package
* Add ipa-run-tests command
* Add Nose plugin for BeakerLib integration
* Add a plugin for test ordering
* Add a framework for integration test configuration
* Add a framework for integration testing
* Introduce a class for remote commands
* Collect logs from tests
* Show logs in failed tests
* tests: Allow public keys for authentication to the remote machines
* tests: Configure/unconfigure remote hosts
* Host class improvements
* Use dosctrings in BeakerLib phase descriptions
* Make BeakerLib logging less verbose
* BeakerLib plugin: Log http links in test docstrings
* Integration test config: Make it possible to specify host IP
* ipa-client: Use "ipa" as the package name for i18n

=== Petr Vobornik (18): ===
* Fix: HBAC Test tab is missing
* Move spec modifications from facet factories to pre_ops
* Unite and move facet pre_ops to related modules
* Web UI: move ./_base/metadata_provider.js to ./metadata.js
* Regression fix: missing control buttons in nested search facets
* Make ssbrowser.html work in IE 10
* Fix regression: missing facet tab group labels
* Regression fix: rule table with ext. member support doesn't offer any items
* Fix default value selection in radio widget
* Do not redirect to https in /ipa/ui on non-HTML files
* Create Firefox configuration extension on CA-less install
* Disable checkboxes and radios for readonly attributes
* Better automated test support
* Fix container element in adder dialogs
* Upstream Web UI tests
* Web UI search optimization
* Break long words in notification area
* Remove word 'field' from GECOS param label

=== Rob Crittenden (4): ===
* Bump version for development branch to 3.2.99
* Return the correct Content-type on negotiated XML-RPC requests.
* Add Camellia ciphers to allowed list.
* Hide sensitive attributes in LDAP updater logging and output

=== Simo Sorce (2): ===
* CLDAP: Fix domain handling in netlogon requests
* CLDAP: Return empty reply on non-fatal errors

=== Sumit Bose (5): ===
* Fix format string typo
* Fix type of printf argument
* Add PAC to master host TGTs
* extdom: replace winbind calls with POSIX/SSSD calls
* Remove winbind client configure check

=== Tomas Babej (22): ===
* Remove redundancy from hbactest help text
* Do not translate trust type and direction with --raw in trust_show and trust-find
* Support multiple local domain ranges with RID base set
* Do not allow removal of ID range of an active trust
* Use private ccache in ipa install tools
* Remove redundant check for env.interactive
* Add prompt_param method to avoid code duplication
* Incorporate interactive prompts in idrange-add
* Do not check userPassword with 7-bit plugin
* Manage ipa-otpd.socket by IPA
* Add ipaRangeType attribute to LDAP Schema
* Add update plugin to fill in ipaRangeType attribute
* Extend idrange commands to support new range origin types
* PEP8 fixes in idrange.py
* Remove hardcoded values from idrange plugin tests
* Return ipaRangeType as a list in idrange commands
* Do not redirect ipa/crl to HTTPS
* Add --range-type option that forces range type of the trusted domain
* Add libsss_nss_idmap-devel to BuildRequires
* Change group ownership of CRL publish directory
* Provide ipa-advise tool
* Use AD LDAP probing to create trusted domain ID range



From mkosek at redhat.com  Wed Jul 24 15:27:40 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 24 Jul 2013 17:27:40 +0200
Subject: [Freeipa-users] FreeIPA AD Trust improvements,
 Fedora 19 Test Day, July 25th
In-Reply-To: <51E9B5FF.7020306@redhat.com>
References: <51E9B5FF.7020306@redhat.com>
Message-ID: <51EFF26C.5000402@redhat.com>

Please note that the FreeIPA Fedora 19 Test Day is happening tomorrow!

Thanks in advance to all volunteers helping us test the new Active Directory
Trust features.

The FreeIPA Team

On 07/19/2013 11:56 PM, Dmitri Pal wrote:
> Hello,
> 
> The FreeIPA team is happy to welcome you to a Fedora Test Day that is
> being held on Thursday, July 25th.
> 
> We would like to invite you to take part in testing of the upcoming FreeIPA 3.3
> release containing 2 major improvements for easier deployment of FreeIPA Active
> Directory Trust feature to existing environments:
> 
> 1) Use POSIX attributes defined in Active Directory [1]
> 
> With previous FreeIPA releases, users coming from Active Directory to FreeIPA
> managed machines were always assigned POSIX attributes (UID and GID) by
> algorithmic mapping.
> 
> However, in some deployments, Active Directory users and groups already have
> defined custom POSIX attribute values (UID and GID), which may then be
> leveraged on Linux machines via other 3rd party Active Directory integration
> solutions. Administrator may choose to keep the values to not disrupt file
> ownerships.
> 
> With FreeIPA 3.3, FreeIPA Active Directory Trust may be configured to use these
> attributes when Active Directory user authenticates to Linux machines.
> 
> 
> 2) Expose POSIX data on legacy systems without recent SSSD
> 
> Administrators may have a deployment of machines which cannot use the recent
> SSSD with Active Directory Trust support but would still like to be able to
> authenticate with Active Directory user to these machines. This may affect for
> example older Linux machines, UNIX machines.
> 
> With FreeIPA 3.3, Administrator may configure a compatibility LDAP tree which
> will contain identities of the Active Directory users to the legacy systems.
> These systems may then leverage standard LDAP authentication in this tree
> allowing selected Active Directory users to authenticate.
> 
> 
> To read more about the Test Day and suggested tests, see the following link:
> 
> https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients
> 
> Thank you for your help and participation!
> 
> The FreeIPA team
> 
> [1] http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
> [2] http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts
> 
> [IdM | IPA] FAQs: https://url.corp.redhat.com/idm-faq
> Identity Management SME Team on Docspace
> https://url.corp.redhat.com/sme-idm
> Search the archives: post-office.corp.redhat.com/mailman/listinfo/idm-tech
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 



From klarmstrong2 at liberty.edu  Thu Jul 25 14:06:01 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Thu, 25 Jul 2013 14:06:01 +0000
Subject: [Freeipa-users] external CA install problem
In-Reply-To: <51E9B349.5060706@redhat.com>
References: <1374253896.4930.4.camel@localhost.localdomain>
	<51E9B349.5060706@redhat.com>
Message-ID: <1374761162.4302.2.camel@localhost.localdomain>

On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
I'm trying to install an IPA server using an external CA.

I ran the ipa-server-install --external-ca command, and got my cert signed by our on-site CA.

So then I go back to install using my certs:

ipa-server-install --external_cert_file=/root/ipa.cer --external_ca_file=/root/CACert.cer


I get this for output:

Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_cert_subject_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
Configuration of CA failed


[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instanceConfiguring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_cert_subject_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
Configuration of CA failed
[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
    raise RuntimeError('Configuration of CA failed')



2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed

Any thoughts on what I can do to troubleshoot this?

Thanks.

-Kenny



_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


Several questions:
1) package and os version/distro?
2) what is in httpd logs?
3) what is in pki logs?

The names and locations of the logs partially depend on the answer to the first question.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/<http://www.redhat.com/carveoutcosts/>


_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


Hi all,

Just tried this again on a new clean install:

[3/4]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.lnxrealmtest.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-WH9RBT -client_certdb_pwd XXXXXXXX -preop_pin TaLcAevF7piQ1NV0Jmd9 -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.lnxrealmtest.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_cert_subject_name CN=lnxrealmtest01.lnxrealmtest.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_csr_file /root/ipa.csr -clone false' returned non-zero exit status 255
Configuration of CA failed


This is on a RHEL 6.4 x86_64 host, fully updated

ipa-server-3.0.0-26.el6_4.4.x86_64
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-3.0.0-26.el6_4.4.x86_64


Here is the command that I am using to run the install:

ipa-server-install --setup-dns --forwarder=10.254.20.82 --forwarder=10.254.10.82 --external-ca

and my /etc/hosts file:

[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# cat /etc/hosts
10.203.60.225 lnxrealmtest01.lnxrealmtest.liberty.edu lnxrealmtest
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4

Am I missing something?

Thanks.

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130725/e8ffa276/attachment.htm>

From mkosek at redhat.com  Thu Jul 25 14:22:51 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 25 Jul 2013 16:22:51 +0200
Subject: [Freeipa-users] external CA install problem
In-Reply-To: <1374761162.4302.2.camel@localhost.localdomain>
References: <1374253896.4930.4.camel@localhost.localdomain>
	<51E9B349.5060706@redhat.com>
	<1374761162.4302.2.camel@localhost.localdomain>
Message-ID: <51F134BB.1030705@redhat.com>

On 07/25/2013 04:06 PM, Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
> On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
> I'm trying to install an IPA server using an external CA.
> 
> I ran the ipa-server-install --external-ca command, and got my cert signed by our on-site CA.
> 
> So then I go back to install using my certs:
> 
> ipa-server-install --external_cert_file=/root/ipa.cer --external_ca_file=/root/CACert.cer
> 
> 
> I get this for output:
> 
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_!
 cert_subje
ct_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
> Configuration of CA failed
> 
> 
> [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instanceConfiguring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_!
 cert_subje
ct_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
> Configuration of CA failed
> [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
>     self.start_creation(runtime=210)
> 
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>     method()
> 
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>     raise RuntimeError('Configuration of CA failed')
> 
> 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>     self.start_creation(runtime=210)
> 
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>     method()
> 
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>     raise RuntimeError('Configuration of CA failed')
> 
> 
> 
> 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
> 
> Any thoughts on what I can do to troubleshoot this?
> 
> Thanks.
> 
> -Kenny
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
> Several questions:
> 1) package and os version/distro?
> 2) what is in httpd logs?
> 3) what is in pki logs?
> 
> The names and locations of the logs partially depend on the answer to the first question.
> 
> 
> 
> --
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> 
> 
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/<http://www.redhat.com/carveoutcosts/>
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
> Hi all,
> 
> Just tried this again on a new clean install:
> 
> [3/4]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.lnxrealmtest.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-WH9RBT -client_certdb_pwd XXXXXXXX -preop_pin TaLcAevF7piQ1NV0Jmd9 -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.lnxrealmtest.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTE!
 ST.LIBERTY
.EDU -ca_server_cert_subject_name CN=lnxrealmtest01.lnxrealmtest.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_csr_file /root/ipa.csr -clone false' returned non-zero exit status 255
> Configuration of CA failed
> 
> 
> This is on a RHEL 6.4 x86_64 host, fully updated
> 
> ipa-server-3.0.0-26.el6_4.4.x86_64
> libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
> ipa-client-3.0.0-26.el6_4.4.x86_64
> ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-1.9.2-82.7.el6_4.x86_64
> ipa-python-3.0.0-26.el6_4.4.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-admintools-3.0.0-26.el6_4.4.x86_64
> 
> 
> Here is the command that I am using to run the install:
> 
> ipa-server-install --setup-dns --forwarder=10.254.20.82 --forwarder=10.254.10.82 --external-ca
> 
> and my /etc/hosts file:
> 
> [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# cat /etc/hosts
> 10.203.60.225 lnxrealmtest01.lnxrealmtest.liberty.edu lnxrealmtest
> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> 
> Am I missing something?
> 
> Thanks.
> 
> -Kenny
> 

Thanks. As Dmitri wrote above, we would also need ipaserver-install.log and
pki-ca logs to be able to see related error messages.

Adding Ade from PKI developers to CC too.

Martin



From klarmstrong2 at liberty.edu  Thu Jul 25 14:34:35 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Thu, 25 Jul 2013 14:34:35 +0000
Subject: [Freeipa-users] external CA install problem
In-Reply-To: <51F134BB.1030705@redhat.com>
References: <1374253896.4930.4.camel@localhost.localdomain>
	<51E9B349.5060706@redhat.com>
	<1374761162.4302.2.camel@localhost.localdomain>
	<51F134BB.1030705@redhat.com>
Message-ID: <1374762875.4302.5.camel@localhost.localdomain>

On Thu, 2013-07-25 at 16:22 +0200, Martin Kosek wrote:


On 07/25/2013 04:06 PM, Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
> On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
> I'm trying to install an IPA server using an external CA.
>
> I ran the ipa-server-install --external-ca command, and got my cert signed by our on-site CA.
>
> So then I go back to install using my certs:
>
> ipa-server-install --external_cert_file=/root/ipa.cer --external_ca_file=/root/CACert.cer
>
>
> I get this for output:
>
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_!
 cert_subje
ct_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
> Configuration of CA failed
>
>
> [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instanceConfiguring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_!
 cert_subje
ct_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
> Configuration of CA failed
> [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>     method()
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>     raise RuntimeError('Configuration of CA failed')
>
> 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>     method()
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>     raise RuntimeError('Configuration of CA failed')
>
>
>
> 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>
> Any thoughts on what I can do to troubleshoot this?
>
> Thanks.
>
> -Kenny
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com><mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> Several questions:
> 1) package and os version/distro?
> 2) what is in httpd logs?
> 3) what is in pki logs?
>
> The names and locations of the logs partially depend on the answer to the first question.
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/<http://www.redhat.com/carveoutcosts/><http://www.redhat.com/carveoutcosts/>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com><mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> Hi all,
>
> Just tried this again on a new clean install:
>
> [3/4]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.lnxrealmtest.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-WH9RBT -client_certdb_pwd XXXXXXXX -preop_pin TaLcAevF7piQ1NV0Jmd9 -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.lnxrealmtest.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTE!
 ST.LIBERTY
.EDU -ca_server_cert_subject_name CN=lnxrealmtest01.lnxrealmtest.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_csr_file /root/ipa.csr -clone false' returned non-zero exit status 255
> Configuration of CA failed
>
>
> This is on a RHEL 6.4 x86_64 host, fully updated
>
> ipa-server-3.0.0-26.el6_4.4.x86_64
> libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
> ipa-client-3.0.0-26.el6_4.4.x86_64
> ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-1.9.2-82.7.el6_4.x86_64
> ipa-python-3.0.0-26.el6_4.4.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-admintools-3.0.0-26.el6_4.4.x86_64
>
>
> Here is the command that I am using to run the install:
>
> ipa-server-install --setup-dns --forwarder=10.254.20.82 --forwarder=10.254.10.82 --external-ca
>
> and my /etc/hosts file:
>
> [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# cat /etc/hosts
> 10.203.60.225 lnxrealmtest01.lnxrealmtest.liberty.edu lnxrealmtest
> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>
> Am I missing something?
>
> Thanks.
>
> -Kenny
>

Thanks. As Dmitri wrote above, we would also need ipaserver-install.log and
pki-ca logs to be able to see related error messages.

Adding Ade from PKI developers to CC too.

Martin



Which PKI logs do you need?

I attached the ipa install log.

-Kenny

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130725/9bdf584c/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipaserver-install.log
Type: text/x-log
Size: 20946 bytes
Desc: ipaserver-install.log
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130725/9bdf584c/attachment.bin>

From klarmstrong2 at liberty.edu  Thu Jul 25 15:02:06 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Thu, 25 Jul 2013 15:02:06 +0000
Subject: [Freeipa-users] external CA install problem
In-Reply-To: <1374762875.4302.5.camel@localhost.localdomain>
References: <1374253896.4930.4.camel@localhost.localdomain>
	<51E9B349.5060706@redhat.com>
	<1374761162.4302.2.camel@localhost.localdomain>
	<51F134BB.1030705@redhat.com>
	<1374762875.4302.5.camel@localhost.localdomain>
Message-ID: <1374764526.4302.7.camel@localhost.localdomain>

On Thu, 2013-07-25 at 14:34 +0000, Armstrong, Kenneth Lawrence wrote:
On Thu, 2013-07-25 at 16:22 +0200, Martin Kosek wrote:


On 07/25/2013 04:06 PM, Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
> On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
> I'm trying to install an IPA server using an external CA.
>
> I ran the ipa-server-install --external-ca command, and got my cert signed by our on-site CA.
>
> So then I go back to install using my certs:
>
> ipa-server-install --external_cert_file=/root/ipa.cer --external_ca_file=/root/CACert.cer
>
>
> I get this for output:
>
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_!
 cert_subje
ct_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
> Configuration of CA failed
>
>
> [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instanceConfiguring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_!
 cert_subje
ct_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
> Configuration of CA failed
> [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>     method()
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>     raise RuntimeError('Configuration of CA failed')
>
> 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>     method()
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>     raise RuntimeError('Configuration of CA failed')
>
>
>
> 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>
> Any thoughts on what I can do to troubleshoot this?
>
> Thanks.
>
> -Kenny
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com><mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> Several questions:
> 1) package and os version/distro?
> 2) what is in httpd logs?
> 3) what is in pki logs?
>
> The names and locations of the logs partially depend on the answer to the first question.
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/<http://www.redhat.com/carveoutcosts/><http://www.redhat.com/carveoutcosts/>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com><mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> Hi all,
>
> Just tried this again on a new clean install:
>
> [3/4]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.lnxrealmtest.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-WH9RBT -client_certdb_pwd XXXXXXXX -preop_pin TaLcAevF7piQ1NV0Jmd9 -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.lnxrealmtest.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTE!
 ST.LIBERTY
.EDU -ca_server_cert_subject_name CN=lnxrealmtest01.lnxrealmtest.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_csr_file /root/ipa.csr -clone false' returned non-zero exit status 255
> Configuration of CA failed
>
>
> This is on a RHEL 6.4 x86_64 host, fully updated
>
> ipa-server-3.0.0-26.el6_4.4.x86_64
> libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
> ipa-client-3.0.0-26.el6_4.4.x86_64
> ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-1.9.2-82.7.el6_4.x86_64
> ipa-python-3.0.0-26.el6_4.4.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-admintools-3.0.0-26.el6_4.4.x86_64
>
>
> Here is the command that I am using to run the install:
>
> ipa-server-install --setup-dns --forwarder=10.254.20.82 --forwarder=10.254.10.82 --external-ca
>
> and my /etc/hosts file:
>
> [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# cat /etc/hosts
> 10.203.60.225 lnxrealmtest01.lnxrealmtest.liberty.edu lnxrealmtest
> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>
> Am I missing something?
>
> Thanks.
>
> -Kenny
>

Thanks. As Dmitri wrote above, we would also need ipaserver-install.log and
pki-ca logs to be able to see related error messages.

Adding Ade from PKI developers to CC too.

Martin



Which PKI logs do you need?

I attached the ipa install log.

-Kenny



_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


Figured it out, there is an SELinux policy issue.  I ran the uninstall routine, setenforce 0 then tried again.  This is in the audit.log file:

[root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# sealert -a /var/log/audit/audit.log
100% donefound 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from read access on the file /anon_hugepage (deleted).

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label.
/anon_hugepage (deleted) default label should be etc_runtime_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /anon_hugepage (deleted)

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that java should be allowed read access on the anon_hugepage (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


--------------------------------------------------------------------------------

SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from getattr access on the filesystem /.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that java should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

I am going to turn SELinux back on and continue when I get my cert back to see what happens then.

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130725/8d4db430/attachment.htm>

From ziplyx at gmail.com  Thu Jul 25 14:31:48 2013
From: ziplyx at gmail.com (Zip Ly)
Date: Thu, 25 Jul 2013 16:31:48 +0200
Subject: [Freeipa-users]  How to communicate IPA with PHP
Message-ID: <CAO5uCSkW5b6p6Qt3=43u7zL9zSrXk=DJMwunuP00MRb_JgfnNg@mail.gmail.com>

I need to setup a proxy (S4U2proxy ?) so I can perform actions like
creating, retrieving users, make them a member of a group etc.

The problem is I don't know where to start. I've searched the internet for
xml-rpc, json-rpc, web API but I couln't find anything useful.

Is there anyone who already made this and can give me an example. Or can
someone tell me a strategy of what kind of information I should gather to
create this.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130725/acde84ab/attachment.htm>

From rcritten at redhat.com  Thu Jul 25 15:51:03 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 25 Jul 2013 11:51:03 -0400
Subject: [Freeipa-users] external CA install problem
In-Reply-To: <1374762875.4302.5.camel@localhost.localdomain>
References: <1374253896.4930.4.camel@localhost.localdomain>
	<51E9B349.5060706@redhat.com>
	<1374761162.4302.2.camel@localhost.localdomain>
	<51F134BB.1030705@redhat.com>
	<1374762875.4302.5.camel@localhost.localdomain>
Message-ID: <51F14967.60108@redhat.com>

Armstrong, Kenneth Lawrence wrote:
> On Thu, 2013-07-25 at 16:22 +0200, Martin Kosek wrote:
>> On 07/25/2013 04:06 PM, Armstrong, Kenneth Lawrence wrote:
>> > On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
>> > On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
>> > I'm trying to install an IPA server using an external CA.
>> >
>> > I ran the ipa-server-install --external-ca command, and got my cert signed by our on-site CA.
>> >
>> > So then I go back to install using my certs:
>> >
>> > ipa-server-install --external_cert_file=/root/ipa.cer --external_ca_file=/root/CACert.cer
>> >
>> >
>> > I get this for output:
>> >
>> > Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>> >   [1/20]: creating certificate server user
>> >   [2/20]: configuring certificate server instance
>> > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_serv!
 er_!
>>   cert_subje
>> ct_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
>> > Configuration of CA failed
>> >
>> >
>> > [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
>> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instanceConfiguring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>> >   [1/20]: creating certificate server user
>> >   [2/20]: configuring certificate server instance
>> > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_serv!
 er_!
>>   cert_subje
>> ct_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
>> > Configuration of CA failed
>> > [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
>> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
>> >     self.start_creation(runtime=210)
>> >
>> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>> >     method()
>> >
>> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>> >     raise RuntimeError('Configuration of CA failed')
>> >
>> > 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>> >     self.start_creation(runtime=210)
>> >
>> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>> >     method()
>> >
>> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>> >     raise RuntimeError('Configuration of CA failed')
>> >
>> >
>> >
>> > 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>> >
>> > Any thoughts on what I can do to troubleshoot this?
>> >
>> > Thanks.
>> >
>> > -Kenny
>> >
>> >
>> >
>> > _______________________________________________
>> > Freeipa-users mailing list
>> >Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com><mailto:Freeipa-users at redhat.com>
>> >https://www.redhat.com/mailman/listinfo/freeipa-users
>> >
>> >
>> > Several questions:
>> > 1) package and os version/distro?
>> > 2) what is in httpd logs?
>> > 3) what is in pki logs?
>> >
>> > The names and locations of the logs partially depend on the answer to the first question.
>> >
>> >
>> >
>> > --
>> > Thank you,
>> > Dmitri Pal
>> >
>> > Sr. Engineering Manager for IdM portfolio
>> > Red Hat Inc.
>> >
>> >
>> > -------------------------------
>> > Looking to carve out IT costs?
>> >www.redhat.com/carveoutcosts/  <http://www.redhat.com/carveoutcosts/><http://www.redhat.com/carveoutcosts/>
>> >
>> >
>> > _______________________________________________
>> > Freeipa-users mailing list
>> >Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com><mailto:Freeipa-users at redhat.com>
>> >https://www.redhat.com/mailman/listinfo/freeipa-users
>> >
>> >
>> > Hi all,
>> >
>> > Just tried this again on a new clean install:
>> >
>> > [3/4]: configuring certificate server instance
>> > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.lnxrealmtest.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-WH9RBT -client_certdb_pwd XXXXXXXX -preop_pin TaLcAevF7piQ1NV0Jmd9 -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.lnxrealmtest.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREAL!
 MTE!
>>   ST.LIBERTY
>> .EDU -ca_server_cert_subject_name CN=lnxrealmtest01.lnxrealmtest.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_csr_file /root/ipa.csr -clone false' returned non-zero exit status 255
>> > Configuration of CA failed
>> >
>> >
>> > This is on a RHEL 6.4 x86_64 host, fully updated
>> >
>> > ipa-server-3.0.0-26.el6_4.4.x86_64
>> > libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
>> > ipa-client-3.0.0-26.el6_4.4.x86_64
>> > ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
>> > ipa-pki-common-theme-9.0.3-7.el6.noarch
>> > libipa_hbac-1.9.2-82.7.el6_4.x86_64
>> > ipa-python-3.0.0-26.el6_4.4.x86_64
>> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> > ipa-admintools-3.0.0-26.el6_4.4.x86_64
>> >
>> >
>> > Here is the command that I am using to run the install:
>> >
>> > ipa-server-install --setup-dns --forwarder=10.254.20.82 --forwarder=10.254.10.82 --external-ca
>> >
>> > and my /etc/hosts file:
>> >
>> > [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# cat /etc/hosts
>> > 10.203.60.225 lnxrealmtest01.lnxrealmtest.liberty.edu lnxrealmtest
>> > 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>> >
>> > Am I missing something?
>> >
>> > Thanks.
>> >
>> > -Kenny
>> >
>>
>> Thanks. As Dmitri wrote above, we would also need ipaserver-install.log and
>> pki-ca logs to be able to see related error messages.
>>
>> Adding Ade from PKI developers to CC too.
>>
>> Martin
>>
>
> Which PKI logs do you need?
>
> I attached the ipa install log.
>
> -Kenny

This IPA log looks wrong. It appears to be from a first-run of the 
server, and not the second run, with --external-ca set.

rob



From klarmstrong2 at liberty.edu  Thu Jul 25 16:53:39 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Thu, 25 Jul 2013 16:53:39 +0000
Subject: [Freeipa-users] external CA install problem
In-Reply-To: <51F14967.60108@redhat.com>
References: <1374253896.4930.4.camel@localhost.localdomain>
	<51E9B349.5060706@redhat.com>
	<1374761162.4302.2.camel@localhost.localdomain>
	<51F134BB.1030705@redhat.com>
	<1374762875.4302.5.camel@localhost.localdomain>
	<51F14967.60108@redhat.com>
Message-ID: <1374771219.4302.9.camel@localhost.localdomain>

On Thu, 2013-07-25 at 11:51 -0400, Rob Crittenden wrote:


Armstrong, Kenneth Lawrence wrote:
> On Thu, 2013-07-25 at 16:22 +0200, Martin Kosek wrote:
>> On 07/25/2013 04:06 PM, Armstrong, Kenneth Lawrence wrote:
>> > On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
>> > On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
>> > I'm trying to install an IPA server using an external CA.
>> >
>> > I ran the ipa-server-install --external-ca command, and got my cert signed by our on-site CA.
>> >
>> > So then I go back to install using my certs:
>> >
>> > ipa-server-install --external_cert_file=/root/ipa.cer --external_ca_file=/root/CACert.cer
>> >
>> >
>> > I get this for output:
>> >
>> > Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>> >   [1/20]: creating certificate server user
>> >   [2/20]: configuring certificate server instance
>> > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_serv!
 er_!
>>   cert_subje
>> ct_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
>> > Configuration of CA failed
>> >
>> >
>> > [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
>> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instanceConfiguring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>> >   [1/20]: creating certificate server user
>> >   [2/20]: configuring certificate server instance
>> > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_serv!
 er_!
>>   cert_subje
>> ct_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
>> > Configuration of CA failed
>> > [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
>> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
>> >     self.start_creation(runtime=210)
>> >
>> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>> >     method()
>> >
>> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>> >     raise RuntimeError('Configuration of CA failed')
>> >
>> > 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>> >     self.start_creation(runtime=210)
>> >
>> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>> >     method()
>> >
>> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>> >     raise RuntimeError('Configuration of CA failed')
>> >
>> >
>> >
>> > 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>> >
>> > Any thoughts on what I can do to troubleshoot this?
>> >
>> > Thanks.
>> >
>> > -Kenny
>> >
>> >
>> >
>> > _______________________________________________
>> > Freeipa-users mailing list
>> >Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>  <mailto:Freeipa-users at redhat.com><mailto:Freeipa-users at redhat.com>
>> >https://www.redhat.com/mailman/listinfo/freeipa-users
>> >
>> >
>> > Several questions:
>> > 1) package and os version/distro?
>> > 2) what is in httpd logs?
>> > 3) what is in pki logs?
>> >
>> > The names and locations of the logs partially depend on the answer to the first question.
>> >
>> >
>> >
>> > --
>> > Thank you,
>> > Dmitri Pal
>> >
>> > Sr. Engineering Manager for IdM portfolio
>> > Red Hat Inc.
>> >
>> >
>> > -------------------------------
>> > Looking to carve out IT costs?
>> >www.redhat.com/carveoutcosts/  <http://www.redhat.com/carveoutcosts/><http://www.redhat.com/carveoutcosts/>
>> >
>> >
>> > _______________________________________________
>> > Freeipa-users mailing list
>> >Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>  <mailto:Freeipa-users at redhat.com><mailto:Freeipa-users at redhat.com>
>> >https://www.redhat.com/mailman/listinfo/freeipa-users
>> >
>> >
>> > Hi all,
>> >
>> > Just tried this again on a new clean install:
>> >
>> > [3/4]: configuring certificate server instance
>> > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.lnxrealmtest.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-WH9RBT -client_certdb_pwd XXXXXXXX -preop_pin TaLcAevF7piQ1NV0Jmd9 -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.lnxrealmtest.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREAL!
 MTE!
>>   ST.LIBERTY
>> .EDU -ca_server_cert_subject_name CN=lnxrealmtest01.lnxrealmtest.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_csr_file /root/ipa.csr -clone false' returned non-zero exit status 255
>> > Configuration of CA failed
>> >
>> >
>> > This is on a RHEL 6.4 x86_64 host, fully updated
>> >
>> > ipa-server-3.0.0-26.el6_4.4.x86_64
>> > libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
>> > ipa-client-3.0.0-26.el6_4.4.x86_64
>> > ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
>> > ipa-pki-common-theme-9.0.3-7.el6.noarch
>> > libipa_hbac-1.9.2-82.7.el6_4.x86_64
>> > ipa-python-3.0.0-26.el6_4.4.x86_64
>> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> > ipa-admintools-3.0.0-26.el6_4.4.x86_64
>> >
>> >
>> > Here is the command that I am using to run the install:
>> >
>> > ipa-server-install --setup-dns --forwarder=10.254.20.82 --forwarder=10.254.10.82 --external-ca
>> >
>> > and my /etc/hosts file:
>> >
>> > [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# cat /etc/hosts
>> > 10.203.60.225 lnxrealmtest01.lnxrealmtest.liberty.edu lnxrealmtest
>> > 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>> >
>> > Am I missing something?
>> >
>> > Thanks.
>> >
>> > -Kenny
>> >
>>
>> Thanks. As Dmitri wrote above, we would also need ipaserver-install.log and
>> pki-ca logs to be able to see related error messages.
>>
>> Adding Ade from PKI developers to CC too.
>>
>> Martin
>>
>
> Which PKI logs do you need?
>
> I attached the ipa install log.
>
> -Kenny

This IPA log looks wrong. It appears to be from a first-run of the
server, and not the second run, with --external-ca set.

rob



This is what was on the server.  With setenforce 0, I was able to get the install to complete
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130725/44c8b62b/attachment.htm>

From mkosek at redhat.com  Thu Jul 25 17:14:16 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 25 Jul 2013 19:14:16 +0200
Subject: [Freeipa-users] external CA install problem
In-Reply-To: <1374771219.4302.9.camel@localhost.localdomain>
References: <1374253896.4930.4.camel@localhost.localdomain>
	<51E9B349.5060706@redhat.com>
	<1374761162.4302.2.camel@localhost.localdomain>
	<51F134BB.1030705@redhat.com>
	<1374762875.4302.5.camel@localhost.localdomain>
	<51F14967.60108@redhat.com>
	<1374771219.4302.9.camel@localhost.localdomain>
Message-ID: <51F15CE8.3050802@redhat.com>

On 07/25/2013 06:53 PM, Armstrong, Kenneth Lawrence wrote:
> On Thu, 2013-07-25 at 11:51 -0400, Rob Crittenden wrote:
>> Armstrong, Kenneth Lawrence wrote:
>> > On Thu, 2013-07-25 at 16:22 +0200, Martin Kosek wrote:
>> >> On 07/25/2013 04:06 PM, Armstrong, Kenneth Lawrence wrote:
>> >> > On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
>> >> > On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
>> >> > I'm trying to install an IPA server using an external CA.
>> >> >
>> >> > I ran the ipa-server-install --external-ca command, and got my cert signed by our on-site CA.
>> >> >
>> >> > So then I go back to install using my certs:
>> >> >
>> >> > ipa-server-install --external_cert_file=/root/ipa.cer --external_ca_file=/root/CACert.cer
>> >> >
>> >> >
>> >> > I get this for output:
>> >> >
>> >> > Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>> >> >   [1/20]: creating certificate server user
>> >> >   [2/20]: configuring certificate server instance
>> >> > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_s!
 erv!
>>   er_!
>> >>   cert_subje
>> >> ct_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
>> >> > Configuration of CA failed
>> >> >
>> >> >
>> >> > [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
>> >> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instanceConfiguring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>> >> >   [1/20]: creating certificate server user
>> >> >   [2/20]: configuring certificate server instance
>> >> > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_s!
 erv!
>>   er_!
>> >>   cert_subje
>> >> ct_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
>> >> > Configuration of CA failed
>> >> > [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
>> >> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
>> >> >     self.start_creation(runtime=210)
>> >> >
>> >> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>> >> >     method()
>> >> >
>> >> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>> >> >     raise RuntimeError('Configuration of CA failed')
>> >> >
>> >> > 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>> >> >     self.start_creation(runtime=210)
>> >> >
>> >> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>> >> >     method()
>> >> >
>> >> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>> >> >     raise RuntimeError('Configuration of CA failed')
>> >> >
>> >> >
>> >> >
>> >> > 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>> >> >
>> >> > Any thoughts on what I can do to troubleshoot this?
>> >> >
>> >> > Thanks.
>> >> >
>> >> > -Kenny
>> >> >
>> >> >
>> >> >
>> >> > _______________________________________________
>> >> > Freeipa-users mailing list
>> >> >Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>   <mailto:Freeipa-users at redhat.com><mailto:Freeipa-users at redhat.com>
>> >> >https://www.redhat.com/mailman/listinfo/freeipa-users
>> >> >
>> >> >
>> >> > Several questions:
>> >> > 1) package and os version/distro?
>> >> > 2) what is in httpd logs?
>> >> > 3) what is in pki logs?
>> >> >
>> >> > The names and locations of the logs partially depend on the answer to the first question.
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Thank you,
>> >> > Dmitri Pal
>> >> >
>> >> > Sr. Engineering Manager for IdM portfolio
>> >> > Red Hat Inc.
>> >> >
>> >> >
>> >> > -------------------------------
>> >> > Looking to carve out IT costs?
>> >> >www.redhat.com/carveoutcosts/  <http://www.redhat.com/carveoutcosts/><http://www.redhat.com/carveoutcosts/>
>> >> >
>> >> >
>> >> > _______________________________________________
>> >> > Freeipa-users mailing list
>> >> >Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>   <mailto:Freeipa-users at redhat.com><mailto:Freeipa-users at redhat.com>
>> >> >https://www.redhat.com/mailman/listinfo/freeipa-users
>> >> >
>> >> >
>> >> > Hi all,
>> >> >
>> >> > Just tried this again on a new clean install:
>> >> >
>> >> > [3/4]: configuring certificate server instance
>> >> > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.lnxrealmtest.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-WH9RBT -client_certdb_pwd XXXXXXXX -preop_pin TaLcAevF7piQ1NV0Jmd9 -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.lnxrealmtest.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXR!
 EAL!
>>   MTE!
>> >>   ST.LIBERTY
>> >> .EDU -ca_server_cert_subject_name CN=lnxrealmtest01.lnxrealmtest.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_csr_file /root/ipa.csr -clone false' returned non-zero exit status 255
>> >> > Configuration of CA failed
>> >> >
>> >> >
>> >> > This is on a RHEL 6.4 x86_64 host, fully updated
>> >> >
>> >> > ipa-server-3.0.0-26.el6_4.4.x86_64
>> >> > libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
>> >> > ipa-client-3.0.0-26.el6_4.4.x86_64
>> >> > ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
>> >> > ipa-pki-common-theme-9.0.3-7.el6.noarch
>> >> > libipa_hbac-1.9.2-82.7.el6_4.x86_64
>> >> > ipa-python-3.0.0-26.el6_4.4.x86_64
>> >> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> >> > ipa-admintools-3.0.0-26.el6_4.4.x86_64
>> >> >
>> >> >
>> >> > Here is the command that I am using to run the install:
>> >> >
>> >> > ipa-server-install --setup-dns --forwarder=10.254.20.82 --forwarder=10.254.10.82 --external-ca
>> >> >
>> >> > and my /etc/hosts file:
>> >> >
>> >> > [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# cat /etc/hosts
>> >> > 10.203.60.225 lnxrealmtest01.lnxrealmtest.liberty.edu lnxrealmtest
>> >> > 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>> >> >
>> >> > Am I missing something?
>> >> >
>> >> > Thanks.
>> >> >
>> >> > -Kenny
>> >> >
>> >>
>> >> Thanks. As Dmitri wrote above, we would also need ipaserver-install.log and
>> >> pki-ca logs to be able to see related error messages.
>> >>
>> >> Adding Ade from PKI developers to CC too.
>> >>
>> >> Martin
>> >>
>> >
>> > Which PKI logs do you need?
>> >
>> > I attached the ipa install log.
>> >
>> > -Kenny
>>
>> This IPA log looks wrong. It appears to be from a first-run of the
>> server, and not the second run, with --external-ca set.
>>
>> rob
>>
> This is what was on the server.  With setenforce 0, I was able to get the
> install to complete

Thanks. Can you please file a Bugzilla for selinux-policy in RHEL? It would 
help us get the issue fixed. This is an URL for the Bugzilla:

https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%206&component=selinux-policy

It would be also helpful to write output of the following command so that we 
can see the raw AVCs:

# ausearch -m avc -ts today

Thank you,
Martin



From klarmstrong2 at liberty.edu  Thu Jul 25 17:24:56 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Thu, 25 Jul 2013 17:24:56 +0000
Subject: [Freeipa-users] external CA install problem
In-Reply-To: <51F15CE8.3050802@redhat.com>
References: <1374253896.4930.4.camel@localhost.localdomain>
	<51E9B349.5060706@redhat.com>
	<1374761162.4302.2.camel@localhost.localdomain>
	<51F134BB.1030705@redhat.com>
	<1374762875.4302.5.camel@localhost.localdomain>
	<51F14967.60108@redhat.com>
	<1374771219.4302.9.camel@localhost.localdomain>
	<51F15CE8.3050802@redhat.com>
Message-ID: <1374773096.4302.10.camel@localhost.localdomain>

On Thu, 2013-07-25 at 19:14 +0200, Martin Kosek wrote:


On 07/25/2013 06:53 PM, Armstrong, Kenneth Lawrence wrote:
> On Thu, 2013-07-25 at 11:51 -0400, Rob Crittenden wrote:
>> Armstrong, Kenneth Lawrence wrote:
>> > On Thu, 2013-07-25 at 16:22 +0200, Martin Kosek wrote:
>> >> On 07/25/2013 04:06 PM, Armstrong, Kenneth Lawrence wrote:
>> >> > On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
>> >> > On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
>> >> > I'm trying to install an IPA server using an external CA.
>> >> >
>> >> > I ran the ipa-server-install --external-ca command, and got my cert signed by our on-site CA.
>> >> >
>> >> > So then I go back to install using my certs:
>> >> >
>> >> > ipa-server-install --external_cert_file=/root/ipa.cer --external_ca_file=/root/CACert.cer
>> >> >
>> >> >
>> >> > I get this for output:
>> >> >
>> >> > Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>> >> >   [1/20]: creating certificate server user
>> >> >   [2/20]: configuring certificate server instance
>> >> > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_s!
 erv!
>>   er_!
>> >>   cert_subje
>> >> ct_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
>> >> > Configuration of CA failed
>> >> >
>> >> >
>> >> > [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
>> >> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instanceConfiguring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>> >> >   [1/20]: creating certificate server user
>> >> >   [2/20]: configuring certificate server instance
>> >> > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_s!
 erv!
>>   er_!
>> >>   cert_subje
>> >> ct_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
>> >> > Configuration of CA failed
>> >> > [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# tail /var/log/ipaserver-install.log
>> >> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
>> >> >     self.start_creation(runtime=210)
>> >> >
>> >> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>> >> >     method()
>> >> >
>> >> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>> >> >     raise RuntimeError('Configuration of CA failed')
>> >> >
>> >> > 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>> >> >     self.start_creation(runtime=210)
>> >> >
>> >> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>> >> >     method()
>> >> >
>> >> >   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>> >> >     raise RuntimeError('Configuration of CA failed')
>> >> >
>> >> >
>> >> >
>> >> > 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>> >> >
>> >> > Any thoughts on what I can do to troubleshoot this?
>> >> >
>> >> > Thanks.
>> >> >
>> >> > -Kenny
>> >> >
>> >> >
>> >> >
>> >> > _______________________________________________
>> >> > Freeipa-users mailing list
>> >> >Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>  <mailto:Freeipa-users at redhat.com>   <mailto:Freeipa-users at redhat.com><mailto:Freeipa-users at redhat.com>
>> >> >https://www.redhat.com/mailman/listinfo/freeipa-users
>> >> >
>> >> >
>> >> > Several questions:
>> >> > 1) package and os version/distro?
>> >> > 2) what is in httpd logs?
>> >> > 3) what is in pki logs?
>> >> >
>> >> > The names and locations of the logs partially depend on the answer to the first question.
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Thank you,
>> >> > Dmitri Pal
>> >> >
>> >> > Sr. Engineering Manager for IdM portfolio
>> >> > Red Hat Inc.
>> >> >
>> >> >
>> >> > -------------------------------
>> >> > Looking to carve out IT costs?
>> >> >www.redhat.com/carveoutcosts/  <http://www.redhat.com/carveoutcosts/><http://www.redhat.com/carveoutcosts/>
>> >> >
>> >> >
>> >> > _______________________________________________
>> >> > Freeipa-users mailing list
>> >> >Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>  <mailto:Freeipa-users at redhat.com>   <mailto:Freeipa-users at redhat.com><mailto:Freeipa-users at redhat.com>
>> >> >https://www.redhat.com/mailman/listinfo/freeipa-users
>> >> >
>> >> >
>> >> > Hi all,
>> >> >
>> >> > Just tried this again on a new clean install:
>> >> >
>> >> > [3/4]: configuring certificate server instance
>> >> > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.lnxrealmtest.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-WH9RBT -client_certdb_pwd XXXXXXXX -preop_pin TaLcAevF7piQ1NV0Jmd9 -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.lnxrealmtest.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXR!
 EAL!
>>   MTE!
>> >>   ST.LIBERTY
>> >> .EDU -ca_server_cert_subject_name CN=lnxrealmtest01.lnxrealmtest.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_csr_file /root/ipa.csr -clone false' returned non-zero exit status 255
>> >> > Configuration of CA failed
>> >> >
>> >> >
>> >> > This is on a RHEL 6.4 x86_64 host, fully updated
>> >> >
>> >> > ipa-server-3.0.0-26.el6_4.4.x86_64
>> >> > libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
>> >> > ipa-client-3.0.0-26.el6_4.4.x86_64
>> >> > ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
>> >> > ipa-pki-common-theme-9.0.3-7.el6.noarch
>> >> > libipa_hbac-1.9.2-82.7.el6_4.x86_64
>> >> > ipa-python-3.0.0-26.el6_4.4.x86_64
>> >> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> >> > ipa-admintools-3.0.0-26.el6_4.4.x86_64
>> >> >
>> >> >
>> >> > Here is the command that I am using to run the install:
>> >> >
>> >> > ipa-server-install --setup-dns --forwarder=10.254.20.82 --forwarder=10.254.10.82 --external-ca
>> >> >
>> >> > and my /etc/hosts file:
>> >> >
>> >> > [root at lnxrealmtest01<mailto:root at lnxrealmtest01> ~]# cat /etc/hosts
>> >> > 10.203.60.225 lnxrealmtest01.lnxrealmtest.liberty.edu lnxrealmtest
>> >> > 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>> >> >
>> >> > Am I missing something?
>> >> >
>> >> > Thanks.
>> >> >
>> >> > -Kenny
>> >> >
>> >>
>> >> Thanks. As Dmitri wrote above, we would also need ipaserver-install.log and
>> >> pki-ca logs to be able to see related error messages.
>> >>
>> >> Adding Ade from PKI developers to CC too.
>> >>
>> >> Martin
>> >>
>> >
>> > Which PKI logs do you need?
>> >
>> > I attached the ipa install log.
>> >
>> > -Kenny
>>
>> This IPA log looks wrong. It appears to be from a first-run of the
>> server, and not the second run, with --external-ca set.
>>
>> rob
>>
> This is what was on the server.  With setenforce 0, I was able to get the
> install to complete

Thanks. Can you please file a Bugzilla for selinux-policy in RHEL? It would
help us get the issue fixed. This is an URL for the Bugzilla:

https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%206&component=selinux-policy

It would be also helpful to write output of the following command so that we
can see the raw AVCs:

# ausearch -m avc -ts today

Thank you,
Martin


Bug submitted:

https://bugzilla.redhat.com/show_bug.cgi?id=988495

Thanks!

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130725/ffc531ec/attachment.htm>

From klarmstrong2 at liberty.edu  Thu Jul 25 19:51:27 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Thu, 25 Jul 2013 19:51:27 +0000
Subject: [Freeipa-users] still failing to get a RHEL 5 client to join,
	LDAP bind issue?
Message-ID: <1374781887.4302.15.camel@localhost.localdomain>

I am still having issues trying to get a RHEL 5.9 client to join a RHEL 6.4 IdM domain.

All packages on both systems updated.

First problem is this:

ipa-client-install --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu --enable-dns-updates

Which fails with:

root        : ERROR    Cannot obtain CA certificate
'ldap://lnxrealmtest01.liberty.edu' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

All of the appropriate ports are open on the IdM server, and I verified this by telnetting to all of them.

I worked around this by running this:

wget -O /etc/ipa/ca.crt http://lnxrealmtest01.liberty.edu/ipa/config/ca.crt

Then ran:

ipa-client-install --server lnxrealmtest01.lnxrealmtest.liberty.edu --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt

And I was having better results, so apparently the RHEL 5.9 ipa-client-install does not want to download my cert.


On to the next problem:


User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU>:

Joining realm failed: SASL Bind failed Local error (-2) !
child exited with 9
Installation failed. Rolling back changes.


It is the same user that I use to login to the web interface, and I am 100% positive that I am not entering the password incorrectly.  So why else would the admin user not be able to bind to my IdM setup?

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130725/34e3e0e2/attachment.htm>

From dpal at redhat.com  Thu Jul 25 21:33:59 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 25 Jul 2013 17:33:59 -0400
Subject: [Freeipa-users] How to communicate IPA with PHP
In-Reply-To: <CAO5uCSkW5b6p6Qt3=43u7zL9zSrXk=DJMwunuP00MRb_JgfnNg@mail.gmail.com>
References: <CAO5uCSkW5b6p6Qt3=43u7zL9zSrXk=DJMwunuP00MRb_JgfnNg@mail.gmail.com>
Message-ID: <51F199C7.4050303@redhat.com>

On 07/25/2013 10:31 AM, Zip Ly wrote:
> I need to setup a proxy (S4U2proxy ?) so I can perform actions like
> creating, retrieving users, make them a member of a group etc.
>  
> The problem is I don't know where to start. I've searched the internet
> for xml-rpc, json-rpc, web API but I couln't find anything useful.
>  
> Is there anyone who already made this and can give me an example. Or
> can someone tell me a strategy of what kind of information I should
> gather to create this.
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
Let us start with use cases , actors and workflow.

User using X connects to Y using protocol Z
Y being a kerberised server turns around and needs to perform an
operation against IPA

Can you please fill the gaps above and add more details?

Something like this is being done by the IPA management framework
itself. It uses kerberos ticket issued for IPA to turn around and
acquire ticket for LDAP. I hate to send people looking at the code so
may be a good starting point would be to find some mail from
freeipa-devel archives that covers the s4u2proxy design. Mail like this
would date back to Spring - Summer of 2011 and most likely would be
authored by John Dennis.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130725/ffaac169/attachment.htm>

From dpal at redhat.com  Thu Jul 25 21:35:32 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 25 Jul 2013 17:35:32 -0400
Subject: [Freeipa-users] still failing to get a RHEL 5 client to join,
 LDAP bind issue?
In-Reply-To: <1374781887.4302.15.camel@localhost.localdomain>
References: <1374781887.4302.15.camel@localhost.localdomain>
Message-ID: <51F19A24.8010005@redhat.com>

On 07/25/2013 03:51 PM, Armstrong, Kenneth Lawrence wrote:
> I am still having issues trying to get a RHEL 5.9 client to join a
> RHEL 6.4 IdM domain.
>
> All packages on both systems updated.
>
> First problem is this:
>
> ipa-client-install --server lnxrealmtest01.liberty.edu --domain
> lnxrealmtest.liberty.edu --enable-dns-updates
>
> Which fails with:
>
> root        : ERROR    Cannot obtain CA certificate
> 'ldap://lnxrealmtest01.liberty.edu' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> All of the appropriate ports are open on the IdM server, and I
> verified this by telnetting to all of them.
>
> I worked around this by running this:
>
> wget -O /etc/ipa/ca.crt
> http://lnxrealmtest01.liberty.edu/ipa/config/ca.crt
>
> Then ran:
>
> ipa-client-install --server lnxrealmtest01.lnxrealmtest.liberty.edu
> --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp
> --ca-cert-file=/etc/ipa/ca.crt
>
> And I was having better results, so apparently the RHEL 5.9
> ipa-client-install does not want to download my cert.

This rings the bell. It sounds like a known issue for 5.9 openssl libraries.
Rob can you add details please?

>
>
> On to the next problem:
>
>
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for admin at LNXREALMTEST.LIBERTY.EDU
> <mailto:admin at LNXREALMTEST.LIBERTY.EDU>:
>
> Joining realm failed: SASL Bind failed Local error (-2) !
> child exited with 9
> Installation failed. Rolling back changes.
>
>
> It is the same user that I use to login to the web interface, and I am
> 100% positive that I am not entering the password incorrectly.  So why
> else would the admin user not be able to bind to my IdM setup?
>
> -Kenny
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130725/0d3a7103/attachment.htm>

From eminguez at redhat.com  Fri Jul 26 10:21:37 2013
From: eminguez at redhat.com (Eduardo Minguez)
Date: Fri, 26 Jul 2013 06:21:37 -0400 (EDT)
Subject: [Freeipa-users] still failing to get a RHEL 5 client to join,
 LDAP bind issue?
In-Reply-To: <51F19A24.8010005@redhat.com>
References: <1374781887.4302.15.camel@localhost.localdomain>
	<51F19A24.8010005@redhat.com>
Message-ID: <24858152.147.1374834177771.JavaMail.javamailuser@localhost>

----- Original Message -----

> From: "Dmitri Pal" <dpal at redhat.com>
> To: freeipa-users at redhat.com
> Sent: Thursday, 25 July, 2013 11:35:32 PM
> Subject: Re: [Freeipa-users] still failing to get a RHEL 5 client to
> join, LDAP bind issue?

> On 07/25/2013 03:51 PM, Armstrong, Kenneth Lawrence wrote:
> > I am still having issues trying to get a RHEL 5.9 client to join a
> > RHEL 6.4 IdM domain.
> 

> > All packages on both systems updated.
> 

> > First problem is this:
> 

> > ipa-client-install --server lnxrealmtest01.liberty.edu --domain
> > lnxrealmtest.liberty.edu --enable-dns-updates
> 

> > Which fails with:
> 

> > root : ERROR Cannot obtain CA certificate
> 
> > ' ldap://lnxrealmtest01.liberty.edu ' doesn't have a certificate.
> 
> > Installation failed. Rolling back changes.
> 
> > IPA client is not configured on this system.
> 

> > All of the appropriate ports are open on the IdM server, and I
> > verified this by telnetting to all of them.
> 

> > I worked around this by running this:
> 

> > wget -O /etc/ipa/ca.crt
> > http://lnxrealmtest01.liberty.edu/ipa/config/ca.crt
> 

> > Then ran:
> 

> > ipa-client-install --server lnxrealmtest01.lnxrealmtest.liberty.edu
> > --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp
> > --ca-cert-file=/etc/ipa/ca.crt
> 

> > And I was having better results, so apparently the RHEL 5.9
> > ipa-client-install does not want to download my cert.
> 

> This rings the bell. It sounds like a known issue for 5.9 openssl
> libraries.
> Rob can you add details please?

> > On to the next problem:
> 

> > User authorized to enroll computers: admin
> 
> > Synchronizing time with KDC...
> 
> > Password for admin at LNXREALMTEST.LIBERTY.EDU :
> 

> > Joining realm failed: SASL Bind failed Local error (-2) !
> 
> > child exited with 9
> 
> > Installation failed. Rolling back changes.
> 

Run ipa-client-install with "-d" debug flag to get more information. I've had the same issue due to DNS reverse for the server not being correct (check the krb log in the server) 

> > It is the same user that I use to login to the web interface, and I
> > am 100% positive that I am not entering the password incorrectly.
> > So
> > why else would the admin user not be able to bind to my IdM setup?
> 

> > -Kenny
> 

> > _______________________________________________
> 
> > Freeipa-users mailing list Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> --
> Thank you,
> Dmitri Pal

> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.

> -------------------------------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
-- 

Eduardo M?nguez P?rez 
Infrastructure Consultant (RHCE, RHCSA) 
Red Hat - Spain 
Mobile: +34 629803049 (CET/CEST) 
E-mail: eminguez at redhat.com 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130726/653d0811/attachment.htm>

From c.schmitt at briefdomain.de  Fri Jul 26 10:23:13 2013
From: c.schmitt at briefdomain.de (Schmitt, Christian)
Date: Fri, 26 Jul 2013 12:23:13 +0200
Subject: [Freeipa-users] Login to Web UI don't work after restart
Message-ID: <CAPDLAU4w2idUs55HWj2g4eO1h2S6ptXX0m5RJNVMpt=tCkvVNg@mail.gmail.com>

Hello,
currently I'm trying to get ipa working on a virtual environment, after we
updated the kernel and restarted ipa, we can't login to our web ui.

The time is totally correct, and nothing has changed except the kernel
update.

our current operatingsystem is CentOS 6.4 (with the newest updates)

The Web UI always says 'Your session has expired. Please re-login.'
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130726/9b133bc5/attachment.htm>

From lukas.bezdicka at gooddata.com  Fri Jul 26 11:42:15 2013
From: lukas.bezdicka at gooddata.com (=?UTF-8?B?THVrw6HFoSBCZXpkacSNa2E=?=)
Date: Fri, 26 Jul 2013 13:42:15 +0200
Subject: [Freeipa-users] Login to Web UI don't work after restart
In-Reply-To: <CAPDLAU4w2idUs55HWj2g4eO1h2S6ptXX0m5RJNVMpt=tCkvVNg@mail.gmail.com>
References: <CAPDLAU4w2idUs55HWj2g4eO1h2S6ptXX0m5RJNVMpt=tCkvVNg@mail.gmail.com>
Message-ID: <CAEePdh=-UqSu3Te9acUHZY5KQguJQ66-FMuM9+Tm3d4VV9E67Q@mail.gmail.com>

Just a guess,
but when you restart your selinux contexts might get reset (they do at our
infrastructure). Had you check for:
audit2why < /var/log/audit/audit.log


On Fri, Jul 26, 2013 at 12:23 PM, Schmitt, Christian <
c.schmitt at briefdomain.de> wrote:

> Hello,
> currently I'm trying to get ipa working on a virtual environment, after we
> updated the kernel and restarted ipa, we can't login to our web ui.
>
> The time is totally correct, and nothing has changed except the kernel
> update.
>
> our current operatingsystem is CentOS 6.4 (with the newest updates)
>
> The Web UI always says 'Your session has expired. Please re-login.'
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130726/fa99cc62/attachment.htm>

From mkosek at redhat.com  Fri Jul 26 12:04:56 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 26 Jul 2013 14:04:56 +0200
Subject: [Freeipa-users] Login to Web UI don't work after restart
In-Reply-To: <CAPDLAU4w2idUs55HWj2g4eO1h2S6ptXX0m5RJNVMpt=tCkvVNg@mail.gmail.com>
References: <CAPDLAU4w2idUs55HWj2g4eO1h2S6ptXX0m5RJNVMpt=tCkvVNg@mail.gmail.com>
Message-ID: <51F265E8.20102@redhat.com>

On 07/26/2013 12:23 PM, Schmitt, Christian wrote:
> Hello,
> currently I'm trying to get ipa working on a virtual environment, after we
> updated the kernel and restarted ipa, we can't login to our web ui.
> 
> The time is totally correct, and nothing has changed except the kernel
> update.
> 
> our current operatingsystem is CentOS 6.4 (with the newest updates)
> 
> The Web UI always says 'Your session has expired. Please re-login.'
> 

I suspect this is caused by a known RHEL-6.2 to RHEL-6.4 upgrade glitch causing
ipa_memcached to not be added correctly to list of IPA services.

Is ipa_memcached service running? If not, can you please start it and try to
log in again?

Martin



From mkosek at redhat.com  Fri Jul 26 12:08:23 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 26 Jul 2013 14:08:23 +0200
Subject: [Freeipa-users] Login to Web UI don't work after restart
In-Reply-To: <51F265E8.20102@redhat.com>
References: <CAPDLAU4w2idUs55HWj2g4eO1h2S6ptXX0m5RJNVMpt=tCkvVNg@mail.gmail.com>
	<51F265E8.20102@redhat.com>
Message-ID: <51F266B7.4030904@redhat.com>

On 07/26/2013 02:04 PM, Martin Kosek wrote:
> On 07/26/2013 12:23 PM, Schmitt, Christian wrote:
>> Hello,
>> currently I'm trying to get ipa working on a virtual environment, after we
>> updated the kernel and restarted ipa, we can't login to our web ui.
>>
>> The time is totally correct, and nothing has changed except the kernel
>> update.
>>
>> our current operatingsystem is CentOS 6.4 (with the newest updates)
>>
>> The Web UI always says 'Your session has expired. Please re-login.'
>>
> 
> I suspect this is caused by a known RHEL-6.2 to RHEL-6.4 upgrade glitch causing
> ipa_memcached to not be added correctly to list of IPA services.
> 
> Is ipa_memcached service running? If not, can you please start it and try to
> log in again?
> 
> Martin

FYI, this is the probably related KB article including a procedure how to
permanently fix it (to avoid ipa_memcached not starting again next time you
restart):

https://access.redhat.com/site/solutions/413593

Martin



From rcritten at redhat.com  Fri Jul 26 12:48:43 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 26 Jul 2013 08:48:43 -0400
Subject: [Freeipa-users] still failing to get a RHEL 5 client to join,
 LDAP bind issue?
In-Reply-To: <1374781887.4302.15.camel@localhost.localdomain>
References: <1374781887.4302.15.camel@localhost.localdomain>
Message-ID: <51F2702B.3040101@redhat.com>

Armstrong, Kenneth Lawrence wrote:
> I am still having issues trying to get a RHEL 5.9 client to join a RHEL
> 6.4 IdM domain.
>
> All packages on both systems updated.
>
> First problem is this:
>
> ipa-client-install --server lnxrealmtest01.liberty.edu --domain
> lnxrealmtest.liberty.edu --enable-dns-updates
>
> Which fails with:
>
> root        : ERROR    Cannot obtain CA certificate
> 'ldap://lnxrealmtest01.liberty.edu' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> All of the appropriate ports are open on the IdM server, and I verified
> this by telnetting to all of them.
>
> I worked around this by running this:
>
> wget -O /etc/ipa/ca.crt http://lnxrealmtest01.liberty.edu/ipa/config/ca.crt
>
> Then ran:
>
> ipa-client-install --server lnxrealmtest01.lnxrealmtest.liberty.edu
> --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp
> --ca-cert-file=/etc/ipa/ca.crt
>
> And I was having better results, so apparently the RHEL 5.9
> ipa-client-install does not want to download my cert.
>
>
> On to the next problem:
>
>
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for admin at LNXREALMTEST.LIBERTY.EDU
> <mailto:admin at LNXREALMTEST.LIBERTY.EDU>:
>
> Joining realm failed: SASL Bind failed Local error (-2) !
> child exited with 9
> Installation failed. Rolling back changes.
>
>
> It is the same user that I use to login to the web interface, and I am
> 100% positive that I am not entering the password incorrectly.  So why
> else would the admin user not be able to bind to my IdM setup?

The client install log may have more details. And I'd check the KDC log 
(on server /var/log/krb5kdc.log) to see why the bind failed.

rob



From klarmstrong2 at liberty.edu  Fri Jul 26 13:20:57 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Fri, 26 Jul 2013 13:20:57 +0000
Subject: [Freeipa-users] still failing to get a RHEL 5 client to join,
 LDAP bind issue?
In-Reply-To: <24858152.147.1374834177771.JavaMail.javamailuser@localhost>
References: <1374781887.4302.15.camel@localhost.localdomain>
	<51F19A24.8010005@redhat.com>
	<24858152.147.1374834177771.JavaMail.javamailuser@localhost>
Message-ID: <1374844858.5157.3.camel@localhost.localdomain>

On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:


________________________________

From: "Dmitri Pal" <dpal at redhat.com>
To: freeipa-users at redhat.com
Sent: Thursday, 25 July, 2013 11:35:32 PM
Subject: Re: [Freeipa-users] still failing to get a RHEL 5 client to join, LDAP bind issue?

On 07/25/2013 03:51 PM, Armstrong, Kenneth Lawrence wrote:
I am still having issues trying to get a RHEL 5.9 client to join a RHEL 6.4 IdM domain.

All packages on both systems updated.

First problem is this:

ipa-client-install --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu --enable-dns-updates

Which fails with:

root        : ERROR    Cannot obtain CA certificate
'ldap://lnxrealmtest01.liberty.edu' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

All of the appropriate ports are open on the IdM server, and I verified this by telnetting to all of them.

I worked around this by running this:

wget -O /etc/ipa/ca.crt http://lnxrealmtest01.liberty.edu/ipa/config/ca.crt

Then ran:

ipa-client-install --server lnxrealmtest01.lnxrealmtest.liberty.edu --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt

And I was having better results, so apparently the RHEL 5.9 ipa-client-install does not want to download my cert.

This rings the bell. It sounds like a known issue for 5.9 openssl libraries.
Rob can you add details please?



On to the next problem:


User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU>:

Joining realm failed: SASL Bind failed Local error (-2) !
child exited with 9
Installation failed. Rolling back changes.


Run ipa-client-install with "-d" debug flag to get more information. I've had the same issue due to DNS reverse for the server not being correct (check the krb log in the server)


It is the same user that I use to login to the web interface, and I am 100% positive that I am not entering the password incorrectly.  So why else would the admin user not be able to bind to my IdM setup?

-Kenny



_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users





--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/<http://www.redhat.com/carveoutcosts/>




_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Eduardo M?nguez P?rez
Infrastructure Consultant (RHCE, RHCSA)
Red Hat - Spain
Mobile: +34 629803049 (CET/CEST)
E-mail: eminguez at redhat.com




_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


Ok, if I have time, I'll try with a RHEL 5.8 client today.


As for debug output, this is what I get:

[root at r5-idmclient<mailto:root at r5-idmclient> ~]# ipa-client-install --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu', 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False, 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt', 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal': None}
root        : DEBUG    missing options might be asked for interactively later

root        : DEBUG    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root        : DEBUG    Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
root        : DEBUG    [ipadnssearchkrb]
root        : DEBUG    [ipacheckldap]
root        : DEBUG    Init ldap with: ldap://lnxrealmtest01.liberty.edu:389
root        : ERROR    LDAP Error: Connect error: TLS: hostname does not match CN in peer certificate
root        : DEBUG    will use domain: lnxrealmtest.liberty.edu

root        : DEBUG    will use server: lnxrealmtest01.liberty.edu

Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


I do have an A record and PTR record for both lnxrealmtest01.liberty.edu and lnxrealmtest.lnxrealmtest.liberty.edu.

The part that confuses me (I'm still new to the innards of SSL) is this:

DAP Error: Connect error: TLS: hostname does not match CN in peer certificate

When I look at the cert using:

openssl x509 -in /etc/ipa/ca.crt -noout -text

I see this:

Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
        Validity
            Not Before: Jul 25 18:22:53 2013 GMT
            Not After : Jul 25 18:22:53 2033 GMT
        Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority


and ...

OCSP - URI:http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp


So is it trying to use CN=Certificate Authority when it's expecting the host name of the IPA server?

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130726/02cad421/attachment.htm>

From ziplyx at gmail.com  Fri Jul 26 10:31:19 2013
From: ziplyx at gmail.com (Zip Ly)
Date: Fri, 26 Jul 2013 12:31:19 +0200
Subject: [Freeipa-users] How to communicate IPA with PHP
Message-ID: <CAO5uCSm07DzO6jca=i-2rV0qiM3W2c23nywCNKLgV9tdYVBz1A@mail.gmail.com>

Normally if IPA has a well documented API then my approach would be:
user --> (internet) --> webserver --> lPA API --> IPA server


But since there isn't much info about the API then my approach would be:
user --> (internet) --> webserver --> a PHP script which acts as an custom
API --> IPA server


The problem is I don't know which commands are available en which
values/params I should send. For example:

http://www.freeipa.org/docs/1.2/Administrators_Reference/en-US/html/chap-Administration_Reference-XML_RPC_Application_Programming_Interface_API_Documentation.html#
These are commands for xml rpc. Without examples it's difficult to find
out how to use it.

But they are different from this example:
http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
In this example a "user_find" command is used, but this command cannot be
found in the official xml rpc document above.

In ssh I can display a list of commands with "ipa help commands" I don't
know if they are all supported in "/ipa/json" I probably need to replace
all dashes with underscores (correct me if I'm wrong).

If I want to display all the supported params from one certain command
for example "ipa help user-find". Then, are all the double dashed params
also the supported params which I can send with JSON?

I prefer using the native API if there is one (hidden somewhere), because I
don't want to reinvent the wheel with security leaks which I'm not aware
of. Especially when I need to execute CLI commands from the PHP scripts.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130726/6d193126/attachment.htm>

From pspacek at redhat.com  Fri Jul 26 14:09:49 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 26 Jul 2013 16:09:49 +0200
Subject: [Freeipa-users] How to communicate IPA with PHP
In-Reply-To: <CAO5uCSm07DzO6jca=i-2rV0qiM3W2c23nywCNKLgV9tdYVBz1A@mail.gmail.com>
References: <CAO5uCSm07DzO6jca=i-2rV0qiM3W2c23nywCNKLgV9tdYVBz1A@mail.gmail.com>
Message-ID: <51F2832D.3010101@redhat.com>

On 26.7.2013 12:31, Zip Ly wrote:
> Normally if IPA has a well documented API then my approach would be:
> user --> (internet) --> webserver --> lPA API --> IPA server
>
>
> But since there isn't much info about the API then my approach would be:
> user --> (internet) --> webserver --> a PHP script which acts as an custom
> API --> IPA server
>
>
> The problem is I don't know which commands are available en which
> values/params I should send. For example:
>
> http://www.freeipa.org/docs/1.2/Administrators_Reference/en-US/html/chap-Administration_Reference-XML_RPC_Application_Programming_Interface_API_Documentation.html#
> These are commands for xml rpc. Without examples it's difficult to find
> out how to use it.

Note that this link points to docs for FreeIPA 1.2.1, which is several years 
old and totally unsupported. Please use articles written for FreeIPA 2.x or 3.x.

> But they are different from this example:
> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
> In this example a "user_find" command is used, but this command cannot be
> found in the official xml rpc document above.
>
> In ssh I can display a list of commands with "ipa help commands" I don't
> know if they are all supported in "/ipa/json" I probably need to replace
> all dashes with underscores (correct me if I'm wrong).
>
> If I want to display all the supported params from one certain command
> for example "ipa help user-find". Then, are all the double dashed params
> also the supported params which I can send with JSON?
>
> I prefer using the native API if there is one (hidden somewhere), because I
> don't want to reinvent the wheel with security leaks which I'm not aware
> of. Especially when I need to execute CLI commands from the PHP scripts.

-- 
Petr^2 Spacek



From rcritten at redhat.com  Fri Jul 26 14:20:00 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 26 Jul 2013 10:20:00 -0400
Subject: [Freeipa-users] still failing to get a RHEL 5 client to join,
 LDAP bind issue?
In-Reply-To: <1374844858.5157.3.camel@localhost.localdomain>
References: <1374781887.4302.15.camel@localhost.localdomain>
	<51F19A24.8010005@redhat.com>
	<24858152.147.1374834177771.JavaMail.javamailuser@localhost>
	<1374844858.5157.3.camel@localhost.localdomain>
Message-ID: <51F28590.9050804@redhat.com>

Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:
> Ok, if I have time, I'll try with a RHEL 5.8 client today.
>
>
> As for debug output, this is what I get:
>
> [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
> --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
> --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
> root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu',
> 'uninstall': False, 'force': False, 'sssd': True,
> 'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
> 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False,
> 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False,
> 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt',
> 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal':
> None}
> root        : DEBUG    missing options might be asked for interactively
> later
>
> root        : DEBUG    Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root        : DEBUG    Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root        : DEBUG    [ipadnssearchkrb]
> root        : DEBUG    [ipacheckldap]
> root        : DEBUG    Init ldap with: ldap://lnxrealmtest01.liberty.edu:389
> root        : ERROR    LDAP Error: Connect error: TLS: hostname does not
> match CN in peer certificate
> root        : DEBUG    will use domain: lnxrealmtest.liberty.edu
>
> root        : DEBUG    will use server: lnxrealmtest01.liberty.edu
>
> Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> I do have an A record and PTR record for both lnxrealmtest01.liberty.edu
> and lnxrealmtest.lnxrealmtest.liberty.edu.
>
> The part that confuses me (I'm still new to the innards of SSL) is this:
>
> DAP Error: Connect error: TLS: hostname does not match CN in peer
> certificate
>
> When I look at the cert using:
>
> openssl x509 -in /etc/ipa/ca.crt -noout -text
>
> I see this:
>
> Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>          Validity
>              Not Before: Jul 25 18:22:53 2013 GMT
>              Not After : Jul 25 18:22:53 2033 GMT
>          Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>
>
> and ...
>
> OCSP - URI:http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp

No, you looked at the wrong certificate.

To look at it use:

# certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert

rob



From klarmstrong2 at liberty.edu  Fri Jul 26 14:32:57 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Fri, 26 Jul 2013 14:32:57 +0000
Subject: [Freeipa-users] still failing to get a RHEL 5 client to join,
 LDAP bind issue?
In-Reply-To: <51F28590.9050804@redhat.com>
References: <1374781887.4302.15.camel@localhost.localdomain>
	<51F19A24.8010005@redhat.com>
	<24858152.147.1374834177771.JavaMail.javamailuser@localhost>
	<1374844858.5157.3.camel@localhost.localdomain>
	<51F28590.9050804@redhat.com>
Message-ID: <1374849178.5157.5.camel@localhost.localdomain>

On Fri, 2013-07-26 at 10:20 -0400, Rob Crittenden wrote:


Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:
> Ok, if I have time, I'll try with a RHEL 5.8 client today.
>
>
> As for debug output, this is what I get:
>
> [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
> --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
> --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
> root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu',
> 'uninstall': False, 'force': False, 'sssd': True,
> 'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
> 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False,
> 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False,
> 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt',
> 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal':
> None}
> root        : DEBUG    missing options might be asked for interactively
> later
>
> root        : DEBUG    Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root        : DEBUG    Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root        : DEBUG    [ipadnssearchkrb]
> root        : DEBUG    [ipacheckldap]
> root        : DEBUG    Init ldap with: ldap://lnxrealmtest01.liberty.edu:389
> root        : ERROR    LDAP Error: Connect error: TLS: hostname does not
> match CN in peer certificate
> root        : DEBUG    will use domain: lnxrealmtest.liberty.edu
>
> root        : DEBUG    will use server: lnxrealmtest01.liberty.edu
>
> Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> I do have an A record and PTR record for both lnxrealmtest01.liberty.edu
> and lnxrealmtest.lnxrealmtest.liberty.edu.
>
> The part that confuses me (I'm still new to the innards of SSL) is this:
>
> DAP Error: Connect error: TLS: hostname does not match CN in peer
> certificate
>
> When I look at the cert using:
>
> openssl x509 -in /etc/ipa/ca.crt -noout -text
>
> I see this:
>
> Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>          Validity
>              Not Before: Jul 25 18:22:53 2013 GMT
>              Not After : Jul 25 18:22:53 2033 GMT
>          Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>
>
> and ...
>
> OCSP - URI:http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp

No, you looked at the wrong certificate.

To look at it use:

# certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert

rob


Ok, that makes sense.  The CN in that cert is correct, so I corrected my command.  It's still failing on binding a user it looks like.

I've attached the complete output.

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130726/ed6cb859/attachment.htm>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipa-client-install-error.txt
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130726/ed6cb859/attachment.txt>

From rcritten at redhat.com  Fri Jul 26 14:37:02 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 26 Jul 2013 10:37:02 -0400
Subject: [Freeipa-users] How to communicate IPA with PHP
In-Reply-To: <CAO5uCSm07DzO6jca=i-2rV0qiM3W2c23nywCNKLgV9tdYVBz1A@mail.gmail.com>
References: <CAO5uCSm07DzO6jca=i-2rV0qiM3W2c23nywCNKLgV9tdYVBz1A@mail.gmail.com>
Message-ID: <51F2898E.2080504@redhat.com>

Zip Ly wrote:
>
> Normally if IPA has a well documented API then my approach would be:
> user --> (internet) --> webserver --> lPA API --> IPA server
> But since there isn't much info about the API then my approach would be:
> user --> (internet) --> webserver --> a PHP script which acts as an
> custom API --> IPA server
> The problem is I don't know which commands are available en which
> values/params I should send. For example:
> http://www.freeipa.org/docs/1.2/Administrators_Reference/en-US/html/chap-Administration_Reference-XML_RPC_Application_Programming_Interface_API_Documentation.html#
> These are commands for xml rpc. Without examples it's difficult to find
> out how to use it.

The API changed between v1 and v2/3, so these docs are not right for 
your purposes.

We haven't formally documented the API (either json or xml-rpc) yet 
because it is still somewhat in flux. The API is baked into the ipa 
client, so any command you can run from there is the equivalent of a 
json/xml-rpc command, just substituting underscore for dash.

About the closest we have is API.txt in the source tree. This is really 
designed to be read by a computer but it outlines each command and the 
options it takes, and the output it returns.

> But they are different from this example:
> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
> In this example a "user_find" command is used, but this command cannot
> be found in the official xml rpc document above.
> In ssh I can display a list of commands with "ipa help commands" I don't
> know if they are all supported in "/ipa/json" I probably need to replace
> all dashes with underscores (correct me if I'm wrong).

The same commands and options are available over json as xml-rpc.

> If I want to display all the supported params from one certain command
> for example "ipa help user-find". Then, are all the double dashed params
> also the supported params which I can send with JSON?

Yes.

> I prefer using the native API if there is one (hidden somewhere),
> because I don't want to reinvent the wheel with security leaks which I'm
> not aware of. Especially when I need to execute CLI commands from
> the PHP scripts.

The native API is json/xml-rpc. They are currently equivalent. In the 
near future we are going to mark xml-rpc as deprecated and it will start 
to fall behind in features, and eventually we may drop it altogether.

rob



From rcritten at redhat.com  Fri Jul 26 14:47:01 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 26 Jul 2013 10:47:01 -0400
Subject: [Freeipa-users] still failing to get a RHEL 5 client to join,
 LDAP bind issue?
In-Reply-To: <1374849178.5157.5.camel@localhost.localdomain>
References: <1374781887.4302.15.camel@localhost.localdomain>
	<51F19A24.8010005@redhat.com>
	<24858152.147.1374834177771.JavaMail.javamailuser@localhost>
	<1374844858.5157.3.camel@localhost.localdomain>
	<51F28590.9050804@redhat.com>
	<1374849178.5157.5.camel@localhost.localdomain>
Message-ID: <51F28BE5.5030700@redhat.com>

Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-26 at 10:20 -0400, Rob Crittenden wrote:
>> Armstrong, Kenneth Lawrence wrote:
>> > On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:
>> > Ok, if I have time, I'll try with a RHEL 5.8 client today.
>> >
>> >
>> > As for debug output, this is what I get:
>> >
>> > [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
>> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
>> > --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
>> > root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
>> > options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu',
>> > 'uninstall': False, 'force': False, 'sssd': True,
>> > 'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
>> > 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False,
>> > 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False,
>> > 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt',
>> > 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal':
>> > None}
>> > root        : DEBUG    missing options might be asked for interactively
>> > later
>> >
>> > root        : DEBUG    Loading Index file from
>> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> > root        : DEBUG    Loading StateFile from
>> > '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> > root        : DEBUG    [ipadnssearchkrb]
>> > root        : DEBUG    [ipacheckldap]
>> > root        : DEBUG    Init ldap with: ldap://lnxrealmtest01.liberty.edu:389
>> > root        : ERROR    LDAP Error: Connect error: TLS: hostname does not
>> > match CN in peer certificate
>> > root        : DEBUG    will use domain: lnxrealmtest.liberty.edu
>> >
>> > root        : DEBUG    will use server: lnxrealmtest01.liberty.edu
>> >
>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
>> > This may mean that the remote server is not up or is not reachable
>> > due to network or firewall settings.
>> > Installation failed. Rolling back changes.
>> > IPA client is not configured on this system.
>> >
>> >
>> > I do have an A record and PTR record for both lnxrealmtest01.liberty.edu
>> > and lnxrealmtest.lnxrealmtest.liberty.edu.
>> >
>> > The part that confuses me (I'm still new to the innards of SSL) is this:
>> >
>> > DAP Error: Connect error: TLS: hostname does not match CN in peer
>> > certificate
>> >
>> > When I look at the cert using:
>> >
>> > openssl x509 -in /etc/ipa/ca.crt -noout -text
>> >
>> > I see this:
>> >
>> > Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>> >          Validity
>> >              Not Before: Jul 25 18:22:53 2013 GMT
>> >              Not After : Jul 25 18:22:53 2033 GMT
>> >          Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>> >
>> >
>> > and ...
>> >
>> > OCSP - URI:http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp
>>
>> No, you looked at the wrong certificate.
>>
>> To look at it use:
>>
>> # certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert
>>
>> rob
>
> Ok, that makes sense.  The CN in that cert is correct, so I corrected my
> command.  It's still failing on binding a user it looks like.
>
> I've attached the complete output.

Take a look at your 389-ds error log and the KDC log. The only thing we 
get on the client side is LOCAL_ERROR.

rob



From pvoborni at redhat.com  Fri Jul 26 14:59:10 2013
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 26 Jul 2013 16:59:10 +0200
Subject: [Freeipa-users] How to communicate IPA with PHP
In-Reply-To: <51F2898E.2080504@redhat.com>
References: <CAO5uCSm07DzO6jca=i-2rV0qiM3W2c23nywCNKLgV9tdYVBz1A@mail.gmail.com>
	<51F2898E.2080504@redhat.com>
Message-ID: <51F28EBE.6000606@redhat.com>

On 07/26/2013 04:37 PM, Rob Crittenden wrote:
> Zip Ly wrote:
>>
>> Normally if IPA has a well documented API then my approach would be:
>> user --> (internet) --> webserver --> lPA API --> IPA server
>> But since there isn't much info about the API then my approach would be:
>> user --> (internet) --> webserver --> a PHP script which acts as an
>> custom API --> IPA server
>> The problem is I don't know which commands are available en which
>> values/params I should send. For example:
>> http://www.freeipa.org/docs/1.2/Administrators_Reference/en-US/html/chap-Administration_Reference-XML_RPC_Application_Programming_Interface_API_Documentation.html#
>>
>> These are commands for xml rpc. Without examples it's difficult to find
>> out how to use it.
>
> The API changed between v1 and v2/3, so these docs are not right for
> your purposes.
>
> We haven't formally documented the API (either json or xml-rpc) yet
> because it is still somewhat in flux. The API is baked into the ipa
> client, so any command you can run from there is the equivalent of a
> json/xml-rpc command, just substituting underscore for dash.
>
> About the closest we have is API.txt in the source tree. This is really
> designed to be read by a computer but it outlines each command and the
> options it takes, and the output it returns.
>
>> But they are different from this example:
>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
>>
>> In this example a "user_find" command is used, but this command cannot
>> be found in the official xml rpc document above.
>> In ssh I can display a list of commands with "ipa help commands" I don't
>> know if they are all supported in "/ipa/json" I probably need to replace
>> all dashes with underscores (correct me if I'm wrong).
>
> The same commands and options are available over json as xml-rpc.
>
>> If I want to display all the supported params from one certain command
>> for example "ipa help user-find". Then, are all the double dashed params
>> also the supported params which I can send with JSON?
>
> Yes.

Note that for some LDAP attributes dash param names may be different 
than API option names. It those cases the correct one is LDAP attribute 
name.

Use `ipa show-mappings command-name` to find the correct names.

>
>> I prefer using the native API if there is one (hidden somewhere),
>> because I don't want to reinvent the wheel with security leaks which I'm
>> not aware of. Especially when I need to execute CLI commands from
>> the PHP scripts.
>
> The native API is json/xml-rpc. They are currently equivalent. In the
> near future we are going to mark xml-rpc as deprecated and it will start
> to fall behind in features, and eventually we may drop it altogether.
>
> rob
>

-- 
Petr Vobornik



From klarmstrong2 at liberty.edu  Fri Jul 26 14:59:29 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Fri, 26 Jul 2013 14:59:29 +0000
Subject: [Freeipa-users] still failing to get a RHEL 5 client to join,
 LDAP bind issue?
In-Reply-To: <51F28BE5.5030700@redhat.com>
References: <1374781887.4302.15.camel@localhost.localdomain>
	<51F19A24.8010005@redhat.com>
	<24858152.147.1374834177771.JavaMail.javamailuser@localhost>
	<1374844858.5157.3.camel@localhost.localdomain>
	<51F28590.9050804@redhat.com>
	<1374849178.5157.5.camel@localhost.localdomain>
	<51F28BE5.5030700@redhat.com>
Message-ID: <1374850769.5157.8.camel@localhost.localdomain>

On Fri, 2013-07-26 at 10:47 -0400, Rob Crittenden wrote:


Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-26 at 10:20 -0400, Rob Crittenden wrote:
>> Armstrong, Kenneth Lawrence wrote:
>> > On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:
>> > Ok, if I have time, I'll try with a RHEL 5.8 client today.
>> >
>> >
>> > As for debug output, this is what I get:
>> >
>> > [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
>> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
>> > --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
>> > root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
>> > options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu',
>> > 'uninstall': False, 'force': False, 'sssd': True,
>> > 'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
>> > 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False,
>> > 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False,
>> > 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt',
>> > 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal':
>> > None}
>> > root        : DEBUG    missing options might be asked for interactively
>> > later
>> >
>> > root        : DEBUG    Loading Index file from
>> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> > root        : DEBUG    Loading StateFile from
>> > '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> > root        : DEBUG    [ipadnssearchkrb]
>> > root        : DEBUG    [ipacheckldap]
>> > root        : DEBUG    Init ldap with: ldap://lnxrealmtest01.liberty.edu:389
>> > root        : ERROR    LDAP Error: Connect error: TLS: hostname does not
>> > match CN in peer certificate
>> > root        : DEBUG    will use domain: lnxrealmtest.liberty.edu
>> >
>> > root        : DEBUG    will use server: lnxrealmtest01.liberty.edu
>> >
>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
>> > This may mean that the remote server is not up or is not reachable
>> > due to network or firewall settings.
>> > Installation failed. Rolling back changes.
>> > IPA client is not configured on this system.
>> >
>> >
>> > I do have an A record and PTR record for both lnxrealmtest01.liberty.edu
>> > and lnxrealmtest.lnxrealmtest.liberty.edu.
>> >
>> > The part that confuses me (I'm still new to the innards of SSL) is this:
>> >
>> > DAP Error: Connect error: TLS: hostname does not match CN in peer
>> > certificate
>> >
>> > When I look at the cert using:
>> >
>> > openssl x509 -in /etc/ipa/ca.crt -noout -text
>> >
>> > I see this:
>> >
>> > Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>> >          Validity
>> >              Not Before: Jul 25 18:22:53 2013 GMT
>> >              Not After : Jul 25 18:22:53 2033 GMT
>> >          Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>> >
>> >
>> > and ...
>> >
>> > OCSP - URI:http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp
>>
>> No, you looked at the wrong certificate.
>>
>> To look at it use:
>>
>> # certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert
>>
>> rob
>
> Ok, that makes sense.  The CN in that cert is correct, so I corrected my
> command.  It's still failing on binding a user it looks like.
>
> I've attached the complete output.

Take a look at your 389-ds error log and the KDC log. The only thing we
get on the client side is LOCAL_ERROR.

rob



I see this in /var/log/krb5kdc.log:

Jul 26 10:27:10 lnxrealmtest01.lnxrealmtest.liberty.edu krb5kdc[2987](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.203.60.226: UNKNOWN_SERVER: authtime 0,  admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU> for krbtgt/LIBERTY.EDU at LNXREALMTEST.LIBERTY.EDU<mailto:LIBERTY.EDU at LNXREALMTEST.LIBERTY.EDU>, Server not found in Kerberos database
Jul 26 10:49:06 lnxrealmtest01.lnxrealmtest.liberty.edu krb5kdc[2987](info): AS_REQ (4 etypes {18 17 16 23}) 10.203.60.225: NEEDED_PREAUTH: host/lnxrealmtest01.lnxrealmtest.liberty.edu at LNXREALMTEST.LIBERTY.EDU<mailto:lnxrealmtest01.lnxrealmtest.liberty.edu at LNXREALMTEST.LIBERTY.EDU> for krbtgt/LNXREALMTEST.LIBERTY.EDU at LNXREALMTEST.LIBERTY.EDU<mailto:LNXREALMTEST.LIBERTY.EDU at LNXREALMTEST.LIBERTY.EDU>, Additional pre-authentication required


This is in /var/log/dirsrv/slapd-PKI-IPA/access log:

[26/Jul/2013:10:28:36 -0400] conn=241 fd=65 slot=65 connection from 10.203.60.225 to 10.203.60.225
[26/Jul/2013:10:28:36 -0400] conn=241 op=0 BIND dn="cn=Directory Manager" method=128 version=2
[26/Jul/2013:10:28:36 -0400] conn=241 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[26/Jul/2013:10:28:36 -0400] conn=241 op=1 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Jul/2013:10:28:36 -0400] conn=241 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[26/Jul/2013:10:28:36 -0400] conn=241 op=2 UNBIND
[26/Jul/2013:10:28:36 -0400] conn=241 op=2 fd=65 closed - U1



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130726/c2a47255/attachment.htm>

From klarmstrong2 at liberty.edu  Fri Jul 26 18:14:22 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Fri, 26 Jul 2013 18:14:22 +0000
Subject: [Freeipa-users] still failing to get a RHEL 5 client to join,
 LDAP bind issue?
In-Reply-To: <1374850769.5157.8.camel@localhost.localdomain>
References: <1374781887.4302.15.camel@localhost.localdomain>
	<51F19A24.8010005@redhat.com>
	<24858152.147.1374834177771.JavaMail.javamailuser@localhost>
	<1374844858.5157.3.camel@localhost.localdomain>
	<51F28590.9050804@redhat.com>
	<1374849178.5157.5.camel@localhost.localdomain>
	<51F28BE5.5030700@redhat.com>
	<1374850769.5157.8.camel@localhost.localdomain>
Message-ID: <1374862463.24390.5.camel@localhost.localdomain>

On Fri, 2013-07-26 at 14:59 +0000, Armstrong, Kenneth Lawrence wrote:
On Fri, 2013-07-26 at 10:47 -0400, Rob Crittenden wrote:


Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-26 at 10:20 -0400, Rob Crittenden wrote:
>> Armstrong, Kenneth Lawrence wrote:
>> > On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:
>> > Ok, if I have time, I'll try with a RHEL 5.8 client today.
>> >
>> >
>> > As for debug output, this is what I get:
>> >
>> > [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
>> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
>> > --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
>> > root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
>> > options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu',
>> > 'uninstall': False, 'force': False, 'sssd': True,
>> > 'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
>> > 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False,
>> > 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False,
>> > 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt',
>> > 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal':
>> > None}
>> > root        : DEBUG    missing options might be asked for interactively
>> > later
>> >
>> > root        : DEBUG    Loading Index file from
>> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> > root        : DEBUG    Loading StateFile from
>> > '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> > root        : DEBUG    [ipadnssearchkrb]
>> > root        : DEBUG    [ipacheckldap]
>> > root        : DEBUG    Init ldap with: ldap://lnxrealmtest01.liberty.edu:389
>> > root        : ERROR    LDAP Error: Connect error: TLS: hostname does not
>> > match CN in peer certificate
>> > root        : DEBUG    will use domain: lnxrealmtest.liberty.edu
>> >
>> > root        : DEBUG    will use server: lnxrealmtest01.liberty.edu
>> >
>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
>> > This may mean that the remote server is not up or is not reachable
>> > due to network or firewall settings.
>> > Installation failed. Rolling back changes.
>> > IPA client is not configured on this system.
>> >
>> >
>> > I do have an A record and PTR record for both lnxrealmtest01.liberty.edu
>> > and lnxrealmtest.lnxrealmtest.liberty.edu.
>> >
>> > The part that confuses me (I'm still new to the innards of SSL) is this:
>> >
>> > DAP Error: Connect error: TLS: hostname does not match CN in peer
>> > certificate
>> >
>> > When I look at the cert using:
>> >
>> > openssl x509 -in /etc/ipa/ca.crt -noout -text
>> >
>> > I see this:
>> >
>> > Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>> >          Validity
>> >              Not Before: Jul 25 18:22:53 2013 GMT
>> >              Not After : Jul 25 18:22:53 2033 GMT
>> >          Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>> >
>> >
>> > and ...
>> >
>> > OCSP - URI:http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp
>>
>> No, you looked at the wrong certificate.
>>
>> To look at it use:
>>
>> # certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert
>>
>> rob
>
> Ok, that makes sense.  The CN in that cert is correct, so I corrected my
> command.  It's still failing on binding a user it looks like.
>
> I've attached the complete output.

Take a look at your 389-ds error log and the KDC log. The only thing we
get on the client side is LOCAL_ERROR.

rob



I see this in /var/log/krb5kdc.log:

Jul 26 10:27:10 lnxrealmtest01.lnxrealmtest.liberty.edu krb5kdc[2987](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.203.60.226: UNKNOWN_SERVER: authtime 0,  admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU> for krbtgt/LIBERTY.EDU at LNXREALMTEST.LIBERTY.EDU<mailto:LIBERTY.EDU at LNXREALMTEST.LIBERTY.EDU>, Server not found in Kerberos database
Jul 26 10:49:06 lnxrealmtest01.lnxrealmtest.liberty.edu krb5kdc[2987](info): AS_REQ (4 etypes {18 17 16 23}) 10.203.60.225: NEEDED_PREAUTH: host/lnxrealmtest01.lnxrealmtest.liberty.edu at LNXREALMTEST.LIBERTY.EDU<mailto:lnxrealmtest01.lnxrealmtest.liberty.edu at LNXREALMTEST.LIBERTY.EDU> for krbtgt/LNXREALMTEST.LIBERTY.EDU at LNXREALMTEST.LIBERTY.EDU<mailto:LNXREALMTEST.LIBERTY.EDU at LNXREALMTEST.LIBERTY.EDU>, Additional pre-authentication required


This is in /var/log/dirsrv/slapd-PKI-IPA/access log:

[26/Jul/2013:10:28:36 -0400] conn=241 fd=65 slot=65 connection from 10.203.60.225 to 10.203.60.225
[26/Jul/2013:10:28:36 -0400] conn=241 op=0 BIND dn="cn=Directory Manager" method=128 version=2
[26/Jul/2013:10:28:36 -0400] conn=241 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[26/Jul/2013:10:28:36 -0400] conn=241 op=1 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Jul/2013:10:28:36 -0400] conn=241 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[26/Jul/2013:10:28:36 -0400] conn=241 op=2 UNBIND
[26/Jul/2013:10:28:36 -0400] conn=241 op=2 fd=65 closed - U1





_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


I tried a RHEL 5.8 client, and I didn't get the issue with the certificate not downloading, so it does seem like a problem with 5.9's libs on that one.

I am however getting the same binding error.  I even created another user that was in the admin group, and it still fails.

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130726/4dc766d8/attachment.htm>

From klarmstrong2 at liberty.edu  Fri Jul 26 18:55:49 2013
From: klarmstrong2 at liberty.edu (Armstrong, Kenneth Lawrence)
Date: Fri, 26 Jul 2013 18:55:49 +0000
Subject: [Freeipa-users] still failing to get a RHEL 5 client to join,
 LDAP bind issue?
In-Reply-To: <1374862463.24390.5.camel@localhost.localdomain>
References: <1374781887.4302.15.camel@localhost.localdomain>
	<51F19A24.8010005@redhat.com>
	<24858152.147.1374834177771.JavaMail.javamailuser@localhost>
	<1374844858.5157.3.camel@localhost.localdomain>
	<51F28590.9050804@redhat.com>
	<1374849178.5157.5.camel@localhost.localdomain>
	<51F28BE5.5030700@redhat.com>
	<1374850769.5157.8.camel@localhost.localdomain>
	<1374862463.24390.5.camel@localhost.localdomain>
Message-ID: <1374864950.24390.8.camel@localhost.localdomain>

On Fri, 2013-07-26 at 18:14 +0000, Armstrong, Kenneth Lawrence wrote:
On Fri, 2013-07-26 at 14:59 +0000, Armstrong, Kenneth Lawrence wrote:
On Fri, 2013-07-26 at 10:47 -0400, Rob Crittenden wrote:


Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-26 at 10:20 -0400, Rob Crittenden wrote:
>> Armstrong, Kenneth Lawrence wrote:
>> > On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:
>> > Ok, if I have time, I'll try with a RHEL 5.8 client today.
>> >
>> >
>> > As for debug output, this is what I get:
>> >
>> > [root at r5-idmclient <mailto:root at r5-idmclient> ~]# ipa-client-install
>> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
>> > --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
>> > root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
>> > options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu',
>> > 'uninstall': False, 'force': False, 'sssd': True,
>> > 'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
>> > 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False,
>> > 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False,
>> > 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt',
>> > 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal':
>> > None}
>> > root        : DEBUG    missing options might be asked for interactively
>> > later
>> >
>> > root        : DEBUG    Loading Index file from
>> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> > root        : DEBUG    Loading StateFile from
>> > '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> > root        : DEBUG    [ipadnssearchkrb]
>> > root        : DEBUG    [ipacheckldap]
>> > root        : DEBUG    Init ldap with: ldap://lnxrealmtest01.liberty.edu:389
>> > root        : ERROR    LDAP Error: Connect error: TLS: hostname does not
>> > match CN in peer certificate
>> > root        : DEBUG    will use domain: lnxrealmtest.liberty.edu
>> >
>> > root        : DEBUG    will use server: lnxrealmtest01.liberty.edu
>> >
>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
>> > This may mean that the remote server is not up or is not reachable
>> > due to network or firewall settings.
>> > Installation failed. Rolling back changes.
>> > IPA client is not configured on this system.
>> >
>> >
>> > I do have an A record and PTR record for both lnxrealmtest01.liberty.edu
>> > and lnxrealmtest.lnxrealmtest.liberty.edu.
>> >
>> > The part that confuses me (I'm still new to the innards of SSL) is this:
>> >
>> > DAP Error: Connect error: TLS: hostname does not match CN in peer
>> > certificate
>> >
>> > When I look at the cert using:
>> >
>> > openssl x509 -in /etc/ipa/ca.crt -noout -text
>> >
>> > I see this:
>> >
>> > Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>> >          Validity
>> >              Not Before: Jul 25 18:22:53 2013 GMT
>> >              Not After : Jul 25 18:22:53 2033 GMT
>> >          Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
>> >
>> >
>> > and ...
>> >
>> > OCSP - URI:http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp
>>
>> No, you looked at the wrong certificate.
>>
>> To look at it use:
>>
>> # certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert
>>
>> rob
>
> Ok, that makes sense.  The CN in that cert is correct, so I corrected my
> command.  It's still failing on binding a user it looks like.
>
> I've attached the complete output.

Take a look at your 389-ds error log and the KDC log. The only thing we
get on the client side is LOCAL_ERROR.

rob



I see this in /var/log/krb5kdc.log:

Jul 26 10:27:10 lnxrealmtest01.lnxrealmtest.liberty.edu krb5kdc[2987](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.203.60.226: UNKNOWN_SERVER: authtime 0,  admin at LNXREALMTEST.LIBERTY.EDU<mailto:admin at LNXREALMTEST.LIBERTY.EDU> for krbtgt/LIBERTY.EDU at LNXREALMTEST.LIBERTY.EDU<mailto:LIBERTY.EDU at LNXREALMTEST.LIBERTY.EDU>, Server not found in Kerberos database
Jul 26 10:49:06 lnxrealmtest01.lnxrealmtest.liberty.edu krb5kdc[2987](info): AS_REQ (4 etypes {18 17 16 23}) 10.203.60.225: NEEDED_PREAUTH: host/lnxrealmtest01.lnxrealmtest.liberty.edu at LNXREALMTEST.LIBERTY.EDU<mailto:lnxrealmtest01.lnxrealmtest.liberty.edu at LNXREALMTEST.LIBERTY.EDU> for krbtgt/LNXREALMTEST.LIBERTY.EDU at LNXREALMTEST.LIBERTY.EDU<mailto:LNXREALMTEST.LIBERTY.EDU at LNXREALMTEST.LIBERTY.EDU>, Additional pre-authentication required


This is in /var/log/dirsrv/slapd-PKI-IPA/access log:

[26/Jul/2013:10:28:36 -0400] conn=241 fd=65 slot=65 connection from 10.203.60.225 to 10.203.60.225
[26/Jul/2013:10:28:36 -0400] conn=241 op=0 BIND dn="cn=Directory Manager" method=128 version=2
[26/Jul/2013:10:28:36 -0400] conn=241 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[26/Jul/2013:10:28:36 -0400] conn=241 op=1 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Jul/2013:10:28:36 -0400] conn=241 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[26/Jul/2013:10:28:36 -0400] conn=241 op=2 UNBIND
[26/Jul/2013:10:28:36 -0400] conn=241 op=2 fd=65 closed - U1





_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


I tried a RHEL 5.8 client, and I didn't get the issue with the certificate not downloading, so it does seem like a problem with 5.9's libs on that one.

I am however getting the same binding error.  I even created another user that was in the admin group, and it still fails.

-Kenny


_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


Ok, so I was able to successfully joined a RHEL 5.8 client to the domain.  I had to take out all of the nameserver entries in the /etc/resolv.conf file and replaced it with the IP of the IdM server.

I tried the same exact thing on the 5.9 client, and it still fails.  I can't help but think that the messed up OpenSSL libs on 5.9 are the root cause of this.

-Kenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130726/09a6aac8/attachment.htm>

From yamakasi.014 at gmail.com  Mon Jul 29 13:42:10 2013
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 29 Jul 2013 15:42:10 +0200
Subject: [Freeipa-users] User_show works from webserver,
	user_add ipa: ERROR: Insufficient access
Message-ID: <CAPNQp04TvC27H05G=D9aJdBgGLY142pxMiqv5xRMaY-3RTEy4Q@mail.gmail.com>

Hi all,

Refering to this topic:
https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html

We are no able to do a show_user from a webserver on an IPA server, but
user_add gives a problem in rights.

On the IPA server there is added to the services:
HTTP/test-webserver.dev.domain.local at DEV.DOMAIN.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>

We installed mod_auth_kerb on the webserver and the IPA-server and created
a keytab also on both servers.
<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>

With our script we still get the following error because the rights that
the user has:

ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
'userPassword' attribute

When we add a user "apache" to the IPA server and give it admin rights and
set it to the "User Administrator" Role we still don't have the right
privileges to do so.

We need to setup a S4U2Proxy where we thought of that we did by installing
the mod_auth_kerb on the webserver, but this seems to be on the IPA servers.

The same question for the keytab, where do we use it when we use a simple
webserver form to add a user ? It's the same as in the topic here where
there is spoken about the "User privileges":
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244

What do we have to do on which server ? We have put a lot of time into the
user_show part and that works, now westill  need the user_add (and so on).

Has anyone some sort of sample/howto for this ?

Thanks in advance.

Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130729/94afc8d7/attachment.htm>

From abokovoy at redhat.com  Mon Jul 29 13:57:53 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 29 Jul 2013 16:57:53 +0300
Subject: [Freeipa-users] User_show works from webserver,
 user_add ipa: ERROR: Insufficient access
In-Reply-To: <CAPNQp04TvC27H05G=D9aJdBgGLY142pxMiqv5xRMaY-3RTEy4Q@mail.gmail.com>
References: <CAPNQp04TvC27H05G=D9aJdBgGLY142pxMiqv5xRMaY-3RTEy4Q@mail.gmail.com>
Message-ID: <20130729135753.GH15859@redhat.com>

Hi Matt,

On Mon, 29 Jul 2013, Matt . wrote:
>Hi all,
>
>Refering to this topic:
>https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html
>
>We are no able to do a show_user from a webserver on an IPA server, but
>user_add gives a problem in rights.
>
>On the IPA server there is added to the services:
>HTTP/test-webserver.dev.domain.local at DEV.DOMAIN.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>
>
>We installed mod_auth_kerb on the webserver and the IPA-server and created
>a keytab also on both servers.
><https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>
>
>With our script we still get the following error because the rights that
>the user has:
>
>ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
>'userPassword' attribute
>
>When we add a user "apache" to the IPA server and give it admin rights and
>set it to the "User Administrator" Role we still don't have the right
>privileges to do so.
>
>We need to setup a S4U2Proxy where we thought of that we did by installing
>the mod_auth_kerb on the webserver, but this seems to be on the IPA servers.
>
>The same question for the keytab, where do we use it when we use a simple
>webserver form to add a user ? It's the same as in the topic here where
>there is spoken about the "User privileges":
>http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244
>
>What do we have to do on which server ? We have put a lot of time into the
>user_show part and that works, now westill  need the user_add (and so on).
>
>Has anyone some sort of sample/howto for this ?
As I said on IRC, I'm working on the article which explains all that.
Stay tuned.


-- 
/ Alexander Bokovoy



From yamakasi.014 at gmail.com  Mon Jul 29 14:00:16 2013
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 29 Jul 2013 16:00:16 +0200
Subject: [Freeipa-users] User_show works from webserver,
 user_add ipa: ERROR: Insufficient access
In-Reply-To: <20130729135753.GH15859@redhat.com>
References: <CAPNQp04TvC27H05G=D9aJdBgGLY142pxMiqv5xRMaY-3RTEy4Q@mail.gmail.com>
	<20130729135753.GH15859@redhat.com>
Message-ID: <CAPNQp06U6KYvP+enfiUxrnk8+-JcofEDbZPRS52n7fuq1JVzxA@mail.gmail.com>

Hi Alexander,

That is great!

I hope that someone can find this topic and use it as reference as it tool
us some time to find the other one :)

Thanks!

Cheers,

Matt

2013/7/29 Alexander Bokovoy <abokovoy at redhat.com>

> Hi Matt,
>
>
> On Mon, 29 Jul 2013, Matt . wrote:
>
>> Hi all,
>>
>> Refering to this topic:
>> https://www.redhat.com/**archives/freeipa-users/2013-**July/msg00318.html<https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html>
>>
>> We are no able to do a show_user from a webserver on an IPA server, but
>> user_add gives a problem in rights.
>>
>> On the IPA server there is added to the services:
>> HTTP/test-webserver.dev.**domain.local at DEV.DOMAIN.LOCAL<**
>> https://test-zip.dev.msp.**cullie.local/ipa/ui/#HTTP/**
>> test-zip-2.dev.msp.cullie.**local at DEV.MSP.CULLIE.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>
>> >
>>
>>
>> We installed mod_auth_kerb on the webserver and the IPA-server and created
>> a keytab also on both servers.
>> <https://test-zip.dev.msp.**cullie.local/ipa/ui/#HTTP/**
>> test-zip-2.dev.msp.cullie.**local at DEV.MSP.CULLIE.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>
>> >
>>
>>
>> With our script we still get the following error because the rights that
>> the user has:
>>
>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
>> 'userPassword' attribute
>>
>> When we add a user "apache" to the IPA server and give it admin rights and
>> set it to the "User Administrator" Role we still don't have the right
>> privileges to do so.
>>
>> We need to setup a S4U2Proxy where we thought of that we did by installing
>> the mod_auth_kerb on the webserver, but this seems to be on the IPA
>> servers.
>>
>> The same question for the keytab, where do we use it when we use a simple
>> webserver form to add a user ? It's the same as in the topic here where
>> there is spoken about the "User privileges":
>> http://comments.gmane.org/**gmane.linux.redhat.freeipa.**user/8244<http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244>
>>
>> What do we have to do on which server ? We have put a lot of time into the
>> user_show part and that works, now westill  need the user_add (and so on).
>>
>> Has anyone some sort of sample/howto for this ?
>>
> As I said on IRC, I'm working on the article which explains all that.
> Stay tuned.
>
>
> --
> / Alexander Bokovoy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130729/7d1a3bbd/attachment.htm>

From abokovoy at redhat.com  Mon Jul 29 19:02:27 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 29 Jul 2013 22:02:27 +0300
Subject: [Freeipa-users] User_show works from webserver,
 user_add ipa: ERROR: Insufficient access
In-Reply-To: <CAPNQp06U6KYvP+enfiUxrnk8+-JcofEDbZPRS52n7fuq1JVzxA@mail.gmail.com>
References: <CAPNQp04TvC27H05G=D9aJdBgGLY142pxMiqv5xRMaY-3RTEy4Q@mail.gmail.com>
	<20130729135753.GH15859@redhat.com>
	<CAPNQp06U6KYvP+enfiUxrnk8+-JcofEDbZPRS52n7fuq1JVzxA@mail.gmail.com>
Message-ID: <20130729190226.GJ15859@redhat.com>

Hi!

On Mon, 29 Jul 2013, Matt . wrote:
>Hi Alexander,
>
>That is great!
>
>I hope that someone can find this topic and use it as reference as it tool
>us some time to find the other one :)
You can find my blog post here:
http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html

Hope it helps. I've tested the scenario on Fedora 19.

>
>Thanks!
>
>Cheers,
>
>Matt
>
>2013/7/29 Alexander Bokovoy <abokovoy at redhat.com>
>
>> Hi Matt,
>>
>>
>> On Mon, 29 Jul 2013, Matt . wrote:
>>
>>> Hi all,
>>>
>>> Refering to this topic:
>>> https://www.redhat.com/**archives/freeipa-users/2013-**July/msg00318.html<https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html>
>>>
>>> We are no able to do a show_user from a webserver on an IPA server, but
>>> user_add gives a problem in rights.
>>>
>>> On the IPA server there is added to the services:
>>> HTTP/test-webserver.dev.**domain.local at DEV.DOMAIN.LOCAL<**
>>> https://test-zip.dev.msp.**cullie.local/ipa/ui/#HTTP/**
>>> test-zip-2.dev.msp.cullie.**local at DEV.MSP.CULLIE.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>
>>> >
>>>
>>>
>>> We installed mod_auth_kerb on the webserver and the IPA-server and created
>>> a keytab also on both servers.
>>> <https://test-zip.dev.msp.**cullie.local/ipa/ui/#HTTP/**
>>> test-zip-2.dev.msp.cullie.**local at DEV.MSP.CULLIE.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>
>>> >
>>>
>>>
>>> With our script we still get the following error because the rights that
>>> the user has:
>>>
>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
>>> 'userPassword' attribute
>>>
>>> When we add a user "apache" to the IPA server and give it admin rights and
>>> set it to the "User Administrator" Role we still don't have the right
>>> privileges to do so.
>>>
>>> We need to setup a S4U2Proxy where we thought of that we did by installing
>>> the mod_auth_kerb on the webserver, but this seems to be on the IPA
>>> servers.
>>>
>>> The same question for the keytab, where do we use it when we use a simple
>>> webserver form to add a user ? It's the same as in the topic here where
>>> there is spoken about the "User privileges":
>>> http://comments.gmane.org/**gmane.linux.redhat.freeipa.**user/8244<http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244>
>>>
>>> What do we have to do on which server ? We have put a lot of time into the
>>> user_show part and that works, now westill  need the user_add (and so on).
>>>
>>> Has anyone some sort of sample/howto for this ?
>>>
>> As I said on IRC, I'm working on the article which explains all that.
>> Stay tuned.
>>
>>
>> --
>> / Alexander Bokovoy
>>



-- 
/ Alexander Bokovoy



From yamakasi.014 at gmail.com  Tue Jul 30 07:57:43 2013
From: yamakasi.014 at gmail.com (Matt .)
Date: Tue, 30 Jul 2013 09:57:43 +0200
Subject: [Freeipa-users] User_show works from webserver,
 user_add ipa: ERROR: Insufficient access
In-Reply-To: <20130729190226.GJ15859@redhat.com>
References: <CAPNQp04TvC27H05G=D9aJdBgGLY142pxMiqv5xRMaY-3RTEy4Q@mail.gmail.com>
	<20130729135753.GH15859@redhat.com>
	<CAPNQp06U6KYvP+enfiUxrnk8+-JcofEDbZPRS52n7fuq1JVzxA@mail.gmail.com>
	<20130729190226.GJ15859@redhat.com>
Message-ID: <CAPNQp07UTAXDpuv44kqVR4n=Pk7hpBLbQz73r-rpBuk99xsZgQ@mail.gmail.com>

Hi Alexander,

This doc is really great.

I have added the delegation target but we still get an err=50 on when
running our "add_user" script on the webserver.

On the IPA server we see a keytab file configured in the php.ini and on the
webserver we don't. Configs are quite the same here actually.

Something simple must be wrong I guess.

Thanks so far for the effort!

Cheers,

Matt


2013/7/29 Alexander Bokovoy <abokovoy at redhat.com>

> Hi!
>
>
> On Mon, 29 Jul 2013, Matt . wrote:
>
>> Hi Alexander,
>>
>> That is great!
>>
>> I hope that someone can find this topic and use it as reference as it tool
>> us some time to find the other one :)
>>
> You can find my blog post here:
> http://vda.li/en/posts/2013/**07/29/Setting-up-S4U2Proxy-**
> with-FreeIPA/index.html<http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html>
>
> Hope it helps. I've tested the scenario on Fedora 19.
>
>
>> Thanks!
>>
>> Cheers,
>>
>> Matt
>>
>> 2013/7/29 Alexander Bokovoy <abokovoy at redhat.com>
>>
>>  Hi Matt,
>>>
>>>
>>> On Mon, 29 Jul 2013, Matt . wrote:
>>>
>>>  Hi all,
>>>>
>>>> Refering to this topic:
>>>> https://www.redhat.com/****archives/freeipa-users/2013-****
>>>> July/msg00318.html<https://www.redhat.com/**archives/freeipa-users/2013-**July/msg00318.html>
>>>> <https://**www.redhat.com/archives/**freeipa-users/2013-July/**
>>>> msg00318.html<https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html>
>>>> >
>>>>
>>>>
>>>> We are no able to do a show_user from a webserver on an IPA server, but
>>>> user_add gives a problem in rights.
>>>>
>>>> On the IPA server there is added to the services:
>>>> HTTP/test-webserver.dev.****domain.local at DEV.DOMAIN.LOCAL<****
>>>> https://test-zip.dev.msp.****cullie.local/ipa/ui/#HTTP/**
>>>> test-zip-2.dev.msp.cullie.****local at DEV.MSP.CULLIE.LOCAL<htt**
>>>> ps://test-zip.dev.msp.cullie.**local/ipa/ui/#HTTP/test-zip-2.**
>>>> dev.msp.cullie.local at DEV.MSP.**CULLIE.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>
>>>> >
>>>>
>>>> >
>>>>
>>>>
>>>> We installed mod_auth_kerb on the webserver and the IPA-server and
>>>> created
>>>> a keytab also on both servers.
>>>> <https://test-zip.dev.msp.****cullie.local/ipa/ui/#HTTP/**
>>>> test-zip-2.dev.msp.cullie.****local at DEV.MSP.CULLIE.LOCAL<htt**
>>>> ps://test-zip.dev.msp.cullie.**local/ipa/ui/#HTTP/test-zip-2.**
>>>> dev.msp.cullie.local at DEV.MSP.**CULLIE.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>
>>>> >
>>>>
>>>> >
>>>>
>>>>
>>>> With our script we still get the following error because the rights that
>>>> the user has:
>>>>
>>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
>>>> 'userPassword' attribute
>>>>
>>>> When we add a user "apache" to the IPA server and give it admin rights
>>>> and
>>>> set it to the "User Administrator" Role we still don't have the right
>>>> privileges to do so.
>>>>
>>>> We need to setup a S4U2Proxy where we thought of that we did by
>>>> installing
>>>> the mod_auth_kerb on the webserver, but this seems to be on the IPA
>>>> servers.
>>>>
>>>> The same question for the keytab, where do we use it when we use a
>>>> simple
>>>> webserver form to add a user ? It's the same as in the topic here where
>>>> there is spoken about the "User privileges":
>>>> http://comments.gmane.org/****gmane.linux.redhat.freeipa.****user/8244<http://comments.gmane.org/**gmane.linux.redhat.freeipa.**user/8244>
>>>> <http://comments.**gmane.org/gmane.linux.redhat.**freeipa.user/8244<http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244>
>>>> >
>>>>
>>>>
>>>> What do we have to do on which server ? We have put a lot of time into
>>>> the
>>>> user_show part and that works, now westill  need the user_add (and so
>>>> on).
>>>>
>>>> Has anyone some sort of sample/howto for this ?
>>>>
>>>>  As I said on IRC, I'm working on the article which explains all that.
>>> Stay tuned.
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
>
>
> --
> / Alexander Bokovoy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130730/44ca5eed/attachment.htm>

From abokovoy at redhat.com  Tue Jul 30 08:20:36 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 30 Jul 2013 11:20:36 +0300
Subject: [Freeipa-users] User_show works from webserver,
 user_add ipa: ERROR: Insufficient access
In-Reply-To: <CAPNQp07UTAXDpuv44kqVR4n=Pk7hpBLbQz73r-rpBuk99xsZgQ@mail.gmail.com>
References: <CAPNQp04TvC27H05G=D9aJdBgGLY142pxMiqv5xRMaY-3RTEy4Q@mail.gmail.com>
	<20130729135753.GH15859@redhat.com>
	<CAPNQp06U6KYvP+enfiUxrnk8+-JcofEDbZPRS52n7fuq1JVzxA@mail.gmail.com>
	<20130729190226.GJ15859@redhat.com>
	<CAPNQp07UTAXDpuv44kqVR4n=Pk7hpBLbQz73r-rpBuk99xsZgQ@mail.gmail.com>
Message-ID: <20130730082036.GL15859@redhat.com>

On Tue, 30 Jul 2013, Matt . wrote:
>Hi Alexander,
>
>This doc is really great.
>
>I have added the delegation target but we still get an err=50 on when
>running our "add_user" script on the webserver.
>
>On the IPA server we see a keytab file configured in the php.ini and on the
>webserver we don't. Configs are quite the same here actually.
>
>Something simple must be wrong I guess.
As I said on IRC, please first make sure you have working environment
with a simple shell script like in the article. This is to ensure the
basic flow is working correctly -- delegation records are in place and
FreeIPA is indeed allowing HTTP/web.server principal to impersonate the
user.

Next, you need to look into your use of LDAP bindings for PHP and make
sure you are authenticating with SASL GSSAPI method. The last comment at
http://php.net/manual/en/function.ldap-sasl-bind.php describes how this
can (and should) be done, using both SASL GSSAPI and TLS encryption.

There are four parts involved here:
1. IPA master should have delegation targets.
2. Web server should be set up as described.
3. Your web script should use SASL GSSAPI (or you should know what your are doing;)
4. Your client should negotiate Kerberos to the server when talking.

When all four are in place, it should work with whatever language you
have used to write your web application.
-- 
/ Alexander Bokovoy



From dpal at redhat.com  Tue Jul 30 11:41:54 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 30 Jul 2013 07:41:54 -0400
Subject: [Freeipa-users] User_show works from webserver,
 user_add ipa: ERROR: Insufficient access
In-Reply-To: <20130729190226.GJ15859@redhat.com>
References: <CAPNQp04TvC27H05G=D9aJdBgGLY142pxMiqv5xRMaY-3RTEy4Q@mail.gmail.com>
	<20130729135753.GH15859@redhat.com>
	<CAPNQp06U6KYvP+enfiUxrnk8+-JcofEDbZPRS52n7fuq1JVzxA@mail.gmail.com>
	<20130729190226.GJ15859@redhat.com>
Message-ID: <51F7A682.3090300@redhat.com>

On 07/29/2013 03:02 PM, Alexander Bokovoy wrote:
> Hi!
>
> On Mon, 29 Jul 2013, Matt . wrote:
>> Hi Alexander,
>>
>> That is great!
>>
>> I hope that someone can find this topic and use it as reference as it
>> tool
>> us some time to find the other one :)
> You can find my blog post here:
> http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>
>
> Hope it helps. I've tested the scenario on Fedora 19.

I added it to the HOWTO section on wiki.
http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA

>
>>
>> Thanks!
>>
>> Cheers,
>>
>> Matt
>>
>> 2013/7/29 Alexander Bokovoy <abokovoy at redhat.com>
>>
>>> Hi Matt,
>>>
>>>
>>> On Mon, 29 Jul 2013, Matt . wrote:
>>>
>>>> Hi all,
>>>>
>>>> Refering to this topic:
>>>> https://www.redhat.com/**archives/freeipa-users/2013-**July/msg00318.html<https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html>
>>>>
>>>>
>>>> We are no able to do a show_user from a webserver on an IPA server,
>>>> but
>>>> user_add gives a problem in rights.
>>>>
>>>> On the IPA server there is added to the services:
>>>> HTTP/test-webserver.dev.**domain.local at DEV.DOMAIN.LOCAL<**
>>>> https://test-zip.dev.msp.**cullie.local/ipa/ui/#HTTP/**
>>>> test-zip-2.dev.msp.cullie.**local at DEV.MSP.CULLIE.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>
>>>>
>>>> >
>>>>
>>>>
>>>> We installed mod_auth_kerb on the webserver and the IPA-server and
>>>> created
>>>> a keytab also on both servers.
>>>> <https://test-zip.dev.msp.**cullie.local/ipa/ui/#HTTP/**
>>>> test-zip-2.dev.msp.cullie.**local at DEV.MSP.CULLIE.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>
>>>>
>>>> >
>>>>
>>>>
>>>> With our script we still get the following error because the rights
>>>> that
>>>> the user has:
>>>>
>>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
>>>> 'userPassword' attribute
>>>>
>>>> When we add a user "apache" to the IPA server and give it admin
>>>> rights and
>>>> set it to the "User Administrator" Role we still don't have the right
>>>> privileges to do so.
>>>>
>>>> We need to setup a S4U2Proxy where we thought of that we did by
>>>> installing
>>>> the mod_auth_kerb on the webserver, but this seems to be on the IPA
>>>> servers.
>>>>
>>>> The same question for the keytab, where do we use it when we use a
>>>> simple
>>>> webserver form to add a user ? It's the same as in the topic here
>>>> where
>>>> there is spoken about the "User privileges":
>>>> http://comments.gmane.org/**gmane.linux.redhat.freeipa.**user/8244<http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244>
>>>>
>>>>
>>>> What do we have to do on which server ? We have put a lot of time
>>>> into the
>>>> user_show part and that works, now westill  need the user_add (and
>>>> so on).
>>>>
>>>> Has anyone some sort of sample/howto for this ?
>>>>
>>> As I said on IRC, I'm working on the article which explains all that.
>>> Stay tuned.
>>>
>>>
>>> -- 
>>> / Alexander Bokovoy
>>>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





From yamakasi.014 at gmail.com  Tue Jul 30 12:17:11 2013
From: yamakasi.014 at gmail.com (Matt .)
Date: Tue, 30 Jul 2013 14:17:11 +0200
Subject: [Freeipa-users] User_show works from webserver,
 user_add ipa: ERROR: Insufficient access
In-Reply-To: <51F7A682.3090300@redhat.com>
References: <CAPNQp04TvC27H05G=D9aJdBgGLY142pxMiqv5xRMaY-3RTEy4Q@mail.gmail.com>
	<20130729135753.GH15859@redhat.com>
	<CAPNQp06U6KYvP+enfiUxrnk8+-JcofEDbZPRS52n7fuq1JVzxA@mail.gmail.com>
	<20130729190226.GJ15859@redhat.com> <51F7A682.3090300@redhat.com>
Message-ID: <CAPNQp079+bRKs9XYW2bYOapmN_srupm9280rkmuHRpL-DK3s=w@mail.gmail.com>

Hi Dimitri,

It's a good tuturial but I'm kinda stuck (and new to that part)

What we seem to need is:

A -> B -> C -> D
A= user(running one) B= Webserver C=IPAserver D= LDAP on IPAserver

I thought we didn't need the C -> D part because this is what IPA does. We
actually need the A -> B -> C part exectured from a php script to add a
user with user_add.

More details about that are welcome.

Thanks!

Cheers,

Matt


2013/7/30 Dmitri Pal <dpal at redhat.com>

> On 07/29/2013 03:02 PM, Alexander Bokovoy wrote:
> > Hi!
> >
> > On Mon, 29 Jul 2013, Matt . wrote:
> >> Hi Alexander,
> >>
> >> That is great!
> >>
> >> I hope that someone can find this topic and use it as reference as it
> >> tool
> >> us some time to find the other one :)
> > You can find my blog post here:
> >
> http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
> >
> >
> > Hope it helps. I've tested the scenario on Fedora 19.
>
> I added it to the HOWTO section on wiki.
> http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA
>
> >
> >>
> >> Thanks!
> >>
> >> Cheers,
> >>
> >> Matt
> >>
> >> 2013/7/29 Alexander Bokovoy <abokovoy at redhat.com>
> >>
> >>> Hi Matt,
> >>>
> >>>
> >>> On Mon, 29 Jul 2013, Matt . wrote:
> >>>
> >>>> Hi all,
> >>>>
> >>>> Refering to this topic:
> >>>>
> https://www.redhat.com/**archives/freeipa-users/2013-**July/msg00318.html<
> https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html>
> >>>>
> >>>>
> >>>> We are no able to do a show_user from a webserver on an IPA server,
> >>>> but
> >>>> user_add gives a problem in rights.
> >>>>
> >>>> On the IPA server there is added to the services:
> >>>> HTTP/test-webserver.dev.**domain.local at DEV.DOMAIN.LOCAL<**
> >>>> https://test-zip.dev.msp.**cullie.local/ipa/ui/#HTTP/**
> >>>> test-zip-2.dev.msp.cullie.**local at DEV.MSP.CULLIE.LOCAL<
> https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL
> >
> >>>>
> >>>> >
> >>>>
> >>>>
> >>>> We installed mod_auth_kerb on the webserver and the IPA-server and
> >>>> created
> >>>> a keytab also on both servers.
> >>>> <https://test-zip.dev.msp.**cullie.local/ipa/ui/#HTTP/**
> >>>> test-zip-2.dev.msp.cullie.**local at DEV.MSP.CULLIE.LOCAL<
> https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL
> >
> >>>>
> >>>> >
> >>>>
> >>>>
> >>>> With our script we still get the following error because the rights
> >>>> that
> >>>> the user has:
> >>>>
> >>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
> >>>> 'userPassword' attribute
> >>>>
> >>>> When we add a user "apache" to the IPA server and give it admin
> >>>> rights and
> >>>> set it to the "User Administrator" Role we still don't have the right
> >>>> privileges to do so.
> >>>>
> >>>> We need to setup a S4U2Proxy where we thought of that we did by
> >>>> installing
> >>>> the mod_auth_kerb on the webserver, but this seems to be on the IPA
> >>>> servers.
> >>>>
> >>>> The same question for the keytab, where do we use it when we use a
> >>>> simple
> >>>> webserver form to add a user ? It's the same as in the topic here
> >>>> where
> >>>> there is spoken about the "User privileges":
> >>>> http://comments.gmane.org/**gmane.linux.redhat.freeipa.**user/8244<
> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244>
> >>>>
> >>>>
> >>>> What do we have to do on which server ? We have put a lot of time
> >>>> into the
> >>>> user_show part and that works, now westill  need the user_add (and
> >>>> so on).
> >>>>
> >>>> Has anyone some sort of sample/howto for this ?
> >>>>
> >>> As I said on IRC, I'm working on the article which explains all that.
> >>> Stay tuned.
> >>>
> >>>
> >>> --
> >>> / Alexander Bokovoy
> >>>
> >
> >
> >
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130730/0e552442/attachment.htm>

From yamakasi.014 at gmail.com  Tue Jul 30 13:11:04 2013
From: yamakasi.014 at gmail.com (Matt .)
Date: Tue, 30 Jul 2013 15:11:04 +0200
Subject: [Freeipa-users] How to communicate IPA with PHP
In-Reply-To: <51F28EBE.6000606@redhat.com>
References: <CAO5uCSm07DzO6jca=i-2rV0qiM3W2c23nywCNKLgV9tdYVBz1A@mail.gmail.com>
	<51F2898E.2080504@redhat.com> <51F28EBE.6000606@redhat.com>
Message-ID: <CAPNQp05ib3eCgtk6JoFWc2xcY2aDsWsLfD--WOvcAPgZi-E0rA@mail.gmail.com>

Hi all,

We have found something out.

When you add a user (like cmdtestuser) to FreeIPA and add it to group:

- admins
- trust admins
- editors

And you add this same useraccount to a Linux box and do a "su cmdtestuser"
you are able to do a "kinit" abd give your password that user has in
FreeIPA.

After this you can run a  curl script from the commandline with a
"add_user" and actually add that user to IPA. So that works.

That is what we actually want to do from PHP but testing this with a
HTTP/HTTPD user in IPA doesn't work.

Shouldn't that be possible ?

I hope so!

Cheers,

Matt




2013/7/26 Petr Vobornik <pvoborni at redhat.com>

> On 07/26/2013 04:37 PM, Rob Crittenden wrote:
>
>> Zip Ly wrote:
>>
>>>
>>> Normally if IPA has a well documented API then my approach would be:
>>> user --> (internet) --> webserver --> lPA API --> IPA server
>>> But since there isn't much info about the API then my approach would be:
>>> user --> (internet) --> webserver --> a PHP script which acts as an
>>> custom API --> IPA server
>>> The problem is I don't know which commands are available en which
>>> values/params I should send. For example:
>>> http://www.freeipa.org/docs/1.**2/Administrators_Reference/en-**
>>> US/html/chap-Administration_**Reference-XML_RPC_Application_**
>>> Programming_Interface_API_**Documentation.html#<http://www.freeipa.org/docs/1.2/Administrators_Reference/en-US/html/chap-Administration_Reference-XML_RPC_Application_Programming_Interface_API_Documentation.html#>
>>>
>>> These are commands for xml rpc. Without examples it's difficult to find
>>> out how to use it.
>>>
>>
>> The API changed between v1 and v2/3, so these docs are not right for
>> your purposes.
>>
>> We haven't formally documented the API (either json or xml-rpc) yet
>> because it is still somewhat in flux. The API is baked into the ipa
>> client, so any command you can run from there is the equivalent of a
>> json/xml-rpc command, just substituting underscore for dash.
>>
>> About the closest we have is API.txt in the source tree. This is really
>> designed to be read by a computer but it outlines each command and the
>> options it takes, and the output it returns.
>>
>>  But they are different from this example:
>>> http://adam.younglogic.com/**2010/07/talking-to-freeipa-**
>>> json-web-api-via-curl/<http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/>
>>>
>>> In this example a "user_find" command is used, but this command cannot
>>> be found in the official xml rpc document above.
>>> In ssh I can display a list of commands with "ipa help commands" I don't
>>> know if they are all supported in "/ipa/json" I probably need to replace
>>> all dashes with underscores (correct me if I'm wrong).
>>>
>>
>> The same commands and options are available over json as xml-rpc.
>>
>>  If I want to display all the supported params from one certain command
>>> for example "ipa help user-find". Then, are all the double dashed params
>>> also the supported params which I can send with JSON?
>>>
>>
>> Yes.
>>
>
> Note that for some LDAP attributes dash param names may be different than
> API option names. It those cases the correct one is LDAP attribute name.
>
> Use `ipa show-mappings command-name` to find the correct names.
>
>
>
>>  I prefer using the native API if there is one (hidden somewhere),
>>> because I don't want to reinvent the wheel with security leaks which I'm
>>> not aware of. Especially when I need to execute CLI commands from
>>> the PHP scripts.
>>>
>>
>> The native API is json/xml-rpc. They are currently equivalent. In the
>> near future we are going to mark xml-rpc as deprecated and it will start
>> to fall behind in features, and eventually we may drop it altogether.
>>
>> rob
>>
>>
> --
> Petr Vobornik
>
>
> ______________________________**_________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130730/69ff7135/attachment.htm>

From dpal at redhat.com  Tue Jul 30 15:43:51 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 30 Jul 2013 11:43:51 -0400
Subject: [Freeipa-users] User_show works from webserver,
 user_add ipa: ERROR: Insufficient access
In-Reply-To: <CAPNQp079+bRKs9XYW2bYOapmN_srupm9280rkmuHRpL-DK3s=w@mail.gmail.com>
References: <CAPNQp04TvC27H05G=D9aJdBgGLY142pxMiqv5xRMaY-3RTEy4Q@mail.gmail.com>
	<20130729135753.GH15859@redhat.com>
	<CAPNQp06U6KYvP+enfiUxrnk8+-JcofEDbZPRS52n7fuq1JVzxA@mail.gmail.com>
	<20130729190226.GJ15859@redhat.com> <51F7A682.3090300@redhat.com>
	<CAPNQp079+bRKs9XYW2bYOapmN_srupm9280rkmuHRpL-DK3s=w@mail.gmail.com>
Message-ID: <51F7DF37.1090505@redhat.com>

On 07/30/2013 08:17 AM, Matt . wrote:
> Hi Dimitri,
>
> It's a good tuturial but I'm kinda stuck (and new to that part)
>
> What we seem to need is:
>
> A -> B -> C -> D
> A= user(running one) B= Webserver C=IPAserver D= LDAP on IPAserver
>
> I thought we didn't need the C -> D part because this is what IPA
> does. We actually need the A -> B -> C part exectured from a php
> script to add a user with user_add.
>
> More details about that are welcome.

You use the article but instead of accessing LDAP directly you need to
access ipa web sever because you will be running IPA commands and not
LDAP queries.
So you instead of using |ldap/ipa.example.com| principal as outlined in
the article you configure aquision of tickets for |http/ipa.example.com|.
Makes sense?

>
> Thanks!
>
> Cheers,
>
> Matt
>
>
> 2013/7/30 Dmitri Pal <dpal at redhat.com <mailto:dpal at redhat.com>>
>
>     On 07/29/2013 03:02 PM, Alexander Bokovoy wrote:
>     > Hi!
>     >
>     > On Mon, 29 Jul 2013, Matt . wrote:
>     >> Hi Alexander,
>     >>
>     >> That is great!
>     >>
>     >> I hope that someone can find this topic and use it as reference
>     as it
>     >> tool
>     >> us some time to find the other one :)
>     > You can find my blog post here:
>     >
>     http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>     >
>     >
>     > Hope it helps. I've tested the scenario on Fedora 19.
>
>     I added it to the HOWTO section on wiki.
>     http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA
>
>     >
>     >>
>     >> Thanks!
>     >>
>     >> Cheers,
>     >>
>     >> Matt
>     >>
>     >> 2013/7/29 Alexander Bokovoy <abokovoy at redhat.com
>     <mailto:abokovoy at redhat.com>>
>     >>
>     >>> Hi Matt,
>     >>>
>     >>>
>     >>> On Mon, 29 Jul 2013, Matt . wrote:
>     >>>
>     >>>> Hi all,
>     >>>>
>     >>>> Refering to this topic:
>     >>>>
>     https://www.redhat.com/**archives/freeipa-users/2013-**July/msg00318.html<https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html>
>     >>>>
>     >>>>
>     >>>> We are no able to do a show_user from a webserver on an IPA
>     server,
>     >>>> but
>     >>>> user_add gives a problem in rights.
>     >>>>
>     >>>> On the IPA server there is added to the services:
>     >>>> HTTP/test-webserver.dev.**domain.local at DEV.DOMAIN.LOCAL<**
>     >>>> https://test-zip.dev.msp.**cullie.local/ipa/ui/#HTTP/**
>     >>>>
>     test-zip-2.dev.msp.cullie.**local at DEV.MSP.CULLIE.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>
>     >>>>
>     >>>> >
>     >>>>
>     >>>>
>     >>>> We installed mod_auth_kerb on the webserver and the
>     IPA-server and
>     >>>> created
>     >>>> a keytab also on both servers.
>     >>>> <https://test-zip.dev.msp.**cullie.local/ipa/ui/#HTTP/**
>     >>>>
>     test-zip-2.dev.msp.cullie.**local at DEV.MSP.CULLIE.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>
>     >>>>
>     >>>> >
>     >>>>
>     >>>>
>     >>>> With our script we still get the following error because the
>     rights
>     >>>> that
>     >>>> the user has:
>     >>>>
>     >>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege
>     to the
>     >>>> 'userPassword' attribute
>     >>>>
>     >>>> When we add a user "apache" to the IPA server and give it admin
>     >>>> rights and
>     >>>> set it to the "User Administrator" Role we still don't have
>     the right
>     >>>> privileges to do so.
>     >>>>
>     >>>> We need to setup a S4U2Proxy where we thought of that we did by
>     >>>> installing
>     >>>> the mod_auth_kerb on the webserver, but this seems to be on
>     the IPA
>     >>>> servers.
>     >>>>
>     >>>> The same question for the keytab, where do we use it when we
>     use a
>     >>>> simple
>     >>>> webserver form to add a user ? It's the same as in the topic here
>     >>>> where
>     >>>> there is spoken about the "User privileges":
>     >>>>
>     http://comments.gmane.org/**gmane.linux.redhat.freeipa.**user/8244<http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244>
>     >>>>
>     >>>>
>     >>>> What do we have to do on which server ? We have put a lot of time
>     >>>> into the
>     >>>> user_show part and that works, now westill  need the user_add
>     (and
>     >>>> so on).
>     >>>>
>     >>>> Has anyone some sort of sample/howto for this ?
>     >>>>
>     >>> As I said on IRC, I'm working on the article which explains
>     all that.
>     >>> Stay tuned.
>     >>>
>     >>>
>     >>> --
>     >>> / Alexander Bokovoy
>     >>>
>     >
>     >
>     >
>
>
>     --
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager for IdM portfolio
>     Red Hat Inc.
>
>
>     -------------------------------
>     Looking to carve out IT costs?
>     www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>
>
>
>     _______________________________________________
>     Freeipa-users mailing list
>     Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130730/59edb57c/attachment.htm>

From abokovoy at redhat.com  Tue Jul 30 15:52:25 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 30 Jul 2013 18:52:25 +0300
Subject: [Freeipa-users] User_show works from webserver,
 user_add ipa: ERROR: Insufficient access
In-Reply-To: <51F7DF37.1090505@redhat.com>
References: <CAPNQp04TvC27H05G=D9aJdBgGLY142pxMiqv5xRMaY-3RTEy4Q@mail.gmail.com>
	<20130729135753.GH15859@redhat.com>
	<CAPNQp06U6KYvP+enfiUxrnk8+-JcofEDbZPRS52n7fuq1JVzxA@mail.gmail.com>
	<20130729190226.GJ15859@redhat.com> <51F7A682.3090300@redhat.com>
	<CAPNQp079+bRKs9XYW2bYOapmN_srupm9280rkmuHRpL-DK3s=w@mail.gmail.com>
	<51F7DF37.1090505@redhat.com>
Message-ID: <20130730155225.GM15859@redhat.com>

On Tue, 30 Jul 2013, Dmitri Pal wrote:
>On 07/30/2013 08:17 AM, Matt . wrote:
>> Hi Dimitri,
>>
>> It's a good tuturial but I'm kinda stuck (and new to that part)
>>
>> What we seem to need is:
>>
>> A -> B -> C -> D
>> A= user(running one) B= Webserver C=IPAserver D= LDAP on IPAserver
>>
>> I thought we didn't need the C -> D part because this is what IPA
>> does. We actually need the A -> B -> C part exectured from a php
>> script to add a user with user_add.
>>
>> More details about that are welcome.
>
>You use the article but instead of accessing LDAP directly you need to
>access ipa web sever because you will be running IPA commands and not
>LDAP queries.
>So you instead of using |ldap/ipa.example.com| principal as outlined in
>the article you configure aquision of tickets for |http/ipa.example.com|.
>Makes sense?
Yes and Matt actually solved his problem on IRC and now is happily deploying
his servers. :)

I'll extend the article to cover the case when you need to talk to both
LDAP and IPA server XML-RPC/JSON API.

Ideally we need to introduce some commands to manage delegations between
services. An RFE ticket for CLI?

>
>>
>> Thanks!
>>
>> Cheers,
>>
>> Matt
>>
>>
>> 2013/7/30 Dmitri Pal <dpal at redhat.com <mailto:dpal at redhat.com>>
>>
>>     On 07/29/2013 03:02 PM, Alexander Bokovoy wrote:
>>     > Hi!
>>     >
>>     > On Mon, 29 Jul 2013, Matt . wrote:
>>     >> Hi Alexander,
>>     >>
>>     >> That is great!
>>     >>
>>     >> I hope that someone can find this topic and use it as reference
>>     as it
>>     >> tool
>>     >> us some time to find the other one :)
>>     > You can find my blog post here:
>>     >
>>     http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>>     >
>>     >
>>     > Hope it helps. I've tested the scenario on Fedora 19.
>>
>>     I added it to the HOWTO section on wiki.
>>     http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA
>>
>>     >
>>     >>
>>     >> Thanks!
>>     >>
>>     >> Cheers,
>>     >>
>>     >> Matt
>>     >>
>>     >> 2013/7/29 Alexander Bokovoy <abokovoy at redhat.com
>>     <mailto:abokovoy at redhat.com>>
>>     >>
>>     >>> Hi Matt,
>>     >>>
>>     >>>
>>     >>> On Mon, 29 Jul 2013, Matt . wrote:
>>     >>>
>>     >>>> Hi all,
>>     >>>>
>>     >>>> Refering to this topic:
>>     >>>>
>>     https://www.redhat.com/**archives/freeipa-users/2013-**July/msg00318.html<https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html>
>>     >>>>
>>     >>>>
>>     >>>> We are no able to do a show_user from a webserver on an IPA
>>     server,
>>     >>>> but
>>     >>>> user_add gives a problem in rights.
>>     >>>>
>>     >>>> On the IPA server there is added to the services:
>>     >>>> HTTP/test-webserver.dev.**domain.local at DEV.DOMAIN.LOCAL<**
>>     >>>> https://test-zip.dev.msp.**cullie.local/ipa/ui/#HTTP/**
>>     >>>>
>>     test-zip-2.dev.msp.cullie.**local at DEV.MSP.CULLIE.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>
>>     >>>>
>>     >>>> >
>>     >>>>
>>     >>>>
>>     >>>> We installed mod_auth_kerb on the webserver and the
>>     IPA-server and
>>     >>>> created
>>     >>>> a keytab also on both servers.
>>     >>>> <https://test-zip.dev.msp.**cullie.local/ipa/ui/#HTTP/**
>>     >>>>
>>     test-zip-2.dev.msp.cullie.**local at DEV.MSP.CULLIE.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local at DEV.MSP.CULLIE.LOCAL>
>>     >>>>
>>     >>>> >
>>     >>>>
>>     >>>>
>>     >>>> With our script we still get the following error because the
>>     rights
>>     >>>> that
>>     >>>> the user has:
>>     >>>>
>>     >>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege
>>     to the
>>     >>>> 'userPassword' attribute
>>     >>>>
>>     >>>> When we add a user "apache" to the IPA server and give it admin
>>     >>>> rights and
>>     >>>> set it to the "User Administrator" Role we still don't have
>>     the right
>>     >>>> privileges to do so.
>>     >>>>
>>     >>>> We need to setup a S4U2Proxy where we thought of that we did by
>>     >>>> installing
>>     >>>> the mod_auth_kerb on the webserver, but this seems to be on
>>     the IPA
>>     >>>> servers.
>>     >>>>
>>     >>>> The same question for the keytab, where do we use it when we
>>     use a
>>     >>>> simple
>>     >>>> webserver form to add a user ? It's the same as in the topic here
>>     >>>> where
>>     >>>> there is spoken about the "User privileges":
>>     >>>>
>>     http://comments.gmane.org/**gmane.linux.redhat.freeipa.**user/8244<http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244>
>>     >>>>
>>     >>>>
>>     >>>> What do we have to do on which server ? We have put a lot of time
>>     >>>> into the
>>     >>>> user_show part and that works, now westill  need the user_add
>>     (and
>>     >>>> so on).
>>     >>>>
>>     >>>> Has anyone some sort of sample/howto for this ?
>>     >>>>
>>     >>> As I said on IRC, I'm working on the article which explains
>>     all that.
>>     >>> Stay tuned.
>>     >>>
>>     >>>
>>     >>> --
>>     >>> / Alexander Bokovoy
>>     >>>
>>     >
>>     >
>>     >
>>
>>
>>     --
>>     Thank you,
>>     Dmitri Pal
>>
>>     Sr. Engineering Manager for IdM portfolio
>>     Red Hat Inc.
>>
>>
>>     -------------------------------
>>     Looking to carve out IT costs?
>>     www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>>
>>
>>
>>     _______________________________________________
>>     Freeipa-users mailing list
>>     Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>
>
>-- 
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager for IdM portfolio
>Red Hat Inc.
>
>
>-------------------------------
>Looking to carve out IT costs?
>www.redhat.com/carveoutcosts/
>
>
>

>_______________________________________________
>Freeipa-users mailing list
>Freeipa-users at redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-users




-- 
/ Alexander Bokovoy



From mkosek at redhat.com  Tue Jul 30 15:55:01 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 30 Jul 2013 17:55:01 +0200
Subject: [Freeipa-users] User_show works from webserver,
 user_add ipa: ERROR: Insufficient access
In-Reply-To: <20130730155225.GM15859@redhat.com>
References: <CAPNQp04TvC27H05G=D9aJdBgGLY142pxMiqv5xRMaY-3RTEy4Q@mail.gmail.com>
	<20130729135753.GH15859@redhat.com>
	<CAPNQp06U6KYvP+enfiUxrnk8+-JcofEDbZPRS52n7fuq1JVzxA@mail.gmail.com>
	<20130729190226.GJ15859@redhat.com> <51F7A682.3090300@redhat.com>
	<CAPNQp079+bRKs9XYW2bYOapmN_srupm9280rkmuHRpL-DK3s=w@mail.gmail.com>
	<51F7DF37.1090505@redhat.com> <20130730155225.GM15859@redhat.com>
Message-ID: <51F7E1D5.2060405@redhat.com>

On 07/30/2013 05:52 PM, Alexander Bokovoy wrote:
> On Tue, 30 Jul 2013, Dmitri Pal wrote:
>> On 07/30/2013 08:17 AM, Matt . wrote:
>>> Hi Dimitri,
>>>
>>> It's a good tuturial but I'm kinda stuck (and new to that part)
>>>
>>> What we seem to need is:
>>>
>>> A -> B -> C -> D
>>> A= user(running one) B= Webserver C=IPAserver D= LDAP on IPAserver
>>>
>>> I thought we didn't need the C -> D part because this is what IPA
>>> does. We actually need the A -> B -> C part exectured from a php
>>> script to add a user with user_add.
>>>
>>> More details about that are welcome.
>>
>> You use the article but instead of accessing LDAP directly you need to
>> access ipa web sever because you will be running IPA commands and not
>> LDAP queries.
>> So you instead of using |ldap/ipa.example.com| principal as outlined in
>> the article you configure aquision of tickets for |http/ipa.example.com|.
>> Makes sense?
> Yes and Matt actually solved his problem on IRC and now is happily deploying
> his servers. :)
> 
> I'll extend the article to cover the case when you need to talk to both
> LDAP and IPA server XML-RPC/JSON API.
> 
> Ideally we need to introduce some commands to manage delegations between
> services. An RFE ticket for CLI?
> 

Already filed :-)
https://fedorahosted.org/freeipa/ticket/3644

Contributions are very welcome.

Martin



From dpal at redhat.com  Tue Jul 30 16:03:20 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 30 Jul 2013 12:03:20 -0400
Subject: [Freeipa-users] How to communicate IPA with PHP
In-Reply-To: <CAPNQp05ib3eCgtk6JoFWc2xcY2aDsWsLfD--WOvcAPgZi-E0rA@mail.gmail.com>
References: <CAO5uCSm07DzO6jca=i-2rV0qiM3W2c23nywCNKLgV9tdYVBz1A@mail.gmail.com>
	<51F2898E.2080504@redhat.com> <51F28EBE.6000606@redhat.com>
	<CAPNQp05ib3eCgtk6JoFWc2xcY2aDsWsLfD--WOvcAPgZi-E0rA@mail.gmail.com>
Message-ID: <51F7E3C8.2050804@redhat.com>

On 07/30/2013 09:11 AM, Matt . wrote:
> Hi all,
>
> We have found something out.
>
> When you add a user (like cmdtestuser) to FreeIPA and add it to group:
>
> - admins
> - trust admins
> - editors

This does not matter really if you just trying to do authentication.
This would matter if you start to execute administrative commands with
the user. As a starting point putting user into admins group would
enable him to do everything. However in general we suggest that you
Identify operations that your application would perform
Identify permissions and privileges needed for those operations
Create a role that grants those privileges
Associate the user to the role (directly) or via a new group that you
would create.

Bottom line after you sort out the authentication and ticket delegation
you would need to think about access control and reduce the privileges
of your PHP application to only operations it really needs to perform.

>
> And you add this same useraccount to a Linux box and do a "su
> cmdtestuser" you are able to do a "kinit" abd give your password that
> user has in FreeIPA.

How do you "add" it? Do you actually define a local user? That would be
wrong.

>
> After this you can run a  curl script from the commandline with a
> "add_user" and actually add that user to IPA. So that works.

Yes because you effectively ran a ipa user-add command just yourselves
using curl. 

>
> That is what we actually want to do from PHP but testing this with a
> HTTP/HTTPD user in IPA doesn't work.
>
Are you talking about local HTTP user that was added to the local
/etc/passwd file?
Of cause it would not work. You need to run your application using a
user (principal) that IPA (Kerberos) recognizes.


> Shouldn't that be possible ?

It is possible.
And you can do it two ways: you can use end user identity to perform
operations against IPA or you can give privileges to the PHP application
to perform operation using its own identity. The former is preferable.
In the latter case you sort of hand keys to the kingdom to the PHP
application and even if you confine its privileges as I described above
you would 
have to build access control into your PHP application if you want to
allow different admins to perform different operations via your PHP
application.
So the best would be to use user identity so please use Alexander's
article and make your PHP application acquire ticket on user behalf.
Make your users members of the admin group for testing purposes to sort
the authentication issues but once done define the right privileges for
them so that they can execute only the commands that they are entitled
to execute.


HTH

>
> I hope so!
>
> Cheers,
>
> Matt
>
>
>
>
> 2013/7/26 Petr Vobornik <pvoborni at redhat.com <mailto:pvoborni at redhat.com>>
>
>     On 07/26/2013 04:37 PM, Rob Crittenden wrote:
>
>         Zip Ly wrote:
>
>
>             Normally if IPA has a well documented API then my approach
>             would be:
>             user --> (internet) --> webserver --> lPA API --> IPA server
>             But since there isn't much info about the API then my
>             approach would be:
>             user --> (internet) --> webserver --> a PHP script which
>             acts as an
>             custom API --> IPA serve
>             The problem is I don't know which commands are available
>             en which
>             values/params I should send. For example:
>             http://www.freeipa.org/docs/1.2/Administrators_Reference/en-US/html/chap-Administration_Reference-XML_RPC_Application_Programming_Interface_API_Documentation.html#
>
>             These are commands for xml rpc. Without examples it's
>             difficult to find
>             out how to use it.
>
>
>         The API changed between v1 and v2/3, so these docs are not
>         right for
>         your purposes.
>
>         We haven't formally documented the API (either json or
>         xml-rpc) yet
>         because it is still somewhat in flux. The API is baked into
>         the ipa
>         client, so any command you can run from there is the
>         equivalent of a
>         json/xml-rpc command, just substituting underscore for dash.
>
>         About the closest we have is API.txt in the source tree. This
>         is really
>         designed to be read by a computer but it outlines each command
>         and the
>         options it takes, and the output it returns.
>
>             But they are different from this example:
>             http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
>
>             In this example a "user_find" command is used, but this
>             command cannot
>             be found in the official xml rpc document above.
>             In ssh I can display a list of commands with "ipa help
>             commands" I don't
>             know if they are all supported in "/ipa/json" I probably
>             need to replace
>             all dashes with underscores (correct me if I'm wrong).
>
>
>         The same commands and options are available over json as xml-rpc.
>
>             If I want to display all the supported params from one
>             certain command
>             for example "ipa help user-find". Then, are all the double
>             dashed params
>             also the supported params which I can send with JSON?
>
>
>         Yes.
>
>
>     Note that for some LDAP attributes dash param names may be
>     different than API option names. It those cases the correct one is
>     LDAP attribute name.
>
>     Use `ipa show-mappings command-name` to find the correct names.
>
>
>
>             I prefer using the native API if there is one (hidden
>             somewhere),
>             because I don't want to reinvent the wheel with security
>             leaks which I'm
>             not aware of. Especially when I need to execute CLI
>             commands from
>             the PHP scripts.
>
>
>         The native API is json/xml-rpc. They are currently equivalent.
>         In the
>         near future we are going to mark xml-rpc as deprecated and it
>         will start
>         to fall behind in features, and eventually we may drop it
>         altogether.
>
>         rob
>
>
>     -- 
>     Petr Vobornik
>
>
>     _______________________________________________
>     Freeipa-users mailing list
>     Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130730/fcad99e3/attachment.htm>

From sakodak at gmail.com  Tue Jul 30 19:41:59 2013
From: sakodak at gmail.com (KodaK)
Date: Tue, 30 Jul 2013 14:41:59 -0500
Subject: [Freeipa-users] authenticate with base domain name?
Message-ID: <CAA9J0ZHxwQ0pbWboNbUFYUSz-+SLBKCXgZ5Zn3imBV99K-m_rQ@mail.gmail.com>

I've been searching and I know it's been answered before but I can't find it.

I have UNIX.DOMAIN.COM as my IPA realm.

I have some hosts that sit on (in dns) domain.com (they are not part
of any other Kerberos realms.)

I'm unable to currently change the domain names on these boxes.

In krb5.conf I have the mappings:

domain.com = UNIX.DOMAIN.COM
.domain.com = UNIX.DOMAIN.COM

I can do a kinit admin from the client machine and get a ticket.

I'm unable to authenticate via ssh to the client machine (with the user admin.)

I'm able to "su" to the user, so we're talking to ldap and kerberos.

I have the GSSAPI options set in sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

But, in the syslog I see:

Miscellaneous failure\nNo principal in keytab matches desired name\n

I'm sure this is because I generated the keytab for
"host.unix.domain.com" instead of "host.domain.com" -- but I don't
know how to accomplish the second one.

I may be on the wrong track here.  Every time I think I understand
this I get hit with something that shows me that I'm still clueless.

A pointer to a previous discussion on this would be sufficient, I think.

Thanks,

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



From sakodak at gmail.com  Tue Jul 30 19:58:42 2013
From: sakodak at gmail.com (KodaK)
Date: Tue, 30 Jul 2013 14:58:42 -0500
Subject: [Freeipa-users] authenticate with base domain name?
In-Reply-To: <CAA9J0ZHxwQ0pbWboNbUFYUSz-+SLBKCXgZ5Zn3imBV99K-m_rQ@mail.gmail.com>
References: <CAA9J0ZHxwQ0pbWboNbUFYUSz-+SLBKCXgZ5Zn3imBV99K-m_rQ@mail.gmail.com>
Message-ID: <CAA9J0ZEs_OAKJN7iuY4gSPD4o+Aa+u7eex64hn=4PTkV0eRURw@mail.gmail.com>

Nevermind, AIX problem (surprise, surprise!)

Since it's half-kerberized at this point (the default is system auth,
not kerb/ldap) it failed.

I had to create entries in /etc/security/user for the users I wanted
to test with and explicitly state that I wanted them to log on via
krb5/ldap.

--Jason

On Tue, Jul 30, 2013 at 2:41 PM, KodaK <sakodak at gmail.com> wrote:
> I've been searching and I know it's been answered before but I can't find it.
>
> I have UNIX.DOMAIN.COM as my IPA realm.
>
> I have some hosts that sit on (in dns) domain.com (they are not part
> of any other Kerberos realms.)
>
> I'm unable to currently change the domain names on these boxes.
>
> In krb5.conf I have the mappings:
>
> domain.com = UNIX.DOMAIN.COM
> .domain.com = UNIX.DOMAIN.COM
>
> I can do a kinit admin from the client machine and get a ticket.
>
> I'm unable to authenticate via ssh to the client machine (with the user admin.)
>
> I'm able to "su" to the user, so we're talking to ldap and kerberos.
>
> I have the GSSAPI options set in sshd_config:
>
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> But, in the syslog I see:
>
> Miscellaneous failure\nNo principal in keytab matches desired name\n
>
> I'm sure this is because I generated the keytab for
> "host.unix.domain.com" instead of "host.domain.com" -- but I don't
> know how to accomplish the second one.
>
> I may be on the wrong track here.  Every time I think I understand
> this I get hit with something that shows me that I'm still clueless.
>
> A pointer to a previous discussion on this would be sufficient, I think.
>
> Thanks,
>
> --Jason
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



From sakodak at gmail.com  Tue Jul 30 20:01:18 2013
From: sakodak at gmail.com (KodaK)
Date: Tue, 30 Jul 2013 15:01:18 -0500
Subject: [Freeipa-users] authenticate with base domain name?
In-Reply-To: <CAA9J0ZEs_OAKJN7iuY4gSPD4o+Aa+u7eex64hn=4PTkV0eRURw@mail.gmail.com>
References: <CAA9J0ZHxwQ0pbWboNbUFYUSz-+SLBKCXgZ5Zn3imBV99K-m_rQ@mail.gmail.com>
	<CAA9J0ZEs_OAKJN7iuY4gSPD4o+Aa+u7eex64hn=4PTkV0eRURw@mail.gmail.com>
Message-ID: <CAA9J0ZEokyOyeWPH9+Fr0ddawUrkH9n4-KCqFyY+w9v4_euoAg@mail.gmail.com>

Ok, so, yeah -- my first question stands.  This works when it falls
back to LDAP, but it does not honor a kerberos ticket.  Is there a way
to do that in the same circumstances?

Thanks again,

--Jason

On Tue, Jul 30, 2013 at 2:58 PM, KodaK <sakodak at gmail.com> wrote:
> Nevermind, AIX problem (surprise, surprise!)
>
> Since it's half-kerberized at this point (the default is system auth,
> not kerb/ldap) it failed.
>
> I had to create entries in /etc/security/user for the users I wanted
> to test with and explicitly state that I wanted them to log on via
> krb5/ldap.
>
> --Jason
>
> On Tue, Jul 30, 2013 at 2:41 PM, KodaK <sakodak at gmail.com> wrote:
>> I've been searching and I know it's been answered before but I can't find it.
>>
>> I have UNIX.DOMAIN.COM as my IPA realm.
>>
>> I have some hosts that sit on (in dns) domain.com (they are not part
>> of any other Kerberos realms.)
>>
>> I'm unable to currently change the domain names on these boxes.
>>
>> In krb5.conf I have the mappings:
>>
>> domain.com = UNIX.DOMAIN.COM
>> .domain.com = UNIX.DOMAIN.COM
>>
>> I can do a kinit admin from the client machine and get a ticket.
>>
>> I'm unable to authenticate via ssh to the client machine (with the user admin.)
>>
>> I'm able to "su" to the user, so we're talking to ldap and kerberos.
>>
>> I have the GSSAPI options set in sshd_config:
>>
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>>
>> But, in the syslog I see:
>>
>> Miscellaneous failure\nNo principal in keytab matches desired name\n
>>
>> I'm sure this is because I generated the keytab for
>> "host.unix.domain.com" instead of "host.domain.com" -- but I don't
>> know how to accomplish the second one.
>>
>> I may be on the wrong track here.  Every time I think I understand
>> this I get hit with something that shows me that I'm still clueless.
>>
>> A pointer to a previous discussion on this would be sufficient, I think.
>>
>> Thanks,
>>
>> --Jason
>>
>> --
>> The government is going to read our mail anyway, might as well make it
>> tough for them.  GPG Public key ID:  B6A1A7C6
>
>
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



From Steven.Jones at vuw.ac.nz  Tue Jul 30 23:16:48 2013
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 30 Jul 2013 23:16:48 +0000
Subject: [Freeipa-users] password resetting into IPA
Message-ID: <833D8E48405E064EBC54C84EC6B36E407A340529@STAWINCOX10MBX1.staff.vuw.ac.nz>

Has anybody tried this?

http://code.google.com/p/pwm/

Would it work is is it advised not to use it, if so reasons please?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



From sakodak at gmail.com  Wed Jul 31 01:21:56 2013
From: sakodak at gmail.com (KodaK)
Date: Tue, 30 Jul 2013 20:21:56 -0500
Subject: [Freeipa-users] password resetting into IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E407A340529@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E407A340529@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <CAA9J0ZH_YK4z=-bR9NN869hVuU7=+o1BQSDPOnr+FgktKXgbTQ@mail.gmail.com>

On Tue, Jul 30, 2013 at 6:16 PM, Steven Jones <Steven.Jones at vuw.ac.nz> wrote:
> Has anybody tried this?
>
> http://code.google.com/p/pwm/
>
> Would it work is is it advised not to use it, if so reasons please?
>

It's been talked about a bit in this mailing list.  I had issues, and I know of
another person who was setting it up (but I never heard any success reports.)

Give it a shot and see where you can go with it.

I used this:

http://ltb-project.org/wiki/documentation/self-service-password

But it's much simpler and feature-poor than PWM seems to be.
(But works for what I need.)



From linux at karasik.org  Wed Jul 31 11:04:27 2013
From: linux at karasik.org (Vitaly)
Date: Wed, 31 Jul 2013 14:04:27 +0300
Subject: [Freeipa-users] IPA clients doesn't see all user's group
Message-ID: <CANpTS00Bpk+uxmABJ6-6N-E127NjuxudA-awTxw2Vx=v__wGYA@mail.gmail.com>

I have IPA2  on RHEL6 server and RHEL/CENTOS 5/6 clients.
For some users Linux doesn't see all  groups. For example:

#ipa user-show myuser
.......
Member of groups: group1,group2,group3

#id myuser
uid=1815600038(myuser) gid=1002(group1) groups=1002(group1),1000(group2)

How I can debug and fix this?

TIA,
Vitaly



From jhrozek at redhat.com  Wed Jul 31 11:15:30 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 31 Jul 2013 13:15:30 +0200
Subject: [Freeipa-users] IPA clients doesn't see all user's group
In-Reply-To: <CANpTS00Bpk+uxmABJ6-6N-E127NjuxudA-awTxw2Vx=v__wGYA@mail.gmail.com>
References: <CANpTS00Bpk+uxmABJ6-6N-E127NjuxudA-awTxw2Vx=v__wGYA@mail.gmail.com>
Message-ID: <20130731111530.GA1042@hendrix.brq.redhat.com>

On Wed, Jul 31, 2013 at 02:04:27PM +0300, Vitaly wrote:
> I have IPA2  on RHEL6 server and RHEL/CENTOS 5/6 clients.
> For some users Linux doesn't see all  groups. For example:
> 
> #ipa user-show myuser
> .......
> Member of groups: group1,group2,group3
> 
> #id myuser
> uid=1815600038(myuser) gid=1002(group1) groups=1002(group1),1000(group2)
> 
> How I can debug and fix this?
> 
> TIA,
> Vitaly

What exact SSSD version is this?

Was user added to group3 recently so that the cache might have stale records?

Do you see the same problem on both RHEL5 and RHEL6 clients?



From linux at karasik.org  Wed Jul 31 11:29:13 2013
From: linux at karasik.org (Vitaly)
Date: Wed, 31 Jul 2013 14:29:13 +0300
Subject: [Freeipa-users] IPA clients doesn't see all user's group
In-Reply-To: <20130731111530.GA1042@hendrix.brq.redhat.com>
References: <CANpTS00Bpk+uxmABJ6-6N-E127NjuxudA-awTxw2Vx=v__wGYA@mail.gmail.com>
	<20130731111530.GA1042@hendrix.brq.redhat.com>
Message-ID: <CANpTS031Tsm8exo_vUUrq6ur_Czo9=9=L--Su8zbf=gJ-zu53A@mail.gmail.com>

>What exact SSSD version is this?
1.5.1-58.el5 and 1.5.1-66.el6_2.3

>Was user added to group3 recently so that the cache might have stale records?
Originally it was "old" group; after that I added some new group - the
same problem.
I restarted sssd with removing its cache - didn't help.

>Do you see the same problem on both RHEL5 and RHEL6 clients?
yes


On Wed, Jul 31, 2013 at 2:15 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> On Wed, Jul 31, 2013 at 02:04:27PM +0300, Vitaly wrote:
>> I have IPA2  on RHEL6 server and RHEL/CENTOS 5/6 clients.
>> For some users Linux doesn't see all  groups. For example:
>>
>> #ipa user-show myuser
>> .......
>> Member of groups: group1,group2,group3
>>
>> #id myuser
>> uid=1815600038(myuser) gid=1002(group1) groups=1002(group1),1000(group2)
>>
>> How I can debug and fix this?
>>
>> TIA,
>> Vitaly
>
> What exact SSSD version is this?
>
> Was user added to group3 recently so that the cache might have stale records?
>
> Do you see the same problem on both RHEL5 and RHEL6 clients?
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



From james.hogarth at gmail.com  Wed Jul 31 11:36:17 2013
From: james.hogarth at gmail.com (James Hogarth)
Date: Wed, 31 Jul 2013 12:36:17 +0100
Subject: [Freeipa-users] Providing minimal permissions to read replication
	status
Message-ID: <CAGkb5vfVc-cP9TefjngMs6itxa3O3_v5F7Q6R0eupQMQsPMJoA@mail.gmail.com>

Hi,

We're looking to add monitoring to our IPA replicas and want to provide a
user with the minimum possible permissions to do so.

Allowing the user to have the Replication Administrators role works but for
monitoring the ability to add/modify/remove is overkill by a long shot.

There's no existing permission for Read Replication Agreements - only add,
remove and modify.

I've tried to use ipa perimssion-add with --filter to allow access to
objectClass=nsds5replicationagreement but checking the status via:

ldapsearch -Y GSSAPI -h c6test2.c6ipa.local  -b cn=config
'(objectclass=nsds5replicationagreement)'

Does not show anything unless the account being tested with gets
replication administrator privileges...

I've tried using subtree as well but the ipa command errors that the base
of cn=config is not $SUFFIX ... and out of scope.

What am I missing to set this up - or is this not possible with the
role/privilege/permission mechanism within IPA? I can see how the
replication administration permissions are added in replica-acis.ldif but
I'm concerned that if I manually add an ACI via pure LDIF commands it will
cause issues with future IPA upgrades due to schema differences - so was
hoping to remain within the IPA command side of things...

1) Is this even possible with the ipa command?
2) If I use ldapmodify to add a new permission by hand via ldif for "Read
Replication Agreements" will this likely break on IPA upgrades in future?

Cheers,

James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130731/1d921eaf/attachment.htm>

From sbose at redhat.com  Wed Jul 31 11:56:52 2013
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 31 Jul 2013 13:56:52 +0200
Subject: [Freeipa-users] authenticate with base domain name?
In-Reply-To: <CAA9J0ZEokyOyeWPH9+Fr0ddawUrkH9n4-KCqFyY+w9v4_euoAg@mail.gmail.com>
References: <CAA9J0ZHxwQ0pbWboNbUFYUSz-+SLBKCXgZ5Zn3imBV99K-m_rQ@mail.gmail.com>
	<CAA9J0ZEs_OAKJN7iuY4gSPD4o+Aa+u7eex64hn=4PTkV0eRURw@mail.gmail.com>
	<CAA9J0ZEokyOyeWPH9+Fr0ddawUrkH9n4-KCqFyY+w9v4_euoAg@mail.gmail.com>
Message-ID: <20130731115652.GA3648@localhost.localdomain>

On Tue, Jul 30, 2013 at 03:01:18PM -0500, KodaK wrote:
> Ok, so, yeah -- my first question stands.  This works when it falls
> back to LDAP, but it does not honor a kerberos ticket.  Is there a way
> to do that in the same circumstances?
> 
> Thanks again,
> 
> --Jason
> 
> On Tue, Jul 30, 2013 at 2:58 PM, KodaK <sakodak at gmail.com> wrote:
> > Nevermind, AIX problem (surprise, surprise!)
> >
> > Since it's half-kerberized at this point (the default is system auth,
> > not kerb/ldap) it failed.
> >
> > I had to create entries in /etc/security/user for the users I wanted
> > to test with and explicitly state that I wanted them to log on via
> > krb5/ldap.
> >
> > --Jason
> >
> > On Tue, Jul 30, 2013 at 2:41 PM, KodaK <sakodak at gmail.com> wrote:
> >> I've been searching and I know it's been answered before but I can't find it.
> >>
> >> I have UNIX.DOMAIN.COM as my IPA realm.
> >>
> >> I have some hosts that sit on (in dns) domain.com (they are not part
> >> of any other Kerberos realms.)
> >>
> >> I'm unable to currently change the domain names on these boxes.
> >>
> >> In krb5.conf I have the mappings:
> >>
> >> domain.com = UNIX.DOMAIN.COM
> >> .domain.com = UNIX.DOMAIN.COM
> >>
> >> I can do a kinit admin from the client machine and get a ticket.
> >>
> >> I'm unable to authenticate via ssh to the client machine (with the user admin.)
> >>
> >> I'm able to "su" to the user, so we're talking to ldap and kerberos.
> >>
> >> I have the GSSAPI options set in sshd_config:
> >>
> >> GSSAPIAuthentication yes
> >> GSSAPICleanupCredentials yes
> >>
> >> But, in the syslog I see:
> >>
> >> Miscellaneous failure\nNo principal in keytab matches desired name\n
> >>
> >> I'm sure this is because I generated the keytab for
> >> "host.unix.domain.com" instead of "host.domain.com" -- but I don't
> >> know how to accomplish the second one.

I think that's the issue. You have to make sure that host.domain.com has
a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
setup must be correct so the IPA DNS can forward the request to the
right server. Then you can call 'ipa host-add host.domain.com' which
will create a host entry with the principal
host/host.domain.com at UNIX.DOMAIN.COM. Now you can call ipa-getkeytab and
transfer the new keytab to host.domain.com.

HTH

bye,
Sumit

> >>
> >> I may be on the wrong track here.  Every time I think I understand
> >> this I get hit with something that shows me that I'm still clueless.
> >>
> >> A pointer to a previous discussion on this would be sufficient, I think.
> >>
> >> Thanks,
> >>
> >> --Jason
> >>
> >> --
> >> The government is going to read our mail anyway, might as well make it
> >> tough for them.  GPG Public key ID:  B6A1A7C6
> >
> >
> >
> > --
> > The government is going to read our mail anyway, might as well make it
> > tough for them.  GPG Public key ID:  B6A1A7C6
> 
> 
> 
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



From jhrozek at redhat.com  Wed Jul 31 11:57:29 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 31 Jul 2013 13:57:29 +0200
Subject: [Freeipa-users] IPA clients doesn't see all user's group
In-Reply-To: <CANpTS031Tsm8exo_vUUrq6ur_Czo9=9=L--Su8zbf=gJ-zu53A@mail.gmail.com>
References: <CANpTS00Bpk+uxmABJ6-6N-E127NjuxudA-awTxw2Vx=v__wGYA@mail.gmail.com>
	<20130731111530.GA1042@hendrix.brq.redhat.com>
	<CANpTS031Tsm8exo_vUUrq6ur_Czo9=9=L--Su8zbf=gJ-zu53A@mail.gmail.com>
Message-ID: <20130731115729.GD1042@hendrix.brq.redhat.com>

On Wed, Jul 31, 2013 at 02:29:13PM +0300, Vitaly wrote:
> >What exact SSSD version is this?
> 1.5.1-58.el5 and 1.5.1-66.el6_2.3

The .el5 version looks OK to me, but you should really upgrade from
6.2..

> 
> >Was user added to group3 recently so that the cache might have stale records?
> Originally it was "old" group; after that I added some new group - the
> same problem.
> I restarted sssd with removing its cache - didn't help.
> 

Ah, OK, thank you for verifying this.

> >Do you see the same problem on both RHEL5 and RHEL6 clients?
> yes
> 

Interesting, can you run ipa user-show --all --raw myuser and check if
all three groups are visible as values of the "memberof" attribute? I
suspect they will..

If they do, can you then put debug_level=7 to the [domain] section of
sssd.conf, restart sssd and attach or paste the logs from /var/log/sssd
?



From linux at karasik.org  Wed Jul 31 12:27:41 2013
From: linux at karasik.org (Vitaly)
Date: Wed, 31 Jul 2013 15:27:41 +0300
Subject: [Freeipa-users] IPA clients doesn't see all user's group
In-Reply-To: <20130731115729.GD1042@hendrix.brq.redhat.com>
References: <CANpTS00Bpk+uxmABJ6-6N-E127NjuxudA-awTxw2Vx=v__wGYA@mail.gmail.com>
	<20130731111530.GA1042@hendrix.brq.redhat.com>
	<CANpTS031Tsm8exo_vUUrq6ur_Czo9=9=L--Su8zbf=gJ-zu53A@mail.gmail.com>
	<20130731115729.GD1042@hendrix.brq.redhat.com>
Message-ID: <CANpTS0395+CHc-BCu0-xe7Hokzbmq_DJQ01DZhwpiY1oaqEtCA@mail.gmail.com>

Jakub, many thanks!

>Interesting, can you run ipa user-show --all --raw myuser and check if
>all three groups are visible as values of the "memberof" attribute? I
>suspect they will..
Yes, all 3 groups are visible

>If they do, can you then put debug_level=7 to the [domain] section of
>sssd.conf, restart sssd and attach or paste the logs from /var/log/sssd

As far as I see  for problematic group3

........
(Wed Jul 31 12:10:39 2013) [sssd[be[example.com]]]
[sdap_initgr_nested_search] (2): Search for group
cn=group3,cn=groups,cn=accounts,
,dc=example,dc=com, returned 0 results. Skipping
.......

So I tried on my IPA client "getent  group group2/3" -  there is an
answer for group2, but not for group3. Interesting...
In IPA server "ipa group-show group2/3 "  show similar output for both
groups, including members.




Jakub, if you agree, I'll send you log to your email, I prefer do not
post it to the list.

On Wed, Jul 31, 2013 at 2:57 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> On Wed, Jul 31, 2013 at 02:29:13PM +0300, Vitaly wrote:
>> >What exact SSSD version is this?
>> 1.5.1-58.el5 and 1.5.1-66.el6_2.3
>
> The .el5 version looks OK to me, but you should really upgrade from
> 6.2..
>
>>
>> >Was user added to group3 recently so that the cache might have stale records?
>> Originally it was "old" group; after that I added some new group - the
>> same problem.
>> I restarted sssd with removing its cache - didn't help.
>>
>
> Ah, OK, thank you for verifying this.
>
>> >Do you see the same problem on both RHEL5 and RHEL6 clients?
>> yes
>>
>
> Interesting, can you run ipa user-show --all --raw myuser and check if
> all three groups are visible as values of the "memberof" attribute? I
> suspect they will..
>
> If they do, can you then put debug_level=7 to the [domain] section of
> sssd.conf, restart sssd and attach or paste the logs from /var/log/sssd
> ?
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



From jhrozek at redhat.com  Wed Jul 31 12:40:44 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 31 Jul 2013 14:40:44 +0200
Subject: [Freeipa-users] IPA clients doesn't see all user's group
In-Reply-To: <CANpTS0395+CHc-BCu0-xe7Hokzbmq_DJQ01DZhwpiY1oaqEtCA@mail.gmail.com>
References: <CANpTS00Bpk+uxmABJ6-6N-E127NjuxudA-awTxw2Vx=v__wGYA@mail.gmail.com>
	<20130731111530.GA1042@hendrix.brq.redhat.com>
	<CANpTS031Tsm8exo_vUUrq6ur_Czo9=9=L--Su8zbf=gJ-zu53A@mail.gmail.com>
	<20130731115729.GD1042@hendrix.brq.redhat.com>
	<CANpTS0395+CHc-BCu0-xe7Hokzbmq_DJQ01DZhwpiY1oaqEtCA@mail.gmail.com>
Message-ID: <20130731124044.GE1042@hendrix.brq.redhat.com>

On Wed, Jul 31, 2013 at 03:27:41PM +0300, Vitaly wrote:
> Jakub, many thanks!
> 
> >Interesting, can you run ipa user-show --all --raw myuser and check if
> >all three groups are visible as values of the "memberof" attribute? I
> >suspect they will..
> Yes, all 3 groups are visible
> 
> >If they do, can you then put debug_level=7 to the [domain] section of
> >sssd.conf, restart sssd and attach or paste the logs from /var/log/sssd
> 
> As far as I see  for problematic group3
> 
> ........
> (Wed Jul 31 12:10:39 2013) [sssd[be[example.com]]]
> [sdap_initgr_nested_search] (2): Search for group
> cn=group3,cn=groups,cn=accounts,
> ,dc=example,dc=com, returned 0 results. Skipping
> .......
> 
> So I tried on my IPA client "getent  group group2/3" -  there is an
> answer for group2, but not for group3. Interesting...
> In IPA server "ipa group-show group2/3 "  show similar output for both
> groups, including members.
> 
> 
> 
> 

Does the group have posix GID?

> Jakub, if you agree, I'll send you log to your email, I prefer do not
> post it to the list.

Sure, that's fine.



From linux at karasik.org  Wed Jul 31 12:55:06 2013
From: linux at karasik.org (Vitaly)
Date: Wed, 31 Jul 2013 15:55:06 +0300
Subject: [Freeipa-users] IPA clients doesn't see all user's group
In-Reply-To: <20130731124044.GE1042@hendrix.brq.redhat.com>
References: <CANpTS00Bpk+uxmABJ6-6N-E127NjuxudA-awTxw2Vx=v__wGYA@mail.gmail.com>
	<20130731111530.GA1042@hendrix.brq.redhat.com>
	<CANpTS031Tsm8exo_vUUrq6ur_Czo9=9=L--Su8zbf=gJ-zu53A@mail.gmail.com>
	<20130731115729.GD1042@hendrix.brq.redhat.com>
	<CANpTS0395+CHc-BCu0-xe7Hokzbmq_DJQ01DZhwpiY1oaqEtCA@mail.gmail.com>
	<20130731124044.GE1042@hendrix.brq.redhat.com>
Message-ID: <CANpTS00B8Fpcb1qbnn_PRh-H6xRCR1BqK_vZV-6iRLv99sF1gw@mail.gmail.com>

Jakub, many thanks and I'm really sorry for so stupid questions!
yes, you're right, group3 didn't have posix GID :-)

Vitaly

On Wed, Jul 31, 2013 at 3:40 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> On Wed, Jul 31, 2013 at 03:27:41PM +0300, Vitaly wrote:
>> Jakub, many thanks!
>>
>> >Interesting, can you run ipa user-show --all --raw myuser and check if
>> >all three groups are visible as values of the "memberof" attribute? I
>> >suspect they will..
>> Yes, all 3 groups are visible
>>
>> >If they do, can you then put debug_level=7 to the [domain] section of
>> >sssd.conf, restart sssd and attach or paste the logs from /var/log/sssd
>>
>> As far as I see  for problematic group3
>>
>> ........
>> (Wed Jul 31 12:10:39 2013) [sssd[be[example.com]]]
>> [sdap_initgr_nested_search] (2): Search for group
>> cn=group3,cn=groups,cn=accounts,
>> ,dc=example,dc=com, returned 0 results. Skipping
>> .......
>>
>> So I tried on my IPA client "getent  group group2/3" -  there is an
>> answer for group2, but not for group3. Interesting...
>> In IPA server "ipa group-show group2/3 "  show similar output for both
>> groups, including members.
>>
>>
>>
>>
>
> Does the group have posix GID?
>
>> Jakub, if you agree, I'll send you log to your email, I prefer do not
>> post it to the list.
>
> Sure, that's fine.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



From jhrozek at redhat.com  Wed Jul 31 13:08:12 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 31 Jul 2013 15:08:12 +0200
Subject: [Freeipa-users] IPA clients doesn't see all user's group
In-Reply-To: <CANpTS00B8Fpcb1qbnn_PRh-H6xRCR1BqK_vZV-6iRLv99sF1gw@mail.gmail.com>
References: <CANpTS00Bpk+uxmABJ6-6N-E127NjuxudA-awTxw2Vx=v__wGYA@mail.gmail.com>
	<20130731111530.GA1042@hendrix.brq.redhat.com>
	<CANpTS031Tsm8exo_vUUrq6ur_Czo9=9=L--Su8zbf=gJ-zu53A@mail.gmail.com>
	<20130731115729.GD1042@hendrix.brq.redhat.com>
	<CANpTS0395+CHc-BCu0-xe7Hokzbmq_DJQ01DZhwpiY1oaqEtCA@mail.gmail.com>
	<20130731124044.GE1042@hendrix.brq.redhat.com>
	<CANpTS00B8Fpcb1qbnn_PRh-H6xRCR1BqK_vZV-6iRLv99sF1gw@mail.gmail.com>
Message-ID: <20130731130812.GF1042@hendrix.brq.redhat.com>

On Wed, Jul 31, 2013 at 03:55:06PM +0300, Vitaly wrote:
> Jakub, many thanks and I'm really sorry for so stupid questions!
> yes, you're right, group3 didn't have posix GID :-)
> 
> Vitaly

No problem, I'm glad the issue got sorted out :-)

I think that recent versions of the SSSD print a more user-friendly
debug message into the logs..



From sakodak at gmail.com  Wed Jul 31 16:09:43 2013
From: sakodak at gmail.com (KodaK)
Date: Wed, 31 Jul 2013 11:09:43 -0500
Subject: [Freeipa-users] authenticate with base domain name?
In-Reply-To: <20130731115652.GA3648@localhost.localdomain>
References: <CAA9J0ZHxwQ0pbWboNbUFYUSz-+SLBKCXgZ5Zn3imBV99K-m_rQ@mail.gmail.com>
	<CAA9J0ZEs_OAKJN7iuY4gSPD4o+Aa+u7eex64hn=4PTkV0eRURw@mail.gmail.com>
	<CAA9J0ZEokyOyeWPH9+Fr0ddawUrkH9n4-KCqFyY+w9v4_euoAg@mail.gmail.com>
	<20130731115652.GA3648@localhost.localdomain>
Message-ID: <CAA9J0ZGLpEUr1o2DFYH8rZNMrSJTHenictqA6SV4hvA17vfupA@mail.gmail.com>

On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sbose at redhat.com> wrote:

> I think that's the issue. You have to make sure that host.domain.com has

> a DNS entry somewhere, it does not have to be the IPA DNS but the DNS

> setup must be correct so the IPA DNS can forward the request to the

> right server. Then you can call 'ipa host-add host.domain.com' which

> will create a host entry with the principal

> host/host.domain.com at UNIX.DOMAIN.COM. Now you can call ipa-getkeytab and

> transfer the new keytab to host.domain.com.

Ok, I'm dumbfounded (again.)

I've removed the old host from IPA:

xxx at slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com

ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml

ipa: INFO: Forwarding 'host_show' to server u'
https://slpidml01.unix.domain.com/ipa/session/xml'

ipa: ERROR: sla400q1.unix.domain.com: host not found

And I added the new host:

[xxx at slpidml01 ~]$ ipa host-show sla400q1.domain.com

ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml

ipa: INFO: Forwarding 'host_show' to server u'
https://slpidml01.unix.domain.com/ipa/xml'

 Host name: sla400q1.domain.com

 Principal name: host/sla400q1.domain.com at UNIX.DOMAIN.COM

 Password: False

 Keytab: True

 Managed by: sla400q1.domain.com

I generated the keytab:

[xxx at slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully retrieved
and stored in: /tmp/sla400q1.keytab

[xxx at slpidml01 ~]$

Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab

But, when I list the principals in the keytab:

sla400q1:/var/adm> /usr/krb5/bin/klist -k -e

Keytab name:  FILE:/etc/krb5/krb5.keytab

KVNO Principal

---- ---------

  1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
96-bit SHA-1 HMAC)

  1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
96-bit SHA-1 HMAC)

  1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
HMAC/sha1)

  1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)

  2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
96-bit SHA-1 HMAC)

  2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
96-bit SHA-1 HMAC)

  2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
HMAC/sha1)

  2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)

  1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit
SHA-1 HMAC)

  1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit
SHA-1 HMAC)

  1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
HMAC/sha1)

  1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)

  2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit
SHA-1 HMAC)

  2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit
SHA-1 HMAC)

  2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
HMAC/sha1)

  2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)

  3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit
SHA-1 HMAC)

  3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit
SHA-1 HMAC)

  3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
HMAC/sha1)

  3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)

  4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit
SHA-1 HMAC)

  4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit
SHA-1 HMAC)

  4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
HMAC/sha1)

  4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)

  5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit
SHA-1 HMAC)

  5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit
SHA-1 HMAC)

  5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
HMAC/sha1)

  5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)

  6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit
SHA-1 HMAC)

  6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit
SHA-1 HMAC)

  6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
HMAC/sha1)

  6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)

Where are the sla400q1.unix.domain.com coming from? I've done this over and
over, I can't find

any reference to sla400q1.unix.domain.com in DNS in IPA, and the box never
had any

unix.comain.com references.

In addition, I?m still getting the error:

Miscellaneous failure\nNo principal in keytab matches desired name\n

in the logs, even though:

sla400q1:/var/adm> grep sla400q1 /etc/hosts

192.168.42.108  sla400q1-bk

#10.200.5.48    sla400q1.domain.com sla400q1

10.200.5.48     sla400q1.domain.com sla400q1

sla400q1:/var/adm> hostname

sla400q1.domain.com

sla400q1:/var/adm> domainname

domain.com

sla400q1:/var/adm>

Any clues?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130731/1a0c1fd8/attachment.htm>

From sakodak at gmail.com  Wed Jul 31 16:12:47 2013
From: sakodak at gmail.com (KodaK)
Date: Wed, 31 Jul 2013 11:12:47 -0500
Subject: [Freeipa-users] authenticate with base domain name?
In-Reply-To: <CAA9J0ZGLpEUr1o2DFYH8rZNMrSJTHenictqA6SV4hvA17vfupA@mail.gmail.com>
References: <CAA9J0ZHxwQ0pbWboNbUFYUSz-+SLBKCXgZ5Zn3imBV99K-m_rQ@mail.gmail.com>
	<CAA9J0ZEs_OAKJN7iuY4gSPD4o+Aa+u7eex64hn=4PTkV0eRURw@mail.gmail.com>
	<CAA9J0ZEokyOyeWPH9+Fr0ddawUrkH9n4-KCqFyY+w9v4_euoAg@mail.gmail.com>
	<20130731115652.GA3648@localhost.localdomain>
	<CAA9J0ZGLpEUr1o2DFYH8rZNMrSJTHenictqA6SV4hvA17vfupA@mail.gmail.com>
Message-ID: <CAA9J0ZH5+QimyPynUMsBDtyLiqAyKz4b52HgB6ZuntbdY6dgPw@mail.gmail.com>

On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sakodak at gmail.com> wrote:

>
>
> On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sbose at redhat.com> wrote:
>
> > I think that's the issue. You have to make sure that host.domain.com has
>
> > a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
>
> > setup must be correct so the IPA DNS can forward the request to the
>
> > right server. Then you can call 'ipa host-add host.domain.com' which
>
> > will create a host entry with the principal
>
> > host/host.domain.com at UNIX.DOMAIN.COM. Now you can call ipa-getkeytab and
>
> > transfer the new keytab to host.domain.com.
>
> Ok, I'm dumbfounded (again.)
>
> I've removed the old host from IPA:
>
> xxx at slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
>
> ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
>
> ipa: INFO: Forwarding 'host_show' to server u'
> https://slpidml01.unix.domain.com/ipa/session/xml'
>
> ipa: ERROR: sla400q1.unix.domain.com: host not found
>
> And I added the new host:
>
> [xxx at slpidml01 ~]$ ipa host-show sla400q1.domain.com
>
> ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
>
> ipa: INFO: Forwarding 'host_show' to server u'
> https://slpidml01.unix.domain.com/ipa/xml'
>
>  Host name: sla400q1.domain.com
>
>  Principal name: host/sla400q1.domain.com at UNIX.DOMAIN.COM
>
>  Password: False
>
>   Keytab: True
>
>  Managed by: sla400q1.domain.com
>
> I generated the keytab:
>
> [xxx at slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
> sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully retrieved
> and stored in: /tmp/sla400q1.keytab
>
> [xxx at slpidml01 ~]$
>
> Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
>
> But, when I list the principals in the keytab:
>
> sla400q1:/var/adm> /usr/krb5/bin/klist -k -e
>
> Keytab name:  FILE:/etc/krb5/krb5.keytab
>
> KVNO Principal
>
> ---- ---------
>
>    1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode
> with HMAC/sha1)
>
>   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>
>   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode
> with HMAC/sha1)
>
>   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>
>   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> HMAC/sha1)
>
>   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>
>   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> HMAC/sha1)
>
>   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>
>   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> HMAC/sha1)
>
>   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>
>   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> HMAC/sha1)
>
>   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>
>   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> HMAC/sha1)
>
>   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>
>   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> 96-bit SHA-1 HMAC)
>
>   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> HMAC/sha1)
>
>   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>
> Where are the sla400q1.unix.domain.com coming from? I've done this over
> and over, I can't find
>
> any reference to sla400q1.unix.domain.com in DNS in IPA, and the box
> never had any
>
> unix.comain.com references.
>
> In addition, I?m still getting the error:
>
> Miscellaneous failure\nNo principal in keytab matches desired name\n
>
> in the logs, even though:
>
> sla400q1:/var/adm> grep sla400q1 /etc/hosts
>
> 192.168.42.108  sla400q1-bk
>
> #10.200.5.48    sla400q1.domain.com sla400q1
>
> 10.200.5.48     sla400q1.domain.com sla400q1
>
> sla400q1:/var/adm> hostname
>
> sla400q1.domain.com
>
> sla400q1:/var/adm> domainname
>
> domain.com
>
> sla400q1:/var/adm>
>
> Any clues?
>
>
forgot to add:

sla400q1:/var/adm> nslookup 10.200.5.48
Server:         10.200.2.24
Address:        10.200.2.24#53

48.5.200.10.in-addr.arpa        name = SLA400Q1.domain.com.



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130731/0ea37c32/attachment.htm>

From sbose at redhat.com  Wed Jul 31 16:21:29 2013
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 31 Jul 2013 18:21:29 +0200
Subject: [Freeipa-users] authenticate with base domain name?
In-Reply-To: <CAA9J0ZGLpEUr1o2DFYH8rZNMrSJTHenictqA6SV4hvA17vfupA@mail.gmail.com>
References: <CAA9J0ZHxwQ0pbWboNbUFYUSz-+SLBKCXgZ5Zn3imBV99K-m_rQ@mail.gmail.com>
	<CAA9J0ZEs_OAKJN7iuY4gSPD4o+Aa+u7eex64hn=4PTkV0eRURw@mail.gmail.com>
	<CAA9J0ZEokyOyeWPH9+Fr0ddawUrkH9n4-KCqFyY+w9v4_euoAg@mail.gmail.com>
	<20130731115652.GA3648@localhost.localdomain>
	<CAA9J0ZGLpEUr1o2DFYH8rZNMrSJTHenictqA6SV4hvA17vfupA@mail.gmail.com>
Message-ID: <20130731162129.GC3648@localhost.localdomain>

On Wed, Jul 31, 2013 at 11:09:43AM -0500, KodaK wrote:
> On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sbose at redhat.com> wrote:
> 
> > I think that's the issue. You have to make sure that host.domain.com has
> 
> > a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
> 
> > setup must be correct so the IPA DNS can forward the request to the
> 
> > right server. Then you can call 'ipa host-add host.domain.com' which
> 
> > will create a host entry with the principal
> 
> > host/host.domain.com at UNIX.DOMAIN.COM. Now you can call ipa-getkeytab and
> 
> > transfer the new keytab to host.domain.com.
> 
> Ok, I'm dumbfounded (again.)
> 
> I've removed the old host from IPA:
> 
> xxx at slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
> 
> ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
> 
> ipa: INFO: Forwarding 'host_show' to server u'
> https://slpidml01.unix.domain.com/ipa/session/xml'
> 
> ipa: ERROR: sla400q1.unix.domain.com: host not found
> 
> And I added the new host:
> 
> [xxx at slpidml01 ~]$ ipa host-show sla400q1.domain.com
> 
> ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
> 
> ipa: INFO: Forwarding 'host_show' to server u'
> https://slpidml01.unix.domain.com/ipa/xml'
> 
>  Host name: sla400q1.domain.com
> 
>  Principal name: host/sla400q1.domain.com at UNIX.DOMAIN.COM
> 
>  Password: False
> 
>  Keytab: True
> 
>  Managed by: sla400q1.domain.com
> 
> I generated the keytab:
> 
> [xxx at slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
> sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully retrieved
> and stored in: /tmp/sla400q1.keytab

does /tmp/sla400q1.keytab still exists from your previous attempts?
ipa-getkeytab might just add the news keys if the file is not empty?

bye,
Sumit

> 
> [xxx at slpidml01 ~]$
> 
> Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
> 
> But, when I list the principals in the keytab:
> 
> sla400q1:/var/adm> /usr/krb5/bin/klist -k -e
> 
> Keytab name:  FILE:/etc/krb5/krb5.keytab
> 
> KVNO Principal
> 
> ---- ---------
> 
>   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> 96-bit SHA-1 HMAC)
> 
>   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> 96-bit SHA-1 HMAC)
> 
>   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> HMAC/sha1)
> 
>   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> 
>   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> 96-bit SHA-1 HMAC)
> 
>   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> 96-bit SHA-1 HMAC)
> 
>   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> HMAC/sha1)
> 
>   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> 
>   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit
> SHA-1 HMAC)
> 
>   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit
> SHA-1 HMAC)
> 
>   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> HMAC/sha1)
> 
>   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> 
>   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit
> SHA-1 HMAC)
> 
>   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit
> SHA-1 HMAC)
> 
>   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> HMAC/sha1)
> 
>   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> 
>   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit
> SHA-1 HMAC)
> 
>   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit
> SHA-1 HMAC)
> 
>   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> HMAC/sha1)
> 
>   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> 
>   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit
> SHA-1 HMAC)
> 
>   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit
> SHA-1 HMAC)
> 
>   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> HMAC/sha1)
> 
>   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> 
>   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit
> SHA-1 HMAC)
> 
>   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit
> SHA-1 HMAC)
> 
>   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> HMAC/sha1)
> 
>   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> 
>   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit
> SHA-1 HMAC)
> 
>   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit
> SHA-1 HMAC)
> 
>   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> HMAC/sha1)
> 
>   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> 
> Where are the sla400q1.unix.domain.com coming from? I've done this over and
> over, I can't find
> 
> any reference to sla400q1.unix.domain.com in DNS in IPA, and the box never
> had any
> 
> unix.comain.com references.
> 
> In addition, I?m still getting the error:
> 
> Miscellaneous failure\nNo principal in keytab matches desired name\n
> 
> in the logs, even though:
> 
> sla400q1:/var/adm> grep sla400q1 /etc/hosts
> 
> 192.168.42.108  sla400q1-bk
> 
> #10.200.5.48    sla400q1.domain.com sla400q1
> 
> 10.200.5.48     sla400q1.domain.com sla400q1
> 
> sla400q1:/var/adm> hostname
> 
> sla400q1.domain.com
> 
> sla400q1:/var/adm> domainname
> 
> domain.com
> 
> sla400q1:/var/adm>
> 
> Any clues?



From sbose at redhat.com  Wed Jul 31 16:24:20 2013
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 31 Jul 2013 18:24:20 +0200
Subject: [Freeipa-users] authenticate with base domain name?
In-Reply-To: <CAA9J0ZH5+QimyPynUMsBDtyLiqAyKz4b52HgB6ZuntbdY6dgPw@mail.gmail.com>
References: <CAA9J0ZHxwQ0pbWboNbUFYUSz-+SLBKCXgZ5Zn3imBV99K-m_rQ@mail.gmail.com>
	<CAA9J0ZEs_OAKJN7iuY4gSPD4o+Aa+u7eex64hn=4PTkV0eRURw@mail.gmail.com>
	<CAA9J0ZEokyOyeWPH9+Fr0ddawUrkH9n4-KCqFyY+w9v4_euoAg@mail.gmail.com>
	<20130731115652.GA3648@localhost.localdomain>
	<CAA9J0ZGLpEUr1o2DFYH8rZNMrSJTHenictqA6SV4hvA17vfupA@mail.gmail.com>
	<CAA9J0ZH5+QimyPynUMsBDtyLiqAyKz4b52HgB6ZuntbdY6dgPw@mail.gmail.com>
Message-ID: <20130731162420.GD3648@localhost.localdomain>

On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
> On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sakodak at gmail.com> wrote:
> 
> >
> >
> > On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sbose at redhat.com> wrote:
> >
> > > I think that's the issue. You have to make sure that host.domain.com has
> >
> > > a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
> >
> > > setup must be correct so the IPA DNS can forward the request to the
> >
> > > right server. Then you can call 'ipa host-add host.domain.com' which
> >
> > > will create a host entry with the principal
> >
> > > host/host.domain.com at UNIX.DOMAIN.COM. Now you can call ipa-getkeytab and
> >
> > > transfer the new keytab to host.domain.com.
> >
> > Ok, I'm dumbfounded (again.)
> >
> > I've removed the old host from IPA:
> >
> > xxx at slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
> >
> > ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
> >
> > ipa: INFO: Forwarding 'host_show' to server u'
> > https://slpidml01.unix.domain.com/ipa/session/xml'
> >
> > ipa: ERROR: sla400q1.unix.domain.com: host not found
> >
> > And I added the new host:
> >
> > [xxx at slpidml01 ~]$ ipa host-show sla400q1.domain.com
> >
> > ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
> >
> > ipa: INFO: Forwarding 'host_show' to server u'
> > https://slpidml01.unix.domain.com/ipa/xml'
> >
> >  Host name: sla400q1.domain.com
> >
> >  Principal name: host/sla400q1.domain.com at UNIX.DOMAIN.COM
> >
> >  Password: False
> >
> >   Keytab: True
> >
> >  Managed by: sla400q1.domain.com
> >
> > I generated the keytab:
> >
> > [xxx at slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
> > sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully retrieved
> > and stored in: /tmp/sla400q1.keytab
> >
> > [xxx at slpidml01 ~]$
> >
> > Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
> >
> > But, when I list the principals in the keytab:
> >
> > sla400q1:/var/adm> /usr/krb5/bin/klist -k -e
> >
> > Keytab name:  FILE:/etc/krb5/krb5.keytab
> >
> > KVNO Principal
> >
> > ---- ---------
> >
> >    1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode
> > with HMAC/sha1)
> >
> >   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >
> >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode
> > with HMAC/sha1)
> >
> >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >
> >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> > HMAC/sha1)
> >
> >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >
> >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> > HMAC/sha1)
> >
> >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >
> >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> > HMAC/sha1)
> >
> >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >
> >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> > HMAC/sha1)
> >
> >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >
> >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> > HMAC/sha1)
> >
> >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >
> >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > 96-bit SHA-1 HMAC)
> >
> >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> > HMAC/sha1)
> >
> >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >
> > Where are the sla400q1.unix.domain.com coming from? I've done this over
> > and over, I can't find
> >
> > any reference to sla400q1.unix.domain.com in DNS in IPA, and the box
> > never had any
> >
> > unix.comain.com references.
> >
> > In addition, I?m still getting the error:
> >
> > Miscellaneous failure\nNo principal in keytab matches desired name\n
> >
> > in the logs, even though:
> >
> > sla400q1:/var/adm> grep sla400q1 /etc/hosts
> >
> > 192.168.42.108  sla400q1-bk
> >
> > #10.200.5.48    sla400q1.domain.com sla400q1
> >
> > 10.200.5.48     sla400q1.domain.com sla400q1
> >
> > sla400q1:/var/adm> hostname
> >
> > sla400q1.domain.com
> >
> > sla400q1:/var/adm> domainname
> >
> > domain.com
> >
> > sla400q1:/var/adm>
> >
> > Any clues?
> >
> >
> forgot to add:
> 
> sla400q1:/var/adm> nslookup 10.200.5.48
> Server:         10.200.2.24
> Address:        10.200.2.24#53
> 
> 48.5.200.10.in-addr.arpa        name = SLA400Q1.domain.com.

hmm, DNS is case-insensitive, Kerberos is case-sensitive. If AIX Kerberos
does some reverse DNS lookups it might end up looking for
home/SLA400Q1.domain.com at UNIX.DOMAIN.COM. If you cannot change the case
of the DNS entry, please try to create an IPA host with the case
returned by DNS.

HTH

bye,
Sumit
> 
> 
> 
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6



From sakodak at gmail.com  Wed Jul 31 18:28:11 2013
From: sakodak at gmail.com (KodaK)
Date: Wed, 31 Jul 2013 13:28:11 -0500
Subject: [Freeipa-users] authenticate with base domain name?
In-Reply-To: <20130731162420.GD3648@localhost.localdomain>
References: <CAA9J0ZHxwQ0pbWboNbUFYUSz-+SLBKCXgZ5Zn3imBV99K-m_rQ@mail.gmail.com>
	<CAA9J0ZEs_OAKJN7iuY4gSPD4o+Aa+u7eex64hn=4PTkV0eRURw@mail.gmail.com>
	<CAA9J0ZEokyOyeWPH9+Fr0ddawUrkH9n4-KCqFyY+w9v4_euoAg@mail.gmail.com>
	<20130731115652.GA3648@localhost.localdomain>
	<CAA9J0ZGLpEUr1o2DFYH8rZNMrSJTHenictqA6SV4hvA17vfupA@mail.gmail.com>
	<CAA9J0ZH5+QimyPynUMsBDtyLiqAyKz4b52HgB6ZuntbdY6dgPw@mail.gmail.com>
	<20130731162420.GD3648@localhost.localdomain>
Message-ID: <CAA9J0ZHEBrgFteS6assoEZGnKJCZ=N6agThDmN5yheb8SBQmow@mail.gmail.com>

On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose <sbose at redhat.com> wrote:
>
> On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
> > On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sakodak at gmail.com> wrote:
> >
> > >
> > >
> > > On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sbose at redhat.com> wrote:
> > >
> > > > I think that's the issue. You have to make sure that host.domain.com has
> > >
> > > > a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
> > >
> > > > setup must be correct so the IPA DNS can forward the request to the
> > >
> > > > right server. Then you can call 'ipa host-add host.domain.com' which
> > >
> > > > will create a host entry with the principal
> > >
> > > > host/host.domain.com at UNIX.DOMAIN.COM. Now you can call ipa-getkeytab and
> > >
> > > > transfer the new keytab to host.domain.com.
> > >
> > > Ok, I'm dumbfounded (again.)
> > >
> > > I've removed the old host from IPA:
> > >
> > > xxx at slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
> > >
> > > ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
> > >
> > > ipa: INFO: Forwarding 'host_show' to server u'
> > > https://slpidml01.unix.domain.com/ipa/session/xml'
> > >
> > > ipa: ERROR: sla400q1.unix.domain.com: host not found
> > >
> > > And I added the new host:
> > >
> > > [xxx at slpidml01 ~]$ ipa host-show sla400q1.domain.com
> > >
> > > ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
> > >
> > > ipa: INFO: Forwarding 'host_show' to server u'
> > > https://slpidml01.unix.domain.com/ipa/xml'
> > >
> > >  Host name: sla400q1.domain.com
> > >
> > >  Principal name: host/sla400q1.domain.com at UNIX.DOMAIN.COM
> > >
> > >  Password: False
> > >
> > >   Keytab: True
> > >
> > >  Managed by: sla400q1.domain.com
> > >
> > > I generated the keytab:
> > >
> > > [xxx at slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
> > > sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully retrieved
> > > and stored in: /tmp/sla400q1.keytab
> > >
> > > [xxx at slpidml01 ~]$
> > >
> > > Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
> > >
> > > But, when I list the principals in the keytab:
> > >
> > > sla400q1:/var/adm> /usr/krb5/bin/klist -k -e
> > >
> > > Keytab name:  FILE:/etc/krb5/krb5.keytab
> > >
> > > KVNO Principal
> > >
> > > ---- ---------
> > >
> > >    1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode
> > > with HMAC/sha1)
> > >
> > >   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> > >
> > >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode
> > > with HMAC/sha1)
> > >
> > >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> > >
> > >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> > > HMAC/sha1)
> > >
> > >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> > >
> > >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> > > HMAC/sha1)
> > >
> > >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> > >
> > >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> > > HMAC/sha1)
> > >
> > >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> > >
> > >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> > > HMAC/sha1)
> > >
> > >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> > >
> > >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> > > HMAC/sha1)
> > >
> > >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> > >
> > >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
> > > 96-bit SHA-1 HMAC)
> > >
> > >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
> > > HMAC/sha1)
> > >
> > >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> > >
> > > Where are the sla400q1.unix.domain.com coming from? I've done this over
> > > and over, I can't find
> > >
> > > any reference to sla400q1.unix.domain.com in DNS in IPA, and the box
> > > never had any
> > >
> > > unix.comain.com references.
> > >
> > > In addition, I?m still getting the error:
> > >
> > > Miscellaneous failure\nNo principal in keytab matches desired name\n
> > >
> > > in the logs, even though:
> > >
> > > sla400q1:/var/adm> grep sla400q1 /etc/hosts
> > >
> > > 192.168.42.108  sla400q1-bk
> > >
> > > #10.200.5.48    sla400q1.domain.com sla400q1
> > >
> > > 10.200.5.48     sla400q1.domain.com sla400q1
> > >
> > > sla400q1:/var/adm> hostname
> > >
> > > sla400q1.domain.com
> > >
> > > sla400q1:/var/adm> domainname
> > >
> > > domain.com
> > >
> > > sla400q1:/var/adm>
> > >
> > > Any clues?
> > >
> > >
> > forgot to add:
> >
> > sla400q1:/var/adm> nslookup 10.200.5.48
> > Server:         10.200.2.24
> > Address:        10.200.2.24#53
> >
> > 48.5.200.10.in-addr.arpa        name = SLA400Q1.domain.com.
>
> hmm, DNS is case-insensitive, Kerberos is case-sensitive. If AIX Kerberos
> does some reverse DNS lookups it might end up looking for
> home/SLA400Q1.domain.com at UNIX.DOMAIN.COM. If you cannot change the case
> of the DNS entry, please try to create an IPA host with the case
> returned by DNS.
>
>

IPA just changes SLA400Q1.domain.com to lower case when I do a host-add.

I've asked the admins of "domain.com" to change the reverse entry,
we'll see how that goes.

Thanks again,

--Jason



From sakodak at gmail.com  Wed Jul 31 18:57:50 2013
From: sakodak at gmail.com (KodaK)
Date: Wed, 31 Jul 2013 13:57:50 -0500
Subject: [Freeipa-users] authenticate with base domain name?
In-Reply-To: <CAA9J0ZHEBrgFteS6assoEZGnKJCZ=N6agThDmN5yheb8SBQmow@mail.gmail.com>
References: <CAA9J0ZHxwQ0pbWboNbUFYUSz-+SLBKCXgZ5Zn3imBV99K-m_rQ@mail.gmail.com>
	<CAA9J0ZEs_OAKJN7iuY4gSPD4o+Aa+u7eex64hn=4PTkV0eRURw@mail.gmail.com>
	<CAA9J0ZEokyOyeWPH9+Fr0ddawUrkH9n4-KCqFyY+w9v4_euoAg@mail.gmail.com>
	<20130731115652.GA3648@localhost.localdomain>
	<CAA9J0ZGLpEUr1o2DFYH8rZNMrSJTHenictqA6SV4hvA17vfupA@mail.gmail.com>
	<CAA9J0ZH5+QimyPynUMsBDtyLiqAyKz4b52HgB6ZuntbdY6dgPw@mail.gmail.com>
	<20130731162420.GD3648@localhost.localdomain>
	<CAA9J0ZHEBrgFteS6assoEZGnKJCZ=N6agThDmN5yheb8SBQmow@mail.gmail.com>
Message-ID: <CAA9J0ZGt=grCHGkp_P8ocegg7HNBYomgs377cCYHziRVqSxCMw@mail.gmail.com>

On Wed, Jul 31, 2013 at 1:28 PM, KodaK <sakodak at gmail.com> wrote:
> On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose <sbose at redhat.com> wrote:
>>
>> On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
>> > On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sakodak at gmail.com> wrote:
>> >
>> > >
>> > >
>> > > On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sbose at redhat.com> wrote:
>> > >
>> > > > I think that's the issue. You have to make sure that host.domain.com has
>> > >
>> > > > a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
>> > >
>> > > > setup must be correct so the IPA DNS can forward the request to the
>> > >
>> > > > right server. Then you can call 'ipa host-add host.domain.com' which
>> > >
>> > > > will create a host entry with the principal
>> > >
>> > > > host/host.domain.com at UNIX.DOMAIN.COM. Now you can call ipa-getkeytab and
>> > >
>> > > > transfer the new keytab to host.domain.com.
>> > >
>> > > Ok, I'm dumbfounded (again.)
>> > >
>> > > I've removed the old host from IPA:
>> > >
>> > > xxx at slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
>> > >
>> > > ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
>> > >
>> > > ipa: INFO: Forwarding 'host_show' to server u'
>> > > https://slpidml01.unix.domain.com/ipa/session/xml'
>> > >
>> > > ipa: ERROR: sla400q1.unix.domain.com: host not found
>> > >
>> > > And I added the new host:
>> > >
>> > > [xxx at slpidml01 ~]$ ipa host-show sla400q1.domain.com
>> > >
>> > > ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
>> > >
>> > > ipa: INFO: Forwarding 'host_show' to server u'
>> > > https://slpidml01.unix.domain.com/ipa/xml'
>> > >
>> > >  Host name: sla400q1.domain.com
>> > >
>> > >  Principal name: host/sla400q1.domain.com at UNIX.DOMAIN.COM
>> > >
>> > >  Password: False
>> > >
>> > >   Keytab: True
>> > >
>> > >  Managed by: sla400q1.domain.com
>> > >
>> > > I generated the keytab:
>> > >
>> > > [xxx at slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
>> > > sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully retrieved
>> > > and stored in: /tmp/sla400q1.keytab
>> > >
>> > > [xxx at slpidml01 ~]$
>> > >
>> > > Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
>> > >
>> > > But, when I list the principals in the keytab:
>> > >
>> > > sla400q1:/var/adm> /usr/krb5/bin/klist -k -e
>> > >
>> > > Keytab name:  FILE:/etc/krb5/krb5.keytab
>> > >
>> > > KVNO Principal
>> > >
>> > > ---- ---------
>> > >
>> > >    1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode
>> > > with HMAC/sha1)
>> > >
>> > >   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode
>> > > with HMAC/sha1)
>> > >
>> > >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
>> > > HMAC/sha1)
>> > >
>> > >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
>> > > HMAC/sha1)
>> > >
>> > >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
>> > > HMAC/sha1)
>> > >
>> > >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
>> > > HMAC/sha1)
>> > >
>> > >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
>> > > HMAC/sha1)
>> > >
>> > >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
>> > > HMAC/sha1)
>> > >
>> > >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > > Where are the sla400q1.unix.domain.com coming from? I've done this over
>> > > and over, I can't find
>> > >
>> > > any reference to sla400q1.unix.domain.com in DNS in IPA, and the box
>> > > never had any
>> > >
>> > > unix.comain.com references.
>> > >
>> > > In addition, I?m still getting the error:
>> > >
>> > > Miscellaneous failure\nNo principal in keytab matches desired name\n
>> > >
>> > > in the logs, even though:
>> > >
>> > > sla400q1:/var/adm> grep sla400q1 /etc/hosts
>> > >
>> > > 192.168.42.108  sla400q1-bk
>> > >
>> > > #10.200.5.48    sla400q1.domain.com sla400q1
>> > >
>> > > 10.200.5.48     sla400q1.domain.com sla400q1
>> > >
>> > > sla400q1:/var/adm> hostname
>> > >
>> > > sla400q1.domain.com
>> > >
>> > > sla400q1:/var/adm> domainname
>> > >
>> > > domain.com
>> > >
>> > > sla400q1:/var/adm>
>> > >
>> > > Any clues?
>> > >
>> > >
>> > forgot to add:
>> >
>> > sla400q1:/var/adm> nslookup 10.200.5.48
>> > Server:         10.200.2.24
>> > Address:        10.200.2.24#53
>> >
>> > 48.5.200.10.in-addr.arpa        name = SLA400Q1.domain.com.
>>
>> hmm, DNS is case-insensitive, Kerberos is case-sensitive. If AIX Kerberos
>> does some reverse DNS lookups it might end up looking for
>> home/SLA400Q1.domain.com at UNIX.DOMAIN.COM. If you cannot change the case
>> of the DNS entry, please try to create an IPA host with the case
>> returned by DNS.
>>
>>
>
> IPA just changes SLA400Q1.domain.com to lower case when I do a host-add.
>
> I've asked the admins of "domain.com" to change the reverse entry,
> we'll see how that goes.
>
> Thanks again,
>
> --Jason

Unfortunately, that made no difference:

sla400q1:/var/adm> nslookup 10.200.5.48
Server:         10.200.2.24
Address:        10.200.2.24#53

48.5.200.10.in-addr.arpa        name = sla400q1.domain.com.


Jul 31 14:55:09 sla400q1 auth|security:debug sshd[25624644]: debug1:
Miscellaneous failure\nNo principal in keytab matches desired name\n

It sure would be nice if the desired name was printed along with that
error message.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



From sbose at redhat.com  Wed Jul 31 19:32:52 2013
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 31 Jul 2013 21:32:52 +0200
Subject: [Freeipa-users] authenticate with base domain name?
In-Reply-To: <CAA9J0ZGt=grCHGkp_P8ocegg7HNBYomgs377cCYHziRVqSxCMw@mail.gmail.com>
References: <CAA9J0ZHxwQ0pbWboNbUFYUSz-+SLBKCXgZ5Zn3imBV99K-m_rQ@mail.gmail.com>
	<CAA9J0ZEs_OAKJN7iuY4gSPD4o+Aa+u7eex64hn=4PTkV0eRURw@mail.gmail.com>
	<CAA9J0ZEokyOyeWPH9+Fr0ddawUrkH9n4-KCqFyY+w9v4_euoAg@mail.gmail.com>
	<20130731115652.GA3648@localhost.localdomain>
	<CAA9J0ZGLpEUr1o2DFYH8rZNMrSJTHenictqA6SV4hvA17vfupA@mail.gmail.com>
	<CAA9J0ZH5+QimyPynUMsBDtyLiqAyKz4b52HgB6ZuntbdY6dgPw@mail.gmail.com>
	<20130731162420.GD3648@localhost.localdomain>
	<CAA9J0ZHEBrgFteS6assoEZGnKJCZ=N6agThDmN5yheb8SBQmow@mail.gmail.com>
	<CAA9J0ZGt=grCHGkp_P8ocegg7HNBYomgs377cCYHziRVqSxCMw@mail.gmail.com>
Message-ID: <20130731193252.GE3648@localhost.localdomain>

On Wed, Jul 31, 2013 at 01:57:50PM -0500, KodaK wrote:
> On Wed, Jul 31, 2013 at 1:28 PM, KodaK <sakodak at gmail.com> wrote:
> > On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose <sbose at redhat.com> wrote:
> >>
> >> On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
> >> > On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sakodak at gmail.com> wrote:
> >> >
> >> > >
> >> > >
> >> > > On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sbose at redhat.com> wrote:
> >> > >
> 
> Unfortunately, that made no difference:
> 
> sla400q1:/var/adm> nslookup 10.200.5.48
> Server:         10.200.2.24
> Address:        10.200.2.24#53
> 
> 48.5.200.10.in-addr.arpa        name = sla400q1.domain.com.
> 
> 
> Jul 31 14:55:09 sla400q1 auth|security:debug sshd[25624644]: debug1:
> Miscellaneous failure\nNo principal in keytab matches desired name\n
> 
> It sure would be nice if the desired name was printed along with that
> error message.

Can you increase the debug level of sshd any further? Maybe the name is
listen then? Are you sure sshd is expecting the keytab in
/etc/krb5/krb5.keytab on AIX?

bye,
Sumit
> 
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6



From sakodak at gmail.com  Wed Jul 31 20:03:04 2013
From: sakodak at gmail.com (KodaK)
Date: Wed, 31 Jul 2013 15:03:04 -0500
Subject: [Freeipa-users] authenticate with base domain name?
In-Reply-To: <CAA9J0ZHEBrgFteS6assoEZGnKJCZ=N6agThDmN5yheb8SBQmow@mail.gmail.com>
References: <CAA9J0ZHxwQ0pbWboNbUFYUSz-+SLBKCXgZ5Zn3imBV99K-m_rQ@mail.gmail.com>
	<CAA9J0ZEs_OAKJN7iuY4gSPD4o+Aa+u7eex64hn=4PTkV0eRURw@mail.gmail.com>
	<CAA9J0ZEokyOyeWPH9+Fr0ddawUrkH9n4-KCqFyY+w9v4_euoAg@mail.gmail.com>
	<20130731115652.GA3648@localhost.localdomain>
	<CAA9J0ZGLpEUr1o2DFYH8rZNMrSJTHenictqA6SV4hvA17vfupA@mail.gmail.com>
	<CAA9J0ZH5+QimyPynUMsBDtyLiqAyKz4b52HgB6ZuntbdY6dgPw@mail.gmail.com>
	<20130731162420.GD3648@localhost.localdomain>
	<CAA9J0ZHEBrgFteS6assoEZGnKJCZ=N6agThDmN5yheb8SBQmow@mail.gmail.com>
Message-ID: <CAA9J0ZGzdQvU_bkGkwZiX1CDab3BCMYPRPvJ3D4Bmyt1weTFZg@mail.gmail.com>

On Wed, Jul 31, 2013 at 1:28 PM, KodaK <sakodak at gmail.com> wrote:
> On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose <sbose at redhat.com> wrote:
>>
>> On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
>> > On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sakodak at gmail.com> wrote:
>> >
>> > >
>> > >
>> > > On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sbose at redhat.com> wrote:
>> > >
>> > > > I think that's the issue. You have to make sure that host.domain.com has
>> > >
>> > > > a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
>> > >
>> > > > setup must be correct so the IPA DNS can forward the request to the
>> > >
>> > > > right server. Then you can call 'ipa host-add host.domain.com' which
>> > >
>> > > > will create a host entry with the principal
>> > >
>> > > > host/host.domain.com at UNIX.DOMAIN.COM. Now you can call ipa-getkeytab and
>> > >
>> > > > transfer the new keytab to host.domain.com.
>> > >
>> > > Ok, I'm dumbfounded (again.)
>> > >
>> > > I've removed the old host from IPA:
>> > >
>> > > xxx at slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
>> > >
>> > > ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
>> > >
>> > > ipa: INFO: Forwarding 'host_show' to server u'
>> > > https://slpidml01.unix.domain.com/ipa/session/xml'
>> > >
>> > > ipa: ERROR: sla400q1.unix.domain.com: host not found
>> > >
>> > > And I added the new host:
>> > >
>> > > [xxx at slpidml01 ~]$ ipa host-show sla400q1.domain.com
>> > >
>> > > ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
>> > >
>> > > ipa: INFO: Forwarding 'host_show' to server u'
>> > > https://slpidml01.unix.domain.com/ipa/xml'
>> > >
>> > >  Host name: sla400q1.domain.com
>> > >
>> > >  Principal name: host/sla400q1.domain.com at UNIX.DOMAIN.COM
>> > >
>> > >  Password: False
>> > >
>> > >   Keytab: True
>> > >
>> > >  Managed by: sla400q1.domain.com
>> > >
>> > > I generated the keytab:
>> > >
>> > > [xxx at slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
>> > > sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully retrieved
>> > > and stored in: /tmp/sla400q1.keytab
>> > >
>> > > [xxx at slpidml01 ~]$
>> > >
>> > > Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
>> > >
>> > > But, when I list the principals in the keytab:
>> > >
>> > > sla400q1:/var/adm> /usr/krb5/bin/klist -k -e
>> > >
>> > > Keytab name:  FILE:/etc/krb5/krb5.keytab
>> > >
>> > > KVNO Principal
>> > >
>> > > ---- ---------
>> > >
>> > >    1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode
>> > > with HMAC/sha1)
>> > >
>> > >   1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode
>> > > with HMAC/sha1)
>> > >
>> > >   2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
>> > > HMAC/sha1)
>> > >
>> > >   1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
>> > > HMAC/sha1)
>> > >
>> > >   2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
>> > > HMAC/sha1)
>> > >
>> > >   3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
>> > > HMAC/sha1)
>> > >
>> > >   4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
>> > > HMAC/sha1)
>> > >
>> > >   5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with
>> > > 96-bit SHA-1 HMAC)
>> > >
>> > >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with
>> > > HMAC/sha1)
>> > >
>> > >   6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>> > >
>> > > Where are the sla400q1.unix.domain.com coming from? I've done this over
>> > > and over, I can't find
>> > >
>> > > any reference to sla400q1.unix.domain.com in DNS in IPA, and the box
>> > > never had any
>> > >
>> > > unix.comain.com references.
>> > >
>> > > In addition, I?m still getting the error:
>> > >
>> > > Miscellaneous failure\nNo principal in keytab matches desired name\n
>> > >
>> > > in the logs, even though:
>> > >
>> > > sla400q1:/var/adm> grep sla400q1 /etc/hosts
>> > >
>> > > 192.168.42.108  sla400q1-bk
>> > >
>> > > #10.200.5.48    sla400q1.domain.com sla400q1
>> > >
>> > > 10.200.5.48     sla400q1.domain.com sla400q1
>> > >
>> > > sla400q1:/var/adm> hostname
>> > >
>> > > sla400q1.domain.com
>> > >
>> > > sla400q1:/var/adm> domainname
>> > >
>> > > domain.com
>> > >
>> > > sla400q1:/var/adm>
>> > >
>> > > Any clues?
>> > >
>> > >
>> > forgot to add:
>> >
>> > sla400q1:/var/adm> nslookup 10.200.5.48
>> > Server:         10.200.2.24
>> > Address:        10.200.2.24#53
>> >
>> > 48.5.200.10.in-addr.arpa        name = SLA400Q1.domain.com.
>>
>> hmm, DNS is case-insensitive, Kerberos is case-sensitive. If AIX Kerberos
>> does some reverse DNS lookups it might end up looking for
>> home/SLA400Q1.domain.com at UNIX.DOMAIN.COM. If you cannot change the case
>> of the DNS entry, please try to create an IPA host with the case
>> returned by DNS.
>>
>>
>
> IPA just changes SLA400Q1.domain.com to lower case when I do a host-add.
>
> I've asked the admins of "domain.com" to change the reverse entry,
> we'll see how that goes.
>
> Thanks again,
>
> --Jason

Blew everything away regarding this host in IPA, cleared the keytab
and caches on the AIX box.

And I have success.  Finally.

Thanks!



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6