<html><body>Hi Robert, No I did not cut it off ....there was no reason listed.. that was the last line about the issue. I did find this to be my issue however <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1262718">https://bugzilla.redhat.com/show_bug.cgi?id=1262718</a> ... having our sat guys see if they can pull the new selinux policy packages as I do not see them avail right now for my boxes. [root@server2 log]# ausearch -m avc -m user_avc -m selinux_err -i -ts recent ---- type=USER_AVC msg=audit(11/17/2016 10:35:04.074:2502) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' ---- type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0 name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL type=SYSCALL msg=audit(11/17/2016 10:37:21.803:2543) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7fbc870da950 a1=W_OK|R_OK a2=0x4000 a3=0xfffffffffffff8e8 items=1 ppid=1 pid=2875 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null) type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc: denied { write } for pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir ---- type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0 name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 objtype=NORMAL type=SYSCALL msg=audit(11/17/2016 10:37:21.866:2544) : arch=x86_64 syscall=open success=yes exit=11 a0=0x7fbc8712a080 a1=O_RDWR a2=0x180 a3=0x0 items=1 ppid=2875 pid=2918 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null) type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc: denied { write } for pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file [root@server2 log]# rpm -qf /etc/ipa/nssdb ipa-python-4.1.0-18.el7_1.4.x86_64 Encryption types.. thanks for the command.. good to know but hate seeing the arcfour and des options as I know DISA will not like that. [root@ipa1 ~]# ldapsearch -x -D 'cn=directory manager' -W -s base -b cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local krbSupportedEncSaltTypes Enter LDAP Password: # extended LDIF # # LDAPv3 # base <cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local> with scope baseObject # filter: (objectclass=*) # requesting: krbSupportedEncSaltTypes # # IPA.LOCAL, kerberos, ipa.local dn: cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local krbSupportedEncSaltTypes: aes256-cts:normal krbSupportedEncSaltTypes: aes256-cts:special krbSupportedEncSaltTypes: aes128-cts:normal krbSupportedEncSaltTypes: aes128-cts:special krbSupportedEncSaltTypes: des3-hmac-sha1:normal krbSupportedEncSaltTypes: des3-hmac-sha1:special krbSupportedEncSaltTypes: arcfour-hmac:normal krbSupportedEncSaltTypes: arcfour-hmac:special # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Sean Hogan <img width="16" height="16" src="cid:1__=88BB0AFDDFC609B68f9e8a93df938690918c88B@" border="0" alt="Inactive hide details for Rob Crittenden ---11/17/2016 07:59:55 AM---Sean Hogan wrote: > Hi Jakub,">Rob Crittenden ---11/17/2016 07:59:55 AM---Sean Hogan wrote: > Hi Jakub, From: Rob Crittenden <rcritten@redhat.com> To: Sean Hogan/Durham/IBM@IBMUS, Jakub Hrozek <jhrozek@redhat.com> Cc: freeipa-users@redhat.com, Martin Babinsky <mbabinsk@redhat.com> Date: 11/17/2016 07:59 AM Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> <tt>Sean Hogan wrote: > Hi Jakub, > > I ended up re-enrolling the box and it is behaving as expected except I > am not getting a host cert. Robert indicated auto host cert no longer > avail with rhel 7 but using the --request -cert option on enroll to get > a host cert if I wanted one. I did so and get this in the install log > > > *2016-11-16T22:00:53Z DEBUG Starting external process* > *2016-11-16T22:00:53Z DEBUG args='/bin/systemctl' 'is-active' > 'certmonger.service'* > *2016-11-16T22:00:53Z DEBUG Process finished, return code=0* > *2016-11-16T22:00:53Z DEBUG stdout=active* > > *2016-11-16T22:00:53Z DEBUG stderr=* > *2016-11-16T22:00:53Z ERROR certmonger request for host certificate failed* Did you cut off the reason reported for the request failing? > Maybe this is an issue with RHEL 7(4.x) client hitting a RHEL 6 (3.x) > IPA server? You could look in the server logs for details. > As for crypto on RHEL 6 IPA I have (if this is what you looking for). > However this is modified version as it took me a while to get this list > to pass tenable scans by modding the dse files. > [root@ipa1 ~]# nmap --script ssl-enum-ciphers -p 636 `hostname` These are the TLS settings for LDAP, not the Kerberos encryption types supported. You instead want to run: $ ldapsearch -x -D 'cn=directory manager' -W -s base -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com krbSupportedEncSaltTypes rob </tt> </body></html>