From kambiz at mcnc.org Thu Jul 2 19:04:05 2009
From: kambiz at mcnc.org (Kambiz Aghaiepour)
Date: Thu, 02 Jul 2009 15:04:05 -0400
Subject: [Freeipa-users] quick question regarding AD <--> FreeIPA password sync ...
Message-ID: <4A4D04A5.8070407@mcnc.org>

Looking at:

http://www.freeipa.org/page/PasswordSynchronization

It's not clear to me what is meant by:

"Just assign an identity and password to the remote synchronization agent and list this identity in the passSyncManagersDNs attribute."

Is it possible to have a sample configuration described in greater detail? Do I go through "add user" or "add service principal" in the web UI?

Also, during the installation of the WinSync agent on AD, the username and password I presume are the same as the remote sync agent described above, correct? What values are needed for "Cert Token" and "Search Base"?

Thanks for your help
Kambiz

--
"All tyranny needs to gain a foothold is for people of good conscience to remain silent." --Thomas Jefferson

From rcritten at redhat.com Thu Jul 2 19:44:12 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 02 Jul 2009 15:44:12 -0400
Subject: [Freeipa-users] quick question regarding AD <--> FreeIPA password sync ...
In-Reply-To: <4A4D04A5.8070407@mcnc.org>
References: <4A4D04A5.8070407@mcnc.org>
Message-ID: <4A4D0E0C.5030403@redhat.com>

Kambiz Aghaiepour wrote:
> Looking at:
>
> http://www.freeipa.org/page/PasswordSynchronization
>
> It's not clear to me what is meant by:
> "Just assign an identity and password to the remote synchronization
> agent and list this identity in the passSyncManagersDNs attribute."
>
> Is it possible to have a sample configuration described in greater
> detail? Do I go through "add user" or "add service principal" in the
> web UI?

The user for this is created by ipa-replica-manage when you create an AD sync agreement. You can get the details on this user in ipaserver/install/replication.py, the function add_passsync_user().

What this page is trying to say is that we don't want password policy applied to any passwords that might be coming in from AD (including requiring a password reset). There is a list of DNs stored in the IPA password policy config entry of users who can change passwords outside of policy. This user gets added to that automatically (also in this function).

> Also, during the installation of the WinSync agent on AD, the username
> and password I presume are the same as the remote sync agent described
> above, correct? What values are needed for "Cert Token" and "Search Base"?

Been a while since I did AD replication but I believe that Cert Token is the password for the NSS database on the AD side and IIRC Search Base is where entries are found in the IPA server (dc=example,dc=com).

rob

From m.s.hannessen at drecomm.nl Mon Jul 6 08:40:38 2009
From: m.s.hannessen at drecomm.nl (Mark Hannessen)
Date: Mon, 6 Jul 2009 10:40:38 +0200
Subject: [Freeipa-users] FreeIPA Multi Valued Custom Fields
In-Reply-To: <4A379B29.8080105@redhat.com>
References: <200906161108.06173.m.s.hannessen@drecomm.nl> <4A379B29.8080105@redhat.com>
Message-ID: <200907061040.39103.m.s.hannessen@drecomm.nl>

Hi Rob, (and list)

Sorry for the very late reply.
We are still interested in using FreeIPA for our project.

Any support you could give us to the minimum needed for multi-valued attributes working would be more than welcome.

Kind Regards,

Mark Hannessen

On Tuesday 16 June 2009 03:16:25 pm Rob Crittenden wrote:
> Mark Hannessen wrote:
> > Hi List,
> >
> > I am currently deploying a freeipa installation for use within our
> > company.
> > I have successfully added a couple of custom attributes to the Fedora
> > Directory Server and to the web interface using ipacustomfields in
> > cn=ipaConfig,cn=etc
> >
> > All attributes however appear in the interface as single-valued
> > attributes.
> >
> > Does anyone know if it is possible (or hackable) to present them as
> > multi-valued attributes in the interface? (all my custom attributes
> > happen to be multi-valued, so a hack that would make them all appear
> > multi-valued would be enough in my case as well)
>
> Unfortunately our support for UI customization is very weak right now
> (which is one reason we started from scratch again).
>
> It only supports single-valued custom attributes right now. To try to
> add in multi-valued attributes would require a fair bit of work. In
> order to make the UI act the way we wanted we had to dump the TurboGears
> template system so it isn't as simple as adding in a new reference to a
> UI object. A bunch of custom code needs to be added, particularly for
> multi-valued fields.
>
> It isn't an impossible task but it would require a bit of coding on your
> end.
> I can try to point you in the right direction if you want to go
> that route (you'd just have to be careful about saving your work so an
> IPA update doesn't wipe it all out).
>
> rob

From kambiz at mcnc.org Mon Jul 6 16:12:42 2009
From: kambiz at mcnc.org (Kambiz Aghaiepour)
Date: Mon, 06 Jul 2009 12:12:42 -0400
Subject: [Freeipa-users] more password sync with AD questions ....
Message-ID: <4A52227A.9030702@mcnc.org>

Once AD password sync is established, is there an easy way to prepopulate the users in FreeIPA with the users in AD? Or do I need to define the users in FreeIPA that I want to sync? Also, is there a risk of overwriting a user's password in AD if the user is defined in FreeIPA after the sync agreement is set up?

Thanks
Kambiz

--
"All tyranny needs to gain a foothold is for people of good conscience to remain silent." --Thomas Jefferson

From rcritten at redhat.com Mon Jul 6 17:35:04 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 06 Jul 2009 13:35:04 -0400
Subject: [Freeipa-users] FreeIPA Multi Valued Custom Fields
In-Reply-To: <200907061040.39103.m.s.hannessen@drecomm.nl>
References: <200906161108.06173.m.s.hannessen@drecomm.nl> <4A379B29.8080105@redhat.com> <200907061040.39103.m.s.hannessen@drecomm.nl>
Message-ID: <4A5235C8.4060707@redhat.com>

Mark Hannessen wrote:
> Hi Rob, (and list)
>
> Sorry for the very late reply.
> We are still interested in using FreeIPA for our project.
>
> Any support you could give us to the minimum needed for multi-valued
> attributes working would be more than welcome.

Ok, it is going to require a fair bit of work to add them.

The files you need to edit in the source tree are in ipa-server/ipa-gui/ipagui. They are installed in /usr/share/ipa/ipagui.

What I would recommend doing is using the attribute mobile as a template.

You will need to define whatever new attributes you want in forms/user.py

A new field will look like:

    c = ExpandingForm(name="countries", label="Country", fields=[c])

You also need to add initialization and conversion calls in subcontrollers/user.py.

Finally you add the new attributes to templates/usernewform.py and templates/usereditform.py. Again, follow the existing convention.

This is way harder than it needs to be because we wanted total control over the appearance so we couldn't use the traditional TurboGears rendering engine. This means that all the attributes are hardcoded and this is particularly ugly when it comes to multi-valued attributes. We use the ExpandingForm widget to display things and this relies heavily on Javascript.

The form uses a pluralized form of the attribute (telephonenumbers, mobiles, etc) to store the data visually for the user. This gets converted back into an LDAP attribute name in subcontrollers/user.py.

Hope that isn't too scary.
rob

> Kind Regards,
>
> Mark Hannessen
>
> On Tuesday 16 June 2009 03:16:25 pm Rob Crittenden wrote:
>> Mark Hannessen wrote:
>>> Hi List,
>>>
>>> I am currently deploying a freeipa installation for use within our
>>> company.
>>> I have successfully added a couple of custom attributes to the Fedora
>>> Directory Server and to the web interface using ipacustomfields in
>>> cn=ipaConfig,cn=etc
>>>
>>> All attributes however appear in the interface as single-valued
>>> attributes.
>>>
>>> Does anyone know if it is possible (or hackable) to present them as
>>> multi-valued attributes in the interface? (all my custom attributes
>>> happen to be multi-valued, so a hack that would make them all appear
>>> multi-valued would be enough in my case as well)
>>
>> Unfortunately our support for UI customization is very weak right now
>> (which is one reason we started from scratch again).
>>
>> It only supports single-valued custom attributes right now. To try to
>> add in multi-valued attributes would require a fair bit of work. In
>> order to make the UI act the way we wanted we had to dump the TurboGears
>> template system so it isn't as simple as adding in a new reference to a
>> UI object. A bunch of custom code needs to be added, particularly for
>> multi-valued fields.
>>
>> It isn't an impossible task but it would require a bit of coding on your
>> end. I can try to point you in the right direction if you want to go
>> that route (you'd just have to be careful about saving your work so an
>> IPA update doesn't wipe it all out).
>>
>> rob

From rcritten at redhat.com Mon Jul 6 17:42:06 2009
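The conversion Rob describes above (plural form field names such as "mobiles" or "countries" on the UI side, single LDAP attribute names on the directory side) is easy to get subtly wrong for multi-valued data: blank rows left by an expanding widget, duplicated values, and undeclared fields all need handling before anything is written back. The block below is an added illustration, not FreeIPA's ipagui code. The attribute names mobile and telephonenumber and the "countries"/"Country" field come from the thread; the mapping table, the helper names and their behaviour are assumptions for the example.

```python
"""Plural form field <-> LDAP attribute conversion for multi-valued fields.

Added example, not FreeIPA's subcontrollers/user.py. The mapping table and
helper names are assumptions; only the attribute names come from the thread.
"""
from typing import Dict, List, Union

# Form field name (plural, as the expanding widget renders it) -> LDAP attribute.
# Only fields declared here are ever written, so unexpected form keys are ignored.
MULTI_VALUED_FIELDS = {
    "telephonenumbers": "telephonenumber",
    "mobiles": "mobile",
    "countries": "country",   # the custom attribute from Rob's ExpandingForm snippet
}

Values = Union[str, List[str]]


def _as_list(value: Values) -> List[str]:
    """LDAP libraries and form posts may hand back a bare string or a list."""
    return [value] if isinstance(value, str) else list(value)


def ldap_to_form(entry: Dict[str, Values]) -> Dict[str, List[str]]:
    """Initialization direction: copy each multi-valued LDAP attribute into its
    plural form field, always as a list so the widget can render one row per value."""
    return {field: _as_list(entry.get(attr, []))
            for field, attr in MULTI_VALUED_FIELDS.items()}


def form_to_ldap(form: Dict[str, Values]) -> Dict[str, List[str]]:
    """Conversion direction: turn submitted plural fields back into LDAP
    attributes. Blank rows are dropped, duplicates collapse to one value
    (order preserved), and attributes with no remaining values are omitted so
    the caller can treat absence as 'delete the attribute'."""
    out: Dict[str, List[str]] = {}
    for field, attr in MULTI_VALUED_FIELDS.items():
        cleaned: List[str] = []
        for value in _as_list(form.get(field, [])):
            value = value.strip()
            if value and value not in cleaned:
                cleaned.append(value)
        if cleaned:
            out[attr] = cleaned
    return out


if __name__ == "__main__":
    # Constructed sample form post with a blank row and a repeated value.
    posted = {"mobiles": ["+1 555 0100", "  ", "+1 555 0100"], "countries": "NL", "nickname": "x"}
    print(form_to_ldap(posted))
```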
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 06 Jul 2009 13:42:06 -0400
Subject: [Freeipa-users] more password sync with AD questions ....
In-Reply-To: <4A52227A.9030702@mcnc.org>
References: <4A52227A.9030702@mcnc.org>
Message-ID: <4A52376E.1000305@redhat.com>

Kambiz Aghaiepour wrote:
> Once AD password sync is established, is there an easy way to
> prepopulate the users in FreeIPA with the users in AD? Or do I need to
> define the users in FreeIPA that I want to sync? Also, is there a risk
> of overwriting a user's password in AD if the user is defined in FreeIPA
> after the sync agreement is set up?
>
> Thanks
> Kambiz

IIRC users created on AD will be synced to IPA but not the other way around.

The linkage between an IPA user and a DS user is the attribute samAccountName. If the entry lacks this (and the ntUser objectclass) then they will not be synced.

rob

From m.s.hannessen at drecomm.nl Wed Jul 8 11:39:21 2009
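Two of Rob's answers in this thread describe directory state worth auditing offline: the list of DNs in passSyncManagersDNs (his reply to Kambiz's first question), since every identity on that list can set passwords without the password policy or forced reset applying, and the samAccountName/ntUser linkage (his reply above) that decides which user entries the sync agreement will actually carry. The block below is an added example, not FreeIPA's own code. It parses a small constructed LDIF export; the attribute names passSyncManagersDNs, samAccountName and ntUser are from the thread, while the entry DNs, the config entry location and the user names are made up for the sample.

```python
"""Offline audit of pass-sync managers and winsync eligibility from an LDIF export.

Added example, not FreeIPA's code. The config entry DN and all user entries
below are constructed for illustration; only the attribute names are from the thread.
"""
from typing import Dict, List

# Constructed LDIF. The first entry stands in for the "IPA password policy config
# entry" Rob mentions; its DN here is an assumption, not taken from the thread.
SAMPLE_LDIF = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
objectClass: top
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
objectClass: posixAccount
objectClass: ntUser
uid: alice
samAccountName: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
objectClass: posixAccount
uid: bob

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
objectClass: ntUser
uid: carol
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries are blank-line separated, attribute names are
    case-insensitive (lower-cased here), folded continuation lines (leading space)
    are re-joined, comments are skipped. Base64 ('::') values are not needed here."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def passsync_managers(entries: List[Entry]) -> List[str]:
    """Every DN allowed to change passwords outside policy. Anything here beyond
    the agent ipa-replica-manage created deserves a second look."""
    dns: List[str] = []
    for entry in entries:
        dns.extend(entry.get("passsyncmanagersdns", []))
    return dns


def winsync_eligible(entries: List[Entry]) -> Dict[str, bool]:
    """uid -> True if the entry carries both samAccountName and the ntUser
    objectclass, the linkage Rob says the sync needs."""
    result: Dict[str, bool] = {}
    for entry in entries:
        if "uid" not in entry:
            continue
        classes = {c.lower() for c in entry.get("objectclass", [])}
        result[entry["uid"][0]] = "ntuser" in classes and "samaccountname" in entry
    return result


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("policy-exempt DNs:", passsync_managers(parsed))
    print("sync eligibility:", winsync_eligible(parsed))
```

Against a real server the same two functions can be fed the output of an ldapsearch export instead of the constructed string; the point of the check is that carol (ntUser but no samAccountName) and bob (no ntUser) silently stay out of the sync, and that the exempt-DN list is reviewed rather than assumed to hold only the sync agent.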
From: m.s.hannessen at drecomm.nl (Mark Hannessen)
Date: Wed, 8 Jul 2009 13:39:21 +0200
Subject: [Freeipa-users] FreeIPA Multi Valued Custom Fields
In-Reply-To: <4A5235C8.4060707@redhat.com>
References: <200906161108.06173.m.s.hannessen@drecomm.nl> <200907061040.39103.m.s.hannessen@drecomm.nl> <4A5235C8.4060707@redhat.com>
Message-ID: <200907081339.21826.m.s.hannessen@drecomm.nl>

O my, o my....

But I actually got it to work :D

Thank you very much for the push in the right direction, it really helped. I think I'll be writing a bash script that will generate the template files though. It's too prone to errors to do it all by hand.

In order to get there I had to modify the following files:

./forms/user.py
./templates/usereditform.kid
./templates/usernewform.kid
./templates/usershow.kid
./subcontrollers/user.py

Kind regards,

Mark Hannessen

On Monday 06 July 2009 07:35:04 pm you wrote:
> Mark Hannessen wrote:
> > Hi Rob, (and list)
> >
> > Sorry for the very late reply.
> > We are still interested in using FreeIPA for our project.
> >
> > Any support you could give us to the minimum needed for multi-valued
> > attributes working would be more than welcome.
>
> Ok, it is going to require a fair bit of work to add them.
>
> The files you need to edit in the source tree are in
> ipa-server/ipa-gui/ipagui. They are installed in /usr/share/ipa/ipagui.
>
> What I would recommend doing is using the attribute mobile as a template.
>
> You will need to define whatever new attributes you want in forms/user.py
>
> A new field will look like:
>
> c = ExpandingForm(name="countries", label="Country", fields=[c])
>
> You also need to add initialization and conversion calls in
> subcontrollers/user.py.
>
> Finally you add the new attributes to templates/usernewform.py and
> templates/usereditform.py. Again, follow the existing convention.
> This is way harder than it needs to be because we wanted total control over
> the appearance so we couldn't use the traditional TurboGears rendering
> engine. This means that all the attributes are hardcoded and this is
> particularly ugly when it comes to multi-valued attributes. We use the
> ExpandingForm widget to display things and this relies heavily on
> Javascript.
>
> The form uses a pluralized form of the attribute (telephonenumbers,
> mobiles, etc) to store the data visually for the user. This gets
> converted back into an LDAP attribute name in subcontrollers/user.py.
>
> Hope that isn't too scary.
>
> rob
>
> > Kind Regards,
> >
> > Mark Hannessen
> >
> > On Tuesday 16 June 2009 03:16:25 pm Rob Crittenden wrote:
> >> Mark Hannessen wrote:
> >>> Hi List,
> >>>
> >>> I am currently deploying a freeipa installation for use within our
> >>> company.
> >>> I have successfully added a couple of custom attributes to the Fedora
> >>> Directory Server and to the web interface using ipacustomfields in
> >>> cn=ipaConfig,cn=etc
> >>>
> >>> All attributes however appear in the interface as single-valued
> >>> attributes.
> >>>
> >>> Does anyone know if it is possible (or hackable) to present them as
> >>> multi-valued attributes in the interface? (all my custom attributes
> >>> happen to be multi-valued, so a hack that would make them all appear
> >>> multi-valued would be enough in my case as well)
> >>
> >> Unfortunately our support for UI customization is very weak right now
> >> (which is one reason we started from scratch again).
> >>
> >> It only supports single-valued custom attributes right now. To try to
> >> add in multi-valued attributes would require a fair bit of work. In
> >> order to make the UI act the way we wanted we had to dump the TurboGears
> >> template system so it isn't as simple as adding in a new reference to a
> >> UI object. A bunch of custom code needs to be added, particularly for
> >> multi-valued fields.
> >>
> >> It isn't an impossible task but it would require a bit of coding on your
> >> end. I can try to point you in the right direction if you want to go
> >> that route (you'd just have to be careful about saving your work so an
> >> IPA update doesn't wipe it all out).
> >>
> >> rob

From rcritten at redhat.com Wed Jul 8 13:01:48 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Jul 2009 09:01:48 -0400
Subject: [Freeipa-users] FreeIPA Multi Valued Custom Fields
In-Reply-To: <200907081339.21826.m.s.hannessen@drecomm.nl>
References: <200906161108.06173.m.s.hannessen@drecomm.nl> <200907061040.39103.m.s.hannessen@drecomm.nl> <4A5235C8.4060707@redhat.com> <200907081339.21826.m.s.hannessen@drecomm.nl>
Message-ID: <4A5498BC.4000500@redhat.com>

Mark Hannessen wrote:
> O my, o my....
>
> But I actually got it to work :D
>
> Thank you very much for the push in the right direction, it really helped. I
> think I'll be writing a bash script that will generate the template files
> though. It's too prone to errors to do it all by hand.
>
> In order to get there I had to modify the following files:
>
> ./forms/user.py
> ./templates/usereditform.kid
> ./templates/usernewform.kid
> ./templates/usershow.kid
> ./subcontrollers/user.py

Sweet, glad you got it working!

cheers

rob

From visser.rob at gmail.com Fri Jul 10 15:03:07 2009
From: visser.rob at gmail.com (Rob Visser)
Date: Fri, 10 Jul 2009 17:03:07 +0200
Subject: [Freeipa-users] Smart card integration into FreeIPA
Message-ID: <869100480907100803y4cabde99tbc7508c544f341b3@mail.gmail.com>

Somewhere in the FreeIPA documentation it is stated that it is not recommended to use pk_init to integrate smart cards. How should it be done?

Thanks,

Rob Visser

From David.Christensen at viveli.com Fri Jul 10 22:16:33 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Fri, 10 Jul 2009 17:16:33 -0500
Subject: [Freeipa-users] User passwords expired
Message-ID: <4A57BDC1.8070507@viveli.com>

Every user I add is indicated as their password being expired, assuming this is normal and this forces users to create their own password when they first log in (not sure). I tried logging in as a test user.

I was prompted with the expired password update now and attempted to do so. When I tried to change the password I got an error: kinit(v5) password change failed while getting initial credentials.

What is this error telling me?

I tried changing the password for the user via the UI but the account is still indicated as password expired.

From ssorce at redhat.com Sat Jul 11 15:36:48 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 11 Jul 2009 11:36:48 -0400
Subject: [Freeipa-users] User passwords expired
In-Reply-To: <4A57BDC1.8070507@viveli.com>
References: <4A57BDC1.8070507@viveli.com>
Message-ID: <1247326608.6317.231.camel@localhost.localdomain>

On Fri, 2009-07-10 at 17:16 -0500, David Christensen wrote:
> Every user I add is indicated as their password being expired, assuming
> this is normal and this forces users to create their own password when
> they first log in (not sure). I tried logging in as a test user.

See: http://freeipa.org/page/NewPasswordsExpired

> I was prompted with the expired password update now and attempted to do
> so. When I tried to change the password I got an error: kinit(v5)
> password change failed while getting initial credentials.
>
> What is this error telling me?

Is ipa-kpasswd running on your IPA Server?
Do you see errors in /var/log/krb5kdc.log on the server?

> I tried changing the password for the user via the UI but the account is
> still indicated as password expired.

Expected, see the doc above.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From David.Christensen at viveli.com Sat Jul 11 19:41:23 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Sat, 11 Jul 2009 14:41:23 -0500
Subject: [Freeipa-users] User passwords expired
In-Reply-To: <1247326608.6317.231.camel@localhost.localdomain>
References: <4A57BDC1.8070507@viveli.com> <1247326608.6317.231.camel@localhost.localdomain>
Message-ID: <4A58EAE3.1060303@viveli.com>

Simo Sorce wrote:
> On Fri, 2009-07-10 at 17:16 -0500, David Christensen wrote:
>> Every user I add is indicated as their password being expired, assuming
>> this is normal and this forces users to create their own password when
>> they first log in (not sure). I tried logging in as a test user.
>
> See: http://freeipa.org/page/NewPasswordsExpired
>
>> I was prompted with the expired password update now and attempted to do
>> so. When I tried to change the password I got an error: kinit(v5)
>> password change failed while getting initial credentials.
>>
>> What is this error telling me?
>
> Is ipa-kpasswd running on your IPA Server?
> Do you see errors in /var/log/krb5kdc.log on the server?
>
>> I tried changing the password for the user via the UI but the account is
>> still indicated as password expired.
>
> Expected, see the doc above.
>
> Simo.

Simo,

This is a sample of the log file for the test user I have been using:

Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: CLIENT KEY EXPIRED: davidc@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Jul 10 17:34:22 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265262, etypes {rep=18 tkt=18 ses=18}, davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for ldap/ipa1.example.com@EXAMPLE.COM

I verified that ipa_kpasswd is indeed running.

David

From ssorce at redhat.com Sat Jul 11 20:21:02 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 11 Jul 2009 16:21:02 -0400
Subject: [Freeipa-users] User passwords expired
In-Reply-To: <4A58EAE3.1060303@viveli.com>
References: <4A57BDC1.8070507@viveli.com> <1247326608.6317.231.camel@localhost.localdomain> <4A58EAE3.1060303@viveli.com>
Message-ID: <1247343663.6317.237.camel@localhost.localdomain>

On Sat, 2009-07-11 at 14:41 -0500, David Christensen wrote:
> Simo Sorce wrote:
> > On Fri, 2009-07-10 at 17:16 -0500, David Christensen wrote:
> >> Every user I add is indicated as their password being expired, assuming
> >> this is normal and this forces users to create their own password when
> >> they first log in (not sure). I tried logging in as a test user.
> >
> > See: http://freeipa.org/page/NewPasswordsExpired
> >
> >> I was prompted with the expired password update now and attempted to do
> >> so. When I tried to change the password I got an error: kinit(v5)
> >> password change failed while getting initial credentials.
> >>
> >> What is this error telling me?
> >
> > Is ipa-kpasswd running on your IPA Server?
> > Do you see errors in /var/log/krb5kdc.log on the server?
> >
> >> I tried changing the password for the user via the UI but the account is
> >> still indicated as password expired.
> >
> > Expected, see the doc above.
> >
> > Simo.
>
> Simo,
>
> This is a sample of the log file for the test user I have been using:
>
> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: CLIENT KEY EXPIRED: davidc@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
> Jul 10 17:34:22 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265262, etypes {rep=18 tkt=18 ses=18}, davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for ldap/ipa1.example.com@EXAMPLE.COM
>
> I verified that ipa_kpasswd is indeed running.

This sequence seems also to indicate that ipa-kpasswd is actually attempting the password change (see kadmin/changepw getting a ticket for the ldap server).

I wonder if this is just a timeout issue as it strangely took 9 seconds between kinit getting a ticket and ipa-kpasswd starting to perform a password change. So presumably the whole operation took more.
If you "time" kinit how long does it take to return the error?

If you re-run kinit what do you get?
Does it accept the old password or does it require the new one to succeed?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From David.Christensen at viveli.com Sat Jul 11 20:42:56 2009
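Simo's reading of the KDC log above (the expired-key AS_REQ, the user obtaining a ticket for kadmin/changepw at 17:34:22, then kadmin/changepw itself only talking to the KDC at 17:34:31) is the kind of timeline check worth scripting when triaging password-change failures. The block below is an added example, not something from the thread or from FreeIPA. It parses the six krb5kdc.log lines David posted (reconstructed with the editor line-number prefixes removed and the wrapped principals re-joined; EXAMPLE.COM and ipa1.example.com are the thread's own placeholders), reports which clients hit CLIENT KEY EXPIRED, and computes the gap Simo points at. The year is not present in syslog timestamps, so 2009 is assumed from the message dates.

```python
"""Timeline checks over krb5kdc.log lines for an expired-password change attempt.

Added example, not from the thread. Log lines below are reconstructed from
David's post; the year used for timestamps is an assumption (2009).
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

ASSUMED_YEAR = 2009  # syslog timestamps carry no year; taken from the thread dates

# Reconstructed from David's message (constructed sample for this example).
KDC_LOG = """\
Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: CLIENT KEY EXPIRED: davidc@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Jul 10 17:34:22 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265262, etypes {rep=18 tkt=18 ses=18}, davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for ldap/ipa1.example.com@EXAMPLE.COM
"""

# One MIT KDC request line: timestamp, host, pid, request type, client IP,
# status word(s), optional "authtime ..., etypes {...}," on ISSUE lines,
# then "<client> for <server>[, <message>]".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<client_ip>[\d.]+): "
    r"(?P<status>[A-Z_ ]+?): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,]+)(?:, (?P<msg>.*))?$"
)


def parse_kdc_log(text: str) -> List[Dict[str, object]]:
    """Turn matching log lines into dicts; unrecognised lines are skipped so a
    real log with other record types does not abort the analysis."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev: Dict[str, object] = m.groupdict()
        stamp = " ".join(m.group("ts").split())        # collapse "Jul  1" padding
        ev["time"] = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        events.append(ev)
    return events


def expired_key_clients(events: List[Dict[str, object]]) -> List[str]:
    """Principals the KDC refused with CLIENT KEY EXPIRED (the expected state for
    a freshly created IPA user, per the NewPasswordsExpired page Simo cites)."""
    return sorted({str(e["client"]) for e in events if e["status"] == "CLIENT KEY EXPIRED"})


def changepw_handoff_seconds(events: List[Dict[str, object]], user: str) -> Optional[int]:
    """Seconds between the user's ticket for kadmin/changepw being issued and
    kadmin/changepw itself first contacting the KDC. A large gap is the
    'timeout issue' Simo wonders about; None means one side of the exchange is
    missing from the log."""
    user_issue = next((e["time"] for e in events
                       if e["status"] == "ISSUE" and e["client"] == user
                       and str(e["server"]).startswith("kadmin/changepw@")), None)
    if user_issue is None:
        return None
    svc_req = next((e["time"] for e in events
                    if str(e["client"]).startswith("kadmin/changepw@")
                    and e["time"] >= user_issue), None)
    if svc_req is None:
        return None
    return int((svc_req - user_issue).total_seconds())


if __name__ == "__main__":
    evs = parse_kdc_log(KDC_LOG)
    print("expired-key clients:", expired_key_clients(evs))
    print("changepw hand-off gap (s):", changepw_handoff_seconds(evs, "davidc@EXAMPLE.COM"))
```

Run against a live /var/log/krb5kdc.log the same functions give a quick answer to Simo's two questions: whether the change service is reached at all (the hand-off gap is None when kadmin/changepw never appears) and how long the client-side step took.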
From: David.Christensen at viveli.com (David Christensen)
Date: Sat, 11 Jul 2009 15:42:56 -0500
Subject: [Freeipa-users] User passwords expired
In-Reply-To: <1247343663.6317.237.camel@localhost.localdomain>
References: <4A57BDC1.8070507@viveli.com> <1247326608.6317.231.camel@localhost.localdomain> <4A58EAE3.1060303@viveli.com> <1247343663.6317.237.camel@localhost.localdomain>
Message-ID: <4A58F950.9020305@viveli.com>

Simo Sorce wrote:
> On Sat, 2009-07-11 at 14:41 -0500, David Christensen wrote:
>> Simo Sorce wrote:
>>> On Fri, 2009-07-10 at 17:16 -0500, David Christensen wrote:
>>>> Every user I add is indicated as their password being expired, assuming
>>>> this is normal and this forces users to create their own password when
>>>> they first log in (not sure). I tried logging in as a test user.
>>> See: http://freeipa.org/page/NewPasswordsExpired
>>>
>>>> I was prompted with the expired password update now and attempted to do
>>>> so. When I tried to change the password I got an error: kinit(v5)
>>>> password change failed while getting initial credentials.
>>>>
>>>> What is this error telling me?
>>> Is ipa-kpasswd running on your IPA Server?
>>> Do you see errors in /var/log/krb5kdc.log on the server?
>>>
>>>> I tried changing the password for the user via the UI but the account is
>>>> still indicated as password expired.
>>> Expected, see the doc above.
>>>
>>> Simo.
>>>
>> Simo,
>>
>> This is a sample of the log file for the test user I have been using:
>>
>> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: CLIENT KEY EXPIRED: davidc@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
>> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
>> Jul 10 17:34:22 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265262, etypes {rep=18 tkt=18 ses=18}, davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for ldap/ipa1.example.com@EXAMPLE.COM
>>
>> I verified that ipa_kpasswd is indeed running.
>
> This sequence seems also to indicate that ipa-kpasswd is actually
> attempting the password change (see kadmin/changepw getting a ticket for
> the ldap server).
> I wonder if this is just a timeout issue as it strangely took 9 seconds
> between kinit getting a ticket and ipa-kpasswd starting to perform a
> password change. So presumably the whole operation took more.
>
> If you "time" kinit how long does it take to return the error?
>
> If you re-run kinit what do you get?
> Does it accept the old password or does it require the new one to
> succeed?
>
> Simo.

It is pretty fast actually, no latency at all. When I use kinit and it prompts me for a password, I have to use the password that I set via the UI, anything else and I get an error that the password is incorrect.

This is what I get when I use the password set in the UI via the admin account:

Password for davidc@EXAMPLE.COM:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit(v5): Password change failed while getting initial credentials

David

From David.Christensen at viveli.com Mon Jul 13 15:07:38 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Mon, 13 Jul 2009 10:07:38 -0500
Subject: [Freeipa-users] User passwords expired
In-Reply-To: <4A58F950.9020305@viveli.com>
References: <4A57BDC1.8070507@viveli.com> <1247326608.6317.231.camel@localhost.localdomain> <4A58EAE3.1060303@viveli.com> <1247343663.6317.237.camel@localhost.localdomain> <4A58F950.9020305@viveli.com>
Message-ID: <4A5B4DBA.4000601@viveli.com>

David Christensen wrote:
> Simo Sorce wrote:
>> On Sat, 2009-07-11 at 14:41 -0500, David Christensen wrote:
>>> Simo Sorce wrote:
>>>> On Fri, 2009-07-10 at 17:16 -0500, David Christensen wrote:
>>>>> Every user I add is indicated as their password being expired, assuming
>>>>> this is normal and this forces users to create their own password when
>>>>> they first log in (not sure). I tried logging in as a test user.
>>>> See: http://freeipa.org/page/NewPasswordsExpired
>>>>
>>>>> I was prompted with the expired password update now and attempted to do
>>>>> so. When I tried to change the password I got an error: kinit(v5)
>>>>> password change failed while getting initial credentials.
>>>>>
>>>>> What is this error telling me?
>>>> Is ipa-kpasswd running on your IPA Server?
>>>> Do you see errors in /var/log/krb5kdc.log on the server?
>>>>
>>>>> I tried changing the password for the user via the UI but the account is
>>>>> still indicated as password expired.
>>>> Expected, see the doc above.
>>>>
>>>> Simo.
>>>>
>>> Simo,
>>>
>>> This is a sample of the log file for the test user I have been using:
>>>
>>> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: CLIENT KEY EXPIRED: davidc@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
>>> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
>>> Jul 10 17:34:22 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265262, etypes {rep=18 tkt=18 ses=18}, davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
>>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
>>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for ldap/ipa1.example.com@EXAMPLE.COM
>>>
>>> I verified that ipa_kpasswd is indeed running.
>> This sequence seems also to indicate that ipa-kpasswd is actually
>> attempting the password change (see kadmin/changepw getting a ticket for
>> the ldap server).
>> I wonder if this is just a timeout issue as it strangely took 9 seconds
>> between kinit getting a ticket and ipa-kpasswd starting to perform a
>> password change.
>> So presumably the whole operation took more.
>
>> If you "time" kinit how long does it take to return the error ?
>
>> If you re-run kinit what do you get ?
>> Does it accept the old password or does it require the new one to
>> succeed ?
>
> Simo.

It is pretty fast actually, no latency at all.

When I use kinit and it prompts me for a password, I have to use the password that I set via the UI, anything else and I get an error that the password is incorrect.

This is what I get when I use the password set in the UI via the admin account:

Password for davidc at EXAMPLE.COM:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit(v5): Password change failed while getting initial credentials

David

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 13 Jul 2009 15:12:37 -0400
Subject: [Freeipa-users] User passwords expired
In-Reply-To: <4A5B4DBA.4000601@viveli.com>
References: <4A57BDC1.8070507@viveli.com> <1247326608.6317.231.camel@localhost.localdomain> <4A58EAE3.1060303@viveli.com> <1247343663.6317.237.camel@localhost.localdomain> <4A58F950.9020305@viveli.com> <4A5B4DBA.4000601@viveli.com>
Message-ID: <1247512357.29458.10.camel@localhost.localdomain>

On Mon, 2009-07-13 at 10:07 -0500, David Christensen wrote:
> David Christensen wrote:
> > Simo Sorce wrote:
> >> On Sat, 2009-07-11 at 14:41 -0500, David Christensen wrote:
> >>> Simo Sorce wrote:
> >>>> On Fri, 2009-07-10 at 17:16 -0500, David Christensen wrote:
> >>>>> Every user I add is indicated as their password being expired, assuming
> >>>>> this is normal and this forces users to create their own password when
> >>>>> they first log in (not sure) I tried logging in as a test user.
> >>>> See: http://freeipa.org/page/NewPasswordsExpired
> >>>>
> >>>>> I was prompted with the expired password update now and attempted to do
> >>>>> so. When I tried to change the password I got an error: kinit(v5)
> >>>>> password change failed while getting initial credentials.
> >>>>>
> >>>>> What is this error telling me?
> >>>> Is ipa-kpasswd running on your IPA Server ?
> >>>> Do you see errors in /var/log/krb5kdc.log on the server ?
> >>>>
> >>>>> I tried changing the password for the user via the UI but the account is
> >>>>> still indicated as password expired.
> >>>> Expected, see the doc above.
> >>>>
> >>>> Simo.
> >>>>
> >>> Simo,
> >>>
> >>> This is a sample of the log file for the test user I have been using:
> >>> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: CLIENT KEY EXPIRED: davidc at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Password has expired
> >>> Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: davidc at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM, Additional pre-authentication required
> >>> Jul 10 17:34:22 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265262, etypes {rep=18 tkt=18 ses=18}, davidc at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM
> >>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: kadmin/changepw at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
> >>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM
> >>> Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at EXAMPLE.COM for ldap/ipa1.example.com at EXAMPLE.COM
> >>>
> >>> I verified that ipa_kpasswd is indeed running.
> >> This sequence seems also to indicate that ipa-kpasswd is actually
> >> attempting the password change (see kadmin/changepw getting a ticket for
> >> the ldap server).
> >> I wonder if this is just a timeout issue as it strangely took 9 seconds
> >> between kinit getting a ticket and ipa-kpasswd starting to perform a
> >> password change. So presumably the whole operation took more.
> >
> >> If you "time" kinit how long does it take to return the error ?
> >
> >> If you re-run kinit what do you get ?
> >> Does it accept the old password or does it require the new one to
> >> succeed ?
> >
> > Simo.
>
> It is pretty fast actually, no latency at all.
>
> When I use kinit and it prompts me for a password, I have to use the
> password that I set via the UI, anything else and I get an error that
> the password is incorrect.
>
> This is what I get when I use the password set in the UI via the admin
> account:
>
> Password for davidc at EXAMPLE.COM:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Password change failed while getting initial credentials

Can you see if there is any error in /var/log/messages from ipa-kpasswd ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
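The sequence Simo reads off the KDC log above, as an added example that is not part of the thread: a small parser for krb5kdc.log request lines and a check that reconstructs the password-change flow (user's AS_REQ fails with CLIENT KEY EXPIRED, kinit gets a kadmin/changepw ticket, ipa-kpasswd then gets its own TGT and a ticket for the LDAP server) and computes the delay he refers to. The sample lines are constructed copies of the six quoted above with mailman's " at " restored to "@"; the function names are mine.

```python
"""Reconstruct a kinit-driven password change from /var/log/krb5kdc.log.

Added example, not FreeIPA's code and not from the thread. Parses the
request lines the KDC logs (AS_REQ/TGS_REQ) and checks, for one user,
which steps of the kinit -> kadmin/changepw -> ipa-kpasswd -> ldap
sequence were reached and how long ipa-kpasswd took to start.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# One krb5kdc.log request line (syslog timestamp, host, pid, level, ...).
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]"
    r"\((?P<level>\w+)\): (?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_ ]+?): (?P<rest>.*)$"
)
# "<client principal> for <server principal>" inside the remainder.
PRINCIPALS = re.compile(r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)")
AUTHTIME = re.compile(r"authtime (\d+)")


class KdcEvent(NamedTuple):
    ts: str
    req: str            # AS_REQ or TGS_REQ
    status: str         # ISSUE, NEEDED_PREAUTH, CLIENT KEY EXPIRED, ...
    client: str
    server: str
    authtime: Optional[int]   # only present on ISSUE lines
    detail: str


# Constructed from the six lines quoted in the thread (" at " -> "@").
SAMPLE_LOG = """\
Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: CLIENT KEY EXPIRED: davidc@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jul 10 17:34:19 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Jul 10 17:34:22 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265262, etypes {rep=18 tkt=18 ses=18}, davidc@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: NEEDED_PREAUTH: kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 10 17:34:31 ipa1.example.com krb5kdc[28909](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.155.21: ISSUE: authtime 1247265271, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for ldap/ipa1.example.com@EXAMPLE.COM
"""


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Parse request lines; lines that are not requests are skipped."""
    events = []
    for line in text.splitlines():
        m = KDC_LINE.match(line)
        if m is None:
            continue
        p = PRINCIPALS.search(m.group("rest"))
        if p is None:
            continue
        a = AUTHTIME.search(m.group("rest"))
        events.append(KdcEvent(m.group("ts"), m.group("req"), m.group("status"),
                               p.group("client"), p.group("server"),
                               int(a.group(1)) if a else None, m.group("rest")))
    return events


def password_change_trace(events: List[KdcEvent], user: str, realm: str) -> Dict:
    """Which steps of the password-change sequence were reached for `user`.

    kpasswd_delay_s is the gap (from the KDC's authtime stamps) between
    kinit obtaining the kadmin/changepw ticket and ipa-kpasswd obtaining
    its own TGT, i.e. the "9 seconds" in the discussion; None if missing.
    """
    changepw = "kadmin/changepw@" + realm
    tgt = "krbtgt/%s@%s" % (realm, realm)

    def first(pred):
        return next((e for e in events if pred(e)), None)

    expired = first(lambda e: e.client == user and e.server == tgt
                    and e.status == "CLIENT KEY EXPIRED")
    user_changepw = first(lambda e: e.client == user and e.server == changepw
                          and e.status == "ISSUE")
    kpasswd_tgt = first(lambda e: e.client == changepw and e.server == tgt
                        and e.status == "ISSUE")
    kpasswd_ldap = first(lambda e: e.client == changepw and e.status == "ISSUE"
                         and e.server.startswith("ldap/"))
    delay = None
    if (user_changepw and kpasswd_tgt and user_changepw.authtime is not None
            and kpasswd_tgt.authtime is not None):
        delay = kpasswd_tgt.authtime - user_changepw.authtime
    return {
        "key_expired": expired is not None,
        "changepw_ticket_issued": user_changepw is not None,
        "kpasswd_got_tgt": kpasswd_tgt is not None,
        "kpasswd_got_ldap_ticket": kpasswd_ldap is not None,
        "kpasswd_delay_s": delay,
        "ldap_server": kpasswd_ldap.server if kpasswd_ldap else None,
    }


if __name__ == "__main__":
    trace = password_change_trace(parse_kdc_log(SAMPLE_LOG),
                                  "davidc@EXAMPLE.COM", "EXAMPLE.COM")
    for key, value in trace.items():
        print("%-24s %s" % (key, value))
```

On the sample the trace reports every step reached and a 9-second delay, which is consistent with ipa-kpasswd itself being slow to act rather than the KDC rejecting anything.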
From: kwade at redhat.com (Karsten Wade)
Date: Tue, 14 Jul 2009 07:40:34 -0700
Subject: [Freeipa-users] OSCON in San Jose next week
Message-ID: <20090714144034.GA29199@calliope.phig.org>

Curious if anyone is going to OSCON (O'Reilly Open Source Convention) in San Jose next week? Are you interested in leading any sessions about FreeIPA at the OSCamp?

OSCamp is a mini-unconference/BarCamp[1] in the middle of OSCON. It is a series of scheduled-on-the-fly talks and roundtable sessions:

http://en.oreilly.com/oscon2009/public/schedule/detail/9001

If you'd like to do a session/something about FreeIPA, I can help you in whatever way you need. I'll be at OSCON representing Fedora[2], but can come over to OSCamp to help get you started. If you've done a BarCamp before, I'm sure you don't need my handholding, but please drop by the Fedora booth and let me know you are doing a session, I'd love to be there!

cheers - Karsten

[1] http://en.wikipedia.org/wiki/Unconference
    http://en.wikipedia.org/wiki/BarCamp
    http://barcamp.org
[2] http://iquaid.org/2009/07/14/fedora-and-oscon-and-you/

--
Karsten 'quaid' Wade, Community Gardener
http://quaid.fedorapeople.org
AD0E0C41
From: David.Christensen at viveli.com (David Christensen)
Date: Tue, 14 Jul 2009 10:15:52 -0500
Subject: [Freeipa-users] Issue with users logging in for the first time using X
Message-ID: <4A5CA128.9050808@viveli.com>

I am having an issue when a new user is logging in for the first time using an X session. When they first login everything seems to go ok, when they enter their password, they are prompted that their password has expired and informed that they need to change their pw, they are asked for the kerberos pw, then prompted for a new Unix pw, where they enter it twice, however once they do this they get an error that the user can not be authorized.

However, if the user then logs in to any kerberized box via ssh, and goes through the same procedure their password is changed and once this is done they are then able to login via an X session.

Any ideas as to why this happens?

Thanks.
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 15 Jul 2009 09:14:16 -0400
Subject: [Freeipa-users] Smart card integration into FreeIPA
In-Reply-To: <869100480907100803y4cabde99tbc7508c544f341b3@mail.gmail.com>
References: <869100480907100803y4cabde99tbc7508c544f341b3@mail.gmail.com>
Message-ID: <1247663656.29458.60.camel@localhost.localdomain>

On Fri, 2009-07-10 at 17:03 +0200, Rob Visser wrote:
> Somewhere in the FreeIPA documentation it is stated that it is not
> recommended to use pk_init to integrate smart card.
>
> How should it be done?

Rob, can you point me at where you've seen this ?

At the moment ipa does not provide a native method of dealing with smartcards, it is certainly in the plans to allow that at some point, but some more research is needed on our side to make sure all works properly in this case.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From: james_roman at ssaihq.com (James Roman)
Date: Wed, 15 Jul 2009 10:39:51 -0400
Subject: [Freeipa-users] Generating a Certificate Signing Request
Message-ID: <4A5DEA37.1030305@ssaihq.com>

I've seen that you can import a CA signed certificate into freeipa. Normally, with fedora directory server, you would generate a CSR using the Certificate Request Wizard and then import the signed certificate. Are there any instructions on generating a CSR for use with freeipa?
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Jul 2009 10:58:53 -0400
Subject: [Freeipa-users] Generating a Certificate Signing Request
In-Reply-To: <4A5DEA37.1030305@ssaihq.com>
References: <4A5DEA37.1030305@ssaihq.com>
Message-ID: <4A5DEEAD.8090404@redhat.com>

James Roman wrote:
> I've seen that you can import a CA signed certificate into freeipa.
> Normally, with fedora directory server, you would generate a CSR using
> the Certificate Request Wizard and then import the signed certificate.
> Are there any instructions on generating a CSR for use with freeipa?

You can install an IPA server using a given set of PKCS#12 files, yes. IPA requires SSL from the get-go so you can't install it in non-SSL mode and then add it, like you can with basic Apache and 389.

To get these PKCS#12 files (one for Apache and one for 389) you can use any tool you'd like including openssl and the NSS certutil utilities (and pk12util to make the PKCS#12).

When generating the CSR be sure to set the CN in the subject to match the FQDN of the IPA server.

An example of doing this using the NSS utilities (which I'm more familiar with) would be:

Start by creating a new, temporary NSS database

$ mkdir ipacerts
$ certutil -N -d ipacerts

Now generate a CSR

$ certutil -R -d ipacerts -s "CN=ipa.example.com,OU=IPA,O=example" -g 1024 -a -o csr.txt

1024 is the key size, use a larger key if you'd like

Your CSR is in csr.txt

Once you get the cert, import it. In this example the cert is in the file cert.txt

$ certutil -A -n Server-Cert -d ipacerts -t u,u,u -a < cert.txt

You'll also want to add the CA that issued the cert to the database, say that's in ca.txt

$ certutil -A -n "CA certificate" -d ipacerts -t CT,, -a < ca.txt

Verify that everything is a-ok

$ certutil -V -u V -n Server-Cert -d ipacerts

(should return valid certificate)

Export the cert

$ pk12util -o cert.p12 -n Server-Cert -d ipacerts

A few notes:

- There is nothing magical about the "Server-Cert" nickname.
  Use any unique string you'd like.
- You need to add the CA so that it gets put into the PKCS#12 file along with the server cert

I think that covers it.

rob

From: james_roman at ssaihq.com (James Roman)
Date: Fri, 17 Jul 2009 10:41:35 -0400
Subject: [Freeipa-users] Public CA signed Certificate import failure
Message-ID: <4A608D9F.1050405@ssaihq.com>

First off, thanks Rob for the direction on creating a certificate. After reading up on Mozilla's NSS, I think I've got a pretty fair grounding.

So I successfully generated a CSR and had it signed. I imported my certificate and CA chain into the NSS database and exported it to a PKCS12 cert. I am primarily concerned with using the public cert on the HTTP interface. However, when I go to import it using ipa-server-certificate, it chokes on the names in the CA certificate chain. (One of the certs uses full website address for the name.) I can manually import each of the certificates in the CA chain using certutil on the /etc/httpd/alias directory.

Will this work?
Are there any other configuration changes that I need to make the http interface function properly (like changes in the nss.conf)?
What about manually modifying the directory server (/etc/dirsrv/slapd-KRBDOMAIN)?
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Jul 2009 12:26:34 -0400
Subject: [Freeipa-users] Public CA signed Certificate import failure
In-Reply-To: <4A608D9F.1050405@ssaihq.com>
References: <4A608D9F.1050405@ssaihq.com>
Message-ID: <4A649ABA.3010208@redhat.com>

James Roman wrote:
> First off, thanks Rob for the direction on creating a certificate. After
> reading up on Mozilla's NSS, I think I've got a pretty fair grounding.
>
> So I successfully generated a CSR and had it signed. I imported my
> certificate and CA chain into the NSS database and exported it to a
> PKCS12 cert. I am primarily concerned with using the public cert on the
> HTTP interface. However, when I go to import it using
> ipa-server-certificate, it chokes on the names in the CA certificate
> chain. (One of the certs uses full website address for the name.) I can
> manually import each of the certificates in the CA chain using certutil
> on the /etc/httpd/alias directory.

What do you mean by choke? Do you have a python backtrace or can you send me the ipaserver-install.log?

> Will this work?
> Are there any other configuration changes that I need to make the http
> interface function properly (like changes in the nss.conf)?
> What about manually modifying the directory server
> (/etc/dirsrv/slapd-KRBDOMAIN)?
>

What distro are you using?

rob
From: james_roman at ssaihq.com (James Roman)
Date: Tue, 21 Jul 2009 10:12:02 -0400
Subject: [Freeipa-users] Public CA signed Certificate import failure
In-Reply-To: <4A649ABA.3010208@redhat.com>
References: <4A608D9F.1050405@ssaihq.com> <4A649ABA.3010208@redhat.com>
Message-ID: <4A65CCB2.40507@ssaihq.com>

Rob Crittenden wrote:
> James Roman wrote:
>> First off, thanks Rob for the direction on creating a certificate.
>> After reading up on Mozilla's NSS, I think I've got a pretty fair
>> grounding.
>>
>> So I successfully generated a CSR and had it signed. I imported my
>> certificate and CA chain into the NSS database and exported it to a
>> PKCS12 cert. I am primarily concerned with using the public cert on
>> the HTTP interface. However, when I go to import it using
>> ipa-server-certificate, it chokes on the names in the CA certificate
>> chain. (One of the certs uses full website address for the name.) I
>> can manually import each of the certificates in the CA chain using
>> certutil on the /etc/httpd/alias directory.
>
> What do you mean by choke? Do you have a python backtrace or can you
> send me the ipaserver-install.log?

Here is what I get when importing the p12 file using "ipa-server-certinstall". The reasons for the errors are fairly self-evident when you see how it parses the command line arguments.

# ipa-server-certinstall -w /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx --http_pin='mysecretpin'
an unexpected error occurred: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.
-t CT,CT,' returned non-zero exit status 255
Traceback (most recent call last):
  File "/usr/sbin/ipa-server-certinstall", line 137, in main
    server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
  File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
    cdb.trust_root_cert(server_cert[0])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, in trust_root_cert
    "-t", "CT,CT,"])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
    return ipautil.run(new_args, stdin)
  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
    raise CalledProcessError(p.returncode, ' '.join(args))
CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,' returned non-zero exit status 255

I'm left with most of the certificate chain

>
>> Will this work?
>> Are there any other configuration changes that I need to make the
>> http interface function properly (like changes in the nss.conf)?
>> What about manually modifying the directory server
>> (/etc/dirsrv/slapd-KRBDOMAIN)?
>>
>
> What distro are you using?
>
> rob

Fedora 9
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Jul 2009 10:44:52 -0400
Subject: [Freeipa-users] Public CA signed Certificate import failure
In-Reply-To: <4A65CCB2.40507@ssaihq.com>
References: <4A608D9F.1050405@ssaihq.com> <4A649ABA.3010208@redhat.com> <4A65CCB2.40507@ssaihq.com>
Message-ID: <4A65D464.1040609@redhat.com>

James Roman wrote:
> Rob Crittenden wrote:
>> James Roman wrote:
>>> First off, thanks Rob for the direction on creating a certificate.
>>> After reading up on Mozilla's NSS, I think I've got a pretty fair
>>> grounding.
>>>
>>> So I successfully generated a CSR and had it signed. I imported my
>>> certificate and CA chain into the NSS database and exported it to a
>>> PKCS12 cert. I am primarily concerned with using the public cert on
>>> the HTTP interface. However, when I go to import it using
>>> ipa-server-certificate, it chokes on the names in the CA certificate
>>> chain. (One of the certs uses full website address for the name.) I
>>> can manually import each of the certificates in the CA chain using
>>> certutil on the /etc/httpd/alias directory.
>>
>> What do you mean by choke? Do you have a python backtrace or can you
>> send me the ipaserver-install.log?
> Here is what I get when importing the p12 file using
> "ipa-server-certinstall". The reasons for the errors are fairly
> self-evident when you see how it parses the command line arguments.
>
> # ipa-server-certinstall -w
> /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx
> --http_pin='mysecretpin'
> an unexpected error occurred: Command '/usr/bin/certutil -d
> /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go
> Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.
> -t CT,CT,' returned non-zero exit status 255
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-server-certinstall", line 137, in main
>     server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
>   File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
>     cdb.trust_root_cert(server_cert[0])
>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, in trust_root_cert
>     "-t", "CT,CT,"])
>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
>     return ipautil.run(new_args, stdin)
>   File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
>     raise CalledProcessError(p.returncode, ' '.join(args))
> CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n
> Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2
> Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,' returned
> non-zero exit status 255
>
> I'm left with most of the certificate chain

Ok, we shouldn't need to mess with builtin CAs at all.

Can you file a bug on this?

In the meantime, this patch should fix things for you:

diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py index 8cb1d08..610ca1d 100644 --- a/ipa-server/ipaserver/certs.py +++ b/ipa-server/ipaserver/certs.py
@@ -318,8 +318,9 @@ class CertDB(object): def trust_root_cert(self, nickname): root_nickname = self.find_root_cert(nickname) - self.run_certutil(["-M", "-n", root_nickname, - "-t", "CT,CT,"]) + if root_nickname is not None and root_nickname[:7] != "Builtin": + self.run_certutil(["-M", "-n", root_nickname, + "-t", "CT,CT,"]) def find_server_certs(self): p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir, If you are careful you should be able to modify, as root, the IPA python source. You'll find it in /usr/lib/python2.5/site-packages/ipaserver/certs.py Indentation matters in python so be sure to apply this exactly. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From james_roman at ssaihq.com Tue Jul 21 17:33:42 2009 
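Review bot: the new guard `root_nickname[:7] != "Builtin"` in trust_root_cert only skips nicknames that happen to start with "Builtin"; it does not fix the reason the call failed. The traceback shows that the value handed to `certutil -M -n` was `Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.`, i.e. find_root_cert returned the nickname plus most of the subject DN, and the same happens for any non-builtin root whose DN carries a quoted value (the later run on the dirsrv database fails with `valicert.com" [E=info at valicert.com,...,O="ValiCert, Inc.`). Suggest fixing the nickname extraction in find_root_cert so it stops at the `" [` that opens the DN, and then keeping the builtin check as a second condition written as `root_nickname.startswith("Builtin Object Token:")`, which is explicit about the token prefix and cannot silently skip a user-chosen nickname that merely begins with "Builtin". It is also worth a comment at the run_certutil call that `-t "CT,CT,"` grants CA trust to whatever nickname find_root_cert returns, so a wrong nickname there is a trust-store change, not just a failed command.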
From: james_roman at ssaihq.com (James Roman)
Date: Tue, 21 Jul 2009 13:33:42 -0400
Subject: [Freeipa-users] Public CA signed Certificate import failure
In-Reply-To: <4A65D464.1040609@redhat.com>
References: <4A608D9F.1050405@ssaihq.com> <4A649ABA.3010208@redhat.com> <4A65CCB2.40507@ssaihq.com> <4A65D464.1040609@redhat.com>
Message-ID: <4A65FBF6.7030003@ssaihq.com>

Rob Crittenden wrote:
> James Roman wrote:
>> Rob Crittenden wrote:
>>> James Roman wrote:
>>>> First off, thanks Rob for the direction on creating a certificate.
>>>> After reading up on Mozilla's NSS, I think I've got a pretty fair
>>>> grounding.
>>>>
>>>> So I successfully generated a CSR and had it signed. I imported my
>>>> certificate and CA chain into the NSS database and exported it to a
>>>> PKCS12 cert. I am primarily concerned with using the public cert on
>>>> the HTTP interface. However, when I go to import it using
>>>> ipa-server-certificate, it chokes on the names in the CA
>>>> certificate chain. (One of the certs uses full website address for
>>>> the name.) I can manually import each of the certificates in the CA
>>>> chain using certutil on the /etc/httpd/alias directory.
>>>
>>> What do you mean by choke? Do you have a python backtrace or can you
>>> send me the ipaserver-install.log?
>> Here is what I get when importing the p12 file using
>> "ipa-server-certinstall". The reasons for the errors are fairly
>> self-evident when you see how it parses the command line arguments.
>>
>> # ipa-server-certinstall -w
>> /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx
>> --http_pin='mysecretpin'
>> an unexpected error occurred: Command '/usr/bin/certutil -d
>> /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA"
>> [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group,
>> Inc.
>> -t CT,CT,' returned non-zero exit status 255
>> Traceback (most recent call last):
>>   File "/usr/sbin/ipa-server-certinstall", line 137, in main
>>     server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
>>   File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
>>     cdb.trust_root_cert(server_cert[0])
>>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, in trust_root_cert
>>     "-t", "CT,CT,"])
>>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
>>     return ipautil.run(new_args, stdin)
>>   File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
>>     raise CalledProcessError(p.returncode, ' '.join(args))
>> CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -M
>> -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2
>> Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,'
>> returned non-zero exit status 255
>>
>> I'm left with most of the certificate chain
>
> Ok, we shouldn't need to mess with builtin CAs at all.
>
> Can you file a bug on this?
>
> In the meantime, this patch should fix things for you:
>
> diff --git a/ipa-server/ipaserver/certs.py > b/ipa-server/ipaserver/certs.py > index 8cb1d08..610ca1d 100644 > --- a/ipa-server/ipaserver/certs.py > +++ b/ipa-server/ipaserver/certs.py
> @@ -318,8 +318,9 @@ class CertDB(object): > def trust_root_cert(self, nickname): > root_nickname = self.find_root_cert(nickname) > > - self.run_certutil(["-M", "-n", root_nickname, > - "-t", "CT,CT,"]) > + if root_nickname is not None and root_nickname[:7] != "Builtin": > + self.run_certutil(["-M", "-n", root_nickname, > + "-t", "CT,CT,"]) > > def find_server_certs(self): > p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
>
> If you are careful you should be able to modify, as root, the IPA
> python source. You'll find it in
> /usr/lib/python2.5/site-packages/ipaserver/certs.py
>
> Indentation matters in python so be sure to apply this exactly.
>
> rob

Well it worked partly. I was able to successfully import the certificate for the webserver. It did not set the trust attributes on the CA certificates (perhaps that was the point). If I run the command to import the certificate for the directory server, it fails on a different part of the CA chain now.

# ipa-server-certinstall -d /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx --dirsrv_pin='mysecretpin'
Directory Manager password:
an unexpected error occurred: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.
-t CT,CT,' returned non-zero exit status 255
Traceback (most recent call last):
  File "/usr/sbin/ipa-server-certinstall", line 132, in main
    server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd)
  File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
    cdb.trust_root_cert(server_cert[0])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 325, in trust_root_cert
    "-t", "CT,CT,"])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
    return ipautil.run(new_args, stdin)
  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
    raise CalledProcessError(p.returncode, ' '.join(args))
CalledProcessError: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned non-zero exit status 255
From: james_roman at ssaihq.com (James Roman)
Date: Tue, 21 Jul 2009 14:17:35 -0400
Subject: [Freeipa-users] Public CA signed Certificate import failure
In-Reply-To: <4A65FBF6.7030003@ssaihq.com>
References: <4A608D9F.1050405@ssaihq.com> <4A649ABA.3010208@redhat.com> <4A65CCB2.40507@ssaihq.com> <4A65D464.1040609@redhat.com> <4A65FBF6.7030003@ssaihq.com>
Message-ID: <4A66063F.3030503@ssaihq.com>

James Roman wrote:
> Rob Crittenden wrote:
>> James Roman wrote:
>>> Rob Crittenden wrote:
>>>> James Roman wrote:
>>>>> First off, thanks Rob for the direction on creating a certificate.
>>>>> After reading up on Mozilla's NSS, I think I've got a pretty fair
>>>>> grounding.
>>>>>
>>>>> So I successfully generated a CSR and had it signed. I imported my
>>>>> certificate and CA chain into the NSS database and exported it to
>>>>> a PKCS12 cert. I am primarily concerned with using the public cert
>>>>> on the HTTP interface. However, when I go to import it using
>>>>> ipa-server-certificate, it chokes on the names in the CA
>>>>> certificate chain. (One of the certs uses full website address for
>>>>> the name.) I can manually import each of the certificates in the
>>>>> CA chain using certutil on the /etc/httpd/alias directory.
>>>>
>>>> What do you mean by choke? Do you have a python backtrace or can
>>>> you send me the ipaserver-install.log?
>>> Here is what I get when importing the p12 file using
>>> "ipa-server-certinstall". The reasons for the errors are fairly
>>> self-evident when you see how it parses the command line arguments.
>>>
>>> # ipa-server-certinstall -w
>>> /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx
>>> --http_pin='mysecretpin'
>>> an unexpected error occurred: Command '/usr/bin/certutil -d
>>> /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA"
>>> [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group,
>>> Inc.
>>> -t CT,CT,' returned non-zero exit status 255
>>> Traceback (most recent call last):
>>>   File "/usr/sbin/ipa-server-certinstall", line 137, in main
>>>     server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
>>>   File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
>>>     cdb.trust_root_cert(server_cert[0])
>>>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, in trust_root_cert
>>>     "-t", "CT,CT,"])
>>>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
>>>     return ipautil.run(new_args, stdin)
>>>   File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
>>>     raise CalledProcessError(p.returncode, ' '.join(args))
>>> CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias
>>> -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2
>>> Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,'
>>> returned non-zero exit status 255
>>>
>>> I'm left with most of the certificate chain
>>
>> Ok, we shouldn't need to mess with builtin CAs at all.
>>
>> Can you file a bug on this?
>>
>> In the meantime, this patch should fix things for you:
>>
>> diff --git a/ipa-server/ipaserver/certs.py >> b/ipa-server/ipaserver/certs.py >> index 8cb1d08..610ca1d 100644 >> --- a/ipa-server/ipaserver/certs.py >> +++ b/ipa-server/ipaserver/certs.py
>> @@ -318,8 +318,9 @@ class CertDB(object): >> def trust_root_cert(self, nickname): >> root_nickname = self.find_root_cert(nickname) >> >> - self.run_certutil(["-M", "-n", root_nickname, >> - "-t", "CT,CT,"]) >> + if root_nickname is not None and root_nickname[:7] != >> "Builtin": >> + self.run_certutil(["-M", "-n", root_nickname, >> + "-t", "CT,CT,"]) >> >> def find_server_certs(self): >> p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
>>
>> If you are careful you should be able to modify, as root, the IPA
>> python source. You'll find it in
>> /usr/lib/python2.5/site-packages/ipaserver/certs.py
>>
>> Indentation matters in python so be sure to apply this exactly.
>>
>> rob
> Well it worked partly. I was able to successfully import the
> certificate for the webserver. It did not set the trust attributes on
> the CA certificates (perhaps that was the point). If I run the command
> to import the certificate for the directory server, it fails on a
> different part of the CA chain now.
>
> # ipa-server-certinstall -d
> /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx
> --dirsrv_pin='mysecretpin'
> Directory Manager password:
> an unexpected error occurred: Command '/usr/bin/certutil -d
> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com"
> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
> Policy Validation Authority,O="ValiCert, Inc.
> -t CT,CT,' returned non-zero exit status 255
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-server-certinstall", line 132, in main
>     server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd)
>   File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
>     cdb.trust_root_cert(server_cert[0])
>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 325, in trust_root_cert
>     "-t", "CT,CT,"])
>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
>     return ipautil.run(new_args, stdin)
>   File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
>     raise CalledProcessError(p.returncode, ' '.join(args))
> CalledProcessError: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned non-zero exit status 255
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Looking into this a bit closer, my best guess is that the problem really exists in the find_root_cert routine. If I manually run certutil -O on my server certificate, I get:

"valicert.com" [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network]

"Go Daddy Class 2 Certification Authority" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US]

"Go Daddy Secure Certification Authority" [serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US]

"servername server-cert" [CN=servername.realm.com,OU=Domain Control Validated,O=servername.realm.com]

It looks like it is choking on the quotes around the organization name.
Does this routine really need to return the part between the square brackets? From what I've seen thus far, it does not look like the Distinguished Name is required for certificate management. Can the string just be chopped off after the friendly name?

From rcritten at redhat.com Tue Jul 21 19:06:31 2009
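Review bot: the guard added to trust_root_cert, `if root_nickname is not None and root_nickname[:7] != "Builtin":`, compares only the first seven characters, so any nickname that merely begins with "Builtin" is skipped as well, and in both skip cases (builtin root or a None from find_root_cert) the function returns without a word, which is why the run above "did not set the trust attributes on the CA certificates" with no indication of why. Match the whole token prefix as it appears in the traceback, "Builtin Object Token:", and log when the root is deliberately left untouched. Two further points: `-t CT,CT,` makes whichever certificate tops the imported PKCS#12 chain a trusted CA for SSL and e-mail, so this path should only run on a PKCS#12 the administrator controls; and the command in the traceback shows the nickname (`valicert.com" [E=...`) was already garbled before certutil ran, which is a find_root_cert problem this guard does not address.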
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Jul 2009 15:06:31 -0400
Subject: [Freeipa-users] Public CA signed Certificate import failure
In-Reply-To: <4A66063F.3030503@ssaihq.com>
References: <4A608D9F.1050405@ssaihq.com> <4A649ABA.3010208@redhat.com> <4A65CCB2.40507@ssaihq.com> <4A65D464.1040609@redhat.com> <4A65FBF6.7030003@ssaihq.com> <4A66063F.3030503@ssaihq.com>
Message-ID: <4A6611B7.9000701@redhat.com>

James Roman wrote:
> James Roman wrote:
>> Rob Crittenden wrote:
>>> James Roman wrote:
>>>> Rob Crittenden wrote:
>>>>> James Roman wrote:
>>>>>> First off, thanks Rob for the direction on creating a certificate. After reading up on Mozilla's NSS, I think I've got a pretty fair grounding.
>>>>>>
>>>>>> So I successfully generated a CSR and had it signed. I imported my certificate and CA chain into the NSS database and exported it to a PKCS12 cert. I am primarily concerned with using the public cert on the HTTP interface. However, when I go to import it using ipa-server-certificate, it chokes on the names in the CA certificate chain. (One of the certs uses full website address for the name.) I can manually import each of the certificates in the CA chain using certutil on the /etc/httpd/alias directory.
>>>>>
>>>>> What do you mean by choke? Do you have a python backtrace or can you send me the ipaserver-install.log?
>>>> Here is what I get when importing the p12 file using "ipa-server-certinstall". The reasons for the errors are fairly self-evident when you see how it parses the command line arguments.
>>>>
>>>> # ipa-server-certinstall -w /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx --http_pin='mysecretpin'
>>>> an unexpected error occurred: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.
>>>> -t CT,CT,' returned non-zero exit status 255
>>>> Traceback (most recent call last):
>>>>   File "/usr/sbin/ipa-server-certinstall", line 137, in main
>>>>     server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
>>>>   File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
>>>>     cdb.trust_root_cert(server_cert[0])
>>>>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, in trust_root_cert
>>>>     "-t", "CT,CT,"])
>>>>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
>>>>     return ipautil.run(new_args, stdin)
>>>>   File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
>>>>     raise CalledProcessError(p.returncode, ' '.join(args))
>>>> CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n Builtin Object Token:Go Daddy Class 2 CA" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc. -t CT,CT,' returned non-zero exit status 255
>>>>
>>>> I'm left with most of the certificate chain
>>>
>>> Ok, we shouldn't need to mess with builtin CAs at all.
>>>
>>> Can you file a bug on this?
>>>
>>> In the meantime, this patch should fix things for you:
>>>
>>> diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py
>>> index 8cb1d08..610ca1d 100644
>>> --- a/ipa-server/ipaserver/certs.py
>>> +++ b/ipa-server/ipaserver/certs.py
>>> @@ -318,8 +318,9 @@ class CertDB(object): >>> def trust_root_cert(self, nickname): >>> root_nickname = self.find_root_cert(nickname) >>> >>> - self.run_certutil(["-M", "-n", root_nickname, >>> - "-t", "CT,CT,"]) >>> + if root_nickname is not None and root_nickname[:7] != >>> "Builtin": >>> + self.run_certutil(["-M", "-n", root_nickname, >>> + "-t", "CT,CT,"]) >>> >>> def find_server_certs(self): >>> p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir, >>> >>> If you are careful you should be able to modify, as root, the IPA >>> python source. You'll find it in >>> /usr/lib/python2.5/site-packages/ipaserver/certs.py >>> >>> Indentation matters in python so be sure to apply this exactly. >>> >>> rob >> Well it worked partly. I was able to successfully import the >> certificate for the webserver. It did not set the trust attributes on >> the CA certificates (perhaps that was the point). If I run the command >> to import the certificate for the directory server, it fails on a >> different part of the CA chain now. >> >> # ipa-server-certinstall -d >> /data/ipacerts/godaddy/server.suffix.com-godaddycert.pfx >> --dirsrv_pin='mysecretpin' >> Directory Manager password: >> an unexpected error occurred: Command '/usr/bin/certutil -d >> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" >> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 >> Policy Validation Authority,O="ValiCert, Inc. 
>> -t CT,CT,' returned non-zero exit status 255
>> Traceback (most recent call last):
>>   File "/usr/sbin/ipa-server-certinstall", line 132, in main
>>     server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd)
>>   File "/usr/sbin/ipa-server-certinstall", line 116, in import_cert
>>     cdb.trust_root_cert(server_cert[0])
>>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 325, in trust_root_cert
>>     "-t", "CT,CT,"])
>>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
>>     return ipautil.run(new_args, stdin)
>>   File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
>>     raise CalledProcessError(p.returncode, ' '.join(args))
>> CalledProcessError: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned non-zero exit status 255
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> Looking into this a bit closer, my best guess is that the problem really exists in the find_root_cert routine.
If I manually run certutil > -O on my server certificate, I get: > > "valicert.com" > [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 > Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation > Network] > > "Go Daddy Class 2 Certification Authority" [OU=Go Daddy Class 2 > Certification Authority,O="The Go Daddy Group, Inc.",C=US] > > "Go Daddy Secure Certification Authority" > [serialNumber=07969287,CN=Go Daddy Secure Certification > Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, > Inc.",L=Scottsdale,ST=Arizona,C=US] > > "servername server-cert" [CN=servername.realm.com,OU=Domain Control > Validated,O=servername.realm.com] > > It looks like it is choking on the quotes around the organization name. > Does this routine really need to return the part between the square > brackets? From what i've seen thus far, it does not look like the > Distinguished Name is required for certificate management. Can the > string just be chopped off after the friendly name? I think you're onto something there. Python's re module doesn't count quotes so it looks like it is taking everything between the first quote and the last one. If I'm reading the backtrace properly, for example, it looks like it is dropping the C=US which is outside the last set of quotes. I think that adding in a more precise match will fix in. In some quickie unit tests this seems to work: --- a/ipa-server/ipaserver/certs.py +++ b/ipa-server/ipaserver/certs.py @@ -311,15 +311,16 @@ class CertDB(object): chain = p.stdout.read() chain = chain.split("\n") - root_nickname = re.match('\ *"(.*)".*', chain[0]).groups()[0] + root_nickname = re.match('\ *"(.*) \[".*', chain[0]).groups()[0] Can you give this a try? -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From jrobertm8 at yahoo.com Fri Jul 24 08:02:13 2009 
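Review bot: the replacement line in find_root_cert, `re.match('\ *"(.*) \[".*', chain[0])`, has its closing quote on the wrong side of ` \[`: it demands the literal text ` ["` after the nickname, and the certutil -O lines quoted above read `"valicert.com" [E=...`, which never contains ` ["`, so the match returns None and `.groups()` raises AttributeError where the CalledProcessError used to be. The intended expression is `re.match('\ *"(.*)" \[.*', chain[0])`, and because the bracketed DN itself carries quotes (`O="ValiCert, Inc."`) a non-greedy group, `"(.*?)" \[`, is the form they cannot mislead; the original greedy `"(.*)"` ran to the last quote on the line, which is how `O="ValiCert, Inc.` ended up inside the nickname in the traceback. Check the match for None before calling groups(), since trust_root_cert already copes with a None root_nickname.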
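The nickname parsing argued over in this thread can be exercised offline. The block below is an added example, not code from FreeIPA's certs.py or from either poster: it runs the original greedy pattern and a corrected non-greedy one over a constructed copy of the certutil -O chain James posted (same nicknames and DNs, with the e-mail address written with "@" rather than the archive's "at"), and applies the builtin-token skip from the first patch using the full token prefix rather than the first seven characters. The function names and the SAMPLE_CHAIN text are this example's own.

```python
import re

# Constructed copy of the `certutil -O` chain posted in this thread (root
# first, server cert last). It is sample input for this example, not output
# captured from a live NSS database.
SAMPLE_CHAIN = '''"valicert.com" [E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network]

  "Go Daddy Class 2 Certification Authority" [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US]

    "Go Daddy Secure Certification Authority" [serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US]

      "servername server-cert" [CN=servername.realm.com,OU=Domain Control Validated,O=servername.realm.com]
'''

# The expression from the shipped certs.py: greedy, so the group runs from the
# first double quote on the line to the last one and swallows the bracketed DN.
ORIGINAL_RE = re.compile(r'\ *"(.*)".*')

# Corrected form: a non-greedy group that ends at the first `" [`, so quotes
# inside the DN (O="ValiCert, Inc.") cannot extend the nickname.
FIXED_RE = re.compile(r'^\s*"(.*?)" \[(.*)\]\s*$')

# certutil shows certificates from NSS's read-only builtin root module with
# this token prefix; the first patch in the thread skips such roots.
BUILTIN_PREFIX = "Builtin Object Token:"


def nickname_original(line):
    """What the original regex extracts from one certutil -O line (may be garbled)."""
    m = ORIGINAL_RE.match(line)
    return m.group(1) if m else None


def parse_chain(text):
    """Return [(nickname, dn), ...] for each non-blank line of certutil -O output."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FIXED_RE.match(line)
        if m is None:
            raise ValueError("unparseable certutil -O line: %r" % line)
        entries.append((m.group(1), m.group(2)))
    return entries


def find_root_nickname(text):
    """certutil -O prints the chain root first; return its nickname, or None."""
    entries = parse_chain(text)
    return entries[0][0] if entries else None


def should_set_trust(root_nickname):
    """The first patch's intent, but matching the whole token prefix: skip builtin roots."""
    return root_nickname is not None and not root_nickname.startswith(BUILTIN_PREFIX)


if __name__ == "__main__":
    first = SAMPLE_CHAIN.splitlines()[0]
    print("original regex: %r" % nickname_original(first))
    print("fixed parser:   %r" % find_root_nickname(SAMPLE_CHAIN))
    for nick, dn in parse_chain(SAMPLE_CHAIN):
        print("%-45s %s..." % (nick, dn[:40]))
```

Running it prints the garbled value the traceback shows for the first line (everything from `valicert.com"` through `O="ValiCert, Inc.`) next to the clean `valicert.com` the corrected parser returns.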
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Fri, 24 Jul 2009 16:02:13 +0800 (SGT)
Subject: [Freeipa-users] (no subject)
Message-ID: <823990.52112.qm@web76313.mail.sg1.yahoo.com>

Hi,

I have a few questions regarding the functionalities of the WebGUI.

I have set up a single machine as an IPA server. I have edited the /etc/hosts with my machine's IP address and hostname. And have installed the IPA server after downloading it from yum.

After I have successfully set up my machine for IPA, I tried to verify if it's working. As the documentation prescribed, I attempted to kinit using the admin account and I accessed the WebGUI. I tried to add users through the WebGUI.

After adding a test user, I tried to kinit the test user but it tells me that I have the wrong password. This is the same password that I entered when I created the user.

What seems to be the problem with my setup?

TIA
John Robert Mendoza
-------------- next part --------------
An HTML attachment was scrubbed...

From amrossi at linux.it Fri Jul 24 08:35:22 2009
From: amrossi at linux.it (Andrea Modesto Rossi)
Date: Fri, 24 Jul 2009 10:35:22 +0200 (CEST)
Subject: [Freeipa-users] (no subject)
In-Reply-To: <823990.52112.qm@web76313.mail.sg1.yahoo.com>
References: <823990.52112.qm@web76313.mail.sg1.yahoo.com>
Message-ID: <34832.91.193.45.7.1248424522.squirrel@picard.linux.it>

On Fri, 24 July 2009 10:02 am, John Robert Mendoza wrote:
> Hi,
>
> After adding a test user, I tried to kinit the test user but it tells me that I have the wrong password. This is the same password that I entered when I created the user.
>

When you create a new user, this account is immediately locked (security reason) because you have to change the password during the first connection. So you can try an ssh connection instead of a kinit procedure. Of course, in /etc/ssh/sshd_config set the ChallengeResponseAuthentication entry to YES.

I hope this helps you.

Cheers,

--
Andrea Modesto Rossi
Fedora Ambassador

From jeff.moody at evscorporation.com Sat Jul 25 19:47:16 2009
From: jeff.moody at evscorporation.com (Jeff Moody)
Date: Sat, 25 Jul 2009 14:47:16 -0500
Subject: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
Message-ID: <712B6F0C7079C0459DB8A063743A3CB0BE209237@evsxmail1.evscorporation.com>

I'm trying to set up password/identity sync to the FreeIPA server from a Windows 2003R2 SP2 server to a Fedora 10 VM.

I have installed the FreeIPA software and can load its configuration page on the IPA server - so the service appears to be running.

I have our Windows DC running the Windows 2003 Enterprise Certificate Authority service and have exported its root certificate and SCP'ed that to the IPA server.

Following the instructions from TFM, I run the following command:

[root at ipamem1 ~]# ipa-replica-manage add --winsync --binddn CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw WindowsAccountPassword --cacert /root/dc1-base64-x509.cer dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync

This is the output from that command:

Directory Manager password:
INFO:root:Shutting down dirsrv:
EVSCORPORATION-COM... [ OK ]
INFO:root:
INFO:root:
INFO:root:
INFO:root:Starting dirsrv:
EVSCORPORATION-COM... [ OK ]
INFO:root:
INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate database for ipamem1.evscorporation.com
INFO:root:Restarted directory server ipamem1.evscorporation.com
INFO:root:Could not validate connection to remote server dc1.evscorporation.com:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[ipamem1.evscorporation.com] reports: Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
INFO:root:Added agreement for other host dc1.evscorporation.com

Additionally, in the /var/lib/dirsrv/ errors log, I have the following error:

[25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not recognized.) 11 (Resource temporarily unavailable)

On the Windows server, the Passsync service is running and as far as I know I installed the right certificate on the Passsync side by following the instructions at (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service) and the only message in the Passsync log on the Windows side is:

07/25/09 14:32:15: PassSync service started

I'm sure that I'm just missing some simple, stupid little thing... but I have no earthly idea as to what that could be. Any help/suggestions/troubleshooting anyone can help me with, I would greatly appreciate it.

Thanks.

----
Jeff Moody
Senior Systems Engineer
EVS Corporation
5050 Poplar Avenue, Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk
(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.moody at evscorporation.com
-------------- next part --------------
An HTML attachment was scrubbed...

From rcritten at redhat.com Mon Jul 27 14:05:19 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 27 Jul 2009 10:05:19 -0400
Subject: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
In-Reply-To: <712B6F0C7079C0459DB8A063743A3CB0BE209237@evsxmail1.evscorporation.com>
References: <712B6F0C7079C0459DB8A063743A3CB0BE209237@evsxmail1.evscorporation.com>
Message-ID: <4A6DB41F.9070000@redhat.com>

Jeff Moody wrote:
> I'm trying to set up password/identity sync to the FreeIPA server from a Windows 2003R2 SP2 server to a Fedora 10 VM.
>
> I have installed the FreeIPA software and can load its configuration page on the IPA server - so the service appears to be running.
>
> I have our Windows DC running the Windows 2003 Enterprise Certificate Authority service and have exported its root certificate and SCP'ed that to the IPA server.
>
> Following the instructions from TFM, I run the following command:
>
> [root at ipamem1 ~]# ipa-replica-manage add --winsync --binddn CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw WindowsAccountPassword --cacert /root/dc1-base64-x509.cer dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync
>
> This is the output from that command:
>
> Directory Manager password:
> INFO:root:Shutting down dirsrv:
> EVSCORPORATION-COM... [ OK ]
> INFO:root:
> INFO:root:
> INFO:root:
> INFO:root:Starting dirsrv:
> EVSCORPORATION-COM...
> [ OK ]
> INFO:root:
> INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate database for ipamem1.evscorporation.com
> INFO:root:Restarted directory server ipamem1.evscorporation.com
> INFO:root:Could not validate connection to remote server dc1.evscorporation.com:636 - continuing
> INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com
> Windows PassSync entry exists, not resetting password
> INFO:root:Added new sync agreement, waiting for it to become ready . . .
> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0
> INFO:root:Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [ipamem1.evscorporation.com] reports: Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
> INFO:root:Added agreement for other host dc1.evscorporation.com
>
> Additionally, in the /var/lib/dirsrv/ errors log, I have the following error:
>
> [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not recognized.)
> 11 (Resource temporarily unavailable)
>
> On the Windows server, the Passsync service is running and as far as I know I installed the right certificate on the Passsync side by following the instructions at (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service) and the only message in the Passsync log on the Windows side is:
>
> 07/25/09 14:32:15: PassSync service started
>
> I'm sure that I'm just missing some simple, stupid little thing... but I have no earthly idea as to what that could be. Any help/suggestions/troubleshooting anyone can help me with, I would greatly appreciate it.
>

Hmm, clearly an SSL trust issue.

Let's start by making sure that DS has the CA you provided loaded and trusted:

# certutil -L -d /etc/dirsrv/slapd-INSTANCE

It should include your CA and have a trust like CT,,C

I found that I needed to reboot my AD server when installing the CA service and getting PassSync installed. Have you rebooted recently?

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature

From jeff.moody at evscorporation.com Mon Jul 27 14:29:21 2009
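Rob's check above (list the directory server's NSS database and confirm the AD CA carries C in the SSL trust slot) can be scripted; the "Peer's Certificate issuer is not recognized" text in Jeff's errors log is NSS reporting exactly that missing trust. The block below is an added example, not part of FreeIPA or of the thread: it parses `certutil -L` output into nickname/trust pairs, reports whether a given CA nickname is trusted to issue server certificates, and builds the `certutil -M` command that would set CT,,C when it is not. The SAMPLE_LISTING text and its nicknames are constructed for illustration; list_db() is the only part that touches a real database and needs nss-tools installed.

```python
import subprocess

# Constructed sample of `certutil -L -d /etc/dirsrv/slapd-INSTANCE` output.
# The nicknames and their flags are illustrative, not captured from a server.
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,C
Server-Cert                                                  u,u,u
dc1.evscorporation.com AD CA                                 ,,
"""


def parse_certutil_list(text):
    """Map nickname -> (ssl, email, objsign) trust flags from certutil -L output.

    Nicknames may contain spaces, so the trust column is taken as the last
    whitespace-separated field and everything before it is the nickname.
    """
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if (not line or line.startswith("Certificate Nickname")
                or line.lstrip().startswith("SSL,")):
            continue
        nickname, _, flags = line.rpartition(" ")
        parts = flags.split(",")
        if len(parts) != 3:
            raise ValueError("unexpected trust column in line: %r" % line)
        certs[nickname.rstrip()] = tuple(parts)
    return certs


def ca_trusted_for_ssl(certs, nickname):
    """True when the SSL slot carries C, i.e. NSS accepts server certs it issued."""
    flags = certs.get(nickname)
    return flags is not None and "C" in flags[0]


def fix_trust_command(certs, nickname, secdir):
    """Return the certutil -M argv that sets CT,,C on nickname, or None if already trusted."""
    if nickname not in certs:
        raise KeyError("%s is not in the database; import it first" % nickname)
    if ca_trusted_for_ssl(certs, nickname):
        return None
    return ["/usr/bin/certutil", "-d", secdir, "-M", "-n", nickname, "-t", "CT,,C"]


def list_db(secdir):
    """Run certutil -L against a real NSS database (needs nss-tools)."""
    out = subprocess.check_output(["/usr/bin/certutil", "-L", "-d", secdir])
    return parse_certutil_list(out.decode("utf-8", "replace"))


if __name__ == "__main__":
    db = parse_certutil_list(SAMPLE_LISTING)
    ad_ca = "dc1.evscorporation.com AD CA"   # illustrative nickname
    cmd = fix_trust_command(db, ad_ca, "/etc/dirsrv/slapd-INSTANCE")
    print("%s: %s" % (ad_ca, "trusted" if cmd is None else " ".join(cmd)))
```

Run it against the sample and the AD CA entry, which has an empty trust column, yields the `certutil -M ... -t CT,,C` command to apply; replace the call on SAMPLE_LISTING with `list_db("/etc/dirsrv/slapd-INSTANCE")` to check a live server, and restart dirsrv after changing trust so the new flags are picked up.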
From: jeff.moody at evscorporation.com (Jeff Moody)
Date: Mon, 27 Jul 2009 09:29:21 -0500
Subject: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
In-Reply-To: <4A6DB41F.9070000@redhat.com>
References: <712B6F0C7079C0459DB8A063743A3CB0BE209237@evsxmail1.evscorporation.com> <4A6DB41F.9070000@redhat.com>
Message-ID: <712B6F0C7079C0459DB8A063743A3CB0BE209259@evsxmail1.evscorporation.com>

Pardon my ignorance, but are there any special steps outside of the ipa-replica-manage command with the Root Cert from the AD server needed to get the certificate installed?

I had some other issues with the VM over the weekend and am rebuilding the VM now to reinstall the IPA server software and will be able to check and give you the output of certutil later today.

Thanks.

----
Jeff Moody
Senior Systems Engineer - EVS Corporation
5050 Poplar Avenue, Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk
(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.moody at evscorporation.com

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Monday, July 27, 2009 9:05 AM
To: Jeff Moody
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

Jeff Moody wrote:
> I'm trying to set up password/identity sync to the FreeIPA server from a Windows 2003R2 SP2 server to a Fedora 10 VM.
>
> I have installed the FreeIPA software and can load its configuration page on the IPA server - so the service appears to be running.
>
> I have our Windows DC running the Windows 2003 Enterprise Certificate Authority service and have exported its root certificate and SCP'ed that to the IPA server.
>
> Following the instructions from TFM, I run the following command:
>
> [root at ipamem1 ~]# ipa-replica-manage add --winsync --binddn CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw WindowsAccountPassword --cacert /root/dc1-base64-x509.cer dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync
>
> This is the output from that command:
>
> Directory Manager password:
> INFO:root:Shutting down dirsrv:
> EVSCORPORATION-COM... [ OK ]
> INFO:root:
> INFO:root:
> INFO:root:
> INFO:root:Starting dirsrv:
> EVSCORPORATION-COM... [ OK ]
> INFO:root:
> INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate database for ipamem1.evscorporation.com
> INFO:root:Restarted directory server ipamem1.evscorporation.com
> INFO:root:Could not validate connection to remote server dc1.evscorporation.com:636 - continuing
> INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com
> Windows PassSync entry exists, not resetting password
> INFO:root:Added new sync agreement, waiting for it to become ready . . .
> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0
> INFO:root:Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [ipamem1.evscorporation.com] reports: Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
> INFO:root:Added agreement for other host dc1.evscorporation.com
>
> Additionally, in the /var/lib/dirsrv/ errors log, I have the following error:
>
> [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not recognized.) 11 (Resource temporarily unavailable)
>
> On the Windows server, the Passsync service is running and as far as I know I installed the right certificate on the Passsync side by following the instructions at (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service) and the only message in the Passsync log on the Windows side is:
>
> 07/25/09 14:32:15: PassSync service started
>
> I'm sure that I'm just missing some simple, stupid little thing... but I have no earthly idea as to what that could be. Any help/suggestions/troubleshooting anyone can help me with, I would greatly appreciate it.
>

Hmm, clearly an SSL trust issue.

Let's start by making sure that DS has the CA you provided loaded and trusted:

# certutil -L -d /etc/dirsrv/slapd-INSTANCE

It should include your CA and have a trust like CT,,C

I found that I needed to reboot my AD server when installing the CA service and getting PassSync installed. Have you rebooted recently?

rob

From jgalipea at redhat.com Mon Jul 27 15:41:03 2009
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Mon, 27 Jul 2009 11:41:03 -0400
Subject: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
In-Reply-To: <4A6DB41F.9070000@redhat.com>
References: <712B6F0C7079C0459DB8A063743A3CB0BE209237@evsxmail1.evscorporation.com> <4A6DB41F.9070000@redhat.com>
Message-ID: <4A6DCA8F.20402@redhat.com>

Rob Crittenden wrote:
> Jeff Moody wrote:
>> I'm trying to set up password/identity sync to the FreeIPA server from a Windows 2003R2 SP2 server to a Fedora 10 VM.
>>
>> I have installed the FreeIPA software and can load its configuration page on the IPA server - so the service appears to be running.
>>
>> I have our Windows DC running the Windows 2003 Enterprise Certificate Authority service and have exported its root certificate and SCP'ed that to the IPA server.
>>
>> Following the instructions from TFM, I run the following command:
>>
>> [root at ipamem1 ~]# ipa-replica-manage add --winsync --binddn CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw WindowsAccountPassword --cacert /root/dc1-base64-x509.cer dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync
>>
>> This is the output from that command:
>>
>> Directory Manager password:
>> INFO:root:Shutting down dirsrv:
>> EVSCORPORATION-COM... [ OK ]
>> INFO:root:
>> INFO:root:
>> INFO:root:
>> INFO:root:Starting dirsrv:
>> EVSCORPORATION-COM...
>> [ OK ]
>> INFO:root:
>> INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate database for ipamem1.evscorporation.com
>> INFO:root:Restarted directory server ipamem1.evscorporation.com
>> INFO:root:Could not validate connection to remote server dc1.evscorporation.com:636 - continuing
>> INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
>> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com
>> Windows PassSync entry exists, not resetting password
>> INFO:root:Added new sync agreement, waiting for it to become ready . . .
>> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0
>> INFO:root:Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>> [ipamem1.evscorporation.com] reports: Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
>> INFO:root:Added agreement for other host dc1.evscorporation.com
>>
>> Additionally, in the /var/lib/dirsrv/ errors log, I have the following error:
>>
>> [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not recognized.)
>> 11 (Resource temporarily unavailable)
>>
>> On the Windows server, the Passsync service is running and as far as I know I installed the right certificate on the Passsync side by following the instructions at (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service) and the only message in the Passsync log on the Windows side is:
>>
>> 07/25/09 14:32:15: PassSync service started
>>
>> I'm sure that I'm just missing some simple, stupid little thing... but I have no earthly idea as to what that could be. Any help/suggestions/troubleshooting anyone can help me with, I would greatly appreciate it.
>>
>
> Hmm, clearly an SSL trust issue.
>
> Let's start by making sure that DS has the CA you provided loaded and trusted:
>
> # certutil -L -d /etc/dirsrv/slapd-INSTANCE
>
> It should include your CA and have a trust like CT,,C
>
> I found that I needed to reboot my AD server when installing the CA service and getting PassSync installed. Have you rebooted recently?

These instructions are much more comprehensive and include that a reboot of the AD machine is required.

http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html

Jenny

>
> rob
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

From jeff.moody at evscorporation.com Mon Jul 27 15:48:52 2009
From: jeff.moody at evscorporation.com (Jeff Moody)
Date: Mon, 27 Jul 2009 10:48:52 -0500
Subject: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
In-Reply-To: <4A6DCA8F.20402@redhat.com>
References: <712B6F0C7079C0459DB8A063743A3CB0BE209237@evsxmail1.evscorporation.com> <4A6DB41F.9070000@redhat.com> <4A6DCA8F.20402@redhat.com>
Message-ID: <712B6F0C7079C0459DB8A063743A3CB0BE20926C@evsxmail1.evscorporation.com>

I've been communicating some with Rob off-list and have rebooted the Windows server after installing the Passsync software, but not after installing the certificate for the IPA server in the passsync directory.

----
Jeff Moody
Senior Systems Engineer - EVS Corporation
5050 Poplar Avenue, Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk
(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.moody at evscorporation.com

-----Original Message-----
From: Jenny Galipeau [mailto:jgalipea at redhat.com]
Sent: Monday, July 27, 2009 10:41 AM
To: Rob Crittenden
Cc: Jeff Moody; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

Rob Crittenden wrote:
> Jeff Moody wrote:
>> I'm trying to set up password/identity sync to the FreeIPA server from a Windows 2003R2 SP2 server to a Fedora 10 VM.
>>
>> I have installed the FreeIPA software and can load its configuration page on the IPA server - so the service appears to be running.
>>
>> I have our Windows DC running the Windows 2003 Enterprise Certificate Authority service and have exported its root certificate and SCP'ed that to the IPA server.
>>
>> Following the instructions from TFM, I run the following command:
>>
>> [root at ipamem1 ~]# ipa-replica-manage add --winsync --binddn CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw WindowsAccountPassword --cacert /root/dc1-base64-x509.cer dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync
>>
>> This is the output from that command:
>>
>> Directory Manager password:
>> INFO:root:Shutting down dirsrv:
>> EVSCORPORATION-COM... [ OK ]
>> INFO:root:
>> INFO:root:
>> INFO:root:
>> INFO:root:Starting dirsrv:
>> EVSCORPORATION-COM...
[ OK ] >> >> >> >> INFO:root: >> >> INFO:root:Added CA certificate /root/dc1-base64-x509.cer to >> certificate database for ipamem1.evscorporation.com >> >> INFO:root:Restarted directory server ipamem1.evscorporation.com >> >> INFO:root:Could not validate connection to remote server >> dc1.evscorporation.com:636 - continuing >> >> INFO:root:The error was: {'info': 'error:14090086:SSL >> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', >> 'desc': "Can't contact LDAP server"} >> >> The user for the Windows PassSync service is >> uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com >> >> Windows PassSync entry exists, not resetting password >> >> INFO:root:Added new sync agreement, waiting for it to become ready . . . >> >> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP >> error: Can't contact LDAP server: start: 0: end: 0 >> >> INFO:root:Agreement is ready, starting replication . . . >> >> Starting replication, please wait until this has completed. >> >> [ipamem1.evscorporation.com] reports: Update failed! Status: [81 - >> LDAP error: Can't contact LDAP server] >> >> INFO:root:Added agreement for other host dc1.evscorporation.com >> >> >> >> Additionally, in the /var/lib/dirsrv/ errors log, I have the >> following error: >> >> >> >> [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send >> bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] >> mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's >> Certificate issuer is not recognized.) 
11 (Resource temporarily >> unavailable) >> >> >> >> On the Windows server, the Passsync service is running and as far as >> I know I installed the right certificate on the Passsync side by >> following the instructions at >> (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service) >> and the only message in the Passsync log on the Windows side is: >> >> >> >> 07/25/09 14:32:15: PassSync service started >> >> >> >> I'm sure that I'm just missing some simple, stupid little thing.but I >> have no earthly idea as to what that could be. Any >> help/suggestions/troubleshooting anyone can help me with, I would >> greatly appreciate it. >> > > Hmm, clearly an SSL trust issue. > > Lets start by making sure that DS has the CA you provided loaded and > trusted: > > # certutil -L -d /etc/dirsrv/slapd-INSTANCE > > It should include your CA and have a trust like CT,,C > > I found that I needed to reboot my AD server when installing the CA > service and getting PassSync installed. Have you rebooted recently? These instructions are much more comprehensive and include that a reboot of the AD machine is required. http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html Jenny > > rob > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Jenny Galipeau Principal Software QA Engineer Red Hat, Inc. Security Engineering From jeff.moody at evscorporation.com Mon Jul 27 15:59:13 2009 
From: jeff.moody at evscorporation.com (Jeff Moody)
Date: Mon, 27 Jul 2009 10:59:13 -0500
Subject: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
In-Reply-To: <712B6F0C7079C0459DB8A063743A3CB0BE20926C@evsxmail1.evscorporation.com>
References: <712B6F0C7079C0459DB8A063743A3CB0BE209237@evsxmail1.evscorporation.com> <4A6DB41F.9070000@redhat.com> <4A6DCA8F.20402@redhat.com> <712B6F0C7079C0459DB8A063743A3CB0BE20926C@evsxmail1.evscorporation.com>
Message-ID: <712B6F0C7079C0459DB8A063743A3CB0BE20926E@evsxmail1.evscorporation.com>

Following the instructions on http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html I am running into an error generating the certificate for the DC. The specific error I am getting is:

Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

I apologize that I am so ignorant on SSL, but what type of certificate template should I put on the request? Domain Controller? Root CA?

Thanks a ton for the help on this.

----
Jeff Moody
Senior Systems Engineer
EVS Corporation
5050 Poplar Avenue, Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk
(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.moody at evscorporation.com
From jgalipea at redhat.com Mon Jul 27 17:13:57 2009
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Mon, 27 Jul 2009 13:13:57 -0400
Subject: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
In-Reply-To: <712B6F0C7079C0459DB8A063743A3CB0BE20926E@evsxmail1.evscorporation.com>
References: <712B6F0C7079C0459DB8A063743A3CB0BE209237@evsxmail1.evscorporation.com> <4A6DB41F.9070000@redhat.com> <4A6DCA8F.20402@redhat.com> <712B6F0C7079C0459DB8A063743A3CB0BE20926C@evsxmail1.evscorporation.com> <712B6F0C7079C0459DB8A063743A3CB0BE20926E@evsxmail1.evscorporation.com>
Message-ID: <4A6DE055.7060008@redhat.com>

Jeff Moody wrote:
> Following the instructions on http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html I am running into an error generating the certificate for the DC. The specific error I am getting is:
> Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
>
> I apologize that I am so ignorant on SSL, but what type of certificate template should I put on the request? Domain Controller? Root CA?
>
> Thanks a ton for the help on this.
>
Your Active Directory may already be SSL secured. But if not, I suspect it is Domain Controller.

Where is the Microsoft Certificate Authority installed? On the same machine as the Domain Controller? If the Certificate Authority is installed on the same machine and was installed before installing the domain controller, it automatically issues machine certificates for all machines added to the domain. Then you would just need to export the Root CA certificate and add it to the Directory Server as a trusted Root CA.

Jenny

> ----
>
> Jeff Moody
> Senior Systems Engineer
>
> EVS Corporation
> 5050 Poplar Avenue, Suite 1600
> Memphis, Tennessee 38157
> (901) 259-2387 - 24x7 Helpdesk
> (901) 881-0919 - Office
> (901) 497-1444 - Cell
> jeff.moody at evscorporation.com
--
Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc.
Security Engineering

From jeff.moody at evscorporation.com Mon Jul 27 17:33:08 2009
From: jeff.moody at evscorporation.com (Jeff Moody)
Date: Mon, 27 Jul 2009 12:33:08 -0500
Subject: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
In-Reply-To: <4A6DE055.7060008@redhat.com>
References: <712B6F0C7079C0459DB8A063743A3CB0BE209237@evsxmail1.evscorporation.com> <4A6DB41F.9070000@redhat.com> <4A6DCA8F.20402@redhat.com> <712B6F0C7079C0459DB8A063743A3CB0BE20926C@evsxmail1.evscorporation.com> <712B6F0C7079C0459DB8A063743A3CB0BE20926E@evsxmail1.evscorporation.com> <4A6DE055.7060008@redhat.com>
Message-ID: <712B6F0C7079C0459DB8A063743A3CB0BE20927B@evsxmail1.evscorporation.com>

Rob has helped me resolve this. Essentially, this was the issue. The machine was a domain controller first and I installed the CA utilities (much) later. When I created the server as an Enterprise CA, it apparently created two certificate authorities (which may be the wrong verbiage, but unfortunately my knowledge of SSL is rather limited) - one for DC1 and one for DC1-CA. What the documentation led me to believe was that the DC1 CA cert would be what I needed for the sync process to work. What Rob helped me discover was that it needed the DC1-CA cert. Once I tracked down that certificate (which Microsoft doesn't make easy to do) and exported it, I was able to install it as part of the IPA Server ipa-replica-manage process and the user accounts have replicated.

Now, if I can find a "nice" GUI for adding the synchronized user accounts to groups which only exist on the IPA Server side, I will be a very, very happy camper.

----
Jeff Moody
Senior Systems Engineer
EVS Corporation
5050 Poplar Avenue, Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk
(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.moody at evscorporation.com
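Rob's check earlier in the thread (`certutil -L -d /etc/dirsrv/slapd-INSTANCE` listing the CA with a trust like CT,,C) and the point the thread finally turned on (the imported CA must be the one that actually issued the DC's LDAPS certificate, DC1-CA rather than DC1) can both be scripted. This is an added example, not code from the thread or from FreeIPA; the embedded certutil listing and its nicknames are constructed, and the issuer check assumes you have the DC's LDAPS certificate and the candidate CA certificate saved as PEM files.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA). Two checks for the failure
# seen in this thread: (1) is the CA in the 389 DS NSS database with CA trust
# flags, as Rob's certutil -L check asks; (2) is that CA really the issuer of
# the DC's LDAPS certificate, which is what the DC1 vs DC1-CA mix-up was.

# Constructed sample of `certutil -L -d /etc/dirsrv/slapd-INSTANCE` output.
# Nicknames are made up; the layout (name column, then SSL,S/MIME,JAR/XPI
# trust column) is certutil's.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EVS Windows CA                                               CT,,C
Server-Cert                                                  u,u,u
Half Imported CA                                             ,,'

# nss_trust_flags LISTING NICKNAME
# Prints the trust-attribute column for NICKNAME. Nicknames may contain
# spaces, so the last field is taken as the flags and the rest as the name.
# Returns 1 when the nickname is not in the listing.
nss_trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF == 0 || $NF == "Attributes" || $NF == "SSL,S/MIME,JAR/XPI" { next }
        {
            flags = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")   # drop the flags column, keep the name
            if ($0 == nick) { print flags; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# ca_trusted_for_ssl LISTING NICKNAME
# Returns 0 if the SSL slot (first of the three comma-separated slots) has C,
# i.e. the entry is a CA that 389 DS will accept as the issuer of a peer's
# server certificate. "CT,,C", as the thread expects, passes; "u,u,u" (a
# server key) or ",," (imported but untrusted) fails. Returns 2 if absent.
ca_trusted_for_ssl() {
    flags=$(nss_trust_flags "$1" "$2") || return 2
    case "${flags%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# ca_issued_server_cert CA_PEM SERVER_PEM
# Returns 0 only if the CA in CA_PEM verifies SERVER_PEM. A CA that is
# trusted in the NSS database but fails this is the wrong CA (the thread's
# DC1 certificate instead of DC1-CA): 389 DS then reports -8179 "Peer's
# Certificate issuer is not recognized." exactly as in Jeff's errors log.
ca_issued_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo against the constructed listing.
for nick in "EVS Windows CA" "Server-Cert" "Half Imported CA" "Missing CA"; do
    if ca_trusted_for_ssl "$SAMPLE_LISTING" "$nick"; then
        echo "$nick: usable CA for SSL ($(nss_trust_flags "$SAMPLE_LISTING" "$nick"))"
    else
        rc=$?
        echo "$nick: not usable as CA (rc=$rc; 1 = wrong trust, 2 = not present)"
    fi
done
# With real files: ca_issued_server_cert dc1-ca.pem dc1-ldaps.pem
```

If the listing check passes but the sync still fails with -8179, run the issuer check against the DC's LDAPS certificate: a trusted but non-issuing CA is the situation this thread ended up in.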
From David.Christensen at viveli.com Tue Jul 28 20:20:07 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Tue, 28 Jul 2009 15:20:07 -0500
Subject: [Freeipa-users] Groups
Message-ID: <4A6F5D77.3080005@viveli.com>

When I add a user to additional groups beyond ipausers (groups that were manually added), why is the ipa UI showing users belonging to the group, but not showing them belonging to the group when I run `getent group "groupname"`? If I just run `getent group` I see all the groups in ipa as well as any users that are assigned to them, which shows the users of the group that was empty when I ran getent group "groupname".

Any reason why this is occurring?

Thanks.

From rcritten at redhat.com Tue Jul 28 20:37:46 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Jul 2009 16:37:46 -0400
Subject: [Freeipa-users] Groups
In-Reply-To: <4A6F5D77.3080005@viveli.com>
References: <4A6F5D77.3080005@viveli.com>
Message-ID: <4A6F619A.3040705@redhat.com>

David Christensen wrote:
> When I add a user to additional groups beyond ipausers; groups that were
> manually added, why is the ipa UI showing users belonging to the group,
> but not showing them belonging to the group when I run `getent group
> "groupname"`? If I just run `getent group` I see all the groups in ipa
> as well as any users that are assigned to them, which shows the users of
> the group that was empty when I ran getent group "groupname".
>
> Any reason why this is occurring?
>
Is nscd running? It may have cached the group. You can try restarting nscd or invalidating the group cache with: nscd -i group.

nscd is a mixed blessing. It saves a lot of work for the LDAP server but can cause lots of grief like this. Fortunately it has a *ton* of knobs to turn, see nscd.conf for details on tuning your caches (positive and negative).

rob

From David.Christensen at viveli.com Tue Jul 28 21:34:53 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Tue, 28 Jul 2009 16:34:53 -0500
Subject: [Freeipa-users] Groups
In-Reply-To: <4A6F5D77.3080005@viveli.com>
References: <4A6F5D77.3080005@viveli.com>
Message-ID: <4A6F6EFD.1040804@viveli.com>

David Christensen wrote:
> When I add a user to additional groups beyond ipausers; groups that were
> manually added, why is the ipa UI showing users belonging to the group,
> but not showing them belonging to the group when I run `getent group
> "groupname"`? If I just run `getent group` I see all the groups in ipa
> as well as any users that are assigned to them, which shows the users of
> the group that was empty when I ran getent group "groupname".
>
> Any reason why this is occurring?
>
> Thanks.

Got the answer, in case anyone else runs into this: nscd caches the groups, so after adding/modifying groups you need to run "nscd -i group" as root.

From David.Christensen at viveli.com Tue Jul 28 21:37:47 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Tue, 28 Jul 2009 16:37:47 -0500
Subject: [Freeipa-users] Adding a cert post install
Message-ID: <4A6F6FAB.6050307@viveli.com>

If freeIPA was installed and a CA-signed cert was not used during the install, and instead the freeipa-generated one was used, is it possible to import one post-install?

If this is not possible, or rather difficult, is it possible to back up the freeIPA DB and import it after a new install to use the legit CA cert?

Thanks.

From rcritten at redhat.com Tue Jul 28 22:06:02 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Jul 2009 18:06:02 -0400
Subject: [Freeipa-users] Adding a cert post install
In-Reply-To: <4A6F6FAB.6050307@viveli.com>
References: <4A6F6FAB.6050307@viveli.com>
Message-ID: <4A6F764A.3050603@redhat.com>

David Christensen wrote:
> If freeIPA was installed and a CA signed cert was not used during the
> install and instead the freeipa generated one was used, it is possible
> to import one post install?

There is a tool to do that, ipa-server-certinstall.

> If not this is not possible or rather difficult, is it possible to
> backup the freeIPA DB and import it after a new install to use the legit
> CA cert?

It isn't too difficult to do but you have to understand the ramifications. When you create any replicas you'll need to provide two certificates for it (one for Apache and one for 389) in the form of PKCS#12 files and they need to be issued from the same CA as your other IPA servers (or they must already be trusted). You just have to be very careful, basically.

rob

From kwade at redhat.com Tue Jul 28 22:40:05 2009
From: kwade at redhat.com (Karsten Wade)
Date: Tue, 28 Jul 2009 15:40:05 -0700
Subject: [Freeipa-users] Self-intro: Karsten (quaid) Wade
Message-ID: <20090728224005.GU7063@calliope.phig.org>

Hi:

This may be new on this list, but if you are interested (as I am) in
participating and contributing in FreeIPA, a quick introduction to
others is helpful. Other emails I send from now on should make more
sense with this context. :)

I'd like to make it easier to join the development of the FreeIPA
platform. There are a lot of places to contribute, and one really big
reason to bother: If you use FreeIPA, whatever you contribute will come
back to help you many times over.[1]

You already participate if you are on this mailing list, if you ask and
answer questions. If you are on #freeipa (irc.freenode.net), even your
regular presence lurking helps us all feel there are people out there
listening (and learning) when we have problems. Running the code is an
important way of participating, especially if you test early, find
bugs, and file reports.

Yet, there are barriers that make it harder for you to easily turn
participation into a greater contribution.

One of the first things I am working on is making it easier to get edit
access to the wiki at http://freeipa.org. A wiki is a useful tool for
collaborating on all aspects of a project. For example, some of the
items on this mailing list could be in an FAQ or as a small how-to. If
we can make it easy for answers to migrate from here to an organized
wiki, a single contribution can have a greater effect.

A very early example of what it takes to make a quick how-to/what-is page:

http://freeipa.org/page/Writing_how_to_documentation_on_the_wiki
http://freeipa.org/page/Category:How_to
http://freeipa.org/page/Category:What_is

Helping grow sustainable communities is what I do for Red Hat.
You can find more through my user page:

http://freeipa.org/page/User:Quaid

Cheers - Karsten

[1] I'm defining users as the folks I see here -- systems administrators
exploring, installing, configuring, and maintaining FreeIPA.

--
Karsten 'quaid' Wade, Community Gardener
http://quaid.fedorapeople.org
AD0E0C41

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL:

From David.Christensen at viveli.com Tue Jul 28 22:56:04 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Tue, 28 Jul 2009 17:56:04 -0500
Subject: [Freeipa-users] Adding a cert post install
In-Reply-To: <4A6F764A.3050603@redhat.com>
References: <4A6F6FAB.6050307@viveli.com> <4A6F764A.3050603@redhat.com>
Message-ID: <4A6F8204.9030006@viveli.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob Crittenden wrote:
> David Christensen wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> If freeIPA was installed and a CA signed cert was not used during the
>> install and instead the freeipa generated one was used, is it possible
>> to import one post install?
>
> There is a tool to do that, ipa-server-certinstall.
>
>> If not this is not possible or rather difficult, is it possible to
>> backup the freeIPA DB and import it after a new install to use the legit
>> CA cert?
>
> It isn't too difficult to do but you have to understand the
> ramifications. When you create any replicas you'll need to provide two
> certificates for it (one for Apache and one for 389) in the form of
> PKCS#12 files and they need to be issued from the same CA as your other
> IPA servers (or they must already be trusted).
>
> You just have to be very careful, basically.
>
> rob

Thanks for the info Rob.

Does the same ramification exist using the ipa-server-certinstall tool
or is that just when trying to re-create an instance of IPA and
importing the DB?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkpvggQACgkQ5B+8XEnAvqsA+ACfdUc8QzKgkOQiIoTdF2Z3xxqF
bBkAn2Hu0/XFcgKEeZYK38BOugkRqHF5
=7Uhp
-----END PGP SIGNATURE-----

From jrobertm8 at yahoo.com Wed Jul 29 02:44:41 2009
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Wed, 29 Jul 2009 10:44:41 +0800 (SGT)
Subject: [Freeipa-users] password problem
Message-ID: <675102.60062.qm@web76305.mail.sg1.yahoo.com>

Hi to all,

I currently have set up a freeipa server on a virtual machine and have
some issues I just want to be cleared with.

My setup is as follows:

I have tweaked the /etc/hosts file to register the hostname and ip
address of the machine to where I have installed the server.

Then, I installed the ipa server from yum and have successfully created
my realm and directory server. I have used the -N option to disable the
configuration and installation of the NTP server. I have configured the
/etc/ntp.conf to synchronize the time with our own ntp server.

After the installation, I configured the browser to enable the webgui.
I have successfully done this, and have accessed the administrator page
after obtaining the admin ticket. Now I tried to create a test user.
This test user has sufficient required entries for an account to be
created. Now that the user is existing, the page issued that the user's
password has expired. I know this is a security feature. I then tried
to kinit with the test user, it asked for the password and I, in return,
supplied the password which is identical to the password I supplied
during the creation of the test user. Kinit outputs with an error:

kinit(v5): Password incorrect while getting initial credentials.

I looked up the krb5kdc.log and found these:

Jul 29 10:40:06 xx.xxx.xxx.xxx krb5kdc[1478](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 202.90.157.229: CLIENT KEY EXPIRED: hertz at XXX.XXX.XXX.XXX for krbtgt/XXX.XXX.XXX.XXX at XXX.XXX.XXX.XXX, Password has expired.

I just X'ed out our realm and the hostname of the machine.

Isn't it that the password that was supplied during the registration of
a user is supposed to be his kerberos password too?

What seemed to be the problem?

Thanks

John Robert Mendoza

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From visser.rob at gmail.com Wed Jul 29 14:18:27 2009
From: visser.rob at gmail.com (Rob Visser)
Date: Wed, 29 Jul 2009 16:18:27 +0200
Subject: [Freeipa-users] Kerberos authentication + LDAP authorization with apache
Message-ID: <869100480907290718t6183be6fod552b5ca0f66d004@mail.gmail.com>

Hello,

I would like to achieve authorization on a kerberised web-page.
My idea is to use an LDAP query for group membership, i.e. the uid
should be a member of a certain group in order to serve out pages.

Authentication with Kerberos gssapi works well.
I do not know how to achieve the authorization.

This is what I tried:

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbServiceName HTTP
    KrbAuthRealms USN.TIC
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    KrbSaveCredentials on
    AuthzLDAPAuthoritative on
    AuthLDAPUrl ldap://localhost/cn=users,cn=accounts,dc=usn,dc=tic?uid
    Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=usn,dc=tic
    Require valid-user
    Satisfy all

Any help is appreciated.

Rob Visser

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Wed Jul 29 14:23:05 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Jul 2009 10:23:05 -0400
Subject: [Freeipa-users] Adding a cert post install
In-Reply-To: <4A6F8204.9030006@viveli.com>
References: <4A6F6FAB.6050307@viveli.com> <4A6F764A.3050603@redhat.com> <4A6F8204.9030006@viveli.com>
Message-ID: <4A705B49.2020309@redhat.com>

David Christensen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rob Crittenden wrote:
>> David Christensen wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> If freeIPA was installed and a CA signed cert was not used during the
>>> install and instead the freeipa generated one was used, is it possible
>>> to import one post install?
>> There is a tool to do that, ipa-server-certinstall.
>>
>>> If not this is not possible or rather difficult, is it possible to
>>> backup the freeIPA DB and import it after a new install to use the legit
>>> CA cert?
>> It isn't too difficult to do but you have to understand the
>> ramifications. When you create any replicas you'll need to provide two
>> certificates for it (one for Apache and one for 389) in the form of
>> PKCS#12 files and they need to be issued from the same CA as your other
>> IPA servers (or they must already be trusted).
>>
>> You just have to be very careful, basically.
>>
>> rob
>
> Thanks for the info Rob.
>
> Does the same ramification exist using the ipa-server-certinstall tool

Yes, once you replace the self-signed CA you'll be responsible for
providing all future certificates via PKCS#12 files and ensuring that
the required CA certs will be available for trust purposes.

It isn't an overwhelming task but can be confusing for those new to SSL.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Wed Jul 29 14:42:04 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Jul 2009 10:42:04 -0400
Subject: [Freeipa-users] password problem
In-Reply-To: <675102.60062.qm@web76305.mail.sg1.yahoo.com>
References: <675102.60062.qm@web76305.mail.sg1.yahoo.com>
Message-ID: <4A705FBC.9040509@redhat.com>

John Robert Mendoza wrote:
> Hi to all,
>
> I currently have set up a freeipa server on a virtual machine and have
> some issues I just want to be cleared with.
>
> My setup is as follows:
>
> I have tweaked the /etc/hosts file to register the hostname and ip
> address of the machine to where I have installed the server.
>
> Then, I installed the ipa server from yum and have successfully created
> my realm and directory server. I have used the -N option to disable the
> configuration and installation of the NTP server. I have configured the
> /etc/ntp.conf to synchronize the time with our own ntp server.
>
> After the installation, I configured the browser to enable the webgui.
> I have successfully done this, and have accessed the administrator page
> after obtaining the admin ticket. Now I tried to create a test user.
> This test user has sufficient required entries for an account to be
> created. Now that the user is existing, the page issued that the user's
> password has expired. I know this is a security feature. I then tried
> to kinit with the test user, it asked for the password and I, in return,
> supplied the password which is identical to the password I supplied
> during the creation of the test user. Kinit outputs with an error:
> kinit(v5): Password incorrect while getting initial credentials.
>
> I looked up the krb5kdc.log and found these:
> Jul 29 10:40:06 xx.xxx.xxx.xxx krb5kdc[1478](info): AS_REQ (7 etypes {18
> 17 16 23 1 3 2}) 202.90.157.229: CLIENT KEY EXPIRED:
> hertz at XXX.XXX.XXX.XXX for krbtgt/XXX.XXX.XXX.XXX at XXX.XXX.XXX.XXX,
> Password has expired.
>
> I just X'ed out our realm and the hostname of the machine.
> Isn't it that the password that was supplied during the registration of
> a user is supposed to be his kerberos password too?

Yes, this password expired message is expected. Immediately after this
message you should see a NEEDED_PREAUTH for kadmin/changepw at REALM,
basically asking for the current password.

Does the password work if you do a simple bind to LDAP? e.g. something
like this to search for a login 'tuser'

% ldapsearch -x -D "uid=tuser,cn=users,cn=accounts,dc=example,dc=com" -W -b "dc=example,dc=com" uid=tuser

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From David.Christensen at viveli.com Wed Jul 29 15:05:09 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Wed, 29 Jul 2009 10:05:09 -0500
Subject: [Freeipa-users] Adding a cert post install
In-Reply-To: <4A705B49.2020309@redhat.com>
References: <4A6F6FAB.6050307@viveli.com> <4A6F764A.3050603@redhat.com> <4A6F8204.9030006@viveli.com> <4A705B49.2020309@redhat.com>
Message-ID: <4A706525.3060606@viveli.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob Crittenden wrote:
> David Christensen wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Rob Crittenden wrote:
>>> David Christensen wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> If freeIPA was installed and a CA signed cert was not used during the
>>>> install and instead the freeipa generated one was used, is it possible
>>>> to import one post install?
>>> There is a tool to do that, ipa-server-certinstall.
>>>
>>>> If not this is not possible or rather difficult, is it possible to
>>>> backup the freeIPA DB and import it after a new install to use the
>>>> legit
>>>> CA cert?
>>> It isn't too difficult to do but you have to understand the
>>> ramifications. When you create any replicas you'll need to provide two
>>> certificates for it (one for Apache and one for 389) in the form of
>>> PKCS#12 files and they need to be issued from the same CA as your other
>>> IPA servers (or they must already be trusted).
>>>
>>> You just have to be very careful, basically.
>>>
>>> rob
>>
>> Thanks for the info Rob.
>>
>> Does the same ramification exist using the ipa-server-certinstall tool
>
> Yes, once you replace the self-signed CA you'll be responsible for
> providing all future certificates via PKCS#12 files and ensuring that
> the required CA certs will be available for trust purposes.
>
> It isn't an overwhelming task but can be confusing for those new to SSL.
>
> rob

Thanks for clarifying. Can the tool be used on replicas?

I created a replica for multimaster replication using the default
install so I will need to import the SSL cert for both ipa servers.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkpwZSUACgkQ5B+8XEnAvqtlJgCeMNJNNN4z9V/PnvJr6bnFMMnX
FhwAnA4gQpDuHEsa+14VoeWXAwod68YX
=7JRY
-----END PGP SIGNATURE-----

From rcritten at redhat.com Wed Jul 29 15:22:33 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Jul 2009 11:22:33 -0400
Subject: [Freeipa-users] Adding a cert post install
In-Reply-To: <4A706525.3060606@viveli.com>
References: <4A6F6FAB.6050307@viveli.com> <4A6F764A.3050603@redhat.com> <4A6F8204.9030006@viveli.com> <4A705B49.2020309@redhat.com> <4A706525.3060606@viveli.com>
Message-ID: <4A706939.6080100@redhat.com>

David Christensen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rob Crittenden wrote:
>> David Christensen wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Rob Crittenden wrote:
>>>> David Christensen wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> If freeIPA was installed and a CA signed cert was not used during the
>>>>> install and instead the freeipa generated one was used, is it possible
>>>>> to import one post install?
>>>> There is a tool to do that, ipa-server-certinstall.
>>>>
>>>>> If not this is not possible or rather difficult, is it possible to
>>>>> backup the freeIPA DB and import it after a new install to use the
>>>>> legit
>>>>> CA cert?
>>>> It isn't too difficult to do but you have to understand the
>>>> ramifications. When you create any replicas you'll need to provide two
>>>> certificates for it (one for Apache and one for 389) in the form of
>>>> PKCS#12 files and they need to be issued from the same CA as your other
>>>> IPA servers (or they must already be trusted).
>>>>
>>>> You just have to be very careful, basically.
>>>>
>>>> rob
>>> Thanks for the info Rob.
>>>
>>> Does the same ramification exist using the ipa-server-certinstall tool
>> Yes, once you replace the self-signed CA you'll be responsible for
>> providing all future certificates via PKCS#12 files and ensuring that
>> the required CA certs will be available for trust purposes.
>>
>> It isn't an overwhelming task but can be confusing for those new to SSL.
>>
>> rob
>
> Thanks for clarifying. Can the tool be used on replicas? I created a
> replica for multimaster replication using the default install so I will
> need to import the SSL cert for both ipa servers.

Yes, it should work fine on replicas too.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rcritten at redhat.com Wed Jul 29 17:51:03 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Jul 2009 13:51:03 -0400
Subject: [Freeipa-users] Kerberos authentication + LDAP authorization with apache
In-Reply-To: <869100480907290718t6183be6fod552b5ca0f66d004@mail.gmail.com>
References: <869100480907290718t6183be6fod552b5ca0f66d004@mail.gmail.com>
Message-ID: <4A708C07.1080803@redhat.com>

Rob Visser wrote:
> Hello,
>
> I would like to achieve authorization on a kerberised web-page.
> My idea is to use an LDAP query for group membership, i.e. the uid
> should be a member of a certain group in order to serve out pages.
>
> Authentication with Kerberos gssapi works well.
> I do not know how to achieve the authorization.
>
> This is what I tried:
>
>
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbMethodNegotiate on
> KrbMethodK5Passwd off
> KrbServiceName HTTP
> KrbAuthRealms USN.TIC
> Krb5KeyTab /etc/httpd/conf/ipa.keytab
> KrbSaveCredentials on
> AuthzLDAPAuthoritative on
> AuthLDAPUrl ldap://localhost/cn=users,cn=accounts,dc=usn,dc=tic?uid
> Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=usn,dc=tic
> Require valid-user
> Satisfy all
>
>
>
> Any help is appreciated.
>

You almost have it. With kerberos, REMOTE_USER is going to be set to
the principal name (admin at EXAMPLE.COM). You need to tweak your
AuthLDAPUrl to use krbprincipalname instead of uid and it should work.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:
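The fix Rob Crittenden describes, written out as an added example; this is not Rob Visser's posted configuration nor anything shipped by the FreeIPA project. It assumes Apache 2.2 with mod_auth_kerb and mod_authnz_ldap (the modules the thread's directives belong to) and a hypothetical `/protected` location; the realm, keytab path, base DN and group DN are the ones from the thread. It also drops the posted `Require valid-user` line, since Apache treats multiple `Require` lines in one context as alternatives, and any authenticated user would otherwise pass without the group check.

```apache
# Added example (not from the thread or the FreeIPA project).
# Assumes Apache 2.2 + mod_auth_kerb + mod_authnz_ldap; "/protected" is a
# hypothetical location, realm/keytab/DNs are taken from the thread.
<Location /protected>
    # Authentication: SPNEGO/GSSAPI only, no password fallback.
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbServiceName HTTP
    KrbAuthRealms USN.TIC
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    KrbSaveCredentials on

    # Authorization: REMOTE_USER holds the full principal (user@USN.TIC),
    # so the directory lookup matches on krbprincipalname, not uid.
    AuthLDAPUrl ldap://localhost/cn=users,cn=accounts,dc=usn,dc=tic?krbprincipalname
    AuthzLDAPAuthoritative on

    # Only members of this group are served; no "Require valid-user" here,
    # because a second Require line would let any authenticated user through.
    Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=usn,dc=tic
</Location>
```

On an Apache 2.4 host the same directives apply, with `AuthzLDAPAuthoritative` removed (it no longer exists there) and the mod_auth_kerb directives replaced by their mod_auth_gssapi equivalents.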