[Freeipa-users] [Freeipa-interest] Announcing FreeIPA 4.1.2 - NEED HELP WITH 2FA/OTP!!!
thierry bordaz
tbordaz at redhat.com
Tue Dec 9 09:27:54 UTC 2014
Hello,
Niranjan, may I have access to your test machine.
thanks
theirry
On 12/09/2014 10:01 AM, Martin Kosek wrote:
> On 12/07/2014 03:01 PM, Niranjan M.R wrote:
>> On 12/06/2014 12:24 AM, Dmitri Pal wrote:
>>> Hello,
>>> WE NEED HELP!
>>> The biggest and the most interesting feature of FreeIPA 4.1.2 is support for the two factor authentication using HOTP/TOTP compatible software tokens like FreeOTP (open source compatible alternative to Google Authenticator) and hardware tokens like Yubikeys. This feature allows Kerberos and LDAP clients of a FreeIPA server to authenticate using the normal account password as the first factor and an OTP token as a second factor. For those environments where a 2FA solution is already in place, FreeIPA can act as a proxy via RADIUS. More about this feature can be read here.
>>> http://www.freeipa.org/page/V4/OTP
>>> If you want to see this feature in downstream distros sooner rather than later we need your help!
>>> Please give it a try and provide feedback. We really, really need it!
>> I am unable to configure ipa-server with freeipa-server-4.1.2-1.fc20.x86_64, ipa-server-install fails with below error:
>>
>> Done configuring certificate server (pki-tomcatd).
>> Configuring directory server (dirsrv): Estimated time 10 seconds
>> [1/3]: configuring ssl for ds instance
>> [2/3]: restarting directory server
>> ipa : CRITICAL Failed to restart the directory server ([Errno 2] No such file or directory:
>> '/etc/systemd/system/dirsrv.target.wants/dirsrv at EXAMPLE-ORG.service'). See the installation log for details.
>> [3/3]: adding CA certificate entry
>> Done configuring directory server (dirsrv).
>> CA did not start in 300.0s
>>
>>
>> Versions used:
>> ==============
>> freeipa-client-4.1.2-1.fc20.x86_64
>> freeipa-server-4.1.2-1.fc20.x86_64
>> libipa_hbac-1.12.2-2.fc20.x86_64
>> libipa_hbac-python-1.12.2-2.fc20.x86_64
>> sssd-ipa-1.12.2-2.fc20.x86_64
>> device-mapper-multipath-0.4.9-56.fc20.x86_64
>> python-iniparse-0.4-9.fc20.noarch
>> freeipa-admintools-4.1.2-1.fc20.x86_64
>> freeipa-python-4.1.2-1.fc20.x86_64
>> 389-ds-base-libs-1.3.3.5-1.fc20.x86_64
>> 389-ds-base-1.3.3.5-1.fc20.x86_64
>>
>> BaseOS:Fedora release 20 (Heisenbug)
>>
>>
>> Steps to reproduce:
>> ---------------
>>
>> 1. On Fedora-20 system, Used mkosek freeipa repo:
>> [mkosek-freeipa]
>> name=Copr repo for freeipa owned by mkosek
>> baseurl=http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-$releasever-$basearch/
>> skip_if_unavailable=True
>> gpgcheck=0
>> enabled=1
>>
>> 2. Install freeipa-server packages from the above repo
>>
>> 3. Issue ipa-server-install
>>
>> [root at pkiserver1 ~]# ipa-server-install
>>
>> The log file for this installation can be found in /var/log/ipaserver-install.log
>> ==============================================================================
>> This program will set up the FreeIPA Server.
>>
>> This includes:
>> * Configure a stand-alone CA (dogtag) for certificate management
>> * Configure the Network Time Daemon (ntpd)
>> * Create and configure an instance of Directory Server
>> * Create and configure a Kerberos Key Distribution Center (KDC)
>> * Configure Apache (httpd)
>>
>> To accept the default shown in brackets, press the Enter key.
>>
>> WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
>> in favor of ntpd
>>
>> Do you want to configure integrated DNS (BIND)? [no]: yes
>>
>> Existing BIND configuration detected, overwrite? [no]: yes
>> Enter the fully qualified domain name of the computer
>> on which you're setting up server software. Using the form
>> <hostname>.<domainname>
>> Example: master.example.com.
>>
>>
>> Server host name [pkiserver1.example.org]:
>>
>> Warning: skipping DNS resolution of host pkiserver1.example.org
>> The domain name has been determined based on the host name.
>>
>> Please confirm the domain name [example.org]:
>>
>> The kerberos protocol requires a Realm name to be defined.
>> This is typically the domain name converted to uppercase.
>>
>> Please provide a realm name [EXAMPLE.ORG]:
>> Certain directory server operations require an administrative user.
>> This user is referred to as the Directory Manager and has full access
>> to the Directory for system management tasks and will be added to the
>>
>> The IPA server requires an administrative user, named 'admin'.
>> This user is a regular system account used for IPA server administration.
>>
>> IPA admin password:
>> Password (confirm):
>>
>> Do you want to configure DNS forwarders? [yes]: no
>> No DNS forwarders configured
>> Do you want to configure the reverse zone? [yes]:
>> Please specify the reverse zone name [122.168.192.in-addr.arpa.]:
>> Using reverse zone(s) 122.168.192.in-addr.arpa.
>>
>> The IPA Master Server will be configured with:
>> Hostname: pkiserver1.example.org
>> IP address(es): 192.168.122.246
>> Domain name: example.org
>> Realm name: EXAMPLE.ORG
>>
>> BIND DNS server will be configured to serve IPA domain with:
>> Forwarders: No forwarders
>> Reverse zone(s): 122.168.192.in-addr.arpa.
>>
>> Continue to configure the system with these values? [no]: yes
>>
>> The following operations may take some minutes to complete.
>> Please wait until the prompt is returned.
>>
>>
>> instance of directory server created for IPA.
>> The password must be at least 8 characters long.
>>
>> Directory Manager password:
>> Password (confirm):
>> Configuring NTP daemon (ntpd)
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv): Estimated time 1 minute
>> [1/38]: creating directory server user
>> [2/38]: creating directory server instance
>> [3/38]: adding default schema
>> [4/38]: enabling memberof plugin
>> [5/38]: enabling winsync plugin
>> [6/38]: configuring replication version plugin
>> [7/38]: enabling IPA enrollment plugin
>> [8/38]: enabling ldapi
>> [9/38]: configuring uniqueness plugin
>> [10/38]: configuring uuid plugin
>> [11/38]: configuring modrdn plugin
>> [12/38]: configuring DNS plugin
>> [13/38]: enabling entryUSN plugin
>> [14/38]: configuring lockout plugin
>> [15/38]: creating indices
>> [16/38]: enabling referential integrity plugin
>> [17/38]: configuring certmap.conf
>> [18/38]: configure autobind for root
>> [19/38]: configure new location for managed entries
>> [20/38]: configure dirsrv ccache
>> [21/38]: enable SASL mapping fallback
>> [22/38]: restarting directory server
>> [23/38]: adding default layout
>> [24/38]: adding delegation layout
>> [25/38]: creating container for managed entries
>> [26/38]: configuring user private groups
>> [27/38]: configuring netgroups from hostgroups
>> [28/38]: creating default Sudo bind user
>> [29/38]: creating default Auto Member layout
>> [30/38]: adding range check plugin
>> [31/38]: creating default HBAC rule allow_all
>> [32/38]: initializing group membership
>> [33/38]: adding master entry
>> [34/38]: configuring Posix uid/gid generation
>> [35/38]: adding replication acis
>> [36/38]: enabling compatibility plugin
>> [37/38]: tuning directory server
>> [38/38]: configuring directory to start on boot
>> Done configuring directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>> [1/27]: creating certificate server user
>> [2/27]: configuring certificate server instance
>> [3/27]: stopping certificate server instance to update CS.cfg
>> [4/27]: backing up CS.cfg
>> [5/27]: disabling nonces
>> [6/27]: set up CRL publishing
>> [7/27]: enable PKIX certificate path discovery and validation
>> [8/27]: starting certificate server instance
>> [9/27]: creating RA agent certificate database
>> [10/27]: importing CA chain to RA certificate database
>> [11/27]: fixing RA database permissions
>> [12/27]: setting up signing cert profile
>> [13/27]: set certificate subject base
>> [14/27]: enabling Subject Key Identifier
>> [15/27]: enabling Subject Alternative Name
>> [16/27]: enabling CRL and OCSP extensions for certificates
>> [17/27]: setting audit signing renewal to 2 years
>> [18/27]: configuring certificate server to start on boot
>> [19/27]: restarting certificate server
>> [20/27]: requesting RA certificate from CA
>> [21/27]: issuing RA agent certificate
>> [22/27]: adding RA agent as a trusted user
>> [23/27]: configure certmonger for renewals
>> [24/27]: configure certificate renewals
>> [25/27]: configure RA certificate renewal
>> [26/27]: configure Server-Cert certificate renewal
>> [27/27]: Configure HTTP to proxy connections
>> Done configuring certificate server (pki-tomcatd).
>> Configuring directory server (dirsrv): Estimated time 10 seconds
>> [1/3]: configuring ssl for ds instance
>> [2/3]: restarting directory server
>> ipa : CRITICAL Failed to restart the directory server ([Errno 2] No such file or directory:
>> '/etc/systemd/system/dirsrv.target.wants/dirsrv at EXAMPLE-ORG.service'). See the installation log for details.
>> [3/3]: adding CA certificate entry
>> Done configuring directory server (dirsrv).
>>
>> CA did not start in 300.0s
>>
>> Attaching ipaserver-install.log, pkispawn logs
>>
>> Any hints on how to overcome the above error.
> The error is obviously in Directory Server restart. I am not sure what causes
>
> 2014-12-07T11:16:25Z DEBUG [2/3]: restarting directory server
> 2014-12-07T11:16:25Z CRITICAL Failed to restart the directory server ([Errno 2]
> No such file or directory:
> '/etc/systemd/system/dirsrv.target.wants/dirsrv at EXAMPLE-ORG.service'). See the
> installation log for details.
>
> The first restart worked and it uses the same call, AFAIK. It would be
> interesting to see the latest logs of the instance after ipa-server-install
> crashes:
>
> # systemctl status dirsrv at EXAMPLE-ORG.service
>
> It may have some useful logs that would reveal what happened.
>
> Martin
More information about the Freeipa-users
mailing list