[Freeipa-users] [Freeipa-interest] Announcing FreeIPA 4.1.2 - NEED HELP WITH 2FA/OTP!!!
Niranjan M.R
mrniranjan at redhat.com
Tue Dec 9 09:48:49 UTC 2014
On 12/09/2014 02:57 PM, thierry bordaz wrote:
> Hello,
>
> Niranjan, may I have access to your test machine.
>
It's a VM on my laptop. I am trying to reproduce on another VM
to which I can give access. I will provide the details of this VM as soon
as possible.
Meanwhile, I am providing the ns-slapd access logs, ipa logs and pkispawn logs.
> thanks
> thierry
>
>
> On 12/09/2014 10:01 AM, Martin Kosek wrote:
>> On 12/07/2014 03:01 PM, Niranjan M.R wrote:
>>> On 12/06/2014 12:24 AM, Dmitri Pal wrote:
>>>> Hello,
>>>> WE NEED HELP!
>>>> The biggest and the most interesting feature of FreeIPA 4.1.2 is support for the two factor authentication using HOTP/TOTP compatible software tokens like FreeOTP (open source compatible alternative to Google Authenticator) and hardware tokens like Yubikeys. This feature allows Kerberos and LDAP clients of a FreeIPA server to authenticate using the normal account password as the first factor and an OTP token as a second factor. For those environments where a 2FA solution is already in place, FreeIPA can act as a proxy via RADIUS. More about this feature can be read here.
>>>> http://www.freeipa.org/page/V4/OTP
>>>> If you want to see this feature in downstream distros sooner rather than later we need your help!
>>>> Please give it a try and provide feedback. We really, really need it!
>>> I am unable to configure ipa-server with freeipa-server-4.1.2-1.fc20.x86_64, ipa-server-install fails with below error:
>>>
>>> Done configuring certificate server (pki-tomcatd).
>>> Configuring directory server (dirsrv): Estimated time 10 seconds
>>> [1/3]: configuring ssl for ds instance
>>> [2/3]: restarting directory server
>>> ipa : CRITICAL Failed to restart the directory server ([Errno 2] No such file or directory:
>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'). See the installation log for details.
>>> [3/3]: adding CA certificate entry
>>> Done configuring directory server (dirsrv).
>>> CA did not start in 300.0s
>>>
>>>
>>> Versions used:
>>> ==============
>>> freeipa-client-4.1.2-1.fc20.x86_64
>>> freeipa-server-4.1.2-1.fc20.x86_64
>>> libipa_hbac-1.12.2-2.fc20.x86_64
>>> libipa_hbac-python-1.12.2-2.fc20.x86_64
>>> sssd-ipa-1.12.2-2.fc20.x86_64
>>> device-mapper-multipath-0.4.9-56.fc20.x86_64
>>> python-iniparse-0.4-9.fc20.noarch
>>> freeipa-admintools-4.1.2-1.fc20.x86_64
>>> freeipa-python-4.1.2-1.fc20.x86_64
>>> 389-ds-base-libs-1.3.3.5-1.fc20.x86_64
>>> 389-ds-base-1.3.3.5-1.fc20.x86_64
>>>
>>> BaseOS:Fedora release 20 (Heisenbug)
>>>
>>>
>>> Steps to reproduce:
>>> ---------------
>>>
>>> 1. On Fedora-20 system, Used mkosek freeipa repo:
>>> [mkosek-freeipa]
>>> name=Copr repo for freeipa owned by mkosek
>>> baseurl=http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-$releasever-$basearch/
>>> skip_if_unavailable=True
>>> gpgcheck=0
>>> enabled=1
>>>
>>> 2. Install freeipa-server packages from the above repo
>>>
>>> 3. Issue ipa-server-install
>>>
>>> [root@pkiserver1 ~]# ipa-server-install
>>>
>>> The log file for this installation can be found in /var/log/ipaserver-install.log
>>> ==============================================================================
>>> This program will set up the FreeIPA Server.
>>>
>>> This includes:
>>> * Configure a stand-alone CA (dogtag) for certificate management
>>> * Configure the Network Time Daemon (ntpd)
>>> * Create and configure an instance of Directory Server
>>> * Create and configure a Kerberos Key Distribution Center (KDC)
>>> * Configure Apache (httpd)
>>>
>>> To accept the default shown in brackets, press the Enter key.
>>>
>>> WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
>>> in favor of ntpd
>>>
>>> Do you want to configure integrated DNS (BIND)? [no]: yes
>>>
>>> Existing BIND configuration detected, overwrite? [no]: yes
>>> Enter the fully qualified domain name of the computer
>>> on which you're setting up server software. Using the form
>>> <hostname>.<domainname>
>>> Example: master.example.com.
>>>
>>>
>>> Server host name [pkiserver1.example.org]:
>>>
>>> Warning: skipping DNS resolution of host pkiserver1.example.org
>>> The domain name has been determined based on the host name.
>>>
>>> Please confirm the domain name [example.org]:
>>>
>>> The kerberos protocol requires a Realm name to be defined.
>>> This is typically the domain name converted to uppercase.
>>>
>>> Please provide a realm name [EXAMPLE.ORG]:
>>> Certain directory server operations require an administrative user.
>>> This user is referred to as the Directory Manager and has full access
>>> to the Directory for system management tasks and will be added to the
>>>
>>> The IPA server requires an administrative user, named 'admin'.
>>> This user is a regular system account used for IPA server administration.
>>>
>>> IPA admin password:
>>> Password (confirm):
>>>
>>> Do you want to configure DNS forwarders? [yes]: no
>>> No DNS forwarders configured
>>> Do you want to configure the reverse zone? [yes]:
>>> Please specify the reverse zone name [122.168.192.in-addr.arpa.]:
>>> Using reverse zone(s) 122.168.192.in-addr.arpa.
>>>
>>> The IPA Master Server will be configured with:
>>> Hostname: pkiserver1.example.org
>>> IP address(es): 192.168.122.246
>>> Domain name: example.org
>>> Realm name: EXAMPLE.ORG
>>>
>>> BIND DNS server will be configured to serve IPA domain with:
>>> Forwarders: No forwarders
>>> Reverse zone(s): 122.168.192.in-addr.arpa.
>>>
>>> Continue to configure the system with these values? [no]: yes
>>>
>>> The following operations may take some minutes to complete.
>>> Please wait until the prompt is returned.
>>>
>>>
>>> instance of directory server created for IPA.
>>> The password must be at least 8 characters long.
>>>
>>> Directory Manager password:
>>> Password (confirm):
>>> Configuring NTP daemon (ntpd)
>>> [1/4]: stopping ntpd
>>> [2/4]: writing configuration
>>> [3/4]: configuring ntpd to start on boot
>>> [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>> [1/38]: creating directory server user
>>> [2/38]: creating directory server instance
>>> [3/38]: adding default schema
>>> [4/38]: enabling memberof plugin
>>> [5/38]: enabling winsync plugin
>>> [6/38]: configuring replication version plugin
>>> [7/38]: enabling IPA enrollment plugin
>>> [8/38]: enabling ldapi
>>> [9/38]: configuring uniqueness plugin
>>> [10/38]: configuring uuid plugin
>>> [11/38]: configuring modrdn plugin
>>> [12/38]: configuring DNS plugin
>>> [13/38]: enabling entryUSN plugin
>>> [14/38]: configuring lockout plugin
>>> [15/38]: creating indices
>>> [16/38]: enabling referential integrity plugin
>>> [17/38]: configuring certmap.conf
>>> [18/38]: configure autobind for root
>>> [19/38]: configure new location for managed entries
>>> [20/38]: configure dirsrv ccache
>>> [21/38]: enable SASL mapping fallback
>>> [22/38]: restarting directory server
>>> [23/38]: adding default layout
>>> [24/38]: adding delegation layout
>>> [25/38]: creating container for managed entries
>>> [26/38]: configuring user private groups
>>> [27/38]: configuring netgroups from hostgroups
>>> [28/38]: creating default Sudo bind user
>>> [29/38]: creating default Auto Member layout
>>> [30/38]: adding range check plugin
>>> [31/38]: creating default HBAC rule allow_all
>>> [32/38]: initializing group membership
>>> [33/38]: adding master entry
>>> [34/38]: configuring Posix uid/gid generation
>>> [35/38]: adding replication acis
>>> [36/38]: enabling compatibility plugin
>>> [37/38]: tuning directory server
>>> [38/38]: configuring directory to start on boot
>>> Done configuring directory server (dirsrv).
>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>> [1/27]: creating certificate server user
>>> [2/27]: configuring certificate server instance
>>> [3/27]: stopping certificate server instance to update CS.cfg
>>> [4/27]: backing up CS.cfg
>>> [5/27]: disabling nonces
>>> [6/27]: set up CRL publishing
>>> [7/27]: enable PKIX certificate path discovery and validation
>>> [8/27]: starting certificate server instance
>>> [9/27]: creating RA agent certificate database
>>> [10/27]: importing CA chain to RA certificate database
>>> [11/27]: fixing RA database permissions
>>> [12/27]: setting up signing cert profile
>>> [13/27]: set certificate subject base
>>> [14/27]: enabling Subject Key Identifier
>>> [15/27]: enabling Subject Alternative Name
>>> [16/27]: enabling CRL and OCSP extensions for certificates
>>> [17/27]: setting audit signing renewal to 2 years
>>> [18/27]: configuring certificate server to start on boot
>>> [19/27]: restarting certificate server
>>> [20/27]: requesting RA certificate from CA
>>> [21/27]: issuing RA agent certificate
>>> [22/27]: adding RA agent as a trusted user
>>> [23/27]: configure certmonger for renewals
>>> [24/27]: configure certificate renewals
>>> [25/27]: configure RA certificate renewal
>>> [26/27]: configure Server-Cert certificate renewal
>>> [27/27]: Configure HTTP to proxy connections
>>> Done configuring certificate server (pki-tomcatd).
>>> Configuring directory server (dirsrv): Estimated time 10 seconds
>>> [1/3]: configuring ssl for ds instance
>>> [2/3]: restarting directory server
>>> ipa : CRITICAL Failed to restart the directory server ([Errno 2] No such file or directory:
>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'). See the installation log for details.
>>> [3/3]: adding CA certificate entry
>>> Done configuring directory server (dirsrv).
>>>
>>> CA did not start in 300.0s
>>>
>>> Attaching ipaserver-install.log, pkispawn logs
>>>
>>> Any hints on how to overcome the above error.
>> The error is obviously in Directory Server restart. I am not sure what causes
>>
>> 2014-12-07T11:16:25Z DEBUG [2/3]: restarting directory server
>> 2014-12-07T11:16:25Z CRITICAL Failed to restart the directory server ([Errno 2]
>> No such file or directory:
>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'). See the
>> installation log for details.
>>
>> The first restart worked and it uses the same call, AFAIK. It would be
>> interesting to see the latest logs of the instance after ipa-server-install
>> crashes:
>>
>> # systemctl status dirsrv@EXAMPLE-ORG.service
>>
>> It may have some useful logs that would reveal what happened.
>>
>> Martin
>
-- 
Niranjan
irc: mrniranjan
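As an added diagnostic example (my own script, not code from the thread or from FreeIPA), here is a POSIX shell check for the condition behind the error above: ipa-server-install looked for the systemd "wants" symlink of the Directory Server instance unit and did not find it. The script derives the instance id from the realm the way the failing path shows it (EXAMPLE.ORG becomes EXAMPLE-ORG), reports whether that symlink is missing, dangling or present, and, where systemctl exists, runs the status command Martin asked for. The function names and the optional second argument (an alternative unit directory, so the check can be exercised against a scratch directory) are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from FreeIPA): check that the 389-ds
# instance unit ipa-server-install tried to restart is actually enabled under
# systemd. Function names and the optional unit-directory argument are this
# example's own conventions.

# FreeIPA names the Directory Server instance after the realm with dots
# replaced by dashes, which is why the error mentions dirsrv@EXAMPLE-ORG.service.
realm_to_serverid() {
  printf '%s\n' "$1" | tr '.' '-'
}

# Path of the "wants" symlink that enabling dirsrv@<serverid> creates.
# $1 = realm, $2 = systemd unit directory (default /etc/systemd/system).
dirsrv_wants_link() {
  printf '%s/dirsrv.target.wants/dirsrv@%s.service\n' \
    "${2:-/etc/systemd/system}" "$(realm_to_serverid "$1")"
}

# Diagnose the link: 0 = present and resolvable, 1 = missing, 2 = dangling.
check_dirsrv_enabled() {
  link=$(dirsrv_wants_link "$1" "$2")
  if [ ! -L "$link" ] && [ ! -e "$link" ]; then
    echo "MISSING: $link (instance not enabled for dirsrv.target)"
    return 1
  elif [ -L "$link" ] && [ ! -e "$link" ]; then
    echo "DANGLING: $link -> $(readlink "$link")"
    return 2
  fi
  echo "OK: $link -> $(readlink "$link" 2>/dev/null || echo "$link")"
  return 0
}

# On a real host, also show the unit's state and recent journal lines,
# as suggested in the thread; skipped where systemctl is not available.
show_dirsrv_status() {
  serverid=$(realm_to_serverid "$1")
  if command -v systemctl >/dev/null 2>&1; then
    systemctl status "dirsrv@$serverid.service" --no-pager
  else
    echo "systemctl not available; skipping status for dirsrv@$serverid.service"
  fi
}

# Usage: sh check_dirsrv.sh EXAMPLE.ORG
if [ $# -gt 0 ]; then
  check_dirsrv_enabled "$1" || true
  show_dirsrv_status "$1"
fi
```

A MISSING result means the instance was never enabled for dirsrv.target (the symlink is created when the unit is enabled), while DANGLING points at a unit file that was removed or renamed after enabling; either explains a restart that the first, pre-enable restart did not trip over.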
Attachments:
- ipa-ds-cs.logs.tar.gz (application/x-gzip, 197820 bytes): <http://listman.redhat.com/archives/freeipa-users/attachments/20141209/ccbbe676/attachment.bin>
- dirsrv-config.tar.gz (application/x-gzip, 150605 bytes): <http://listman.redhat.com/archives/freeipa-users/attachments/20141209/ccbbe676/attachment-0001.bin>
- 0x6047C7C7.asc (application/pgp-keys, 1893 bytes): <http://listman.redhat.com/archives/freeipa-users/attachments/20141209/ccbbe676/attachment-0002.bin>