[Freeipa-users] [Freeipa-interest] Announcing FreeIPA 4.1.2 - NEED HELP WITH 2FA/OTP!!!

thierry bordaz tbordaz at redhat.com
Tue Dec 9 17:44:30 UTC 2014


On 12/09/2014 04:07 PM, thierry bordaz wrote:
> On 12/09/2014 11:15 AM, thierry bordaz wrote:
>> On 12/09/2014 10:48 AM, Niranjan M.R wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 12/09/2014 02:57 PM, thierry bordaz wrote:
>>>> Hello,
>>>>
>>>> Niranjan, may I have access to your test machine.
>>>>
>>> It's a vm on my laptop. I am trying to reproduce on another VM
>>> to which i can give access. I will provide the details of this VM as 
>>> soon
>>> as possible.
>>>
>>> Mean while i am providing ns-slapd access logs, ipa-logs and 
>>> pkispawn logs.
>>
>> Something curious is that the installer is waiting for DS to restart 
>> but it is looking like DS has not received the termination signal.
>>
>> 2014-12-09T09:37:49Z DEBUG Waiting for CA to start...
>> ...
>> 2014-12-09T09:42:45Z DEBUG Waiting for CA to start...
>>
>>
>> [09/Dec/2014:04:37:41 -0500] - Warning: Adding configuration 
>> attribute "nsslapd-security"
>>
>> << here we should expect a restart of DS >>
>>
>> First, why did DS not receive the restart order, and then, as it is 
>> still running (DS looks idle), what is the install waiting for?
>
>     At the end of the CS configuration, the installer configures SSL
>     for DS, restarts DS and then reaches the LDAP server to retrieve
>     the CA status. It fails:
>
>     pki/pki-tomcat/localhost.2014-12-09.log
>     Dec 09, 2014 4:37:49 AM
>     org.apache.catalina.core.StandardWrapperValve invoke
>     SEVERE: Servlet.service() for servlet [caGetStatus] in context
>     with path [/ca] threw exception
>     java.io.IOException: CS server is not ready to serve.
>             at
>     com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
>             at
>     javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
>             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>             at
>     sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>             at
>     sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>             at java.lang.reflect.Method.invoke(Method.java:606)
>             at
>     org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>             at
>     org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>             at java.security.AccessController.doPrivileged(Native Method)
>             at
>     javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>             at
>     org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>             at
>     org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>             at
>     org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:299)
>             at
>     org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:57)
>             at
>     org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:193)
>             at
>     org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
>             at java.security.AccessController.doPrivileged(Native Method)
>             at
>     org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>             at
>     org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>             at
>     org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>             at
>     org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>             at
>     org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>             at
>     org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>             at
>     org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
>             at
>     org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>             at
>     org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>             at
>     org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
>             at
>     org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
>             at
>     org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
>             at
>     java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>             at
>     java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>             at java.lang.Thread.run(Thread.java:745)
>
>     It fails to reach DS because:
>     0.localhost-startStop-1 - [09/Dec/2014:04:37:49 EST] [8] [3] In
>     Ldap (bound) connection pool to host xxxx port 636, Cannot connect
>     to LDAP server. Error: netscape.ldap.LDAPException: IO Error
>     creating JSS SSL Socket (-1)
>
>     Since DS could not be restarted, the secure port is not enabled,
>     so the CA failure after 5 min was normal.
>
>     So the remaining question was why the DS service restart failed.
>     The systemd file was dirsrv@dir.service ->
>     /usr/lib/systemd/system/dirsrv@.service.
>

I compared the installation logs with my own installation and I have not 
found any difference that would explain why you got 
'/etc/systemd/system/dirsrv.target.wants/dirsrv@dir.service' instead of 
'/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'.

I would like to check whether the /var/lib/ipa/sysrestore/sysrestore.state file 
contains 'serverid=dir' or 'serverid=EXAMPLE-ORG'. Would you please send 
it to me?

thanks
thierry
>>>> thanks
>>>> thierry
>>>>
>>>>
>>>> On 12/09/2014 10:01 AM, Martin Kosek wrote:
>>>>> On 12/07/2014 03:01 PM, Niranjan M.R wrote:
>>>>>> On 12/06/2014 12:24 AM, Dmitri Pal wrote:
>>>>>>> Hello,
>>>>>>> WE NEED HELP!
>>>>>>> The biggest and the most interesting feature of FreeIPA 4.1.2 is 
>>>>>>> support for the two factor authentication using HOTP/TOTP 
>>>>>>> compatible software tokens like FreeOTP (open source compatible 
>>>>>>> alternative to Google Authenticator) and hardware tokens like 
>>>>>>> Yubikeys. This feature allows Kerberos and LDAP clients of a 
>>>>>>> FreeIPA server to authenticate using the normal account password 
>>>>>>> as the first factor and an OTP token as a second factor. For 
>>>>>>> those environments where a 2FA solution is already in place, 
>>>>>>> FreeIPA can act as a proxy via RADIUS. More about this feature 
>>>>>>> can be read here.
>>>>>>> http://www.freeipa.org/page/V4/OTP
>>>>>>> If you want to see this feature in downstream distros sooner 
>>>>>>> rather than later we need your help!
>>>>>>> Please give it a try and provide feedback. We really, really 
>>>>>>> need it!
>>>>>> I am unable to configure ipa-server with 
>>>>>> freeipa-server-4.1.2-1.fc20.x86_64; ipa-server-install fails 
>>>>>> with the error below:
>>>>>>
>>>>>> Done configuring certificate server (pki-tomcatd).
>>>>>> Configuring directory server (dirsrv): Estimated time 10 seconds
>>>>>>     [1/3]: configuring ssl for ds instance
>>>>>>     [2/3]: restarting directory server
>>>>>> ipa         : CRITICAL Failed to restart the directory server 
>>>>>> ([Errno 2] No such file or directory:
>>>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'). 
>>>>>> See the installation log for details.
>>>>>>     [3/3]: adding CA certificate entry
>>>>>> Done configuring directory server (dirsrv).
>>>>>> CA did not start in 300.0s
>>>>>>
>>>>>>
>>>>>> Versions used:
>>>>>> ==============
>>>>>> freeipa-client-4.1.2-1.fc20.x86_64
>>>>>> freeipa-server-4.1.2-1.fc20.x86_64
>>>>>> libipa_hbac-1.12.2-2.fc20.x86_64
>>>>>> libipa_hbac-python-1.12.2-2.fc20.x86_64
>>>>>> sssd-ipa-1.12.2-2.fc20.x86_64
>>>>>> device-mapper-multipath-0.4.9-56.fc20.x86_64
>>>>>> python-iniparse-0.4-9.fc20.noarch
>>>>>> freeipa-admintools-4.1.2-1.fc20.x86_64
>>>>>> freeipa-python-4.1.2-1.fc20.x86_64
>>>>>> 389-ds-base-libs-1.3.3.5-1.fc20.x86_64
>>>>>> 389-ds-base-1.3.3.5-1.fc20.x86_64
>>>>>>
>>>>>> BaseOS:Fedora release 20 (Heisenbug)
>>>>>>
>>>>>>
>>>>>> Steps to reproduce:
>>>>>> ---------------
>>>>>>
>>>>>> 1. On Fedora-20 system, Used mkosek freeipa repo:
>>>>>> [mkosek-freeipa]
>>>>>> name=Copr repo for freeipa owned by mkosek
>>>>>> baseurl=http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-$releasever-$basearch/ 
>>>>>>
>>>>>> skip_if_unavailable=True
>>>>>> gpgcheck=0
>>>>>> enabled=1
>>>>>>
>>>>>> 2. Install freeipa-server packages from the above repo
>>>>>>
>>>>>> 3. Issue ipa-server-install
>>>>>>
>>>>>> [root@pkiserver1 ~]# ipa-server-install
>>>>>>
>>>>>> The log file for this installation can be found in 
>>>>>> /var/log/ipaserver-install.log
>>>>>> ============================================================================== 
>>>>>>
>>>>>> This program will set up the FreeIPA Server.
>>>>>>
>>>>>> This includes:
>>>>>>     * Configure a stand-alone CA (dogtag) for certificate management
>>>>>>     * Configure the Network Time Daemon (ntpd)
>>>>>>     * Create and configure an instance of Directory Server
>>>>>>     * Create and configure a Kerberos Key Distribution Center (KDC)
>>>>>>     * Configure Apache (httpd)
>>>>>>
>>>>>> To accept the default shown in brackets, press the Enter key.
>>>>>>
>>>>>> WARNING: conflicting time&date synchronization service 'chronyd' 
>>>>>> will be disabled
>>>>>> in favor of ntpd
>>>>>>
>>>>>> Do you want to configure integrated DNS (BIND)? [no]: yes
>>>>>>
>>>>>> Existing BIND configuration detected, overwrite? [no]: yes
>>>>>> Enter the fully qualified domain name of the computer
>>>>>> on which you're setting up server software. Using the form
>>>>>> <hostname>.<domainname>
>>>>>> Example: master.example.com.
>>>>>>
>>>>>>
>>>>>> Server host name [pkiserver1.example.org]:
>>>>>>
>>>>>> Warning: skipping DNS resolution of host pkiserver1.example.org
>>>>>> The domain name has been determined based on the host name.
>>>>>>
>>>>>> Please confirm the domain name [example.org]:
>>>>>>
>>>>>> The kerberos protocol requires a Realm name to be defined.
>>>>>> This is typically the domain name converted to uppercase.
>>>>>>
>>>>>> Please provide a realm name [EXAMPLE.ORG]:
>>>>>> Certain directory server operations require an administrative user.
>>>>>> This user is referred to as the Directory Manager and has full 
>>>>>> access
>>>>>> to the Directory for system management tasks and will be added to 
>>>>>> the
>>>>>>
>>>>>> The IPA server requires an administrative user, named 'admin'.
>>>>>> This user is a regular system account used for IPA server 
>>>>>> administration.
>>>>>>
>>>>>> IPA admin password:
>>>>>> Password (confirm):
>>>>>>
>>>>>> Do you want to configure DNS forwarders? [yes]: no
>>>>>> No DNS forwarders configured
>>>>>> Do you want to configure the reverse zone? [yes]:
>>>>>> Please specify the reverse zone name [122.168.192.in-addr.arpa.]:
>>>>>> Using reverse zone(s) 122.168.192.in-addr.arpa.
>>>>>>
>>>>>> The IPA Master Server will be configured with:
>>>>>> Hostname:       pkiserver1.example.org
>>>>>> IP address(es): 192.168.122.246
>>>>>> Domain name:    example.org
>>>>>> Realm name:     EXAMPLE.ORG
>>>>>>
>>>>>> BIND DNS server will be configured to serve IPA domain with:
>>>>>> Forwarders:    No forwarders
>>>>>> Reverse zone(s):  122.168.192.in-addr.arpa.
>>>>>>
>>>>>> Continue to configure the system with these values? [no]: yes
>>>>>>
>>>>>> The following operations may take some minutes to complete.
>>>>>> Please wait until the prompt is returned.
>>>>>>
>>>>>>
>>>>>> instance of directory server created for IPA.
>>>>>> The password must be at least 8 characters long.
>>>>>>
>>>>>> Directory Manager password:
>>>>>> Password (confirm):
>>>>>> Configuring NTP daemon (ntpd)
>>>>>>     [1/4]: stopping ntpd
>>>>>>     [2/4]: writing configuration
>>>>>>     [3/4]: configuring ntpd to start on boot
>>>>>>     [4/4]: starting ntpd
>>>>>> Done configuring NTP daemon (ntpd).
>>>>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>>>>>     [1/38]: creating directory server user
>>>>>>     [2/38]: creating directory server instance
>>>>>>     [3/38]: adding default schema
>>>>>>     [4/38]: enabling memberof plugin
>>>>>>     [5/38]: enabling winsync plugin
>>>>>>     [6/38]: configuring replication version plugin
>>>>>>     [7/38]: enabling IPA enrollment plugin
>>>>>>     [8/38]: enabling ldapi
>>>>>>     [9/38]: configuring uniqueness plugin
>>>>>>     [10/38]: configuring uuid plugin
>>>>>>     [11/38]: configuring modrdn plugin
>>>>>>     [12/38]: configuring DNS plugin
>>>>>>     [13/38]: enabling entryUSN plugin
>>>>>>     [14/38]: configuring lockout plugin
>>>>>>     [15/38]: creating indices
>>>>>>     [16/38]: enabling referential integrity plugin
>>>>>>     [17/38]: configuring certmap.conf
>>>>>>     [18/38]: configure autobind for root
>>>>>>     [19/38]: configure new location for managed entries
>>>>>>     [20/38]: configure dirsrv ccache
>>>>>>     [21/38]: enable SASL mapping fallback
>>>>>>     [22/38]: restarting directory server
>>>>>>     [23/38]: adding default layout
>>>>>>     [24/38]: adding delegation layout
>>>>>>     [25/38]: creating container for managed entries
>>>>>>     [26/38]: configuring user private groups
>>>>>>     [27/38]: configuring netgroups from hostgroups
>>>>>>     [28/38]: creating default Sudo bind user
>>>>>>     [29/38]: creating default Auto Member layout
>>>>>>     [30/38]: adding range check plugin
>>>>>>     [31/38]: creating default HBAC rule allow_all
>>>>>>     [32/38]: initializing group membership
>>>>>>     [33/38]: adding master entry
>>>>>>     [34/38]: configuring Posix uid/gid generation
>>>>>>     [35/38]: adding replication acis
>>>>>>     [36/38]: enabling compatibility plugin
>>>>>>     [37/38]: tuning directory server
>>>>>>     [38/38]: configuring directory to start on boot
>>>>>> Done configuring directory server (dirsrv).
>>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 
>>>>>> minutes 30 seconds
>>>>>>     [1/27]: creating certificate server user
>>>>>>     [2/27]: configuring certificate server instance
>>>>>>     [3/27]: stopping certificate server instance to update CS.cfg
>>>>>>     [4/27]: backing up CS.cfg
>>>>>>     [5/27]: disabling nonces
>>>>>>     [6/27]: set up CRL publishing
>>>>>>     [7/27]: enable PKIX certificate path discovery and validation
>>>>>>     [8/27]: starting certificate server instance
>>>>>>     [9/27]: creating RA agent certificate database
>>>>>>     [10/27]: importing CA chain to RA certificate database
>>>>>>     [11/27]: fixing RA database permissions
>>>>>>     [12/27]: setting up signing cert profile
>>>>>>     [13/27]: set certificate subject base
>>>>>>     [14/27]: enabling Subject Key Identifier
>>>>>>     [15/27]: enabling Subject Alternative Name
>>>>>>     [16/27]: enabling CRL and OCSP extensions for certificates
>>>>>>     [17/27]: setting audit signing renewal to 2 years
>>>>>>     [18/27]: configuring certificate server to start on boot
>>>>>>     [19/27]: restarting certificate server
>>>>>>     [20/27]: requesting RA certificate from CA
>>>>>>     [21/27]: issuing RA agent certificate
>>>>>>     [22/27]: adding RA agent as a trusted user
>>>>>>     [23/27]: configure certmonger for renewals
>>>>>>     [24/27]: configure certificate renewals
>>>>>>     [25/27]: configure RA certificate renewal
>>>>>>     [26/27]: configure Server-Cert certificate renewal
>>>>>>     [27/27]: Configure HTTP to proxy connections
>>>>>> Done configuring certificate server (pki-tomcatd).
>>>>>> Configuring directory server (dirsrv): Estimated time 10 seconds
>>>>>>     [1/3]: configuring ssl for ds instance
>>>>>>     [2/3]: restarting directory server
>>>>>> ipa         : CRITICAL Failed to restart the directory server 
>>>>>> ([Errno 2] No such file or directory:
>>>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'). 
>>>>>> See the installation log for details.
>>>>>>     [3/3]: adding CA certificate entry
>>>>>> Done configuring directory server (dirsrv).
>>>>>>
>>>>>> CA did not start in 300.0s
>>>>>>
>>>>>> Attaching ipaserver-install.log, pkispawn logs
>>>>>>
>>>>>> Any hints on how to overcome the above error?
>>>>> The error is obviously in Directory Server restart. I am not sure 
>>>>> what causes
>>>>>
>>>>> 2014-12-07T11:16:25Z DEBUG   [2/3]: restarting directory server
>>>>> 2014-12-07T11:16:25Z CRITICAL Failed to restart the directory 
>>>>> server ([Errno 2]
>>>>> No such file or directory:
>>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'). 
>>>>> See the
>>>>> installation log for details.
>>>>>
>>>>> The first restart worked and it uses the same call, AFAIK. It 
>>>>> would be
>>>>> interesting to see the latest logs of the instance after 
>>>>> ipa-server-install
>>>>> crashes:
>>>>>
>>>>> # systemctl status dirsrv@EXAMPLE-ORG.service
>>>>>
>>>>> It may have some useful logs that would reveal what happened.
>>>>>
>>>>> Martin
>>>
>>> - -- Niranjan
>>> irc: mrniranjan
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1
>>>
>>> iKYEARECAGYFAlSGxYFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
>>> bnBncC5maWZ0aGhvcnNlbWFuLm5ldEY3OTE3QTg3ODE0RkVCQ0YyNjgyOTRENjJF
>>> RURDNTVGNjA0N0M3QzcACgkQLu3FX2BHx8e61wCgtCSWtdpOMWVP+Pr7fPmoXiPC
>>> DAsAoI0phFg3dtQJNRvpm8YCjLEs9r66
>>> =1MYR
>>> -----END PGP SIGNATURE-----

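The failure in this thread comes down to a name mismatch: the installer restarts the 389-ds template unit named after the realm (dirsrv@EXAMPLE-ORG.service), but the unit actually linked into dirsrv.target.wants was dirsrv@dir.service, and Thierry's next step is to compare that against the serverid recorded in sysrestore.state. The script below is an added diagnostic that does that comparison; it is my own example, not code from the thread, from FreeIPA or from 389-ds. It assumes FreeIPA derives the instance id from the realm by replacing '.' with '-' (the thread's EXAMPLE.ORG / EXAMPLE-ORG pairing), that sysrestore.state is an INI-style file with a `serverid = ...` line (the `[dirsrv]` section name in the fixture is my assumption), and it builds a constructed fixture in a temp dir so it runs offline; on a real host call `check_dirsrv_unit` with the realm and the two default paths.

```shell
#!/bin/sh
# Added diagnostic (not from the thread, FreeIPA or 389-ds): cross-check the
# 389-ds instance id that ipa-server-install recorded in sysrestore.state
# against the systemd unit it will try to restart.
# Real default paths; only used if you call check_dirsrv_unit with them.
IPA_STATE=/var/lib/ipa/sysrestore/sysrestore.state
DIRSRV_WANTS=/etc/systemd/system/dirsrv.target.wants

# Assumption: FreeIPA names the instance after the realm with '.' -> '-',
# so realm EXAMPLE.ORG means the unit dirsrv@EXAMPLE-ORG.service.
realm_to_serverid() {
    printf '%s' "$1" | tr '.' '-'
}

# Pull the serverid value out of sysrestore.state; empty if absent/unreadable.
serverid_from_state() {
    [ -r "$1" ] || return 0
    sed -n 's/^serverid[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Instance ids of every dirsrv@ unit linked into the given wants directory.
enabled_dirsrv_instances() {
    for f in "$1"/dirsrv@*.service; do
        [ -e "$f" ] || continue
        b=$(basename "$f" .service)
        printf '%s\n' "${b#dirsrv@}"
    done
}

# Exit 0 if dirsrv@<realm-derived id>.service is linked (the restart will
# find its unit); exit 1 and print the mismatch otherwise.
check_dirsrv_unit() {
    realm=$1 state=$2 wants=$3
    expected=$(realm_to_serverid "$realm")
    recorded=$(serverid_from_state "$state")
    enabled=$(enabled_dirsrv_instances "$wants" | tr '\n' ' ')
    if [ -e "$wants/dirsrv@$expected.service" ]; then
        echo "ok: dirsrv@$expected.service is enabled (state serverid='$recorded')"
        return 0
    fi
    echo "MISMATCH: installer expects dirsrv@$expected.service"
    echo "  sysrestore.state serverid : '${recorded:-<none>}'"
    echo "  enabled dirsrv instances  : ${enabled:-<none>}"
    return 1
}

# Constructed fixture (sample data, not from any real host): a state file
# recording serverid=$1 and a wants dir linking only dirsrv@$1.service.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wants"
    printf '[dirsrv]\nserverid = %s\n' "$1" > "$d/sysrestore.state"
    : > "$d/wants/dirsrv@$1.service"
    printf '%s' "$d"
}

# Stand-alone run reproduces the thread's symptom: realm EXAMPLE.ORG but
# the instance was created as 'dir'.
fx=$(make_fixture dir)
check_dirsrv_unit EXAMPLE.ORG "$fx/sysrestore.state" "$fx/wants" || true
rm -rf "$fx"
```

If the recorded serverid and the enabled unit both say `dir` while the realm-derived name differs, the instance was created under a different name than the installer later expects, which is exactly the question Thierry asks above; if they agree and only the symlink is missing, the restart failure is a systemd enablement problem instead.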