[Freeipa-users] [Freeipa-interest] Announcing FreeIPA 4.1.2 - NEED HELP WITH 2FA/OTP!!!
Niranjan M.R
mrniranjan at redhat.com
Thu Dec 11 07:56:55 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/09/2014 11:14 PM, thierry bordaz wrote:
> On 12/09/2014 04:07 PM, thierry bordaz wrote:
>> On 12/09/2014 11:15 AM, thierry bordaz wrote:
>>> On 12/09/2014 10:48 AM, Niranjan M.R wrote:
> On 12/09/2014 02:57 PM, thierry bordaz wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Niranjan, may I have access to your test machine.
>>>>>>
> It's a vm on my laptop. I am trying to reproduce on another VM
> to which i can give access. I will provide the details of this VM as soon
> as possible.
>
> Mean while i am providing ns-slapd access logs, ipa-logs and pkispawn logs.
>>>>
>>>> Something curious is that the installer is waiting for DS to restart but it is looking like DS has not received the terminaison signal.
>>>>
>>>> 2014-12-09T09:37:49Z DEBUG Waiting for CA to start...
>>>> ...
>>>> 2014-12-09T09:42:45Z DEBUG Waiting for CA to start...
>>>>
>>>>
>>>> [09/Dec/2014:04:37:41 -0500] - Warning: Adding configuration attribute "nsslapd-security"
>>>>
>>>> << here we should expect a restart of DS >>
>>>>
>>>> First why DS did not receive the restart order and then as it is still running (DS looks idle) what does the install is waiting for.
>>>
>>> At the end of the CS configuration, the installer configure ssl DS, restart DS it and then reach the ldap to retrieve the CA status. It fails
>>>
>>> pki/pki-tomcat/localhost.2014-12-09.log
>>> Dec 09, 2014 4:37:49 AM org.apache.catalina.core.StandardWrapperValve invoke
>>> SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception
>>> java.io.IOException: CS server is not ready to serve.
>>> at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:606)
>>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>>> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>>> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:299)
>>> at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:57)
>>> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:193)
>>> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
>>> at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>> at java.lang.Thread.run(Thread.java:745)
>>>
>>> Its fails to reach DS because:
>>> 0.localhost-startStop-1 - [09/Dec/2014:04:37:49 EST] [8] [3] In Ldap (bound) connection pool to host xxxx port 636, Cannot connect to LDAP
>>> server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>>
>>> Having not been able to restart DS, the secure port is not enabled so the CA failure after 5min was normal.
>>>
>>> So the remaining question was why the DS service restart failed.
>>> The systemd file was dirsrv at dir.service -> /usr/lib/systemd/system/dirsrv at .service.
>>>
>
>> I compared the installation logs with my own installation and I have not found any difference that would explain why you got
>> '/etc/systemd/system/dirsrv.target.wants/dirsrv at dir.service' instead of '/etc/systemd/system/dirsrv.target.wants/dirsrv at EXAMPLE-ORG.service'.
>
>> I would like to check if /var/lib/ipa/sysrestore/sysrestore.state file contains 'serverid=dir' or 'serverid=EXAMPLE-ORG'. would you please sent it to me ?
I am attaching the sysrestore.state and all the logs. Thanks a lot for looking in to this.
>
>> thanks
>> thierry
>>>
>>>
>>>>
>>>>
>>>>
>
>
>>>>>> thanks
>>>>>> theirry
>>>>>>
>>>>>>
>>>>>> On 12/09/2014 10:01 AM, Martin Kosek wrote:
>>>>>>> On 12/07/2014 03:01 PM, Niranjan M.R wrote:
>>>>>>>> On 12/06/2014 12:24 AM, Dmitri Pal wrote:
>>>>>>>>> Hello,
>>>>>>>>> WE NEED HELP!
>>>>>>>>> The biggest and the most interesting feature of FreeIPA 4.1.2 is support for the two factor authentication using HOTP/TOTP compatible software
>>>>>>>>> tokens like FreeOTP (open source compatible alternative to Google Authenticator) and hardware tokens like Yubikeys. This feature allows
>>>>>>>>> Kerberos and LDAP clients of a FreeIPA server to authenticate using the normal account password as the first factor and an OTP token as a
>>>>>>>>> second factor. For those environments where a 2FA solution is already in place, FreeIPA can act as a proxy via RADIUS. More about this feature
>>>>>>>>> can be read here.
>>>>>>>>> http://www.freeipa.org/page/V4/OTP
>>>>>>>>> If you want to see this feature in downstream distros sooner rather than later we need your help!
>>>>>>>>> Please give it a try and provide feedback. We really, really need it!
>>>>>>>> I am unable to configure ipa-server with freeipa-server-4.1.2-1.fc20.x86_64, ipa-server-install fails with below error:
>>>>>>>>
>>>>>>>> Done configuring certificate server (pki-tomcatd).
>>>>>>>> Configuring directory server (dirsrv): Estimated time 10 seconds
>>>>>>>> [1/3]: configuring ssl for ds instance
>>>>>>>> [2/3]: restarting directory server
>>>>>>>> ipa : CRITICAL Failed to restart the directory server ([Errno 2] No such file or directory:
>>>>>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv at EXAMPLE-ORG.service'). See the installation log for details.
>>>>>>>> [3/3]: adding CA certificate entry
>>>>>>>> Done configuring directory server (dirsrv).
>>>>>>>> CA did not start in 300.0s
>>>>>>>>
>>>>>>>>
>>>>>>>> Versions used:
>>>>>>>> ==============
>>>>>>>> freeipa-client-4.1.2-1.fc20.x86_64
>>>>>>>> freeipa-server-4.1.2-1.fc20.x86_64
>>>>>>>> libipa_hbac-1.12.2-2.fc20.x86_64
>>>>>>>> libipa_hbac-python-1.12.2-2.fc20.x86_64
>>>>>>>> sssd-ipa-1.12.2-2.fc20.x86_64
>>>>>>>> device-mapper-multipath-0.4.9-56.fc20.x86_64
>>>>>>>> python-iniparse-0.4-9.fc20.noarch
>>>>>>>> freeipa-admintools-4.1.2-1.fc20.x86_64
>>>>>>>> freeipa-python-4.1.2-1.fc20.x86_64
>>>>>>>> 389-ds-base-libs-1.3.3.5-1.fc20.x86_64
>>>>>>>> 389-ds-base-1.3.3.5-1.fc20.x86_64
>>>>>>>>
>>>>>>>> BaseOS:Fedora release 20 (Heisenbug)
>>>>>>>>
>>>>>>>>
>>>>>>>> Steps to reproduce:
>>>>>>>> ---------------
>>>>>>>>
>>>>>>>> 1. On Fedora-20 system, Used mkosek freeipa repo:
>>>>>>>> [mkosek-freeipa]
>>>>>>>> name=Copr repo for freeipa owned by mkosek
>>>>>>>> baseurl=http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-$releasever-$basearch/
>>>>>>>> skip_if_unavailable=True
>>>>>>>> gpgcheck=0
>>>>>>>> enabled=1
>>>>>>>>
>>>>>>>> 2. Install freeipa-server packages from the above repo
>>>>>>>>
>>>>>>>> 3. Issue ipa-server-install
>>>>>>>>
>>>>>>>> [root at pkiserver1 ~]# ipa-server-install
>>>>>>>>
>>>>>>>> The log file for this installation can be found in /var/log/ipaserver-install.log
>>>>>>>> ==============================================================================
>>>>>>>> This program will set up the FreeIPA Server.
>>>>>>>>
>>>>>>>> This includes:
>>>>>>>> * Configure a stand-alone CA (dogtag) for certificate management
>>>>>>>> * Configure the Network Time Daemon (ntpd)
>>>>>>>> * Create and configure an instance of Directory Server
>>>>>>>> * Create and configure a Kerberos Key Distribution Center (KDC)
>>>>>>>> * Configure Apache (httpd)
>>>>>>>>
>>>>>>>> To accept the default shown in brackets, press the Enter key.
>>>>>>>>
>>>>>>>> WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
>>>>>>>> in favor of ntpd
>>>>>>>>
>>>>>>>> Do you want to configure integrated DNS (BIND)? [no]: yes
>>>>>>>>
>>>>>>>> Existing BIND configuration detected, overwrite? [no]: yes
>>>>>>>> Enter the fully qualified domain name of the computer
>>>>>>>> on which you're setting up server software. Using the form
>>>>>>>> <hostname>.<domainname>
>>>>>>>> Example: master.example.com.
>>>>>>>>
>>>>>>>>
>>>>>>>> Server host name [pkiserver1.example.org]:
>>>>>>>>
>>>>>>>> Warning: skipping DNS resolution of host pkiserver1.example.org
>>>>>>>> The domain name has been determined based on the host name.
>>>>>>>>
>>>>>>>> Please confirm the domain name [example.org]:
>>>>>>>>
>>>>>>>> The kerberos protocol requires a Realm name to be defined.
>>>>>>>> This is typically the domain name converted to uppercase.
>>>>>>>>
>>>>>>>> Please provide a realm name [EXAMPLE.ORG]:
>>>>>>>> Certain directory server operations require an administrative user.
>>>>>>>> This user is referred to as the Directory Manager and has full access
>>>>>>>> to the Directory for system management tasks and will be added to the
>>>>>>>>
>>>>>>>> The IPA server requires an administrative user, named 'admin'.
>>>>>>>> This user is a regular system account used for IPA server administration.
>>>>>>>>
>>>>>>>> IPA admin password:
>>>>>>>> Password (confirm):
>>>>>>>>
>>>>>>>> Do you want to configure DNS forwarders? [yes]: no
>>>>>>>> No DNS forwarders configured
>>>>>>>> Do you want to configure the reverse zone? [yes]:
>>>>>>>> Please specify the reverse zone name [122.168.192.in-addr.arpa.]:
>>>>>>>> Using reverse zone(s) 122.168.192.in-addr.arpa.
>>>>>>>>
>>>>>>>> The IPA Master Server will be configured with:
>>>>>>>> Hostname: pkiserver1.example.org
>>>>>>>> IP address(es): 192.168.122.246
>>>>>>>> Domain name: example.org
>>>>>>>> Realm name: EXAMPLE.ORG
>>>>>>>>
>>>>>>>> BIND DNS server will be configured to serve IPA domain with:
>>>>>>>> Forwarders: No forwarders
>>>>>>>> Reverse zone(s): 122.168.192.in-addr.arpa.
>>>>>>>>
>>>>>>>> Continue to configure the system with these values? [no]: yes
>>>>>>>>
>>>>>>>> The following operations may take some minutes to complete.
>>>>>>>> Please wait until the prompt is returned.
>>>>>>>>
>>>>>>>>
>>>>>>>> instance of directory server created for IPA.
>>>>>>>> The password must be at least 8 characters long.
>>>>>>>>
>>>>>>>> Directory Manager password:
>>>>>>>> Password (confirm):
>>>>>>>> Configuring NTP daemon (ntpd)
>>>>>>>> [1/4]: stopping ntpd
>>>>>>>> [2/4]: writing configuration
>>>>>>>> [3/4]: configuring ntpd to start on boot
>>>>>>>> [4/4]: starting ntpd
>>>>>>>> Done configuring NTP daemon (ntpd).
>>>>>>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>>>>>>> [1/38]: creating directory server user
>>>>>>>> [2/38]: creating directory server instance
>>>>>>>> [3/38]: adding default schema
>>>>>>>> [4/38]: enabling memberof plugin
>>>>>>>> [5/38]: enabling winsync plugin
>>>>>>>> [6/38]: configuring replication version plugin
>>>>>>>> [7/38]: enabling IPA enrollment plugin
>>>>>>>> [8/38]: enabling ldapi
>>>>>>>> [9/38]: configuring uniqueness plugin
>>>>>>>> [10/38]: configuring uuid plugin
>>>>>>>> [11/38]: configuring modrdn plugin
>>>>>>>> [12/38]: configuring DNS plugin
>>>>>>>> [13/38]: enabling entryUSN plugin
>>>>>>>> [14/38]: configuring lockout plugin
>>>>>>>> [15/38]: creating indices
>>>>>>>> [16/38]: enabling referential integrity plugin
>>>>>>>> [17/38]: configuring certmap.conf
>>>>>>>> [18/38]: configure autobind for root
>>>>>>>> [19/38]: configure new location for managed entries
>>>>>>>> [20/38]: configure dirsrv ccache
>>>>>>>> [21/38]: enable SASL mapping fallback
>>>>>>>> [22/38]: restarting directory server
>>>>>>>> [23/38]: adding default layout
>>>>>>>> [24/38]: adding delegation layout
>>>>>>>> [25/38]: creating container for managed entries
>>>>>>>> [26/38]: configuring user private groups
>>>>>>>> [27/38]: configuring netgroups from hostgroups
>>>>>>>> [28/38]: creating default Sudo bind user
>>>>>>>> [29/38]: creating default Auto Member layout
>>>>>>>> [30/38]: adding range check plugin
>>>>>>>> [31/38]: creating default HBAC rule allow_all
>>>>>>>> [32/38]: initializing group membership
>>>>>>>> [33/38]: adding master entry
>>>>>>>> [34/38]: configuring Posix uid/gid generation
>>>>>>>> [35/38]: adding replication acis
>>>>>>>> [36/38]: enabling compatibility plugin
>>>>>>>> [37/38]: tuning directory server
>>>>>>>> [38/38]: configuring directory to start on boot
>>>>>>>> Done configuring directory server (dirsrv).
>>>>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>>>>>> [1/27]: creating certificate server user
>>>>>>>> [2/27]: configuring certificate server instance
>>>>>>>> [3/27]: stopping certificate server instance to update CS.cfg
>>>>>>>> [4/27]: backing up CS.cfg
>>>>>>>> [5/27]: disabling nonces
>>>>>>>> [6/27]: set up CRL publishing
>>>>>>>> [7/27]: enable PKIX certificate path discovery and validation
>>>>>>>> [8/27]: starting certificate server instance
>>>>>>>> [9/27]: creating RA agent certificate database
>>>>>>>> [10/27]: importing CA chain to RA certificate database
>>>>>>>> [11/27]: fixing RA database permissions
>>>>>>>> [12/27]: setting up signing cert profile
>>>>>>>> [13/27]: set certificate subject base
>>>>>>>> [14/27]: enabling Subject Key Identifier
>>>>>>>> [15/27]: enabling Subject Alternative Name
>>>>>>>> [16/27]: enabling CRL and OCSP extensions for certificates
>>>>>>>> [17/27]: setting audit signing renewal to 2 years
>>>>>>>> [18/27]: configuring certificate server to start on boot
>>>>>>>> [19/27]: restarting certificate server
>>>>>>>> [20/27]: requesting RA certificate from CA
>>>>>>>> [21/27]: issuing RA agent certificate
>>>>>>>> [22/27]: adding RA agent as a trusted user
>>>>>>>> [23/27]: configure certmonger for renewals
>>>>>>>> [24/27]: configure certificate renewals
>>>>>>>> [25/27]: configure RA certificate renewal
>>>>>>>> [26/27]: configure Server-Cert certificate renewal
>>>>>>>> [27/27]: Configure HTTP to proxy connections
>>>>>>>> Done configuring certificate server (pki-tomcatd).
>>>>>>>> Configuring directory server (dirsrv): Estimated time 10 seconds
>>>>>>>> [1/3]: configuring ssl for ds instance
>>>>>>>> [2/3]: restarting directory server
>>>>>>>> ipa : CRITICAL Failed to restart the directory server ([Errno 2] No such file or directory:
>>>>>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv at EXAMPLE-ORG.service'). See the installation log for details.
>>>>>>>> [3/3]: adding CA certificate entry
>>>>>>>> Done configuring directory server (dirsrv).
>>>>>>>>
>>>>>>>> CA did not start in 300.0s
>>>>>>>>
>>>>>>>> Attaching ipaserver-install.log, pkispawn logs
>>>>>>>>
>>>>>>>> Any hints on how to overcome the above error.
>>>>>>> The error is obviously in Directory Server restart. I am not sure what causes
>>>>>>>
>>>>>>> 2014-12-07T11:16:25Z DEBUG [2/3]: restarting directory server
>>>>>>> 2014-12-07T11:16:25Z CRITICAL Failed to restart the directory server ([Errno 2]
>>>>>>> No such file or directory:
>>>>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv at EXAMPLE-ORG.service'). See the
>>>>>>> installation log for details.
>>>>>>>
>>>>>>> The first restart worked and it uses the same call, AFAIK. It would be
>>>>>>> interesting to see the latest logs of the instance after ipa-server-install
>>>>>>> crashes:
>>>>>>>
>>>>>>> # systemctl status dirsrv at EXAMPLE-ORG.service
>>>>>>>
>>>>>>> It may have some useful logs that would reveal what happened.
>>>>>>>
>>>>>>> Martin
>
> -- Niranjan
> irc: mrniranjan
>>>
>>
>>
>>
>
>
>
- --
Niranjan
irc: mrniranjan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iKYEARECAGYFAlSJTkdfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEY3OTE3QTg3ODE0RkVCQ0YyNjgyOTRENjJF
RURDNTVGNjA0N0M3QzcACgkQLu3FX2BHx8cirgCfXtbPkzQcb+yLpjN1cf1UheC8
sXcAn3GBoeGcgRscYLIF4cCfh3KwQJpW
=rTOO
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-logs.tar.gz
Type: application/x-gzip
Size: 301779 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141211/596df932/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x6047C7C7.asc
Type: application/pgp-keys
Size: 1893 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141211/596df932/attachment-0001.bin>
More information about the Freeipa-users
mailing list