[Freeipa-users] [Freeipa-interest] Announcing FreeIPA 4.1.2 - NEED HELP WITH 2FA/OTP!!!

thierry bordaz tbordaz at redhat.com
Thu Dec 11 14:35:00 UTC 2014


On 12/11/2014 08:56 AM, Niranjan M.R wrote:
> On 12/09/2014 11:14 PM, thierry bordaz wrote:
>> On 12/09/2014 04:07 PM, thierry bordaz wrote:
>>> On 12/09/2014 11:15 AM, thierry bordaz wrote:
>>>> On 12/09/2014 10:48 AM, Niranjan M.R wrote:
>> On 12/09/2014 02:57 PM, thierry bordaz wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Niranjan, may I have access to your test machine.
>>>>>>>
>> It's a VM on my laptop. I am trying to reproduce on another VM
>> to which I can give access. I will provide the details of this VM as soon
>> as possible.
>>
>> Meanwhile I am providing ns-slapd access logs, ipa-logs and pkispawn logs.
>>>>> Something curious is that the installer is waiting for DS to restart, but it looks like DS has not received the termination signal.
>>>>>
>>>>> 2014-12-09T09:37:49Z DEBUG Waiting for CA to start...
>>>>> ...
>>>>> 2014-12-09T09:42:45Z DEBUG Waiting for CA to start...
>>>>>
>>>>>
>>>>> [09/Dec/2014:04:37:41 -0500] - Warning: Adding configuration attribute "nsslapd-security"
>>>>>
>>>>> << here we should expect a restart of DS >>
>>>>>
>>>>> First, why did DS not receive the restart order, and then, as it is still running (DS looks idle), what is the install waiting for?
>>>>      At the end of the CS configuration, the installer configures SSL on DS, restarts DS and then reaches the LDAP to retrieve the CA status. It fails:
>>>>
>>>>      pki/pki-tomcat/localhost.2014-12-09.log
>>>>      Dec 09, 2014 4:37:49 AM org.apache.catalina.core.StandardWrapperValve invoke
>>>>      SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception
>>>>      java.io.IOException: CS server is not ready to serve.
>>>>
>>>>      It fails to reach DS because:
>>>>      0.localhost-startStop-1 - [09/Dec/2014:04:37:49 EST] [8] [3] In Ldap (bound) connection pool to host xxxx port 636, Cannot connect to LDAP
>>>>      server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>>>
>>>>      Having not been able to restart DS, the secure port is not enabled so the CA failure after 5min was normal.
>>>>
>>>>      So the remaining question was why the DS service restart failed.
>>>>      The systemd file was dirsrv@dir.service -> /usr/lib/systemd/system/dirsrv@.service.
>>>>
>>> I compared the installation logs with my own installation and I have not found any difference that would explain why you got
>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@dir.service' instead of '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'.
>>> I would like to check if the /var/lib/ipa/sysrestore/sysrestore.state file contains 'serverid=dir' or 'serverid=EXAMPLE-ORG'. Would you please send it to me?
> I am attaching the sysrestore.state and all the logs. Thanks a lot for looking into this.

Hello,

    Well, the sysrestore contains the expected service 'dirsrv' but not
    'dir'.

    I am sorry but I have no clue what would explain why the service
    link 'dirsrv@EXAMPLE-ORG.service' would have been turned into
    'dirsrv@dir.service'.

    The service was correctly set just before the pki-tomcatd configuration.
    Once pki-tomcatd completed, SSL was configured on the directory and the
    restart failed because the service was incorrectly set.
    Looking at the log of the pki-tomcatd configuration, I do not find
    anything related to the directory service in that period of time.
    Looking at the code, the only reason that could explain such a file
    (dirsrv@dir.service) would be that a service 'dir' was enabled (in
    addition to the removal of EXAMPLE-ORG). But nowhere is a 'dir' service
    enabled.

    thanks
    thierry

>>> thanks
>>> thierry
>>>>>>> thanks
>>>>>>> thierry
>>>>>>>
>>>>>>>
>>>>>>> On 12/09/2014 10:01 AM, Martin Kosek wrote:
>>>>>>>> On 12/07/2014 03:01 PM, Niranjan M.R wrote:
>>>>>>>>> On 12/06/2014 12:24 AM, Dmitri Pal wrote:
>>>>>>>>>> Hello,
>>>>>>>>>> WE NEED HELP!
>>>>>>>>>> The biggest and the most interesting feature of FreeIPA 4.1.2 is support for the two factor authentication using HOTP/TOTP compatible software
>>>>>>>>>> tokens like FreeOTP (open source compatible alternative to Google Authenticator) and hardware tokens like Yubikeys. This feature allows
>>>>>>>>>> Kerberos and LDAP clients of a FreeIPA server to authenticate using the normal account password as the first factor and an OTP token as a
>>>>>>>>>> second factor. For those environments where a 2FA solution is already in place, FreeIPA can act as a proxy via RADIUS. More about this feature
>>>>>>>>>> can be read here.
>>>>>>>>>> http://www.freeipa.org/page/V4/OTP
>>>>>>>>>> If you want to see this feature in downstream distros sooner rather than later we need your help!
>>>>>>>>>> Please give it a try and provide feedback. We really, really need it!
>>>>>>>>> I am unable to configure ipa-server with freeipa-server-4.1.2-1.fc20.x86_64,  ipa-server-install fails with below error:
>>>>>>>>>
>>>>>>>>> Done configuring certificate server (pki-tomcatd).
>>>>>>>>> Configuring directory server (dirsrv): Estimated time 10 seconds
>>>>>>>>>      [1/3]: configuring ssl for ds instance
>>>>>>>>>      [2/3]: restarting directory server
>>>>>>>>> ipa         : CRITICAL Failed to restart the directory server ([Errno 2] No such file or directory:
>>>>>>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'). See the installation log for details.
>>>>>>>>>      [3/3]: adding CA certificate entry
>>>>>>>>> Done configuring directory server (dirsrv).
>>>>>>>>> CA did not start in 300.0s
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Versions used:
>>>>>>>>> ==============
>>>>>>>>> freeipa-client-4.1.2-1.fc20.x86_64
>>>>>>>>> freeipa-server-4.1.2-1.fc20.x86_64
>>>>>>>>> libipa_hbac-1.12.2-2.fc20.x86_64
>>>>>>>>> libipa_hbac-python-1.12.2-2.fc20.x86_64
>>>>>>>>> sssd-ipa-1.12.2-2.fc20.x86_64
>>>>>>>>> device-mapper-multipath-0.4.9-56.fc20.x86_64
>>>>>>>>> python-iniparse-0.4-9.fc20.noarch
>>>>>>>>> freeipa-admintools-4.1.2-1.fc20.x86_64
>>>>>>>>> freeipa-python-4.1.2-1.fc20.x86_64
>>>>>>>>> 389-ds-base-libs-1.3.3.5-1.fc20.x86_64
>>>>>>>>> 389-ds-base-1.3.3.5-1.fc20.x86_64
>>>>>>>>>
>>>>>>>>> BaseOS:Fedora release 20 (Heisenbug)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Steps to reproduce:
>>>>>>>>> ---------------
>>>>>>>>>
>>>>>>>>> 1. On Fedora-20 system, Used mkosek freeipa repo:
>>>>>>>>> [mkosek-freeipa]
>>>>>>>>> name=Copr repo for freeipa owned by mkosek
>>>>>>>>> baseurl=http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-$releasever-$basearch/
>>>>>>>>> skip_if_unavailable=True
>>>>>>>>> gpgcheck=0
>>>>>>>>> enabled=1
>>>>>>>>>
>>>>>>>>> 2. Install freeipa-server packages from the above repo
>>>>>>>>>
>>>>>>>>> 3. Issue ipa-server-install
>>>>>>>>>
>>>>>>>>> [root@pkiserver1 ~]# ipa-server-install
>>>>>>>>>
>>>>>>>>> The log file for this installation can be found in /var/log/ipaserver-install.log
>>>>>>>>> ==============================================================================
>>>>>>>>> This program will set up the FreeIPA Server.
>>>>>>>>>
>>>>>>>>> This includes:
>>>>>>>>>      * Configure a stand-alone CA (dogtag) for certificate management
>>>>>>>>>      * Configure the Network Time Daemon (ntpd)
>>>>>>>>>      * Create and configure an instance of Directory Server
>>>>>>>>>      * Create and configure a Kerberos Key Distribution Center (KDC)
>>>>>>>>>      * Configure Apache (httpd)
>>>>>>>>>
>>>>>>>>> To accept the default shown in brackets, press the Enter key.
>>>>>>>>>
>>>>>>>>> WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
>>>>>>>>> in favor of ntpd
>>>>>>>>>
>>>>>>>>> Do you want to configure integrated DNS (BIND)? [no]: yes
>>>>>>>>>
>>>>>>>>> Existing BIND configuration detected, overwrite? [no]: yes
>>>>>>>>> Enter the fully qualified domain name of the computer
>>>>>>>>> on which you're setting up server software. Using the form
>>>>>>>>> <hostname>.<domainname>
>>>>>>>>> Example: master.example.com.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Server host name [pkiserver1.example.org]:
>>>>>>>>>
>>>>>>>>> Warning: skipping DNS resolution of host pkiserver1.example.org
>>>>>>>>> The domain name has been determined based on the host name.
>>>>>>>>>
>>>>>>>>> Please confirm the domain name [example.org]:
>>>>>>>>>
>>>>>>>>> The kerberos protocol requires a Realm name to be defined.
>>>>>>>>> This is typically the domain name converted to uppercase.
>>>>>>>>>
>>>>>>>>> Please provide a realm name [EXAMPLE.ORG]:
>>>>>>>>> Certain directory server operations require an administrative user.
>>>>>>>>> This user is referred to as the Directory Manager and has full access
>>>>>>>>> to the Directory for system management tasks and will be added to the
>>>>>>>>>
>>>>>>>>> The IPA server requires an administrative user, named 'admin'.
>>>>>>>>> This user is a regular system account used for IPA server administration.
>>>>>>>>>
>>>>>>>>> IPA admin password:
>>>>>>>>> Password (confirm):
>>>>>>>>>
>>>>>>>>> Do you want to configure DNS forwarders? [yes]: no
>>>>>>>>> No DNS forwarders configured
>>>>>>>>> Do you want to configure the reverse zone? [yes]:
>>>>>>>>> Please specify the reverse zone name [122.168.192.in-addr.arpa.]:
>>>>>>>>> Using reverse zone(s) 122.168.192.in-addr.arpa.
>>>>>>>>>
>>>>>>>>> The IPA Master Server will be configured with:
>>>>>>>>> Hostname:       pkiserver1.example.org
>>>>>>>>> IP address(es): 192.168.122.246
>>>>>>>>> Domain name:    example.org
>>>>>>>>> Realm name:     EXAMPLE.ORG
>>>>>>>>>
>>>>>>>>> BIND DNS server will be configured to serve IPA domain with:
>>>>>>>>> Forwarders:    No forwarders
>>>>>>>>> Reverse zone(s):  122.168.192.in-addr.arpa.
>>>>>>>>>
>>>>>>>>> Continue to configure the system with these values? [no]: yes
>>>>>>>>>
>>>>>>>>> The following operations may take some minutes to complete.
>>>>>>>>> Please wait until the prompt is returned.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> instance of directory server created for IPA.
>>>>>>>>> The password must be at least 8 characters long.
>>>>>>>>>
>>>>>>>>> Directory Manager password:
>>>>>>>>> Password (confirm):
>>>>>>>>> Configuring NTP daemon (ntpd)
>>>>>>>>>      [1/4]: stopping ntpd
>>>>>>>>>      [2/4]: writing configuration
>>>>>>>>>      [3/4]: configuring ntpd to start on boot
>>>>>>>>>      [4/4]: starting ntpd
>>>>>>>>> Done configuring NTP daemon (ntpd).
>>>>>>>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>>>>>>>>      [1/38]: creating directory server user
>>>>>>>>>      [2/38]: creating directory server instance
>>>>>>>>>      [3/38]: adding default schema
>>>>>>>>>      [4/38]: enabling memberof plugin
>>>>>>>>>      [5/38]: enabling winsync plugin
>>>>>>>>>      [6/38]: configuring replication version plugin
>>>>>>>>>      [7/38]: enabling IPA enrollment plugin
>>>>>>>>>      [8/38]: enabling ldapi
>>>>>>>>>      [9/38]: configuring uniqueness plugin
>>>>>>>>>      [10/38]: configuring uuid plugin
>>>>>>>>>      [11/38]: configuring modrdn plugin
>>>>>>>>>      [12/38]: configuring DNS plugin
>>>>>>>>>      [13/38]: enabling entryUSN plugin
>>>>>>>>>      [14/38]: configuring lockout plugin
>>>>>>>>>      [15/38]: creating indices
>>>>>>>>>      [16/38]: enabling referential integrity plugin
>>>>>>>>>      [17/38]: configuring certmap.conf
>>>>>>>>>      [18/38]: configure autobind for root
>>>>>>>>>      [19/38]: configure new location for managed entries
>>>>>>>>>      [20/38]: configure dirsrv ccache
>>>>>>>>>      [21/38]: enable SASL mapping fallback
>>>>>>>>>      [22/38]: restarting directory server
>>>>>>>>>      [23/38]: adding default layout
>>>>>>>>>      [24/38]: adding delegation layout
>>>>>>>>>      [25/38]: creating container for managed entries
>>>>>>>>>      [26/38]: configuring user private groups
>>>>>>>>>      [27/38]: configuring netgroups from hostgroups
>>>>>>>>>      [28/38]: creating default Sudo bind user
>>>>>>>>>      [29/38]: creating default Auto Member layout
>>>>>>>>>      [30/38]: adding range check plugin
>>>>>>>>>      [31/38]: creating default HBAC rule allow_all
>>>>>>>>>      [32/38]: initializing group membership
>>>>>>>>>      [33/38]: adding master entry
>>>>>>>>>      [34/38]: configuring Posix uid/gid generation
>>>>>>>>>      [35/38]: adding replication acis
>>>>>>>>>      [36/38]: enabling compatibility plugin
>>>>>>>>>      [37/38]: tuning directory server
>>>>>>>>>      [38/38]: configuring directory to start on boot
>>>>>>>>> Done configuring directory server (dirsrv).
>>>>>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>>>>>>>      [1/27]: creating certificate server user
>>>>>>>>>      [2/27]: configuring certificate server instance
>>>>>>>>>      [3/27]: stopping certificate server instance to update CS.cfg
>>>>>>>>>      [4/27]: backing up CS.cfg
>>>>>>>>>      [5/27]: disabling nonces
>>>>>>>>>      [6/27]: set up CRL publishing
>>>>>>>>>      [7/27]: enable PKIX certificate path discovery and validation
>>>>>>>>>      [8/27]: starting certificate server instance
>>>>>>>>>      [9/27]: creating RA agent certificate database
>>>>>>>>>      [10/27]: importing CA chain to RA certificate database
>>>>>>>>>      [11/27]: fixing RA database permissions
>>>>>>>>>      [12/27]: setting up signing cert profile
>>>>>>>>>      [13/27]: set certificate subject base
>>>>>>>>>      [14/27]: enabling Subject Key Identifier
>>>>>>>>>      [15/27]: enabling Subject Alternative Name
>>>>>>>>>      [16/27]: enabling CRL and OCSP extensions for certificates
>>>>>>>>>      [17/27]: setting audit signing renewal to 2 years
>>>>>>>>>      [18/27]: configuring certificate server to start on boot
>>>>>>>>>      [19/27]: restarting certificate server
>>>>>>>>>      [20/27]: requesting RA certificate from CA
>>>>>>>>>      [21/27]: issuing RA agent certificate
>>>>>>>>>      [22/27]: adding RA agent as a trusted user
>>>>>>>>>      [23/27]: configure certmonger for renewals
>>>>>>>>>      [24/27]: configure certificate renewals
>>>>>>>>>      [25/27]: configure RA certificate renewal
>>>>>>>>>      [26/27]: configure Server-Cert certificate renewal
>>>>>>>>>      [27/27]: Configure HTTP to proxy connections
>>>>>>>>> Done configuring certificate server (pki-tomcatd).
>>>>>>>>> Configuring directory server (dirsrv): Estimated time 10 seconds
>>>>>>>>>      [1/3]: configuring ssl for ds instance
>>>>>>>>>      [2/3]: restarting directory server
>>>>>>>>> ipa         : CRITICAL Failed to restart the directory server ([Errno 2] No such file or directory:
>>>>>>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'). See the installation log for details.
>>>>>>>>>      [3/3]: adding CA certificate entry
>>>>>>>>> Done configuring directory server (dirsrv).
>>>>>>>>>
>>>>>>>>> CA did not start in 300.0s
>>>>>>>>>
>>>>>>>>> Attaching ipaserver-install.log, pkispawn logs
>>>>>>>>>
>>>>>>>>> Any hints on how to overcome the above error?
>>>>>>>> The error is obviously in Directory Server restart. I am not sure what causes
>>>>>>>>
>>>>>>>> 2014-12-07T11:16:25Z DEBUG   [2/3]: restarting directory server
>>>>>>>> 2014-12-07T11:16:25Z CRITICAL Failed to restart the directory server ([Errno 2]
>>>>>>>> No such file or directory:
>>>>>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'). See the
>>>>>>>> installation log for details.
>>>>>>>>
>>>>>>>> The first restart worked and it uses the same call, AFAIK. It would be
>>>>>>>> interesting to see the latest logs of the instance after ipa-server-install
>>>>>>>> crashes:
>>>>>>>>
>>>>>>>> # systemctl status dirsrv@EXAMPLE-ORG.service
>>>>>>>>
>>>>>>>> It may have some useful logs that would reveal what happened.
>>>>>>>>
>>>>>>>> Martin
>> -- Niranjan
>> irc: mrniranjan
> --
> Niranjan
> irc: mrniranjan

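As an added diagnostic (not code from the thread or from FreeIPA itself), the following cross-checks what thierry compared by hand above: the instance name derived from the realm, the serverid recorded in sysrestore.state, and the link present in dirsrv.target.wants. It assumes sysrestore.state is an INI file with a [dirsrv] section carrying serverid, that the 389-ds instance name is the realm with dots replaced by dashes, and it builds a constructed sample state in a temporary directory rather than touching the real system.

```python
import configparser
import os
import tempfile

# Path the failing restart complained about in the thread.
WANTS_DIR = "/etc/systemd/system/dirsrv.target.wants"


def realm_to_serverid(realm):
    """FreeIPA names the 389-ds instance after the realm with dots replaced by dashes."""
    return realm.replace(".", "-")


def read_serverid(state_path):
    """Return the serverid recorded under [dirsrv] in sysrestore.state (INI format assumed)."""
    cp = configparser.ConfigParser()
    cp.read(state_path)
    return cp.get("dirsrv", "serverid", fallback=None)


def check_dirsrv_unit(realm, state_path, wants_dir=WANTS_DIR):
    """Cross-check the realm, sysrestore.state and the dirsrv.target.wants links.

    Returns findings rather than raising, so a pre-flight script can decide
    what to do before (re)running ipa-server-install."""
    expected = realm_to_serverid(realm)
    unit = "dirsrv@%s.service" % expected
    present = sorted(os.listdir(wants_dir)) if os.path.isdir(wants_dir) else []
    return {
        "expected_unit": unit,
        "serverid_matches": read_serverid(state_path) == expected,
        "unit_enabled": unit in present,
        # Any other dirsrv@ link (e.g. dirsrv@dir.service) points at the wrong instance.
        "unexpected_units": [u for u in present if u.startswith("dirsrv@") and u != unit],
    }


def demo(broken=True):
    """Constructed sandbox reproducing the state described in the thread:
    sysrestore.state says EXAMPLE-ORG, but the wants link is dirsrv@dir.service."""
    root = tempfile.mkdtemp()
    state = os.path.join(root, "sysrestore.state")
    wants = os.path.join(root, "dirsrv.target.wants")
    os.mkdir(wants)
    with open(state, "w") as f:
        f.write("[dirsrv]\nserverid = EXAMPLE-ORG\n")
    link = "dirsrv@dir.service" if broken else "dirsrv@EXAMPLE-ORG.service"
    open(os.path.join(wants, link), "w").close()  # stand-in for the symlink
    return check_dirsrv_unit("EXAMPLE.ORG", state, wants)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

On a real host, call check_dirsrv_unit with the realm, /var/lib/ipa/sysrestore/sysrestore.state and the default wants directory; a False unit_enabled together with a non-empty unexpected_units list is the situation the thread describes.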