From tk at mdevsys.com Thu Oct 1 01:22:25 2015
From: tk at mdevsys.com (TomK)
Date: Wed, 30 Sep 2015 21:22:25 -0400
Subject: [Freeipa-users] HBAC
In-Reply-To: <560BD190.7050401@redhat.com>
References: <560B3A68.7020401@mdevsys.com> <560B3D73.9050704@mdevsys.com>
<20150930055047.GG4539@redhat.com> <560BD190.7050401@redhat.com>
Message-ID: <560C8AD1.5080105@mdevsys.com>
On 9/30/2015 8:12 AM, Martin Kosek wrote:
> On 09/30/2015 07:50 AM, Alexander Bokovoy wrote:
>> On Tue, 29 Sep 2015, TomK wrote:
>>> Hey Guy's,
>>>
>>> (Sending this again as I didn't have this email included in the freeipa-users
>>> mailing list so not sure if the other message will get posted.)
>>>
>>> Before I post a ticket to RH Support for an RFE, I'll post the request here
>>> to get some feedback on options and what ideas folks have. I've a situation
>>> as follows. I have the following setup in WS 2012 AD DC:
>>>
>>> TomK (user)
>>> TomK Groups:
>>> unixg
>>> windowsg
>>>
>>> unixg has the 'host' attribute defined 'lab01,lab02,lab03,lab04'
>>> windowsg has the 'host' attribute defined 'lab06,lab07,lab08,lab09'
>>>
>>> TomK(user) also has the 'host' attribute defined as per the proper RFC for
>>> LDAP. With SSSD rules I can define the rules to read the user 'host'
>>> attribute but not the group 'host' attribute:
>>>
>>>
>>> |access_provider = ldap ldap_access_order = host ldap_user_authorized_host =
>>> host|
>>>
>>>
>>> Essentially TomK to be given access to hosts listed in the 'host' attribute
>>> but denied entry into lab05 for example (not listed in any group 'host'
>>> attribute above) to the server. If I have a new user that has joined that
>>> particular team at our organization, I can simply add her/him to the above
>>> groups and this user would get access only to the listed servers in 'host'
>>> attribute by default. I don't need to specify new groups in customized
>>> sssd.conf or ldap.conf files or in sshd config files. Hence less to update
>>> with Salt or any other CM suite. I've managed to setup SUDO rules and with
>>> the openssh-ldap.diff schema SSH public keys could be stored in AD as well
>>> and be read by OpenSSH. So aside from the HBAC capability on groups,
>>> virtually all our needs are handled by the WS2012 AD DC as it has to follow
>>> the OpenLDAP standard anyway. Now to get this we considered and are still
>>> considering FreeIPA. However this idea poses a set of challenges:
>>>
>>> 1) In large organizations where the AD support department are only trained in
>>> Windows AD setup and configuration (Only windows guy's) this would require a
>>> minimal of 3 bodies to support that know LDAP/Linux. This is a large cost.
>>>
>>> 2) The additional server requires the same hardening as the Windows AD DC
>>> servers meaning a new procedure has to be carved out for the 2+ FreeIPA
>>> servers to be supported, hardened and maintained (upgraded).
>>>
>>> Now I probably sound somewhat anti-FreeIPA, however the challenges of
>>> implementing it in large organizations surface after some deliberation, so
>>> probably better to list then as it may help direct development of the product
>>> to contend with the challenges (Like having a document fully dedicated to
>>> hardening a FreeIPA server with selinux and other technologies in easy to
>>> maintain configuration). I could be mistaken but some folks mention that
>>> it's 'better' to implement this sort of HBAC through other means (?? iptables
>>> ??) but never tried the alternatives yet.
>>>
>>> So, cutting to the end, would it be possible to add an attribute like:
>>>
>>> |ldap_user_authorized_host|
>>>
>>> but perhaps called 'ldap_group_authorized_host' to the SSSD code to enable
>>> reading the 'host' attribute on AD/LDAP defined groups?
>> In FreeIPA we support HBAC rules for AD users and groups. What exactly
>> is wrong with that?
>>
>> See 'ipa help trust' for details how to map AD groups to IPA groups and
>> then 'ipa help hbacrule' for how to limit access of those groups to
>> specific hosts and services on them.
>>
>> This is all covered well in the guide:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> More reading on External groups used for AD access control:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/active-directory-trust.html#trust-win-groups
>
> I would also suggest a video with HBAC and Trust in action:
>
> https://www.youtube.com/watch?v=sQnNFJOzwa8
>
> HTH,
> Martin
We already defined HBAC rules in the manner that all the links you
pointed out indicate as an early implementation. As a product, there is
no issue in IDM from that perspective. This is all great and the
product is fine from that perspective.
It would be good to have a dual option of either allowing SSSD or IDM /
FreeIPA have full HBAC capability not just FreeIPA / IDM as in our
organization that would be a huge cost savings vs implementing IDM as a
separate Linux DC to be managed by a separate team. So for those
customers that wish to go directly to AD or have already invested in AD
can choose SSSD only (If MS bundles AD with certain purchases, for
example, that is an actual cost savings for a company). Other customers
who wish to keep the two separate so they do not flood AD DC's with non
Windows AD settings can integrate IDM.
There will be cases where there could be a potential to save on costs vs
AD so the Linux IDM could be chosen as an Enterprise DC to which Windows
server authenticate as well as Linux ones or vice versa, whereas those
organizations already implementing Windows AD can have the option to
have Linux servers connecting to the AD DC via SSSD.
Since SSSD and IDM are so closely coupled, for someone who requires
HBAC, the choice is either take both SSSD and IDM or neither. So other
solutions are being explored instead.
Do these reasons make sense as to why I posted the original ask?
Thanks,
TomK
From pspacek at redhat.com Thu Oct 1 07:15:08 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 1 Oct 2015 09:15:08 +0200
Subject: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops
In-Reply-To:
References:
Message-ID: <560CDD7C.8090804@redhat.com>
On 30.9.2015 20:36, Matt Wells wrote:
> Hi all, I hoped I may glean some brilliance from the group.
> I have a Freeipa Server sitting atop a Fedora 21 server. The initial plan
> was to replicate users+passwords with Windows 2012R2 server but following
> some of the information in the other posts and docs we've moved to a
> trust. The trust has been setup using the documentation and in short it's
> worked without issue. I'm able to get principles from the Windows realm (
> marvel.comics.com). So what I'm attempting and failing to do is
> authenticating my IPA users to the Windows 8 desktops. Ideally I don't
> want any users in AD, it's simply there to deliver a GPO and in the next
> year it will be phased out and we'll be replacing Windows 8 with linux
> desktops.
>
> So
> marvel.comics.com = windows
> dc.comics.com = freeipa
>
> # rpm -qi freeipa-server
> Name : freeipa-server
> Version : 4.1.4
> Release : 1.fc21
> Architecture: x86_64
> Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
> Group : System Environment/Base
> Size : 4521059
> License : GPLv3+
> Signature : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
> 89ad4e8795a43f54
> Source RPM : freeipa-4.1.4-1.fc21.src.rpm
> Build Date : Thu 26 Mar 2015 03:16:19 PM UTC
> Build Host : buildhw-07.phx2.fedoraproject.org
> [root at freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
> Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon Aug 17
> 22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
> [root at freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
> Fedora release 21 (Twenty One)
>
> To cut to the chase here's me logging into a Windows 8 desktop system. I
> try to login 3 different ways; this system is a member of the marvel
> domain. Time is extremely close, close enough that I feel really good
> about ruling it out. Any light you all could shed on this would be
> outstanding. Thank you all for your time on this, I really appreciate all
> the time and effort this team puts into reading these posts.
>
> Username: dc/greenlantern
> Password: ************
>
> [root at freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i
> greenlantern
> [30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH
> base="dc=dc,dc=comics,dc=com" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
> )(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
> krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
> objectClass"
>
> Username: greenlanter at dc
> Password: ************
>
>
> [30/Sep/2015:17:59:48 +0000] conn=1172 op=86 SRCH
> base="dc=dc,dc=comics,dc=com" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
> )(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
> krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
> objectClass"
>
>
> Username: greenlanter at dc.comics.com
> Password: ************
>
> [30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH
> base="dc=dc,dc=comics,dc=com" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5C at dc.COMICS.com
> @DC.COMICS.COM
> )(krbPrincipalName=greenlantern\5C at dc.COMICS.com@DC.COMICS.COM
> )))" attrs="krbPrincipalName krbCanonicalName
> ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>
>
>>From what I can tell, everything looks good to wbinfo; we see the domain
> and he see's us. In the AD trust I can go under the trust and validate the
> trust with no issues.
> [root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --online-status
> BUILTIN : online
> DC : online
> MARVEL : online
> [root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
> marvel.comics.com
> Name : MARVEL
> Alt_Name : marvel.comics.com
> SID : S-1-5-21-3495301974-2766379234-3984916731
> Active Directory : Yes
> Native : Yes
> Primary : No
> [root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo -n
> 'MARVEL.COMICS.COM\Domain
> Admins'
> S-1-5-21-3495301974-2766379234-3984916731-512 SID_DOM_GROUP (2)
> [root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
> marvel.comics.com
> Name : MARVEL
> Alt_Name : marvel.comics.com
> SID : S-1-5-21-3495301974-2766379234-3984916731
> Active Directory : Yes
> Native : Yes
> Primary : No
Unfortunately you will not be able to log into Windows workstations using IPA
users because FreeIPA is (at the moment) missing Global Catalog component
which prevents Windows from working with IPA users.
It should work the other way around, but there is nothing you can do at the
moment to make it working with IPA users in Windows. Global Catalog is several
months away in the best case.
Sorry.
--
Petr^2 Spacek
From paul.c.arnold4.ctr at mail.mil Thu Oct 1 10:05:45 2015
From: paul.c.arnold4.ctr at mail.mil (Arnold, Paul C CTR USARMY PEO STRI (US))
Date: Thu, 1 Oct 2015 10:05:45 +0000
Subject: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops
In-Reply-To: <560CDD7C.8090804@redhat.com>
References: ,
<560CDD7C.8090804@redhat.com>
Message-ID: <7322D64AC622D441BC921DE15D30CD215496AA0D@ugunhpsp.easf.csd.disa.mil>
In a similar vein, is anyone aware of a (safe) automated work-around that can periodically map users into localized Windows accounts? I am conceptualizing some sort of powershell script involving a query to 389DS, but automating any form of account management that way sounds moderately terrifying, and may be out of the scope of this mailing list.
Regards,
--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Petr Spacek [pspacek at redhat.com]
Sent: Thursday, October 01, 2015 03:15 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops
This email was sent from a non-Department of Defense email account, and contained active links. All links are disabled, and require you to copy and paste the address to a Web browser. Please verify the identity of the sender, and confirm authenticity of all links contained within the message.
Unfortunately you will not be able to log into Windows workstations using IPA
users because FreeIPA is (at the moment) missing Global Catalog component
which prevents Windows from working with IPA users.
It should work the other way around, but there is nothing you can do at the
moment to make it working with IPA users in Windows. Global Catalog is several
months away in the best case.
Sorry.
--
Petr^2 Spacek
From pbrezina at redhat.com Thu Oct 1 11:59:37 2015
From: pbrezina at redhat.com (=?ISO-8859-2?Q?Pavel_B=F8ezina?=)
Date: Thu, 01 Oct 2015 13:59:37 +0200
Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
In-Reply-To:
References: <20150915123638.GN2884@hendrix>
<9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local>
<20150918084152.GF3162@hendrix.redhat.com>
<66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local>
<20150921192924.GQ13819@hendrix.redhat.com>
<594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local>
<20150921200943.GY13819@hendrix.redhat.com>
<4f5f2129a13f4d7e9aadfc35872ba5c3@TCCCORPEXCH02.TCC.local>
<560A7BA1.7080706@redhat.com>
<3ab447cc1e9549869d9cb58176bce9cf@TCCCORPEXCH02.TCC.local>
<20150930124219.GT15644@hendrix.arn.redhat.com>
Message-ID: <560D2029.7000407@redhat.com>
On 09/30/2015 09:04 PM, Andy Thompson wrote:
>> On Wed, Sep 30, 2015 at 12:17:22PM +0000, Andy Thompson wrote:
>>>> On 09/21/2015 10:42 PM, Andy Thompson wrote:
>>>>>> On Mon, Sep 21, 2015 at 07:39:01PM +0000, Andy Thompson wrote:
>>>>>>>> -----Original Message-----
>>>>>>>> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
>>>>>>>> Sent: Monday, September 21, 2015 3:29 PM
>>>>>>>> To: Andy Thompson
>>>>>>>> Cc: freeipa-users at redhat.com; pbrezina at redhat.com
>>>>>>>> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
>>>>>>>>
>>>>>>>> On Mon, Sep 21, 2015 at 02:22:54PM +0000, Andy Thompson wrote:
>>>>>>>>>>
>>>>>>>>>> On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson
>> wrote:
>>>>>>>>>>> I've narrowed it down a bit doing some testing. The sudo
>>>>>>>>>>> rules work when
>>>>>>>>>> I remove the user group restriction from them. My sudo rules
>>>>>>>>>> all have my ad groups in the rule
>>>>>>>>>>>
>>>>>>>>>>> Rule name: ad_linux_admins
>>>>>>>>>>> Enabled: TRUE
>>>>>>>>>>> Host category: all
>>>>>>>>>>> Command category: all
>>>>>>>>>>> RunAs User category: all
>>>>>>>>>>> RunAs Group category: all
>>>>>>>>>>> User Groups: ad_linux_admins <- if I remove this then
>>>>>>>>>>> the rule gets
>>>>>>>>>> applied
>>>>>>>>>>
>>>>>>>>>> Nice catch. Is the group visible after you login and run id?
>>>>>>>>>>
>>>>>>>>>> What is the exact IPA server version?
>>>>>>>>>
>>>>>>>>> Ok I also figured out if I rename my AD groups to match my IPA
>>>>>>>>> groups then
>>>>>>>> the sudo rules are applied.
>>>>>>>>>
>>>>>>>>> I tested a couple things though, if I put a rule in the local
>>>>>>>>> sudoers file on a server running sssd 1.11
>>>>>>>>>
>>>>>>>>> %@ "sudo commands"
>>>>>>>>>
>>>>>>>>> That rule was not applied. If I remove the then
>>>>>>>>> the rule got
>>>>>>>> applied.
>>>>>>>>>
>>>>>>>>> On a server running sssd 1.12 that rule works, but does not
>>>>>>>>> work if I
>>>>>>>> remove the . And none of the IPA sudo rules work.
>>>>>>>> So something changed with the domain suffix between versions it
>>>>>>>> would appear.
>>>>>>>>>
>>>>>>>>> They key to making the IPA sudo rules work in 1.12 is to
>>>>>>>>> remove the
>>>>>>>> default_domain_suffix setting in the sssd.conf, but that's not
>>>>>>>> an option in my environment.
>>>>>>>>>
>>>>>>>>> So all the moving parts together, it appears that having AD
>>>>>>>>> groups with a different name than the IPA groups in
>>>>>>>>> conjunction with the default_domain_suffix setting breaks things
>> right now in 1.12.
>>>>>>>>> Appears since I renamed the ad group to match then the rule
>>>>>>>>> without a domain suffix will get matched now
>>>>>>>>
>>>>>>>> Hello Andy,
>>>>>>>>
>>>>>>>> I'm sorry for the constant delays, but I was busy with some
>>>>>>>> trust-related fixes lately.
>>>>>>>>
>>>>>>>> Did you have a chance to confirm that just swapping sssd /on
>>>>>>>> the client/ while keeping the same version on the server fixes
>>>>>>>> the issue for
>>>>>> you?
>>>>>>>>
>>>>>>>> Pavel (CC), can you help me out here, please? I have the setup
>>>>>>>> ready on my machine, so tomorrow we can take a look and
>>>>>>>> experiment (I can give you access to my environment via tmate
>>>>>>>> maybe..), but I wasn't able to reproduce the issue locally yet.
>>>>>>>
>>>>>>> It's fine I understand the backlog.
>>>>>>>
>>>>>>> I was not able to backrev the sssd due to dependency issues. I
>>>>>>> tried
>>>>>> downgrading all the dependencies and got in a loop and stopped
>>>>>> trying. Are there any tricks you can think of to downgrade the
>>>>>> sssd
>>>> cleanly?
>>>>>>>
>>>>>>> -andy
>>>>>>>
>>>>>>
>>>>>> What failures are you getting? I normally just download all
>>>>>> \*sss\* packages and then downgrade with rpm -U --oldpackage.
>>>>>
>>>>>
>>>>> I'm just trying to use yum. If I yum downgrade sssd I get a ton
>>>>> of deps. If include all the deps it lists
>>>>>
>>>>> yum downgrade sssd sssd-proxy sssd-ipa sssd-common-pac sssd-krb5
>>>>> sssd-krb5-common sssd-ldap sssd-ad libipa_hbac libipa_hbac-python
>>>>> python-sssdconfig
>>>>>
>>>>> I get multilib errors with libsss_idmap.
>>>>>
>>>>> Looks like my local repo doesn't have libsss_idmap 1.11 available.
>>>>> Let me
>>>> look into that and see what repo it sits in and see if I can figure
>>>> out why it's not pulling in.
>>>>>
>>>>> -andy
>>>>>
>>>>
>>>> Hi, since none of us is able to reproduce this in house, can you
>>>> give us more precise steps how to reproduce and more information?
>>>> What I have in mind at this moment is:
>>>>
>>>> 1) How is membership defined? I suspect it goes as AD-USER ->
>>>> AD-GROUP
>>>> -> IPA->GROUP, right? What types of groups are used?
>>>>
>>>
>>> I have AD user->AD group->external IPA group->IPA group
>>>
>>>> 2) sssd.conf might also turn out to be useful
>>>>
>>>> 3) Remove SSSD and sudo logs, reproduce and send us all the logs
>>>> please with the commands to reproduce. Not just snippets.
>>>>
>>>
>>> I can gather this up and get it over to you.
>>>
>>> Actually I just realized I have two other environments and this is working
>> without issue in those environments. I haven't done a full sudo rollout in
>> those environments yet so I didn't think to check those, but the admins rule
>> is working correctly and I haven't renamed any ad groups to match my IPA
>> groups.
>>>
>>> Could it be something in a sudo rule or something in AD that's interfering
>> with this working correctly?
>>
>> I would first try to find the difference in the environment. Are sssd versions
>> the same on the clients and servers? Are sudo versions the same?
>>
>> ...etc.
>>
>> Pavel has a sudo troubleshooting guide in the works, maybe it would help..
>
> All updates are controlled from the same repo so versions are all the same between the environments, that's why I'm wondering if something in AD could cause this. Can't imagine what it would be though. Groups are all mapped in the same way.
>Sudo is setup the same and works fine it was just the AD group name
being different that is throwing it fits in this one environment. Once
I renamed the AD groups to match it all started pulling in without any
issue.
I think I don't really understand this paragraph. Can you be more
descriptive and specific here, please? Please, give us specific examples
of the groups, names, rules, etc.
>
> I will add the finer grained rules in the other environments when I start rolling it out there one at a time and see if I can tie it to any of those.
>
> -andy
>
From Markus.Moj at mc.ingenico.com Thu Oct 1 12:14:34 2015
From: Markus.Moj at mc.ingenico.com (Markus.Moj at mc.ingenico.com)
Date: Thu, 1 Oct 2015 12:14:34 +0000
Subject: [Freeipa-users] [FreeIPA] SUDO fails with system error
Message-ID:
Dear @all,
I?ve an issue with two, Oracle Linux based, clients and my freeipa server. I can authenticate on any on the enrolled machines but the two oracle server aren?t able to access sudo and I don?t know why.
Here are a few thing I?ve already figured out.
Both machines are enrolled from scratch and I see following entries in ldap_child.log
(Thu Oct 1 12:51:52 2015) [[sssd[ldap_child[3933]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/@' not found in Kerberos database
(Thu Oct 1 12:51:52 2015) [[sssd[ldap_child[3934]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/@' not found in Kerberos database
Furthermore I get following entries in secure log
pam_unix(sudo:auth): authentication failure; logname= uid=957400001 euid=0 tty=/dev/pts/1 ruser= rhost= user=
pam_sss(sudo:auth): authentication failure; logname= uid=957400001 euid=0 tty=/dev/pts/1 ruser= rhost= user=
pam_sss(sudo:auth): received for user : 4 (System error)
Also I get following entries in sssd_pam.log
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [@]
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [] added to PAM initgroup cache
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_print_data] (0x0100): user:
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 6457
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name:
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x7f0d05f51ab0
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f0d04221ed0:3:@]
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x7f0d05f51ab0
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x7f0d05f479e0
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][]
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4].
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Thu Oct 1 14:06:14 2015) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f0d05f51110][20]
(Thu Oct 1 14:06:17 2015) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f0d05f51110][20]
(Thu Oct 1 14:06:17 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
In krb5_child.log I get following entries
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [main] (0x0400): krb5_child started.
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [unpack_buffer] (0x1000): total buffer size: [129]
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [unpack_buffer] (0x0100): cmd [241] uid [957400001] gid [957400001] validate [true] enterprise principal [false] offline [false] UPN [@]
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [unpack_buffer] (0x2000): No old ccache
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:957400001] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/@]
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/@ in keytab.
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [match_principal] (0x1000): Principal matched to the sample (host/@).
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [become_user] (0x0200): Trying to become user [957400001][957400001].
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [main] (0x2000): Running as [957400001][957400001].
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [k5c_setup] (0x2000): Running as [957400001][957400001].
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [main] (0x0400): Will perform online auth
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm []
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [sss_child_krb5_trace_cb] (0x4000): [6458] 1443701174.736207: Getting initial credentials for @
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [sss_child_krb5_trace_cb] (0x4000): [6458] 1443701174.736379: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [sss_child_krb5_trace_cb] (0x4000): [6458] 1443701174.736466: Retrieving host/@ -> krb5_ccache_conf_data/fast_avail/krbtgt\/\@@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_ with result: -1765328243/Matching credential not found
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [sss_child_krb5_trace_cb] (0x4000): [6458] 1443701174.736618: Sending request (167 bytes) to
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [sss_child_krb5_trace_cb] (0x4000): [6458] 1443701174.736984: Initiating TCP connection to stream 10.46.155.120:88
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [sss_child_krb5_trace_cb] (0x4000): [6458] 1443701174.737944: Sending TCP request to stream 10.46.155.120:88
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [sss_child_krb5_trace_cb] (0x4000): [6458] 1443701174.740873: Received answer (356 bytes) from stream 10.46.155.120:88
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [sss_child_krb5_trace_cb] (0x4000): [6458] 1443701174.740920: Terminating TCP connection to stream 10.46.155.120:88
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [sss_child_krb5_trace_cb] (0x4000): [6458] 1443701174.741032: Response was from master KDC
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [sss_child_krb5_trace_cb] (0x4000): [6458] 1443701174.741096: Received error from KDC: -1765328359/Additional pre-authentication required
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [sss_child_krb5_trace_cb] (0x4000): [6458] 1443701174.741133: Upgrading to FAST due to presence of PA_FX_FAST in reply
(Thu Oct 1 14:06:14 2015) [[sssd[krb5_child[6458]]]] [sss_child_krb5_trace_cb] (0x4000): [6458] 1443701174.741151: Restarting to upgrade to FAST
Maybe someone is able and is willing to help. Thanks in advance
Markus
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 476 bytes
Desc: not available
URL:
From Andy.Thompson at e-tcc.com Thu Oct 1 12:53:14 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Thu, 1 Oct 2015 12:53:14 +0000
Subject: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
In-Reply-To: <560D2029.7000407@redhat.com>
References: <20150915123638.GN2884@hendrix>
<9685d8df363c41bea5501ec5c0094c0e@TCCCORPEXCH02.TCC.local>
<20150918084152.GF3162@hendrix.redhat.com>
<66af2f79790146edbee4f9f34061f8f9@TCCCORPEXCH02.TCC.local>
<20150921192924.GQ13819@hendrix.redhat.com>
<594cb56fe2d54826b2d82711089d6652@TCCCORPEXCH02.TCC.local>
<20150921200943.GY13819@hendrix.redhat.com>
<4f5f2129a13f4d7e9aadfc35872ba5c3@TCCCORPEXCH02.TCC.local>
<560A7BA1.7080706@redhat.com>
<3ab447cc1e9549869d9cb58176bce9cf@TCCCORPEXCH02.TCC.local>
<20150930124219.GT15644@hendrix.arn.redhat.com>
<560D2029.7000407@redhat.com>
Message-ID: <39daeab99a154236a32a0695090124a1@TCCCORPEXCH02.TCC.local>
> On 09/30/2015 09:04 PM, Andy Thompson wrote:
> >> On Wed, Sep 30, 2015 at 12:17:22PM +0000, Andy Thompson wrote:
> >>>> On 09/21/2015 10:42 PM, Andy Thompson wrote:
> >>>>>> On Mon, Sep 21, 2015 at 07:39:01PM +0000, Andy Thompson wrote:
> >>>>>>>> -----Original Message-----
> >>>>>>>> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
> >>>>>>>> Sent: Monday, September 21, 2015 3:29 PM
> >>>>>>>> To: Andy Thompson
> >>>>>>>> Cc: freeipa-users at redhat.com; pbrezina at redhat.com
> >>>>>>>> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
> >>>>>>>>
> >>>>>>>> On Mon, Sep 21, 2015 at 02:22:54PM +0000, Andy Thompson
> wrote:
> >>>>>>>>>>
> >>>>>>>>>> On Thu, Sep 17, 2015 at 11:42:54AM +0000, Andy Thompson
> >> wrote:
> >>>>>>>>>>> I've narrowed it down a bit doing some testing. The sudo
> >>>>>>>>>>> rules work when
> >>>>>>>>>> I remove the user group restriction from them. My sudo rules
> >>>>>>>>>> all have my ad groups in the rule
> >>>>>>>>>>>
> >>>>>>>>>>> Rule name: ad_linux_admins
> >>>>>>>>>>> Enabled: TRUE
> >>>>>>>>>>> Host category: all
> >>>>>>>>>>> Command category: all
> >>>>>>>>>>> RunAs User category: all
> >>>>>>>>>>> RunAs Group category: all
> >>>>>>>>>>> User Groups: ad_linux_admins <- if I remove this then
> >>>>>>>>>>> the rule gets
> >>>>>>>>>> applied
> >>>>>>>>>>
> >>>>>>>>>> Nice catch. Is the group visible after you login and run id?
> >>>>>>>>>>
> >>>>>>>>>> What is the exact IPA server version?
> >>>>>>>>>
> >>>>>>>>> Ok I also figured out if I rename my AD groups to match my IPA
> >>>>>>>>> groups then
> >>>>>>>> the sudo rules are applied.
> >>>>>>>>>
> >>>>>>>>> I tested a couple things though, if I put a rule in the local
> >>>>>>>>> sudoers file on a server running sssd 1.11
> >>>>>>>>>
> >>>>>>>>> %@ "sudo commands"
> >>>>>>>>>
> >>>>>>>>> That rule was not applied. If I remove the then
> >>>>>>>>> the rule got
> >>>>>>>> applied.
> >>>>>>>>>
> >>>>>>>>> On a server running sssd 1.12 that rule works, but does not
> >>>>>>>>> work if I
> >>>>>>>> remove the . And none of the IPA sudo rules work.
> >>>>>>>> So something changed with the domain suffix between versions it
> >>>>>>>> would appear.
> >>>>>>>>>
> >>>>>>>>> They key to making the IPA sudo rules work in 1.12 is to
> >>>>>>>>> remove the
> >>>>>>>> default_domain_suffix setting in the sssd.conf, but that's not
> >>>>>>>> an option in my environment.
> >>>>>>>>>
> >>>>>>>>> So all the moving parts together, it appears that having AD
> >>>>>>>>> groups with a different name than the IPA groups in
> >>>>>>>>> conjunction with the default_domain_suffix setting breaks
> >>>>>>>>> things
> >> right now in 1.12.
> >>>>>>>>> Appears since I renamed the ad group to match then the rule
> >>>>>>>>> without a domain suffix will get matched now
> >>>>>>>>
> >>>>>>>> Hello Andy,
> >>>>>>>>
> >>>>>>>> I'm sorry for the constant delays, but I was busy with some
> >>>>>>>> trust-related fixes lately.
> >>>>>>>>
> >>>>>>>> Did you have a chance to confirm that just swapping sssd /on
> >>>>>>>> the client/ while keeping the same version on the server fixes
> >>>>>>>> the issue for
> >>>>>> you?
> >>>>>>>>
> >>>>>>>> Pavel (CC), can you help me out here, please? I have the setup
> >>>>>>>> ready on my machine, so tomorrow we can take a look and
> >>>>>>>> experiment (I can give you access to my environment via tmate
> >>>>>>>> maybe..), but I wasn't able to reproduce the issue locally yet.
> >>>>>>>
> >>>>>>> It's fine I understand the backlog.
> >>>>>>>
> >>>>>>> I was not able to backrev the sssd due to dependency issues. I
> >>>>>>> tried
> >>>>>> downgrading all the dependencies and got in a loop and stopped
> >>>>>> trying. Are there any tricks you can think of to downgrade the
> >>>>>> sssd
> >>>> cleanly?
> >>>>>>>
> >>>>>>> -andy
> >>>>>>>
> >>>>>>
> >>>>>> What failures are you getting? I normally just download all
> >>>>>> \*sss\* packages and then downgrade with rpm -U --oldpackage.
> >>>>>
> >>>>>
> >>>>> I'm just trying to use yum. If I yum downgrade sssd I get a ton
> >>>>> of deps. If include all the deps it lists
> >>>>>
> >>>>> yum downgrade sssd sssd-proxy sssd-ipa sssd-common-pac sssd-krb5
> >>>>> sssd-krb5-common sssd-ldap sssd-ad libipa_hbac libipa_hbac-python
> >>>>> python-sssdconfig
> >>>>>
> >>>>> I get multilib errors with libsss_idmap.
> >>>>>
> >>>>> Looks like my local repo doesn't have libsss_idmap 1.11 available.
> >>>>> Let me
> >>>> look into that and see what repo it sits in and see if I can figure
> >>>> out why it's not pulling in.
> >>>>>
> >>>>> -andy
> >>>>>
> >>>>
> >>>> Hi, since none of us is able to reproduce this in house, can you
> >>>> give us more precise steps how to reproduce and more information?
> >>>> What I have in mind at this moment is:
> >>>>
> >>>> 1) How is membership defined? I suspect it goes as AD-USER ->
> >>>> AD-GROUP
> >>>> -> IPA->GROUP, right? What types of groups are used?
> >>>>
> >>>
> >>> I have AD user->AD group->external IPA group->IPA group
> >>>
> >>>> 2) sssd.conf might also turn out to be useful
> >>>>
> >>>> 3) Remove SSSD and sudo logs, reproduce and send us all the logs
> >>>> please with the commands to reproduce. Not just snippets.
> >>>>
> >>>
> >>> I can gather this up and get it over to you.
> >>>
> >>> Actually I just realized I have two other environments and this is
> >>> working
> >> without issue in those environments. I haven't done a full sudo
> >> rollout in those environments yet so I didn't think to check those,
> >> but the admins rule is working correctly and I haven't renamed any ad
> >> groups to match my IPA groups.
> >>>
> >>> Could it be something in a sudo rule or something in AD that's
> >>> interfering
> >> with this working correctly?
> >>
> >> I would first try to find the difference in the environment. Are sssd
> >> versions the same on the clients and servers? Are sudo versions the
> same?
> >>
> >> ...etc.
> >>
> >> Pavel has a sudo troubleshooting guide in the works, maybe it would
> help..
> >
> > All updates are controlled from the same repo so versions are all the same
> between the environments, that's why I'm wondering if something in AD
> could cause this. Can't imagine what it would be though. Groups are all
> mapped in the same way.
> >Sudo is setup the same and works fine it was just the AD group name being
> different that is throwing it fits in this one environment. Once I renamed the
> AD groups to match it all started pulling in without any issue.
>
> I think I don't really understand this paragraph. Can you be more descriptive
> and specific here, please? Please, give us specific examples of the groups,
> names, rules, etc.
>
For example, in my environments I have a group in AD called "Linux Admins". I've got that mapped into IPA as below
Linux Admins-> ad_linux_admins_external -> ad_linux_admins (posix)
In the environment displaying this behavior I had to rename the AD group to "ad_linux_admins" to match the posix group name in IPA in order for sudo rules to work in conjunction with the default_domain_suffix configured in sssd.
-andy
From kretebe at freemail.hu Thu Oct 1 09:20:20 2015
From: kretebe at freemail.hu (=?UTF-8?Q?Moln=C3=A1r_Domokos?=)
Date: Thu, 1 Oct 2015 11:20:20 +0200 (CEST)
Subject: [Freeipa-users] Sudo entry not found by sssd in the cache db
In-Reply-To: <560A7AC5.20607@redhat.com>
Message-ID:
"Pavel B?ezina" ?rta:
>On 09/15/2015 09:10 AM, Moln?r Domokos wrote:
>>
>> "Moln?r Domokos" ?rta:
>>
>> On 09/14/2015 03:08 PM, Pavel B?ezina wrote:
>>> On 09/11/2015 02:40 PM, Moln?r Domokos wrote:
>>>> Full log attached.
>>>> "Moln?r Domokos" ?rta:
>>>>
>>>>
>>>> "Pavel B?ezina" ?rta:
>>>>
>>>> On 09/09/2015 09:31 PM, Moln?r Domokos wrote:
>>>> > I have a working IPA server and a working client
>>>> config on an OpenSuse
>>>> > 13.2 with the following versions:
>>>> > nappali:~ # rpm -qa |grep sssd
>>>> > sssd-tools-1.12.2-3.4.1.i586
>>>> > sssd-krb5-1.12.2-3.4.1.i586
>>>> > python-sssd-config-1.12.2-3.4.1.i586
>>>> > sssd-ipa-1.12.2-3.4.1.i586
>>>> > sssd-1.12.2-3.4.1.i586
>>>> > sssd-dbus-1.12.2-3.4.1.i586
>>>> > sssd-krb5-common-1.12.2-3.4.1.i586
>>>> > sssd-ldap-1.12.2-3.4.1.i586
>>>> > sssd is confihured for nss, pam, sudo
>>>> > There is a test sudo rule defined in the ipa server,
>>>> which applies to
>>>> > user "doma". However when the user tries to use sudo
>>>> the rule does not
>>>> > work.
>>>> > doma at nappali:/home/doma> sudo ls
>>>> > doma's password:
>>>> > doma is not allowed to run sudo on nappali. This
>>>> incident will be reported.
>>>> > The corresponding log in the sssd_sudo.log is this:
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>>> [sss_cmd_get_version] (0x0200):
>>>> > Received client version [1].
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>>> [sss_cmd_get_version] (0x0200):
>>>> > Offered version [1].
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>>> [sss_parse_name_for_domains]
>>>> > (0x0200): name 'doma' matched without domain, user is doma
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>>> [sss_parse_name_for_domains]
>>>> > (0x0200): name 'doma' matched without domain, user is doma
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>>> [sudosrv_cmd_parse_query_done]
>>>> > (0x0200): Requesting default options for [doma] from
>>>> []
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>>> [sudosrv_get_user] (0x0200):
>>>> > Requesting info about [doma at szilva]
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>>> > [sudosrv_get_sudorules_query_cache] (0x0200):
>>>> Searching sysdb with
>>>> >
>>>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>>> > [sudosrv_get_sudorules_query_cache] (0x0200):
>>>> Searching sysdb with
>>>> > [(&(objectClass=sudoRule)(|(name=defaults)))]
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>>> [sss_parse_name_for_domains]
>>>> > (0x0200): name 'doma' matched without domain, user is doma
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>>> [sss_parse_name_for_domains]
>>>> > (0x0200): name 'doma' matched without domain, user is doma
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>>> [sudosrv_cmd_parse_query_done]
>>>> > (0x0200): Requesting rules for [doma] from []
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>>> [sudosrv_get_user] (0x0200):
>>>> > Requesting info about [doma at szilva]
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>>> > [sudosrv_get_sudorules_query_cache] (0x0200):
>>>> Searching sysdb with
>>>> >
>>>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp<=1441826725)))]
>>>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>>> > [sudosrv_get_sudorules_query_cache] (0x0200):
>>>> Searching sysdb with
>>>> >
>>>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
>>>> > (Wed Sep 9 21:25:30 2015) [sssd[sudo]] [client_recv]
>>>> (0x0200): Client
>>>> > disconnected!
>>>> > This seems perfectly OK with one exception. The query
>>>> against the sysdb
>>>> > does not find the entry. This is strange because the
>>>> entry is there.
>>>> > Log in sssd.log:
>>>> > (Wed Sep 2 08:52:13 2015) [sssd]
>>>> [sysdb_domain_init_internal] (0x0200):
>>>> > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
>>>> > So we know that the sysdb is
>>>> /var/lib/sss/db/cache_szilva.ldb
>>>> > Running the exact same query seen above in the
>>>> sssd_sudo.log against the
>>>> > db returns:
>>>> > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
>>>> >
>>>> "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
>>>> > asq: Unable to register control with rootdse!
>>>> > # record 1
>>>> > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>>>> > cn: Doma_ls
>>>> > dataExpireTimestamp: 1441830262
>>>> > entryUSN: 20521
>>>> > name: Doma_ls
>>>> > objectClass: sudoRule
>>>> > originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
>>>> > sudoCommand: ls
>>>> > sudoHost: nappali.szilva
>>>> > sudoRunAsGroup: ALL
>>>> > sudoRunAsUser: ALL
>>>> > sudoUser: doma
>>>> > distinguishedName:
>>>> name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>>>> > # returned 1 records
>>>> > # 1 entries
>>>> > # 0 referrals
>>>> > This confirms that the entry is indeed there in the
>>>> db. Why is it found
>>>> > with ldbsearch and why does sssd_sudo not find it?
>>>> > I am pretty much stuck with this one. Anyone has an idea?
>>>> >
>>>> >
>>>> Hi,
>>>> this is strange. Can you provide the logs with debug
>>>> level set to 0x3ff0
>>>>
>>>> please? Can you also send it as an attachment? Thanks!
>>>>
>>>> Sure. Here it is. Now I can see that the rule is returned. The
>>>> question is why the rule does not match. Anyway much better :)
>>>
>>> Hi, thanks for the logs. Since the rule is returned, we will get
>>> more information from sudo logs. Can you please enable sudo
>>> logging by putting the following line into /etc/sudo.conf?
>>>
>>> Debug sudo /var/log/sudo_debug all at trace
>>>
>>> Run sudo and send us /var/log/sudo_debug? Thanks
>>
>> Thanks for the tip with the proper debug syntax - I was unable to
>> get a single log item out of sudo before.
>>
>> I think I have found something. This is the relevant part of the
>> output of all at debug (you need this not trace I think):
>>
>> Sep 14 22:13:39 sudo[2314] username=doma
>> Sep 14 22:13:39 sudo[2314] domainname=NULL
>> Sep 14 22:13:39 sudo[2314] state |= USERMATCH
>> Sep 14 22:13:39 sudo[2314] Received 1 rule(s)
>> Sep 14 22:13:39 sudo[2314] -> sudo_sss_filter_result @ ./sssd.c:175
>> Sep 14 22:13:39 sudo[2314] in_res=0xb7c9c1b8, count=1, act=INCLUDE
>> Sep 14 22:13:39 sudo[2314] emalloc: cnt=1
>> Sep 14 22:13:39 sudo[2314] -> sudo_sss_result_filterp @ ./sssd.c:648
>> Sep 14 22:13:39 sudo[2314] -> sudo_sss_check_host @ ./sssd.c:556
>> Sep 14 22:13:39 sudo[2314] val[0]=nappali.szilva
>> Sep 14 22:13:39 sudo[2314] -> addr_matches @ ./match_addr.c:206
>> Sep 14 22:13:39 sudo[2314] -> addr_matches_if @ ./match_addr.c:61
>> Sep 14 22:13:39 sudo[2314] <- addr_matches_if @ ./match_addr.c:71 :=
>> false
>> Sep 14 22:13:39 sudo[2314] IP address nappali.szilva matches local
>> host: false @ addr_matches() ./match_addr.c:217
>> Sep 14 22:13:39 sudo[2314] <- addr_matches @ ./match_addr.c:218 := false
>> Sep 14 22:13:39 sudo[2314] -> netgr_matches @ ./match.c:941
>> Sep 14 22:13:39 sudo[2314] netgroup appali.szilva has no leading '+'
>> Sep 14 22:13:39 sudo[2314] <- netgr_matches @ ./match.c:953 := false
>> Sep 14 22:13:39 sudo[2314] -> hostname_matches @ ./match.c:776
>> Sep 14 22:13:39 sudo[2314] host nappali matches sudoers pattern
>> nappali.szilva: false @ hostname_matches() ./match.c:788
>> Sep 14 22:13:39 sudo[2314] <- hostname_matches @ ./match.c:789 := false
>> Sep 14 22:13:39 sudo[2314] sssd/ldap sudoHost 'nappali.szilva' ... not
>> Sep 14 22:13:39 sudo[2314] <- sudo_sss_check_host @ ./sssd.c:591 :=
>> false
>> Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_filterp @ ./sssd.c:654
>> := 0
>> Sep 14 22:13:39 sudo[2314] reallocating result: 0xb7cb1900 (count: 1
>> -> 0)
>> Sep 14 22:13:39 sudo[2314] <- sudo_sss_filter_result @ ./sssd.c:221
>> := 0xb7c9e410
>> Sep 14 22:13:39 sudo[2314] u_sss_result=(0xb7c9c1b8, 1) =>
>> f_sss_result=(0xb7c9e410, 0)
>> Sep 14 22:13:39 sudo[2314] <- sudo_sss_result_get @ ./sssd.c:728 :=
>> 0xb7c9e410
>> Sep 14 22:13:39 sudo[2314] searching SSSD/LDAP for sudoers entries
>> Sep 14 22:13:39 sudo[2314] Done with LDAP searches
>>
>>
>> And here is the code from match.c.
>>
>> bool
>> hostname_matches(const char *shost, const char *lhost, const char
>> *pattern)
>> {
>> debug_decl(hostname_matches, SUDO_DEBUG_MATCH)
>> const char *host;
>> bool rc;
>>
>> host = strchr(pattern, '.') != NULL ? lhost : shost;
>> if (has_meta(pattern)) {
>> rc = !fnmatch(pattern, host, FNM_CASEFOLD);
>> } else {
>> rc = !strcasecmp(host, pattern);
>> }
>> sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
>> "host %s matches sudoers pattern %s: %s",
>> host, pattern, rc ? "true" : "false");
>> debug_return_bool(rc);
>> }
>>
>> By the look of it it should match. I tried to find out how shost and
>> lhost get their values - these are macros to a member of the
>> sudo_user struct but that part is not debugged. Only thing I can
>> confirm is that I do not get the
>>
>> log_warning(MSG_ONLY, N_("unable to resolve host %s"), user_host);
>>
>> from line 816 of sudoers.c.
>>
>> I also checked the hosts file and there I do have the
>>
>> 192.168.110.3 nappali nappali.szilva
>>
>> entry.
>>
>> Still stuck whit this.
>> On 09/14/2015 03:08 PM, Pavel B?ezina wrote:
>> On 09/11/2015 02:40 PM, Moln?r Domokos wrote:
>> Full log attached.
>> "Moln?r Domokos" ?rta:
>>
>>
>> "Pavel B?ezina" ?rta:
>>
>> On 09/09/2015 09:31 PM, Moln?r Domokos wrote:
>>
>> > I have a working IPA server and a working client config on an OpenSuse
>> > 13.2 with the following versions:
>> > nappali:~ # rpm -qa |grep sssd
>> > sssd-tools-1.12.2-3.4.1.i586
>> > sssd-krb5-1.12.2-3.4.1.i586
>> > python-sssd-config-1.12.2-3.4.1.i586
>> > sssd-ipa-1.12.2-3.4.1.i586
>> > sssd-1.12.2-3.4.1.i586
>> > sssd-dbus-1.12.2-3.4.1.i586
>> > sssd-krb5-common-1.12.2-3.4.1.i586
>> > sssd-ldap-1.12.2-3.4.1.i586
>> > sssd is confihured for nss, pam, sudo
>>
>> > There is a test sudo rule defined in the ipa server, which applies to
>> > user "doma".
>> However when the user tries to use sudo the rule does not
>> > work.
>> > doma at nappali:/home/doma> sudo ls
>> > doma's password:
>> > doma is not allowed to run sudo on nappali.
>> This incident will be reported.
>> > The corresponding log in the sssd_sudo.log is this:
>> > (Wed Sep
>> 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>> > Received client version [1].
>> > (Wed Sep
>> 9 21:25:25 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>> > Offered version [1].
>> > (Wed Sep
>> 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>>
>> > (0x0200): name 'doma' matched without domain, user is doma
>> > (Wed Sep
>> 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>>
>> > (0x0200): name 'doma' matched without domain, user is doma
>> > (Wed Sep
>> 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>> > (0x0200): Requesting default options for [doma] from []
>> > (Wed Sep
>> 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> > Requesting info about [doma at szilva]
>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>
>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>>
>> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp
>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>
>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> > [(&(objectClass=sudoRule)(|(name=defaults)))]
>> > (Wed Sep
>> 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>>
>> > (0x0200): name 'doma' matched without domain, user is doma
>> > (Wed Sep
>> 9 21:25:25 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>>
>> > (0x0200): name 'doma' matched without domain, user is doma
>> > (Wed Sep
>> 9 21:25:25 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>> > (0x0200): Requesting rules for [doma] from []
>> > (Wed Sep
>> 9 21:25:25 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> > Requesting info about [doma at szilva]
>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>
>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>>
>> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*))(&(dataExpireTimestamp
>> > (Wed Sep 9 21:25:25 2015) [sssd[sudo]]
>>
>> > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>>
>> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))]
>> > (Wed Sep
>> 9 21:25:30 2015) [sssd[sudo]] [client_recv] (0x0200): Client
>> > disconnected!
>>
>> > This seems perfectly OK with one exception. The query against the sysdb
>>
>> > does not find the entry. This is strange because the entry is there.
>> > Log in sssd.log:
>> > (Wed Sep
>> 2 08:52:13 2015) [sssd] [sysdb_domain_init_internal] (0x0200):
>> > DB File for szilva: /var/lib/sss/db/cache_szilva.ldb
>>
>> > So we know that the sysdb is /var/lib/sss/db/cache_szilva.ldb
>>
>> > Running the exact same query seen above in the sssd_sudo.log against the
>> > db returns:
>> > ldbsearch -H /var/lib/sss/db/cache_szilva.ldb
>> >
>> "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=doma)(sudoUser=#1816400003)(sudoUser=%ipausers)(sudoUser=%picture_access)(sudoUser=%doma)(sudoUser=+*)))"
>> > asq: Unable to register control with rootdse!
>> > # record 1
>> > dn: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>> > cn: Doma_ls
>> > dataExpireTimestamp: 1441830262
>> > entryUSN: 20521
>> > name: Doma_ls
>> > objectClass: sudoRule
>> > originalDN: cn=Doma_ls,ou=sudoers,dc=szilva
>> > sudoCommand: ls
>> > sudoHost: nappali.szilva
>> > sudoRunAsGroup: ALL
>> > sudoRunAsUser: ALL
>> > sudoUser: doma
>>
>> > distinguishedName: name=Doma_ls,cn=sudorules,cn=custom,cn=szilva,cn=sysdb
>> > # returned 1 records
>> > # 1 entries
>> > # 0 referrals
>>
>> > This confirms that the entry is indeed there in the db. Why is it found
>> > with ldbsearch and why does sssd_sudo not find it?
>> > I am pretty much stuck with this one. Anyone has an idea?
>> >
>> >
>> Hi,
>>
>> this is strange. Can you provide the logs with debug level set to 0x3ff0
>>
>> please? Can you also send it as an attachment? Thanks!
>>
>> Sure. Here it is. Now I can see that the rule is returned. The
>> question is why the rule does not match. Anyway much better :)
>>
>> Hi, thanks for the logs. Since the rule is returned, we will get more information from sudo logs. Can you please enable sudo logging by putting the following line into /etc/sudo.conf?
>>
>> Debug sudo /var/log/sudo_debug all at trace
>>
>> Run sudo and send us /var/log/sudo_debug? Thanks
>>
>> Thanks for the tip with the proper debug syntax - I was unable to get a single log item out of sudo before.
>>
>> I think I have found something. This is the relevant part of the output of all at debug (you need this not trace I think):
>>
>> Sep 14 22:13:39 sudo[2314] username=doma
>> Sep 14 22:13:39 sudo[2314] domainname=NULL
>> Sep 14 22:13:39 sudo[2314] state |= USERMATCH
>> Sep 14 22:13:39 sudo[2314] Received 1 rule(s)
>> Sep 14 22:13:39 sudo[2314] -> sudo_sss_filter_result @ ./sssd.c:175
>> Sep 14 22:13:39 sudo[2314] in_res=0xb7c9c1b8, count=1, act=INCLUDE
>> Sep 14 22:13:39 sudo[2314] emalloc: cnt=1
>> Sep 14 22:13:39 sudo[2314] -> sudo_sss_result_filterp @ ./sssd.c:648
>> Sep 14 22:13:39 sudo[2314] -> sudo_sss_check_host @ ./sssd.c:556
>> Sep 14 22:13:39 sudo[2314] val[0]=nappali.szilva
>> Sep 14 22:13:39 sudo[2314] -> addr_matches @ ./match_addr.c:206
>> Sep 14 22:13:39 sudo[2314] -> addr_matches_if @ ./match_addr.c:61
>> Sep 14 22:13:39 sudo[2314]
>> Sep 14 22:13:39 sudo[2314] IP address nappali.szilva matches local host: false @ addr_matches() ./match_addr.c:217
>> Sep 14 22:13:39 sudo[2314]
>> Sep 14 22:13:39 sudo[2314] -> netgr_matches @ ./match.c:941
>> Sep 14 22:13:39 sudo[2314] netgroup appali.szilva has no leading '+'
>> Sep 14 22:13:39 sudo[2314]
>> Sep 14 22:13:39 sudo[2314] -> hostname_matches @ ./match.c:776
>> Sep 14 22:13:39 sudo[2314] host nappali matches sudoers pattern nappali.szilva: false @ hostname_matches() ./match.c:788
>> Sep 14 22:13:39 sudo[2314]
>> Sep 14 22:13:39 sudo[2314] sssd/ldap sudoHost 'nappali.szilva' ... not
>> Sep 14 22:13:39 sudo[2314]
>> Sep 14 22:13:39 sudo[2314]
>> Sep 14 22:13:39 sudo[2314] reallocating result: 0xb7cb1900 (count: 1 -> 0)
>> Sep 14 22:13:39 sudo[2314]
>> Sep 14 22:13:39 sudo[2314] u_sss_result=(0xb7c9c1b8, 1) => f_sss_result=(0xb7c9e410, 0)
>> Sep 14 22:13:39 sudo[2314]
>> Sep 14 22:13:39 sudo[2314] searching SSSD/LDAP for sudoers entries
>> Sep 14 22:13:39 sudo[2314] Done with LDAP searches
>>
>>
>> And here is the code from match.c.
>>
>> bool
>> hostname_matches(const char *shost, const char *lhost, const char *pattern)
>> {
>> debug_decl(hostname_matches, SUDO_DEBUG_MATCH)
>> const char *host;
>> bool rc;
>>
>> host = strchr(pattern,'.') != NULL ? lhost : shost;
>> if (has_meta(pattern)) {
>> rc = !fnmatch(pattern, host, FNM_CASEFOLD);
>> } else {
>> rc = !strcasecmp(host, pattern);
>> }
>> sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
>> "host %s matches sudoers pattern %s: %s",
>> host, pattern, rc ? "true" : "false");
>> debug_return_bool(rc);
>> }
>>
>> By the look of it it should match. I tried to find out how shost and lhost get their values - these are macros to a member of the sudo_user struct but that part is not debugged. Only thing I can confirm is that I do not get the
>>
>> log_warning(MSG_ONLY, N_("unable to resolve host %s"), user_host);
>>
>> from line 816 of sudoers.c.
>>
>> I also checked the hosts file and there I do have the
>>
>> 192.168.110.3 nappali nappali.szilva
>>
>> entry.
>>
>> Still stuck whit this.
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>> Additional info. In match.c
>>
>> 780 host = strchr(pattern, '.') != NULL ? lhost : shost;
>>
>> if the pattern contains a '.' then lhost is used, which is then
>>
>> 784 rc = !strcasecmp(host, pattern);
>>
>> compared with the pattern. In our case - from the debug log - host is
>> "nappali" while the pattern is "nappali.szilva".
>>
>> Clearly from some reason lhost does not contain the fqdn as it should. I
>> also tested the set_fqdn at line 806 in sudoers.c with this code:
>>
>> void
>> main(void)
>> {
>> struct addrinfo *res0, hint;
>> char *p;
>> char *user_host, *user_shost;
>>
>> user_host=malloc(500);
>> user_shost=malloc(500);
>>
>> memset(&hint, 0, sizeof(hint));
>> hint.ai_family = PF_UNSPEC;
>> hint.ai_flags = AI_FQDN;
>> if (getaddrinfo("nappali", NULL, &hint, &res0) != 0) {
>> printf("unable to resolve host %s", user_host);
>> } else {
>> user_host = strdup(res0->ai_canonname);
>> printf ("Canonname, user_host: %s,
>> %s\n",res0->ai_canonname,user_host);
>> if ((p = strchr(user_host, '.')) != NULL)
>> user_shost = strndup(user_host, (size_t)(p - user_host));
>> else
>> user_shost = user_host;
>> }
>> printf("Shost: %s\n",user_shost);
>> }
>>
>> This outputs on the host in question:
>>
>> doma at nappali:/home/doma> cc test.c
>> doma at nappali:/home/doma> ./a.out
>> Canonname, user_host: nappali.szilva, nappali.szilva
>> Shost: nappali
>>
>> Seems OK.
>>
>> Any idea?
>
>Hi, I'm sorry for a late delay. Did you manage to create any progress on
>this?
>
Hi, yes. Actually a workaround had been identified. One needs to set hostname to the fqdn and then it works.
On Tue, Sep 15, 2015 at 01:58:07PM +0300, Alexander Bokovoy wrote:
>> sudo doesn't do normalization and IPA's way of exposing host names is by using by default fqdn. So sudo compares local hostname with fqdn-based one, guess which way it will succeed? You theoretically could have every hostname in IPA registered non-fqdn but what you cannot have is a mix between fqdn- and non-fqdn names.
And I replied:
You may well be right but I still think this is a bug in sudo/sssd plugin. As sudo does indeed try to nomalize, but it fails. Here's why I think so:
@line 582 in sssd.c: when calling hostname_matches it is a clear intention of the code that the hostname matching is done both against the fqdn and the naked hostname.
@lines 773-790 in match.c: the implementation of hostname_matches(..) is done correctly. It guesses intelligently and chooses to match either against the fqdn or the naked hostname based on the format of the hostname provided by IPA. If there is a '.' in the IPA provided hostname name then the hostname compared to the fqdn otherwise it is compared to the bare hostname.
@line 805 in sudoers.c in set_fqdn the fqdn is correctly retrieved for the host during initialization - so sudo is indeed aware of both host name versions. I tested this part it it works OK.
The bug - I think - is that the information correctly retrieved during init through set_fqdn in sudoers.c somehow does not make its way to line 582 in sssd.c. There both user_shost and user_host seem to contain the naked hostname unless the bare hostaname contains the fqdn itself.
I do not have enough time to find out why this happens but the above evidence suggests that there is a bug somewhere in the process.
From abokovoy at redhat.com Thu Oct 1 14:03:24 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 1 Oct 2015 17:03:24 +0300
Subject: [Freeipa-users] NFS Automount Domain Homedirs
In-Reply-To:
References:
<20150929154754.GE4539@redhat.com>
<20150930140846.GN4539@redhat.com>
<20150930144619.GP4539@redhat.com>
Message-ID: <20151001140324.GD4971@redhat.com>
On Wed, 30 Sep 2015, Sadettin Albasan wrote:
>Here is a list of installed sssd packages:
>
>sssd-client-1.12.4-47.el6.x86_64
>sssd-common-1.12.4-47.el6.x86_64
>sssd-ad-1.12.4-47.el6.x86_64
>sssd-1.12.4-47.el6.x86_64
>python-sssdconfig-1.12.4-47.el6.noarch
>sssd-krb5-common-1.12.4-47.el6.x86_64
>sssd-ipa-1.12.4-47.el6.x86_64
>sssd-ldap-1.12.4-47.el6.x86_64
>sssd-proxy-1.12.4-47.el6.x86_64
>sssd-tools-1.12.4-47.el6.x86_64
>sssd-common-pac-1.12.4-47.el6.x86_64
>sssd-krb5-1.12.4-47.el6.x86_64
Thanks.
My apologies, we checked with Sumit and apparently, SSSD in RHEL 6.7 was
built without support for NFS idmap module.
Can you check if using CentOS 7 client and server for NFS would work?
--
/ Alexander Bokovoy
From fujisan43 at gmail.com Thu Oct 1 14:23:01 2015
From: fujisan43 at gmail.com (Fujisan)
Date: Thu, 1 Oct 2015 16:23:01 +0200
Subject: [Freeipa-users] User removed from IPA but still present in LDAP,
so cannot him again in IPA web UI
Message-ID:
Hello,
I want to add user 'user1' with the freeipa web UI. It is not present in
the list of users in the web UI but when I click "add", it says 'user with
name "user1" already exists'.
ldapsearch shows 'user1' is there:
---------------------------------------------------------------
$ ldapsearch -x -h ipasrv uid=user1
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: uid=user1
# requesting: ALL
#
# user1, users, compat, mydomain
dn: uid=user1,cn=users,cn=compat,dc=mydomain
objectClass: posixAccount
objectClass: top
cn: user one
gidNumber: 1029
gecos: user one
uidNumber: 1029
loginShell: /bin/bash
homeDirectory: /home/user1
uid: user1
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
---------------------------------------------------------------
and ldapdelete doesn't work:
---------------------------------------------------------------
$ ldapdelete -x -h ipasrv 'uid=user1,cn=users,cn=compat,dc=mydomain'
ldap_delete: No such object (32)
matched DN: dc=mydomain
---------------------------------------------------------------
How can I remove 'user1' completely?
Regards,
Fuji
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From abokovoy at redhat.com Thu Oct 1 14:33:11 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 1 Oct 2015 17:33:11 +0300
Subject: [Freeipa-users] User removed from IPA but still present in LDAP,
so cannot him again in IPA web UI
In-Reply-To:
References:
Message-ID: <20151001143311.GE4971@redhat.com>
On Thu, 01 Oct 2015, Fujisan wrote:
>Hello,
>
>I want to add user 'user1' with the freeipa web UI. It is not present in
>the list of users in the web UI but when I click "add", it says 'user with
>name "user1" already exists'.
>
>ldapsearch shows 'user1' is there:
>---------------------------------------------------------------
>$ ldapsearch -x -h ipasrv uid=user1
># extended LDIF
>#
># LDAPv3
># base (default) with scope subtree
># filter: uid=user1
># requesting: ALL
>#
>
># user1, users, compat, mydomain
>dn: uid=user1,cn=users,cn=compat,dc=mydomain
>objectClass: posixAccount
>objectClass: top
>cn: user one
>gidNumber: 1029
>gecos: user one
>uidNumber: 1029
>loginShell: /bin/bash
>homeDirectory: /home/user1
>uid: user1
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>---------------------------------------------------------------
>
>and ldapdelete doesn't work:
>---------------------------------------------------------------
>$ ldapdelete -x -h ipasrv 'uid=user1,cn=users,cn=compat,dc=mydomain'
>ldap_delete: No such object (32)
> matched DN: dc=mydomain
>---------------------------------------------------------------
>
>How can I remove 'user1' completely?
Compat tree (cn=compat,dc=mydomain) is a read-only tree which is
generated based on the primary tree (in cn=accounts,dc=mydomain).
If there is no entry in the primary tree, there wouldn't be any entry in
compat tree because it only adds (or removes) entries based on their
existence in the primary tree.
What I see looks like a replication conflict that might have left an
entry named
uid=user1+nsuniqueid=,cn=users,cn=accounts,dc=mydomain and
which caused creation of this compat tree entry.
Can you show output of
ldapsearch -D cn=directory\ manager -W -b cn=accounts,dc=mydomain '(uid=user1*)'
?
--
/ Alexander Bokovoy
From aebruno2 at buffalo.edu Thu Oct 1 15:03:09 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Thu, 1 Oct 2015 11:03:09 -0400
Subject: [Freeipa-users] ipa upgrade failed
Message-ID: <20151001150309.GA10653@dead.ccr.buffalo.edu>
Running CentOS 7.1.1503.
Upgrading via yum update from:
ipa-server.x86_64 0:4.1.0-18.el7.centos.3
--to--
ipa-server.x86_64 0:4.1.0-18.el7.centos.4
We have 3 replicates. Upgrading the first replicate (first-master) went
fine. Upgrading the second replicate failed.
Got the following error during the update on the second replicate:
Pre schema upgrade failed with [Errno 111] Connection refused
IPA upgrade failed.
Where should I look for more info? Looked in the usual places and didn't
see anything out of the ordinary. How can I fix/verify the upgrade?
Thanks!
--Andrew
From d.korittki at mittwald.de Thu Oct 1 15:06:34 2015
From: d.korittki at mittwald.de (Dominik Korittki)
Date: Thu, 1 Oct 2015 17:06:34 +0200
Subject: [Freeipa-users] FreeIPA 3.3 performance issues with many hosts
Message-ID: <560D4BFA.2040303@mittwald.de>
Hello folks,
I am running two FreeIPA Servers with around 100 users and around 15.000
hosts, which are used by users to login via ssh. The FreeIPA servers
(which are Centos 7.0) ran good for a while, but as more and more hosts
got migrated to serve as FreeIPA hosts, it started to get slow and unstable.
For example, its hard to maintain hostgroups, which have more than 1.000
hosts. The ipa host-* commands are getting slower as the hostgroup
grows. Is this normal?
We also experience random dirsrv segfaults. Here's a dmesg line from the
latest:
[690787.647261] traps: ns-slapd[5217] general protection ip:7f8d6b6d6bc1
sp:7f8d3aff2a88 error:0 in libc-2.17.so[7f8d6b650000+1b6000]
Nothing in /var/log/dirsrv/slapd-INTERNAL/errors, which relates to the
problem.
I'm thinking about migrating to latest CentOS 7 FreeIPA 4, but does that
solve my problems?
FreeIPA server version is 3.3.3-28.el7.centos
389-ds-base.x86_64 is 1.3.1.6-26.el7_0
Kind regards,
Dominik Korittki
From mbasti at redhat.com Thu Oct 1 15:09:23 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 1 Oct 2015 17:09:23 +0200
Subject: [Freeipa-users] ipa upgrade failed
In-Reply-To: <20151001150309.GA10653@dead.ccr.buffalo.edu>
References: <20151001150309.GA10653@dead.ccr.buffalo.edu>
Message-ID: <560D4CA3.8080609@redhat.com>
On 10/01/2015 05:03 PM, Andrew E. Bruno wrote:
> Running CentOS 7.1.1503.
>
> Upgrading via yum update from:
>
> ipa-server.x86_64 0:4.1.0-18.el7.centos.3
>
> --to--
>
> ipa-server.x86_64 0:4.1.0-18.el7.centos.4
>
>
> We have 3 replicates. Upgrading the first replicate (first-master) went
> fine. Upgrading the second replicate failed.
>
> Got the following error during the update on the second replicate:
>
> Pre schema upgrade failed with [Errno 111] Connection refused
> IPA upgrade failed.
>
> Where should I look for more info? Looked in the usual places and didn't
> see anything out of the ordinary. How can I fix/verify the upgrade?
>
> Thanks!
>
> --Andrew
>
Hello,
can you check /var/log/ipaupgrade.log and /var/log/dirsrv/slapd-*/errors
for more specific errors?
Martin
From jhrozek at redhat.com Thu Oct 1 15:19:17 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 1 Oct 2015 17:19:17 +0200
Subject: [Freeipa-users] [FreeIPA] SUDO fails with system error
In-Reply-To:
References:
Message-ID: <20151001151917.GD17053@hendrix.redhat.com>
On Thu, Oct 01, 2015 at 12:14:34PM +0000, Markus.Moj at mc.ingenico.com wrote:
> Dear @all,
>
>
>
> I?ve an issue with two, Oracle Linux based, clients and my freeipa server. I can authenticate on any on the enrolled machines but the two oracle server aren?t able to access sudo and I don?t know why.
~~~~~~~~~~~
What version of OEL and sssd?
>
> Here are a few thing I?ve already figured out.
>
>
>
> Both machines are enrolled from scratch and I see following entries in ldap_child.log
>
> (Thu Oct 1 12:51:52 2015) [[sssd[ldap_child[3933]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/@' not found in Kerberos database
>
> (Thu Oct 1 12:51:52 2015) [[sssd[ldap_child[3934]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/@' not found in Kerberos database
This looks like the enrollment is not correct, are you able to kinit -k
?
>
>
>
> Furthermore I get following entries in secure log
>
> pam_unix(sudo:auth): authentication failure; logname= uid=957400001 euid=0 tty=/dev/pts/1 ruser= rhost= user=
>
> pam_sss(sudo:auth): authentication failure; logname= uid=957400001 euid=0 tty=/dev/pts/1 ruser= rhost= user=
>
> pam_sss(sudo:auth): received for user : 4 (System error)
You said you were able to authenticate, but here the authentication is
throwing system error. How did you authenticate, was it maye with ssh
keys?
Is that all you have in krb5_child.log? I don't see the child exiting in
the logs..
From aebruno2 at buffalo.edu Thu Oct 1 15:28:35 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Thu, 1 Oct 2015 11:28:35 -0400
Subject: [Freeipa-users] ipa upgrade failed
In-Reply-To: <560D4CA3.8080609@redhat.com>
References: <20151001150309.GA10653@dead.ccr.buffalo.edu>
<560D4CA3.8080609@redhat.com>
Message-ID: <20151001152835.GB10653@dead.ccr.buffalo.edu>
On Thu, Oct 01, 2015 at 05:09:23PM +0200, Martin Basti wrote:
>
>
> On 10/01/2015 05:03 PM, Andrew E. Bruno wrote:
> >Running CentOS 7.1.1503.
> >
> >Upgrading via yum update from:
> >
> > ipa-server.x86_64 0:4.1.0-18.el7.centos.3
> >
> > --to--
> >
> > ipa-server.x86_64 0:4.1.0-18.el7.centos.4
> >
> >We have 3 replicates. Upgrading the first replicate (first-master) went
> >fine. Upgrading the second replicate failed.
> >
> >Got the following error during the update on the second replicate:
> >
> >Pre schema upgrade failed with [Errno 111] Connection refused
> >IPA upgrade failed.
> >
> >Where should I look for more info? Looked in the usual places and didn't
> >see anything out of the ordinary. How can I fix/verify the upgrade?
> >
> >Thanks!
> >
> >--Andrew
> >
> Hello,
>
> can you check /var/log/ipaupgrade.log and /var/log/dirsrv/slapd-*/errors for
> more specific errors?
Here's the errors from /var/log/dirsrv/slapd-*/errors right around the time of the upgrade:
[01/Oct/2015:10:42:37 -0400] - slapd shutting down - signaling operation threads - op stack size 84 max work q size 59 max work q stack size 59
[01/Oct/2015:10:44:50 -0400] - Information: Non-Secure Port Disabled
[01/Oct/2015:10:44:50 -0400] - 389-Directory/1.3.3.1 B2015.218.023 starting up
[01/Oct/2015:10:44:50 -0400] - WARNING: changelog: entry cache size 512000B is less than db size 28639232B; We recommend to increase the entry cache size nsslapd-cachememsize.
[01/Oct/2015:10:44:50 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
...
tion.
[01/Oct/2015:10:45:03 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-INT-CCR-BUFFALO-EDU/cldb/9fc73292-2b0911e5-a53bd3a1-f3bbc58c.sema; NSPR error - -5943
[01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-INT-CCR-BUFFALO-EDU/cldb/d0a7671e-2b0911e5-a53bd3a1-f3bbc58c.sema; NSPR error - -5943
[01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated
[01/Oct/2015:10:45:08 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/srv-d13-39-02.int.ccr.buffalo.edu at INT.CCR.BUFFALO.EDU] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-srv-d13-39-02.int.ccr.buffalo.edu-pki-tomcat" (srv-d13-38-02:389): Unable to acquire replica: the replica instructed us to go into backoff mode. Will retry later.
[01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=int,dc=ccr,dc=buffalo,dc=edu. Check if DB RUV needs to be updated
[01/Oct/2015:10:45:08 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
...
[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22231 (rc: 32)
[01/Oct/2015:10:45:09 -0400] - slapd started. Listening on /var/run/slapd-INT-CCR-BUFFALO-EDU.socket for LDAPI requests
[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22232 (rc: 32)
[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22233 (rc: 32)
[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22234 (rc: 32)
[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22235 (rc: 32)
[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22236 (rc: 32)
[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22237 (rc: 32)
[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22238 (rc: 32)
[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22239 (rc: 32)
[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22240 (rc: 32)
..
These delete_changerecord are repeated all the way to 321722.
Here's the errors from /var/log/ipaupgrade.log
2015-10-01T14:44:49Z DEBUG [4/10]: starting directory server
2015-10-01T14:44:49Z DEBUG Starting external process
2015-10-01T14:44:49Z DEBUG args='/bin/systemctl' 'start' 'dirsrv at INT-CCR-BUFFALO-EDU.service'
2015-10-01T14:44:50Z DEBUG Process finished, return code=0
2015-10-01T14:44:50Z DEBUG stdout=
2015-10-01T14:44:50Z DEBUG stderr=
2015-10-01T14:44:50Z DEBUG duration: 0 seconds
2015-10-01T14:44:50Z DEBUG [5/10]: preparing server upgrade
2015-10-01T14:45:00Z ERROR Pre schema upgrade failed with [Errno 111] Connection refused
2015-10-01T14:45:00Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 128, in __pre_schema_upgrade
ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run, plugins=True)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 220, in __init__
self.create_connection()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 783, in create_connection
dm_password=self.dm_password, pw_name=self.pw_name)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
conn.do_external_bind(pw_name)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
self.__wait_for_connection(timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
wait_for_open_socket(lurl.hostport, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, in wait_for_open_socket
raise e
error: [Errno 111] Connection refused
2015-10-01T14:45:00Z DEBUG duration: 10 seconds
2015-10-01T14:45:00Z DEBUG [6/10]: updating schema
...
2015-10-01T14:45:43Z DEBUG duration: 2 seconds
2015-10-01T14:45:43Z DEBUG [9/10]: restoring configuration
2015-10-01T14:45:43Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-10-01T14:45:43Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-10-01T14:45:43Z DEBUG duration: 0 seconds
2015-10-01T14:45:43Z DEBUG [10/10]: starting directory server
2015-10-01T14:45:43Z DEBUG Starting external process
2015-10-01T14:45:43Z DEBUG args='/bin/systemctl' 'start' 'dirsrv at INT-CCR-BUFFALO-EDU.service'
2015-10-01T14:45:44Z DEBUG Process finished, return code=0
2015-10-01T14:45:44Z DEBUG stdout=
2015-10-01T14:45:44Z DEBUG stderr=
2015-10-01T14:45:44Z DEBUG Starting external process
2015-10-01T14:45:44Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv at INT-CCR-BUFFALO-EDU.service'
2015-10-01T14:45:44Z DEBUG Process finished, return code=0
2015-10-01T14:45:44Z DEBUG stdout=active
2015-10-01T14:45:44Z DEBUG stderr=
2015-10-01T14:45:44Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2015-10-01T14:45:51Z DEBUG duration: 7 seconds
2015-10-01T14:45:51Z DEBUG Done.
2015-10-01T14:45:51Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 151, in run
raise admintool.ScriptError('IPA upgrade failed.', 1)
2015-10-01T14:45:51Z DEBUG The ipa-ldap-updater command failed, exception: ScriptError: IPA upgrade failed.
2015-10-01T14:45:51Z ERROR IPA upgrade failed.
2015-10-01T14:45:51Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with options: {'debug': False, 'quiet': True}
2015-10-01T14:45:51Z DEBUG IPA version 4.1.0-18.el7.centos.4
2015-10-01T14:45:51Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
...
2015-10-01T14:48:37Z DEBUG The CA status is: running
2015-10-01T14:48:37Z INFO The ipa-upgradeconfig command was successful
But from looking through the ipaupgrade.log it seems like the schema changes were in fact applied?
From fujisan43 at gmail.com Thu Oct 1 15:34:26 2015
From: fujisan43 at gmail.com (Fujisan)
Date: Thu, 1 Oct 2015 17:34:26 +0200
Subject: [Freeipa-users] User removed from IPA but still present in LDAP,
so cannot him again in IPA web UI
In-Reply-To: <20151001143311.GE4971@redhat.com>
References:
<20151001143311.GE4971@redhat.com>
Message-ID:
I get this:
-----------------------------
$ ldapsearch -D cn=directory\ manager -W -b cn=accounts,dc=mydomain
'(uid=user1*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (uid=user1*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
-----------------------------
On Thu, Oct 1, 2015 at 4:33 PM, Alexander Bokovoy
wrote:
> On Thu, 01 Oct 2015, Fujisan wrote:
>
>> Hello,
>>
>> I want to add user 'user1' with the freeipa web UI. It is not present in
>> the list of users in the web UI but when I click "add", it says 'user with
>> name "user1" already exists'.
>>
>> ldapsearch shows 'user1' is there:
>> ---------------------------------------------------------------
>> $ ldapsearch -x -h ipasrv uid=user1
>> # extended LDIF
>> #
>> # LDAPv3
>> # base (default) with scope subtree
>> # filter: uid=user1
>> # requesting: ALL
>> #
>>
>> # user1, users, compat, mydomain
>> dn: uid=user1,cn=users,cn=compat,dc=mydomain
>> objectClass: posixAccount
>> objectClass: top
>> cn: user one
>> gidNumber: 1029
>> gecos: user one
>> uidNumber: 1029
>> loginShell: /bin/bash
>> homeDirectory: /home/user1
>> uid: user1
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> ---------------------------------------------------------------
>>
>> and ldapdelete doesn't work:
>> ---------------------------------------------------------------
>> $ ldapdelete -x -h ipasrv 'uid=user1,cn=users,cn=compat,dc=mydomain'
>> ldap_delete: No such object (32)
>> matched DN: dc=mydomain
>> ---------------------------------------------------------------
>>
>> How can I remove 'user1' completely?
>>
> Compat tree (cn=compat,dc=mydomain) is a read-only tree which is
> generated based on the primary tree (in cn=accounts,dc=mydomain).
>
> If there is no entry in the primary tree, there wouldn't be any entry in
> compat tree because it only adds (or removes) entries based on their
> existence in the primary tree.
>
> What I see looks like a replication conflict that might have left an
> entry named
> uid=user1+nsuniqueid=,cn=users,cn=accounts,dc=mydomain and
> which caused creation of this compat tree entry.
>
> Can you show output of ldapsearch -D cn=directory\ manager -W -b
> cn=accounts,dc=mydomain '(uid=user1*)'
> ?
> --
> / Alexander Bokovoy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From mbasti at redhat.com Thu Oct 1 15:40:34 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 1 Oct 2015 17:40:34 +0200
Subject: [Freeipa-users] ipa upgrade failed
In-Reply-To: <20151001152835.GB10653@dead.ccr.buffalo.edu>
References: <20151001150309.GA10653@dead.ccr.buffalo.edu>
<560D4CA3.8080609@redhat.com>
<20151001152835.GB10653@dead.ccr.buffalo.edu>
Message-ID: <560D53F2.5@redhat.com>
On 10/01/2015 05:28 PM, Andrew E. Bruno wrote:
> On Thu, Oct 01, 2015 at 05:09:23PM +0200, Martin Basti wrote:
>>
>> On 10/01/2015 05:03 PM, Andrew E. Bruno wrote:
>>> Running CentOS 7.1.1503.
>>>
>>> Upgrading via yum update from:
>>>
>>> ipa-server.x86_64 0:4.1.0-18.el7.centos.3
>>>
>>> --to--
>>>
>>> ipa-server.x86_64 0:4.1.0-18.el7.centos.4
>>>
>>> We have 3 replicates. Upgrading the first replicate (first-master) went
>>> fine. Upgrading the second replicate failed.
>>>
>>> Got the following error during the update on the second replicate:
>>>
>>> Pre schema upgrade failed with [Errno 111] Connection refused
>>> IPA upgrade failed.
>>>
>>> Where should I look for more info? Looked in the usual places and didn't
>>> see anything out of the ordinary. How can I fix/verify the upgrade?
>>>
>>> Thanks!
>>>
>>> --Andrew
>>>
>> Hello,
>>
>> can you check /var/log/ipaupgrade.log and /var/log/dirsrv/slapd-*/errors for
>> more specific errors?
> Here's the errors from /var/log/dirsrv/slapd-*/errors right around the time of the upgrade:
>
> [01/Oct/2015:10:42:37 -0400] - slapd shutting down - signaling operation threads - op stack size 84 max work q size 59 max work q stack size 59
> [01/Oct/2015:10:44:50 -0400] - Information: Non-Secure Port Disabled
> [01/Oct/2015:10:44:50 -0400] - 389-Directory/1.3.3.1 B2015.218.023 starting up
> [01/Oct/2015:10:44:50 -0400] - WARNING: changelog: entry cache size 512000B is less than db size 28639232B; We recommend to increase the entry cache size nsslapd-cachememsize.
> [01/Oct/2015:10:44:50 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
> ...
> tion.
> [01/Oct/2015:10:45:03 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-INT-CCR-BUFFALO-EDU/cldb/9fc73292-2b0911e5-a53bd3a1-f3bbc58c.sema; NSPR error - -5943
> [01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-INT-CCR-BUFFALO-EDU/cldb/d0a7671e-2b0911e5-a53bd3a1-f3bbc58c.sema; NSPR error - -5943
> [01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated
> [01/Oct/2015:10:45:08 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/srv-d13-39-02.int.ccr.buffalo.edu at INT.CCR.BUFFALO.EDU] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> [01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-srv-d13-39-02.int.ccr.buffalo.edu-pki-tomcat" (srv-d13-38-02:389): Unable to acquire replica: the replica instructed us to go into backoff mode. Will retry later.
> [01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=int,dc=ccr,dc=buffalo,dc=edu. Check if DB RUV needs to be updated
> [01/Oct/2015:10:45:08 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
> ...
> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22231 (rc: 32)
> [01/Oct/2015:10:45:09 -0400] - slapd started. Listening on /var/run/slapd-INT-CCR-BUFFALO-EDU.socket for LDAPI requests
> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22232 (rc: 32)
> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22233 (rc: 32)
> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22234 (rc: 32)
> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22235 (rc: 32)
> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22236 (rc: 32)
> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22237 (rc: 32)
> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22238 (rc: 32)
> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22239 (rc: 32)
> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22240 (rc: 32)
> ..
>
>
> These delete_changerecord are repeated all the way to 321722.
>
>
> Here's the errors from /var/log/ipaupgrade.log
>
>
> 2015-10-01T14:44:49Z DEBUG [4/10]: starting directory server
> 2015-10-01T14:44:49Z DEBUG Starting external process
> 2015-10-01T14:44:49Z DEBUG args='/bin/systemctl' 'start' 'dirsrv at INT-CCR-BUFFALO-EDU.service'
> 2015-10-01T14:44:50Z DEBUG Process finished, return code=0
> 2015-10-01T14:44:50Z DEBUG stdout=
> 2015-10-01T14:44:50Z DEBUG stderr=
> 2015-10-01T14:44:50Z DEBUG duration: 0 seconds
> 2015-10-01T14:44:50Z DEBUG [5/10]: preparing server upgrade
> 2015-10-01T14:45:00Z ERROR Pre schema upgrade failed with [Errno 111] Connection refused
> 2015-10-01T14:45:00Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 128, in __pre_schema_upgrade
> ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run, plugins=True)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 220, in __init__
> self.create_connection()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 783, in create_connection
> dm_password=self.dm_password, pw_name=self.pw_name)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
> conn.do_external_bind(pw_name)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
> self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
> self.__wait_for_connection(timeout)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
> wait_for_open_socket(lurl.hostport, timeout)
> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, in wait_for_open_socket
> raise e
> error: [Errno 111] Connection refused
>
> 2015-10-01T14:45:00Z DEBUG duration: 10 seconds
> 2015-10-01T14:45:00Z DEBUG [6/10]: updating schema
>
> ...
>
> 2015-10-01T14:45:43Z DEBUG duration: 2 seconds
> 2015-10-01T14:45:43Z DEBUG [9/10]: restoring configuration
> 2015-10-01T14:45:43Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-10-01T14:45:43Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-10-01T14:45:43Z DEBUG duration: 0 seconds
> 2015-10-01T14:45:43Z DEBUG [10/10]: starting directory server
> 2015-10-01T14:45:43Z DEBUG Starting external process
> 2015-10-01T14:45:43Z DEBUG args='/bin/systemctl' 'start' 'dirsrv at INT-CCR-BUFFALO-EDU.service'
> 2015-10-01T14:45:44Z DEBUG Process finished, return code=0
> 2015-10-01T14:45:44Z DEBUG stdout=
> 2015-10-01T14:45:44Z DEBUG stderr=
> 2015-10-01T14:45:44Z DEBUG Starting external process
> 2015-10-01T14:45:44Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv at INT-CCR-BUFFALO-EDU.service'
> 2015-10-01T14:45:44Z DEBUG Process finished, return code=0
> 2015-10-01T14:45:44Z DEBUG stdout=active
>
> 2015-10-01T14:45:44Z DEBUG stderr=
> 2015-10-01T14:45:44Z DEBUG wait_for_open_ports: localhost [389] timeout 300
> 2015-10-01T14:45:51Z DEBUG duration: 7 seconds
> 2015-10-01T14:45:51Z DEBUG Done.
> 2015-10-01T14:45:51Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> return_value = self.run()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 151, in run
> raise admintool.ScriptError('IPA upgrade failed.', 1)
>
> 2015-10-01T14:45:51Z DEBUG The ipa-ldap-updater command failed, exception: ScriptError: IPA upgrade failed.
> 2015-10-01T14:45:51Z ERROR IPA upgrade failed.
> 2015-10-01T14:45:51Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with options: {'debug': False, 'quiet': True}
> 2015-10-01T14:45:51Z DEBUG IPA version 4.1.0-18.el7.centos.4
> 2015-10-01T14:45:51Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>
> ...
>
> 2015-10-01T14:48:37Z DEBUG The CA status is: running
> 2015-10-01T14:48:37Z INFO The ipa-upgradeconfig command was successful
>
>
> But from looking through the ipaupgrade.log it seems like the schema changes were in fact applied?
>
It looks like the DS has not been ready yet
It started at:
[01/Oct/2015:10:45:09 -0400] - slapd started. Listening on /var/run/slapd-INT-CCR-BUFFALO-EDU.socket for LDAPI requests
But upgrade failed before:
2015-10-01T14:45:00Z ERROR Pre schema upgrade failed with [Errno 111] Connection refused
If there are no other errors listed, so other part of upgrade are
successful.
Pre-schema upgrade is done for DNS forward zones, but in case that this
was successfully done on master, dns forwardzones should be already updated.
This code is also removed in versions of IPA, so it should not cause
issues in future.
Martin
From simo at redhat.com Thu Oct 1 16:04:14 2015
From: simo at redhat.com (Simo Sorce)
Date: Thu, 1 Oct 2015 12:04:14 -0400
Subject: [Freeipa-users] HBAC
In-Reply-To: <560C8AD1.5080105@mdevsys.com>
References: <560B3A68.7020401@mdevsys.com> <560B3D73.9050704@mdevsys.com>
<20150930055047.GG4539@redhat.com> <560BD190.7050401@redhat.com>
<560C8AD1.5080105@mdevsys.com>
Message-ID: <560D597E.7030205@redhat.com>
On 30/09/15 21:22, TomK wrote:
>
>
> On 9/30/2015 8:12 AM, Martin Kosek wrote:
>> On 09/30/2015 07:50 AM, Alexander Bokovoy wrote:
>>> On Tue, 29 Sep 2015, TomK wrote:
>>>> Hey Guy's,
>>>>
>>>> (Sending this again as I didn't have this email included in the
>>>> freeipa-users
>>>> mailing list so not sure if the other message will get posted.)
>>>>
>>>> Before I post a ticket to RH Support for an RFE, I'll post the
>>>> request here
>>>> to get some feedback on options and what ideas folks have. I've a
>>>> situation
>>>> as follows. I have the following setup in WS 2012 AD DC:
>>>>
>>>> TomK (user)
>>>> TomK Groups:
>>>> unixg
>>>> windowsg
>>>>
>>>> unixg has the 'host' attribute defined 'lab01,lab02,lab03,lab04'
>>>> windowsg has the 'host' attribute defined 'lab06,lab07,lab08,lab09'
>>>>
>>>> TomK(user) also has the 'host' attribute defined as per the proper
>>>> RFC for
>>>> LDAP. With SSSD rules I can define the rules to read the user 'host'
>>>> attribute but not the group 'host' attribute:
>>>>
>>>>
>>>> |access_provider = ldap ldap_access_order = host
>>>> ldap_user_authorized_host =
>>>> host|
>>>>
>>>>
>>>> Essentially TomK to be given access to hosts listed in the 'host'
>>>> attribute
>>>> but denied entry into lab05 for example (not listed in any group 'host'
>>>> attribute above) to the server. If I have a new user that has
>>>> joined that
>>>> particular team at our organization, I can simply add her/him to the
>>>> above
>>>> groups and this user would get access only to the listed servers in
>>>> 'host'
>>>> attribute by default. I don't need to specify new groups in customized
>>>> sssd.conf or ldap.conf files or in sshd config files. Hence less to
>>>> update
>>>> with Salt or any other CM suite. I've managed to setup SUDO rules
>>>> and with
>>>> the openssh-ldap.diff schema SSH public keys could be stored in AD
>>>> as well
>>>> and be read by OpenSSH. So aside from the HBAC capability on groups,
>>>> virtually all our needs are handled by the WS2012 AD DC as it has to
>>>> follow
>>>> the OpenLDAP standard anyway. Now to get this we considered and are
>>>> still
>>>> considering FreeIPA. However this idea poses a set of challenges:
>>>>
>>>> 1) In large organizations where the AD support department are only
>>>> trained in
>>>> Windows AD setup and configuration (Only windows guy's) this would
>>>> require a
>>>> minimal of 3 bodies to support that know LDAP/Linux. This is a
>>>> large cost.
>>>>
>>>> 2) The additional server requires the same hardening as the Windows
>>>> AD DC
>>>> servers meaning a new procedure has to be carved out for the 2+ FreeIPA
>>>> servers to be supported, hardened and maintained (upgraded).
>>>>
>>>> Now I probably sound somewhat anti-FreeIPA, however the challenges of
>>>> implementing it in large organizations surface after some
>>>> deliberation, so
>>>> probably better to list then as it may help direct development of
>>>> the product
>>>> to contend with the challenges (Like having a document fully
>>>> dedicated to
>>>> hardening a FreeIPA server with selinux and other technologies in
>>>> easy to
>>>> maintain configuration). I could be mistaken but some folks
>>>> mention that
>>>> it's 'better' to implement this sort of HBAC through other means (??
>>>> iptables
>>>> ??) but never tried the alternatives yet.
>>>>
>>>> So, cutting to the end, would it be possible to add an attribute like:
>>>>
>>>> |ldap_user_authorized_host|
>>>>
>>>> but perhaps called 'ldap_group_authorized_host' to the SSSD code to
>>>> enable
>>>> reading the 'host' attribute on AD/LDAP defined groups?
>>> In FreeIPA we support HBAC rules for AD users and groups. What exactly
>>> is wrong with that?
>>>
>>> See 'ipa help trust' for details how to map AD groups to IPA groups and
>>> then 'ipa help hbacrule' for how to limit access of those groups to
>>> specific hosts and services on them.
>>>
>>> This is all covered well in the guide:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
>>>
>> More reading on External groups used for AD access control:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/active-directory-trust.html#trust-win-groups
>>
>>
>> I would also suggest a video with HBAC and Trust in action:
>>
>> https://www.youtube.com/watch?v=sQnNFJOzwa8
>>
>> HTH,
>> Martin
>
> We already defined HBAC rules in the manner that all the links you
> pointed out indicate as an early implementation. As a product, there is
> no issue in IDM from that perspective. This is all great and the
> product is fine from that perspective.
>
> It would be good to have a dual option of either allowing SSSD or IDM /
> FreeIPA have full HBAC capability not just FreeIPA / IDM as in our
> organization that would be a huge cost savings vs implementing IDM as a
> separate Linux DC to be managed by a separate team. So for those
> customers that wish to go directly to AD or have already invested in AD
> can choose SSSD only (If MS bundles AD with certain purchases, for
> example, that is an actual cost savings for a company). Other customers
> who wish to keep the two separate so they do not flood AD DC's with non
> Windows AD settings can integrate IDM.
>
> There will be cases where there could be a potential to save on costs vs
> AD so the Linux IDM could be chosen as an Enterprise DC to which Windows
> server authenticate as well as Linux ones or vice versa, whereas those
> organizations already implementing Windows AD can have the option to
> have Linux servers connecting to the AD DC via SSSD.
>
> Since SSSD and IDM are so closely coupled, for someone who requires
> HBAC, the choice is either take both SSSD and IDM or neither. So other
> solutions are being explored instead.
>
> Do these reasons make sense as to why I posted the original ask?
When SSSD is integrated directly in AD you can use Group Policies to
define access controls. See ad_gpo_access_control in sssd-ad(5)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
From simo at redhat.com Thu Oct 1 16:08:08 2015
From: simo at redhat.com (Simo Sorce)
Date: Thu, 1 Oct 2015 12:08:08 -0400
Subject: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops
In-Reply-To: <560CDD7C.8090804@redhat.com>
References:
<560CDD7C.8090804@redhat.com>
Message-ID: <560D5A68.7070608@redhat.com>
On 01/10/15 03:15, Petr Spacek wrote:
> On 30.9.2015 20:36, Matt Wells wrote:
>> Hi all, I hoped I may glean some brilliance from the group.
>> I have a Freeipa Server sitting atop a Fedora 21 server. The initial plan
>> was to replicate users+passwords with Windows 2012R2 server but following
>> some of the information in the other posts and docs we've moved to a
>> trust. The trust has been setup using the documentation and in short it's
>> worked without issue. I'm able to get principles from the Windows realm (
>> marvel.comics.com). So what I'm attempting and failing to do is
>> authenticating my IPA users to the Windows 8 desktops. Ideally I don't
>> want any users in AD, it's simply there to deliver a GPO and in the next
>> year it will be phased out and we'll be replacing Windows 8 with linux
>> desktops.
>>
>> So
>> marvel.comics.com = windows
>> dc.comics.com = freeipa
>>
>> # rpm -qi freeipa-server
>> Name : freeipa-server
>> Version : 4.1.4
>> Release : 1.fc21
>> Architecture: x86_64
>> Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
>> Group : System Environment/Base
>> Size : 4521059
>> License : GPLv3+
>> Signature : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
>> 89ad4e8795a43f54
>> Source RPM : freeipa-4.1.4-1.fc21.src.rpm
>> Build Date : Thu 26 Mar 2015 03:16:19 PM UTC
>> Build Host : buildhw-07.phx2.fedoraproject.org
>> [root at freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
>> Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon Aug 17
>> 22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>> [root at freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
>> Fedora release 21 (Twenty One)
>>
>> To cut to the chase here's me logging into a Windows 8 desktop system. I
>> try to login 3 different ways; this system is a member of the marvel
>> domain. Time is extremely close, close enough that I feel really good
>> about ruling it out. Any light you all could shed on this would be
>> outstanding. Thank you all for your time on this, I really appreciate all
>> the time and effort this team puts into reading these posts.
>>
>> Username: dc/greenlantern
>> Password: ************
>>
>> [root at freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i
>> greenlantern
>> [30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH
>> base="dc=dc,dc=comics,dc=com" scope=2
>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
>> )(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
>> krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
>> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
>> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
>> krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
>> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
>> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
>> objectClass"
>>
>> Username: greenlanter at dc
>> Password: ************
>>
>>
>> [30/Sep/2015:17:59:48 +0000] conn=1172 op=86 SRCH
>> base="dc=dc,dc=comics,dc=com" scope=2
>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
>> )(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
>> krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
>> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
>> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
>> krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
>> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
>> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
>> objectClass"
>>
>>
>> Username: greenlanter at dc.comics.com
>> Password: ************
>>
>> [30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH
>> base="dc=dc,dc=comics,dc=com" scope=2
>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5C at dc.COMICS.com
>> @DC.COMICS.COM
>> )(krbPrincipalName=greenlantern\5C at dc.COMICS.com@DC.COMICS.COM
>> )))" attrs="krbPrincipalName krbCanonicalName
>> ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>
>>
>> >From what I can tell, everything looks good to wbinfo; we see the domain
>> and he see's us. In the AD trust I can go under the trust and validate the
>> trust with no issues.
>> [root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --online-status
>> BUILTIN : online
>> DC : online
>> MARVEL : online
>> [root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
>> marvel.comics.com
>> Name : MARVEL
>> Alt_Name : marvel.comics.com
>> SID : S-1-5-21-3495301974-2766379234-3984916731
>> Active Directory : Yes
>> Native : Yes
>> Primary : No
>> [root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo -n
>> 'MARVEL.COMICS.COM\Domain
>> Admins'
>> S-1-5-21-3495301974-2766379234-3984916731-512 SID_DOM_GROUP (2)
>> [root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
>> marvel.comics.com
>> Name : MARVEL
>> Alt_Name : marvel.comics.com
>> SID : S-1-5-21-3495301974-2766379234-3984916731
>> Active Directory : Yes
>> Native : Yes
>> Primary : No
>
> Unfortunately you will not be able to log into Windows workstations using IPA
> users because FreeIPA is (at the moment) missing Global Catalog component
> which prevents Windows from working with IPA users.
>
> It should work the other way around, but there is nothing you can do at the
> moment to make it working with IPA users in Windows. Global Catalog is several
> months away in the best case.
This is not entirely true.
There is no way to add IPA SIDs to the relevant authorization groups
using the GUI tools in AD, but technically you can do that using command
line tools and pasting in SIDs directly.
Authentication would be possible then, however Windows clients will
never be able to resolve SID to Names, so looking at file permissions
you will not be able to see user names, but only SIDs for IPA users.
Some tools that may depend on SID->Name translation may also fail in
unexpected ways.
This is why we do not recommend to try this, but it is technically
possible if you know very well how to handle everything through Windows
CLIs (I don't so don't ask :-)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
From aebruno2 at buffalo.edu Thu Oct 1 17:50:11 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Thu, 1 Oct 2015 13:50:11 -0400
Subject: [Freeipa-users] ipa upgrade failed
In-Reply-To: <560D53F2.5@redhat.com>
References: <20151001150309.GA10653@dead.ccr.buffalo.edu>
<560D4CA3.8080609@redhat.com>
<20151001152835.GB10653@dead.ccr.buffalo.edu>
<560D53F2.5@redhat.com>
Message-ID: <20151001175011.GD10653@dead.ccr.buffalo.edu>
On Thu, Oct 01, 2015 at 05:40:34PM +0200, Martin Basti wrote:
>
>
> On 10/01/2015 05:28 PM, Andrew E. Bruno wrote:
> >On Thu, Oct 01, 2015 at 05:09:23PM +0200, Martin Basti wrote:
> >>
> >>On 10/01/2015 05:03 PM, Andrew E. Bruno wrote:
> >>>Running CentOS 7.1.1503.
> >>>
> >>>Upgrading via yum update from:
> >>>
> >>> ipa-server.x86_64 0:4.1.0-18.el7.centos.3
> >>>
> >>> --to--
> >>>
> >>> ipa-server.x86_64 0:4.1.0-18.el7.centos.4
> >>>
> >>>We have 3 replicates. Upgrading the first replicate (first-master) went
> >>>fine. Upgrading the second replicate failed.
> >>>
> >>>Got the following error during the update on the second replicate:
> >>>
> >>>Pre schema upgrade failed with [Errno 111] Connection refused
> >>>IPA upgrade failed.
> >>>
> >>>Where should I look for more info? Looked in the usual places and didn't
> >>>see anything out of the ordinary. How can I fix/verify the upgrade?
> >>>
> >>>Thanks!
> >>>
> >>>--Andrew
> >>>
> >>Hello,
> >>
> >>can you check /var/log/ipaupgrade.log and /var/log/dirsrv/slapd-*/errors for
> >>more specific errors?
> >Here's the errors from /var/log/dirsrv/slapd-*/errors right around the time of the upgrade:
> >
> >[01/Oct/2015:10:42:37 -0400] - slapd shutting down - signaling operation threads - op stack size 84 max work q size 59 max work q stack size 59
> >[01/Oct/2015:10:44:50 -0400] - Information: Non-Secure Port Disabled
> >[01/Oct/2015:10:44:50 -0400] - 389-Directory/1.3.3.1 B2015.218.023 starting up
> >[01/Oct/2015:10:44:50 -0400] - WARNING: changelog: entry cache size 512000B is less than db size 28639232B; We recommend to increase the entry cache size nsslapd-cachememsize.
> >[01/Oct/2015:10:44:50 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
> >...
> >tion.
> >[01/Oct/2015:10:45:03 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-INT-CCR-BUFFALO-EDU/cldb/9fc73292-2b0911e5-a53bd3a1-f3bbc58c.sema; NSPR error - -5943
> >[01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-INT-CCR-BUFFALO-EDU/cldb/d0a7671e-2b0911e5-a53bd3a1-f3bbc58c.sema; NSPR error - -5943
> >[01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated
> >[01/Oct/2015:10:45:08 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/srv-d13-39-02.int.ccr.buffalo.edu at INT.CCR.BUFFALO.EDU] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> >[01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-srv-d13-39-02.int.ccr.buffalo.edu-pki-tomcat" (srv-d13-38-02:389): Unable to acquire replica: the replica instructed us to go into backoff mode. Will retry later.
> >[01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=int,dc=ccr,dc=buffalo,dc=edu. Check if DB RUV needs to be updated
> >[01/Oct/2015:10:45:08 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
> >...
> >[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22231 (rc: 32)
> >[01/Oct/2015:10:45:09 -0400] - slapd started. Listening on /var/run/slapd-INT-CCR-BUFFALO-EDU.socket for LDAPI requests
> >[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22232 (rc: 32)
> >[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22233 (rc: 32)
> >[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22234 (rc: 32)
> >[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22235 (rc: 32)
> >[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22236 (rc: 32)
> >[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22237 (rc: 32)
> >[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22238 (rc: 32)
> >[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22239 (rc: 32)
> >[01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22240 (rc: 32)
> >..
> >
> >
> >These delete_changerecord are repeated all the way to 321722.
> >
> >
> >Here's the errors from /var/log/ipaupgrade.log
> >
> >
> >2015-10-01T14:44:49Z DEBUG [4/10]: starting directory server
> >2015-10-01T14:44:49Z DEBUG Starting external process
> >2015-10-01T14:44:49Z DEBUG args='/bin/systemctl' 'start' 'dirsrv at INT-CCR-BUFFALO-EDU.service'
> >2015-10-01T14:44:50Z DEBUG Process finished, return code=0
> >2015-10-01T14:44:50Z DEBUG stdout=
> >2015-10-01T14:44:50Z DEBUG stderr=
> >2015-10-01T14:44:50Z DEBUG duration: 0 seconds
> >2015-10-01T14:44:50Z DEBUG [5/10]: preparing server upgrade
> >2015-10-01T14:45:00Z ERROR Pre schema upgrade failed with [Errno 111] Connection refused
> >2015-10-01T14:45:00Z DEBUG Traceback (most recent call last):
> > File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 128, in __pre_schema_upgrade
> > ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run, plugins=True)
> > File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 220, in __init__
> > self.create_connection()
> > File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 783, in create_connection
> > dm_password=self.dm_password, pw_name=self.pw_name)
> > File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
> > conn.do_external_bind(pw_name)
> > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
> > self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
> > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
> > self.__wait_for_connection(timeout)
> > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
> > wait_for_open_socket(lurl.hostport, timeout)
> > File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, in wait_for_open_socket
> > raise e
> >error: [Errno 111] Connection refused
> >
> >2015-10-01T14:45:00Z DEBUG duration: 10 seconds
> >2015-10-01T14:45:00Z DEBUG [6/10]: updating schema
> >
> >...
> >
> >2015-10-01T14:45:43Z DEBUG duration: 2 seconds
> >2015-10-01T14:45:43Z DEBUG [9/10]: restoring configuration
> >2015-10-01T14:45:43Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> >2015-10-01T14:45:43Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> >2015-10-01T14:45:43Z DEBUG duration: 0 seconds
> >2015-10-01T14:45:43Z DEBUG [10/10]: starting directory server
> >2015-10-01T14:45:43Z DEBUG Starting external process
> >2015-10-01T14:45:43Z DEBUG args='/bin/systemctl' 'start' 'dirsrv at INT-CCR-BUFFALO-EDU.service'
> >2015-10-01T14:45:44Z DEBUG Process finished, return code=0
> >2015-10-01T14:45:44Z DEBUG stdout=
> >2015-10-01T14:45:44Z DEBUG stderr=
> >2015-10-01T14:45:44Z DEBUG Starting external process
> >2015-10-01T14:45:44Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv at INT-CCR-BUFFALO-EDU.service'
> >2015-10-01T14:45:44Z DEBUG Process finished, return code=0
> >2015-10-01T14:45:44Z DEBUG stdout=active
> >
> >2015-10-01T14:45:44Z DEBUG stderr=
> >2015-10-01T14:45:44Z DEBUG wait_for_open_ports: localhost [389] timeout 300
> >2015-10-01T14:45:51Z DEBUG duration: 7 seconds
> >2015-10-01T14:45:51Z DEBUG Done.
> >2015-10-01T14:45:51Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> > return_value = self.run()
> > File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 151, in run
> > raise admintool.ScriptError('IPA upgrade failed.', 1)
> >
> >2015-10-01T14:45:51Z DEBUG The ipa-ldap-updater command failed, exception: ScriptError: IPA upgrade failed.
> >2015-10-01T14:45:51Z ERROR IPA upgrade failed.
> >2015-10-01T14:45:51Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with options: {'debug': False, 'quiet': True}
> >2015-10-01T14:45:51Z DEBUG IPA version 4.1.0-18.el7.centos.4
> >2015-10-01T14:45:51Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> >
> >...
> >
> >2015-10-01T14:48:37Z DEBUG The CA status is: running
> >2015-10-01T14:48:37Z INFO The ipa-upgradeconfig command was successful
> >
> >
> >But from looking through the ipaupgrade.log it seems like the schema changes were in fact applied?
> >
>
> It looks like the DS has not been ready yet
>
> It started at:
>
> [01/Oct/2015:10:45:09 -0400] - slapd started. Listening on /var/run/slapd-INT-CCR-BUFFALO-EDU.socket for LDAPI requests
>
> But upgrade failed before:
>
> 2015-10-01T14:45:00Z ERROR Pre schema upgrade failed with [Errno 111] Connection refused
>
>
> If there are no other errors listed, so other part of upgrade are
> successful.
> Pre-schema upgrade is done for DNS forward zones, but in case that this was
> successfully done on master, dns forwardzones should be already updated.
> This code is also removed in versions of IPA, so it should not cause issues
> in future.
Upgrading the 3rd replicate didn't fair so well either. I don't see any
successful schema updates like I did in the previous 2 replicas in
/var/log/ipaupgrade.log. Here's the errors from the 3rd replicate:
2015-10-01T17:20:06Z DEBUG duration: 0 seconds
2015-10-01T17:20:06Z DEBUG [5/10]: preparing server upgrade
2015-10-01T17:20:16Z ERROR Pre schema upgrade failed with [Errno 111] Connection refused
2015-10-01T17:20:16Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 128, in __pre_schema_upgrade
ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run, plugins=True)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 220, in __init__
self.create_connection()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 783, in create_connection
dm_password=self.dm_password, pw_name=self.pw_name)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
conn.do_external_bind(pw_name)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
self.__wait_for_connection(timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
wait_for_open_socket(lurl.hostport, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, in wait_for_open_socket
raise e
error: [Errno 111] Connection refused
2015-10-01T17:20:16Z DEBUG duration: 10 seconds
2015-10-01T17:20:16Z DEBUG [6/10]: updating schema
2015-10-01T17:20:27Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 145, in __update_schema
dm_password='', ldapi=True, live_run=self.live_run) or self.modified
File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 112, in update_schema
fqdn=installutils.get_fqdn())
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
conn.do_external_bind(pw_name)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
self.__wait_for_connection(timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
wait_for_open_socket(lurl.hostport, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, in wait_for_open_socket
raise e
error: [Errno 111] Connection refused
2015-10-01T17:20:27Z DEBUG [error] error: [Errno 111] Connection refused
2015-10-01T17:20:27Z DEBUG [cleanup]: stopping directory server
2015-10-01T17:20:27Z DEBUG Starting external process
2015-10-01T17:20:27Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv at INT-CCR-BUFFALO-EDU.service'
2015-10-01T17:22:00Z DEBUG Process finished, return code=0
2015-10-01T17:22:00Z DEBUG [cleanup]: restoring configuration
2015-10-01T17:22:00Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-10-01T17:22:00Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-10-01T17:22:00Z DEBUG duration: 0 seconds
2015-10-01T17:22:00Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 144, in run
upgrade.create_instance()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 93, in create_instance
show_service_name=False)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 145, in __update_schema
dm_password='', ldapi=True, live_run=self.live_run) or self.modified
File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 112, in update_schema
fqdn=installutils.get_fqdn())
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
conn.do_external_bind(pw_name)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
self.__wait_for_connection(timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
wait_for_open_socket(lurl.hostport, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, in wait_for_open_socket
raise e
2015-10-01T17:22:00Z DEBUG The ipa-ldap-updater command failed, exception: error: [Errno 111] Connection refused
2015-10-01T17:22:00Z ERROR [Errno 111] Connection refused
2015-10-01T17:22:01Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with options: {'debug': False, 'quiet': True}
2015-10-01T17:22:01Z DEBUG IPA version 4.1.0-18.el7.centos.4
2015-10-01T17:22:01Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2015-10-01T17:22:01Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
2015-10-01T17:22:01Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
Then these errors are repeated:
2015-10-01T17:22:05Z DEBUG stderr=
2015-10-01T17:22:05Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2015-10-01T17:22:09Z DEBUG Waiting until the CA is running
2015-10-01T17:22:09Z DEBUG request 'https://srv-d13-40-02.int.ccr.buffalo.edu:443/ca/admin/ca/getStatus'
2015-10-01T17:22:09Z DEBUG request body ''
2015-10-01T17:22:17Z DEBUG request status 500
2015-10-01T17:22:17Z DEBUG request reason_phrase u'Internal Server Error'
2015-10-01T17:22:17Z DEBUG request headers {'content-length': '2923', 'content-language': 'en', 'server': 'Apache/2.4.6 (CentOS) mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.16.2.3 Basic ECC mod_wsgi/3.4 Python/2.7.5', 'connection': 'close', 'date': 'Thu, 01 Oct 2015 17:22:09 GMT', 'content-type': 'text/html;charset=utf-8'}
2015-10-01T17:22:17Z DEBUG request body 'Apache Tomcat/7.0.54 - Error report HTTP Status 500 - CS server is not ready to serve.
type Exception report
message CS server is not ready to serve.
description The server encountered an internal error that prevented it from fulfilling this request.
exception
java.io.IOException: CS server is not ready to serve.\n\tcom.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)\n\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:727)\n\tsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)\n\tsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tjava.lang.reflect.Method.invoke(Method.java:606)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\tjavax.security.auth.Subject.doAsPrivileged(Subject.java:536)\n\torg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)\n\torg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\torg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\n\tsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)\n\tsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tjava.lang.reflect.Method.invoke(Method.java:606)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\tjavax.security.auth.Subject.doAsPrivileged(Subject.java:536)\n\torg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)\n\torg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)\n
note The full stack trace of the root cause is available in the Apache Tomcat/7.0.54 logs.
Apache Tomcat/7.0.54
'
2015-10-01T17:22:17Z DEBUG The CA status is: check interrupted
2015-10-01T17:22:17Z DEBUG Waiting for CA to start...
2015-10-01T17:22:18Z DEBUG request 'https://srv-d13-40-02.int.ccr.buffalo.edu:443/ca/admin/ca/getStatus'
2015-10-01T17:22:18Z DEBUG request body ''
2015-10-01T17:22:18Z DEBUG request status 500
2015-10-01T17:22:18Z DEBUG request reason_phrase u'Internal Server Error'
....
....
2015-10-01T17:27:08Z DEBUG The CA status is: check interrupted
2015-10-01T17:27:08Z DEBUG Waiting for CA to start...
2015-10-01T17:27:09Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
return_value = main_function()
File "/usr/sbin/ipa-upgradeconfig", line 1376, in main
upgrade_pki(ca, fstore)
File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__
self.gen.next()
File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 888, in stopped_service
service_obj.start(instance_name)
File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 203, in start
self.wait_until_running()
File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 197, in wait_until_running
raise RuntimeError('CA did not start in %ss' % timeout)
2015-10-01T17:27:09Z DEBUG The ipa-upgradeconfig command failed, exception: RuntimeError: CA did not start in 300.0s
A few thoughts/concerns:
1. It looks like when the dirsrv is restarted as part of the upgrade it goes
through thousands of iterations of:
DSRetroclPlugin - delete_changerecord: could not delete change record 314605 (rc: 32)
Before it finally becomes responsive and starts serving requests. This causes
the ipa-upgrade to timeout. Should I have restarted the dirsrv first before
performing the yum update?
2. I had (incorrectly?) assumed this to be a very minor upgrade from
4.1.0-18.el7.centos.3 to 4.1.0-18.el7.centos.4. Is there expected to be major
schema upgrades in minor point releases like this? Curious what the schema
updates do?
3. All servers have been rebooted and seem to be up and running. Should I be
concerned about the upgrade failures and replicating dirty (old) data? How can
I verify the upgrades when OK?
Thanks again for all the help.
--Andrew
From rcritten at redhat.com Thu Oct 1 19:52:07 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 01 Oct 2015 15:52:07 -0400
Subject: [Freeipa-users] FreeIPA 3.3 performance issues with many hosts
In-Reply-To: <560D4BFA.2040303@mittwald.de>
References: <560D4BFA.2040303@mittwald.de>
Message-ID: <560D8EE7.8080004@redhat.com>
Dominik Korittki wrote:
> Hello folks,
>
> I am running two FreeIPA Servers with around 100 users and around 15.000
> hosts, which are used by users to login via ssh. The FreeIPA servers
> (which are Centos 7.0) ran good for a while, but as more and more hosts
> got migrated to serve as FreeIPA hosts, it started to get slow and
> unstable.
>
> For example, its hard to maintain hostgroups, which have more than 1.000
> hosts. The ipa host-* commands are getting slower as the hostgroup
> grows. Is this normal?
You mean the ipa hostgroup-* commands? Whenever the entry is displayed
(show and add) it needs to dereference all members so yes, it is
understandable that it gets somewhat slower with more members. How slow
are we talking about?
> We also experience random dirsrv segfaults. Here's a dmesg line from the
> latest:
>
> [690787.647261] traps: ns-slapd[5217] general protection ip:7f8d6b6d6bc1
> sp:7f8d3aff2a88 error:0 in libc-2.17.so[7f8d6b650000+1b6000]
You probably want to start here:
http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
> Nothing in /var/log/dirsrv/slapd-INTERNAL/errors, which relates to the
> problem.
> I'm thinking about migrating to latest CentOS 7 FreeIPA 4, but does that
> solve my problems?
>
> FreeIPA server version is 3.3.3-28.el7.centos
> 389-ds-base.x86_64 is 1.3.1.6-26.el7_0
>
>
>
> Kind regards,
> Dominik Korittki
>
From rmeggins at redhat.com Thu Oct 1 20:23:34 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 1 Oct 2015 14:23:34 -0600
Subject: [Freeipa-users] FreeIPA 3.3 performance issues with many hosts
In-Reply-To: <560D8EE7.8080004@redhat.com>
References: <560D4BFA.2040303@mittwald.de> <560D8EE7.8080004@redhat.com>
Message-ID: <560D9646.1020808@redhat.com>
On 10/01/2015 01:52 PM, Rob Crittenden wrote:
> Dominik Korittki wrote:
>> Hello folks,
>>
>> I am running two FreeIPA Servers with around 100 users and around 15.000
>> hosts, which are used by users to login via ssh. The FreeIPA servers
>> (which are Centos 7.0) ran good for a while, but as more and more hosts
>> got migrated to serve as FreeIPA hosts, it started to get slow and
>> unstable.
>>
>> For example, its hard to maintain hostgroups, which have more than 1.000
>> hosts. The ipa host-* commands are getting slower as the hostgroup
>> grows. Is this normal?
> You mean the ipa hostgroup-* commands? Whenever the entry is displayed
> (show and add) it needs to dereference all members so yes, it is
> understandable that it gets somewhat slower with more members. How slow
> are we talking about?
>
>> We also experience random dirsrv segfaults. Here's a dmesg line from the
>> latest:
>>
>> [690787.647261] traps: ns-slapd[5217] general protection ip:7f8d6b6d6bc1
>> sp:7f8d3aff2a88 error:0 in libc-2.17.so[7f8d6b650000+1b6000]
> You probably want to start here:
> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
>
and
debuginfo-install ipa-server slapi-nis
in addition to the other packages
>> Nothing in /var/log/dirsrv/slapd-INTERNAL/errors, which relates to the
>> problem.
>> I'm thinking about migrating to latest CentOS 7 FreeIPA 4, but does that
>> solve my problems?
>>
>> FreeIPA server version is 3.3.3-28.el7.centos
>> 389-ds-base.x86_64 is 1.3.1.6-26.el7_0
>>
>>
>>
>> Kind regards,
>> Dominik Korittki
>>
From andrewm659 at yahoo.com Fri Oct 2 02:15:38 2015
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Fri, 2 Oct 2015 02:15:38 +0000 (UTC)
Subject: [Freeipa-users] FreeIPA install
Message-ID: <49946488.84105.1443752138529.JavaMail.yahoo@mail.yahoo.com>
I just created a new FreeIPA setup at my home and i'm getting the following:
[Thu Oct 01 14:02:10.082255 2015] [core:notice] [pid 18792] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Oct 01 14:02:14.742680 2015] [:error] [pid 18795] ipa: INFO: *** PROCESS START ***
[Thu Oct 01 14:02:14.745250 2015] [:error] [pid 18794] ipa: INFO: *** PROCESS START ***
[Thu Oct 01 14:02:42.984969 2015] [:error] [pid 18798] SSL Library Error: -12271 SSL client cannot verify your certificate
[Thu Oct 01 15:21:56.837422 2015] [:error] [pid 18801] SSL Library Error: -12271 SSL client cannot verify your certificate
I tried running the ipa-manage-cacert to generate a new one and install it.? But no go.
Running CentOS 7.1 with latest updates.? Is there a bug in generating the SSL cert?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From tk at mdevsys.com Fri Oct 2 04:38:58 2015
From: tk at mdevsys.com (TomK)
Date: Fri, 2 Oct 2015 00:38:58 -0400
Subject: [Freeipa-users] HBAC
In-Reply-To: <560D597E.7030205@redhat.com>
References: <560B3A68.7020401@mdevsys.com> <560B3D73.9050704@mdevsys.com>
<20150930055047.GG4539@redhat.com> <560BD190.7050401@redhat.com>
<560C8AD1.5080105@mdevsys.com> <560D597E.7030205@redhat.com>
Message-ID: <560E0A62.7020007@mdevsys.com>
On 10/1/2015 12:04 PM, Simo Sorce wrote:
> On 30/09/15 21:22, TomK wrote:
>>
>>
>> On 9/30/2015 8:12 AM, Martin Kosek wrote:
>>> On 09/30/2015 07:50 AM, Alexander Bokovoy wrote:
>>>> On Tue, 29 Sep 2015, TomK wrote:
>>>>> Hey Guy's,
>>>>>
>>>>> (Sending this again as I didn't have this email included in the
>>>>> freeipa-users
>>>>> mailing list so not sure if the other message will get posted.)
>>>>>
>>>>> Before I post a ticket to RH Support for an RFE, I'll post the
>>>>> request here
>>>>> to get some feedback on options and what ideas folks have. I've a
>>>>> situation
>>>>> as follows. I have the following setup in WS 2012 AD DC:
>>>>>
>>>>> TomK (user)
>>>>> TomK Groups:
>>>>> unixg
>>>>> windowsg
>>>>>
>>>>> unixg has the 'host' attribute defined 'lab01,lab02,lab03,lab04'
>>>>> windowsg has the 'host' attribute defined 'lab06,lab07,lab08,lab09'
>>>>>
>>>>> TomK(user) also has the 'host' attribute defined as per the proper
>>>>> RFC for
>>>>> LDAP. With SSSD rules I can define the rules to read the user 'host'
>>>>> attribute but not the group 'host' attribute:
>>>>>
>>>>>
>>>>> |access_provider = ldap ldap_access_order = host
>>>>> ldap_user_authorized_host =
>>>>> host|
>>>>>
>>>>>
>>>>> Essentially TomK to be given access to hosts listed in the 'host'
>>>>> attribute
>>>>> but denied entry into lab05 for example (not listed in any group
>>>>> 'host'
>>>>> attribute above) to the server. If I have a new user that has
>>>>> joined that
>>>>> particular team at our organization, I can simply add her/him to the
>>>>> above
>>>>> groups and this user would get access only to the listed servers in
>>>>> 'host'
>>>>> attribute by default. I don't need to specify new groups in
>>>>> customized
>>>>> sssd.conf or ldap.conf files or in sshd config files. Hence less to
>>>>> update
>>>>> with Salt or any other CM suite. I've managed to setup SUDO rules
>>>>> and with
>>>>> the openssh-ldap.diff schema SSH public keys could be stored in AD
>>>>> as well
>>>>> and be read by OpenSSH. So aside from the HBAC capability on groups,
>>>>> virtually all our needs are handled by the WS2012 AD DC as it has to
>>>>> follow
>>>>> the OpenLDAP standard anyway. Now to get this we considered and are
>>>>> still
>>>>> considering FreeIPA. However this idea poses a set of challenges:
>>>>>
>>>>> 1) In large organizations where the AD support department are only
>>>>> trained in
>>>>> Windows AD setup and configuration (Only windows guy's) this would
>>>>> require a
>>>>> minimal of 3 bodies to support that know LDAP/Linux. This is a
>>>>> large cost.
>>>>>
>>>>> 2) The additional server requires the same hardening as the Windows
>>>>> AD DC
>>>>> servers meaning a new procedure has to be carved out for the 2+
>>>>> FreeIPA
>>>>> servers to be supported, hardened and maintained (upgraded).
>>>>>
>>>>> Now I probably sound somewhat anti-FreeIPA, however the challenges of
>>>>> implementing it in large organizations surface after some
>>>>> deliberation, so
>>>>> probably better to list then as it may help direct development of
>>>>> the product
>>>>> to contend with the challenges (Like having a document fully
>>>>> dedicated to
>>>>> hardening a FreeIPA server with selinux and other technologies in
>>>>> easy to
>>>>> maintain configuration). I could be mistaken but some folks
>>>>> mention that
>>>>> it's 'better' to implement this sort of HBAC through other means (??
>>>>> iptables
>>>>> ??) but never tried the alternatives yet.
>>>>>
>>>>> So, cutting to the end, would it be possible to add an attribute
>>>>> like:
>>>>>
>>>>> |ldap_user_authorized_host|
>>>>>
>>>>> but perhaps called 'ldap_group_authorized_host' to the SSSD code to
>>>>> enable
>>>>> reading the 'host' attribute on AD/LDAP defined groups?
>>>> In FreeIPA we support HBAC rules for AD users and groups. What exactly
>>>> is wrong with that?
>>>>
>>>> See 'ipa help trust' for details how to map AD groups to IPA groups
>>>> and
>>>> then 'ipa help hbacrule' for how to limit access of those groups to
>>>> specific hosts and services on them.
>>>>
>>>> This is all covered well in the guide:
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
>>>>
>>>>
>>> More reading on External groups used for AD access control:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/active-directory-trust.html#trust-win-groups
>>>
>>>
>>>
>>> I would also suggest a video with HBAC and Trust in action:
>>>
>>> https://www.youtube.com/watch?v=sQnNFJOzwa8
>>>
>>> HTH,
>>> Martin
>>
>> We already defined HBAC rules in the manner that all the links you
>> pointed out indicate as an early implementation. As a product, there is
>> no issue in IDM from that perspective. This is all great and the
>> product is fine from that perspective.
>>
>> It would be good to have a dual option of either allowing SSSD or IDM /
>> FreeIPA have full HBAC capability not just FreeIPA / IDM as in our
>> organization that would be a huge cost savings vs implementing IDM as a
>> separate Linux DC to be managed by a separate team. So for those
>> customers that wish to go directly to AD or have already invested in AD
>> can choose SSSD only (If MS bundles AD with certain purchases, for
>> example, that is an actual cost savings for a company). Other customers
>> who wish to keep the two separate so they do not flood AD DC's with non
>> Windows AD settings can integrate IDM.
>>
>> There will be cases where there could be a potential to save on costs vs
>> AD so the Linux IDM could be chosen as an Enterprise DC to which Windows
>> server authenticate as well as Linux ones or vice versa, whereas those
>> organizations already implementing Windows AD can have the option to
>> have Linux servers connecting to the AD DC via SSSD.
>>
>> Since SSSD and IDM are so closely coupled, for someone who requires
>> HBAC, the choice is either take both SSSD and IDM or neither. So other
>> solutions are being explored instead.
>>
>> Do these reasons make sense as to why I posted the original ask?
>
> When SSSD is integrated directly in AD you can use Group Policies to
> define access controls. See ad_gpo_access_control in sssd-ad(5)
>
> Simo.
>
>
>
This is one of the things we tried in AD to define on groups/users and
use the ad_gpo_access_control but it was very cumbersome and to scale
that to the number of groups and users we have it would make a much
larger mess.
Spent a bit of time with a few AD guy's to see if that would be doable
but no. The reason for this is that if I have say 4000 groups, to deny
access to all but 1 to a set of servers, I have to:
1) Specify to ALLOW for a group/user within that GPO policy.
2) Then specify 3999 times a DENY on all the other groups within that
one policy. (I cannot specify an allow ahead of a deny like I can with
iptables and the AD guy's didn't indicate any shortcuts with that. I
can't do wild cards with GPO either nor can I specify ! or * and this
makes it impossible to use for even small number of groups.)
3) Create an OU to then hold the systems that I want to give that one
group access too.
4) Apply the GPO Policy to that OU.
So this causes a much larger mess in AD, even if there were shortcuts,
because:
1) I will now have to keep and maintain a huge list of OU's that hold
host objects separately. AD teams will never go for that in large
institutions.
2) I will also now have a huge list of GPO Policies to maintain as well.
3) Anytime I add a group, I then have to add it to the previous GPO
Policies to restrict it's access to the rest of the hosts or users in
that new group would get access in addition to adding a new host.
And with such a large definition, it would become unsupportable and
would cause a big mess where we do not need one. We also tried WMI that
Microsoft suggested but that was no better and added another layer of
complexity. IDM itself has wild cards and such which is convenient but
again all the concerns come up with it with a large organization that I
raised earlier. If such wildcard matches can be included in SSSD to
read the 'host' attribute on a group, such as *mdm* that would make
things even easier as I wouldn't have to keep adding new hosts in.
With the host attribute on the user it's simple. If I don't specify any
value for host, the user can't login anywhere. If I specify * he/she
can login anywhere. If I specify a host list it restricts to that
list. I can use ! as well. So much more practical and with REGEX added
in, very powerfull.
Hence the ask for reading the 'host' attribute. There's an
libpam-python someone wrote that perhaps this could be achieved through
that but that's more on the customization side so we would prefer to see
an official feature add instead, if possible.
This raises another question. Any thoughts about adding plugin
mechanisms into SSSD? With that I could parse REGEX pressions in AD
attributes and act on them. But I think that's more PAM then SSSD.
Cheers,
Tom
From abokovoy at redhat.com Fri Oct 2 08:04:43 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 2 Oct 2015 11:04:43 +0300
Subject: [Freeipa-users] User removed from IPA but still present in LDAP,
so cannot him again in IPA web UI
In-Reply-To:
References:
<20151001143311.GE4971@redhat.com>
Message-ID: <20151002080443.GH4971@redhat.com>
On Thu, 01 Oct 2015, Fujisan wrote:
>I get this:
>
>-----------------------------
>$ ldapsearch -D cn=directory\ manager -W -b cn=accounts,dc=mydomain
>'(uid=user1*)'
>Enter LDAP Password:
># extended LDIF
>#
># LDAPv3
># base with scope subtree
># filter: (uid=user1*)
># requesting: ALL
>#
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 1
>-----------------------------
as it should be, i.e. no entry.
Can you restart LDAP server? If compat tree entry persists after
restart, it means there is indeed somewhere an entry that is turned into
the compat one and we then can analyse it more.
--
/ Alexander Bokovoy
From abokovoy at redhat.com Fri Oct 2 08:06:39 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 2 Oct 2015 11:06:39 +0300
Subject: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops
In-Reply-To: <560D5A68.7070608@redhat.com>
References:
<560CDD7C.8090804@redhat.com> <560D5A68.7070608@redhat.com>
Message-ID: <20151002080639.GI4971@redhat.com>
On Thu, 01 Oct 2015, Simo Sorce wrote:
>On 01/10/15 03:15, Petr Spacek wrote:
>>On 30.9.2015 20:36, Matt Wells wrote:
>>>Hi all, I hoped I may glean some brilliance from the group.
>>>I have a Freeipa Server sitting atop a Fedora 21 server. The initial plan
>>>was to replicate users+passwords with Windows 2012R2 server but following
>>>some of the information in the other posts and docs we've moved to a
>>>trust. The trust has been setup using the documentation and in short it's
>>>worked without issue. I'm able to get principles from the Windows realm (
>>>marvel.comics.com). So what I'm attempting and failing to do is
>>>authenticating my IPA users to the Windows 8 desktops. Ideally I don't
>>>want any users in AD, it's simply there to deliver a GPO and in the next
>>>year it will be phased out and we'll be replacing Windows 8 with linux
>>>desktops.
>>>
>>>So
>>>marvel.comics.com = windows
>>>dc.comics.com = freeipa
>>>
>>># rpm -qi freeipa-server
>>>Name : freeipa-server
>>>Version : 4.1.4
>>>Release : 1.fc21
>>>Architecture: x86_64
>>>Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
>>>Group : System Environment/Base
>>>Size : 4521059
>>>License : GPLv3+
>>>Signature : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
>>>89ad4e8795a43f54
>>>Source RPM : freeipa-4.1.4-1.fc21.src.rpm
>>>Build Date : Thu 26 Mar 2015 03:16:19 PM UTC
>>>Build Host : buildhw-07.phx2.fedoraproject.org
>>>[root at freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
>>>Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon Aug 17
>>>22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>>[root at freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
>>>Fedora release 21 (Twenty One)
>>>
>>>To cut to the chase here's me logging into a Windows 8 desktop system. I
>>>try to login 3 different ways; this system is a member of the marvel
>>>domain. Time is extremely close, close enough that I feel really good
>>>about ruling it out. Any light you all could shed on this would be
>>>outstanding. Thank you all for your time on this, I really appreciate all
>>>the time and effort this team puts into reading these posts.
>>>
>>>Username: dc/greenlantern
>>>Password: ************
>>>
>>>[root at freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i
>>>greenlantern
>>>[30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH
>>>base="dc=dc,dc=comics,dc=com" scope=2
>>>filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
>>>)(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
>>>krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>>>krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
>>>krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
>>>krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
>>>krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
>>>krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
>>>passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
>>>objectClass"
>>>
>>>Username: greenlanter at dc
>>>Password: ************
>>>
>>>
>>>[30/Sep/2015:17:59:48 +0000] conn=1172 op=86 SRCH
>>>base="dc=dc,dc=comics,dc=com" scope=2
>>>filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
>>>)(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
>>>krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>>>krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
>>>krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
>>>krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
>>>krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
>>>krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
>>>passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
>>>objectClass"
>>>
>>>
>>>Username: greenlanter at dc.comics.com
>>>Password: ************
>>>
>>>[30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH
>>>base="dc=dc,dc=comics,dc=com" scope=2
>>>filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5C at dc.COMICS.com
>>>@DC.COMICS.COM
>>>)(krbPrincipalName=greenlantern\5C at dc.COMICS.com@DC.COMICS.COM
>>>)))" attrs="krbPrincipalName krbCanonicalName
>>>ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>>>krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>>>krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>>>krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
>>>krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>>>krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>>>ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>>
>>>
>>>>From what I can tell, everything looks good to wbinfo; we see the domain
>>>and he see's us. In the AD trust I can go under the trust and validate the
>>>trust with no issues.
>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --online-status
>>>BUILTIN : online
>>>DC : online
>>>MARVEL : online
>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
>>>marvel.comics.com
>>>Name : MARVEL
>>>Alt_Name : marvel.comics.com
>>>SID : S-1-5-21-3495301974-2766379234-3984916731
>>>Active Directory : Yes
>>>Native : Yes
>>>Primary : No
>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo -n
>>>'MARVEL.COMICS.COM\Domain
>>>Admins'
>>>S-1-5-21-3495301974-2766379234-3984916731-512 SID_DOM_GROUP (2)
>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
>>>marvel.comics.com
>>>Name : MARVEL
>>>Alt_Name : marvel.comics.com
>>>SID : S-1-5-21-3495301974-2766379234-3984916731
>>>Active Directory : Yes
>>>Native : Yes
>>>Primary : No
>>
>>Unfortunately you will not be able to log into Windows workstations using IPA
>>users because FreeIPA is (at the moment) missing Global Catalog component
>>which prevents Windows from working with IPA users.
>>
>>It should work the other way around, but there is nothing you can do at the
>>moment to make it working with IPA users in Windows. Global Catalog is several
>>months away in the best case.
>
>This is not entirely true.
>There is no way to add IPA SIDs to the relevant authorization groups
>using the GUI tools in AD, but technically you can do that using
>command line tools and pasting in SIDs directly.
>Authentication would be possible then, however Windows clients will
>never be able to resolve SID to Names, so looking at file permissions
>you will not be able to see user names, but only SIDs for IPA users.
>Some tools that may depend on SID->Name translation may also fail in
>unexpected ways.
practically, you will not be able to login into Windows workstations
because login screen will have to do Name->SID translation which it
wouldn't be able to do.
>This is why we do not recommend to try this, but it is technically
>possible if you know very well how to handle everything through
>Windows CLIs (I don't so don't ask :-)
It will not work for Name->SID translations, thus making it practially
unusable.
--
/ Alexander Bokovoy
From mkosek at redhat.com Fri Oct 2 08:09:23 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 2 Oct 2015 10:09:23 +0200
Subject: [Freeipa-users] FreeIPA install
In-Reply-To: <49946488.84105.1443752138529.JavaMail.yahoo@mail.yahoo.com>
References: <49946488.84105.1443752138529.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <560E3BB3.5070103@redhat.com>
On 10/02/2015 04:15 AM, Andrew Meyer wrote:
> I just created a new FreeIPA setup at my home and i'm getting the following:
>
> [Thu Oct 01 14:02:10.082255 2015] [core:notice] [pid 18792] AH00094: Command
> line: '/usr/sbin/httpd -D FOREGROUND'
> [Thu Oct 01 14:02:14.742680 2015] [:error] [pid 18795] ipa: INFO: *** PROCESS
> START ***
> [Thu Oct 01 14:02:14.745250 2015] [:error] [pid 18794] ipa: INFO: *** PROCESS
> START ***
> [Thu Oct 01 14:02:42.984969 2015] [:error] [pid 18798] SSL Library Error:
> -12271 SSL client cannot verify your certificate
> [Thu Oct 01 15:21:56.837422 2015] [:error] [pid 18801] SSL Library Error:
> -12271 SSL client cannot verify your certificate
>
> I tried running the ipa-manage-cacert to generate a new one and install it.
> But no go.
>
> Running CentOS 7.1 with latest updates. Is there a bug in generating the SSL cert?
>
>
>
This rather seems that your client browser does not trust FreeIPA CA certificate.
Related thread:
https://www.redhat.com/archives/freeipa-devel/2009-June/msg00188.html
More related info:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/using-the-ui.html#config-browser
Martin
From fujisan43 at gmail.com Fri Oct 2 08:35:15 2015
From: fujisan43 at gmail.com (Fujisan)
Date: Fri, 2 Oct 2015 10:35:15 +0200
Subject: [Freeipa-users] User removed from IPA but still present in LDAP,
so cannot him again in IPA web UI
In-Reply-To: <20151002080443.GH4971@redhat.com>
References:
<20151001143311.GE4971@redhat.com>
<20151002080443.GH4971@redhat.com>
Message-ID:
Yep! Rebooting is just what I needed.
It just cleaned LDAP from user1. I could create 'user1' again within the
FreeIPA web UI.
$ ldapsearch -x -h ipasrv uid=user1
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: uid=user1
# requesting: ALL
#
# user1, users, compat, mydomain
dn: uid=user1,cn=users,cn=compat,dc=mydomain
cn: user one
objectClass: posixAccount
objectClass: top
gidNumber: 1034
gecos: user one
uidNumber: 1034
loginShell: /bin/bash
homeDirectory: /home/user1
uid: user1
# user1, users, accounts, mydomain
dn: uid=user1,cn=users,cn=accounts,dc=mydomain
displayName: user one
cn: user one
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
loginShell: /bin/bash
initials: uo
gecos: user one
homeDirectory: /home/user1
uid: user1
givenName: user
sn: one
uidNumber: 1034
gidNumber: 1034
ipaNTSecurityIdentifier: S-1-5-21-1490379376-134147230-3409394544-1034
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
And after deleting it again:
$ ldapsearch -x -h ipasrv uid=user1
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: uid=user1
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
I probably messed around a bit while configuring with IPA.
Thank you.
On Fri, Oct 2, 2015 at 10:04 AM, Alexander Bokovoy
wrote:
> On Thu, 01 Oct 2015, Fujisan wrote:
>
>> I get this:
>>
>> -----------------------------
>> $ ldapsearch -D cn=directory\ manager -W -b cn=accounts,dc=mydomain
>> '(uid=user1*)'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: (uid=user1*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>> -----------------------------
>>
> as it should be, i.e. no entry.
>
> Can you restart LDAP server? If compat tree entry persists after
> restart, it means there is indeed somewhere an entry that is turned into
> the compat one and we then can analyse it more.
>
>
> --
> / Alexander Bokovoy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From mbasti at redhat.com Fri Oct 2 10:28:56 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 2 Oct 2015 12:28:56 +0200
Subject: [Freeipa-users] ipa upgrade failed
In-Reply-To: <20151001175011.GD10653@dead.ccr.buffalo.edu>
References: <20151001150309.GA10653@dead.ccr.buffalo.edu>
<560D4CA3.8080609@redhat.com>
<20151001152835.GB10653@dead.ccr.buffalo.edu>
<560D53F2.5@redhat.com> <20151001175011.GD10653@dead.ccr.buffalo.edu>
Message-ID: <560E5C68.7080504@redhat.com>
On 10/01/2015 07:50 PM, Andrew E. Bruno wrote:
> On Thu, Oct 01, 2015 at 05:40:34PM +0200, Martin Basti wrote:
>>
>> On 10/01/2015 05:28 PM, Andrew E. Bruno wrote:
>>> On Thu, Oct 01, 2015 at 05:09:23PM +0200, Martin Basti wrote:
>>>> On 10/01/2015 05:03 PM, Andrew E. Bruno wrote:
>>>>> Running CentOS 7.1.1503.
>>>>>
>>>>> Upgrading via yum update from:
>>>>>
>>>>> ipa-server.x86_64 0:4.1.0-18.el7.centos.3
>>>>>
>>>>> --to--
>>>>>
>>>>> ipa-server.x86_64 0:4.1.0-18.el7.centos.4
>>>>>
>>>>> We have 3 replicates. Upgrading the first replicate (first-master) went
>>>>> fine. Upgrading the second replicate failed.
>>>>>
>>>>> Got the following error during the update on the second replicate:
>>>>>
>>>>> Pre schema upgrade failed with [Errno 111] Connection refused
>>>>> IPA upgrade failed.
>>>>>
>>>>> Where should I look for more info? Looked in the usual places and didn't
>>>>> see anything out of the ordinary. How can I fix/verify the upgrade?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> --Andrew
>>>>>
>>>> Hello,
>>>>
>>>> can you check /var/log/ipaupgrade.log and /var/log/dirsrv/slapd-*/errors for
>>>> more specific errors?
>>> Here's the errors from /var/log/dirsrv/slapd-*/errors right around the time of the upgrade:
>>>
>>> [01/Oct/2015:10:42:37 -0400] - slapd shutting down - signaling operation threads - op stack size 84 max work q size 59 max work q stack size 59
>>> [01/Oct/2015:10:44:50 -0400] - Information: Non-Secure Port Disabled
>>> [01/Oct/2015:10:44:50 -0400] - 389-Directory/1.3.3.1 B2015.218.023 starting up
>>> [01/Oct/2015:10:44:50 -0400] - WARNING: changelog: entry cache size 512000B is less than db size 28639232B; We recommend to increase the entry cache size nsslapd-cachememsize.
>>> [01/Oct/2015:10:44:50 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>> ...
>>> tion.
>>> [01/Oct/2015:10:45:03 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-INT-CCR-BUFFALO-EDU/cldb/9fc73292-2b0911e5-a53bd3a1-f3bbc58c.sema; NSPR error - -5943
>>> [01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-INT-CCR-BUFFALO-EDU/cldb/d0a7671e-2b0911e5-a53bd3a1-f3bbc58c.sema; NSPR error - -5943
>>> [01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. Check if DB RUV needs to be updated
>>> [01/Oct/2015:10:45:08 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/srv-d13-39-02.int.ccr.buffalo.edu at INT.CCR.BUFFALO.EDU] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
>>> [01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-srv-d13-39-02.int.ccr.buffalo.edu-pki-tomcat" (srv-d13-38-02:389): Unable to acquire replica: the replica instructed us to go into backoff mode. Will retry later.
>>> [01/Oct/2015:10:45:08 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=int,dc=ccr,dc=buffalo,dc=edu. Check if DB RUV needs to be updated
>>> [01/Oct/2015:10:45:08 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
>>> ...
>>> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22231 (rc: 32)
>>> [01/Oct/2015:10:45:09 -0400] - slapd started. Listening on /var/run/slapd-INT-CCR-BUFFALO-EDU.socket for LDAPI requests
>>> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22232 (rc: 32)
>>> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22233 (rc: 32)
>>> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22234 (rc: 32)
>>> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22235 (rc: 32)
>>> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22236 (rc: 32)
>>> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22237 (rc: 32)
>>> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22238 (rc: 32)
>>> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22239 (rc: 32)
>>> [01/Oct/2015:10:45:09 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 22240 (rc: 32)
>>> ..
>>>
>>>
>>> These delete_changerecord are repeated all the way to 321722.
>>>
>>>
>>> Here's the errors from /var/log/ipaupgrade.log
>>>
>>>
>>> 2015-10-01T14:44:49Z DEBUG [4/10]: starting directory server
>>> 2015-10-01T14:44:49Z DEBUG Starting external process
>>> 2015-10-01T14:44:49Z DEBUG args='/bin/systemctl' 'start' 'dirsrv at INT-CCR-BUFFALO-EDU.service'
>>> 2015-10-01T14:44:50Z DEBUG Process finished, return code=0
>>> 2015-10-01T14:44:50Z DEBUG stdout=
>>> 2015-10-01T14:44:50Z DEBUG stderr=
>>> 2015-10-01T14:44:50Z DEBUG duration: 0 seconds
>>> 2015-10-01T14:44:50Z DEBUG [5/10]: preparing server upgrade
>>> 2015-10-01T14:45:00Z ERROR Pre schema upgrade failed with [Errno 111] Connection refused
>>> 2015-10-01T14:45:00Z DEBUG Traceback (most recent call last):
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 128, in __pre_schema_upgrade
>>> ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run, plugins=True)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 220, in __init__
>>> self.create_connection()
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 783, in create_connection
>>> dm_password=self.dm_password, pw_name=self.pw_name)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
>>> conn.do_external_bind(pw_name)
>>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
>>> self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
>>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
>>> self.__wait_for_connection(timeout)
>>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
>>> wait_for_open_socket(lurl.hostport, timeout)
>>> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, in wait_for_open_socket
>>> raise e
>>> error: [Errno 111] Connection refused
>>>
>>> 2015-10-01T14:45:00Z DEBUG duration: 10 seconds
>>> 2015-10-01T14:45:00Z DEBUG [6/10]: updating schema
>>>
>>> ...
>>>
>>> 2015-10-01T14:45:43Z DEBUG duration: 2 seconds
>>> 2015-10-01T14:45:43Z DEBUG [9/10]: restoring configuration
>>> 2015-10-01T14:45:43Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>>> 2015-10-01T14:45:43Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>>> 2015-10-01T14:45:43Z DEBUG duration: 0 seconds
>>> 2015-10-01T14:45:43Z DEBUG [10/10]: starting directory server
>>> 2015-10-01T14:45:43Z DEBUG Starting external process
>>> 2015-10-01T14:45:43Z DEBUG args='/bin/systemctl' 'start' 'dirsrv at INT-CCR-BUFFALO-EDU.service'
>>> 2015-10-01T14:45:44Z DEBUG Process finished, return code=0
>>> 2015-10-01T14:45:44Z DEBUG stdout=
>>> 2015-10-01T14:45:44Z DEBUG stderr=
>>> 2015-10-01T14:45:44Z DEBUG Starting external process
>>> 2015-10-01T14:45:44Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv at INT-CCR-BUFFALO-EDU.service'
>>> 2015-10-01T14:45:44Z DEBUG Process finished, return code=0
>>> 2015-10-01T14:45:44Z DEBUG stdout=active
>>>
>>> 2015-10-01T14:45:44Z DEBUG stderr=
>>> 2015-10-01T14:45:44Z DEBUG wait_for_open_ports: localhost [389] timeout 300
>>> 2015-10-01T14:45:51Z DEBUG duration: 7 seconds
>>> 2015-10-01T14:45:51Z DEBUG Done.
>>> 2015-10-01T14:45:51Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>> return_value = self.run()
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 151, in run
>>> raise admintool.ScriptError('IPA upgrade failed.', 1)
>>>
>>> 2015-10-01T14:45:51Z DEBUG The ipa-ldap-updater command failed, exception: ScriptError: IPA upgrade failed.
>>> 2015-10-01T14:45:51Z ERROR IPA upgrade failed.
>>> 2015-10-01T14:45:51Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with options: {'debug': False, 'quiet': True}
>>> 2015-10-01T14:45:51Z DEBUG IPA version 4.1.0-18.el7.centos.4
>>> 2015-10-01T14:45:51Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>
>>> ...
>>>
>>> 2015-10-01T14:48:37Z DEBUG The CA status is: running
>>> 2015-10-01T14:48:37Z INFO The ipa-upgradeconfig command was successful
>>>
>>>
>>> But from looking through the ipaupgrade.log it seems like the schema changes were in fact applied?
>>>
>> It looks like the DS has not been ready yet
>>
>> It started at:
>>
>> [01/Oct/2015:10:45:09 -0400] - slapd started. Listening on /var/run/slapd-INT-CCR-BUFFALO-EDU.socket for LDAPI requests
>>
>> But upgrade failed before:
>>
>> 2015-10-01T14:45:00Z ERROR Pre schema upgrade failed with [Errno 111] Connection refused
>>
>>
>> If there are no other errors listed, so other part of upgrade are
>> successful.
>> Pre-schema upgrade is done for DNS forward zones, but in case that this was
>> successfully done on master, dns forwardzones should be already updated.
>> This code is also removed in versions of IPA, so it should not cause issues
>> in future.
> Upgrading the 3rd replicate didn't fair so well either. I don't see any
> successful schema updates like I did in the previous 2 replicas in
> /var/log/ipaupgrade.log. Here's the errors from the 3rd replicate:
>
>
> 2015-10-01T17:20:06Z DEBUG duration: 0 seconds
> 2015-10-01T17:20:06Z DEBUG [5/10]: preparing server upgrade
> 2015-10-01T17:20:16Z ERROR Pre schema upgrade failed with [Errno 111] Connection refused
> 2015-10-01T17:20:16Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 128, in __pre_schema_upgrade
> ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run, plugins=True)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 220, in __init__
> self.create_connection()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 783, in create_connection
> dm_password=self.dm_password, pw_name=self.pw_name)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
> conn.do_external_bind(pw_name)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
> self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
> self.__wait_for_connection(timeout)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
> wait_for_open_socket(lurl.hostport, timeout)
> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, in wait_for_open_socket
> raise e
> error: [Errno 111] Connection refused
>
> 2015-10-01T17:20:16Z DEBUG duration: 10 seconds
> 2015-10-01T17:20:16Z DEBUG [6/10]: updating schema
> 2015-10-01T17:20:27Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
> method()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 145, in __update_schema
> dm_password='', ldapi=True, live_run=self.live_run) or self.modified
> File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 112, in update_schema
> fqdn=installutils.get_fqdn())
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
> conn.do_external_bind(pw_name)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
> self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
> self.__wait_for_connection(timeout)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
> wait_for_open_socket(lurl.hostport, timeout)
> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, in wait_for_open_socket
> raise e
> error: [Errno 111] Connection refused
>
> 2015-10-01T17:20:27Z DEBUG [error] error: [Errno 111] Connection refused
> 2015-10-01T17:20:27Z DEBUG [cleanup]: stopping directory server
> 2015-10-01T17:20:27Z DEBUG Starting external process
> 2015-10-01T17:20:27Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv at INT-CCR-BUFFALO-EDU.service'
> 2015-10-01T17:22:00Z DEBUG Process finished, return code=0
>
>
>
> 2015-10-01T17:22:00Z DEBUG [cleanup]: restoring configuration
> 2015-10-01T17:22:00Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-10-01T17:22:00Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-10-01T17:22:00Z DEBUG duration: 0 seconds
> 2015-10-01T17:22:00Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> return_value = self.run()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 144, in run
> upgrade.create_instance()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 93, in create_instance
> show_service_name=False)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
> method()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 145, in __update_schema
> dm_password='', ldapi=True, live_run=self.live_run) or self.modified
> File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 112, in update_schema
> fqdn=installutils.get_fqdn())
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
> conn.do_external_bind(pw_name)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
> self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
> self.__wait_for_connection(timeout)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
> wait_for_open_socket(lurl.hostport, timeout)
> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, in wait_for_open_socket
> raise e
>
> 2015-10-01T17:22:00Z DEBUG The ipa-ldap-updater command failed, exception: error: [Errno 111] Connection refused
> 2015-10-01T17:22:00Z ERROR [Errno 111] Connection refused
> 2015-10-01T17:22:01Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with options: {'debug': False, 'quiet': True}
> 2015-10-01T17:22:01Z DEBUG IPA version 4.1.0-18.el7.centos.4
> 2015-10-01T17:22:01Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> 2015-10-01T17:22:01Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
> 2015-10-01T17:22:01Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
>
>
> Then these errors are repeated:
>
> 2015-10-01T17:22:05Z DEBUG stderr=
> 2015-10-01T17:22:05Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
> 2015-10-01T17:22:09Z DEBUG Waiting until the CA is running
> 2015-10-01T17:22:09Z DEBUG request 'https://srv-d13-40-02.int.ccr.buffalo.edu:443/ca/admin/ca/getStatus'
> 2015-10-01T17:22:09Z DEBUG request body ''
> 2015-10-01T17:22:17Z DEBUG request status 500
> 2015-10-01T17:22:17Z DEBUG request reason_phrase u'Internal Server Error'
> 2015-10-01T17:22:17Z DEBUG request headers {'content-length': '2923', 'content-language': 'en', 'server': 'Apache/2.4.6 (CentOS) mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.16.2.3 Basic ECC mod_wsgi/3.4 Python/2.7.5', 'connection': 'close', 'date': 'Thu, 01 Oct 2015 17:22:09 GMT', 'content-type': 'text/html;charset=utf-8'}
> 2015-10-01T17:22:17Z DEBUG request body 'Apache Tomcat/7.0.54 - Error report HTTP Status 500 - CS server is not ready to serve.
type Exception report
message CS server is not ready to serve.
description The server encountered an internal error that prevented it from fulfilling this request.
exception
java.io.IOException: CS server is not ready to serve.\n\tcom.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)\n\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:727)\n\tsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)\n\tsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tjava.lang.reflect.Method.invoke(Method.java:606)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\tjavax.security.auth.Subject.doAsPrivileged(Subject.java:536)\n\torg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)\n\torg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\torg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\n\tsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)\n\tsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tjava.lang.reflect.Method.invoke(Method.java:606)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\tjavax.security.auth.Subject.doAsPrivileged(Subject.java:536)\n\torg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)\n\torg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)\n
note The full stack trace of the root cause is available in the Apache Tomcat/7.0.54 logs.
Apache Tomcat/7.0.54
'
> 2015-10-01T17:22:17Z DEBUG The CA status is: check interrupted
> 2015-10-01T17:22:17Z DEBUG Waiting for CA to start...
> 2015-10-01T17:22:18Z DEBUG request 'https://srv-d13-40-02.int.ccr.buffalo.edu:443/ca/admin/ca/getStatus'
> 2015-10-01T17:22:18Z DEBUG request body ''
> 2015-10-01T17:22:18Z DEBUG request status 500
> 2015-10-01T17:22:18Z DEBUG request reason_phrase u'Internal Server Error'
> ....
> ....
>
> 2015-10-01T17:27:08Z DEBUG The CA status is: check interrupted
> 2015-10-01T17:27:08Z DEBUG Waiting for CA to start...
> 2015-10-01T17:27:09Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
> return_value = main_function()
>
> File "/usr/sbin/ipa-upgradeconfig", line 1376, in main
> upgrade_pki(ca, fstore)
>
> File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__
> self.gen.next()
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 888, in stopped_service
> service_obj.start(instance_name)
>
> File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 203, in start
> self.wait_until_running()
>
> File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 197, in wait_until_running
> raise RuntimeError('CA did not start in %ss' % timeout)
>
> 2015-10-01T17:27:09Z DEBUG The ipa-upgradeconfig command failed, exception: RuntimeError: CA did not start in 300.0s
This is interesting, can you check logs in /var/log/pki/pki-tomcat/ca/debug
>
>
> A few thoughts/concerns:
>
> 1. It looks like when the dirsrv is restarted as part of the upgrade it goes
> through thousands of iterations of:
>
> DSRetroclPlugin - delete_changerecord: could not delete change record 314605 (rc: 32)
>
> Before it finally becomes responsive and starts serving requests. This causes
> the ipa-upgrade to timeout. Should I have restarted the dirsrv first before
> performing the yum update?
You can try, but I'm not sure if this will help.
>
> 2. I had (incorrectly?) assumed this to be a very minor upgrade from
> 4.1.0-18.el7.centos.3 to 4.1.0-18.el7.centos.4. Is there expected to be major
> schema upgrades in minor point releases like this? Curious what the schema
> updates do?
It is minor upgrade, it contains just one fix which does not require
upgrade of LDAP data.
Schema upgrade checks if schema is up to date.
Schema is replicated, so if update on master was successful, schema is
also updated on replicas too.
>
> 3. All servers have been rebooted and seem to be up and running. Should I be
> concerned about the upgrade failures and replicating dirty (old) data? How can
> I verify the upgrades when OK?
You can try manually run ipa-ldap-updater --upgrade after yum upgrade.
Upgrade is idempotent, it should work.
But as I said before, it should work even if upgrade failed, because the
fix in minor version does not require schema/data upgrade.
>
> Thanks again for all the help.
>
> --Andrew
>
Martin
From fujisan43 at gmail.com Fri Oct 2 12:26:50 2015
From: fujisan43 at gmail.com (Fujisan)
Date: Fri, 2 Oct 2015 14:26:50 +0200
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
Message-ID:
Hello,
I cannot login to the web UI anymore.
The password or username you entered is incorrect.
Log says:
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for
krbtgt/OPERA at OPERA, Additional pre-authentication required
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
(encrypted_timestamp) verify failure: Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera at OPERA for
krbtgt/OPERA at OPERA, Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
I have no idea what went wrong.
What can I do?
?Regards,
Fuji?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From fujisan43 at gmail.com Fri Oct 2 12:52:25 2015
From: fujisan43 at gmail.com (Fujisan)
Date: Fri, 2 Oct 2015 14:52:25 +0200
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To:
References:
Message-ID:
More info:
I can initiate a ticket:
$ kdestroy
$ kinit admin
but cannot view user admin:
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
/var/log/messages:
Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check
failed. Unable to create GSSAPI-encrypted LDAP connection.
On Fri, Oct 2, 2015 at 2:26 PM, Fujisan wrote:
> Hello,
>
> I cannot login to the web UI anymore.
>
> The password or username you entered is incorrect.
>
> Log says:
>
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA
> for krbtgt/OPERA at OPERA, Additional pre-authentication required
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
> (encrypted_timestamp) verify failure: Decrypt integrity check failed
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera at OPERA
> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>
>
> I have no idea what went wrong.
>
> What can I do?
>
> ?Regards,
> Fuji?
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From f.zoske at euroimmun.de Fri Oct 2 06:35:41 2015
From: f.zoske at euroimmun.de (Zoske, Fabian)
Date: Fri, 2 Oct 2015 06:35:41 +0000
Subject: [Freeipa-users] SUDO does not always works on first try
Message-ID:
Hi folks,
we recently setup an IPA-Server on Centos 7.1 and connected some Ubuntu 14.04 LTS machines to this server.
The IPA-Realm is just for configuring the clients, such as HBAC and SUDO. The user information are stored in an AD to which we established a two-way trust.
Our problem is now, that sudo sometimes tells us, that a user is not allowed to run SUDO on that machine. But on the second try he can execute the command which failed the first time.
Any ideas, whats wrong?
Best regards,
Fabian Zoske
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From jhrozek at redhat.com Fri Oct 2 13:05:08 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 2 Oct 2015 15:05:08 +0200
Subject: [Freeipa-users] SUDO does not always works on first try
In-Reply-To:
References:
Message-ID: <20151002130508.GA3127@hendrix.redhat.com>
On Fri, Oct 02, 2015 at 06:35:41AM +0000, Zoske, Fabian wrote:
> Hi folks,
>
> we recently setup an IPA-Server on Centos 7.1 and connected some Ubuntu 14.04 LTS machines to this server.
> The IPA-Realm is just for configuring the clients, such as HBAC and SUDO. The user information are stored in an AD to which we established a two-way trust.
>
> Our problem is now, that sudo sometimes tells us, that a user is not allowed to run SUDO on that machine. But on the second try he can execute the command which failed the first time.
>
> Any ideas, whats wrong?
Not without logs, sorry. We need both from sudo itself and SSSD.
But the closes that comes to mind is:
https://bugzilla.redhat.com/show_bug.cgi?id=1247539
From simo at redhat.com Fri Oct 2 13:18:26 2015
From: simo at redhat.com (Simo Sorce)
Date: Fri, 2 Oct 2015 09:18:26 -0400
Subject: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops
In-Reply-To: <20151002080639.GI4971@redhat.com>
References:
<560CDD7C.8090804@redhat.com> <560D5A68.7070608@redhat.com>
<20151002080639.GI4971@redhat.com>
Message-ID: <560E8422.60709@redhat.com>
On 02/10/15 04:06, Alexander Bokovoy wrote:
> On Thu, 01 Oct 2015, Simo Sorce wrote:
>> On 01/10/15 03:15, Petr Spacek wrote:
>>> On 30.9.2015 20:36, Matt Wells wrote:
>>>> Hi all, I hoped I may glean some brilliance from the group.
>>>> I have a Freeipa Server sitting atop a Fedora 21 server. The
>>>> initial plan
>>>> was to replicate users+passwords with Windows 2012R2 server but
>>>> following
>>>> some of the information in the other posts and docs we've moved to a
>>>> trust. The trust has been setup using the documentation and in
>>>> short it's
>>>> worked without issue. I'm able to get principles from the Windows
>>>> realm (
>>>> marvel.comics.com). So what I'm attempting and failing to do is
>>>> authenticating my IPA users to the Windows 8 desktops. Ideally I don't
>>>> want any users in AD, it's simply there to deliver a GPO and in the
>>>> next
>>>> year it will be phased out and we'll be replacing Windows 8 with linux
>>>> desktops.
>>>>
>>>> So
>>>> marvel.comics.com = windows
>>>> dc.comics.com = freeipa
>>>>
>>>> # rpm -qi freeipa-server
>>>> Name : freeipa-server
>>>> Version : 4.1.4
>>>> Release : 1.fc21
>>>> Architecture: x86_64
>>>> Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
>>>> Group : System Environment/Base
>>>> Size : 4521059
>>>> License : GPLv3+
>>>> Signature : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
>>>> 89ad4e8795a43f54
>>>> Source RPM : freeipa-4.1.4-1.fc21.src.rpm
>>>> Build Date : Thu 26 Mar 2015 03:16:19 PM UTC
>>>> Build Host : buildhw-07.phx2.fedoraproject.org
>>>> [root at freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
>>>> Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon
>>>> Aug 17
>>>> 22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>>> [root at freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
>>>> Fedora release 21 (Twenty One)
>>>>
>>>> To cut to the chase here's me logging into a Windows 8 desktop
>>>> system. I
>>>> try to login 3 different ways; this system is a member of the marvel
>>>> domain. Time is extremely close, close enough that I feel really good
>>>> about ruling it out. Any light you all could shed on this would be
>>>> outstanding. Thank you all for your time on this, I really
>>>> appreciate all
>>>> the time and effort this team puts into reading these posts.
>>>>
>>>> Username: dc/greenlantern
>>>> Password: ************
>>>>
>>>> [root at freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i
>>>> greenlantern
>>>> [30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH
>>>> base="dc=dc,dc=comics,dc=com" scope=2
>>>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
>>>>
>>>> )(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
>>>> krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>>>> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
>>>> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
>>>> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
>>>> krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
>>>> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
>>>> passwordHistory ipaKrbAuthzData ipaUserAuthType
>>>> ipatokenRadiusConfigLink
>>>> objectClass"
>>>>
>>>> Username: greenlanter at dc
>>>> Password: ************
>>>>
>>>>
>>>> [30/Sep/2015:17:59:48 +0000] conn=1172 op=86 SRCH
>>>> base="dc=dc,dc=comics,dc=com" scope=2
>>>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
>>>>
>>>> )(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
>>>> krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>>>> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
>>>> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
>>>> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
>>>> krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
>>>> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
>>>> passwordHistory ipaKrbAuthzData ipaUserAuthType
>>>> ipatokenRadiusConfigLink
>>>> objectClass"
>>>>
>>>>
>>>> Username: greenlanter at dc.comics.com
>>>> Password: ************
>>>>
>>>> [30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH
>>>> base="dc=dc,dc=comics,dc=com" scope=2
>>>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5C at dc.COMICS.com
>>>>
>>>> @DC.COMICS.COM
>>>> )(krbPrincipalName=greenlantern\5C at dc.COMICS.com@DC.COMICS.COM
>>>> )))" attrs="krbPrincipalName krbCanonicalName
>>>> ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>>>> krbTicketPolicyReference
>>>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>>>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>>>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
>>>> krbExtraData
>>>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>>>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>>>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>>>
>>>>
>>>>> From what I can tell, everything looks good to wbinfo; we see the
>>>>> domain
>>>> and he see's us. In the AD trust I can go under the trust and
>>>> validate the
>>>> trust with no issues.
>>>> [root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --online-status
>>>> BUILTIN : online
>>>> DC : online
>>>> MARVEL : online
>>>> [root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
>>>> marvel.comics.com
>>>> Name : MARVEL
>>>> Alt_Name : marvel.comics.com
>>>> SID : S-1-5-21-3495301974-2766379234-3984916731
>>>> Active Directory : Yes
>>>> Native : Yes
>>>> Primary : No
>>>> [root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo -n
>>>> 'MARVEL.COMICS.COM\Domain
>>>> Admins'
>>>> S-1-5-21-3495301974-2766379234-3984916731-512 SID_DOM_GROUP (2)
>>>> [root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
>>>> marvel.comics.com
>>>> Name : MARVEL
>>>> Alt_Name : marvel.comics.com
>>>> SID : S-1-5-21-3495301974-2766379234-3984916731
>>>> Active Directory : Yes
>>>> Native : Yes
>>>> Primary : No
>>>
>>> Unfortunately you will not be able to log into Windows workstations
>>> using IPA
>>> users because FreeIPA is (at the moment) missing Global Catalog
>>> component
>>> which prevents Windows from working with IPA users.
>>>
>>> It should work the other way around, but there is nothing you can do
>>> at the
>>> moment to make it working with IPA users in Windows. Global Catalog
>>> is several
>>> months away in the best case.
>>
>> This is not entirely true.
>> There is no way to add IPA SIDs to the relevant authorization groups
>> using the GUI tools in AD, but technically you can do that using
>> command line tools and pasting in SIDs directly.
>> Authentication would be possible then, however Windows clients will
>> never be able to resolve SID to Names, so looking at file permissions
>> you will not be able to see user names, but only SIDs for IPA users.
>> Some tools that may depend on SID->Name translation may also fail in
>> unexpected ways.
> practically, you will not be able to login into Windows workstations
> because login screen will have to do Name->SID translation which it
> wouldn't be able to do.
I do not think this is really true, I tested a while back that the PAC
is used for Name -> SID of the logging in user, but I do not know if all
versions of Windows will work flawlessly this way.
>> This is why we do not recommend to try this, but it is technically
>> possible if you know very well how to handle everything through
>> Windows CLIs (I don't so don't ask :-)
> It will not work for Name->SID translations, thus making it practially
> unusable.
It really depends on what you are doing, but I agree it will have
issues, therefore we do not recommend it.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
From mbabinsk at redhat.com Fri Oct 2 13:27:03 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 2 Oct 2015 15:27:03 +0200
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To:
References:
Message-ID: <560E8627.2030404@redhat.com>
On 10/02/2015 02:52 PM, Fujisan wrote:
> More info:
>
> I can initiate a ticket:
> $ kdestroy
> $ kinit admin
>
> but cannot view user admin:
> $ ipa user-show admin
> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>
> $ ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> /var/log/messages:
> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
> check failed. Unable to create GSSAPI-encrypted LDAP connection.
>
>
>
> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan > wrote:
>
> Hello,
>
> I cannot login to the web UI anymore.
>
> The password or username you entered is incorrect.
>
> Log says:
>
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
> {18 17 16 23 25 26 1 3 2}) 10.0.21.18 :
> NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA,
> Additional pre-authentication required
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
> (encrypted_timestamp) verify failure: Decrypt integrity check failed
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
> {18 17 16 23 25 26 1 3 2}) 10.0.21.18 :
> PREAUTH_FAILED: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA,
> Decrypt integrity check failed
> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>
>
> I have no idea what went wrong.
>
> What can I do?
>
> ?Regards,
> Fuji?
>
>
>
>
What version of FreeIPA are you running?
--
Martin^3 Babinsky
From fujisan43 at gmail.com Fri Oct 2 13:33:58 2015
From: fujisan43 at gmail.com (Fujisan)
Date: Fri, 2 Oct 2015 15:33:58 +0200
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To: <560E8627.2030404@redhat.com>
References:
<560E8627.2030404@redhat.com>
Message-ID:
Sorry. I'm running the latest one, 4.1.4.
On Fri, Oct 2, 2015 at 3:27 PM, Martin Babinsky wrote:
> On 10/02/2015 02:52 PM, Fujisan wrote:
>
>> More info:
>>
>> I can initiate a ticket:
>> $ kdestroy
>> $ kinit admin
>>
>> but cannot view user admin:
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>> Unauthorized
>>
>> $ ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> ipa_memcached Service: RUNNING
>> httpd Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> smb Service: RUNNING
>> winbind Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>> /var/log/messages:
>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>> check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>
>>
>>
>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan > > wrote:
>>
>> Hello,
>>
>> I cannot login to the web UI anymore.
>>
>> The password or username you entered is incorrect.
>>
>> Log says:
>>
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>> {18 17 16 23 25 26 1 3 2}) 10.0.21.18 :
>> NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA,
>> Additional pre-authentication required
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>> (encrypted_timestamp) verify failure: Decrypt integrity check failed
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>> {18 17 16 23 25 26 1 3 2}) 10.0.21.18 :
>> PREAUTH_FAILED: HTTP/zaira2.opera at OPERA for krbtgt/OPERA at OPERA,
>> Decrypt integrity check failed
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>
>>
>> I have no idea what went wrong.
>>
>> What can I do?
>>
>> ?Regards,
>> Fuji?
>>
>>
>>
>>
>> What version of FreeIPA are you running?
>
> --
> Martin^3 Babinsky
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From andrewm659 at yahoo.com Fri Oct 2 13:29:33 2015
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Fri, 2 Oct 2015 13:29:33 +0000 (UTC)
Subject: [Freeipa-users] FreeIPA install
In-Reply-To: <560E3BB3.5070103@redhat.com>
References: <49946488.84105.1443752138529.JavaMail.yahoo@mail.yahoo.com>
<560E3BB3.5070103@redhat.com>
Message-ID: <135413725.253302.1443792573727.JavaMail.yahoo@mail.yahoo.com>
I tried to clear them out of the preferences. ?No go.Still getting this:
Secure Connection Failed
An error occurred during a connection to asm-dns01.borg.local. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial)
? ? The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.? ? Please contact the website owners to inform them of this problem.
On Friday, October 2, 2015 3:09 AM, Martin Kosek wrote:
On 10/02/2015 04:15 AM, Andrew Meyer wrote:
> I just created a new FreeIPA setup at my home and i'm getting the following:
>
> [Thu Oct 01 14:02:10.082255 2015] [core:notice] [pid 18792] AH00094: Command
> line: '/usr/sbin/httpd -D FOREGROUND'
> [Thu Oct 01 14:02:14.742680 2015] [:error] [pid 18795] ipa: INFO: *** PROCESS
> START ***
> [Thu Oct 01 14:02:14.745250 2015] [:error] [pid 18794] ipa: INFO: *** PROCESS
> START ***
> [Thu Oct 01 14:02:42.984969 2015] [:error] [pid 18798] SSL Library Error:
> -12271 SSL client cannot verify your certificate
> [Thu Oct 01 15:21:56.837422 2015] [:error] [pid 18801] SSL Library Error:
> -12271 SSL client cannot verify your certificate
>
> I tried running the ipa-manage-cacert to generate a new one and install it.
> But no go.
>
> Running CentOS 7.1 with latest updates.? Is there a bug in generating the SSL cert?
>
>
>
This rather seems that your client browser does not trust FreeIPA CA certificate.
Related thread:
https://www.redhat.com/archives/freeipa-devel/2009-June/msg00188.html
More related info:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/using-the-ui.html#config-browser
Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From abokovoy at redhat.com Fri Oct 2 13:43:00 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 2 Oct 2015 16:43:00 +0300
Subject: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops
In-Reply-To: <560E8422.60709@redhat.com>
References:
<560CDD7C.8090804@redhat.com> <560D5A68.7070608@redhat.com>
<20151002080639.GI4971@redhat.com> <560E8422.60709@redhat.com>
Message-ID: <20151002134300.GA5035@redhat.com>
On Fri, 02 Oct 2015, Simo Sorce wrote:
>On 02/10/15 04:06, Alexander Bokovoy wrote:
>>On Thu, 01 Oct 2015, Simo Sorce wrote:
>>>On 01/10/15 03:15, Petr Spacek wrote:
>>>>On 30.9.2015 20:36, Matt Wells wrote:
>>>>>Hi all, I hoped I may glean some brilliance from the group.
>>>>>I have a Freeipa Server sitting atop a Fedora 21 server. The
>>>>>initial plan
>>>>>was to replicate users+passwords with Windows 2012R2 server but
>>>>>following
>>>>>some of the information in the other posts and docs we've moved to a
>>>>>trust. The trust has been setup using the documentation and in
>>>>>short it's
>>>>>worked without issue. I'm able to get principles from the Windows
>>>>>realm (
>>>>>marvel.comics.com). So what I'm attempting and failing to do is
>>>>>authenticating my IPA users to the Windows 8 desktops. Ideally I don't
>>>>>want any users in AD, it's simply there to deliver a GPO and in the
>>>>>next
>>>>>year it will be phased out and we'll be replacing Windows 8 with linux
>>>>>desktops.
>>>>>
>>>>>So
>>>>>marvel.comics.com = windows
>>>>>dc.comics.com = freeipa
>>>>>
>>>>># rpm -qi freeipa-server
>>>>>Name : freeipa-server
>>>>>Version : 4.1.4
>>>>>Release : 1.fc21
>>>>>Architecture: x86_64
>>>>>Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
>>>>>Group : System Environment/Base
>>>>>Size : 4521059
>>>>>License : GPLv3+
>>>>>Signature : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
>>>>>89ad4e8795a43f54
>>>>>Source RPM : freeipa-4.1.4-1.fc21.src.rpm
>>>>>Build Date : Thu 26 Mar 2015 03:16:19 PM UTC
>>>>>Build Host : buildhw-07.phx2.fedoraproject.org
>>>>>[root at freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
>>>>>Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon
>>>>>Aug 17
>>>>>22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>>>>[root at freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
>>>>>Fedora release 21 (Twenty One)
>>>>>
>>>>>To cut to the chase here's me logging into a Windows 8 desktop
>>>>>system. I
>>>>>try to login 3 different ways; this system is a member of the marvel
>>>>>domain. Time is extremely close, close enough that I feel really good
>>>>>about ruling it out. Any light you all could shed on this would be
>>>>>outstanding. Thank you all for your time on this, I really
>>>>>appreciate all
>>>>>the time and effort this team puts into reading these posts.
>>>>>
>>>>>Username: dc/greenlantern
>>>>>Password: ************
>>>>>
>>>>>[root at freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i
>>>>>greenlantern
>>>>>[30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH
>>>>>base="dc=dc,dc=comics,dc=com" scope=2
>>>>>filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
>>>>>
>>>>>)(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
>>>>>krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>>>>>krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
>>>>>krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
>>>>>krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
>>>>>krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
>>>>>krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
>>>>>passwordHistory ipaKrbAuthzData ipaUserAuthType
>>>>>ipatokenRadiusConfigLink
>>>>>objectClass"
>>>>>
>>>>>Username: greenlanter at dc
>>>>>Password: ************
>>>>>
>>>>>
>>>>>[30/Sep/2015:17:59:48 +0000] conn=1172 op=86 SRCH
>>>>>base="dc=dc,dc=comics,dc=com" scope=2
>>>>>filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
>>>>>
>>>>>)(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
>>>>>krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>>>>>krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
>>>>>krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
>>>>>krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
>>>>>krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
>>>>>krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
>>>>>passwordHistory ipaKrbAuthzData ipaUserAuthType
>>>>>ipatokenRadiusConfigLink
>>>>>objectClass"
>>>>>
>>>>>
>>>>>Username: greenlanter at dc.comics.com
>>>>>Password: ************
>>>>>
>>>>>[30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH
>>>>>base="dc=dc,dc=comics,dc=com" scope=2
>>>>>filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5C at dc.COMICS.com
>>>>>
>>>>>@DC.COMICS.COM
>>>>>)(krbPrincipalName=greenlantern\5C at dc.COMICS.com@DC.COMICS.COM
>>>>>)))" attrs="krbPrincipalName krbCanonicalName
>>>>>ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>>>>>krbTicketPolicyReference
>>>>>krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>>>>>krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>>>>>krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
>>>>>krbExtraData
>>>>>krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>>>>>krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>>>>>ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>>>>
>>>>>
>>>>>>From what I can tell, everything looks good to wbinfo; we see the
>>>>>>domain
>>>>>and he see's us. In the AD trust I can go under the trust and
>>>>>validate the
>>>>>trust with no issues.
>>>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --online-status
>>>>>BUILTIN : online
>>>>>DC : online
>>>>>MARVEL : online
>>>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
>>>>>marvel.comics.com
>>>>>Name : MARVEL
>>>>>Alt_Name : marvel.comics.com
>>>>>SID : S-1-5-21-3495301974-2766379234-3984916731
>>>>>Active Directory : Yes
>>>>>Native : Yes
>>>>>Primary : No
>>>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo -n
>>>>>'MARVEL.COMICS.COM\Domain
>>>>>Admins'
>>>>>S-1-5-21-3495301974-2766379234-3984916731-512 SID_DOM_GROUP (2)
>>>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
>>>>>marvel.comics.com
>>>>>Name : MARVEL
>>>>>Alt_Name : marvel.comics.com
>>>>>SID : S-1-5-21-3495301974-2766379234-3984916731
>>>>>Active Directory : Yes
>>>>>Native : Yes
>>>>>Primary : No
>>>>
>>>>Unfortunately you will not be able to log into Windows workstations
>>>>using IPA
>>>>users because FreeIPA is (at the moment) missing Global Catalog
>>>>component
>>>>which prevents Windows from working with IPA users.
>>>>
>>>>It should work the other way around, but there is nothing you can do
>>>>at the
>>>>moment to make it working with IPA users in Windows. Global Catalog
>>>>is several
>>>>months away in the best case.
>>>
>>>This is not entirely true.
>>>There is no way to add IPA SIDs to the relevant authorization groups
>>>using the GUI tools in AD, but technically you can do that using
>>>command line tools and pasting in SIDs directly.
>>>Authentication would be possible then, however Windows clients will
>>>never be able to resolve SID to Names, so looking at file permissions
>>>you will not be able to see user names, but only SIDs for IPA users.
>>>Some tools that may depend on SID->Name translation may also fail in
>>>unexpected ways.
>>practically, you will not be able to login into Windows workstations
>>because login screen will have to do Name->SID translation which it
>>wouldn't be able to do.
>
>I do not think this is really true, I tested a while back that the PAC
>is used for Name -> SID of the logging in user, but I do not know if
>all versions of Windows will work flawlessly this way.
At least Windows Server 2012 does following when I try to login
interactively as EXAMPLE\admin (IPA admin) or admin at EXAMPLE.COM:
16:34:20.903405 IP (tos 0x2,ECT(0), ttl 128, id 18136, offset 0, flags [DF], proto TCP (6), length 52)
wdc.adx.test.63757 > m1.example.com.kerberos: Flags [SEW], cksum 0xe350 (correct), seq 713019514, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:34:20.903539 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
m1.example.com.kerberos > wdc.adx.test.63757: Flags [S.], cksum 0x76c6 (incorrect -> 0xb654), seq 1716548939, ack 713019515, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:34:20.903674 IP (tos 0x0, ttl 128, id 18137, offset 0, flags [DF], proto TCP (6), length 40)
wdc.adx.test.63757 > m1.example.com.kerberos: Flags [.], cksum 0x6837 (correct), seq 1, ack 1, win 256, length 0
16:34:20.903788 IP (tos 0x0, ttl 128, id 18138, offset 0, flags [DF], proto TCP (6), length 259)
wdc.adx.test.63757 > m1.example.com.kerberos: Flags [P.], cksum 0xe08f (correct), seq 1:220, ack 1, win 256, length 219
16:34:20.903821 IP (tos 0x0, ttl 64, id 40856, offset 0, flags [DF], proto TCP (6), length 40)
m1.example.com.kerberos > wdc.adx.test.63757: Flags [.], cksum 0x76ba (incorrect -> 0x676f), seq 1, ack 220, win 237, length 0
16:34:20.904727 IP (tos 0x0, ttl 64, id 40857, offset 0, flags [DF] proto TCP (6), length 202)
m1.example.com.kerberos > wdc.adx.test.63757: Flags [P.], cksum 0x775c (incorrect -> 0x89b3), seq 1:163, ack 220, win 237, length 162
16:34:20.904778 IP (tos 0x0, ttl 64, id 40858, offset 0, flags [DF], proto TCP (6), length 40)
m1.example.com.kerberos > wdc.adx.test.63757: Flags [F.], cksum 0x76ba (incorrect -> 0x66cc), seq 163, ack 220, win 237, length 0
16:34:20.904917 IP (tos 0x0, ttl 128, id 18139, offset 0, flags [DF], proto TCP (6), length 40)
wdc.adx.test.63757 > m1.example.com.kerberos: Flags [.], cksum 0x66b9 (correct), seq 220, ack 164, win 256, length 0
16:34:20.905073 IP (tos 0x0, ttl 128, id 18140, offset 0, flags [DF], proto TCP (6), length 40)
wdc.adx.test.63757 > m1.example.com.kerberos: Flags [F.], cksum 0x66b8 (correct), seq 220, ack 164, win 256, length 0
16:34:20.905133 IP (tos 0x0, ttl 64, id 33156, offset 0, flags [DF], proto TCP (6), length 40)
m1.example.com.kerberos > wdc.adx.test.63757: Flags [.], cksum 0x66cb (correct), seq 164, ack 221, win 237, length 0
16:34:20.906033 IP (tos 0x0, ttl 128, id 18141, offset 0, flags [none], proto UDP (17), length 217)
wdc.adx.test.50485 > m1.example.com.ldap: [udp sum ok] UDP, length 189
16:34:20.906434 IP (tos 0x0, ttl 64, id 64131, offset 0, flags [DF], proto UDP (17), length 190)
m1.example.com.ldap > wdc.adx.test.50485: [bad udp cksum 0x775b -> 0xa778!] UDP, length 162
E.g. it tried to talk to IPA KDC and when failed, it did CLDAP ping to
pick up information about IPA domain.
KDC log has following:
Oct 02 13:33:41 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.122.235: CLIENT_NOT_FOUND: admin at EXAMPLE for krbtgt/EXAMPLE at EXAMPLE, Client not found in Kerberos database
Oct 02 13:33:41 m1.example.com krb5kdc[924](info): closing down fd 12
Oct 02 13:34:20 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.122.235: CLIENT_NOT_FOUND: admin at EXAMPLE for krbtgt/EXAMPLE at EXAMPLE, Client not found in Kerberos database
Oct 02 13:34:20 m1.example.com krb5kdc[924](info): closing down fd 12
Oct 02 13:35:08 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.122.235: CLIENT_NOT_FOUND: admin\@EXAMPLE.COM at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Client not found in Kerberos database
Oct 02 13:35:08 m1.example.com krb5kdc[924](info): closing down fd 12
This is something more reasonable -- e.g. our DAL driver doesn't support
domain flat name as a realm and doesn't support proper handling of
enterprise principals. This is something I have patches for to cover
trusted forests' realms but not our own. Maybe this is worth to
investigate first.
--
/ Alexander Bokovoy
From abokovoy at redhat.com Fri Oct 2 13:45:58 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 2 Oct 2015 16:45:58 +0300
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To:
References:
Message-ID: <20151002134558.GB5035@redhat.com>
On Fri, 02 Oct 2015, Fujisan wrote:
>More info:
>
>I can initiate a ticket:
>$ kdestroy
>$ kinit admin
>
>but cannot view user admin:
>$ ipa user-show admin
>ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>
>$ ipactl status
>Directory Service: RUNNING
>krb5kdc Service: RUNNING
>kadmin Service: RUNNING
>named Service: RUNNING
>ipa_memcached Service: RUNNING
>httpd Service: RUNNING
>pki-tomcatd Service: RUNNING
>smb Service: RUNNING
>winbind Service: RUNNING
>ipa-otpd Service: RUNNING
>ipa-dnskeysyncd Service: RUNNING
>ipa: INFO: The ipactl command was successful
>
>/var/log/messages:
>Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check
>failed. Unable to create GSSAPI-encrypted LDAP connection.
What did you do?
This and the log below about HTTP/zaira2.opera at OPERA show that you have
different keys in LDAP and in your keytab files for host/zaira2.opera
and HTTP/zaira2.opera principals. This might happen if somebody removed
the principals from LDAP (ipa service-del/ipa service-add, or ipa
host-del/ipa host-add) so that they become non-synchronized with
whatever you have in the keytab files.
>On Fri, Oct 2, 2015 at 2:26 PM, Fujisan wrote:
>
>> Hello,
>>
>> I cannot login to the web UI anymore.
>>
>> The password or username you entered is incorrect.
>>
>> Log says:
>>
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA
>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>> (encrypted_timestamp) verify failure: Decrypt integrity check failed
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera at OPERA
>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>
>>
>> I have no idea what went wrong.
>>
>> What can I do?
>>
>> ?Regards,
>> Fuji?
>>
>>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project
--
/ Alexander Bokovoy
From andrewm659 at yahoo.com Fri Oct 2 13:41:52 2015
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Fri, 2 Oct 2015 13:41:52 +0000 (UTC)
Subject: [Freeipa-users] FreeIPA install
In-Reply-To: <560E3BB3.5070103@redhat.com>
References: <49946488.84105.1443752138529.JavaMail.yahoo@mail.yahoo.com>
<560E3BB3.5070103@redhat.com>
Message-ID: <184547654.266809.1443793312510.JavaMail.yahoo@mail.yahoo.com>
works in chrome and not firefox, creating new FF profile.
On Friday, October 2, 2015 3:09 AM, Martin Kosek wrote:
On 10/02/2015 04:15 AM, Andrew Meyer wrote:
> I just created a new FreeIPA setup at my home and i'm getting the following:
>
> [Thu Oct 01 14:02:10.082255 2015] [core:notice] [pid 18792] AH00094: Command
> line: '/usr/sbin/httpd -D FOREGROUND'
> [Thu Oct 01 14:02:14.742680 2015] [:error] [pid 18795] ipa: INFO: *** PROCESS
> START ***
> [Thu Oct 01 14:02:14.745250 2015] [:error] [pid 18794] ipa: INFO: *** PROCESS
> START ***
> [Thu Oct 01 14:02:42.984969 2015] [:error] [pid 18798] SSL Library Error:
> -12271 SSL client cannot verify your certificate
> [Thu Oct 01 15:21:56.837422 2015] [:error] [pid 18801] SSL Library Error:
> -12271 SSL client cannot verify your certificate
>
> I tried running the ipa-manage-cacert to generate a new one and install it.
> But no go.
>
> Running CentOS 7.1 with latest updates.? Is there a bug in generating the SSL cert?
>
>
>
This rather seems that your client browser does not trust FreeIPA CA certificate.
Related thread:
https://www.redhat.com/archives/freeipa-devel/2009-June/msg00188.html
More related info:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/using-the-ui.html#config-browser
Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From mbasti at redhat.com Fri Oct 2 13:50:16 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 2 Oct 2015 15:50:16 +0200
Subject: [Freeipa-users] FreeIPA install
In-Reply-To: <184547654.266809.1443793312510.JavaMail.yahoo@mail.yahoo.com>
References: <49946488.84105.1443752138529.JavaMail.yahoo@mail.yahoo.com>
<560E3BB3.5070103@redhat.com>
<184547654.266809.1443793312510.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <560E8B98.6060106@redhat.com>
On 10/02/2015 03:41 PM, Andrew Meyer wrote:
> works in chrome and not firefox, creating new FF profile.
>
Hi,
try to remove IPA certificates from firefox in ff settings
Martin
>
>
> On Friday, October 2, 2015 3:09 AM, Martin Kosek
> wrote:
>
>
>
> On 10/02/2015 04:15 AM, Andrew Meyer wrote:
>
> > I just created a new FreeIPA setup at my home and i'm getting
> the following:
> >
> > [Thu Oct 01 14:02:10.082255 2015] [core:notice] [pid 18792]
> AH00094: Command
> > line: '/usr/sbin/httpd -D FOREGROUND'
> > [Thu Oct 01 14:02:14.742680 2015] [:error] [pid 18795] ipa:
> INFO: *** PROCESS
> > START ***
> > [Thu Oct 01 14:02:14.745250 2015] [:error] [pid 18794] ipa:
> INFO: *** PROCESS
> > START ***
> > [Thu Oct 01 14:02:42.984969 2015] [:error] [pid 18798] SSL
> Library Error:
> > -12271 SSL client cannot verify your certificate
> > [Thu Oct 01 15:21:56.837422 2015] [:error] [pid 18801] SSL
> Library Error:
> > -12271 SSL client cannot verify your certificate
> >
> > I tried running the ipa-manage-cacert to generate a new one and
> install it.
> > But no go.
> >
> > Running CentOS 7.1 with latest updates. Is there a bug in
> generating the SSL cert?
>
> >
> >
> >
>
> This rather seems that your client browser does not trust FreeIPA
> CA certificate.
>
> Related thread:
> https://www.redhat.com/archives/freeipa-devel/2009-June/msg00188.html
>
> More related info:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/using-the-ui.html#config-browser
>
> Martin
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From aebruno2 at buffalo.edu Fri Oct 2 13:56:47 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Fri, 2 Oct 2015 09:56:47 -0400
Subject: [Freeipa-users] re-initialize replica
Message-ID: <20151002135647.GA18409@dead.ccr.buffalo.edu>
What's the best way to re-initialize a replica?
Suppose one of your replicas goes south.. is there a command to tell
that replicate to re-initialize from the first master (instead of
removing/re-adding the replica from the topology)?
Thanks,
--Andrew
From abokovoy at redhat.com Fri Oct 2 14:03:04 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 2 Oct 2015 17:03:04 +0300
Subject: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops
In-Reply-To: <560E8422.60709@redhat.com>
References:
<560CDD7C.8090804@redhat.com> <560D5A68.7070608@redhat.com>
<20151002080639.GI4971@redhat.com> <560E8422.60709@redhat.com>
Message-ID: <20151002140304.GC5035@redhat.com>
On Fri, 02 Oct 2015, Simo Sorce wrote:
>On 02/10/15 04:06, Alexander Bokovoy wrote:
>>On Thu, 01 Oct 2015, Simo Sorce wrote:
>>>On 01/10/15 03:15, Petr Spacek wrote:
>>>>On 30.9.2015 20:36, Matt Wells wrote:
>>>>>Hi all, I hoped I may glean some brilliance from the group.
>>>>>I have a Freeipa Server sitting atop a Fedora 21 server. The
>>>>>initial plan
>>>>>was to replicate users+passwords with Windows 2012R2 server but
>>>>>following
>>>>>some of the information in the other posts and docs we've moved to a
>>>>>trust. The trust has been setup using the documentation and in
>>>>>short it's
>>>>>worked without issue. I'm able to get principles from the Windows
>>>>>realm (
>>>>>marvel.comics.com). So what I'm attempting and failing to do is
>>>>>authenticating my IPA users to the Windows 8 desktops. Ideally I don't
>>>>>want any users in AD, it's simply there to deliver a GPO and in the
>>>>>next
>>>>>year it will be phased out and we'll be replacing Windows 8 with linux
>>>>>desktops.
>>>>>
>>>>>So
>>>>>marvel.comics.com = windows
>>>>>dc.comics.com = freeipa
>>>>>
>>>>># rpm -qi freeipa-server
>>>>>Name : freeipa-server
>>>>>Version : 4.1.4
>>>>>Release : 1.fc21
>>>>>Architecture: x86_64
>>>>>Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
>>>>>Group : System Environment/Base
>>>>>Size : 4521059
>>>>>License : GPLv3+
>>>>>Signature : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
>>>>>89ad4e8795a43f54
>>>>>Source RPM : freeipa-4.1.4-1.fc21.src.rpm
>>>>>Build Date : Thu 26 Mar 2015 03:16:19 PM UTC
>>>>>Build Host : buildhw-07.phx2.fedoraproject.org
>>>>>[root at freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
>>>>>Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon
>>>>>Aug 17
>>>>>22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>>>>[root at freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
>>>>>Fedora release 21 (Twenty One)
>>>>>
>>>>>To cut to the chase here's me logging into a Windows 8 desktop
>>>>>system. I
>>>>>try to login 3 different ways; this system is a member of the marvel
>>>>>domain. Time is extremely close, close enough that I feel really good
>>>>>about ruling it out. Any light you all could shed on this would be
>>>>>outstanding. Thank you all for your time on this, I really
>>>>>appreciate all
>>>>>the time and effort this team puts into reading these posts.
>>>>>
>>>>>Username: dc/greenlantern
>>>>>Password: ************
>>>>>
>>>>>[root at freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i
>>>>>greenlantern
>>>>>[30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH
>>>>>base="dc=dc,dc=comics,dc=com" scope=2
>>>>>filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
>>>>>
>>>>>)(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
>>>>>krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>>>>>krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
>>>>>krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
>>>>>krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
>>>>>krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
>>>>>krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
>>>>>passwordHistory ipaKrbAuthzData ipaUserAuthType
>>>>>ipatokenRadiusConfigLink
>>>>>objectClass"
>>>>>
>>>>>Username: greenlanter at dc
>>>>>Password: ************
>>>>>
>>>>>
>>>>>[30/Sep/2015:17:59:48 +0000] conn=1172 op=86 SRCH
>>>>>base="dc=dc,dc=comics,dc=com" scope=2
>>>>>filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
>>>>>
>>>>>)(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
>>>>>krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>>>>>krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
>>>>>krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
>>>>>krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
>>>>>krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
>>>>>krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
>>>>>passwordHistory ipaKrbAuthzData ipaUserAuthType
>>>>>ipatokenRadiusConfigLink
>>>>>objectClass"
>>>>>
>>>>>
>>>>>Username: greenlanter at dc.comics.com
>>>>>Password: ************
>>>>>
>>>>>[30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH
>>>>>base="dc=dc,dc=comics,dc=com" scope=2
>>>>>filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5C at dc.COMICS.com
>>>>>
>>>>>@DC.COMICS.COM
>>>>>)(krbPrincipalName=greenlantern\5C at dc.COMICS.com@DC.COMICS.COM
>>>>>)))" attrs="krbPrincipalName krbCanonicalName
>>>>>ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>>>>>krbTicketPolicyReference
>>>>>krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>>>>>krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>>>>>krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
>>>>>krbExtraData
>>>>>krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>>>>>krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>>>>>ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>>>>
>>>>>
>>>>>>From what I can tell, everything looks good to wbinfo; we see the
>>>>>>domain
>>>>>and he see's us. In the AD trust I can go under the trust and
>>>>>validate the
>>>>>trust with no issues.
>>>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --online-status
>>>>>BUILTIN : online
>>>>>DC : online
>>>>>MARVEL : online
>>>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
>>>>>marvel.comics.com
>>>>>Name : MARVEL
>>>>>Alt_Name : marvel.comics.com
>>>>>SID : S-1-5-21-3495301974-2766379234-3984916731
>>>>>Active Directory : Yes
>>>>>Native : Yes
>>>>>Primary : No
>>>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo -n
>>>>>'MARVEL.COMICS.COM\Domain
>>>>>Admins'
>>>>>S-1-5-21-3495301974-2766379234-3984916731-512 SID_DOM_GROUP (2)
>>>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
>>>>>marvel.comics.com
>>>>>Name : MARVEL
>>>>>Alt_Name : marvel.comics.com
>>>>>SID : S-1-5-21-3495301974-2766379234-3984916731
>>>>>Active Directory : Yes
>>>>>Native : Yes
>>>>>Primary : No
>>>>
>>>>Unfortunately you will not be able to log into Windows workstations
>>>>using IPA
>>>>users because FreeIPA is (at the moment) missing Global Catalog
>>>>component
>>>>which prevents Windows from working with IPA users.
>>>>
>>>>It should work the other way around, but there is nothing you can do
>>>>at the
>>>>moment to make it working with IPA users in Windows. Global Catalog
>>>>is several
>>>>months away in the best case.
>>>
>>>This is not entirely true.
>>>There is no way to add IPA SIDs to the relevant authorization groups
>>>using the GUI tools in AD, but technically you can do that using
>>>command line tools and pasting in SIDs directly.
>>>Authentication would be possible then, however Windows clients will
>>>never be able to resolve SID to Names, so looking at file permissions
>>>you will not be able to see user names, but only SIDs for IPA users.
>>>Some tools that may depend on SID->Name translation may also fail in
>>>unexpected ways.
>>practically, you will not be able to login into Windows workstations
>>because login screen will have to do Name->SID translation which it
>>wouldn't be able to do.
>
>I do not think this is really true, I tested a while back that the PAC
>is used for Name -> SID of the logging in user, but I do not know if
>all versions of Windows will work flawlessly this way.
When I tried to login as EXAMPLE.COM\admin (my IPA admin) to Windows
Server 2012 over two-way trust, I've got following message:
https://abbra.fedorapeople.org/.paste/wrong-sign-in-method.png
This simply means EXAMPLE.COM\admin lacks interactive logon rights
because nobody assigned them. I agree that theoretically one could
assign them one way or another but this has to be done manually for
every IPA member (via some group's SID?) and at every machine in the
domain to even check whether we'll be able to proceed further and find
out that we need Global Catalog to continue. ;)
--
/ Alexander Bokovoy
From fujisan43 at gmail.com Fri Oct 2 14:06:00 2015
From: fujisan43 at gmail.com (Fujisan)
Date: Fri, 2 Oct 2015 16:06:00 +0200
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To: <20151002134558.GB5035@redhat.com>
References:
<20151002134558.GB5035@redhat.com>
Message-ID:
Well, I think I messed up when trying to configure cockpit to use kerberos.
What should I do to fix this?
I have this on the ipa server:
$ klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
2 host/zaira2.opera at OPERA
2 host/zaira2.opera at OPERA
2 host/zaira2.opera at OPERA
2 host/zaira2.opera at OPERA
1 nfs/zaira2.opera at OPERA
1 nfs/zaira2.opera at OPERA
1 nfs/zaira2.opera at OPERA
1 nfs/zaira2.opera at OPERA
3 HTTP/zaira2.opera at OPERA
3 HTTP/zaira2.opera at OPERA
3 HTTP/zaira2.opera at OPERA
3 HTTP/zaira2.opera at OPERA
On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy
wrote:
> On Fri, 02 Oct 2015, Fujisan wrote:
>
>> More info:
>>
>> I can initiate a ticket:
>> $ kdestroy
>> $ kinit admin
>>
>> but cannot view user admin:
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>> Unauthorized
>>
>> $ ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> ipa_memcached Service: RUNNING
>> httpd Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> smb Service: RUNNING
>> winbind Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>> /var/log/messages:
>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>> check
>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>
> What did you do?
>
> This and the log below about HTTP/zaira2.opera at OPERA show that you have
> different keys in LDAP and in your keytab files for host/zaira2.opera
> and HTTP/zaira2.opera principals. This might happen if somebody removed
> the principals from LDAP (ipa service-del/ipa service-add, or ipa
> host-del/ipa host-add) so that they become non-synchronized with
> whatever you have in the keytab files.
>
>
> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan wrote:
>>
>> Hello,
>>>
>>> I cannot login to the web UI anymore.
>>>
>>> The password or username you entered is incorrect.
>>>
>>> Log says:
>>>
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA
>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>> (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera at OPERA
>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>
>>>
>>> I have no idea what went wrong.
>>>
>>> What can I do?
>>>
>>> ?Regards,
>>> Fuji?
>>>
>>>
>>>
> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
> --
> / Alexander Bokovoy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From abokovoy at redhat.com Fri Oct 2 14:25:25 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 2 Oct 2015 17:25:25 +0300
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To:
References:
<20151002134558.GB5035@redhat.com>
Message-ID: <20151002142525.GD5035@redhat.com>
On Fri, 02 Oct 2015, Fujisan wrote:
>Well, I think I messed up when trying to configure cockpit to use kerberos.
>
>What should I do to fix this?
>
>I have this on the ipa server:
>$ klist -k
>Keytab name: FILE:/etc/krb5.keytab
>KVNO Principal
>----
>--------------------------------------------------------------------------
> 2 host/zaira2.opera at OPERA
> 2 host/zaira2.opera at OPERA
> 2 host/zaira2.opera at OPERA
> 2 host/zaira2.opera at OPERA
> 1 nfs/zaira2.opera at OPERA
> 1 nfs/zaira2.opera at OPERA
> 1 nfs/zaira2.opera at OPERA
> 1 nfs/zaira2.opera at OPERA
> 3 HTTP/zaira2.opera at OPERA
> 3 HTTP/zaira2.opera at OPERA
> 3 HTTP/zaira2.opera at OPERA
> 3 HTTP/zaira2.opera at OPERA
>
You can start by:
0. backup every file mentioned below
1. Move /etc/krb5.keytab somewhere
2. kinit as admin
3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
4. restart SSSD
5. Move /etc/httpd/conf/ipa.keytab somewhere
6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
7. Restart httpd
Every time you run 'ipa-getkeytab', Kerberos key for the service
specified by you is replaced on the server side so that keys in the
keytabs become unusable.
I guess cockpit instructions were for something that was not supposed to
run on IPA master. On IPA master there are already all needed services
(host/ and HTTP/) and their keytabs are in place.
>
>On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy
>wrote:
>
>> On Fri, 02 Oct 2015, Fujisan wrote:
>>
>>> More info:
>>>
>>> I can initiate a ticket:
>>> $ kdestroy
>>> $ kinit admin
>>>
>>> but cannot view user admin:
>>> $ ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>> Unauthorized
>>>
>>> $ ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> smb Service: RUNNING
>>> winbind Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>>
>>> /var/log/messages:
>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>>> check
>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>
>> What did you do?
>>
>> This and the log below about HTTP/zaira2.opera at OPERA show that you have
>> different keys in LDAP and in your keytab files for host/zaira2.opera
>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>> host-del/ipa host-add) so that they become non-synchronized with
>> whatever you have in the keytab files.
>>
>>
>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan wrote:
>>>
>>> Hello,
>>>>
>>>> I cannot login to the web UI anymore.
>>>>
>>>> The password or username you entered is incorrect.
>>>>
>>>> Log says:
>>>>
>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA
>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>>> (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
>>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera at OPERA
>>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>
>>>>
>>>> I have no idea what went wrong.
>>>>
>>>> What can I do?
>>>>
>>>> ?Regards,
>>>> Fuji?
>>>>
>>>>
>>>>
>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>>
>> --
>> / Alexander Bokovoy
>>
--
/ Alexander Bokovoy
From simo at redhat.com Fri Oct 2 14:33:20 2015
From: simo at redhat.com (Simo Sorce)
Date: Fri, 2 Oct 2015 10:33:20 -0400
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To: <20151002142525.GD5035@redhat.com>
References:
<20151002134558.GB5035@redhat.com>
<20151002142525.GD5035@redhat.com>
Message-ID: <560E95B0.4080602@redhat.com>
On 02/10/15 10:25, Alexander Bokovoy wrote:
> On Fri, 02 Oct 2015, Fujisan wrote:
>> Well, I think I messed up when trying to configure cockpit to use
>> kerberos.
>>
>> What should I do to fix this?
>>
>> I have this on the ipa server:
>> $ klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ----
>> --------------------------------------------------------------------------
>>
>> 2 host/zaira2.opera at OPERA
>> 2 host/zaira2.opera at OPERA
>> 2 host/zaira2.opera at OPERA
>> 2 host/zaira2.opera at OPERA
>> 1 nfs/zaira2.opera at OPERA
>> 1 nfs/zaira2.opera at OPERA
>> 1 nfs/zaira2.opera at OPERA
>> 1 nfs/zaira2.opera at OPERA
>> 3 HTTP/zaira2.opera at OPERA
>> 3 HTTP/zaira2.opera at OPERA
>> 3 HTTP/zaira2.opera at OPERA
>> 3 HTTP/zaira2.opera at OPERA
>>
> You can start by:
> 0. backup every file mentioned below
> 1. Move /etc/krb5.keytab somewhere
> 2. kinit as admin
> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
> 4. restart SSSD
> 5. Move /etc/httpd/conf/ipa.keytab somewhere
> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
> /etc/httpd/conf/ipa.keytab
> 7. Restart httpd
>
> Every time you run 'ipa-getkeytab', Kerberos key for the service
> specified by you is replaced on the server side so that keys in the
> keytabs become unusable.
Note you can use the -r switch to just retrieve (w/o resetting the key)
the HTTP/name key in the ipa.keytab and not move away any keytabs.
Higher kvno will win.
You can use ktutil if you really want to remove keys from /etc/krb5.keytab
HTH,
Simo.
> I guess cockpit instructions were for something that was not supposed to
> run on IPA master. On IPA master there are already all needed services
> (host/ and HTTP/) and their keytabs are in place.
>
>>
>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy
>> wrote:
>>
>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>
>>>> More info:
>>>>
>>>> I can initiate a ticket:
>>>> $ kdestroy
>>>> $ kinit admin
>>>>
>>>> but cannot view user admin:
>>>> $ ipa user-show admin
>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>> Unauthorized
>>>>
>>>> $ ipactl status
>>>> Directory Service: RUNNING
>>>> krb5kdc Service: RUNNING
>>>> kadmin Service: RUNNING
>>>> named Service: RUNNING
>>>> ipa_memcached Service: RUNNING
>>>> httpd Service: RUNNING
>>>> pki-tomcatd Service: RUNNING
>>>> smb Service: RUNNING
>>>> winbind Service: RUNNING
>>>> ipa-otpd Service: RUNNING
>>>> ipa-dnskeysyncd Service: RUNNING
>>>> ipa: INFO: The ipactl command was successful
>>>>
>>>> /var/log/messages:
>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>>>> check
>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>
>>> What did you do?
>>>
>>> This and the log below about HTTP/zaira2.opera at OPERA show that you have
>>> different keys in LDAP and in your keytab files for host/zaira2.opera
>>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>> host-del/ipa host-add) so that they become non-synchronized with
>>> whatever you have in the keytab files.
>>>
>>>
>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan wrote:
>>>>
>>>> Hello,
>>>>>
>>>>> I cannot login to the web UI anymore.
>>>>>
>>>>> The password or username you entered is incorrect.
>>>>>
>>>>> Log says:
>>>>>
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>> {18 17
>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>> HTTP/zaira2.opera at OPERA
>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>>>> (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>> {18 17
>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED:
>>>>> HTTP/zaira2.opera at OPERA
>>>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>
>>>>>
>>>>> I have no idea what went wrong.
>>>>>
>>>>> What can I do?
>>>>>
>>>>> ?Regards,
>>>>> Fuji?
>>>>>
>>>>>
>>>>>
>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>
--
Simo Sorce * Red Hat, Inc * New York
From fujisan43 at gmail.com Fri Oct 2 14:44:50 2015
From: fujisan43 at gmail.com (Fujisan)
Date: Fri, 2 Oct 2015 16:44:50 +0200
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To: <20151002142525.GD5035@redhat.com>
References:
<20151002134558.GB5035@redhat.com>
<20151002142525.GD5035@redhat.com>
Message-ID:
I still cannot login to the web UI.
Here is what I did:
1. mv /etc/krb5.keytab /etc/krb5.keytab.save
2. kinit admin
Password for admin at OPERA:
3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k
/etc/krb5.keytab
4. systemctl restart sssd.service
5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k
/etc/httpd/conf/ipa.keytab
7. systemctl restart httpd.service
The log says now:
Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17
16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA for
krbtgt/OPERA at OPERA, Additional pre-authentication required
On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy
wrote:
> On Fri, 02 Oct 2015, Fujisan wrote:
>
>> Well, I think I messed up when trying to configure cockpit to use
>> kerberos.
>>
>> What should I do to fix this?
>>
>> I have this on the ipa server:
>> $ klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ----
>> --------------------------------------------------------------------------
>> 2 host/zaira2.opera at OPERA
>> 2 host/zaira2.opera at OPERA
>> 2 host/zaira2.opera at OPERA
>> 2 host/zaira2.opera at OPERA
>> 1 nfs/zaira2.opera at OPERA
>> 1 nfs/zaira2.opera at OPERA
>> 1 nfs/zaira2.opera at OPERA
>> 1 nfs/zaira2.opera at OPERA
>> 3 HTTP/zaira2.opera at OPERA
>> 3 HTTP/zaira2.opera at OPERA
>> 3 HTTP/zaira2.opera at OPERA
>> 3 HTTP/zaira2.opera at OPERA
>>
>> You can start by:
> 0. backup every file mentioned below
> 1. Move /etc/krb5.keytab somewhere
> 2. kinit as admin
> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
> 4. restart SSSD
> 5. Move /etc/httpd/conf/ipa.keytab somewhere
> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
> /etc/httpd/conf/ipa.keytab
> 7. Restart httpd
>
> Every time you run 'ipa-getkeytab', Kerberos key for the service
> specified by you is replaced on the server side so that keys in the
> keytabs become unusable.
>
> I guess cockpit instructions were for something that was not supposed to
> run on IPA master. On IPA master there are already all needed services
> (host/ and HTTP/) and their keytabs are in place.
>
>
>
>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy
>> wrote:
>>
>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>
>>> More info:
>>>>
>>>> I can initiate a ticket:
>>>> $ kdestroy
>>>> $ kinit admin
>>>>
>>>> but cannot view user admin:
>>>> $ ipa user-show admin
>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>> Unauthorized
>>>>
>>>> $ ipactl status
>>>> Directory Service: RUNNING
>>>> krb5kdc Service: RUNNING
>>>> kadmin Service: RUNNING
>>>> named Service: RUNNING
>>>> ipa_memcached Service: RUNNING
>>>> httpd Service: RUNNING
>>>> pki-tomcatd Service: RUNNING
>>>> smb Service: RUNNING
>>>> winbind Service: RUNNING
>>>> ipa-otpd Service: RUNNING
>>>> ipa-dnskeysyncd Service: RUNNING
>>>> ipa: INFO: The ipactl command was successful
>>>>
>>>> /var/log/messages:
>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>>>> check
>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>
>>>> What did you do?
>>>
>>> This and the log below about HTTP/zaira2.opera at OPERA show that you have
>>> different keys in LDAP and in your keytab files for host/zaira2.opera
>>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>> host-del/ipa host-add) so that they become non-synchronized with
>>> whatever you have in the keytab files.
>>>
>>>
>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan wrote:
>>>
>>>>
>>>> Hello,
>>>>
>>>>>
>>>>> I cannot login to the web UI anymore.
>>>>>
>>>>> The password or username you entered is incorrect.
>>>>>
>>>>> Log says:
>>>>>
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18
>>>>> 17
>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>> HTTP/zaira2.opera at OPERA
>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>>>> (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18
>>>>> 17
>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED:
>>>>> HTTP/zaira2.opera at OPERA
>>>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>
>>>>>
>>>>> I have no idea what went wrong.
>>>>>
>>>>> What can I do?
>>>>>
>>>>> ?Regards,
>>>>> Fuji?
>>>>>
>>>>>
>>>>>
>>>>> --
>>>
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
> --
> / Alexander Bokovoy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From fujisan43 at gmail.com Fri Oct 2 14:46:36 2015
From: fujisan43 at gmail.com (Fujisan)
Date: Fri, 2 Oct 2015 16:46:36 +0200
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To:
References:
<20151002134558.GB5035@redhat.com>
<20151002142525.GD5035@redhat.com>
Message-ID:
I forgot to mention that
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
On Fri, Oct 2, 2015 at 4:44 PM, Fujisan wrote:
> I still cannot login to the web UI.
>
> Here is what I did:
>
> 1. mv /etc/krb5.keytab /etc/krb5.keytab.save
> 2. kinit admin
> Password for admin at OPERA:
> 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k
> /etc/krb5.keytab
> 4. systemctl restart sssd.service
> 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
> 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k
> /etc/httpd/conf/ipa.keytab
> 7. systemctl restart httpd.service
>
> The log says now:
>
> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17
> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA
> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>
>
>
> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy
> wrote:
>
>> On Fri, 02 Oct 2015, Fujisan wrote:
>>
>>> Well, I think I messed up when trying to configure cockpit to use
>>> kerberos.
>>>
>>> What should I do to fix this?
>>>
>>> I have this on the ipa server:
>>> $ klist -k
>>> Keytab name: FILE:/etc/krb5.keytab
>>> KVNO Principal
>>> ----
>>>
>>> --------------------------------------------------------------------------
>>> 2 host/zaira2.opera at OPERA
>>> 2 host/zaira2.opera at OPERA
>>> 2 host/zaira2.opera at OPERA
>>> 2 host/zaira2.opera at OPERA
>>> 1 nfs/zaira2.opera at OPERA
>>> 1 nfs/zaira2.opera at OPERA
>>> 1 nfs/zaira2.opera at OPERA
>>> 1 nfs/zaira2.opera at OPERA
>>> 3 HTTP/zaira2.opera at OPERA
>>> 3 HTTP/zaira2.opera at OPERA
>>> 3 HTTP/zaira2.opera at OPERA
>>> 3 HTTP/zaira2.opera at OPERA
>>>
>>> You can start by:
>> 0. backup every file mentioned below
>> 1. Move /etc/krb5.keytab somewhere
>> 2. kinit as admin
>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>> 4. restart SSSD
>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>> /etc/httpd/conf/ipa.keytab
>> 7. Restart httpd
>>
>> Every time you run 'ipa-getkeytab', Kerberos key for the service
>> specified by you is replaced on the server side so that keys in the
>> keytabs become unusable.
>>
>> I guess cockpit instructions were for something that was not supposed to
>> run on IPA master. On IPA master there are already all needed services
>> (host/ and HTTP/) and their keytabs are in place.
>>
>>
>>
>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy
>>> wrote:
>>>
>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>
>>>> More info:
>>>>>
>>>>> I can initiate a ticket:
>>>>> $ kdestroy
>>>>> $ kinit admin
>>>>>
>>>>> but cannot view user admin:
>>>>> $ ipa user-show admin
>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>> Unauthorized
>>>>>
>>>>> $ ipactl status
>>>>> Directory Service: RUNNING
>>>>> krb5kdc Service: RUNNING
>>>>> kadmin Service: RUNNING
>>>>> named Service: RUNNING
>>>>> ipa_memcached Service: RUNNING
>>>>> httpd Service: RUNNING
>>>>> pki-tomcatd Service: RUNNING
>>>>> smb Service: RUNNING
>>>>> winbind Service: RUNNING
>>>>> ipa-otpd Service: RUNNING
>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>> ipa: INFO: The ipactl command was successful
>>>>>
>>>>> /var/log/messages:
>>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>>>>> check
>>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>
>>>>> What did you do?
>>>>
>>>> This and the log below about HTTP/zaira2.opera at OPERA show that you have
>>>> different keys in LDAP and in your keytab files for host/zaira2.opera
>>>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>> host-del/ipa host-add) so that they become non-synchronized with
>>>> whatever you have in the keytab files.
>>>>
>>>>
>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan wrote:
>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>>>
>>>>>> I cannot login to the web UI anymore.
>>>>>>
>>>>>> The password or username you entered is incorrect.
>>>>>>
>>>>>> Log says:
>>>>>>
>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>> {18 17
>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>> HTTP/zaira2.opera at OPERA
>>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>>>>> (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>> {18 17
>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED:
>>>>>> HTTP/zaira2.opera at OPERA
>>>>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>
>>>>>>
>>>>>> I have no idea what went wrong.
>>>>>>
>>>>>> What can I do?
>>>>>>
>>>>>> ?Regards,
>>>>>> Fuji?
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project
>>>>>
>>>>>
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>>
>>>>
>> --
>> / Alexander Bokovoy
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From abokovoy at redhat.com Fri Oct 2 15:01:45 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 2 Oct 2015 18:01:45 +0300
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To:
References:
<20151002134558.GB5035@redhat.com>
<20151002142525.GD5035@redhat.com>
Message-ID: <20151002150145.GG5035@redhat.com>
On Fri, 02 Oct 2015, Fujisan wrote:
>I forgot to mention that
>
>$ ipa user-show admin
>ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
This is most likely because of the cached session to your server.
You can check if
keyctl list @s
returns you something like
[root at m1 ~]# keyctl list @s
2 keys in keyring:
496745412: --alswrv 0 65534 keyring: _uid.0
215779962: --alswrv 0 0 user: ipa_session_cookie:admin at EXAMPLE.COM
If so, then notice the key number (215779962) for the session cookie,
and do:
keyctl purge 215779962
keyctl reap
This should make a next 'ipa ...' command run to ask for new cookie.
>
>On Fri, Oct 2, 2015 at 4:44 PM, Fujisan wrote:
>
>> I still cannot login to the web UI.
>>
>> Here is what I did:
>>
>> 1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>> 2. kinit admin
>> Password for admin at OPERA:
>> 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k
>> /etc/krb5.keytab
>> 4. systemctl restart sssd.service
>> 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>> 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k
>> /etc/httpd/conf/ipa.keytab
>> 7. systemctl restart httpd.service
>>
>> The log says now:
>>
>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17
>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA
>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>
>>
>>
>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy
>> wrote:
>>
>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>
>>>> Well, I think I messed up when trying to configure cockpit to use
>>>> kerberos.
>>>>
>>>> What should I do to fix this?
>>>>
>>>> I have this on the ipa server:
>>>> $ klist -k
>>>> Keytab name: FILE:/etc/krb5.keytab
>>>> KVNO Principal
>>>> ----
>>>>
>>>> --------------------------------------------------------------------------
>>>> 2 host/zaira2.opera at OPERA
>>>> 2 host/zaira2.opera at OPERA
>>>> 2 host/zaira2.opera at OPERA
>>>> 2 host/zaira2.opera at OPERA
>>>> 1 nfs/zaira2.opera at OPERA
>>>> 1 nfs/zaira2.opera at OPERA
>>>> 1 nfs/zaira2.opera at OPERA
>>>> 1 nfs/zaira2.opera at OPERA
>>>> 3 HTTP/zaira2.opera at OPERA
>>>> 3 HTTP/zaira2.opera at OPERA
>>>> 3 HTTP/zaira2.opera at OPERA
>>>> 3 HTTP/zaira2.opera at OPERA
>>>>
>>>> You can start by:
>>> 0. backup every file mentioned below
>>> 1. Move /etc/krb5.keytab somewhere
>>> 2. kinit as admin
>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>> 4. restart SSSD
>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>>> /etc/httpd/conf/ipa.keytab
>>> 7. Restart httpd
>>>
>>> Every time you run 'ipa-getkeytab', Kerberos key for the service
>>> specified by you is replaced on the server side so that keys in the
>>> keytabs become unusable.
>>>
>>> I guess cockpit instructions were for something that was not supposed to
>>> run on IPA master. On IPA master there are already all needed services
>>> (host/ and HTTP/) and their keytabs are in place.
>>>
>>>
>>>
>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy
>>>> wrote:
>>>>
>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>
>>>>> More info:
>>>>>>
>>>>>> I can initiate a ticket:
>>>>>> $ kdestroy
>>>>>> $ kinit admin
>>>>>>
>>>>>> but cannot view user admin:
>>>>>> $ ipa user-show admin
>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>> Unauthorized
>>>>>>
>>>>>> $ ipactl status
>>>>>> Directory Service: RUNNING
>>>>>> krb5kdc Service: RUNNING
>>>>>> kadmin Service: RUNNING
>>>>>> named Service: RUNNING
>>>>>> ipa_memcached Service: RUNNING
>>>>>> httpd Service: RUNNING
>>>>>> pki-tomcatd Service: RUNNING
>>>>>> smb Service: RUNNING
>>>>>> winbind Service: RUNNING
>>>>>> ipa-otpd Service: RUNNING
>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>
>>>>>> /var/log/messages:
>>>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>>>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>>>>>> check
>>>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>
>>>>>> What did you do?
>>>>>
>>>>> This and the log below about HTTP/zaira2.opera at OPERA show that you have
>>>>> different keys in LDAP and in your keytab files for host/zaira2.opera
>>>>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>>> host-del/ipa host-add) so that they become non-synchronized with
>>>>> whatever you have in the keytab files.
>>>>>
>>>>>
>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan wrote:
>>>>>
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>>>
>>>>>>> I cannot login to the web UI anymore.
>>>>>>>
>>>>>>> The password or username you entered is incorrect.
>>>>>>>
>>>>>>> Log says:
>>>>>>>
>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>>> {18 17
>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>>>>>> (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>>> {18 17
>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED:
>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>
>>>>>>>
>>>>>>> I have no idea what went wrong.
>>>>>>>
>>>>>>> What can I do?
>>>>>>>
>>>>>>> ?Regards,
>>>>>>> Fuji?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>>
>>>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
>>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project
--
/ Alexander Bokovoy
From fujisan43 at gmail.com Fri Oct 2 15:04:46 2015
From: fujisan43 at gmail.com (Fujisan)
Date: Fri, 2 Oct 2015 17:04:46 +0200
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To: <20151002150145.GG5035@redhat.com>
References:
<20151002134558.GB5035@redhat.com>
<20151002142525.GD5035@redhat.com>
<20151002150145.GG5035@redhat.com>
Message-ID:
I only have this:
$ keyctl list @s
1 key in keyring:
641467419: --alswrv 0 65534 keyring: _uid.0
$
On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy
wrote:
> On Fri, 02 Oct 2015, Fujisan wrote:
>
>> I forgot to mention that
>>
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>> Unauthorized
>>
> This is most likely because of the cached session to your server.
>
> You can check if keyctl list @s
> returns you something like
> [root at m1 ~]# keyctl list @s
> 2 keys in keyring:
> 496745412: --alswrv 0 65534 keyring: _uid.0
> 215779962: --alswrv 0 0 user: ipa_session_cookie:admin at EXAMPLE.COM
>
> If so, then notice the key number (215779962) for the session cookie,
> and do:
> keyctl purge 215779962
> keyctl reap
>
> This should make a next 'ipa ...' command run to ask for new cookie.
>
>
>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan wrote:
>>
>> I still cannot login to the web UI.
>>>
>>> Here is what I did:
>>>
>>> 1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>> 2. kinit admin
>>> Password for admin at OPERA:
>>> 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k
>>> /etc/krb5.keytab
>>> 4. systemctl restart sssd.service
>>> 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>> 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k
>>> /etc/httpd/conf/ipa.keytab
>>> 7. systemctl restart httpd.service
>>>
>>>
>>> The log says now:
>>>
>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17
>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA
>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>
>>>
>>>
>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy
>>> wrote:
>>>
>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>
>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>> kerberos.
>>>>>
>>>>> What should I do to fix this?
>>>>>
>>>>> I have this on the ipa server:
>>>>> $ klist -k
>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>> KVNO Principal
>>>>> ----
>>>>>
>>>>>
>>>>> --------------------------------------------------------------------------
>>>>> 2 host/zaira2.opera at OPERA
>>>>> 2 host/zaira2.opera at OPERA
>>>>> 2 host/zaira2.opera at OPERA
>>>>> 2 host/zaira2.opera at OPERA
>>>>> 1 nfs/zaira2.opera at OPERA
>>>>> 1 nfs/zaira2.opera at OPERA
>>>>> 1 nfs/zaira2.opera at OPERA
>>>>> 1 nfs/zaira2.opera at OPERA
>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>
>>>>> You can start by:
>>>>>
>>>> 0. backup every file mentioned below
>>>> 1. Move /etc/krb5.keytab somewhere
>>>> 2. kinit as admin
>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>> 4. restart SSSD
>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>>>> /etc/httpd/conf/ipa.keytab
>>>> 7. Restart httpd
>>>>
>>>> Every time you run 'ipa-getkeytab', Kerberos key for the service
>>>> specified by you is replaced on the server side so that keys in the
>>>> keytabs become unusable.
>>>>
>>>> I guess cockpit instructions were for something that was not supposed to
>>>> run on IPA master. On IPA master there are already all needed services
>>>> (host/ and HTTP/) and their keytabs are in place.
>>>>
>>>>
>>>>
>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy
>>>>> wrote:
>>>>>
>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>
>>>>>>
>>>>>> More info:
>>>>>>
>>>>>>>
>>>>>>> I can initiate a ticket:
>>>>>>> $ kdestroy
>>>>>>> $ kinit admin
>>>>>>>
>>>>>>> but cannot view user admin:
>>>>>>> $ ipa user-show admin
>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>>> Unauthorized
>>>>>>>
>>>>>>> $ ipactl status
>>>>>>> Directory Service: RUNNING
>>>>>>> krb5kdc Service: RUNNING
>>>>>>> kadmin Service: RUNNING
>>>>>>> named Service: RUNNING
>>>>>>> ipa_memcached Service: RUNNING
>>>>>>> httpd Service: RUNNING
>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>> smb Service: RUNNING
>>>>>>> winbind Service: RUNNING
>>>>>>> ipa-otpd Service: RUNNING
>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>
>>>>>>> /var/log/messages:
>>>>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
>>>>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
>>>>>>> check
>>>>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>
>>>>>>> What did you do?
>>>>>>>
>>>>>>
>>>>>> This and the log below about HTTP/zaira2.opera at OPERA show that you
>>>>>> have
>>>>>> different keys in LDAP and in your keytab files for host/zaira2.opera
>>>>>> and HTTP/zaira2.opera principals. This might happen if somebody
>>>>>> removed
>>>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>>>> host-del/ipa host-add) so that they become non-synchronized with
>>>>>> whatever you have in the keytab files.
>>>>>>
>>>>>>
>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan wrote:
>>>>>>
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>>
>>>>>>>> I cannot login to the web UI anymore.
>>>>>>>>
>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>
>>>>>>>> Log says:
>>>>>>>>
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>>>> {18 17
>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>>>>>>> (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>>>> {18 17
>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED:
>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>
>>>>>>>>
>>>>>>>> I have no idea what went wrong.
>>>>>>>>
>>>>>>>> What can I do?
>>>>>>>>
>>>>>>>> ?Regards,
>>>>>>>> Fuji?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> --
>>>>>> / Alexander Bokovoy
>>>>>>
>>>>>>
>>>>>> --
>>>> / Alexander Bokovoy
>>>>
>>>>
>>>
>>>
> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
> --
> / Alexander Bokovoy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From alexanders.mailinglists+nospam at gmail.com Fri Oct 2 14:28:57 2015
From: alexanders.mailinglists+nospam at gmail.com (Alexander Skwar)
Date: Fri, 2 Oct 2015 16:28:57 +0200
Subject: [Freeipa-users] ssh and sudo password authentication not working
with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04
Message-ID:
Hello
How do I get password authentication to work with freeipa-client
3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
Long version follows :)
We've got an IPA server with the Red Hat Identity Management server
on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
users and groups there and would now like to login with SSH. When I
store a SSH key for the user account, I can login just fine, using
this SSH key. But I'd like/need to use passwords as well. And sudo
also doesn't work, when it's asking for passwords - I supposed,
it's the same root cause.
Let's stick with SSH.
Initially, I installed the FreeIPA client with this command line:
ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
--enable-dns-updates --unattended \
--principal=admin --password=correctone \
--domain=customer.company.internal \
--server=auth01.customer.company.internal
I then try to do a SSH login with:
ssh -l ewt at customer.company.internal 192.168.229.143
or:
ssh -l ewt 192.168.229.143
Password authentication doesn't work.
In the /var/log/syslog on the system where I try to login, I find this:
2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
Key table entry not found
After having turned up the debug level of the sssd with "sssd -i -f -d
0x0770 --debug-timestamps=1", I find the following in the system log
files:
2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=212.71.117.1 user=ewt
2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=212.71.117.1 user=ewt
2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
pam_sss(sshd:auth): received for user ewt: 4 (System error)
2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
password for ewt from 212.71.117.1 port 58136 ssh2
TBH, I don't quite understand it. Anyway, in
/var/log/sssd/sssd_customer.company.internal.log I noticed:
(Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
[read_pipe_handler] (0x0400): EOF received, client finished
(Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
[parse_krb5_child_response] (0x0020): message too short.
(Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
[krb5_auth_done] (0x0040): Could not parse child response [22]:
Invalid argument
(Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
[ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
Well? What am I doing wrong or what might I have forgotten?
Thanks a lot and best regards,
Alexander
--
=> Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => a.skwar at gmail.com <==
From sbose at redhat.com Fri Oct 2 15:56:26 2015
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 2 Oct 2015 17:56:26 +0200
Subject: [Freeipa-users] ssh and sudo password authentication not
working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04
In-Reply-To:
References:
Message-ID: <20151002155626.GK22851@p.redhat.com>
On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
> Hello
>
> How do I get password authentication to work with freeipa-client
> 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
>
> Long version follows :)
>
> We've got an IPA server with the Red Hat Identity Management server
> on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
> users and groups there and would now like to login with SSH. When I
> store a SSH key for the user account, I can login just fine, using
> this SSH key. But I'd like/need to use passwords as well. And sudo
> also doesn't work, when it's asking for passwords - I supposed,
> it's the same root cause.
>
> Let's stick with SSH.
>
> Initially, I installed the FreeIPA client with this command line:
>
> ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
> --enable-dns-updates --unattended \
> --principal=admin --password=correctone \
> --domain=customer.company.internal \
> --server=auth01.customer.company.internal
>
> I then try to do a SSH login with:
>
> ssh -l ewt at customer.company.internal 192.168.229.143
> or:
> ssh -l ewt 192.168.229.143
>
> Password authentication doesn't work.
>
> In the /var/log/syslog on the system where I try to login, I find this:
>
> 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
> Key table entry not found
>
> After having turned up the debug level of the sssd with "sssd -i -f -d
> 0x0770 --debug-timestamps=1", I find the following in the system log
> files:
>
> 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=212.71.117.1 user=ewt
> 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=212.71.117.1 user=ewt
> 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
> pam_sss(sshd:auth): received for user ewt: 4 (System error)
> 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
> password for ewt from 212.71.117.1 port 58136 ssh2
>
> TBH, I don't quite understand it. Anyway, in
> /var/log/sssd/sssd_customer.company.internal.log I noticed:
>
> (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [read_pipe_handler] (0x0400): EOF received, client finished
> (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [parse_krb5_child_response] (0x0020): message too short.
> (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [krb5_auth_done] (0x0040): Could not parse child response [22]:
> Invalid argument
> (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
looks like krb5_child is not able to process the request. There should
be a krb5_child log as well, maybe it has more details.
bye,
Sumit
>
> Well? What am I doing wrong or what might I have forgotten?
>
> Thanks a lot and best regards,
>
> Alexander
> --
> => Google+ => http://plus.skwar.me <==
> => Chat (Jabber/Google Talk) => a.skwar at gmail.com <==
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
From jhrozek at redhat.com Fri Oct 2 15:59:51 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 2 Oct 2015 17:59:51 +0200
Subject: [Freeipa-users] ssh and sudo password authentication not
working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04
In-Reply-To:
References:
Message-ID: <20151002155951.GB3127@hendrix.redhat.com>
On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
> Hello
>
> How do I get password authentication to work with freeipa-client
> 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
>
> Long version follows :)
>
> We've got an IPA server with the Red Hat Identity Management server
> on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
> users and groups there and would now like to login with SSH. When I
> store a SSH key for the user account, I can login just fine, using
> this SSH key. But I'd like/need to use passwords as well. And sudo
> also doesn't work, when it's asking for passwords - I supposed,
> it's the same root cause.
>
> Let's stick with SSH.
>
> Initially, I installed the FreeIPA client with this command line:
>
> ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
> --enable-dns-updates --unattended \
> --principal=admin --password=correctone \
> --domain=customer.company.internal \
> --server=auth01.customer.company.internal
>
> I then try to do a SSH login with:
>
> ssh -l ewt at customer.company.internal 192.168.229.143
> or:
> ssh -l ewt 192.168.229.143
>
> Password authentication doesn't work.
>
> In the /var/log/syslog on the system where I try to login, I find this:
>
> 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
> Key table entry not found
>
> After having turned up the debug level of the sssd with "sssd -i -f -d
> 0x0770 --debug-timestamps=1", I find the following in the system log
> files:
>
> 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=212.71.117.1 user=ewt
> 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=212.71.117.1 user=ewt
> 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
> pam_sss(sshd:auth): received for user ewt: 4 (System error)
> 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
> password for ewt from 212.71.117.1 port 58136 ssh2
>
> TBH, I don't quite understand it. Anyway, in
> /var/log/sssd/sssd_customer.company.internal.log I noticed:
>
> (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [read_pipe_handler] (0x0400): EOF received, client finished
> (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [parse_krb5_child_response] (0x0020): message too short.
> (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [krb5_auth_done] (0x0040): Could not parse child response [22]:
> Invalid argument
> (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
>
> Well? What am I doing wrong or what might I have forgotten?
We need to also see the krb5_child.log but please check if the keytab is
correct (ie kinit -k works).
From aebruno2 at buffalo.edu Fri Oct 2 16:00:59 2015
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Fri, 2 Oct 2015 12:00:59 -0400
Subject: [Freeipa-users] re-initialize replica
In-Reply-To: <20151002135647.GA18409@dead.ccr.buffalo.edu>
References: <20151002135647.GA18409@dead.ccr.buffalo.edu>
Message-ID: <20151002160059.GB18409@dead.ccr.buffalo.edu>
On Fri, Oct 02, 2015 at 09:56:47AM -0400, Andrew E. Bruno wrote:
> What's the best way to re-initialize a replica?
>
> Suppose one of your replicas goes south.. is there a command to tell
> that replicate to re-initialize from the first master (instead of
> removing/re-adding the replica from the topology)?
Found the command I was looking for:
ipa-replica-manage re-initialize --from xxx
However, one of our replicates is down and can't seem to re-initialize
it. Starting ipa fails (via systemctl restart ipa):
ipactl status
Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: STOPPED
named Service: STOPPED
ipa_memcached Service: STOPPED
httpd Service: STOPPED
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa: INFO: The ipactl command was successful
Errors from the dirsrv show:
: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[02/Oct/2015:11:45:05 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[02/Oct/2015:11:50:05 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server at realm] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[02/Oct/2015:11:50:05 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[02/Oct/2015:11:50:05 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
Attempting to re-initialize fails:
ipa-replica-manage re-initialize --from master
Connection timed out.
I verified time is in sync and DNS forward/reverse resolution is working.
Any pointers on what else to try?
Thanks!
--Andrew
From nathan at nathanpeters.com Fri Oct 2 20:57:06 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Fri, 2 Oct 2015 13:57:06 -0700
Subject: [Freeipa-users] Can not post to list - email floats off into
cyberspace
Message-ID: <865a08ab5754d6162b3a363c7d73860a.squirrel@webmail.nathanpeters.com>
We have a FreeIPA domain running IPA server 4.1.4 on CentOS 7.
We have no per zone forwarding enabled, only a single global forwarder.
This seems to work fine, but then after a while (several weeks I think)
will randomly stop working.
We had this issue several weeks ago on a different IPA domain (identical
setup) in our production network but it was ignored because a server
restart fixed it.
This issue then re-surfaced in our development domain today (different
network, different physical hardware, same OS and IPA versions).
I received a report today from a developer that he could not ping a
machine in another domain so I verified network connectivity and
everything was fine. When I tried to resolve the name from the IPA dc
using ping it would fail, but nslookup directly to the forward server
worked fine.
ipactl showed no issues, and only after I restarted the server did the
lookups start working again.
Console log below :
Using username "myipausername".
Last login: Thu Oct 1 16:36:51 2015 from 10.5.5.57
[myipausername at dc1 ~]$ sudo su -
Last login: Tue Sep 29 19:03:39 UTC 2015 on pts/3
ATTEMPT FIRST PING TO UNRESOLVABLE HOST
=======================================
[root at dc1 ~]# ping artifactory.externaldomain.net
ping: unknown host artifactory.externaldomain.net
CHECK IPA STATUS
================
[root at dc1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
ATTEMPT PING OF GLOBAL FORWARDER
================================
[root at dc1 ~]# ping 10.21.0.14
PING 10.21.0.14 (10.21.0.14) 56(84) bytes of data.
64 bytes from 10.21.0.14: icmp_seq=1 ttl=64 time=0.275 ms
64 bytes from 10.21.0.14: icmp_seq=2 ttl=64 time=0.327 ms
^C
--- 10.21.0.14 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.275/0.301/0.327/0.026 ms
MANUAL NSLOOKUP OF DOMAIN ON GLOBAL FORWARDER FROM IPA DC
=========================================================
[root at dc1 ~]# nslookup
> server 10.21.0.14
Default server: 10.21.0.14
Address: 10.21.0.14#53
> artifactory.externaldomain.net
Server: 10.21.0.14
Address: 10.21.0.14#53
Non-authoritative answer:
artifactory.externaldomain.net canonical name =
van-artifactory1.externaldomain.net.
Name: van-artifactory1.externaldomain.net
Address: 10.20.10.14
RE-ATTEMPT PING SINCE WE KNOW THAT NAME RESOLUTION (at least via nslookup
IS WORKING FROM THIS MACHINE
======================================================================================================
> ^C[root at dc1 ~]# ping artifactory.externaldomain.net
ping: unknown host artifactory.externaldomain.net
[root at dc1 ~]# ping van-artifactory1.externaldomain.net
ping: unknown host van-artifactory1.externaldomain.net
RESTART IPA SERVICES
====================
[root at dc1 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root at dc1 ~]# ipa dnsconfig-show
ipa: ERROR: did not receive Kerberos credentials
[root at dc1 ~]# kinit myipausername
Password for myipausername at ipadomain.NET:
OUTPUT GLOBAL FORWARDER CONFIG FOR TROUBLESHOOTING
==================================================
[root at dc1 ~]# ipa dnsconfig-show
Global forwarders: 10.21.0.14
Allow PTR sync: TRUE
PING NOW WORKS BECAUSE IPA SERVICES WERE RESTARTED
==================================================
[root at dc1 ~]# ping artifactory.externaldomain.net
PING van-artifactory1.externaldomain.net (10.20.10.14) 56(84) bytes of data.
64 bytes from 10.20.10.14: icmp_seq=1 ttl=60 time=3.00 ms
64 bytes from 10.20.10.14: icmp_seq=2 ttl=60 time=1.42 ms
64 bytes from 10.20.10.14: icmp_seq=3 ttl=60 time=2.39 ms
^C
--- van-artifactory1.externaldomain.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.420/2.274/3.004/0.653 ms
[root at dc1 ~]#
Here are some strange enties from my /var/log/messages relating to errors
from today :
Oct 1 20:39:31 dc1 named-pkcs11[15066]: checkhints: unable to get root NS
rrset from cache: not found
Oct 1 20:39:17 dc1 named-pkcs11[15066]: error (network unreachable)
resolving 'pmdb1.ipadomain.net/A/IN': 2001:500:2f::f#53
Oct 1 20:39:17 dc1 named-pkcs11[15066]: error (network unreachable)
resolving 'pmdb1.ipadomain.net/AAAA/IN': 2001:500:2f::f#53
Looking at the log entries, it appears that there may have been a network
connectivity 'blip' (maybe a switch or router was restarted) at some point
and even after connectivity was restored, the global forwarding was
failing because the "we can't contact our forwarder" status seemed to get
stuck in memory.
From nathan at nathanpeters.com Thu Oct 1 21:07:00 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Thu, 1 Oct 2015 14:07:00 -0700
Subject: [Freeipa-users] DNS forwarding configuration randomly breaks and
stops working
Message-ID: <0b25b6317a7d34927e8f81743a88e157.squirrel@webmail.nathanpeters.com>
We have a FreeIPA domain running IPA server 4.1.4 on CentOS 7.
We have no per zone forwarding enabled, only a single global forwarder.
This seems to work fine, but then after a while (several weeks I think)
will randomly stop working.
We had this issue several weeks ago on a different IPA domain (identical
setup) in our production network but it was ignored because a server
restart fixed it.
This issue then re-surfaced in our development domain today (different
network, different physical hardware, same OS and IPA versions).
I received a report today from a developer that he could not ping a
machine in another domain so I verified network connectivity and
everything was fine. When I tried to resolve the name from the IPA dc
using ping it would fail, but nslookup directly to the forward server
worked fine.
ipactl showed no issues, and only after I restarted the server did the
lookups start working again.
Console log below :
Using username "myipausername".
Last login: Thu Oct 1 16:36:51 2015 from 10.5.5.57
[myipausername at dc1 ~]$ sudo su -
Last login: Tue Sep 29 19:03:39 UTC 2015 on pts/3
ATTEMPT FIRST PING TO UNRESOLVABLE HOST
=======================================
[root at dc1 ~]# ping artifactory.externaldomain.net
ping: unknown host artifactory.externaldomain.net
CHECK IPA STATUS
================
[root at dc1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
ATTEMPT PING OF GLOBAL FORWARDER
================================
[root at dc1 ~]# ping 10.21.0.14
PING 10.21.0.14 (10.21.0.14) 56(84) bytes of data.
64 bytes from 10.21.0.14: icmp_seq=1 ttl=64 time=0.275 ms
64 bytes from 10.21.0.14: icmp_seq=2 ttl=64 time=0.327 ms
^C
--- 10.21.0.14 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.275/0.301/0.327/0.026 ms
MANUAL NSLOOKUP OF DOMAIN ON GLOBAL FORWARDER FROM IPA DC
=========================================================
[root at dc1 ~]# nslookup
> server 10.21.0.14
Default server: 10.21.0.14
Address: 10.21.0.14#53
> artifactory.externaldomain.net
Server: 10.21.0.14
Address: 10.21.0.14#53
Non-authoritative answer:
artifactory.externaldomain.net canonical name =
van-artifactory1.externaldomain.net.
Name: van-artifactory1.externaldomain.net
Address: 10.20.10.14
RE-ATTEMPT PING SINCE WE KNOW THAT NAME RESOLUTION (at least via nslookup
IS WORKING FROM THIS MACHINE
======================================================================================================
> ^C[root at dc1 ~]# ping artifactory.externaldomain.net
ping: unknown host artifactory.externaldomain.net
[root at dc1 ~]# ping van-artifactory1.externaldomain.net
ping: unknown host van-artifactory1.externaldomain.net
RESTART IPA SERVICES
====================
[root at dc1 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root at dc1 ~]# ipa dnsconfig-show
ipa: ERROR: did not receive Kerberos credentials
[root at dc1 ~]# kinit myipausername
Password for myipausername at ipadomain.NET:
OUTPUT GLOBAL FORWARDER CONFIG FOR TROUBLESHOOTING
==================================================
[root at dc1 ~]# ipa dnsconfig-show
Global forwarders: 10.21.0.14
Allow PTR sync: TRUE
PING NOW WORKS BECAUSE IPA SERVICES WERE RESTARTED
==================================================
[root at dc1 ~]# ping artifactory.externaldomain.net
PING van-artifactory1.externaldomain.net (10.20.10.14) 56(84) bytes of data.
64 bytes from 10.20.10.14: icmp_seq=1 ttl=60 time=3.00 ms
64 bytes from 10.20.10.14: icmp_seq=2 ttl=60 time=1.42 ms
64 bytes from 10.20.10.14: icmp_seq=3 ttl=60 time=2.39 ms
^C
--- van-artifactory1.externaldomain.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.420/2.274/3.004/0.653 ms
[root at dc1 ~]#
Here are some strange enties from my /var/log/messages relating to errors
from today :
Oct 1 20:39:31 dc1 named-pkcs11[15066]: checkhints: unable to get root NS
rrset from cache: not found
Oct 1 20:39:17 dc1 named-pkcs11[15066]: error (network unreachable)
resolving 'pmdb1.ipadomain.net/A/IN': 2001:500:2f::f#53
Oct 1 20:39:17 dc1 named-pkcs11[15066]: error (network unreachable)
resolving 'pmdb1.ipadomain.net/AAAA/IN': 2001:500:2f::f#53
Looking at the log entries, it appears that there may have been a network
connectivity 'blip' (maybe a switch or router was restarted) at some point
and even after connectivity was restored, the global forwarding was
failing because the "we can't contact our forwarder" status seemed to get
stuck in memory.
From nathan at nathanpeters.com Fri Oct 2 23:47:28 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Fri, 2 Oct 2015 16:47:28 -0700
Subject: [Freeipa-users] DNS forwarding configuration randomly breaks
and stops working
In-Reply-To: <0b25b6317a7d34927e8f81743a88e157.squirrel@webmail.nathanpeters.com>
References: <0b25b6317a7d34927e8f81743a88e157.squirrel@webmail.nathanpeters.com>
Message-ID: <7a8d700fff553f33563e9648f378fae8.squirrel@webmail.nathanpeters.com>
This issue has occured again and I am once again trying to troubleshoot it.
show forwarder
--------------
-bash-4.2$ ipa dnsconfig-show
Global forwarders: 10.21.0.14
Allow PTR sync: TRUE
attempt ping
------------
-bash-4.2$ ping stash.externaldomain.net
ping: unknown host stash.externaldomain.net
-attempt nslookup
-----------------
-bash-4.2$ nslookup
> stash.externaldomain.net
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find stash.externaldomain.net: NXDOMAIN
*comment* : strange it doesn't work against localhost. Lets make sure
that localhost lookups work at all :
-bash-4.2$ nslookup
> google.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.com
Address: 216.58.216.142
*comment* : yup, I can resolve google.com when talking to localhost...
now lets try to talk to the forwarder configured in the global settings
-----------------------------------------------------------------------
> server 10.21.0.14
Default server: 10.21.0.14
Address: 10.21.0.14#53
> stash.externaldomain.net
Server: 10.21.0.14
Address: 10.21.0.14#53
Non-authoritative answer:
stash.externaldomain.net canonical name = git1.externaldomain.net.
Name: git1.externaldomain.net
Address: 10.20.10.30
more troubleshooting
--------------------
I ran wireshark to see what the freeipa server was sending back to the
client :
3 0.000393 10.178.0.99 10.178.21.2 DNS 163 Standard query response 0x12ca
No such name CNAME git1.externaldomain.net
I've never seen a 'no such CNAME' response before. Lets look at the
contents of the packet:
Frame 4: 163 bytes on wire (1304 bits), 163 bytes captured (1304 bits)
Ethernet II, Src: Vmware_b7:09:c6 (00:50:56:b7:09:c6), Dst:
HewlettP_3c:f9:48 (2c:59:e5:3c:f9:48)
Internet Protocol Version 4, Src: 10.178.0.99 (10.178.0.99), Dst:
10.178.21.2 (10.178.21.2)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 57374 (57374)
Domain Name System (response)
[Request In: 1]
[Time: 0.000414000 seconds]
Transaction ID: 0x12ca
Flags: 0x8183 Standard query response, No such name
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority
for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive
queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority
portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0011 = Reply code: No such name (3)
Questions: 1
Answer RRs: 1
Authority RRs: 1
Additional RRs: 0
Queries
stash.externaldomain.net: type A, class IN
Name: stash.externaldomain.net
[Name Length: 21]
[Label Count: 3]
Type: A (Host Address) (1)
Class: IN (0x0001)
Answers
stash.externaldomain.net: type CNAME, class IN, cname
git1.externaldomain.net
Name: stash.externaldomain.net
Type: CNAME (Canonical NAME for an alias) (5)
Class: IN (0x0001)
Time to live: 22483
Data length: 20
CNAME: git1.externaldomain.net
Authoritative nameservers
externaldomain.net: type SOA, class IN, mname
van-dns1.externaldomain.net
Name: externaldomain.net
Type: SOA (Start Of a zone of Authority) (6)
Class: IN (0x0001)
Time to live: 518
Data length: 38
Primary name server: van-dns1.externaldomain.net
Responsible authority's mailbox: tech.externaldomain.net
Serial Number: 2015092101
Refresh Interval: 10800 (3 hours)
Retry Interval: 900 (15 minutes)
Expire limit: 604800 (7 days)
Minimum TTL: 86400 (1 day)
> We have a FreeIPA domain running IPA server 4.1.4 on CentOS 7.
>
> We have no per zone forwarding enabled, only a single global forwarder.
> This seems to work fine, but then after a while (several weeks I think)
> will randomly stop working.
>
> We had this issue several weeks ago on a different IPA domain (identical
> setup) in our production network but it was ignored because a server
> restart fixed it.
>
> This issue then re-surfaced in our development domain today (different
> network, different physical hardware, same OS and IPA versions).
>
> I received a report today from a developer that he could not ping a
> machine in another domain so I verified network connectivity and
> everything was fine. When I tried to resolve the name from the IPA dc
> using ping it would fail, but nslookup directly to the forward server
> worked fine.
>
> ipactl showed no issues, and only after I restarted the server did the
> lookups start working again.
>
> Console log below :
>
> Using username "myipausername".
> Last login: Thu Oct 1 16:36:51 2015 from 10.5.5.57
> [myipausername at dc1 ~]$ sudo su -
> Last login: Tue Sep 29 19:03:39 UTC 2015 on pts/3
>
> ATTEMPT FIRST PING TO UNRESOLVABLE HOST
> =======================================
> [root at dc1 ~]# ping artifactory.externaldomain.net
> ping: unknown host artifactory.externaldomain.net
>
> CHECK IPA STATUS
> ================
> [root at dc1 ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> ATTEMPT PING OF GLOBAL FORWARDER
> ================================
> [root at dc1 ~]# ping 10.21.0.14
> PING 10.21.0.14 (10.21.0.14) 56(84) bytes of data.
> 64 bytes from 10.21.0.14: icmp_seq=1 ttl=64 time=0.275 ms
> 64 bytes from 10.21.0.14: icmp_seq=2 ttl=64 time=0.327 ms
> ^C
> --- 10.21.0.14 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1000ms
> rtt min/avg/max/mdev = 0.275/0.301/0.327/0.026 ms
>
> MANUAL NSLOOKUP OF DOMAIN ON GLOBAL FORWARDER FROM IPA DC
> =========================================================
> [root at dc1 ~]# nslookup
>> server 10.21.0.14
> Default server: 10.21.0.14
> Address: 10.21.0.14#53
>> artifactory.externaldomain.net
> Server: 10.21.0.14
> Address: 10.21.0.14#53
>
> Non-authoritative answer:
> artifactory.externaldomain.net canonical name =
> van-artifactory1.externaldomain.net.
> Name: van-artifactory1.externaldomain.net
> Address: 10.20.10.14
>
> RE-ATTEMPT PING SINCE WE KNOW THAT NAME RESOLUTION (at least via nslookup
> IS WORKING FROM THIS MACHINE
> ======================================================================================================
>> ^C[root at dc1 ~]# ping artifactory.externaldomain.net
> ping: unknown host artifactory.externaldomain.net
> [root at dc1 ~]# ping van-artifactory1.externaldomain.net
> ping: unknown host van-artifactory1.externaldomain.net
>
> RESTART IPA SERVICES
> ====================
> [root at dc1 ~]# ipactl restart
> Restarting Directory Service
> Restarting krb5kdc Service
> Restarting kadmin Service
> Restarting named Service
> Restarting ipa_memcached Service
> Restarting httpd Service
> Restarting pki-tomcatd Service
> Restarting smb Service
> Restarting winbind Service
> Restarting ipa-otpd Service
> Restarting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
> [root at dc1 ~]# ipa dnsconfig-show
> ipa: ERROR: did not receive Kerberos credentials
> [root at dc1 ~]# kinit myipausername
> Password for myipausername at ipadomain.NET:
>
> OUTPUT GLOBAL FORWARDER CONFIG FOR TROUBLESHOOTING
> ==================================================
> [root at dc1 ~]# ipa dnsconfig-show
> Global forwarders: 10.21.0.14
> Allow PTR sync: TRUE
>
> PING NOW WORKS BECAUSE IPA SERVICES WERE RESTARTED
> ==================================================
> [root at dc1 ~]# ping artifactory.externaldomain.net
> PING van-artifactory1.externaldomain.net (10.20.10.14) 56(84) bytes of
> data.
> 64 bytes from 10.20.10.14: icmp_seq=1 ttl=60 time=3.00 ms
> 64 bytes from 10.20.10.14: icmp_seq=2 ttl=60 time=1.42 ms
> 64 bytes from 10.20.10.14: icmp_seq=3 ttl=60 time=2.39 ms
> ^C
> --- van-artifactory1.externaldomain.net ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2004ms
> rtt min/avg/max/mdev = 1.420/2.274/3.004/0.653 ms
> [root at dc1 ~]#
>
> Here are some strange enties from my /var/log/messages relating to errors
> from today :
>
> Oct 1 20:39:31 dc1 named-pkcs11[15066]: checkhints: unable to get root NS
> rrset from cache: not found
> Oct 1 20:39:17 dc1 named-pkcs11[15066]: error (network unreachable)
> resolving 'pmdb1.ipadomain.net/A/IN': 2001:500:2f::f#53
> Oct 1 20:39:17 dc1 named-pkcs11[15066]: error (network unreachable)
> resolving 'pmdb1.ipadomain.net/AAAA/IN': 2001:500:2f::f#53
>
> Looking at the log entries, it appears that there may have been a network
> connectivity 'blip' (maybe a switch or router was restarted) at some point
> and even after connectivity was restored, the global forwarding was
> failing because the "we can't contact our forwarder" status seemed to get
> stuck in memory.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
From nathan at nathanpeters.com Sat Oct 3 00:35:51 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Fri, 2 Oct 2015 17:35:51 -0700
Subject: [Freeipa-users] Can not post to list - email floats off into
cyberspace
In-Reply-To: <865a08ab5754d6162b3a363c7d73860a.squirrel@webmail.nathanpeters.com>
References: <865a08ab5754d6162b3a363c7d73860a.squirrel@webmail.nathanpeters.com>
Message-ID: <96bd919ba55633c42e56096501d78aae.squirrel@webmail.nathanpeters.com>
Sorry about this post. I sent this email to the list 3 times over the
last 48 hours and it was finally accepted after the 3rd send when I
changed the subject to something totally not descriptive of my problem.
Original email with original subject also finally posted today :(
> We have a FreeIPA domain running IPA server 4.1.4 on CentOS 7.
>
> We have no per zone forwarding enabled, only a single global forwarder.
> This seems to work fine, but then after a while (several weeks I think)
> will randomly stop working.
>
> We had this issue several weeks ago on a different IPA domain (identical
> setup) in our production network but it was ignored because a server
> restart fixed it.
>
> This issue then re-surfaced in our development domain today (different
> network, different physical hardware, same OS and IPA versions).
>
> I received a report today from a developer that he could not ping a
> machine in another domain so I verified network connectivity and
> everything was fine. When I tried to resolve the name from the IPA dc
> using ping it would fail, but nslookup directly to the forward server
> worked fine.
>
> ipactl showed no issues, and only after I restarted the server did the
> lookups start working again.
>
> Console log below :
>
> Using username "myipausername".
> Last login: Thu Oct 1 16:36:51 2015 from 10.5.5.57
> [myipausername at dc1 ~]$ sudo su -
> Last login: Tue Sep 29 19:03:39 UTC 2015 on pts/3
>
> ATTEMPT FIRST PING TO UNRESOLVABLE HOST
> =======================================
> [root at dc1 ~]# ping artifactory.externaldomain.net
> ping: unknown host artifactory.externaldomain.net
>
> CHECK IPA STATUS
> ================
> [root at dc1 ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> ATTEMPT PING OF GLOBAL FORWARDER
> ================================
> [root at dc1 ~]# ping 10.21.0.14
> PING 10.21.0.14 (10.21.0.14) 56(84) bytes of data.
> 64 bytes from 10.21.0.14: icmp_seq=1 ttl=64 time=0.275 ms
> 64 bytes from 10.21.0.14: icmp_seq=2 ttl=64 time=0.327 ms
> ^C
> --- 10.21.0.14 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1000ms
> rtt min/avg/max/mdev = 0.275/0.301/0.327/0.026 ms
>
> MANUAL NSLOOKUP OF DOMAIN ON GLOBAL FORWARDER FROM IPA DC
> =========================================================
> [root at dc1 ~]# nslookup
>> server 10.21.0.14
> Default server: 10.21.0.14
> Address: 10.21.0.14#53
>> artifactory.externaldomain.net
> Server: 10.21.0.14
> Address: 10.21.0.14#53
>
> Non-authoritative answer:
> artifactory.externaldomain.net canonical name =
> van-artifactory1.externaldomain.net.
> Name: van-artifactory1.externaldomain.net
> Address: 10.20.10.14
>
> RE-ATTEMPT PING SINCE WE KNOW THAT NAME RESOLUTION (at least via nslookup
> IS WORKING FROM THIS MACHINE
> ======================================================================================================
>> ^C[root at dc1 ~]# ping artifactory.externaldomain.net
> ping: unknown host artifactory.externaldomain.net
> [root at dc1 ~]# ping van-artifactory1.externaldomain.net
> ping: unknown host van-artifactory1.externaldomain.net
>
> RESTART IPA SERVICES
> ====================
> [root at dc1 ~]# ipactl restart
> Restarting Directory Service
> Restarting krb5kdc Service
> Restarting kadmin Service
> Restarting named Service
> Restarting ipa_memcached Service
> Restarting httpd Service
> Restarting pki-tomcatd Service
> Restarting smb Service
> Restarting winbind Service
> Restarting ipa-otpd Service
> Restarting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
> [root at dc1 ~]# ipa dnsconfig-show
> ipa: ERROR: did not receive Kerberos credentials
> [root at dc1 ~]# kinit myipausername
> Password for myipausername at ipadomain.NET:
>
> OUTPUT GLOBAL FORWARDER CONFIG FOR TROUBLESHOOTING
> ==================================================
> [root at dc1 ~]# ipa dnsconfig-show
> Global forwarders: 10.21.0.14
> Allow PTR sync: TRUE
>
> PING NOW WORKS BECAUSE IPA SERVICES WERE RESTARTED
> ==================================================
> [root at dc1 ~]# ping artifactory.externaldomain.net
> PING van-artifactory1.externaldomain.net (10.20.10.14) 56(84) bytes of
> data.
> 64 bytes from 10.20.10.14: icmp_seq=1 ttl=60 time=3.00 ms
> 64 bytes from 10.20.10.14: icmp_seq=2 ttl=60 time=1.42 ms
> 64 bytes from 10.20.10.14: icmp_seq=3 ttl=60 time=2.39 ms
> ^C
> --- van-artifactory1.externaldomain.net ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2004ms
> rtt min/avg/max/mdev = 1.420/2.274/3.004/0.653 ms
> [root at dc1 ~]#
>
> Here are some strange enties from my /var/log/messages relating to errors
> from today :
>
> Oct 1 20:39:31 dc1 named-pkcs11[15066]: checkhints: unable to get root NS
> rrset from cache: not found
> Oct 1 20:39:17 dc1 named-pkcs11[15066]: error (network unreachable)
> resolving 'pmdb1.ipadomain.net/A/IN': 2001:500:2f::f#53
> Oct 1 20:39:17 dc1 named-pkcs11[15066]: error (network unreachable)
> resolving 'pmdb1.ipadomain.net/AAAA/IN': 2001:500:2f::f#53
>
> Looking at the log entries, it appears that there may have been a network
> connectivity 'blip' (maybe a switch or router was restarted) at some point
> and even after connectivity was restored, the global forwarding was
> failing because the "we can't contact our forwarder" status seemed to get
> stuck in memory.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
From nathan at nathanpeters.com Fri Oct 2 17:21:57 2015
From: nathan at nathanpeters.com (nathan at nathanpeters.com)
Date: Fri, 2 Oct 2015 10:21:57 -0700
Subject: [Freeipa-users] DNS forwarding configuration randomly breaking
Message-ID:
We have a FreeIPA domain running IPA server 4.1.4 on CentOS 7.
We have no per zone forwarding enabled, only a single global forwarder.
This seems to work fine, but then after a while (several weeks I think)
will randomly stop working.
We had this issue several weeks ago on a different IPA domain (identical
setup) in our production network but it was ignored because a server
restart fixed it.
This issue then re-surfaced in our development domain today (different
network, different physical hardware, same OS and IPA versions).
I received a report today from a developer that he could not ping a
machine in another domain so I verified network connectivity and
everything was fine. When I tried to resolve the name from the IPA dc
using ping it would fail, but nslookup directly to the forward server
worked fine.
ipactl showed no issues, and only after I restarted the server did the
lookups start working again.
Console log below :
Using username "myipausername".
Last login: Thu Oct 1 16:36:51 2015 from 10.5.5.57
[myipausername at dc1 ~]$ sudo su -
Last login: Tue Sep 29 19:03:39 UTC 2015 on pts/3
ATTEMPT FIRST PING TO UNRESOLVABLE HOST
=======================================
[root at dc1 ~]# ping artifactory.externaldomain.net
ping: unknown host artifactory.externaldomain.net
CHECK IPA STATUS
================
[root at dc1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
ATTEMPT PING OF GLOBAL FORWARDER
================================
[root at dc1 ~]# ping 10.21.0.14
PING 10.21.0.14 (10.21.0.14) 56(84) bytes of data.
64 bytes from 10.21.0.14: icmp_seq=1 ttl=64 time=0.275 ms
64 bytes from 10.21.0.14: icmp_seq=2 ttl=64 time=0.327 ms
^C
--- 10.21.0.14 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.275/0.301/0.327/0.026 ms
MANUAL NSLOOKUP OF DOMAIN ON GLOBAL FORWARDER FROM IPA DC
=========================================================
[root at dc1 ~]# nslookup
> server 10.21.0.14
Default server: 10.21.0.14
Address: 10.21.0.14#53
> artifactory.externaldomain.net
Server: 10.21.0.14
Address: 10.21.0.14#53
Non-authoritative answer:
artifactory.externaldomain.net canonical name =
van-artifactory1.externaldomain.net.
Name: van-artifactory1.externaldomain.net
Address: 10.20.10.14
RE-ATTEMPT PING SINCE WE KNOW THAT NAME RESOLUTION (at least via nslookup
IS WORKING FROM THIS MACHINE
======================================================================================================
> ^C[root at dc1 ~]# ping artifactory.externaldomain.net
ping: unknown host artifactory.externaldomain.net
[root at dc1 ~]# ping van-artifactory1.externaldomain.net
ping: unknown host van-artifactory1.externaldomain.net
RESTART IPA SERVICES
====================
[root at dc1 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root at dc1 ~]# ipa dnsconfig-show
ipa: ERROR: did not receive Kerberos credentials
[root at dc1 ~]# kinit myipausername
Password for myipausername at ipadomain.NET:
OUTPUT GLOBAL FORWARDER CONFIG FOR TROUBLESHOOTING
==================================================
[root at dc1 ~]# ipa dnsconfig-show
Global forwarders: 10.21.0.14
Allow PTR sync: TRUE
PING NOW WORKS BECAUSE IPA SERVICES WERE RESTARTED
==================================================
[root at dc1 ~]# ping artifactory.externaldomain.net
PING van-artifactory1.externaldomain.net (10.20.10.14) 56(84) bytes of data.
64 bytes from 10.20.10.14: icmp_seq=1 ttl=60 time=3.00 ms
64 bytes from 10.20.10.14: icmp_seq=2 ttl=60 time=1.42 ms
64 bytes from 10.20.10.14: icmp_seq=3 ttl=60 time=2.39 ms
^C
--- van-artifactory1.externaldomain.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.420/2.274/3.004/0.653 ms
[root at dc1 ~]#
Here are some strange enties from my /var/log/messages relating to errors
from today :
Oct 1 20:39:31 dc1 named-pkcs11[15066]: checkhints: unable to get root NS
rrset from cache: not found
Oct 1 20:39:17 dc1 named-pkcs11[15066]: error (network unreachable)
resolving 'pmdb1.ipadomain.net/A/IN': 2001:500:2f::f#53
Oct 1 20:39:17 dc1 named-pkcs11[15066]: error (network unreachable)
resolving 'pmdb1.ipadomain.net/AAAA/IN': 2001:500:2f::f#53
Looking at the log entries, it appears that there may have been a network
connectivity 'blip' (maybe a switch or router was restarted) at some point
and even after connectivity was restored, the global forwarding was
failing because the "we can't contact our forwarder" status seemed to get
stuck in memory.
From janellenicole80 at gmail.com Sun Oct 4 17:25:24 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Sun, 4 Oct 2015 10:25:24 -0700
Subject: [Freeipa-users] admin loses access?
Message-ID: <56116104.3020404@gmail.com>
Hello everyone,
Just wondering if anyone knows why this happens from time to time on
servers:
$ kinit admin
kinit: Clients credentials have been revoked while getting initial
credentials
there are no failed logins to the admin account - not even any login
attempts, so it is not like someone is getting the account locked out.
Just curious if anyone else has seen in. With 16 masters, it occurs
randomly on some hosts, but eventually clears either on its own or with
a restart of IPA. However, I just restarted IPA on this server and after
about 2-3 minutes it works again.
Thank you
~Janelle
From harenberg at physik.uni-wuppertal.de Sun Oct 4 19:29:27 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Sun, 4 Oct 2015 21:29:27 +0200
Subject: [Freeipa-users] admin loses access?
In-Reply-To: <56116104.3020404@gmail.com>
References: <56116104.3020404@gmail.com>
Message-ID: <56117E17.2050302@physik.uni-wuppertal.de>
Hi Janelle,
Am 04.10.2015 um 19:25 schrieb Janelle:
> Just wondering if anyone knows why this happens from time to time on
> servers:
>
> $ kinit admin
> kinit: Clients credentials have been revoked while getting initial
> credentials
>
> there are no failed logins to the admin account - not even any login
> attempts, so it is not like someone is getting the account locked out.
> Just curious if anyone else has seen in. With 16 masters, it occurs
> randomly on some hosts, but eventually clears either on its own or with
> a restart of IPA. However, I just restarted IPA on this server and after
> about 2-3 minutes it works again.
>
I am seeing the same, see my mail "kinit admin not working anymore
(LOCKED_OUT: Clients credentials have been revoked)" from 03-SEPT.
Actually, wasn't it you who wanted to open a ticket?
Have a nice evening,
Torsten
--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<> <>
<> Dr. Torsten Harenberg harenberg at physik.uni-wuppertal.de <>
<> Bergische Universitaet <>
<> FB C - Physik Tel.: +49 (0)202 439-3521 <>
<> Gaussstr. 20 Fax : +49 (0)202 439-2811 <>
<> 42097 Wuppertal <>
<> <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>
From fujisan43 at gmail.com Mon Oct 5 07:17:41 2015
From: fujisan43 at gmail.com (Fujisan)
Date: Mon, 5 Oct 2015 09:17:41 +0200
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To:
References:
<20151002134558.GB5035@redhat.com>
<20151002142525.GD5035@redhat.com>
<20151002150145.GG5035@redhat.com>
Message-ID:
Good morning,
?
Any suggestion what I should do??
?I still have
?$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
Regards.
On Fri, Oct 2, 2015 at 5:04 PM, Fujisan wrote:
> I only have this:
>
> $ keyctl list @s
> 1 key in keyring:
> 641467419: --alswrv 0 65534 keyring: _uid.0
> $
>
>
>
> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy
> wrote:
>
>> On Fri, 02 Oct 2015, Fujisan wrote:
>>
>>> I forgot to mention that
>>>
>>> $ ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>> Unauthorized
>>>
>> This is most likely because of the cached session to your server.
>>
>> You can check if keyctl list @s
>> returns you something like
>> [root at m1 ~]# keyctl list @s
>> 2 keys in keyring:
>> 496745412: --alswrv 0 65534 keyring: _uid.0
>> 215779962: --alswrv 0 0 user:
>> ipa_session_cookie:admin at EXAMPLE.COM
>>
>> If so, then notice the key number (215779962) for the session cookie,
>> and do:
>> keyctl purge 215779962
>> keyctl reap
>>
>> This should make a next 'ipa ...' command run to ask for new cookie.
>>
>>
>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan wrote:
>>>
>>> I still cannot login to the web UI.
>>>>
>>>> Here is what I did:
>>>>
>>>> 1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>> 2. kinit admin
>>>> Password for admin at OPERA:
>>>> 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k
>>>> /etc/krb5.keytab
>>>> 4. systemctl restart sssd.service
>>>> 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>> 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k
>>>> /etc/httpd/conf/ipa.keytab
>>>> 7. systemctl restart httpd.service
>>>>
>>>>
>>>> The log says now:
>>>>
>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18
>>>> 17
>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera at OPERA
>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>
>>>>
>>>>
>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy
>>>> wrote:
>>>>
>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>
>>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>>> kerberos.
>>>>>>
>>>>>> What should I do to fix this?
>>>>>>
>>>>>> I have this on the ipa server:
>>>>>> $ klist -k
>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>> KVNO Principal
>>>>>> ----
>>>>>>
>>>>>>
>>>>>> --------------------------------------------------------------------------
>>>>>> 2 host/zaira2.opera at OPERA
>>>>>> 2 host/zaira2.opera at OPERA
>>>>>> 2 host/zaira2.opera at OPERA
>>>>>> 2 host/zaira2.opera at OPERA
>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>>
>>>>>> You can start by:
>>>>>>
>>>>> 0. backup every file mentioned below
>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>> 2. kinit as admin
>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>>> 4. restart SSSD
>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>>>>> /etc/httpd/conf/ipa.keytab
>>>>> 7. Restart httpd
>>>>>
>>>>> Every time you run 'ipa-getkeytab', Kerberos key for the service
>>>>> specified by you is replaced on the server side so that keys in the
>>>>> keytabs become unusable.
>>>>>
>>>>> I guess cockpit instructions were for something that was not supposed
>>>>> to
>>>>> run on IPA master. On IPA master there are already all needed services
>>>>> (host/ and HTTP/) and their keytabs are in place.
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy >>>>> >
>>>>>> wrote:
>>>>>>
>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>
>>>>>>>
>>>>>>> More info:
>>>>>>>
>>>>>>>>
>>>>>>>> I can initiate a ticket:
>>>>>>>> $ kdestroy
>>>>>>>> $ kinit admin
>>>>>>>>
>>>>>>>> but cannot view user admin:
>>>>>>>> $ ipa user-show admin
>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>>>> Unauthorized
>>>>>>>>
>>>>>>>> $ ipactl status
>>>>>>>> Directory Service: RUNNING
>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>> kadmin Service: RUNNING
>>>>>>>> named Service: RUNNING
>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>> httpd Service: RUNNING
>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>> smb Service: RUNNING
>>>>>>>> winbind Service: RUNNING
>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>
>>>>>>>> /var/log/messages:
>>>>>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to
>>>>>>>> initialize
>>>>>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt
>>>>>>>> integrity
>>>>>>>> check
>>>>>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>>
>>>>>>>> What did you do?
>>>>>>>>
>>>>>>>
>>>>>>> This and the log below about HTTP/zaira2.opera at OPERA show that you
>>>>>>> have
>>>>>>> different keys in LDAP and in your keytab files for host/zaira2.opera
>>>>>>> and HTTP/zaira2.opera principals. This might happen if somebody
>>>>>>> removed
>>>>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>>>>> host-del/ipa host-add) so that they become non-synchronized with
>>>>>>> whatever you have in the keytab files.
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan wrote:
>>>>>>>
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>>
>>>>>>>>> I cannot login to the web UI anymore.
>>>>>>>>>
>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>
>>>>>>>>> Log says:
>>>>>>>>>
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>>>>> {18 17
>>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd
>>>>>>>>> 12
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>>>>>>>> (encrypted_timestamp) verify failure: Decrypt integrity check
>>>>>>>>> failed
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>>>>> {18 17
>>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED:
>>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd
>>>>>>>>> 12
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>
>>>>>>>>> What can I do?
>>>>>>>>>
>>>>>>>>> ?Regards,
>>>>>>>>> Fuji?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> --
>>>>>>> / Alexander Bokovoy
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>> / Alexander Bokovoy
>>>>>
>>>>>
>>>>
>>>>
>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>>
>> --
>> / Alexander Bokovoy
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From pspacek at redhat.com Mon Oct 5 08:03:09 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 5 Oct 2015 10:03:09 +0200
Subject: [Freeipa-users] DNS forwarding configuration randomly breaks
and stops working
In-Reply-To: <7a8d700fff553f33563e9648f378fae8.squirrel@webmail.nathanpeters.com>
References: <0b25b6317a7d34927e8f81743a88e157.squirrel@webmail.nathanpeters.com>
<7a8d700fff553f33563e9648f378fae8.squirrel@webmail.nathanpeters.com>
Message-ID: <56122EBD.1030405@redhat.com>
On 3.10.2015 01:47, nathan at nathanpeters.com wrote:
> This issue has occured again and I am once again trying to troubleshoot it.
>
> show forwarder
> --------------
> -bash-4.2$ ipa dnsconfig-show
> Global forwarders: 10.21.0.14
> Allow PTR sync: TRUE
>
> attempt ping
> ------------
> -bash-4.2$ ping stash.externaldomain.net
> ping: unknown host stash.externaldomain.net
>
> -attempt nslookup
> -----------------
> -bash-4.2$ nslookup
>> stash.externaldomain.net
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> ** server can't find stash.externaldomain.net: NXDOMAIN
>
> *comment* : strange it doesn't work against localhost. Lets make sure
> that localhost lookups work at all :
>
> -bash-4.2$ nslookup
>> google.com
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name: google.com
> Address: 216.58.216.142
>
> *comment* : yup, I can resolve google.com when talking to localhost...
>
> now lets try to talk to the forwarder configured in the global settings
> -----------------------------------------------------------------------
>> server 10.21.0.14
> Default server: 10.21.0.14
> Address: 10.21.0.14#53
>> stash.externaldomain.net
> Server: 10.21.0.14
> Address: 10.21.0.14#53
>
> Non-authoritative answer:
> stash.externaldomain.net canonical name = git1.externaldomain.net.
> Name: git1.externaldomain.net
> Address: 10.20.10.30
>
> more troubleshooting
> --------------------
> I ran wireshark to see what the freeipa server was sending back to the
> client :
>
> 3 0.000393 10.178.0.99 10.178.21.2 DNS 163 Standard query response 0x12ca
> No such name CNAME git1.externaldomain.net
>
> I've never seen a 'no such CNAME' response before. Lets look at the
> contents of the packet:
>
>
> Frame 4: 163 bytes on wire (1304 bits), 163 bytes captured (1304 bits)
> Ethernet II, Src: Vmware_b7:09:c6 (00:50:56:b7:09:c6), Dst:
> HewlettP_3c:f9:48 (2c:59:e5:3c:f9:48)
> Internet Protocol Version 4, Src: 10.178.0.99 (10.178.0.99), Dst:
> 10.178.21.2 (10.178.21.2)
> User Datagram Protocol, Src Port: 53 (53), Dst Port: 57374 (57374)
> Domain Name System (response)
> [Request In: 1]
> [Time: 0.000414000 seconds]
> Transaction ID: 0x12ca
> Flags: 0x8183 Standard query response, No such name
> 1... .... .... .... = Response: Message is a response
> .000 0... .... .... = Opcode: Standard query (0)
> .... .0.. .... .... = Authoritative: Server is not an authority
> for domain
> .... ..0. .... .... = Truncated: Message is not truncated
> .... ...1 .... .... = Recursion desired: Do query recursively
> .... .... 1... .... = Recursion available: Server can do recursive
> queries
> .... .... .0.. .... = Z: reserved (0)
> .... .... ..0. .... = Answer authenticated: Answer/authority
> portion was not authenticated by the server
> .... .... ...0 .... = Non-authenticated data: Unacceptable
> .... .... .... 0011 = Reply code: No such name (3)
> Questions: 1
> Answer RRs: 1
> Authority RRs: 1
> Additional RRs: 0
> Queries
> stash.externaldomain.net: type A, class IN
> Name: stash.externaldomain.net
> [Name Length: 21]
> [Label Count: 3]
> Type: A (Host Address) (1)
> Class: IN (0x0001)
> Answers
> stash.externaldomain.net: type CNAME, class IN, cname
> git1.externaldomain.net
> Name: stash.externaldomain.net
> Type: CNAME (Canonical NAME for an alias) (5)
> Class: IN (0x0001)
> Time to live: 22483
> Data length: 20
> CNAME: git1.externaldomain.net
> Authoritative nameservers
> externaldomain.net: type SOA, class IN, mname
> van-dns1.externaldomain.net
> Name: externaldomain.net
> Type: SOA (Start Of a zone of Authority) (6)
> Class: IN (0x0001)
> Time to live: 518
> Data length: 38
> Primary name server: van-dns1.externaldomain.net
> Responsible authority's mailbox: tech.externaldomain.net
> Serial Number: 2015092101
> Refresh Interval: 10800 (3 hours)
> Retry Interval: 900 (15 minutes)
> Expire limit: 604800 (7 days)
> Minimum TTL: 86400 (1 day)
>
>
>> We have a FreeIPA domain running IPA server 4.1.4 on CentOS 7.
>>
>> We have no per zone forwarding enabled, only a single global forwarder.
>> This seems to work fine, but then after a while (several weeks I think)
>> will randomly stop working.
>>
>> We had this issue several weeks ago on a different IPA domain (identical
>> setup) in our production network but it was ignored because a server
>> restart fixed it.
>>
>> This issue then re-surfaced in our development domain today (different
>> network, different physical hardware, same OS and IPA versions).
>>
>> I received a report today from a developer that he could not ping a
>> machine in another domain so I verified network connectivity and
>> everything was fine. When I tried to resolve the name from the IPA dc
>> using ping it would fail, but nslookup directly to the forward server
>> worked fine.
>>
>> ipactl showed no issues, and only after I restarted the server did the
>> lookups start working again.
>>
>> Console log below :
>>
>> Using username "myipausername".
>> Last login: Thu Oct 1 16:36:51 2015 from 10.5.5.57
>> [myipausername at dc1 ~]$ sudo su -
>> Last login: Tue Sep 29 19:03:39 UTC 2015 on pts/3
>>
>> ATTEMPT FIRST PING TO UNRESOLVABLE HOST
>> =======================================
>> [root at dc1 ~]# ping artifactory.externaldomain.net
>> ping: unknown host artifactory.externaldomain.net
>>
>> CHECK IPA STATUS
>> ================
>> [root at dc1 ~]# ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> ipa_memcached Service: RUNNING
>> httpd Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> smb Service: RUNNING
>> winbind Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>> ATTEMPT PING OF GLOBAL FORWARDER
>> ================================
>> [root at dc1 ~]# ping 10.21.0.14
>> PING 10.21.0.14 (10.21.0.14) 56(84) bytes of data.
>> 64 bytes from 10.21.0.14: icmp_seq=1 ttl=64 time=0.275 ms
>> 64 bytes from 10.21.0.14: icmp_seq=2 ttl=64 time=0.327 ms
>> ^C
>> --- 10.21.0.14 ping statistics ---
>> 2 packets transmitted, 2 received, 0% packet loss, time 1000ms
>> rtt min/avg/max/mdev = 0.275/0.301/0.327/0.026 ms
>>
>> MANUAL NSLOOKUP OF DOMAIN ON GLOBAL FORWARDER FROM IPA DC
>> =========================================================
>> [root at dc1 ~]# nslookup
>>> server 10.21.0.14
>> Default server: 10.21.0.14
>> Address: 10.21.0.14#53
>>> artifactory.externaldomain.net
>> Server: 10.21.0.14
>> Address: 10.21.0.14#53
>>
>> Non-authoritative answer:
>> artifactory.externaldomain.net canonical name =
>> van-artifactory1.externaldomain.net.
>> Name: van-artifactory1.externaldomain.net
>> Address: 10.20.10.14
>>
>> RE-ATTEMPT PING SINCE WE KNOW THAT NAME RESOLUTION (at least via nslookup
>> IS WORKING FROM THIS MACHINE
>> ======================================================================================================
>>> ^C[root at dc1 ~]# ping artifactory.externaldomain.net
>> ping: unknown host artifactory.externaldomain.net
>> [root at dc1 ~]# ping van-artifactory1.externaldomain.net
>> ping: unknown host van-artifactory1.externaldomain.net
>>
>> RESTART IPA SERVICES
>> ====================
>> [root at dc1 ~]# ipactl restart
>> Restarting Directory Service
>> Restarting krb5kdc Service
>> Restarting kadmin Service
>> Restarting named Service
>> Restarting ipa_memcached Service
>> Restarting httpd Service
>> Restarting pki-tomcatd Service
>> Restarting smb Service
>> Restarting winbind Service
>> Restarting ipa-otpd Service
>> Restarting ipa-dnskeysyncd Service
>> ipa: INFO: The ipactl command was successful
>> [root at dc1 ~]# ipa dnsconfig-show
>> ipa: ERROR: did not receive Kerberos credentials
>> [root at dc1 ~]# kinit myipausername
>> Password for myipausername at ipadomain.NET:
>>
>> OUTPUT GLOBAL FORWARDER CONFIG FOR TROUBLESHOOTING
>> ==================================================
>> [root at dc1 ~]# ipa dnsconfig-show
>> Global forwarders: 10.21.0.14
>> Allow PTR sync: TRUE
>>
>> PING NOW WORKS BECAUSE IPA SERVICES WERE RESTARTED
>> ==================================================
>> [root at dc1 ~]# ping artifactory.externaldomain.net
>> PING van-artifactory1.externaldomain.net (10.20.10.14) 56(84) bytes of
>> data.
>> 64 bytes from 10.20.10.14: icmp_seq=1 ttl=60 time=3.00 ms
>> 64 bytes from 10.20.10.14: icmp_seq=2 ttl=60 time=1.42 ms
>> 64 bytes from 10.20.10.14: icmp_seq=3 ttl=60 time=2.39 ms
>> ^C
>> --- van-artifactory1.externaldomain.net ping statistics ---
>> 3 packets transmitted, 3 received, 0% packet loss, time 2004ms
>> rtt min/avg/max/mdev = 1.420/2.274/3.004/0.653 ms
>> [root at dc1 ~]#
>>
>> Here are some strange enties from my /var/log/messages relating to errors
>> from today :
>>
>> Oct 1 20:39:31 dc1 named-pkcs11[15066]: checkhints: unable to get root NS
>> rrset from cache: not found
>> Oct 1 20:39:17 dc1 named-pkcs11[15066]: error (network unreachable)
>> resolving 'pmdb1.ipadomain.net/A/IN': 2001:500:2f::f#53
>> Oct 1 20:39:17 dc1 named-pkcs11[15066]: error (network unreachable)
>> resolving 'pmdb1.ipadomain.net/AAAA/IN': 2001:500:2f::f#53
>>
>> Looking at the log entries, it appears that there may have been a network
>> connectivity 'blip' (maybe a switch or router was restarted) at some point
>> and even after connectivity was restored, the global forwarding was
>> failing because the "we can't contact our forwarder" status seemed to get
>> stuck in memory.
Most likely.
>> [root at dc1 ~]# ipa dnsconfig-show
>> Global forwarders: 10.21.0.14
>> Allow PTR sync: TRUE
This means that you are using the default forward policy which is 'first'.
I.e. BIND daemon on the IPA server is trying to use the forwarder first and
when it fails it fallbacks to asking server on the public Internet.
I speculate that public servers know nothing about the name you were asking
for and this negative answer got cached. This is default behavior in BIND and
IPA did not change it.
Workaround for network problems could be
$ ipa dnsconfig-mod --forward-policy=only
which will prevent BIND from falling back to public servers.
Anyway, you should solve network connectivity problems, too :-)
I hope this helps.
--
Petr^2 Spacek
From andreas.calminder at nordnet.se Mon Oct 5 08:58:40 2015
From: andreas.calminder at nordnet.se (Andreas Calminder)
Date: Mon, 5 Oct 2015 10:58:40 +0200
Subject: [Freeipa-users] Sudo default options
Message-ID: <56123BC0.3010208@nordnet.se>
Hi,
guessing this is a quite frequent question, but I can't find any solid
information about the topic.
I want to specify a set of default sudo options so I don't have to
specify these options for every other sudo rule I create.
There's supposed to be a magic "defaults" rule.
This old document
(https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf) suggests
it's cn=defaults,ou=sudorules,dc=example,dc=com which doesn't exist in
my ipa 4.1 installation others suggest it's under
ou=sudoers,dc=example,dc=com when poking around in ldap it looks like it
could also be cn=sudorules,cn=sudo,dc=example,dc=com, but there is no
way to be sure. Also, might it be as simple as create a defaults rule in
the webui or cli with the default options set or is this a ldapmodify
action?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From alexanders.mailinglists+nospam at gmail.com Mon Oct 5 07:00:13 2015
From: alexanders.mailinglists+nospam at gmail.com (Alexander Skwar)
Date: Mon, 5 Oct 2015 09:00:13 +0200
Subject: [Freeipa-users] ssh and sudo password authentication not
working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04
In-Reply-To: <20151002155951.GB3127@hendrix.redhat.com>
References:
<20151002155951.GB3127@hendrix.redhat.com>
Message-ID:
Hi
Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try
to login with SSH and enter a password.
kinit doesn't work.
$ kinit -k
kinit: Permission denied while getting initial credentials
For this test, I was root and then did a "su - user" and then "kinit -k".
Also after the "kinit -k", nothing is in the krb5_child.log.
Regards,
Alexander
2015-10-02 17:59 GMT+02:00 Jakub Hrozek :
> On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
> > Hello
> >
> > How do I get password authentication to work with freeipa-client
> > 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
> >
> > Long version follows :)
> >
> > We've got an IPA server with the Red Hat Identity Management server
> > on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
> > users and groups there and would now like to login with SSH. When I
> > store a SSH key for the user account, I can login just fine, using
> > this SSH key. But I'd like/need to use passwords as well. And sudo
> > also doesn't work, when it's asking for passwords - I supposed,
> > it's the same root cause.
> >
> > Let's stick with SSH.
> >
> > Initially, I installed the FreeIPA client with this command line:
> >
> > ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
> > --enable-dns-updates --unattended \
> > --principal=admin --password=correctone \
> > --domain=customer.company.internal \
> > --server=auth01.customer.company.internal
> >
> > I then try to do a SSH login with:
> >
> > ssh -l ewt at customer.company.internal 192.168.229.143
> > or:
> > ssh -l ewt 192.168.229.143
> >
> > Password authentication doesn't work.
> >
> > In the /var/log/syslog on the system where I try to login, I find this:
> >
> > 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
> > Key table entry not found
> >
> > After having turned up the debug level of the sssd with "sssd -i -f -d
> > 0x0770 --debug-timestamps=1", I find the following in the system log
> > files:
> >
> > 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
> > pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> > tty=ssh ruser= rhost=212.71.117.1 user=ewt
> > 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
> > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> > tty=ssh ruser= rhost=212.71.117.1 user=ewt
> > 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
> > pam_sss(sshd:auth): received for user ewt: 4 (System error)
> > 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
> > password for ewt from 212.71.117.1 port 58136 ssh2
> >
> > TBH, I don't quite understand it. Anyway, in
> > /var/log/sssd/sssd_customer.company.internal.log I noticed:
> >
> > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > [read_pipe_handler] (0x0400): EOF received, client finished
> > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > [parse_krb5_child_response] (0x0020): message too short.
> > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > [krb5_auth_done] (0x0040): Could not parse child response [22]:
> > Invalid argument
> > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
> >
> > Well? What am I doing wrong or what might I have forgotten?
>
> We need to also see the krb5_child.log but please check if the keytab is
> correct (ie kinit -k works).
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
--
Alexander
--
=> *Google+* => http://plus.skwar.me <==
=> *Chat* (Jabber/Google Talk) => a.skwar at gmail.com <==
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From pbrezina at redhat.com Mon Oct 5 09:29:06 2015
From: pbrezina at redhat.com (=?UTF-8?B?UGF2ZWwgQsWZZXppbmE=?=)
Date: Mon, 05 Oct 2015 11:29:06 +0200
Subject: [Freeipa-users] Sudo default options
In-Reply-To: <56123BC0.3010208@nordnet.se>
References: <56123BC0.3010208@nordnet.se>
Message-ID: <561242E2.2070000@redhat.com>
On 10/05/2015 10:58 AM, Andreas Calminder wrote:
> Hi,
> guessing this is a quite frequent question, but I can't find any solid
> information about the topic.
> I want to specify a set of default sudo options so I don't have to
> specify these options for every other sudo rule I create.
> There's supposed to be a magic "defaults" rule.
> This old document
> (https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf) suggests
> it's cn=defaults,ou=sudorules,dc=example,dc=com which doesn't exist in
> my ipa 4.1 installation others suggest it's under
> ou=sudoers,dc=example,dc=com when poking around in ldap it looks like it
> could also be cn=sudorules,cn=sudo,dc=example,dc=com, but there is no
> way to be sure. Also, might it be as simple as create a defaults rule in
> the webui or cli with the default options set or is this a ldapmodify
> action?
Hi,
just create a sudo rule named "defaults" through ipa cli or wui.
From fujisan43 at gmail.com Mon Oct 5 10:13:21 2015
From: fujisan43 at gmail.com (Fujisan)
Date: Mon, 5 Oct 2015 12:13:21 +0200
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To:
References:
<20151002134558.GB5035@redhat.com>
<20151002142525.GD5035@redhat.com>
<20151002150145.GG5035@redhat.com>
Message-ID:
I uninstalled the ipa server and reinstalled it. Then restored the backup.
And then the following:
$ keyctl list @s
3 keys in keyring:
437165764: --alswrv 0 65534 keyring: _uid.0
556579409: --alswrv 0 0 user:
ipa_session_cookie:host/zaira2.opera at OPERA
286806445: ---lswrv 0 65534 keyring: _persistent.0
$ keyctl purge 556579409
purged 0 keys
$ keyctl reap
0 keys reaped
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
$ keyctl list @s
3 keys in keyring:
437165764: --alswrv 0 65534 keyring: _uid.0
556579409: --alswrv 0 0 user:
ipa_session_cookie:host/zaira2.opera at OPERA
286806445: ---lswrv 0 65534 keyring: _persistent.0
?It doesn't seem to purge or to reap.?
On Mon, Oct 5, 2015 at 9:17 AM, Fujisan wrote:
> Good morning,
> ?
> Any suggestion what I should do??
>
> ?I still have
>
> ?$ ipa user-show admin
> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
> Unauthorized
>
>
> Regards.
>
>
> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan wrote:
>
>> I only have this:
>>
>> $ keyctl list @s
>> 1 key in keyring:
>> 641467419: --alswrv 0 65534 keyring: _uid.0
>> $
>>
>>
>>
>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy
>> wrote:
>>
>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>
>>>> I forgot to mention that
>>>>
>>>> $ ipa user-show admin
>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>> Unauthorized
>>>>
>>> This is most likely because of the cached session to your server.
>>>
>>> You can check if keyctl list @s
>>> returns you something like
>>> [root at m1 ~]# keyctl list @s
>>> 2 keys in keyring:
>>> 496745412: --alswrv 0 65534 keyring: _uid.0
>>> 215779962: --alswrv 0 0 user:
>>> ipa_session_cookie:admin at EXAMPLE.COM
>>>
>>> If so, then notice the key number (215779962) for the session cookie,
>>> and do:
>>> keyctl purge 215779962
>>> keyctl reap
>>>
>>> This should make a next 'ipa ...' command run to ask for new cookie.
>>>
>>>
>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan wrote:
>>>>
>>>> I still cannot login to the web UI.
>>>>>
>>>>> Here is what I did:
>>>>>
>>>>> 1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>> 2. kinit admin
>>>>> Password for admin at OPERA:
>>>>> 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k
>>>>> /etc/krb5.keytab
>>>>> 4. systemctl restart sssd.service
>>>>> 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>> 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k
>>>>> /etc/httpd/conf/ipa.keytab
>>>>> 7. systemctl restart httpd.service
>>>>>
>>>>>
>>>>> The log says now:
>>>>>
>>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18
>>>>> 17
>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>> HTTP/zaira2.opera at OPERA
>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy >>>> >
>>>>> wrote:
>>>>>
>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>
>>>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>>>> kerberos.
>>>>>>>
>>>>>>> What should I do to fix this?
>>>>>>>
>>>>>>> I have this on the ipa server:
>>>>>>> $ klist -k
>>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>>> KVNO Principal
>>>>>>> ----
>>>>>>>
>>>>>>>
>>>>>>> --------------------------------------------------------------------------
>>>>>>> 2 host/zaira2.opera at OPERA
>>>>>>> 2 host/zaira2.opera at OPERA
>>>>>>> 2 host/zaira2.opera at OPERA
>>>>>>> 2 host/zaira2.opera at OPERA
>>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>>>
>>>>>>> You can start by:
>>>>>>>
>>>>>> 0. backup every file mentioned below
>>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>>> 2. kinit as admin
>>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>>>> 4. restart SSSD
>>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>>>>>> /etc/httpd/conf/ipa.keytab
>>>>>> 7. Restart httpd
>>>>>>
>>>>>> Every time you run 'ipa-getkeytab', Kerberos key for the service
>>>>>> specified by you is replaced on the server side so that keys in the
>>>>>> keytabs become unusable.
>>>>>>
>>>>>> I guess cockpit instructions were for something that was not supposed
>>>>>> to
>>>>>> run on IPA master. On IPA master there are already all needed services
>>>>>> (host/ and HTTP/) and their keytabs are in place.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <
>>>>>>> abokovoy at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> More info:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> I can initiate a ticket:
>>>>>>>>> $ kdestroy
>>>>>>>>> $ kinit admin
>>>>>>>>>
>>>>>>>>> but cannot view user admin:
>>>>>>>>> $ ipa user-show admin
>>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>>>>> Unauthorized
>>>>>>>>>
>>>>>>>>> $ ipactl status
>>>>>>>>> Directory Service: RUNNING
>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>> named Service: RUNNING
>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>> httpd Service: RUNNING
>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>> smb Service: RUNNING
>>>>>>>>> winbind Service: RUNNING
>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>
>>>>>>>>> /var/log/messages:
>>>>>>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to
>>>>>>>>> initialize
>>>>>>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt
>>>>>>>>> integrity
>>>>>>>>> check
>>>>>>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>>>
>>>>>>>>> What did you do?
>>>>>>>>>
>>>>>>>>
>>>>>>>> This and the log below about HTTP/zaira2.opera at OPERA show that you
>>>>>>>> have
>>>>>>>> different keys in LDAP and in your keytab files for
>>>>>>>> host/zaira2.opera
>>>>>>>> and HTTP/zaira2.opera principals. This might happen if somebody
>>>>>>>> removed
>>>>>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>>>>>> host-del/ipa host-add) so that they become non-synchronized with
>>>>>>>> whatever you have in the keytab files.
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> I cannot login to the web UI anymore.
>>>>>>>>>>
>>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>>
>>>>>>>>>> Log says:
>>>>>>>>>>
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>>>>>> {18 17
>>>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd
>>>>>>>>>> 12
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>>>>>>>>> (encrypted_timestamp) verify failure: Decrypt integrity check
>>>>>>>>>> failed
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes
>>>>>>>>>> {18 17
>>>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED:
>>>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd
>>>>>>>>>> 12
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>>
>>>>>>>>>> What can I do?
>>>>>>>>>>
>>>>>>>>>> ?Regards,
>>>>>>>>>> Fuji?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>
>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> --
>>>>>>>> / Alexander Bokovoy
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>> / Alexander Bokovoy
>>>>>>
>>>>>>
>>>>>
>>>>>
>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From fujisan43 at gmail.com Mon Oct 5 10:27:04 2015
From: fujisan43 at gmail.com (Fujisan)
Date: Mon, 5 Oct 2015 12:27:04 +0200
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To:
References:
<20151002134558.GB5035@redhat.com>
<20151002142525.GD5035@redhat.com>
<20151002150145.GG5035@redhat.com>
Message-ID:
I just noticed I can log in to the web UI with user admin and his password.
But when I try to configure firefox to use kerberos, I click on "Install
Kerberos Configuration Firefox Extension" button, a message appears saying
"Firefox prevented this site from asking you to install software on your
computer", so I click on the "Allow" button and then another message
appears "The add-on downloaded from this site could not be installed
because it appears to be corrupt.".
And the ipa commands are still not working.
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
On Mon, Oct 5, 2015 at 12:13 PM, Fujisan wrote:
> I uninstalled the ipa server and reinstalled it. Then restored the backup.
> And then the following:
>
> $ keyctl list @s
> 3 keys in keyring:
> 437165764: --alswrv 0 65534 keyring: _uid.0
> 556579409: --alswrv 0 0 user:
> ipa_session_cookie:host/zaira2.opera at OPERA
> 286806445: ---lswrv 0 65534 keyring: _persistent.0
> $ keyctl purge 556579409
> purged 0 keys
> $ keyctl reap
> 0 keys reaped
> $ ipa user-show admin
> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
> Unauthorized
> $ keyctl list @s
> 3 keys in keyring:
> 437165764: --alswrv 0 65534 keyring: _uid.0
> 556579409: --alswrv 0 0 user:
> ipa_session_cookie:host/zaira2.opera at OPERA
> 286806445: ---lswrv 0 65534 keyring: _persistent.0
>
> ?It doesn't seem to purge or to reap.?
>
>
>
> On Mon, Oct 5, 2015 at 9:17 AM, Fujisan wrote:
>
>> Good morning,
>> ?
>> Any suggestion what I should do??
>>
>> ?I still have
>>
>> ?$ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>> Unauthorized
>>
>>
>> Regards.
>>
>>
>> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan wrote:
>>
>>> I only have this:
>>>
>>> $ keyctl list @s
>>> 1 key in keyring:
>>> 641467419: --alswrv 0 65534 keyring: _uid.0
>>> $
>>>
>>>
>>>
>>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy
>>> wrote:
>>>
>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>
>>>>> I forgot to mention that
>>>>>
>>>>> $ ipa user-show admin
>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>> Unauthorized
>>>>>
>>>> This is most likely because of the cached session to your server.
>>>>
>>>> You can check if keyctl list @s
>>>> returns you something like
>>>> [root at m1 ~]# keyctl list @s
>>>> 2 keys in keyring:
>>>> 496745412: --alswrv 0 65534 keyring: _uid.0
>>>> 215779962: --alswrv 0 0 user:
>>>> ipa_session_cookie:admin at EXAMPLE.COM
>>>>
>>>> If so, then notice the key number (215779962) for the session cookie,
>>>> and do:
>>>> keyctl purge 215779962
>>>> keyctl reap
>>>>
>>>> This should make a next 'ipa ...' command run to ask for new cookie.
>>>>
>>>>
>>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan wrote:
>>>>>
>>>>> I still cannot login to the web UI.
>>>>>>
>>>>>> Here is what I did:
>>>>>>
>>>>>> 1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>>> 2. kinit admin
>>>>>> Password for admin at OPERA:
>>>>>> 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k
>>>>>> /etc/krb5.keytab
>>>>>> 4. systemctl restart sssd.service
>>>>>> 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>>> 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k
>>>>>> /etc/httpd/conf/ipa.keytab
>>>>>> 7. systemctl restart httpd.service
>>>>>>
>>>>>>
>>>>>> The log says now:
>>>>>>
>>>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes
>>>>>> {18 17
>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>> HTTP/zaira2.opera at OPERA
>>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <
>>>>>> abokovoy at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>
>>>>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>>>>> kerberos.
>>>>>>>>
>>>>>>>> What should I do to fix this?
>>>>>>>>
>>>>>>>> I have this on the ipa server:
>>>>>>>> $ klist -k
>>>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>>>> KVNO Principal
>>>>>>>> ----
>>>>>>>>
>>>>>>>>
>>>>>>>> --------------------------------------------------------------------------
>>>>>>>> 2 host/zaira2.opera at OPERA
>>>>>>>> 2 host/zaira2.opera at OPERA
>>>>>>>> 2 host/zaira2.opera at OPERA
>>>>>>>> 2 host/zaira2.opera at OPERA
>>>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>>>>
>>>>>>>> You can start by:
>>>>>>>>
>>>>>>> 0. backup every file mentioned below
>>>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>>>> 2. kinit as admin
>>>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>>>>> 4. restart SSSD
>>>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>>>>>>> /etc/httpd/conf/ipa.keytab
>>>>>>> 7. Restart httpd
>>>>>>>
>>>>>>> Every time you run 'ipa-getkeytab', Kerberos key for the service
>>>>>>> specified by you is replaced on the server side so that keys in the
>>>>>>> keytabs become unusable.
>>>>>>>
>>>>>>> I guess cockpit instructions were for something that was not
>>>>>>> supposed to
>>>>>>> run on IPA master. On IPA master there are already all needed
>>>>>>> services
>>>>>>> (host/ and HTTP/) and their keytabs are in place.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <
>>>>>>>> abokovoy at redhat.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> More info:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I can initiate a ticket:
>>>>>>>>>> $ kdestroy
>>>>>>>>>> $ kinit admin
>>>>>>>>>>
>>>>>>>>>> but cannot view user admin:
>>>>>>>>>> $ ipa user-show admin
>>>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>>>>>> Unauthorized
>>>>>>>>>>
>>>>>>>>>> $ ipactl status
>>>>>>>>>> Directory Service: RUNNING
>>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>>> named Service: RUNNING
>>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>>> httpd Service: RUNNING
>>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>>> smb Service: RUNNING
>>>>>>>>>> winbind Service: RUNNING
>>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>>
>>>>>>>>>> /var/log/messages:
>>>>>>>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to
>>>>>>>>>> initialize
>>>>>>>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt
>>>>>>>>>> integrity
>>>>>>>>>> check
>>>>>>>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>>>>
>>>>>>>>>> What did you do?
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This and the log below about HTTP/zaira2.opera at OPERA show that
>>>>>>>>> you have
>>>>>>>>> different keys in LDAP and in your keytab files for
>>>>>>>>> host/zaira2.opera
>>>>>>>>> and HTTP/zaira2.opera principals. This might happen if somebody
>>>>>>>>> removed
>>>>>>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>>>>>>> host-del/ipa host-add) so that they become non-synchronized with
>>>>>>>>> whatever you have in the keytab files.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> I cannot login to the web UI anymore.
>>>>>>>>>>>
>>>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>>>
>>>>>>>>>>> Log says:
>>>>>>>>>>>
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9
>>>>>>>>>>> etypes
>>>>>>>>>>> {18 17
>>>>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down
>>>>>>>>>>> fd 12
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>>>>>>>>>> (encrypted_timestamp) verify failure: Decrypt integrity check
>>>>>>>>>>> failed
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9
>>>>>>>>>>> etypes
>>>>>>>>>>> {18 17
>>>>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED:
>>>>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>>>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down
>>>>>>>>>>> fd 12
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>>>
>>>>>>>>>>> What can I do?
>>>>>>>>>>>
>>>>>>>>>>> ?Regards,
>>>>>>>>>>> Fuji?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> / Alexander Bokovoy
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>> / Alexander Bokovoy
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project
>>>>>
>>>>
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From andreas.calminder at nordnet.se Mon Oct 5 10:27:30 2015
From: andreas.calminder at nordnet.se (Andreas Calminder)
Date: Mon, 5 Oct 2015 12:27:30 +0200
Subject: [Freeipa-users] Sudo default options
In-Reply-To: <561242E2.2070000@redhat.com>
References: <56123BC0.3010208@nordnet.se> <561242E2.2070000@redhat.com>
Message-ID: <56125092.3060109@nordnet.se>
All right,
Thanks a million!
/andreas
On 10/05/2015 11:29 AM, Pavel B?ezina wrote:
> On 10/05/2015 10:58 AM, Andreas Calminder wrote:
>> Hi,
>> guessing this is a quite frequent question, but I can't find any solid
>> information about the topic.
>> I want to specify a set of default sudo options so I don't have to
>> specify these options for every other sudo rule I create.
>> There's supposed to be a magic "defaults" rule.
>> This old document
>> (https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf)
>> suggests
>> it's cn=defaults,ou=sudorules,dc=example,dc=com which doesn't exist in
>> my ipa 4.1 installation others suggest it's under
>> ou=sudoers,dc=example,dc=com when poking around in ldap it looks like it
>> could also be cn=sudorules,cn=sudo,dc=example,dc=com, but there is no
>> way to be sure. Also, might it be as simple as create a defaults rule in
>> the webui or cli with the default options set or is this a ldapmodify
>> action?
>
> Hi,
> just create a sudo rule named "defaults" through ipa cli or wui.
From mkosek at redhat.com Mon Oct 5 10:40:42 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 5 Oct 2015 12:40:42 +0200
Subject: [Freeipa-users] re-initialize replica
In-Reply-To: <20151002160059.GB18409@dead.ccr.buffalo.edu>
References: <20151002135647.GA18409@dead.ccr.buffalo.edu>
<20151002160059.GB18409@dead.ccr.buffalo.edu>
Message-ID: <561253AA.4050509@redhat.com>
On 10/02/2015 06:00 PM, Andrew E. Bruno wrote:
> On Fri, Oct 02, 2015 at 09:56:47AM -0400, Andrew E. Bruno wrote:
>> What's the best way to re-initialize a replica?
>>
>> Suppose one of your replicas goes south.. is there a command to tell
>> that replicate to re-initialize from the first master (instead of
>> removing/re-adding the replica from the topology)?
>
> Found the command I was looking for:
> ipa-replica-manage re-initialize --from xxx
>
> However, one of our replicates is down and can't seem to re-initialize
> it. Starting ipa fails (via systemctl restart ipa):
>
> ipactl status
> Directory Service: RUNNING
> krb5kdc Service: STOPPED
> kadmin Service: STOPPED
> named Service: STOPPED
> ipa_memcached Service: STOPPED
> httpd Service: STOPPED
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: STOPPED
> ipa: INFO: The ipactl command was successful
>
>
> Errors from the dirsrv show:
>
> : GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
> [02/Oct/2015:11:45:05 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
> [02/Oct/2015:11:50:05 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server at realm] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [02/Oct/2015:11:50:05 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
> [02/Oct/2015:11:50:05 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
>
>
> Attempting to re-initialize fails:
>
> ipa-replica-manage re-initialize --from master
> Connection timed out.
>
>
> I verified time is in sync and DNS forward/reverse resolution is working.
>
> Any pointers on what else to try?
>
> Thanks!
>
> --Andrew
Given that your Kerberos server instance is down, I would start investigating
Kerberos logs to see why.
From fujisan43 at gmail.com Mon Oct 5 10:55:50 2015
From: fujisan43 at gmail.com (Fujisan)
Date: Mon, 5 Oct 2015 12:55:50 +0200
Subject: [Freeipa-users] Cannot connect to FreeIPA web UI anymore
In-Reply-To:
References:
<20151002134558.GB5035@redhat.com>
<20151002142525.GD5035@redhat.com>
<20151002150145.GG5035@redhat.com>
Message-ID:
It is actually on the ipa server that ipa commands are not working. On ipa
clients, I do not have errors.
On Mon, Oct 5, 2015 at 12:27 PM, Fujisan wrote:
> I just noticed I can log in to the web UI with user admin and his password.
>
> But when I try to configure firefox to use kerberos, I click on "Install
> Kerberos Configuration Firefox Extension" button, a message appears saying
> "Firefox prevented this site from asking you to install software on your
> computer", so I click on the "Allow" button and then another message
> appears "The add-on downloaded from this site could not be installed
> because it appears to be corrupt.".
>
> And the ipa commands are still not working.
> $ ipa user-show admin
> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
> Unauthorized
>
>
> On Mon, Oct 5, 2015 at 12:13 PM, Fujisan wrote:
>
>> I uninstalled the ipa server and reinstalled it. Then restored the backup.
>> And then the following:
>>
>> $ keyctl list @s
>> 3 keys in keyring:
>> 437165764: --alswrv 0 65534 keyring: _uid.0
>> 556579409: --alswrv 0 0 user:
>> ipa_session_cookie:host/zaira2.opera at OPERA
>> 286806445: ---lswrv 0 65534 keyring: _persistent.0
>> $ keyctl purge 556579409
>> purged 0 keys
>> $ keyctl reap
>> 0 keys reaped
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>> Unauthorized
>> $ keyctl list @s
>> 3 keys in keyring:
>> 437165764: --alswrv 0 65534 keyring: _uid.0
>> 556579409: --alswrv 0 0 user:
>> ipa_session_cookie:host/zaira2.opera at OPERA
>> 286806445: ---lswrv 0 65534 keyring: _persistent.0
>>
>> ?It doesn't seem to purge or to reap.?
>>
>>
>>
>> On Mon, Oct 5, 2015 at 9:17 AM, Fujisan wrote:
>>
>>> Good morning,
>>> ?
>>> Any suggestion what I should do??
>>>
>>> ?I still have
>>>
>>> ?$ ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>> Unauthorized
>>>
>>>
>>> Regards.
>>>
>>>
>>> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan wrote:
>>>
>>>> I only have this:
>>>>
>>>> $ keyctl list @s
>>>> 1 key in keyring:
>>>> 641467419: --alswrv 0 65534 keyring: _uid.0
>>>> $
>>>>
>>>>
>>>>
>>>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy
>>>> wrote:
>>>>
>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>
>>>>>> I forgot to mention that
>>>>>>
>>>>>> $ ipa user-show admin
>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>> Unauthorized
>>>>>>
>>>>> This is most likely because of the cached session to your server.
>>>>>
>>>>> You can check if keyctl list @s
>>>>> returns you something like
>>>>> [root at m1 ~]# keyctl list @s
>>>>> 2 keys in keyring:
>>>>> 496745412: --alswrv 0 65534 keyring: _uid.0
>>>>> 215779962: --alswrv 0 0 user:
>>>>> ipa_session_cookie:admin at EXAMPLE.COM
>>>>>
>>>>> If so, then notice the key number (215779962) for the session cookie,
>>>>> and do:
>>>>> keyctl purge 215779962
>>>>> keyctl reap
>>>>>
>>>>> This should make a next 'ipa ...' command run to ask for new cookie.
>>>>>
>>>>>
>>>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan wrote:
>>>>>>
>>>>>> I still cannot login to the web UI.
>>>>>>>
>>>>>>> Here is what I did:
>>>>>>>
>>>>>>> 1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>>>> 2. kinit admin
>>>>>>> Password for admin at OPERA:
>>>>>>> 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera at OPERA -k
>>>>>>> /etc/krb5.keytab
>>>>>>> 4. systemctl restart sssd.service
>>>>>>> 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>>>> 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera at OPERA -k
>>>>>>> /etc/httpd/conf/ipa.keytab
>>>>>>> 7. systemctl restart httpd.service
>>>>>>>
>>>>>>>
>>>>>>> The log says now:
>>>>>>>
>>>>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes
>>>>>>> {18 17
>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <
>>>>>>> abokovoy at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>
>>>>>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>>>>>> kerberos.
>>>>>>>>>
>>>>>>>>> What should I do to fix this?
>>>>>>>>>
>>>>>>>>> I have this on the ipa server:
>>>>>>>>> $ klist -k
>>>>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>>>>> KVNO Principal
>>>>>>>>> ----
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --------------------------------------------------------------------------
>>>>>>>>> 2 host/zaira2.opera at OPERA
>>>>>>>>> 2 host/zaira2.opera at OPERA
>>>>>>>>> 2 host/zaira2.opera at OPERA
>>>>>>>>> 2 host/zaira2.opera at OPERA
>>>>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>>>>> 1 nfs/zaira2.opera at OPERA
>>>>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>>>>> 3 HTTP/zaira2.opera at OPERA
>>>>>>>>>
>>>>>>>>> You can start by:
>>>>>>>>>
>>>>>>>> 0. backup every file mentioned below
>>>>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>>>>> 2. kinit as admin
>>>>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k
>>>>>>>> /etc/krb5.keytab
>>>>>>>> 4. restart SSSD
>>>>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k
>>>>>>>> /etc/httpd/conf/ipa.keytab
>>>>>>>> 7. Restart httpd
>>>>>>>>
>>>>>>>> Every time you run 'ipa-getkeytab', Kerberos key for the service
>>>>>>>> specified by you is replaced on the server side so that keys in the
>>>>>>>> keytabs become unusable.
>>>>>>>>
>>>>>>>> I guess cockpit instructions were for something that was not
>>>>>>>> supposed to
>>>>>>>> run on IPA master. On IPA master there are already all needed
>>>>>>>> services
>>>>>>>> (host/ and HTTP/) and their keytabs are in place.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <
>>>>>>>>> abokovoy at redhat.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> More info:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I can initiate a ticket:
>>>>>>>>>>> $ kdestroy
>>>>>>>>>>> $ kinit admin
>>>>>>>>>>>
>>>>>>>>>>> but cannot view user admin:
>>>>>>>>>>> $ ipa user-show admin
>>>>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
>>>>>>>>>>> Unauthorized
>>>>>>>>>>>
>>>>>>>>>>> $ ipactl status
>>>>>>>>>>> Directory Service: RUNNING
>>>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>>>> named Service: RUNNING
>>>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>>>> httpd Service: RUNNING
>>>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>>>> smb Service: RUNNING
>>>>>>>>>>> winbind Service: RUNNING
>>>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>>>
>>>>>>>>>>> /var/log/messages:
>>>>>>>>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to
>>>>>>>>>>> initialize
>>>>>>>>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt
>>>>>>>>>>> integrity
>>>>>>>>>>> check
>>>>>>>>>>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>>>>>
>>>>>>>>>>> What did you do?
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> This and the log below about HTTP/zaira2.opera at OPERA show that
>>>>>>>>>> you have
>>>>>>>>>> different keys in LDAP and in your keytab files for
>>>>>>>>>> host/zaira2.opera
>>>>>>>>>> and HTTP/zaira2.opera principals. This might happen if somebody
>>>>>>>>>> removed
>>>>>>>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>>>>>>>> host-del/ipa host-add) so that they become non-synchronized with
>>>>>>>>>> whatever you have in the keytab files.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> I cannot login to the web UI anymore.
>>>>>>>>>>>>
>>>>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>>>>
>>>>>>>>>>>> Log says:
>>>>>>>>>>>>
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9
>>>>>>>>>>>> etypes
>>>>>>>>>>>> {18 17
>>>>>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH:
>>>>>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>>>>>> for krbtgt/OPERA at OPERA, Additional pre-authentication required
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down
>>>>>>>>>>>> fd 12
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
>>>>>>>>>>>> (encrypted_timestamp) verify failure: Decrypt integrity check
>>>>>>>>>>>> failed
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9
>>>>>>>>>>>> etypes
>>>>>>>>>>>> {18 17
>>>>>>>>>>>> 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED:
>>>>>>>>>>>> HTTP/zaira2.opera at OPERA
>>>>>>>>>>>> for krbtgt/OPERA at OPERA, Decrypt integrity check failed
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down
>>>>>>>>>>>> fd 12
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>>>>
>>>>>>>>>>>> What can I do?
>>>>>>>>>>>>
>>>>>>>>>>>> ?Regards,
>>>>>>>>>>>> Fuji?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> / Alexander Bokovoy
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>> / Alexander Bokovoy
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>> --
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>>
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From tbabej at redhat.com Mon Oct 5 11:16:41 2015
From: tbabej at redhat.com (Tomas Babej)
Date: Mon, 5 Oct 2015 13:16:41 +0200
Subject: [Freeipa-users] FreeIPA 3.3 performance issues with many hosts
In-Reply-To: <560D4BFA.2040303@mittwald.de>
References: <560D4BFA.2040303@mittwald.de>
Message-ID: <56125C19.5010307@redhat.com>
On 10/01/2015 05:06 PM, Dominik Korittki wrote:
> Hello folks,
>
> I am running two FreeIPA Servers with around 100 users and around 15.000
> hosts, which are used by users to login via ssh. The FreeIPA servers
> (which are Centos 7.0) ran good for a while, but as more and more hosts
> got migrated to serve as FreeIPA hosts, it started to get slow and
> unstable.
>
> For example, its hard to maintain hostgroups, which have more than 1.000
> hosts. The ipa host-* commands are getting slower as the hostgroup
> grows. Is this normal?
> We also experience random dirsrv segfaults. Here's a dmesg line from the
> latest:
>
> [690787.647261] traps: ns-slapd[5217] general protection ip:7f8d6b6d6bc1
> sp:7f8d3aff2a88 error:0 in libc-2.17.so[7f8d6b650000+1b6000]
>
> Nothing in /var/log/dirsrv/slapd-INTERNAL/errors, which relates to the
> problem.
> I'm thinking about migrating to latest CentOS 7 FreeIPA 4, but does that
> solve my problems?
>
> FreeIPA server version is 3.3.3-28.el7.centos
> 389-ds-base.x86_64 is 1.3.1.6-26.el7_0
>
>
>
> Kind regards,
> Dominik Korittki
>
Hi Dominik,
performance issues are a known problem, there has been some work to
improve the performance with respect to large groups:
11bd9d96f191066f7ba760549f00179c128a9787
efcd48ad01a39a67f131a2cea9d54771642222fb
These improvements are in FreeIPA 4.2 only, however, which has not been
released for CentOS7 as of now. You may try to play with FreeIPA 4.2 on
Fedora, see https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.
HTH,
Tomas
From alexanders.mailinglists+nospam at gmail.com Mon Oct 5 11:39:48 2015
From: alexanders.mailinglists+nospam at gmail.com (Alexander Skwar)
Date: Mon, 5 Oct 2015 13:39:48 +0200
Subject: [Freeipa-users] ssh and sudo password authentication not
working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04
In-Reply-To:
References:
<20151002155951.GB3127@hendrix.redhat.com>
Message-ID:
Hi
Hm, when I'm root, "kinit -k" works:
# kinit -k
#
Just not as a user. As a user, I get the "kinit: Permission denied while
getting initial credentials" error message.
Regards,
Alexander
2015-10-05 9:00 GMT+02:00 Alexander Skwar <
alexanders.mailinglists+nospam at gmail.com>:
> Hi
>
> Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try
> to login with SSH and enter a password.
>
> kinit doesn't work.
>
> $ kinit -k
> kinit: Permission denied while getting initial credentials
>
> For this test, I was root and then did a "su - user" and then "kinit -k".
> Also after the "kinit -k", nothing is in the krb5_child.log.
>
> Regards,
> Alexander
>
>
> 2015-10-02 17:59 GMT+02:00 Jakub Hrozek :
>
>> On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
>> > Hello
>> >
>> > How do I get password authentication to work with freeipa-client
>> > 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
>> >
>> > Long version follows :)
>> >
>> > We've got an IPA server with the Red Hat Identity Management server
>> > on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
>> > users and groups there and would now like to login with SSH. When I
>> > store a SSH key for the user account, I can login just fine, using
>> > this SSH key. But I'd like/need to use passwords as well. And sudo
>> > also doesn't work, when it's asking for passwords - I supposed,
>> > it's the same root cause.
>> >
>> > Let's stick with SSH.
>> >
>> > Initially, I installed the FreeIPA client with this command line:
>> >
>> > ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
>> > --enable-dns-updates --unattended \
>> > --principal=admin --password=correctone \
>> > --domain=customer.company.internal \
>> > --server=auth01.customer.company.internal
>> >
>> > I then try to do a SSH login with:
>> >
>> > ssh -l ewt at customer.company.internal 192.168.229.143
>> > or:
>> > ssh -l ewt 192.168.229.143
>> >
>> > Password authentication doesn't work.
>> >
>> > In the /var/log/syslog on the system where I try to login, I find this:
>> >
>> > 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
>> > Key table entry not found
>> >
>> > After having turned up the debug level of the sssd with "sssd -i -f -d
>> > 0x0770 --debug-timestamps=1", I find the following in the system log
>> > files:
>> >
>> > 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
>> > pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
>> > tty=ssh ruser= rhost=212.71.117.1 user=ewt
>> > 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
>> > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
>> > tty=ssh ruser= rhost=212.71.117.1 user=ewt
>> > 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
>> > pam_sss(sshd:auth): received for user ewt: 4 (System error)
>> > 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
>> > password for ewt from 212.71.117.1 port 58136 ssh2
>> >
>> > TBH, I don't quite understand it. Anyway, in
>> > /var/log/sssd/sssd_customer.company.internal.log I noticed:
>> >
>> > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
>> > [read_pipe_handler] (0x0400): EOF received, client finished
>> > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
>> > [parse_krb5_child_response] (0x0020): message too short.
>> > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
>> > [krb5_auth_done] (0x0040): Could not parse child response [22]:
>> > Invalid argument
>> > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
>> > [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
>> >
>> > Well? What am I doing wrong or what might I have forgotten?
>>
>> We need to also see the krb5_child.log but please check if the keytab is
>> correct (ie kinit -k works).
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
>
> --
>
>
> Alexander
> --
> => *Google+* => http://plus.skwar.me <==
> => *Chat* (Jabber/Google Talk) => a.skwar at gmail.com <==
>
>
>
--
Alexander
--
=> *Google+* => http://plus.skwar.me <==
=> *Chat* (Jabber/Google Talk) => a.skwar at gmail.com <==
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From sbose at redhat.com Mon Oct 5 12:07:44 2015
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 5 Oct 2015 14:07:44 +0200
Subject: [Freeipa-users] ssh and sudo password authentication not
working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04
In-Reply-To:
References:
<20151002155951.GB3127@hendrix.redhat.com>
Message-ID: <20151005120744.GB19585@p.redhat.com>
On Mon, Oct 05, 2015 at 09:00:13AM +0200, Alexander Skwar wrote:
> Hi
>
> Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try
> to login with SSH and enter a password.
Can you try to increase the debug_level to 0xFFF0?
>
> kinit doesn't work.
>
> $ kinit -k
> kinit: Permission denied while getting initial credentials
>
> For this test, I was root and then did a "su - user" and then "kinit -k".
> Also after the "kinit -k", nothing is in the krb5_child.log.
The 'kinit -k' has to be done as root. It will only check if the client
can connect to the KDC at all and tries to get a TGT for the host.
It's expected that during this operation nothing is added to the SSSD
logs because the kinit utility work independent of SSSD.
bye,
Sumit
>
> Regards,
> Alexander
>
>
> 2015-10-02 17:59 GMT+02:00 Jakub Hrozek :
>
> > On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
> > > Hello
> > >
> > > How do I get password authentication to work with freeipa-client
> > > 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
> > >
> > > Long version follows :)
> > >
> > > We've got an IPA server with the Red Hat Identity Management server
> > > on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
> > > users and groups there and would now like to login with SSH. When I
> > > store a SSH key for the user account, I can login just fine, using
> > > this SSH key. But I'd like/need to use passwords as well. And sudo
> > > also doesn't work, when it's asking for passwords - I supposed,
> > > it's the same root cause.
> > >
> > > Let's stick with SSH.
> > >
> > > Initially, I installed the FreeIPA client with this command line:
> > >
> > > ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
> > > --enable-dns-updates --unattended \
> > > --principal=admin --password=correctone \
> > > --domain=customer.company.internal \
> > > --server=auth01.customer.company.internal
> > >
> > > I then try to do a SSH login with:
> > >
> > > ssh -l ewt at customer.company.internal 192.168.229.143
> > > or:
> > > ssh -l ewt 192.168.229.143
> > >
> > > Password authentication doesn't work.
> > >
> > > In the /var/log/syslog on the system where I try to login, I find this:
> > >
> > > 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
> > > Key table entry not found
> > >
> > > After having turned up the debug level of the sssd with "sssd -i -f -d
> > > 0x0770 --debug-timestamps=1", I find the following in the system log
> > > files:
> > >
> > > 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
> > > pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> > > tty=ssh ruser= rhost=212.71.117.1 user=ewt
> > > 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
> > > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> > > tty=ssh ruser= rhost=212.71.117.1 user=ewt
> > > 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
> > > pam_sss(sshd:auth): received for user ewt: 4 (System error)
> > > 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
> > > password for ewt from 212.71.117.1 port 58136 ssh2
> > >
> > > TBH, I don't quite understand it. Anyway, in
> > > /var/log/sssd/sssd_customer.company.internal.log I noticed:
> > >
> > > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > > [read_pipe_handler] (0x0400): EOF received, client finished
> > > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > > [parse_krb5_child_response] (0x0020): message too short.
> > > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > > [krb5_auth_done] (0x0040): Could not parse child response [22]:
> > > Invalid argument
> > > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > > [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
> > >
> > > Well? What am I doing wrong or what might I have forgotten?
> >
> > We need to also see the krb5_child.log but please check if the keytab is
> > correct (ie kinit -k works).
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> >
>
>
>
> --
>
>
> Alexander
> --
> => *Google+* => http://plus.skwar.me <==
> => *Chat* (Jabber/Google Talk) => a.skwar at gmail.com <==
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
From d.korittki at mittwald.de Mon Oct 5 12:13:31 2015
From: d.korittki at mittwald.de (Dominik Korittki)
Date: Mon, 5 Oct 2015 14:13:31 +0200
Subject: [Freeipa-users] FreeIPA 3.3 performance issues with many hosts
In-Reply-To: <560D8EE7.8080004@redhat.com>
References: <560D4BFA.2040303@mittwald.de> <560D8EE7.8080004@redhat.com>
Message-ID: <5612696B.7050601@mittwald.de>
Am 01.10.2015 um 21:52 schrieb Rob Crittenden:
> Dominik Korittki wrote:
>> Hello folks,
>>
>> I am running two FreeIPA Servers with around 100 users and around 15.000
>> hosts, which are used by users to login via ssh. The FreeIPA servers
>> (which are Centos 7.0) ran good for a while, but as more and more hosts
>> got migrated to serve as FreeIPA hosts, it started to get slow and
>> unstable.
>>
>> For example, its hard to maintain hostgroups, which have more than 1.000
>> hosts. The ipa host-* commands are getting slower as the hostgroup
>> grows. Is this normal?
>
> You mean the ipa hostgroup-* commands? Whenever the entry is displayed
> (show and add) it needs to dereference all members so yes, it is
> understandable that it gets somewhat slower with more members. How slow
> are we talking about?
>
>> We also experience random dirsrv segfaults. Here's a dmesg line from the
>> latest:
>>
>> [690787.647261] traps: ns-slapd[5217] general protection ip:7f8d6b6d6bc1
>> sp:7f8d3aff2a88 error:0 in libc-2.17.so[7f8d6b650000+1b6000]
>
> You probably want to start here:
> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
A stacktrace from the latest crash is attached to this email. After
restarting the service, this is what I get in
/var/log/dirsrv/slapd-INTERNAL/errors (hostname is ipa01.internal):
[05/Oct/2015:13:51:30 +0200] - slapd started. Listening on All
Interfaces port 389 for LDAP requests
[05/Oct/2015:13:51:30 +0200] - Listening on All Interfaces port 636 for
LDAPS requests
[05/Oct/2015:13:51:30 +0200] - Listening on
/var/run/slapd-INTERNAL.socket for LDAPI requests
[05/Oct/2015:13:51:30 +0200] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information (No Kerberos
credentials available)) errno 0 (Success)
[05/Oct/2015:13:51:30 +0200] slapi_ldap_bind - Error: could not perform
interactive bind for id [] authentication mechanism [GSSAPI]: error -2
(Local error)
[05/Oct/2015:13:51:30 +0200] NSMMReplicationPlugin -
agmt="cn=meToipa02.internal" (ipa02:389): Replication bind with GSSAPI
auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (No Kerberos credentials available))
[05/Oct/2015:13:51:30 +0200] NSMMReplicationPlugin - changelog program -
agmt="cn=masterAgreement1-ipa02.internal-pki-tomcat" (ipa02:389): CSN
54bea480000000600000 not found, we aren't as up to date, or we purged
[05/Oct/2015:13:51:30 +0200] NSMMReplicationPlugin -
agmt="cn=masterAgreement1-ipa02.internal-pki-tomcat" (ipa02:389): Data
required to update replica has been purged. The replica must be
reinitialized.
[05/Oct/2015:13:51:30 +0200] NSMMReplicationPlugin -
agmt="cn=masterAgreement1-ipa02.internal-pki-tomcat" (ipa02:389):
Incremental update failed and requires administrator action
[05/Oct/2015:13:51:33 +0200] NSMMReplicationPlugin -
agmt="cn=meToipa02.internal" (ipa02:389): Replication bind with GSSAPI
auth resumed
These lines are present since a replayed a ldif dump from ipa02 to
ipa01, but i didn't think that it related to the segfault problem
(therefore i said there are no related problems in the logfile).
But I am starting to believe that these errors could be in relation to
each other.
Kind regards,
Dominik Korittki
>
>
>> Nothing in /var/log/dirsrv/slapd-INTERNAL/errors, which relates to the
>> problem.
Not sure about that anymore.
>> I'm thinking about migrating to latest CentOS 7 FreeIPA 4, but does that
>> solve my problems?
>>
>> FreeIPA server version is 3.3.3-28.el7.centos
>> 389-ds-base.x86_64 is 1.3.1.6-26.el7_0
>>
>>
>>
>> Kind regards,
>> Dominik Korittki
>>
>
>
>
>
-------------- next part --------------
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-64.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/sbin/ns-slapd...Reading symbols from /usr/lib/debug/usr/sbin/ns-slapd.debug...done.
done.
[New LWP 28096]
[New LWP 28100]
[New LWP 28074]
[New LWP 28109]
[New LWP 28098]
[New LWP 27931]
[New LWP 28079]
[New LWP 28073]
[New LWP 28103]
[New LWP 28077]
[New LWP 28076]
[New LWP 28101]
[New LWP 27930]
[New LWP 28071]
[New LWP 28084]
[New LWP 28075]
[New LWP 28102]
[New LWP 27928]
[New LWP 28121]
[New LWP 28086]
[New LWP 28099]
[New LWP 28092]
[New LWP 28094]
[New LWP 28104]
[New LWP 28091]
[New LWP 27929]
[New LWP 28106]
[New LWP 28088]
[New LWP 28081]
[New LWP 28082]
[New LWP 28090]
[New LWP 28095]
[New LWP 28083]
[New LWP 28085]
[New LWP 28108]
[New LWP 28089]
[New LWP 28093]
[New LWP 28078]
[New LWP 28097]
[New LWP 28087]
[New LWP 28107]
[New LWP 28808]
[New LWP 28080]
[New LWP 28072]
[New LWP 28105]
[New LWP 27927]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-INTERNAL -i /var/run/dirsrv/slapd-INTER'.
Program terminated with signal 11, Segmentation fault.
#0 __strlen_sse2 () at ../sysdeps/x86_64/strlen.S:31
31 movdqu (%rdi), %xmm1
Thread 46 (Thread 0x7ff9ee409840 (LWP 27927)):
#0 0x00007ff9ebc44e0d in poll () at ../sysdeps/unix/syscall-template.S:81
No locals.
#1 0x00007ff9ec57cb97 in poll (__timeout=250, __nfds=90, __fds=0x7ff9efb5db00) at /usr/include/bits/poll2.h:46
No locals.
#2 _pr_poll_with_poll (pds=0x7ff9f14bee80, npds=npds at entry=90, timeout=timeout at entry=250) at ../../../nspr/pr/src/pthreads/ptio.c:3922
stack_syspoll = {{fd = 50282600, events = 32767, revents = 0}, {fd = -1, events = 0, revents = 0}, {fd = 50282592, events = 32767, revents = 0}, {fd = -302831930, events = 32761, revents = 0}, {fd = -262928752, events = 32761, revents = 0}, {fd = -302556435, events = 32761, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 50282600, events = 32767, revents = 0}, {fd = -302328358, events = 32761, revents = 0}, {fd = -259132376, events = 32761, revents = 0}, {fd = -259132376, events = 32761, revents = 0}, {fd = -259132376, events = 32761, revents = 0}, {fd = -254438416, events = 32761, revents = 0}, {fd = -252312688, events = 32761, revents = 0}, {fd = -273276224, events = 32761, revents = 0}, {fd = 50282616, events = 32767, revents = 0}, {fd = 50282596, events = 32767, revents = 0}, {fd = -253383952, events = 1, revents = 0}, {fd = 50282392, events = 32767, revents = 0}, {fd = -254462112, events = 32761, revents = 0}, {fd = -255798320, events = 32761, revents = 0}, {fd = -253383952, events = 32761, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 5, events = 0, revents = 0}, {fd = -266137912, events = 32761, revents = 0}, {fd = -256981432, events = 32761, revents = 0}, {fd = -267500112, events = 32761, revents = 0}, {fd = -256981432, events = 32761, revents = 0}, {fd = -256981432, events = 32761, revents = 0}, {fd = -256981432, events = 32761, revents = 0}, {fd = 50282720, events = 32767, revents = 0}, {fd = -254438416, events = 32761, revents = 0}, {fd = -245466232, events = 32761, revents = 0}, {fd = -299955300, events = 32761, revents = 0}, {fd = -302831930, events = 32761, revents = 0}, {fd = 16, events = 0, revents = 0}, {fd = -302341650, events = 32761, revents = 0}, {fd = -254438416, events = 32761, revents = 0}, {fd = -256981448, events = 32761, revents = 0}, {fd = 50282544, events = 32767, revents = 0}, {fd = 50282592, events = 32767, revents = 0}, {fd = 50282624, events = 32767, revents = 0}, {fd = 50282720, events = 32767, revents = 0}, {fd = -254438416, events = 32761, revents = 0}, {fd = -245466232, events = 32761, revents = 0}, {fd = -299955300, events = 32761, revents = 0}, {fd = 50282648, events = 32767, revents = 0}, {fd = 144, events = 0, revents = 0}, {fd = 50282720, events = 32767, revents = 0}, {fd = -254438416, events = 32761, revents = 0}, {fd = 50282680, events = 32767, revents = 0}, {fd = 144, events = 0, revents = 0}, {fd = 50282720, events = 32767, revents = 0}, {fd = -254438416, events = 32761, revents = 0}, {fd = -245466232, events = 32761, revents = 0}, {fd = -299955300, events = 32761, revents = 0}, {fd = -302831930, events = 32761, revents = 0}, {fd = -256062448, events = 32761, revents = 0}, {fd = -254438400, events = 32761, revents = 0}, {fd = 1, events = 0, revents = 0}, {fd = -302463804, events = 32761, revents = 0}, {fd = -245497432, events = 32761, revents = 0}, {fd = -299955300, events = 32761, revents = 0}}
syspoll =
index =
msecs = 250
ready =
start = 415435113
elapsed =
remaining =
#3 0x00007ff9ec57f6d5 in PR_Poll (pds=, npds=npds at entry=90, timeout=timeout at entry=250) at ../../../nspr/pr/src/pthreads/ptio.c:4324
No locals.
#4 0x00007ff9ee440bf9 in slapd_daemon (ports=ports at entry=0x7fff02ff43f0) at ldap/servers/slapd/daemon.c:1168
select_return = 0
prerr =
n_tcps = 0x7ff9ef986390
s_tcps = 0x7ff9ef986480
i_unix = 0x7ff9ef9863e0
fdesp = 0x0
num_poll = 90
pr_timeout = 250
time_thread_p = 0x7ff9f0c0aaa0
threads =
in_referral_mode = 0
n_listeners = 3
listener_idxs = 0x7ff9f06cf980
#5 0x00007ff9ee4346d5 in main (argc=7, argv=0x7fff02ff4a08) at ldap/servers/slapd/main.c:1273
return_value = 0
slapdFrontendConfig =
ports_info = {n_port = 389, s_port = 636, n_listenaddr = 0x7ff9ef9864a0, s_listenaddr = 0x7ff9ef9879e0, n_socket = 0x7ff9ef986390, i_listenaddr = 0x7ff9ef9879c0, i_port = 1, i_socket = 0x7ff9ef9863e0, s_socket = 0x7ff9ef986480}
m =
Thread 45 (Thread 0x7ff9b67ec700 (LWP 28105)):
#0 0x00007ff9e53c5340 in __rawmemchr at plt () from /usr/lib64/dirsrv/plugins/libacl-plugin.so
No symbol table info available.
#1 0x00007ff9e53c7e83 in acl_match_substring (f=, str=str at entry=0x7ff9451a91c0 "uid=user1,cn=users,cn=compat,dc=internal", exact_match=exact_match at entry=0) at ldap/servers/plugins/acl/acl.c:3250
i =
rc =
len =
p = 0x7ff9b67e0bc0 "^"
end = 0x7ff9b67e2bbe ""
realval =
tmp = 0x0
pat = "^\000*idnsname=.*,cn=dns,dc=internal$\000ternal$\000E\371\177", '\000' , "`|\032E\371\177\000\000\000\031Z\000p\tv\331\024\016~\266\371\177\000\000\260y\032E\371\177\000\000\000\000\000\000\000\000\000\000\377\377\377\377\000\000\000\000\024\016~\266\371\177\000\000\260y\032E\371\177\000\000\000\000\000\000\000\000\000\000\021\022\367\355\371\177", '\000' , "\002\000\000\000\360?\357\371\177\000\000\300\f~\266\371\177\000\000\260\f~\266\371\177\000\000\000\031Z\000p\tv\331\000\000\000\000\000\000\000\000o"...
buf = "uid=user1,cn=users,cn=compat,dc=internal\000al\000\000l\000l", '\000' , "\250\034\321\336\371\177\000\000\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000?\365\345\371\177\000\000o\004\000\000\000\000\000\000\070\341\312\336\371\177\000\000?\315\336\371\177\000\000>\365\342\345\371\177\000\000~\n\000\000\000\000\000\000\070\341\312\336\371\177\000\000w\004\000\000\000\000\000\000\240,~\266\371\177\000\000\220,~\266\371\177\000\000\210,~\266\371\177\000\000\260B\354\336\371\177\000\000\000\000\000\000\000\000\000\000"...
type = 0x7ff9f06708e0 "target"
initial = 0x7ff9efda8d50 "cn="
final = 0x7ff9f01b6fd0 ",ou=sudoers,dc=internal"
any = 0x0
re = 0x0
re_result = 0x0
#2 0x00007ff9e53c83c6 in acl__resource_match_aci (aclpb=aclpb at entry=0x7ff9f127b480, aci=aci at entry=0x7ff9f10a5ce0, skip_attrEval=skip_attrEval at entry=1, a_matched=a_matched at entry=0x0) at ldap/servers/plugins/acl/acl.c:2104
f =
rv =
matches =
attr_matched = 1
attr_matched_in_targetattrfilters = 0
dn_matched = 1
res_attr =
aci_right = 7
res_right = 2
star_matched = 0
num_attrs = 0
c_attrEval = 0x0
res_ndn = 0x7ff9451a91c0 "uid=user1,cn=users,cn=compat,dc=internal"
aci_ndn = 0x7ff9f02d30e0 "dc=internal"
matched_val = 0x0
add_matched_val_to_ht = 0
res_right_str = "\004\000\000\000\000\000\000\000?\353\371\177\000\000-\000\000\000\000\000\000\000\236y\032E\371\177\000\000\037\000\000\000\000\000\000\000\272\370\275\353\371\177\000\000\060\256\357\360\371\177\000\000\000M~\266\371\177\000\000\000M~\266\371\177\000\000\001\000\000\000\000\000\000\000 \347\243D\371\177\000\000\071\246\363\355\371\177\000\000`\250\266\360\371\177\000\000\374v=\345\371\177\000\000\200\264'\361\371\177\000\000X\200=\345\371\177\000"
#3 0x00007ff9e53ca016 in acl__scan_match_handles (type=2, aclpb=0x7ff9f127b480) at ldap/servers/plugins/acl/acl.c:3609
aci = 0x7ff9f10a5ce0
cookie = 0
c_evalContext = 0x7ff9f127bed8
matched = 3
index = 54
#4 acl__match_handlesFromCache (access=-249053480, attr=0x7ff9451a8fe0 "uid", aclpb=0x7ff9f127b480) at ldap/servers/plugins/acl/acl.c:3826
c_evalContext = 0x7ff9f127bed8
context_type = 2
ret_val = -1
#5 acl_access_allowed (pb=, e=e at entry=0x7ff9efe3b740, attr=attr at entry=0x7ff9451a8fe0 "uid", val=, access=access at entry=2) at ldap/servers/plugins/acl/acl.c:552
n_edn = 0x7ff9f104ba10 "uid=user1,cn=users,cn=compat,dc=internal"
rv =
err =
ret_val =
right = 0x7ff9e53e1c7f "search"
aclpb = 0x7ff9f127b480
c_attrEval = 0x0
got_reader_locked = 1
deallocate_attrEval = 0
clientDn = 0x7ff9440075e0 "uid=user2,cn=sysaccounts,cn=etc,dc=internal"
e_sdn =
op = 0x7ff9f04c7f10
decision_reason = {deciding_aci = 0x0, reason = ACL_REASON_NONE}
loglevel =
#6 0x00007ff9e53dbf47 in acl_access_allowed_main (pb=, e=0x7ff9efe3b740, attrs=, val=, access=2, flags=, errbuf=0x0) at ldap/servers/plugins/acl/aclplugin.c:383
rc = 0
attr = 0x7ff9451a8fe0 "uid"
#7 0x00007ff9edf7ecec in plugin_call_acl_plugin (pb=pb at entry=0x7ff9f0dc7ef0, e=e at entry=0x7ff9efe3b740, attrs=attrs at entry=0x7ff9b67e4f10, val=val at entry=0x7ff9451a2068, access=access at entry=2, flags=flags at entry=0, errbuf=errbuf at entry=0x0) at ldap/servers/slapd/plugin_acl.c:90
p = 0x7ff9ef952430
rc = 50
aclplugin_initialized = 1
operation = 0x7ff9f04c7f10
#8 0x00007ff9edf4d216 in test_ava_filter (pb=0x7ff9f0dc7ef0, e=e at entry=0x7ff9efe3b740, a=0x7ff9eff73a20, ava=0x7ff9451a2060, ftype=163, verify_access=1, only_check_access=0, access_check_done=0x7ff9b67e4fd4) at ldap/servers/slapd/filterentry.c:330
attrs = {0x7ff9451a8fe0 "uid", 0x0}
rc =
#9 0x00007ff9edf4e29f in slapi_filter_test_ext_internal (pb=, e=0x7ff9efe3b740, f=0x7ff9451a2040, verify_access=1, only_check_access=0, access_check_done=access_check_done at entry=0x7ff9b67e4fd4) at ldap/servers/slapd/filterentry.c:160
rc =
#10 0x00007ff9edf4e78a in slapi_filter_test_ext (pb=0x7ff9f0dc7ef0, e=0x7ff9efe3b740, f=0x7ff9451a2040, verify_access=1, only_check_access=only_check_access at entry=0) at ldap/servers/slapd/filterentry.c:274
rc = 0
access_check_done = 0
#11 0x00007ff9edf4e7b8 in slapi_filter_test (pb=, e=, f=, verify_access=) at ldap/servers/slapd/filterentry.c:96
No locals.
#12 0x00007ff9e0cf1414 in backend_search_entry_cb (domain=, map=, secure=, key=, key_len=, value=, value_len=44, id=0x7ff9f06f6a60 "uid=user1,cn=users,cn=accounts,dc=internal", key_index=0, backend_data=0x7ff9f0025620, cb_data=0x7ff9b67e51e0) at back-sch.c:1011
sdn = 0x7ff9efe3b740
cbdata = 0x7ff9b67e51e0
entry_data = 0x7ff9f0025620
result =
#13 0x00007ff9e0d04043 in map_data_foreach_entry (state=, cbdata=0x7ff9b67e51e0, fn=0x7ff9e0cf1390 , id=, map_name=, domain_name=) at map.c:271
i = 0
k = 0
domain = 0x7ff9f09d6990
j = 3
map = 0x7ff9efd47fc8
entry = 0x7ff9f0763800
#14 map_data_foreach_entry_id (state=