[Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

Alexander Bokovoy abokovoy at redhat.com
Wed Sep 9 16:53:54 UTC 2015


On Wed, 09 Sep 2015, Morgan Marodin wrote:
>Hi Alexander
>
>IPv6 stack is disabled on my RHEL-like distro, v7 x64, but is enabled on my
>Windows 2012.
>I have read in a FreeIPA article to disable IPv6.
Sorry, but why did you decide to disable the IPv6 stack? The FreeIPA article
explicitly talks about not disabling IPv6.

Samba and FreeIPA LDAP code require a working IPv6 stack on the machine.
You can have a system without IPv6 addresses, but do not disable the
infrastructure. All contemporary networking applications are written
with the idea that you can use IPv6-only functions and work on both IPv4
and IPv6 at the same time. See the ipv6(7) manual page:

----
IPv4 connections can be handled with the v6 API by using the
v4-mapped-on-v6 address type; thus a program needs to support only this
API type to support both protocols. This is handled transparently by the
address handling functions in the C library.

IPv4 and IPv6 share the local port space.  When you get an IPv4
connection or packet to a IPv6 socket, its source address will be mapped
to v6 and it will be mapped to v6.
----


>I've 2 Domain Controllers with Windows Server 2012 and (at this time) one
>new FreeIPA server, just installed, in the same network.
>AD REALM is MYDOMAIN.COM and IPA REALM is IPA.MYDOMAIN.COM.
>I've installed bind in IPA; it contains only the ipa.mydomain.com zone.
>On the AD servers the mydomain.com zone is configured, with ipa.mydomain.com
>delegated to the Linux server (192.168.0.65).


>Do you have other questions about my setup?
>Let me know, thanks.
>Morgan
>
>
>2015-09-09 16:01 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
>
>> On Wed, 09 Sep 2015, Morgan Marodin wrote:
>>
>>> Hi Alexander.
>>>
>>> Ok, after enabling debugging I have these logs:
>>> -------------------------------------------------------------------
>>> ==> /var/log/httpd/error_log <==
>>> INFO: Current debug levels:
>>>  all: 100
>>>  tdb: 100
>>>  printdrivers: 100
>>>  lanman: 100
>>>  smb: 100
>>>  rpc_parse: 100
>>>  rpc_srv: 100
>>>  rpc_cli: 100
>>>  passdb: 100
>>>  sam: 100
>>>  auth: 100
>>>  winbind: 100
>>>  vfs: 100
>>>  idmap: 100
>>>  quota: 100
>>>  acls: 100
>>>  locking: 100
>>>  msdfs: 100
>>>  dmapi: 100
>>>  registry: 100
>>>  scavenger: 100
>>>  dns: 100
>>>  ldb: 100
>>> pm_process() returned Yes
>>> GENSEC backend 'gssapi_spnego' registered
>>> GENSEC backend 'gssapi_krb5' registered
>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>> GENSEC backend 'spnego' registered
>>> GENSEC backend 'schannel' registered
>>> GENSEC backend 'sasl-EXTERNAL' registered
>>> GENSEC backend 'ntlmssp' registered
>>> Using binding ncacn_np:srv01.ipa.mydomain.com[,]
>>> s4_tevent: Added timed event "dcerpc_connect_timeout_handler":
>>> 0x7f8a3c224990
>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c042170
>>> s4_tevent: Added timed event "composite_trigger": 0x7f8a3c25b4a0
>>> s4_tevent: Running timer event 0x7f8a3c042170 "composite_trigger"
>>> s4_tevent: Destroying timer event 0x7f8a3c25b4a0 "composite_trigger"
>>> Mapped to DCERPC endpoint \pipe\lsarpc
>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
>>> netmask=255.255.255.0
>>> added interface eth0 ip=192.168.0.65 bcast=192.168.0.255
>>> netmask=255.255.255.0
>>>
>> Do you have the IPv6 stack enabled?
>>
>>> [2015/09/09 08:45:05.032211, 50, pid=11196, effective(0, 0), real(0, 0)]
>>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>  s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>> [2015/09/09 08:45:05.032282, 50, pid=11196, effective(0, 0), real(0, 0)]
>>> ../lib/util/tevent_debug.c:63(samba_tevent_debug)
>>>  s3_tevent: Run immediate event "tevent_req_trigger": 0x7f7118a92cf0
>>> [2015/09/09 08:45:05.032353,  4, pid=11196, effective(217400000,
>>> 217400000), real(217400000, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>  pop_sec_ctx (217400000, 217400000) - sec_ctx_stack_ndx = 0
>>> [2015/09/09 08:45:05.032421,  2, pid=11196, effective(217400000,
>>> 217400000), real(217400000, 0), class=rpc_srv]
>>> ../source3/rpc_server/rpc_ncacn_np.c:630(make_external_rpc_pipe_p)
>>>  tstream_npa_connect_recv  to /run/samba/ncalrpc/np for pipe lsarpc and
>>> user IPA\admin failed: No such file or directory
>>>
>> I'm particularly worried about this one -- the /run/samba/ncalrpc/np pipe
>> has to be there.
>>
>> Can you explain what is your setup in detail?
>>
>> --
>> / Alexander Bokovoy
>>
>
>
>
>-- 
>Morgan Marodin
>email: morgan at marodin.it
>mobile: +39.3477829069

-- 
/ Alexander Bokovoy
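The dual-stack behaviour Alexander quotes from ipv6(7), as an added example that is not part of the original thread and is not code from the FreeIPA or Samba projects. It uses Python's socket module to mirror the C API: one AF_INET6 listener on the wildcard address accepts a plain IPv4 client, and the peer shows up as a v4-mapped-on-v6 address (::ffff:a.b.c.d). It also shows the failure mode the thread is about: if the stack itself has been removed, socket(AF_INET6) fails with EAFNOSUPPORT before any bind is attempted, which is different from merely having no IPv6 addresses configured. Assumptions: Linux, loopback reachable, an ephemeral port is free; the function names are the example's own.

```python
import errno
import ipaddress
import socket


def ipv6_stack_available() -> bool:
    """True if the kernel will create an AF_INET6 socket at all.

    This is the 'infrastructure' check from the thread: it succeeds on a
    host with no IPv6 addresses configured, and fails (EAFNOSUPPORT) only
    when the stack itself is gone, e.g. ipv6.disable=1 on the kernel
    command line.
    """
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM):
            return True
    except OSError as e:
        if e.errno == errno.EAFNOSUPPORT:
            return False
        raise


def unmap_v4_mapped(addr: str) -> str:
    """Turn a v4-mapped-on-v6 address (::ffff:a.b.c.d) back into a.b.c.d.

    Anything else is returned unchanged, so it can be applied blindly to
    peer addresses taken from getpeername() or from daemon logs.
    """
    try:
        v4 = ipaddress.IPv6Address(addr).ipv4_mapped
    except ipaddress.AddressValueError:
        return addr
    return str(v4) if v4 is not None else addr


def ipv4_client_seen_by_dual_stack_listener() -> dict:
    """Listen on ONE AF_INET6 socket, connect to it over IPv4, report the peer.

    Returns {'ok': True, 'family': ..., 'peer': ..., 'unmapped': ...} on
    success, or {'ok': False, 'error': <errno name>} when the IPv6 stack
    is missing, which is what breaks Samba and the LDAP server.
    """
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as e:
        return {"ok": False, "error": errno.errorcode.get(e.errno, str(e))}
    with srv:
        try:
            # V6ONLY=0 is dual-stack mode; Linux defaults to it
            # (net.ipv6.bindv6only=0) but daemons usually set it explicitly.
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            srv.bind(("::", 0))  # wildcard; ephemeral port, shared with IPv4
            srv.listen(1)
        except OSError as e:
            return {"ok": False, "error": errno.errorcode.get(e.errno, str(e))}
        port = srv.getsockname()[1]
        # A plain IPv4 client; the listener never opened an AF_INET socket.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.connect(("127.0.0.1", port))
            conn, peer = srv.accept()
            with conn:
                return {
                    "ok": True,
                    "family": conn.family.name,  # still AF_INET6
                    "peer": peer[0],             # '::ffff:127.0.0.1'
                    "unmapped": unmap_v4_mapped(peer[0]),
                }


if __name__ == "__main__":
    print("IPv6 stack present:", ipv6_stack_available())
    print(ipv4_client_seen_by_dual_stack_listener())
```

Running this on a host that has `net.ipv6.conf.all.disable_ipv6=1` still succeeds, because that sysctl only removes addresses; the socket infrastructure remains and the IPv4 client is accepted with a mapped peer address. Only a kernel booted with the IPv6 module disabled makes the first `socket()` call fail, and a daemon that only opens AF_INET6 sockets then has no listener at all.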



